pingdotgg
diff --git a/‎REMOTE.md‎
Lines changed: 45 additions & 46 deletions b/‎REMOTE.md‎
Lines changed: 45 additions & 46 deletions
diff --git a/‎apps/server/src/cli-config.test.ts‎
Lines changed: 63 additions & 0 deletions b/‎apps/server/src/cli-config.test.ts‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎apps/server/src/cli.ts‎
Lines changed: 47 additions & 27 deletions b/‎apps/server/src/cli.ts‎
Lines changed: 47 additions & 27 deletions
diff --git a/‎apps/server/src/config.ts‎
Lines changed: 5 additions & 0 deletions b/‎apps/server/src/config.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎apps/server/src/environment/Layers/ServerEnvironment.test.ts‎
Lines changed: 1 addition & 0 deletions b/‎apps/server/src/environment/Layers/ServerEnvironment.test.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/server/src/server.test.ts‎
Lines changed: 1 addition & 0 deletions b/‎apps/server/src/server.test.ts‎
Lines changed: 1 addition & 0 deletions
@@ -1,68 +1,67 @@
-# Remote Access Setup
+# Remote Access
 
-Use this when you want to open T3 Code from another device (phone, tablet, another laptop).
+Use this when you want to connect to a T3 Code server from another device such as a phone, tablet, or separate desktop app.
 
-## CLI ↔ Env option map
+## Recommended Setup
 
-The T3 Code CLI accepts the following configuration options, available either as CLI flags or environment variables:
+Use a trusted private network that meshes your devices together, such as a tailnet.
 
-| CLI flag                | Env var               | Notes                                                                                |
-| ----------------------- | --------------------- | ------------------------------------------------------------------------------------ |
-| `--mode <web\|desktop>` | `T3CODE_MODE`         | Runtime mode.                                                                        |
-| `--port <number>`       | `T3CODE_PORT`         | HTTP/WebSocket port.                                                                 |
-| `--host <address>`      | `T3CODE_HOST`         | Bind interface/address.                                                              |
-| `--base-dir <path>`     | `T3CODE_HOME`         | Base directory.                                                                      |
-| `--dev-url <url>`       | `VITE_DEV_SERVER_URL` | Dev web URL redirect/proxy target.                                                   |
-| `--no-browser`          | `T3CODE_NO_BROWSER`   | Disable auto-open browser.                                                           |
-| `--auth-token <token>`  | `T3CODE_AUTH_TOKEN`   | WebSocket auth token. Use this for standard CLI and remote-server flows.             |
-| `--bootstrap-fd <fd>`   | `T3CODE_BOOTSTRAP_FD` | Read a one-shot bootstrap envelope from an inherited file descriptor during startup. |
+That gives you:
 
-> TIP: Use the `--help` flag to see all available options and their descriptions.
+- a stable address to connect to
+- transport security at the network layer
+- less exposure than opening the server to the public internet
 
-## Security First
+## Headless Server Flow
 
-- Always set `--auth-token` before exposing the server outside localhost.
-  - When you control the process launcher, prefer sending the auth token in a JSON envelope via `--bootstrap-fd <fd>`.
-    With `--bootstrap-fd <fd>`, the launcher starts the server first, then sends a one-shot JSON envelope over the inherited file descriptor. This allows the auth token to be delivered without putting it in process environment or command line arguments.
-- Treat the token like a password.
-- Prefer binding to trusted interfaces (LAN IP or Tailnet IP) instead of opening all interfaces unless needed.
-
-## 1) Build + run server for remote access
-
-Remote access should use the built web app (not local Vite redirect mode).
+Run the server with `t3 serve`.
 
 ```bash
-bun run build
-TOKEN="$(openssl rand -hex 24)"
-bun run --cwd apps/server start -- --host 0.0.0.0 --port 3773 --auth-token "$TOKEN" --no-browser
+npx t3 serve --host "$(tailscale ip -4)"
 ```
 
-Then open on your phone:
+`t3 serve` starts the server without opening a browser and prints:
 
-`http://<your-machine-ip>:3773`
+- a connection string
+- a pairing token
+- a pairing URL
+- a QR code for the pairing URL
 
-Example:
+From there, connect from another device in either of these ways:
 
-`http://192.168.1.42:3773`
+- scan the QR code on your phone
+- in the desktop app, enter the full pairing URL
+- in the desktop app, enter the host and token separately
 
-Notes:
+Use `t3 serve --help` for the full flag reference. It supports the same general startup options as the normal server command, including an optional `cwd` argument.
 
