@ghl-ai/aw 0.1.39-beta.9 → 0.1.40-beta.0

package/ecc.mjs

@@ -10,7 +10,7 @@ import { applyStoredStartupPreferences } from "./startup.mjs";
 
 const AW_ECC_REPO_SSH = "git@github.com:shreyansh-ghl/aw-ecc.git";
 const AW_ECC_REPO_HTTPS = "https://github.com/shreyansh-ghl/aw-ecc.git";
-export const AW_ECC_TAG = "v1.4.33";
+export const AW_ECC_TAG = "v1.4.37";
 
 const MARKETPLACE_NAME = "aw-marketplace";
 const PLUGIN_KEY = `aw@${MARKETPLACE_NAME}`;

package/git.mjs

@@ -9,6 +9,49 @@ import { REGISTRY_BASE_BRANCH, REGISTRY_DIR, DOCS_SOURCE_DIR, RULES_SOURCE_DIR }
 
 const exec = promisify(execCb);
 
+/**
+ * Env vars applied to every git command that touches the network.
+ * GIT_TERMINAL_PROMPT=0 prevents git from hanging when it would otherwise
+ * prompt for credentials (e.g. HTTPS URL with SSH-only auth configured).
+ * Instead, git exits immediately with a non-zero code that we can catch.
+ */
+const GIT_NET_ENV = { ...process.env, GIT_TERMINAL_PROMPT: '0' };
+
+/**
+ * Convert an HTTPS GitHub URL to its SSH equivalent.
+ * e.g. https://github.com/Org/Repo.git → git@github.com:Org/Repo.git
+ */
+function toSshUrl(httpsUrl) {
+  const m = httpsUrl.match(/^https:\/\/github\.com\/(.+)$/);
+  return m ? `git@github.com:${m[1]}` : httpsUrl;
+}
+
+/**
+ * Detect whether the user's git is configured to prefer SSH for github.com.
+ * Checks: 1) git insteadOf config  2) gh CLI auth status
+ * Returns true if SSH is preferred.
+ */
+function prefersSsh() {
+  // Check git url."git@github.com:".insteadOf
+  try {
+    const out = execSync(
+      'git config --global --get-regexp "url\\.git@github\\.com.*\\.insteadOf"',
+      { stdio: 'pipe', encoding: 'utf8', env: GIT_NET_ENV },
+    ).trim();
+    if (out.includes('https://github.com')) return true;
+  } catch { /* not configured */ }
+
+  // Check gh auth — if protocol is ssh, prefer SSH
+  try {
+    const out = execSync('gh auth status 2>&1', {
+      stdio: 'pipe', encoding: 'utf8', env: GIT_NET_ENV, timeout: 5000,
+    });
+    if (/git protocol:\s*ssh/i.test(out)) return true;
+  } catch { /* gh not installed or not authed */ }
+
+  return false;
+}
+
 // ── Backward-compat: temp-dir sparse checkout (used by search.mjs) ────────────
 
 /**
@@ -18,12 +61,23 @@ const exec = promisify(execCb);
 export function sparseCheckout(repo, paths) {
   const tempDir = mkdtempSync(join(tmpdir(), 'aw-'));
 
-  const repoUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
-  try {
-    execSync(`git clone --filter=blob:none --no-checkout "${repoUrl}" "${tempDir}"`, {
-      stdio: 'pipe',
-    });
-  } catch (e) {
+  const httpsUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
+  const urls = prefersSsh() ? [toSshUrl(httpsUrl), httpsUrl] : [httpsUrl, toSshUrl(httpsUrl)];
+
+  let cloned = false;
+  for (const url of urls) {
+    try {
+      execSync(`git clone --filter=blob:none --no-checkout "${url}" "${tempDir}"`, {
+        stdio: 'pipe', env: GIT_NET_ENV,
+      });
+      cloned = true;
+      break;
+    } catch {
+      // Clean up partial clone so next attempt can use the same tempDir
+      try { rmSync(join(tempDir, '.git'), { recursive: true, force: true }); } catch {}
+    }
+  }
+  if (!cloned) {
     throw new Error(`Failed to clone ${repo}. Check your git credentials and repo access.`);
   }
 
