Compare commits
1 Commits
feat/gatew
...
6553f16d42
| Author | SHA1 | Date | |
|---|---|---|---|
|
6553f16d42 |
@@ -1,193 +0,0 @@
|
||||
# Gateway Admin Token Recovery — Implementation Plan
|
||||
|
||||
**Mission:** `cli-unification-20260404`
|
||||
**Task:** `CU-03-01` (planning only — no runtime code changes)
|
||||
**Status:** Design locked (Session 1) — BetterAuth cookie-based recovery
|
||||
|
||||
---
|
||||
|
||||
## 1. Problem Statement
|
||||
|
||||
The gateway installer strands operators when the admin user exists but the admin
|
||||
API token is missing. Concrete trigger:
|
||||
|
||||
- `~/.config/mosaic/gateway/meta.json` was deleted / regenerated.
|
||||
- The installer was re-run after a previous successful bootstrap.
|
||||
|
||||
Flow today (`packages/mosaic/src/commands/gateway/install.ts:375-400`):
|
||||
|
||||
1. `bootstrapFirstUser` hits `GET /api/bootstrap/status`.
|
||||
2. Server returns `needsSetup: false` because `users` count > 0.
|
||||
3. Installer logs `Admin user already exists — skipping setup. (No admin token on file — sign in via the web UI to manage tokens.)` and returns.
|
||||
4. The operator now has:
|
||||
- No token in `meta.json`.
|
||||
- No CLI path to mint a new one (`mosaic gateway <anything>` that needs the token fails).
|
||||
- `POST /api/bootstrap/setup` locked out — it only runs when `users` count is zero (`apps/gateway/src/admin/bootstrap.controller.ts:34-37`).
|
||||
- `POST /api/admin/tokens` gated by `AdminGuard` — requires either a bearer token (which they don't have) or a BetterAuth session (which they don't have in the CLI).
|
||||
|
||||
Dead end. The web UI is the only escape hatch today, and for headless installs even that may be inaccessible.
|
||||
|
||||
## 2. Design Summary
|
||||
|
||||
The BetterAuth session cookie is the authority. The operator runs
|
||||
`mosaic gateway login` to sign in with email/password, which persists a session
|
||||
cookie via `saveSession` (reusing `packages/mosaic/src/auth.ts`). With a valid
|
||||
session, `mosaic gateway config recover-token` (stranded-operator entry point)
|
||||
and `mosaic gateway config rotate-token` call the existing authenticated admin
|
||||
endpoint `POST /api/admin/tokens` using the cookie, then persist the returned
|
||||
plaintext to `meta.json` via `writeMeta`. **No new server endpoints are
|
||||
required** — `AdminGuard` already accepts BetterAuth session cookies via its
|
||||
`validateSession` path (`apps/gateway/src/admin/admin.guard.ts:90-120`).
|
||||
|
||||
## 3. Surface Contract
|
||||
|
||||
### 3.1 Server — no changes required
|
||||
|
||||
| Endpoint | Status | Notes |
|
||||
| ------------------------------ | --------------- | ------------------------------------------------------------------------------------------------------------------------ |
|
||||
| `POST /api/admin/tokens` | **Reuse as-is** | `admin-tokens.controller.ts:46-72`. Returns `{ id, label, scope, expiresAt, lastUsedAt, createdAt, plaintext }`. |
|
||||
| `GET /api/admin/tokens` | **Reuse** | Useful for `mosaic gateway config tokens list` follow-on (out of scope for CU-03-01, but trivial once auth path exists). |
|
||||
| `DELETE /api/admin/tokens/:id` | **Reuse** | Used by rotate flow for optional old-token revocation. |
|
||||
| `POST /api/bootstrap/setup` | **Unchanged** | Remains first-user-only; not part of recovery. |
|
||||
|
||||
`AdminGuard.validateSession` takes BetterAuth cookies from `request.raw.headers`
|
||||
via `fromNodeHeaders` and calls `auth.api.getSession({ headers })`. It also
|
||||
enforces `role === 'admin'`. This is exactly the path the CLI will hit with
|
||||
`Cookie: better-auth.session_token=...`.
|
||||
|
||||
**Confirmed feasible** during CU-03-01 investigation.
|
||||
|
||||
### 3.2 `mosaic gateway login`
|
||||
|
||||
Thin wrapper over the existing top-level `mosaic login`
|
||||
(`packages/mosaic/src/cli.ts:42-76`) with gateway-specific defaults pulled from
|
||||
`readMeta()`.
|
||||
|
||||
| Aspect | Behavior |
|
||||
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Default gateway URL | `http://${meta.host}:${meta.port}` from `readMeta()`, fallback `http://localhost:14242`. |
|
||||
| Flow | Prompt email + password -> `signIn()` -> `saveSession()`. |
|
||||
| Persistence | `~/.mosaic/session.json` via existing `saveSession` (7-day expiry). |
|
||||
| Decision | **Thin wrapper**, not alias. Rationale: defaults differ (reads `meta.json`), and discoverability under `mosaic gateway --help`. |
|
||||
| Implementation | Share the sign-in logic by extracting a small `runLogin(gatewayUrl, email?, password?)` helper; both commands call it. |
|
||||
|
||||
### 3.3 `mosaic gateway config rotate-token`
|
||||
|
||||
| Aspect | Behavior |
|
||||
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| Precondition | Valid session (via `loadSession` + `validateSession`). On failure, print: "Not signed in — run `mosaic gateway login`" and exit non-zero. |
|
||||
| Request | `POST ${gatewayUrl}/api/admin/tokens` with header `Cookie: <session>`, body `{ label: "CLI token (rotated YYYY-MM-DD)" }`. |
|
||||
| On success | Read meta via `readMeta()`, set `meta.adminToken = plaintext`, `writeMeta(meta)`. Print the token banner (reuse `printAdminTokenBanner` shape). |
|
||||
| Old token | **Optional `--revoke-old`** flag. When set and a previous `meta.adminToken` existed, call `DELETE /api/admin/tokens/:id` after rotation. Requires listing first to find the id; punt to CU-03-02 decision. Document as nice-to-have. |
|
||||
| Exit codes | `0` success; `1` network error; `2` auth error; `3` server rejection. |
|
||||
|
||||
### 3.4 `mosaic gateway config recover-token`
|
||||
|
||||
Superset of `rotate-token` with an inline login nudge — the "stranded operator"
|
||||
entry point.
|
||||
|
||||
| Step | Action |
|
||||
| ---- | -------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| 1 | `readMeta()` — derive gateway URL. If meta is missing entirely, fall back to `--gateway` flag or default. |
|
||||
| 2 | `loadSession(gatewayUrl)` then `validateSession`. If either fails, prompt inline: email + password -> `signIn` -> `saveSession`. |
|
||||
| 3 | `POST /api/admin/tokens` with cookie, label `"Recovered via CLI YYYY-MM-DDTHH:mm"`. |
|
||||
| 4 | Persist plaintext to `meta.json` via `writeMeta`. |
|
||||
| 5 | Print the token banner and next-steps hints (e.g. `mosaic gateway status`). |
|
||||
| 6 | Exit `0`. |
|
||||
|
||||
Key property: this command is **runnable with nothing but email+password in hand**.
|
||||
It assumes the gateway is up but assumes no prior CLI session state.
|
||||
|
||||
### 3.5 File touch list (for CU-03-02..05 execution)
|
||||
|
||||
| File | Change |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------ |
|
||||
| `packages/mosaic/src/commands/gateway.ts` | Register `login`, `config recover-token`, `config rotate-token` subcommands under `gw`. |
|
||||
| `packages/mosaic/src/commands/gateway/config.ts` | Add `runRecoverToken`, `runRotateToken` handlers; export from module. |
|
||||
| `packages/mosaic/src/commands/gateway/login.ts` (new) | Thin wrapper calling shared `runLogin` helper with meta-derived default URL. |
|
||||
| `packages/mosaic/src/auth.ts` | No change expected. Possibly export a `requireSession(gatewayUrl)` helper (reuse pattern). |
|
||||
| `packages/mosaic/src/commands/gateway/install.ts` | `bootstrapFirstUser` branch: "user exists, no token" -> offer recovery (see Section 4). |
|
||||
|
||||
## 4. Installer Fix (CU-03-06 preview)
|
||||
|
||||
Current stranding point is `install.ts:388-395`. The fix:
|
||||
|
||||
```
|
||||
if (!status.needsSetup) {
|
||||
if (meta.adminToken) {
|
||||
// unchanged — happy path
|
||||
} else {
|
||||
// NEW: prompt "Admin exists but no token on file. Recover now? [Y/n]"
|
||||
// If yes -> call runRecoverToken(gatewayUrl) inline (interactive):
|
||||
// - prompt email + password
|
||||
// - signIn -> saveSession
|
||||
// - POST /api/admin/tokens
|
||||
// - writeMeta(meta) with returned plaintext
|
||||
// - print banner
|
||||
// If no -> print the current stranded message but include:
|
||||
// "Run `mosaic gateway config recover-token` when ready."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Shape notes (actual code lands in CU-03-06):
|
||||
|
||||
- Extract the recovery body so it can be called **both** from the standalone
|
||||
command and from `bootstrapFirstUser` without duplicating prompts.
|
||||
- Reuse the same `rl` readline interface already open in `bootstrapFirstUser`
|
||||
for the inline prompts.
