happy-stacks 0.3.0 → 0.5.0

package/scripts/utils/auth/daemon_gate.mjs

@@ -0,0 +1,55 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+
+/**
+ * Shared policy for when the stack runner should start the Happy daemon.
+ *
+ * In `setup-pr` / `review-pr` guided login flows we intentionally start server+UI first,
+ * then guide authentication, then start daemon post-auth. Starting the daemon before
+ * credentials exist can strand it in its own auth flow (lock held, no machine registration),
+ * which leads to "no machines" in the UI.
+ */
+
+export function credentialsPathForCliHomeDir(cliHomeDir) {
+  return join(String(cliHomeDir ?? ''), 'access.key');
+}
+
+export function hasStackCredentials({ cliHomeDir }) {
+  if (!cliHomeDir) return false;
+  return existsSync(credentialsPathForCliHomeDir(cliHomeDir));
+}
+
+export function isAuthFlowEnabled(env) {
+  const v = (env?.HAPPY_STACKS_AUTH_FLOW ?? env?.HAPPY_LOCAL_AUTH_FLOW ?? '').toString().trim();
+  return v === '1' || v.toLowerCase() === 'true';
+}
+
+/**
+ * Returns { ok: boolean, reason: string } where ok=true means it's safe to start the daemon now.
+ * When ok=false, callers should either:
+ * - run interactive auth first (TTY), or
+ * - skip daemon start without error in orchestrated auth flows, or
+ * - fail closed in non-interactive contexts.
+ */
+export function daemonStartGate({ env, cliHomeDir }) {
+  if (hasStackCredentials({ cliHomeDir })) {
+    return { ok: true, reason: 'credentials_present' };
+  }
+  if (isAuthFlowEnabled(env)) {
+    // Orchestrated auth flow (setup-pr/review-pr): keep server/UI up and let the orchestrator
+    // run guided login; starting the daemon now is counterproductive.
+    return { ok: false, reason: 'auth_flow_missing_credentials' };
+  }
+  return { ok: false, reason: 'missing_credentials' };
+}
+
+export function formatDaemonAuthRequiredError({ stackName, cliHomeDir }) {
+  const name = (stackName ?? '').toString().trim() || 'main';
+  const path = credentialsPathForCliHomeDir(cliHomeDir);
+  return (
+    `[local] daemon auth required: credentials not found for stack "${name}".\n` +
+    `[local] expected: ${path}\n` +
+    `[local] fix: run \`happy auth login\` (stack-scoped), or re-run with UI enabled to complete guided login.`
+  );
+}
+

package/scripts/utils/auth/daemon_gate.test.mjs

@@ -0,0 +1,37 @@
+import { mkdtemp, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+import { daemonStartGate, hasStackCredentials } from './daemon_gate.mjs';
+
+test('hasStackCredentials detects access.key', async () => {
+  const dir = await mkdtemp(join(tmpdir(), 'happy-stacks-daemon-gate-'));
+  assert.equal(hasStackCredentials({ cliHomeDir: dir }), false);
+  await writeFile(join(dir, 'access.key'), 'dummy', 'utf-8');
+  assert.equal(hasStackCredentials({ cliHomeDir: dir }), true);
+});
+
+test('daemonStartGate blocks daemon start in auth flow when missing credentials', async () => {
+  const dir = await mkdtemp(join(tmpdir(), 'happy-stacks-daemon-gate-'));
+  const gate = daemonStartGate({ env: { HAPPY_STACKS_AUTH_FLOW: '1' }, cliHomeDir: dir });
+  assert.equal(gate.ok, false);
+  assert.equal(gate.reason, 'auth_flow_missing_credentials');
+});
+
+test('daemonStartGate blocks daemon start when missing credentials (non-auth flow)', async () => {
+  const dir = await mkdtemp(join(tmpdir(), 'happy-stacks-daemon-gate-'));
+  const gate = daemonStartGate({ env: {}, cliHomeDir: dir });
+  assert.equal(gate.ok, false);
+  assert.equal(gate.reason, 'missing_credentials');
+});
+
+test('daemonStartGate allows daemon start when credentials exist', async () => {
+  const dir = await mkdtemp(join(tmpdir(), 'happy-stacks-daemon-gate-'));
+  await writeFile(join(dir, 'access.key'), 'dummy', 'utf-8');
+  const gate = daemonStartGate({ env: {}, cliHomeDir: dir });
+  assert.equal(gate.ok, true);
+  assert.equal(gate.reason, 'credentials_present');
+});
+

