Browser terminal

ThoxMicroV opens a browser terminal directly into the device — no SSH exposure, no shared key, and no shell. The REPL is thoxosctl shell, constrained to a small set of subcommands.

Five-step flow

1. 1

   The Next.js server checks requireDeviceAccess(operator) against RLS-filtered queries.

2. 2

   It mints a 5-minute HS256 JWT scoped to (profile_id, device_id, jti) and records the session.

3. 3

   The browser opens a WebSocket to the exec-relay sidecar with the token.

4. 4

   The relay verifies signature, audience, issuer, expiry, and claim shape before spawning a PTY into the right node container running thoxosctl shell — a constrained REPL, not bash.

5. 5

   On disconnect, the row is closed with byte counters.

Allowed commands

The REPL is constrained. The following commands are permitted; everything else is rejected.

Recording

Every session records open and close timestamps, byte counters, and the actor identity. Terminal contents are not stored in the browser. Tokens expire in five minutes and are scoped per (user, device).