mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

feat(mosaic): gateway token recovery via BetterAuth cookie #411

Merged
jason.woltje merged 1 commits from feat/gateway-token-recovery into main 2026-04-05 05:43:50 +00:00
Conversation 0 Commits 1 Files Changed 7 +720 -4
jason.woltje commented 2026-04-05 05:26:40 +00:00
Owner
Copy Link

Mission: cli-unification-20260404. Tasks: CU-03-03, CU-03-04, CU-03-05, CU-03-06, CU-03-07. Design doc: PR 401.

Commands added:

mosaic gateway login - Thin wrapper with gateway URL defaulting from meta.json, falling back to localhost:14242. Email and password prompted if not supplied as flags.

mosaic gateway config rotate-token - Requires a stored valid BetterAuth session. Calls POST /api/admin/tokens with the session cookie and writes the returned plaintext to meta.json.

mosaic gateway config recover-token - Stranded-operator entry point. If no valid session exists, prompts for email and password inline, signs in, saves the session, then mints and persists a new admin token.

Installer fix - bootstrapFirstUser in install.ts now offers inline token recovery when admin user exists but no token is on file. In TTY mode it prompts; non-interactive prints the recover-token hint.

New files: login.ts, token-ops.ts, login.spec.ts (5 tests), rotate-token.spec.ts (10 tests), recover-token.spec.ts (7 tests).

All gates green: 100 tests pass, typecheck clean, lint clean, format clean.

Mission: cli-unification-20260404. Tasks: CU-03-03, CU-03-04, CU-03-05, CU-03-06, CU-03-07. Design doc: PR 401. Commands added: mosaic gateway login - Thin wrapper with gateway URL defaulting from meta.json, falling back to localhost:14242. Email and password prompted if not supplied as flags. mosaic gateway config rotate-token - Requires a stored valid BetterAuth session. Calls POST /api/admin/tokens with the session cookie and writes the returned plaintext to meta.json. mosaic gateway config recover-token - Stranded-operator entry point. If no valid session exists, prompts for email and password inline, signs in, saves the session, then mints and persists a new admin token. Installer fix - bootstrapFirstUser in install.ts now offers inline token recovery when admin user exists but no token is on file. In TTY mode it prompts; non-interactive prints the recover-token hint. New files: login.ts, token-ops.ts, login.spec.ts (5 tests), rotate-token.spec.ts (10 tests), recover-token.spec.ts (7 tests). All gates green: 100 tests pass, typecheck clean, lint clean, format clean.
jason.woltje added 1 commit 2026-04-05 05:26:42 +00:00
feat(mosaic): gateway token recovery via BetterAuth cookie (CU-03-03..07)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
41f5d34072 
Add mosaic gateway login subcommand with meta.json URL default, config
rotate-token and recover-token subcommands for admin token minting via
BetterAuth session cookie, fix the bootstrapFirstUser dead-end when admin
exists but no token is on file, and add Vitest tests for all new flows.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jason.woltje merged commit 5917016509 into main 2026-04-05 05:43:50 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
jason.woltje
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaicstack/stack#411
Delete Branch "feat/gateway-token-recovery"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?