stack-cli: explicit --cloud-project-id / --config-file across exec, config, project

[BilalG1]

Summary

Reworks the stack CLI surface so the cloud-vs-local choice is explicit at every invocation, removing the global --project-id / STACK_PROJECT_ID env var and the local-default exec behavior introduced earlier in this branch.

stack exec

• Removes --cloud, STACK_EXEC_DEFAULT_TARGET, and the implicit local default. The CLI now requires exactly one of:
  • --cloud-project-id <id> — run against the Stack Auth cloud API
  • --config-file <path> — run against the local emulator project mapped to that absolute config-file path
• The --config-file branch resolves the project id by calling the existing GET /api/latest/internal/local-emulator/project endpoint and matching absolute_file_path client-side. No new backend endpoint introduced.

stack config pull / stack config push

• Both now take --cloud-project-id <id> per-command instead of the global flag / STACK_PROJECT_ID env.
• config pull --config-file is optional: when omitted, the CLI uses ./stack.config.ts from the current directory. If neither flag nor cwd file is present, it exits with a clear hint to pass --config-file or cd into a directory containing stack.config.ts.

stack project list

• Default (no flags) lists both cloud and local emulator projects. Each entry carries a target: "cloud" | "dev" field (text format: <id>\t<displayName>\t[<target>]).
• --cloud / --dev filter to a single source (mutually exclusive — passing both errors).
• On the default code path, an unreachable local emulator emits a single stderr warning (warning: skipping dev projects — local emulator not reachable …) and the command still succeeds with cloud results. With --dev explicit, the unreachable case hard-errors.

stack project create

• Now requires --cloud to make the cloud-vs-local choice explicit. There is no local alternative today; the flag exists to surface the decision so a future local-project create doesn't silently change behavior.

Backend

• Bumps the LIMIT on GET /api/latest/internal/local-emulator/project from 20 → 100 so project list --dev doesn't silently truncate.

Refactors (from earlier in this branch, unchanged here)

• Local-emulator paths/ports/PCK polling live in packages/stack-cli/src/lib/emulator-paths.ts.
• Shared local-emulator admin credentials live in packages/stack-shared/src/local-emulator.ts.
• resolveAuth / resolveLocalEmulatorAuth take an explicit projectId: string (no more Flags parameter).
• New packages/stack-cli/src/lib/local-emulator-client.ts encapsulates the GET-and-match flow used by both exec --config-file and project list --dev.

Breaking changes

Scripts that relied on any of the following must be updated:

Removed	Replacement
Global --project-id <id> flag	Per-command --cloud-project-id <id>
STACK_PROJECT_ID env var	Per-command --cloud-project-id <id>
stack exec --cloud	stack exec --cloud-project-id <id>
STACK_EXEC_DEFAULT_TARGET=cloud|local	--cloud-project-id <id> or --config-file <path>
stack exec defaulting to local emulator	Explicit --config-file <path> required
stack project create without a flag	stack project create --cloud … required

Test plan

• pnpm lint (stack-cli, backend, e2e) — clean
• pnpm --filter @stackframe/stack-cli typecheck — clean
• pnpm --filter @stackframe/stack-cli exec vitest run — 72/72 passing (new unit tests: parseExecTarget, resolveConfigFilePathForPull, resolveProjectListSources, formatProjectList)
• pnpm test run apps/e2e/tests/general/cli.test.ts — 73 passing, 4 skipped, 0 failing. New e2e cases cover:
  • exec with neither flag → errors with "Specify a target"
  • exec with both flags → errors with "not both"
  • exec --config-file with missing file / missing PCK / unreachable API
  • exec --config-file happy path against a real local-emulator backend (gated on NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=true)
  • config pull cwd fallback to ./stack.config.ts
  • config pull with no --config-file and no cwd stack.config.ts → errors with Pass --config-file …
  • project list --cloud --dev together → errors
  • project list default with unreachable emulator → cloud results + single stderr warning
  • project create without --cloud → errors
  • All previously---cloud exec cases ported to --cloud-project-id
• Manual smoke: stack exec --help, stack project list --cloud --dev, stack project create all emit the expected friendly errors / help text.

Summary by CodeRabbit

Release Notes

• New Features

  • CLI exec, config, and project commands now require explicit targeting via --cloud-project-id (cloud) or --config-file (local emulator).
  • project list now supports --cloud and --dev flags to display projects from both sources with target indicators.
  • Enhanced environment variable validation for emulator service ports with proper fallback handling.

