happy-stacks 0.1.0 → 0.2.0

package/scripts/auth.mjs

@@ -1,24 +1,163 @@
 import './utils/env.mjs';
-import { parseArgs } from './utils/args.mjs';
-import { printResult, wantsHelp, wantsJson } from './utils/cli.mjs';
-import { getComponentDir, getDefaultAutostartPaths, getRootDir, getStackName } from './utils/paths.mjs';
+import { parseArgs } from './utils/cli/args.mjs';
+import { printResult, wantsHelp, wantsJson } from './utils/cli/cli.mjs';
+import { getComponentDir, getDefaultAutostartPaths, getRootDir, getStackName, resolveStackEnvPath } from './utils/paths.mjs';
+import { listAllStackNames } from './utils/stacks.mjs';
 import { resolvePublicServerUrl } from './tailscale.mjs';
+import { resolveServerPortFromEnv } from './utils/server_urls.mjs';
 import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { spawn } from 'node:child_process';
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { dirname } from 'node:path';
+
+import { parseDotenv } from './utils/dotenv.mjs';
+import { ensureDepsInstalled, pmExecBin } from './utils/pm.mjs';
+import { applyHappyServerMigrations, ensureHappyServerManagedInfra } from './utils/happy_server_infra.mjs';
+import { clearDevAuthKey, readDevAuthKey, writeDevAuthKey } from './utils/dev_auth_key.mjs';
+import { getExpoStatePaths, isStateProcessRunning } from './utils/expo.mjs';
+import { resolveAuthSeedFromEnv } from './utils/stack_startup.mjs';
+import { printAuthLoginInstructions } from './utils/auth_login_ux.mjs';
+import { copyFileIfMissing, linkFileIfMissing, removeFileOrSymlinkIfExists, writeSecretFileIfMissing } from './utils/auth_files.mjs';
+import { getLegacyHappyBaseDir, isLegacyAuthSourceName } from './utils/auth_sources.mjs';
+import { isSandboxed, sandboxAllowsGlobalSideEffects } from './utils/sandbox.mjs';
+import { resolveHandyMasterSecretFromStack } from './utils/handy_master_secret.mjs';
 
 function getInternalServerUrl() {
-  const portRaw = (process.env.HAPPY_LOCAL_SERVER_PORT ?? process.env.HAPPY_STACKS_SERVER_PORT ?? '').trim();
-  const port = portRaw ? Number(portRaw) : 3005;
-  const n = Number.isFinite(port) ? port : 3005;
+  const n = resolveServerPortFromEnv({ env: process.env, defaultPort: 3005 });
   return { port: n, url: `http://127.0.0.1:${n}` };
 }
 
+function resolveEnvPublicUrlForStack({ stackName }) {
+  const candidate = (process.env.HAPPY_LOCAL_SERVER_URL ?? process.env.HAPPY_STACKS_SERVER_URL ?? '').trim();
+
+  // For main, allow the user's global/public URL override (commonly a Tailscale Serve URL).
+  if (stackName === 'main') {
+    return candidate;
+  }
+
+  // For non-main stacks, do NOT inherit a global/server URL override from ~/.happy-stacks/env.local
+  // (which often points at main). Only use a public URL override if it is explicitly present in the
+  // stack env file itself.
+  const envPath =
+    (process.env.HAPPY_STACKS_ENV_FILE ?? '').trim() ||
+    (process.env.HAPPY_LOCAL_ENV_FILE ?? '').trim() ||
+    getStackEnvPath(stackName);
+  try {
+    if (!envPath || !existsSync(envPath)) return '';
+    const raw = readFileSync(envPath, 'utf-8');
+    const env = raw ? parseEnvToObject(raw) : {};
+    return (env.HAPPY_LOCAL_SERVER_URL ?? env.HAPPY_STACKS_SERVER_URL ?? '').toString().trim();
+  } catch {
+    return '';
+  }
+}
+
 function expandTilde(p) {
   return p.replace(/^~(?=\/)/, homedir());
 }
 