|
||||
- Preserve non-interactive behavior: if `process.stdin.isTTY` is false, skip the
|
||||
prompt and emit the "run recover-token" hint only.
|
||||
|
||||
## 5. Test Strategy (CU-03-07 scope)
|
||||
|
||||
### 5.1 Happy paths
|
||||
|
||||
| Command | Scenario | Expected |
|
||||
| ------------------------------------- | ------------------------------------------------ | -------------------------------------------------------- |
|
||||
| `mosaic gateway login` | Valid creds | `session.json` written, 7-day expiry, exit 0 |
|
||||
| `mosaic gateway config rotate-token` | Valid session, server reachable | `meta.json` updated, banner printed, new token usable |
|
||||
| `mosaic gateway config recover-token` | No session, valid creds, server reachable | Prompts for creds, writes session + meta, exit 0 |
|
||||
| Installer inline recovery | Re-run after `meta.json` wipe, operator says yes | Meta restored, banner printed, no manual CLI step needed |
|
||||
|
||||
### 5.2 Error paths (must all produce actionable messages and non-zero exit)
|
||||
|
||||
| Failure | Expected handling |
|
||||
| --------------------------------- | --------------------------------------------------------------------------------- |
|
||||
| Invalid email/password | BetterAuth 401 surfaced as "Sign-in failed: <server message>", exit 2 |
|
||||
| Expired stored session | Recover command silently re-prompts; rotate command exits 2 with "run login" hint |
|
||||
| Gateway down / connection refused | "Could not reach gateway at <url>" exit 1 |
|
||||
| Server rejects token creation | Print status + body excerpt, exit 3 |
|
||||
| Meta file missing (recover) | Fall back to `--gateway` flag or default; warn that meta will be created |
|
||||
| Non-admin user | `AdminGuard` 403 surfaced as "User is not an admin", exit 2 |
|
||||
|
||||
### 5.3 Integration test (recommended)
|
||||
|
||||
Spin up gateway in test harness, create admin user via `/api/bootstrap/setup`,
|
||||
wipe `meta.json`, invoke `mosaic gateway config recover-token` programmatically,
|
||||
assert new `meta.adminToken` works against `GET /api/admin/tokens`.
|
||||
|
||||
## 6. Risks & Open Questions
|
||||
|
||||
| # | Item | Severity | Mitigation |
|
||||
| --- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------- |
|
||||
| 1 | `AdminGuard.validateSession` calls `getSession` with `fromNodeHeaders(request.raw.headers)`. CLI sends `Cookie:` header only. Confirm BetterAuth reads from `Cookie`, not `Set-Cookie`. | Low | Confirmed — `mosaic login` + `mosaic tui` already use this flow successfully (`cli.ts:137-181`). |
|
||||
| 2 | Session cookie local expiry (7d) vs BetterAuth server-side expiry may drift. | Low | `validateSession` hits `get-session`; handle 401 by re-prompting. |
|
||||
| 3 | Label collision / unbounded token growth if operators run `recover-token` repeatedly. | Low | Include ISO timestamp in label. Optional `--revoke-old` in CU-03-02. Add `tokens list/prune` later. |
|
||||
| 4 | `mosaic login` exists at top level and `mosaic gateway login` is a wrapper — risk of confusion. | Low | Document that `gateway login` is the preferred entry for gateway operators; top-level stays for compatibility. |
|
||||
| 5 | `meta.json` write is not atomic. Crash between token creation and `writeMeta` leaves an orphan token server-side with no plaintext on disk. | Medium | Accept for now — re-running `recover-token` mints a fresh token. Document as known limitation. |
|
||||
| 6 | Non-TTY installer runs (CI, headless provisioners) cannot prompt for creds interactively. | Medium | Installer inline recovery must skip prompt when `!process.stdin.isTTY`; emit the recover-token hint. |
|
||||
| 7 | If `BETTER_AUTH_SECRET` rotates between login and recover, the session cookie is invalid — user must re-login. Acceptable but surface a clear error. | Low | Error handler maps 401 on recover -> "Session invalid; re-run `mosaic gateway login`". |
|
||||
| 8 | No MFA today. When MFA lands, BetterAuth sign-in will return a challenge, not a cookie — recovery UX will need a second prompt step. | Future | Out of scope for this mission. Flag for future CLI work. |
|
||||
|
||||
## 7. Downstream Task Hooks
|
||||
|
||||
| Task | Scope |
|
||||
| -------- | -------------------------------------------------------------------------- |
|
||||
| CU-03-02 | Implement `mosaic gateway login` wrapper + shared `runLogin` extraction. |
|
||||
| CU-03-03 | Implement `mosaic gateway config rotate-token`. |
|
||||
| CU-03-04 | Implement `mosaic gateway config recover-token`. |
|
||||
| CU-03-05 | Wire commands into `gateway.ts` registration, update `--help` copy. |
|
||||
| CU-03-06 | Installer inline recovery hook in `bootstrapFirstUser`. |
|
||||
| CU-03-07 | Tests per Section 5. |
|
||||
| CU-03-08 | Docs: update gateway install README + operator runbook with recovery flow. |
|
||||
@@ -22,8 +22,7 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@mosaicstack/db": "workspace:^",
|
||||
"@mosaicstack/types": "workspace:*",
|
||||
"commander": "^13.0.0"
|
||||
"@mosaicstack/types": "workspace:*"
|
||||
},
|
||||
"devDependencies": {
|
||||
"typescript": "^5.8.0",
|
||||
|
||||
@@ -1,95 +0,0 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { Command } from 'commander';
|
||||
import { registerBrainCommand } from './cli.js';
|
||||
|
||||
/**
|
||||
* Smoke test: verifies the command tree is correctly registered.
|
||||
* No database connection is opened — we only inspect Commander metadata.
|
||||
*/
|
||||
describe('registerBrainCommand', () => {
|
||||
function buildProgram(): Command {
|
||||
const program = new Command('mosaic');
|
||||
// Prevent Commander from calling process.exit on parse errors during tests.
|
||||
program.exitOverride();
|
||||
registerBrainCommand(program);
|
||||
return program;
|
||||
}
|
||||
|
||||
it('registers a top-level "brain" command', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain');
|
||||
expect(brainCmd).toBeDefined();
|
||||
});
|
||||
|
||||
it('registers "brain projects" with "list" and "create" subcommands', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
|
||||
const projectsCmd = brainCmd.commands.find((c) => c.name() === 'projects');
|
||||
expect(projectsCmd).toBeDefined();
|
||||
|
||||
const subNames = projectsCmd!.commands.map((c) => c.name());
|
||||
expect(subNames).toContain('list');
|
||||
expect(subNames).toContain('create');
|
||||
});
|
||||
|
||||
it('registers "brain missions" with "list" subcommand', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
|
||||
const missionsCmd = brainCmd.commands.find((c) => c.name() === 'missions');
|
||||
expect(missionsCmd).toBeDefined();
|
||||
|
||||
const subNames = missionsCmd!.commands.map((c) => c.name());
|
||||
expect(subNames).toContain('list');
|
||||
});
|
||||
|
||||
it('registers "brain tasks" with "list" subcommand', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
|
||||
const tasksCmd = brainCmd.commands.find((c) => c.name() === 'tasks');
|
||||
expect(tasksCmd).toBeDefined();
|
||||
|
||||
const subNames = tasksCmd!.commands.map((c) => c.name());
|
||||
expect(subNames).toContain('list');
|
||||
});
|
||||
|
||||
it('registers "brain conversations" with "list" subcommand', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
|
||||
const conversationsCmd = brainCmd.commands.find((c) => c.name() === 'conversations');
|
||||
expect(conversationsCmd).toBeDefined();
|
||||
|
||||
const subNames = conversationsCmd!.commands.map((c) => c.name());
|
||||
expect(subNames).toContain('list');
|
||||
});
|
||||
|
||||
it('"brain projects list" accepts --db and --limit options', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
|
||||
const projectsCmd = brainCmd.commands.find((c) => c.name() === 'projects')!;
|
||||
const listCmd = projectsCmd.commands.find((c) => c.name() === 'list')!;
|
||||
|
||||
const optionNames = listCmd.options.map((o) => o.long);
|
||||
expect(optionNames).toContain('--db');
|
||||
expect(optionNames).toContain('--limit');
|
||||
});
|
||||
|
||||
it('"brain missions list" accepts --project option', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
|
||||
const missionsCmd = brainCmd.commands.find((c) => c.name() === 'missions')!;
|
||||
const listCmd = missionsCmd.commands.find((c) => c.name() === 'list')!;
|
||||
|
||||
const optionNames = listCmd.options.map((o) => o.long);
|
||||
expect(optionNames).toContain('--project');
|
||||
});
|
||||
|
||||
it('"brain tasks list" accepts --project option', () => {
|
||||
const program = buildProgram();
|
||||
const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
|
||||
const tasksCmd = brainCmd.commands.find((c) => c.name() === 'tasks')!;
|
||||
const listCmd = tasksCmd.commands.find((c) => c.name() === 'list')!;
|
||||
|
||||
const optionNames = listCmd.options.map((o) => o.long);
|
||||
expect(optionNames).toContain('--project');
|
||||
});
|
||||
});
|
||||
@@ -1,142 +0,0 @@
|
||||
import type { Command } from 'commander';
|
||||
import { createDb, type DbHandle } from '@mosaicstack/db';
|
||||
import { createBrain } from './brain.js';
|
||||
|
||||
/**
|
||||
* Build and attach the `brain` subcommand tree onto an existing Commander program.
