npm - @awebai/claude-skills - Versions diffs - 0.2.11 → 0.2.12 - Mend

@awebai/claude-skills 0.2.11 → 0.2.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/.claude-plugin/plugin.json +1 -1
package/package.json +1 -1
package/skills/aweb-bootstrap/SKILL.md +282 -147
package/skills/aweb-bootstrap/references/bootstrap-scenarios.md +208 -64
package/skills/aweb-team-membership/SKILL.md +10 -3

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aweb-skills",
-  "version": "0.2.11",
+  "version": "0.2.12",
   "description": "aweb agent coordination skills: teach your Claude Code agent how to use the aw CLI for mail, chat, tasks, and team coordination.",
   "author": {
     "name": "awebai"

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@awebai/claude-skills",
-  "version": "0.2.11",
+  "version": "0.2.12",
   "description": "Content-only Claude Code plugin shipping the canonical aweb agent-coordination skills: aweb-coordination, aweb-messaging, aweb-team-membership, aweb-bootstrap, aweb-identity.",
   "license": "MIT",
   "homepage": "https://aweb.ai",

package/skills/aweb-bootstrap/SKILL.md CHANGED Viewed

@@ -1,136 +1,207 @@
 ---
 name: aweb-bootstrap
-description: This skill should be used when helping a human create or join an aweb team from a template (aw team bootstrap), choosing a template and team source (hosted new team, BYOT, API key, invite, or current workspace forwarding), using the project-local agents/ layout or legacy work-directory/work-repo-url mode, provisioning optional worktree-bound agents, and validating/re-running bootstrap safely.
+description: This skill should be used when helping a human create, provision, add, or remove repo-local aweb agents with the `aw agents` lifecycle from a template, choosing a team source (hosted new team, BYOT, API key, invite, or current workspace forwarding), using the project-local agents/ layout, provisioning optional worktree-bound agents, and validating/re-running safely.
 allowed-tools: "Bash(aw *)"
 ---
 # aweb Bootstrap
-Use this skill when a human wants to create or extend an aweb team from a reusable template, and you need to guide them through `aw team bootstrap` decisions and validation.
+Use this skill when a human wants to create or extend a repo-local
+aweb agent team from a reusable template, and you need to guide them
+through `aw agents` decisions and validation.
-This skill is about **mental model + decision policy + safe execution**, not memorizing flags.
+This skill is about **mental model + decision policy + safe
+execution**, not memorizing flags.
 Related skills:
 - For day-to-day coordination once the team exists: `aweb-coordination`
 - For mail/chat response policy: `aweb-messaging`
-- For joining an existing team, multi-team membership, custody, addressability, and contacts: `aweb-team-membership`
+- For joining an existing team, multi-team membership, custody,
+  addressability, and contacts: `aweb-team-membership`
 Long-form reference: docs/team-bootstrap.md in the aweb repo.
 ## Mental model: what bootstrap is assembling
-`aw team bootstrap` combines five separate things that are easy to confuse:
+`aw agents bootstrap` combines five separate things that are easy to
+confuse:
 1) Template repo — the blueprint.
-- Contains `team.yaml`, role playbooks, shared instructions, and `home/<responsibility>/AGENTS.md` files.
-- The template says what responsibilities should exist and which `role_name` each should use.
+- Contains `team.yaml`, role playbooks, shared instructions, and
+  `home/<responsibility>/AGENTS.md` files.
+- The template says what responsibilities should exist and which
+  `role_name` each should use.
+- The template is identity-free. Do not put final aliases, DIDs,
+  global addresses, certs, or per-human state in committed
+  `team.yaml`.
 2) Generated project-local agents directory — where humans start agents.
 - By default, run bootstrap from the root of the work repo.
-- Bootstrap creates `agents/` in that repo. Every live agent home is under `agents/home/<responsibility>/`.
+- Bootstrap creates `agents/` in that repo. Every live agent home is
+  under `agents/home/<responsibility>/`.
 - The coordinator/global-style home normally has `work -> <repo-root>`.
-- Worktree-bound homes still live under `agents/home/<responsibility>/`; their `work` symlink points at `agents/worktrees/<alias-or-responsibility>/`.
-- Use `--agents-dir <name>` only when the repo already uses `agents/` for something else. If the target directory exists, bootstrap must fail before side effects.
-3) Legacy work directory or work repo — compatibility mode.
-- Passing `--work-directory` or `--work-repo-url` selects the old out-of-repo layout.
-- Do not combine `--agents-dir` with either legacy work flag.
-- Legacy mode is still supported for existing scripts/templates, but do not choose it for a new customer unless they explicitly need the old shape.
-4) Team source — the authority/context the generated agents join.
-- Hosted new team, existing hosted team via `AWEB_API_KEY`, explicit `--invite-token`, current workspace forwarding, or BYOT.
-- Exactly one explicit source is allowed. If no explicit source is set and cwd is already an aw workspace, bootstrap forwards that current team. If no current workspace exists and the run is interactive, bootstrap creates a hosted team. Non-interactive runs need an explicit source.
+- Worktree-bound homes still live under
+  `agents/home/<responsibility>/`; their `work` symlink points at
+  `agents/worktrees/<worktree-name>/`.
+- Use `--agents-dir <name>` only when the repo already uses `agents/`
+  for something else. If the target directory exists, bootstrap must
+  fail before side effects.
+3) Team source — the authority/context the generated agents join.
+- Hosted new team, existing hosted team via `AWEB_API_KEY`, explicit
+  `--invite-token`, current workspace forwarding, or BYOT.
+- Exactly one explicit source is allowed. If no explicit source is set
+  and cwd is already an aw workspace, bootstrap forwards that current
+  team. If no current workspace exists and the run is interactive,
+  bootstrap creates a hosted team. Non-interactive runs need an
+  explicit source.
