scripts: replace local-up.sh with idempotent Python lifecycle script

local-up.py is a stdlib-only Python rewrite of local-up.sh +
local-seed-secrets.sh. Key improvements:

- Correctly parses limactl list --json NDJSON output (json.load()
  choked on NDJSON, causing spurious VM creation attempts)
- Handles all Lima VM states: none, Running, Stopped, Broken, etc.
- Inlines seed secrets (no separate local-seed-secrets.sh subprocess)
- Partial runs: --seed, --apply, --restart flags
- Consistent idempotency: every step checks state before acting
- Adds people-backend/celery to restart list; find to PG users list

local-up.sh patched: yq in prereqs, NDJSON-safe VM detection,
--server-side for Linkerd apply, people in restart list, Mail URL.

scripts/local-up.sh

@@ -11,7 +11,7 @@ CTX="--context=sunbeam"
 # 1. Check prerequisites
 # ---------------------------------------------------------------------------
 echo "==> Checking prerequisites..."
-for tool in limactl mkcert kubectl kustomize linkerd jq; do
+for tool in limactl mkcert kubectl kustomize linkerd jq yq; do
   if ! command -v "$tool" &>/dev/null; then
     echo "ERROR: '$tool' not found. Install with: brew install $tool" >&2
     exit 1
@@ -22,15 +22,12 @@ echo "    OK"
 # ---------------------------------------------------------------------------
 # 2. Start Lima VM (skip if already running)
 # ---------------------------------------------------------------------------
+# Separate existence check from status — avoids falling through to "create"
+# when VM exists but has an unexpected status (Broken, Starting, etc.)
 LIMA_STATUS=$(limactl list --json 2>/dev/null | \
   python3 -c "import sys,json; vms=[v for v in json.load(sys.stdin) if v['name']=='sunbeam']; print(vms[0]['status'] if vms else 'none')" 2>/dev/null || echo "none")
 
-if [[ "$LIMA_STATUS" == "Running" ]]; then
-  echo "==> Lima VM 'sunbeam' already running."
-elif [[ "$LIMA_STATUS" == "Stopped" ]]; then
-  echo "==> Starting existing Lima VM 'sunbeam'..."
-  limactl start sunbeam
-else
+if [[ "$LIMA_STATUS" == "none" ]]; then
   echo "==> Creating Lima VM 'sunbeam' (k3s, 6 CPU / 12 GB / 60 GB)..."
   limactl start \
     --name=sunbeam \
@@ -40,6 +37,12 @@ else
     --disk=60 \
     --vm-type=vz \
     --mount-type=virtiofs
+elif [[ "$LIMA_STATUS" == "Running" ]]; then
+  echo "==> Lima VM 'sunbeam' already running."
+else
+  # Covers Stopped, Broken, Starting, or any other state
+  echo "==> Starting Lima VM 'sunbeam' (status: $LIMA_STATUS)..."
+  limactl start sunbeam
 fi
 
 # ---------------------------------------------------------------------------
@@ -96,10 +99,10 @@ if ! kubectl $CTX get ns linkerd &>/dev/null; then
   kubectl $CTX apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
 
   echo "==> Installing Linkerd CRDs..."
-  linkerd install --crds | kubectl $CTX apply -f -
+  linkerd install --crds | kubectl $CTX apply --server-side -f -
 
   echo "==> Installing Linkerd control plane..."
-  linkerd install | kubectl $CTX apply -f -
+  linkerd install | kubectl $CTX apply --server-side -f -
   kubectl $CTX -n linkerd rollout status deployment/linkerd-identity --timeout=120s
   kubectl $CTX -n linkerd rollout status deployment/linkerd-destination --timeout=120s
   kubectl $CTX -n linkerd rollout status deployment/linkerd-proxy-injector --timeout=120s
@@ -164,6 +167,9 @@ for ns_deploy in \
   "devtools/gitea" \
   "storage/seaweedfs-filer" \
   "lasuite/hive" \
+  "lasuite/people-backend" \
+  "lasuite/people-celery-worker" \
+  "lasuite/people-celery-beat" \
   "media/livekit-server"; do
   ns="${ns_deploy%%/*}"
   dep="${ns_deploy##*/}"
@@ -192,9 +198,9 @@ echo "  Docs:    https://docs.${DOMAIN}/"
 echo "  Meet:    https://meet.${DOMAIN}/"
 echo "  Drive:   https://drive.${DOMAIN}/"
 echo "  Chat:    https://chat.${DOMAIN}/"
+echo "  Mail:    https://mail.${DOMAIN}/"
 echo "  People:  https://people.${DOMAIN}/"
 echo "  Gitea:   https://src.${DOMAIN}/"
-echo "  Mailpit: https://mailpit.${DOMAIN}/  (captured outbound email)"
 echo ""
 echo "OpenBao UI: kubectl $CTX -n data port-forward svc/openbao 8200:8200"
 echo "            http://localhost:8200  (token from: kubectl $CTX -n data get secret openbao-keys -o jsonpath='{.data.root-token}' | base64 -d)"