Remote control and mobile

Control Center is a desktop app, but the work it tracks doesn’t stop when you step away from your desk. Remote control pairs the desktop with your phone over a direct, peer-to-peer link, using Remote, the companion app at remote.usectrl.dev, so you can follow the fleet from there: read messages and tickets, reply to an agent, triage your newsfeed, without the audio, transcript, source code, or credentials that live on the desktop ever leaving it.

Think of it as a read-mostly companion to the deck. It is not meant to replace the full desktop client.

<svg viewBox="0 0 24 24" width="16" height="16" fill="currentColor" class="starlight-aside__icon"><path d="M12 11C11.7348 11 11.4804 11.1054 11.2929 11.2929C11.1054 11.4804 11 11.7348 11 12V16C11 16.2652 11.1054 16.5196 11.2929 16.7071C11.4804 16.8946 11.7348 17 12 17C12.2652 17 12.5196 16.8946 12.7071 16.7071C12.8946 16.5196 13 16.2652 13 16V12C13 11.7348 12.8946 11.4804 12.7071 11.2929C12.5196 11.1054 12.2652 11 12 11ZM12.38 7.08C12.1365 6.97998 11.8635 6.97998 11.62 7.08C11.4973 7.12759 11.3851 7.19896 11.29 7.29C11.2017 7.3872 11.1306 7.49882 11.08 7.62C11.024 7.73868 10.9966 7.86882 11 8C10.9992 8.13161 11.0245 8.26207 11.0742 8.38391C11.124 8.50574 11.1973 8.61656 11.29 8.71C11.3872 8.79833 11.4988 8.86936 11.62 8.92C11.7715 8.98224 11.936 9.00632 12.099 8.99011C12.2619 8.97391 12.4184 8.91792 12.5547 8.82707C12.691 8.73622 12.8029 8.61328 12.8805 8.46907C12.9582 8.32486 12.9992 8.16378 13 8C12.9963 7.73523 12.8927 7.48163 12.71 7.29C12.6149 7.19896 12.5028 7.12759 12.38 7.08ZM12 2C10.0222 2 8.08879 2.58649 6.4443 3.6853C4.79981 4.78412 3.51809 6.3459 2.76121 8.17317C2.00433 10.0004 1.8063 12.0111 2.19215 13.9509C2.578 15.8907 3.53041 17.6725 4.92894 19.0711C6.32746 20.4696 8.10929 21.422 10.0491 21.8079C11.9889 22.1937 13.9996 21.9957 15.8268 21.2388C17.6541 20.4819 19.2159 19.2002 20.3147 17.5557C21.4135 15.9112 22 13.9778 22 12C22 10.6868 21.7413 9.38642 21.2388 8.17317C20.7363 6.95991 19.9997 5.85752 19.0711 4.92893C18.1425 4.00035 17.0401 3.26375 15.8268 2.7612C14.6136 2.25866 13.3132 2 12 2ZM12 20C10.4178 20 8.87104 19.5308 7.55544 18.6518C6.23985 17.7727 5.21447 16.5233 4.60897 15.0615C4.00347 13.5997 3.84504 11.9911 4.15372 10.4393C4.4624 8.88743 5.22433 7.46197 6.34315 6.34315C7.46197 5.22433 8.88743 4.4624 10.4393 4.15372C11.9911 3.84504 13.5997 4.00346 15.0615 4.60896C16.5233 5.21447 17.7727 6.23984 18.6518 7.55544C19.5308 8.87103 20 10.4177 20 12C20 14.1217 19.1572 16.1566 17.6569 17.6569C16.1566 19.1571 14.1217 20 12 20Z"/></svg>Two different remote paths

The phone companion pairs over WebRTC with the running desktop, via a signaling broker — a separate transport from the headless cc_server the desktop itself talks to. The full web build (and a desktop pointed at a remote server) is the other remote path; it dials cc_server over WebSocket and renders the complete app. See Deployment and clients for how the two differ.