package/scripts/utils/auth/guided_pr_auth.mjs

@@ -0,0 +1,79 @@
+import { isTty, promptSelect, withRl } from '../cli/wizard.mjs';
+import { detectSeedableAuthSources } from './sources.mjs';
+
+/**
+ * Decide how a PR review stack should authenticate.
+ *
+ * This deliberately does NOT offer "legacy ~/.happy" sources:
+ * for production/remote Happy installs we cannot reliably seed local DB Account rows, so it leads to broken stacks.
+ */
+export async function decidePrAuthPlan({
+  interactive = isTty(),
+  seedAuthFlag = null,
+  explicitFrom = '',
+  defaultLoginNow = true,
+} = {}) {
+  if (seedAuthFlag === false) return { mode: 'login', loginNow: defaultLoginNow };
+  if (seedAuthFlag === true) {
+    // Caller must supply from; if not, pick best available.
+    const sources = detectSeedableAuthSources();
+    const from = explicitFrom || sources[0] || 'main';
+    return { mode: 'seed', from, link: true };
+  }
+  if (explicitFrom) {
+    return { mode: 'seed', from: explicitFrom, link: true };
+  }
+
+  const sources = detectSeedableAuthSources();
+  if (!interactive) {
+    // Non-interactive default: prefer seeding only if explicitly configured elsewhere.
+    // setup-pr will handle its own defaults.
+    return { mode: 'auto', sources };
+  }
+
+  // If there's nothing to reuse, don't ask a pointless question.
+  if (!sources.length) {
+    return { mode: 'login', loginNow: defaultLoginNow, reason: 'no_seed_sources' };
+  }
+
+  // Interactive prompt: keep it simple for reviewers.
+  const choice = await withRl(async (rl) => {
+    const opts = [];
+    if (sources.length) {
+      opts.push({ label: `reuse existing Happy Stacks auth (${sources.join(' / ')})`, value: 'seed' });
+    }
+    opts.push({ label: defaultLoginNow ? 'login now (recommended)' : 'login later', value: 'login' });
+    return await promptSelect(rl, {
+      title: 'Authentication for this PR stack:',
+      options: opts,
+      defaultIndex: 0,
+    });
+  });
+
+  if (choice === 'seed' && sources.length) {
+    let from = sources[0];
+    if (sources.length > 1) {
+      from = await withRl(async (rl) => {
+        return await promptSelect(rl, {
+          title: 'Which existing auth should we reuse?',
+          options: sources.map((s) => ({ label: s, value: s })),
+          defaultIndex: 0,
+        });
+      });
+    }
+    const link = await withRl(async (rl) => {
+      return await promptSelect(rl, {
+        title: 'When reusing, symlink or copy credentials?',
+        options: [
+          { label: 'symlink (recommended) — stays up to date', value: true },
+          { label: 'copy — more isolated per stack', value: false },
+        ],
+        defaultIndex: 0,
+      });
+    });
+    return { mode: 'seed', from: String(from), link: Boolean(link) };
+  }
+
+  return { mode: 'login', loginNow: defaultLoginNow };
+}
+

package/scripts/utils/auth/guided_stack_web_login.mjs

@@ -0,0 +1,75 @@
+import { prompt, withRl } from '../cli/wizard.mjs';
+import { openUrlInBrowser } from '../ui/browser.mjs';
+import { preferStackLocalhostUrl } from '../paths/localhost_host.mjs';
+
+function supportsAnsi() {
+  if (!process.stdout.isTTY) return false;
+  if (process.env.NO_COLOR) return false;
+  if ((process.env.TERM ?? '').toLowerCase() === 'dumb') return false;
+  return true;
+}
+
+function bold(s) {
+  return supportsAnsi() ? `\x1b[1m${s}\x1b[0m` : String(s);
+}
+
+function dim(s) {
+  return supportsAnsi() ? `\x1b[2m${s}\x1b[0m` : String(s);
+}
+
+function cyan(s) {
+  return supportsAnsi() ? `\x1b[36m${s}\x1b[0m` : String(s);
+}
+
+function green(s) {
+  return supportsAnsi() ? `\x1b[32m${s}\x1b[0m` : String(s);
+}
+
+export async function guidedStackWebSignupThenLogin({ webappUrl, stackName }) {
+  const url = await preferStackLocalhostUrl(webappUrl, { stackName });
+
+  // eslint-disable-next-line no-console
+  console.log('');
+  // eslint-disable-next-line no-console
+  console.log(bold('Happy login'));
+
+  // Step 1/2
+  // eslint-disable-next-line no-console
+  console.log(dim('Step 1/2 — open the web app'));
+  // eslint-disable-next-line no-console
+  console.log(`We’ll open the Happy web app so you can ${bold('create an account')} (or ${bold('log in')}).`);
+  if (url) {
+    // eslint-disable-next-line no-console
+    console.log(`${dim('URL:')} ${cyan(url)}`);
+  }
+  // eslint-disable-next-line no-console
+  console.log('');
+  // eslint-disable-next-line no-console
+  console.log(`${bold('Press Enter')} to open it in your browser.`);
+  await withRl(async (rl) => {
+    await prompt(rl, '', { defaultValue: '' });
+  });
+  if (url) {
+    await openUrlInBrowser(url);
+  }
+  // eslint-disable-next-line no-console
+  console.log(green('✓ Browser opened'));
+
+  // Step 2/2
+  // eslint-disable-next-line no-console
+  console.log('');
+  // eslint-disable-next-line no-console
+  console.log(dim('Step 2/2 — connect this terminal'));
+  // eslint-disable-next-line no-console
+  console.log(`Next, we’ll connect ${bold('this terminal')} to your Happy account.`);
+  // eslint-disable-next-line no-console
+  console.log(`When prompted, choose: ${bold('Web Browser')} ${dim('(press 2)')}.`);
+  // eslint-disable-next-line no-console
+  console.log('');
+  // eslint-disable-next-line no-console
+  console.log(`After you’ve created/logged in in the browser, ${bold('press Enter')} to continue.`);
+  await withRl(async (rl) => {
+    await prompt(rl, '', { defaultValue: '' });
+  });
+}
+

