fix(mosaic): address code review findings for gateway token recovery (CU-03-08)

- auth.ts: write session.json with mode 0o600 (was world-readable; cookie is a credential)
- login.ts: add promptSecret() using TTY raw mode so password is not echoed to terminal
- login.ts: export promptLine() so token-ops.ts can use it (keeps prompts mockable in tests)
- login.ts: fix password trimming — do not trim() passwords (may have intentional whitespace)
- token-ops.ts: use promptLine/promptSecret from login.ts (replaces inline readline)
- token-ops.ts: persistToken() warns when --gateway targets a different host than meta.json
- gateway.ts: mark --password flag [UNSAFE] in help; emit console.warn when it is used
- recover-token.spec.ts: update mock to include promptLine/promptSecret from ./login.js

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/mosaic/package.json

@@ -36,6 +36,7 @@
     "@mosaicstack/prdy": "workspace:*",
     "@mosaicstack/quality-rails": "workspace:*",
     "@mosaicstack/queue": "workspace:*",
+    "@mosaicstack/storage": "workspace:*",
     "@mosaicstack/types": "workspace:*",
     "@clack/prompts": "^0.9.1",
     "commander": "^13.0.0",

packages/mosaic/src/auth.ts

@@ -74,7 +74,8 @@ export function saveSession(gatewayUrl: string, auth: AuthResult): void {
     expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(), // 7 days
   };
 
-  writeFileSync(SESSION_FILE, JSON.stringify(session, null, 2), 'utf-8');
+  // 0o600: owner read/write only — the session cookie is a credential
+  writeFileSync(SESSION_FILE, JSON.stringify(session, null, 2), { encoding: 'utf-8', mode: 0o600 });
 }
 
 /**

packages/mosaic/src/cli.ts

@@ -7,6 +7,7 @@ import { registerLogCommand } from '@mosaicstack/log';
 import { registerMemoryCommand } from '@mosaicstack/memory';
 import { registerQualityRails } from '@mosaicstack/quality-rails';
 import { registerQueueCommand } from '@mosaicstack/queue';
+import { registerStorageCommand } from '@mosaicstack/storage';
 import { registerAgentCommand } from './commands/agent.js';
 import { registerConfigCommand } from './commands/config.js';
 import { registerMissionCommand } from './commands/mission.js';
@@ -362,6 +363,10 @@ registerMemoryCommand(program);
 
 registerQueueCommand(program);
 
+// ─── storage ─────────────────────────────────────────────────────────────
+
+registerStorageCommand(program);
+
 // ─── update ─────────────────────────────────────────────────────────────
 
 program

packages/mosaic/src/commands/gateway.ts

@@ -126,10 +126,18 @@ export function registerGatewayCommand(program: Command): void {
     .description('Sign in to the gateway (defaults to URL from meta.json)')
     .option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
     .option('-e, --email <email>', 'Email address')
-    .option('-p, --password <password>', 'Password')
+    .option(
+      '-p, --password <password>',
+      '[UNSAFE] Avoid — exposes credentials in shell history and process listings',
+    )
     .action(async (cmdOpts: { gateway?: string; email?: string; password?: string }) => {
       const { runLogin } = await import('./gateway/login.js');
       const url = getGatewayUrl(cmdOpts.gateway);
+      if (cmdOpts.password) {
+        console.warn(
+          'Warning: --password flag exposes credentials in shell history and process listings.',
+        );
+      }
       try {
         await runLogin({ gatewayUrl: url, email: cmdOpts.email, password: cmdOpts.password });
       } catch (err) {

packages/mosaic/src/commands/gateway/login.ts

@@ -2,6 +2,62 @@ import { createInterface } from 'node:readline';
 import { signIn, saveSession } from '../../auth.js';
 import { readMeta } from './daemon.js';
 
