Secure remote-control platform that lets an iPhone control a Mac over the internet using a hardened relay, native clients, and app-layer end-to-end encryption.
This project demonstrates practical engineering for roles in AI, data, and business-facing technical product work: requirements definition, threat modeling, system design, reliability, and documentation for adoption.
- Domain: remote systems, secure communications, cross-platform app development
- Business value: secure remote access workflow with production deployment path
- Engineering strengths shown: architecture, security hardening, mobile + desktop client integration, operational docs
- Collaboration maturity: onboarding docs, troubleshooting, CI, contribution and security policies
- Product/System Design: distributed architecture, pairing workflow, secure session lifecycle
- Security Engineering: TLS/WSS, Curve25519 key exchange, HKDF, AES-GCM, replay defense, periodic rekeying
- Backend/API: FastAPI relay, WebSocket routing, rate limiting, origin controls
- Client Development: SwiftUI on iOS/macOS, WebSocket clients, UI trust gating, permission handling
- DevOps: Caddy reverse proxy, Docker Compose deployment, GitHub Actions CI
- Business Analyst Lens: clear user flows, risk controls, measurable acceptance criteria, stakeholder-ready docs
How a session is established:
- The macOS app requests a short-lived pairing code from the relay API.
- The iOS and macOS apps each connect to the relay over WSS.
- The native clients run an ephemeral Curve25519 (X25519) handshake and derive end-to-end session keys; the relay never holds them.
- Each side shows a key fingerprint; the user compares them on both screens and explicitly trusts the peer before stream/control is enabled.
- Encrypted frames and events pass through the relay as ciphertext only.
- Replayed frames are dropped by a monotonic sequence-number check.
- Session keys rotate automatically every 5 minutes or every 300 encrypted messages, whichever comes first.
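The session lifecycle above, written out as an added Go example (this is not the project's Swift or Python code): ephemeral X25519 key exchange, HKDF-SHA256 key derivation into one key per direction, AES-256-GCM frames carrying a monotonic sequence number, replay rejection, and rekeying after 300 frames. The wire format (a 12-byte gen||seq header used as both nonce and AAD), the HKDF labels, the fingerprint (first 8 bytes of SHA-256 over macPub||phonePub) and the HKDF-based rekey ratchet are assumptions made for illustration; the project's actual framing is not on this page, and the 5-minute timer, the relay and the pairing-code transport are omitted, so the two public keys are handed over directly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// Frames per direction before the key rotates: the page's 300-message rule (its 5-minute timer is omitted here).
const rekeyAfter = 300

// hkdfSHA256 is RFC 5869 extract-then-expand for one 32-byte output block.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

func gcm(key []byte) cipher.AEAD { // a 32-byte HKDF output selects AES-256; neither call can fail at that size
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// ratchet derives generation gen+1's key from generation gen's (an assumed scheme, not the project's).
func ratchet(key []byte, gen uint32) []byte {
	return hkdfSHA256(key, nil, binary.BigEndian.AppendUint32([]byte("rekey"), gen))
}

// Dir is one direction of the session; next is the seq to send next, or on the receiving side the lowest seq still accepted.
type Dir struct {
	key  []byte
	gen  uint32
	next uint64
}

func (d *Dir) Seal(plain []byte) []byte {
	if d.next >= rekeyAfter {
		d.key, d.gen, d.next = ratchet(d.key, d.gen), d.gen+1, 0
	}
	h := make([]byte, 12) // gen||seq: both nonce and AAD; never repeats under one key because seq resets only with the key
	binary.BigEndian.PutUint32(h, d.gen)
	binary.BigEndian.PutUint64(h[4:], d.next)
	d.next++
	return gcm(d.key).Seal(h, h, plain, h) // frame = header || ciphertext || tag
}

// Open drops replayed or stale frames by sequence number and commits state only after the tag verifies.
func (d *Dir) Open(frame []byte) ([]byte, error) {
	if len(frame) < 12 {
		return nil, errors.New("short frame")
	}
	gen, seq := binary.BigEndian.Uint32(frame), binary.BigEndian.Uint64(frame[4:12])
	key, next := d.key, d.next
	if gen == d.gen+1 { // peer rotated: try the next key, but advance only once a frame authenticates under it
		key, next = ratchet(d.key, d.gen), 0
	} else if gen != d.gen {
		return nil, errors.New("unexpected key generation")
	}
	if seq < next {
		return nil, errors.New("replayed or stale sequence number, frame dropped")
	}
	plain, err := gcm(key).Open(nil, frame[:12], frame[12:], frame[:12])
	if err != nil {
		return nil, err // forged or tampered frame: receiver state is unchanged
	}
	d.key, d.gen, d.next = key, gen, seq+1
	return plain, nil
}

// NewKey makes the ephemeral X25519 key pair for one pairing session; it is never reused across sessions.
func NewKey() *ecdh.PrivateKey {
	k, _ := ecdh.X25519().GenerateKey(rand.Reader) // crypto/rand fails only if the OS CSPRNG is unavailable
	return k
}

// Derive finishes one side's handshake: X25519 ECDH, HKDF into two directional keys, and a fingerprint over
// macPub||phonePub in fixed order, so both devices display the same string to compare before pressing Trust.
func Derive(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey, isMac bool) (send, recv *Dir, fp string, err error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return
	}
	transcript, sendInfo, recvInfo := append(priv.PublicKey().Bytes(), peerPub.Bytes()...), "mac->phone", "phone->mac"
	if !isMac {
		transcript, sendInfo, recvInfo = append(peerPub.Bytes(), priv.PublicKey().Bytes()...), recvInfo, sendInfo
	}
	send = &Dir{key: hkdfSHA256(shared, transcript, []byte(sendInfo))}
	recv = &Dir{key: hkdfSHA256(shared, transcript, []byte(recvInfo))}
	sum := sha256.Sum256(transcript)
	return send, recv, hex.EncodeToString(sum[:8]), nil
}
```

Each device calls NewKey and Derive with the peer's public key; the Mac's send Dir pairs with the phone's recv Dir and vice versa, and the two Fingerprint strings match only if nobody substituted keys in transit. Two details matter in Open: the receiver tries the next-generation key when the header says the peer rotated but does not store it, or bump next, until GCM has verified the tag, so a forged header can neither desync the receiver nor open a replay window; and a replayed frame fails the seq check before any decryption is attempted.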
Repository layout:
- relay/ : FastAPI relay server (pair code API + WebSocket bridge + hardening)
- apps/macos/MacbookControllerMac : native macOS agent app
- apps/ios/MacbookControlleriOS : native iPhone controller app
- deploy/ : HTTPS/WSS deployment files (Caddy + docker compose)
- controller/ : fallback web controller (non-native)
- docs/ : recruiter-facing summaries and supporting material
Run the relay locally:
cd relay
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
Recommended local .env values:
MAC_DEVICE_TOKEN=replace-with-long-random-token
PAIR_CODE_TTL_SECONDS=300
ALLOWED_ORIGINS=
REQUIRE_HTTPS=false
RATE_LIMIT_WINDOW_SECONDS=60
RATE_LIMIT_CREATE_CODE=15
RATE_LIMIT_CHECK_CODE=120
Replace MAC_DEVICE_TOKEN with a long random value (for example 32 random bytes, hex-encoded); anyone who knows it can act as the Mac agent towards the relay. REQUIRE_HTTPS=false is for local testing only.
Start:
uvicorn relay_server:app --host 0.0.0.0 --port 8787
Binding 0.0.0.0 exposes the relay on your LAN so the iPhone can reach it; with REQUIRE_HTTPS=false the relay traffic itself is plaintext, although session frames are still end-to-end encrypted.
Open the Xcode project:
apps/MacbookController.xcodeproj
If needed, regenerate from spec:
brew install xcodegen
cd apps
xcodegen generate
In Xcode:
- Run MacbookControllerMac on the Mac
- Run MacbookControlleriOS on the iPhone
- Set the Signing Team for both targets if prompted
When macOS prompts, grant the Mac app both permissions:
- Screen Recording
- Accessibility
Then fully restart the macOS app.
First pairing:
- Start a session in the Mac app and note the 6-digit code and the fingerprint
- Connect from the iPhone app with the code
- Compare the fingerprints shown on both devices; if they differ, do not press Trust, because something between the two clients has altered the handshake
- Press Trust on both
- Remote stream/control goes live
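The relay side of the pairing code, as an added Go example (the real relay is FastAPI; this is not its code): uniformly random 6-digit codes that expire after PAIR_CODE_TTL_SECONDS, are accepted exactly once, and are guarded by a fixed-window counter that reads RATE_LIMIT_CREATE_CODE and RATE_LIMIT_CHECK_CODE as requests per caller per RATE_LIMIT_WINDOW_SECONDS. That reading of the variable names, the per-caller keying, and the Relay/CreateCode/CheckCode names are assumptions; the MAC_DEVICE_TOKEN check and the WebSocket bridge are left out. The injectable clock exists only so expiry can be exercised offline.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// window is one caller's fixed rate-limit window: requests counted since start.
type window struct {
	start time.Time
	n     int
}

// Relay keeps unexpired pairing codes and per-caller request counters for the two rate-limited endpoints.
type Relay struct {
	mu                  sync.Mutex
	ttl, win            time.Duration
	maxCreate, maxCheck int
	codes               map[string]time.Time // code -> expiry
	hits                map[string]window    // "create:<caller>" or "check:<caller>" -> current window
	now                 func() time.Time     // injectable clock so expiry can be tested offline
}

// NewRelay takes the .env numbers in order: PAIR_CODE_TTL_SECONDS, RATE_LIMIT_WINDOW_SECONDS,
// RATE_LIMIT_CREATE_CODE, RATE_LIMIT_CHECK_CODE (assumed to mean requests per caller per window).
func NewRelay(ttlSec, windowSec, maxCreate, maxCheck int) *Relay {
	return &Relay{
		ttl: time.Duration(ttlSec) * time.Second, win: time.Duration(windowSec) * time.Second,
		maxCreate: maxCreate, maxCheck: maxCheck,
		codes: map[string]time.Time{}, hits: map[string]window{}, now: time.Now,
	}
}

// allow counts one request for key in its current window and rejects once the limit is reached.
func (r *Relay) allow(key string, limit int) bool {
	w := r.hits[key]
	if r.now().Sub(w.start) >= r.win {
		w = window{start: r.now()}
	}
	if w.n >= limit {
		r.hits[key] = w
		return false
	}
	w.n++
	r.hits[key] = w
	return true
}

// CreateCode mints a uniformly random 6-digit code for the Mac agent identified by caller; it expires after ttl.
func (r *Relay) CreateCode(caller string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if !r.allow("create:"+caller, r.maxCreate) {
		return "", errors.New("rate limited: too many pairing codes requested")
	}
	for c, exp := range r.codes { // lazy sweep of codes nobody redeemed
		if !r.now().Before(exp) {
			delete(r.codes, c)
		}
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000)) // crypto/rand, never math/rand, for a secret
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	r.codes[code] = r.now().Add(r.ttl)
	return code, nil
}

// CheckCode consumes a pairing code: a correct, unexpired code is accepted exactly once, so a code that
// was observed in transit or replayed cannot pair a second device.
func (r *Relay) CheckCode(caller, code string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if !r.allow("check:"+caller, r.maxCheck) {
		return false // counted before the lookup, so wrong guesses spend the budget too
	}
	exp, ok := r.codes[code]
	if !ok {
		return false
	}
	delete(r.codes, code) // single use, whether or not it is still valid
	return r.now().Before(exp)
}

// MaxGuesses is an upper bound on check attempts one caller can make during one code's lifetime. Fixed
// windows start at the caller's first request, so an attacker can straddle one extra boundary: ttl/win + 1 windows.
func (r *Relay) MaxGuesses() int {
	return (int(r.ttl/r.win) + 1) * r.maxCheck
}
```

With the values recommended above (TTL 300 s, 120 checks per 60 s window) MaxGuesses is 720 attempts against 1,000,000 codes, under 0.1% per pairing, and a burst of wrong guesses shows up in the rate-limit counter. The bound scales linearly with the check limit and the TTL, which is why both stay small; raising RATE_LIMIT_CHECK_CODE to "make connecting more forgiving" is the setting most likely to be loosened by mistake.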
Production deployment (HTTPS/WSS):
Use deploy/Caddyfile and deploy/docker-compose.yml.
Set real domains in deploy/Caddyfile and set:
REQUIRE_HTTPS=true
ALLOWED_ORIGINS=https://controller.yourdomain.com
Then:
cd deploy
docker compose up -d
Further documentation:
- Project brief: docs/PROJECT_BRIEF.md
- Portfolio bullets: docs/PORTFOLIO_BULLETS.md
- Native app details: apps/README.md
Troubleshooting:
- No stream after connect: fingerprint trust not confirmed on one side
- No control input: macOS Accessibility permission missing
- Blank frames: macOS Screen Recording permission missing
- Remote connect failures: check DNS/TLS and make sure the client URL uses wss://, not ws://