@instafy/cli 0.1.6 → 0.1.7

package/README.md

@@ -20,7 +20,7 @@ Run Instafy projects locally and connect them back to Instafy Studio — from an
 - `instafy runtime:status` — show health of the last started runtime.
 - `instafy runtime:stop` — stop the last started runtime.
 - `instafy tunnel` — request a tunnel and forward a local port.
-- `instafy project:mount` — mount project files locally (SSHFS).
+- `instafy api:get` — query controller endpoints (conversations, messages, runs, etc).
 
 Run `instafy --help` for the full command list and options.
 

package/dist/api.js

@@ -0,0 +1,130 @@
+import fs from "node:fs";
+function normalizeUrl(raw) {
+    const value = (raw ?? "").trim();
+    if (!value)
+        return "http://127.0.0.1:8788";
+    return value.replace(/\/$/, "");
+}
+function normalizeToken(raw) {
+    if (!raw)
+        return null;
+    const trimmed = raw.trim();
+    return trimmed.length ? trimmed : null;
+}
+function resolveBearerToken(options) {
+    return (normalizeToken(options.accessToken) ??
+        normalizeToken(options.serviceToken) ??
+        normalizeToken(process.env["CONTROLLER_ACCESS_TOKEN"]) ??
+        normalizeToken(process.env["INSTAFY_ACCESS_TOKEN"]) ??
+        normalizeToken(process.env["INSTAFY_SERVICE_TOKEN"]) ??
+        normalizeToken(process.env["CONTROLLER_TOKEN"]) ??
+        normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"]));
+}
+function parseKeyValue(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed) {
+        throw new Error("Key/value pair cannot be empty");
+    }
+    const equals = trimmed.indexOf("=");
+    if (equals === -1) {
+        return { key: trimmed, value: "" };
+    }
+    const key = trimmed.slice(0, equals).trim();
+    const value = trimmed.slice(equals + 1).trim();
+    if (!key) {
+        throw new Error(`Invalid pair "${raw}" (missing key)`);
+    }
+    return { key, value };
+}
+function parseHeader(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed) {
+        throw new Error("Header cannot be empty");
+    }
+    const colon = trimmed.indexOf(":");
+    if (colon !== -1) {
+        const key = trimmed.slice(0, colon).trim();
+        const value = trimmed.slice(colon + 1).trim();
+        if (!key) {
+            throw new Error(`Invalid header "${raw}" (missing name)`);
+        }
+        return { key, value };
+    }
+    return parseKeyValue(trimmed);
+}
+function parseJsonBody(options) {
+    if (options.jsonFile) {
+        const raw = fs.readFileSync(options.jsonFile, "utf8");
+        const parsed = JSON.parse(raw);
+        return JSON.stringify(parsed);
+    }
+    if (options.json) {
+        const parsed = JSON.parse(options.json);
+        return JSON.stringify(parsed);
+    }
+    return undefined;
+}
+function buildRequestUrl(options) {
+    const base = normalizeUrl(options.controllerUrl ??
+        process.env["INSTAFY_SERVER_URL"] ??
+        process.env["CONTROLLER_BASE_URL"] ??
