feat(mosaic): gateway token recovery via BetterAuth cookie (#411)

packages/mosaic/src/commands/gateway/install.ts

@@ -388,10 +388,32 @@ async function bootstrapFirstUser(
     if (!status.needsSetup) {
       if (meta.adminToken) {
         console.log('Admin user already exists (token on file).');
-      } else {
-        console.log('Admin user already exists — skipping setup.');
-        console.log('(No admin token on file — sign in via the web UI to manage tokens.)');
+        return;
       }
+
+      // Admin user exists but no token — offer inline recovery when interactive.
+      console.log('Admin user already exists but no admin token is on file.');
+
+      if (process.stdin.isTTY) {
+        const answer = (await prompt(rl, 'Run token recovery now? [Y/n] ')).trim().toLowerCase();
+        if (answer === '' || answer === 'y' || answer === 'yes') {
+          console.log();
+          try {
+            const { ensureSession, mintAdminToken, persistToken } = await import('./token-ops.js');
+            const cookie = await ensureSession(baseUrl);
+            const label = `CLI recovery token (${new Date().toISOString().slice(0, 16).replace('T', ' ')})`;
+            const minted = await mintAdminToken(baseUrl, cookie, label);
+            persistToken(baseUrl, minted);
+          } catch (err) {
+            console.error(
+              `Token recovery failed: ${err instanceof Error ? err.message : String(err)}`,
+            );
+          }
+          return;
+        }
+      }
+
+      console.log('No admin token on file. Run: mosaic gateway config recover-token');
       return;
     }
   } catch {