no account. no cloud relay. no middleman.

architecture

your phone connects directly to your machine. there's no relay server in between.

• direct connection: the host cli runs on your machine and streams over websocket to your phone
• no cloud relay: we don't run any servers. your terminal traffic stays on your network
• tls encryption: all connections use tls with ecdsa p-256 keys. certs are auto-generated on first run and pinned by fingerprint
• local pairing: pairing codes are generated locally via unix socket, never exposed to the network until you share them

device pairing

• pairing requires explicit action on both devices (qr scan or manual code entry)
• codes are 6-digit, single-use, and expire after 2 minutes
• codes are bcrypt-hashed at rest and rate limited (5 attempts per minute)
• trust mismatch triggers a hard-block -- re-pair from scratch required
• each paired device is tracked and can be revoked with pseudocoder devices revoke

best practices

• use tailscale (recommended): creates a secure mesh network between your devices with no port forwarding
• alternatives: any trusted private network where both devices share a secure path
• don't expose to the internet: the host is not designed for public access
• run diagnostics: use pseudocoder doctor to verify host health and network reachability
• review the source: the host cli is fully open source
• revoke unused devices: remove paired devices you no longer use

what flows through the connection

everything that appears in your terminal: commands, output, diffs, file paths, potentially api keys or credentials if they're visible in the terminal. this is why the direct connection matters. none of it touches infrastructure you don't control.

keep-awake security

keep-awake only prevents sleep while an active session is running and releases when the session ends. it respects battery level and can be remotely disabled via CLI. no persistent system modifications are made.

learn more

• reliability notes
• host cli source code
• privacy policy