termbeam 1.14.5 → 1.14.6

package/README.md

@@ -109,8 +109,7 @@ flowchart LR
 | `--port <port>`       | Server port                                     | `3456`         |
 | `--host <addr>`       | Bind address                                    | `127.0.0.1`    |
 | `--lan`               | Bind to all interfaces (LAN access)             | Off            |
-| `--public`            | Public tunnel access (default)                  | On             |
-| `--private`           | Require Microsoft login for tunnel access       | Off            |
+| `--public`            | Allow public tunnel access (no Microsoft login) | Off            |
 | `-i, --interactive`   | Interactive setup wizard                        | Off            |
 | `--log-level <level>` | Log verbosity (error/warn/info/debug)           | `info`         |
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.14.5",
+  "version": "1.14.6",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server/index.js",
   "bin": {

package/src/cli/index.js

@@ -25,10 +25,10 @@ Options:
   --password <pw>       Set access password (or TERMBEAM_PASSWORD env var)
   --generate-password   Auto-generate a secure password (default: auto)
   --no-password         Disable password authentication
-  --tunnel              Create a devtunnel URL (default: on, public access)
+  --tunnel              Create a devtunnel URL (default: on, private access)
   --no-tunnel           Disable tunnel (LAN-only mode)
   --persisted-tunnel    Create a reusable devtunnel URL (stable across restarts)
-  --private             Require Microsoft login to access the tunnel (owner-only)
+  --public              Allow public tunnel access (default: private, owner-only)
   --port <port>         Set port (default: 3456, or PORT env var)
   --host <addr>         Bind address (default: 127.0.0.1)
   --lan                 Bind to 0.0.0.0 (allow LAN access, default: localhost only)
@@ -40,9 +40,9 @@ Options:
 
 Defaults:
   By default, TermBeam enables tunnel + auto-generated password for secure
-  mobile access (clipboard, HTTPS). Tunnels are public (anonymous) — TermBeam's
-  own password auth protects your terminal. Use --private for owner-only access
-  via Microsoft login, or --no-tunnel for LAN-only mode.
+  mobile access (clipboard, HTTPS). Tunnels are private (owner-only via
+  Microsoft login). Use --public for public access, or
+  --no-tunnel for LAN-only mode.
 
 Examples:
   termbeam                          Start with tunnel + auto password
@@ -249,7 +249,7 @@ function parseArgs() {
   let useTunnel = true;
   let noTunnel = false;
   let persistedTunnel = false;
-  let privateTunnel = false;
+  let publicTunnel = false;
   let interactive = false;
   let force = false;
   let explicitPassword = !!password;
@@ -268,10 +268,8 @@ function parseArgs() {
     } else if (args[i] === '--persisted-tunnel') {
       useTunnel = true;
       persistedTunnel = true;
-    } else if (args[i] === '--private') {
-      privateTunnel = true;
     } else if (args[i] === '--public') {
-      // no-op: public is now the default; kept for backwards compatibility
+      publicTunnel = true;
     } else if (args[i].startsWith('--password=')) {
       password = args[i].split('=')[1];
       if (!password) {
@@ -334,24 +332,24 @@ function parseArgs() {
   // --no-tunnel disables the default tunnel
   if (noTunnel) useTunnel = false;
 
-  // --private requires a tunnel
-  if (privateTunnel && !useTunnel) {
+  // --public requires a tunnel
+  if (publicTunnel && !useTunnel) {
     const rd = '\x1b[31m';
     const rs = '\x1b[0m';
-    log.error('--private requires a tunnel');
+    log.error('--public requires a tunnel');
     console.error(
-      `${rd}Error: --private requires a tunnel. Remove --no-tunnel or remove --private.${rs}`,
+      `${rd}Error: --public requires a tunnel. Remove --no-tunnel or remove --public.${rs}`,
     );
     process.exit(1);
   }
 
