
Remote control

Lime’s remote control lets you drive a lime session running on your laptop from a phone, tablet, or any browser — over a Cloudflare Quick Tunnel or a persistent named tunnel.

Topology

The CLI hosts the bridge; the client connects in. There is no Anthropic- or Lime-hosted relay — you control both sides.

┌──────────┐     wss     ┌────────────────┐    ws     ┌────────────────┐
│  phone   │ ◀─────────▶ │   Cloudflare   │ ◀────────▶│  lime CLI on   │
│  PWA /   │             │  tunnel (cfd)  │           │  your laptop   │
│ browser  │             │                │           │ (bridge --ws)  │
└──────────┘             └────────────────┘           └────────────────┘

Local-only (LAN)

lime bridge --ws --ws-port 9111 --ws-token "$(openssl rand -hex 32)"

The bridge binds to 127.0.0.1 and gates connections with a bearer token (constant-time compare; the socket is closed with code 4001 on auth failure). Messages use NDJSON framing. To connect from the phone over the LAN, use ws://<laptop-ip>:9111 if your network allows.

Remote (Cloudflare Quick Tunnel)

  1. Mint a device token.

    lime remote pair --label "my-phone"

    The token is printed once. Lime stores only a hash; the full token is shown to you exactly one time.

  2. Bind the bridge and spin up a tunnel.

    lime remote start

    Lime starts the bridge in WebSocket + device-auth mode, then launches cloudflared (auto-downloading it on first use if missing). It prints a one-shot pairing URL.

  3. Open the pairing URL on the phone.

    The PWA exchanges the device token for a long-lived credential. Subsequent reconnects don’t need pairing.

For a stable hostname, use a pre-configured named tunnel:

lime remote start --persistent prod-tunnel --url tunnel.example.com

--persistent and --url require each other; either both are present or neither is.

cloudflared lifecycle

  • Auto-downloaded on first use if not on PATH. Disable with --no-auto-install.
  • Restarted on crash.
  • Stderr is mirrored as "cloudflared:" lines, so an operator running lime remote start sees exactly what’s happening.

Manage devices

lime remote pair --label "phone-1" # mint a token
lime remote devices # list registered devices
lime remote revoke <device-id> # revoke
lime bridge --status # inspect bridge engine state

What’s protected

  • Device token authentication — constant-time compare on the bridge, hashed-at-rest on the host, single-use pairing token.
  • WsBridgeConfig with sane defaults — 127.0.0.1 bind, allowed origin list, redaction on by default.
  • BridgeTelemetry — connection events, reconnect counters, per-device usage.
  • Redaction in event logs — secrets from MCP tool calls and permission decisions are redacted on the wire.
  • Event log with backfill on resume — the phone can drop offline and rejoin without losing transcript turns.
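
A minimal sketch of the token handling described in the first bullet and in the pairing steps: only digests are kept on the host, the pairing token can be redeemed once, and every check is a constant-time compare. This is an added example, not Lime's own code; DeviceRegistry, its method names, and the choice of SHA-256 are assumptions.

```python
import hashlib
import hmac
import secrets

def _digest(token: str) -> bytes:
    # Tokens are 256-bit random values, so plain SHA-256 is enough at rest
    # (assumption: the page does not say which hash Lime uses).
    return hashlib.sha256(token.encode()).digest()

class DeviceRegistry:
    """Hypothetical host-side store; holds digests only, never raw tokens."""

    def __init__(self):
        self._devices = {}  # device_id -> {"label", "pairing", "credential"}

    def pair(self, label):
        """Mint a pairing token; the caller shows it once and forgets it."""
        device_id, token = secrets.token_hex(4), secrets.token_hex(32)
        self._devices[device_id] = {
            "label": label, "pairing": _digest(token), "credential": None}
        return device_id, token

    def _match(self, field, presented):
        """Constant-time compare against every record, with no early exit."""
        want, found = _digest(presented), None
        for device_id, rec in self._devices.items():
            stored = rec[field] or bytes(32)  # filler for an unset slot
            if hmac.compare_digest(stored, want):
                found = device_id
        return found

    def redeem(self, pairing_token):
        """Swap a pairing token for a long-lived credential, exactly once."""
        device_id = self._match("pairing", pairing_token)
        if device_id is None:
            return None
        credential = secrets.token_hex(32)
        rec = self._devices[device_id]
        rec["pairing"], rec["credential"] = None, _digest(credential)
        return credential

    def authenticate(self, credential):
        """Return the device id for a valid credential, else None."""
        return self._match("credential", credential)

    def revoke(self, device_id):
        # Dropping the record invalidates the credential immediately.
        return self._devices.pop(device_id, None) is not None
```
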

When to disable redaction

For trusted local-only setups (a phone on the same LAN, no tunnel) you can disable outbound redaction:

lime bridge --ws --no-redact ...

Design posture

Lime’s bridge is self-hosted by design: the CLI is the server, not a relay client to a multi-tenant service. That trades convenience features (zero-config cross-network reach through a SaaS) for full local control over the wire format, redaction policy, and reachability.