termbeam 0.1.0 → 0.1.1

package/README.md

@@ -13,7 +13,7 @@ I built this because I kept needing to run quick commands on my dev machine whil
 
 [Full documentation](https://dorlugasigal.github.io/TermBeam/)
 
-https://github.com/user-attachments/assets/c91ca15d-0c84-400f-bbfa-3d58d1be07ee
+https://github.com/user-attachments/assets/9dd4f3d7-f017-4314-9b3a-f6a5688e3671
 
 ## Quick Start
 
@@ -30,18 +30,22 @@ termbeam
 
 Scan the QR code printed in your terminal, or open the URL on any device.
 
-### Password protection (recommended)
+### Secure by default
 
-```bash
-termbeam --generate-password
+TermBeam starts with a tunnel and auto-generated password out of the box — just run `termbeam` and scan the QR code.
 
-# or set your own
-termbeam --password mysecret
+```bash
+termbeam                        # tunnel + auto-password (default)
+termbeam --password mysecret    # use a specific password
+termbeam --no-tunnel            # LAN-only (no tunnel)
+termbeam --no-password          # disable password protection
 ```
 
 ## Features
 
 - **Mobile-first UI** with on-screen touch bar (arrow keys, Tab, Enter, Ctrl shortcuts, Esc) and touch-optimized controls
+- **Copy/paste support** — Copy button opens text overlay for finger-selectable terminal content; Paste button with clipboard API + fallback modal
+- **Image paste** — paste images from clipboard, uploaded to server
 - **Tabbed multi-session terminal** — open, switch, and manage multiple sessions from a single tab bar with drag-to-reorder
 - **Split view** — view two sessions side-by-side (horizontal on desktop, vertical on mobile)
 - **Session colors** — assign a color to each session for quick identification
@@ -65,11 +69,14 @@ termbeam --password mysecret
 ## Remote Access
 
 ```bash
-# One-off tunnel (deleted on shutdown)
-termbeam --tunnel --generate-password
+# Tunnel is on by default
+termbeam
 
 # Persisted tunnel (stable URL you can bookmark, reused across restarts, 30-day expiry)
-termbeam --persisted-tunnel --generate-password
+termbeam --persisted-tunnel
+
+# LAN-only (no tunnel)
+termbeam --no-tunnel
 ```
 
 Requires the [Dev Tunnels CLI](https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/get-started):
@@ -88,20 +95,22 @@ termbeam --port 8080              # custom port (default: 3456)
 termbeam --host 127.0.0.1        # restrict to localhost (default: 0.0.0.0)
 ```
 
-| Flag                  | Description                              | Default     |
-| --------------------- | ---------------------------------------- | ----------- |
-| `--password <pw>`     | Set access password (also accepts `--password=<pw>`) | None |
-| `--generate-password` | Auto-generate a secure password          | —           |
-| `--tunnel`            | Create an ephemeral devtunnel URL        | Off         |
-| `--persisted-tunnel`  | Create a reusable devtunnel URL          | Off         |
-| `--port <port>`       | Server port                              | `3456`      |
-| `--host <addr>`       | Bind address                             | `0.0.0.0`   |
+| Flag                  | Description                              | Default          |
+| --------------------- | ---------------------------------------- | ---------------- |
+| `--password <pw>`     | Set access password (also accepts `--password=<pw>`) | Auto-generated |
+| `--no-password`       | Disable password                         | —                |
+| `--generate-password` | Auto-generate a secure password          | On               |
+| `--tunnel`            | Create an ephemeral devtunnel URL        | On               |
+| `--no-tunnel`         | Disable tunnel (LAN-only)                | —                |
+| `--persisted-tunnel`  | Create a reusable devtunnel URL          | Off              |
+| `--port <port>`       | Server port                              | `3456`           |
+| `--host <addr>`       | Bind address                             | `0.0.0.0`        |
 
 Environment variables: `PORT`, `TERMBEAM_PASSWORD`, `TERMBEAM_CWD`, `SHELL` (Unix fallback), `COMSPEC` (Windows fallback). See [Configuration docs](https://dorlugasigal.github.io/TermBeam/configuration/).
 
 ## Security
 
-TermBeam binds to all interfaces (`0.0.0.0`) by default, so it's accessible on your local network out of the box. **Always set a password** when running on a shared network, or pass `--host 127.0.0.1` to restrict access to your machine only.
+TermBeam auto-generates a password and creates a tunnel by default, so your terminal is protected out of the box. Be aware that the tunnel exposes your terminal to the internet — use `--no-tunnel` for LAN-only access, or `--host 127.0.0.1` to restrict to your machine only.
 
 Auth uses secure httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, and security headers (X-Frame-Options, X-Content-Type-Options, etc.) are set on all responses. API clients that can't use cookies can authenticate with an `Authorization: Bearer <password>` header. See the [Security Guide](https://dorlugasigal.github.io/TermBeam/security/) for more.
 
@@ -115,4 +124,4 @@ Contributions welcome — see [CONTRIBUTING.md](CONTRIBUTING.md).
 
