feat(macp): add registerMacpCommand for mosaic macp CLI surface

Adds mosaic macp tasks list|submit|gate|events tail subcommands to
@mosaicstack/macp, wires registerMacpCommand into the root mosaic CLI,
and ships a smoke test asserting command structure without touching disk
or starting an event emitter. Ref CU-05-08.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/log/package.json

@@ -23,7 +23,6 @@
   },
   "dependencies": {
     "@mosaicstack/db": "workspace:*",
-    "commander": "^13.0.0",
     "drizzle-orm": "^0.45.1"
   },
   "devDependencies": {

packages/log/src/cli.spec.ts

@@ -1,68 +0,0 @@
-import { Command } from 'commander';
-import { describe, it, expect } from 'vitest';
-
-import { registerLogCommand } from './cli.js';
-
-function buildTestProgram(): Command {
-  const program = new Command('mosaic');
-  program.exitOverride(); // prevent process.exit in tests
-  registerLogCommand(program);
-  return program;
-}
-
-describe('registerLogCommand', () => {
-  it('registers a "log" subcommand on the parent', () => {
-    const program = buildTestProgram();
-    const names = program.commands.map((c) => c.name());
-    expect(names).toContain('log');
-  });
-
-  it('log command has tail, search, export, and level subcommands', () => {
-    const program = buildTestProgram();
-    const logCmd = program.commands.find((c) => c.name() === 'log');
-    expect(logCmd).toBeDefined();
-    const subNames = logCmd!.commands.map((c) => c.name());
-    expect(subNames).toContain('tail');
-    expect(subNames).toContain('search');
-    expect(subNames).toContain('export');
-    expect(subNames).toContain('level');
-  });
-
-  it('tail subcommand has expected options', () => {
-    const program = buildTestProgram();
-    const logCmd = program.commands.find((c) => c.name() === 'log')!;
-    const tailCmd = logCmd.commands.find((c) => c.name() === 'tail')!;
-    const optionNames = tailCmd.options.map((o) => o.long);
-    expect(optionNames).toContain('--agent');
-    expect(optionNames).toContain('--level');
-    expect(optionNames).toContain('--category');
-    expect(optionNames).toContain('--tier');
-    expect(optionNames).toContain('--limit');
-    expect(optionNames).toContain('--db');
-  });
-
-  it('search subcommand accepts a positional query argument', () => {
-    const program = buildTestProgram();
-    const logCmd = program.commands.find((c) => c.name() === 'log')!;
-    const searchCmd = logCmd.commands.find((c) => c.name() === 'search')!;
-    // Commander stores positional args in _args
-    const argNames = searchCmd.registeredArguments.map((a) => a.name());
-    expect(argNames).toContain('query');
-  });
-
-  it('export subcommand accepts a positional path argument', () => {
-    const program = buildTestProgram();
-    const logCmd = program.commands.find((c) => c.name() === 'log')!;
-    const exportCmd = logCmd.commands.find((c) => c.name() === 'export')!;
-    const argNames = exportCmd.registeredArguments.map((a) => a.name());
-    expect(argNames).toContain('path');
-  });
-
-  it('level subcommand accepts a positional level argument', () => {
-    const program = buildTestProgram();
-    const logCmd = program.commands.find((c) => c.name() === 'log')!;
-    const levelCmd = logCmd.commands.find((c) => c.name() === 'level')!;
-    const argNames = levelCmd.registeredArguments.map((a) => a.name());
-    expect(argNames).toContain('level');
-  });
-});