• Bug Fixes

  • project list now gracefully handles unreachable emulator with warning fallback instead of failure.

• Tests

  • Expanded test coverage for project targeting, config file resolution, and emulator connectivity scenarios.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 14, 2026 1:36am
stack-auth-mcp	Ready	Preview, Comment	May 14, 2026 1:36am
stack-backend	Ready	Preview, Comment	May 14, 2026 1:36am
stack-dashboard	Ready	Preview, Comment	May 14, 2026 1:36am
stack-demo	Ready	Preview, Comment	May 14, 2026 1:36am
stack-docs	Ready	Preview, Comment	May 14, 2026 1:36am
stack-preview-backend	Ready	Preview, Comment	May 14, 2026 1:36am
stack-preview-dashboard	Ready	Preview, Comment	May 14, 2026 1:36am

[coderabbitai]

📝 Walkthrough

Walkthrough

Centralizes local-emulator admin credentials in the shared package, adds emulator path/port utilities and PCK polling, implements local-emulator client/auth with retries, refactors CLI auth to be flag-less, adds explicit cloud/config targeting for exec, and updates tests and app/dashboard wiring.

Changes

Local Emulator CLI Support

Layer / File(s)	Summary
Shared Credentials packages/stack-shared/src/local-emulator.ts, apps/backend/src/lib/local-emulator.ts, apps/dashboard/src/app/(main)/(protected)/layout-client.tsx	Exports LOCAL_EMULATOR_ADMIN_EMAIL and LOCAL_EMULATOR_ADMIN_PASSWORD; backend re-exports and dashboard uses them for auto-login.
Emulator Path and Port Utilities packages/stack-cli/src/lib/emulator-paths.ts, packages/stack-cli/src/lib/emulator-paths.test.ts	Adds default port constants, envPort, envPortFirstSet, emulator path helpers (emulatorHome, emulatorRunDir, internalPckPath), port accessors, and pollInternalPck() with tests for readiness, timeouts, whitespace handling, delayed detection, and non-ENOENT error propagation.
Local Emulator HTTP Client & Listing packages/stack-cli/src/lib/local-emulator-client.ts	Adds getInternalPck, fetchWithRetry, listLocalEmulatorProjects, findProjectByAbsolutePath, and lookupLocalEmulatorProjectIdByPath with runtime validation and AuthError wrapping.
Auth System Refactor & Local Auth packages/stack-cli/src/lib/auth.ts, packages/stack-cli/src/lib/auth.test.ts	LoginConfig adds publishableClientKey; resolveLoginConfig() and resolveSessionAuth() are parameterless; adds emulator URL/timeouts, localEmulatorReadyTimeoutMs(), isRetryableFetchError(), internal PCK polling, abortable sign-in with exponential backoff, and resolveLocalEmulatorAuth(). Tests cover retry classification and timeout parsing.
Exec Command Targeting packages/stack-cli/src/commands/exec.ts, packages/stack-cli/src/commands/exec.test.ts	Introduces ExecTarget and parseExecTarget, adds --cloud-project-id and --config-file options, and branches auth between resolveAuth(projectId) (cloud) and resolveLocalEmulatorAuth(projectId) (config).
Config Pull/Push Helpers packages/stack-cli/src/commands/config-file.ts, packages/stack-cli/src/commands/config-file.test.ts	Adds resolveConfigFilePathForPull, makes --cloud-project-id required for config push/pull, and tests explicit/omitted/empty-path resolution and error guidance.
Project List/Create Changes packages/stack-cli/src/commands/project.ts, packages/stack-cli/src/commands/project.test.ts	Adds ProjectTarget, ProjectListEntry, ProjectListFlags, resolveProjectListSources, formatProjectList; project list supports --cloud/--dev merging and tagging; updated tests.
CLI Emulator Command Integration packages/stack-cli/src/commands/emulator.ts, packages/stack-cli/src/commands/emulator.test.ts	Emulator command imports emulator-paths helpers, delegates PCK reading to pollInternalPck, forwards legacy EMULATOR_*_PORT env values when spawning, and prints ports from accessor helpers; adds tests validating STACK_ vs legacy EMULATOR_ precedence and validation.
Login / Init Command Refactor packages/stack-cli/src/commands/login.ts, packages/stack-cli/src/commands/init.ts	Removes flag threading: commands now call resolveLoginConfig() / resolveSessionAuth() without CLI flags; performLogin/ensureLoggedInSession updated accordingly.
CLI Index & Internal App packages/stack-cli/src/index.ts, packages/stack-cli/src/lib/app.ts	Removes global --project-id option; getInternalApp uses session-provided publishableClientKey instead of a default.
E2E and CLI Tests Updated apps/e2e/tests/general/cli.test.ts, various CLI tests	Adds isLocalEmulator gating, updates exec/config tests to pass --cloud-project-id/--config-file, adds emulator failure/positive exec scenarios, and adjusts related test cases.
Backend recent-projects limit apps/backend/src/app/api/latest/internal/local-emulator/project/route.tsx	Increases recent local-emulator projects SQL LIMIT from 20 to 100.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• hexclave/stack-auth#1383: Related changes to the local-emulator recent-projects GET route (listing behavior/limits).

