feat(mosaic): gateway token recovery via BetterAuth cookie (CU-03-03..07)

Add mosaic gateway login subcommand with meta.json URL default, config rotate-token and recover-token subcommands for admin token minting via BetterAuth session cookie, fix the bootstrapFirstUser dead-end when admin exists but no token is on file, and add Vitest tests for all new flows. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat(brain): mosaic brain CLI surface (#403 )
2026-04-05 00:23:08 -05:00 · 2026-04-05 05:20:44 +00:00 · 2026-04-05 05:12:32 +00:00 · 2026-04-05 05:11:33 +00:00
16 changed files with 1188 additions and 7 deletions
--- a/docs/plans/gateway-token-recovery.md
+++ b/docs/plans/gateway-token-recovery.md
@@ -0,0 +1,193 @@
 # Gateway Admin Token Recovery — Implementation Plan
 **Mission:** `cli-unification-20260404`
 **Task:** `CU-03-01` (planning only — no runtime code changes)
 **Status:** Design locked (Session 1) — BetterAuth cookie-based recovery
 ---
 ## 1. Problem Statement
 The gateway installer strands operators when the admin user exists but the admin
 API token is missing. Concrete trigger:
 - `~/.config/mosaic/gateway/meta.json` was deleted / regenerated.
 - The installer was re-run after a previous successful bootstrap.
 Flow today (`packages/mosaic/src/commands/gateway/install.ts:375-400`):
 1. `bootstrapFirstUser` hits `GET /api/bootstrap/status`.
 2. Server returns `needsSetup: false` because `users` count > 0.
 3. Installer logs `Admin user already exists — skipping setup. (No admin token on file — sign in via the web UI to manage tokens.)` and returns.
 4. The operator now has:
   - No token in `meta.json`.
   - No CLI path to mint a new one (`mosaic gateway <anything>` that needs the token fails).
   - `POST /api/bootstrap/setup` locked out — it only runs when `users` count is zero (`apps/gateway/src/admin/bootstrap.controller.ts:34-37`).
   - `POST /api/admin/tokens` gated by `AdminGuard` — requires either a bearer token (which they don't have) or a BetterAuth session (which they don't have in the CLI).
 Dead end. The web UI is the only escape hatch today, and for headless installs even that may be inaccessible.
 ## 2. Design Summary
 The BetterAuth session cookie is the authority. The operator runs
 `mosaic gateway login` to sign in with email/password, which persists a session
 cookie via `saveSession` (reusing `packages/mosaic/src/auth.ts`). With a valid
 session, `mosaic gateway config recover-token` (stranded-operator entry point)
 and `mosaic gateway config rotate-token` call the existing authenticated admin
 endpoint `POST /api/admin/tokens` using the cookie, then persist the returned
 plaintext to `meta.json` via `writeMeta`. **No new server endpoints are
 required** — `AdminGuard` already accepts BetterAuth session cookies via its
 `validateSession` path (`apps/gateway/src/admin/admin.guard.ts:90-120`).
 ## 3. Surface Contract
 ### 3.1 Server — no changes required
 | Endpoint                       | Status          | Notes                                                                                                                    |
 | ------------------------------ | --------------- | ------------------------------------------------------------------------------------------------------------------------ |
 | `POST /api/admin/tokens`       | **Reuse as-is** | `admin-tokens.controller.ts:46-72`. Returns `{ id, label, scope, expiresAt, lastUsedAt, createdAt, plaintext }`.         |
 | `GET  /api/admin/tokens`       | **Reuse**       | Useful for `mosaic gateway config tokens list` follow-on (out of scope for CU-03-01, but trivial once auth path exists). |
 | `DELETE /api/admin/tokens/:id` | **Reuse**       | Used by rotate flow for optional old-token revocation.                                                                   |
 | `POST /api/bootstrap/setup`    | **Unchanged**   | Remains first-user-only; not part of recovery.                                                                           |
 `AdminGuard.validateSession` takes BetterAuth cookies from `request.raw.headers`
 via `fromNodeHeaders` and calls `auth.api.getSession({ headers })`. It also
 enforces `role === 'admin'`. This is exactly the path the CLI will hit with
 `Cookie: better-auth.session_token=...`.
 **Confirmed feasible** during CU-03-01 investigation.
 ### 3.2 `mosaic gateway login`
 Thin wrapper over the existing top-level `mosaic login`
 (`packages/mosaic/src/cli.ts:42-76`) with gateway-specific defaults pulled from
 `readMeta()`.
 | Aspect              | Behavior                                                                                                                        |
 | ------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
 | Default gateway URL | `http://${meta.host}:${meta.port}` from `readMeta()`, fallback `http://localhost:14242`.                                        |
 | Flow                | Prompt email + password -> `signIn()` -> `saveSession()`.                                                                       |
 | Persistence         | `~/.mosaic/session.json` via existing `saveSession` (7-day expiry).                                                             |
 | Decision            | **Thin wrapper**, not alias. Rationale: defaults differ (reads `meta.json`), and discoverability under `mosaic gateway --help`. |
 | Implementation      | Share the sign-in logic by extracting a small `runLogin(gatewayUrl, email?, password?)` helper; both commands call it.          |
 ### 3.3 `mosaic gateway config rotate-token`
 | Aspect       | Behavior                                                                                                                                                                                                                             |
 | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | Precondition | Valid session (via `loadSession` + `validateSession`). On failure, print: "Not signed in — run `mosaic gateway login`" and exit non-zero.                                                                                            |
 | Request      | `POST ${gatewayUrl}/api/admin/tokens` with header `Cookie: <session>`, body `{ label: "CLI token (rotated YYYY-MM-DD)" }`.                                                                                                           |
 | On success   | Read meta via `readMeta()`, set `meta.adminToken = plaintext`, `writeMeta(meta)`. Print the token banner (reuse `printAdminTokenBanner` shape).                                                                                      |
 | Old token    | **Optional `--revoke-old`** flag. When set and a previous `meta.adminToken` existed, call `DELETE /api/admin/tokens/:id` after rotation. Requires listing first to find the id; punt to CU-03-02 decision. Document as nice-to-have. |
 | Exit codes   | `0` success; `1` network error; `2` auth error; `3` server rejection.                                                                                                                                                                |
 ### 3.4 `mosaic gateway config recover-token`
 Superset of `rotate-token` with an inline login nudge — the "stranded operator"
 entry point.
 | Step | Action                                                                                                                           |
 | ---- | -------------------------------------------------------------------------------------------------------------------------------- |
 | 1    | `readMeta()` — derive gateway URL. If meta is missing entirely, fall back to `--gateway` flag or default.                        |
 | 2    | `loadSession(gatewayUrl)` then `validateSession`. If either fails, prompt inline: email + password -> `signIn` -> `saveSession`. |
 | 3    | `POST /api/admin/tokens` with cookie, label `"Recovered via CLI YYYY-MM-DDTHH:mm"`.                                              |
 | 4    | Persist plaintext to `meta.json` via `writeMeta`.                                                                                |
 | 5    | Print the token banner and next-steps hints (e.g. `mosaic gateway status`).                                                      |
 | 6    | Exit `0`.                                                                                                                        |
 Key property: this command is **runnable with nothing but email+password in hand**.