+        "http://127.0.0.1:8788");
+    const rawPath = options.path.trim();
+    if (!rawPath) {
+        throw new Error("Path is required");
+    }
+    const url = rawPath.startsWith("http://") || rawPath.startsWith("https://")
+        ? new URL(rawPath)
+        : new URL(rawPath.startsWith("/") ? rawPath : `/${rawPath}`, `${base}/`);
+    for (const pair of options.query ?? []) {
+        const { key, value } = parseKeyValue(pair);
+        url.searchParams.set(key, value);
+    }
+    return url;
+}
+function maybePrettyPrintJson(text, pretty) {
+    if (!pretty)
+        return text;
+    if (!text.trim())
+        return text;
+    try {
+        return JSON.stringify(JSON.parse(text), null, 2);
+    }
+    catch {
+        return text;
+    }
+}
+export async function requestControllerApi(options) {
+    const url = buildRequestUrl(options);
+    const bearer = resolveBearerToken(options);
+    const headers = new Headers();
+    headers.set("accept", "application/json");
+    if (bearer) {
+        headers.set("authorization", `Bearer ${bearer}`);
+    }
+    for (const header of options.headers ?? []) {
+        const { key, value } = parseHeader(header);
+        headers.set(key, value);
+    }
+    const body = parseJsonBody(options);
+    if (body !== undefined && !headers.has("content-type")) {
+        headers.set("content-type", "application/json");
+    }
+    const response = await fetch(url, {
+        method: options.method,
+        headers,
+        body,
+    });
+    const responseText = await response.text().catch(() => "");
+    const contentType = response.headers.get("content-type") ?? "";
+    const isJson = contentType.includes("application/json") || contentType.includes("+json");
+    const pretty = options.pretty !== false;
+    const formattedBody = isJson ? maybePrettyPrintJson(responseText, pretty) : responseText;
+    if (!response.ok) {
+        const prefix = `Request failed (${response.status} ${response.statusText})`;
+        const suffix = formattedBody.trim() ? `: ${formattedBody}` : "";
+        throw new Error(`${prefix}${suffix}`);
+    }
+    if (formattedBody)
+        console.log(formattedBody);
+}

package/dist/git.js

@@ -0,0 +1,96 @@
+import fs from "node:fs";
+import path from "node:path";
+import kleur from "kleur";
+function normalizeToken(value) {
+    if (typeof value !== "string") {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function readTokenFromFile(filePath) {
+    const normalized = normalizeToken(filePath);
+    if (!normalized) {
+        return null;
+    }
+    const resolved = path.resolve(normalized);
+    const contents = fs.readFileSync(resolved, "utf8").trim();
+    if (!contents) {
+        throw new Error(`token file ${resolved} was empty`);
+    }
+    return contents;
+}
+function resolveControllerAccessToken(options) {
+    return (normalizeToken(options.controllerAccessToken) ??
+        normalizeToken(process.env["INSTAFY_ACCESS_TOKEN"]) ??
+        normalizeToken(process.env["CONTROLLER_ACCESS_TOKEN"]) ??
+        normalizeToken(options.supabaseAccessToken) ??
+        readTokenFromFile(options.supabaseAccessTokenFile) ??
+        normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"]) ??
+        null);
+}
+export async function mintGitAccessToken(params) {
+    const url = params.controllerUrl.replace(/\/$/, "");
+    const target = `${url}/projects/${encodeURIComponent(params.projectId)}/git/access_token`;
+    const scopes = params.scopes && params.scopes.length > 0
+        ? params.scopes
+        : ["git.read", "git.write"];
+    const response = await fetch(target, {
+        method: "POST",
+        headers: {
+            authorization: `Bearer ${params.controllerAccessToken}`,
+            "content-type": "application/json",
+        },
+        body: JSON.stringify({
+            scopes,
+            ttlSeconds: params.ttlSeconds,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`Instafy server rejected git token request (${response.status} ${response.statusText}): ${text}`);
+    }
+    const payload = (await response.json());
+    const token = typeof payload.token === "string" ? payload.token.trim() : "";
+    if (!token) {
+        throw new Error("Instafy server response missing token field while minting git token.");
+    }
+    const expiresIn = typeof payload.expiresIn === "number" ? payload.expiresIn : 0;
+    return {
+        projectId: payload.projectId ?? params.projectId,
+        token,
+        expiresIn,
+        scopes: Array.isArray(payload.scopes) ? payload.scopes : scopes,
+    };
+}
+export async function gitToken(options) {
+    const controllerUrl = options.controllerUrl ??
+        process.env["INSTAFY_SERVER_URL"] ??
+        process.env["CONTROLLER_BASE_URL"] ??
