app/src-tauri/src/commands/terminal_commands.rs

use tauri::{AppHandle, Emitter, State};

use crate::models::{AuthMode, BedrockAuthMethod, Project};
use crate::AppState;

/// Build the command to run in the container terminal.
///
/// For Bedrock Profile projects, wraps `claude` in a bash script that validates
/// the AWS session first. If the SSO session is expired, runs `aws sso login`
/// so the user can re-authenticate (the URL is clickable via xterm.js WebLinksAddon).
fn build_terminal_cmd(project: &Project, state: &AppState) -> Vec<String> {
    let is_bedrock_profile = project.auth_mode == AuthMode::Bedrock
        && project
            .bedrock_config
            .as_ref()
            .map(|b| b.auth_method == BedrockAuthMethod::Profile)
            .unwrap_or(false);

    if !is_bedrock_profile {
        return vec![
            "claude".to_string(),
            "--dangerously-skip-permissions".to_string(),
        ];
    }

    // Resolve AWS profile: project-level → global settings → "default"
    let profile = project
        .bedrock_config
        .as_ref()
        .and_then(|b| b.aws_profile.clone())
        .or_else(|| state.settings_store.get().global_aws.aws_profile.clone())
        .unwrap_or_else(|| "default".to_string());

    // Build a bash wrapper that validates credentials, re-auths if needed,
    // then exec's into claude.
    let script = format!(
        r#"
echo "Validating AWS session for profile '{profile}'..."
if aws sts get-caller-identity --profile '{profile}' >/dev/null 2>&1; then
    echo "AWS session valid."
else
    echo "AWS session expired or invalid."
    # Check if this profile uses SSO (has sso_start_url configured)
    if aws configure get sso_start_url --profile '{profile}' >/dev/null 2>&1; then
        echo "Starting SSO login — click the URL below to authenticate:"
        echo ""
        aws sso login --profile '{profile}'
        if [ $? -ne 0 ]; then
            echo ""
            echo "SSO login failed or was cancelled. Starting Claude anyway..."
            echo "You may see authentication errors."
            echo ""
        fi
    else
        echo "Profile '{profile}' does not use SSO. Check your AWS credentials."
        echo "Starting Claude anyway..."
        echo ""
    fi
fi
exec claude --dangerously-skip-permissions
"#,
        profile = profile
    );

    vec![
        "bash".to_string(),
        "-c".to_string(),
        script,
    ]
}

#[tauri::command]
pub async fn open_terminal_session(
    project_id: String,
    session_id: String,
    app_handle: AppHandle,
    state: State<'_, AppState>,
) -> Result<(), String> {
    let project = state
        .projects_store
        .get(&project_id)
        .ok_or_else(|| format!("Project {} not found", project_id))?;

    let container_id = project
        .container_id
        .as_ref()
        .ok_or_else(|| "Container not running".to_string())?;

    let cmd = build_terminal_cmd(&project, &state);

    let output_event = format!("terminal-output-{}", session_id);
    let exit_event = format!("terminal-exit-{}", session_id);
    let app_handle_output = app_handle.clone();
    let app_handle_exit = app_handle.clone();

    state
        .exec_manager
        .create_session(
            container_id,
            &session_id,
            cmd,
            move |data| {
                let _ = app_handle_output.emit(&output_event, data);
            },
            Box::new(move || {
                let _ = app_handle_exit.emit(&exit_event, ());
            }),
        )
        .await
}

#[tauri::command]
pub async fn terminal_input(
    session_id: String,
    data: Vec<u8>,
    state: State<'_, AppState>,
) -> Result<(), String> {
    state.exec_manager.send_input(&session_id, data).await
}

#[tauri::command]
pub async fn terminal_resize(
    session_id: String,
    cols: u16,
    rows: u16,
    state: State<'_, AppState>,
) -> Result<(), String> {
    state.exec_manager.resize(&session_id, cols, rows).await
}

#[tauri::command]
pub async fn close_terminal_session(
    session_id: String,
    state: State<'_, AppState>,
) -> Result<(), String> {
    // Close audio bridge if it exists
    let audio_session_id = format!("audio-{}", session_id);
    state.exec_manager.close_session(&audio_session_id).await;
    // Close terminal session
    state.exec_manager.close_session(&session_id).await;
    Ok(())
}