Suggested reviewers

• mantrakp04
• N2D4

Poem

🐰 I hopped through ports and PCKs tonight,
shared creds snug where devs can log in light,
exec now picks cloud or config with a nudge,
poll waits for keys while retries softly trudge,
tests clap — a rabbit's tiny bytebound jig.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description is comprehensive, well-structured, and clearly explains the changes, breaking changes, test plan, and rationale.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The PR title accurately summarizes the main changes: making cloud vs. local project targeting explicit across multiple CLI commands (exec, config, project) by adding --cloud-project-id and --config-file options.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cli-exec-changes

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

packages/stack-cli/src/lib/emulator-paths.ts (1)

79-91: ⚡ Quick win

Replace Date.now() with performance.now() for elapsed-time measurement.

Date.now() is used here to compute a deadline and measure remaining time — exactly the use-case for performance.now().

As per coding guidelines: "Use performance.now() instead of Date.now() for measuring elapsed real time."

performance is a global in Node.js 16+; if the project must support earlier Node, import it from perf_hooks.

♻️ Proposed fix

 export async function pollInternalPck(timeoutMs: number): Promise<string | null> {
   const pckPath = internalPckPath();
-  const deadline = Date.now() + timeoutMs;
+  const deadline = performance.now() + timeoutMs;
   let delay = 50;
   while (true) {
     try {
       const contents = readFileSync(pckPath, "utf-8").trim();
       if (contents) return contents;
     } catch (e) {
       if ((e as NodeJS.ErrnoException).code !== "ENOENT") throw e;
     }
-    if (Date.now() >= deadline) return null;
-    const remaining = deadline - Date.now();
+    if (performance.now() >= deadline) return null;
+    const remaining = deadline - performance.now();
     await new Promise((r) => setTimeout(r, Math.min(delay, remaining)));
     delay = Math.min(delay * 2, 2000);
   }
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack-cli/src/lib/emulator-paths.ts` around lines 79 - 91, Replace
the uses of Date.now() used for elapsed-time/deadline calculation in the polling
loop inside emulator-paths.ts (the code that sets deadline = Date.now() +
timeoutMs and checks Date.now() >= deadline and computes remaining) with
performance.now() to measure elapsed time; ensure you either use the global
performance (Node 16+) or import { performance } from "perf_hooks" at the top if
globals are not available, and update all references (deadline, remaining
calculation, and delay scheduling) so they consistently use performance.now()
while leaving readFileSync(pckPath, "utf-8") and the retry/backoff logic
unchanged.

packages/stack-cli/src/commands/init.ts (1)

274-287: 💤 Low value

Drop the unused _flags parameter from these handlers.

_flags is no longer threaded into auth resolution, and both call sites in runInit already pass flags only because the signature still demands it. Removing the parameter (and the corresponding flags argument at the call sites) makes the obsolete data flow disappear instead of relying on the underscore convention.

♻️ Proposed fix

-async function handleCreateCloud(_flags: Record<string, unknown>, opts: InitOptions, outputDir: string): Promise<{ configPath?: string }> {
+async function handleCreateCloud(opts: InitOptions, outputDir: string): Promise<{ configPath?: string }> {
   const sessionAuth = await ensureLoggedInSession();
   ...
 }

-async function handleLinkFromCloud(_flags: Record<string, unknown>, opts: InitOptions, outputDir: string): Promise<{ configPath?: string }> {
+async function handleLinkFromCloud(opts: InitOptions, outputDir: string): Promise<{ configPath?: string }> {
   const sessionAuth = await ensureLoggedInSession();
   ...
 }