+        "http://127.0.0.1:8788";
+    const token = resolveControllerAccessToken({
+        controllerAccessToken: options.controllerAccessToken,
+        supabaseAccessToken: options.supabaseAccessToken,
+        supabaseAccessTokenFile: options.supabaseAccessTokenFile,
+    });
+    if (!token) {
+        throw new Error("Access token is required (--access-token/INSTAFY_ACCESS_TOKEN or --supabase-access-token/SUPABASE_ACCESS_TOKEN).");
+    }
+    const minted = await mintGitAccessToken({
+        controllerUrl,
+        controllerAccessToken: token,
+        projectId: options.project,
+        scopes: options.scopes,
+        ttlSeconds: options.ttlSeconds,
+    });
+    if (options.json) {
+        console.log(JSON.stringify(minted));
+    }
+    else {
+        console.log(minted.token);
+        if (minted.expiresIn > 0) {
+            console.error(kleur.gray(`expiresIn=${minted.expiresIn}s`));
+        }
+    }
+    return minted.token;
+}

package/dist/index.js

@@ -2,9 +2,11 @@ import { Command, Option } from "commander";
 import { pathToFileURL } from "node:url";
 import { createRequire } from "node:module";
 import kleur from "kleur";
-import { runtimeStart, runtimeStatus, runtimeStop, runtimeToken, mountWorkspace, } from "./runtime.js";
+import { runtimeStart, runtimeStatus, runtimeStop, runtimeToken, } from "./runtime.js";
+import { gitToken } from "./git.js";
 import { projectInit } from "./project.js";
 import { runTunnelCommand } from "./tunnel.js";
+import { requestControllerApi } from "./api.js";
 export const program = new Command();
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
@@ -23,6 +25,9 @@ function addServiceTokenOptions(command, description) {
         .option("--service-token <token>", description)
         .addOption(new Option("--controller-token <token>").hideHelp());
 }
+function collectStringOption(value, previous) {
+    return [...previous, value];
+}
 program
     .name("instafy")
     .description("Instafy CLI — run your project locally and connect to Studio")
@@ -50,8 +55,6 @@ runtimeStartCommand
     .option("--provider <provider>", "Runtime provider label (default: self-hosted)")
     .option("--bind-host <host>", "Origin bind host (default 127.0.0.1)")
     .option("--bind-port <port>", "Origin bind port (default 54332)")
-    .option("--mount-project-files", "Mount project files from Instafy (SSHFS)")
-    .addOption(new Option("--mount-controller-fs").hideHelp())
     .option("--detach", "Run runtime in background and exit immediately")
     .option("--log-file <path>", "Write runtime stdout/stderr to a file (implied when detached)")
     .action(async (opts) => {
@@ -61,8 +64,6 @@ runtimeStartCommand
             controllerUrl: opts.serverUrl ?? opts.controllerUrl,
             controllerToken: opts.serviceToken ?? opts.controllerToken,
             controllerAccessToken: opts.accessToken ?? opts.controllerAccessToken,
-            mountProjectFiles: Boolean(opts.mountProjectFiles),
-            mountControllerFs: Boolean(opts.mountControllerFs),
         });
     }
     catch (error) {
@@ -83,21 +84,6 @@ program
         process.exit(1);
     }
 });
-program
-    .command("runtime:sshfs:check")
-    .description("Check SSHFS availability (needed for file mounts)")
-    .option("--sshfs-bin <path>", "sshfs binary (default: sshfs or SHARED_FS_BIN)")
-    .action(async (opts) => {
-    try {
-        const { checkSshfs } = await import("./runtime.js");
-        await checkSshfs(opts.sshfsBin);
-        console.log(kleur.green(`sshfs OK (${opts.sshfsBin ?? process.env.SHARED_FS_BIN ?? "sshfs"})`));
-    }
-    catch (error) {
-        console.error(kleur.red(String(error)));
-        process.exit(1);
-    }
-});
 program
     .command("runtime:stop")