 It assumes the gateway is up but assumes no prior CLI session state.
 ### 3.5 File touch list (for CU-03-02..05 execution)
 | File                                                  | Change                                                                                     |
 | ----------------------------------------------------- | ------------------------------------------------------------------------------------------ |
 | `packages/mosaic/src/commands/gateway.ts`             | Register `login`, `config recover-token`, `config rotate-token` subcommands under `gw`.    |
 | `packages/mosaic/src/commands/gateway/config.ts`      | Add `runRecoverToken`, `runRotateToken` handlers; export from module.                      |
 | `packages/mosaic/src/commands/gateway/login.ts` (new) | Thin wrapper calling shared `runLogin` helper with meta-derived default URL.               |
 | `packages/mosaic/src/auth.ts`                         | No change expected. Possibly export a `requireSession(gatewayUrl)` helper (reuse pattern). |
 | `packages/mosaic/src/commands/gateway/install.ts`     | `bootstrapFirstUser` branch: "user exists, no token" -> offer recovery (see Section 4).    |
 ## 4. Installer Fix (CU-03-06 preview)
 Current stranding point is `install.ts:388-395`. The fix:
 ```
 if (!status.needsSetup) {
  if (meta.adminToken) {
    // unchanged — happy path
  } else {
    // NEW: prompt "Admin exists but no token on file. Recover now? [Y/n]"
    // If yes -> call runRecoverToken(gatewayUrl) inline (interactive):
    //   - prompt email + password
    //   - signIn -> saveSession
    //   - POST /api/admin/tokens
    //   - writeMeta(meta) with returned plaintext
    //   - print banner
    // If no -> print the current stranded message but include:
    //   "Run `mosaic gateway config recover-token` when ready."
  }
 }
 ```
 Shape notes (actual code lands in CU-03-06):
 - Extract the recovery body so it can be called **both** from the standalone
  command and from `bootstrapFirstUser` without duplicating prompts.
 - Reuse the same `rl` readline interface already open in `bootstrapFirstUser`
  for the inline prompts.
 - Preserve non-interactive behavior: if `process.stdin.isTTY` is false, skip the
  prompt and emit the "run recover-token" hint only.
 ## 5. Test Strategy (CU-03-07 scope)
 ### 5.1 Happy paths
 | Command                               | Scenario                                         | Expected                                                 |
 | ------------------------------------- | ------------------------------------------------ | -------------------------------------------------------- |
 | `mosaic gateway login`                | Valid creds                                      | `session.json` written, 7-day expiry, exit 0             |
 | `mosaic gateway config rotate-token`  | Valid session, server reachable                  | `meta.json` updated, banner printed, new token usable    |
 | `mosaic gateway config recover-token` | No session, valid creds, server reachable        | Prompts for creds, writes session + meta, exit 0         |
 | Installer inline recovery             | Re-run after `meta.json` wipe, operator says yes | Meta restored, banner printed, no manual CLI step needed |
 ### 5.2 Error paths (must all produce actionable messages and non-zero exit)
 | Failure                           | Expected handling                                                                 |
 | --------------------------------- | --------------------------------------------------------------------------------- |
 | Invalid email/password            | BetterAuth 401 surfaced as "Sign-in failed: <server message>", exit 2             |
 | Expired stored session            | Recover command silently re-prompts; rotate command exits 2 with "run login" hint |
 | Gateway down / connection refused | "Could not reach gateway at <url>" exit 1                                         |
 | Server rejects token creation     | Print status + body excerpt, exit 3                                               |
 | Meta file missing (recover)       | Fall back to `--gateway` flag or default; warn that meta will be created          |
 | Non-admin user                    | `AdminGuard` 403 surfaced as "User is not an admin", exit 2                       |
 ### 5.3 Integration test (recommended)
 Spin up gateway in test harness, create admin user via `/api/bootstrap/setup`,
 wipe `meta.json`, invoke `mosaic gateway config recover-token` programmatically,
 assert new `meta.adminToken` works against `GET /api/admin/tokens`.
 ## 6. Risks & Open Questions
 | #   | Item                                                                                                                                                                                    | Severity | Mitigation                                                                                                     |
 | --- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------- |
 | 1   | `AdminGuard.validateSession` calls `getSession` with `fromNodeHeaders(request.raw.headers)`. CLI sends `Cookie:` header only. Confirm BetterAuth reads from `Cookie`, not `Set-Cookie`. | Low      | Confirmed — `mosaic login` + `mosaic tui` already use this flow successfully (`cli.ts:137-181`).               |
 | 2   | Session cookie local expiry (7d) vs BetterAuth server-side expiry may drift.                                                                                                            | Low      | `validateSession` hits `get-session`; handle 401 by re-prompting.                                              |
 | 3   | Label collision / unbounded token growth if operators run `recover-token` repeatedly.                                                                                                   | Low      | Include ISO timestamp in label. Optional `--revoke-old` in CU-03-02. Add `tokens list/prune` later.            |
 | 4   | `mosaic login` exists at top level and `mosaic gateway login` is a wrapper — risk of confusion.                                                                                         | Low      | Document that `gateway login` is the preferred entry for gateway operators; top-level stays for compatibility. |
 | 5   | `meta.json` write is not atomic. Crash between token creation and `writeMeta` leaves an orphan token server-side with no plaintext on disk.                                             | Medium   | Accept for now — re-running `recover-token` mints a fresh token. Document as known limitation.                 |
 | 6   | Non-TTY installer runs (CI, headless provisioners) cannot prompt for creds interactively.                                                                                               | Medium   | Installer inline recovery must skip prompt when `!process.stdin.isTTY`; emit the recover-token hint.           |
 | 7   | If `BETTER_AUTH_SECRET` rotates between login and recover, the session cookie is invalid — user must re-login. Acceptable but surface a clear error.                                    | Low      | Error handler maps 401 on recover -> "Session invalid; re-run `mosaic gateway login`".                         |
 | 8   | No MFA today. When MFA lands, BetterAuth sign-in will return a challenge, not a cookie — recovery UX will need a second prompt step.                                                    | Future   | Out of scope for this mission. Flag for future CLI work.                                                       |
 ## 7. Downstream Task Hooks
 | Task     | Scope                                                                      |
 | -------- | -------------------------------------------------------------------------- |
 | CU-03-02 | Implement `mosaic gateway login` wrapper + shared `runLogin` extraction.   |
 | CU-03-03 | Implement `mosaic gateway config rotate-token`.                            |
 | CU-03-04 | Implement `mosaic gateway config recover-token`.                           |
 | CU-03-05 | Wire commands into `gateway.ts` registration, update `--help` copy.        |
 | CU-03-06 | Installer inline recovery hook in `bootstrapFirstUser`.                    |
 | CU-03-07 | Tests per Section 5.                                                       |
 | CU-03-08 | Docs: update gateway install README + operator runbook with recovery flow. |
--- a/packages/brain/package.json
+++ b/packages/brain/package.json
@@ -22,7 +22,8 @@
  },
  "dependencies": {
    "@mosaicstack/db": "workspace:^",
-    "@mosaicstack/types": "workspace:*"
+    "@mosaicstack/types": "workspace:*",
    "commander": "^13.0.0"
  },
  "devDependencies": {
    "typescript": "^5.8.0",
--- a/packages/brain/src/cli.spec.ts
+++ b/packages/brain/src/cli.spec.ts
@@ -0,0 +1,95 @@
 import { describe, it, expect } from 'vitest';
 import { Command } from 'commander';
 import { registerBrainCommand } from './cli.js';
 /**
 * Smoke test: verifies the command tree is correctly registered.