-- `--host 0.0.0.0` listens on all IPv4 interfaces.
-- `--no-browser` prevents local auto-open, which is usually better for headless/remote sessions.
-- Ensure your OS firewall allows inbound TCP on the selected port.
+## How Pairing Works
 
-## 2) Tailnet / Tailscale access
+The remote device does not need a long-lived secret up front.
 
-If you use Tailscale, you can bind directly to your Tailnet address.
+Instead:
 
-```bash
-TAILNET_IP="$(tailscale ip -4)"
-TOKEN="$(openssl rand -hex 24)"
-bun run --cwd apps/server start -- --host "$(tailscale ip -4)" --port 3773 --auth-token "$TOKEN" --no-browser
-```
+1. `t3 serve` issues a one-time owner pairing token.
+2. The remote device exchanges that token with the server.
+3. The server creates an authenticated session for that device.
+
+After pairing, future access is session-based. You do not need to keep reusing the original token unless you are pairing a new device.
+
+## Managing Access Later
+
+Use `t3 auth` to manage access after the initial pairing flow.
+
+Typical uses:
+
+- issue additional pairing credentials
+- inspect active sessions
+- revoke old pairing links or sessions
 
-Open from any device in your tailnet:
+Use `t3 auth --help` and the nested subcommand help pages for the full reference.
 
