npm - @awebai/claude-skills - Versions diffs - 0.2.10 → 0.2.12 - Mend

@awebai/claude-skills 0.2.10 → 0.2.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/.claude-plugin/plugin.json +1 -1
package/package.json +1 -1
package/skills/aweb-bootstrap/SKILL.md +320 -139
package/skills/aweb-bootstrap/references/bootstrap-scenarios.md +222 -67
package/skills/aweb-identity/SKILL.md +3 -3
package/skills/aweb-messaging/SKILL.md +10 -8
package/skills/aweb-team-membership/SKILL.md +10 -3

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aweb-skills",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "description": "aweb agent coordination skills: teach your Claude Code agent how to use the aw CLI for mail, chat, tasks, and team coordination.",
   "author": {
     "name": "awebai"

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@awebai/claude-skills",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "description": "Content-only Claude Code plugin shipping the canonical aweb agent-coordination skills: aweb-coordination, aweb-messaging, aweb-team-membership, aweb-bootstrap, aweb-identity.",
   "license": "MIT",
   "homepage": "https://aweb.ai",

package/skills/aweb-bootstrap/SKILL.md CHANGED Viewed

@@ -1,267 +1,448 @@
 ---
 name: aweb-bootstrap
-description: This skill should be used when helping a human create or join an aweb team from a template (aw team bootstrap), choosing a template and team source (hosted new team, BYOT, API key, invite, or current workspace forwarding), selecting work-directory vs work-repo-url, provisioning optional worktree agents, and validating/re-running bootstrap safely.
+description: This skill should be used when helping a human create, provision, add, or remove repo-local aweb agents with the `aw agents` lifecycle from a template, choosing a team source (hosted new team, BYOT, API key, invite, or current workspace forwarding), using the project-local agents/ layout, provisioning optional worktree-bound agents, and validating/re-running safely.
 allowed-tools: "Bash(aw *)"
 ---
 # aweb Bootstrap
-Use this skill when a human wants to create or extend an aweb team from a reusable template, and you need to guide them through `aw team bootstrap` decisions and validation.
+Use this skill when a human wants to create or extend a repo-local
+aweb agent team from a reusable template, and you need to guide them
+through `aw agents` decisions and validation.
-This skill is about **mental model + decision policy + safe execution**, not memorizing flags.
+This skill is about **mental model + decision policy + safe
+execution**, not memorizing flags.
 Related skills:
 - For day-to-day coordination once the team exists: `aweb-coordination`
 - For mail/chat response policy: `aweb-messaging`
-- For joining an existing team, multi-team membership, custody, addressability, and contacts: `aweb-team-membership`
+- For joining an existing team, multi-team membership, custody,
+  addressability, and contacts: `aweb-team-membership`
 Long-form reference: docs/team-bootstrap.md in the aweb repo.
 ## Mental model: what bootstrap is assembling
-`aw team bootstrap` combines four separate things that are easy to confuse:
+`aw agents bootstrap` combines five separate things that are easy to
+confuse:
 1) Template repo — the blueprint.
-- Contains `team.yaml`, role playbooks, shared instructions, and `agents/<responsibility>/AGENTS.md` files.
-- The template says what responsibilities should exist and which `role_name` each should use.
-2) Work directory or work repo — the thing agents work on.
-- `--work-directory` points at an existing folder.
-- `--work-repo-url` clones a repo into `<template>/worktrees/<derived-name>/` and uses that clone as the work directory.
-- Each responsibility workspace gets this directory symlinked as `./work`.
+- Contains `team.yaml`, role playbooks, shared instructions, and
+  `home/<responsibility>/AGENTS.md` files.
+- The template says what responsibilities should exist and which
+  `role_name` each should use.
+- The template is identity-free. Do not put final aliases, DIDs,
+  global addresses, certs, or per-human state in committed
+  `team.yaml`.
+2) Generated project-local agents directory — where humans start agents.
+- By default, run bootstrap from the root of the work repo.
+- Bootstrap creates `agents/` in that repo. Every live agent home is
+  under `agents/home/<responsibility>/`.
+- The coordinator/global-style home normally has `work -> <repo-root>`.
+- Worktree-bound homes still live under
+  `agents/home/<responsibility>/`; their `work` symlink points at
+  `agents/worktrees/<worktree-name>/`.
+- Use `--agents-dir <name>` only when the repo already uses `agents/`
+  for something else. If the target directory exists, bootstrap must
+  fail before side effects.
 3) Team source — the authority/context the generated agents join.
-- Hosted new team, existing hosted team via `AWEB_API_KEY`, explicit `--invite-token`, current workspace forwarding, or BYOT.
-- Exactly one explicit source is allowed. If no explicit source is set and cwd is already an aw workspace, bootstrap forwards that current team. If no current workspace exists and the run is interactive, bootstrap creates a hosted team. Non-interactive runs need an explicit source.
-4) Generated workspaces — the identities that will act.
-- Each `agents/<responsibility>/` directory becomes an aw workspace with its own identity and team certificate.
-- The **first generated plan** is the anchor: bootstrap connects it first, installs roles/instructions from that workspace's team context, then invites/connects the rest.
-- Do not assume a responsibility named `implementation` is special. The anchor is the first plan the CLI generated.
+- Hosted new team, existing hosted team via `AWEB_API_KEY`, explicit
+  `--invite-token`, current workspace forwarding, or BYOT.
+- Exactly one explicit source is allowed. If no explicit source is set
+  and cwd is already an aw workspace, bootstrap forwards that current
+  team. If no current workspace exists and the run is interactive,
+  bootstrap creates a hosted team. Non-interactive runs need an
+  explicit source.
+4) Per-human naming — how shared layouts avoid collisions.
+- Use `--identity-prefix <slug>` for shared repos. Examples: `juan`,
+  `maria`, `acme-dev`.
+- Canonical multi-human templates use patterns such as
+  `{user}-{classic-name}` for local aliases and
+  `{user}-{responsibility}` for global address names.
+- Never commit the final planned alias/address to `team.yaml`; it
+  belongs in ignored `.aw/` state under each agent home.
+5) Generated workspaces — the identities that will act.
+- Each `agents/home/<responsibility>/` directory becomes an aw
+  workspace with its own identity and team certificate.
+- The **first generated plan** is the anchor: bootstrap connects it
+  first, installs roles/instructions from that workspace's team
+  context, then invites/connects the rest.
+- Do not assume a responsibility named `implementation` is special.
+  The anchor is the first plan the CLI generated.
 Aweb team source terms:
 - Hosted new team: aweb.ai creates/hosts the team.
-- API key: joins the hosted team represented by `AWEB_API_KEY`; `--aweb-url`/`AWEB_URL` is optional and defaults to hosted aweb.ai.
+- API key: joins the hosted team represented by `AWEB_API_KEY`;
+  `--aweb-url`/`AWEB_URL` is optional and defaults to hosted aweb.ai.
 - Invite token: first generated workspace accepts an existing invite.