+function resolveEnvWebappUrlForStack({ stackName }) {
+  const candidate = (process.env.HAPPY_WEBAPP_URL ?? '').trim();
+
+  // For main, allow the user's global override.
+  if (stackName === 'main') {
+    return candidate;
+  }
+
+  // For non-main stacks, only respect HAPPY_WEBAPP_URL if it is explicitly present in the stack env file.
+  const envPath =
+    (process.env.HAPPY_STACKS_ENV_FILE ?? '').trim() ||
+    (process.env.HAPPY_LOCAL_ENV_FILE ?? '').trim() ||
+    getStackEnvPath(stackName);
+  try {
+    if (!envPath || !existsSync(envPath)) return '';
+    const raw = readFileSync(envPath, 'utf-8');
+    const env = raw ? parseEnvToObject(raw) : {};
+    return (env.HAPPY_WEBAPP_URL ?? '').toString().trim();
+  } catch {
+    return '';
+  }
+}
+
+function sanitizeDnsLabel(raw, { fallback = 'stack' } = {}) {
+  const s = String(raw ?? '')
+    .toLowerCase()
+    .replace(/[^a-z0-9-]+/g, '-')
+    .replace(/-+/g, '-')
+    .replace(/^-+/, '')
+    .replace(/-+$/, '');
+  return s || fallback;
+}
+
+async function resolveWebappUrlFromRunningExpo({ rootDir, stackName }) {
+  try {
+    const baseDir = getStackDir(stackName);
+    const uiDir = getComponentDir(rootDir, 'happy');
+    const uiPaths = getExpoStatePaths({
+      baseDir,
+      kind: 'ui-dev',
+      projectDir: uiDir,
+      stateFileName: 'ui.state.json',
+    });
+    const uiRunning = await isStateProcessRunning(uiPaths.statePath);
+    if (!uiRunning.running) return null;
+    const port = Number(uiRunning.state?.port);
+    if (!Number.isFinite(port) || port <= 0) return null;
+    const host = stackName && stackName !== 'main' ? `happy-${sanitizeDnsLabel(stackName)}.localhost` : 'localhost';
+    return `http://${host}:${port}`;
+  } catch {
+    return null;
+  }
+}
+
+async function ensureDir(p) {
+  await mkdir(p, { recursive: true });
+}
+
+async function readTextIfExists(path) {
+  try {
+    if (!existsSync(path)) return null;
+    const raw = await readFile(path, 'utf-8');
+    const t = raw.trim();
+    return t ? t : null;
+  } catch {
+    return null;
+  }
+}
+
+// (auth file copy/link helpers live in scripts/utils/auth_files.mjs)
+
+function parseEnvToObject(raw) {
+  const parsed = parseDotenv(raw);
+  return Object.fromEntries(parsed.entries());
+}
+
+function getStackDir(stackName) {
+  return resolveStackEnvPath(stackName).baseDir;
+}
+
+function getStackEnvPath(stackName) {
+  return resolveStackEnvPath(stackName).envPath;
+}
+
+function stackExistsSync(stackName) {
+  if (stackName === 'main') return true;
+  const envPath = getStackEnvPath(stackName);
+  return existsSync(envPath);
+}
+
+function getCliHomeDirFromEnvOrDefault({ stackBaseDir, env }) {
+  const fromEnv = (env.HAPPY_STACKS_CLI_HOME_DIR ?? env.HAPPY_LOCAL_CLI_HOME_DIR ?? '').trim();
+  return fromEnv || join(stackBaseDir, 'cli');
+}
+
+function getServerLightDataDirFromEnvOrDefault({ stackBaseDir, env }) {
+  const fromEnv = (env.HAPPY_SERVER_LIGHT_DATA_DIR ?? '').trim();
+  return fromEnv || join(stackBaseDir, 'server-light');
+}
+
 function resolveCliHomeDir() {
   const fromEnv = (process.env.HAPPY_LOCAL_CLI_HOME_DIR ?? process.env.HAPPY_STACKS_CLI_HOME_DIR ?? '').trim();
   if (fromEnv) {
@@ -94,13 +233,614 @@ function authLoginSuggestion(stackName) {
   return stackName === 'main' ? 'happys auth login' : `happys stack auth ${stackName} login`;
 }
 