 * No database connection is opened — we only inspect Commander metadata.
 */
 describe('registerBrainCommand', () => {
  function buildProgram(): Command {
    const program = new Command('mosaic');
    // Prevent Commander from calling process.exit on parse errors during tests.
    program.exitOverride();
    registerBrainCommand(program);
    return program;
  }
  it('registers a top-level "brain" command', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain');
    expect(brainCmd).toBeDefined();
  });
  it('registers "brain projects" with "list" and "create" subcommands', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
    const projectsCmd = brainCmd.commands.find((c) => c.name() === 'projects');
    expect(projectsCmd).toBeDefined();
    const subNames = projectsCmd!.commands.map((c) => c.name());
    expect(subNames).toContain('list');
    expect(subNames).toContain('create');
  });
  it('registers "brain missions" with "list" subcommand', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
    const missionsCmd = brainCmd.commands.find((c) => c.name() === 'missions');
    expect(missionsCmd).toBeDefined();
    const subNames = missionsCmd!.commands.map((c) => c.name());
    expect(subNames).toContain('list');
  });
  it('registers "brain tasks" with "list" subcommand', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
    const tasksCmd = brainCmd.commands.find((c) => c.name() === 'tasks');
    expect(tasksCmd).toBeDefined();
    const subNames = tasksCmd!.commands.map((c) => c.name());
    expect(subNames).toContain('list');
  });
  it('registers "brain conversations" with "list" subcommand', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
    const conversationsCmd = brainCmd.commands.find((c) => c.name() === 'conversations');
    expect(conversationsCmd).toBeDefined();
    const subNames = conversationsCmd!.commands.map((c) => c.name());
    expect(subNames).toContain('list');
  });
  it('"brain projects list" accepts --db and --limit options', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
    const projectsCmd = brainCmd.commands.find((c) => c.name() === 'projects')!;
    const listCmd = projectsCmd.commands.find((c) => c.name() === 'list')!;
    const optionNames = listCmd.options.map((o) => o.long);
    expect(optionNames).toContain('--db');
    expect(optionNames).toContain('--limit');
  });
  it('"brain missions list" accepts --project option', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
    const missionsCmd = brainCmd.commands.find((c) => c.name() === 'missions')!;
    const listCmd = missionsCmd.commands.find((c) => c.name() === 'list')!;
    const optionNames = listCmd.options.map((o) => o.long);
    expect(optionNames).toContain('--project');
  });
  it('"brain tasks list" accepts --project option', () => {
    const program = buildProgram();
    const brainCmd = program.commands.find((c) => c.name() === 'brain')!;
    const tasksCmd = brainCmd.commands.find((c) => c.name() === 'tasks')!;
    const listCmd = tasksCmd.commands.find((c) => c.name() === 'list')!;
    const optionNames = listCmd.options.map((o) => o.long);
    expect(optionNames).toContain('--project');
  });
 });
--- a/packages/brain/src/cli.ts
+++ b/packages/brain/src/cli.ts
@@ -0,0 +1,142 @@
 import type { Command } from 'commander';
 import { createDb, type DbHandle } from '@mosaicstack/db';
 import { createBrain } from './brain.js';
 /**
 * Build and attach the `brain` subcommand tree onto an existing Commander program.
 * Uses the caller's Command instance to avoid cross-package Commander version mismatches.
 */
 export function registerBrainCommand(parent: Command): void {
  const brain = parent.command('brain').description('Inspect and manage brain data stores');
  // ─── shared DB option helper ─────────────────────────────────────────────
  function addDbOption(cmd: Command): Command {
    return cmd.option(
      '--db <connection-string>',
      'PostgreSQL connection string (overrides MOSAIC_DB_URL)',
    );
  }
  function resolveDb(opts: { db?: string }): ReturnType<typeof createBrain> {
    const connectionString = opts.db ?? process.env['MOSAIC_DB_URL'];
    if (!connectionString) {
      console.error('No DB connection string provided. Pass --db <url> or set MOSAIC_DB_URL.');
      process.exit(1);
    }
    const handle: DbHandle = createDb(connectionString);
    return createBrain(handle.db);
  }
  // ─── projects ────────────────────────────────────────────────────────────
  const projects = brain.command('projects').description('Manage projects');
  addDbOption(
    projects
      .command('list')
      .description('List all projects')
      .option('--limit <n>', 'Maximum number of results', '50'),
  ).action(async (opts: { db?: string; limit: string }) => {
    const b = resolveDb(opts);
    const limit = parseInt(opts.limit, 10);
    const rows = await b.projects.findAll();
    const sliced = rows.slice(0, limit);
    if (sliced.length === 0) {
      console.log('No projects found.');
      return;
    }
    for (const p of sliced) {
      console.log(`${p.id}  ${p.name}`);
    }
  });
  addDbOption(
    projects
      .command('create <name>')
      .description('Create a new project')
      .requiredOption('--owner-id <id>', 'Owner user ID'),
  ).action(async (name: string, opts: { db?: string; ownerId: string }) => {
    const b = resolveDb(opts);
    const created = await b.projects.create({
      name,
      ownerId: opts.ownerId,
      ownerType: 'user',
    });
    console.log(`Created project: ${created.id}  ${created.name}`);
  });
  // ─── missions ────────────────────────────────────────────────────────────
  const missions = brain.command('missions').description('Manage missions');
  addDbOption(
    missions
      .command('list')
      .description('List all missions')
      .option('--limit <n>', 'Maximum number of results', '50')
      .option('--project <id>', 'Filter by project ID'),
  ).action(async (opts: { db?: string; limit: string; project?: string }) => {
    const b = resolveDb(opts);
    const limit = parseInt(opts.limit, 10);
    const rows = opts.project
      ? await b.missions.findByProject(opts.project)
      : await b.missions.findAll();
    const sliced = rows.slice(0, limit);
    if (sliced.length === 0) {
      console.log('No missions found.');
      return;
    }
    for (const m of sliced) {
      console.log(`${m.id}  ${m.name}`);
    }
  });
  // ─── tasks ────────────────────────────────────────────────────────────────
  const tasks = brain.command('tasks').description('Manage generic tasks');
  addDbOption(
    tasks
      .command('list')
      .description('List all tasks')
      .option('--limit <n>', 'Maximum number of results', '50')
      .option('--project <id>', 'Filter by project ID'),
  ).action(async (opts: { db?: string; limit: string; project?: string }) => {
    const b = resolveDb(opts);
