ALL MEMOS Download .docx

TL;DR (5 bullets, 30-second read)

1. The pattern exists and has been shipped by real projects. jamierpond/claude-remote (GitHub, Feb 2026) does exactly this stack: local Node.js server on port 6767, Claude CLI subprocess, WebSocket bridge, Cloudflare Tunnel as the HTTPS reverse proxy. Multiple other repos (claudecodeui, claude-code-web, claude-code-webui) confirm the local-server-bridging-to-Claude-CLI pattern is mature at the community level.

2. Anthropic now ships a first-party answer: Remote Control (v2.1.51+, Feb 2026 research preview). It uses outbound HTTPS polling to the Anthropic API — no open ports, no Cloudflare Tunnel needed. However, it requires a claude.ai subscription (no API key auth), is flagged as "clunky and buggy" by the HN community, and the local process must stay running.

3. Cloudflare Tunnel is the homelab standard for this use case. Named tunnels (managed via dashboard, token-based config) are the 2026 recommended setup. The main failure modes are single-connector SPOF and silent connector restarts — both solvable with a systemd service + redundant connector. Quick tunnels are acceptable for dev/testing but generate random URLs on each restart.

4. Claude Code updates break things frequently. The changelog documents 176+ updates in ~12 months. Surface areas with highest churn: hook system (8+ revisions), permission rules (12+ revisions), session resumption (6+ revisions), CLI flags. The v2.1.119/v2.1.120 release (April 2026) landed 8 regressions simultaneously, including a --resume TypeError and broken auto-updates. Hook exit-code behavior (must exit 2, write to stderr) is a recurring silent failure pattern.

5. Ship it — with Cloudflare Tunnel + your own local server — rather than depending on Anthropic's Remote Control. Community repos prove the architecture works today. Anthropic's native solution has subscription lock-in, no API key support, and is in "research preview." The maintenance risk is real but manageable: pin the Claude Code version, CI-test the bridge surface, and treat each Claude Code update as a potential breaking event.

---

Section 1: Cloudflare Tunnel for Self-Hosted Dashboards

Maturity Assessment

As of 2026, Cloudflare Tunnel is the default recommendation in homelab circles for exposing local services without port forwarding. The pattern predates 2025 but the tooling has matured: named tunnels (config lives in the Cloudflare dashboard, local cloudflared only needs a token) are now the standard over legacy config-file tunnels. The free tier covers all homelab-scale use. Multiple full-length install guides published in Q1 2026 confirm active community investment.

Sources confirming maturity:

• HomeLab Starter guide (https://homelabstarter.com/homelab-cloudflare-tunnel/) — step-by-step for dashboard integration
• Medium post by Andrew Viant (April 2026, https://medium.com/@andrew.awds/expose-your-homelab-services-without-opening-ports-using-cloudflare-tunnel-5ff3ea065c79)
• recca0120 technical writeup (April 14 2026, https://recca0120.github.io/en/2026/04/14/cloudflare-tunnel-2026/)
• Cloudflare official docs (https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)

Reliability Data

ServerCompass published a dedicated reliability checklist (https://servercompass.app/blog/cloudflare-tunnel-random-reliability-checklist) that identifies the key failure modes:

• Single connector SPOF: one cloudflared process going down kills all access. Run two connectors on separate hosts to eliminate this.
• Silent crash-loops: running cloudflared in an interactive shell rather than as a systemd service causes it to restart every few minutes while appearing intermittently connected. Failures look random until you check process status separately.
• Layered failure blindness: the stack has four independent failure layers (app health, host resources, tunnel connector, public DNS). Without separated monitoring of each layer, you cannot isolate incidents.
• No external validation: local health checks do not prove public reachability. Run outside-in HTTPS monitoring (e.g., UptimeRobot hitting the public URL) with alerts gated on repeated failures, not single blips.

Security Notes

• Cloudflare terminates TLS at the edge — meaning Cloudflare can theoretically see unencrypted traffic between the edge and your tunnel connector. For Claude Code command traffic this is relevant: apply application-level auth (API key, token) on top of tunnel TLS.
• Named tunnels support Cloudflare Access (zero-trust auth via SSO/OTP) at the tunnel level — this is the recommended hardening for internet-exposed services. Free tier includes Access for up to 50 users.
• Proxy header misalignment (missing X-Forwarded-For, X-Real-IP trust) causes silent auth failures in some apps. Configure trustProxyHeaders in the local server.
• Keep an SSH route independent of the tunnel for emergency recovery — if the tunnel breaks, you need a second path in.

