* feat(mobile): port supervisor app to current main * chore(mobile): format mobile package |
||
|---|---|---|
| .. | ||
| README.md | ||
| ao-phone-proxy.js | ||
README.md
Connecting a physical phone (LAN bridge)
The AO daemon binds to localhost only (127.0.0.1:3001) by design - it has no
auth, so it never exposes itself to the network. That means a physical phone
(a separate device on your Wi-Fi) can't reach it directly.
ao-phone-proxy.js is a tiny bridge that fixes this without weakening the
daemon: it opens one LAN port, forwards it to the loopback daemon, and uses
trust-on-first-connect - the first device that connects is pinned as the
only allowed device; every other machine on the Wi-Fi is refused.
Run it
From the repo root (Node is the only requirement):
node packages/mobile/scripts/ao-phone-proxy.js
You'll see:
AO phone bridge: 0.0.0.0:3011 -> 127.0.0.1:3001 | waiting for first device (trust-on-first-connect)
Connect the phone
- Make sure the phone and the computer are on the same Wi-Fi.
- Find the computer's LAN IP:
ipconfig getifaddr en0(macOS). - In the AO app's Settings:
- Host: that LAN IP (e.g.
192.168.1.84) - API Port:
3011 - Use TLS: off
- Host: that LAN IP (e.g.
- Open the app. The bridge logs
[paired] <phone-ip> is now the only allowed device- the phone is now the single trusted device. Done.
Re-pair a different phone
RESET=1 node packages/mobile/scripts/ao-phone-proxy.js
Then connect the new phone (it becomes the pinned device).
Options
| Env | Default | Meaning |
|---|---|---|
PORT |
3011 |
LAN port to expose to the phone |
TARGET |
3001 |
Loopback daemon port to forward to |
STATE |
~/.ao/phone-allow.json |
Where the paired-device IP is remembered |
RESET |
- | RESET=1 clears the pairing, then pairs the next device |
Notes
- Keep the daemon on its default localhost bind - don't set
AO_HOST. This
bridge is the only thing exposed to the LAN. - DHCP drift: if the phone's IP changes, its new IP won't match the pin and
it'll be blocked -RESET=1and reconnect, or set a DHCP reservation for
the phone in your router so its IP is fixed. - Trust model: whoever connects first is trusted, and IP allowlisting is a
lightweight LAN control (a hostile device on the same Wi-Fi could spoof the
paired IP). Fine for a trusted home network; for shared/untrusted Wi-Fi use
Tailscale or real auth instead.