+4) Per-human naming — how shared layouts avoid collisions.
+- Use `--identity-prefix <slug>` for shared repos. Examples: `juan`,
+  `maria`, `acme-dev`.
+- Canonical multi-human templates use patterns such as
+  `{user}-{classic-name}` for local aliases and
+  `{user}-{responsibility}` for global address names.
+- Never commit the final planned alias/address to `team.yaml`; it
+  belongs in ignored `.aw/` state under each agent home.
 5) Generated workspaces — the identities that will act.
-- Each `agents/home/<responsibility>/` directory becomes an aw workspace with its own identity and team certificate.
-- The **first generated plan** is the anchor: bootstrap connects it first, installs roles/instructions from that workspace's team context, then invites/connects the rest.
-- Do not assume a responsibility named `implementation` is special. The anchor is the first plan the CLI generated.
+- Each `agents/home/<responsibility>/` directory becomes an aw
+  workspace with its own identity and team certificate.
+- The **first generated plan** is the anchor: bootstrap connects it
+  first, installs roles/instructions from that workspace's team
+  context, then invites/connects the rest.
+- Do not assume a responsibility named `implementation` is special.
+  The anchor is the first plan the CLI generated.
 Aweb team source terms:
 - Hosted new team: aweb.ai creates/hosts the team.
-- API key: joins the hosted team represented by `AWEB_API_KEY`; `--aweb-url`/`AWEB_URL` is optional and defaults to hosted aweb.ai.
+- API key: joins the hosted team represented by `AWEB_API_KEY`;
+  `--aweb-url`/`AWEB_URL` is optional and defaults to hosted aweb.ai.
 - Invite token: first generated workspace accepts an existing invite.
-- Current workspace forwarding: caller cwd already has `.aw`; bootstrap creates a one-use invite from that active team.
-- BYOT: bring your own team. This includes bringing your own domain/namespace and controller key. Do not describe a separate domain-only bootstrap mode.
+- Current workspace forwarding: caller cwd already has `.aw`;
+  bootstrap creates a one-use invite from that active team.
+- BYOT: bring your own team. This includes bringing your own
+  domain/namespace and controller key. Do not describe a separate
+  domain-only bootstrap mode.
-## Bootstrap vs join (first decision)
+## Bootstrap vs provision vs add
-Bootstrap when:
+Use `aw agents bootstrap` when:
+- You are creating the committed `agents/` layout for a repo.
 - You are creating a brand-new team from a template.
-- You are extending an existing team with a template-defined set of agent workspaces, roles, and instructions.
-- You want reproducible setup for multiple agents/workspaces.
-- You want a “one command resolves the team source + installs roles + provisions agent dirs” flow.
+- You are extending an existing team with a template-defined set of
+  agent homes, roles, and instructions.
-Do NOT bootstrap when:
+Use `aw agents provision` when:
-- The team already exists and you just need to add yourself: use `aweb-team-membership` and the `aw id team ...` commands.
-- You only need another workspace for yourself: use `aw workspace add-worktree` (git worktree) or create another directory and `aw init` it.
+- The repo already has a committed `agents/` layout.
+- Another human needs their own local `.aw/` state for the same
+  responsibilities.
+- They have an invite, API key, BYOT authority, or current workspace
+  context for the same team.
-## Pick a template (what team shape are we creating?)
+Use `aw agents add` or `aw agents add-worktree` when:
-Canonical templates:
+- The layout already exists and you need one more responsibility.
+- You want a repo-root agent (`add`) or isolated git worktree agent
+  (`add-worktree`).
-- awebai/aweb-team-coord-worktrees (3 agents)
-  Use when you want a coordinator plus isolated developer/reviewer git worktrees in the current repo.
+Do NOT bootstrap when:
+- The team already exists and you just need to add yourself: use
+  `aweb-team-membership` and the `aw id team ...` commands.
+- You only need another workspace for yourself outside the repo-local
+  convention: use `aw workspace add-worktree` or create another
+  directory and `aw init` it.
-- awebai/aweb-team-dev-review (2 agents)
-  Use when you want the smallest meaningful team: implementation + review.
+## Pick a template
-- awebai/aweb-team-company-surfaces (6 agents)
-  Use when you want a cross-functional team: direction/engineering/operations/support/outreach/analytics.
+Canonical templates:
+- awebai/aweb-team-coord-worktrees
+  Use when you want a coordinator plus isolated developer/reviewer git
+  worktrees in the current repo.
+- awebai/aweb-team-company-surfaces
+  Use when you want a cross-functional team: direction/engineering/
+  operations/support/outreach/analytics.
 Fork/edit vs use-as-is:
 - Use as-is to learn the flow or to run a standard team.
-- Clone or fork when you want to customize roles, responsibilities, or instructions before provisioning.
-- It is safe to edit the template checkout before applying it; `aw team bootstrap` reads `team.yaml`, `roles/`, `docs/`, and `home/` from the local template directory at run time.
+- Clone or fork when you want to customize roles, responsibilities, or
+  instructions before provisioning.
+- It is safe to edit the template checkout before applying it;
+  `aw agents bootstrap` reads `team.yaml`, `roles/`, `docs/`, and
+  `home/` from the local template directory at run time.
 ## Customizing a template before applying it
-When the human wants different agents, role playbooks, names, or instructions, do not try to patch the generated workspaces after bootstrap. Clone/edit the template first, then bootstrap the edited local directory.
+When the human wants different agents, role playbooks, names, or
+instructions, do not patch generated workspaces after bootstrap.
+Clone/edit the template first, then bootstrap the edited local
+directory.