-- Current workspace forwarding: caller cwd already has `.aw`; bootstrap creates a one-use invite from that active team.
-- BYOT: bring your own team. This includes bringing your own domain/namespace and controller key. Do not describe a separate domain-only bootstrap mode.
+- Current workspace forwarding: caller cwd already has `.aw`;
+  bootstrap creates a one-use invite from that active team.
+- BYOT: bring your own team. This includes bringing your own
+  domain/namespace and controller key. Do not describe a separate
+  domain-only bootstrap mode.
-## Bootstrap vs join (first decision)
+## Bootstrap vs provision vs add
-Bootstrap when:
+Use `aw agents bootstrap` when:
+- You are creating the committed `agents/` layout for a repo.
 - You are creating a brand-new team from a template.
-- You are extending an existing team with a template-defined set of agent workspaces, roles, and instructions.
-- You want reproducible setup for multiple agents/workspaces.
-- You want a “one command resolves the team source + installs roles + provisions agent dirs” flow.
+- You are extending an existing team with a template-defined set of
+  agent homes, roles, and instructions.
+Use `aw agents provision` when:
+- The repo already has a committed `agents/` layout.
+- Another human needs their own local `.aw/` state for the same
+  responsibilities.
+- They have an invite, API key, BYOT authority, or current workspace
+  context for the same team.
+Use `aw agents add` or `aw agents add-worktree` when:
+- The layout already exists and you need one more responsibility.
+- You want a repo-root agent (`add`) or isolated git worktree agent
+  (`add-worktree`).
 Do NOT bootstrap when:
-- The team already exists and you just need to add yourself: use `aweb-team-membership` and the `aw id team ...` commands.
-- You only need another workspace for yourself: use `aw workspace add-worktree` (git worktree) or create another directory and `aw init` it.
+- The team already exists and you just need to add yourself: use
+  `aweb-team-membership` and the `aw id team ...` commands.
+- You only need another workspace for yourself outside the repo-local
+  convention: use `aw workspace add-worktree` or create another
+  directory and `aw init` it.
-## Pick a template (what team shape are we creating?)
+## Pick a template
 Canonical templates:
-- awebai/aweb-team-dev-review (2 agents)
-  Use when you want the smallest meaningful team: implementation + review.
-- awebai/aweb-team-company-surfaces (6 agents)
-  Use when you want a cross-functional team: direction/engineering/operations/support/outreach/analytics.
+- awebai/aweb-team-coord-worktrees
+  Use when you want a coordinator plus isolated developer/reviewer git
+  worktrees in the current repo.
+- awebai/aweb-team-company-surfaces
+  Use when you want a cross-functional team: direction/engineering/
+  operations/support/outreach/analytics.
 Fork/edit vs use-as-is:
 - Use as-is to learn the flow or to run a standard team.
-- Clone or fork when you want to customize roles, responsibilities, or instructions before provisioning.
-- It is safe to edit the template checkout before applying it; `aw team bootstrap` reads `team.yaml`, `roles/`, `docs/`, and `agents/` from the local template directory at run time.
+- Clone or fork when you want to customize roles, responsibilities, or
+  instructions before provisioning.
+- It is safe to edit the template checkout before applying it;
+  `aw agents bootstrap` reads `team.yaml`, `roles/`, `docs/`, and
+  `home/` from the local template directory at run time.
 ## Customizing a template before applying it
-When the human wants different agents, role playbooks, names, or instructions, do not try to patch the generated workspaces after bootstrap. Clone/edit the template first, then bootstrap the edited local directory.
+When the human wants different agents, role playbooks, names, or
+instructions, do not patch generated workspaces after bootstrap.
+Clone/edit the template first, then bootstrap the edited local
+directory.
 Typical safe flow:
 ```bash
-git clone https://github.com/awebai/aweb-team-dev-review.git my-team-template
+git clone https://github.com/awebai/aweb-team-coord-worktrees.git my-team-template
 cd my-team-template
-# edit team.yaml, roles/*.md, docs/team.md, agents/<responsibility>/AGENTS.md
-aw team bootstrap . --dry-run --work-directory /path/to/work
-aw team bootstrap . --work-directory /path/to/work
+# edit team.yaml, roles/*.md, docs/team.md, home/<responsibility>/AGENTS.md
+cd /path/to/project-repo
+aw agents bootstrap /path/to/my-team-template --dry-run --identity-prefix juan
+aw agents bootstrap /path/to/my-team-template --username alice --identity-prefix juan
 ```
 What to edit:
-- `team.yaml` roles: add/remove role names and point each to a role file.
-- `team.yaml` agents: add/remove responsibility workspaces and set each `role_name`, `default_name`, and `default_alias`.
-- `team.yaml` worktrees: add/remove local git-worktree agents for code work.
-- `roles/*.md`: change operational playbooks installed with `aw roles`.
-- `docs/team.md`: change shared team instructions installed after the anchor connects.
-- `agents/<responsibility>/AGENTS.md`: change per-workspace startup context.
+- `team.yaml` roles: add/remove role names and point each to a role
+  file.
+- `team.yaml` agents: add/remove responsibility workspaces and set
+  each `role_name`, optional `identity_scope`, optional
+  `home_template`, and optional `work`.
+- `team.yaml` naming: for shared repos, prefer
+  `naming.local_alias.pattern: "{user}-{classic-name}"`.
+- Use `work: repo_root` for an agent whose `work` symlink points to
+  the project repo root.
+- Use `work: git_worktree` for an agent whose `work` symlink points
+  to a generated git worktree under `agents/worktrees/`.
+- `roles/*.md`: change operational playbooks installed with
+  `aw roles`.
+- `docs/team.md`: change shared team instructions installed after the
+  anchor connects.
+- `home/<responsibility>/AGENTS.md`: change per-workspace startup
+  context.
+Do not use `default_name` or `default_alias` in current templates.
+Those are legacy hints only and must not become committed identity
+state.
+## Before running bootstrap
+1) For the default layout, run bootstrap from the root of the project
+git repo.
+- Bootstrap creates `agents/` there.
+- If `agents/` exists, stop. Do not ask bootstrap to adopt, merge, or
+  overwrite it.
+- If the project already has a different `agents/` directory, ask the
+  human for a different `--agents-dir <name>`.
+2) Decide the team source. This affects whether bootstrap creates a
+new hosted team, joins an API-key/invite team, forwards the current
+team, or uses BYOT.
+3) Decide the identity prefix. Shared repos should always pass
+`--identity-prefix <human-slug>` explicitly.
+## Default layout: project-local agents/
+New bootstrap runs should normally use the default layout:
-Default agent names are accepted automatically. Only use `--ask-for-agent-names` when a human specifically wants an interactive rename prompt during bootstrap.
-## Before running bootstrap (safety checks)
-1) Run bootstrap from a directory that is NOT already inside a git repo/worktree.
-- If you are inside a git repo/worktree and you are using a remote template ref, bootstrap will refuse to clone by default.