packages/log/src/cli.ts

@@ -1,177 +0,0 @@
-import { writeFileSync } from 'node:fs';
-
-import type { Command } from 'commander';
-
-import type { LogCategory, LogLevel, LogTier } from './agent-logs.js';
-
-interface FilterOptions {
-  agent?: string;
-  level?: string;
-  category?: string;
-  tier?: string;
-  limit?: string;
-  db?: string;
-}
-
-function parseLimit(raw: string | undefined, defaultVal = 50): number {
-  if (!raw) return defaultVal;
-  const n = parseInt(raw, 10);
-  return Number.isFinite(n) && n > 0 ? n : defaultVal;
-}
-
-function buildQuery(opts: FilterOptions) {
-  return {
-    ...(opts.agent ? { sessionId: opts.agent } : {}),
-    ...(opts.level ? { level: opts.level as LogLevel } : {}),
-    ...(opts.category ? { category: opts.category as LogCategory } : {}),
-    ...(opts.tier ? { tier: opts.tier as LogTier } : {}),
-    limit: parseLimit(opts.limit),
-  };
-}
-
-async function openDb(connectionString: string) {
-  const { createDb } = await import('@mosaicstack/db');
-  return createDb(connectionString);
-}
-
-function resolveConnectionString(opts: FilterOptions): string | undefined {
-  return opts.db ?? process.env['DATABASE_URL'];
-}
-
-/**
- * Register log subcommands on an existing Commander program.
- * This avoids cross-package Commander version mismatches by using the
- * caller's Command instance directly.
- */
-export function registerLogCommand(parent: Command): void {
-  const log = parent.command('log').description('Query and manage agent logs');
-
-  // ─── tail ───────────────────────────────────────────────────────────────
-
-  log
-    .command('tail')
-    .description('Tail recent agent logs')
-    .option('--agent <id>', 'Filter by agent/session ID')
-    .option('--level <level>', 'Filter by log level (debug|info|warn|error)')
-    .option('--category <cat>', 'Filter by category (decision|tool_use|learning|error|general)')
-    .option('--tier <tier>', 'Filter by tier (hot|warm|cold)')
-    .option('--limit <n>', 'Number of logs to return (default 50)', '50')
-    .option('--db <connection-string>', 'Database connection string (or set DATABASE_URL)')
-    .action(async (opts: FilterOptions) => {
-      const connStr = resolveConnectionString(opts);
-      if (!connStr) {
-        console.error('Database connection required: use --db or set DATABASE_URL');
-        process.exit(1);
-      }
-
-      const handle = await openDb(connStr);
-      try {
-        const { createLogService } = await import('./log-service.js');
-        const svc = createLogService(handle.db);
-        const query = buildQuery(opts);
-
-        const logs = await svc.logs.query(query);
-        if (logs.length === 0) {
-          console.log('No logs found.');
-          return;
-        }
-        for (const entry of logs) {
-          const ts = new Date(entry.createdAt).toISOString();
-          console.log(`[${ts}] [${entry.level}] [${entry.category}] ${entry.content}`);
-        }
-      } finally {
-        await handle.close();
-      }
-    });
-
-  // ─── search ─────────────────────────────────────────────────────────────
-
-  log
-    .command('search <query>')
-    .description('Full-text search over agent logs')
-    .option('--agent <id>', 'Filter by agent/session ID')
-    .option('--level <level>', 'Filter by log level (debug|info|warn|error)')
-    .option('--category <cat>', 'Filter by category (decision|tool_use|learning|error|general)')
-    .option('--tier <tier>', 'Filter by tier (hot|warm|cold)')
-    .option('--limit <n>', 'Number of logs to return (default 50)', '50')
-    .option('--db <connection-string>', 'Database connection string (or set DATABASE_URL)')
-    .action(async (query: string, opts: FilterOptions) => {
-      const connStr = resolveConnectionString(opts);
-      if (!connStr) {
-        console.error('Database connection required: use --db or set DATABASE_URL');
-        process.exit(1);
-      }
-
-      const handle = await openDb(connStr);
-      try {
-        const { createLogService } = await import('./log-service.js');
-        const svc = createLogService(handle.db);
-        const baseQuery = buildQuery(opts);
-
-        const logs = await svc.logs.query(baseQuery);
-        const lowerQ = query.toLowerCase();
-        const matched = logs.filter(
-          (e) =>
-            e.content.toLowerCase().includes(lowerQ) ||
-            (e.metadata != null && JSON.stringify(e.metadata).toLowerCase().includes(lowerQ)),
-        );
-
-        if (matched.length === 0) {
-          console.log('No matching logs found.');
-          return;
-        }
-        for (const entry of matched) {
-          const ts = new Date(entry.createdAt).toISOString();
-          console.log(`[${ts}] [${entry.level}] [${entry.category}] ${entry.content}`);
-        }
-      } finally {
-        await handle.close();
-      }
-    });
-
-  // ─── export ─────────────────────────────────────────────────────────────
-
-  log
-    .command('export <path>')
-    .description('Export matching logs to an NDJSON file')
-    .option('--agent <id>', 'Filter by agent/session ID')
-    .option('--level <level>', 'Filter by log level (debug|info|warn|error)')
-    .option('--category <cat>', 'Filter by category (decision|tool_use|learning|error|general)')
-    .option('--tier <tier>', 'Filter by tier (hot|warm|cold)')
-    .option('--limit <n>', 'Number of logs to export (default 50)', '50')
-    .option('--db <connection-string>', 'Database connection string (or set DATABASE_URL)')
-    .action(async (outputPath: string, opts: FilterOptions) => {
-      const connStr = resolveConnectionString(opts);
-      if (!connStr) {
-        console.error('Database connection required: use --db or set DATABASE_URL');
-        process.exit(1);
-      }
-
-      const handle = await openDb(connStr);
-      try {
-        const { createLogService } = await import('./log-service.js');
-        const svc = createLogService(handle.db);
-        const query = buildQuery(opts);
-
-        const logs = await svc.logs.query(query);
-        const ndjson = logs.map((e) => JSON.stringify(e)).join('\n');
-        writeFileSync(outputPath, ndjson, 'utf8');
-        console.log(`Exported ${logs.length} log(s) to ${outputPath}`);
-      } finally {
-        await handle.close();
-      }
-    });
-
-  // ─── level ──────────────────────────────────────────────────────────────
-
-  log
-    .command('level <level>')
-    .description('Set runtime log level for the connected log service')
-    .action((level: string) => {
-      void level;
-      console.log(
-        'Runtime log level adjustment is not supported in current mode (DB-backed log service).',
-      );
-      process.exitCode = 0;
-    });
-}

