happy-stacks 0.1.2 → 0.3.0

package/scripts/auth.mjs

@@ -1,133 +1,68 @@
-import './utils/env.mjs';
-import { parseArgs } from './utils/args.mjs';
-import { printResult, wantsHelp, wantsJson } from './utils/cli.mjs';
-import { getComponentDir, getDefaultAutostartPaths, getRootDir, getStackName, resolveStackEnvPath } from './utils/paths.mjs';
+import './utils/env/env.mjs';
+import { parseArgs } from './utils/cli/args.mjs';
+import { printResult, wantsHelp, wantsJson } from './utils/cli/cli.mjs';
+import { getComponentDir, getDefaultAutostartPaths, getRootDir, getStackName, resolveStackEnvPath } from './utils/paths/paths.mjs';
+import { listAllStackNames } from './utils/stack/stacks.mjs';
 import { resolvePublicServerUrl } from './tailscale.mjs';
+import { getInternalServerUrl, getPublicServerUrlEnvOverride, getWebappUrlEnvOverride } from './utils/server/urls.mjs';
+import { fetchHappyHealth } from './utils/server/server.mjs';
 import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { spawn } from 'node:child_process';
-import { chmod, copyFile, mkdir, readFile, writeFile } from 'node:fs/promises';
+import { mkdir, writeFile } from 'node:fs/promises';
 import { dirname } from 'node:path';
 
-import { parseDotenv } from './utils/dotenv.mjs';
-
-function getInternalServerUrl() {
-  const portRaw = (process.env.HAPPY_LOCAL_SERVER_PORT ?? process.env.HAPPY_STACKS_SERVER_PORT ?? '').trim();
-  const port = portRaw ? Number(portRaw) : 3005;
-  const n = Number.isFinite(port) ? port : 3005;
-  return { port: n, url: `http://127.0.0.1:${n}` };
-}
-
-function expandTilde(p) {
-  return p.replace(/^~(?=\/)/, homedir());
-}
-
-async function ensureDir(p) {
-  await mkdir(p, { recursive: true });
+import { parseEnvToObject } from './utils/env/dotenv.mjs';
+import { ensureDepsInstalled, pmExecBin } from './utils/proc/pm.mjs';
+import { applyHappyServerMigrations, ensureHappyServerManagedInfra } from './utils/server/infra/happy_server_infra.mjs';
+import { clearDevAuthKey, readDevAuthKey, writeDevAuthKey } from './utils/auth/dev_key.mjs';
+import { getExpoStatePaths, isStateProcessRunning } from './utils/expo/expo.mjs';
+import { resolveAuthSeedFromEnv } from './utils/stack/startup.mjs';
+import { printAuthLoginInstructions } from './utils/auth/login_ux.mjs';
+import { copyFileIfMissing, linkFileIfMissing, removeFileOrSymlinkIfExists, writeSecretFileIfMissing } from './utils/auth/files.mjs';
+import { getLegacyHappyBaseDir, isLegacyAuthSourceName } from './utils/auth/sources.mjs';
+import { isSandboxed, sandboxAllowsGlobalSideEffects } from './utils/env/sandbox.mjs';
+import { resolveHandyMasterSecretFromStack } from './utils/auth/handy_master_secret.mjs';
+import { ensureDir, readTextIfExists } from './utils/fs/ops.mjs';
+import { stackExistsSync } from './utils/stack/stacks.mjs';
+import { checkDaemonState } from './daemon.mjs';
+import {
+  getCliHomeDirFromEnvOrDefault,
+  getServerLightDataDirFromEnvOrDefault,
+  resolveCliHomeDir,
+} from './utils/stack/dirs.mjs';
+import { resolveLocalhostHost } from './utils/paths/localhost_host.mjs';
+
+function getInternalServerUrlCompat() {
+  const { port, internalServerUrl } = getInternalServerUrl({ env: process.env, defaultPort: 3005 });
+  return { port, url: internalServerUrl };
 }
 
-async function readTextIfExists(path) {
+async function resolveWebappUrlFromRunningExpo({ rootDir, stackName }) {
   try {
-    if (!existsSync(path)) return null;
-    const raw = await readFile(path, 'utf-8');
-    const t = raw.trim();
-    return t ? t : null;
+    const baseDir = resolveStackEnvPath(stackName).baseDir;
+    const uiDir = getComponentDir(rootDir, 'happy');
+    const uiPaths = getExpoStatePaths({
+      baseDir,
+      kind: 'ui-dev',
+      projectDir: uiDir,
+      stateFileName: 'ui.state.json',
+    });
+    const uiRunning = await isStateProcessRunning(uiPaths.statePath);
+    if (!uiRunning.running) return null;
+    const port = Number(uiRunning.state?.port);
+    if (!Number.isFinite(port) || port <= 0) return null;
+    const host = resolveLocalhostHost({ stackMode: stackName !== 'main', stackName });
+    return `http://${host}:${port}`;
   } catch {
     return null;
   }
 }
 