What the phone can do

The paired phone reaches a small, intentional slice of the desktop’s surface:

• Read tickets, agents, channels and their messages, and your newsfeed
• Reply: send a message in a channel, update or assign a ticket, mark an article read or saved

That’s it. A phone is a lower-privilege principal than a local agent. It cannot spawn processes, spend LLM budget, push to GitHub, hire or fire agents, or create workspaces. See the security model for why.

How the link is built

The connection is a direct WebRTC data channel between the phone and the desktop. There is no cloud relay sitting between them that can see your data.

Three pieces come together at pairing time:

Piece	Role
Remote (phone app)	The companion web app, hosted at remote.usectrl.dev by default, or self-hosted. Loads in a browser, holds the pairing record in IndexedDB.
Signaling broker	A wss:// relay that carries only opaque connection setup blobs (SDP/ICE). It never sees app data or the pairing secret.
STUN servers	Help the two peers find each other’s network path. No TURN relay, by design: there is no server that relays your traffic.

The desktop is the answerer: the phone creates the connection offer and the data channel, and the desktop answers. ICE uses a direct LAN path when both devices are on the same network and hole-punches through NAT via STUN when they aren’t.

Because there is no TURN relay, the link is genuinely peer-to-peer, but it also means a strict or symmetric NAT can block it (roughly 10–20% of networks). That is the trade-off: Control Center would rather fail to pair than quietly route your data through a third-party relay. On repeated connection failure the phone suggests joining the same Wi-Fi as the desktop and keeps retrying in the background; a connection that succeeds once reconnects without re-scanning the code.

Pairing

You start a pairing offer on the desktop; it shows a QR code (and a copyable link). Scan it with the phone’s camera (or open the link in a browser) and the phone connects.

What’s in that code is a deep link:

https://<pwa-host>/#<payload>

The payload rides in the URL fragment, the part after # that browsers never send to the server, so the PWA’s HTTPS host never sees it. The payload carries everything the phone needs to reach the desktop and prove who it is:

• the signaling broker URL and a one-time room code
• a 32-byte pre-shared key (PSK)
• the desktop’s app-instance id
• the STUN server list
• a short expiry (~5 minutes)

The phone decodes it, stores a pairing record locally, and strips the fragment so the secret leaves the URL. The offer is short-lived: an unused QR expires.

The security model

A paired phone is authenticated but untrusted. Several layers keep an approved (or leaked) pairing from becoming full remote control of the desktop.

1. Default-deny tool policy

The phone shares the desktop’s tool registry, the same one the MCP server exposes, but a default-deny allow-list governs which tools it may call. Anything not listed is rejected before it ever runs. The allow-list is intentionally read-and-observe heavy, plus a handful of local-only writes (a message, a ticket update) that spend no LLM budget, spawn no process, and touch no external system like GitHub.

Denied, for example: consulting an agent, starting an AI review, killing an agent, publishing a review to GitHub, hiring or firing agents, creating a workspace.

2. A pre-shared key bound to the connection

On connect, the desktop runs a PSK nonce challenge and binds the proof to the connection’s pinned DTLS fingerprint. The signaling broker only relays setup blobs; it never sees the PSK. A device that is revoked (or whose row is deleted) finds its PSK already gone, so it fails closed on reconnect.

3. Per-session workspace binding

Every tool call the phone makes is scoped by a per-session workspace binding, the sole source of the workspace_id for that call. The binding is seeded from the desktop’s active workspace when the phone connects, but is independent of the desktop UI: switching workspaces on the phone changes only the binding, never the desktop’s view. A phone bound to workspace A cannot read or mutate workspace B by passing a foreign id. This is the same workspace isolation invariant the rest of the product enforces.

4. Rate limiting

Each session runs a sliding-window limiter, a cap on total calls per minute and a tighter sub-cap on the mutating verbs, so a misbehaving or hijacked client can’t flood tool calls, churn local writes, or burn resources.

5. No long-lived cloud presence

The signaling broker carries only connection setup, stays in the room only for the device’s lifetime, and drops transiently without surfacing as a hang-up. The app data, audio, transcript, source, and credentials all stay on the desktop.