And update the call sites in runInit (lines 130/140) to drop flags. If flags is otherwise unused in runInit, you can also drop the const flags = program.opts(); line.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack-cli/src/commands/init.ts` around lines 274 - 287, Remove the
unused _flags parameter from both handler signatures (handleCreateCloud and
handleLinkFromCloud) and update their call sites in runInit to stop passing
flags; specifically, delete the first parameter in each function definition and
remove the corresponding argument where they are invoked (and if runInit no
longer uses flags at all, also remove the const flags = program.opts()
declaration). Ensure only these two function names are changed so auth
resolution no longer receives obsolete flag data.

packages/stack-cli/src/lib/auth.ts (1)

217-220: 💤 Low value

Avoid silent catch-all on res.text().

.catch(() => "") swallows any failure (transport error mid-stream, abort, etc.) without observability. Since you're already inside an error-reporting branch, prefer explicit handling that surfaces the read failure in the resulting message instead of pretending the body was empty.

♻️ Proposed fix

   if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new AuthError(`Local emulator sign-in failed (${res.status} ${res.statusText})${body ? `: ${body}` : ""}. Make sure the emulator is running with NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=true.`);
+    let body = "";
+    let bodyReadError: unknown = null;
+    try {
+      body = await res.text();
+    } catch (err) {
+      bodyReadError = err;
+    }
+    const detail = body
+      ? `: ${body}`
+      : bodyReadError
+        ? ` (failed to read response body: ${bodyReadError instanceof Error ? bodyReadError.message : String(bodyReadError)})`
+        : "";
+    throw new AuthError(`Local emulator sign-in failed (${res.status} ${res.statusText})${detail}. Make sure the emulator is running with NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=true.`);
   }

As per coding guidelines, "NEVER try-catch-all, NEVER void a promise, and NEVER use .catch(console.error)." and "errors are never silently swallowed".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack-cli/src/lib/auth.ts` around lines 217 - 220, The current
catch-all on res.text() silences read failures; change the logic around the
failed response branch so you attempt to read the body but surface any body-read
error in the thrown AuthError instead of returning an empty string. Concretely,
wrap the await res.text() call in a try/catch that captures the thrown error
(e.g., bodyReadError) and include either the body or the
bodyReadError.message/stack in the new AuthError message (reference res,
res.text(), and AuthError) so transport/stream errors are visible in logs rather
than being silently swallowed.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/e2e/tests/general/cli.test.ts`:
- Around line 325-371: Add a guard assertion to both negative emulator tests
("local-default exec errors when emulator PCK file is missing" and
"local-default exec errors when emulator API is unreachable"): before calling
runCli, add expect(createdProjectId).toBeDefined() (the same check used in the
positive create-project test) so the tests fail fast if createdProjectId is
undefined and we don't mis-interpret a missing project ID as an emulator error;
update the tests that reference createdProjectId and runCli to include this
single-line guard.

In `@packages/stack-cli/src/lib/auth.ts`:
- Around line 179-202: Replace the wall-clock based timing in
localEmulatorSignInWithRetry with a monotonic clock: change all uses of
Date.now() that compute deadline, remainingForRequest, remaining, and the
deadline comparison to use performance.now() (keep units in milliseconds and the
same arithmetic with totalTimeoutMs), e.g. compute deadline = performance.now()
+ totalTimeoutMs and use performance.now() in the checks and mins for
perRequestTimeoutMs and sleep calculation; ensure lastError logic and thrown
message remain unchanged and no other behavior is altered.

---

Nitpick comments:
In `@packages/stack-cli/src/commands/init.ts`:
- Around line 274-287: Remove the unused _flags parameter from both handler
signatures (handleCreateCloud and handleLinkFromCloud) and update their call
sites in runInit to stop passing flags; specifically, delete the first parameter
in each function definition and remove the corresponding argument where they are
invoked (and if runInit no longer uses flags at all, also remove the const flags
= program.opts() declaration). Ensure only these two function names are changed
so auth resolution no longer receives obsolete flag data.

In `@packages/stack-cli/src/lib/auth.ts`:
- Around line 217-220: The current catch-all on res.text() silences read
failures; change the logic around the failed response branch so you attempt to
read the body but surface any body-read error in the thrown AuthError instead of
returning an empty string. Concretely, wrap the await res.text() call in a
try/catch that captures the thrown error (e.g., bodyReadError) and include
either the body or the bodyReadError.message/stack in the new AuthError message
(reference res, res.text(), and AuthError) so transport/stream errors are
visible in logs rather than being silently swallowed.