+function authCopyFromSeedSuggestion(stackName) {
+  if (stackName === 'main') return null;
+  const from = resolveAuthSeedFromEnv(process.env);
+  return `happys stack auth ${stackName} copy-from ${from}`;
+}
+
+function resolveServerComponentForCurrentStack() {
+  return (
+    (process.env.HAPPY_STACKS_SERVER_COMPONENT ?? process.env.HAPPY_LOCAL_SERVER_COMPONENT ?? 'happy-server-light').trim() ||
+    'happy-server-light'
+  );
+}
+
+async function cmdDevKey({ argv, json }) {
+  const { flags, kv } = parseArgs(argv);
+  const wantPrint = flags.has('--print');
+  const fmtRaw = (kv.get('--format') ?? '').trim();
+  // UX: the Happy UI restore screen expects the "backup" (XXXXX-...) format.
+  //
+  // IMPORTANT: the Happy restore screen treats any key containing '-' as "backup format",
+  // so printing a base64url key (which may contain '-') is *not reliably pasteable*.
+  // Default to backup always unless explicitly overridden.
+  const fmt = fmtRaw || 'backup'; // base64url | backup
+  const set = (kv.get('--set') ?? '').trim();
+  const clear = flags.has('--clear');
+
+  if (set) {
+    const res = await writeDevAuthKey({ env: process.env, input: set });
+    if (json) {
+      printResult({ json, data: { ok: true, action: 'set', path: res.path } });
+      return;
+    }
+    console.log(`[auth] dev-key saved to ${res.path}`);
+    return;
+  }
+  if (clear) {
+    const res = await clearDevAuthKey({ env: process.env });
+    if (json) {
+      printResult({ json, data: { ok: res.ok, action: 'clear', ...res } });
+      return;
+    }
+    console.log(res.deleted ? `[auth] dev-key removed (${res.path})` : `[auth] dev-key not set (${res.path})`);
+    return;
+  }
+
+  const out = await readDevAuthKey({ env: process.env });
+  if (!out.ok) {
+    throw new Error(`[auth] dev-key: ${out.error ?? 'failed'}`);
+  }
+  if (!out.secretKeyBase64Url) {
+    const msg =
+      `[auth] dev-key is not configured.\n` +
+      `Set it once (local-only, not committed):\n` +
+      `  happys auth dev-key --set "<base64url-secret-or-backup-format>"\n` +
+      `Or export it for this shell:\n` +
+      `  export HAPPY_STACKS_DEV_AUTH_SECRET_KEY="<base64url-secret>"\n`;
+    if (json) {
+      printResult({ json, data: { ok: false, error: 'missing_dev_key', file: out.path ?? null } });
+    } else {
+      console.log(msg);
+    }
+    process.exit(1);
+  }
+
+  const value = fmt === 'backup' ? out.backup : out.secretKeyBase64Url;
+  if (wantPrint) {
+    process.stdout.write(value + '\n');
+    return;
+  }
+  if (json) {
+    printResult({ json, data: { ok: true, key: value, format: fmt, source: out.source ?? null } });
+    return;
+  }
+  console.log(`[auth] dev-key (${fmt}) [source=${out.source ?? 'unknown'}]`);
+  console.log(value);
+}
+
+async function runNodeCapture({ cwd, env, args, stdin }) {
+  return await new Promise((resolvePromise, rejectPromise) => {
+    const child = spawn(process.execPath, args, {
+      cwd,
+      env,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', (d) => {
+      stdout += String(d);
+    });
+    child.stderr.on('data', (d) => {
+      stderr += String(d);
+    });
+    child.on('error', (err) => rejectPromise(err));
+    child.on('close', (code) => {
+      if (code === 0) {
+        resolvePromise({ stdout, stderr });
+        return;
+      }
+      rejectPromise(new Error(`node exited with ${code}${stderr.trim() ? `: ${stderr.trim()}` : ''}`));
+    });
+    if (stdin != null) {
+      child.stdin.write(String(stdin));
+    }
+    child.stdin.end();
+  });
+}
+
+function resolveServerComponentFromEnv(env) {
+  const v = (env.HAPPY_STACKS_SERVER_COMPONENT ?? env.HAPPY_LOCAL_SERVER_COMPONENT ?? 'happy-server-light').trim() || 'happy-server-light';
+  return v === 'happy-server' ? 'happy-server' : 'happy-server-light';
+}
+
+function resolveDatabaseUrlForStackOrThrow({ env, stackName, baseDir, serverComponent, label }) {
+  const v = (env.DATABASE_URL ?? '').toString().trim();
+  if (v) {
+    if (serverComponent === 'happy-server') {
+      const lower = v.toLowerCase();
+      const ok = lower.startsWith('postgresql://') || lower.startsWith('postgres://');
+      if (!ok) {
+        throw new Error(
+          `[auth] invalid DATABASE_URL for ${label || `stack "${stackName}"`}: expected postgresql://... (got ${JSON.stringify(v)})`
+        );
+      }
+    }
+    return v;
+  }
+  if (serverComponent === 'happy-server-light') {
+    const dataDir = (env.HAPPY_SERVER_LIGHT_DATA_DIR ?? '').toString().trim() || join(baseDir, 'server-light');
+    return `file:${join(dataDir, 'happy-server-light.sqlite')}`;
+  }
+  throw new Error(`[auth] missing DATABASE_URL for ${label || `stack "${stackName}"`}`);
+}
+
+function resolveServerComponentDir({ rootDir, serverComponent }) {
+  return getComponentDir(rootDir, serverComponent === 'happy-server' ? 'happy-server' : 'happy-server-light');
+}
+
+async function seedAccountsFromSourceDbToTargetDb({
+  rootDir,
+  fromStackName,
+  fromServerComponent,
+  fromDatabaseUrl,
+  targetStackName,
+  targetServerComponent,
+  targetDatabaseUrl,
+  force = false,
+}) {
+  const sourceCwd = resolveServerComponentDir({ rootDir, serverComponent: fromServerComponent });
+  const targetCwd = resolveServerComponentDir({ rootDir, serverComponent: targetServerComponent });
+
+  const listScript = `
+process.on('uncaughtException', (e) => {
+  console.error(e instanceof Error ? e.message : String(e));
+  process.exit(1);
+});
+process.on('unhandledRejection', (e) => {
+  console.error(e instanceof Error ? e.message : String(e));
+  process.exit(1);
+});
+import { PrismaClient } from '@prisma/client';
+const db = new PrismaClient();
+try {
+  const accounts = await db.account.findMany({ select: { id: true, publicKey: true } });
+  console.log(JSON.stringify(accounts));
+} finally {
+  await db.$disconnect();
+}
+`.trim();
+
+  const insertScript = `
+process.on('uncaughtException', (e) => {
+  console.error(e instanceof Error ? e.message : String(e));
+  process.exit(1);
+});
+process.on('unhandledRejection', (e) => {
+  console.error(e instanceof Error ? e.message : String(e));
+  process.exit(1);
+});
+import { PrismaClient } from '@prisma/client';
+import fs from 'node:fs';
+const FORCE = ${force ? 'true' : 'false'};
+const raw = fs.readFileSync(0, 'utf8').trim();
+const accounts = raw ? JSON.parse(raw) : [];
+const db = new PrismaClient();
+try {
+  let insertedCount = 0;
+  for (const a of accounts) {
+    // eslint-disable-next-line no-await-in-loop
+    try {
+      await db.account.create({ data: { id: a.id, publicKey: a.publicKey } });
+      insertedCount += 1;
+    } catch (e) {
+      // Prisma unique constraint violation
+      if (e && typeof e === 'object' && 'code' in e && e.code === 'P2002') {
+        // Two common cases:
+        // - id already exists (fine)
+        // - publicKey already exists on a different id (auth mismatch -> machine FK failures later)
+        //
+        // For --force, we try to delete the conflicting row by publicKey and then retry insert.
+        // Without --force, fail-closed with a helpful error so users don't end up with "seeded" but broken stacks.
+        try {
+          const existing = await db.account.findUnique({ where: { publicKey: a.publicKey }, select: { id: true } });
+          if (existing?.id && existing.id !== a.id) {
+            if (!FORCE) {
+              throw new Error(
+                \`account publicKey conflict: target already has publicKey for id=\${existing.id}, but seed wants id=\${a.id}. Re-run with --force to replace the conflicting account row.\`
+              );
+            }
+            // Best-effort delete; will fail if other rows reference this account (then we fail closed).
+            await db.account.delete({ where: { publicKey: a.publicKey } });
+            await db.account.create({ data: { id: a.id, publicKey: a.publicKey } });
+            insertedCount += 1;
+            continue;
+          }
+        } catch (inner) {
+          throw inner;
+        }
