IUH-M02: Wizard remediation — hooks visibility, password masking, headless path #426

New Issue

Closed

opened 2026-04-05 16:47:34 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-04-05 16:47:34 +00:00

Owner

Copy Link

Mission: install-ux-hardening-20260405
Milestone: IUH-M02
Branch: feat/wizard-remediation
Agent tier: sonnet
Depends on: IUH-M01

Problem

Post-cli-unification audit surfaced three wizard UX gaps that are all small, surgical fixes:

1. bootstrapFirstUser in packages/mosaic/src/commands/gateway/install.ts:503 prompts for admin password via rl.question() which echoes plaintext — not masked, no confirmation.
2. Hooks in framework/runtime/claude/hooks-config.json and framework/runtime/claude/settings.json are copied into ~/.claude/ silently by mosaic-link-runtime-assets during framework install. User has no visibility, no confirmation, no management surface.
3. runConfigWizard and bootstrapFirstUser both use direct rl.question with no headless/env-var path. tools/install.sh --yes does NOT propagate through these — CI/Docker installs hang.

Scope

• Password masking: replace plaintext rl.question('Admin password...') with a masked TTY reader (echo * or nothing) + a confirmation prompt
• Hooks preview stage added to wizard (after runtimeSetupStage, before skillsSelectStage): parse framework/runtime/claude/hooks-config.json, show each hook name + description + trigger, prompt for confirmation, record acceptance
• mosaic config hooks list, mosaic config hooks enable <name>, mosaic config hooks disable <name> subcommands
• Headless path: env-var driven runConfigWizard (MOSAIC_ASSUME_YES, MOSAIC_GATEWAY_PORT, MOSAIC_STORAGE_TIER, MOSAIC_DATABASE_URL, MOSAIC_VALKEY_URL, MOSAIC_CORS_ORIGIN, MOSAIC_ANTHROPIC_API_KEY) and bootstrapFirstUser (MOSAIC_ADMIN_NAME, MOSAIC_ADMIN_EMAIL, MOSAIC_ADMIN_PASSWORD)
• When MOSAIC_ASSUME_YES=1 and stdin is not a TTY, skip all interactive prompts and use env vars or defaults; fail clearly if required env vars are missing

Success Criteria

• Password entry is masked (no plaintext echo) with confirmation step
• Wizard shows hooks preview + confirmation before installing them
• mosaic config hooks list shows currently active hooks
• MOSAIC_ASSUME_YES=1 MOSAIC_ADMIN_NAME=test MOSAIC_ADMIN_EMAIL=test@local MOSAIC_ADMIN_PASSWORD=xxx mosaic gateway install completes without any prompts
• Vitest coverage for all three
• Independent code review completed
• PR merged to main, CI green, issue closed

Files to touch

• packages/mosaic/src/commands/gateway/install.ts — password masking + headless path
• packages/mosaic/src/stages/hooks-preview.ts (new) — wizard stage
• packages/mosaic/src/wizard.ts — wire new stage
• packages/mosaic/src/commands/config.ts — add hooks subcommands
• packages/mosaic/src/prompter/* — masked password helper
• Tests: install.spec.ts, hooks-preview.spec.ts, config.spec.ts