 Typical safe flow:
 ```bash
-git clone https://github.com/awebai/aweb-team-dev-review.git my-team-template
+git clone https://github.com/awebai/aweb-team-coord-worktrees.git my-team-template
 cd my-team-template
 # edit team.yaml, roles/*.md, docs/team.md, home/<responsibility>/AGENTS.md
 cd /path/to/project-repo
-aw team bootstrap /path/to/my-team-template --dry-run
-aw team bootstrap /path/to/my-team-template --username alice
+aw agents bootstrap /path/to/my-team-template --dry-run --identity-prefix juan
+aw agents bootstrap /path/to/my-team-template --username alice --identity-prefix juan
 ```
 What to edit:
-- `team.yaml` roles: add/remove role names and point each to a role file.
-- `team.yaml` agents: add/remove responsibility workspaces and set each `role_name`, `default_name`, `default_alias`, optional `home_template`, and optional `work`.
-- Use `work: repo_root` for an agent whose `work` symlink points to the project repo root.
-- Use `work: git_worktree` for an agent whose `work` symlink points to a generated git worktree under `agents/worktrees/`.
-- `roles/*.md`: change operational playbooks installed with `aw roles`.
-- `docs/team.md`: change shared team instructions installed after the anchor connects.
-- `home/<responsibility>/AGENTS.md`: change per-workspace startup context.
-Default agent names are accepted automatically. Only use `--ask-for-agent-names` when a human specifically wants an interactive rename prompt during bootstrap.
-## Before running bootstrap (safety checks)
-1) For the default layout, run bootstrap from the root of the project git repo.
+- `team.yaml` roles: add/remove role names and point each to a role
+  file.
+- `team.yaml` agents: add/remove responsibility workspaces and set
+  each `role_name`, optional `identity_scope`, optional
+  `home_template`, and optional `work`.
+- `team.yaml` naming: for shared repos, prefer
+  `naming.local_alias.pattern: "{user}-{classic-name}"`.
+- Use `work: repo_root` for an agent whose `work` symlink points to
+  the project repo root.
+- Use `work: git_worktree` for an agent whose `work` symlink points
+  to a generated git worktree under `agents/worktrees/`.
+- `roles/*.md`: change operational playbooks installed with
+  `aw roles`.
+- `docs/team.md`: change shared team instructions installed after the
+  anchor connects.
+- `home/<responsibility>/AGENTS.md`: change per-workspace startup
+  context.
+Do not use `default_name` or `default_alias` in current templates.
+Those are legacy hints only and must not become committed identity
+state.
+## Before running bootstrap
+1) For the default layout, run bootstrap from the root of the project
+git repo.
 - Bootstrap creates `agents/` there.
-- If `agents/` exists, stop. Do not ask bootstrap to adopt, merge, or overwrite it.
-- If the project already has a different `agents/` directory, ask the human for a different `--agents-dir <name>`.
+- If `agents/` exists, stop. Do not ask bootstrap to adopt, merge, or
+  overwrite it.
+- If the project already has a different `agents/` directory, ask the
+  human for a different `--agents-dir <name>`.
-2) Decide the team source. This affects whether bootstrap creates a new hosted team, joins an API-key/invite team, forwards the current team, or uses BYOT.
+2) Decide the team source. This affects whether bootstrap creates a
+new hosted team, joins an API-key/invite team, forwards the current
+team, or uses BYOT.
-3) Use legacy work flags only for old out-of-repo bootstrap scripts.
+3) Decide the identity prefix. Shared repos should always pass
+`--identity-prefix <human-slug>` explicitly.
 ## Default layout: project-local agents/
@@ -138,7 +209,9 @@ New bootstrap runs should normally use the default layout:
 ```bash
 cd /path/to/project-repo
-aw team bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git --username alice
+aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+  --username alice \
+  --identity-prefix juan
 ```
 Expected generated shape:
@@ -156,158 +229,220 @@ agents/
     developer/
       .aw/
       AGENTS.md
-      work -> ../../worktrees/dev
+      work -> ../../worktrees/developer
     reviewer/
       .aw/
       AGENTS.md
-      work -> ../../worktrees/review
+      work -> ../../worktrees/reviewer
   worktrees/
-    dev/
-    review/
+    developer/
+    reviewer/
 ```
-The repo root itself is not an aw workspace. Start Codex, Claude Code, or Pi from an agent home, for example:
+The repo root itself is not an aw workspace. Start Codex, Claude Code,
+or Pi from an agent home:
 ```bash
 cd agents/home/coordinator
 codex
 ```
-Bootstrap writes scoped `.gitignore` entries for `agents/home/*/.aw/` and `agents/worktrees/`. It must not ignore the whole `agents/` directory.
+Bootstrap writes scoped `.gitignore` entries for
+`agents/home/*/.aw/`, `agents/home/*/work`, and `agents/worktrees/`.
+It must not ignore the whole `agents/` directory.
-## Legacy mode: work-directory OR work-repo-url (XOR)
+If an older generated repo tracked `agents/home/*/work`, remove those
+symlinks from git after upgrading:
-Use legacy mode only for existing scripts/templates that expect generated homes outside the work repo.
+```bash
+git rm --cached agents/home/*/work
+git add .gitignore agents
+git commit -m "agents: ignore generated work symlinks"
+```
-- `--work-directory PATH`: use an existing local directory as each responsibility workspace's `./work`.
-- `--work-repo-url VALUE`: clone a repo into `<template-checkout>/worktrees/<derived-name>/` and use that clone as `./work`.
+## Multi-human shared repo flow
+First human:
+```bash
+cd /path/to/project-repo
+aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+  --username alice \
+  --identity-prefix juan
+git add agents .gitignore
+git commit -m "agents: add team layout"
+```
-If both flags are set, treat it as a user error and stop. If `--agents-dir` is combined with either legacy flag, treat it as a user error and stop.
+Second human:
+```bash
+git pull
+aw agents provision --invite-token <token> --identity-prefix maria
+cd agents/home/coordinator
+codex
+```
+The second human does not run bootstrap over the existing `agents/`
+directory. Provision reads the committed layout and writes only ignored
+local state.