Live updates

Once paired, the phone receives live, workspace-scoped updates as notifications (new agent messages, tickets assigned to you, status changes), mirroring the desktop’s own notifications but filtered to the bound workspace. A phone never receives a notification from another workspace.

Where it lives

Surface	What it shows
Settings → Devices	Paired devices with live status, plus pair / approve / revoke
Settings → Remote control	The transport: signaling broker URL, PWA host, STUN servers, start-on-launch, listener on/off

The Remote control section configures the transport; the Devices screen manages the devices themselves.

<svg viewBox="0 0 24 24" width="16" height="16" fill="currentColor" class="starlight-aside__icon"><path d="M12 11C11.7348 11 11.4804 11.1054 11.2929 11.2929C11.1054 11.4804 11 11.7348 11 12V16C11 16.2652 11.1054 16.5196 11.2929 16.7071C11.4804 16.8946 11.7348 17 12 17C12.2652 17 12.5196 16.8946 12.7071 16.7071C12.8946 16.5196 13 16.2652 13 16V12C13 11.7348 12.8946 11.4804 12.7071 11.2929C12.5196 11.1054 12.2652 11 12 11ZM12.38 7.08C12.1365 6.97998 11.8635 6.97998 11.62 7.08C11.4973 7.12759 11.3851 7.19896 11.29 7.29C11.2017 7.3872 11.1306 7.49882 11.08 7.62C11.024 7.73868 10.9966 7.86882 11 8C10.9992 8.13161 11.0245 8.26207 11.0742 8.38391C11.124 8.50574 11.1973 8.61656 11.29 8.71C11.3872 8.79833 11.4988 8.86936 11.62 8.92C11.7715 8.98224 11.936 9.00632 12.099 8.99011C12.2619 8.97391 12.4184 8.91792 12.5547 8.82707C12.691 8.73622 12.8029 8.61328 12.8805 8.46907C12.9582 8.32486 12.9992 8.16378 13 8C12.9963 7.73523 12.8927 7.48163 12.71 7.29C12.6149 7.19896 12.5028 7.12759 12.38 7.08ZM12 2C10.0222 2 8.08879 2.58649 6.4443 3.6853C4.79981 4.78412 3.51809 6.3459 2.76121 8.17317C2.00433 10.0004 1.8063 12.0111 2.19215 13.9509C2.578 15.8907 3.53041 17.6725 4.92894 19.0711C6.32746 20.4696 8.10929 21.422 10.0491 21.8079C11.9889 22.1937 13.9996 21.9957 15.8268 21.2388C17.6541 20.4819 19.2159 19.2002 20.3147 17.5557C21.4135 15.9112 22 13.9778 22 12C22 10.6868 21.7413 9.38642 21.2388 8.17317C20.7363 6.95991 19.9997 5.85752 19.0711 4.92893C18.1425 4.00035 17.0401 3.26375 15.8268 2.7612C14.6136 2.25866 13.3132 2 12 2ZM12 20C10.4178 20 8.87104 19.5308 7.55544 18.6518C6.23985 17.7727 5.21447 16.5233 4.60897 15.0615C4.00347 13.5997 3.84504 11.9911 4.15372 10.4393C4.4624 8.88743 5.22433 7.46197 6.34315 6.34315C7.46197 5.22433 8.88743 4.4624 10.4393 4.15372C11.9911 3.84504 13.5997 4.00346 15.0615 4.60896C16.5233 5.21447 17.7727 6.23984 18.6518 7.55544C19.5308 8.87103 20 10.4177 20 12C20 14.1217 19.1572 16.1566 17.6569 17.6569C16.1566 19.1571 14.1217 20 12 20Z"/></svg>Note

Remote control is desktop-only and is not exposed over MCP. The phone speaks to the desktop’s own tool dispatcher over the peer connection; it is not an MCP client of an external server.

Related concepts

• Workspaces and isolation: the per-session workspace binding enforces the same invariant
• Architecture: where remote control sits in the stack

Related guides

• Pair a device