@@ -47,10 +101,20 @@ export function sparseCheckout(repo, paths) {
 export async function sparseCheckoutAsync(repo, paths) {
   const tempDir = mkdtempSync(join(tmpdir(), 'aw-'));
 
-  const repoUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
-  try {
-    await exec(`git clone --filter=blob:none --no-checkout "${repoUrl}" "${tempDir}"`);
-  } catch (e) {
+  const httpsUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
+  const urls = prefersSsh() ? [toSshUrl(httpsUrl), httpsUrl] : [httpsUrl, toSshUrl(httpsUrl)];
+
+  let cloned = false;
+  for (const url of urls) {
+    try {
+      await exec(`git clone --filter=blob:none --no-checkout "${url}" "${tempDir}"`, { env: GIT_NET_ENV });
+      cloned = true;
+      break;
+    } catch {
+      try { rmSync(join(tempDir, '.git'), { recursive: true, force: true }); } catch {}
+    }
+  }
+  if (!cloned) {
     throw new Error(`Failed to clone ${repo}. Check your git credentials and repo access.`);
   }
 
@@ -106,7 +170,9 @@ export function isValidClone(awHome, repoUrl) {
   if (!existsSync(join(awHome, '.git'))) return false;
   try {
     const remote = execSync('git remote get-url origin', { cwd: awHome, stdio: 'pipe', encoding: 'utf8' }).trim();
-    return remote === repoUrl || remote === repoUrl.replace(/\.git$/, '') + '.git' || remote.replace(/\.git$/, '') === repoUrl.replace(/\.git$/, '');
+    // Normalize both sides to bare repo path for comparison (handles HTTPS ↔ SSH)
+    const normalize = (u) => u.replace(/\.git$/, '').replace(/^git@github\.com:/, 'https://github.com/');
+    return normalize(remote) === normalize(repoUrl);
   } catch {
     return false;
   }
@@ -123,10 +189,26 @@ export async function initPersistentClone(repoUrl, awHome, sparsePaths) {
     try { execSync(`rm -rf "${awHome}"`, { stdio: 'pipe' }); } catch {}
   }
 
-  try {
-    await exec(`git clone --filter=blob:none --no-checkout "${repoUrl}" "${awHome}"`);
-  } catch (e) {
-    throw new Error(`Failed to clone ${repoUrl}: ${e.message}`);
+  const urls = prefersSsh()
+    ? [toSshUrl(repoUrl), repoUrl]
+    : [repoUrl, toSshUrl(repoUrl)];
+
+  let cloned = false;
+  for (const url of urls) {
+    // Clean up any partial clone from a previous attempt
+    if (existsSync(awHome) && !isValidClone(awHome, url)) {
+      try { execSync(`rm -rf "${awHome}"`, { stdio: 'pipe' }); } catch {}
+    }
+    try {
+      await exec(`git clone --filter=blob:none --no-checkout "${url}" "${awHome}"`, { env: GIT_NET_ENV });
+      cloned = true;
+      break;
+    } catch {
+      // try next URL
+    }
+  }
+  if (!cloned) {
+    throw new Error(`Failed to clone ${repoUrl}. Check your git credentials and repo access (HTTPS and SSH both failed).`);
   }
 
   try {
@@ -286,7 +368,7 @@ export async function fetchAndMerge(awHome, { silent = true } = {}) {
 