     .description("Stop the local Instafy runtime")
@@ -137,6 +123,41 @@ runtimeTokenCommand
         process.exit(1);
     }
 });
+const gitTokenCommand = program
+    .command("git:token")
+    .description("Mint a git access token for the project repo")
+    .requiredOption("--project <id>", "Project UUID");
+addServerUrlOptions(gitTokenCommand);
+addAccessTokenOptions(gitTokenCommand, "Instafy access token (required)");
+gitTokenCommand
+    .option("--supabase-access-token <token>", "Supabase session token (alternative to Studio token)")
+    .option("--supabase-access-token-file <path>", "File containing the Supabase session token")
+    .option("--scope <scope...>", "Requested scopes (git.read, git.write)")
+    .option("--ttl-seconds <seconds>", "Token TTL in seconds (default server policy)")
+    .option("--json", "Output token response as JSON")
+    .action(async (opts) => {
+    try {
+        const ttlSecondsRaw = typeof opts.ttlSeconds === "string" ? opts.ttlSeconds.trim() : "";
+        const ttlSeconds = ttlSecondsRaw.length > 0 ? Number.parseInt(ttlSecondsRaw, 10) : undefined;
+        if (ttlSecondsRaw.length > 0 && (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0)) {
+            throw new Error("--ttl-seconds must be a positive integer");
+        }
+        await gitToken({
+            project: opts.project,
+            controllerUrl: opts.serverUrl ?? opts.controllerUrl,
+            controllerAccessToken: opts.accessToken ?? opts.controllerAccessToken,
+            supabaseAccessToken: opts.supabaseAccessToken,
+            supabaseAccessTokenFile: opts.supabaseAccessTokenFile,
+            scopes: opts.scope,
+            ttlSeconds,
+            json: opts.json,
+        });
+    }
+    catch (error) {
+        console.error(kleur.red(String(error)));
+        process.exit(1);
+    }
+});
 const projectInitCommand = program
     .command("project:init")
     .description("Create an Instafy project and link this folder (.instafy/project.json)")
@@ -238,39 +259,30 @@ projectListCommand
         process.exit(1);
     }
 });
-async function runProjectMount(opts) {
-    const token = opts.accessToken ??
-        opts.controllerAccessToken ??
-        process.env.INSTAFY_ACCESS_TOKEN ??
-        process.env.CONTROLLER_ACCESS_TOKEN ??
-        process.env.CONTROLLER_TOKEN;
-    if (!token) {
-        throw new Error("Access token is required for project:mount.");
-    }
-    const serverUrl = opts.serverUrl ??
-        opts.controllerUrl ??
-        process.env.INSTAFY_SERVER_URL ??
-        process.env.CONTROLLER_BASE_URL ??
-        "http://127.0.0.1:8788";
-    const mountDir = await mountWorkspace({
-        project: opts.project,
-        controllerUrl: serverUrl,
-        controllerAccessToken: token,
-        mountPath: opts.path,
-        sshfsBin: opts.sshfsBin,
-        extraOptions: opts.options,
-    });
-    console.log(kleur.green(`Mounted project files to ${mountDir}`));
-}
-function configureProjectMountCommand(command) {
+function configureApiCommand(command, method) {
     addServerUrlOptions(command);
     addAccessTokenOptions(command, "Instafy access token");
+    addServiceTokenOptions(command, "Instafy service token (advanced)");
     command
-        .option("--sshfs-bin <path>", "sshfs binary (default: sshfs or SHARED_FS_BIN)")
-        .option("--options <opts>", "Extra sshfs options")
-        .action(async (opts) => {
+        .option("--query <key=value>", "Query param (repeatable)", collectStringOption, [])
+        .option("--header <header>", "Extra header (repeatable, Key: Value)", collectStringOption, [])
+        .option("--json <json>", "JSON body as string")
+        .option("--json-file <path>", "JSON body read from file")
+        .option("--no-pretty", "Disable JSON pretty-printing")
