@instafy/cli 0.1.8 → 0.1.10

package/dist/config.js

@@ -1,8 +1,25 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
+import { createRequire } from "node:module";
+import { findProjectManifest } from "./project-manifest.js";
+const require = createRequire(import.meta.url);
+const cliVersion = (() => {
+    try {
+        const pkg = require("../package.json");
+        return typeof pkg.version === "string" ? pkg.version : "";
+    }
+    catch {
+        return "";
+    }
+})();
+const isStagingCli = cliVersion.includes("-staging.");
 const INSTAFY_DIR = path.join(os.homedir(), ".instafy");
 const CONFIG_PATH = path.join(INSTAFY_DIR, "config.json");
+const PROFILES_DIR = path.join(INSTAFY_DIR, "profiles");
+const DEFAULT_LOCAL_CONTROLLER_URL = "http://127.0.0.1:8788";
+const DEFAULT_HOSTED_CONTROLLER_URL = "https://controller.instafy.dev";
+const DEFAULT_CONTROLLER_URL = isStagingCli ? DEFAULT_HOSTED_CONTROLLER_URL : DEFAULT_LOCAL_CONTROLLER_URL;
 function normalizeToken(value) {
     if (typeof value !== "string") {
         return null;
@@ -24,9 +41,45 @@ function normalizeUrl(value) {
     }
     return trimmed.replace(/\/$/, "");
 }
+function normalizeProfileName(value) {
+    const trimmed = typeof value === "string" ? value.trim() : "";
+    if (!trimmed) {
+        return null;
+    }
+    if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed)) {
+        throw new Error(`Invalid profile name "${value}". Use letters/numbers plus . _ - (max 64 chars).`);
+    }
+    if (trimmed.includes("..")) {
+        throw new Error(`Invalid profile name "${value}".`);
+    }
+    return trimmed;
+}
 export function getInstafyConfigPath() {
     return CONFIG_PATH;
 }
+export function getInstafyProfilesDirPath() {
+    return PROFILES_DIR;
+}
+export function getInstafyProfileConfigPath(profile) {
+    const normalized = normalizeProfileName(profile);
+    if (!normalized) {
+        throw new Error("Profile name is required.");
+    }
+    return path.join(PROFILES_DIR, `${normalized}.json`);
+}
+export function listInstafyProfileNames() {
+    try {
+        const entries = fs.readdirSync(PROFILES_DIR, { withFileTypes: true });
+        return entries
+            .filter((entry) => entry.isFile() && entry.name.endsWith(".json"))
+            .map((entry) => entry.name.slice(0, -".json".length))
+            .filter(Boolean)
+            .sort((a, b) => a.localeCompare(b));
+    }
+    catch {
+        return [];
+    }
+}
 export function readInstafyCliConfig() {
     try {
         const raw = fs.readFileSync(CONFIG_PATH, "utf8");
@@ -39,6 +92,32 @@ export function readInstafyCliConfig() {
             controllerUrl: normalizeUrl(typeof record.controllerUrl === "string" ? record.controllerUrl : null),
             studioUrl: normalizeUrl(typeof record.studioUrl === "string" ? record.studioUrl : null),
             accessToken: normalizeToken(typeof record.accessToken === "string" ? record.accessToken : null),
+            refreshToken: normalizeToken(typeof record.refreshToken === "string" ? record.refreshToken : null),
+            supabaseUrl: normalizeUrl(typeof record.supabaseUrl === "string" ? record.supabaseUrl : null),
+            supabaseAnonKey: normalizeToken(typeof record.supabaseAnonKey === "string" ? record.supabaseAnonKey : null),
+            updatedAt: typeof record.updatedAt === "string" ? record.updatedAt : null,
+        };
+    }
+    catch {
+        return {};
+    }
+}
+export function readInstafyProfileConfig(profile) {
+    const filePath = getInstafyProfileConfigPath(profile);
+    try {
+        const raw = fs.readFileSync(filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object") {
+            return {};
+        }
+        const record = parsed;
+        return {
+            controllerUrl: normalizeUrl(typeof record.controllerUrl === "string" ? record.controllerUrl : null),
+            studioUrl: normalizeUrl(typeof record.studioUrl === "string" ? record.studioUrl : null),
+            accessToken: normalizeToken(typeof record.accessToken === "string" ? record.accessToken : null),