 ## Acknowledgments
 
-Special thanks to [@tamirdresher](https://github.com/tamirdresher) for the [blog post](https://www.tamirdresher.com/blog/2026/02/26/squad-remote-control) that inspired the solution idea for this project, and for his [cli-tunnel](https://github.com/tamirdresher/cli-tunnel) implementation.
+Special thanks to [@tamirdresher](https://github.com/tamirdresher) for the [blog post](https://www.tamirdresher.com/blog/2026/02/26/squad-remote-control) that inspired the solution idea for this project, and for his [cli-tunnel](https://github.com/tamirdresher/cli-tunnel) implementation.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server.js",
   "bin": {

package/public/index.html

@@ -647,7 +647,7 @@
         </div>
         <label for="sess-cwd">Working Directory</label>
         <div class="cwd-picker">
-          <input type="text" id="sess-cwd" placeholder="/Users/dorlugasigal" />
+          <input type="text" id="sess-cwd" placeholder="Uses server default" />
           <button type="button" class="cwd-browse-btn" id="browse-btn" title="Browse folders">
             <svg
               width="18"
@@ -838,6 +838,10 @@
         try {
           const res = await fetch('/api/shells');
           const data = await res.json();
+          if (data.cwd) {
+            document.getElementById('sess-cwd').placeholder = data.cwd;
+            hubServerCwd = data.cwd;
+          }
           shellSelect.innerHTML = '';
           for (const s of data.shells) {
             const opt = document.createElement('option');
@@ -952,9 +956,10 @@
       const browserBreadcrumb = document.getElementById('browser-breadcrumb');
       const browserPath = document.getElementById('browser-path');
       let currentBrowsePath = '/';
+      let hubServerCwd = '/';
 
       document.getElementById('browse-btn').addEventListener('click', () => {
-        const initial = cwdInput.value.trim() || '/';
+        const initial = cwdInput.value.trim() || hubServerCwd;
         navigateTo(initial);
         browserOverlay.classList.add('visible');
       });
@@ -980,11 +985,17 @@
         try {
           const res = await fetch(`/api/dirs?q=${encodeURIComponent(dir + '/')}`);
           const data = await res.json();
-          if (!data.dirs.length) {
-            browserList.innerHTML = '<div class="browser-empty">No subfolders</div>';
-            return;
+          let items = '';
+          // Add parent (..) entry unless at root
+          const parent = dir.replace(/[/\\][^/\\]+$/, '') || (dir.includes('\\') ? dir.match(/^[A-Za-z]:\\/)?.[0] : '/');
+          if (parent && parent !== dir) {
+            items += `<div class="folder-item" data-path="${esc(parent)}">
+            <span class="folder-icon">📁</span>
+            <span class="folder-name">..</span>
+            <span class="folder-arrow">›</span>
+          </div>`;
           }
-          browserList.innerHTML = data.dirs
+          items += data.dirs
             .map((d) => {
               const name = d.split(/[/\\]/).pop();
               return `<div class="folder-item" data-path="${esc(d)}">
@@ -995,6 +1006,7 @@
             })
             .join('');
 
+          browserList.innerHTML = items || '<div class="browser-empty">No subfolders</div>';
           browserList.querySelectorAll('.folder-item').forEach((el) => {
             el.addEventListener('click', () => navigateTo(el.dataset.path));
           });
@@ -1005,13 +1017,15 @@
       }
 
       function renderBreadcrumb(dir) {
-        const parts = dir.split('/').filter(Boolean);
-        let html = `<button class="crumb" data-path="/">/</button>`;
-        let accumulated = '';
+        const sep = dir.includes('\\') ? '\\' : '/';
+        const parts = dir.split(/[/\\]/).filter(Boolean);
+        const isWindows = /^[A-Za-z]:/.test(dir);
+        let html = isWindows ? '' : `<button class="crumb" data-path="/">/</button>`;
+        let accumulated = isWindows ? '' : '';
         parts.forEach((part, i) => {
-          accumulated += '/' + part;
+          accumulated += (i === 0 && isWindows ? '' : sep) + part;
           const isCurrent = i === parts.length - 1;
-          html += `<span class="crumb-sep">›</span>`;
+          if (i > 0 || isWindows) html += `<span class="crumb-sep">›</span>`;
           html += `<button class="crumb${isCurrent ? ' current' : ''}" data-path="${esc(accumulated)}">${esc(part)}</button>`;
         });
         browserBreadcrumb.innerHTML = html;
@@ -1031,6 +1045,7 @@
         .catch(() => {});
 
       loadSessions();
+      loadShells();
       setInterval(loadSessions, 3000);
 
       // Share button

package/public/sw.js

@@ -1,4 +1,4 @@
-const CACHE_NAME = 'termbeam-v2';
+const CACHE_NAME = 'termbeam-v5';
 const SHELL_URLS = ['/', '/terminal'];
 
 self.addEventListener('install', (event) => {
@@ -56,7 +56,21 @@ self.addEventListener('fetch', (event) => {
     return;
   }
 
-  // Cache-first for static assets
+  // Network-first for HTML pages (always get latest code)
+  if (event.request.mode === 'navigate' || event.request.headers.get('accept')?.includes('text/html')) {
+    event.respondWith(
+      fetch(event.request).then((response) => {
+        if (response.ok) {
+          const clone = response.clone();
+          caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone));
+        }
+        return response;
+      }).catch(() => caches.match(event.request))
+    );
+    return;
+  }
+
+  // Cache-first for static assets (JS, CSS, images)
   event.respondWith(
     caches.match(event.request).then((cached) => {
       if (cached) return cached;

package/public/terminal.html

@@ -309,7 +309,8 @@
       #paste-overlay {
         display: none; position: fixed; top: 0; left: 0; right: 0; bottom: 0;
         background: var(--overlay-bg); z-index: 150;
-        flex-direction: column; align-items: center; justify-content: center; gap: 12px;
+        flex-direction: column; align-items: center; justify-content: flex-start;
+        padding-top: calc(80px + env(safe-area-inset-top, 0px)); gap: 12px;
       }
       #paste-overlay.visible { display: flex; }
       #paste-overlay label { font-size: 15px; color: #fff; font-weight: 600; }
@@ -319,6 +320,38 @@
         padding: 10px; font-size: 14px; font-family: 'NerdFont', 'JetBrains Mono', monospace; resize: vertical;
       }
 