-`http://<tailnet-ip>:3773`
+## Security Notes
 
-You can also bind `--host 0.0.0.0` and connect through the Tailnet IP, but binding directly to the Tailnet IP limits exposure.
+- Treat pairing URLs and pairing tokens like passwords.
+- Prefer binding `--host` to a trusted private address, such as a Tailnet IP, instead of exposing the server broadly.
+- Anyone with a valid pairing credential can create a session until that credential expires or is revoked.
+- Use `t3 auth` to revoke credentials or sessions you no longer trust.
@@ -83,6 +83,7 @@ it.layer(NodeServices.layer)("cli config resolution", (it) => {
         staticDir: undefined,
         devUrl: new URL("http://127.0.0.1:5173"),
         noBrowser: true,
+        startupPresentation: "browser",
         desktopBootstrapToken: undefined,
         autoBootstrapProjectFromCwd: false,
         logWebSocketEvents: true,
@@ -144,6 +145,7 @@ it.layer(NodeServices.layer)("cli config resolution", (it) => {
         staticDir: undefined,
         devUrl: new URL("http://127.0.0.1:4173"),
         noBrowser: true,
+        startupPresentation: "browser",
         desktopBootstrapToken: undefined,
         autoBootstrapProjectFromCwd: true,
         logWebSocketEvents: true,
@@ -212,6 +214,7 @@ it.layer(NodeServices.layer)("cli config resolution", (it) => {
         staticDir: undefined,
         devUrl: new URL("http://127.0.0.1:5173"),
         noBrowser: true,
+        startupPresentation: "browser",
         desktopBootstrapToken: undefined,
         autoBootstrapProjectFromCwd: false,
         logWebSocketEvents: true,
@@ -329,6 +332,7 @@ it.layer(NodeServices.layer)("cli config resolution", (it) => {
         staticDir: undefined,
         devUrl: new URL("http://127.0.0.1:4173"),
         noBrowser: true,
+        startupPresentation: "browser",
         desktopBootstrapToken: undefined,
         autoBootstrapProjectFromCwd: true,
         logWebSocketEvents: true,
@@ -392,10 +396,69 @@ it.layer(NodeServices.layer)("cli config resolution", (it) => {
         staticDir: resolved.staticDir,
         devUrl: undefined,
         noBrowser: true,
+        startupPresentation: "browser",
         desktopBootstrapToken: undefined,
         autoBootstrapProjectFromCwd: false,
         logWebSocketEvents: false,
       });
     }),
   );
+
+  it.effect("forces noBrowser when resolving headless startup presentation", () =>
+    Effect.gen(function* () {
+      const { join } = yield* Path.Path;
+      const baseDir = join(os.tmpdir(), "t3-cli-config-headless-base");
+      const derivedPaths = yield* deriveServerPaths(baseDir, undefined);
+
+      const resolved = yield* resolveServerConfig(
+        {
+          mode: Option.some("web"),
+          port: Option.some(3773),
+          host: Option.none(),
+          baseDir: Option.some(baseDir),
+          cwd: Option.none(),
+          devUrl: Option.none(),
+          noBrowser: Option.none(),
+          bootstrapFd: Option.none(),
+          autoBootstrapProjectFromCwd: Option.none(),
+          logWebSocketEvents: Option.none(),
+        },
+        Option.none(),
+        {
+          startupPresentation: "headless",
+        },
+      ).pipe(
+        Effect.provide(
+          Layer.mergeAll(
+            ConfigProvider.layer(
+              ConfigProvider.fromEnv({
+                env: {
+                  T3CODE_NO_BROWSER: "false",
+                },
+              }),
+            ),
+            NetService.layer,
+          ),
+        ),
+      );
+
+      expect(resolved).toEqual({
+        logLevel: "Info",
+        ...defaultObservabilityConfig,
+        mode: "web",
+        port: 3773,
+        cwd: process.cwd(),
+        baseDir,
+        ...derivedPaths,
+        host: undefined,
+        staticDir: resolved.staticDir,
+        devUrl: undefined,
+        noBrowser: true,
+        startupPresentation: "headless",
+        desktopBootstrapToken: undefined,
+        autoBootstrapProjectFromCwd: true,
+        logWebSocketEvents: false,
+      });
+    }),
+  );
 });
@@ -25,6 +25,7 @@ import {
   ServerConfig,
   RuntimeMode,
   type ServerConfigShape,
+  type StartupPresentation,
 } from "./config";
 import { readBootstrapEnvelope } from "./bootstrap";
 import { expandHomePath, resolveBaseDir } from "./os-jank";
@@ -187,6 +188,9 @@ const loadPersistedObservabilitySettings = Effect.fn(function* (settingsPath: st
 export const resolveServerConfig = (
   flags: CliServerFlags,
   cliLogLevel: Option.Option<LogLevel.LogLevel>,
+  options?: {
+    readonly startupPresentation?: StartupPresentation;
+  },
 ) =>
   Effect.gen(function* () {
     const { findAvailablePort } = yield* NetService;
@@ -253,18 +257,22 @@ export const resolveServerConfig = (
     );
     const serverTracePath = env.traceFile ?? derivedPaths.serverTracePath;
     yield* fs.makeDirectory(path.dirname(serverTracePath), { recursive: true });
-    const noBrowser = resolveBooleanFlag(
-      flags.noBrowser,
-      Option.getOrElse(
-        resolveOptionPrecedence(
-          Option.fromUndefinedOr(env.noBrowser),
-          Option.flatMap(bootstrapEnvelope, (bootstrap) =>
-            Option.fromUndefinedOr(bootstrap.noBrowser),
-          ),
-        ),
-        () => mode === "desktop",
-      ),
-    );
+    const startupPresentation = options?.startupPresentation ?? "browser";
+    const noBrowser =
+      startupPresentation === "headless"
+        ? true
+        : resolveBooleanFlag(
+            flags.noBrowser,
+            Option.getOrElse(
+              resolveOptionPrecedence(
+                Option.fromUndefinedOr(env.noBrowser),
+                Option.flatMap(bootstrapEnvelope, (bootstrap) =>
+                  Option.fromUndefinedOr(bootstrap.noBrowser),
+                ),
+              ),
+              () => mode === "desktop",
+            ),
+          );
     const desktopBootstrapToken = Option.getOrUndefined(
       Option.flatMap(bootstrapEnvelope, (bootstrap) =>
         Option.fromUndefinedOr(bootstrap.desktopBootstrapToken),
@@ -340,6 +348,7 @@ export const resolveServerConfig = (
       staticDir,
       devUrl,
       noBrowser,
+      startupPresentation,
       desktopBootstrapToken,
       autoBootstrapProjectFromCwd,
       logWebSocketEvents,
@@ -452,7 +461,7 @@ const runWithAuthControlPlane = <A, E>(
     );
   });
 