+        continue;
+      }
+      throw e;
+    }
+  }
+  console.log(JSON.stringify({ sourceCount: accounts.length, insertedCount }));
+} finally {
+  await db.$disconnect();
+}
+`.trim();
+
+  const { stdout: srcOut } = await runNodeCapture({
+    cwd: sourceCwd,
+    env: { ...process.env, DATABASE_URL: fromDatabaseUrl },
+    args: ['--input-type=module', '-e', listScript],
+  });
+  const accounts = srcOut.trim() ? JSON.parse(srcOut.trim()) : [];
+
+  const { stdout: insOut } = await runNodeCapture({
+    cwd: targetCwd,
+    env: { ...process.env, DATABASE_URL: targetDatabaseUrl },
+    args: ['--input-type=module', '-e', insertScript],
+    stdin: JSON.stringify(accounts),
+  });
+  const res = insOut.trim() ? JSON.parse(insOut.trim()) : { sourceCount: accounts.length, insertedCount: 0 };
+
+  return {
+    ok: true,
+    fromStackName,
+    targetStackName,
+    sourceCount: Number(res.sourceCount ?? accounts.length) || 0,
+    insertedCount: Number(res.insertedCount ?? 0) || 0,
+  };
+}
+
+async function cmdCopyFrom({ argv, json }) {
+  const rootDir = getRootDir(import.meta.url);
+  const stackName = getStackName();
+
+  const positionals = argv.filter((a) => !a.startsWith('--'));
+  const fromStackName = (positionals[1] ?? '').trim();
+  if (!fromStackName) {
+    throw new Error(
+      '[auth] usage: happys stack auth <name> copy-from <sourceStack|legacy> [--force] [--with-infra] [--json]  OR  happys auth copy-from <sourceStack|legacy> --all [--except=main,dev-auth] [--force] [--with-infra] [--json]\n' +
+        'notes:\n' +
+        '  - sourceStack can be a stack name (e.g. main, dev-auth)\n' +
+        '  - legacy uses ~/.happy/{cli,server-light} as a source (best-effort)'
+    );
+  }
+
+  const { flags, kv } = parseArgs(argv);
+  const all = flags.has('--all');
+  if (isLegacyAuthSourceName(fromStackName) && isSandboxed() && !sandboxAllowsGlobalSideEffects()) {
+    throw new Error(
+      '[auth] legacy auth source is disabled in sandbox mode.\n' +
+        'Reason: it reads from ~/.happy (global user state).\n' +
+        'If you really want this, set: HAPPY_STACKS_SANDBOX_ALLOW_GLOBAL=1'
+    );
+  }
+  const force =
+    flags.has('--force') ||
+    flags.has('--overwrite') ||
+    (kv.get('--force') ?? '').trim() === '1' ||
+    (kv.get('--overwrite') ?? '').trim() === '1';
+  const withInfra =
+    flags.has('--with-infra') ||
+    flags.has('--ensure-infra') ||
+    flags.has('--infra') ||
+    (kv.get('--with-infra') ?? '').trim() === '1' ||
+    (kv.get('--ensure-infra') ?? '').trim() === '1';
+  const linkMode =
+    flags.has('--link') ||
+    flags.has('--symlink') ||
+    flags.has('--link-auth') ||
+    (kv.get('--link') ?? '').trim() === '1' ||
+    (kv.get('--symlink') ?? '').trim() === '1' ||
+    (kv.get('--auth-mode') ?? '').trim() === 'link' ||
+    (process.env.HAPPY_STACKS_AUTH_LINK ?? process.env.HAPPY_LOCAL_AUTH_LINK ?? '').toString().trim() === '1' ||
+    (process.env.HAPPY_STACKS_AUTH_MODE ?? process.env.HAPPY_LOCAL_AUTH_MODE ?? '').toString().trim() === 'link';
+  const allowMain = flags.has('--allow-main') || flags.has('--main-ok') || (kv.get('--allow-main') ?? '').trim() === '1';
+  const exceptRaw = (kv.get('--except') ?? '').trim();
+  const except = new Set(exceptRaw.split(',').map((s) => s.trim()).filter(Boolean));
+
+  if (all) {
+    // Global bulk operation (no stack context required).
+    const stacks = await listAllStackNames();
+    const results = [];
+    const totalTargets = stacks.filter((s) => !except.has(s) && s !== fromStackName).length;
+    let idx = 0;
+    const progress = (line) => {
+      // In JSON mode, never pollute stdout (reserved for final JSON).
+      // eslint-disable-next-line no-console
+      (json ? console.error : console.log)(line);
+    };
+
+    progress(
+      `[auth] copy-from --all: from=${fromStackName}${except.size ? ` (except=${[...except].join(',')})` : ''}${force ? ' (force)' : ''}${withInfra ? ' (with-infra)' : ''}`
+    );
+    for (const target of stacks) {
+      if (except.has(target)) {
+        progress(`- ↪ ${target}: skipped (excluded)`);
+        results.push({ stackName: target, ok: true, skipped: true, reason: 'excluded' });
+        continue;
+      }
+      if (target === fromStackName) {
+        progress(`- ↪ ${target}: skipped (source_stack)`);
+        results.push({ stackName: target, ok: true, skipped: true, reason: 'source_stack' });
+        continue;
+      }
+
+      idx += 1;
+      progress(`[auth] [${idx}/${totalTargets}] seeding stack "${target}"...`);
+
+      try {
+        const out = await runNodeCapture({
+          cwd: rootDir,
+          env: process.env,
+          args: [
+            join(rootDir, 'scripts', 'stack.mjs'),
+            'auth',
+            target,
+            '--',
+            'copy-from',
+            fromStackName,
+            '--json',
+            ...(force ? ['--force'] : []),
+            ...(withInfra ? ['--with-infra'] : []),
+            ...(linkMode ? ['--link'] : []),
+          ],
+        });
+        const parsed = out.stdout.trim() ? JSON.parse(out.stdout.trim()) : null;
+
+        const copied = parsed?.copied && typeof parsed.copied === 'object' ? parsed.copied : null;
+        const db = copied?.dbAccounts ? `db=${copied.dbAccounts.insertedCount}/${copied.dbAccounts.sourceCount}` : copied?.dbError ? `db=skipped` : `db=unknown`;
+        const secret = copied?.secret ? 'secret' : null;
+        const cli = copied?.accessKey || copied?.settings ? 'cli' : null;
+        const any = copied?.secret || copied?.accessKey || copied?.settings || copied?.db;
+        const summary = any ? `seeded (${[db, secret, cli].filter(Boolean).join(', ')})` : `noop (already has auth)`;
+        progress(`- ✅ ${target}: ${summary}`);
+        if (copied?.dbError) {
+          progress(`  - db seed skipped: ${copied.dbError}`);
+        }
+
+        results.push({ stackName: target, ok: true, skipped: false, fromStackName, out: parsed });
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        progress(`- ❌ ${target}: failed`);
+        progress(`  - ${msg}`);
+        results.push({ stackName: target, ok: false, skipped: false, fromStackName, error: msg });
+      }
+    }
+
+    const ok = results.every((r) => r.ok);
+    if (json) {
+      printResult({ json, data: { ok, fromStackName, results } });
+      return;
+    }
+    // (we already streamed progress above)
+    const failed = results.filter((r) => !r.ok).length;
+    const skipped = results.filter((r) => r.ok && r.skipped).length;
+    const seeded = results.filter((r) => r.ok && !r.skipped).length;
+    // eslint-disable-next-line no-console
+    console.log(`[auth] done: ok=${ok ? 'true' : 'false'} seeded=${seeded} skipped=${skipped} failed=${failed}`);
+    if (!ok) process.exit(1);
+    return;
+  }
+
+  if (stackName === 'main' && !allowMain) {
+    throw new Error(
+      '[auth] copy-from is intended for stack-scoped usage (e.g. happys stack auth <name> copy-from main), or pass --all.\n' +
+        'If you really intend to seed the main Happy Stacks install, re-run with: --allow-main'
+    );
+  }
+
+  const serverComponent = resolveServerComponentForCurrentStack();
+  const serverDirForPrisma = resolveServerComponentDir({ rootDir, serverComponent });
+  const targetBaseDir = getDefaultAutostartPaths().baseDir;
+  const targetCli = resolveCliHomeDir();
+  const targetServerLightDataDir =
+    (process.env.HAPPY_SERVER_LIGHT_DATA_DIR ?? '').trim() || join(targetBaseDir, 'server-light');
+  const targetSecretFile =
+    (process.env.HAPPY_STACKS_HANDY_MASTER_SECRET_FILE ?? '').trim() || join(targetBaseDir, 'happy-server', 'handy-master-secret.txt');
+
+  const isLegacySource = isLegacyAuthSourceName(fromStackName);
+  if (isLegacySource && isSandboxed() && !sandboxAllowsGlobalSideEffects()) {
+    throw new Error(
+      '[auth] legacy auth source is disabled in sandbox mode.\n' +
+        'Reason: it reads from ~/.happy (global user state).\n' +