-- Use `--template-cache-dir` as the explicit escape hatch when you must run from inside a repo.
+```bash
+cd /path/to/project-repo
+aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+  --username alice \
+  --identity-prefix juan
+```
-2) Decide the “work” directory model (see next section). This affects whether agents share one checkout or get isolated worktrees.
+Expected generated shape:
+```text
+agents/
+  team.yaml
+  docs/
+  roles/
+  home/
+    coordinator/
+      .aw/
+      AGENTS.md
+      work -> ../../..
+    developer/
+      .aw/
+      AGENTS.md
+      work -> ../../worktrees/developer
+    reviewer/
+      .aw/
+      AGENTS.md
+      work -> ../../worktrees/reviewer
+  worktrees/
+    developer/
+    reviewer/
+```
-## Exactly one of: work-directory OR work-repo-url (XOR)
+The repo root itself is not an aw workspace. Start Codex, Claude Code,
+or Pi from an agent home:
-Bootstrap needs a directory to symlink into each agent workspace as ./work.
+```bash
+cd agents/home/coordinator
+codex
+```
-You must provide exactly one of:
+Bootstrap writes scoped `.gitignore` entries for
+`agents/home/*/.aw/`, `agents/home/*/work`, and `agents/worktrees/`.
+It must not ignore the whole `agents/` directory.
-A) --work-directory PATH
+If an older generated repo tracked `agents/home/*/work`, remove those
+symlinks from git after upgrading:
-- Use when you already have a local directory you want agents to use as work.
-- For code teams with worktree agents (team.yaml worktrees:), PATH must be a git repo.
+```bash
+git rm --cached agents/home/*/work
+git add .gitignore agents
+git commit -m "agents: ignore generated work symlinks"
+```
-B) --work-repo-url VALUE
+## Multi-human shared repo flow
-- Use when you want bootstrap to clone a repo for you.
-- VALUE can be a URL or a local path; bootstrap runs “git clone VALUE” into:
+First human:
-  <template-checkout>/worktrees/<derived-name>/
+```bash
+cd /path/to/project-repo
+aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+  --username alice \
+  --identity-prefix juan
+git add agents .gitignore
+git commit -m "agents: add team layout"
+```
-  where <derived-name> matches git’s default directory naming (basename, .git stripped).
+Second human:
-- That clone destination is then used as the effective work directory (symlinked as ./work in each agent workspace).
+```bash
+git pull
+aw agents provision --invite-token <token> --identity-prefix maria
+cd agents/home/coordinator
+codex
+```
-If both flags are set, treat it as a user error and stop.
+The second human does not run bootstrap over the existing `agents/`
+directory. Provision reads the committed layout and writes only ignored
+local state.
 ## Team source policy
-Non-dry-run bootstrap needs one coherent team source. This is the most important decision: it determines which team owns the roles, instructions, tasks, mail, chat, and membership certificates created during bootstrap.
+Non-dry-run bootstrap needs one coherent team source.
 Resolution order:
-- If any explicit source is set (`AWEB_API_KEY`, `--invite-token`, `--username`, or `--namespace/--team`), do not set another explicit source.
-- If no explicit source is set and cwd is an initialized aw workspace, bootstrap forwards the current active team.
-- If no explicit source is set, cwd is not an aw workspace, and the run is interactive, bootstrap creates/uses a hosted team through onboarding prompts.
-- If no source can be resolved, stop and ask the human which team source to use.
-The first generated agent workspace is the anchor: bootstrap connects it first, installs roles/instructions from that workspace's team context, then invites/connects the remaining agents and any declared worktree agents.
+- If any explicit source is set (`AWEB_API_KEY`, `--invite-token`,
+  `--username`, or `--namespace/--team`), do not set another explicit
+  source.
+- If no explicit source is set and cwd is an initialized aw workspace,
+  bootstrap forwards the current active team.
+- If no explicit source is set, cwd is not an aw workspace, and the
+  run is interactive, bootstrap creates/uses a hosted team through
+  onboarding prompts.
+- If no source can be resolved, stop and ask the human which team
+  source to use.
 Supported sources:
-1) Hosted new team (aweb.ai)
+1) Hosted new team
 - Best for first-time teams.
 - Use `--username <name>` or run interactively in a TTY.
-- Bootstrap uses the same hosted onboarding path as `aw init` for the first generated workspace.
+- Bootstrap uses the same hosted onboarding path as `aw init` for the
+  first generated workspace.
 2) Existing hosted team via API key
 - If `AWEB_API_KEY` is set, bootstrap joins the API key's hosted team.
-- `--aweb-url`/`AWEB_URL` is optional; when omitted, the hosted aweb.ai default is used. Set it only to target a non-default stack.
+- `--aweb-url`/`AWEB_URL` is optional; when omitted, the hosted
+  aweb.ai default is used.
 - Do not also pass `--username`, `--invite-token`, or BYOT flags.
 3) Existing team via invite token
 - Pass `--invite-token <token>`.
-- Bootstrap accepts it into the first generated workspace, then creates further invites from that established team context.
+- Bootstrap accepts it into the first generated workspace, then
+  creates further invites from that established team context.
 4) Current workspace forwarding
-- If the caller's cwd is already initialized for aw and no explicit source is set, bootstrap creates a one-use invite from the current active team and accepts it into the first generated workspace.
-- This is the safe default for adding a template team shape to the team you are already using.
+- If caller cwd is already initialized for aw and no explicit source
+  is set, bootstrap creates a one-use invite from the current active
+  team and accepts it into the first generated workspace.
-5) BYOT (bring your own team)
+5) BYOT
-- Use `--namespace <domain> --team <slug>` when the team's namespace/domain and controller key live in your environment.
-- BYOT includes bringing your own domain; there is no separate supported domain-only bootstrap mode.
-- Bootstrap creates/ensures the team in that namespace, invites the first generated workspace, then uses it as the anchor.
+- Use `--namespace <domain> --team <slug>` when the team's namespace/
+  domain and controller key live in your environment.
+- Bootstrap creates/ensures the team in that namespace, invites the
+  first generated workspace, then uses it as the anchor.
 Decision recipe:
-- Human says “make me a new team” and has no existing aw context: use hosted (`--username` or interactive prompt).
-- Human has a dashboard/API key: use `AWEB_API_KEY=... aw team bootstrap ...`; do not ask for `AWEB_URL` unless they are using a non-default stack.
+- Human says "make me a new team" and has no existing aw context: use
+  hosted (`--username` or interactive prompt) plus
+  `--identity-prefix`.
+- Human has a dashboard/API key: use
+  `AWEB_API_KEY=... aw agents bootstrap ... --identity-prefix <slug>`.
 - Human pasted an invite: use `--invite-token`.
-- Human is already inside the team workspace that should own the new agents: use current workspace forwarding (no explicit source).
-- Human controls a namespace/domain and wants the team under that namespace: use BYOT (`--namespace` + `--team`).