+/**
+ * Prompt for a single line of input (with echo).
+ */
+export function promptLine(question: string): Promise<string> {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+/**
+ * Prompt for a secret value without echoing the typed characters to the terminal.
+ * Uses TTY raw mode when available so that passwords do not appear in terminal
+ * recordings, scrollback, or shared screen sessions.
+ */
+export function promptSecret(question: string): Promise<string> {
+  return new Promise((resolve) => {
+    process.stdout.write(question);
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(true);
+    }
+    process.stdin.resume();
+    process.stdin.setEncoding('utf-8');
+
+    let secret = '';
+    const onData = (char: string): void => {
+      if (char === '\n' || char === '\r' || char === '\u0004') {
+        process.stdout.write('\n');
+        if (process.stdin.isTTY) {
+          process.stdin.setRawMode(false);
+        }
+        process.stdin.pause();
+        process.stdin.removeListener('data', onData);
+        resolve(secret);
+      } else if (char === '\u0003') {
+        // ^C
+        process.stdout.write('\n');
+        if (process.stdin.isTTY) {
+          process.stdin.setRawMode(false);
+        }
+        process.stdin.pause();
+        process.stdin.removeListener('data', onData);
+        process.exit(130);
+      } else if (char === '\u007f' || char === '\b') {
+        secret = secret.slice(0, -1);
+      } else {
+        secret += char;
+      }
+    };
+    process.stdin.on('data', onData);
+  });
+}
+
 /**
  * Shared login helper used by both `mosaic login` and `mosaic gateway login`.
  * Prompts for email/password if not supplied, signs in, and persists the session.
@@ -11,17 +67,9 @@ export async function runLogin(opts: {
   email?: string;
   password?: string;
 }): Promise<void> {
-  let email = opts.email;
+  const email = opts.email ?? (await promptLine('Email: '));
-  let password = opts.password;
+  // Do not trim password — it may intentionally contain leading/trailing whitespace
-
+  const password = opts.password ?? (await promptSecret('Password: '));
-  if (!email || !password) {
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
-
-    if (!email) email = await ask('Email: ');
-    if (!password) password = await ask('Password: ');
-    rl.close();
-  }
 
   const auth = await signIn(opts.gatewayUrl, email, password);
   saveSession(opts.gatewayUrl, auth);

packages/mosaic/src/commands/gateway/recover-token.spec.ts

@@ -16,14 +16,9 @@ vi.mock('./daemon.js', () => ({
 
 vi.mock('./login.js', () => ({
   getGatewayUrl: vi.fn().mockReturnValue('http://localhost:14242'),
-}));
+  // promptLine/promptSecret are used by ensureSession; return fixed values so tests don't block on stdin
-
+  promptLine: vi.fn().mockResolvedValue('test@example.com'),
-// Mock readline so tests don't block on stdin
+  promptSecret: vi.fn().mockResolvedValue('test-password'),
-vi.mock('node:readline', () => ({
-  createInterface: vi.fn().mockReturnValue({
-    question: vi.fn((_q: string, cb: (a: string) => void) => cb('test-input')),
-    close: vi.fn(),
-  }),
 }));
 
 const mockFetch = vi.fn();

packages/mosaic/src/commands/gateway/token-ops.ts

@@ -1,7 +1,6 @@
-import { createInterface } from 'node:readline';
 import { loadSession, validateSession, signIn, saveSession } from '../../auth.js';
 import { readMeta, writeMeta } from './daemon.js';
-import { getGatewayUrl } from './login.js';
+import { getGatewayUrl, promptLine, promptSecret } from './login.js';
 
 interface MintedToken {
   id: string;
@@ -58,6 +57,9 @@ export async function mintAdminToken(
 
 /**
  * Persist the new token into meta.json and print the confirmation banner.
+ *
+ * Emits a warning when the target gateway differs from the locally installed one,
+ * so operators are aware that meta.json may not reflect the intended gateway.
  */
 export function persistToken(gatewayUrl: string, minted: MintedToken): void {
   const meta = readMeta() ?? {
@@ -68,6 +70,15 @@ export function persistToken(gatewayUrl: string, minted: MintedToken): void {
     port: parseInt(new URL(gatewayUrl).port || '14242', 10),
   };
 
+  // Warn when the target gateway does not match the locally installed one
+  const targetHost = new URL(gatewayUrl).hostname;
+  if (targetHost !== meta.host) {
+    console.warn(
+      `Warning: token was minted against ${gatewayUrl} but is being saved to the local` +
+        ` meta.json (host: ${meta.host}). Copy the token manually if targeting a remote gateway.`,
+    );
+  }
+
   writeMeta({ ...meta, adminToken: minted.plaintext });
 
   const preview = `${minted.plaintext.slice(0, 8)}...`;
@@ -108,13 +119,10 @@ export async function ensureSession(gatewayUrl: string): Promise<string> {
     console.log(`No session found for ${gatewayUrl}. Please sign in.`);
   }
 