+            refreshToken: normalizeToken(typeof record.refreshToken === "string" ? record.refreshToken : null),
+            supabaseUrl: normalizeUrl(typeof record.supabaseUrl === "string" ? record.supabaseUrl : null),
+            supabaseAnonKey: normalizeToken(typeof record.supabaseAnonKey === "string" ? record.supabaseAnonKey : null),
             updatedAt: typeof record.updatedAt === "string" ? record.updatedAt : null,
         };
     }
@@ -52,6 +131,9 @@ export function writeInstafyCliConfig(update) {
         controllerUrl: normalizeUrl(update.controllerUrl ?? existing.controllerUrl ?? null),
         studioUrl: normalizeUrl(update.studioUrl ?? existing.studioUrl ?? null),
         accessToken: normalizeToken(update.accessToken ?? existing.accessToken ?? null),
+        refreshToken: normalizeToken(update.refreshToken ?? existing.refreshToken ?? null),
+        supabaseUrl: normalizeUrl(update.supabaseUrl ?? existing.supabaseUrl ?? null),
+        supabaseAnonKey: normalizeToken(update.supabaseAnonKey ?? existing.supabaseAnonKey ?? null),
         updatedAt: new Date().toISOString(),
     };
     fs.mkdirSync(INSTAFY_DIR, { recursive: true });
@@ -64,6 +146,28 @@ export function writeInstafyCliConfig(update) {
     }
     return next;
 }
+export function writeInstafyProfileConfig(profile, update) {
+    const filePath = getInstafyProfileConfigPath(profile);
+    const existing = readInstafyProfileConfig(profile);
+    const next = {
+        controllerUrl: normalizeUrl(update.controllerUrl ?? existing.controllerUrl ?? null),
+        studioUrl: normalizeUrl(update.studioUrl ?? existing.studioUrl ?? null),
+        accessToken: normalizeToken(update.accessToken ?? existing.accessToken ?? null),
+        refreshToken: normalizeToken(update.refreshToken ?? existing.refreshToken ?? null),
+        supabaseUrl: normalizeUrl(update.supabaseUrl ?? existing.supabaseUrl ?? null),
+        supabaseAnonKey: normalizeToken(update.supabaseAnonKey ?? existing.supabaseAnonKey ?? null),
+        updatedAt: new Date().toISOString(),
+    };
+    fs.mkdirSync(PROFILES_DIR, { recursive: true });
+    fs.writeFileSync(filePath, JSON.stringify(next, null, 2), { encoding: "utf8" });
+    try {
+        fs.chmodSync(filePath, 0o600);
+    }
+    catch {
+        // ignore chmod failures (windows / unusual fs)
+    }
+    return next;
+}
 export function clearInstafyCliConfig(keys) {
     if (!keys || keys.length === 0) {
         try {
@@ -81,31 +185,108 @@ export function clearInstafyCliConfig(keys) {
     }
     writeInstafyCliConfig(next);
 }
-export function resolveConfiguredControllerUrl() {
+export function clearInstafyProfileConfig(profile, keys) {
+    const filePath = getInstafyProfileConfigPath(profile);
+    if (!keys || keys.length === 0) {
+        try {
+            fs.rmSync(filePath, { force: true });
+        }
+        catch {
+            // ignore
+        }
+        return;
+    }
+    const existing = readInstafyProfileConfig(profile);
+    const next = { ...existing };
+    for (const key of keys) {
+        next[key] = null;
+    }
+    writeInstafyProfileConfig(profile, next);
+}
+export function resolveActiveProfileName(params) {
+    const explicit = normalizeProfileName(params?.profile ?? null);
+    if (explicit) {
+        return explicit;
+    }
+    const fromEnv = normalizeProfileName(process.env["INSTAFY_PROFILE"] ?? null);
+    if (fromEnv) {
+        return fromEnv;
+    }
+    const cwd = (params?.cwd ?? process.cwd()).trim();
+    if (!cwd) {
+        return null;
+    }
+    const manifest = findProjectManifest(cwd).manifest;
+    return normalizeProfileName(manifest?.profile ?? null);
+}
+export function resolveConfiguredControllerUrl(params) {
+    const profile = resolveActiveProfileName(params);
+    if (profile) {
+        const configured = readInstafyProfileConfig(profile);
+        return normalizeUrl(configured.controllerUrl ?? null);
+    }
     const config = readInstafyCliConfig();
     return normalizeUrl(config.controllerUrl ?? null);
 }
-export function resolveConfiguredStudioUrl() {
+export function resolveConfiguredStudioUrl(params) {