-  // Public tunnels (default) require password authentication
-  if (useTunnel && !privateTunnel && !password) {
+  // --public requires password authentication
+  if (publicTunnel && !password) {
     const rd = '\x1b[31m';
     const rs = '\x1b[0m';
     log.error('Public tunnels require password authentication');
     console.error(
-      `${rd}Error: Public tunnels require password authentication. Remove --no-password or add --private.${rs}`,
+      `${rd}Error: Public tunnels require password authentication. Remove --no-password or remove --public.${rs}`,
     );
     process.exit(1);
   }
@@ -368,7 +366,7 @@ function parseArgs() {
     password,
     useTunnel,
     persistedTunnel,
-    privateTunnel,
+    publicTunnel,
     shell,
     shellArgs,
     cwd,
@@ -380,7 +378,7 @@ function parseArgs() {
   };
 
   log.debug(
-    `Config: port=${port}, host=${host}, shell=${shell}, tunnel=${useTunnel}, persisted=${persistedTunnel}, private=${privateTunnel}`,
+    `Config: port=${port}, host=${host}, shell=${shell}, tunnel=${useTunnel}, persisted=${persistedTunnel}, public=${publicTunnel}`,
   );
 
   return config;

package/src/cli/interactive.js

@@ -58,7 +58,7 @@ async function runInteractiveSetup(baseConfig) {
     password: baseConfig.password,
     useTunnel: baseConfig.useTunnel,
     persistedTunnel: baseConfig.persistedTunnel,
-    privateTunnel: baseConfig.privateTunnel,
+    publicTunnel: baseConfig.publicTunnel,
     shell: baseConfig.shell,
     shellArgs: baseConfig.shellArgs,
     cwd: baseConfig.cwd,
@@ -153,18 +153,19 @@ async function runInteractiveSetup(baseConfig) {
     showProgress(2);
     const publicChoice = await choose(rl, 'Tunnel access:', [
       {
-        label: 'Public',
-        hint: 'Anonymous access — TermBeam password protects your terminal (recommended)',
+        label: 'Private (owner-only)',
+        hint: 'Only the Microsoft account that created the tunnel can access it',
       },
       {
-        label: 'Private (owner-only)',
-        hint: 'Requires Microsoft login to reach the tunnel — adds extra auth layer',
+        label: 'Public',
+        hint: '🚨 No Microsoft login — anyone with the URL can reach your terminal',
+        danger: true,
       },
     ]);
-    config.privateTunnel = publicChoice.index === 1;
+    config.publicTunnel = publicChoice.index === 1;
 
     // Auto-generate password if public tunnel with no password
-    if (!config.privateTunnel && !config.password) {
+    if (config.publicTunnel && !config.password) {
       console.log(yellow('  ⚠ Public tunnels require password authentication.'));
       config.password = crypto.randomBytes(16).toString('base64url');
       process.stdout.write(dim(`  Auto-generated password: ${config.password}`) + '\n');
@@ -177,22 +178,22 @@ async function runInteractiveSetup(baseConfig) {
     config.host = '0.0.0.0';
     config.useTunnel = false;
     config.persistedTunnel = false;
-    config.privateTunnel = false;
+    config.publicTunnel = false;
   } else {
     // Localhost only
     config.host = '127.0.0.1';
     config.useTunnel = false;
     config.persistedTunnel = false;
-    config.privateTunnel = false;
+    config.publicTunnel = false;
   }
 
   const accessLabel = !config.useTunnel
     ? config.host === '0.0.0.0'
       ? 'LAN (0.0.0.0)'
       : 'Localhost only'
-    : config.privateTunnel
-      ? 'DevTunnel (private)'
-      : 'DevTunnel (public)';
+    : config.publicTunnel
+      ? 'DevTunnel (public)'
+      : 'DevTunnel (private)';
   log.debug(`Access mode selected: ${accessLabel}`);
   decisions.push({ label: 'Access', value: accessLabel });
 