Gotchas Specific to a Local Command-Forwarding Server

• WebSocket connections require wss:// protocol and websocket: true in the tunnel ingress config. Using http:// for a WS upgrade silently fails.
• Quick tunnels (no Cloudflare account) generate a new random subdomain on each cloudflared restart. For a dashboard you'll want a named tunnel on a domain you own.
• Corporate firewalls sometimes block port 7844 (cloudflared control plane). Fallback to HTTPS port 443 is built-in since cloudflared 2023+.

---

Section 2: Remote Control of a Locally-Running Claude Instance via Web UI

What Exists Today

Tier 1: Exact pattern confirmed (community-built)

jamierpond/claude-remote (https://github.com/jamierpond/claude-remote) — The closest match to the architecture in question. Ships:

• A local Node.js HTTP + WebSocket server (port 6767)
• Spawns the Claude CLI as a subprocess with streaming output
• ECDH P-256 key exchange via QR code (Argon2 PIN, AES-256-GCM message encryption)
• Cloudflare Tunnel explicitly listed as the HTTPS reverse proxy
• PWA-installable mobile client
• Multi-layer encryption so "even if your reverse proxy terminates TLS, the message contents are opaque"

This project directly proves the web-UI → Cloudflare Tunnel → local Node server → Claude CLI subprocess pattern is viable and has been shipped.

vultuk/claude-code-web (https://github.com/vultuk/claude-code-web) — Spawns Claude Code via node-pty, real-time WebSocket bidirectional communication, xterm.js terminal emulation, auth tokens. No tunnel bundled but designed to run behind one.

siteboon/claudecodeui (https://github.com/siteboon/claudecodeui) — CloudCLI: npx @cloudcli-ai/cloudcli launches a Node.js server on localhost:3001, auto-discovers sessions from ~/.claude. Offers a managed CloudCLI Cloud option that handles remote access, and a self-hosted option (direct network access or any reverse proxy). No Cloudflare Tunnel mentioned explicitly but self-hosted path is reverse-proxy-agnostic.

sugyan/claude-code-webui (https://github.com/sugyan/claude-code-webui) — Deno or Node.js backend, default binds to 127.0.0.1:8080. Explicitly cautions against public internet exposure without auth. Uses 0.0.0.0 as an opt-in.

JessyTsui/Claude-Code-Remote (https://github.com/JessyTsui/Claude-Code-Remote) — Hook-based notification and command-injection (email, Telegram, LINE). PTY mode or tmux mode injection. Not a web UI but confirms bidirectional command-forwarding pattern. Recommends ngrok for local webhook testing (Cloudflare Tunnel is a direct substitute).

Tier 2: First-party answer (Anthropic Remote Control)

Anthropic shipped claude remote-control (docs: https://code.claude.com/docs/en/remote-control) in research preview, requiring v2.1.51+. Architecture:

• Local Claude Code process makes outbound HTTPS polling to Anthropic API
• No inbound ports required on local machine
• Messages routed through Anthropic API over TLS
• Accessible via claude.ai/code or Claude iOS/Android apps

Critical limitations for Harnoor's use case:

• Requires claude.ai subscription (Pro/Max/Team/Enterprise). API keys explicitly not supported. This is a hard blocker if TITAN runs with an API key.
• Research preview — Hacker News thread (https://news.ycombinator.com/item?id=47148454) describes it as "extremely clunky and buggy": can't interrupt Claude, sessions disconnect intermittently, XML renders as raw text, one-session-at-a-time limit outside server mode.
• Local process must stay running: if the terminal closes, the session ends. 10-minute network outage causes timeout and process exit.
• Android app forces GitHub permission scope to access sessions — flagged as unnecessary and concerning by community.
• Ultraplan sessions disconnect Remote Control (they share the claude.ai/code interface).

Tier 3: Security analysis

Penligent published a security analysis (https://www.penligent.ai/hackinglabs/claude-code-remote-control-security-risks-when-your-local-session-becomes-a-remote-execution-interface) specifically on Remote Control's attack surface — relevant reading before deploying any remote Claude Code access.