+        'If you really want this, set: HAPPY_STACKS_SANDBOX_ALLOW_GLOBAL=1'
+    );
+  }
+  const { secret, source } = await resolveHandyMasterSecretFromStack({
+    stackName: fromStackName,
+    requireStackExists: !isLegacySource,
+    allowLegacyAuthSource: !isSandboxed() || sandboxAllowsGlobalSideEffects(),
+    allowLegacyMainFallback: !isSandboxed() || sandboxAllowsGlobalSideEffects(),
+  });
+
+  const copied = {
+    secret: false,
+    accessKey: false,
+    settings: false,
+    db: false,
+    dbAccounts: null,
+    dbError: null,
+    sourceStack: fromStackName,
+    stackName,
+  };
+
+  if (secret) {
+    if (serverComponent === 'happy-server-light') {
+      const target = join(targetServerLightDataDir, 'handy-master-secret.txt');
+      const sourcePath = source && !String(source).includes('(HANDY_MASTER_SECRET)') ? String(source) : '';
+      if (linkMode && sourcePath && existsSync(sourcePath)) {
+        copied.secret = await linkFileIfMissing({ from: sourcePath, to: target, force });
+      } else {
+        copied.secret = await writeSecretFileIfMissing({ path: target, secret, force });
+      }
+    } else if (serverComponent === 'happy-server') {
+      const sourcePath = source && !String(source).includes('(HANDY_MASTER_SECRET)') ? String(source) : '';
+      if (linkMode && sourcePath && existsSync(sourcePath)) {
+        copied.secret = await linkFileIfMissing({ from: sourcePath, to: targetSecretFile, force });
+      } else {
+        copied.secret = await writeSecretFileIfMissing({ path: targetSecretFile, secret, force });
+      }
+    }
+  }
+
+  const sourceBaseDir = isLegacySource ? getLegacyHappyBaseDir() : getStackDir(fromStackName);
+  const sourceEnvRaw = isLegacySource ? '' : await readTextIfExists(getStackEnvPath(fromStackName));
+  const sourceEnv = sourceEnvRaw ? parseEnvToObject(sourceEnvRaw) : {};
+  const sourceCli = isLegacySource
+    ? join(sourceBaseDir, 'cli')
+    : getCliHomeDirFromEnvOrDefault({ stackBaseDir: sourceBaseDir, env: sourceEnv });
+
+  if (linkMode) {
+    copied.accessKey = await linkFileIfMissing({ from: join(sourceCli, 'access.key'), to: join(targetCli, 'access.key'), force });
+    copied.settings = await linkFileIfMissing({ from: join(sourceCli, 'settings.json'), to: join(targetCli, 'settings.json'), force });
+  } else {
+    copied.accessKey = await copyFileIfMissing({
+      from: join(sourceCli, 'access.key'),
+      to: join(targetCli, 'access.key'),
+      mode: 0o600,
+      force,
+    });
+    copied.settings = await copyFileIfMissing({
+      from: join(sourceCli, 'settings.json'),
+      to: join(targetCli, 'settings.json'),
+      mode: 0o600,
+      force,
+    });
+  }
+
+  // Best-effort DB seeding: copy Account rows from source stack DB to target stack DB.
+  // This avoids FK failures (e.g., Prisma P2003) when the target DB is fresh but the copied token
+  // refers to an account ID that does not exist there yet.
+  try {
+    // Ensure prisma is runnable (best-effort). If deps aren't installed, we'll fall back to skipping DB seeding.
+    // IMPORTANT: when running with --json, keep stdout clean (no yarn/prisma chatter).
+    await ensureDepsInstalled(serverDirForPrisma, serverComponent, { quiet: json }).catch(() => {});
+
+    const fromServerComponent = isLegacySource ? 'happy-server-light' : resolveServerComponentFromEnv(sourceEnv);
+    const fromDatabaseUrl = resolveDatabaseUrlForStackOrThrow({
+      env: sourceEnv,
+      stackName: fromStackName,
+      baseDir: sourceBaseDir,
+      serverComponent: fromServerComponent,
+      label: `source stack "${fromStackName}"`,
+    });
+    const targetEnv = process.env;
+    const targetServerComponent = resolveServerComponentFromEnv(targetEnv);
+    let targetDatabaseUrl;
+    try {
+      targetDatabaseUrl = resolveDatabaseUrlForStackOrThrow({
+        env: targetEnv,
+        stackName,
+        baseDir: targetBaseDir,
+        serverComponent: targetServerComponent,
+        label: `target stack "${stackName}"`,
+      });
+    } catch (e) {
+      // For full server stacks, allow `copy-from --with-infra` to bring up Docker infra just-in-time
+      // so we can seed DB accounts reliably.
+      const managed = (targetEnv.HAPPY_STACKS_MANAGED_INFRA ?? targetEnv.HAPPY_LOCAL_MANAGED_INFRA ?? '1').toString().trim() !== '0';
+      if (targetServerComponent === 'happy-server' && withInfra && managed) {
+        const { port } = getInternalServerUrl();
+        const publicServerUrl = `http://localhost:${port}`;
+        const envPath = getStackEnvPath(stackName);
+        const infra = await ensureHappyServerManagedInfra({
+          stackName,
+          baseDir: targetBaseDir,
+          serverPort: port,
+          publicServerUrl,
+          envPath,
+          env: targetEnv,
+          quiet: json,
+          // Auth seeding only needs Postgres; don't block on Minio bucket init.
+          skipMinioInit: true,
+        });
+        targetDatabaseUrl = infra?.env?.DATABASE_URL ?? '';
+      } else {
+        throw e;
+      }
+    }
+    if (!targetDatabaseUrl) {
+      throw new Error(
+        `[auth] missing DATABASE_URL for target stack "${stackName}". ` +
+          (targetServerComponent === 'happy-server' ? `If this is a managed infra stack, re-run with --with-infra.` : '')
+      );
+    }
+
+    const runSeed = async () => {
+      const seeded = await seedAccountsFromSourceDbToTargetDb({
+        rootDir,
+        fromStackName,
+        fromServerComponent,
+        fromDatabaseUrl,
+        targetStackName: stackName,
+        targetServerComponent,
+        targetDatabaseUrl,
+        force,
+      });
+      copied.dbAccounts = { sourceCount: seeded.sourceCount, insertedCount: seeded.insertedCount };
+      copied.db = true;
+      copied.dbError = null;
+    };
+
+    try {
+      await runSeed();
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      // If the target DB exists but hasn't had schema applied yet, Prisma will report missing tables.
+      // Fix it best-effort by applying schema, then retry seeding once.
+      const looksLikeMissingTable = msg.toLowerCase().includes('does not exist') || msg.toLowerCase().includes('no such table');
+      if (looksLikeMissingTable) {
+        if (serverComponent === 'happy-server-light') {
+          await pmExecBin({
+            dir: serverDirForPrisma,
+            bin: 'prisma',
+            args: ['db', 'push'],
+            env: { ...process.env, DATABASE_URL: targetDatabaseUrl },
+            quiet: json,
+          }).catch(() => {});
+        } else if (serverComponent === 'happy-server') {
+          await applyHappyServerMigrations({
+            serverDir: serverDirForPrisma,
+            env: { ...process.env, DATABASE_URL: targetDatabaseUrl },
+            quiet: json,
+          }).catch(() => {});
+        }
+        await runSeed();
+      } else {
+        throw e;
+      }
+    }
+  } catch (err) {
+    copied.db = false;
+    copied.dbAccounts = null;
+    copied.dbError = err instanceof Error ? err.message : String(err);
+    if (!json) {
+      console.warn(`[auth] db seed skipped: ${copied.dbError}`);
+    }
+  }
+
+  if (json) {
+    printResult({ json, data: { ok: true, copied } });
+    return;
+  }
+
+  const any = copied.secret || copied.accessKey || copied.settings || copied.db;
+  if (!any) {
+    console.log(`[auth] nothing to copy (target already has auth files)`);
+    return;
+  }
+
+  console.log(`[auth] copied auth from "${fromStackName}" into "${stackName}" (no re-login needed)`);
+  if (copied.secret) console.log(`  - master secret: copied (${source || 'unknown source'})`);
+  if (copied.dbAccounts) {
+    console.log(`  - db: seeded Account rows (inserted=${copied.dbAccounts.insertedCount}/${copied.dbAccounts.sourceCount})`);
+  }
+  if (copied.accessKey) console.log(`  - cli: copied access.key`);
+  if (copied.settings) console.log(`  - cli: copied settings.json`);
+}
+
 async function cmdStatus({ json }) {
   const rootDir = getRootDir(import.meta.url);
   const stackName = getStackName();
 