+      #select-overlay {
+        display: none; position: fixed; top: 0; left: 0; right: 0; bottom: 0;
+        background: var(--bg); z-index: 160;
+        flex-direction: column;
+      }
+      #select-overlay.visible { display: flex; }
+      .select-overlay-header {
+        display: flex; align-items: center; justify-content: space-between;
+        padding: 12px 12px; border-bottom: 1px solid var(--border);
+        font-size: 15px; font-weight: 600; color: var(--text);
+        padding-top: calc(12px + env(safe-area-inset-top, 0px));
+        min-height: 48px; box-sizing: border-box;
+      }
+      .select-overlay-header button {
+        padding: 6px 12px; border: none; border-radius: 8px;
+        font-size: 13px; font-weight: 600; cursor: pointer;
+        white-space: nowrap; flex-shrink: 0;
+        transition: background 0.15s, transform 0.1s;
+      }
+      .select-overlay-header button:active { transform: scale(0.95); }
+      #select-copy { background: var(--accent); color: #fff; }
+      #select-close { background: var(--border); color: var(--text); }
+      #select-content {
+        flex: 1; overflow: auto; padding: 12px 16px;
+        font-family: 'NerdFont', 'JetBrains Mono', monospace;
+        font-size: 13px; line-height: 1.4; color: var(--text);
+        white-space: pre; word-break: normal;
+        -webkit-user-select: text; user-select: text;
+        margin: 0;
+        padding-bottom: calc(12px + env(safe-area-inset-bottom, 0px));
+      }
+
       #reconnect-overlay {
         display: none; position: fixed; top: 0; left: 0; right: 0; bottom: 0;
         background: var(--overlay-bg); z-index: 100;
@@ -714,6 +747,7 @@
       <button class="key-btn" data-key="&#x1b;[H" title="Home">Home</button>
       <button class="key-btn" data-key="&#x1b;[F" title="End">End</button>
       <div class="key-sep"></div>
+      <button class="key-btn" id="select-btn" title="Copy text">Copy</button>
       <button class="key-btn" id="paste-btn" title="Paste from clipboard">Paste</button>
       <div class="key-sep"></div>
       <button class="key-btn wide" data-key="&#x09;" title="Autocomplete">Tab</button>
@@ -740,6 +774,18 @@
       </div>
     </div>
 
+    <div id="select-overlay">
+      <div class="select-overlay-header">
+        <span id="select-title">Copy Text</span>
+        <div style="display:flex;gap:8px">
+          <button id="select-copy">Copy</button>
+          <button id="select-close">Done</button>
+        </div>
+      </div>
+      <button id="select-load-more" style="display:none;width:100%;padding:8px;background:var(--surface);color:var(--accent);border:1px solid var(--border);border-radius:6px;font-size:13px;cursor:pointer;">▲ Load more</button>
+      <pre id="select-content"></pre>
+    </div>
+
     <!-- New Session Modal -->
     <div class="modal-overlay" id="new-session-modal">
       <div class="modal">
@@ -804,8 +850,20 @@
       const managed = new Map(); // sessionId -> ManagedSession
       let activeId = null;
       let splitMode = false;
+
       let splitSecondId = null;
 
+      // Clipboard copy fallback for non-secure contexts (HTTP over LAN)
+      function copyFallback(text) {
+        const ta = document.createElement('textarea');
+        ta.value = text;
+        ta.style.cssText = 'position:fixed;left:-9999px;top:-9999px';
+        document.body.appendChild(ta);
+        ta.select();
+        try { document.execCommand('copy'); showToast('Copied!'); } catch {}
+        document.body.removeChild(ta);
+      }
+
       // ===== DOM Refs =====
       const statusDot = document.getElementById('status-dot');
       const statusText = document.getElementById('status-text');
@@ -937,7 +995,10 @@
         renderTabs();
         setupKeyBar();
         setupPaste();
+        setupImagePaste();
+        setupSelectMode();
         setupNewSessionModal();
+        loadShellsForModal();
         startPolling();
 
         // Zoom
@@ -1120,8 +1181,14 @@
         // Copy on selection
         term.onSelectionChange(() => {
           const sel = term.getSelection();
-          if (sel && navigator.clipboard && navigator.clipboard.writeText) {
-            navigator.clipboard.writeText(sel).then(() => showToast('Copied!')).catch(() => {});
+          if (!sel) return;
+          if (navigator.clipboard && navigator.clipboard.writeText) {
+            navigator.clipboard.writeText(sel).then(() => showToast('Copied!')).catch(() => {
+              // Fallback for non-secure contexts (HTTP over LAN)
+              copyFallback(sel);
+            });
+          } else {
+            copyFallback(sel);
           }
         });
 