@@ -225,7 +226,7 @@ async function runInteractiveSetup(baseConfig) {
   console.log(`  Tunnel:        ${config.useTunnel ? cyan('enabled') : yellow('disabled')}`);
   if (config.useTunnel) {
     console.log(`  Persisted:     ${config.persistedTunnel ? cyan('yes') : dim('no')}`);
-    console.log(`  Public:        ${config.privateTunnel ? dim('no (private)') : cyan('yes')}`);
+    console.log(`  Public:        ${config.publicTunnel ? yellow('yes') : dim('no')}`);
   }
   console.log(`  Shell:         ${cyan(config.shell || 'default')}`);
   console.log(`  Directory:     ${cyan(config.cwd)}`);
@@ -246,7 +247,7 @@ async function runInteractiveSetup(baseConfig) {
     if (config.host === '0.0.0.0') cmdParts.push('--lan');
   } else {
     if (config.persistedTunnel) cmdParts.push('--persisted-tunnel');
-    if (config.privateTunnel) cmdParts.push('--private');
+    if (config.publicTunnel) cmdParts.push('--public');
   }
   if (config.logLevel !== 'info') cmdParts.push('--log-level', config.logLevel);
   const cliCommand = cmdParts.join(' ');

package/src/cli/service.js

@@ -80,8 +80,8 @@ function buildArgs(config) {
   if (config.persistedTunnel) {
     args.push('--persisted-tunnel');
   }
-  if (config.privateTunnel) {
-    args.push('--private');
+  if (config.publicTunnel) {
+    args.push('--public');
   }
   if (config.logLevel && config.logLevel !== 'info') {
     args.push('--log-level', config.logLevel);
@@ -290,17 +290,18 @@ async function actionInstall() {
     // Re-render step to clear the previous menu before showing sub-question
     showProgress(3);
     const publicChoice = await choose(rl, 'Tunnel access:', [
-      {
-        label: 'Public (anyone with the link)',
-        hint: 'Anonymous access — TermBeam password protects your terminal (recommended)',
-      },
       {
         label: 'Private (requires Microsoft login)',
         hint: 'Only you can access the tunnel — secured via your Microsoft account',
       },
+      {
+        label: 'Public (anyone with the link)',
+        hint: '🚨 Anyone with the URL can reach your terminal — password is the only protection',
+        danger: true,
+      },
     ]);
-    config.privateTunnel = publicChoice.index === 1;
-    if (!config.privateTunnel && config.password === false) {
+    config.publicTunnel = publicChoice.index === 1;
+    if (config.publicTunnel && config.password === false) {
       console.log(yellow('  ⚠ Public tunnels require password authentication.'));
       config.password = crypto.randomBytes(16).toString('base64url');
       process.stdout.write(dim(`  Auto-generated password: ${config.password}`) + '\n');
@@ -318,9 +319,9 @@ async function actionInstall() {
     ? config.lan
       ? 'LAN (0.0.0.0)'
       : 'Localhost only'
-    : config.privateTunnel
-      ? 'DevTunnel (private)'
-      : 'DevTunnel (public)';
+    : config.publicTunnel
+      ? 'DevTunnel (public)'
+      : 'DevTunnel (private)';
   decisions.push({ label: 'Access', value: accessLabel });
 
   // Working directory
@@ -367,7 +368,7 @@ async function actionInstall() {
   console.log(`  Tunnel:        ${config.noTunnel ? yellow('disabled') : cyan('enabled')}`);
   if (!config.noTunnel) {
     console.log(`  Persisted:     ${config.persistedTunnel ? cyan('yes') : dim('no')}`);
-    console.log(`  Public:        ${config.privateTunnel ? yellow('no (private)') : dim('yes')}`);
+    console.log(`  Public:        ${config.publicTunnel ? yellow('yes') : dim('no')}`);
   }
   console.log(`  Directory:     ${cyan(config.cwd)}`);
   console.log(`  Shell:         ${cyan(config.shell || 'default')}`);

package/src/server/index.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 const os = require('os');
 const path = require('path');
+const readline = require('readline');
 const express = require('express');
 const cookieParser = require('cookie-parser');
 const http = require('http');
@@ -17,6 +18,7 @@ const { createPreviewProxy } = require('./preview');
 const { writeConnectionConfig, removeConnectionConfig } = require('../cli/resume');
 const { checkForUpdate, detectInstallMethod } = require('../utils/update-check');
 
