github my-claude-utils/clsh v0.1.8
v0.1.8 — Security, PWA Auth, Session Persistence


What's new since v0.1.0

15 PRs shipped. Security hardening, PWA password/biometric auth, session persistence fixes, and a polished mobile experience.

Security Hardening (PRs #21, #23)

clsh gives remote shell access to your machine, so security is our top priority. This release addresses all critical and high findings from our internal audit:

  • One-time bootstrap tokens: Consumed after first use, 5-minute TTL (was permanent)
  • Server-side password auth: scrypt hashing (N=16384, 64-byte key, random salt) with crypto.timingSafeEqual
  • Face ID / Touch ID auth: WebAuthn biometric credentials stored server-side for PWA re-authentication
  • Rate limiting: 5-10 requests per 15 minutes on all auth endpoints
  • WebSocket hardening: Origin validation, 64KB max payload, resize bounds checking
  • JWT in first WS message: No longer in URL query string (prevents log leaks)
  • Bootstrap token in hash fragment: Not sent to servers or logged by proxies
  • CORS restricted: Dynamic allowlist (no more wildcard *)
  • Security headers: X-Frame-Options, CSP, X-Content-Type-Options, Referrer-Policy
  • SSE endpoint removed: Eliminated unused attack surface

Found a vulnerability? Please report it: SECURITY.md or email security@clsh.dev

PWA Password + Biometric Auth (PR #23)

iOS PWAs get isolated localStorage, so a session established by scanning a QR code in Safari does not carry over to the home screen app. Now:

  • Set a password during lock screen setup (stored server-side as an scrypt hash)
  • Enable Face ID (WebAuthn credential stored server-side)
  • Reopen PWA: authenticate with Face ID or password (no QR re-scan needed)
  • Lock screen state automatically syncs between browser and server

7 new API endpoints, 3 new database tables, 5 new frontend files.

Session Persistence Fixes (PRs #14, #15, #16)

  • Sessions now properly survive server restarts via tmux control mode
  • Fixed posix_spawnp crash caused by npm stripping execute permissions from node-pty's spawn-helper
  • Fixed stale session cleanup on startup (catches spawn failures, cleans DB)
  • destroyAll() no longer kills tmux sessions during graceful shutdown

Splash Screen + Mobile Auth UX (PR #21)

  • Animated CLSH ASCII logo reveal on startup (staggered lines, glow, shimmer, fadeout)
  • Mobile auth simplified to QR-only (no more token paste clutter on phones)
  • In-app QR scanner with rear camera (jsQR, iOS Safari getUserMedia fix)
  • Connection status banner in grid view (reconnecting / disconnected state)

Connectivity Improvements (PR #21)

  • Local network IP added to allowed origins (phones on same Wi-Fi work)
  • Dynamic web port support (run multiple instances with PORT=N)
  • iOS history.replaceState fix for PWA standalone mode
  • White flash fix on load (inline dark background)

CLI + Distribution (PRs #7, #9, #10, #11, #12, #13)

  • Package renamed from clsh to clsh-dev (npm name conflict with clsx/cli/slash)
  • npx clsh-dev setup interactive wizard for ngrok configuration
  • ~/.clsh/config.json support (env vars > .env > config > defaults)
  • GitHub link in startup banner

npm packages

npx clsh-dev          # v0.1.8
Package       Version
clsh-dev      0.1.8
@clsh/agent   0.0.7
@clsh/web     0.0.4

Full changelog: v0.1.0...v0.1.8