-async function writeSecretFileIfMissing({ path, secret }) {
-  if (existsSync(path)) return false;
-  await ensureDir(dirname(path));
-  await writeFile(path, secret, { encoding: 'utf-8', mode: 0o600 });
-  return true;
-}
-
-async function copyFileIfMissing({ from, to, mode }) {
-  if (existsSync(to)) return false;
-  if (!existsSync(from)) return false;
-  await ensureDir(dirname(to));
-  await copyFile(from, to);
-  if (mode) {
-    await chmod(to, mode).catch(() => {});
-  }
-  return true;
-}
-
-function parseEnvToObject(raw) {
-  const parsed = parseDotenv(raw);
-  return Object.fromEntries(parsed.entries());
-}
-
-function getStackDir(stackName) {
-  return resolveStackEnvPath(stackName).baseDir;
-}
-
-function getStackEnvPath(stackName) {
-  return resolveStackEnvPath(stackName).envPath;
-}
-
-function stackExistsSync(stackName) {
-  if (stackName === 'main') return true;
-  const envPath = getStackEnvPath(stackName);
-  return existsSync(envPath);
-}
-
-function getCliHomeDirFromEnvOrDefault({ stackBaseDir, env }) {
-  const fromEnv = (env.HAPPY_STACKS_CLI_HOME_DIR ?? env.HAPPY_LOCAL_CLI_HOME_DIR ?? '').trim();
-  return fromEnv || join(stackBaseDir, 'cli');
-}
-
-function getServerLightDataDirFromEnvOrDefault({ stackBaseDir, env }) {
-  const fromEnv = (env.HAPPY_SERVER_LIGHT_DATA_DIR ?? '').trim();
-  return fromEnv || join(stackBaseDir, 'server-light');
-}
-
-async function resolveHandyMasterSecretFromStack({ stackName, requireStackExists }) {
-  if (requireStackExists && !stackExistsSync(stackName)) {
-    throw new Error(`[auth] cannot copy auth: source stack "${stackName}" does not exist`);
-  }
-
-  const sourceBaseDir = getStackDir(stackName);
-  const sourceEnvPath = getStackEnvPath(stackName);
-  const raw = await readTextIfExists(sourceEnvPath);
-  const env = raw ? parseEnvToObject(raw) : {};
-
-  const inline = (env.HANDY_MASTER_SECRET ?? '').trim();
-  if (inline) {
-    return { secret: inline, source: `${sourceEnvPath} (HANDY_MASTER_SECRET)` };
-  }
-
-  const secretFile = (env.HAPPY_STACKS_HANDY_MASTER_SECRET_FILE ?? '').trim();
-  if (secretFile) {
-    const secret = await readTextIfExists(secretFile);
-    if (secret) return { secret, source: secretFile };
-  }
-
-  const dataDir = getServerLightDataDirFromEnvOrDefault({ stackBaseDir: sourceBaseDir, env });
-  const secretPath = join(dataDir, 'handy-master-secret.txt');
-  const secret = await readTextIfExists(secretPath);
-  if (secret) return { secret, source: secretPath };
-
-  // Last-resort legacy: if main has never been migrated to stack dirs.
-  if (stackName === 'main') {
-    const legacy = join(homedir(), '.happy', 'server-light', 'handy-master-secret.txt');
-    const legacySecret = await readTextIfExists(legacy);
-    if (legacySecret) return { secret: legacySecret, source: legacy };
-  }
+// NOTE: common fs helpers live in scripts/utils/fs/ops.mjs
 
-  return { secret: null, source: null };
-}
-
-function resolveCliHomeDir() {
-  const fromEnv = (process.env.HAPPY_LOCAL_CLI_HOME_DIR ?? process.env.HAPPY_STACKS_CLI_HOME_DIR ?? '').trim();
-  if (fromEnv) {
-    return expandTilde(fromEnv);
-  }
-  return join(getDefaultAutostartPaths().baseDir, 'cli');
-}
+// (auth file copy/link helpers live in scripts/utils/auth/files.mjs)
 
 function fileHasContent(path) {
   try {
@@ -138,67 +73,14 @@ function fileHasContent(path) {
   }
 }
 
-function checkDaemonState(cliHomeDir) {
-  const statePath = join(cliHomeDir, 'daemon.state.json');
-  const lockPath = join(cliHomeDir, 'daemon.state.json.lock');
-
-  const alive = (pid) => {
-    try {
-      process.kill(pid, 0);
-      return true;
-    } catch {
-      return false;
-    }
-  };
-
-  if (existsSync(statePath)) {
-    try {
-      const state = JSON.parse(readFileSync(statePath, 'utf-8'));
-      const pid = Number(state?.pid);
-      if (Number.isFinite(pid) && pid > 0) {
-        return alive(pid) ? { status: 'running', pid } : { status: 'stale_state', pid };
-      }
-      return { status: 'bad_state' };
-    } catch {
-      return { status: 'bad_state' };
-    }
-  }
-
-  if (existsSync(lockPath)) {
-    try {
-      const pid = Number(readFileSync(lockPath, 'utf-8').trim());
-      if (Number.isFinite(pid) && pid > 0) {
-        return alive(pid) ? { status: 'starting', pid } : { status: 'stale_lock', pid };
-      }
-    } catch {
-      // ignore
-    }
-  }
-
-  return { status: 'stopped' };
-}
-
-async function fetchHealth(internalServerUrl) {
-  const ctl = new AbortController();
-  const t = setTimeout(() => ctl.abort(), 1500);
-  try {
-    const res = await fetch(`${internalServerUrl}/health`, { method: 'GET', signal: ctl.signal });
-    const body = (await res.text()).trim();
-    return { ok: res.ok, status: res.status, body };
-  } catch {
-    return { ok: false, status: null, body: null };
-  } finally {
-    clearTimeout(t);
-  }
-}
-
 function authLoginSuggestion(stackName) {
   return stackName === 'main' ? 'happys auth login' : `happys stack auth ${stackName} login`;
 }
 