   // ── 2. Fetch ──────────────────────────────────────────────────────────────
   try {
-    await exec(`git -C "${awHome}" fetch origin ${REGISTRY_BASE_BRANCH}`);
+    await exec(`git -C "${awHome}" fetch origin ${REGISTRY_BASE_BRANCH}`, { env: GIT_NET_ENV });
   } catch (e) {
     throw new Error(`Failed to fetch from origin: ${e.message}`);
   }
@@ -315,7 +397,7 @@ export async function fetchAndMerge(awHome, { silent = true } = {}) {
     // someone else pushed to the remote tracking branch since our last fetch.
     if (isPushBranch) {
       try {
-        await exec(`git -C "${awHome}" push --force-with-lease origin "${currentBranch}"`);
+        await exec(`git -C "${awHome}" push --force-with-lease origin "${currentBranch}"`, { env: GIT_NET_ENV });
       } catch { /* non-blocking — divergence will be resolved on next aw push */ }
     }
   } catch {
@@ -442,7 +524,7 @@ export function updatePushBranch(awHome, pushBranchName) {
   }
 
   try {
-    execSync(`git -C "${awHome}" push origin "${pushBranchName}" --force`, { stdio: 'pipe' });
+    execSync(`git -C "${awHome}" push origin "${pushBranchName}" --force`, { stdio: 'pipe', env: GIT_NET_ENV });
   } catch (e) {
     throw new Error(`Failed to push branch: ${e.message}`);
   }
@@ -485,7 +567,7 @@ export async function createPushBranch(awHome, branchName, files, commitMsg, pre
   }
 
   try {
-    await exec(`git -C "${awHome}" push -u origin "${branchName}"`);
+    await exec(`git -C "${awHome}" push -u origin "${branchName}"`, { env: GIT_NET_ENV });
   } catch (e) {
     throw new Error(`Failed to push branch: ${e.message}`);
   }

package/integrate.mjs

@@ -114,12 +114,41 @@ function shouldResetHomeInstructionFile(content, file) {
   return legacyMarkers.some(marker => content.includes(marker));
 }
 
+function stripLegacyRepoInstructionContent(content, file) {
+  const legacyMarkers = file === 'CLAUDE.md'
+    ? [
+      '# CLAUDE.md — ',
+      '## Routing Rule (ABSOLUTE)',
+      'This supplements the root `AGENTS.md` with Codex-specific guidance.',
+      '<!-- BEGIN ECC -->',
+    ]
+    : [
+      '# AGENTS.md — ',
+      '# ECC for Codex CLI',
+      '# AW SDLC Repo Instructions',
+      'Use the repo-local AW SDLC files as the source of truth for routing and stage behavior.',
+      '## Agent System',
+      '<!-- BEGIN ECC -->',
+    ];
+
+  const startIndexes = legacyMarkers
+    .map(marker => content.indexOf(marker))
+    .filter(idx => idx !== -1);
+
+  if (startIndexes.length === 0) return content;
+
+  const startIdx = Math.min(...startIndexes);
+  const preserved = content.slice(0, startIdx).trimEnd();
+  return preserved ? `${preserved}\n` : '';
+}
+
 function applyManagedInstructionSections(content, file, rulesSections = {}, options = {}) {
   const rulesHeader = file === 'CLAUDE.md' ? CLAUDE_RULES_HEADER : AGENTS_RULES_HEADER;
   const rulesSection = file === 'CLAUDE.md' ? rulesSections.claudeSection : rulesSections.agentsSection;
   const includeBridge = options.includeBridge !== false;
 
-  let next = stripManagedBlock(content, AW_ROUTER_BRIDGE_START_MARKER, AW_ROUTER_BRIDGE_END_MARKER);
+  let next = stripLegacyRepoInstructionContent(content, file);
+  next = stripManagedBlock(next, AW_ROUTER_BRIDGE_START_MARKER, AW_ROUTER_BRIDGE_END_MARKER);
   next = stripManagedSection(next, AW_ROUTER_BRIDGE_HEADER, [rulesHeader]);
   next = stripManagedSection(next, rulesHeader);
   next = next.trimEnd();
@@ -129,8 +158,15 @@ function applyManagedInstructionSections(content, file, rulesSections = {}, opti
     return next ? `${next}\n` : '';
   }
 