+    const profile = resolveActiveProfileName(params);
+    if (profile) {
+        const configured = readInstafyProfileConfig(profile);
+        return normalizeUrl(configured.studioUrl ?? null);
+    }
     const config = readInstafyCliConfig();
     return normalizeUrl(config.studioUrl ?? null);
 }
-export function resolveConfiguredAccessToken() {
+export function resolveConfiguredAccessToken(params) {
+    const profile = resolveActiveProfileName(params);
+    if (profile) {
+        const configured = readInstafyProfileConfig(profile);
+        return normalizeToken(configured.accessToken ?? null);
+    }
     const config = readInstafyCliConfig();
     return normalizeToken(config.accessToken ?? null);
 }
 export function resolveControllerUrl(params) {
-    const config = readInstafyCliConfig();
+    const profile = resolveActiveProfileName({ profile: params?.profile ?? null, cwd: params?.cwd ?? null });
+    const config = profile ? readInstafyProfileConfig(profile) : readInstafyCliConfig();
     return (normalizeUrl(params?.controllerUrl ?? null) ??
         normalizeUrl(process.env["INSTAFY_SERVER_URL"] ?? null) ??
         normalizeUrl(process.env["CONTROLLER_BASE_URL"] ?? null) ??
         normalizeUrl(config.controllerUrl ?? null) ??
-        "http://127.0.0.1:8788");
+        DEFAULT_CONTROLLER_URL);
 }
 export function resolveUserAccessToken(params) {
-    const config = readInstafyCliConfig();
+    const profile = resolveActiveProfileName({ profile: params?.profile ?? null, cwd: params?.cwd ?? null });
+    const config = profile ? readInstafyProfileConfig(profile) : readInstafyCliConfig();
     return (normalizeToken(params?.accessToken ?? null) ??
         normalizeToken(process.env["INSTAFY_ACCESS_TOKEN"] ?? null) ??
         normalizeToken(process.env["CONTROLLER_ACCESS_TOKEN"] ?? null) ??
+        normalizeToken(process.env["RUNTIME_ACCESS_TOKEN"] ?? null) ??
         normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"] ?? null) ??
         normalizeToken(config.accessToken ?? null));
 }
+export function resolveUserAccessTokenWithSource(params) {
+    const profile = resolveActiveProfileName({ profile: params?.profile ?? null, cwd: params?.cwd ?? null });
+    const config = profile ? readInstafyProfileConfig(profile) : readInstafyCliConfig();
+    const explicit = normalizeToken(params?.accessToken ?? null);
+    if (explicit) {
+        return { token: explicit, source: "explicit", profile };
+    }
+    const envKeys = [
+        "INSTAFY_ACCESS_TOKEN",
+        "CONTROLLER_ACCESS_TOKEN",
+        "RUNTIME_ACCESS_TOKEN",
+        "SUPABASE_ACCESS_TOKEN",
+    ];
+    for (const key of envKeys) {
+        const value = normalizeToken(process.env[key] ?? null);
+        if (value) {
+            return { token: value, source: "env", profile };
+        }
+    }
+    const stored = normalizeToken(config.accessToken ?? null);
+    if (stored) {
+        return { token: stored, source: "config", profile };
+    }
+    return { token: null, source: "none", profile };
+}

package/dist/controller-fetch.js

@@ -0,0 +1,33 @@
+import { extractControllerErrorMessage } from "./errors.js";
+import { refreshStoredSupabaseSession } from "./supabase-session.js";
+function shouldAttemptRefresh(status, body) {
+    if (status !== 401) {
+        return false;
+    }
+    const message = extractControllerErrorMessage(body) ?? "";
+    return message.toLowerCase().includes("expired");
+}
+function withBearer(init, token) {
+    const headers = new Headers(init?.headers);
+    headers.set("authorization", `Bearer ${token}`);
+    return { ...init, headers };
+}
+export async function fetchWithControllerAuth(params) {
+    const response = await fetch(params.url, withBearer(params.init, params.accessToken));
+    if (response.ok) {
+        return { response, accessToken: params.accessToken };
+    }
+    if (params.tokenSource !== "config") {
+        return { response, accessToken: params.accessToken };
+    }
+    const responseText = await response.clone().text().catch(() => "");
+    if (!shouldAttemptRefresh(response.status, responseText)) {