-function authCopyFromMainSuggestion(stackName) {
+function authCopyFromSeedSuggestion(stackName) {
   if (stackName === 'main') return null;
-  return `happys stack auth ${stackName} copy-from main`;
+  const from = resolveAuthSeedFromEnv(process.env);
+  return `happys stack auth ${stackName} copy-from ${from}`;
 }
 
 function resolveServerComponentForCurrentStack() {
@@ -208,6 +90,70 @@ function resolveServerComponentForCurrentStack() {
   );
 }
 
+async function cmdDevKey({ argv, json }) {
+  const { flags, kv } = parseArgs(argv);
+  const wantPrint = flags.has('--print');
+  const fmtRaw = (kv.get('--format') ?? '').trim();
+  // UX: the Happy UI restore screen expects the "backup" (XXXXX-...) format.
+  //
+  // IMPORTANT: the Happy restore screen treats any key containing '-' as "backup format",
+  // so printing a base64url key (which may contain '-') is *not reliably pasteable*.
+  // Default to backup always unless explicitly overridden.
+  const fmt = fmtRaw || 'backup'; // base64url | backup
+  const set = (kv.get('--set') ?? '').trim();
+  const clear = flags.has('--clear');
+
+  if (set) {
+    const res = await writeDevAuthKey({ env: process.env, input: set });
+    if (json) {
+      printResult({ json, data: { ok: true, action: 'set', path: res.path } });
+      return;
+    }
+    console.log(`[auth] dev-key saved to ${res.path}`);
+    return;
+  }
+  if (clear) {
+    const res = await clearDevAuthKey({ env: process.env });
+    if (json) {
+      printResult({ json, data: { ok: res.ok, action: 'clear', ...res } });
+      return;
+    }
+    console.log(res.deleted ? `[auth] dev-key removed (${res.path})` : `[auth] dev-key not set (${res.path})`);
+    return;
+  }
+
+  const out = await readDevAuthKey({ env: process.env });
+  if (!out.ok) {
+    throw new Error(`[auth] dev-key: ${out.error ?? 'failed'}`);
+  }
+  if (!out.secretKeyBase64Url) {
+    const msg =
+      `[auth] dev-key is not configured.\n` +
+      `Set it once (local-only, not committed):\n` +
+      `  happys auth dev-key --set "<base64url-secret-or-backup-format>"\n` +
+      `Or export it for this shell:\n` +
+      `  export HAPPY_STACKS_DEV_AUTH_SECRET_KEY="<base64url-secret>"\n`;
+    if (json) {
+      printResult({ json, data: { ok: false, error: 'missing_dev_key', file: out.path ?? null } });
+    } else {
+      console.log(msg);
+    }
+    process.exit(1);
+  }
+
+  const value = fmt === 'backup' ? out.backup : out.secretKeyBase64Url;
+  if (wantPrint) {
+    process.stdout.write(value + '\n');
+    return;
+  }
+  if (json) {
+    printResult({ json, data: { ok: true, key: value, format: fmt, source: out.source ?? null } });
+    return;
+  }
+  console.log(`[auth] dev-key (${fmt}) [source=${out.source ?? 'unknown'}]`);
+  console.log(value);
+}
+
 async function runNodeCapture({ cwd, env, args, stdin }) {
   return await new Promise((resolvePromise, rejectPromise) => {
     const child = spawn(process.execPath, args, {
@@ -243,10 +189,25 @@ function resolveServerComponentFromEnv(env) {
   return v === 'happy-server' ? 'happy-server' : 'happy-server-light';
 }
 
-function resolveDatabaseUrlFromEnvOrThrow(env, { label }) {
-  const v = (env.DATABASE_URL ?? '').trim();
-  if (!v) throw new Error(`[auth] missing DATABASE_URL for ${label}`);
-  return v;
+function resolveDatabaseUrlForStackOrThrow({ env, stackName, baseDir, serverComponent, label }) {
+  const v = (env.DATABASE_URL ?? '').toString().trim();
+  if (v) {
+    if (serverComponent === 'happy-server') {
+      const lower = v.toLowerCase();
+      const ok = lower.startsWith('postgresql://') || lower.startsWith('postgres://');
+      if (!ok) {
+        throw new Error(
+          `[auth] invalid DATABASE_URL for ${label || `stack "${stackName}"`}: expected postgresql://... (got ${JSON.stringify(v)})`
+        );
+      }
+    }
+    return v;
+  }
+  if (serverComponent === 'happy-server-light') {
+    const dataDir = (env.HAPPY_SERVER_LIGHT_DATA_DIR ?? '').toString().trim() || join(baseDir, 'server-light');
+    return `file:${join(dataDir, 'happy-server-light.sqlite')}`;
+  }
+  throw new Error(`[auth] missing DATABASE_URL for ${label || `stack "${stackName}"`}`);
 }
 