packages/log/src/index.ts

@@ -9,4 +9,3 @@ export {
   type LogTier,
   type LogQuery,
 } from './agent-logs.js';
-export { registerLogCommand } from './cli.js';

packages/macp/package.json

@@ -21,6 +21,9 @@
     "typecheck": "tsc --noEmit",
     "test": "vitest run --passWithNoTests"
   },
+  "dependencies": {
+    "commander": "^13.0.0"
+  },
   "devDependencies": {
     "@types/node": "^22.0.0",
     "@vitest/coverage-v8": "^2.0.0",

packages/macp/src/cli.spec.ts

@@ -0,0 +1,77 @@
+import { describe, it, expect } from 'vitest';
+import { Command } from 'commander';
+import { registerMacpCommand } from './cli.js';
+
+describe('registerMacpCommand', () => {
+  function buildProgram(): Command {
+    const program = new Command();
+    program.exitOverride(); // prevent process.exit in tests
+    registerMacpCommand(program);
+    return program;
+  }
+
+  it('registers a "macp" command on the parent', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp');
+    expect(macpCmd).toBeDefined();
+  });
+
+  it('registers "macp tasks" subcommand group', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp')!;
+    const tasksCmd = macpCmd.commands.find((c) => c.name() === 'tasks');
+    expect(tasksCmd).toBeDefined();
+  });
+
+  it('registers "macp tasks list" subcommand with --status and --type flags', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp')!;
+    const tasksCmd = macpCmd.commands.find((c) => c.name() === 'tasks')!;
+    const listCmd = tasksCmd.commands.find((c) => c.name() === 'list');
+    expect(listCmd).toBeDefined();
+    const optionNames = listCmd!.options.map((o) => o.long);
+    expect(optionNames).toContain('--status');
+    expect(optionNames).toContain('--type');
+  });
+
+  it('registers "macp submit" subcommand', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp')!;
+    const submitCmd = macpCmd.commands.find((c) => c.name() === 'submit');
+    expect(submitCmd).toBeDefined();
+  });
+
+  it('registers "macp gate" subcommand with --fail-on flag', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp')!;
+    const gateCmd = macpCmd.commands.find((c) => c.name() === 'gate');
+    expect(gateCmd).toBeDefined();
+    const optionNames = gateCmd!.options.map((o) => o.long);
+    expect(optionNames).toContain('--fail-on');
+  });
+
+  it('registers "macp events" subcommand group', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp')!;
+    const eventsCmd = macpCmd.commands.find((c) => c.name() === 'events');
+    expect(eventsCmd).toBeDefined();
+  });
+
+  it('registers "macp events tail" subcommand', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp')!;
+    const eventsCmd = macpCmd.commands.find((c) => c.name() === 'events')!;
+    const tailCmd = eventsCmd.commands.find((c) => c.name() === 'tail');
+    expect(tailCmd).toBeDefined();
+  });
+
+  it('has all required top-level subcommands', () => {
+    const program = buildProgram();
+    const macpCmd = program.commands.find((c) => c.name() === 'macp')!;
+    const topLevel = macpCmd.commands.map((c) => c.name());
+    expect(topLevel).toContain('tasks');
+    expect(topLevel).toContain('submit');
+    expect(topLevel).toContain('gate');
+    expect(topLevel).toContain('events');
+  });
+});

packages/macp/src/cli.ts

@@ -0,0 +1,92 @@
+import type { Command } from 'commander';
+
+/**
+ * Register macp subcommands on an existing Commander program.
+ * This avoids cross-package Commander version mismatches by using the
+ * caller's Command instance directly.
+ */
+export function registerMacpCommand(parent: Command): void {
