@instafy/cli 0.1.7 → 0.1.8-staging.350

package/README.md

@@ -6,6 +6,9 @@ Run Instafy projects locally and connect them back to Instafy Studio — from an
 
 ## Quickstart
 
+0. Log in once: `instafy login`
+   - Also enables Git auth (credential helper) for Instafy Git Service. Disable with `instafy login --no-git-setup`.
+   - Optional: set defaults with `instafy config set controller-url <url>` / `instafy config set studio-url <url>`
 1. Link a folder to a project:
    - VS Code: install the Instafy extension and run `Instafy: Link Workspace to Project`, or
    - Terminal: `instafy project:init`
@@ -19,7 +22,10 @@ Run Instafy projects locally and connect them back to Instafy Studio — from an
 - `instafy runtime:start` — start a local runtime (agent + origin).
 - `instafy runtime:status` — show health of the last started runtime.
 - `instafy runtime:stop` — stop the last started runtime.
-- `instafy tunnel` — request a tunnel and forward a local port.
+- `instafy tunnel` — start a detached tunnel for a local port.
+  - `instafy tunnel:list` — list local tunnels started by the CLI.
+  - `instafy tunnel:logs <tunnelId> --follow` — tail tunnel logs.
+  - `instafy tunnel:stop <tunnelId>` — stop + revoke a tunnel.
 - `instafy api:get` — query controller endpoints (conversations, messages, runs, etc).
 
 Run `instafy --help` for the full command list and options.

package/dist/api.js

@@ -1,4 +1,5 @@
 import fs from "node:fs";
+import { resolveConfiguredAccessToken } from "./config.js";
 function normalizeUrl(raw) {
     const value = (raw ?? "").trim();
     if (!value)
@@ -18,7 +19,8 @@ function resolveBearerToken(options) {
         normalizeToken(process.env["INSTAFY_ACCESS_TOKEN"]) ??
         normalizeToken(process.env["INSTAFY_SERVICE_TOKEN"]) ??
         normalizeToken(process.env["CONTROLLER_TOKEN"]) ??
-        normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"]));
+        normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"]) ??
+        resolveConfiguredAccessToken());
 }
 function parseKeyValue(raw) {
     const trimmed = raw.trim();