In `@packages/stack-cli/src/lib/emulator-paths.ts`:
- Around line 79-91: Replace the uses of Date.now() used for
elapsed-time/deadline calculation in the polling loop inside emulator-paths.ts
(the code that sets deadline = Date.now() + timeoutMs and checks Date.now() >=
deadline and computes remaining) with performance.now() to measure elapsed time;
ensure you either use the global performance (Node 16+) or import { performance
} from "perf_hooks" at the top if globals are not available, and update all
references (deadline, remaining calculation, and delay scheduling) so they
consistently use performance.now() while leaving readFileSync(pckPath, "utf-8")
and the retry/backoff logic unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d7d488bb-4abd-4f8e-b7d7-f09370f56e56

📥 Commits

Reviewing files that changed from the base of the PR and between 6eaf492 and 6acd561.

📒 Files selected for processing (17)

• apps/backend/src/lib/local-emulator.ts
• apps/dashboard/src/app/(main)/(protected)/layout-client.tsx
• apps/e2e/tests/general/cli.test.ts
• packages/stack-cli/src/commands/emulator.test.ts
• packages/stack-cli/src/commands/emulator.ts
• packages/stack-cli/src/commands/exec.test.ts
• packages/stack-cli/src/commands/exec.ts
• packages/stack-cli/src/commands/init.ts
• packages/stack-cli/src/commands/login.ts
• packages/stack-cli/src/commands/project.ts
• packages/stack-cli/src/lib/app.ts
• packages/stack-cli/src/lib/auth.test.ts
• packages/stack-cli/src/lib/auth.ts
• packages/stack-cli/src/lib/config.ts
• packages/stack-cli/src/lib/emulator-paths.test.ts
• packages/stack-cli/src/lib/emulator-paths.ts
• packages/stack-shared/src/local-emulator.ts

[greptile-apps]

Greptile Summary

This PR makes stack exec default to the local emulator (signing in as the well-known admin via a polled PCK file) and adds --cloud / STACK_EXEC_DEFAULT_TARGET=cloud to opt back to the cloud API. It also centralises emulator credentials into packages/stack-shared/src/local-emulator.ts, extracts path/port/PCK helpers into packages/stack-cli/src/lib/emulator-paths.ts, and drops the now-unused flags parameter from resolveLoginConfig / resolveSessionAuth / performLogin.

• New emulator auth flow (auth.ts): polls the PCK file with exponential backoff, then signs in against the local backend with a retry loop; AuthError from either phase propagates cleanly to the top-level handler.
• Port resolution (emulator-paths.ts): STACK_EMULATOR_*_PORT env vars now take precedence over the legacy unprefixed EMULATOR_*_PORT names; resolved values are forwarded to run-emulator.sh.
• Breaking change (noted in the PR description): existing scripts that run stack exec without --cloud will target the local emulator and fail unless they pass --cloud or set STACK_EXEC_DEFAULT_TARGET=cloud.

Confidence Score: 4/5

Safe to merge after verifying the backend grants the emulator admin access to all local-emulator projects.

The auth-flow refactor is well-structured and the unit/e2e test coverage is thorough. The two concerns worth a second look: (1) the positive e2e test signs in as the emulator admin but looks up a project created by the test user — if the backend's listOwnedProjects does not give the admin superuser project access, that test will always fail in local-emulator CI; (2) the per-phase timeout budget is applied independently to PCK polling and sign-in, so the actual wait can silently reach double the configured value, and the 0ms fast-fail path still fires one 1ms-timeout network attempt that can produce an 'aborted' message rather than a connection-specific one. Neither blocks the cloud path or any existing functionality.

packages/stack-cli/src/lib/auth.ts (timeout semantics and error messaging in localEmulatorSignInWithRetry) and apps/e2e/tests/general/cli.test.ts (emulator-admin project-ownership assumption in the positive happy-path test).

