shell-mirror 1.5.131 → 1.5.138

package/public/privacy.html

@@ -0,0 +1,362 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="icon" type="image/png" href="/images/favicon.png">
+    <title>>shell-mirror — Privacy</title>
+    <meta name="description" content="How >shell-mirror handles your data. Plain-language privacy explanation.">
+
+    <meta property="og:type" content="website">
+    <meta property="og:title" content=">shell-mirror — Privacy">
+    <meta property="og:description" content="How >shell-mirror handles your data.">
+    <meta property="og:url" content="https://shellmirror.app/privacy">
+
+    <meta property="twitter:card" content="summary">
+    <meta property="twitter:title" content=">shell-mirror — Privacy">
+    <meta property="twitter:description" content="How >shell-mirror handles your data.">
+
+    <!-- Fonts -->
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;700;800&family=Space+Grotesk:wght@400;500;600;700&display=swap" rel="stylesheet">
+
+    <!-- Google Analytics 4 -->
+    <script>
+        window.dataLayer = window.dataLayer || [];
+        function gtag(){dataLayer.push(arguments);}
+        gtag('js', new Date());
+        gtag('config', 'G-LG7ZGLB8FK');
+        (function() {
+            var script = document.createElement('script');
+            script.async = true;
+            script.src = 'https://www.googletagmanager.com/gtag/js?id=G-LG7ZGLB8FK';
+            script.onload = function() { window.gtagLoaded = true; };
+            script.onerror = function() { window.gtagLoaded = false; };
+            document.head.appendChild(script);
+        })();
+    </script>
+
+    <!-- Microsoft Clarity -->
+    <script type="text/javascript">
+        (function(c,l,a,r,i,t,y){
+            c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};
+            t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i;
+            y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y);
+        })(window, document, "clarity", "script", "sy1w2d7il7");
+    </script>
+
+    <style>
+        :root {
+            --bg-primary: #121315;
+            --bg-secondary: #1b1c1e;
+            --bg-tertiary: #1f2022;
+            --bg-hover: #292a2c;
+            --text-primary: #e3e2e5;
+            --text-secondary: #8a8f98;
+            --text-muted: #5a5f6a;
+            --accent: #7c4dff;
+            --accent-light: #cdbdff;
+            --accent-hover: #6833ea;
+            --success: #00c853;
+            --border: rgba(73, 68, 85, 0.15);
+            --border-visible: rgba(73, 68, 85, 0.3);
+        }
+
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+
+        body {
+            font-family: 'Inter', -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+            line-height: 1.6;
+            color: var(--text-primary);
+            background: var(--bg-primary);
+            min-height: 100vh;
+            -webkit-font-smoothing: antialiased;
+        }
+
+        .container { max-width: 1200px; margin: 0 auto; padding: 0 32px; }
+
+        /* Header */
+        header {
+            position: fixed;
+            top: 0;
+            width: 100%;
+            z-index: 100;
+            background: rgba(18, 19, 21, 0.6);
+            backdrop-filter: blur(20px);
+            -webkit-backdrop-filter: blur(20px);
+            box-shadow: 0 8px 32px rgba(124, 77, 255, 0.04);
+        }
+        header .container {
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            padding-top: 16px;
+            padding-bottom: 16px;
+        }
+        .logo { font-size: 1.3rem; font-weight: 800; color: #f0eff2; letter-spacing: -0.03em; text-decoration: none; }
+        .nav-links { display: flex; gap: 32px; align-items: center; }
+        .nav-links a { color: var(--text-muted); text-decoration: none; font-size: 0.9rem; font-weight: 500; transition: color 0.2s ease; }
+        .nav-links a:hover { color: var(--text-primary); }
+        .header-right { display: flex; align-items: center; gap: 16px; }
+        .cta-button {
+            background: var(--accent); color: white; padding: 10px 22px;
+            text-decoration: none; border-radius: 8px; font-weight: 600;
+            border: none; cursor: pointer; transition: all 0.2s ease; font-size: 0.9rem;
+            box-shadow: 0 4px 16px rgba(124, 77, 255, 0.2);
+        }
+        .cta-button:hover { background: var(--accent-hover); box-shadow: 0 4px 20px rgba(124, 77, 255, 0.35); }
+
+        /* Page content */
+        .page-header {
+            text-align: center;
+            padding: 140px 0 40px;
+        }
+
+        .page-header h1 {
+            font-size: clamp(1.75rem, 4vw, 2.5rem);
+            font-weight: 800;
+            margin-bottom: 20px;
+            letter-spacing: -0.02em;
+        }
+
+        .page-header p {
+            color: var(--text-secondary);
+            font-size: 1.05rem;
+            max-width: 600px;
+            margin: 0 auto;
+            line-height: 1.7;
+        }
+
+        .privacy-body {
+            max-width: 680px;
+            margin: 0 auto;
+            padding: 40px 32px 100px;
+        }
+
+        .privacy-body p {
+            color: var(--text-secondary);
+            font-size: 1rem;
+            line-height: 1.7;
+            margin-bottom: 16px;
+        }
+
+        .privacy-body h2 {
+            font-size: 1.2rem;
+            font-weight: 700;