+        .action(async (pathArg, opts) => {
         try {
-            await runProjectMount(opts);
+            await requestControllerApi({
+                method,
+                path: pathArg,
+                controllerUrl: opts.serverUrl ?? opts.controllerUrl,
+                accessToken: opts.accessToken ?? opts.controllerAccessToken,
+                serviceToken: opts.serviceToken ?? opts.controllerToken,
+                query: opts.query,
+                headers: opts.header,
+                json: opts.json,
+                jsonFile: opts.jsonFile,
+                pretty: opts.pretty,
+            });
         }
         catch (error) {
             console.error(kleur.red(String(error)));
@@ -278,12 +290,26 @@ function configureProjectMountCommand(command) {
         }
     });
 }
-const projectMountCommand = program
-    .command("project:mount")
-    .description("Mount project files into a local folder (SSHFS, shared storage)")
-    .requiredOption("--project <id>", "Project UUID")
-    .requiredOption("--path <dir>", "Local mount directory");
-configureProjectMountCommand(projectMountCommand);
+const apiGetCommand = program
+    .command("api:get")
+    .description("Perform an authenticated GET request to the controller API")
+    .argument("<path>", "API path (or full URL), e.g. /conversations/<id>/messages?limit=50");
+configureApiCommand(apiGetCommand, "GET");
+const apiPostCommand = program
+    .command("api:post")
+    .description("Perform an authenticated POST request to the controller API")
+    .argument("<path>", "API path (or full URL)");
+configureApiCommand(apiPostCommand, "POST");
+const apiPatchCommand = program
+    .command("api:patch")
+    .description("Perform an authenticated PATCH request to the controller API")
+    .argument("<path>", "API path (or full URL)");
+configureApiCommand(apiPatchCommand, "PATCH");
+const apiDeleteCommand = program
+    .command("api:delete")
+    .description("Perform an authenticated DELETE request to the controller API")
+    .argument("<path>", "API path (or full URL)");
+configureApiCommand(apiDeleteCommand, "DELETE");
 export async function runCli(argv = process.argv) {
     if (argv.length <= 2) {
         program.outputHelp();
@@ -295,6 +321,6 @@ if (import.meta.url === pathToFileURL(process.argv[1] ?? "").href) {
     void runCli(process.argv);
 }
 // Re-export programmatic APIs for embedders (e.g., VS Code extension).
-export { runtimeStart as startRuntime, runtimeStatus as getRuntimeStatus, runtimeStop as stopRuntime, runtimeToken as mintRuntimeToken, mintRuntimeAccessToken, findProjectManifest, mountWorkspace, } from "./runtime.js";
+export { runtimeStart as startRuntime, runtimeStatus as getRuntimeStatus, runtimeStop as stopRuntime, runtimeToken as mintRuntimeToken, mintRuntimeAccessToken, findProjectManifest, } from "./runtime.js";
 export { projectInit, listProjects } from "./project.js";
 export { listOrganizations } from "./org.js";

package/dist/runtime.js

@@ -1,4 +1,4 @@
-import { spawn, spawnSync } from "node:child_process";
+import { spawn } from "node:child_process";
 import { existsSync, mkdirSync, openSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import path from "node:path";
 import kleur from "kleur";
@@ -66,137 +66,6 @@ function normalizeToken(value) {
     const trimmed = value.trim();
     return trimmed.length > 0 ? trimmed : null;
 }
-function setSharedFsEnv(env, opts) {
-    if (!opts)
-        return;
-    if (opts.host)
-        env["SHARED_FS_HOST"] = opts.host;
-    if (opts.port)
-        env["SHARED_FS_PORT"] = String(opts.port);
-    if (opts.user)
-        env["SHARED_FS_USER"] = opts.user;
-    if (opts.path)
-        env["SHARED_FS_PATH"] = opts.path;
-    if (opts.keyB64)