Important Files Changed

Filename	Overview
packages/stack-cli/src/commands/exec.ts	Adds --cloud flag and resolveExecTarget to route between local-emulator and cloud paths; logic is straightforward and well-tested.
packages/stack-cli/src/lib/auth.ts	Adds resolveLocalEmulatorAuth with PCK polling + sign-in retry loop; per-phase timeout budget can silently double worst-case wait; 0ms fast-fail path still makes one 1ms-timeout network attempt.
packages/stack-cli/src/lib/emulator-paths.ts	New module cleanly extracts paths, port resolution (with STACK_-prefix alias priority), and PCK polling; well-covered by the accompanying test file.
packages/stack-shared/src/local-emulator.ts	New shared module centralising the well-known emulator admin credentials; eliminates string duplication across backend, dashboard, and CLI.
apps/e2e/tests/general/cli.test.ts	Existing cloud tests updated with --cloud; new negative emulator tests are sound; positive local-emulator test assumes emulator admin can see the test user's project — this works only if the backend grants the admin superuser project access.
packages/stack-cli/src/lib/app.ts	Switches getInternalApp to use auth.publishableClientKey from the auth object instead of the hardcoded default; enables the local-emulator path to supply its own PCK.
apps/backend/src/lib/local-emulator.ts	Removes the inline credential constants and imports them from the shared package; trivial refactor with no behavioural change.
apps/dashboard/src/app/(main)/(protected)/layout-client.tsx	Replaces hardcoded credential strings with the shared constants; no behavioural change.
packages/stack-cli/src/commands/emulator.ts	Removes inline port/path helpers in favour of imports from emulator-paths.ts; emulatorSpawnEnv now forwards all five resolved ports to run-emulator.sh regardless of source env var.
packages/stack-cli/src/lib/config.ts	Adds STACK_EMULATOR_API_URL and STACK_EMULATOR_DASHBOARD_URL to the allowed ConfigKey union so they can be persisted in the credentials file.

Sequence Diagram

sequenceDiagram
    participant User
    participant exec.ts
    participant auth.ts
    participant emulator-paths.ts
    participant LocalEmulator

    User->>exec.ts: stack exec [--cloud] "js"
    exec.ts->>exec.ts: resolveExecTarget(opts, env)

    alt "--cloud or STACK_EXEC_DEFAULT_TARGET=cloud"
        exec.ts->>auth.ts: resolveAuth(flags)
        auth.ts-->>exec.ts: ProjectAuthWithRefreshToken (cloud creds)
    else default: local emulator
        exec.ts->>auth.ts: resolveLocalEmulatorAuth(flags)
        auth.ts->>emulator-paths.ts: pollInternalPck(readyTimeoutMs)
        emulator-paths.ts-->>auth.ts: internalPck (or null - throw AuthError)
        auth.ts->>LocalEmulator: POST /api/v1/auth/password/sign-in (retry loop)
        LocalEmulator-->>auth.ts: refresh_token
        auth.ts-->>exec.ts: ProjectAuthWithRefreshToken (local creds)
    end

    exec.ts->>exec.ts: getAdminProject(auth)
    exec.ts->>LocalEmulator: listOwnedProjects - find projectId
    exec.ts->>exec.ts: new AsyncFunction(stackServerApp, js)
    exec.ts-->>User: JSON result or error

Loading

Comments Outside Diff (3)

1. apps/e2e/tests/general/cli.test.ts, line 249-269 (link)

   Emulator admin ownership assumption may not hold

   The positive happy-path test signs in as local-emulator@stack-auth.com and then calls getAdminProject(auth), which internally calls user.listOwnedProjects() and looks for createdProjectId. However, createdProjectId was created by the test user (a randomly generated account from beforeAll), not by the emulator admin. If the backend's listOwnedProjects for the emulator admin only returns projects that user actually owns, getAdminProject will throw "Project '...' not found. Make sure you own this project." and the test will fail.

   The test only runs when isLocalEmulator is true, suggesting the backend may grant the emulator admin superuser-level project access. If so, it would be worth a short comment here (or in getAdminProject) explaining that assumption, so future readers don't have to dig through backend code to understand why this works.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: apps/e2e/tests/general/cli.test.ts
   Line: 249-269
   
   Comment:
   **Emulator admin ownership assumption may not hold**
   
   The positive happy-path test signs in as `local-emulator@stack-auth.com` and then calls `getAdminProject(auth)`, which internally calls `user.listOwnedProjects()` and looks for `createdProjectId`. However, `createdProjectId` was created by the test user (a randomly generated account from `beforeAll`), not by the emulator admin. If the backend's `listOwnedProjects` for the emulator admin only returns projects that user actually owns, `getAdminProject` will throw "Project '...' not found. Make sure you own this project." and the test will fail.
   
   The test only runs when `isLocalEmulator` is true, suggesting the backend may grant the emulator admin superuser-level project access. If so, it would be worth a short comment here (or in `getAdminProject`) explaining that assumption, so future readers don't have to dig through backend code to understand why this works.
   