+  const macp = parent.command('macp').description('MACP task and gate management');
+
+  // ─── tasks ───────────────────────────────────────────────────────────────
+
+  const tasks = macp.command('tasks').description('Manage MACP tasks');
+
+  tasks
+    .command('list')
+    .description('List MACP tasks')
+    .option(
+      '--status <status>',
+      'Filter by task status (pending|running|gated|completed|failed|escalated)',
+    )
+    .option(
+      '--type <type>',
+      'Filter by task type (coding|deploy|research|review|documentation|infrastructure)',
+    )
+    .action((opts: { status?: string; type?: string }) => {
+      // not yet wired — task persistence layer is not present in @mosaicstack/macp
+      console.log('[macp] tasks list: not yet wired — use macp package programmatically');
+      if (opts.status) {
+        console.log(`  status filter: ${opts.status}`);
+      }
+      if (opts.type) {
+        console.log(`  type filter: ${opts.type}`);
+      }
+      process.exitCode = 0;
+    });
+
+  // ─── submit ──────────────────────────────────────────────────────────────
+
+  macp
+    .command('submit <path>')
+    .description('Submit a task from a JSON/YAML spec file')
+    .action((specPath: string) => {
+      // not yet wired — task submission requires a running MACP server
+      console.log('[macp] submit: not yet wired — use macp package programmatically');
+      console.log(`  spec path: ${specPath}`);
+      console.log('  task id:   (unavailable — no MACP server connected)');
+      console.log('  status:    (unavailable — no MACP server connected)');
+      process.exitCode = 0;
+    });
+
+  // ─── gate ────────────────────────────────────────────────────────────────
+
+  macp
+    .command('gate <spec>')
+    .description('Run a gate from a spec string or file path (wraps runGate/runGates)')
+    .option('--fail-on <mode>', 'Gate fail-on mode: ai|fail|both|none', 'fail')
+    .option('--cwd <path>', 'Working directory for gate execution', process.cwd())
+    .option('--log <path>', 'Path to write gate log output', '/tmp/macp-gate.log')
+    .option('--timeout <seconds>', 'Gate timeout in seconds', '60')
+    .action((spec: string, opts: { failOn: string; cwd: string; log: string; timeout: string }) => {
+      // not yet wired — gate execution requires a task context and event sink
+      console.log('[macp] gate: not yet wired — use macp package programmatically');
+      console.log(`  spec:     ${spec}`);
+      console.log(`  fail-on:  ${opts.failOn}`);
+      console.log(`  cwd:      ${opts.cwd}`);
+      console.log(`  log:      ${opts.log}`);
+      console.log(`  timeout:  ${opts.timeout}s`);
+      process.exitCode = 0;
+    });
+
+  // ─── events ──────────────────────────────────────────────────────────────
+
+  const events = macp.command('events').description('Stream MACP events');
+
+  events
+    .command('tail')
+    .description('Tail MACP events from the event log (wraps event emitter)')
+    .option('--file <path>', 'Path to the MACP events NDJSON file')
+    .option('--follow', 'Follow the file for new events (like tail -f)')
+    .action((opts: { file?: string; follow?: boolean }) => {
+      // not yet wired — event streaming requires a live event source
+      console.log('[macp] events tail: not yet wired — use macp package programmatically');
+      if (opts.file) {
+        console.log(`  file:   ${opts.file}`);
+      }
+      if (opts.follow) {
+        console.log('  mode:   follow');
+      }
+      process.exitCode = 0;
+    });
+}