|
||||
* Uses the caller's Command instance to avoid cross-package Commander version mismatches.
|
||||
*/
|
||||
export function registerBrainCommand(parent: Command): void {
|
||||
const brain = parent.command('brain').description('Inspect and manage brain data stores');
|
||||
|
||||
// ─── shared DB option helper ─────────────────────────────────────────────
|
||||
|
||||
function addDbOption(cmd: Command): Command {
|
||||
return cmd.option(
|
||||
'--db <connection-string>',
|
||||
'PostgreSQL connection string (overrides MOSAIC_DB_URL)',
|
||||
);
|
||||
}
|
||||
|
||||
function resolveDb(opts: { db?: string }): ReturnType<typeof createBrain> {
|
||||
const connectionString = opts.db ?? process.env['MOSAIC_DB_URL'];
|
||||
if (!connectionString) {
|
||||
console.error('No DB connection string provided. Pass --db <url> or set MOSAIC_DB_URL.');
|
||||
process.exit(1);
|
||||
}
|
||||
const handle: DbHandle = createDb(connectionString);
|
||||
return createBrain(handle.db);
|
||||
}
|
||||
|
||||
// ─── projects ────────────────────────────────────────────────────────────
|
||||
|
||||
const projects = brain.command('projects').description('Manage projects');
|
||||
|
||||
addDbOption(
|
||||
projects
|
||||
.command('list')
|
||||
.description('List all projects')
|
||||
.option('--limit <n>', 'Maximum number of results', '50'),
|
||||
).action(async (opts: { db?: string; limit: string }) => {
|
||||
const b = resolveDb(opts);
|
||||
const limit = parseInt(opts.limit, 10);
|
||||
const rows = await b.projects.findAll();
|
||||
const sliced = rows.slice(0, limit);
|
||||
if (sliced.length === 0) {
|
||||
console.log('No projects found.');
|
||||
return;
|
||||
}
|
||||
for (const p of sliced) {
|
||||
console.log(`${p.id} ${p.name}`);
|
||||
}
|
||||
});
|
||||
|
||||
addDbOption(
|
||||
projects
|
||||
.command('create <name>')
|
||||
.description('Create a new project')
|
||||
.requiredOption('--owner-id <id>', 'Owner user ID'),
|
||||
).action(async (name: string, opts: { db?: string; ownerId: string }) => {
|
||||
const b = resolveDb(opts);
|
||||
const created = await b.projects.create({
|
||||
name,
|
||||
ownerId: opts.ownerId,
|
||||
ownerType: 'user',
|
||||
});
|
||||
console.log(`Created project: ${created.id} ${created.name}`);
|
||||
});
|
||||
|
||||
// ─── missions ────────────────────────────────────────────────────────────
|
||||
|
||||
const missions = brain.command('missions').description('Manage missions');
|
||||
|
||||
addDbOption(
|
||||
missions
|
||||
.command('list')
|
||||
.description('List all missions')
|
||||
.option('--limit <n>', 'Maximum number of results', '50')
|
||||
.option('--project <id>', 'Filter by project ID'),
|
||||
).action(async (opts: { db?: string; limit: string; project?: string }) => {
|
||||
const b = resolveDb(opts);
|
||||
const limit = parseInt(opts.limit, 10);
|
||||
const rows = opts.project
|
||||
? await b.missions.findByProject(opts.project)
|
||||
: await b.missions.findAll();
|
||||
const sliced = rows.slice(0, limit);
|
||||
if (sliced.length === 0) {
|
||||
console.log('No missions found.');
|
||||
return;
|
||||
}
|
||||
for (const m of sliced) {
|
||||
console.log(`${m.id} ${m.name}`);
|
||||
}
|
||||
});
|
||||
|
||||
// ─── tasks ────────────────────────────────────────────────────────────────
|
||||
|
||||
const tasks = brain.command('tasks').description('Manage generic tasks');
|
||||
|
||||
addDbOption(
|
||||
tasks
|
||||
.command('list')
|
||||
.description('List all tasks')
|
||||
.option('--limit <n>', 'Maximum number of results', '50')
|
||||
.option('--project <id>', 'Filter by project ID'),
|
||||
).action(async (opts: { db?: string; limit: string; project?: string }) => {
|
||||
const b = resolveDb(opts);
|
||||
const limit = parseInt(opts.limit, 10);
|
||||
const rows = opts.project ? await b.tasks.findByProject(opts.project) : await b.tasks.findAll();
|
||||
const sliced = rows.slice(0, limit);
|
||||
if (sliced.length === 0) {
|
||||
console.log('No tasks found.');
|
||||
return;
|
||||
}
|
||||
for (const t of sliced) {
|
||||
console.log(`${t.id} ${t.title} [${t.status}]`);
|
||||
}
|
||||
});
|
||||
|
||||
// ─── conversations ────────────────────────────────────────────────────────
|
||||
|
||||
const conversations = brain.command('conversations').description('Manage conversations');
|
||||
|
||||
addDbOption(
|
||||
conversations
|
||||
.command('list')
|
||||
.description('List conversations for a user')
|
||||
.option('--limit <n>', 'Maximum number of results', '50')
|
||||
.requiredOption('--user-id <id>', 'User ID to scope the query'),
|
||||
).action(async (opts: { db?: string; limit: string; userId: string }) => {
|
||||
const b = resolveDb(opts);
|
||||
const limit = parseInt(opts.limit, 10);
|
||||
const rows = await b.conversations.findAll(opts.userId);
|
||||
const sliced = rows.slice(0, limit);
|
||||
if (sliced.length === 0) {
|
||||
console.log('No conversations found.');
|
||||
return;
|
||||
}
|
||||
for (const c of sliced) {
|
||||
console.log(`${c.id} ${c.title ?? '(untitled)'}`);
|
||||
}
|
||||
});
|
||||
}
|
||||
@@ -1,5 +1,4 @@
|
||||
export { createBrain, type Brain } from './brain.js';
|
||||
export { registerBrainCommand } from './cli.js';
|
||||
export {
|
||||
createProjectsRepo,
|
||||
type ProjectsRepo,
|
||||
|
||||
@@ -25,6 +25,7 @@
|
||||
"@mosaicstack/db": "workspace:*",
|
||||
"@mosaicstack/storage": "workspace:*",
|
||||
"@mosaicstack/types": "workspace:*",
|
||||
"commander": "^13.0.0",
|
||||
"drizzle-orm": "^0.45.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
63
packages/memory/src/cli.spec.ts
Normal file
63
packages/memory/src/cli.spec.ts
Normal file
@@ -0,0 +1,63 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { Command } from 'commander';
|
||||
import { registerMemoryCommand } from './cli.js';
|
||||
|
||||
/**
|
||||
* Smoke test — only verifies command wiring.
|
||||
* Does NOT open a database connection.
|
||||
*/
|
||||
describe('registerMemoryCommand', () => {
|
||||
function buildProgram(): Command {
|
||||
const program = new Command('mosaic');
|
||||
program.exitOverride(); // prevent process.exit during tests
|
||||
registerMemoryCommand(program);
|
||||
return program;
|
||||
}
|
||||
|
||||
it('registers a "memory" subcommand', () => {
|
||||
const program = buildProgram();
|
||||
const memory = program.commands.find((c) => c.name() === 'memory');
|
||||
expect(memory).toBeDefined();
|
||||
});
|
||||
|
||||
it('registers "memory search"', () => {
|
||||
const program = buildProgram();
|
||||
const memory = program.commands.find((c) => c.name() === 'memory')!;
|
||||
const search = memory.commands.find((c) => c.name() === 'search');
|
||||
expect(search).toBeDefined();
|
||||
});
|
||||
|
||||
it('registers "memory stats"', () => {
|
||||
const program = buildProgram();
|
||||
const memory = program.commands.find((c) => c.name() === 'memory')!;
|
||||
const stats = memory.commands.find((c) => c.name() === 'stats');
|
||||
expect(stats).toBeDefined();
|
||||
});
|
||||
|
||||
it('registers "memory insights list"', () => {
|
||||
const program = buildProgram();
|
||||
const memory = program.commands.find((c) => c.name() === 'memory')!;
|
||||
const insights = memory.commands.find((c) => c.name() === 'insights');
|
||||
expect(insights).toBeDefined();
|
||||
const list = insights!.commands.find((c) => c.name() === 'list');
|
||||
expect(list).toBeDefined();
|
||||
});
|
||||
|
||||
it('registers "memory preferences list"', () => {
|
||||
const program = buildProgram();
|
||||
const memory = program.commands.find((c) => c.name() === 'memory')!;
|
||||
const preferences = memory.commands.find((c) => c.name() === 'preferences');
|
||||
expect(preferences).toBeDefined();
|
||||
const list = preferences!.commands.find((c) => c.name() === 'list');
|
||||
expect(list).toBeDefined();
|
||||
});
|
||||
|
||||
it('"memory search" has --limit and --agent options', () => {
|
||||
const program = buildProgram();
|
||||
const memory = program.commands.find((c) => c.name() === 'memory')!;
|
||||
const search = memory.commands.find((c) => c.name() === 'search')!;
|
||||
const optNames = search.options.map((o) => o.long);
|
||||
expect(optNames).toContain('--limit');
|
||||
expect(optNames).toContain('--agent');
|
||||
});
|
||||
});
|
||||
179
packages/memory/src/cli.ts
Normal file
179
packages/memory/src/cli.ts
Normal file
@@ -0,0 +1,179 @@
|
||||
import type { Command } from 'commander';
|
||||
|
||||
import type { MemoryAdapter } from './types.js';
|
||||
|
||||
/**
|
||||
* Build and return a connected MemoryAdapter from a connection string or
|
||||
* the MEMORY_DB_URL / DATABASE_URL environment variable.