+// --- Helpers ---
 function getLocalIP() {
   const interfaces = os.networkInterfaces();
   for (const name of Object.keys(interfaces)) {
@@ -27,6 +29,16 @@ function getLocalIP() {
   return '127.0.0.1';
 }
 
+function confirmPublicTunnel() {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question('  Do you want to continue with public access? (y/N): ', (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase() === 'y');
+    });
+  });
+}
+
 /**
  * Create a TermBeam server instance without starting it.
  * @param {object} [overrides] - Optional overrides
@@ -128,13 +140,26 @@ function createTermBeamServer(overrides = {}) {
       }
     }
 
-    // Warn about private tunnel access when --private flag is used
-    if (config.useTunnel && config.privateTunnel) {
+    // Warn and require consent for public tunnel access
+    if (config.useTunnel && config.publicTunnel) {
+      const rd = '\x1b[31m';
       const yl = '\x1b[33m';
       const rs = '\x1b[0m';
+      const bd = '\x1b[1m';
+      console.log('');
+      console.log(`  ${rd}${bd}⚠️  DANGER: Public tunnel access requested${rs}`);
       console.log('');
-      console.log(`  ${yl}ℹ️  Private tunnel: Microsoft login required to access the tunnel.${rs}`);
+      console.log(`  ${yl}This will make your terminal accessible to ANYONE with the URL.${rs}`);
+      console.log(`  ${yl}No Microsoft login will be required to reach the tunnel.${rs}`);
+      console.log(`  ${yl}Only the TermBeam password will protect your terminal.${rs}`);
       console.log('');
+      const confirmed = await confirmPublicTunnel();
+      if (!confirmed) {
+        console.log('');
+        console.log('  Aborted. Restart without --public for private access.');
+        console.log('');
+        process.exit(1);
+      }
     }
 
     return new Promise((resolve) => {
@@ -204,7 +229,7 @@ function createTermBeamServer(overrides = {}) {
         if (config.useTunnel) {
           const tunnel = await startTunnel(actualPort, {
             persisted: config.persistedTunnel,
-            private: config.privateTunnel,
+            anonymous: config.publicTunnel,
           });
           if (tunnel) {
             publicUrl = tunnel.url;

package/src/tunnel/index.js

@@ -234,16 +234,8 @@ async function startTunnel(port, options = {}) {
         { stdio: 'pipe' },
       );
     } catch {}
-    // Set tunnel access: public (anonymous, default) or private (owner-only via Microsoft login)
-    if (options.private) {
-      // Remove any existing anonymous access to ensure the tunnel is private
-      try {
-        execFileSync(devtunnelCmd, ['access', 'reset', tunnelId], {
-          stdio: 'pipe',
-        });
-      } catch {}
-      log.info('Tunnel access: private (owner-only via Microsoft login)');
-    } else {
+    // Set tunnel access: public (anonymous) or private (owner-only via Microsoft login)
+    if (options.anonymous) {
       try {
         execFileSync(
           devtunnelCmd,
@@ -252,6 +244,14 @@ async function startTunnel(port, options = {}) {
         );
       } catch {}
       log.info('Tunnel access: public (anonymous)');
+    } else {
+      // Remove any existing anonymous access to ensure the tunnel is private
+      try {
+        execFileSync(devtunnelCmd, ['access', 'reset', tunnelId], {
+          stdio: 'pipe',
+        });
+      } catch {}
+      log.info('Tunnel access: private (owner-only via Microsoft login)');
     }
 
     const hostProc = spawn(devtunnelCmd, ['host', tunnelId], {