-const commandFlags = {
+const sharedServerCommandFlags = {
   mode: modeFlag,
   port: portFlag,
   host: hostFlag,
@@ -674,25 +683,36 @@ const authCommand = Command.make("auth").pipe(
   Command.withSubcommands([pairingCommand, sessionCommand]),
 );
 
-const startCommand = Command.make("start", commandFlags).pipe(
+const runServerCommand = (
+  flags: CliServerFlags,
+  options?: {
+    readonly startupPresentation?: StartupPresentation;
+  },
+) =>
+  Effect.gen(function* () {
+    const logLevel = yield* GlobalFlag.LogLevel;
+    const config = yield* resolveServerConfig(flags, logLevel, options);
+    return yield* runServer.pipe(Effect.provideService(ServerConfig, config));
+  });
+
+const startCommand = Command.make("start", { ...sharedServerCommandFlags }).pipe(
   Command.withDescription("Run the T3 Code server."),
+  Command.withHandler((flags) => runServerCommand(flags)),
+);
+
+const serveCommand = Command.make("serve", { ...sharedServerCommandFlags }).pipe(
+  Command.withDescription(
+    "Run the T3 Code server without opening a browser and print headless pairing details.",
+  ),
   Command.withHandler((flags) =>
-    Effect.gen(function* () {
-      const logLevel = yield* GlobalFlag.LogLevel;
-      const config = yield* resolveServerConfig(flags, logLevel);
-      return yield* runServer.pipe(Effect.provideService(ServerConfig, config));
+    runServerCommand(flags, {
+      startupPresentation: "headless",
     }),
   ),
 );
 
-export const cli = Command.make("t3", commandFlags).pipe(
+export const cli = Command.make("t3", { ...sharedServerCommandFlags }).pipe(
   Command.withDescription("Run the T3 Code server."),
-  Command.withHandler((flags) =>
-    Effect.gen(function* () {
-      const logLevel = yield* GlobalFlag.LogLevel;
-      const config = yield* resolveServerConfig(flags, logLevel);
-      return yield* runServer.pipe(Effect.provideService(ServerConfig, config));
-    }),
-  ),
-  Command.withSubcommands([startCommand, authCommand]),
+  Command.withHandler((flags) => runServerCommand(flags)),
+  Command.withSubcommands([startCommand, serveCommand, authCommand]),
 );
@@ -13,6 +13,9 @@ export const DEFAULT_PORT = 3773;
 export const RuntimeMode = Schema.Literals(["web", "desktop"]);
 export type RuntimeMode = typeof RuntimeMode.Type;
 
+export const StartupPresentation = Schema.Literals(["browser", "headless"]);
+export type StartupPresentation = typeof StartupPresentation.Type;
+
 /**
  * ServerDerivedPaths - Derived paths from the base directory.
  */
@@ -56,6 +59,7 @@ export interface ServerConfigShape extends ServerDerivedPaths {
   readonly staticDir: string | undefined;
   readonly devUrl: URL | undefined;
   readonly noBrowser: boolean;
+  readonly startupPresentation: StartupPresentation;
   readonly desktopBootstrapToken: string | undefined;
   readonly autoBootstrapProjectFromCwd: boolean;
   readonly logWebSocketEvents: boolean;
@@ -153,6 +157,7 @@ export class ServerConfig extends ServiceMap.Service<ServerConfig, ServerConfigS
           staticDir: undefined,
           devUrl,
           noBrowser: false,
+          startupPresentation: "browser",
         } satisfies ServerConfigShape;
       }),
     );
 
@@ -36,6 +36,7 @@ const makeServerConfig = Effect.fn(function* (baseDir: string) {
     staticDir: undefined,
     devUrl: undefined,
     noBrowser: false,
+    startupPresentation: "browser",
   } satisfies ServerConfigShape;
 });
 
 
@@ -331,6 +331,7 @@ const buildAppUnderTest = (options?: {
       staticDir: undefined,
       devUrl,
       noBrowser: true,
+      startupPresentation: "browser",
       desktopBootstrapToken: defaultDesktopBootstrapToken,
       autoBootstrapProjectFromCwd: false,
       logWebSocketEvents: false,