-  const appended = sections.join('\n\n').trim();
-  return next ? `${next}\n\n${appended}\n` : `${appended}\n`;
+  // Marker tells users (and aw init) where the managed section starts.
+  // Everything BEFORE this marker is repo-owned and never touched by aw.
+  // Everything AFTER is managed by aw — re-rendered on every aw init.
+  const managedBoundary = '<!-- aw-managed: content below is regenerated by `aw init` — put your own content above this line -->';
+  const appended = [managedBoundary, ...sections].join('\n\n').trim();
+  // Strip any prior managedBoundary line from `next` so we don't accumulate them
+  // when re-running aw init.
+  const cleaned = next.split('\n').filter(line => line.trim() !== managedBoundary).join('\n').trimEnd();
+  return cleaned ? `${cleaned}\n\n${appended}\n` : `${appended}\n`;
 }
 
 /**
@@ -188,49 +224,34 @@ function findFiles(dir, typeName) {
 }
 
 /**
- * Copy AGENTS.md to project root and refresh rules sections in any existing
- * CLAUDE.md. New CLAUDE.md files are intentionally not generated because their
- * routing rules can hijack plugin command dispatch in some workspaces.
+ * Refresh rules sections in any existing AGENTS.md/CLAUDE.md at the repo
+ * root.
+ *
+ * Repo instruction files are user-owned. aw init no longer creates or updates
+ * managed sections in repo-local AGENTS.md / CLAUDE.md.
+ *
+ * The only repo-file behavior left is cleanup: if a repo still contains old
+ * aw-managed sections from prior versions, strip those sections while leaving
+ * the user's own content intact.
  */
 export function copyInstructions(cwd, tempDir, namespace) {
   const rulesSections = renderRules(cwd);
   const createdFiles = [];
+
   for (const file of ['AGENTS.md', 'CLAUDE.md']) {
     const dest = join(cwd, file);
     if (existsSync(dest)) {
       const existing = readFileSync(dest, 'utf8');
-      const updated = applyManagedInstructionSections(existing, file, rulesSections, { includeBridge: false });
+      const updated = applyManagedInstructionSections(existing, file, {}, { includeBridge: false });
 
       if (updated !== existing) {
         writeFileSync(dest, updated);
-        fmt.logSuccess(`Updated ${file}`);
+        fmt.logStep(`Stripped aw-managed sections from ${file} (now in ~/.claude/CLAUDE.md / ~/.codex/AGENTS.md)`);
       }
       continue;
     }
 
-    if (file === 'CLAUDE.md') continue;
-
-    if (tempDir) {
-      const src = join(tempDir, '.aw_registry', file);
-      if (existsSync(src)) {
-        let content = readFileSync(src, 'utf8');
-        if (namespace) {
-          content = content.replace(/\{\{TEAM\}\}/g, namespace);
-        }
-        content = applyManagedInstructionSections(content, file, rulesSections, { includeBridge: false });
-        writeFileSync(dest, content);
-        fmt.logSuccess(`Created ${file}`);
-        createdFiles.push(dest);
-        continue;
-      }
-    }
-
-    const content = generateAgentsMd(cwd, namespace, rulesSections);
-    if (content) {
-      writeFileSync(dest, applyManagedInstructionSections(content, file, rulesSections, { includeBridge: false }));
-      fmt.logSuccess(`Created ${file}`);
-      createdFiles.push(dest);
-    }
+    // Never create repo instruction files anymore.
   }
   return createdFiles;
 }
@@ -286,7 +307,7 @@ function generateClaudeMd(cwd, namespace, rulesSections = {}) {
   const team = namespace || 'my-team';
   let base = `# CLAUDE.md — ${team}
 
-Team: ${team} | Local-first orchestration via \`.aw_docs/\` | MCPs: \`memory/*\` (shared knowledge), \`git-jenkins\` (CI/CD), \`grafana\` (observability)
+Team: ${team} | Local-first orchestration via \`.aw_docs/\` | MCPs: \`memory/*\` (shared knowledge), \`jenkins_*\` (CI/CD via ghl-ai MCP), \`grafana\` (observability)
 