#[tauri::command]
pub async fn paste_image_to_terminal(
    session_id: String,
    image_data: Vec<u8>,
    state: State<'_, AppState>,
) -> Result<String, String> {
    let container_id = state.exec_manager.get_container_id(&session_id).await?;

    let timestamp = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_millis();
    let file_name = format!("clipboard_{}.png", timestamp);

    state
        .exec_manager
        .write_file_to_container(&container_id, &file_name, &image_data)
        .await
}

#[tauri::command]
pub async fn start_audio_bridge(
    session_id: String,
    state: State<'_, AppState>,
) -> Result<(), String> {
    // Get container_id from the terminal session
    let container_id = state.exec_manager.get_container_id(&session_id).await?;

    // Create audio bridge exec session with ID "audio-{session_id}"
    // The loop handles reconnection when the FIFO reader (fake rec) is killed and restarted
    let audio_session_id = format!("audio-{}", session_id);
    let cmd = vec![
        "bash".to_string(),
        "-c".to_string(),
        "FIFO=/tmp/triple-c-audio-input; [ -p \"$FIFO\" ] || mkfifo \"$FIFO\"; trap '' PIPE; while true; do cat > \"$FIFO\" 2>/dev/null; sleep 0.1; done".to_string(),
    ];

    state
        .exec_manager
        .create_session_with_tty(
            &container_id,
            &audio_session_id,
            cmd,
            false,
            |_data| { /* ignore output from the audio bridge */ },
            Box::new(|| { /* no exit handler needed */ }),
        )
        .await
}

#[tauri::command]
pub async fn send_audio_data(
    session_id: String,
    data: Vec<u8>,
    state: State<'_, AppState>,
) -> Result<(), String> {
    let audio_session_id = format!("audio-{}", session_id);
    state.exec_manager.send_input(&audio_session_id, data).await
}

#[tauri::command]
pub async fn stop_audio_bridge(
    session_id: String,
    state: State<'_, AppState>,
) -> Result<(), String> {
    let audio_session_id = format!("audio-{}", session_id);
    state.exec_manager.close_session(&audio_session_id).await;
    Ok(())
}
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`use tauri::{AppHandle, Emitter, State};`

fix: validate AWS SSO session before launching Claude for Bedrock Profile auth When using AWS Profile auth (SSO) with Bedrock, expired SSO sessions caused Claude Code to spin indefinitely. Three root causes fixed: 1. Mount host .aws at /tmp/.host-aws (read-only) and copy to /home/claude/.aws in entrypoint, mirroring the SSH key pattern. This gives AWS CLI writable sso/cache and cli/cache directories. 2. For Bedrock Profile projects, wrap the claude command in a bash script that validates credentials via `aws sts get-caller-identity` before launch. If SSO session is expired, runs `aws sso login` with the auth URL visible and clickable in the terminal. 3. Non-SSO profiles with bad creds get a warning but Claude still starts. Non-Bedrock projects are unaffected. Note: existing containers need a rebuild to pick up the new mount path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 11:41:42 -08:00			`use crate::models::{AuthMode, BedrockAuthMethod, Project};`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`use crate::AppState;`

fix: validate AWS SSO session before launching Claude for Bedrock Profile auth When using AWS Profile auth (SSO) with Bedrock, expired SSO sessions caused Claude Code to spin indefinitely. Three root causes fixed: 1. Mount host .aws at /tmp/.host-aws (read-only) and copy to /home/claude/.aws in entrypoint, mirroring the SSH key pattern. This gives AWS CLI writable sso/cache and cli/cache directories. 2. For Bedrock Profile projects, wrap the claude command in a bash script that validates credentials via `aws sts get-caller-identity` before launch. If SSO session is expired, runs `aws sso login` with the auth URL visible and clickable in the terminal. 3. Non-SSO profiles with bad creds get a warning but Claude still starts. Non-Bedrock projects are unaffected. Note: existing containers need a rebuild to pick up the new mount path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 11:41:42 -08:00			`/// Build the command to run in the container terminal.`
			`///`
			/// For Bedrock Profile projects, wraps `claude` in a bash script that validates
			/// the AWS session first. If the SSO session is expired, runs `aws sso login`
			`/// so the user can re-authenticate (the URL is clickable via xterm.js WebLinksAddon).`
			`fn build_terminal_cmd(project: &Project, state: &AppState) -> Vec<String> {`
			`let is_bedrock_profile = project.auth_mode == AuthMode::Bedrock`
			`&& project`
			`.bedrock_config`
			`.as_ref()`
			`.map(\|b\| b.auth_method == BedrockAuthMethod::Profile)`
			`.unwrap_or(false);`

