v4.1.0 — Tailscale Security Lockdown

Tailscale Network Isolation

tui-browser now requires Tailscale for network access. The server binds exclusively to its Tailscale IP — invisible to the public internet and local LAN.

Security

• BIND env var — server binds to a specific IP (Tailscale interface only)
• Security headers — X-Content-Type-Options, X-Frame-Options, Cache-Control: no-store on API routes
• /api/network removed — no longer exposes local LAN IPs
• Cloudflare tunnel removed — Tailscale replaces both the tunnel and the local fast-path

Removed

• AppNetwork local fast-path — entire module deleted. Tailscale handles direct routing between devices on the same LAN automatically.
• Connection mode icons — no local/tunnel distinction when everything goes through Tailscale
• Settings panel Sync button — no LAN IP discovery needed
• setup-local.html — cert acceptance page no longer needed

Fixed (multi-server routing)

• Bulk kill now groups sessions by server and routes to the correct origin
• Terminal kill, rename, AI title generation route to the session's server
• Double-tap connect passes server name correctly
• File browser opens to the terminal session's CWD (was broken by multi-server hash format)
• File editor read/write routes through the correct server origin
• WebSocket connects to the correct server when accessed from a custom domain
• Right-click in file browser shows custom context menu (suppresses browser default)

Changed

• install.sh requires Tailscale, auto-detects IP, sets BIND in systemd unit
• README rewritten for Tailscale-only networking
• CORS restored (safe — only Tailscale devices can reach the server)

🤖 Generated with Claude Code

v4.0.0 — Multi-Machine Federation

Multi-Machine Federation

Access terminals from multiple computers through a single dashboard. Each machine runs its own tui-browser server; the browser connects directly to each — no proxy or relay.

What's New

• Multi-machine support — add remote servers via the settings panel (wrench icon). Sessions are grouped by server with collapsible sections.
• Smart connection resolution — auto-discovers LAN IPs from each server via /api/network and races them against the configured URL for lowest latency. Green house icon = local, orange globe = remote.
• Auto-update — remote servers auto-pull from git and restart when the primary server's version bumps. Pre-commit hook auto-bumps patch version on every commit.
• Server settings panel — add/remove servers with a single URL field. Sync button fetches and displays discovered local IPs.
• Per-server file browser — each server group has its own file browser button. File browser in terminal view routes to the correct server.
• Collapsible server groups — click group headers to collapse/expand. State persisted in browser localStorage.
• Unified grouped view — HOST group always shows local sessions at the top. No separate single/multi-server code paths.

New API Endpoints

Method	Endpoint	Description
GET	/api/identity	Server name + package version
GET	/api/servers	Multi-server configuration list
PUT	/api/servers	Update server list
GET	/api/update/status	Check if self-update is in progress
POST	/api/update	Trigger git pull + npm install + restart

New Files

• server/identity.js — server identity endpoint
• server/servers.js — server config CRUD
• server/update.js — self-update endpoint
• public/js/server-manager.js — multi-server connection manager
• public/js/settings-panel.js — settings overlay UI
• scripts/bump-version.sh — pre-commit version bump hook

Install

# Primary machine
./install.sh --server-name desktop --primary

# Additional machines
./install.sh --server-name laptop

Then open the wrench icon on the primary's dashboard to add remote servers by URL.

v3.0.0 — File Browser

File Browser

Session-aware file manager accessible from any device — browse, view, edit, upload, and download files right from your phone.

What's new

• File browser overlay — Google Files-style UI with breadcrumb navigation, vscode-icons for 1,480+ file types, and mobile-optimized touch interactions
• Code editor — CodeMirror 6 with syntax highlighting for 13 languages (JS, Python, Rust, Go, etc.), read-only view with tap-to-edit
• File uploads — drag-and-drop (or file picker on mobile) via FilePond with progress bars and multi-file support
• File downloads — single files download directly, folders download as zip archives
• File management — create folders, rename, delete, copy, move with a long-press context menu and bulk selection
• Session-aware — opens to the working directory of the current terminal session, or home dir from the dashboard
• Configurable access — allowed directories set in data/file-browser-config.json, path traversal prevention on all endpoints

Interaction model

• Single tap — select/deselect files (selection bar appears for bulk actions)
• Double tap — open folder or file
• Long press — context menu (rename, copy, move, download, info, delete)

Technical details

• 11 new REST API endpoints under /api/files/*
• 3 new frontend IIFE modules: file-browser.js, file-editor.js, file-upload.js
• 3 new npm dependencies: multer (uploads), archiver (zip downloads), vscode-icons-js (file icons)
• Pre-bundled vendor assets: CodeMirror 6 (~988KB) and vscode-icons (~65KB) — no build step required
• XSS protection via HTML escaping, upload filename sanitization, input validation on all endpoints

v2.2.0

What's New

• Terminal input passthrough fixes — browser right-click menu suppressed so tmux context menus work, Shift+Enter sends literal newline (matching Kitty), Ctrl+Shift+V pastes from clipboard
• Quickbar redesign — replaced cramped 13-button single row with 3 swipeable pages (Input, Signals, Arrows) plus anchored Sel/TextInput buttons. Swipe + dot indicators on mobile, arrow buttons on desktop
• Back button overlay handling — back button now closes overlays before navigating away from terminal
• Text selection improvement — soft-wrapped lines unwrapped for cleaner mobile copy
• AI title generation — app-set pane titles passed to AI title generation with cursor passthrough
• Mobile UI fixes — global notes button, quickbar keys, scroll-mode fix, and various mobile improvements

v2.1.0

What's New

Mobile UX Overhaul

• Swipe-to-scroll terminal via tmux copy-mode with 1:1 touch tracking
• Keyboard toggle button with VirtualKeyboard API support
• Connection resilience — auto-reconnect before sending text input or quick-keys
• Prevent unwanted keyboard popup on touch devices

Terminal Text Input

• Compose-and-send text input panel with quickbar integration
• Draft persistence, sent history, and global notes
• Send button doubles as Enter key, keyboard pill turns red when off
• Quick Launch prefills the input form

Session Management

• Auto-remove idle detached sessions after 24h (with dashboard expiry label)
• Session lock to protect from accidental deletion
• Bulk session kill with selection and filter presets
• Edit/delete Quick Launch shortcuts from the dropdown UI

AI Titles

• Reworked AI titles — process-based detection instead of scrollback parsing
• Claude Code session detection with remote-control URL

Networking

• Instant network switching — race local IPs, react to network events
• Piggyback local probe on dashboard poll, remove separate interval
• Periodic re-check when on tunnel to detect local availability

Other

• High contrast toggle and pane titles in session cards
• Modular refactor — all server modules kept under ~250 lines
• Respect OS auto-rotate (removed manifest orientation lock)

v2.0.0

TUI Browser v2.0.0

VNC for terminals — web access to tmux sessions from any device.

Highlights

• Modular architecture (all server modules under ~250 lines)
• Claude Code session detection with remote-control URL
• Compose-and-send text input panel with quickbar
• Session locking to prevent accidental deletion
• Bulk kill with filter presets
• Quick Launch shortcuts
• Session info overlay (memory, CPU, process tree)
• High contrast toggle and pane titles in session cards
• Auto-switching between Cloudflare tunnel and direct local HTTPS
• AI-powered session titles via Claude CLI
• PWA support with offline caching