|
||||
*
|
||||
* For pgvector (postgres://...) the connection string is injected into
|
||||
* DATABASE_URL so that PgVectorAdapter's internal createDb() picks it up.
|
||||
*
|
||||
* Throws with a human-readable message if no connection info is available.
|
||||
*/
|
||||
async function resolveAdapter(dbOption: string | undefined): Promise<MemoryAdapter> {
|
||||
const connStr = dbOption ?? process.env['MEMORY_DB_URL'] ?? process.env['DATABASE_URL'];
|
||||
if (!connStr) {
|
||||
throw new Error(
|
||||
'No database connection string provided. ' +
|
||||
'Pass --db <connection-string> or set MEMORY_DB_URL / DATABASE_URL.',
|
||||
);
|
||||
}
|
||||
|
||||
// Lazy imports so the module loads cleanly without a live DB during smoke tests.
|
||||
const { createMemoryAdapter, registerMemoryAdapter } = await import('./factory.js');
|
||||
|
||||
if (connStr.startsWith('postgres') || connStr.startsWith('pg')) {
|
||||
// PgVectorAdapter reads DATABASE_URL via createDb() — inject it here.
|
||||
process.env['DATABASE_URL'] = connStr;
|
||||
|
||||
const { PgVectorAdapter } = await import('./adapters/pgvector.js');
|
||||
registerMemoryAdapter('pgvector', (cfg) => new PgVectorAdapter(cfg as never));
|
||||
return createMemoryAdapter({ type: 'pgvector' });
|
||||
}
|
||||
|
||||
// Keyword adapter backed by pglite storage; treat connStr as a data directory.
|
||||
const { KeywordAdapter } = await import('./adapters/keyword.js');
|
||||
const { createStorageAdapter, registerStorageAdapter } = await import('@mosaicstack/storage');
|
||||
const { PgliteAdapter } = await import('@mosaicstack/storage');
|
||||
|
||||
registerStorageAdapter('pglite', (cfg) => new PgliteAdapter(cfg as never));
|
||||
|
||||
const storage = createStorageAdapter({ type: 'pglite', dataDir: connStr });
|
||||
|
||||
registerMemoryAdapter('keyword', (cfg) => new KeywordAdapter(cfg as never));
|
||||
return createMemoryAdapter({ type: 'keyword', storage });
|
||||
}
|
||||
|
||||
/**
|
||||
* Register `memory` subcommands on an existing Commander program.
|
||||
* Follows the registerQualityRails pattern from @mosaicstack/quality-rails.
|
||||
*/
|
||||
export function registerMemoryCommand(parent: Command): void {
|
||||
const memory = parent.command('memory').description('Inspect and query the Mosaic memory layer');
|
||||
|
||||
// ── memory search <query> ──────────────────────────────────────────────
|
||||
memory
|
||||
.command('search <query>')
|
||||
.description('Semantic search over insights')
|
||||
.option('--db <connection-string>', 'Database connection string (or set MEMORY_DB_URL)')
|
||||
.option('--limit <n>', 'Maximum number of results', '10')
|
||||
.option('--agent <id>', 'Filter by agent / user ID')
|
||||
.action(async (query: string, opts: { db?: string; limit: string; agent?: string }) => {
|
||||
let adapter: MemoryAdapter | undefined;
|
||||
try {
|
||||
adapter = await resolveAdapter(opts.db);
|
||||
const limit = parseInt(opts.limit, 10);
|
||||
const userId = opts.agent ?? 'system';
|
||||
const results = await adapter.searchInsights(userId, query, { limit });
|
||||
|
||||
if (results.length === 0) {
|
||||
console.log('No insights found.');
|
||||
} else {
|
||||
for (const r of results) {
|
||||
console.log(`[${r.id}] (score=${r.score.toFixed(3)}) ${r.content}`);
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
|
||||
process.exitCode = 1;
|
||||
} finally {
|
||||
await adapter?.close();
|
||||
}
|
||||
});
|
||||
|
||||
// ── memory stats ──────────────────────────────────────────────────────
|
||||
memory
|
||||
.command('stats')
|
||||
.description('Print memory tier info: adapter type, insight count, preference count')
|
||||
.option('--db <connection-string>', 'Database connection string (or set MEMORY_DB_URL)')
|
||||
.option('--agent <id>', 'User / agent ID scope for counts', 'system')
|
||||
.action(async (opts: { db?: string; agent: string }) => {
|
||||
let adapter: MemoryAdapter | undefined;
|
||||
try {
|
||||
adapter = await resolveAdapter(opts.db);
|
||||
|
||||
const adapterType = adapter.name;
|
||||
|
||||
const insightCount = await adapter
|
||||
.searchInsights(opts.agent, '', { limit: 100000 })
|
||||
.then((r) => r.length)
|
||||
.catch(() => -1);
|
||||
|
||||
const prefCount = await adapter
|
||||
.listPreferences(opts.agent)
|
||||
.then((r) => r.length)
|
||||
.catch(() => -1);
|
||||
|
||||
console.log(`adapter: ${adapterType}`);
|
||||
console.log(`insights: ${insightCount === -1 ? 'unavailable' : String(insightCount)}`);
|
||||
console.log(`preferences: ${prefCount === -1 ? 'unavailable' : String(prefCount)}`);
|
||||
} catch (err) {
|
||||
console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
|
||||
process.exitCode = 1;
|
||||
} finally {
|
||||
await adapter?.close();
|
||||
}
|
||||
});
|
||||
|
||||
// ── memory insights ───────────────────────────────────────────────────
|
||||
const insightsCmd = memory.command('insights').description('Manage insights');
|
||||
|
||||
insightsCmd
|
||||
.command('list')
|
||||
.description('List recent insights')
|
||||
.option('--db <connection-string>', 'Database connection string (or set MEMORY_DB_URL)')
|
||||
.option('--limit <n>', 'Maximum number of results', '20')
|
||||
.option('--agent <id>', 'User / agent ID scope', 'system')
|
||||
.action(async (opts: { db?: string; limit: string; agent: string }) => {
|
||||
let adapter: MemoryAdapter | undefined;
|
||||
try {
|
||||
adapter = await resolveAdapter(opts.db);
|
||||
const limit = parseInt(opts.limit, 10);
|
||||
const results = await adapter.searchInsights(opts.agent, '', { limit });
|
||||
|
||||
if (results.length === 0) {
|
||||
console.log('No insights found.');
|
||||
} else {
|
||||
for (const r of results) {
|
||||
console.log(`[${r.id}] ${r.content}`);
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
|
||||
process.exitCode = 1;
|
||||
} finally {
|
||||
await adapter?.close();
|
||||
}
|
||||
});
|
||||
|
||||
// ── memory preferences ────────────────────────────────────────────────
|
||||
const prefsCmd = memory.command('preferences').description('Manage stored preferences');
|
||||
|
||||
prefsCmd
|
||||
.command('list')
|
||||
.description('List stored preferences')
|
||||
.option('--db <connection-string>', 'Database connection string (or set MEMORY_DB_URL)')
|
||||
.option('--agent <id>', 'User / agent ID scope', 'system')
|
||||
.option('--category <cat>', 'Filter by category')
|
||||
.action(async (opts: { db?: string; agent: string; category?: string }) => {
|
||||
let adapter: MemoryAdapter | undefined;
|
||||
try {
|
||||
adapter = await resolveAdapter(opts.db);
|
||||
const prefs = await adapter.listPreferences(opts.agent, opts.category);
|
||||
|
||||
if (prefs.length === 0) {
|
||||
console.log('No preferences found.');
|
||||
} else {
|
||||
for (const p of prefs) {
|
||||
console.log(`[${p.category}] ${p.key} = ${JSON.stringify(p.value)}`);
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
|
||||
process.exitCode = 1;
|
||||
} finally {
|
||||
await adapter?.close();
|
||||
}
|
||||
});
|
||||
}
|
||||
@@ -1,4 +1,5 @@
|
||||
export { createMemory, type Memory } from './memory.js';
|
||||
export { registerMemoryCommand } from './cli.js';
|
||||
export {
|
||||
createPreferencesRepo,
|
||||
type PreferencesRepo,
|
||||
|
||||
@@ -27,10 +27,10 @@
|
||||
"test": "vitest run --passWithNoTests"
|
||||
},
|
||||
"dependencies": {
|
||||
"@mosaicstack/brain": "workspace:*",
|
||||
"@mosaicstack/config": "workspace:*",
|
||||
"@mosaicstack/forge": "workspace:*",
|
||||
"@mosaicstack/macp": "workspace:*",
|
||||
"@mosaicstack/memory": "workspace:*",
|
||||
"@mosaicstack/prdy": "workspace:*",
|
||||
"@mosaicstack/quality-rails": "workspace:*",
|
||||
"@mosaicstack/types": "workspace:*",
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
import { createRequire } from 'module';
|
||||
import { Command } from 'commander';
|
||||
import { registerBrainCommand } from '@mosaicstack/brain';
|
||||
import { registerQualityRails } from '@mosaicstack/quality-rails';
|
||||
import { registerMemoryCommand } from '@mosaicstack/memory';
|
||||
import { registerAgentCommand } from './commands/agent.js';
|
||||
import { registerMissionCommand } from './commands/mission.js';
|
||||
// prdy is registered via launch.ts
|
||||
@@ -34,23 +34,7 @@ try {
|
||||
|
||||
const program = new Command();
|
||||
|
||||
program
|
||||
.name('mosaic')
|
||||
.description('Mosaic Stack CLI')
|
||||
.version(CLI_VERSION)
|
||||
.configureHelp({ sortSubcommands: true })
|
||||
.addHelpText(
|
||||
'after',
|
||||
`
|
||||
Command Groups:
|
||||
|
||||
Runtime: tui, login, sessions
|
||||
Gateway: gateway
|
||||
Framework: agent, bootstrap, coord, doctor, init, launch, mission, prdy, seq, sync, upgrade, wizard, yolo
|
||||
Platform: update
|
||||