packages/macp/src/index.ts

@@ -41,3 +41,6 @@ export type { NormalizedGate } from './gate-runner.js';
 
 // Event emitter
 export { nowISO, appendEvent, emitEvent } from './event-emitter.js';
+
+// CLI
+export { registerMacpCommand } from './cli.js';

packages/mosaic/package.json

@@ -30,7 +30,6 @@
     "@mosaicstack/brain": "workspace:*",
     "@mosaicstack/config": "workspace:*",
     "@mosaicstack/forge": "workspace:*",
-    "@mosaicstack/log": "workspace:*",
     "@mosaicstack/macp": "workspace:*",
     "@mosaicstack/memory": "workspace:*",
     "@mosaicstack/prdy": "workspace:*",

packages/mosaic/src/auth.ts

@@ -74,8 +74,7 @@ export function saveSession(gatewayUrl: string, auth: AuthResult): void {
     expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(), // 7 days
   };
 
-  // 0o600: owner read/write only — the session cookie is a credential
-  writeFileSync(SESSION_FILE, JSON.stringify(session, null, 2), { encoding: 'utf-8', mode: 0o600 });
+  writeFileSync(SESSION_FILE, JSON.stringify(session, null, 2), 'utf-8');
 }
 
 /**

packages/mosaic/src/cli.ts

@@ -3,7 +3,7 @@
 import { createRequire } from 'module';
 import { Command } from 'commander';
 import { registerBrainCommand } from '@mosaicstack/brain';
-import { registerLogCommand } from '@mosaicstack/log';
+import { registerMacpCommand } from '@mosaicstack/macp';
 import { registerMemoryCommand } from '@mosaicstack/memory';
 import { registerQualityRails } from '@mosaicstack/quality-rails';
 import { registerQueueCommand } from '@mosaicstack/queue';
@@ -347,14 +347,14 @@ registerMissionCommand(program);
 
 registerBrainCommand(program);
 
+// ─── macp ────────────────────────────────────────────────────────────────
+
+registerMacpCommand(program);
+
 // ─── quality-rails ──────────────────────────────────────────────────────
 
 registerQualityRails(program);
 
