feat: add QR code display on ppg serve startup #121

Open
2witstudios wants to merge 3 commits into main from ppg/issue-88-qr-display
@2witstudios
Owner

Summary

  • Adds ppg serve command that starts an HTTPS server with auto-generated self-signed TLS certificates
  • Displays a pairing QR code on startup encoding ppg://connect?host=...&port=...&ca=...&token=...
  • Includes CA SHA-256 fingerprint in the pairing URL for certificate pinning
  • Prints auth token to stdout once at generation time
  • QR code only rendered in interactive terminals (suppressed in --daemon mode)
  • Supports --json for machine-readable output with all pairing details

Closes #88

Test plan

  • Run ppg serve in an interactive terminal and verify QR code is displayed
  • Scan QR code with iOS device camera and verify URL is well-formed
  • Run ppg serve --daemon and verify QR code is not displayed
  • Run ppg serve --json and verify JSON output includes token, fingerprint, and pairingUrl
  • Run ppg serve --port 8080 and verify server binds to correct port
  • Verify self-signed certs are generated in .ppg/certs/ on first run and reused on subsequent runs
  • Run npm run typecheck — passes (pre-existing spawn.test.ts issue unrelated)
  • Run npm test — all 218 tests pass

Add `ppg serve` command that starts an HTTPS server with self-signed TLS
certificates and displays a pairing QR code for iOS device connectivity.

- Generate self-signed EC certs (prime256v1) stored in .ppg/certs/
- Encode pairing URL: ppg://connect?host=...&port=...&ca=...&token=...
- Include CA SHA-256 fingerprint for certificate pinning
- Print auth token to stdout at generation time
- Render QR code via qrcode-terminal (small mode)
- Only display QR in interactive terminal (skip in --daemon mode)
- Support --json for machine-readable output
- Add qrcode-terminal to dependencies

Closes #88
@coderabbitai
coderabbitai bot commented Feb 27, 2026

Warning

Rate limit exceeded

@2witstudios has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 34 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 34deb69 and aefca80.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (6)
  • package.json
  • src/cli.ts
  • src/commands/serve.test.ts
  • src/commands/serve.ts
  • src/commands/spawn.test.ts
  • src/core/tls.ts
- Critical: use crypto.timingSafeEqual for bearer token comparison
  instead of string equality to prevent timing side-channel attacks
- High: extract TLS logic to core/tls.ts, use execa with argument
  arrays instead of execSync with shell string interpolation
- High: add unit tests for buildPairingUrl, getLocalIp, verifyToken
- Medium: use requireManifest() instead of manual fs.access check
- Medium: use fs.mkdtemp for temp key files instead of predictable
  PID-based paths
- Medium: replace sync fs and child_process with async equivalents
- Low: remove redundant default fallbacks (Commander provides them)
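
The first item in the commit message above, as an added TypeScript example that is not the project's code: a bearer-token check built on `crypto.timingSafeEqual`, next to the string-equality form it replaces. The `verifyToken` signature, the `Authorization: Bearer` header format and the sample token are assumptions; both values are hashed to 32 bytes first because `timingSafeEqual` throws when the buffer lengths differ.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hash to a fixed 32 bytes: timingSafeEqual throws a RangeError when the two
// buffers differ in length, and a length pre-check would itself leak length.
function sha256(value: string) {
  return createHash("sha256").update(value, "utf8").digest();
}

// Pull the token out of "Authorization: Bearer <token>" (assumed header format).
function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const match = /^Bearer +([A-Za-z0-9._~+\/-]+=*)$/i.exec(header);
  return match?.[1] ?? null;
}

// For contrast: string equality can stop at the first differing character,
// so response time may depend on how much of the guess is correct.
function naiveVerify(header: string | undefined, expected: string): boolean {
  return parseBearer(header) === expected;
}

// Hardened check (hypothetical signature, not taken from the PR).
function verifyToken(header: string | undefined, expected: string): boolean {
  const presented = parseBearer(header);
  // Always run the comparison, even for a missing or malformed header, so
  // every request does the same work before being rejected.
  const same = timingSafeEqual(sha256(presented ?? ""), sha256(expected));
  // An empty expected token (misconfiguration) must never authenticate.
  return presented !== null && expected.length > 0 && same;
}

// Constructed sample token, not from the PR.
const SAMPLE_TOKEN = "c2FtcGxlLXRva2VuLWZvci1kZW1v";
console.log("naive  :", naiveVerify(`Bearer ${SAMPLE_TOKEN}`, SAMPLE_TOKEN));
console.log("correct:", verifyToken(`Bearer ${SAMPLE_TOKEN}`, SAMPLE_TOKEN));
console.log("wrong  :", verifyToken(`Bearer ${SAMPLE_TOKEN}x`, SAMPLE_TOKEN));
console.log("missing:", verifyToken(undefined, SAMPLE_TOKEN));
```

Both functions return the same answers; only the hardened one keeps the comparison time independent of how many leading characters of a guess are correct.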