Runtimes: claude, codex, opencode, pi
|
||||
`,
|
||||
);
|
||||
program.name('mosaic').description('Mosaic Stack CLI').version(CLI_VERSION);
|
||||
|
||||
// ─── runtime launchers + framework commands ────────────────────────────
|
||||
|
||||
@@ -231,10 +215,7 @@ program
|
||||
|
||||
// ─── sessions ───────────────────────────────────────────────────────────
|
||||
|
||||
const sessionsCmd = program
|
||||
.command('sessions')
|
||||
.description('Manage active agent sessions')
|
||||
.configureHelp({ sortSubcommands: true });
|
||||
const sessionsCmd = program.command('sessions').description('Manage active agent sessions');
|
||||
|
||||
sessionsCmd
|
||||
.command('list')
|
||||
@@ -334,14 +315,14 @@ registerAgentCommand(program);
|
||||
|
||||
registerMissionCommand(program);
|
||||
|
||||
// ─── brain ──────────────────────────────────────────────────────────────
|
||||
|
||||
registerBrainCommand(program);
|
||||
|
||||
// ─── quality-rails ──────────────────────────────────────────────────────
|
||||
|
||||
registerQualityRails(program);
|
||||
|
||||
// ─── memory ──────────────────────────────────────────────────────────────
|
||||
|
||||
registerMemoryCommand(program);
|
||||
|
||||
// ─── update ─────────────────────────────────────────────────────────────
|
||||
|
||||
program
|
||||
|
||||
@@ -6,7 +6,6 @@ import {
|
||||
stopDaemon,
|
||||
waitForHealth,
|
||||
} from './gateway/daemon.js';
|
||||
import { getGatewayUrl } from './gateway/login.js';
|
||||
|
||||
interface GatewayParentOpts {
|
||||
host: string;
|
||||
@@ -31,7 +30,6 @@ export function registerGatewayCommand(program: Command): void {
|
||||
.option('-h, --host <host>', 'Gateway host', 'localhost')
|
||||
.option('-p, --port <port>', 'Gateway port', '14242')
|
||||
.option('-t, --token <token>', 'Admin API token')
|
||||
.configureHelp({ sortSubcommands: true })
|
||||
.action(() => {
|
||||
gw.outputHelp();
|
||||
});
|
||||
@@ -120,28 +118,9 @@ export function registerGatewayCommand(program: Command): void {
|
||||
await runStatus(opts);
|
||||
});
|
||||
|
||||
// ─── login ──────────────────────────────────────────────────────────────
|
||||
|
||||
gw.command('login')
|
||||
.description('Sign in to the gateway (defaults to URL from meta.json)')
|
||||
.option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
|
||||
.option('-e, --email <email>', 'Email address')
|
||||
.option('-p, --password <password>', 'Password')
|
||||
.action(async (cmdOpts: { gateway?: string; email?: string; password?: string }) => {
|
||||
const { runLogin } = await import('./gateway/login.js');
|
||||
const url = getGatewayUrl(cmdOpts.gateway);
|
||||
try {
|
||||
await runLogin({ gatewayUrl: url, email: cmdOpts.email, password: cmdOpts.password });
|
||||
} catch (err) {
|
||||
console.error(err instanceof Error ? err.message : String(err));
|
||||
process.exit(1);
|
||||
}
|
||||
});
|
||||
|
||||
// ─── config ─────────────────────────────────────────────────────────────
|
||||
|
||||
const configCmd = gw
|
||||
.command('config')
|
||||
gw.command('config')
|
||||
.description('View or modify gateway configuration')
|
||||
.option('--set <KEY=VALUE>', 'Set a configuration value')
|
||||
.option('--unset <KEY>', 'Remove a configuration key')
|
||||
@@ -151,24 +130,6 @@ export function registerGatewayCommand(program: Command): void {
|
||||
await runConfig(cmdOpts);
|
||||
});
|
||||
|
||||
configCmd
|
||||
.command('rotate-token')
|
||||
.description('Mint a new admin token using the stored BetterAuth session')
|
||||
.option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
|
||||
.action(async (cmdOpts: { gateway?: string }) => {
|
||||
const { runRotateToken } = await import('./gateway/token-ops.js');
|
||||
await runRotateToken(cmdOpts.gateway);
|
||||
});
|
||||
|
||||
configCmd
|
||||
.command('recover-token')
|
||||
.description('Recover an admin token — prompts for login if no valid session exists')
|
||||
.option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
|
||||
.action(async (cmdOpts: { gateway?: string }) => {
|
||||
const { runRecoverToken } = await import('./gateway/token-ops.js');
|
||||
await runRecoverToken(cmdOpts.gateway);
|
||||
});
|
||||
|
||||
// ─── logs ───────────────────────────────────────────────────────────────
|
||||
|
||||
gw.command('logs')
|
||||
|
||||
@@ -388,32 +388,10 @@ async function bootstrapFirstUser(
|
||||
if (!status.needsSetup) {
|
||||
if (meta.adminToken) {
|
||||
console.log('Admin user already exists (token on file).');
|
||||
return;
|
||||
} else {
|
||||
console.log('Admin user already exists — skipping setup.');
|
||||
console.log('(No admin token on file — sign in via the web UI to manage tokens.)');
|
||||
}
|
||||
|
||||
// Admin user exists but no token — offer inline recovery when interactive.
|
||||
console.log('Admin user already exists but no admin token is on file.');
|
||||
|
||||
if (process.stdin.isTTY) {
|
||||
const answer = (await prompt(rl, 'Run token recovery now? [Y/n] ')).trim().toLowerCase();
|
||||
if (answer === '' || answer === 'y' || answer === 'yes') {
|
||||
console.log();
|
||||
try {
|
||||
const { ensureSession, mintAdminToken, persistToken } = await import('./token-ops.js');
|
||||
const cookie = await ensureSession(baseUrl);
|
||||
const label = `CLI recovery token (${new Date().toISOString().slice(0, 16).replace('T', ' ')})`;
|
||||
const minted = await mintAdminToken(baseUrl, cookie, label);
|
||||
persistToken(baseUrl, minted);
|
||||
} catch (err) {
|
||||
console.error(
|
||||
`Token recovery failed: ${err instanceof Error ? err.message : String(err)}`,
|
||||
);
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
console.log('No admin token on file. Run: mosaic gateway config recover-token');
|
||||
return;
|
||||
}
|
||||
} catch {
|
||||
|
||||
@@ -1,87 +0,0 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// Mock auth module
|
||||
vi.mock('../../auth.js', () => ({
|
||||
signIn: vi.fn(),
|
||||
saveSession: vi.fn(),
|
||||
}));
|
||||
|
||||
// Mock daemon to avoid file-system reads
|
||||
vi.mock('./daemon.js', () => ({
|
||||
readMeta: vi.fn().mockReturnValue({
|
||||
host: 'localhost',
|
||||
port: 14242,
|
||||
version: '1.0.0',
|
||||
installedAt: '',
|
||||
entryPoint: '',
|
||||
}),
|
||||
}));
|
||||
|
||||
import { runLogin, getGatewayUrl } from './login.js';
|
||||
import { signIn, saveSession } from '../../auth.js';
|
||||
import { readMeta } from './daemon.js';
|
||||
|
||||
const mockSignIn = vi.mocked(signIn);
|
||||
const mockSaveSession = vi.mocked(saveSession);
|
||||
const mockReadMeta = vi.mocked(readMeta);
|
||||
|
||||
describe('getGatewayUrl', () => {
|
||||
it('returns override URL when provided', () => {
|
||||
expect(getGatewayUrl('http://my-gateway:9999')).toBe('http://my-gateway:9999');
|
||||
});
|
||||
|
||||
it('builds URL from meta.json when no override given', () => {
|
||||
mockReadMeta.mockReturnValueOnce({
|
||||
host: 'myhost',
|
||||
port: 8080,
|
||||
version: '1.0.0',
|
||||
installedAt: '',
|
||||
entryPoint: '',
|
||||
});
|
||||
expect(getGatewayUrl()).toBe('http://myhost:8080');
|
||||
});
|
||||
|
||||
it('falls back to default when meta is null', () => {
|
||||
mockReadMeta.mockReturnValueOnce(null);
|
||||
expect(getGatewayUrl()).toBe('http://localhost:14242');
|
||||
});
|
||||
});
|
||||
|
||||
describe('runLogin', () => {
|
||||
const consoleLogSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
});
|
||||
|
||||
it('calls signIn and saveSession on success', async () => {
|
||||
const fakeAuth = {
|
||||
cookie: 'better-auth.session_token=abc',
|
||||
userId: 'u1',
|
||||
email: 'admin@test.com',
|
||||
};
|
||||
mockSignIn.mockResolvedValueOnce(fakeAuth);
|
||||
|
||||
await runLogin({
|
||||
gatewayUrl: 'http://localhost:14242',
|
||||
email: 'admin@test.com',
|
||||
password: 'password123',
|
||||
});
|
||||
|
||||
expect(mockSignIn).toHaveBeenCalledWith(
|
||||
'http://localhost:14242',
|
||||
'admin@test.com',
|
||||
'password123',
|
||||
);
|
||||
expect(mockSaveSession).toHaveBeenCalledWith('http://localhost:14242', fakeAuth);
|
||||
expect(consoleLogSpy).toHaveBeenCalledWith(expect.stringContaining('admin@test.com'));
|
||||
});
|
||||
|
||||
it('propagates signIn errors', async () => {
|
||||
mockSignIn.mockRejectedValueOnce(new Error('Sign-in failed (401): invalid credentials'));
|
||||
|
||||
await expect(
|
||||
runLogin({ gatewayUrl: 'http://localhost:14242', email: 'bad@test.com', password: 'wrong' }),
|
||||
).rejects.toThrow('Sign-in failed (401)');
|
||||
});
|
||||
});
|
||||
@@ -1,39 +0,0 @@
|
||||
import { createInterface } from 'node:readline';
|
||||
import { signIn, saveSession } from '../../auth.js';
|
||||
import { readMeta } from './daemon.js';
|
||||
|
||||
/**
|
||||
* Shared login helper used by both `mosaic login` and `mosaic gateway login`.