-Policy guidance:
+- Human is already inside the team workspace that should own the new
+  agents: use current workspace forwarding.
+- Human controls a namespace/domain and wants the team under that
+  namespace: use BYOT (`--namespace` + `--team`).
-- Prefer hosted for “get a working team now”.
-- Prefer API key or invite when the team already exists but the caller is not already inside it.
-- Prefer current workspace forwarding when you are already inside the target team.
-- Prefer BYOT when you need local control over the team namespace/domain and routing.
-- Use `--dry-run` for planning only. It prints the resolved plan (template ref, work directory, team source, generated workspaces) without writing identities, files, or server state. Do not pair it with side-effecting flags expecting partial provisioning.
-## Worktree agents (team.yaml worktrees:)
+## Adding agents later
-Worktree agents are an OPTIONAL second layer for codebases where multiple agents will edit in parallel.
+Add a repo-root local responsibility:
-- Responsibility workspaces live under agents/<responsibility>/.
-- Worktree agents live under worktrees/ and each has its own git worktree checkout and its own .aw/ identity state.
+```bash
+aw agents add support --role support
+```
-Turn worktree agents on when:
+Add a worktree-bound local responsibility:
-- The work directory is a git repo.
-- Multiple agents will change files in parallel.
-- You want each agent’s edits isolated until you merge.
+```bash
+aw agents add-worktree developer --role developer
+```
-Leave it off when:
+Add a global BYOT responsibility:
-- Work is non-code.
-- Only one agent edits at a time.
+```bash
+aw agents add support \
+  --global \
+  --namespace example.com \
+  --team circle \
+  --identity-prefix juan
+```
-Operational note:
+Remove explicitly separates layout and identity effects:
-- Worktree agents are local-only identities by design; they are for parallel local work, not for global addressability.
+```bash
+aw agents remove support --remove-layout
+aw agents remove support --deprovision-local
+aw agents remove support --delete-global-address
+```
-## After bootstrap: validate that the team is actually usable
+`--remove-layout` does not revoke other humans' certs and does not
+delete their ignored `.aw/` state.
-For each agent directory under agents/<responsibility>/:
+`--deprovision-local` uses the local team controller key for self-custodial
+teams. For hosted-managed cert-only agents, it can use the agent's own signing
+key and active team certificate to ask the hosted service to deprovision that
+same agent. It must not be described as dashboard authority over BYOT members.
-- Run `aw workspace status` to confirm:
-  - the workspace is initialized
-  - the active team is correct
-  - the identity is present
+`--delete-global-address` is opt-in. Self-custodial namespaces require the
+local namespace controller key. Hosted-managed global agents can delete only
+hosted-managed addresses through hosted self-deprovision; BYOT/unmanaged
+addresses remain customer-controller-owned.
-- Run `aw whoami` to confirm the identity fields are present.
+Map hosted self-deprovision structured errors to concrete recovery:
-- If you use a wake-up path (Pi extension / Claude Code channel plugin), start it inside the agent directory after initialization.
+- `hosted_team_controller_required`: use/restore the self-custodial team
+  controller key; this is not a hosted-managed team.
+- `global_address_not_hosted_managed`: delete the address with the customer
+  namespace controller; the hosted service must not delete BYOT/unmanaged
+  addresses.
+- `delete_global_address_required`: rerun with `--delete-global-address` for a
+  hosted-managed global agent.
+- `local_identity_has_no_global_address`: rerun without
+  `--delete-global-address`; local identities do not have global addresses.
-## Re-run safety and idempotence (how to avoid making a mess)
+## Legacy mode
-When iterating on templates or recovering from partial setup:
+Legacy out-of-repo mode is still supported for existing scripts that
+pass `--work-directory` or `--work-repo-url`. Do not choose it for a
+new customer unless they explicitly need the old shape.
-- Use `--dry-run` first to validate the plan.
-- Use `--refresh-template` only when you intend to re-clone over a previous template checkout.
-- Treat identity/certificate state under .aw/ as the source of truth; do not delete it casually.
-- If you need to create a fresh workspace, do it in a new directory rather than mutating an existing identity in place.
+## After bootstrap: validate that the team is usable
-If bootstrap fails mid-way:
+For each agent directory under `agents/home/<responsibility>/`:
-- Capture the first failing command and error.
-- Do not keep retrying blindly; first confirm whether some workspaces were already created and connected.
-- Prefer completing the remaining agent dirs rather than redoing everything.
+- Run `aw workspace status` to confirm the workspace is initialized,
+  the active team is correct, and the identity is present.
+- Run `aw whoami` to confirm identity fields are present.
+- If you use a wake-up path (Pi extension / Claude Code channel
+  plugin), start it inside the agent directory after initialization.
-## Adding agents later
+## Troubleshooting policy
-Two common expansions after initial bootstrap:
+If bootstrap fails:
-- Add another responsibility workspace: create a new directory and run `aw init` (or extend your template and bootstrap a new repo).
-- Add another isolated code workspace on the same repo: use `aw workspace add-worktree`.
+- Stop and capture the first error.
+- Do not retry over an existing `agents/` directory.
+- Prefer explicit recovery with `aw agents provision`, `aw agents add`,
+  or `aw agents remove` over deleting `.aw/` state.
+- If you must remove generated state, inspect/back up `.aw/` first.
-When in doubt, choose the smallest change that preserves existing identities and avoids rewriting certificates.
+If a multi-human provision hits an alias/address conflict, rerun with a
+different `--identity-prefix` or naming pattern. Invite-only flows may
+discover collisions only when accepting/registering; this is expected
+fail-closed behavior.
 ## References
 Read these only when deeper context is needed:
-- references/bootstrap-scenarios.md: scenarios, checklists, and troubleshooting.
-- https://aweb.ai/docs/team-bootstrap/ : full reference guide.
+- references/bootstrap-scenarios.md: scenarios, checklists, and
+  troubleshooting.
 - docs/team-bootstrap.md (aweb repo checkout): full reference guide.

package/skills/aweb-bootstrap/references/bootstrap-scenarios.md CHANGED Viewed

@@ -1,87 +1,149 @@
-# aweb Bootstrap scenarios and checklists
+# aweb agents bootstrap scenarios and checklists
-This reference is support material for the aweb-bootstrap skill. Use it when you need concrete examples, troubleshooting checklists, or a quick “what should I run next?” guide.
+This reference is support material for the aweb-bootstrap skill. Use it
+when you need concrete examples, troubleshooting checklists, or a quick
+"what should I run next?" guide.
-It is intentionally narrower than docs/team-bootstrap.md: it focuses on common decision points and failure modes.
+It is intentionally narrower than docs/team-bootstrap.md: it focuses on
+common decision points and failure modes.
 ## Quick mental model
-- Template repo = blueprint for roles, instructions, and responsibility directories.
-- Work directory/repo = the project/content agents see as `./work`.
+- Template repo = blueprint for roles, instructions, and agent home
+  templates.