 ## Team source policy
-Non-dry-run bootstrap needs one coherent team source. This is the most important decision: it determines which team owns the roles, instructions, tasks, mail, chat, and membership certificates created during bootstrap.
+Non-dry-run bootstrap needs one coherent team source.
 Resolution order:
-- If any explicit source is set (`AWEB_API_KEY`, `--invite-token`, `--username`, or `--namespace/--team`), do not set another explicit source.
-- If no explicit source is set and cwd is an initialized aw workspace, bootstrap forwards the current active team.
-- If no explicit source is set, cwd is not an aw workspace, and the run is interactive, bootstrap creates/uses a hosted team through onboarding prompts.
-- If no source can be resolved, stop and ask the human which team source to use.
-The first generated agent workspace is the anchor: bootstrap connects it first, installs roles/instructions from that workspace's team context, then invites/connects the remaining agents and any declared worktree agents.
+- If any explicit source is set (`AWEB_API_KEY`, `--invite-token`,
+  `--username`, or `--namespace/--team`), do not set another explicit
+  source.
+- If no explicit source is set and cwd is an initialized aw workspace,
+  bootstrap forwards the current active team.
+- If no explicit source is set, cwd is not an aw workspace, and the
+  run is interactive, bootstrap creates/uses a hosted team through
+  onboarding prompts.
+- If no source can be resolved, stop and ask the human which team
+  source to use.
 Supported sources:
-1) Hosted new team (aweb.ai)
+1) Hosted new team
 - Best for first-time teams.
 - Use `--username <name>` or run interactively in a TTY.
-- Bootstrap uses the same hosted onboarding path as `aw init` for the first generated workspace.
+- Bootstrap uses the same hosted onboarding path as `aw init` for the
+  first generated workspace.
 2) Existing hosted team via API key
 - If `AWEB_API_KEY` is set, bootstrap joins the API key's hosted team.
-- `--aweb-url`/`AWEB_URL` is optional; when omitted, the hosted aweb.ai default is used. Set it only to target a non-default stack.
+- `--aweb-url`/`AWEB_URL` is optional; when omitted, the hosted
+  aweb.ai default is used.
 - Do not also pass `--username`, `--invite-token`, or BYOT flags.
 3) Existing team via invite token
 - Pass `--invite-token <token>`.
-- Bootstrap accepts it into the first generated workspace, then creates further invites from that established team context.
+- Bootstrap accepts it into the first generated workspace, then
+  creates further invites from that established team context.
 4) Current workspace forwarding
-- If the caller's cwd is already initialized for aw and no explicit source is set, bootstrap creates a one-use invite from the current active team and accepts it into the first generated workspace.
-- This is the safe default for adding a template team shape to the team you are already using.
+- If caller cwd is already initialized for aw and no explicit source
+  is set, bootstrap creates a one-use invite from the current active
+  team and accepts it into the first generated workspace.
-5) BYOT (bring your own team)
+5) BYOT
-- Use `--namespace <domain> --team <slug>` when the team's namespace/domain and controller key live in your environment.
-- BYOT includes bringing your own domain; there is no separate supported domain-only bootstrap mode.
-- Bootstrap creates/ensures the team in that namespace, invites the first generated workspace, then uses it as the anchor.
+- Use `--namespace <domain> --team <slug>` when the team's namespace/
+  domain and controller key live in your environment.
+- Bootstrap creates/ensures the team in that namespace, invites the
+  first generated workspace, then uses it as the anchor.
 Decision recipe:
-- Human says “make me a new team” and has no existing aw context: use hosted (`--username` or interactive prompt).
-- Human has a dashboard/API key: use `AWEB_API_KEY=... aw team bootstrap ...`; do not ask for `AWEB_URL` unless they are using a non-default stack.
+- Human says "make me a new team" and has no existing aw context: use
+  hosted (`--username` or interactive prompt) plus
+  `--identity-prefix`.
+- Human has a dashboard/API key: use
+  `AWEB_API_KEY=... aw agents bootstrap ... --identity-prefix <slug>`.
 - Human pasted an invite: use `--invite-token`.
-- Human is already inside the team workspace that should own the new agents: use current workspace forwarding (no explicit source).
-- Human controls a namespace/domain and wants the team under that namespace: use BYOT (`--namespace` + `--team`).
-Policy guidance:
-- Prefer hosted for “get a working team now”.
-- Prefer API key or invite when the team already exists but the caller is not already inside it.
-- Prefer current workspace forwarding when you are already inside the target team.
-- Prefer BYOT when you need local control over the team namespace/domain and routing.
-- Use `--dry-run` for planning only. It prints the resolved plan (template ref, work directory, team source, generated workspaces) without writing identities, files, or server state. Do not pair it with side-effecting flags expecting partial provisioning.
+- Human is already inside the team workspace that should own the new
+  agents: use current workspace forwarding.
+- Human controls a namespace/domain and wants the team under that
+  namespace: use BYOT (`--namespace` + `--team`).
-## Worktree-bound agents (`work: git_worktree`)
+## Adding agents later
-Worktree-bound agents are for codebases where multiple agents will edit in parallel.
+Add a repo-root local responsibility:
-- Every live home stays under `agents/home/<responsibility>/`.
-- A `work: git_worktree` agent gets a git checkout under `agents/worktrees/<alias-or-responsibility>/`.
-- Its home has `work -> ../../worktrees/<alias-or-responsibility>`.
+```bash
+aw agents add support --role support
+```
-Use `work: git_worktree` when:
+Add a worktree-bound local responsibility:
-- The project directory is a git repo.
-- Multiple agents will change files in parallel.
-- You want each agent’s edits isolated until you merge.
+```bash
+aw agents add-worktree developer --role developer
+```
-Leave it off when:
+Add a global BYOT responsibility:
-- Work is non-code.
-- Only one agent edits at a time.