package/dist/auth.js

@@ -0,0 +1,112 @@
+import kleur from "kleur";
+import { createInterface } from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+import { clearInstafyCliConfig, getInstafyConfigPath, resolveConfiguredStudioUrl, resolveControllerUrl, resolveUserAccessToken, writeInstafyCliConfig, } from "./config.js";
+import { installGitCredentialHelper, uninstallGitCredentialHelper } from "./git-setup.js";
+function normalizeUrl(raw) {
+    const trimmed = typeof raw === "string" ? raw.trim() : "";
+    if (!trimmed) {
+        return null;
+    }
+    return trimmed.replace(/\/$/, "");
+}
+function normalizeToken(raw) {
+    const trimmed = typeof raw === "string" ? raw.trim() : "";
+    if (!trimmed) {
+        return null;
+    }
+    const lowered = trimmed.toLowerCase();
+    if (lowered === "null" || lowered === "undefined") {
+        return null;
+    }
+    return trimmed;
+}
+function looksLikeLocalControllerUrl(controllerUrl) {
+    try {
+        const parsed = new URL(controllerUrl);
+        const host = parsed.hostname.toLowerCase();
+        return host === "127.0.0.1" || host === "localhost" || host === "::1";
+    }
+    catch {
+        return controllerUrl.includes("127.0.0.1") || controllerUrl.includes("localhost");
+    }
+}
+function deriveDefaultStudioUrl(controllerUrl) {
+    if (looksLikeLocalControllerUrl(controllerUrl)) {
+        return "http://localhost:5173";
+    }
+    return "https://staging.instafy.dev";
+}
+export async function login(options) {
+    const controllerUrl = resolveControllerUrl({ controllerUrl: options.controllerUrl ?? null });
+    const studioUrl = normalizeUrl(options.studioUrl ?? null) ??
+        normalizeUrl(process.env["INSTAFY_STUDIO_URL"] ?? null) ??
+        resolveConfiguredStudioUrl() ??
+        deriveDefaultStudioUrl(controllerUrl);
+    const url = new URL("/cli/login", studioUrl);
+    url.searchParams.set("serverUrl", controllerUrl);
+    if (options.json) {
+        console.log(JSON.stringify({ url: url.toString(), configPath: getInstafyConfigPath() }));
+        return;
+    }
+    console.log(kleur.green("Instafy CLI login"));
+    console.log("");
+    console.log("1) Open this URL in your browser:");
+    console.log(kleur.cyan(url.toString()));
+    console.log("");
+    console.log("2) After you sign in, copy the token shown on that page.");
+    console.log("");
+    const provided = normalizeToken(options.token ?? null);
+    const existing = resolveUserAccessToken();
+    let token = provided;
+    if (!token) {
+        const rl = createInterface({ input, output });
+        try {
+            token = normalizeToken(await rl.question("Paste token: "));
+        }
+        finally {
+            rl.close();
+        }
+    }
+    if (!token) {
+        throw new Error("No token provided.");
+    }
+    if (!options.noStore) {
+        writeInstafyCliConfig({ controllerUrl, studioUrl, accessToken: token });
+        console.log("");
+        console.log(kleur.green(`Saved token to ${getInstafyConfigPath()}`));
+        if (options.gitSetup !== false) {
+            try {
+                const result = installGitCredentialHelper();
+                if (result.changed) {
+                    console.log(kleur.green("Enabled git auth (credential helper installed)."));
+                }
+            }
+            catch (error) {
+                console.log(kleur.yellow(`Warning: failed to configure git credential helper: ${error instanceof Error ? error.message : String(error)}`));
+            }
+        }
+    }
+    else if (existing) {
+        console.log("");
+        console.log(kleur.yellow("Token not stored (existing token kept)."));
+    }
+    console.log("");
+    console.log("Next:");
+    console.log(`- ${kleur.cyan("instafy project:init")}`);
+    console.log(`- ${kleur.cyan("instafy runtime:start")}`);
+}
+export async function logout(options) {
+    clearInstafyCliConfig(["accessToken"]);
+    try {
+        uninstallGitCredentialHelper();
+    }
+    catch {
+        // ignore git helper cleanup failures
+    }
+    if (options?.json) {
+        console.log(JSON.stringify({ ok: true }));
+        return;
+    }
+    console.log(kleur.green("Logged out (cleared saved access token)."));
+}