-        env["SHARED_FS_KEY_B64"] = opts.keyB64;
-    if (opts.keyPath)
-        env["SHARED_FS_KEY_PATH"] = opts.keyPath;
-    if (opts.options)
-        env["SHARED_FS_OPTIONS"] = opts.options;
-    if (opts.flat)
-        env["RUNTIME_SHARED_FS_FLAT"] = "1";
-    env["SHARED_FS_PROTOCOL"] = env["SHARED_FS_PROTOCOL"] ?? "sshfs";
-}
-async function fetchWorkspaceMountToken(params) {
-    const base = params.controllerUrl.replace(/\/+$/, "");
-    const url = `${base}/projects/${encodeURIComponent(params.projectId)}/workspace/mount-token`;
-    const res = await fetch(url, {
-        headers: {
-            authorization: `Bearer ${params.controllerAccessToken}`,
-            accept: "application/json",
-        },
-    });
-    if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new Error(`Failed to fetch workspace mount token (${res.status} ${res.statusText}): ${text}`);
-    }
-    const json = (await res.json());
-    if (!json?.protocol || !json.host || !json.path) {
-        throw new Error("Workspace mount token response missing required fields.");
-    }
-    return json;
-}
-function prepareTempKey(keyB64) {
-    if (!keyB64)
-        return null;
-    const buf = Buffer.from(keyB64.trim(), "base64");
-    const tmpDir = path.join(os.tmpdir(), "instafy-shared-fs-cli");
-    mkdirSync(tmpDir, { recursive: true });
-    const file = path.join(tmpDir, `sshfs-key-${Date.now()}.pem`);
-    writeFileSync(file, buf, { mode: 0o600 });
-    return file;
-}
-export async function mountWorkspace(options) {
-    const mountDir = path.resolve(options.mountPath);
-    mkdirSync(mountDir, { recursive: true });
-    const token = await fetchWorkspaceMountToken({
-        controllerUrl: options.controllerUrl,
-        controllerAccessToken: options.controllerAccessToken,
-        projectId: options.project,
-    });
-    if (token.protocol !== "sshfs") {
-        throw new Error(`Unsupported mount protocol: ${token.protocol}`);
-    }
-    const sshfsBin = options.sshfsBin || process.env.SHARED_FS_BIN || "sshfs";
-    assertSshfsAvailable(sshfsBin);
-    const keyPath = prepareTempKey(token.key_b64 ?? null);
-    const args = [
-        `${token.user}@${token.host}:${token.path}`,
-        mountDir,
-        "-p",
-        String(token.port ?? 22),
-        "-o",
-        "StrictHostKeyChecking=no",
-    ];
-    const mergedOpts = token.options || options.extraOptions;
-    if (keyPath) {
-        args.push("-o", `IdentityFile=${keyPath}`);
-    }
-    if (mergedOpts && mergedOpts.trim()) {
-        args.push("-o", mergedOpts.trim());
-    }
-    const result = spawnSync(sshfsBin, args, {
-        stdio: "inherit",
-        env: process.env,
-    });
-    if (keyPath) {
-        try {
-            rmSync(keyPath);
-        }
-        catch {
-            // ignore
-        }
-    }
-    if (result.status !== 0) {
-        throw new Error(`sshfs mount failed (code ${result.status ?? result.error?.message ?? "unknown"})\n` +
-            `Command: ${sshfsBin} ${args.join(" ")}`);
-    }
-    validateMountHealthy(mountDir);
-    return mountDir;
-}
-export async function checkSshfs(binOverride) {
-    const bin = binOverride || process.env.SHARED_FS_BIN || "sshfs";
-    assertSshfsAvailable(bin);
-}
-function assertSshfsAvailable(bin) {
-    const check = spawnSync(bin, ["-V"], { stdio: "ignore" });
-    if ((check.status ?? check["code"] ?? 1) === 0) {
-        return;
-    }
-    const platform = process.platform;
-    const hints = {
-        darwin: "brew install --cask macfuse && brew install gromgit/fuse/sshfs-mac",
-        linux: "sudo apt-get update && sudo apt-get install -y sshfs",
-        win32: "Install WinFsp and SSHFS-Win: https://github.com/billziss-gh/sshfs-win",
-    };
-    const hint = hints[platform] ??
