# Planned Remote — Web-Based Terminal & Remote Desktop Client

## Product Spec Sheet

> **Concept**: A modern, self-hosted web application combining the best features of Termius (SSH/SFTP) and MobaXterm (SSH + RDP + SFTP browser) — accessible from any browser, no desktop client required.
>
> **Stack**: Nuxt 3 (Vue 3 SSR) + NestJS backend + PostgreSQL
>
> **Target Users**: MSP technicians, sysadmins, and IT teams who need unified remote access to SSH and RDP endpoints from any device

---

## 1. Feature Comparison — What We're Building Against

### Termius (Desktop/Mobile SSH Client)

| Feature | Termius Free | Termius Pro ($14.99/mo) |
| --- | --- | --- |
| SSH / Mosh / Telnet | ✅ | ✅ |
| SFTP file transfer | ✅ | ✅ |
| Port forwarding | ✅ | ✅ |
| Multi-tab sessions | ✅ | ✅ |
| Split panes | ❌ | ✅ |
| Encrypted cloud vault | ❌ | ✅ |
| Cross-device sync | ❌ | ✅ |
| Team sharing | ❌ | ✅ (Team plan $29.99/user/mo) |
| Saved snippets/macros | ❌ | ✅ |
| FIDO2 / hardware key auth | ✅ | ✅ |
| RDP | ❌ | ❌ |
| SFTP browser (sidebar) | ❌ | ❌ |

**Key Termius strength**: Beautiful cross-platform UI, encrypted credential sync.

**Key Termius weakness**: No RDP. No SFTP sidebar browser. No web-based option.

---

### MobaXterm (Windows Desktop Client)

| Feature | MobaXterm Free | MobaXterm Pro ($69/license) |
| --- | --- | --- |
| SSH / Mosh / Telnet / rlogin | ✅ | ✅ |
| RDP (Remote Desktop) | ✅ | ✅ |
| VNC | ✅ | ✅ |
| SFTP sidebar browser (auto-opens on SSH connect) | ✅ | ✅ |
| X11 server | ✅ | ✅ |
| Multi-tab sessions | ✅ | ✅ |
| Split panes | ✅ | ✅ |
| SSH tunnels (graphical manager) | ✅ | ✅ |
| Macros / saved commands | ❌ (max 4) | ✅ (unlimited) |
| Session limit | 12 max | Unlimited |
| Customizable / brandable | ❌ | ✅ |
| Portable (USB stick) | ✅ | ✅ |
| Web-based | ❌ | ❌ |
| Cross-platform | ❌ (Windows only) | ❌ (Windows only) |

**Key MobaXterm strength**: All-in-one (SSH + RDP + VNC + SFTP + X11). The SFTP sidebar that auto-opens on SSH connect is killer UX.

**Key MobaXterm weakness**: Windows only. Not web-based. Dated UI.

---

## 2. Vigilance Remote — Our Feature Set

### Core Principle

**Everything MobaXterm does for SSH + RDP + SFTP, but in a modern web browser with Termius-level UI polish.**

### 2.1 SSH Terminal

| Feature | Implementation |
| --- | --- |
| SSH connections | **xterm.js** (MIT) — the industry standard web terminal. Used by VS Code, Tabby, Theia, and hundreds of production applications. GPU-accelerated rendering, full Unicode/CJK/emoji support. |
| Backend proxy | **NestJS WebSocket gateway** + **ssh2** (npm) — Node.js SSH client library. Browser connects via WebSocket to NestJS, which proxies to the SSH target. No direct SSH from browser. |
| Authentication | Password, SSH key (stored encrypted), SSH agent forwarding, FIDO2/hardware key |
| Multi-tab sessions | Tab bar with session labels, color-coded by host group |
| Split panes | Horizontal and vertical splits within a single tab (xterm.js instances in a flex grid) |
| Session recording | Record terminal sessions as asciinema-compatible casts. Replay in browser. Audit trail for MSP compliance. |
| Saved snippets | Quick-execute saved commands/scripts. Click to paste into active terminal. |
| Terminal theming | Dark/light modes, custom color schemes, font selection, font size |
| Search in terminal | Ctrl+F search through terminal scrollback buffer (xterm.js `SearchAddon`) |
| Copy/paste | Ctrl+Shift+C / Ctrl+Shift+V, or right-click context menu |

### 2.2 SFTP File Browser (MobaXterm's Killer Feature)

| Feature | Implementation |
| --- | --- |
| Auto-open on SSH connect | When an SSH session connects, the SFTP sidebar automatically opens showing the remote filesystem. Exactly like MobaXterm. |
| Sidebar layout | Left sidebar panel (resizable) showing remote filesystem as a tree. Main panel is the terminal. |
| File operations | Browse, upload (drag-and-drop from desktop), download, rename, delete, chmod, create directory |
| Dual-pane mode | Optional second SFTP panel for server-to-server file operations (drag between panels) |
| File editing | Click a text file to open in an embedded code editor (Monaco Editor — same as VS Code). Save pushes back via SFTP. |
| Transfer queue | Background upload/download queue with progress bars, pause/resume, retry |
| Backend | **ssh2-sftp-client** (npm) or raw **ssh2** SFTP subsystem. All file operations proxied through NestJS. |

### 2.3 RDP (Remote Desktop)

| Feature | Implementation |
| --- | --- |
| RDP connections | **Apache Guacamole** (`guacd` daemon + `guacamole-common-js` client library). Industry-standard, Apache-licensed, battle-tested web RDP. |
| Architecture | Browser → WebSocket → NestJS → Guacamole protocol → `guacd` daemon → RDP to target. The NestJS backend acts as the tunnel between the JavaScript client and guacd. |
| Display | HTML5 Canvas rendering via `guacamole-common-js`. Keyboard, mouse, and touch input forwarded. |
| Multi-monitor | Support for multiple virtual displays |
| Clipboard sync | Bidirectional clipboard between browser and remote desktop |
| File transfer | Upload/download via Guacamole's built-in file transfer (drive redirection) |
| Audio | Remote audio playback in browser |
| Resolution | Auto-detect browser window size, or set fixed resolution |
| RDP settings | Color depth, security mode (NLA/TLS/RDP), console session, admin mode, load balancing info |
| Session recording | Guacamole native session recording (video-like playback of RDP sessions) |

### 2.4 Connection Manager (Termius-style)

| Feature | Details |
| --- | --- |
| Host database | Store hosts with: name, hostname/IP, port, protocol (SSH/RDP), credentials, group, tags, notes, color |
| Groups/folders | Organize hosts into hierarchical groups (e.g., "RSM > Servers", "Filters Fast > Switches") |
| Quick connect | Top bar with hostname input — type and connect without saving |
| Search | Full-text search across all hosts, tags, and notes |
| Credential vault | AES-256-GCM encrypted storage for passwords and SSH keys. Master password or Entra ID auth. |
| SSH key management | Generate, import, export SSH keys. Associate keys with hosts. |
| Jump hosts / bastion | Configure SSH proxy/jump hosts for reaching targets behind firewalls |
| Port forwarding | Graphical SSH tunnel manager — local, remote, and dynamic forwarding |
| Tags & labels | Color-coded tags for categorization (production, staging, dev, client-name) |

### 2.5 Team & MSP Features

| Feature | Details |
| --- | --- |
| Multi-user | User accounts with RBAC. Admin, Technician, Read-Only roles. |
| Entra ID SSO | One-click Microsoft Entra ID integration (same pattern as Vigilance HQ and RSM ERP) |
| Shared connections | Admins define connection templates. Technicians connect without seeing credentials. |
| Audit logging | Every connection, command, file transfer logged with user, timestamp, duration. |
| Session sharing | Share a live terminal session with a colleague (read-only or collaborative) |
| Client-scoped access | MSP multi-tenancy — technicians see only the hosts for clients they're assigned to |

---

## 3. Technology Stack

### Frontend

| Component | Technology | License |
| --- | --- | --- |
| Framework | Nuxt 3 (Vue 3 SSR) | MIT |
| Terminal emulator | xterm.js 5.x | MIT |
| Terminal addons | `@xterm/addon-fit`, `@xterm/addon-search`, `@xterm/addon-web-links`, `@xterm/addon-webgl` | MIT |
| Code editor (SFTP) | Monaco Editor | MIT |
| RDP client | guacamole-common-js | Apache 2.0 |
| UI library | PrimeVue 4 or Naive UI | MIT |
| State management | Pinia | MIT |
| CSS | Tailwind CSS | MIT |
| File upload | Drag-and-drop with progress (native File API) | — |

### Backend

| Component | Technology | License |
| --- | --- | --- |
| Framework | NestJS 10 | MIT |
| SSH proxy | ssh2 (npm) | MIT |
| SFTP operations | ssh2 SFTP subsystem (built into ssh2) | MIT |
| RDP proxy | guacd (Apache Guacamole daemon) | Apache 2.0 |
| Guacamole tunnel | Custom NestJS WebSocket gateway → guacd TCP | Apache 2.0 |
| Database | PostgreSQL 16 (hosts, users, credentials, audit logs) | PostgreSQL License |
| Credential encryption | AES-256-GCM (same pattern as Vigilance HQ) | — |
| WebSocket | NestJS `@WebSocketGateway` (socket.io or ws) | MIT |
| Auth | JWT + Microsoft Entra ID (one-click setup) | — |
| Session recording | asciinema format for SSH, Guacamole native for RDP | MIT / Apache 2.0 |

### Infrastructure

| Component | Technology |
| --- | --- |
| Deployment | Docker Compose |
| Services | `app` (Nuxt SSR + NestJS), `guacd` (Guacamole daemon), `postgres`, `redis` |
| Reverse proxy | Nginx (WebSocket upgrade support required) |
| `guacd` | Docker image `guacamole/guacd` — handles RDP/VNC protocol translation |

---

## 4. Architecture

```
┌─────────────────────────────────────────────────────────────┐
│  Browser (Any device, any OS)                               │
│  ┌──────────────┐   ┌──────────────┐  ┌──────────────┐      │
│  │  xterm.js    │   │ SFTP Browser │  │ guac-client  │      │
│  │  (SSH term)  │   │ (file tree)  │  │ (RDP canvas) │      │
│  └──────┬───────┘   └──────┬───────┘  └──────┬───────┘      │
│         │ WebSocket        │ REST/WS         │ WebSocket    │
└─────────┼──────────────────┼─────────────────┼──────────────┘
          │                  │                 │
┌─────────┼──────────────────┼─────────────────┼──────────────┐
│  NestJS Backend (Docker)   │                 │              │
│  ┌──────▼───────┐   ┌──────▼───────┐  ┌──────▼───────┐      │
│  │ SSH Gateway  │   │ SFTP Service │  │ Guac Tunnel  │      │
│  │ (ssh2 lib)   │   │ (ssh2 sftp)  │  │ (TCP→guacd)  │      │
│  └──────┬───────┘   └──────┬───────┘  └──────┬───────┘      │
│         │ SSH              │ SFTP            │ Guac Protocol│
└─────────┼──────────────────┼─────────────────┼──────────────┘
          │                  │                 │
          ▼                  ▼                 ▼
  ┌───────────────┐  ┌───────────────┐  ┌─────────────┐
  │  SSH Server   │  │  SSH Server   │  │   guacd     │
  │  (Linux/Unix) │  │  (same host)  │  │  (Docker)   │
  └───────────────┘  └───────────────┘  └──────┬──────┘
                                               │ RDP
                                               ▼
                                       ┌───────────────┐
                                       │  RDP Server   │
                                       │  (Windows)    │
                                       └───────────────┘
```

---

## 5. Key Open Source Components

| Component | GitHub | Stars | License | Purpose |
| --- | --- | --- | --- | --- |
| **xterm.js** | xtermjs/xterm.js | 18K+ | MIT | Web terminal emulator — the industry standard. Used by VS Code. |
| **ssh2** | mscdex/ssh2 | 5.5K+ | MIT | Pure JavaScript SSH2 client/server. Powers the SSH proxy layer. |
| **guacamole-common-js** | apache/guacamole-client | 3.2K+ | Apache 2.0 | JavaScript RDP/VNC client. Renders remote desktop in HTML5 Canvas. |
| **guacd** | apache/guacamole-server | 3.2K+ | Apache 2.0 | Native daemon that translates RDP/VNC protocols to Guacamole protocol. |
| **Monaco Editor** | microsoft/monaco-editor | 42K+ | MIT | VS Code's editor component. For in-browser file editing via SFTP. |
| **Tabby** (reference) | Eugeny/tabby | 62K+ | MIT | Formerly Terminus — reference for SSH/SFTP web client architecture. Includes web app mode. |

All components are **MIT or Apache 2.0 licensed** — zero GPL contamination, fully commercial-viable.

---

## 6. Competitive Positioning

| Feature | Termius Pro | MobaXterm Pro | Apache Guacamole | **Vigilance Remote** |
| --- | --- | --- | --- | --- |
| SSH Terminal | ✅ | ✅ | ✅ | ✅ |
| RDP | ❌ | ✅ | ✅ | ✅ |
| SFTP sidebar browser | ❌ | ✅ (killer feature) | ❌ | ✅ |
| Web-based (no install) | ❌ | ❌ | ✅ | ✅ |
| Cross-platform | ✅ (native apps) | ❌ (Windows only) | ✅ (web) | ✅ (web) |
| Modern UI | ✅ | ❌ (dated) | ❌ (basic) | ✅ |
| Team/MSP features | ✅ (Team plan) | ❌ | ✅ (basic) | ✅ |
| Entra ID SSO | ❌ | ❌ | ❌ | ✅ |
| Credential vault | ✅ | ✅ (master pw) | ✅ (DB) | ✅ (AES-256-GCM) |
| Session recording | ❌ | ❌ | ✅ | ✅ |
| Audit logging | ❌ | ❌ | ✅ (basic) | ✅ (comprehensive) |
| Multi-tenant (MSP) | ❌ | ❌ | ❌ | ✅ |
| Self-hosted | ❌ | N/A (desktop) | ✅ | ✅ |
| Embedded code editor | ❌ | ✅ (MobaTextEditor) | ❌ | ✅ (Monaco) |
| Price | $14.99/mo/user | $69 one-time | Free | Self-hosted (free) or SaaS |

**Vigilance Remote is the only solution that combines**: web-based access + RDP + SSH + SFTP sidebar browser + modern UI + MSP multi-tenancy + Entra ID SSO + session recording + audit logging in a single self-hosted application.

---

## 7. Database Schema (High Level)

```
users          — id, email, name, role, entra_id, created_at
hosts          — id, name, hostname, port, protocol (ssh/rdp), group_id, tags, notes, color
host_groups    — id, name, parent_id (hierarchical)
credentials    — id, host_id, type (password/key/entra), encrypted_value, key_passphrase
ssh_keys       — id, user_id, name, public_key, encrypted_private_key, passphrase
sessions       — id, user_id, host_id, protocol, started_at, ended_at, recording_path
audit_logs     — id, user_id, action, target, details, ip_address, timestamp
port_forwards  — id, host_id, type (local/remote/dynamic), local_port, remote_host, remote_port
snippets       — id, user_id, name, command, tags
client_access  — id, user_id, client_id (MSP multi-tenant scoping)
settings       — id, key, value (system-wide config)
```

---

## 8. Build Estimate

Given the existing open-source components (xterm.js, guacd, ssh2, Monaco), the heavy lifting is integration, not invention. The core SSH terminal + SFTP browser + RDP via Guacamole + connection manager could be built as a focused 3-4 week project using the Commander doctrine.

| Phase | Duration | Deliverables |
| --- | --- | --- |
| Foundation | Week 1 | Nuxt 3 scaffold, NestJS backend, Docker Compose (app + guacd + postgres + redis), auth (Entra ID + local), connection manager CRUD |
| SSH + SFTP | Week 2 | xterm.js terminal with WebSocket proxy, multi-tab, split panes, SFTP sidebar browser with drag-drop upload/download, Monaco file editor |
| RDP | Week 3 | guacd integration, guacamole-common-js client, RDP canvas rendering, clipboard sync, session settings |
| Polish & MSP | Week 4 | Session recording/playback, audit logging, team features, MSP multi-tenant scoping, theming, keyboard shortcuts, snippets |

---

*This spec is ready for Claude Code. The open-source components are proven, the architecture is clean, and the integration patterns are well-documented. Point the XO at this spec and the result is a self-hosted MobaXterm replacement that runs in any browser.*
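
The credential vault row in section 2.4 and the `credentials.encrypted_value` column in section 7 name AES-256-GCM but not how a stored value is laid out. The following is an added sketch using Node's built-in `crypto`, not code from this project or from Vigilance HQ: the function names, the `v1.iv.tag.ciphertext` envelope and the use of row fields as associated data are all assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed 32-byte demo key. Where the real key comes from (master password
// KDF, secret store) is outside this sketch.
const DEMO_KEY = crypto.createHash('sha256').update('constructed demo key').digest();

// Associated data ties a ciphertext to one credentials row, so a value copied
// onto another host's row fails authentication instead of decrypting.
function aadFor(row) {
  return Buffer.from(`credentials:${row.id}:${row.host_id}:${row.type}`, 'utf8');
}

// Returns the string for credentials.encrypted_value (assumed envelope):
// "v1.<iv>.<tag>.<ciphertext>", binary parts base64url-encoded.
function sealCredential(key, row, secret) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(row));
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64url'));
  return ['v1', ...parts].join('.');
}

// Throws on an unknown envelope, a wrong row, a wrong key or any modified byte.
function openCredential(key, row, stored) {
  const fields = String(stored).split('.');
  if (fields.length !== 4 || fields[0] !== 'v1') {
    throw new Error('unsupported credential envelope');
  }
  const [iv, tag, ct] = fields.slice(1).map((f) => Buffer.from(f, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) {
    throw new Error('malformed credential envelope');
  }
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(aadFor(row));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed rows for two different hosts.
const rowA = { id: 1, host_id: 10, type: 'password' };
const rowB = { id: 2, host_id: 11, type: 'password' };
const sealed = sealCredential(DEMO_KEY, rowA, 'constructed-password');
console.log(openCredential(DEMO_KEY, rowA, sealed));
try {
  openCredential(DEMO_KEY, rowB, sealed);
} catch (err) {
  console.log('row B rejected:', err.message);
}
```

The leading `v1` field leaves room to rotate keys or change algorithms later without guessing how an old row was written.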