+- Default generated layout = project-local `agents/` directory
+  containing `home/`, `worktrees/`, `roles/`, `docs/`, and `team.yaml`.
+- Work target = what each agent's `work` symlink points at: the repo
+  root (`work: repo_root`) or a generated git worktree
+  (`work: git_worktree`).
 - Team source = the authority the generated agents join.
-- First generated workspace = bootstrap anchor. It connects first; roles/instructions install through it; all other generated agents join through invites from that established team context.
-- BYOT means bring your own team, including your own namespace/domain and controller key. Do not present a separate domain-only bootstrap mode.
+- Identity prefix = the per-human slug used to avoid alias/address
+  collisions in shared repos.
+- First generated workspace = bootstrap anchor. It connects first;
+  roles/instructions install through it; all other generated agents
+  join through invites from that established team context.
+- BYOT means bring your own team, including your own namespace/domain
+  and controller key. Do not present a separate domain-only bootstrap
+  mode.
 Team-source precedence:
-- Explicit sources conflict: use only one of `AWEB_API_KEY`, `--invite-token`, `--username`, or `--namespace/--team`.
-- With no explicit source, an initialized caller cwd forwards its current active team.
-- With no explicit source and no caller workspace, an interactive run uses hosted onboarding.
-- Non-interactive runs need an explicit source or initialized caller workspace.
+- Explicit sources conflict: use only one of `AWEB_API_KEY`,
+  `--invite-token`, `--username`, or `--namespace/--team`.
+- With no explicit source, an initialized caller cwd forwards its
+  current active team.
+- With no explicit source and no caller workspace, an interactive run
+  uses hosted onboarding.
+- Non-interactive runs need an explicit source or initialized caller
+  workspace.
-## Scenario: first-time hosted team from a template (recommended)
+## Scenario: first-time hosted team from a template
-Goal: create a new aweb.ai team and provision agent workspaces from a template.
+Goal: create a new aweb.ai team and provision agent workspaces from a
+template.
 Checklist:
-- Run from a directory that is not inside an existing git repo/worktree.
-- Pick a template:
-  - awebai/aweb-team-dev-review for a minimal 2-agent setup.
-  - awebai/aweb-team-company-surfaces for a 6-agent cross-functional setup.
+- Run from the root of the project git repo.
+- Confirm the target agents directory does not already exist. Default:
+  `agents/`.
+- Pick a template.
+- Pick a human-specific `--identity-prefix`.
-Example (using an existing local work directory):
+Example:
-  aw team bootstrap https://github.com/awebai/aweb-team-dev-review.git --username alice --work-directory /path/to/work
+  cd /path/to/project-repo
+  aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+    --username alice \
+    --identity-prefix juan
-Example (clone the work repo into the template checkout):
+Example with a non-default agents directory:
-  aw team bootstrap https://github.com/awebai/aweb-team-dev-review.git --username alice --work-repo-url https://github.com/ORG/REPO.git
+  cd /path/to/project-repo
+  aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+    --username alice \
+    --identity-prefix juan \
+    --agents-dir aweb-agents
 Notes:
-- work-directory and work-repo-url are XOR: set exactly one.
-- When work-repo-url is used, bootstrap clones into:
+- Bootstrap creates `agents/home/<responsibility>/` for every live
+  agent home.
+- Worktree-bound agents get checkouts under
+  `agents/worktrees/<worktree-name>/`.
+- The repo root is not an aw workspace; humans should start
+  Codex/Claude/Pi from `agents/home/<responsibility>/`.
+## Scenario: second human provisions the same repo
+Goal: another human clones the repo and creates their own ignored
+identity state for the same committed layout.
+Checklist:
+- Do not run bootstrap over the existing `agents/` directory.
+- Get an invite token, API key, BYOT authority, or current workspace
+  context for the same team.
+- Use a different `--identity-prefix`.
+Example:
+  git pull
+  aw agents provision --invite-token <token> --identity-prefix maria
+  cd agents/home/coordinator
+  codex
-  <template-checkout>/worktrees/<derived-name>/
+Expected behavior:
-  where derived-name is the git-style repo directory name (basename with .git stripped).
+- Committed `agents/team.yaml`, `roles/`, `docs/`, and
+  `home/*/AGENTS.md` remain unchanged.
+- Local `.aw/` state and `work` symlinks are regenerated under
+  `agents/home/*/`.
+- Worktree directories are under `agents/worktrees/`.
 ## Scenario: customize the template before applying it
-Goal: change roles, agent responsibilities, names, aliases, or instructions before any team state is created.
+Goal: change roles, agent responsibilities, naming policy, or
+instructions before any team state is created.
 Checklist:
 - Clone or fork the template first.
-- Edit `team.yaml`, `roles/*.md`, `docs/team.md`, and `agents/<responsibility>/AGENTS.md` as needed.
-- Run `aw team bootstrap . --dry-run ...` from the template checkout to validate.
-- Bootstrap the local directory only after the plan looks right.
+- Edit `team.yaml`, `roles/*.md`, `docs/team.md`, and
+  `home/<responsibility>/AGENTS.md` as needed.
+- Run `aw agents bootstrap /path/to/template --dry-run` from the
+  project repo root to validate.
+- Bootstrap the local template directory only after the plan looks
+  right.
 Example:
-  git clone https://github.com/awebai/aweb-team-dev-review.git my-team-template
+  git clone https://github.com/awebai/aweb-team-coord-worktrees.git my-team-template
   cd my-team-template
-  # edit team.yaml / roles / docs / agents
-  aw team bootstrap . --dry-run --work-directory /path/to/work
-  aw team bootstrap . --username alice --work-directory /path/to/work
+  # edit team.yaml / roles / docs / home
+  cd /path/to/project-repo
+  aw agents bootstrap /path/to/my-team-template --dry-run --identity-prefix juan
+  aw agents bootstrap /path/to/my-team-template --username alice --identity-prefix juan
-## Scenario: BYOT (bring your own team)
+## Scenario: BYOT
 Goal: bootstrap a team under a namespace/domain you control.
 Checklist:
-- Confirm you have a controller identity key for the namespace/domain.
-- Remember BYOT includes bringing your own domain; there is no separate supported domain-only bootstrap mode.
-- Bootstrap will connect the first generated workspace, install roles/instructions there, then invite/connect the remaining agents.
+- Confirm the namespace is registered and the controller key is
+  available locally.
+- Remember BYOT includes bringing your own domain; there is no separate
+  supported domain-only bootstrap mode.
+- Bootstrap will connect the first generated workspace, install
+  roles/instructions there, then invite/connect the remaining agents.
-Example shape (values are placeholders):
+Example shape:
-  aw team bootstrap https://github.com/awebai/aweb-team-dev-review.git \
+  aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
     --namespace example.com \
     --team dev \
-    --work-directory /path/to/work
+    --identity-prefix juan
 If you are also self-hosting the coordination stack, add:
@@ -90,86 +152,179 @@ If you are also self-hosting the coordination stack, add:
 ## Scenario: existing hosted team via API key
-Goal: provision a template into the hosted team associated with an API key.