package/scripts/utils/auth/interactive_stack_auth.mjs

@@ -0,0 +1,72 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+
+import { isTty, prompt, withRl } from '../cli/wizard.mjs';
+import { detectSeedableAuthSources } from './sources.mjs';
+import { guidedStackAuthLoginNow, stackAuthCopyFrom } from './stack_guided_login.mjs';
+
+export function needsAuthSeed({ cliHomeDir, accountCount }) {
+  const accessKeyPath = join(cliHomeDir, 'access.key');
+  const hasAccessKey = existsSync(accessKeyPath);
+  const hasAccounts = typeof accountCount === 'number' ? accountCount > 0 : null;
+  return !hasAccessKey || hasAccounts === false;
+}
+
+function normalizeChoice(raw) {
+  const s = String(raw ?? '').trim().toLowerCase();
+  if (!s) return '';
+  return s[0];
+}
+
+export async function maybeRunInteractiveStackAuthSetup({
+  rootDir,
+  env = process.env,
+  stackName,
+  cliHomeDir,
+  accountCount,
+  isInteractive = isTty(),
+  autoSeedEnabled = false,
+  beforeLogin = null,
+} = {}) {
+  if (!isInteractive) return { ok: true, skipped: true, reason: 'non_interactive' };
+  if (autoSeedEnabled) return { ok: true, skipped: true, reason: 'auto_seed_enabled' };
+  if (!needsAuthSeed({ cliHomeDir, accountCount })) return { ok: true, skipped: true, reason: 'already_initialized' };
+
+  const sources = detectSeedableAuthSources().filter((s) => s && s !== stackName);
+  const hasDevAuth = sources.includes('dev-auth');
+  const hasMain = sources.includes('main');
+
+  let choice = 'login';
+  if (hasDevAuth || hasMain) {
+    const defaultLetter = hasDevAuth ? 'Y' : hasMain ? 'M' : 'N';
+    const promptLine =
+      `[local] auth: stack "${stackName}" needs authentication.\n` +
+      `[local] Choose one:\n` +
+      (hasDevAuth ? `  - Y: copy from dev-auth\n` : '') +
+      (hasMain ? `  - M: copy from main\n` : '') +
+      `  - N: login now\n`;
+
+    // eslint-disable-next-line no-console
+    console.log(promptLine);
+    const answer = await withRl(async (rl) => {
+      return await prompt(rl, `Pick [Y/M/N] (default: ${defaultLetter}): `, { defaultValue: defaultLetter });
+    });
+    const c = normalizeChoice(answer);
+    if (c === 'y' && hasDevAuth) choice = 'dev-auth';
+    else if (c === 'm' && hasMain) choice = 'main';
+    else if (c === 'n') choice = 'login';
+    else choice = hasDevAuth ? 'dev-auth' : hasMain ? 'main' : 'login';
+  }
+
+  if (choice === 'login') {
+    if (beforeLogin && typeof beforeLogin === 'function') {
+      await beforeLogin();
+    }
+    await guidedStackAuthLoginNow({ rootDir, stackName, env });
+    return { ok: true, skipped: false, mode: 'login' };
+  }
+
+  await stackAuthCopyFrom({ rootDir, stackName, fromStackName: String(choice), env, link: true });
+  return { ok: true, skipped: false, mode: 'seed', from: String(choice), link: true };
+}
+

package/scripts/utils/auth/login_ux.mjs

@@ -8,6 +8,21 @@ export function normalizeAuthLoginContext(raw) {
   return 'generic';
 }
 