package/dist/config-command.js

@@ -0,0 +1,104 @@
+import kleur from "kleur";
+import { clearInstafyCliConfig, getInstafyConfigPath, readInstafyCliConfig, writeInstafyCliConfig, } from "./config.js";
+function normalizeKey(raw) {
+    const key = raw.trim().toLowerCase().replace(/_/g, "-");
+    if (key === "controller-url" || key === "controllerurl" || key === "server-url") {
+        return "controller-url";
+    }
+    if (key === "studio-url" || key === "studiourl") {
+        return "studio-url";
+    }
+    throw new Error(`Unknown config key: ${raw} (supported: controller-url, studio-url)`);
+}
+function getValue(config, key) {
+    if (key === "controller-url")
+        return config.controllerUrl ?? null;
+    if (key === "studio-url")
+        return config.studioUrl ?? null;
+    return null;
+}
+function updateConfig(key, value) {
+    if (key === "controller-url") {
+        return writeInstafyCliConfig({ controllerUrl: value });
+    }
+    if (key === "studio-url") {
+        return writeInstafyCliConfig({ studioUrl: value });
+    }
+    return writeInstafyCliConfig({});
+}
+function clearConfig(key) {
+    if (key === "controller-url") {
+        clearInstafyCliConfig(["controllerUrl"]);
+        return;
+    }
+    if (key === "studio-url") {
+        clearInstafyCliConfig(["studioUrl"]);
+        return;
+    }
+}
+export function configPath(options) {
+    const path = getInstafyConfigPath();
+    if (options?.json) {
+        console.log(JSON.stringify({ path }, null, 2));
+        return;
+    }
+    console.log(path);
+}
+export function configList(options) {
+    const config = readInstafyCliConfig();
+    const payload = {
+        path: getInstafyConfigPath(),
+        controllerUrl: config.controllerUrl ?? null,
+        studioUrl: config.studioUrl ?? null,
+        accessTokenSet: Boolean(config.accessToken),
+        updatedAt: config.updatedAt ?? null,
+    };
+    if (options?.json) {
+        console.log(JSON.stringify(payload, null, 2));
+        return;
+    }
+    console.log(kleur.green("Instafy CLI config"));
+    console.log(`Path: ${payload.path}`);
+    console.log(`controller-url: ${payload.controllerUrl ?? kleur.yellow("(not set)")}`);
+    console.log(`studio-url: ${payload.studioUrl ?? kleur.yellow("(not set)")}`);
+    console.log(`access-token: ${payload.accessTokenSet ? kleur.green("(set)") : kleur.yellow("(not set)")}`);
+    if (payload.updatedAt) {
+        console.log(`updated-at: ${payload.updatedAt}`);
+    }
+}
+export function configGet(params) {
+    const key = normalizeKey(params.key);
+    const config = readInstafyCliConfig();
+    const value = getValue(config, key);
+    if (!value) {
+        throw new Error(`Config key ${key} is not set. Run \`instafy config set ${key} <value>\`.`);
+    }
+    if (params.json) {
+        console.log(JSON.stringify({ key, value }, null, 2));
+        return;
+    }
+    console.log(value);
+}
+export function configSet(params) {
+    const key = normalizeKey(params.key);
+    const updated = updateConfig(key, params.value);
+    const value = getValue(updated, key);
+    if (!value) {
+        throw new Error(`Failed to set ${key}.`);
+    }
+    if (params.json) {
+        console.log(JSON.stringify({ key, value, path: getInstafyConfigPath() }, null, 2));
+        return;
+    }
+    console.log(kleur.green(`Set ${key}`));
+    console.log(value);
+}
+export function configUnset(params) {
+    const key = normalizeKey(params.key);
+    clearConfig(key);
+    if (params.json) {
+        console.log(JSON.stringify({ ok: true, key }, null, 2));
+        return;
+    }
+    console.log(kleur.green(`Unset ${key}`));
+}

package/dist/config.js

@@ -0,0 +1,111 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+const INSTAFY_DIR = path.join(os.homedir(), ".instafy");