 function resolveServerComponentDir({ rootDir, serverComponent }) {
@@ -261,6 +222,7 @@ async function seedAccountsFromSourceDbToTargetDb({
   targetStackName,
   targetServerComponent,
   targetDatabaseUrl,
+  force = false,
 }) {
   const sourceCwd = resolveServerComponentDir({ rootDir, serverComponent: fromServerComponent });
   const targetCwd = resolveServerComponentDir({ rootDir, serverComponent: targetServerComponent });
@@ -295,6 +257,7 @@ process.on('unhandledRejection', (e) => {
 });
 import { PrismaClient } from '@prisma/client';
 import fs from 'node:fs';
+const FORCE = ${force ? 'true' : 'false'};
 const raw = fs.readFileSync(0, 'utf8').trim();
 const accounts = raw ? JSON.parse(raw) : [];
 const db = new PrismaClient();
@@ -308,6 +271,29 @@ try {
     } catch (e) {
       // Prisma unique constraint violation
       if (e && typeof e === 'object' && 'code' in e && e.code === 'P2002') {
+        // Two common cases:
+        // - id already exists (fine)
+        // - publicKey already exists on a different id (auth mismatch -> machine FK failures later)
+        //
+        // For --force, we try to delete the conflicting row by publicKey and then retry insert.
+        // Without --force, fail-closed with a helpful error so users don't end up with "seeded" but broken stacks.
+        try {
+          const existing = await db.account.findUnique({ where: { publicKey: a.publicKey }, select: { id: true } });
+          if (existing?.id && existing.id !== a.id) {
+            if (!FORCE) {
+              throw new Error(
+                \`account publicKey conflict: target already has publicKey for id=\${existing.id}, but seed wants id=\${a.id}. Re-run with --force to replace the conflicting account row.\`
+              );
+            }
+            // Best-effort delete; will fail if other rows reference this account (then we fail closed).
+            await db.account.delete({ where: { publicKey: a.publicKey } });
+            await db.account.create({ data: { id: a.id, publicKey: a.publicKey } });
+            insertedCount += 1;
+            continue;
+          }
+        } catch (inner) {
+          throw inner;
+        }
         continue;
       }
       throw e;
@@ -346,17 +332,144 @@ try {
 async function cmdCopyFrom({ argv, json }) {
   const rootDir = getRootDir(import.meta.url);
   const stackName = getStackName();
-  if (stackName === 'main') {
-    throw new Error('[auth] copy-from is intended for stack-scoped usage (e.g. happys stack auth <name> copy-from main)');
-  }
 
   const positionals = argv.filter((a) => !a.startsWith('--'));
   const fromStackName = (positionals[1] ?? '').trim();
   if (!fromStackName) {
-    throw new Error('[auth] usage: happys stack auth <name> copy-from <sourceStack> [--json]');
+    throw new Error(
+      '[auth] usage: happys stack auth <name> copy-from <sourceStack|legacy> [--force] [--with-infra] [--json]  OR  happys auth copy-from <sourceStack|legacy> --all [--except=main,dev-auth] [--force] [--with-infra] [--json]\n' +
+        'notes:\n' +
+        '  - sourceStack can be a stack name (e.g. main, dev-auth)\n' +
+        '  - legacy uses ~/.happy/{cli,server-light} as a source (best-effort)'
+    );
+  }
+
+  const { flags, kv } = parseArgs(argv);
+  const all = flags.has('--all');
+  if (isLegacyAuthSourceName(fromStackName) && isSandboxed() && !sandboxAllowsGlobalSideEffects()) {
+    throw new Error(
+      '[auth] legacy auth source is disabled in sandbox mode.\n' +
+        'Reason: it reads from ~/.happy (global user state).\n' +
+        'If you really want this, set: HAPPY_STACKS_SANDBOX_ALLOW_GLOBAL=1'
+    );
+  }
+  const force =
+    flags.has('--force') ||
+    flags.has('--overwrite') ||
+    (kv.get('--force') ?? '').trim() === '1' ||
+    (kv.get('--overwrite') ?? '').trim() === '1';
+  const withInfra =
+    flags.has('--with-infra') ||
+    flags.has('--ensure-infra') ||
+    flags.has('--infra') ||
+    (kv.get('--with-infra') ?? '').trim() === '1' ||
+    (kv.get('--ensure-infra') ?? '').trim() === '1';
+  const linkMode =
+    flags.has('--link') ||
+    flags.has('--symlink') ||
+    flags.has('--link-auth') ||
+    (kv.get('--link') ?? '').trim() === '1' ||
+    (kv.get('--symlink') ?? '').trim() === '1' ||
+    (kv.get('--auth-mode') ?? '').trim() === 'link' ||
+    (process.env.HAPPY_STACKS_AUTH_LINK ?? process.env.HAPPY_LOCAL_AUTH_LINK ?? '').toString().trim() === '1' ||
+    (process.env.HAPPY_STACKS_AUTH_MODE ?? process.env.HAPPY_LOCAL_AUTH_MODE ?? '').toString().trim() === 'link';
+  const allowMain = flags.has('--allow-main') || flags.has('--main-ok') || (kv.get('--allow-main') ?? '').trim() === '1';
+  const exceptRaw = (kv.get('--except') ?? '').trim();
+  const except = new Set(exceptRaw.split(',').map((s) => s.trim()).filter(Boolean));
+
+  if (all) {
+    // Global bulk operation (no stack context required).
+    const stacks = await listAllStackNames();
+    const results = [];
+    const totalTargets = stacks.filter((s) => !except.has(s) && s !== fromStackName).length;
+    let idx = 0;
+    const progress = (line) => {
+      // In JSON mode, never pollute stdout (reserved for final JSON).
+      // eslint-disable-next-line no-console
+      (json ? console.error : console.log)(line);
+    };
+
+    progress(
+      `[auth] copy-from --all: from=${fromStackName}${except.size ? ` (except=${[...except].join(',')})` : ''}${force ? ' (force)' : ''}${withInfra ? ' (with-infra)' : ''}`
+    );
+    for (const target of stacks) {
+      if (except.has(target)) {
+        progress(`- ↪ ${target}: skipped (excluded)`);
+        results.push({ stackName: target, ok: true, skipped: true, reason: 'excluded' });
+        continue;
+      }
+      if (target === fromStackName) {
+        progress(`- ↪ ${target}: skipped (source_stack)`);
+        results.push({ stackName: target, ok: true, skipped: true, reason: 'source_stack' });
+        continue;
+      }
+
+      idx += 1;
+      progress(`[auth] [${idx}/${totalTargets}] seeding stack "${target}"...`);
+
+      try {
+        const out = await runNodeCapture({
+          cwd: rootDir,
+          env: process.env,
+          args: [
+            join(rootDir, 'scripts', 'stack.mjs'),
+            'auth',
+            target,
+            '--',
+            'copy-from',
+            fromStackName,
+            '--json',
+            ...(force ? ['--force'] : []),
+            ...(withInfra ? ['--with-infra'] : []),
+            ...(linkMode ? ['--link'] : []),
+          ],
+        });
+        const parsed = out.stdout.trim() ? JSON.parse(out.stdout.trim()) : null;
+
+        const copied = parsed?.copied && typeof parsed.copied === 'object' ? parsed.copied : null;
+        const db = copied?.dbAccounts ? `db=${copied.dbAccounts.insertedCount}/${copied.dbAccounts.sourceCount}` : copied?.dbError ? `db=skipped` : `db=unknown`;
+        const secret = copied?.secret ? 'secret' : null;
+        const cli = copied?.accessKey || copied?.settings ? 'cli' : null;
+        const any = copied?.secret || copied?.accessKey || copied?.settings || copied?.db;
+        const summary = any ? `seeded (${[db, secret, cli].filter(Boolean).join(', ')})` : `noop (already has auth)`;
+        progress(`- ✅ ${target}: ${summary}`);
+        if (copied?.dbError) {
+          progress(`  - db seed skipped: ${copied.dbError}`);
+        }
+
+        results.push({ stackName: target, ok: true, skipped: false, fromStackName, out: parsed });
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        progress(`- ❌ ${target}: failed`);
+        progress(`  - ${msg}`);
+        results.push({ stackName: target, ok: false, skipped: false, fromStackName, error: msg });
+      }
+    }
+
+    const ok = results.every((r) => r.ok);
+    if (json) {
+      printResult({ json, data: { ok, fromStackName, results } });
+      return;
+    }
+    // (we already streamed progress above)
+    const failed = results.filter((r) => !r.ok).length;
+    const skipped = results.filter((r) => r.ok && r.skipped).length;
+    const seeded = results.filter((r) => r.ok && !r.skipped).length;
+    // eslint-disable-next-line no-console
+    console.log(`[auth] done: ok=${ok ? 'true' : 'false'} seeded=${seeded} skipped=${skipped} failed=${failed}`);
+    if (!ok) process.exit(1);
+    return;
+  }
+
+  if (stackName === 'main' && !allowMain) {
+    throw new Error(
+      '[auth] copy-from is intended for stack-scoped usage (e.g. happys stack auth <name> copy-from main), or pass --all.\n' +
+        'If you really intend to seed the main Happy Stacks install, re-run with: --allow-main'
+    );
   }
 