-// ─── log ─────────────────────────────────────────────────────────────────
-
-registerLogCommand(program);
-
 // ─── memory ──────────────────────────────────────────────────────────────
 
 registerMemoryCommand(program);

packages/mosaic/src/commands/gateway.ts

@@ -126,18 +126,10 @@ export function registerGatewayCommand(program: Command): void {
     .description('Sign in to the gateway (defaults to URL from meta.json)')
     .option('-g, --gateway <url>', 'Gateway URL (overrides meta.json)')
     .option('-e, --email <email>', 'Email address')
-    .option(
-      '-p, --password <password>',
-      '[UNSAFE] Avoid — exposes credentials in shell history and process listings',
-    )
+    .option('-p, --password <password>', 'Password')
     .action(async (cmdOpts: { gateway?: string; email?: string; password?: string }) => {
       const { runLogin } = await import('./gateway/login.js');
       const url = getGatewayUrl(cmdOpts.gateway);
-      if (cmdOpts.password) {
-        console.warn(
-          'Warning: --password flag exposes credentials in shell history and process listings.',
-        );
-      }
       try {
         await runLogin({ gatewayUrl: url, email: cmdOpts.email, password: cmdOpts.password });
       } catch (err) {

packages/mosaic/src/commands/gateway/login.ts

@@ -2,62 +2,6 @@ import { createInterface } from 'node:readline';
 import { signIn, saveSession } from '../../auth.js';
 import { readMeta } from './daemon.js';
 
-/**
- * Prompt for a single line of input (with echo).
- */
-export function promptLine(question: string): Promise<string> {
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve) => {
-    rl.question(question, (answer) => {
-      rl.close();
-      resolve(answer.trim());
-    });
-  });
-}
-
-/**
- * Prompt for a secret value without echoing the typed characters to the terminal.
- * Uses TTY raw mode when available so that passwords do not appear in terminal
- * recordings, scrollback, or shared screen sessions.
- */
-export function promptSecret(question: string): Promise<string> {
-  return new Promise((resolve) => {
-    process.stdout.write(question);
-    if (process.stdin.isTTY) {
-      process.stdin.setRawMode(true);
-    }
-    process.stdin.resume();
-    process.stdin.setEncoding('utf-8');
-
-    let secret = '';
-    const onData = (char: string): void => {
-      if (char === '\n' || char === '\r' || char === '\u0004') {
-        process.stdout.write('\n');
-        if (process.stdin.isTTY) {
-          process.stdin.setRawMode(false);
-        }
-        process.stdin.pause();
-        process.stdin.removeListener('data', onData);
-        resolve(secret);
-      } else if (char === '\u0003') {
-        // ^C
-        process.stdout.write('\n');
-        if (process.stdin.isTTY) {
-          process.stdin.setRawMode(false);
-        }
-        process.stdin.pause();
-        process.stdin.removeListener('data', onData);
-        process.exit(130);
-      } else if (char === '\u007f' || char === '\b') {
-        secret = secret.slice(0, -1);
-      } else {
-        secret += char;
-      }
-    };
-    process.stdin.on('data', onData);
-  });
-}
-
 /**
  * Shared login helper used by both `mosaic login` and `mosaic gateway login`.
  * Prompts for email/password if not supplied, signs in, and persists the session.
@@ -67,9 +11,17 @@ export async function runLogin(opts: {
   email?: string;
   password?: string;
 }): Promise<void> {
-  const email = opts.email ?? (await promptLine('Email: '));
-  // Do not trim password — it may intentionally contain leading/trailing whitespace
-  const password = opts.password ?? (await promptSecret('Password: '));
+  let email = opts.email;
+  let password = opts.password;
+
+  if (!email || !password) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
+
+    if (!email) email = await ask('Email: ');
+    if (!password) password = await ask('Password: ');
+    rl.close();
+  }
 
   const auth = await signIn(opts.gatewayUrl, email, password);
   saveSession(opts.gatewayUrl, auth);

packages/mosaic/src/commands/gateway/recover-token.spec.ts

@@ -16,9 +16,14 @@ vi.mock('./daemon.js', () => ({
 
 vi.mock('./login.js', () => ({
   getGatewayUrl: vi.fn().mockReturnValue('http://localhost:14242'),
-  // promptLine/promptSecret are used by ensureSession; return fixed values so tests don't block on stdin
-  promptLine: vi.fn().mockResolvedValue('test@example.com'),
-  promptSecret: vi.fn().mockResolvedValue('test-password'),
+}));
+
+// Mock readline so tests don't block on stdin
+vi.mock('node:readline', () => ({
+  createInterface: vi.fn().mockReturnValue({
+    question: vi.fn((_q: string, cb: (a: string) => void) => cb('test-input')),
+    close: vi.fn(),
+  }),
 }));
 