    const limit = parseInt(opts.limit, 10);
    const rows = opts.project ? await b.tasks.findByProject(opts.project) : await b.tasks.findAll();
    const sliced = rows.slice(0, limit);
    if (sliced.length === 0) {
      console.log('No tasks found.');
      return;
    }
    for (const t of sliced) {
      console.log(`${t.id}  ${t.title}  [${t.status}]`);
    }
  });
  // ─── conversations ────────────────────────────────────────────────────────
  const conversations = brain.command('conversations').description('Manage conversations');
  addDbOption(
    conversations
      .command('list')
      .description('List conversations for a user')
      .option('--limit <n>', 'Maximum number of results', '50')
      .requiredOption('--user-id <id>', 'User ID to scope the query'),
  ).action(async (opts: { db?: string; limit: string; userId: string }) => {
    const b = resolveDb(opts);
    const limit = parseInt(opts.limit, 10);
    const rows = await b.conversations.findAll(opts.userId);
    const sliced = rows.slice(0, limit);
    if (sliced.length === 0) {
      console.log('No conversations found.');
      return;
    }
    for (const c of sliced) {
      console.log(`${c.id}  ${c.title ?? '(untitled)'}`);
    }
  });
 }
--- a/packages/brain/src/index.ts
+++ b/packages/brain/src/index.ts
@@ -1,4 +1,5 @@
 export { createBrain, type Brain } from './brain.js';
 export { registerBrainCommand } from './cli.js';
 export {
  createProjectsRepo,
  type ProjectsRepo,
--- a/packages/mosaic/package.json
+++ b/packages/mosaic/package.json
@@ -27,6 +27,7 @@
    "test": "vitest run --passWithNoTests"
  },
  "dependencies": {
    "@mosaicstack/brain": "workspace:*",
    "@mosaicstack/config": "workspace:*",
    "@mosaicstack/forge": "workspace:*",
    "@mosaicstack/macp": "workspace:*",
--- a/packages/mosaic/src/cli.ts
+++ b/packages/mosaic/src/cli.ts
@@ -2,6 +2,7 @@
 import { createRequire } from 'module';
 import { Command } from 'commander';
 import { registerBrainCommand } from '@mosaicstack/brain';
 import { registerQualityRails } from '@mosaicstack/quality-rails';
 import { registerAgentCommand } from './commands/agent.js';
 import { registerMissionCommand } from './commands/mission.js';
@@ -33,7 +34,23 @@ try {
 const program = new Command();
-program.name('mosaic').description('Mosaic Stack CLI').version(CLI_VERSION);
+program
  .name('mosaic')
  .description('Mosaic Stack CLI')
  .version(CLI_VERSION)
  .configureHelp({ sortSubcommands: true })
  .addHelpText(
    'after',
    `
 Command Groups:
  Runtime:    tui, login, sessions
  Gateway:    gateway
  Framework:  agent, bootstrap, coord, doctor, init, launch, mission, prdy, seq, sync, upgrade, wizard, yolo
  Platform:   update
  Runtimes:   claude, codex, opencode, pi
 `,
  );
 // ─── runtime launchers + framework commands ────────────────────────────
@@ -214,7 +231,10 @@ program
 // ─── sessions ───────────────────────────────────────────────────────────
-const sessionsCmd = program.command('sessions').description('Manage active agent sessions');
+const sessionsCmd = program
  .command('sessions')
  .description('Manage active agent sessions')
  .configureHelp({ sortSubcommands: true });
 sessionsCmd
  .command('list')
@@ -314,6 +334,10 @@ registerAgentCommand(program);
 registerMissionCommand(program);
 // ─── brain ──────────────────────────────────────────────────────────────
 registerBrainCommand(program);
 // ─── quality-rails ──────────────────────────────────────────────────────
 registerQualityRails(program);
--- a/packages/mosaic/src/commands/gateway.ts
+++ b/packages/mosaic/src/commands/gateway.ts
@@ -6,6 +6,7 @@ import {
  stopDaemon,
  waitForHealth,
 } from './gateway/daemon.js';
 import { getGatewayUrl } from './gateway/login.js';
 interface GatewayParentOpts {
  host: string;
@@ -30,6 +31,7 @@ export function registerGatewayCommand(program: Command): void {
    .option('-h, --host <host>', 'Gateway host', 'localhost')
    .option('-p, --port <port>', 'Gateway port', '14242')
    .option('-t, --token <token>', 'Admin API token')
    .configureHelp({ sortSubcommands: true })
    .action(() => {
      gw.outputHelp();
    });
@@ -118,9 +120,28 @@ export function registerGatewayCommand(program: Command): void {
      await runStatus(opts);
    });
  // ─── login ──────────────────────────────────────────────────────────────
  gw.command('login')
    .description('Sign in to the gateway (defaults to URL from meta.json)')
    .option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
    .option('-e, --email <email>', 'Email address')
    .option('-p, --password <password>', 'Password')
    .action(async (cmdOpts: { gateway?: string; email?: string; password?: string }) => {
      const { runLogin } = await import('./gateway/login.js');
      const url = getGatewayUrl(cmdOpts.gateway);
      try {
        await runLogin({ gatewayUrl: url, email: cmdOpts.email, password: cmdOpts.password });
      } catch (err) {
        console.error(err instanceof Error ? err.message : String(err));
        process.exit(1);
      }
    });
  // ─── config ─────────────────────────────────────────────────────────────
-  gw.command('config')
+  const configCmd = gw
    .command('config')
    .description('View or modify gateway configuration')
    .option('--set <KEY=VALUE>', 'Set a configuration value')
    .option('--unset <KEY>', 'Remove a configuration key')
@@ -130,6 +151,24 @@ export function registerGatewayCommand(program: Command): void {
      await runConfig(cmdOpts);
    });
  configCmd
    .command('rotate-token')
    .description('Mint a new admin token using the stored BetterAuth session')
    .option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
    .action(async (cmdOpts: { gateway?: string }) => {
      const { runRotateToken } = await import('./gateway/token-ops.js');
      await runRotateToken(cmdOpts.gateway);
    });
  configCmd
    .command('recover-token')
    .description('Recover an admin token — prompts for login if no valid session exists')
    .option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
    .action(async (cmdOpts: { gateway?: string }) => {
      const { runRecoverToken } = await import('./gateway/token-ops.js');
      await runRecoverToken(cmdOpts.gateway);
    });
  // ─── logs ───────────────────────────────────────────────────────────────
  gw.command('logs')
--- a/packages/mosaic/src/commands/gateway/install.ts
+++ b/packages/mosaic/src/commands/gateway/install.ts
@@ -388,10 +388,32 @@ async function bootstrapFirstUser(
    if (!status.needsSetup) {
      if (meta.adminToken) {
        console.log('Admin user already exists (token on file).');
-      } else {
+        return;
        console.log('Admin user already exists — skipping setup.');
        console.log('(No admin token on file — sign in via the web UI to manage tokens.)');
      }
      // Admin user exists but no token — offer inline recovery when interactive.