-        "Install sshfs for your platform and ensure it is on PATH (or pass --sshfs-bin).";
-    throw new Error(`sshfs binary '${bin}' not found or not executable. ${hint}`);
-}
-function validateMountHealthy(mountDir) {
-    try {
-        // Best-effort sanity check to catch "Transport endpoint not connected" right after mount.
-        const entries = spawnSync("ls", ["-la", mountDir], { stdio: "ignore" });
-        if ((entries.status ?? entries["code"] ?? 1) !== 0) {
-            throw new Error("ls failed");
-        }
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        throw new Error(`sshfs mount appears unhealthy at ${mountDir}: ${message}. ` +
-            "Ensure the mount host is reachable and sshfs/fuse is enabled.");
-    }
-}
 export function findProjectManifest(startDir) {
     let current = path.resolve(startDir);
     const root = path.parse(current).root;
@@ -392,28 +261,6 @@ export async function runtimeStart(options) {
     if (runtimeAccessToken) {
         env["RUNTIME_ACCESS_TOKEN"] = runtimeAccessToken;
     }
-    // Auto-fetch workspace mount token if requested
-    const shouldMountProjectFiles = Boolean(options.mountProjectFiles || options.mountControllerFs);
-    if (shouldMountProjectFiles && controllerAccessToken && env["CONTROLLER_BASE_URL"]) {
-        const token = await fetchWorkspaceMountToken({
-            controllerUrl: env["CONTROLLER_BASE_URL"],
-            controllerAccessToken,
-            projectId,
-        });
-        setSharedFsEnv(env, {
-            host: token.host,
-            port: token.port,
-            user: token.user,
-            path: token.path,
-            keyB64: token.key_b64 ?? undefined,
-            options: token.options ?? undefined,
-            flat: true,
-        });
-    }
-    else {
-        // Shared FS mount options (sshfs) from flags/env
-        setSharedFsEnv(env, options.sharedFs);
-    }
     if (options.codexBin)
         env["CODEX_BIN"] = options.codexBin;
     if (options.proxyBaseUrl)
@@ -448,9 +295,14 @@ export async function runtimeStart(options) {
         throw new Error("Runtime/origin token is required (--origin-token or ORIGIN_INTERNAL_TOKEN), or provide --runtime-token/--controller-access-token to mint/use one");
     }
     env["ORIGIN_INTERNAL_TOKEN"] = originToken;
-    env["ORIGIN_SKIP_AUTH"] = env["ORIGIN_SKIP_AUTH"] ?? "1";
-    // Shared FS mount options (sshfs)
-    setSharedFsEnv(env, options.sharedFs);
+    const skipAuthRaw = env["ORIGIN_SKIP_AUTH"]?.trim().toLowerCase();
+    const skipAuth = skipAuthRaw === "1" || skipAuthRaw === "true" || skipAuthRaw === "yes";
+    const usesTunnel = !env["ORIGIN_ENDPOINT"];
+    const usesExplicitEndpoint = Boolean(env["ORIGIN_ENDPOINT"]);
+    if (skipAuth && (usesTunnel || usesExplicitEndpoint)) {
+        console.warn(kleur.yellow("Warning: ORIGIN_SKIP_AUTH is enabled while the origin may be reachable remotely (tunnel or --origin-endpoint). " +
+            "This is unsafe; disable ORIGIN_SKIP_AUTH for any non-local usage."));
+    }
     env["RUNTIME_DISPLAY_NAME"] =
         options.displayName ?? env["RUNTIME_DISPLAY_NAME"] ?? "Instafy CLI Runtime";
     const manifestProvider = manifestInfo.manifest?.orgName?.trim() ||

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@instafy/cli",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Run Instafy projects locally, link folders to Studio, and share previews/webhooks via tunnels.",
   "private": false,
   "publishConfig": {