 ## Routing Rule (ABSOLUTE)
 
@@ -357,7 +378,7 @@ memory/search  → Search shared team knowledge base
 memory/store   → Push learnings to shared knowledge (eager sync after runs)
 memory/get     → Fetch specific memory by ID
 grafana/*      → External observability
-git-jenkins/*  → External CI/CD pipelines
+jenkins_*      → CI/CD pipelines (provided by ghl-ai MCP)
 stitch/*       → External design generation
 \`\`\`
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ghl-ai/aw",
-  "version": "0.1.39-beta.9",
+  "version": "0.1.40-beta.0",
   "description": "Agentic Workspace CLI — pull, push & manage agents, skills and commands from the registry",
   "type": "module",
   "bin": {

package/render-rules.mjs

@@ -6,7 +6,12 @@ import { homedir } from 'node:os';
 import * as fmt from './fmt.mjs';
 import { RULES_RUNTIME_DIR } from './constants.mjs';
 
-const GENERATED_HEADER = '<!-- Generated by aw — do not edit manually -->\n\n';
+// The marker is placed AFTER the YAML frontmatter so Cursor/Markdown parsers
+// see the frontmatter at byte 0. Putting an HTML comment before --- breaks
+// Cursor's alwaysApply/globs detection.
+const GENERATED_MARKER = '<!-- Generated by aw — do not edit manually -->';
+// Legacy header (pre-pattern comment first) — kept for pruning old files.
+const LEGACY_GENERATED_HEADER = '<!-- Generated by aw — do not edit manually -->\n\n';
 const STACK_OVERLAY_FLAG = 'AW_ENABLE_STACK_OVERLAY_RULES';
 
 /** Rule scope → Cursor .mdc glob patterns */
@@ -196,7 +201,8 @@ function pruneStaleGeneratedRules(outputDir, expectedFilenames) {
 
     const fullPath = join(outputDir, entry.name);
     const content = readOrNull(fullPath);
-    if (!content?.startsWith(GENERATED_HEADER)) continue;
+    // Match both new pattern (marker after frontmatter) and legacy (marker at top).
+    if (!content || (!content.includes(GENERATED_MARKER) && !content.startsWith(LEGACY_GENERATED_HEADER))) continue;
 
     try {
       unlinkSync(fullPath);
@@ -303,7 +309,9 @@ function renderCursorRules(cwd, rulesDir, options = {}) {
       }
     }
 
-    const content = GENERATED_HEADER + frontmatter.join('\n') + '\n\n' + agentsMd.trim() + '\n' + refSection;
+    // Frontmatter MUST be at byte 0 for Cursor's YAML parser.
+    // Generated marker goes on the line immediately after the closing ---.
+    const content = frontmatter.join('\n') + '\n' + GENERATED_MARKER + '\n\n' + agentsMd.trim() + '\n' + refSection;
     writeFileSync(join(cursorRulesDir, `${scopeToFilename(scope)}.mdc`), content);
     count++;
   }
@@ -318,10 +326,13 @@ function renderCursorRules(cwd, rulesDir, options = {}) {
 }
 
 function generateCursorAwRoutingRule() {
-  return `${GENERATED_HEADER}---
+  // Frontmatter MUST be at byte 0 for Cursor's alwaysApply/globs detection.
+  return `---
 description: "AW global routing: select route, READ stage skill, then respond"
 alwaysApply: true
 ---
+${GENERATED_MARKER}
+
 # AW Global Routing
 
 ## Hard Gate (MUST — do not skip)
@@ -460,7 +471,8 @@ function renderClaudeRules(cwd, rulesDir, options = {}) {
       }
     }
 