+Goal: provision a template into the hosted team associated with an API
+key.
 Checklist:
-- Set AWEB_API_KEY.
-- Optionally set AWEB_URL or pass --aweb-url to target a non-default stack; otherwise the hosted default is used.
-- Do not also pass --username, --invite-token, or BYOT flags.
+- Set `AWEB_API_KEY`.
+- Optionally set `AWEB_URL` or pass `--aweb-url` to target a
+  non-default stack; otherwise the hosted default is used.
+- Do not also pass `--username`, `--invite-token`, or BYOT flags.
 Example:
   AWEB_API_KEY=aw_sk_... \
-    aw team bootstrap /path/to/template --work-directory /path/to/work
+    aw agents bootstrap /path/to/template --identity-prefix juan
 ## Scenario: existing team via invite token
-Goal: accept an invite into the first generated workspace and use it as the anchor for the rest of bootstrap.
+Goal: accept an invite into the first generated workspace and use it as
+the anchor for the rest of bootstrap.
 Example:
-  aw team bootstrap /path/to/template \
+  aw agents bootstrap /path/to/template \
     --invite-token <token> \
-    --work-directory /path/to/work
+    --identity-prefix maria
 ## Scenario: current workspace forwarding
-Goal: run bootstrap from an existing aw workspace and forward that active team into the generated template workspaces.
+Goal: run bootstrap from an existing aw workspace and forward that
+active team into the generated template workspaces.
 Checklist:
 - Confirm `aw workspace status` succeeds in the caller cwd.
 - Do not pass another explicit team source.
-- Bootstrap will create a one-use invite from the current active team for the first generated workspace.
+- Bootstrap will create a one-use invite from the current active team
+  for the first generated workspace.
 ## Scenario: dry-run planning
-Goal: validate the plan and see generated workspace commands without changing files, identities, or server state.
+Goal: validate the plan and see generated workspace commands without
+changing files, identities, or server state.
 Example:
-  aw team bootstrap /path/to/template --dry-run --work-directory /path/to/work
+  aw agents bootstrap /path/to/template --dry-run --identity-prefix juan
+## Scenario: add a new responsibility later
+Repo-root local agent:
+  aw agents add support --role support
+Worktree-bound local agent:
+  aw agents add-worktree developer --role developer
+Global BYOT agent:
+  aw agents add support \
+    --global \
+    --namespace example.com \
+    --team circle \
+    --identity-prefix juan
+## Scenario: remove a responsibility
+Remove the shared blueprint entry:
+  aw agents remove support --remove-layout
+Remove this human's local ignored state:
+  aw agents remove support --deprovision-local
+Delete a global address when you have the required namespace authority:
+  aw agents remove support --delete-global-address
+`--remove-layout` is not a team-wide revocation. Other humans' local
+`.aw/` state and certificates continue until they deprovision or the
+certs expire/revoke separately.
+`--deprovision-local` uses local team-controller authority for self-custodial
+teams. Hosted-managed cert-only agents may self-deprovision through the hosted
+service using their own signing key and active team certificate. That hosted
+path applies only to the same agent and must not be described as dashboard
+authority over BYOT members.
-## Worktree agents: when to enable and what to expect
+`--delete-global-address` is opt-in. Self-custodial namespaces require the
+local namespace controller key. Hosted-managed global agents can delete only
+hosted-managed addresses through hosted self-deprovision; unmanaged/BYOT
+addresses remain customer-controller-owned.
-Use worktree agents when multiple agents will edit code in parallel.
+Hosted self-deprovision errors are actionable:
+- `hosted_team_controller_required`: use/restore the self-custodial team
+  controller key; this is not a hosted-managed team.
+- `global_address_not_hosted_managed`: delete the address with the customer
+  namespace controller; the hosted service must not delete BYOT/unmanaged
+  addresses.
+- `delete_global_address_required`: rerun with `--delete-global-address` for a
+  hosted-managed global agent.
+- `local_identity_has_no_global_address`: rerun without
+  `--delete-global-address`; local identities do not have global addresses.
+## Legacy mode: old out-of-repo bootstrap
+Use legacy mode only for existing scripts/templates that still expect
+the old layout.
+- `--work-directory <path>` selects legacy work-directory mode.
+- `--work-repo-url <url-or-local-path>` selects legacy
+  clone-then-bootstrap mode.
+- The two flags are XOR.
+- Do not combine `--agents-dir` with either legacy work flag.
+## Worktree-bound agents
+Use `work: git_worktree` when multiple agents will edit code in
+parallel.
 Requirements:
-- The work directory must be a git repo.
-- The template must declare a worktrees: block in team.yaml.
+- The project directory must be a git repo.
+- The template declares `work: git_worktree` for the relevant agent in
+  `team.yaml`.
-What bootstrap does:
+What bootstrap/add-worktree does:
-- It creates template worktrees/ (if missing) and git-excludes it locally.
-- It creates one git worktree per entry.
-- Each worktree agent gets its own .aw/ state and local-scope identity.
+- It creates `agents/worktrees/` and writes scoped `.gitignore`
+  entries.
+- It creates one git worktree per `work: git_worktree` agent.
+- The live agent home remains under `agents/home/<responsibility>/`.
+- Each worktree-bound agent gets its own `.aw/` state and local-scope
+  identity.
 Common pitfall:
-- Alias collisions: worktree agent aliases must not collide with existing team aliases.
+- Alias collisions: in shared repos use `--identity-prefix` and a
+  template local alias pattern such as `{user}-{classic-name}`.
-## Quick validation after bootstrap
+## Quick validation after bootstrap/provision
-In each generated agent directory (agents/<responsibility>/):
+In each generated agent directory (`agents/home/<responsibility>/`):
 - aw workspace status
 - aw whoami
 If you are using a wake-up integration:
-- start the Pi extension or the Claude Code channel plugin in that directory after initialization
+- start the Pi extension or the Claude Code channel plugin in that
+  directory after initialization
 ## Troubleshooting patterns
 If bootstrap fails:
 - Stop and capture the first error.
-- Identify which directories were already created.
-- Prefer completing the remaining steps rather than deleting existing .aw state.
+- Do not retry over an existing `agents/` directory.
+- Inspect/back up `.aw/` state before deleting generated directories.
+- Prefer `aw agents provision`, `aw agents add`, or
+  `aw agents remove` recovery commands over hand-editing identity
+  state.
+If a multi-human provision hits a conflict:
+- Rerun with a different `--identity-prefix` or naming pattern.
+- Invite-only flows may discover existing aliases only at mutation
+  time; this is expected fail-closed behavior.
-If you see identity_mismatch or unverified messages in live channel metadata:
+If you see identity_mismatch or unverified messages in live channel
+metadata:
 - Compare with aw chat history output.
 - Confirm the channel plugin / Pi package version is current.