Gap Analysis: Has Anyone Done Exactly This?

The exact stack (custom web UI → Cloudflare Tunnel → local forwarding server → Claude Code) has been implemented by jamierpond/claude-remote. The difference from Harnoor's design is minor: claude-remote uses a mobile PWA as the web UI rather than a general-purpose dashboard. The forwarding server architecture is identical. The Cloudflare Tunnel integration is explicit.

No gap in precedent. The pattern is validated.

---

Section 3: Long-Term Maintenance and Claude Update Risk

Update Velocity

Anthropic ships Claude Code at an aggressive pace: 176+ documented updates in 2025, multiple releases per week, 2,295-line CHANGELOG.md. The most recent regression batch (v2.1.119/v2.1.120, April 24 2026) simultaneously broke:

1. claude --resume — throws TypeError, session restoration non-functional

2. Silent model routing (opus-4-7 routed to wrong variant)

3. UI duplication on terminal resize

4. Broken auto-update mechanism

5. WSL2 --resume MCP menu freeze

6. CLAUDE.md ignored by model

7. Sandbox exclusion bypass

8. macOS worktree hang on Apple Silicon

Workaround documented: downgrade to v2.1.117, disable auto-updates. Source: https://gist.github.com/yurukusa/a866b4cd2976486156a00c190c39cef6

Surface Areas by Churn Level (from CHANGELOG.md raw)

| Surface Area | Revision Count | Notes |

|---|---|---|

| Permission rules | 12+ | Security hardening, Bash command parsing |

| Hook system | 8+ | New events, exit-code behavior, output persistence |

| CLI flags | 7+ | --resume, --bare, --effort, model defaults |

| Session resumption | 6+ | Transcript chains, fork recovery, subagent restoration |

| MCP / Plugin management | 5+ | OAuth flows, marketplace filtering |

Hook-Specific Risks

The hook system is the integration surface most likely to affect a remote-control bridge:

• Stop-family hooks (SessionEnd etc.) silently fail with exit code 0 and discarded stdout — must exit with code 2 and write to stderr for the block to take effect. This is a recurring regression pattern — it broke in v2.0.30, was fixed in v2.0.31, regressed again (Issue #10814). Do not rely on stop hooks for critical control flow.
• SessionEnd hooks are killed before completion when running async work (Issue #41577, open as of April 2026). Any hook that does async I/O (e.g., posting to a web server) is unreliable.
• PreToolUse hooks returning "allow" no longer bypass deny rules as of v2.1.77 — a silent behavior change with security implications.
• Hook output exceeding 50K characters saves to disk instead of injecting directly (v2.1.89) — affects hooks that try to return large context.

CLI/SDK Surface Risks

• claude update behavior changed to use native binaries (v2.1.113) — if you pin a version via npm you may get a different binary than expected.
• CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 was added to strip credentials from subprocess environments. If your local server relies on env vars being inherited into Claude Code subprocesses, this flag silently breaks that.
• claude remote-control is in research preview — Anthropic explicitly reserves the right to change or remove it.
• The subprocess inheriting CLAUDECODE=1 env var prevents SDK usage from hooks/plugins (claude-agent-sdk-python Issue #573, open). If the bridge uses the SDK inside a hook, this is a blocker.

Maintenance Posture Recommendation

1. Pin Claude Code to a known-good version in your deployment (npm install -g @anthropic-ai/claude-code@2.1.117 or equivalent). Test each update in a staging env before promoting.

2. Minimize hook surface area. Use hooks only for synchronous, fast, exit-code-based control flow. Do not use hooks for async I/O.

3. Do not depend on --resume programmatically. It has broken in at least 3 version ranges. If you need persistent sessions, use claude remote-control server mode or manage session state outside the Claude CLI.

4. CI test the bridge surface. A simple smoke test (send prompt → verify response arrives at web UI) catches ~80% of CLI-breaking regressions. Run on each Claude Code release.

5. Subscribe to the releases feed: https://github.com/anthropics/claude-code/releases — set a GitHub notification or RSS watch. The regression gist (Section 3) was published within 24 hours of the bad release.