+            color: var(--text-primary);
+            margin-top: 40px;
+            margin-bottom: 12px;
+        }
+
+        .privacy-body h2:first-child { margin-top: 0; }
+
+        .privacy-body ul {
+            list-style: none;
+            margin-bottom: 16px;
+        }
+
+        .privacy-body ul li {
+            color: var(--text-secondary);
+            font-size: 0.95rem;
+            line-height: 1.6;
+            padding: 6px 0 6px 20px;
+            position: relative;
+        }
+
+        .privacy-body ul li::before {
+            content: '';
+            position: absolute;
+            left: 0;
+            top: 14px;
+            width: 6px;
+            height: 6px;
+            background: var(--accent);
+            border-radius: 50%;
+        }
+
+        .privacy-note {
+            background: var(--bg-secondary);
+            border: 1px solid var(--border-visible);
+            border-radius: 12px;
+            padding: 24px;
+            margin-top: 40px;
+        }
+
+        .privacy-note p {
+            color: var(--text-muted);
+            font-size: 0.9rem;
+            margin-bottom: 0;
+        }
+
+        /* Footer */
+        footer {
+            background: rgba(13, 14, 16, 0.8);
+            border-top: 1px solid var(--border);
+            padding: 40px 0;
+        }
+        .footer-inner { display: flex; justify-content: space-between; align-items: center; }
+        .footer-brand {
+            font-family: 'Space Grotesk', sans-serif;
+            font-weight: 700; font-size: 0.85rem; color: var(--text-secondary);
+            letter-spacing: 0.15em; text-transform: uppercase;
+        }
+        .footer-links { display: flex; gap: 28px; }
+        .footer-links a {
+            color: var(--text-muted); text-decoration: none;
+            font-family: 'Space Grotesk', sans-serif; font-size: 0.8rem;
+            letter-spacing: 0.1em; text-transform: uppercase; transition: color 0.2s ease;
+        }
+        .footer-links a:hover { color: var(--accent-light); }
+
+        @media (max-width: 768px) {
+            .container { padding: 0 20px; }
+            .page-header { padding: 120px 0 30px; }
+            .page-header h1 { font-size: 1.5rem; }
+            .header-right .nav-links { display: none; }
+            .footer-inner { flex-direction: column; gap: 16px; text-align: center; }
+            .privacy-body { padding: 40px 0 80px; }
+        }
+    </style>
+</head>
+<body>
+    <header>
+        <div class="container">
+            <a href="/" class="logo">>shell-mirror</a>
+            <div class="header-right">
+                <div class="nav-links">
+                    <a href="/privacy">Privacy</a>
+                    <a href="/contact">Contact</a>
+                </div>
+                <div id="header-cta">
+                    <button class="cta-button" onclick="handleGoogleLogin()">Get Started</button>
+                </div>
+            </div>
+        </div>
+    </header>
+
+    <main>
+        <section class="page-header">
+            <div class="container">
+                <h1>Privacy</h1>
+                <p>>shell-mirror is a personal tool for accessing your own terminal session from your own phone.</p>
+            </div>
+        </section>
+
+        <div class="privacy-body">
+            <p>We keep the wording here simple on purpose. If the product asks you to sign in, it should be clear what that sign-in is for and what it is not for.</p>
+
+            <h2>Sign-in</h2>
+            <p>>shell-mirror uses Google OAuth 2.0 for authentication. When you sign in, we receive your name, email address, and Google profile ID. This information is used to connect your phone and computer to the same session. We do not request access to your Google contacts, files, calendar, or any other data beyond your basic profile.</p>
+
+            <h2>Terminal data</h2>
+            <p>Your terminal input and output are transmitted directly between your computer and your phone using a WebRTC peer-to-peer data channel. The >shell-mirror signaling server handles the initial connection setup (exchanging WebRTC offers, answers, and connection candidates) but does not see or store your terminal content.</p>
+            <p>When a direct peer-to-peer connection cannot be established (for example, due to network configuration), a TURN relay server is used to route the connection. In this case, terminal data passes through the relay, but the WebRTC data channel remains encrypted (DTLS-SRTP).</p>
+
+            <h2>Session information</h2>
+            <p>The >shell-mirror agent running on your computer sends a status heartbeat to shellmirror.app approximately every 60 seconds. This heartbeat includes your agent ID, machine name, platform, and the number of active sessions. It does not include any terminal content, commands, or output.</p>
+            <!-- TODO: Document whether heartbeat data is persisted server-side or only held in memory. This should be clarified by the maintainer. -->
+
+            <h2>Data storage</h2>
+            <p>>shell-mirror does not use a database for terminal sessions. Your sessions exist in memory on your own computer and are lost when the agent stops. The signaling server holds connection state in memory only.</p>
+            <p>Your sign-in session is stored as a browser cookie that expires after 30 days.</p>