|
||||
* Prompts for email/password if not supplied, signs in, and persists the session.
|
||||
*/
|
||||
export async function runLogin(opts: {
|
||||
gatewayUrl: string;
|
||||
email?: string;
|
||||
password?: string;
|
||||
}): Promise<void> {
|
||||
let email = opts.email;
|
||||
let password = opts.password;
|
||||
|
||||
if (!email || !password) {
|
||||
const rl = createInterface({ input: process.stdin, output: process.stdout });
|
||||
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
|
||||
|
||||
if (!email) email = await ask('Email: ');
|
||||
if (!password) password = await ask('Password: ');
|
||||
rl.close();
|
||||
}
|
||||
|
||||
const auth = await signIn(opts.gatewayUrl, email, password);
|
||||
saveSession(opts.gatewayUrl, auth);
|
||||
console.log(`Signed in as ${auth.email} (${opts.gatewayUrl})`);
|
||||
}
|
||||
|
||||
/**
|
||||
* Derive the gateway base URL from meta.json with a fallback.
|
||||
*/
|
||||
export function getGatewayUrl(overrideUrl?: string): string {
|
||||
if (overrideUrl) return overrideUrl;
|
||||
const meta = readMeta();
|
||||
if (meta) return `http://${meta.host}:${meta.port.toString()}`;
|
||||
return 'http://localhost:14242';
|
||||
}
|
||||
@@ -1,176 +0,0 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// ─── Mocks ──────────────────────────────────────────────────────────────────
|
||||
|
||||
vi.mock('../../auth.js', () => ({
|
||||
loadSession: vi.fn(),
|
||||
validateSession: vi.fn(),
|
||||
signIn: vi.fn(),
|
||||
saveSession: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock('./daemon.js', () => ({
|
||||
readMeta: vi.fn(),
|
||||
writeMeta: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock('./login.js', () => ({
|
||||
getGatewayUrl: vi.fn().mockReturnValue('http://localhost:14242'),
|
||||
}));
|
||||
|
||||
// Mock readline so tests don't block on stdin
|
||||
vi.mock('node:readline', () => ({
|
||||
createInterface: vi.fn().mockReturnValue({
|
||||
question: vi.fn((_q: string, cb: (a: string) => void) => cb('test-input')),
|
||||
close: vi.fn(),
|
||||
}),
|
||||
}));
|
||||
|
||||
const mockFetch = vi.fn();
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
|
||||
import { runRecoverToken, ensureSession } from './token-ops.js';
|
||||
import { loadSession, validateSession, signIn, saveSession } from '../../auth.js';
|
||||
import { readMeta, writeMeta } from './daemon.js';
|
||||
|
||||
const mockLoadSession = vi.mocked(loadSession);
|
||||
const mockValidateSession = vi.mocked(validateSession);
|
||||
const mockSignIn = vi.mocked(signIn);
|
||||
const mockSaveSession = vi.mocked(saveSession);
|
||||
const mockReadMeta = vi.mocked(readMeta);
|
||||
const mockWriteMeta = vi.mocked(writeMeta);
|
||||
|
||||
const baseUrl = 'http://localhost:14242';
|
||||
const fakeCookie = 'better-auth.session_token=sess123';
|
||||
const fakeToken = {
|
||||
id: 'tok-1',
|
||||
label: 'CLI recovery token (2026-04-04 12:00)',
|
||||
plaintext: 'abcdef1234567890',
|
||||
};
|
||||
const fakeMeta = {
|
||||
version: '1.0.0',
|
||||
installedAt: '',
|
||||
entryPoint: '',
|
||||
host: 'localhost',
|
||||
port: 14242,
|
||||
};
|
||||
|
||||
describe('ensureSession', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
vi.spyOn(console, 'log').mockImplementation(() => {});
|
||||
});
|
||||
|
||||
it('returns cookie from stored session when valid', async () => {
|
||||
mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
|
||||
mockValidateSession.mockResolvedValueOnce(true);
|
||||
|
||||
const cookie = await ensureSession(baseUrl);
|
||||
expect(cookie).toBe(fakeCookie);
|
||||
expect(mockSignIn).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('prompts for credentials and signs in when stored session is invalid', async () => {
|
||||
mockLoadSession.mockReturnValueOnce({ cookie: 'old-cookie', userId: 'u1', email: 'a@b.com' });
|
||||
mockValidateSession.mockResolvedValueOnce(false);
|
||||
const newAuth = { cookie: fakeCookie, userId: 'u2', email: 'a@b.com' };
|
||||
mockSignIn.mockResolvedValueOnce(newAuth);
|
||||
|
||||
const cookie = await ensureSession(baseUrl);
|
||||
expect(cookie).toBe(fakeCookie);
|
||||
expect(mockSaveSession).toHaveBeenCalledWith(baseUrl, newAuth);
|
||||
});
|
||||
|
||||
it('prompts for credentials when no session exists', async () => {
|
||||
mockLoadSession.mockReturnValueOnce(null);
|
||||
const newAuth = { cookie: fakeCookie, userId: 'u2', email: 'a@b.com' };
|
||||
mockSignIn.mockResolvedValueOnce(newAuth);
|
||||
|
||||
const cookie = await ensureSession(baseUrl);
|
||||
expect(cookie).toBe(fakeCookie);
|
||||
expect(mockSignIn).toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('exits non-zero when signIn fails', async () => {
|
||||
mockLoadSession.mockReturnValueOnce(null);
|
||||
mockSignIn.mockRejectedValueOnce(new Error('Sign-in failed (401): bad creds'));
|
||||
const processExitSpy = vi
|
||||
.spyOn(process, 'exit')
|
||||
.mockImplementation((_code?: number | string | null | undefined) => {
|
||||
throw new Error(`process.exit(${String(_code)})`);
|
||||
});
|
||||
const consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
|
||||
await expect(ensureSession(baseUrl)).rejects.toThrow('process.exit(2)');
|
||||
expect(processExitSpy).toHaveBeenCalledWith(2);
|
||||
|
||||
processExitSpy.mockRestore();
|
||||
consoleErrorSpy.mockRestore();
|
||||
});
|
||||
});
|
||||
|
||||
describe('runRecoverToken', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
vi.spyOn(console, 'log').mockImplementation(() => {});
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
});
|
||||
|
||||
it('prompts for login, mints a token, and persists it when no session exists', async () => {
|
||||
mockLoadSession.mockReturnValueOnce(null);
|
||||
const newAuth = { cookie: fakeCookie, userId: 'u2', email: 'admin@test.com' };
|
||||
mockSignIn.mockResolvedValueOnce(newAuth);
|
||||
mockReadMeta.mockReturnValue(fakeMeta);
|
||||
mockFetch.mockResolvedValueOnce({
|
||||
ok: true,
|
||||
status: 200,
|
||||
json: async () => fakeToken,
|
||||
});
|
||||
|
||||
await runRecoverToken();
|
||||
|
||||
expect(mockSignIn).toHaveBeenCalled();
|
||||
expect(mockFetch).toHaveBeenCalledWith(
|
||||
`${baseUrl}/api/admin/tokens`,
|
||||
expect.objectContaining({ method: 'POST' }),
|
||||
);
|
||||
expect(mockWriteMeta).toHaveBeenCalledWith(
|
||||
expect.objectContaining({ adminToken: fakeToken.plaintext }),
|
||||
);
|
||||
});
|
||||
|
||||
it('skips login when a valid session exists and mints a recovery token', async () => {
|
||||
mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
|
||||
mockValidateSession.mockResolvedValueOnce(true);
|
||||
mockReadMeta.mockReturnValue(fakeMeta);
|
||||
mockFetch.mockResolvedValueOnce({
|
||||
ok: true,
|
||||
status: 200,
|
||||
json: async () => fakeToken,
|
||||
});
|
||||
|
||||
await runRecoverToken();
|
||||
|
||||
expect(mockSignIn).not.toHaveBeenCalled();
|
||||
expect(mockWriteMeta).toHaveBeenCalledWith(
|
||||
expect.objectContaining({ adminToken: fakeToken.plaintext }),
|
||||
);
|
||||
});
|
||||
|
||||
it('uses label containing "recovery token"', async () => {
|
||||
mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
|
||||
mockValidateSession.mockResolvedValueOnce(true);
|
||||
mockReadMeta.mockReturnValue(fakeMeta);
|
||||
mockFetch.mockResolvedValueOnce({
|
||||
ok: true,
|
||||
status: 200,
|
||||
json: async () => fakeToken,
|
||||
});
|
||||
|
||||
await runRecoverToken();
|
||||
|
||||
const call = mockFetch.mock.calls[0] as [string, RequestInit];
|
||||
const body = JSON.parse(call[1].body as string) as { label: string };
|
||||
expect(body.label).toMatch(/CLI recovery token/);
|
||||
});
|
||||
});
|
||||
@@ -1,205 +0,0 @@
|
||||
import { describe, it, expect, vi, beforeEach } from 'vitest';