package/skills/aweb-identity/SKILL.md CHANGED Viewed

@@ -67,7 +67,7 @@ The normative E2E contract is `docs/e2e-messaging-contract.md`. Do not invent pr
 For local E2E messaging, the self-custodial client needs both identity signing material and local encryption private keys. Back up the active encryption private key and archived encryption private keys with the same seriousness as `.aw/signing.key`: losing archived encryption keys makes historical encrypted messages unrecoverable. AC/aweb cannot recover or decrypt old encrypted messages for support.
-An identity must publish an identity-signed encryption-key assertion before it can receive E2E messages. Missing, stale, unsigned, or mismatched encryption-key discovery fails closed; do not retry as plaintext unless the human explicitly chooses the separately named legacy plaintext mode from the final CLI. Service signatures may assert route support, but not recipient encryption-key authority. Local identities omit absent `stable_id`/address fields instead of sending empty strings. In non-interactive runs, stop, report the exact `aw doctor` / command error, and ask the human or coordinator to run the approved key setup, backup, or rotation flow.
+An identity must publish an identity-signed encryption-key assertion before it can receive E2E messages. New self-custodial identity and team-install paths create local encryption key material automatically, including `aw id create`, `aw init`, `aw service init`, `aw id team accept-invite`, `aw id team fetch-cert`, and bootstrap/add-worktree flows. Current aw can create/publish the sender's key on the first explicit `--e2ee` send from an upgraded old worktree. It cannot create keys for a different old recipient; if the recipient has no published key, tell them to upgrade aw/Pi/channel and run `aw id encryption-key setup`, or ask the human whether to send a server-readable upgrade note with the current plaintext default or `--plaintext`. Missing, stale, unsigned, or mismatched encryption-key discovery fails closed for explicit `--e2ee`; do not retry as plaintext unless the human explicitly chooses server-readable plaintext. Service signatures may assert route support, but not recipient encryption-key authority. Local identities omit absent `stable_id`/address fields instead of sending empty strings. In non-interactive runs, stop, report the exact `aw doctor` / command error, and ask the human or coordinator to run the approved key setup, backup, or rotation flow.
 Use the CLI keyring commands for self-custodial E2E readiness:
@@ -79,7 +79,7 @@ aw id encryption-key show     # inspect local keyring state
 `setup` stores the private key locally before publishing the public assertion. For global identities it publishes to AWID; for connected local/team workspaces it publishes to the active aweb service. `rotate` must not delete old private keys. After either command, remind the human to back up `.aw/encryption-keys/`.
-Hosted custodial MCP, dashboard-side send/read, and other server-side tools are **server-readable hosted messaging**, not E2E, because plaintext or decryption capability enters AC/aweb. Do not tell users that hosted custodial/server-side messaging is end-to-end encrypted unless a future design keeps plaintext and decryption fully outside AC.
+Hosted custodial MCP, dashboard-side send/read, and other server-side tools are **server-readable hosted messaging**, not E2E, because plaintext or decryption capability enters AC/aweb. Do not use the end-to-end label for hosted custodial/server-side messaging unless a future design keeps plaintext and decryption fully outside AC.
 AWID controller keys are separate from worktree identity keys. Namespace and team controller keys live under `~/.awid/`; they are authority keys, not app config. Keep that directory safe and backed up. Worktree identity keys (`.aw/signing.key`) remain with the workspace they act from.
@@ -161,7 +161,7 @@ Interpret failures by what's missing (file references assume a self-custodial CL
 - **No `.aw/` in this directory** — there is no workspace here at all. Run `aw init` or move to a directory that has been initialized.
 - **`.aw/signing.key` missing** — workspace exists but has no signing key. Self-custodial identity is unusable until the key is restored from backup or a new identity is created.
-- **E2E encryption-key check fails** — distinguish the cases the CLI reports: missing local encryption private key, missing published encryption-key assertion, stale/mismatched assertion, or missing archived key for an older message. Do not advise plaintext fallback. Capture the exact error, run `aw doctor` when available, and ask the human to restore keys from backup or run `aw id encryption-key setup` / `aw id encryption-key rotate` as appropriate.
+- **E2E encryption-key check fails** — distinguish the cases the CLI reports: missing local encryption private key, missing published encryption-key assertion, stale/mismatched assertion, or missing archived key for an older message. Do not advise plaintext fallback. Capture the exact error, run `aw doctor` when available, and ask the human to restore keys from backup or run `aw id encryption-key setup` / `aw id encryption-key rotate` as appropriate. Use `--plaintext` only when the human explicitly chooses server-readable plaintext.
 - **`.aw/workspace.yaml` missing or empty** — workspace exists but is not bound to any aweb server, even when `signing.key` is present. Re-run `aw init`.
 - **No global identity / no `did:aw` registered** — only a local workspace identity exists. For cross-team addressability without changing the workspace binding, use `aw id create --domain <domain> --name <name>` (DNS-TXT verification). Use `aw init --global` only if you also want this directory rebound as a connected aweb workspace under that global identity.
 - **Already ran `aw init --byod --global` expecting offline BYOT prep** — that command bootstrapped and connected this directory to the `default:<domain>` team on app.aweb.ai (the team created during BYOD onboarding), leaving `.aw/{identity.yaml,signing.key,teams.yaml,workspace.yaml,team-certs/}` populated. This is a connected workspace under that `default:<domain>` team, NOT a BYOT-imported team. To recover, pick one:

package/skills/aweb-messaging/SKILL.md CHANGED Viewed

@@ -10,9 +10,11 @@ This skill is the playbook for aweb channel awakenings. When you receive an inje
 It also covers explicit user requests to send mail or chat through aweb.
-E2E messaging boundary: for encrypted v2 messages, AC/aweb servers route ciphertext and local clients decrypt before showing or injecting plaintext. Hosted custodial MCP, dashboard-side send/read, and server-side tools are **server-readable hosted messaging**, not E2E. Do not describe hosted custodial/server-side messaging as end-to-end encrypted.
+E2E messaging boundary: for encrypted v2 messages, AC/aweb servers route ciphertext and local clients decrypt before showing or injecting plaintext. Hosted custodial MCP, dashboard-side send/read, and server-side tools are **server-readable hosted messaging**, not E2E. Do not use the end-to-end label for hosted custodial/server-side messaging.
-Legacy plaintext boundary: existing plaintext mail/chat remains legacy/server-readable while retained and must not be described as retroactively E2E. If an intended E2E send fails because keys, capability, route support, or version support is missing/stale/mismatched, stop and report the exact failure. Do not resend as plaintext unless the human explicitly chooses the approved legacy plaintext command/flag.
+Interim plaintext boundary: in the current aw CLI release, mail and chat are server-readable plaintext by default. Do not describe default CLI mail/chat as E2E. Pass `--e2ee` only when the human explicitly wants encrypted send; if that encrypted send fails because keys, capability, route support, or version support is missing/stale/mismatched, stop and report the exact failure. Do not silently retry as plaintext.