   const serverComponent = resolveServerComponentForCurrentStack();
+  const serverDirForPrisma = resolveServerComponentDir({ rootDir, serverComponent });
   const targetBaseDir = getDefaultAutostartPaths().baseDir;
   const targetCli = resolveCliHomeDir();
   const targetServerLightDataDir =
@@ -364,7 +477,20 @@ async function cmdCopyFrom({ argv, json }) {
   const targetSecretFile =
     (process.env.HAPPY_STACKS_HANDY_MASTER_SECRET_FILE ?? '').trim() || join(targetBaseDir, 'happy-server', 'handy-master-secret.txt');
 
-  const { secret, source } = await resolveHandyMasterSecretFromStack({ stackName: fromStackName, requireStackExists: true });
+  const isLegacySource = isLegacyAuthSourceName(fromStackName);
+  if (isLegacySource && isSandboxed() && !sandboxAllowsGlobalSideEffects()) {
+    throw new Error(
+      '[auth] legacy auth source is disabled in sandbox mode.\n' +
+        'Reason: it reads from ~/.happy (global user state).\n' +
+        'If you really want this, set: HAPPY_STACKS_SANDBOX_ALLOW_GLOBAL=1'
+    );
+  }
+  const { secret, source } = await resolveHandyMasterSecretFromStack({
+    stackName: fromStackName,
+    requireStackExists: !isLegacySource,
+    allowLegacyAuthSource: !isSandboxed() || sandboxAllowsGlobalSideEffects(),
+    allowLegacyMainFallback: !isSandboxed() || sandboxAllowsGlobalSideEffects(),
+  });
 
   const copied = {
     secret: false,
@@ -379,49 +505,150 @@ async function cmdCopyFrom({ argv, json }) {
 
   if (secret) {
     if (serverComponent === 'happy-server-light') {
-      copied.secret = await writeSecretFileIfMissing({ path: join(targetServerLightDataDir, 'handy-master-secret.txt'), secret });
+      const target = join(targetServerLightDataDir, 'handy-master-secret.txt');
+      const sourcePath = source && !String(source).includes('(HANDY_MASTER_SECRET)') ? String(source) : '';
+      if (linkMode && sourcePath && existsSync(sourcePath)) {
+        copied.secret = await linkFileIfMissing({ from: sourcePath, to: target, force });
+      } else {
+        copied.secret = await writeSecretFileIfMissing({ path: target, secret, force });
+      }
     } else if (serverComponent === 'happy-server') {
-      copied.secret = await writeSecretFileIfMissing({ path: targetSecretFile, secret });
+      const sourcePath = source && !String(source).includes('(HANDY_MASTER_SECRET)') ? String(source) : '';
+      if (linkMode && sourcePath && existsSync(sourcePath)) {
+        copied.secret = await linkFileIfMissing({ from: sourcePath, to: targetSecretFile, force });
+      } else {
+        copied.secret = await writeSecretFileIfMissing({ path: targetSecretFile, secret, force });
+      }
     }
   }
 