-  // Prompt for credentials
+  // Prompt for credentials — password must not be echoed to the terminal
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const email = await promptLine('Email: ');
-  const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
+  // Do not trim password — it may contain intentional leading/trailing whitespace
-
+  const password = await promptSecret('Password: ');
-  const email = (await ask('Email: ')).trim();
-  const password = (await ask('Password: ')).trim();
-  rl.close();
 
   const auth = await signIn(gatewayUrl, email, password).catch((err: unknown) => {
     console.error(err instanceof Error ? err.message : String(err));

packages/storage/package.json

@@ -23,7 +23,8 @@
   "dependencies": {
     "@electric-sql/pglite": "^0.2.17",
     "@mosaicstack/db": "workspace:^",
-    "@mosaicstack/types": "workspace:*"
+    "@mosaicstack/types": "workspace:*",
+    "commander": "^13.0.0"
   },
   "devDependencies": {
     "typescript": "^5.8.0",

packages/storage/src/cli.spec.ts

@@ -0,0 +1,85 @@
+import { describe, it, expect } from 'vitest';
+import { Command } from 'commander';
+import { registerStorageCommand } from './cli.js';
+
+describe('registerStorageCommand', () => {
+  function buildProgram(): Command {
+    const program = new Command();
+    program.exitOverride(); // prevent process.exit in tests
+    registerStorageCommand(program);
+    return program;
+  }
+
+  it('registers a "storage" command on the parent', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage');
+    expect(storageCmd).toBeDefined();
+  });
+
+  it('registers "storage status" subcommand', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const statusCmd = storageCmd.commands.find((c) => c.name() === 'status');
+    expect(statusCmd).toBeDefined();
+  });
+
+  it('registers "storage tier" subcommand group', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const tierCmd = storageCmd.commands.find((c) => c.name() === 'tier');
+    expect(tierCmd).toBeDefined();
+  });
+
+  it('registers "storage tier show" subcommand', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const tierCmd = storageCmd.commands.find((c) => c.name() === 'tier')!;
+    const showCmd = tierCmd.commands.find((c) => c.name() === 'show');
+    expect(showCmd).toBeDefined();
+  });
+
+  it('registers "storage tier switch" subcommand', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const tierCmd = storageCmd.commands.find((c) => c.name() === 'tier')!;
+    const switchCmd = tierCmd.commands.find((c) => c.name() === 'switch');
+    expect(switchCmd).toBeDefined();
+  });
+
+  it('registers "storage export" subcommand', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const exportCmd = storageCmd.commands.find((c) => c.name() === 'export');
+    expect(exportCmd).toBeDefined();
+  });
+
+  it('registers "storage import" subcommand', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const importCmd = storageCmd.commands.find((c) => c.name() === 'import');
+    expect(importCmd).toBeDefined();
+  });
+
+  it('registers "storage migrate" subcommand', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const migrateCmd = storageCmd.commands.find((c) => c.name() === 'migrate');
+    expect(migrateCmd).toBeDefined();
+  });
+
+  it('has all required subcommands in a single assertion', () => {
+    const program = buildProgram();
+    const storageCmd = program.commands.find((c) => c.name() === 'storage')!;
+    const topLevel = storageCmd.commands.map((c) => c.name());
+    expect(topLevel).toContain('status');
+    expect(topLevel).toContain('tier');
+    expect(topLevel).toContain('export');
+    expect(topLevel).toContain('import');
+    expect(topLevel).toContain('migrate');
+
+    const tierCmd = storageCmd.commands.find((c) => c.name() === 'tier')!;
+    const tierSubcmds = tierCmd.commands.map((c) => c.name());
+    expect(tierSubcmds).toContain('show');
+    expect(tierSubcmds).toContain('switch');
+  });
+});