   How can I resolve this? If you propose a fix, please make it concise.

2. packages/stack-cli/src/lib/auth.ts, line 904-927 (link)

   Network attempt still made when totalTimeoutMs = 0

   When STACK_EMULATOR_READY_TIMEOUT_MS=0 (used in the "unreachable" e2e test to fail fast), deadline = Date.now() and remainingForRequest = Math.max(1, 0-ish) = 1. This forces one fetch attempt with a 1ms AbortSignal.timeout. If the 1ms signal fires before ECONNREFUSED is returned (e.g., on a slow CI machine), lastError becomes an AbortError with message = "aborted", and the thrown AuthError reads "Cannot reach local emulator … (after 0ms): aborted." — which hides the actual connection error.

   For "fail-fast" callers, adding an early-exit when totalTimeoutMs === 0 before the loop would skip the misleading 1ms-timeout fetch entirely and produce a cleaner message.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: packages/stack-cli/src/lib/auth.ts
   Line: 904-927
   
   Comment:
   **Network attempt still made when `totalTimeoutMs = 0`**
   
   When `STACK_EMULATOR_READY_TIMEOUT_MS=0` (used in the "unreachable" e2e test to fail fast), `deadline = Date.now()` and `remainingForRequest = Math.max(1, 0-ish) = 1`. This forces one fetch attempt with a `1ms` `AbortSignal.timeout`. If the 1ms signal fires before ECONNREFUSED is returned (e.g., on a slow CI machine), `lastError` becomes an `AbortError` with `message = "aborted"`, and the thrown `AuthError` reads `"Cannot reach local emulator … (after 0ms): aborted."` — which hides the actual connection error.
   
   For "fail-fast" callers, adding an early-exit when `totalTimeoutMs === 0` before the loop would skip the misleading 1ms-timeout fetch entirely and produce a cleaner message.
   
   How can I resolve this? If you propose a fix, please make it concise.

3. packages/stack-cli/src/lib/auth.ts, line 848-866 (link)

   Double-timeout budget not surfaced in user-visible error messages

   The comment correctly notes that readyTimeoutMs is applied independently to PCK polling and the sign-in retry loop, so wall-clock time can reach ~2× the configured value. However, localEmulatorSignInWithRetry reports "(after ${totalTimeoutMs}ms)" using the per-phase budget, not the elapsed real time. A user who sets STACK_EMULATOR_READY_TIMEOUT_MS=5000 and hits both phase timeouts will wait 10 seconds but see "(after 5000ms)" in the error — which understates the actual wait. Tracking and reporting real elapsed time (or documenting the 2× behaviour in the error string) would reduce confusion.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: packages/stack-cli/src/lib/auth.ts
   Line: 848-866
   
   Comment:
   **Double-timeout budget not surfaced in user-visible error messages**
   
   The comment correctly notes that `readyTimeoutMs` is applied independently to PCK polling and the sign-in retry loop, so wall-clock time can reach ~2× the configured value. However, `localEmulatorSignInWithRetry` reports `"(after ${totalTimeoutMs}ms)"` using the per-phase budget, not the elapsed real time. A user who sets `STACK_EMULATOR_READY_TIMEOUT_MS=5000` and hits both phase timeouts will wait 10 seconds but see `"(after 5000ms)"` in the error — which understates the actual wait. Tracking and reporting real elapsed time (or documenting the 2× behaviour in the error string) would reduce confusion.
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 3
apps/e2e/tests/general/cli.test.ts:249-269
**Emulator admin ownership assumption may not hold**

The positive happy-path test signs in as `local-emulator@stack-auth.com` and then calls `getAdminProject(auth)`, which internally calls `user.listOwnedProjects()` and looks for `createdProjectId`. However, `createdProjectId` was created by the test user (a randomly generated account from `beforeAll`), not by the emulator admin. If the backend's `listOwnedProjects` for the emulator admin only returns projects that user actually owns, `getAdminProject` will throw "Project '...' not found. Make sure you own this project." and the test will fail.

The test only runs when `isLocalEmulator` is true, suggesting the backend may grant the emulator admin superuser-level project access. If so, it would be worth a short comment here (or in `getAdminProject`) explaining that assumption, so future readers don't have to dig through backend code to understand why this works.