-  const sourceBaseDir = getStackDir(fromStackName);
-  const sourceEnvRaw = await readTextIfExists(getStackEnvPath(fromStackName));
+  const sourceBaseDir = isLegacySource ? getLegacyHappyBaseDir() : resolveStackEnvPath(fromStackName).baseDir;
+  const sourceEnvRaw = isLegacySource ? '' : await readTextIfExists(resolveStackEnvPath(fromStackName).envPath);
   const sourceEnv = sourceEnvRaw ? parseEnvToObject(sourceEnvRaw) : {};
-  const sourceCli = getCliHomeDirFromEnvOrDefault({ stackBaseDir: sourceBaseDir, env: sourceEnv });
-
-  copied.accessKey = await copyFileIfMissing({
-    from: join(sourceCli, 'access.key'),
-    to: join(targetCli, 'access.key'),
-    mode: 0o600,
-  });
-  copied.settings = await copyFileIfMissing({
-    from: join(sourceCli, 'settings.json'),
-    to: join(targetCli, 'settings.json'),
-    mode: 0o600,
-  });
+  const sourceCli = isLegacySource
+    ? join(sourceBaseDir, 'cli')
+    : getCliHomeDirFromEnvOrDefault({ stackBaseDir: sourceBaseDir, env: sourceEnv });
+
+  if (linkMode) {
+    copied.accessKey = await linkFileIfMissing({ from: join(sourceCli, 'access.key'), to: join(targetCli, 'access.key'), force });
+    copied.settings = await linkFileIfMissing({ from: join(sourceCli, 'settings.json'), to: join(targetCli, 'settings.json'), force });
+  } else {
+    copied.accessKey = await copyFileIfMissing({
+      from: join(sourceCli, 'access.key'),
+      to: join(targetCli, 'access.key'),
+      mode: 0o600,
+      force,
+    });
+    copied.settings = await copyFileIfMissing({
+      from: join(sourceCli, 'settings.json'),
+      to: join(targetCli, 'settings.json'),
+      mode: 0o600,
+      force,
+    });
+  }
 
   // Best-effort DB seeding: copy Account rows from source stack DB to target stack DB.
   // This avoids FK failures (e.g., Prisma P2003) when the target DB is fresh but the copied token
   // refers to an account ID that does not exist there yet.
   try {
-    const fromServerComponent = resolveServerComponentFromEnv(sourceEnv);
-    const fromDatabaseUrl = resolveDatabaseUrlFromEnvOrThrow(sourceEnv, { label: `source stack "${fromStackName}"` });
+    // Ensure prisma is runnable (best-effort). If deps aren't installed, we'll fall back to skipping DB seeding.
+    // IMPORTANT: when running with --json, keep stdout clean (no yarn/prisma chatter).
+    await ensureDepsInstalled(serverDirForPrisma, serverComponent, { quiet: json }).catch(() => {});
+
+    const fromServerComponent = isLegacySource ? 'happy-server-light' : resolveServerComponentFromEnv(sourceEnv);
+    const fromDatabaseUrl = resolveDatabaseUrlForStackOrThrow({
+      env: sourceEnv,
+      stackName: fromStackName,
+      baseDir: sourceBaseDir,
+      serverComponent: fromServerComponent,
+      label: `source stack "${fromStackName}"`,
+    });
     const targetEnv = process.env;
     const targetServerComponent = resolveServerComponentFromEnv(targetEnv);
-    const targetDatabaseUrl = resolveDatabaseUrlFromEnvOrThrow(targetEnv, { label: `target stack "${stackName}"` });
-
-    const seeded = await seedAccountsFromSourceDbToTargetDb({
-      rootDir,
-      fromStackName,
-      fromServerComponent,
-      fromDatabaseUrl,
-      targetStackName: stackName,
-      targetServerComponent,
-      targetDatabaseUrl,
-    });
-    copied.dbAccounts = { sourceCount: seeded.sourceCount, insertedCount: seeded.insertedCount };
-    copied.db = true;
+    let targetDatabaseUrl;
+    try {
+      targetDatabaseUrl = resolveDatabaseUrlForStackOrThrow({
+        env: targetEnv,
+        stackName,
+        baseDir: targetBaseDir,
+        serverComponent: targetServerComponent,
+        label: `target stack "${stackName}"`,
+      });
+    } catch (e) {
+      // For full server stacks, allow `copy-from --with-infra` to bring up Docker infra just-in-time
+      // so we can seed DB accounts reliably.
+      const managed = (targetEnv.HAPPY_STACKS_MANAGED_INFRA ?? targetEnv.HAPPY_LOCAL_MANAGED_INFRA ?? '1').toString().trim() !== '0';
+      if (targetServerComponent === 'happy-server' && withInfra && managed) {
+        const { port } = getInternalServerUrlCompat();
+        const publicServerUrl = `http://localhost:${port}`;
+        const envPath = resolveStackEnvPath(stackName).envPath;
+        const infra = await ensureHappyServerManagedInfra({
+          stackName,
+          baseDir: targetBaseDir,
+          serverPort: port,
+          publicServerUrl,
+          envPath,
+          env: targetEnv,
+          quiet: json,
+          // Auth seeding only needs Postgres; don't block on Minio bucket init.
+          skipMinioInit: true,
+        });
+        targetDatabaseUrl = infra?.env?.DATABASE_URL ?? '';
+      } else {
+        throw e;
+      }
+    }
+    if (!targetDatabaseUrl) {
+      throw new Error(
+        `[auth] missing DATABASE_URL for target stack "${stackName}". ` +
+          (targetServerComponent === 'happy-server' ? `If this is a managed infra stack, re-run with --with-infra.` : '')
+      );
+    }
+
+    const runSeed = async () => {
+      const seeded = await seedAccountsFromSourceDbToTargetDb({
+        rootDir,
+        fromStackName,
+        fromServerComponent,
+        fromDatabaseUrl,
+        targetStackName: stackName,
+        targetServerComponent,
+        targetDatabaseUrl,
+        force,
+      });
+      copied.dbAccounts = { sourceCount: seeded.sourceCount, insertedCount: seeded.insertedCount };
+      copied.db = true;
+      copied.dbError = null;
+    };
+
+    try {
+      await runSeed();
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      // If the target DB exists but hasn't had schema applied yet, Prisma will report missing tables.
+      // Fix it best-effort by applying schema, then retry seeding once.
+      const looksLikeMissingTable = msg.toLowerCase().includes('does not exist') || msg.toLowerCase().includes('no such table');
+      if (looksLikeMissingTable) {
+        if (serverComponent === 'happy-server-light') {
+          await pmExecBin({
+            dir: serverDirForPrisma,
+            bin: 'prisma',
+            args: ['db', 'push'],
+            env: { ...process.env, DATABASE_URL: targetDatabaseUrl },
+            quiet: json,
+          }).catch(() => {});
+        } else if (serverComponent === 'happy-server') {
+          await applyHappyServerMigrations({
+            serverDir: serverDirForPrisma,
+            env: { ...process.env, DATABASE_URL: targetDatabaseUrl },
+            quiet: json,
+          }).catch(() => {});
+        }
+        await runSeed();
+      } else {
+        throw e;
+      }
+    }
   } catch (err) {
     copied.db = false;
     copied.dbAccounts = null;
@@ -455,9 +682,8 @@ async function cmdStatus({ json }) {
   const rootDir = getRootDir(import.meta.url);
   const stackName = getStackName();
 