      console.log('Admin user already exists but no admin token is on file.');
      if (process.stdin.isTTY) {
        const answer = (await prompt(rl, 'Run token recovery now? [Y/n] ')).trim().toLowerCase();
        if (answer === '' || answer === 'y' || answer === 'yes') {
          console.log();
          try {
            const { ensureSession, mintAdminToken, persistToken } = await import('./token-ops.js');
            const cookie = await ensureSession(baseUrl);
            const label = `CLI recovery token (${new Date().toISOString().slice(0, 16).replace('T', ' ')})`;
            const minted = await mintAdminToken(baseUrl, cookie, label);
            persistToken(baseUrl, minted);
          } catch (err) {
            console.error(
              `Token recovery failed: ${err instanceof Error ? err.message : String(err)}`,
            );
          }
          return;
        }
      }
      console.log('No admin token on file. Run: mosaic gateway config recover-token');
      return;
    }
  } catch {
--- a/packages/mosaic/src/commands/gateway/login.spec.ts
+++ b/packages/mosaic/src/commands/gateway/login.spec.ts
@@ -0,0 +1,87 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 // Mock auth module
 vi.mock('../../auth.js', () => ({
  signIn: vi.fn(),
  saveSession: vi.fn(),
 }));
 // Mock daemon to avoid file-system reads
 vi.mock('./daemon.js', () => ({
  readMeta: vi.fn().mockReturnValue({
    host: 'localhost',
    port: 14242,
    version: '1.0.0',
    installedAt: '',
    entryPoint: '',
  }),
 }));
 import { runLogin, getGatewayUrl } from './login.js';
 import { signIn, saveSession } from '../../auth.js';
 import { readMeta } from './daemon.js';
 const mockSignIn = vi.mocked(signIn);
 const mockSaveSession = vi.mocked(saveSession);
 const mockReadMeta = vi.mocked(readMeta);
 describe('getGatewayUrl', () => {
  it('returns override URL when provided', () => {
    expect(getGatewayUrl('http://my-gateway:9999')).toBe('http://my-gateway:9999');
  });
  it('builds URL from meta.json when no override given', () => {
    mockReadMeta.mockReturnValueOnce({
      host: 'myhost',
      port: 8080,
      version: '1.0.0',
      installedAt: '',
      entryPoint: '',
    });
    expect(getGatewayUrl()).toBe('http://myhost:8080');
  });
  it('falls back to default when meta is null', () => {
    mockReadMeta.mockReturnValueOnce(null);
    expect(getGatewayUrl()).toBe('http://localhost:14242');
  });
 });
 describe('runLogin', () => {
  const consoleLogSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
  beforeEach(() => {
    vi.clearAllMocks();
  });
  it('calls signIn and saveSession on success', async () => {
    const fakeAuth = {
      cookie: 'better-auth.session_token=abc',
      userId: 'u1',
      email: 'admin@test.com',
    };
    mockSignIn.mockResolvedValueOnce(fakeAuth);
    await runLogin({
      gatewayUrl: 'http://localhost:14242',
      email: 'admin@test.com',
      password: 'password123',
    });
    expect(mockSignIn).toHaveBeenCalledWith(
      'http://localhost:14242',
      'admin@test.com',
      'password123',
    );
    expect(mockSaveSession).toHaveBeenCalledWith('http://localhost:14242', fakeAuth);
    expect(consoleLogSpy).toHaveBeenCalledWith(expect.stringContaining('admin@test.com'));
  });
  it('propagates signIn errors', async () => {
    mockSignIn.mockRejectedValueOnce(new Error('Sign-in failed (401): invalid credentials'));
    await expect(
      runLogin({ gatewayUrl: 'http://localhost:14242', email: 'bad@test.com', password: 'wrong' }),
    ).rejects.toThrow('Sign-in failed (401)');
  });
 });
--- a/packages/mosaic/src/commands/gateway/login.ts
+++ b/packages/mosaic/src/commands/gateway/login.ts
@@ -0,0 +1,39 @@
 import { createInterface } from 'node:readline';
 import { signIn, saveSession } from '../../auth.js';
 import { readMeta } from './daemon.js';
 /**
 * Shared login helper used by both `mosaic login` and `mosaic gateway login`.
 * Prompts for email/password if not supplied, signs in, and persists the session.
 */
 export async function runLogin(opts: {
  gatewayUrl: string;
  email?: string;
  password?: string;
 }): Promise<void> {
  let email = opts.email;
  let password = opts.password;
  if (!email || !password) {
    const rl = createInterface({ input: process.stdin, output: process.stdout });
    const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
    if (!email) email = await ask('Email: ');
    if (!password) password = await ask('Password: ');
    rl.close();
  }
  const auth = await signIn(opts.gatewayUrl, email, password);
  saveSession(opts.gatewayUrl, auth);
  console.log(`Signed in as ${auth.email} (${opts.gatewayUrl})`);
 }
 /**
 * Derive the gateway base URL from meta.json with a fallback.