+```bash
+aw agents add support \
+  --global \
+  --namespace example.com \
+  --team circle \
+  --identity-prefix juan
+```
-Operational note:
+Remove explicitly separates layout and identity effects:
-- Worktree-bound agents are local identities by default; they are for parallel local work, not for global addressability.
+```bash
+aw agents remove support --remove-layout
+aw agents remove support --deprovision-local
+aw agents remove support --delete-global-address
+```
-## After bootstrap: validate that the team is actually usable
+`--remove-layout` does not revoke other humans' certs and does not
+delete their ignored `.aw/` state.
-For each agent directory under `agents/home/<responsibility>/`:
+`--deprovision-local` uses the local team controller key for self-custodial
+teams. For hosted-managed cert-only agents, it can use the agent's own signing
+key and active team certificate to ask the hosted service to deprovision that
+same agent. It must not be described as dashboard authority over BYOT members.
-- Run `aw workspace status` to confirm:
-  - the workspace is initialized
-  - the active team is correct
-  - the identity is present
+`--delete-global-address` is opt-in. Self-custodial namespaces require the
+local namespace controller key. Hosted-managed global agents can delete only
+hosted-managed addresses through hosted self-deprovision; BYOT/unmanaged
+addresses remain customer-controller-owned.
-- Run `aw whoami` to confirm the identity fields are present.
+Map hosted self-deprovision structured errors to concrete recovery:
-- If you use a wake-up path (Pi extension / Claude Code channel plugin), start it inside the agent directory after initialization.
+- `hosted_team_controller_required`: use/restore the self-custodial team
+  controller key; this is not a hosted-managed team.
+- `global_address_not_hosted_managed`: delete the address with the customer
+  namespace controller; the hosted service must not delete BYOT/unmanaged
+  addresses.
+- `delete_global_address_required`: rerun with `--delete-global-address` for a
+  hosted-managed global agent.
+- `local_identity_has_no_global_address`: rerun without
+  `--delete-global-address`; local identities do not have global addresses.
-## Re-run safety and idempotence (how to avoid making a mess)
+## Legacy mode
-When iterating on templates or recovering from partial setup:
+Legacy out-of-repo mode is still supported for existing scripts that
+pass `--work-directory` or `--work-repo-url`. Do not choose it for a
+new customer unless they explicitly need the old shape.
-- Use `--dry-run` first to validate the plan.
-- Use `--refresh-template` only when you intend to re-clone over a previous template checkout.
-- Treat identity/certificate state under .aw/ as the source of truth; do not delete it casually.
-- If you need to create a fresh workspace, do it in a new directory rather than mutating an existing identity in place.
-- If `agents/` already exists, do not retry over it. Pick a different `--agents-dir` or remove the existing directory only if the human confirms it is disposable.
+## After bootstrap: validate that the team is usable
-If bootstrap fails mid-way:
+For each agent directory under `agents/home/<responsibility>/`:
-- Capture the first failing command and error.
-- Do not keep retrying blindly; first confirm whether some workspaces were already created and connected.
-- Prefer completing the remaining agent dirs rather than redoing everything.
+- Run `aw workspace status` to confirm the workspace is initialized,
+  the active team is correct, and the identity is present.
+- Run `aw whoami` to confirm identity fields are present.
+- If you use a wake-up path (Pi extension / Claude Code channel
+  plugin), start it inside the agent directory after initialization.
-## Adding agents later
+## Troubleshooting policy
-Two common expansions after initial bootstrap:
+If bootstrap fails:
-- Add another responsibility workspace: create a new directory and run `aw init` (or extend your template and bootstrap a new repo).
-- Add another isolated code workspace on the same repo: use `aw workspace add-worktree`.
+- Stop and capture the first error.
+- Do not retry over an existing `agents/` directory.
+- Prefer explicit recovery with `aw agents provision`, `aw agents add`,
+  or `aw agents remove` over deleting `.aw/` state.
+- If you must remove generated state, inspect/back up `.aw/` first.
-When in doubt, choose the smallest change that preserves existing identities and avoids rewriting certificates.
+If a multi-human provision hits an alias/address conflict, rerun with a
+different `--identity-prefix` or naming pattern. Invite-only flows may
+discover collisions only when accepting/registering; this is expected
+fail-closed behavior.
 ## References
 Read these only when deeper context is needed:
-- references/bootstrap-scenarios.md: scenarios, checklists, and troubleshooting.
-- https://aweb.ai/docs/team-bootstrap/ : full reference guide.
+- references/bootstrap-scenarios.md: scenarios, checklists, and
+  troubleshooting.
 - docs/team-bootstrap.md (aweb repo checkout): full reference guide.

package/skills/aweb-bootstrap/references/bootstrap-scenarios.md CHANGED Viewed

@@ -1,89 +1,149 @@
-# aweb Bootstrap scenarios and checklists
+# aweb agents bootstrap scenarios and checklists
-This reference is support material for the aweb-bootstrap skill. Use it when you need concrete examples, troubleshooting checklists, or a quick “what should I run next?” guide.
+This reference is support material for the aweb-bootstrap skill. Use it
+when you need concrete examples, troubleshooting checklists, or a quick
+"what should I run next?" guide.
-It is intentionally narrower than docs/team-bootstrap.md: it focuses on common decision points and failure modes.
+It is intentionally narrower than docs/team-bootstrap.md: it focuses on
+common decision points and failure modes.
 ## Quick mental model
-- Template repo = blueprint for roles, instructions, and agent home templates.
-- Default generated layout = project-local `agents/` directory containing `home/`, `worktrees/`, `roles/`, `docs/`, and `team.yaml`.
-- Work target = what each agent's `work` symlink points at: the repo root (`work: repo_root`) or a generated git worktree (`work: git_worktree`).
+- Template repo = blueprint for roles, instructions, and agent home
+  templates.