+        return { response, accessToken: params.accessToken };
+    }
+    const refreshed = await refreshStoredSupabaseSession({ profile: params.profile ?? null, cwd: params.cwd ?? null });
+    if (!refreshed?.accessToken) {
+        return { response, accessToken: params.accessToken };
+    }
+    const retry = await fetch(params.url, withBearer(params.init, refreshed.accessToken));
+    return { response: retry, accessToken: refreshed.accessToken };
+}

package/dist/errors.js

@@ -0,0 +1,63 @@
+export function formatAuthRequiredError(params) {
+    const lines = ["Not authenticated. Run `instafy login` first."];
+    if (params?.retryCommand) {
+        lines.push("", `Then retry: ${params.retryCommand}`);
+    }
+    if (params?.advancedHint) {
+        lines.push("", `Advanced: ${params.advancedHint}`);
+    }
+    return new Error(lines.join("\n"));
+}
+export function extractControllerErrorMessage(body) {
+    const trimmed = body.trim();
+    if (!trimmed) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed && typeof parsed === "object") {
+            const record = parsed;
+            const message = typeof record.message === "string" ? record.message.trim() : "";
+            if (message)
+                return message;
+            const error = typeof record.error === "string" ? record.error.trim() : "";
+            if (error)
+                return error;
+            const hint = typeof record.hint === "string" ? record.hint.trim() : "";
+            if (hint)
+                return hint;
+        }
+    }
+    catch {
+        // ignore malformed json
+    }
+    return trimmed;
+}
+export function formatAuthRejectedError(params) {
+    const status = params?.status ?? 0;
+    const message = params?.responseBody ? extractControllerErrorMessage(params.responseBody) : null;
+    const normalized = (message ?? "").toLowerCase();
+    const headline = (() => {
+        if (status === 403) {
+            return "Access denied. Make sure you are signed into the right account (`instafy login`).";
+        }
+        if (status === 401 && normalized.includes("expired")) {
+            return "Your login has expired. Run `instafy login` again.";
+        }
+        if (status === 401) {
+            return "Not authenticated. Run `instafy login` again.";
+        }
+        return "Not authenticated. Run `instafy login` first.";
+    })();
+    const lines = [headline];
+    if (params?.retryCommand) {
+        lines.push("", `Then retry: ${params.retryCommand}`);
+    }
+    if (message) {
+        lines.push("", `Server: ${message}`);
+    }
+    if (params?.advancedHint) {
+        lines.push("", `Advanced: ${params.advancedHint}`);
+    }
+    return new Error(lines.join("\n"));
+}

package/dist/git-credential.js

@@ -0,0 +1,205 @@
+import { spawnSync } from "node:child_process";
+import { resolveControllerUrl, resolveUserAccessToken } from "./config.js";
+import { mintGitAccessToken } from "./git.js";
+function parseCredentialRequest(raw) {
+    const request = {};
+    for (const line of raw.split(/\r?\n/)) {
+        if (!line.trim())
+            continue;
+        const idx = line.indexOf("=");
+        if (idx <= 0)
+            continue;
+        const key = line.slice(0, idx).trim();
+        const value = line.slice(idx + 1).trim();
+        if (!value)
+            continue;
+        if (key === "protocol")
+            request.protocol = value;
+        if (key === "host")
+            request.host = value;
+        if (key === "path")
+            request.path = value;
+        if (key === "url")
+            request.url = value;
+        if (key === "username")
+            request.username = value;
+    }
+    return request;
+}
+function normalizeHost(rawHost) {
+    const host = rawHost.trim();
+    if (!host)
+        return null;
+    const lowered = host.toLowerCase();
+    const bracketed = lowered.match(/^\[(.+)\](?::\d+)?$/);
+    if (bracketed) {
+        return { host: lowered, hostname: bracketed[1] ?? lowered };
+    }
+    const lastColon = lowered.lastIndexOf(":");
+    if (lastColon > 0) {
+        const possiblePort = lowered.slice(lastColon + 1);