+            <!-- TODO: Document the PHP backend's session storage and data retention policy. This is not currently documented in the codebase. -->
+
+            <h2>Analytics</h2>
+            <p>The >shell-mirror website (this marketing site and the dashboard) uses Google Analytics 4 and Microsoft Clarity for standard web analytics. These services use cookies. The terminal data path itself does not include analytics tracking.</p>
+
+            <h2>Third-party services</h2>
+            <ul>
+                <li>Google OAuth 2.0 — authentication</li>
+                <li>Google Analytics 4 — web analytics on the marketing site and dashboard</li>
+                <li>Microsoft Clarity — session recording on the marketing site and dashboard</li>
+                <li>OpenRelay TURN server — WebRTC relay fallback when direct peer-to-peer is not possible</li>
+            </ul>
+
+            <div class="privacy-note">
+                <p>>shell-mirror uses Google sign-in. It requests only your basic profile information (name and email) to authenticate your session. If you want to review or revoke this access, you can do so in your Google account settings.</p>
+            </div>
+        </div>
+
+        <footer>
+            <div class="container footer-inner">
+                <div class="footer-brand" id="version-info">>shell-mirror</div>
+                <div class="footer-links">
+                    <a href="/how-it-works">How it works</a>
+                    <a href="/privacy">Privacy</a>
+                    <a href="/contact">Contact</a>
+                </div>
+            </div>
+        </footer>
+    </main>
+
+    <script>
+        async function checkAuthStatus() {
+            try {
+                const response = await fetch('/php-backend/api/auth-status.php');
+                const data = await response.json();
+                if (data.success && data.data && data.data.authenticated)
+                    return { isAuthenticated: true, user: data.data.user };
+            } catch (error) {}
+            return { isAuthenticated: false, user: null };
+        }
+
+        function sendGAEvent(n, p) { if (typeof gtag === 'function') gtag('event', n, p); }
+
+        async function handleGoogleLogin() {
+            sendGAEvent('cta_click', { cta_label: 'sign_in', cta_location: 'privacy_page' });
+            window.location.href = '/php-backend/api/auth-login.php?return=' + encodeURIComponent('/app/dashboard');
+        }
+
+        async function loadVersionInfo() {
+            try {
+                const response = await fetch('/build-info.json');
+                const buildInfo = await response.json();
+                const el = document.getElementById('version-info');
+                if (el && buildInfo) el.textContent = `>shell-mirror v${buildInfo.version}`.toUpperCase();
+            } catch (e) {}
+        }
+
+        // Scroll depth
+        const scrollFired = {};
+        window.addEventListener('scroll', () => {
+            const pct = Math.round((window.scrollY + window.innerHeight) / document.body.scrollHeight * 100);
+            [25, 50, 75, 100].forEach(t => {
+                if (pct >= t && !scrollFired[t]) { scrollFired[t] = true; sendGAEvent('scroll_depth', { scroll_percent: t, page_title: document.title }); }
+            });
+        }, { passive: true });
+
+        // Time on page
+        const pageLoadTime = Date.now();
+        window.addEventListener('beforeunload', () => {
+            sendGAEvent('time_on_page', {
+                seconds_on_page: Math.round((Date.now() - pageLoadTime) / 1000),
+                page_title: document.title,
+                max_scroll_percent: Math.max(...Object.keys(scrollFired).map(Number), 0)
+            });
+        });
+
+        async function updateHeaderAndCTA() {
+            const authStatus = await checkAuthStatus();
+            const headerCta = document.getElementById('header-cta');
+            if (authStatus.isAuthenticated) {
+                headerCta.innerHTML = `
+                    <span style="color: var(--text-secondary); font-size: 0.85rem;">Welcome, ${authStatus.user.name || authStatus.user.email}</span>
+                    <a href="/app/dashboard.html" class="cta-button">Dashboard</a>
+                `;
+                headerCta.style.display = 'flex';
+                headerCta.style.alignItems = 'center';
+                headerCta.style.gap = '15px';
+            } else {
+                headerCta.innerHTML = '<button class="cta-button" onclick="handleGoogleLogin()">Sign In</button>';
+            }
+        }
+
+        document.addEventListener('DOMContentLoaded', async () => {
+            sendGAEvent('page_view', { page_title: document.title, page_location: window.location.href });
+            await updateHeaderAndCTA();
+            loadVersionInfo();
+        });
+    </script>
+</body>
+</html>

package/server.js

@@ -86,6 +86,15 @@ app.get('/', (req, res) => {
   }
 });
 
+// Marketing pages - clean URLs
+app.get('/how-it-works', (req, res) => {
+  res.sendFile(path.join(__dirname, 'public', 'how-it-works.html'));
+});
+
+app.get('/privacy', (req, res) => {
+  res.sendFile(path.join(__dirname, 'public', 'privacy.html'));
+});
+
 // LOCAL_TESTING_ONLY: Simple bypass for local development
 if (isLocalEnvironment && !isProduction) {
   app.get('/auth/local/bypass', (req, res) => {