+- Default generated layout = project-local `agents/` directory
+  containing `home/`, `worktrees/`, `roles/`, `docs/`, and `team.yaml`.
+- Work target = what each agent's `work` symlink points at: the repo
+  root (`work: repo_root`) or a generated git worktree
+  (`work: git_worktree`).
 - Team source = the authority the generated agents join.
-- First generated workspace = bootstrap anchor. It connects first; roles/instructions install through it; all other generated agents join through invites from that established team context.
-- BYOT means bring your own team, including your own namespace/domain and controller key. Do not present a separate domain-only bootstrap mode.
+- Identity prefix = the per-human slug used to avoid alias/address
+  collisions in shared repos.
+- First generated workspace = bootstrap anchor. It connects first;
+  roles/instructions install through it; all other generated agents
+  join through invites from that established team context.
+- BYOT means bring your own team, including your own namespace/domain
+  and controller key. Do not present a separate domain-only bootstrap
+  mode.
 Team-source precedence:
-- Explicit sources conflict: use only one of `AWEB_API_KEY`, `--invite-token`, `--username`, or `--namespace/--team`.
-- With no explicit source, an initialized caller cwd forwards its current active team.
-- With no explicit source and no caller workspace, an interactive run uses hosted onboarding.
-- Non-interactive runs need an explicit source or initialized caller workspace.
+- Explicit sources conflict: use only one of `AWEB_API_KEY`,
+  `--invite-token`, `--username`, or `--namespace/--team`.
+- With no explicit source, an initialized caller cwd forwards its
+  current active team.
+- With no explicit source and no caller workspace, an interactive run
+  uses hosted onboarding.
+- Non-interactive runs need an explicit source or initialized caller
+  workspace.
-## Scenario: first-time hosted team from a template (recommended)
+## Scenario: first-time hosted team from a template
-Goal: create a new aweb.ai team and provision agent workspaces from a template.
+Goal: create a new aweb.ai team and provision agent workspaces from a
+template.
 Checklist:
 - Run from the root of the project git repo.
-- Confirm the target agents directory does not already exist. Default: `agents/`.
-- Pick a template:
-  - awebai/aweb-team-coord-worktrees for coordinator + developer/reviewer worktrees.
-  - awebai/aweb-team-dev-review for a minimal 2-agent setup.
-  - awebai/aweb-team-company-surfaces for a 6-agent cross-functional setup.
+- Confirm the target agents directory does not already exist. Default:
+  `agents/`.
+- Pick a template.
+- Pick a human-specific `--identity-prefix`.
 Example:
   cd /path/to/project-repo
-  aw team bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git --username alice
+  aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+    --username alice \
+    --identity-prefix juan
 Example with a non-default agents directory:
   cd /path/to/project-repo
-  aw team bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git --username alice --agents-dir aweb-agents
+  aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
+    --username alice \
+    --identity-prefix juan \
+    --agents-dir aweb-agents
 Notes:
-- Bootstrap creates `agents/home/<agent>/` for every live agent home.
-- Worktree-bound agents get checkouts under `agents/worktrees/<alias-or-agent>/`.
-- The repo root is not an aw workspace; humans should start Codex/Claude/Pi from `agents/home/<agent>/`.
+- Bootstrap creates `agents/home/<responsibility>/` for every live
+  agent home.
+- Worktree-bound agents get checkouts under
+  `agents/worktrees/<worktree-name>/`.
+- The repo root is not an aw workspace; humans should start
+  Codex/Claude/Pi from `agents/home/<responsibility>/`.
+## Scenario: second human provisions the same repo
+Goal: another human clones the repo and creates their own ignored
+identity state for the same committed layout.
+Checklist:
+- Do not run bootstrap over the existing `agents/` directory.
+- Get an invite token, API key, BYOT authority, or current workspace
+  context for the same team.
+- Use a different `--identity-prefix`.
+Example:
+  git pull
+  aw agents provision --invite-token <token> --identity-prefix maria
+  cd agents/home/coordinator
+  codex
+Expected behavior:
+- Committed `agents/team.yaml`, `roles/`, `docs/`, and
+  `home/*/AGENTS.md` remain unchanged.
+- Local `.aw/` state and `work` symlinks are regenerated under
+  `agents/home/*/`.
+- Worktree directories are under `agents/worktrees/`.
 ## Scenario: customize the template before applying it
-Goal: change roles, agent responsibilities, names, aliases, or instructions before any team state is created.
+Goal: change roles, agent responsibilities, naming policy, or
+instructions before any team state is created.
 Checklist:
 - Clone or fork the template first.
-- Edit `team.yaml`, `roles/*.md`, `docs/team.md`, and `home/<responsibility>/AGENTS.md` as needed.
-- Run `aw team bootstrap /path/to/template --dry-run` from the project repo root to validate.
-- Bootstrap the local template directory only after the plan looks right.
+- Edit `team.yaml`, `roles/*.md`, `docs/team.md`, and
+  `home/<responsibility>/AGENTS.md` as needed.
+- Run `aw agents bootstrap /path/to/template --dry-run` from the
+  project repo root to validate.
+- Bootstrap the local template directory only after the plan looks
+  right.
 Example:
-  git clone https://github.com/awebai/aweb-team-dev-review.git my-team-template
+  git clone https://github.com/awebai/aweb-team-coord-worktrees.git my-team-template
   cd my-team-template
   # edit team.yaml / roles / docs / home
   cd /path/to/project-repo
-  aw team bootstrap /path/to/my-team-template --dry-run
-  aw team bootstrap /path/to/my-team-template --username alice
+  aw agents bootstrap /path/to/my-team-template --dry-run --identity-prefix juan
+  aw agents bootstrap /path/to/my-team-template --username alice --identity-prefix juan
-## Scenario: BYOT (bring your own team)
+## Scenario: BYOT
 Goal: bootstrap a team under a namespace/domain you control.