@@ -1203,6 +1270,11 @@
                 reconnectOverlay.classList.add('visible');
               }
             } else if (msg.type === 'error') {
+              if (msg.message === 'Session not found') {
+                ms.exited = true;
+                if (ms.reconnectTimer) { clearTimeout(ms.reconnectTimer); ms.reconnectTimer = null; }
+                renderTabs();
+              }
               if (ms.id === activeId) {
                 statusText.textContent = msg.message;
                 reconnectOverlay.querySelector('.msg').textContent = msg.message;
@@ -1655,18 +1727,25 @@
           }, 400);
         }
 
+        let keyBarTouched = false;
         keyBar.addEventListener('mousedown', e => {
+          if (keyBarTouched) { keyBarTouched = false; return; }
           const btn = e.target.closest('.key-btn');
-          if (btn) { e.preventDefault(); startRepeat(btn); }
+          if (btn && btn.dataset.key) { e.preventDefault(); startRepeat(btn); }
         });
         keyBar.addEventListener('mouseup', stopRepeat);
         keyBar.addEventListener('mouseleave', stopRepeat);
 
         keyBar.addEventListener('touchstart', e => {
+          keyBarTouched = true;
           const btn = e.target.closest('.key-btn');
-          if (btn) startRepeat(btn);
-        }, { passive: true });
-        keyBar.addEventListener('touchend', stopRepeat);
+          if (btn && btn.dataset.key) { e.preventDefault(); startRepeat(btn); }
+        }, { passive: false });
+        keyBar.addEventListener('touchend', (e) => {
+          const btn = e.target.closest('.key-btn');
+          if (btn && btn.dataset.key) e.preventDefault();
+          stopRepeat();
+        });
         keyBar.addEventListener('touchcancel', stopRepeat);
 
         keyBar.addEventListener('click', e => {
@@ -1679,6 +1758,7 @@
       function setupPaste() {
         const pasteOverlay = document.getElementById('paste-overlay');
         const pasteInput = document.getElementById('paste-input');
+        const pasteBtn = document.getElementById('paste-btn');
 
         function openPasteModal() {
           pasteInput.value = '';
@@ -1686,19 +1766,65 @@
           pasteInput.focus();
         }
 
-        document.getElementById('paste-btn').addEventListener('mousedown', e => e.preventDefault());
-        document.getElementById('paste-btn').addEventListener('click', () => {
+        async function handlePaste() {
+          // Try clipboard API for text first (most common), then images, then fallback to modal
           if (navigator.clipboard && navigator.clipboard.readText) {
-            navigator.clipboard.readText().then(text => {
-              const ms = managed.get(activeId);
-              if (text && ms && ms.ws && ms.ws.readyState === 1) {
-                ms.ws.send(JSON.stringify({ type: 'input', data: text }));
-                showToast('Pasted!');
+            try {
+              const text = await navigator.clipboard.readText();
+              if (text) {
+                const ms = managed.get(activeId);
+                if (ms && ms.ws && ms.ws.readyState === 1) {
+                  ms.ws.send(JSON.stringify({ type: 'input', data: text }));
+                  showToast('Pasted!');
+                }
+                return;
               }
-            }).catch(() => openPasteModal());
-          } else {
-            openPasteModal();
+            } catch (err) {
+              console.warn('clipboard.readText failed:', err.message);
+            }
+          }
+          // Image paste: try clipboard.read() only if readText didn't work
+          if (navigator.clipboard && navigator.clipboard.read) {
+            try {
+              const items = await navigator.clipboard.read();
+              for (const item of items) {
+                const imageType = item.types.find(t => t.startsWith('image/'));
+                if (imageType) {
+                  const blob = await item.getType(imageType);
+                  const res = await fetch('/api/upload', {
+                    method: 'POST',
+                    headers: { 'Content-Type': imageType },
+                    body: blob,
+                    credentials: 'same-origin',
+                  });
+                  if (!res.ok) throw new Error('Upload failed');
+                  const data = await res.json();
+                  const ms = managed.get(activeId);
+                  if (ms && ms.ws && ms.ws.readyState === 1) {
+                    ms.ws.send(JSON.stringify({ type: 'input', data: data.path + ' ' }));
+                    showToast('Image pasted: ' + data.path.split(/[/\\]/).pop());
+                  }
+                  return;
+                }
+              }
+            } catch (err) {
+              console.warn('clipboard.read failed:', err.message);
+            }
           }
+          openPasteModal();
+        }
+
+        // Use touchend directly for iOS Safari (click may not fire reliably)
+        let pasteTouched = false;
+        pasteBtn.addEventListener('touchend', (e) => {
+          e.preventDefault();
+          pasteTouched = true;
+          handlePaste();
+        });
+        pasteBtn.addEventListener('mousedown', e => e.preventDefault());
+        pasteBtn.addEventListener('click', () => {
+          if (pasteTouched) { pasteTouched = false; return; }
+          handlePaste();
         });
 
         document.getElementById('paste-send').addEventListener('click', () => {
@@ -1717,6 +1843,130 @@
         });
       }
 