   const { port, url: internalServerUrl } = getInternalServerUrl();
   const defaultPublicUrl = `http://localhost:${port}`;
-  const envPublicUrl = (process.env.HAPPY_LOCAL_SERVER_URL ?? process.env.HAPPY_STACKS_SERVER_URL ?? '').trim();
+  const envPublicUrl = resolveEnvPublicUrlForStack({ stackName });
   const { publicServerUrl } = await resolvePublicServerUrl({
     internalServerUrl,
     defaultPublicUrl,
@@ -162,33 +902,52 @@ async function cmdStatus({ json }) {
   console.log(authLine);
   if (!auth.ok) {
     console.log(`  ↪ run: ${authLoginSuggestion(stackName)}`);
+    const copyFromSeed = authCopyFromSeedSuggestion(stackName);
+    if (copyFromSeed) {
+      console.log(`  ↪ or (recommended if your seed stack is already logged in): ${copyFromSeed}`);
+    }
   }
   console.log(daemonLine);
   console.log(serverLine);
+  if (!health.ok) {
+    const startHint = stackName === 'main' ? 'happys dev' : `happys stack dev ${stackName}`;
+    console.log(`  ↪ this stack does not appear to be running. Start it with: ${startHint}`);
+    return;
+  }
   if (auth.ok && daemon.status !== 'running') {
-    console.log(`  ↪ auth is OK; this looks like a daemon/runtime issue. Try: happys doctor`);
+    console.log(`  ↪ daemon is not running for this stack. If you expected it to be running, try: happys doctor`);
   }
 }
 