### Issue 2 of 3
packages/stack-cli/src/lib/auth.ts:904-927
**Network attempt still made when `totalTimeoutMs = 0`**

When `STACK_EMULATOR_READY_TIMEOUT_MS=0` (used in the "unreachable" e2e test to fail fast), `deadline = Date.now()` and `remainingForRequest = Math.max(1, 0-ish) = 1`. This forces one fetch attempt with a `1ms` `AbortSignal.timeout`. If the 1ms signal fires before ECONNREFUSED is returned (e.g., on a slow CI machine), `lastError` becomes an `AbortError` with `message = "aborted"`, and the thrown `AuthError` reads `"Cannot reach local emulator … (after 0ms): aborted."` — which hides the actual connection error.

For "fail-fast" callers, adding an early-exit when `totalTimeoutMs === 0` before the loop would skip the misleading 1ms-timeout fetch entirely and produce a cleaner message.

### Issue 3 of 3
packages/stack-cli/src/lib/auth.ts:848-866
**Double-timeout budget not surfaced in user-visible error messages**

The comment correctly notes that `readyTimeoutMs` is applied independently to PCK polling and the sign-in retry loop, so wall-clock time can reach ~2× the configured value. However, `localEmulatorSignInWithRetry` reports `"(after ${totalTimeoutMs}ms)"` using the per-phase budget, not the elapsed real time. A user who sets `STACK_EMULATOR_READY_TIMEOUT_MS=5000` and hits both phase timeouts will wait 10 seconds but see `"(after 5000ms)"` in the error — which understates the actual wait. Tracking and reporting real elapsed time (or documenting the 2× behaviour in the error string) would reduce confusion.

_{Reviews (1): Last reviewed commit: "stack exec: default to local emulator, a..." | Re-trigger Greptile}

[coderabbitai]

🧹 Nitpick comments (1)

apps/e2e/tests/general/cli.test.ts (1)

220-222: ⚡ Quick win

Avoid introducing any in the new project-list assertion path.

Type the parsed list once and let find infer item type instead of (p: any).

♻️ Proposed fix

-      const projects = JSON.parse(stdout);
-      const found = projects.find((p: any) => p.id === createdProjectId);
+      const projects: Array<{ id: string; displayName: string; target: "cloud" | "dev" }> = JSON.parse(stdout);
+      const found = projects.find((p) => p.id === createdProjectId);

As per coding guidelines, "Try to avoid the any type. Whenever you need to use any, leave a comment explaining why you're using it..."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/e2e/tests/general/cli.test.ts` around lines 220 - 222, The test
currently uses an explicit any in the find callback; instead parse stdout into a
typed array (e.g., assign JSON.parse(stdout) to a typed variable like projects:
Project[] or inferred type) so the subsequent projects.find((p) => p.id ===
createdProjectId) can infer the item type and avoid (p: any). Update the
declaration of projects (and import or declare the Project/test DTO type if
needed) so the expect(found).toBeDefined() assertion uses a properly typed list
rather than any.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/e2e/tests/general/cli.test.ts`:
- Around line 220-222: The test currently uses an explicit any in the find
callback; instead parse stdout into a typed array (e.g., assign
JSON.parse(stdout) to a typed variable like projects: Project[] or inferred
type) so the subsequent projects.find((p) => p.id === createdProjectId) can
infer the item type and avoid (p: any). Update the declaration of projects (and
import or declare the Project/test DTO type if needed) so the
expect(found).toBeDefined() assertion uses a properly typed list rather than
any.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8b751821-599a-40d2-aa35-3f50d90cf379

📥 Commits

Reviewing files that changed from the base of the PR and between 00e17be and 34cade4.

📒 Files selected for processing (12)

• apps/backend/src/app/api/latest/internal/local-emulator/project/route.tsx
• apps/e2e/tests/general/cli.test.ts
• packages/stack-cli/src/commands/config-file.test.ts
• packages/stack-cli/src/commands/config-file.ts
• packages/stack-cli/src/commands/emulator.ts
• packages/stack-cli/src/commands/exec.test.ts
• packages/stack-cli/src/commands/exec.ts
• packages/stack-cli/src/commands/project.test.ts
• packages/stack-cli/src/commands/project.ts
• packages/stack-cli/src/index.ts
• packages/stack-cli/src/lib/auth.ts
• packages/stack-cli/src/lib/local-emulator-client.ts

💤 Files with no reviewable changes (1)

• packages/stack-cli/src/index.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/stack-cli/src/commands/emulator.ts