			`if !is_bedrock_profile {`
			`return vec![`
			`"claude".to_string(),`
			`"--dangerously-skip-permissions".to_string(),`
			`];`
			`}`

			`// Resolve AWS profile: project-level → global settings → "default"`
			`let profile = project`
			`.bedrock_config`
			`.as_ref()`
			`.and_then(\|b\| b.aws_profile.clone())`
			`.or_else(\|\| state.settings_store.get().global_aws.aws_profile.clone())`
			`.unwrap_or_else(\|\| "default".to_string());`

			`// Build a bash wrapper that validates credentials, re-auths if needed,`
			`// then exec's into claude.`
			`let script = format!(`
			`r#"`
			`echo "Validating AWS session for profile '{profile}'..."`
			`if aws sts get-caller-identity --profile '{profile}' >/dev/null 2>&1; then`
			`echo "AWS session valid."`
			`else`
			`echo "AWS session expired or invalid."`
			`# Check if this profile uses SSO (has sso_start_url configured)`
			`if aws configure get sso_start_url --profile '{profile}' >/dev/null 2>&1; then`
			`echo "Starting SSO login — click the URL below to authenticate:"`
			`echo ""`
			`aws sso login --profile '{profile}'`
			`if [ $? -ne 0 ]; then`
			`echo ""`
			`echo "SSO login failed or was cancelled. Starting Claude anyway..."`
			`echo "You may see authentication errors."`
			`echo ""`
			`fi`
			`else`
			`echo "Profile '{profile}' does not use SSO. Check your AWS credentials."`
			`echo "Starting Claude anyway..."`
			`echo ""`
			`fi`
			`fi`
			`exec claude --dangerously-skip-permissions`
			`"#,`
			`profile = profile`
			`);`

			`vec![`
			`"bash".to_string(),`
			`"-c".to_string(),`
			`script,`
			`]`
			`}`

Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`#[tauri::command]`
			`pub async fn open_terminal_session(`
			`project_id: String,`
			`session_id: String,`
			`app_handle: AppHandle,`
			`state: State<'_, AppState>,`
			`) -> Result<(), String> {`
			`let project = state`
			`.projects_store`
			`.get(&project_id)`
			`.ok_or_else(\|\| format!("Project {} not found", project_id))?;`

			`let container_id = project`
			`.container_id`
			`.as_ref()`
			`.ok_or_else(\|\| "Container not running".to_string())?;`

fix: validate AWS SSO session before launching Claude for Bedrock Profile auth When using AWS Profile auth (SSO) with Bedrock, expired SSO sessions caused Claude Code to spin indefinitely. Three root causes fixed: 1. Mount host .aws at /tmp/.host-aws (read-only) and copy to /home/claude/.aws in entrypoint, mirroring the SSH key pattern. This gives AWS CLI writable sso/cache and cli/cache directories. 2. For Bedrock Profile projects, wrap the claude command in a bash script that validates credentials via `aws sts get-caller-identity` before launch. If SSO session is expired, runs `aws sso login` with the auth URL visible and clickable in the terminal. 3. Non-SSO profiles with bad creds get a warning but Claude still starts. Non-Bedrock projects are unaffected. Note: existing containers need a rebuild to pick up the new mount path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 11:41:42 -08:00			`let cmd = build_terminal_cmd(&project, &state);`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00
			`let output_event = format!("terminal-output-{}", session_id);`
			`let exit_event = format!("terminal-exit-{}", session_id);`
			`let app_handle_output = app_handle.clone();`
			`let app_handle_exit = app_handle.clone();`

			`state`
			`.exec_manager`
			`.create_session(`
			`container_id,`
			`&session_id,`
			`cmd,`
			`move \|data\| {`
			`let _ = app_handle_output.emit(&output_event, data);`
			`},`
			`Box::new(move \|\| {`
			`let _ = app_handle_exit.emit(&exit_event, ());`
			`}),`
			`)`
			`.await`
			`}`

			`#[tauri::command]`
			`pub async fn terminal_input(`
			`session_id: String,`
			`data: Vec<u8>,`
			`state: State<'_, AppState>,`
			`) -> Result<(), String> {`
			`state.exec_manager.send_input(&session_id, data).await`
			`}`

			`#[tauri::command]`
			`pub async fn terminal_resize(`
			`session_id: String,`
			`cols: u16,`
			`rows: u16,`
			`state: State<'_, AppState>,`
			`) -> Result<(), String> {`
			`state.exec_manager.resize(&session_id, cols, rows).await`
			`}`