 async function cmdLogin({ argv, json }) {
   const rootDir = getRootDir(import.meta.url);
   const stackName = getStackName();
+  const { kv } = parseArgs(argv);
 
   const { port, url: internalServerUrl } = getInternalServerUrl();
   const defaultPublicUrl = `http://localhost:${port}`;
-  const envPublicUrl = (process.env.HAPPY_LOCAL_SERVER_URL ?? process.env.HAPPY_STACKS_SERVER_URL ?? '').trim();
+  const envPublicUrl = resolveEnvPublicUrlForStack({ stackName });
   const { publicServerUrl } = await resolvePublicServerUrl({
     internalServerUrl,
     defaultPublicUrl,
     envPublicUrl,
     allowEnable: false,
   });
+  const envWebappUrl = resolveEnvWebappUrlForStack({ stackName });
+  const expoWebappUrl = await resolveWebappUrlFromRunningExpo({ rootDir, stackName });
+  const webappUrl = envWebappUrl || expoWebappUrl || publicServerUrl;
+  const webappUrlSource = expoWebappUrl ? 'expo' : envWebappUrl ? 'stack env override' : 'server';
 
   const cliHomeDir = resolveCliHomeDir();
   const cliBin = join(getComponentDir(rootDir, 'happy-cli'), 'bin', 'happy.mjs');
 
   const force = !argv.includes('--no-force');
   const wantPrint = argv.includes('--print');
+  const contextRaw =
+    (kv.get('--context') ?? process.env.HAPPY_STACKS_AUTH_LOGIN_CONTEXT ?? process.env.HAPPY_LOCAL_AUTH_LOGIN_CONTEXT ?? '')
+      .toString()
+      .trim();
+  const context = contextRaw || (stackName === 'main' ? 'generic' : 'stack');
 
