feat: remote-control feature for browser-based CLI interaction#48

Status: Open
BingqingLyu wants to merge 1 commit into main from fork-pr-2330-feature-remote-control

Conversation

BingqingLyu (Owner) commented Apr 27, 2026
Features Implemented

Core Functionality

  • HTTP + WebSocket server for real-time bidirectional communication
  • Web-based UI accessible at http://localhost:7373/
  • Token-based authentication with cryptographically secure tokens (64 hex chars)
  • Real-time message synchronization between CLI and browser
  • QR code display for easy mobile connection (via qrcode-terminal)

Security Features

  • Rate limiting: Max 5 auth attempts per minute per IP
  • Connection limits: Max 5 concurrent connections
  • Message size validation: Max 1MB per WebSocket message
  • Idle timeout: 30-minute session timeout for inactive connections
  • HTML sanitization: XSS prevention via explicit character escaping
  • Security headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection
  • Token transmission via WebSocket messages (not URL parameters)
  • WSS support option for encrypted connections

User Interface

  • Clean, modern web UI with gradient background
  • Security warning banner for non-encrypted connections
  • Real-time connection status indicator
  • Token display with copy-friendly formatting
  • WebSocket connection status (Connecting → Connected)
  • Message area showing conversation history
  • Input field for sending messages to CLI

CLI Integration

  • Slash command: /remote-control
  • CLI subcommand: qwen remote-control
  • Custom options: --port, --host, --name, --stop
  • Clear startup messages with connection details
  • Graceful shutdown on Ctrl+C

Files Added

  • docs/remote-control.md - User documentation
  • packages/cli/src/remote-control/types.ts - Protocol type definitions
  • packages/cli/src/remote-control/server/RemoteControlServer.ts - Server implementation
  • packages/cli/src/remote-control/server/RemoteControlServer.test.ts - Unit tests
  • packages/cli/src/remote-control/utils/htmlSanitizer.ts - Security utilities
  • packages/cli/src/remote-control/index.ts - Module exports
  • packages/cli/src/commands/remote-control/index.ts - CLI subcommand
  • packages/cli/src/ui/commands/remoteControlCommand.ts - Slash command

Files Modified

  • packages/cli/package.json - Added ws, @types/ws dependencies
  • packages/cli/src/config/config.ts - Registered remote-control subcommand
  • packages/cli/src/services/BuiltinCommandLoader.ts - Registered slash command

Known Limitations

Current Limitations (Intentional)

  1. Local-only by default: Server binds to localhost for security
  2. No encryption by default: Uses plain WS; WSS must be explicitly enabled
  3. Single session: Only one CLI session can be controlled at a time
  4. No file uploads: Cannot upload files through web interface
  5. Limited tool execution: Some CLI tools require local terminal access

Future Enhancements (Not Implemented)

  1. Mobile app integration: No dedicated mobile app (web UI is responsive)
  2. Public relay: No external relay server (like claude.ai/code)
  3. Access control lists: No IP whitelisting/blacklisting
  4. Session revocation: Cannot kick specific connected clients
  5. Audit logging: No security event logging
  6. Metrics/monitoring: No Prometheus-style metrics endpoint
  7. Token rotation: Tokens don't rotate during session lifetime
  8. Multi-factor auth: Single token authentication only

Security Considerations

Production Deployment Requirements

Before deploying to production or internet-facing environments:

  • Enable WSS (WebSocket Secure) - set secure: true in config
  • Configure firewall rules to restrict access
  • Consider implementing IP whitelisting
  • Enable audit logging for security events
  • Set up monitoring for connection metrics
  • Define token rotation policy
  • Create incident response plan for compromised tokens

Recommended Use Cases

Safe to use:

  • Local development (localhost only)
  • Trusted internal networks
  • Second screen monitoring
  • Screen sharing alternative

⚠️ Use with caution:

  • External network access (requires WSS)
  • Public internet exposure (requires additional security measures)

Not recommended without additional security:

  • Production environments without WSS
  • Public networks without firewall rules
  • Sensitive/confidential work without encryption

Testing

All tests pass:

```shell
# Unit tests
bun test packages/cli/src/remote-control/server/RemoteControlServer.test.ts

# UX flow test
node test-ux-flow.js

# Manual testing
node test-remote-control-launcher.js
```

Related Issues

Fixes: QwenLM#1946 (Request remote-control Feature)

Addresses PR QwenLM#2330 security review comments:
- Remove auth token from HTML page source
- Remove token from QR code URL (sent via WS message instead)
- Fix rate limit IP bypass (store clientIp at connection time)
- Add proxy-aware IP detection (X-Forwarded-For, X-Real-IP)
- Validate Host header before URL construction
- Fix /remote-control stop unreachable
- Fix ESM require.main usage
- Remove misleading secure flag (always ws:// until TLS)
- Remove token from /api/connect and /api/qr-data endpoints
- Add missing ws dependency
- Remove unused '/' from htmlEscapes mapping
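As an added example (not code from this PR or from the qwen-code project), the following TypeScript sketch shows three of the review fixes listed above working together: an explicit HTML escape map that omits '/', proxy-aware client-IP detection that only honours X-Forwarded-For / X-Real-IP when the server is told it sits behind a trusted proxy, and a per-IP auth rate limiter (5 attempts per minute) keyed on the IP captured at connection time. The names escapeHtml, clientIpFor, AuthRateLimiter and the trustProxy flag are assumptions, not the PR's identifiers.

```typescript
// Added example, not the PR's code. Names below are assumptions.

// Explicit escape map for the five HTML-significant characters. '/' is
// deliberately absent: it needs no escaping in text or quoted-attribute
// context, which is what the "remove unused '/'" review item reflects.
const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Proxy-aware client IP. X-Forwarded-For / X-Real-IP are only honoured when
// trustProxy is set: without a trusted proxy in front, any client could forge
// the header and obtain a fresh rate-limit bucket for every attempt.
function clientIpFor(
  remoteAddress: string,
  headers: Record<string, string | undefined>,
  trustProxy = false,
): string {
  if (trustProxy) {
    const xff = headers['x-forwarded-for'];
    if (xff) return xff.split(',')[0].trim(); // first hop is the original client
    const real = headers['x-real-ip'];
    if (real) return real.trim();
  }
  return remoteAddress;
}

// Sliding-window limiter: at most `max` auth attempts per `windowMs` per IP.
// The caller captures the IP once at connection time and passes that same
// value on every attempt, so a client cannot change identity mid-connection.
class AuthRateLimiter {
  private attempts = new Map<string, number[]>();
  private max: number;
  private windowMs: number;
  constructor(max = 5, windowMs = 60_000) {
    this.max = max;
    this.windowMs = windowMs;
  }
  // Returns true if the attempt may proceed, false if the IP is throttled.
  allow(ip: string, now = Date.now()): boolean {
    const recent = (this.attempts.get(ip) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.max) {
      this.attempts.set(ip, recent);
      return false;
    }
    recent.push(now);
    this.attempts.set(ip, recent);
    return true;
  }
}
```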
BingqingLyu added the independent-review label (Non-trivial PR with no function-level conflict with other open PRs) and removed the conflicting-group-1 label on May 7, 2026