+      // ===== Select Text Overlay =====
+      function setupSelectMode() {
+        const selectBtn = document.getElementById('select-btn');
+        const selectOverlay = document.getElementById('select-overlay');
+        const selectContent = document.getElementById('select-content');
+        const PAGE_SIZE = 200;
+        let allLines = [];
+        let loadedFrom = 0;
+
+        function renderLines(from, to) {
+          return allLines.slice(from, to).join('\n');
+        }
+
+        function openSelectOverlay() {
+          const ms = managed.get(activeId);
+          if (!ms) return;
+          const buf = ms.term.buffer.active;
+          allLines = [];
+          for (let i = 0; i < buf.length; i++) {
+            const line = buf.getLine(i);
+            if (line) allLines.push(line.translateToString(true));
+          }
+          // Trim trailing empty lines
+          while (allLines.length > 0 && allLines[allLines.length - 1].trim() === '') allLines.pop();
+
+          // Show last PAGE_SIZE lines
+          loadedFrom = Math.max(0, allLines.length - PAGE_SIZE);
+          selectContent.textContent = renderLines(loadedFrom, allLines.length);
+
+          // Show/hide "Load more" button
+          const loadMoreBtn = document.getElementById('select-load-more');
+          loadMoreBtn.style.display = loadedFrom > 0 ? 'block' : 'none';
+          loadMoreBtn.textContent = `▲ Load more (${loadedFrom} lines above)`;
+
+          // Show line count in title
+          const title = document.getElementById('select-title');
+          const shown = allLines.length - loadedFrom;
+          title.textContent = allLines.length <= PAGE_SIZE
+            ? `Copy Text (${allLines.length} lines)`
+            : `Copy Text (${shown}/${allLines.length} lines)`;
+
+          selectBtn.style.display = 'none';
+          selectOverlay.classList.add('visible');
+          selectContent.scrollTop = selectContent.scrollHeight;
+        }
+
+        document.getElementById('select-load-more').addEventListener('click', () => {
+          const prevHeight = selectContent.scrollHeight;
+          const newFrom = Math.max(0, loadedFrom - PAGE_SIZE);
+          const chunk = renderLines(newFrom, loadedFrom);
+          selectContent.textContent = chunk + '\n' + selectContent.textContent;
+          loadedFrom = newFrom;
+          // Keep scroll position stable
+          selectContent.scrollTop = selectContent.scrollHeight - prevHeight;
+          const loadMoreBtn = document.getElementById('select-load-more');
+          loadMoreBtn.style.display = loadedFrom > 0 ? 'block' : 'none';
+          loadMoreBtn.textContent = loadedFrom > 0 ? `▲ Load more (${loadedFrom} lines above)` : '';
+          // Update title
+          const title = document.getElementById('select-title');
+          const shown = allLines.length - loadedFrom;
+          title.textContent = `Copy Text (${shown}/${allLines.length} lines)`;
+        });
+
+        selectBtn.addEventListener('mousedown', e => e.preventDefault());
+        selectBtn.addEventListener('click', openSelectOverlay);
+
+        document.getElementById('select-copy').addEventListener('click', () => {
+          // Copy finger selection if any, otherwise copy all loaded text
+          const sel = window.getSelection();
+          const text = (sel && sel.toString()) ? sel.toString() : selectContent.textContent;
+          if (!text) return;
+          if (navigator.clipboard && navigator.clipboard.writeText) {
+            navigator.clipboard.writeText(text).then(() => showToast('Copied!')).catch(() => {
+              copyFallback(text);
+            });
+          } else {
+            copyFallback(text);
+          }
+        });
+
+        document.getElementById('select-close').addEventListener('click', () => {
+          selectOverlay.classList.remove('visible');
+          selectContent.textContent = '';
+          allLines = [];
+          selectBtn.style.display = '';
+          const ms = managed.get(activeId);
+          if (ms) ms.term.focus();
+        });
+      }
+
+      // ===== Image Paste =====
+      function setupImagePaste() {
+        document.addEventListener('paste', async (e) => {
+          const items = e.clipboardData && e.clipboardData.items;
+          if (!items) return;
+
+          for (const item of items) {
+            if (item.type.startsWith('image/')) {
+              e.preventDefault();
+              const blob = item.getAsFile();
+              if (!blob) return;
+
+              try {
+                const res = await fetch('/api/upload', {
+                  method: 'POST',
+                  headers: { 'Content-Type': item.type },
+                  body: blob,
+                });
+                if (!res.ok) throw new Error('Upload failed');
+                const data = await res.json();
+                const ms = managed.get(activeId);
+                if (ms && ms.ws && ms.ws.readyState === 1) {
+                  ms.ws.send(JSON.stringify({ type: 'input', data: data.path + ' ' }));
+                  showToast('Image pasted: ' + data.path.split(/[/\\]/).pop());
+                }
+              } catch (err) {
+                showToast('Image paste failed');
+              }
+              return;
+            }
+          }
+        });
+      }
+
       // ===== New Session Modal =====
       let shellsLoaded = false;
 
@@ -1755,9 +2005,10 @@
         const nsBrowserBreadcrumb = document.getElementById('ns-browser-breadcrumb');
         const nsBrowserPath = document.getElementById('ns-browser-path');
         let nsBrowsePath = '/';
+        let serverCwd = '/';
 