+const CONFIG_PATH = path.join(INSTAFY_DIR, "config.json");
+function normalizeToken(value) {
+    if (typeof value !== "string") {
+        return null;
+    }
+    const trimmed = value.trim();
+    if (!trimmed) {
+        return null;
+    }
+    const lowered = trimmed.toLowerCase();
+    if (lowered === "null" || lowered === "undefined") {
+        return null;
+    }
+    return trimmed;
+}
+function normalizeUrl(value) {
+    const trimmed = typeof value === "string" ? value.trim() : "";
+    if (!trimmed) {
+        return null;
+    }
+    return trimmed.replace(/\/$/, "");
+}
+export function getInstafyConfigPath() {
+    return CONFIG_PATH;
+}
+export function readInstafyCliConfig() {
+    try {
+        const raw = fs.readFileSync(CONFIG_PATH, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object") {
+            return {};
+        }
+        const record = parsed;
+        return {
+            controllerUrl: normalizeUrl(typeof record.controllerUrl === "string" ? record.controllerUrl : null),
+            studioUrl: normalizeUrl(typeof record.studioUrl === "string" ? record.studioUrl : null),
+            accessToken: normalizeToken(typeof record.accessToken === "string" ? record.accessToken : null),
+            updatedAt: typeof record.updatedAt === "string" ? record.updatedAt : null,
+        };
+    }
+    catch {
+        return {};
+    }
+}
+export function writeInstafyCliConfig(update) {
+    const existing = readInstafyCliConfig();
+    const next = {
+        controllerUrl: normalizeUrl(update.controllerUrl ?? existing.controllerUrl ?? null),
+        studioUrl: normalizeUrl(update.studioUrl ?? existing.studioUrl ?? null),
+        accessToken: normalizeToken(update.accessToken ?? existing.accessToken ?? null),
+        updatedAt: new Date().toISOString(),
+    };
+    fs.mkdirSync(INSTAFY_DIR, { recursive: true });
+    fs.writeFileSync(CONFIG_PATH, JSON.stringify(next, null, 2), { encoding: "utf8" });
+    try {
+        fs.chmodSync(CONFIG_PATH, 0o600);
+    }
+    catch {
+        // ignore chmod failures (windows / unusual fs)
+    }
+    return next;
+}
+export function clearInstafyCliConfig(keys) {
+    if (!keys || keys.length === 0) {
+        try {
+            fs.rmSync(CONFIG_PATH, { force: true });
+        }
+        catch {
+            // ignore
+        }
+        return;
+    }
+    const existing = readInstafyCliConfig();
+    const next = { ...existing };
+    for (const key of keys) {
+        next[key] = null;
+    }
+    writeInstafyCliConfig(next);
+}
+export function resolveConfiguredControllerUrl() {
+    const config = readInstafyCliConfig();
+    return normalizeUrl(config.controllerUrl ?? null);
+}
+export function resolveConfiguredStudioUrl() {
+    const config = readInstafyCliConfig();
+    return normalizeUrl(config.studioUrl ?? null);
+}
+export function resolveConfiguredAccessToken() {
+    const config = readInstafyCliConfig();
+    return normalizeToken(config.accessToken ?? null);
+}
+export function resolveControllerUrl(params) {
+    const config = readInstafyCliConfig();
+    return (normalizeUrl(params?.controllerUrl ?? null) ??
+        normalizeUrl(process.env["INSTAFY_SERVER_URL"] ?? null) ??
+        normalizeUrl(process.env["CONTROLLER_BASE_URL"] ?? null) ??
+        normalizeUrl(config.controllerUrl ?? null) ??
+        "http://127.0.0.1:8788");
+}
+export function resolveUserAccessToken(params) {
+    const config = readInstafyCliConfig();
+    return (normalizeToken(params?.accessToken ?? null) ??
+        normalizeToken(process.env["INSTAFY_ACCESS_TOKEN"] ?? null) ??
+        normalizeToken(process.env["CONTROLLER_ACCESS_TOKEN"] ?? null) ??
+        normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"] ?? null) ??
+        normalizeToken(config.accessToken ?? null));
+}