			`#[tauri::command]`
			`pub async fn close_terminal_session(`
			`session_id: String,`
			`state: State<'_, AppState>,`
			`) -> Result<(), String> {`
feat: add voice mode support via mic passthrough to container Enables Claude Code's /voice command inside Docker containers by capturing microphone audio in the Tauri webview and streaming it into the container via a FIFO pipe. Container: fake rec/arecord shims read PCM from a FIFO instead of a real mic. Audio bridge exec writes PCM from Tauri into the FIFO. Frontend: getUserMedia() + AudioWorklet captures 16kHz mono PCM and streams it to the container via invoke("send_audio_data"). UI: "Mic Off/On" toggle button in the terminal view. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-05 06:11:33 -08:00			`// Close audio bridge if it exists`
			`let audio_session_id = format!("audio-{}", session_id);`
			`state.exec_manager.close_session(&audio_session_id).await;`
			`// Close terminal session`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`state.exec_manager.close_session(&session_id).await;`
			`Ok(())`
			`}`
Add image paste support for xterm.js terminal Intercept clipboard paste events containing images in the terminal, upload them into the Docker container via bollard's tar upload API, and inject the resulting file path into terminal stdin so Claude Code can reference the image. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-01 10:52:08 -08:00
			`#[tauri::command]`
			`pub async fn paste_image_to_terminal(`
			`session_id: String,`
			`image_data: Vec<u8>,`
			`state: State<'_, AppState>,`
			`) -> Result<String, String> {`
			`let container_id = state.exec_manager.get_container_id(&session_id).await?;`

			`let timestamp = std::time::SystemTime::now()`
			`.duration_since(std::time::UNIX_EPOCH)`
			`.unwrap_or_default()`
			`.as_millis();`
			`let file_name = format!("clipboard_{}.png", timestamp);`

			`state`
			`.exec_manager`
			`.write_file_to_container(&container_id, &file_name, &image_data)`
			`.await`
			`}`
feat: add voice mode support via mic passthrough to container Enables Claude Code's /voice command inside Docker containers by capturing microphone audio in the Tauri webview and streaming it into the container via a FIFO pipe. Container: fake rec/arecord shims read PCM from a FIFO instead of a real mic. Audio bridge exec writes PCM from Tauri into the FIFO. Frontend: getUserMedia() + AudioWorklet captures 16kHz mono PCM and streams it to the container via invoke("send_audio_data"). UI: "Mic Off/On" toggle button in the terminal view. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-05 06:11:33 -08:00
			`#[tauri::command]`
			`pub async fn start_audio_bridge(`
			`session_id: String,`
			`state: State<'_, AppState>,`
			`) -> Result<(), String> {`
			`// Get container_id from the terminal session`
			`let container_id = state.exec_manager.get_container_id(&session_id).await?;`

			`// Create audio bridge exec session with ID "audio-{session_id}"`
			`// The loop handles reconnection when the FIFO reader (fake rec) is killed and restarted`
			`let audio_session_id = format!("audio-{}", session_id);`
			`let cmd = vec![`
			`"bash".to_string(),`
			`"-c".to_string(),`
			`"FIFO=/tmp/triple-c-audio-input; [ -p \"$FIFO\" ] \|\| mkfifo \"$FIFO\"; trap '' PIPE; while true; do cat > \"$FIFO\" 2>/dev/null; sleep 0.1; done".to_string(),`
			`];`

			`state`
			`.exec_manager`
			`.create_session_with_tty(`
			`&container_id,`
			`&audio_session_id,`
			`cmd,`
			`false,`
			`\|_data\| { /* ignore output from the audio bridge */ },`
			`Box::new(\|\| { /* no exit handler needed */ }),`
			`)`
			`.await`
			`}`

			`#[tauri::command]`
			`pub async fn send_audio_data(`
			`session_id: String,`
			`data: Vec<u8>,`
			`state: State<'_, AppState>,`
			`) -> Result<(), String> {`
			`let audio_session_id = format!("audio-{}", session_id);`
			`state.exec_manager.send_input(&audio_session_id, data).await`
			`}`

			`#[tauri::command]`
			`pub async fn stop_audio_bridge(`
			`session_id: String,`
			`state: State<'_, AppState>,`
			`) -> Result<(), String> {`
			`let audio_session_id = format!("audio-{}", session_id);`
			`state.exec_manager.close_session(&audio_session_id).await;`
			`Ok(())`
			`}`