 */
 export function getGatewayUrl(overrideUrl?: string): string {
  if (overrideUrl) return overrideUrl;
  const meta = readMeta();
  if (meta) return `http://${meta.host}:${meta.port.toString()}`;
  return 'http://localhost:14242';
 }
--- a/packages/mosaic/src/commands/gateway/recover-token.spec.ts
+++ b/packages/mosaic/src/commands/gateway/recover-token.spec.ts
@@ -0,0 +1,176 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 // ─── Mocks ──────────────────────────────────────────────────────────────────
 vi.mock('../../auth.js', () => ({
  loadSession: vi.fn(),
  validateSession: vi.fn(),
  signIn: vi.fn(),
  saveSession: vi.fn(),
 }));
 vi.mock('./daemon.js', () => ({
  readMeta: vi.fn(),
  writeMeta: vi.fn(),
 }));
 vi.mock('./login.js', () => ({
  getGatewayUrl: vi.fn().mockReturnValue('http://localhost:14242'),
 }));
 // Mock readline so tests don't block on stdin
 vi.mock('node:readline', () => ({
  createInterface: vi.fn().mockReturnValue({
    question: vi.fn((_q: string, cb: (a: string) => void) => cb('test-input')),
    close: vi.fn(),
  }),
 }));
 const mockFetch = vi.fn();
 vi.stubGlobal('fetch', mockFetch);
 import { runRecoverToken, ensureSession } from './token-ops.js';
 import { loadSession, validateSession, signIn, saveSession } from '../../auth.js';
 import { readMeta, writeMeta } from './daemon.js';
 const mockLoadSession = vi.mocked(loadSession);
 const mockValidateSession = vi.mocked(validateSession);
 const mockSignIn = vi.mocked(signIn);
 const mockSaveSession = vi.mocked(saveSession);
 const mockReadMeta = vi.mocked(readMeta);
 const mockWriteMeta = vi.mocked(writeMeta);
 const baseUrl = 'http://localhost:14242';
 const fakeCookie = 'better-auth.session_token=sess123';
 const fakeToken = {
  id: 'tok-1',
  label: 'CLI recovery token (2026-04-04 12:00)',
  plaintext: 'abcdef1234567890',
 };
 const fakeMeta = {
  version: '1.0.0',
  installedAt: '',
  entryPoint: '',
  host: 'localhost',
  port: 14242,
 };
 describe('ensureSession', () => {
  beforeEach(() => {
    vi.clearAllMocks();
    vi.spyOn(console, 'log').mockImplementation(() => {});
  });
  it('returns cookie from stored session when valid', async () => {
    mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
    mockValidateSession.mockResolvedValueOnce(true);
    const cookie = await ensureSession(baseUrl);
    expect(cookie).toBe(fakeCookie);
    expect(mockSignIn).not.toHaveBeenCalled();
  });
  it('prompts for credentials and signs in when stored session is invalid', async () => {
    mockLoadSession.mockReturnValueOnce({ cookie: 'old-cookie', userId: 'u1', email: 'a@b.com' });
    mockValidateSession.mockResolvedValueOnce(false);
    const newAuth = { cookie: fakeCookie, userId: 'u2', email: 'a@b.com' };
    mockSignIn.mockResolvedValueOnce(newAuth);
    const cookie = await ensureSession(baseUrl);
    expect(cookie).toBe(fakeCookie);
    expect(mockSaveSession).toHaveBeenCalledWith(baseUrl, newAuth);
  });
  it('prompts for credentials when no session exists', async () => {
    mockLoadSession.mockReturnValueOnce(null);
    const newAuth = { cookie: fakeCookie, userId: 'u2', email: 'a@b.com' };
    mockSignIn.mockResolvedValueOnce(newAuth);
    const cookie = await ensureSession(baseUrl);
    expect(cookie).toBe(fakeCookie);
    expect(mockSignIn).toHaveBeenCalled();
  });
  it('exits non-zero when signIn fails', async () => {
    mockLoadSession.mockReturnValueOnce(null);
    mockSignIn.mockRejectedValueOnce(new Error('Sign-in failed (401): bad creds'));
    const processExitSpy = vi
      .spyOn(process, 'exit')
      .mockImplementation((_code?: number | string | null | undefined) => {
        throw new Error(`process.exit(${String(_code)})`);
      });
    const consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
    await expect(ensureSession(baseUrl)).rejects.toThrow('process.exit(2)');
    expect(processExitSpy).toHaveBeenCalledWith(2);
    processExitSpy.mockRestore();
    consoleErrorSpy.mockRestore();
  });
 });
 describe('runRecoverToken', () => {
  beforeEach(() => {
    vi.clearAllMocks();
    vi.spyOn(console, 'log').mockImplementation(() => {});
    vi.spyOn(console, 'error').mockImplementation(() => {});
  });
  it('prompts for login, mints a token, and persists it when no session exists', async () => {
    mockLoadSession.mockReturnValueOnce(null);
    const newAuth = { cookie: fakeCookie, userId: 'u2', email: 'admin@test.com' };
    mockSignIn.mockResolvedValueOnce(newAuth);
    mockReadMeta.mockReturnValue(fakeMeta);
    mockFetch.mockResolvedValueOnce({
      ok: true,
      status: 200,
      json: async () => fakeToken,
    });
    await runRecoverToken();
    expect(mockSignIn).toHaveBeenCalled();
    expect(mockFetch).toHaveBeenCalledWith(
      `${baseUrl}/api/admin/tokens`,
      expect.objectContaining({ method: 'POST' }),
    );
    expect(mockWriteMeta).toHaveBeenCalledWith(
      expect.objectContaining({ adminToken: fakeToken.plaintext }),
    );
  });
  it('skips login when a valid session exists and mints a recovery token', async () => {
    mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
    mockValidateSession.mockResolvedValueOnce(true);
    mockReadMeta.mockReturnValue(fakeMeta);
    mockFetch.mockResolvedValueOnce({
      ok: true,
      status: 200,
      json: async () => fakeToken,
    });
    await runRecoverToken();
    expect(mockSignIn).not.toHaveBeenCalled();
    expect(mockWriteMeta).toHaveBeenCalledWith(
      expect.objectContaining({ adminToken: fakeToken.plaintext }),
    );
  });
  it('uses label containing "recovery token"', async () => {
    mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
    mockValidateSession.mockResolvedValueOnce(true);
    mockReadMeta.mockReturnValue(fakeMeta);
    mockFetch.mockResolvedValueOnce({
      ok: true,
      status: 200,
      json: async () => fakeToken,
    });
    await runRecoverToken();
    const call = mockFetch.mock.calls[0] as [string, RequestInit];
    const body = JSON.parse(call[1].body as string) as { label: string };
    expect(body.label).toMatch(/CLI recovery token/);
  });
 });
--- a/packages/mosaic/src/commands/gateway/rotate-token.spec.ts
+++ b/packages/mosaic/src/commands/gateway/rotate-token.spec.ts
@@ -0,0 +1,205 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 // ─── Mocks ──────────────────────────────────────────────────────────────────
 vi.mock('../../auth.js', () => ({
  loadSession: vi.fn(),
  validateSession: vi.fn(),
  signIn: vi.fn(),
  saveSession: vi.fn(),
 }));
 vi.mock('./daemon.js', () => ({
  readMeta: vi.fn(),
  writeMeta: vi.fn(),
 }));
 vi.mock('./login.js', () => ({
  getGatewayUrl: vi.fn().mockReturnValue('http://localhost:14242'),