package/dist/errors.js

@@ -0,0 +1,10 @@
+export function formatAuthRequiredError(params) {
+    const lines = ["Not authenticated. Run `instafy login` first."];
+    if (params?.retryCommand) {
+        lines.push("", `Then retry: ${params.retryCommand}`);
+    }
+    if (params?.advancedHint) {
+        lines.push("", `Advanced: ${params.advancedHint}`);
+    }
+    return new Error(lines.join("\n"));
+}

package/dist/git-credential.js

@@ -0,0 +1,201 @@
+import { spawnSync } from "node:child_process";
+import { resolveControllerUrl, resolveUserAccessToken } from "./config.js";
+import { mintGitAccessToken } from "./git.js";
+function parseCredentialRequest(raw) {
+    const request = {};
+    for (const line of raw.split(/\r?\n/)) {
+        if (!line.trim())
+            continue;
+        const idx = line.indexOf("=");
+        if (idx <= 0)
+            continue;
+        const key = line.slice(0, idx).trim();
+        const value = line.slice(idx + 1).trim();
+        if (!value)
+            continue;
+        if (key === "protocol")
+            request.protocol = value;
+        if (key === "host")
+            request.host = value;
+        if (key === "path")
+            request.path = value;
+        if (key === "url")
+            request.url = value;
+        if (key === "username")
+            request.username = value;
+    }
+    return request;
+}
+function normalizeHost(rawHost) {
+    const host = rawHost.trim();
+    if (!host)
+        return null;
+    const lowered = host.toLowerCase();
+    const bracketed = lowered.match(/^\[(.+)\](?::\d+)?$/);
+    if (bracketed) {
+        return { host: lowered, hostname: bracketed[1] ?? lowered };
+    }
+    const lastColon = lowered.lastIndexOf(":");
+    if (lastColon > 0) {
+        const possiblePort = lowered.slice(lastColon + 1);
+        if (/^\d+$/.test(possiblePort)) {
+            return { host: lowered, hostname: lowered.slice(0, lastColon) };
+        }
+    }
+    return { host: lowered, hostname: lowered };
+}
+function resolveRequestHost(request) {
+    if (request.host?.trim())
+        return request.host.trim();
+    if (request.url?.trim()) {
+        try {
+            const parsed = new URL(request.url.trim());
+            return parsed.host;
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+function splitCsv(value) {
+    return (value ?? "")
+        .split(",")
+        .map((entry) => entry.trim().toLowerCase())
+        .filter(Boolean);
+}
+function isAllowedGitHost(rawHost) {
+    if (!rawHost)
+        return false;
+    const normalized = normalizeHost(rawHost);
+    if (!normalized)
+        return false;
+    const allowHosts = splitCsv(process.env["INSTAFY_GIT_HOSTS"]);
+    if (allowHosts.includes(normalized.host) || allowHosts.includes(normalized.hostname)) {
+        return true;
+    }
+    // Safe-by-default allow-list: Instafy domains and local dev.
+    if (normalized.hostname === "localhost" ||
+        normalized.hostname === "127.0.0.1" ||
+        normalized.hostname === "::1" ||
+        normalized.hostname === "host.docker.internal") {
+        return true;
+    }
+    return normalized.hostname.endsWith(".instafy.dev");
+}
+function normalizeRepoName(raw) {
+    const trimmed = raw.trim().replace(/^\/+/, "");
+    if (!trimmed)
+        return null;
+    const first = trimmed.split("/")[0] ?? "";
+    if (!first.endsWith(".git"))
+        return null;
+    const withoutSuffix = first.slice(0, -".git".length);
+    return withoutSuffix || null;
+}
+function isUuid(value) {
+    return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value);
+}
+function parseProjectIdFromUrl(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return null;
+    try {
+        const parsed = new URL(trimmed);
+        const repo = normalizeRepoName(parsed.pathname);
+        return repo && isUuid(repo) ? repo : null;
+    }
+    catch {
+        // Not a WHATWG URL (e.g. scp-like).
+    }
+    const scpLike = trimmed.match(/^(?:[^@]+@)?([^:]+):(.+)$/);
+    if (scpLike) {
+        const repo = normalizeRepoName(scpLike[2] ?? "");
+        return repo && isUuid(repo) ? repo : null;
+    }
+    return null;
+}
+function resolveProjectIdFromRequest(request) {
+    const fromPath = request.path ? normalizeRepoName(request.path) : null;
+    if (fromPath && isUuid(fromPath))
+        return fromPath;
+    const fromUrl = request.url ? parseProjectIdFromUrl(request.url) : null;
+    if (fromUrl)
+        return fromUrl;
+    return null;
+}
+function resolveProjectIdFromGitRemotes(host) {
+    const result = spawnSync("git", ["config", "--get-regexp", "^remote\\..*\\.url$"], {
+        encoding: "utf8",
+    });
+    if (result.status !== 0) {
+        return null;
+    }
+    const lines = (result.stdout ?? "").split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+    for (const line of lines) {
+        const parts = line.split(/\s+/, 2);
+        const url = parts[1] ?? "";
+        if (!url)
+            continue;
+        if (host) {
+            try {
+                const parsed = new URL(url);
+                if (parsed.host !== host)
+                    continue;
+            }
+            catch {
+                // ignore non-url remotes when host is known
+                continue;
+            }
+        }
+        const projectId = parseProjectIdFromUrl(url);
+        if (projectId)
+            return projectId;
+    }
+    return null;
+}
+export async function runGitCredentialHelper(operation) {
+    const normalized = (operation ?? "").trim().toLowerCase();
+    if (!normalized) {
+        throw new Error("git credential helper requires an operation (get|store|erase)");
+    }
+    // We mint tokens on demand; no persistence needed.
+    if (normalized === "store" || normalized === "erase") {
+        return;
+    }
+    if (normalized !== "get") {
+        throw new Error(`unsupported git credential operation: ${operation}`);
+    }
+    const stdin = await new Promise((resolve) => {
+        let buffer = "";
+        process.stdin.setEncoding("utf8");
+        process.stdin.on("data", (chunk) => (buffer += chunk));
+        process.stdin.on("end", () => resolve(buffer));
+        process.stdin.resume();
+    });
+    const request = parseCredentialRequest(stdin);
+    const requestHost = resolveRequestHost(request);
+    if (!isAllowedGitHost(requestHost)) {
+        return;
+    }
+    const projectId = resolveProjectIdFromRequest(request) ??
+        resolveProjectIdFromGitRemotes(requestHost);
+    if (!projectId) {
+        return;
+    }
+    const controllerUrl = resolveControllerUrl({ controllerUrl: null });
+    const userAccessToken = resolveUserAccessToken({ accessToken: null });
+    if (!userAccessToken) {
+        throw new Error("Not authenticated. Run `instafy login` first.");
+    }
+    const abort = new AbortController();
+    const timeout = setTimeout(() => abort.abort(), 5000);
+    const minted = await mintGitAccessToken({
+        controllerUrl,
+        controllerAccessToken: userAccessToken,
+        projectId,
+        scopes: ["git.read", "git.write"],
+        signal: abort.signal,
+    }).finally(() => clearTimeout(timeout));
+    process.stdout.write(`username=instafy\npassword=${minted.token}\n`);
+}