+function supportsAnsi() {
+  if (!process.stdout.isTTY) return false;
+  if (process.env.NO_COLOR) return false;
+  if ((process.env.TERM ?? '').toLowerCase() === 'dumb') return false;
+  return true;
+}
+
+function bold(s) {
+  return supportsAnsi() ? `\x1b[1m${s}\x1b[0m` : String(s);
+}
+
+function dim(s) {
+  return supportsAnsi() ? `\x1b[2m${s}\x1b[0m` : String(s);
+}
+
 export function printAuthLoginInstructions({
   stackName,
   context = 'generic',
@@ -18,23 +33,27 @@ export function printAuthLoginInstructions({
   rerunCmd,
 }) {
   const ctx = normalizeAuthLoginContext(context);
-  const title =
+  const subtitle =
     ctx === 'selfhost'
-      ? '[auth] login (self-host)'
+      ? 'Self-host'
       : ctx === 'dev'
-        ? '[auth] login (dev)'
+        ? 'Dev'
         : ctx === 'stack'
-          ? `[auth] login (stack=${stackName || 'unknown'})`
-          : '[auth] login';
+          ? `Stack: ${stackName || 'unknown'}`
+          : '';
 
   // eslint-disable-next-line no-console
   console.log('');
   // eslint-disable-next-line no-console
-  console.log(title);
+  console.log(bold('Happy login'));
+  if (subtitle) {
+    // eslint-disable-next-line no-console
+    console.log(dim(subtitle));
+  }
   // eslint-disable-next-line no-console
-  console.log('[auth] steps:');
+  console.log('Steps:');
   // eslint-disable-next-line no-console
-  console.log('  1) A browser window will open for authentication');
+  console.log('  1) A browser window will open');
   // eslint-disable-next-line no-console
   console.log('  2) Sign in (or create an account if this is your first time)');
   // eslint-disable-next-line no-console
@@ -46,28 +65,28 @@ export function printAuthLoginInstructions({
     // eslint-disable-next-line no-console
     console.log('');
     // eslint-disable-next-line no-console
-    console.log(`[auth] webapp:   ${webappUrl}${webappUrlSource ? ` (${webappUrlSource})` : ''}`);
+    console.log(`Web app:   ${webappUrl}${webappUrlSource ? ` (${webappUrlSource})` : ''}`);
   }
   if (internalServerUrl) {
     // eslint-disable-next-line no-console
-    console.log(`[auth] internal: ${internalServerUrl}`);
+    console.log(`Internal:  ${internalServerUrl}`);
   }
   if (publicServerUrl) {
     // eslint-disable-next-line no-console
-    console.log(`[auth] public:   ${publicServerUrl}`);
+    console.log(`Public:    ${publicServerUrl}`);
   }
 
   if (ctx === 'selfhost') {
     // eslint-disable-next-line no-console
     console.log('');
     // eslint-disable-next-line no-console
-    console.log('[auth] note: this is required so the daemon can register this machine and sync sessions across devices.');
+    console.log(dim('Note: this is required so the daemon can register this machine and sync sessions across devices.'));
   }
 
   // eslint-disable-next-line no-console
   console.log('');
   // eslint-disable-next-line no-console
-  console.log('[auth] tips:');
+  console.log('Tips:');
   // eslint-disable-next-line no-console
   console.log('- If the browser page does not load, make sure Happy is running and reachable.');
   // eslint-disable-next-line no-console

package/scripts/utils/auth/sources.mjs

@@ -1,5 +1,8 @@
 import { homedir } from 'node:os';
 import { join } from 'node:path';
+import { existsSync } from 'node:fs';
+
+import { resolveStackEnvPath } from '../paths/paths.mjs';
 
 export function isLegacyAuthSourceName(name) {
   const s = String(name ?? '').trim().toLowerCase();
@@ -10,3 +13,26 @@ export function getLegacyHappyBaseDir() {
   return join(homedir(), '.happy');
 }
 
+export function stackHasAccessKey(stackName) {
+  try {
+    const { baseDir, envPath } = resolveStackEnvPath(stackName);
+    if (!existsSync(envPath)) return false;
+    return existsSync(join(baseDir, 'cli', 'access.key'));
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Seed sources that are safe to reuse locally.
+ *
+ * Note: deliberately does NOT include legacy ~/.happy sources; in many contexts we cannot reliably
+ * seed DB Account rows, which leads to broken stacks.
+ */
+export function detectSeedableAuthSources() {
+  const out = [];
+  if (stackHasAccessKey('dev-auth')) out.push('dev-auth');
+  if (stackHasAccessKey('main')) out.push('main');
+  return out;
+}
+