 }));
 // Mock global fetch
 const mockFetch = vi.fn();
 vi.stubGlobal('fetch', mockFetch);
 import { runRotateToken, mintAdminToken, persistToken } from './token-ops.js';
 import { loadSession, validateSession } from '../../auth.js';
 import { readMeta, writeMeta } from './daemon.js';
 const mockLoadSession = vi.mocked(loadSession);
 const mockValidateSession = vi.mocked(validateSession);
 const mockReadMeta = vi.mocked(readMeta);
 const mockWriteMeta = vi.mocked(writeMeta);
 const baseUrl = 'http://localhost:14242';
 const fakeCookie = 'better-auth.session_token=sess123';
 const fakeToken = {
  id: 'tok-1',
  label: 'CLI rotated token (2026-04-04)',
  plaintext: 'abcdef1234567890',
 };
 const fakeMeta = {
  version: '1.0.0',
  installedAt: '',
  entryPoint: '',
  host: 'localhost',
  port: 14242,
 };
 describe('mintAdminToken', () => {
  beforeEach(() => {
    vi.clearAllMocks();
  });
  it('calls the admin tokens endpoint with the session cookie and returns the token', async () => {
    mockFetch.mockResolvedValueOnce({
      ok: true,
      status: 200,
      json: async () => fakeToken,
    });
    const result = await mintAdminToken(baseUrl, fakeCookie, fakeToken.label);
    expect(mockFetch).toHaveBeenCalledWith(
      `${baseUrl}/api/admin/tokens`,
      expect.objectContaining({
        method: 'POST',
        headers: expect.objectContaining({ Cookie: fakeCookie }),
      }),
    );
    expect(result).toEqual(fakeToken);
  });
  it('exits 2 on 401 from the server', async () => {
    mockFetch.mockResolvedValueOnce({ ok: false, status: 401, text: async () => 'Unauthorized' });
    const processExitSpy = vi
      .spyOn(process, 'exit')
      .mockImplementation((_code?: number | string | null | undefined) => {
        throw new Error(`process.exit(${String(_code)})`);
      });
    await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(2)');
    expect(processExitSpy).toHaveBeenCalledWith(2);
    processExitSpy.mockRestore();
  });
  it('exits 2 on 403 from the server', async () => {
    mockFetch.mockResolvedValueOnce({ ok: false, status: 403, text: async () => 'Forbidden' });
    const processExitSpy = vi
      .spyOn(process, 'exit')
      .mockImplementation((_code?: number | string | null | undefined) => {
        throw new Error(`process.exit(${String(_code)})`);
      });
    await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(2)');
    expect(processExitSpy).toHaveBeenCalledWith(2);
    processExitSpy.mockRestore();
  });
  it('exits 3 on other non-ok status', async () => {
    mockFetch.mockResolvedValueOnce({ ok: false, status: 500, text: async () => 'Internal Error' });
    const processExitSpy = vi
      .spyOn(process, 'exit')
      .mockImplementation((_code?: number | string | null | undefined) => {
        throw new Error(`process.exit(${String(_code)})`);
      });
    await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(3)');
    expect(processExitSpy).toHaveBeenCalledWith(3);
    processExitSpy.mockRestore();
  });
  it('exits 1 on network error', async () => {
    mockFetch.mockRejectedValueOnce(new Error('connection refused'));
    const processExitSpy = vi
      .spyOn(process, 'exit')
      .mockImplementation((_code?: number | string | null | undefined) => {
        throw new Error(`process.exit(${String(_code)})`);
      });
    await expect(mintAdminToken(baseUrl, fakeCookie, 'label')).rejects.toThrow('process.exit(1)');
    expect(processExitSpy).toHaveBeenCalledWith(1);
    processExitSpy.mockRestore();
  });
 });
 describe('persistToken', () => {
  beforeEach(() => {
    vi.clearAllMocks();
  });
  it('writes the new token to meta.json', () => {
    mockReadMeta.mockReturnValueOnce(fakeMeta);
    const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
    persistToken(baseUrl, fakeToken);
    expect(mockWriteMeta).toHaveBeenCalledWith(
      expect.objectContaining({ adminToken: fakeToken.plaintext }),
    );
    consoleSpy.mockRestore();
  });
  it('prints a masked preview of the token', () => {
    mockReadMeta.mockReturnValueOnce(fakeMeta);
    const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
    persistToken(baseUrl, fakeToken);
    const allOutput = consoleSpy.mock.calls.map((c) => c.join(' ')).join('\n');
    expect(allOutput).toContain('abcdef12...');
    consoleSpy.mockRestore();
  });
 });
 describe('runRotateToken', () => {
  beforeEach(() => {
    vi.clearAllMocks();
    vi.spyOn(console, 'error').mockImplementation(() => {});
    vi.spyOn(console, 'log').mockImplementation(() => {});
  });
  it('exits 2 when there is no stored session', async () => {
    mockLoadSession.mockReturnValueOnce(null);
    const processExitSpy = vi
      .spyOn(process, 'exit')
      .mockImplementation((_code?: number | string | null | undefined) => {
        throw new Error(`process.exit(${String(_code)})`);
      });
    await expect(runRotateToken()).rejects.toThrow('process.exit(2)');
    expect(processExitSpy).toHaveBeenCalledWith(2);
    processExitSpy.mockRestore();
  });
  it('exits 2 when session is invalid', async () => {
    mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
    mockValidateSession.mockResolvedValueOnce(false);
    const processExitSpy = vi
      .spyOn(process, 'exit')
      .mockImplementation((_code?: number | string | null | undefined) => {
        throw new Error(`process.exit(${String(_code)})`);
      });
    await expect(runRotateToken()).rejects.toThrow('process.exit(2)');
    expect(processExitSpy).toHaveBeenCalledWith(2);
    processExitSpy.mockRestore();
  });
  it('mints and persists a new token when session is valid', async () => {
    mockLoadSession.mockReturnValueOnce({ cookie: fakeCookie, userId: 'u1', email: 'a@b.com' });
    mockValidateSession.mockResolvedValueOnce(true);
    mockReadMeta.mockReturnValue(fakeMeta);
    mockFetch.mockResolvedValueOnce({
      ok: true,
      status: 200,
      json: async () => fakeToken,
    });
    await runRotateToken();
    expect(mockWriteMeta).toHaveBeenCalledWith(
      expect.objectContaining({ adminToken: fakeToken.plaintext }),
    );
  });
 });
--- a/packages/mosaic/src/commands/gateway/token-ops.ts
+++ b/packages/mosaic/src/commands/gateway/token-ops.ts
@@ -0,0 +1,149 @@
 import { createInterface } from 'node:readline';
 import { loadSession, validateSession, signIn, saveSession } from '../../auth.js';
 import { readMeta, writeMeta } from './daemon.js';
 import { getGatewayUrl } from './login.js';
 interface MintedToken {
  id: string;
  label: string;
  plaintext: string;
 }
 /**
 * Call POST /api/admin/tokens with the session cookie and return the minted token.