 Checklist:
-- Confirm you have a controller identity key for the namespace/domain.
-- Remember BYOT includes bringing your own domain; there is no separate supported domain-only bootstrap mode.
-- Bootstrap will connect the first generated workspace, install roles/instructions there, then invite/connect the remaining agents.
+- Confirm the namespace is registered and the controller key is
+  available locally.
+- Remember BYOT includes bringing your own domain; there is no separate
+  supported domain-only bootstrap mode.
+- Bootstrap will connect the first generated workspace, install
+  roles/instructions there, then invite/connect the remaining agents.
-Example shape (values are placeholders):
+Example shape:
-  aw team bootstrap https://github.com/awebai/aweb-team-dev-review.git \
+  aw agents bootstrap https://github.com/awebai/aweb-team-coord-worktrees.git \
     --namespace example.com \
-    --team dev
+    --team dev \
+    --identity-prefix juan
 If you are also self-hosting the coordination stack, add:
@@ -92,76 +152,149 @@ If you are also self-hosting the coordination stack, add:
 ## Scenario: existing hosted team via API key
-Goal: provision a template into the hosted team associated with an API key.
+Goal: provision a template into the hosted team associated with an API
+key.
 Checklist:
-- Set AWEB_API_KEY.
-- Optionally set AWEB_URL or pass --aweb-url to target a non-default stack; otherwise the hosted default is used.
-- Do not also pass --username, --invite-token, or BYOT flags.
+- Set `AWEB_API_KEY`.
+- Optionally set `AWEB_URL` or pass `--aweb-url` to target a
+  non-default stack; otherwise the hosted default is used.
+- Do not also pass `--username`, `--invite-token`, or BYOT flags.
 Example:
   AWEB_API_KEY=aw_sk_... \
-    aw team bootstrap /path/to/template
+    aw agents bootstrap /path/to/template --identity-prefix juan
 ## Scenario: existing team via invite token
-Goal: accept an invite into the first generated workspace and use it as the anchor for the rest of bootstrap.
+Goal: accept an invite into the first generated workspace and use it as
+the anchor for the rest of bootstrap.
 Example:
-  aw team bootstrap /path/to/template \
-    --invite-token <token>
+  aw agents bootstrap /path/to/template \
+    --invite-token <token> \
+    --identity-prefix maria
 ## Scenario: current workspace forwarding
-Goal: run bootstrap from an existing aw workspace and forward that active team into the generated template workspaces.
+Goal: run bootstrap from an existing aw workspace and forward that
+active team into the generated template workspaces.
 Checklist:
 - Confirm `aw workspace status` succeeds in the caller cwd.
 - Do not pass another explicit team source.
-- Bootstrap will create a one-use invite from the current active team for the first generated workspace.
+- Bootstrap will create a one-use invite from the current active team
+  for the first generated workspace.
 ## Scenario: dry-run planning
-Goal: validate the plan and see generated workspace commands without changing files, identities, or server state.
+Goal: validate the plan and see generated workspace commands without
+changing files, identities, or server state.
 Example:
-  aw team bootstrap /path/to/template --dry-run
+  aw agents bootstrap /path/to/template --dry-run --identity-prefix juan
+## Scenario: add a new responsibility later
+Repo-root local agent:
+  aw agents add support --role support
+Worktree-bound local agent:
+  aw agents add-worktree developer --role developer
+Global BYOT agent:
+  aw agents add support \
+    --global \
+    --namespace example.com \
+    --team circle \
+    --identity-prefix juan
+## Scenario: remove a responsibility
+Remove the shared blueprint entry:
+  aw agents remove support --remove-layout
+Remove this human's local ignored state:
+  aw agents remove support --deprovision-local
+Delete a global address when you have the required namespace authority:
+  aw agents remove support --delete-global-address
+`--remove-layout` is not a team-wide revocation. Other humans' local
+`.aw/` state and certificates continue until they deprovision or the
+certs expire/revoke separately.
+`--deprovision-local` uses local team-controller authority for self-custodial
+teams. Hosted-managed cert-only agents may self-deprovision through the hosted
+service using their own signing key and active team certificate. That hosted
+path applies only to the same agent and must not be described as dashboard
+authority over BYOT members.
+`--delete-global-address` is opt-in. Self-custodial namespaces require the
+local namespace controller key. Hosted-managed global agents can delete only
+hosted-managed addresses through hosted self-deprovision; unmanaged/BYOT
+addresses remain customer-controller-owned.
+Hosted self-deprovision errors are actionable:
+- `hosted_team_controller_required`: use/restore the self-custodial team
+  controller key; this is not a hosted-managed team.
+- `global_address_not_hosted_managed`: delete the address with the customer
+  namespace controller; the hosted service must not delete BYOT/unmanaged
+  addresses.
+- `delete_global_address_required`: rerun with `--delete-global-address` for a
+  hosted-managed global agent.
+- `local_identity_has_no_global_address`: rerun without
+  `--delete-global-address`; local identities do not have global addresses.
 ## Legacy mode: old out-of-repo bootstrap
-Use legacy mode only for existing scripts/templates that still expect the old layout.
+Use legacy mode only for existing scripts/templates that still expect
+the old layout.
 - `--work-directory <path>` selects legacy work-directory mode.
-- `--work-repo-url <url-or-local-path>` selects legacy clone-then-bootstrap mode.
+- `--work-repo-url <url-or-local-path>` selects legacy
+  clone-then-bootstrap mode.
 - The two flags are XOR.
 - Do not combine `--agents-dir` with either legacy work flag.
-## Worktree-bound agents: when to enable and what to expect
+## Worktree-bound agents
-Use `work: git_worktree` when multiple agents will edit code in parallel.
+Use `work: git_worktree` when multiple agents will edit code in
+parallel.
 Requirements:
 - The project directory must be a git repo.