         document.getElementById('ns-browse-btn').addEventListener('click', () => {
-          const initial = nsCwdInput.value.trim() || '/';
+          const initial = nsCwdInput.value.trim() || serverCwd;
           nsBrowseNavigate(initial);
           nsBrowserOverlay.classList.add('visible');
         });
@@ -1782,11 +2033,17 @@
           try {
             const res = await fetch(`/api/dirs?q=${encodeURIComponent(dir + '/')}`);
             const data = await res.json();
-            if (!data.dirs.length) {
-              nsBrowserList.innerHTML = '<div class="browser-empty">No subfolders</div>';
-              return;
+            let items = '';
+            // Add parent (..) entry unless at root
+            const parent = dir.replace(/[/\\][^/\\]+$/, '') || (dir.includes('\\') ? dir.match(/^[A-Za-z]:\\/)?.[0] : '/');
+            if (parent && parent !== dir) {
+              items += `<div class="folder-item" data-path="${escAttr(parent)}">
+                <span class="folder-icon">📁</span>
+                <span class="folder-name">..</span>
+                <span class="folder-arrow">›</span>
+              </div>`;
             }
-            nsBrowserList.innerHTML = data.dirs.map(d => {
+            items += data.dirs.map(d => {
               const name = d.split(/[/\\]/).pop();
               return `<div class="folder-item" data-path="${escAttr(d)}">
                 <span class="folder-icon">📁</span>
@@ -1794,6 +2051,7 @@
                 <span class="folder-arrow">›</span>
               </div>`;
             }).join('');
+            nsBrowserList.innerHTML = items || '<div class="browser-empty">No subfolders</div>';
             nsBrowserList.querySelectorAll('.folder-item').forEach(el => {
               el.addEventListener('click', () => nsBrowseNavigate(el.dataset.path));
             });
@@ -1804,13 +2062,15 @@
         }
 
         function nsBrowseRenderBreadcrumb(dir) {
-          const parts = dir.split('/').filter(Boolean);
-          let html = `<button class="crumb" data-path="/">/</button>`;
-          let accumulated = '';
+          const sep = dir.includes('\\') ? '\\' : '/';
+          const parts = dir.split(/[/\\]/).filter(Boolean);
+          const isWindows = /^[A-Za-z]:/.test(dir);
+          let html = isWindows ? '' : `<button class="crumb" data-path="/">/</button>`;
+          let accumulated = isWindows ? '' : '';
           parts.forEach((part, i) => {
-            accumulated += '/' + part;
+            accumulated += (i === 0 && isWindows ? '' : sep) + part;
             const isCurrent = i === parts.length - 1;
-            html += `<span class="crumb-sep">›</span>`;
+            if (i > 0 || isWindows) html += `<span class="crumb-sep">›</span>`;
             html += `<button class="crumb${isCurrent ? ' current' : ''}" data-path="${escAttr(accumulated)}">${esc(part)}</button>`;
           });
           nsBrowserBreadcrumb.innerHTML = html;
@@ -1826,6 +2086,10 @@
         const sel = document.getElementById('ns-shell');
         try {
           const data = await fetch('/api/shells').then(r => r.json());
+          if (data.cwd) {
+            serverCwd = data.cwd;
+            document.getElementById('ns-cwd').placeholder = data.cwd;
+          }
           sel.innerHTML = data.shells.map(s =>
             '<option value="' + escAttr(s.cmd) + '"' + (s.cmd === data.default ? ' selected' : '') + '>'
             + esc(s.name) + ' (' + esc(s.cmd) + ')</option>'
@@ -1913,6 +2177,7 @@
                     statusText.textContent = '';
                     statusDot.className = '';
                     document.getElementById('stop-btn').style.display = 'none';
+                    reconnectOverlay.classList.remove('visible');
                   }
                 }
               }

package/src/auth.js

@@ -107,6 +107,7 @@ function createAuth(password) {
     const attempts = authAttempts.get(ip) || [];
     const recent = attempts.filter((t) => now - t < window);
     if (recent.length >= maxAttempts) {
+      console.warn(`[termbeam] Auth: rate limit exceeded for ${ip}`);
       return res.status(429).json({ error: 'Too many attempts. Try again later.' });
     }
     recent.push(now);

package/src/cli.js

@@ -11,19 +11,26 @@ Usage:
 
 Options:
   --password <pw>       Set access password (or TERMBEAM_PASSWORD env var)
-  --generate-password   Auto-generate a secure password
-  --tunnel              Create a public devtunnel URL (ephemeral)
+  --generate-password   Auto-generate a secure password (default: auto)
+  --no-password         Disable password authentication
+  --tunnel              Create a public devtunnel URL (default: on)
+  --no-tunnel           Disable tunnel (LAN-only mode)
   --persisted-tunnel    Create a reusable devtunnel URL (stable across restarts)
   --port <port>         Set port (default: 3456, or PORT env var)
   --host <addr>         Bind address (default: 0.0.0.0)
   -h, --help            Show this help
   -v, --version         Show version
 
+Defaults:
+  By default, TermBeam enables tunnel + auto-generated password for secure
+  mobile access (clipboard, HTTPS). Use --no-tunnel for LAN-only mode.
+
 Examples:
-  termbeam                          Start with default shell
-  termbeam --password secret        Start with password auth
-  termbeam --generate-password      Start with auto-generated password
-  termbeam --tunnel --password pw   Start with public tunnel
+  termbeam                          Start with tunnel + auto password
+  termbeam --no-tunnel              LAN-only, no tunnel
+  termbeam --no-tunnel --no-password  LAN-only, no auth (local use)
+  termbeam --password secret        Start with specific password
+  termbeam --persisted-tunnel       Stable tunnel URL across restarts
   termbeam /bin/bash                Use bash instead of default shell
 