 * Exits the process on network or auth errors.
 */
 export async function mintAdminToken(
  gatewayUrl: string,
  cookie: string,
  label: string,
 ): Promise<MintedToken> {
  let res: Response;
  try {
    res = await fetch(`${gatewayUrl}/api/admin/tokens`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Cookie: cookie,
        Origin: gatewayUrl,
      },
      body: JSON.stringify({ label, scope: 'admin' }),
    });
  } catch (err) {
    console.error(
      `Could not reach gateway at ${gatewayUrl}: ${err instanceof Error ? err.message : String(err)}`,
    );
    process.exit(1);
  }
  if (res.status === 401 || res.status === 403) {
    console.error(
      `Session rejected by the gateway (${res.status.toString()}) — your session may be expired.`,
    );
    console.error('Run: mosaic gateway login');
    process.exit(2);
  }
  if (!res.ok) {
    const body = await res.text().catch(() => '');
    console.error(
      `Gateway rejected token creation (${res.status.toString()}): ${body.slice(0, 200)}`,
    );
    process.exit(3);
  }
  const data = (await res.json()) as { id: string; label: string; plaintext: string };
  return { id: data.id, label: data.label, plaintext: data.plaintext };
 }
 /**
 * Persist the new token into meta.json and print the confirmation banner.
 */
 export function persistToken(gatewayUrl: string, minted: MintedToken): void {
  const meta = readMeta() ?? {
    version: 'unknown',
    installedAt: new Date().toISOString(),
    entryPoint: '',
    host: new URL(gatewayUrl).hostname,
    port: parseInt(new URL(gatewayUrl).port || '14242', 10),
  };
  writeMeta({ ...meta, adminToken: minted.plaintext });
  const preview = `${minted.plaintext.slice(0, 8)}...`;
  console.log();
  console.log(`Token minted:  ${minted.label}`);
  console.log(`Preview:       ${preview}`);
  console.log('Token saved to meta.json. Use it with admin endpoints.');
 }
 /**
 * Require a valid session for the given gateway URL.
 * Returns the session cookie or exits if not authenticated.
 */
 export async function requireSession(gatewayUrl: string): Promise<string> {
  const session = loadSession(gatewayUrl);
  if (session) {
    const valid = await validateSession(gatewayUrl, session.cookie);
    if (valid) return session.cookie;
  }
  console.error('Not signed in or session expired.');
  console.error('Run: mosaic gateway login');
  process.exit(2);
 }
 /**
 * Ensure a valid session for the gateway, prompting for credentials if needed.
 * On sign-in failure, prints the error and exits non-zero.
 * Returns the session cookie.
 */
 export async function ensureSession(gatewayUrl: string): Promise<string> {
  // Try the stored session first
  const session = loadSession(gatewayUrl);
  if (session) {
    const valid = await validateSession(gatewayUrl, session.cookie);
    if (valid) return session.cookie;
    console.log('Stored session is invalid or expired. Please sign in again.');
  } else {
    console.log(`No session found for ${gatewayUrl}. Please sign in.`);
  }
  // Prompt for credentials
  const rl = createInterface({ input: process.stdin, output: process.stdout });
  const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
  const email = (await ask('Email: ')).trim();
  const password = (await ask('Password: ')).trim();
  rl.close();
  const auth = await signIn(gatewayUrl, email, password).catch((err: unknown) => {
    console.error(err instanceof Error ? err.message : String(err));
    process.exit(2);
  });
  saveSession(gatewayUrl, auth);
  console.log(`Signed in as ${auth.email}`);
  return auth.cookie;
 }
 /**
 * `mosaic gateway config rotate-token` — requires an existing valid session.
 */
 export async function runRotateToken(gatewayUrl?: string): Promise<void> {
  const url = getGatewayUrl(gatewayUrl);
  const cookie = await requireSession(url);
  const label = `CLI rotated token (${new Date().toISOString().slice(0, 10)})`;
  const minted = await mintAdminToken(url, cookie, label);
  persistToken(url, minted);
 }
 /**
 * `mosaic gateway config recover-token` — prompts for login if no session exists.
 */
 export async function runRecoverToken(gatewayUrl?: string): Promise<void> {
  const url = getGatewayUrl(gatewayUrl);
  const cookie = await ensureSession(url);
  const label = `CLI recovery token (${new Date().toISOString().slice(0, 16).replace('T', ' ')})`;
  const minted = await mintAdminToken(url, cookie, label);
  persistToken(url, minted);
 }
--- a/packages/mosaic/src/commands/mission.ts
+++ b/packages/mosaic/src/commands/mission.ts
@@ -47,6 +47,7 @@ export function registerMissionCommand(program: Command) {
    .option('--update <idOrName>', 'Update a mission')
    .option('--project <idOrName>', 'Scope to project')
    .argument('[id]', 'Show mission detail by ID')
    .configureHelp({ sortSubcommands: true })
    .action(
      async (
        id: string | undefined,
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -294,6 +294,9 @@ importers:
      '@mosaicstack/types':
        specifier: workspace:*
        version: link:../types
      commander:
        specifier: ^13.0.0
        version: 13.1.0
    devDependencies:
      typescript:
        specifier: ^5.8.0
@@ -454,6 +457,9 @@ importers:
      '@clack/prompts':
        specifier: ^0.9.1
        version: 0.9.1
      '@mosaicstack/brain':
        specifier: workspace:*
        version: link:../brain
      '@mosaicstack/config':
        specifier: workspace:*
        version: link:../config
Author	SHA1	Message	Date
Jarvis	41f5d34072	feat(mosaic): gateway token recovery via BetterAuth cookie (CU-03-03..07) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details Add mosaic gateway login subcommand with meta.json URL default, config rotate-token and recover-token subcommands for admin token minting via BetterAuth session cookie, fix the bootstrapFirstUser dead-end when admin exists but no token is on file, and add Vitest tests for all new flows. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-05 00:23:08 -05:00
jason.woltje	febd866098	feat(brain): mosaic brain CLI surface (#403 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-05 05:20:44 +00:00
jason.woltje	2446593fff	feat(mosaic): alphabetize and group mosaic --help output (#402 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/publish Pipeline failed Details	2026-04-05 05:12:32 +00:00
jason.woltje	651426cf2e	docs(plan): gateway admin token recovery flow (#401 ) Some checks failed ci/woodpecker/push/publish Pipeline failed Details ci/woodpecker/push/ci Pipeline failed Details	2026-04-05 05:11:33 +00:00