-  const { port, url: internalServerUrl } = getInternalServerUrl();
-  const defaultPublicUrl = `http://localhost:${port}`;
-  const envPublicUrl = (process.env.HAPPY_LOCAL_SERVER_URL ?? process.env.HAPPY_STACKS_SERVER_URL ?? '').trim();
+  const { port, url: internalServerUrl } = getInternalServerUrlCompat();
+  const { defaultPublicUrl, envPublicUrl } = getPublicServerUrlEnvOverride({ env: process.env, serverPort: port, stackName });
   const { publicServerUrl } = await resolvePublicServerUrl({
     internalServerUrl,
     defaultPublicUrl,
@@ -478,7 +704,12 @@ async function cmdStatus({ json }) {
   };
 
   const daemon = checkDaemonState(cliHomeDir);
-  const health = await fetchHealth(internalServerUrl);
+  const healthRaw = await fetchHappyHealth(internalServerUrl);
+  const health = {
+    ok: Boolean(healthRaw.ok),
+    status: healthRaw.status,
+    body: healthRaw.text ? healthRaw.text.trim() : null,
+  };
 
   const out = {
     stackName,
@@ -519,9 +750,9 @@ async function cmdStatus({ json }) {
   console.log(authLine);
   if (!auth.ok) {
     console.log(`  ↪ run: ${authLoginSuggestion(stackName)}`);
-    const copyFromMain = authCopyFromMainSuggestion(stackName);
-    if (copyFromMain) {
-      console.log(`  ↪ or (recommended if main is already logged in): ${copyFromMain}`);
+    const copyFromSeed = authCopyFromSeedSuggestion(stackName);
+    if (copyFromSeed) {
+      console.log(`  ↪ or (recommended if your seed stack is already logged in): ${copyFromSeed}`);
     }
   }
   console.log(daemonLine);
@@ -539,22 +770,31 @@ async function cmdStatus({ json }) {
 async function cmdLogin({ argv, json }) {
   const rootDir = getRootDir(import.meta.url);
   const stackName = getStackName();
+  const { kv } = parseArgs(argv);
 
-  const { port, url: internalServerUrl } = getInternalServerUrl();
-  const defaultPublicUrl = `http://localhost:${port}`;
-  const envPublicUrl = (process.env.HAPPY_LOCAL_SERVER_URL ?? process.env.HAPPY_STACKS_SERVER_URL ?? '').trim();
+  const { port, url: internalServerUrl } = getInternalServerUrlCompat();
+  const { defaultPublicUrl, envPublicUrl } = getPublicServerUrlEnvOverride({ env: process.env, serverPort: port, stackName });
   const { publicServerUrl } = await resolvePublicServerUrl({
     internalServerUrl,
     defaultPublicUrl,
     envPublicUrl,
     allowEnable: false,
   });
+  const { envWebappUrl } = getWebappUrlEnvOverride({ env: process.env, stackName });
+  const expoWebappUrl = await resolveWebappUrlFromRunningExpo({ rootDir, stackName });
+  const webappUrl = envWebappUrl || expoWebappUrl || publicServerUrl;
+  const webappUrlSource = expoWebappUrl ? 'expo' : envWebappUrl ? 'stack env override' : 'server';
 
   const cliHomeDir = resolveCliHomeDir();
   const cliBin = join(getComponentDir(rootDir, 'happy-cli'), 'bin', 'happy.mjs');
 
   const force = !argv.includes('--no-force');
   const wantPrint = argv.includes('--print');
+  const contextRaw =
+    (kv.get('--context') ?? process.env.HAPPY_STACKS_AUTH_LOGIN_CONTEXT ?? process.env.HAPPY_LOCAL_AUTH_LOGIN_CONTEXT ?? '')
+      .toString()
+      .trim();
+  const context = contextRaw || (stackName === 'main' ? 'generic' : 'stack');
 