-- The template declares `work: git_worktree` for the relevant agent in `team.yaml`.
+- The template declares `work: git_worktree` for the relevant agent in
+  `team.yaml`.
-What bootstrap does:
+What bootstrap/add-worktree does:
-- It creates `agents/worktrees/` and writes scoped `.gitignore` entries.
+- It creates `agents/worktrees/` and writes scoped `.gitignore`
+  entries.
 - It creates one git worktree per `work: git_worktree` agent.
 - The live agent home remains under `agents/home/<responsibility>/`.
-- Each worktree-bound agent gets its own `.aw/` state and local-scope identity.
+- Each worktree-bound agent gets its own `.aw/` state and local-scope
+  identity.
 Common pitfall:
-- Alias collisions: worktree agent aliases must not collide with existing team aliases.
+- Alias collisions: in shared repos use `--identity-prefix` and a
+  template local alias pattern such as `{user}-{classic-name}`.
-## Quick validation after bootstrap
+## Quick validation after bootstrap/provision
 In each generated agent directory (`agents/home/<responsibility>/`):
@@ -170,17 +303,28 @@ In each generated agent directory (`agents/home/<responsibility>/`):
 If you are using a wake-up integration:
-- start the Pi extension or the Claude Code channel plugin in that directory after initialization
+- start the Pi extension or the Claude Code channel plugin in that
+  directory after initialization
 ## Troubleshooting patterns
 If bootstrap fails:
 - Stop and capture the first error.
-- Identify which directories were already created.
-- Prefer completing the remaining steps rather than deleting existing .aw state.
+- Do not retry over an existing `agents/` directory.
+- Inspect/back up `.aw/` state before deleting generated directories.
+- Prefer `aw agents provision`, `aw agents add`, or
+  `aw agents remove` recovery commands over hand-editing identity
+  state.
+If a multi-human provision hits a conflict:
+- Rerun with a different `--identity-prefix` or naming pattern.
+- Invite-only flows may discover existing aliases only at mutation
+  time; this is expected fail-closed behavior.
-If you see identity_mismatch or unverified messages in live channel metadata:
+If you see identity_mismatch or unverified messages in live channel
+metadata:
 - Compare with aw chat history output.
 - Confirm the channel plugin / Pi package version is current.

package/skills/aweb-team-membership/SKILL.md CHANGED Viewed

@@ -84,7 +84,7 @@ aw init   # if the joining directory still needs server binding
 No token round-trip. Direct controller-mint. Available only for hosted teams because BYOT controller keys aren't held by aweb.
-**Path 3 — CLI invite-token, for hosted local-worktree only.** Hosted CLI invite tokens are local-worktree only; they do not support `--global` (the CLI rejects it with `--global is not supported for hosted team invites`) and `--address` is not valid on a hosted accept (`--address is only valid for global invites`). Use this when the owner wants to invite a new local-workspace identity by token:
+**Path 3 — CLI invite-token, for hosted self-custodial local or global identities.** Hosted CLI invite tokens are redeemed through the cloud, but the accepting directory keeps its own signing key. Use the default form when the owner wants to invite a new local-workspace identity by token:
 ```bash
 # Owner side (in a workspace with the necessary authority):
@@ -97,7 +97,14 @@ aw id team accept-invite <token> --alias <alias>
 aw init                        # finish wiring the new workspace
 ```
-`accept-invite` refuses to overwrite an existing `.aw/` identity and generates a fresh local self-custodial identity in the target directory before requesting the certificate. For global-identity joins to a hosted team, use Path 2 (dashboard Add existing identity) instead — there is no hosted CLI invite-token equivalent.
+`accept-invite` refuses to overwrite an existing `.aw/` identity and generates a fresh local self-custodial identity in the target directory before requesting the certificate. For a hosted global identity, accept the hosted token with `--address <domain>/<name>`:
+```bash
+aw id team accept-invite <token> --address <domain>/<name>
+aw init                        # finish wiring the new workspace
+```
+In the hosted `--address` case, the CLI creates a fresh self-custodial global identity for the address, registers it through the hosted service, and installs the hosted team certificate. The hosted service signs the team certificate; it does not receive the accepting directory's private signing key. If the user already has a global identity and only needs a certificate for an existing hosted team, Path 2 (dashboard Add existing identity + `fetch-cert`) remains valid.
 This is **not** the cross-machine BYOT path. Do not present it as the normal way to join a BYOT team from another machine.
@@ -161,7 +168,7 @@ This is the local-controller convenience case only. For cross-machine BYOT joins
 Two distinct local actions install a membership:
-- **`aw id team accept-invite <token>`** — redeems a CLI invite token. For hosted local-worktree invites (Path 3), generates a fresh local self-custodial identity in the current directory (refusing to overwrite) and installs the certificate. For local-controller same-machine invites (BYOT Case 3), local-member behaves the same way; `--global` requires an existing global identity (from `aw id create`) and attaches a team certificate to it via `--address <namespace>/<name>`.
+- **`aw id team accept-invite <token>`** — redeems a CLI invite token. For hosted invites (Path 3), generates a fresh self-custodial identity in the current directory (refusing to overwrite) and installs the certificate; default is local, while `--address <domain>/<name>` creates/registers a fresh global identity through the hosted service before certificate install. For local-controller same-machine invites (BYOT Case 3), local-member behaves the same way as hosted local; global accepts require an existing global identity (from `aw id create`) and attach a team certificate to it via `--address <namespace>/<name>`.
 - **`aw id team fetch-cert --namespace <namespace> --team <team> --cert-id <id>`** — installs a certificate that has already been minted server-side (by hosted "Add existing identity") or signed by a controller (BYOT `add-member`). Used for hosted Path 2 and BYOT Case 1.
 If you have a token, use `accept-invite`. If you have a `cert-id` printed by the dashboard or controller, use `fetch-cert`.