   const nodeArgs = [cliBin, 'auth', 'login'];
   if (force || argv.includes('--force')) {
@@ -199,11 +958,11 @@ async function cmdLogin({ argv, json }) {
     ...process.env,
     HAPPY_HOME_DIR: cliHomeDir,
     HAPPY_SERVER_URL: internalServerUrl,
-    HAPPY_WEBAPP_URL: publicServerUrl,
+    HAPPY_WEBAPP_URL: webappUrl,
   };
 
   if (wantPrint) {
-    const cmd = `HAPPY_HOME_DIR="${cliHomeDir}" HAPPY_SERVER_URL="${internalServerUrl}" HAPPY_WEBAPP_URL="${publicServerUrl}" node "${cliBin}" auth login${nodeArgs.includes('--force') ? ' --force' : ''}`;
+    const cmd = `HAPPY_HOME_DIR="${cliHomeDir}" HAPPY_SERVER_URL="${internalServerUrl}" HAPPY_WEBAPP_URL="${webappUrl}" node "${cliBin}" auth login${nodeArgs.includes('--force') ? ' --force' : ''}`;
     if (json) {
       printResult({ json, data: { ok: true, stackName, cmd } });
     } else {
@@ -213,8 +972,15 @@ async function cmdLogin({ argv, json }) {
   }
 
   if (!json) {
-    console.log(`[auth] stack: ${stackName}`);
-    console.log(`[auth] launching login...`);
+    printAuthLoginInstructions({
+      stackName,
+      context,
+      webappUrl,
+      webappUrlSource,
+      internalServerUrl,
+      publicServerUrl,
+      rerunCmd: authLoginSuggestion(stackName),
+    });
   }
 
   const child = spawn(process.execPath, nodeArgs, {
@@ -223,7 +989,45 @@ async function cmdLogin({ argv, json }) {
     stdio: 'inherit',
   });
 
+  const timeoutMsRaw =
+    (process.env.HAPPY_STACKS_AUTH_LOGIN_TIMEOUT_MS ?? process.env.HAPPY_LOCAL_AUTH_LOGIN_TIMEOUT_MS ?? '600000').toString().trim();
+  const timeoutMs = timeoutMsRaw ? Number(timeoutMsRaw) : 600000;
+  const hasTimeout = Number.isFinite(timeoutMs) && timeoutMs > 0;
+
+  let exiting = false;
+  const killChild = (signal) => {
+    if (exiting) return;
+    exiting = true;
+    try {
+      child.kill(signal);
+    } catch {
+      // ignore
+    }
+    setTimeout(() => {
+      try {
+        if (child.pid) process.kill(child.pid, 'SIGKILL');
+      } catch {
+        // ignore
+      }
+    }, 1500).unref?.();
+  };
+
+  const onSigint = () => killChild('SIGINT');
+  const onSigterm = () => killChild('SIGTERM');
+  process.on('SIGINT', onSigint);
+  process.on('SIGTERM', onSigterm);
+
+  const t = hasTimeout
+    ? setTimeout(() => {
+        console.warn(`[auth] login timed out after ${timeoutMs}ms (set HAPPY_STACKS_AUTH_LOGIN_TIMEOUT_MS=0 to disable)`);
+        killChild('SIGTERM');
+      }, timeoutMs)
+    : null;
+
   await new Promise((resolve) => child.on('exit', resolve));
+  process.off('SIGINT', onSigint);
+  process.off('SIGTERM', onSigterm);
+  if (t) clearTimeout(t);
   if (json) {
     printResult({ json, data: { ok: child.exitCode === 0, exitCode: child.exitCode } });
   } else if (child.exitCode && child.exitCode !== 0) {
@@ -240,15 +1044,22 @@ async function main() {
   if (wantsHelp(argv, { flags }) || cmd === 'help') {
     printResult({
       json,
-      data: { commands: ['status', 'login'], stackScoped: 'happys stack auth <name> status|login' },
+      data: { commands: ['status', 'login', 'copy-from', 'dev-key'], stackScoped: 'happys stack auth <name> status|login|copy-from' },
       text: [
         '[auth] usage:',
         '  happys auth status [--json]',
         '  happys auth login [--force] [--print] [--json]',
+        '  happys auth copy-from <sourceStack|legacy> --all [--except=main,dev-auth] [--force] [--with-infra] [--link] [--json]',
+        '  happys auth dev-key [--print] [--format=base64url|backup] [--set=<base64url>] [--clear] [--json]',
+        '',
+        'advanced:',
+        '  happys auth login --context=selfhost|dev|stack   # UX labels only',
+        '  happys auth copy-from legacy --allow-main [--link] [--force]   # reuse (symlink) or copy ~/.happy creds into main happy-stacks install',
         '',
         'stack-scoped:',
         '  happys stack auth <name> status [--json]',
         '  happys stack auth <name> login [--force] [--print] [--json]',
+        '  happys stack auth <name> copy-from <sourceStack|legacy> [--force] [--with-infra] [--link] [--json]',
       ].join('\n'),
     });
     return;
@@ -262,6 +1073,14 @@ async function main() {
     await cmdLogin({ argv, json });
     return;
   }
+  if (cmd === 'copy-from') {
+    await cmdCopyFrom({ argv, json });
+    return;
+  }
+  if (cmd === 'dev-key') {
+    await cmdDevKey({ argv, json });
+    return;
+  }
 
   throw new Error(`[auth] unknown command: ${cmd}`);
 }