-    const content = GENERATED_HEADER + frontmatter + agentsMd.trim() + '\n' + refSection;
+    // Claude Code reads .md frontmatter similarly — keep marker after frontmatter.
+    const content = frontmatter + GENERATED_MARKER + '\n\n' + agentsMd.trim() + '\n' + refSection;
     writeFileSync(join(claudeRulesDir, `${scopeToFilename(scope)}.md`), content);
     count++;
   }
@@ -471,21 +483,120 @@ function renderClaudeRules(cwd, rulesDir, options = {}) {
 /**
  * Generate a rules section for CLAUDE.md from runtime AW rules.
  */
-export function generateClaudeMdRulesSection(rulesDir) {
+/**
+ * Resolve the final scope set for AGENTS.md/CLAUDE.md filtering.
+ * Precedence: explicit option > .aw/config.json awRuleScopes > auto-detect.
+ * Returns undefined if user explicitly disabled filtering (awRuleScopes: "all").
+ */
+export function resolveApplicableScopes(cwd, options = {}) {
+  if (options.applicableScopes) return options.applicableScopes;
+
+  // Read .aw/config.json if present.
+  const configPath = join(cwd, '.aw', 'config.json');
+  if (existsSync(configPath)) {
+    try {
+      const config = JSON.parse(readFileSync(configPath, 'utf8'));
+      const setting = config.awRuleScopes;
+      if (setting === 'all') return undefined;        // disable filtering
+      if (Array.isArray(setting)) return new Set(setting);
+    } catch { /* fall through to auto-detect */ }
+  }
+
+  return detectApplicableScopes(cwd);
+}
+
+/**
+ * Detect applicable rule scopes for a consumer repo based on filesystem signals.
+ * Returns a Set of scope names (e.g. 'frontend', 'backend', 'mobile').
+ * 'universal' and 'security' are ALWAYS returned (cross-cutting, apply everywhere).
+ */
+export function detectApplicableScopes(cwd) {
+  const scopes = new Set(['universal', 'security']);
+
+  const has = (rel) => existsSync(join(cwd, rel));
+  const readPkg = () => {
+    try {
+      if (!has('package.json')) return null;
+      return JSON.parse(readFileSync(join(cwd, 'package.json'), 'utf8'));
+    } catch {
+      return null;
+    }
+  };
+
+  const pkg = readPkg();
+  if (pkg) {
+    const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
+    // Frontend signals
+    if (deps.vue || deps.nuxt || deps['@vue/cli-service'] || deps.react || deps.next || deps.svelte) {
+      scopes.add('frontend');
+    }
+    // Backend signals
+    if (deps['@nestjs/core'] || deps.express || deps.fastify || deps.koa || deps['@platform-core/base-service']) {
+      scopes.add('backend');
+      scopes.add('api-design');
+    }
+    // Data signals
+    if (deps.mongoose || deps.typeorm || deps.prisma || deps.knex || deps['@platform-core/firestore']) {
+      scopes.add('data');
+    }
+    // SDET signals
+    if (deps.playwright || deps['@playwright/test'] || deps['@gohighlevel/sdet-platform-core']) {
+      scopes.add('sdet');
+    }
+  }
+
+  if (has('pubspec.yaml')) scopes.add('mobile');               // Flutter/Dart
+  if (has('pom.xml') || has('build.gradle') || has('build.gradle.kts')) scopes.add('backend');
+  if (has('go.mod')) scopes.add('backend');
+  if (has('Cargo.toml')) scopes.add('backend');
+  if (has('requirements.txt') || has('pyproject.toml')) scopes.add('backend');
+
+  // Infra signals
+  if (has('Dockerfile') || has('Jenkinsfile') || has('helm') || has('terraform')) {
+    scopes.add('infra');
+  }
+
+  // If we only found the defaults (universal + security) with no other signals,
+  // return undefined to preserve current behavior (show all rules). Filtering
+  // only kicks in when we positively detect a framework or stack.
+  if (scopes.size <= 2) return undefined;
+  return scopes;
+}
+
+function filterRulesByScopes(rules, applicableScopes) {
+  if (!applicableScopes || applicableScopes.size === 0) return rules;
+  return rules.filter(r => {
+    const scope = String(r.id || '').split('/')[0];
+    return applicableScopes.has(scope);
+  });
+}
+
+export function generateClaudeMdRulesSection(rulesDir, options = {}) {
   const manifest = readManifest(rulesDir);
   if (!manifest) return '';
 