 Environment:
@@ -146,8 +153,10 @@ function parseArgs() {
   const defaultShell = getDefaultShell();
   const cwd = process.env.TERMBEAM_CWD || process.env.PTY_CWD || process.cwd();
   let password = process.env.TERMBEAM_PASSWORD || process.env.PTY_PASSWORD || null;
-  let useTunnel = false;
+  let useTunnel = true;
+  let noTunnel = false;
   let persistedTunnel = false;
+  let explicitPassword = !!password;
 
   const args = process.argv.slice(2);
   const filteredArgs = [];
@@ -155,13 +164,17 @@ function parseArgs() {
   for (let i = 0; i < args.length; i++) {
     if (args[i] === '--password' && args[i + 1]) {
       password = args[++i];
+      explicitPassword = true;
     } else if (args[i] === '--tunnel') {
       useTunnel = true;
+    } else if (args[i] === '--no-tunnel') {
+      noTunnel = true;
     } else if (args[i] === '--persisted-tunnel') {
       useTunnel = true;
       persistedTunnel = true;
     } else if (args[i].startsWith('--password=')) {
       password = args[i].split('=')[1];
+      explicitPassword = true;
     } else if (args[i] === '--help' || args[i] === '-h') {
       printHelp();
       process.exit(0);
@@ -171,7 +184,10 @@ function parseArgs() {
       process.exit(0);
     } else if (args[i] === '--generate-password') {
       password = crypto.randomBytes(16).toString('base64url');
-      console.log(`Generated password: ${password}`);
+      explicitPassword = true;
+    } else if (args[i] === '--no-password') {
+      password = null;
+      explicitPassword = true;
     } else if (args[i] === '--port' && args[i + 1]) {
       port = parseInt(args[++i], 10);
     } else if (args[i] === '--host' && args[i + 1]) {
@@ -181,6 +197,14 @@ function parseArgs() {
     }
   }
 
+  // Default: auto-generate password if none specified
+  if (!explicitPassword && !password) {
+    password = crypto.randomBytes(16).toString('base64url');
+  }
+
+  // --no-tunnel disables the default tunnel
+  if (noTunnel) useTunnel = false;
+
   const shell = filteredArgs[0] || defaultShell;
   const shellArgs = filteredArgs.slice(1);
 

package/src/routes.js

@@ -1,6 +1,7 @@
 const path = require('path');
 const os = require('os');
 const fs = require('fs');
+const crypto = require('crypto');
 const express = require('express');
 const { detectShells } = require('./shells');
 
@@ -27,8 +28,10 @@ function setupRoutes(app, { auth, sessions, config }) {
         maxAge: 24 * 60 * 60 * 1000,
         secure: false,
       });
+      console.log(`[termbeam] Auth: login success from ${req.ip}`);
       res.json({ ok: true });
     } else {
+      console.warn(`[termbeam] Auth: login failed from ${req.ip}`);
       res.status(401).json({ error: 'wrong password' });
     }
   });
@@ -66,7 +69,7 @@ function setupRoutes(app, { auth, sessions, config }) {
   // Available shells
   app.get('/api/shells', auth.middleware, (_req, res) => {
     const shells = detectShells();
-    res.json({ shells, default: config.defaultShell });
+    res.json({ shells, default: config.defaultShell, cwd: config.cwd });
   });
 
   app.delete('/api/sessions/:id', auth.middleware, (req, res) => {
@@ -89,11 +92,64 @@ function setupRoutes(app, { auth, sessions, config }) {
     }
   });
 
+  // Image upload
+  app.post('/api/upload', auth.middleware, (req, res) => {
+    const contentType = req.headers['content-type'] || '';
+    if (!contentType.startsWith('image/')) {
+      console.warn(`[termbeam] Upload rejected: invalid content-type "${contentType}"`);
+      return res.status(400).json({ error: 'Invalid content type' });
+    }
+
+    const chunks = [];
+    let size = 0;
+    let aborted = false;
+    const limit = 10 * 1024 * 1024;
+
+    req.on('data', (chunk) => {
+      if (aborted) return;
+      size += chunk.length;
+      if (size > limit) {
+        aborted = true;
+        console.warn(`[termbeam] Upload rejected: file too large (${size} bytes)`);
+        res.status(413).json({ error: 'File too large' });
+        req.resume(); // drain remaining data
+        return;
+      }
+      chunks.push(chunk);
+    });
+
+    req.on('end', () => {
+      if (aborted) return;
+      const buffer = Buffer.concat(chunks);
+      if (!buffer.length) {
+        return res.status(400).json({ error: 'No image data' });
+      }
+      const ext = {
+        'image/png': '.png',
+        'image/jpeg': '.jpg',
+        'image/gif': '.gif',
+        'image/webp': '.webp',
+        'image/bmp': '.bmp',
+      }[contentType] || '.png';
+      const filename = `termbeam-${crypto.randomUUID()}${ext}`;
+      const filepath = path.join(os.tmpdir(), filename);
+      fs.writeFileSync(filepath, buffer);
+      console.log(`[termbeam] Upload: ${filename} (${buffer.length} bytes)`);
+      res.json({ path: filepath });
+    });
+
+    req.on('error', (err) => {
+      console.error(`[termbeam] Upload error: ${err.message}`);
+      res.status(500).json({ error: 'Upload failed' });
+    });
+  });
+
   // Directory listing for folder browser
   app.get('/api/dirs', auth.middleware, (req, res) => {
-    const query = req.query.q || os.homedir();
-    const dir = query.endsWith('/') ? query : path.dirname(query);
-    const prefix = query.endsWith('/') ? '' : path.basename(query);
+    const query = req.query.q || (config.cwd + path.sep);
+    const endsWithSep = query.endsWith('/') || query.endsWith('\\');
+    const dir = endsWithSep ? query : path.dirname(query);
+    const prefix = endsWithSep ? '' : path.basename(query);
 
