feat(mosaic): merge @mosaic/cli into @mosaic/mosaic

@mosaic/mosaic is now the single package providing both:
- 'mosaic' binary (CLI: yolo, coord, prdy, tui, gateway, etc.)
- 'mosaic-wizard' binary (installation wizard)

Changes:
- Move packages/cli/src/* into packages/mosaic/src/
- Convert dynamic @mosaic/mosaic imports to static relative imports
- Add CLI deps (ink, react, socket.io-client, @mosaic/config) to mosaic
- Add jsx: react-jsx to mosaic's tsconfig
- Exclude packages/cli from workspace (pnpm-workspace.yaml)
- Update install.sh to install @mosaic/mosaic instead of @mosaic/cli
- Bump version to 0.0.17

This eliminates the circular dependency between @mosaic/cli and
@mosaic/mosaic that was blocking the build graph.

packages/mosaic/src/auth.ts

@@ -0,0 +1,115 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { homedir } from 'node:os';
+
+const SESSION_DIR = resolve(homedir(), '.mosaic');
+const SESSION_FILE = resolve(SESSION_DIR, 'session.json');
+
+interface StoredSession {
+  gatewayUrl: string;
+  cookie: string;
+  userId: string;
+  email: string;
+  expiresAt: string;
+}
+
+export interface AuthResult {
+  cookie: string;
+  userId: string;
+  email: string;
+}
+
+/**
+ * Sign in to the gateway and return the session cookie.
+ */
+export async function signIn(
+  gatewayUrl: string,
+  email: string,
+  password: string,
+): Promise<AuthResult> {
+  const res = await fetch(`${gatewayUrl}/api/auth/sign-in/email`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', Origin: gatewayUrl },
+    body: JSON.stringify({ email, password }),
+    redirect: 'manual',
+  });
+
+  if (!res.ok) {
+    const body = await res.text().catch(() => '');
+    throw new Error(`Sign-in failed (${res.status}): ${body}`);
+  }
+
+  // Extract set-cookie header
+  const setCookieHeader = res.headers.getSetCookie?.() ?? [];
+  const sessionCookie = setCookieHeader
+    .map((c) => c.split(';')[0]!)
+    .filter((c) => c.startsWith('better-auth.session_token='))
+    .join('; ');
+
+  if (!sessionCookie) {
+    throw new Error('No session cookie returned from sign-in');
+  }
+
+  // Parse the response body for user info
+  const data = (await res.json()) as { user?: { id: string; email: string } };
+  const userId = data.user?.id ?? 'unknown';
+  const userEmail = data.user?.email ?? email;
+
+  return { cookie: sessionCookie, userId, email: userEmail };
+}
+
+/**
+ * Save session to ~/.mosaic/session.json
+ */
+export function saveSession(gatewayUrl: string, auth: AuthResult): void {
+  if (!existsSync(SESSION_DIR)) {
+    mkdirSync(SESSION_DIR, { recursive: true });
+  }
+
+  const session: StoredSession = {
+    gatewayUrl,
+    cookie: auth.cookie,
+    userId: auth.userId,
+    email: auth.email,
+    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(), // 7 days
+  };
+
+  writeFileSync(SESSION_FILE, JSON.stringify(session, null, 2), 'utf-8');
+}
+
+/**
+ * Load a saved session. Returns null if no session, expired, or wrong gateway.
+ */
+export function loadSession(gatewayUrl: string): AuthResult | null {
+  if (!existsSync(SESSION_FILE)) return null;
+
+  try {
+    const raw = readFileSync(SESSION_FILE, 'utf-8');
+    const session = JSON.parse(raw) as StoredSession;
+
+    if (session.gatewayUrl !== gatewayUrl) return null;
+    if (new Date(session.expiresAt) < new Date()) return null;
+
+    return {
+      cookie: session.cookie,
+      userId: session.userId,
+      email: session.email,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Validate that a stored session is still active by hitting get-session.
+ */
+export async function validateSession(gatewayUrl: string, cookie: string): Promise<boolean> {
+  try {
+    const res = await fetch(`${gatewayUrl}/api/auth/get-session`, {
+      headers: { Cookie: cookie, Origin: gatewayUrl },
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}