   const mustRules = manifest.rules.filter(r => r.severity === 'MUST');
-  if (mustRules.length === 0) return '';
+  const applicableScopes = options.applicableScopes;
+  const filteredRules = applicableScopes
+    ? filterRulesByScopes(mustRules, applicableScopes)
+    : mustRules;
+  if (filteredRules.length === 0) return '';
 
   const lines = [
     '## Platform Rules (MUST)',
     '',
     '> Rendered from platform `.aw/.aw_rules/`. Full details in reference files.',
-    '',
   ];
 
-  for (const rule of mustRules) {
+  if (applicableScopes) {
+    lines.push(
+      `> Filtered to scopes detected in this repo: \`${[...applicableScopes].sort().join('`, `')}\`. ` +
+      `To override, set \`awRuleScopes\` in \`.aw/config.json\`.`,
+    );
+  }
+  lines.push('');
+
+  for (const rule of filteredRules) {
     lines.push(`- [ ] **${rule.id}** — ${rule.description}`);
   }
 
@@ -516,14 +627,28 @@ export function generateAgentsMdRulesSection(rulesDir, options = {}) {
   // Reference table — tells all IDEs (especially Codex) where to read domain rules.
   // Codex can't auto-trigger by glob, but it CAN read these files when working in
   // the matching area. Keep AGENTS.md lean; full content stays in the source files.
-  const scopes = listRuleScopes(rulesDir, {
+  const allScopes = listRuleScopes(rulesDir, {
     includeNestedScopes: stackOverlaysEnabled(options),
   });
+  // Filter domain scopes by what's relevant to this consumer repo.
+  // 'universal' and 'security' always apply; other domains require detection.
+  const applicableScopes = options.applicableScopes;
+  const isApplicable = (scope) => !applicableScopes
+    || applicableScopes.has(scope)
+    || applicableScopes.has(scope.split('/')[0]);
+  const scopes = allScopes.filter(({ scope }) => isApplicable(scope));
   const domains = scopes.filter(({ scope }) => !scope.includes('/'));
   const overlays = scopes.filter(({ scope }) => scope.includes('/'));
   if (domains.length > 0) {
     lines.push('### Domain Rules');
     lines.push('');
+    if (applicableScopes) {
+      lines.push(
+        `> Filtered to scopes detected in this repo: \`${[...applicableScopes].sort().join('`, `')}\`. ` +
+        `To override, set \`awRuleScopes\` (array or "all") in \`.aw/config.json\`.`,
+      );
+      lines.push('');
+    }
     lines.push('When working in a specific domain, read the matching rules file:');
     lines.push('');
     lines.push('| Domain | Read when editing | Rules file |');
@@ -566,10 +691,14 @@ export function renderRules(cwd, options = {}) {
   const rulesDir = resolveRulesSourceDir(cwd, options);
   if (!rulesDir) return { cursorCount: 0, claudeSection: '', agentsSection: '' };
 
+  // Resolve applicable scopes for AGENTS.md / CLAUDE.md MUST-rule list.
+  // Order: explicit option → .aw/config.json awRuleScopes → auto-detect.
+  const applicableScopes = resolveApplicableScopes(cwd, options);
+
   const cursorCount = renderCursorRules(cwd, rulesDir, options);
   const claudeCount = renderClaudeRules(cwd, rulesDir, options);
-  const claudeSection = generateClaudeMdRulesSection(rulesDir);
-  const agentsSection = generateAgentsMdRulesSection(rulesDir, { ...options, outputDir: cwd });
+  const claudeSection = generateClaudeMdRulesSection(rulesDir, { applicableScopes });
+  const agentsSection = generateAgentsMdRulesSection(rulesDir, { ...options, outputDir: cwd, applicableScopes });
 
   // Also render to global dirs so rules apply everywhere
   const HOME = options.homeDir || homedir();