+Mixed-version boundary: old pre-E2E aw/channel/Pi clients may not have published recipient encryption keys yet. A current aw CLI can create/publish the sender's local encryption key for explicit `--e2ee` sends, but it cannot create keys for another recipient. If the recipient lacks a key, report that they need to upgrade aw/Pi/channel and publish a key. Plain default sends and `--plaintext` are server-readable.
 If the event says to use the aw CLI and the response is not obvious, continue with this skill. For broader work coordination, load `aweb-coordination`. For recipient addressability, inbound-mode policy, team membership, or multi-team identity questions, load `aweb-team-membership`.
@@ -77,15 +79,15 @@ aw chat extend-wait <from> "working on it, 2 minutes"
 Before replying to a confusing chat, inspect pending/open/history state. Do not use chat for broad FYI updates. Send mail instead.
-Encrypted chat is explicit. Use `--e2ee` only when the human or policy asks for E2E chat and every participant has identity-authorized encryption capability:
+Mail and chat are server-readable plaintext by default in the current aw CLI release. Add `--e2ee` only when the human explicitly wants an encrypted send; it fails closed if keys, capability, route support, or version support are missing. `--plaintext` is an explicit clarifier for the current default.
 ```bash
-aw chat send-and-wait <alias-or-address> "..." --start-conversation --e2ee
-aw chat send-and-leave <alias-or-address> "..." --e2ee
-aw chat extend-wait <from> "working on it" --e2ee
+aw chat send-and-wait <alias-or-address> "..." --start-conversation
+aw chat send-and-leave <alias-or-address> "..."
+aw chat extend-wait <from> "working on it"
 ```
-Read paths such as `aw chat pending`, `aw chat history`, and channel listen/decrypt paths show plaintext only after local decryption. If `--e2ee` fails because a key, capability, route, or version is missing or stale, stop and report the exact error; do not resend as plaintext unless the human explicitly chooses the approved legacy plaintext path.
+Encrypted read paths such as `aw chat pending`, `aw chat history`, and channel listen/decrypt paths show plaintext only after local decryption. If an explicit `--e2ee` send fails because a key, capability, route, or version is missing or stale, stop and report the exact error; do not resend as plaintext unless the human explicitly chooses server-readable plaintext.
 ## Harness surfaces
@@ -109,7 +111,7 @@ Harness support differs:
 The channel is inbound only. Use `aw mail` or `aw chat` to respond.
-For E2E messages, channel/Pi/`aw run` may show plaintext only after local decryption in the user's workspace or client process. Server notifications and SSE payloads should be metadata-only for encrypted content. Recipient E2E capability and encryption keys must be identity-authorized; a service signature can assert route support only. If an event or tool error says an encryption key/capability is missing, stale, or mismatched, fail closed and report the error. Do not silently resend as plaintext.
+For E2E messages, channel/Pi/`aw run` may show plaintext only after local decryption in the user's workspace or client process. Server notifications and SSE payloads should be metadata-only for encrypted content. Recipient E2E capability and encryption keys must be identity-authorized; a service signature can assert route support only. If an event or tool error says an encryption key/capability is missing, stale, or mismatched, fail closed and report the error. Do not silently resend as plaintext. If the local channel/Pi process was upgraded from a pre-E2E version, run `aw id encryption-key setup` in the workspace before expecting it to receive encrypted messages.
 ## Control and work awakenings

package/skills/aweb-team-membership/SKILL.md CHANGED Viewed

@@ -84,7 +84,7 @@ aw init   # if the joining directory still needs server binding
 No token round-trip. Direct controller-mint. Available only for hosted teams because BYOT controller keys aren't held by aweb.
-**Path 3 — CLI invite-token, for hosted local-worktree only.** Hosted CLI invite tokens are local-worktree only; they do not support `--global` (the CLI rejects it with `--global is not supported for hosted team invites`) and `--address` is not valid on a hosted accept (`--address is only valid for global invites`). Use this when the owner wants to invite a new local-workspace identity by token:
+**Path 3 — CLI invite-token, for hosted self-custodial local or global identities.** Hosted CLI invite tokens are redeemed through the cloud, but the accepting directory keeps its own signing key. Use the default form when the owner wants to invite a new local-workspace identity by token:
 ```bash
 # Owner side (in a workspace with the necessary authority):
@@ -97,7 +97,14 @@ aw id team accept-invite <token> --alias <alias>
 aw init                        # finish wiring the new workspace
 ```
-`accept-invite` refuses to overwrite an existing `.aw/` identity and generates a fresh local self-custodial identity in the target directory before requesting the certificate. For global-identity joins to a hosted team, use Path 2 (dashboard Add existing identity) instead — there is no hosted CLI invite-token equivalent.
+`accept-invite` refuses to overwrite an existing `.aw/` identity and generates a fresh local self-custodial identity in the target directory before requesting the certificate. For a hosted global identity, accept the hosted token with `--address <domain>/<name>`:
+```bash
+aw id team accept-invite <token> --address <domain>/<name>
+aw init                        # finish wiring the new workspace
+```
+In the hosted `--address` case, the CLI creates a fresh self-custodial global identity for the address, registers it through the hosted service, and installs the hosted team certificate. The hosted service signs the team certificate; it does not receive the accepting directory's private signing key. If the user already has a global identity and only needs a certificate for an existing hosted team, Path 2 (dashboard Add existing identity + `fetch-cert`) remains valid.
 This is **not** the cross-machine BYOT path. Do not present it as the normal way to join a BYOT team from another machine.
@@ -161,7 +168,7 @@ This is the local-controller convenience case only. For cross-machine BYOT joins
 Two distinct local actions install a membership:
-- **`aw id team accept-invite <token>`** — redeems a CLI invite token. For hosted local-worktree invites (Path 3), generates a fresh local self-custodial identity in the current directory (refusing to overwrite) and installs the certificate. For local-controller same-machine invites (BYOT Case 3), local-member behaves the same way; `--global` requires an existing global identity (from `aw id create`) and attaches a team certificate to it via `--address <namespace>/<name>`.
+- **`aw id team accept-invite <token>`** — redeems a CLI invite token. For hosted invites (Path 3), generates a fresh self-custodial identity in the current directory (refusing to overwrite) and installs the certificate; default is local, while `--address <domain>/<name>` creates/registers a fresh global identity through the hosted service before certificate install. For local-controller same-machine invites (BYOT Case 3), local-member behaves the same way as hosted local; global accepts require an existing global identity (from `aw id create`) and attach a team certificate to it via `--address <namespace>/<name>`.
 - **`aw id team fetch-cert --namespace <namespace> --team <team> --cert-id <id>`** — installs a certificate that has already been minted server-side (by hosted "Add existing identity") or signed by a controller (BYOT `add-member`). Used for hosted Path 2 and BYOT Case 1.
 If you have a token, use `accept-invite`. If you have a `cert-id` printed by the dashboard or controller, use `fetch-cert`.