**Mission:** install-ux-hardening-20260405 **Milestone:** IUH-M02 **Branch:** feat/wizard-remediation **Agent tier:** sonnet **Depends on:** IUH-M01 ## Problem Post-cli-unification audit surfaced three wizard UX gaps that are all small, surgical fixes: 1. `bootstrapFirstUser` in `packages/mosaic/src/commands/gateway/install.ts:503` prompts for admin password via `rl.question()` which echoes plaintext — not masked, no confirmation. 2. Hooks in `framework/runtime/claude/hooks-config.json` and `framework/runtime/claude/settings.json` are copied into ~/.claude/ silently by `mosaic-link-runtime-assets` during framework install. User has no visibility, no confirmation, no management surface. 3. `runConfigWizard` and `bootstrapFirstUser` both use direct `rl.question` with no headless/env-var path. `tools/install.sh --yes` does NOT propagate through these — CI/Docker installs hang. ## Scope - [ ] Password masking: replace plaintext `rl.question('Admin password...')` with a masked TTY reader (echo * or nothing) + a confirmation prompt - [ ] Hooks preview stage added to wizard (after `runtimeSetupStage`, before `skillsSelectStage`): parse `framework/runtime/claude/hooks-config.json`, show each hook name + description + trigger, prompt for confirmation, record acceptance - [ ] `mosaic config hooks list`, `mosaic config hooks enable <name>`, `mosaic config hooks disable <name>` subcommands - [ ] Headless path: env-var driven `runConfigWizard` (`MOSAIC_ASSUME_YES`, `MOSAIC_GATEWAY_PORT`, `MOSAIC_STORAGE_TIER`, `MOSAIC_DATABASE_URL`, `MOSAIC_VALKEY_URL`, `MOSAIC_CORS_ORIGIN`, `MOSAIC_ANTHROPIC_API_KEY`) and `bootstrapFirstUser` (`MOSAIC_ADMIN_NAME`, `MOSAIC_ADMIN_EMAIL`, `MOSAIC_ADMIN_PASSWORD`) - [ ] When `MOSAIC_ASSUME_YES=1` and stdin is not a TTY, skip all interactive prompts and use env vars or defaults; fail clearly if required env vars are missing ## Success Criteria - [ ] Password entry is masked (no plaintext echo) with confirmation step - [ ] Wizard shows hooks preview + confirmation before installing them - [ ] `mosaic config hooks list` shows currently active hooks - [ ] `MOSAIC_ASSUME_YES=1 MOSAIC_ADMIN_NAME=test MOSAIC_ADMIN_EMAIL=test@local MOSAIC_ADMIN_PASSWORD=xxx mosaic gateway install` completes without any prompts - [ ] Vitest coverage for all three - [ ] Independent code review completed - [ ] PR merged to main, CI green, issue closed ## Files to touch - `packages/mosaic/src/commands/gateway/install.ts` — password masking + headless path - `packages/mosaic/src/stages/hooks-preview.ts` (new) — wizard stage - `packages/mosaic/src/wizard.ts` — wire new stage - `packages/mosaic/src/commands/config.ts` — add hooks subcommands - `packages/mosaic/src/prompter/*` — masked password helper - Tests: install.spec.ts, hooks-preview.spec.ts, config.spec.ts

jason.woltje referenced this issue from a commit 2026-04-05 17:10:23 +00:00

docs: scaffold install-ux-hardening mission + archive cli-unification

jason.woltje referenced this issue 2026-04-05 17:10:41 +00:00

docs: scaffold install-ux-hardening mission + archive cli-unification #430

jason.woltje referenced this issue from a commit 2026-04-05 17:35:54 +00:00

feat: wizard remediation — password mask, hooks preview, headless (IUH-M02)

jason.woltje referenced a pull request that will close this issue 2026-04-05 17:36:36 +00:00

feat: wizard remediation — password mask, hooks preview, headless (IUH-M02) #431

jason.woltje referenced this issue from a commit 2026-04-05 17:44:39 +00:00

feat: wizard remediation — password mask, hooks preview, headless (IUH-M02)

jason.woltje closed this issue 2026-04-05 17:47:54 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/mosaic-v0.0.29

fix/installer-idempotent-creds

feat/framework-superpowers-enforcement

feat/install-ux-intent

feat/install-ux-polish

docs/iuv-m01-complete

fix/build-vitest-allowdefault

fix/bootstrap-hotfix

docs/install-ux-v2-scaffold

release/mosaic-v0.0.25

docs/iuh-mission-complete

feat/unified-first-run

docs/iuh-m02-complete

feat/wizard-remediation

feat/mosaic-macp-cli

fix/gateway-token-recovery-review

feat/mosaic-auth-cli

feat/mosaic-forge-cli-v2

feat/mosaic-storage-cli

feat/mosaic-memory-cli

feat/gateway-token-recovery

feat/mosaic-forge-cli

feat/mosaic-config-command

feat/mosaic-queue-cli

feat/mosaic-brain-cli

feat/mosaic-help-alphabetize

docs/gateway-token-recovery-plan

chore/bump-mosaic-0.0.21

fix/populate-known-packages-list

fix/publish-loud-errors

fix/gitea-org-rename

fix/gateway-install-ux

fix/rename-mosaic-scope-391

fix/db-memory-queue-publish-drift

fix/updater-wrapper-gitea-387

fix/config-package-version-drift

fix/updater-mosaic-package-382

fix/merge-cli-into-mosaic

fix/metapackage-cli-dep

chore/bump-cli-mosaic-0.0.16

fix/gateway-deprecation-warnings

fix/gateway-install-prefix-eacces

chore/gateway-default-port-14242

fix/gateway-scoped-registry

fix/gateway-install-registry

chore/bump-0.0.11

feat/gateway-local-tier

feat/task-1775219952-fix-add-build-tools-to-ci-install-step-for-better-sqlite3

fix/pnpm-build-scripts

fix/storage-sqlite-ci

feat/storage-abstraction

fix/idempotent-init

mosaic-v0.0.29

mosaic-v0.0.28

mosaic-v0.0.27

mosaic-v0.0.26

mosaic-v0.0.25

mosaic-v0.0.24

v0.2.0

v0.1.0

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaicstack/stack#426