|
||||
|
||||
// ─── Mocks ──────────────────────────────────────────────────────────────────
|
||||
|
||||
vi.mock('../../auth.js', () => ({
|
||||
loadSession: vi.fn(),
|
||||
validateSession: vi.fn(),
|
||||
signIn: vi.fn(),
|
||||
saveSession: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock('./daemon.js', () => ({
|
||||
readMeta: vi.fn(),
|
||||
writeMeta: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock('./login.js', () => ({
|
||||
getGatewayUrl: vi.fn().mockReturnValue('http://localhost:14242'),
|
||||
}));
|
||||
|
||||
// Mock global fetch
|
||||
const mockFetch = vi.fn();
|
||||
vi.stubGlobal('fetch', mockFetch);
|
||||
|
||||
import { runRotateToken, mintAdminToken, persistToken } from './token-ops.js';
|
||||
import { loadSession, validateSession } from '../../auth.js';
|
||||
import { readMeta, writeMeta } from './daemon.js';
|
||||
|
||||
const mockLoadSession = vi.mocked(loadSession);
|
||||
const mockValidateSession = vi.mocked(validateSession);
|
||||
const mockReadMeta = vi.mocked(readMeta);
|
||||
const mockWriteMeta = vi.mocked(writeMeta);
|
||||
|
||||
const baseUrl = 'http://localhost:14242';
|
||||
const fakeCookie = 'better-auth.session_token=sess123';
|
||||
const fakeToken = {
|
||||
id: 'tok-1',
|
||||
label: 'CLI rotated token (2026-04-04)',
|
||||
plaintext: 'abcdef1234567890',
|
||||
};
|
||||
const fakeMeta = {
|
||||
version: '1.0.0',
|
||||
installedAt: '',
|
||||
entryPoint: '',
|
||||
host: 'localhost',
|
||||
port: 14242,
|
||||
};
|
||||
|
||||
describe('mintAdminToken', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
});
|
||||
|
||||
it('calls the admin tokens endpoint with the session cookie and returns the token', async () => {
|
||||
mockFetch.mockResolvedValueOnce({
|
||||
ok: true,
|
||||
status: 200,
|
||||
json: async () => fakeToken,
|
||||
});
|
||||
|
||||
const result = await mintAdminToken(baseUrl, fakeCookie, fakeToken.label);
|
||||
|
||||
expect(mockFetch).toHaveBeenCalledWith(
|
||||
`${baseUrl}/api/admin/tokens`,
|
||||
expect.objectContaining({
|
||||
method: 'POST',
|
||||
headers: expect.objectContaining({ Cookie: fakeCookie }),
|
||||
}),
|
||||
);
|
||||
expect(result).toEqual(fakeToken);
|
||||
});
|
||||
|
||||
it('exits 2 on 401 from the server', async () => {
|
||||
mockFetch.mockResolvedValueOnce({ ok: false, status: 401, text: async () => 'Unauthorized' });
|
||||
const processExitSpy = vi
|
||||
.spyOn(process, 'exit')
|
||||
.mockImplementation((_code?: number | string | null | undefined) => {
|
||||
throw new Error(`process.exit(${String(_code)})`);
|
||||
});
|
||||
|
||||
await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(2)');
|
||||
expect(processExitSpy).toHaveBeenCalledWith(2);
|
||||
processExitSpy.mockRestore();
|
||||
});
|
||||
|
||||
it('exits 2 on 403 from the server', async () => {
|
||||
mockFetch.mockResolvedValueOnce({ ok: false, status: 403, text: async () => 'Forbidden' });
|
||||
const processExitSpy = vi
|
||||
.spyOn(process, 'exit')
|
||||
.mockImplementation((_code?: number | string | null | undefined) => {
|
||||
throw new Error(`process.exit(${String(_code)})`);
|
||||
});
|
||||
|
||||
await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(2)');
|
||||
expect(processExitSpy).toHaveBeenCalledWith(2);
|
||||
processExitSpy.mockRestore();
|
||||
});
|
||||
|
||||
it('exits 3 on other non-ok status', async () => {
|
||||
mockFetch.mockResolvedValueOnce({ ok: false, status: 500, text: async () => 'Internal Error' });
|
||||
const processExitSpy = vi
|
||||
.spyOn(process, 'exit')
|
||||
.mockImplementation((_code?: number | string | null | undefined) => {
|
||||
throw new Error(`process.exit(${String(_code)})`);
|
||||
});
|
||||
|
||||
await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(3)');
|
||||
expect(processExitSpy).toHaveBeenCalledWith(3);
|
||||
processExitSpy.mockRestore();
|
||||
});
|
||||
|
||||
it('exits 1 on network error', async () => {
|
||||
mockFetch.mockRejectedValueOnce(new Error('connection refused'));
|
||||
const processExitSpy = vi
|
||||
.spyOn(process, 'exit')
|
||||
.mockImplementation((_code?: number | string | null | undefined) => {
|
||||
throw new Error(`process.exit(${String(_code)})`);
|
||||
});
|
||||
|
||||
await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(1)');
|
||||
expect(processExitSpy).toHaveBeenCalledWith(1);
|
||||
processExitSpy.mockRestore();
|
||||
});
|
||||
});
|
||||
|
||||
describe('persistToken', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
});
|
||||
|
||||
it('writes the new token to meta.json', () => {
|
||||
mockReadMeta.mockReturnValueOnce(fakeMeta);
|
||||
const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
|
||||
|
||||
persistToken(baseUrl, fakeToken);
|
||||
|
||||
expect(mockWriteMeta).toHaveBeenCalledWith(
|
||||
expect.objectContaining({ adminToken: fakeToken.plaintext }),
|
||||
);
|
||||
consoleSpy.mockRestore();
|
||||
});
|
||||
|
||||
it('prints a masked preview of the token', () => {
|
||||
mockReadMeta.mockReturnValueOnce(fakeMeta);
|
||||
const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
|
||||
|
||||
persistToken(baseUrl, fakeToken);
|
||||
|
||||
const allOutput = consoleSpy.mock.calls.map((c) => c.join(' ')).join('\n');
|
||||
expect(allOutput).toContain('abcdef12...');
|
||||
consoleSpy.mockRestore();
|
||||
});
|
||||
});
|
||||
|
||||
describe('runRotateToken', () => {
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
vi.spyOn(console, 'error').mockImplementation(() => {});
|
||||
vi.spyOn(console, 'log').mockImplementation(() => {});
|
||||
});
|
||||
|
||||
it('exits 2 when there is no stored session', async () => {
|
||||
mockLoadSession.mockReturnValueOnce(null);
|
||||
const processExitSpy = vi
|
||||
.spyOn(process, 'exit')
|
||||
.mockImplementation((_code?: number | string | null | undefined) => {
|
||||
throw new Error(`process.exit(${String(_code)})`);
|
||||
});
|
||||
|
||||
await expect(runRotateToken()).rejects.toThrow('process.exit(2)');
|
||||
expect(processExitSpy).toHaveBeenCalledWith(2);
|
||||
processExitSpy.mockRestore();
|
||||
});
|
||||
|
||||
it('exits 2 when session is invalid', async () => {
|
||||
mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
|
||||
mockValidateSession.mockResolvedValueOnce(false);
|
||||
const processExitSpy = vi
|
||||
.spyOn(process, 'exit')
|
||||
.mockImplementation((_code?: number | string | null | undefined) => {
|
||||
throw new Error(`process.exit(${String(_code)})`);
|
||||
});
|
||||
|
||||
await expect(runRotateToken()).rejects.toThrow('process.exit(2)');
|
||||
expect(processExitSpy).toHaveBeenCalledWith(2);
|
||||
processExitSpy.mockRestore();
|
||||
});
|
||||
|
||||
it('mints and persists a new token when session is valid', async () => {
|
||||
mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
|
||||
mockValidateSession.mockResolvedValueOnce(true);
|
||||
mockReadMeta.mockReturnValue(fakeMeta);
|
||||
mockFetch.mockResolvedValueOnce({
|
||||
ok: true,
|
||||
status: 200,
|
||||
json: async () => fakeToken,
|
||||
});
|
||||
|
||||
await runRotateToken();
|
||||
|
||||
expect(mockWriteMeta).toHaveBeenCalledWith(
|
||||
expect.objectContaining({ adminToken: fakeToken.plaintext }),
|
||||
);
|
||||
});
|
||||
});
|
||||
@@ -1,149 +0,0 @@
|
||||
import { createInterface } from 'node:readline';
|
||||
import { loadSession, validateSession, signIn, saveSession } from '../../auth.js';
|
||||
import { readMeta, writeMeta } from './daemon.js';
|
||||
import { getGatewayUrl } from './login.js';
|
||||
|
||||
interface MintedToken {
|
||||
id: string;
|
||||
label: string;
|
||||
plaintext: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Call POST /api/admin/tokens with the session cookie and return the minted token.
