feat: integrate framework files into monorepo under packages/mosaic/framework/

Moves all Mosaic framework runtime files from the separate bootstrap repo
into the monorepo as canonical source. The @mosaic/mosaic npm package now
ships the complete framework — bin scripts, runtime configs, tools, and
templates — enabling standalone installation via npm install.

Structure:
  packages/mosaic/framework/
  ├── bin/          28 CLI scripts (mosaic, mosaic-doctor, mosaic-sync-skills, etc.)
  ├── runtime/      Runtime adapters (claude, codex, opencode, pi, mcp)
  ├── tools/        Shell tooling (git, prdy, orchestrator, quality, etc.)
  ├── templates/    Agent and repo templates
  ├── defaults/     Default identity files (AGENTS.md, STANDARDS.md, SOUL.md, etc.)
  ├── install.sh    Legacy bash installer
  └── remote-install.sh  One-liner remote installer

Key files with Pi support and recent fixes:
- bin/mosaic: launch_pi() with skills-local loop
- bin/mosaic-doctor: --fix auto-wiring for all 4 harnesses
- bin/mosaic-sync-skills: Pi as 4th link target, symlink-aware find
- bin/mosaic-link-runtime-assets: Pi settings.json patching
- bin/mosaic-migrate-local-skills: Pi skill roots, symlink find
- runtime/pi/RUNTIME.md + mosaic-extension.ts

Package ships 251 framework files in the npm tarball (278KB compressed).

packages/mosaic/framework/tools/authentik/user-create.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+#
+# user-create.sh — Create an Authentik user
+#
+# Usage: user-create.sh -u <username> -n <name> -e <email> [-p password] [-g group] [-a instance]
+#
+# Options:
+#   -u username   Username (required)
+#   -n name       Display name (required)
+#   -e email      Email address (required)
+#   -p password   Initial password (optional — user gets set-password flow if omitted)
+#   -g group      Group name to add user to (optional)
+#   -f format     Output format: table (default), json
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
+#
+# Environment variables (or credentials.json):
+#   AUTHENTIK_URL — Authentik instance URL
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+USERNAME="" NAME="" EMAIL="" PASSWORD="" GROUP="" FORMAT="table" AK_INSTANCE=""
+
+while getopts "u:n:e:p:g:f:a:h" opt; do
+  case $opt in
+    u) USERNAME="$OPTARG" ;;
+    n) NAME="$OPTARG" ;;
+    e) EMAIL="$OPTARG" ;;
+    p) PASSWORD="$OPTARG" ;;
+    g) GROUP="$OPTARG" ;;
+    f) FORMAT="$OPTARG" ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -19 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 -u <username> -n <name> -e <email> [-p password] [-g group] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+if [[ -z "$USERNAME" || -z "$NAME" || -z "$EMAIL" ]]; then
+  echo "Error: -u username, -n name, and -e email are required" >&2
+  exit 1
+fi
+
+TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})
+
+# Build user payload
+payload=$(jq -n \
+  --arg username "$USERNAME" \
+  --arg name "$NAME" \
+  --arg email "$EMAIL" \
+  '{username: $username, name: $name, email: $email, is_active: true}')
+
+# Add password if provided
+if [[ -n "$PASSWORD" ]]; then
+  payload=$(echo "$payload" | jq --arg pw "$PASSWORD" '. + {password: $pw}')
+fi
+
+# Add to group if provided
+if [[ -n "$GROUP" ]]; then
+  # Look up group PK by name
+  group_response=$(curl -sk \
+    -H "Authorization: Bearer $TOKEN" \
+    "${AUTHENTIK_URL}/api/v3/core/groups/?search=${GROUP}")
+  group_pk=$(echo "$group_response" | jq -r ".results[] | select(.name == \"$GROUP\") | .pk" | head -1)
+  if [[ -n "$group_pk" ]]; then
+    payload=$(echo "$payload" | jq --arg gk "$group_pk" '. + {groups: [$gk]}')
+  else
+    echo "Warning: Group '$GROUP' not found — creating user without group" >&2
+  fi
+fi
+
+response=$(curl -sk -w "\n%{http_code}" -X POST \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "$payload" \
+  "${AUTHENTIK_URL}/api/v3/core/users/")
+
+http_code=$(echo "$response" | tail -n1)
+body=$(echo "$response" | sed '$d')
+
+if [[ "$http_code" != "201" ]]; then
+  echo "Error: Failed to create user (HTTP $http_code)" >&2
+  echo "$body" | jq -r '.' 2>/dev/null >&2
+  exit 1
+fi
+
+if [[ "$FORMAT" == "json" ]]; then
+  echo "$body" | jq '.'
+else
+  echo "User created successfully:"
+  echo "$body" | jq -r '"  Username: \(.username)\n  Name:     \(.name)\n  Email:    \(.email)\n  PK:       \(.pk)"'
+fi