package/dist/git-setup.js

@@ -0,0 +1,56 @@
+import { spawnSync } from "node:child_process";
+const INSTAFY_GIT_HELPER_VALUE = "!instafy git:credential";
+function isLikelySameHelper(value) {
+    return value.includes("instafy git:credential");
+}
+function runGit(args) {
+    const result = spawnSync("git", args, { encoding: "utf8" });
+    if (result.error) {
+        throw result.error;
+    }
+    return result;
+}
+export function isGitAvailable() {
+    try {
+        const result = runGit(["--version"]);
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+export function installGitCredentialHelper() {
+    if (!isGitAvailable()) {
+        return { changed: false };
+    }
+    const existing = runGit(["config", "--global", "--get-all", "credential.helper"]);
+    const helpers = (existing.stdout ?? "")
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter(Boolean);
+    if (helpers.some(isLikelySameHelper)) {
+        return { changed: false };
+    }
+    runGit(["config", "--global", "--add", "credential.helper", INSTAFY_GIT_HELPER_VALUE]);
+    return { changed: true };
+}
+export function uninstallGitCredentialHelper() {
+    if (!isGitAvailable()) {
+        return { changed: false };
+    }
+    const existing = runGit(["config", "--global", "--get-all", "credential.helper"]);
+    const helpers = (existing.stdout ?? "")
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter(Boolean);
+    if (!helpers.some(isLikelySameHelper)) {
+        return { changed: false };
+    }
+    const remaining = helpers.filter((helper) => !isLikelySameHelper(helper));
+    // Remove all helpers, then re-add the ones we didn't own.
+    runGit(["config", "--global", "--unset-all", "credential.helper"]);
+    for (const helper of remaining) {
+        runGit(["config", "--global", "--add", "credential.helper", helper]);
+    }
+    return { changed: true };
+}

package/dist/git.js

@@ -1,6 +1,7 @@
 import fs from "node:fs";
 import path from "node:path";
 import kleur from "kleur";
+import { resolveConfiguredAccessToken } from "./config.js";
 function normalizeToken(value) {
     if (typeof value !== "string") {
         return null;
@@ -27,6 +28,7 @@ function resolveControllerAccessToken(options) {
         normalizeToken(options.supabaseAccessToken) ??
         readTokenFromFile(options.supabaseAccessTokenFile) ??
         normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"]) ??
+        resolveConfiguredAccessToken() ??
         null);
 }
 export async function mintGitAccessToken(params) {
@@ -41,6 +43,7 @@ export async function mintGitAccessToken(params) {
             authorization: `Bearer ${params.controllerAccessToken}`,
             "content-type": "application/json",
         },
+        signal: params.signal,
         body: JSON.stringify({
             scopes,
             ttlSeconds: params.ttlSeconds,
@@ -74,7 +77,7 @@ export async function gitToken(options) {
         supabaseAccessTokenFile: options.supabaseAccessTokenFile,
     });
     if (!token) {
-        throw new Error("Access token is required (--access-token/INSTAFY_ACCESS_TOKEN or --supabase-access-token/SUPABASE_ACCESS_TOKEN).");
+        throw new Error("Login required. Run `instafy login` or pass --access-token / --supabase-access-token.");
     }
     const minted = await mintGitAccessToken({
         controllerUrl,