+        if (/^\d+$/.test(possiblePort)) {
+            return { host: lowered, hostname: lowered.slice(0, lastColon) };
+        }
+    }
+    return { host: lowered, hostname: lowered };
+}
+function resolveRequestHost(request) {
+    if (request.host?.trim())
+        return request.host.trim();
+    if (request.url?.trim()) {
+        try {
+            const parsed = new URL(request.url.trim());
+            return parsed.host;
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
+function splitCsv(value) {
+    return (value ?? "")
+        .split(",")
+        .map((entry) => entry.trim().toLowerCase())
+        .filter(Boolean);
+}
+function isAllowedGitHost(rawHost) {
+    if (!rawHost)
+        return false;
+    const normalized = normalizeHost(rawHost);
+    if (!normalized)
+        return false;
+    const allowHosts = splitCsv(process.env["INSTAFY_GIT_HOSTS"]);
+    if (allowHosts.includes(normalized.host) || allowHosts.includes(normalized.hostname)) {
+        return true;
+    }
+    // Safe-by-default allow-list: Instafy domains and local dev.
+    if (normalized.hostname === "localhost" ||
+        normalized.hostname === "127.0.0.1" ||
+        normalized.hostname === "::1" ||
+        normalized.hostname === "host.docker.internal") {
+        return true;
+    }
+    // Local dev stack defaults to docker-compose service names.
+    if (normalized.hostname === "git-edge" || normalized.hostname.startsWith("git-shard")) {
+        return true;
+    }
+    return normalized.hostname.endsWith(".instafy.dev");
+}
+function normalizeRepoName(raw) {
+    const trimmed = raw.trim().replace(/^\/+/, "");
+    if (!trimmed)
+        return null;
+    const first = trimmed.split("/")[0] ?? "";
+    if (!first.endsWith(".git"))
+        return null;
+    const withoutSuffix = first.slice(0, -".git".length);
+    return withoutSuffix || null;
+}
+function isUuid(value) {
+    return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value);
+}
+function parseProjectIdFromUrl(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return null;
+    try {
+        const parsed = new URL(trimmed);
+        const repo = normalizeRepoName(parsed.pathname);
+        return repo && isUuid(repo) ? repo : null;
+    }
+    catch {
+        // Not a WHATWG URL (e.g. scp-like).
+    }
+    const scpLike = trimmed.match(/^(?:[^@]+@)?([^:]+):(.+)$/);
+    if (scpLike) {
+        const repo = normalizeRepoName(scpLike[2] ?? "");
+        return repo && isUuid(repo) ? repo : null;
+    }
+    return null;
+}
+function resolveProjectIdFromRequest(request) {
+    const fromPath = request.path ? normalizeRepoName(request.path) : null;
+    if (fromPath && isUuid(fromPath))
+        return fromPath;
+    const fromUrl = request.url ? parseProjectIdFromUrl(request.url) : null;
+    if (fromUrl)
+        return fromUrl;
+    return null;
+}
+function resolveProjectIdFromGitRemotes(host) {
+    const result = spawnSync("git", ["config", "--get-regexp", "^remote\\..*\\.url$"], {
+        encoding: "utf8",
+    });
+    if (result.status !== 0) {
+        return null;
+    }
+    const lines = (result.stdout ?? "").split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+    for (const line of lines) {
+        const parts = line.split(/\s+/, 2);
+        const url = parts[1] ?? "";
+        if (!url)
+            continue;
+        if (host) {
+            try {
+                const parsed = new URL(url);
+                if (parsed.host !== host)
+                    continue;
+            }
+            catch {
+                // ignore non-url remotes when host is known
+                continue;
+            }
+        }
+        const projectId = parseProjectIdFromUrl(url);
+        if (projectId)
+            return projectId;
+    }
+    return null;
+}
+export async function runGitCredentialHelper(operation) {
+    const normalized = (operation ?? "").trim().toLowerCase();
+    if (!normalized) {
+        throw new Error("git credential helper requires an operation (get|store|erase)");
+    }
+    // We mint tokens on demand; no persistence needed.