     try {
       const entries = fs.readdirSync(dir, { withFileTypes: true });

package/src/server.js

@@ -26,13 +26,14 @@ app.use(cookieParser());
 app.use((_req, res, next) => {
   res.setHeader('X-Content-Type-Options', 'nosniff');
   res.setHeader('X-Frame-Options', 'DENY');
-  res.setHeader('X-XSS-Protection', '1; mode=block');
   res.setHeader('Referrer-Policy', 'no-referrer');
+  res.setHeader('Cache-Control', 'no-store');
+  res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; connect-src 'self' ws: wss:; font-src 'self' https://cdn.jsdelivr.net");
   next();
 });
 
 const server = http.createServer(app);
-const wss = new WebSocketServer({ server, path: '/ws' });
+const wss = new WebSocketServer({ server, path: '/ws', maxPayload: 1 * 1024 * 1024 });
 
 setupRoutes(app, { auth, sessions, config });
 setupWebSocket(wss, { auth, sessions });
@@ -105,32 +106,37 @@ server.listen(config.port, config.host, async () => {
   console.log('');
   console.log(`  Beam your terminal to any device 📡  v${config.version}`);
   console.log('');
-  console.log(`  Local:    http://localhost:${config.port}`);
   const isLanReachable = config.host === '0.0.0.0' || config.host === '::' || config.host === ip;
-  if (isLanReachable) {
-    console.log(`  LAN:      ${localUrl}`);
-  }
-  console.log(`  Shell:    ${config.shell}`);
-  console.log(`  Session:  ${defaultId}`);
   const gn = '\x1b[38;5;114m'; // green
-  console.log(`  Auth:     ${config.password ? `${gn}🔒 password${rs}` : '🔓 none'}`);
+  const dm = '\x1b[2m'; // dim
 
   let publicUrl = null;
   if (config.useTunnel) {
     const tunnel = await startTunnel(config.port, { persisted: config.persistedTunnel });
     if (tunnel) {
       publicUrl = tunnel.url;
-      console.log('');
-      console.log(`  🌐 Public:  ${publicUrl}`);
-      console.log(`  Tunnel:   ${tunnel.mode} (expires in ${tunnel.expiry})`);
     } else {
-      console.log('');
       console.log('  ⚠️  Tunnel failed to start. Using LAN only.');
     }
   }
 
+  console.log(`  Shell:    ${config.shell}`);
+  console.log(`  Session:  ${defaultId}`);
+  console.log(`  Auth:     ${config.password ? `${gn}🔒 password${rs}` : '🔓 none'}`);
+  console.log('');
+
+  if (publicUrl) {
+    console.log(`  🌐 Public:  ${publicUrl}`);
+  }
+  console.log(`  Local:    http://localhost:${config.port}`);
+  if (isLanReachable) {
+    console.log(`  LAN:      ${localUrl}`);
+  }
+
   const qrUrl = publicUrl || (isLanReachable ? localUrl : `http://localhost:${config.port}`);
   console.log('');
+  console.log(`  ${dm}📋 Clipboard requires HTTPS — use the Public or localhost URL${rs}`);
+  console.log('');
   try {
     const qr = await QRCode.toString(qrUrl, { type: 'terminal', small: true });
     console.log(qr);

package/src/sessions.js

@@ -82,6 +82,7 @@ class SessionManager {
   delete(id) {
     const s = this.sessions.get(id);
     if (!s) return false;
+    console.log(`[termbeam] Session "${s.name}" deleted (id=${id})`);
     s.pty.kill();
     return true;
   }

package/src/tunnel.js

@@ -173,7 +173,8 @@ async function startTunnel(port, options = {}) {
       hostProc.stderr.on('data', (data) => {
         output += data.toString();
       });
-      hostProc.on('error', () => {
+      hostProc.on('error', (err) => {
+        console.error(`[termbeam] Tunnel process error: ${err.message}`);
         clearTimeout(timeout);
         resolve(null);
       });

package/src/websocket.js

@@ -35,7 +35,9 @@ function setupWebSocket(wss, { auth, sessions }) {
           if (msg.password === auth.password || auth.validateToken(msg.token)) {
             authenticated = true;
             ws.send(JSON.stringify({ type: 'auth_ok' }));
+            console.log('[termbeam] WS: auth success');
           } else {
+            console.warn('[termbeam] WS: auth failed');
             ws.send(JSON.stringify({ type: 'error', message: 'Unauthorized' }));
             ws.close();
           }
@@ -52,6 +54,7 @@ function setupWebSocket(wss, { auth, sessions }) {
           const session = sessions.get(msg.sessionId);
           if (!session) {
             ws.send(JSON.stringify({ type: 'error', message: 'Session not found' }));
+            console.warn(`[termbeam] WS: attach failed — session ${msg.sessionId} not found`);
             return;
           }
           attached = session;
@@ -76,8 +79,8 @@ function setupWebSocket(wss, { auth, sessions }) {
             recalcPtySize(attached);
           }
         }
-      } catch {
-        if (attached) attached.pty.write(raw.toString());
+      } catch (err) {
+        console.warn('WS: dropped unparseable message:', err.message);
       }
     });