   const nodeArgs = [cliBin, 'auth', 'login'];
   if (force || argv.includes('--force')) {
@@ -565,11 +805,11 @@ async function cmdLogin({ argv, json }) {
     ...process.env,
     HAPPY_HOME_DIR: cliHomeDir,
     HAPPY_SERVER_URL: internalServerUrl,
-    HAPPY_WEBAPP_URL: publicServerUrl,
+    HAPPY_WEBAPP_URL: webappUrl,
   };
 
   if (wantPrint) {
-    const cmd = `HAPPY_HOME_DIR="${cliHomeDir}" HAPPY_SERVER_URL="${internalServerUrl}" HAPPY_WEBAPP_URL="${publicServerUrl}" node "${cliBin}" auth login${nodeArgs.includes('--force') ? ' --force' : ''}`;
+    const cmd = `HAPPY_HOME_DIR="${cliHomeDir}" HAPPY_SERVER_URL="${internalServerUrl}" HAPPY_WEBAPP_URL="${webappUrl}" node "${cliBin}" auth login${nodeArgs.includes('--force') ? ' --force' : ''}`;
     if (json) {
       printResult({ json, data: { ok: true, stackName, cmd } });
     } else {
@@ -579,8 +819,15 @@ async function cmdLogin({ argv, json }) {
   }
 
   if (!json) {
-    console.log(`[auth] stack: ${stackName}`);
-    console.log(`[auth] launching login...`);
+    printAuthLoginInstructions({
+      stackName,
+      context,
+      webappUrl,
+      webappUrlSource,
+      internalServerUrl,
+      publicServerUrl,
+      rerunCmd: authLoginSuggestion(stackName),
+    });
   }
 
   const child = spawn(process.execPath, nodeArgs, {
@@ -589,7 +836,45 @@ async function cmdLogin({ argv, json }) {
     stdio: 'inherit',
   });
 
+  const timeoutMsRaw =
+    (process.env.HAPPY_STACKS_AUTH_LOGIN_TIMEOUT_MS ?? process.env.HAPPY_LOCAL_AUTH_LOGIN_TIMEOUT_MS ?? '600000').toString().trim();
+  const timeoutMs = timeoutMsRaw ? Number(timeoutMsRaw) : 600000;
+  const hasTimeout = Number.isFinite(timeoutMs) && timeoutMs > 0;
+
+  let exiting = false;
+  const killChild = (signal) => {
+    if (exiting) return;
+    exiting = true;
+    try {
+      child.kill(signal);
+    } catch {
+      // ignore
+    }
+    setTimeout(() => {
+      try {
+        if (child.pid) process.kill(child.pid, 'SIGKILL');
+      } catch {
+        // ignore
+      }
+    }, 1500).unref?.();
+  };
+
+  const onSigint = () => killChild('SIGINT');
+  const onSigterm = () => killChild('SIGTERM');
+  process.on('SIGINT', onSigint);
+  process.on('SIGTERM', onSigterm);
+
+  const t = hasTimeout
+    ? setTimeout(() => {
+        console.warn(`[auth] login timed out after ${timeoutMs}ms (set HAPPY_STACKS_AUTH_LOGIN_TIMEOUT_MS=0 to disable)`);
+        killChild('SIGTERM');
+      }, timeoutMs)
+    : null;
+
   await new Promise((resolve) => child.on('exit', resolve));
+  process.off('SIGINT', onSigint);
+  process.off('SIGTERM', onSigterm);
+  if (t) clearTimeout(t);
   if (json) {
     printResult({ json, data: { ok: child.exitCode === 0, exitCode: child.exitCode } });
   } else if (child.exitCode && child.exitCode !== 0) {
@@ -606,16 +891,22 @@ async function main() {
   if (wantsHelp(argv, { flags }) || cmd === 'help') {
     printResult({
       json,
-      data: { commands: ['status', 'login', 'copy-from'], stackScoped: 'happys stack auth <name> status|login|copy-from' },
+      data: { commands: ['status', 'login', 'copy-from', 'dev-key'], stackScoped: 'happys stack auth <name> status|login|copy-from' },
       text: [
         '[auth] usage:',
         '  happys auth status [--json]',
         '  happys auth login [--force] [--print] [--json]',
+        '  happys auth copy-from <sourceStack|legacy> --all [--except=main,dev-auth] [--force] [--with-infra] [--link] [--json]',
+        '  happys auth dev-key [--print] [--format=base64url|backup] [--set=<base64url>] [--clear] [--json]',
+        '',
+        'advanced:',
+        '  happys auth login --context=selfhost|dev|stack   # UX labels only',
+        '  happys auth copy-from legacy --allow-main [--link] [--force]   # reuse (symlink) or copy ~/.happy creds into main happy-stacks install',
         '',
         'stack-scoped:',
         '  happys stack auth <name> status [--json]',
         '  happys stack auth <name> login [--force] [--print] [--json]',
-        '  happys stack auth <name> copy-from <sourceStack> [--json]',
+        '  happys stack auth <name> copy-from <sourceStack|legacy> [--force] [--with-infra] [--link] [--json]',
       ].join('\n'),
     });
     return;
@@ -633,6 +924,10 @@ async function main() {
     await cmdCopyFrom({ argv, json });
     return;
   }
+  if (cmd === 'dev-key') {
+    await cmdDevKey({ argv, json });
+    return;
+  }
 
   throw new Error(`[auth] unknown command: ${cmd}`);
 }