packages/storage/src/cli.ts

@@ -0,0 +1,256 @@
+import type { Command } from 'commander';
+
+/**
+ * Reads the DATABASE_URL environment variable and redacts the password portion.
+ */
+function redactedConnectionString(): string | null {
+  const url = process.env['DATABASE_URL'];
+  if (!url) return null;
+  try {
+    const parsed = new URL(url);
+    if (parsed.password) {
+      parsed.password = '***';
+    }
+    return parsed.toString();
+  } catch {
+    // Not a valid URL — redact anything that looks like :password@
+    return url.replace(/:([^@/]+)@/, ':***@');
+  }
+}
+
+/**
+ * Determine the active storage tier from the environment.
+ * Looks at DATABASE_URL; if absent or set to a pglite path, treats tier as pglite.
+ */
+function activeTier(): 'postgres' | 'pglite' {
+  const url = process.env['DATABASE_URL'];
+  if (url && url.startsWith('postgres')) return 'postgres';
+  return 'pglite';
+}
+
+/**
+ * Return a human-readable config source description.
+ */
+function configSource(): string {
+  if (process.env['DATABASE_URL']) return 'env:DATABASE_URL';
+  const pgliteDir = process.env['PGLITE_DATA_DIR'];
+  if (pgliteDir) return `env:PGLITE_DATA_DIR (${pgliteDir})`;
+  return 'default (no DATABASE_URL set)';
+}
+
+/**
+ * Register storage subcommands on an existing Commander program.
+ * Follows the registerQualityRails pattern — uses the caller's Command
+ * instance to avoid cross-package Commander version mismatches.
+ */
+export function registerStorageCommand(parent: Command): void {
+  const storage = parent
+    .command('storage')
+    .description('Inspect and manage Mosaic storage configuration');
+
+  // ── storage status ───────────────────────────────────────────────────────
+
+  storage
+    .command('status')
+    .description('Show the configured storage tier and whether the adapter is reachable')
+    .action(async () => {
+      const tier = activeTier();
+      const source = configSource();
+      const connStr = tier === 'postgres' ? redactedConnectionString() : null;
+
+      console.log(`[storage] tier: ${tier}`);
+      console.log(`[storage] config source: ${source}`);
+
+      if (tier === 'postgres' && connStr) {
+        console.log(`[storage] connection: ${connStr}`);
+        try {
+          const { createDb, sql } = await import('@mosaicstack/db');
+          const url = process.env['DATABASE_URL'] ?? '';
+          const handle = createDb(url);
+          await handle.db.execute(sql`SELECT 1`);
+          await handle.close();
+          console.log('[storage] reachable: yes');
+        } catch (err) {
+          console.log(
+            `[storage] reachable: no (${err instanceof Error ? err.message : String(err)})`,
+          );
+        }
+      } else {
+        const dataDir = process.env['PGLITE_DATA_DIR'] ?? ':memory:';
+        console.log(`[storage] data dir: ${dataDir}`);
+        console.log('[storage] reachable: pglite is always local — no network check needed');
+      }
+    });
+
+  // ── storage tier ─────────────────────────────────────────────────────────
+
+  const tier = storage.command('tier').description('Inspect or switch the storage tier');
+
+  tier
+    .command('show')
+    .description('Print the active storage tier and its config source')
+    .action(() => {
+      const activeTierValue = activeTier();
+      const source = configSource();
+      console.log(`[storage] active tier: ${activeTierValue}`);
+      console.log(`[storage] config source: ${source}`);
+    });
+
+  tier
+    .command('switch <tier>')
+    .description('Switch storage tier between pglite and postgres')
+    .action((newTier: string) => {
+      const validTiers = ['pglite', 'postgres'];
+      if (!validTiers.includes(newTier)) {
+        console.error(
+          `[storage] unknown tier: ${newTier}. Valid options: ${validTiers.join(', ')}`,
+        );
+        process.exitCode = 1;
+        return;
+      }
+
+      console.log(`[storage] tier switch requested: ${newTier}`);
+      console.log('');
+      console.log('Mosaic storage tier is controlled by environment variables.');
+      console.log('Automatic config-file mutation is not supported — set the variable manually.');
+      console.log('');
+
+      if (newTier === 'postgres') {
+        console.log('To switch to postgres:');
+        console.log('  1. Set DATABASE_URL in your environment or .env file:');
+        console.log('       export DATABASE_URL="postgresql://user:pass@localhost:5432/mosaic"');
+        console.log('  2. Run migrations:');
+        console.log('       pnpm --filter @mosaicstack/db db:migrate');
+        console.log('  3. Restart the gateway.');
+      } else {
+        console.log('To switch to pglite:');
+        console.log('  1. Unset DATABASE_URL (or set it to a pglite path):');
+        console.log('       unset DATABASE_URL');
+        console.log('       # optionally: export PGLITE_DATA_DIR=/path/to/pglite/data');
+        console.log('  2. Restart the gateway.');
+        console.log('  Note: pglite uses an in-process database — no migrations needed.');
+      }
+    });
+
+  // ── storage export ───────────────────────────────────────────────────────
+
+  storage
+    .command('export <path>')
+    .description('Dump the active storage contents to a file')
+    .action((outputPath: string) => {
+      const currentTier = activeTier();
+