+    if (normalized === "store" || normalized === "erase") {
+        return;
+    }
+    if (normalized !== "get") {
+        throw new Error(`unsupported git credential operation: ${operation}`);
+    }
+    const stdin = await new Promise((resolve) => {
+        let buffer = "";
+        process.stdin.setEncoding("utf8");
+        process.stdin.on("data", (chunk) => (buffer += chunk));
+        process.stdin.on("end", () => resolve(buffer));
+        process.stdin.resume();
+    });
+    const request = parseCredentialRequest(stdin);
+    const requestHost = resolveRequestHost(request);
+    if (!isAllowedGitHost(requestHost)) {
+        return;
+    }
+    const projectId = resolveProjectIdFromRequest(request) ??
+        resolveProjectIdFromGitRemotes(requestHost);
+    if (!projectId) {
+        return;
+    }
+    const controllerUrl = resolveControllerUrl({ controllerUrl: null });
+    const userAccessToken = resolveUserAccessToken({ accessToken: null });
+    if (!userAccessToken) {
+        throw new Error("Not authenticated. Run `instafy login` first.");
+    }
+    const abort = new AbortController();
+    const timeout = setTimeout(() => abort.abort(), 5000);
+    const minted = await mintGitAccessToken({
+        controllerUrl,
+        controllerAccessToken: userAccessToken,
+        projectId,
+        scopes: ["git.read", "git.write"],
+        signal: abort.signal,
+    }).finally(() => clearTimeout(timeout));
+    process.stdout.write(`username=instafy\npassword=${minted.token}\n`);
+}

package/dist/git-setup.js

@@ -0,0 +1,56 @@
+import { spawnSync } from "node:child_process";
+const INSTAFY_GIT_HELPER_VALUE = "!instafy git credential";
+function isLikelySameHelper(value) {
+    return value.includes("instafy git credential");
+}
+function runGit(args) {
+    const result = spawnSync("git", args, { encoding: "utf8" });
+    if (result.error) {
+        throw result.error;
+    }
+    return result;
+}
+export function isGitAvailable() {
+    try {
+        const result = runGit(["--version"]);
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+export function installGitCredentialHelper() {
+    if (!isGitAvailable()) {
+        return { changed: false };
+    }
+    const existing = runGit(["config", "--global", "--get-all", "credential.helper"]);
+    const helpers = (existing.stdout ?? "")
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter(Boolean);
+    if (helpers.some(isLikelySameHelper)) {
+        return { changed: false };
+    }
+    runGit(["config", "--global", "--add", "credential.helper", INSTAFY_GIT_HELPER_VALUE]);
+    return { changed: true };
+}
+export function uninstallGitCredentialHelper() {
+    if (!isGitAvailable()) {
+        return { changed: false };
+    }
+    const existing = runGit(["config", "--global", "--get-all", "credential.helper"]);
+    const helpers = (existing.stdout ?? "")
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter(Boolean);
+    if (!helpers.some(isLikelySameHelper)) {
+        return { changed: false };
+    }
+    const remaining = helpers.filter((helper) => !isLikelySameHelper(helper));
+    // Remove all helpers, then re-add the ones we didn't own.
+    runGit(["config", "--global", "--unset-all", "credential.helper"]);
+    for (const helper of remaining) {
+        runGit(["config", "--global", "--add", "credential.helper", helper]);
+    }
+    return { changed: true };
+}