 const mockFetch = vi.fn();

packages/mosaic/src/commands/gateway/token-ops.ts

@@ -1,6 +1,7 @@
+import { createInterface } from 'node:readline';
 import { loadSession, validateSession, signIn, saveSession } from '../../auth.js';
 import { readMeta, writeMeta } from './daemon.js';
-import { getGatewayUrl, promptLine, promptSecret } from './login.js';
+import { getGatewayUrl } from './login.js';
 
 interface MintedToken {
   id: string;
@@ -57,9 +58,6 @@ export async function mintAdminToken(
 
 /**
  * Persist the new token into meta.json and print the confirmation banner.
- *
- * Emits a warning when the target gateway differs from the locally installed one,
- * so operators are aware that meta.json may not reflect the intended gateway.
  */
 export function persistToken(gatewayUrl: string, minted: MintedToken): void {
   const meta = readMeta() ?? {
@@ -70,15 +68,6 @@ export function persistToken(gatewayUrl: string, minted: MintedToken): void {
     port: parseInt(new URL(gatewayUrl).port || '14242', 10),
   };
 
-  // Warn when the target gateway does not match the locally installed one
-  const targetHost = new URL(gatewayUrl).hostname;
-  if (targetHost !== meta.host) {
-    console.warn(
-      `Warning: token was minted against ${gatewayUrl} but is being saved to the local` +
-        ` meta.json (host: ${meta.host}). Copy the token manually if targeting a remote gateway.`,
-    );
-  }
-
   writeMeta({ ...meta, adminToken: minted.plaintext });
 
   const preview = `${minted.plaintext.slice(0, 8)}...`;
@@ -119,10 +108,13 @@ export async function ensureSession(gatewayUrl: string): Promise<string> {
     console.log(`No session found for ${gatewayUrl}. Please sign in.`);
   }
 
-  // Prompt for credentials — password must not be echoed to the terminal
-  const email = await promptLine('Email: ');
-  // Do not trim password — it may contain intentional leading/trailing whitespace
-  const password = await promptSecret('Password: ');
+  // Prompt for credentials
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
+
+  const email = (await ask('Email: ')).trim();
+  const password = (await ask('Password: ')).trim();
+  rl.close();
 
   const auth = await signIn(gatewayUrl, email, password).catch((err: unknown) => {
     console.error(err instanceof Error ? err.message : String(err));

pnpm-lock.yaml

@@ -404,9 +404,6 @@ importers:
       '@mosaicstack/db':
         specifier: workspace:*
         version: link:../db
-      commander:
-        specifier: ^13.0.0
-        version: 13.1.0
       drizzle-orm:
         specifier: ^0.45.1
         version: 0.45.1(@electric-sql/pglite@0.2.17)(@opentelemetry/api@1.9.0)(@types/better-sqlite3@7.6.13)(@types/pg@8.15.6)(better-sqlite3@12.8.0)(kysely@0.28.11)(postgres@3.4.8)
@@ -419,6 +416,10 @@ importers:
         version: 2.1.9(@types/node@24.12.0)(jsdom@29.0.0(@noble/hashes@2.0.1))(lightningcss@1.31.1)
 
   packages/macp:
+    dependencies:
+      commander:
+        specifier: ^13.0.0
+        version: 13.1.0
     devDependencies:
       '@types/node':
         specifier: ^22.0.0
@@ -472,9 +473,6 @@ importers:
       '@mosaicstack/forge':
         specifier: workspace:*
         version: link:../forge
-      '@mosaicstack/log':
-        specifier: workspace:*
-        version: link:../log
       '@mosaicstack/macp':
         specifier: workspace:*
         version: link:../macp