+      if (currentTier === 'postgres') {
+        const redacted = redactedConnectionString() ?? '<DATABASE_URL>';
+        console.log('[storage] export for postgres tier');
+        console.log('');
+        console.log('postgres export is not yet wired in the CLI — use pg_dump directly:');
+        console.log('');
+        console.log(`  pg_dump "${redacted}" > ${outputPath}`);
+        console.log('');
+        console.log('Or with Docker:');
+        console.log(
+          `  docker exec <postgres-container> pg_dump -U <user> <dbname> > ${outputPath}`,
+        );
+        process.exitCode = 0;
+      } else {
+        const dataDir = process.env['PGLITE_DATA_DIR'];
+        console.log('[storage] export for pglite tier');
+        console.log('');
+        console.log(
+          'pglite export is not yet wired in the CLI — copy the data directory directly:',
+        );
+        console.log('');
+        if (dataDir) {
+          console.log(`  cp -r ${dataDir} ${outputPath}`);
+        } else {
+          console.log(
+            '  PGLITE_DATA_DIR is not set; the database is in-memory and cannot be exported.',
+          );
+          console.log('  Set PGLITE_DATA_DIR to a persistent path before running export.');
+        }
+        process.exitCode = 0;
+      }
+    });
+
+  // ── storage import ───────────────────────────────────────────────────────
+
+  storage
+    .command('import <path>')
+    .description('Restore storage contents from a previously exported file')
+    .action((inputPath: string) => {
+      const currentTier = activeTier();
+
+      if (currentTier === 'postgres') {
+        const redacted = redactedConnectionString() ?? '<DATABASE_URL>';
+        console.log('[storage] import for postgres tier');
+        console.log('');
+        console.log('postgres import is not yet wired in the CLI — use psql directly:');
+        console.log('');
+        console.log(`  psql "${redacted}" < ${inputPath}`);
+        process.exitCode = 0;
+      } else {
+        const dataDir = process.env['PGLITE_DATA_DIR'];
+        console.log('[storage] import for pglite tier');
+        console.log('');
+        console.log(
+          'pglite import is not yet wired in the CLI — restore the data directory directly:',
+        );
+        console.log('');
+        if (dataDir) {
+          console.log(`  rm -rf ${dataDir} && cp -r ${inputPath} ${dataDir}`);
+          console.log('  Then restart the gateway.');
+        } else {
+          console.log(
+            '  PGLITE_DATA_DIR is not set; set it to a persistent path before running import.',
+          );
+        }
+        process.exitCode = 0;
+      }
+    });
+
+  // ── storage migrate ──────────────────────────────────────────────────────
+
+  storage
+    .command('migrate')
+    .description(
+      'Run database migrations (thin wrapper — delegates to pnpm db:migrate or prints the command)',
+    )
+    .option('--run', 'Actually execute the migration command via shell')
+    .action(async (opts: { run?: boolean }) => {
+      const currentTier = activeTier();
+
+      if (currentTier === 'pglite') {
+        console.log('[storage] pglite tier detected');
+        console.log(
+          'pglite runs schema setup automatically on first connection via adapter.migrate().',
+        );
+        console.log('No separate migration step is required.');
+        return;
+      }
+
+      const migrateCmd = 'pnpm --filter @mosaicstack/db db:migrate';
+      console.log('[storage] postgres tier detected');
+      console.log(`Migration command: ${migrateCmd}`);
+      console.log('');
+
+      if (opts.run) {
+        console.log('Running migrations...');
+        const { execSync } = await import('node:child_process');
+        try {
+          execSync(migrateCmd, { stdio: 'inherit' });
+          console.log('[storage] migrations complete.');
+        } catch (err) {
+          console.error(
+            `[storage] migration failed: ${err instanceof Error ? err.message : String(err)}`,
+          );
+          process.exitCode = 1;
+        }
+      } else {
+        console.log('To run migrations, execute:');
+        console.log(`  ${migrateCmd}`);
+        console.log('');
+        console.log('Or pass --run to have this command execute it for you.');
+      }
+    });
+}

packages/storage/src/index.ts

@@ -2,6 +2,7 @@ export type { StorageAdapter, StorageConfig } from './types.js';
 export { createStorageAdapter, registerStorageAdapter } from './factory.js';
 export { PostgresAdapter } from './adapters/postgres.js';
 export { PgliteAdapter } from './adapters/pglite.js';
+export { registerStorageCommand } from './cli.js';
 
 import { registerStorageAdapter } from './factory.js';
 import { PostgresAdapter } from './adapters/postgres.js';

pnpm-lock.yaml

@@ -490,6 +490,9 @@ importers:
       '@mosaicstack/queue':
         specifier: workspace:*
         version: link:../queue
+      '@mosaicstack/storage':
+        specifier: workspace:*
+        version: link:../storage
       '@mosaicstack/types':
         specifier: workspace:*
         version: link:../types
@@ -611,6 +614,9 @@ importers:
       '@mosaicstack/types':
         specifier: workspace:*
         version: link:../types
+      commander:
+        specifier: ^13.0.0
+        version: 13.1.0
     devDependencies:
       typescript:
         specifier: ^5.8.0