---

Architecture Recommendation

Recommended stack for Harnoor's A013 dashboard:

Browser / Phone
    |
    | HTTPS (Cloudflare Tunnel — named tunnel, token-based)
    v
cloudflared (systemd service, two connectors for HA)
    |
    | HTTP/WebSocket (localhost)
    v
Local Node.js bridge server (port 6767 or similar)
    - Auth: API key or token in request header
    - Application-level message encryption (optional, see claude-remote)
    |
    | spawn() / node-pty
    v
Claude Code CLI (pinned version)
    - claude --dangerously-skip-permissions (or fine-grained permission config)
    - Session managed by bridge server

This is what jamierpond/claude-remote ships. It is validated. The only design decision is whether to use node-pty (full terminal emulation, xterm.js on frontend) vs. the Claude Code SDK's query() function (structured JSON, easier to parse, but more breaking-change risk as SDK is updated). Prefer node-pty for stability — it talks to the CLI binary, not a programmatic API layer that Anthropic changes frequently.

Avoid:

• Anthropic's Remote Control as the primary bridge (subscription required, research preview, buggy, process-lifetime-bound).
• Using hooks as the command ingestion mechanism (async completion unreliable, frequent regressions).
• Quick Cloudflare tunnels (random URLs, no persistence).

---

Contradictions / Uncertainties

• The Anthropic Remote Control docs (https://code.claude.com/docs/en/remote-control) say "all traffic travels through the Anthropic API over TLS" but the HN community notes XML renders as raw text and sessions disconnect frequently — suggesting the streaming layer is still immature. Treat it as alpha, not production.
• jamierpond/claude-remote's encryption layer (AES-256-GCM over ECDH) is impressive but adds implementation complexity. No security audit found. For TITAN's internal use (single user, private Cloudflare Tunnel), simpler bearer token auth is sufficient.
• The v2.1.119/v2.1.120 regression batch (8 regressions, April 24 2026) is very recent — no post-mortem published. It is unclear whether this cadence of simultaneous regressions is a one-time event or indicative of reduced QA rigor.

---

Sources

1. Cloudflare Tunnel reliability checklist — https://servercompass.app/blog/cloudflare-tunnel-random-reliability-checklist

2. HomeLab Starter Cloudflare Tunnel guide — https://homelabstarter.com/homelab-cloudflare-tunnel/

3. recca0120 Cloudflare Tunnel 2026 writeup — https://recca0120.github.io/en/2026/04/14/cloudflare-tunnel-2026/

4. Cloudflare official tunnel docs — https://developers.cloudflare.com/cloudflare-one/networks/tunnels/

5. jamierpond/claude-remote — https://github.com/jamierpond/claude-remote

6. siteboon/claudecodeui — https://github.com/siteboon/claudecodeui

7. vultuk/claude-code-web — https://github.com/vultuk/claude-code-web

8. sugyan/claude-code-webui — https://github.com/sugyan/claude-code-webui

9. JessyTsui/Claude-Code-Remote — https://github.com/JessyTsui/Claude-Code-Remote

10. Anthropic Remote Control docs — https://code.claude.com/docs/en/remote-control

11. HN thread on Remote Control — https://news.ycombinator.com/item?id=47148454

12. Penligent Remote Control security analysis — https://www.penligent.ai/hackinglabs/claude-code-remote-control-security-risks-when-a-local-session-becomes-a-remote-execution-interface/

13. Claude Code CHANGELOG.md (raw) — https://raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md

14. v2.1.119/v2.1.120 regression gist — https://gist.github.com/yurukusa/a866b4cd2976486156a00c190c39cef6

15. Claude Code issues: hooks regression #10814 — https://github.com/anthropics/claude-code/issues/10814

16. Claude Code issues: SessionEnd async kill #41577 — https://github.com/anthropics/claude-code/issues/41577

17. Claude Code issues: remote access feature request #31891 — https://github.com/anthropics/claude-code/issues/31891

18. Tactic Remote Cloudflare Tunnel blog — https://tacticremote.com/blog/2026-02-28-cloudflare-tunnel-remote-development/

19. Cloudflare Tunnel for Remote Development (clauderc.com redirect) — https://clauderc.com/blog/2026-02-28-cloudflare-tunnel-remote-development/