|
||||
* Exits the process on network or auth errors.
|
||||
*/
|
||||
export async function mintAdminToken(
|
||||
gatewayUrl: string,
|
||||
cookie: string,
|
||||
label: string,
|
||||
): Promise<MintedToken> {
|
||||
let res: Response;
|
||||
try {
|
||||
res = await fetch(`${gatewayUrl}/api/admin/tokens`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
Cookie: cookie,
|
||||
Origin: gatewayUrl,
|
||||
},
|
||||
body: JSON.stringify({ label, scope: 'admin' }),
|
||||
});
|
||||
} catch (err) {
|
||||
console.error(
|
||||
`Could not reach gateway at ${gatewayUrl}: ${err instanceof Error ? err.message : String(err)}`,
|
||||
);
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (res.status === 401 || res.status === 403) {
|
||||
console.error(
|
||||
`Session rejected by the gateway (${res.status.toString()}) — your session may be expired.`,
|
||||
);
|
||||
console.error('Run: mosaic gateway login');
|
||||
process.exit(2);
|
||||
}
|
||||
|
||||
if (!res.ok) {
|
||||
const body = await res.text().catch(() => '');
|
||||
console.error(
|
||||
`Gateway rejected token creation (${res.status.toString()}): ${body.slice(0, 200)}`,
|
||||
);
|
||||
process.exit(3);
|
||||
}
|
||||
|
||||
const data = (await res.json()) as { id: string; label: string; plaintext: string };
|
||||
return { id: data.id, label: data.label, plaintext: data.plaintext };
|
||||
}
|
||||
|
||||
/**
|
||||
* Persist the new token into meta.json and print the confirmation banner.
|
||||
*/
|
||||
export function persistToken(gatewayUrl: string, minted: MintedToken): void {
|
||||
const meta = readMeta() ?? {
|
||||
version: 'unknown',
|
||||
installedAt: new Date().toISOString(),
|
||||
entryPoint: '',
|
||||
host: new URL(gatewayUrl).hostname,
|
||||
port: parseInt(new URL(gatewayUrl).port || '14242', 10),
|
||||
};
|
||||
|
||||
writeMeta({ ...meta, adminToken: minted.plaintext });
|
||||
|
||||
const preview = `${minted.plaintext.slice(0, 8)}...`;
|
||||
console.log();
|
||||
console.log(`Token minted: ${minted.label}`);
|
||||
console.log(`Preview: ${preview}`);
|
||||
console.log('Token saved to meta.json. Use it with admin endpoints.');
|
||||
}
|
||||
|
||||
/**
|
||||
* Require a valid session for the given gateway URL.
|
||||
* Returns the session cookie or exits if not authenticated.
|
||||
*/
|
||||
export async function requireSession(gatewayUrl: string): Promise<string> {
|
||||
const session = loadSession(gatewayUrl);
|
||||
if (session) {
|
||||
const valid = await validateSession(gatewayUrl, session.cookie);
|
||||
if (valid) return session.cookie;
|
||||
}
|
||||
console.error('Not signed in or session expired.');
|
||||
console.error('Run: mosaic gateway login');
|
||||
process.exit(2);
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure a valid session for the gateway, prompting for credentials if needed.
|
||||
* On sign-in failure, prints the error and exits non-zero.
|
||||
* Returns the session cookie.
|
||||
*/
|
||||
export async function ensureSession(gatewayUrl: string): Promise<string> {
|
||||
// Try the stored session first
|
||||
const session = loadSession(gatewayUrl);
|
||||
if (session) {
|
||||
const valid = await validateSession(gatewayUrl, session.cookie);
|
||||
if (valid) return session.cookie;
|
||||
console.log('Stored session is invalid or expired. Please sign in again.');
|
||||
} else {
|
||||
console.log(`No session found for ${gatewayUrl}. Please sign in.`);
|
||||
}
|
||||
|
||||
// Prompt for credentials
|
||||
const rl = createInterface({ input: process.stdin, output: process.stdout });
|
||||
const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
|
||||
|
||||
const email = (await ask('Email: ')).trim();
|
||||
const password = (await ask('Password: ')).trim();
|
||||
rl.close();
|
||||
|
||||
const auth = await signIn(gatewayUrl, email, password).catch((err: unknown) => {
|
||||
console.error(err instanceof Error ? err.message : String(err));
|
||||
process.exit(2);
|
||||
});
|
||||
|
||||
saveSession(gatewayUrl, auth);
|
||||
console.log(`Signed in as ${auth.email}`);
|
||||
return auth.cookie;
|
||||
}
|
||||
|
||||
/**
|
||||
* `mosaic gateway config rotate-token` — requires an existing valid session.
|
||||
*/
|
||||
export async function runRotateToken(gatewayUrl?: string): Promise<void> {
|
||||
const url = getGatewayUrl(gatewayUrl);
|
||||
const cookie = await requireSession(url);
|
||||
const label = `CLI rotated token (${new Date().toISOString().slice(0, 10)})`;
|
||||
const minted = await mintAdminToken(url, cookie, label);
|
||||
persistToken(url, minted);
|
||||
}
|
||||
|
||||
/**
|
||||
* `mosaic gateway config recover-token` — prompts for login if no session exists.
|
||||
*/
|
||||
export async function runRecoverToken(gatewayUrl?: string): Promise<void> {
|
||||
const url = getGatewayUrl(gatewayUrl);
|
||||
const cookie = await ensureSession(url);
|
||||
const label = `CLI recovery token (${new Date().toISOString().slice(0, 16).replace('T', ' ')})`;
|
||||
const minted = await mintAdminToken(url, cookie, label);
|
||||
persistToken(url, minted);
|
||||
}
|
||||
@@ -47,7 +47,6 @@ export function registerMissionCommand(program: Command) {
|
||||
.option('--update <idOrName>', 'Update a mission')
|
||||
.option('--project <idOrName>', 'Scope to project')
|
||||
.argument('[id]', 'Show mission detail by ID')
|
||||
.configureHelp({ sortSubcommands: true })
|
||||
.action(
|
||||
async (
|
||||
id: string | undefined,
|
||||
|
||||
12
pnpm-lock.yaml
generated
12
pnpm-lock.yaml
generated
@@ -294,9 +294,6 @@ importers:
|
||||
'@mosaicstack/types':
|
||||
specifier: workspace:*
|
||||
version: link:../types
|
||||
commander:
|
||||
specifier: ^13.0.0
|
||||
version: 13.1.0
|
||||
devDependencies:
|
||||
typescript:
|
||||
specifier: ^5.8.0
|
||||
@@ -441,6 +438,9 @@ importers:
|
||||
'@mosaicstack/types':
|
||||
specifier: workspace:*
|
||||
version: link:../types
|
||||
commander:
|
||||
specifier: ^13.0.0
|
||||
version: 13.1.0
|
||||
drizzle-orm:
|
||||
specifier: ^0.45.1
|
||||
version: 0.45.1(@electric-sql/pglite@0.2.17)(@opentelemetry/api@1.9.0)(@types/better-sqlite3@7.6.13)(@types/pg@8.15.6)(better-sqlite3@12.8.0)(kysely@0.28.11)(postgres@3.4.8)
|
||||
@@ -457,9 +457,6 @@ importers:
|
||||
'@clack/prompts':
|
||||
specifier: ^0.9.1
|
||||
version: 0.9.1
|
||||
'@mosaicstack/brain':
|
||||
specifier: workspace:*
|
||||
version: link:../brain
|
||||
'@mosaicstack/config':
|
||||
specifier: workspace:*
|
||||
version: link:../config
|
||||
@@ -469,6 +466,9 @@ importers:
|
||||
'@mosaicstack/macp':
|
||||
specifier: workspace:*
|
||||
version: link:../macp
|
||||
'@mosaicstack/memory':
|
||||
specifier: workspace:*
|
||||
version: link:../memory
|
||||
'@mosaicstack/prdy':
|
||||
specifier: workspace:*
|
||||
version: link:../prdy
|
||||
|
||||
Reference in New Issue
Block a user