@ghl-ai/aw 0.1.41-beta.0 → 0.1.41-beta.1

package/cli.mjs

@@ -26,6 +26,7 @@ const COMMANDS = {
   nuke:    () => import('./commands/nuke.mjs').then(m => m.nukeCommand),
   daemon:  () => import('./commands/daemon.mjs').then(m => m.daemonCommand),
   telemetry: () => import('./commands/telemetry.mjs').then(m => m.telemetryCommand),
+  'slack-sim': () => import('./commands/slack-sim.mjs').then(m => m.slackSimCommand),
 };
 
 function parseArgs(argv) {

package/commands/init.mjs

@@ -13,7 +13,6 @@ import {
   readFileSync,
   rmSync,
   realpathSync,
-  appendFileSync,
 } from 'node:fs';
 import { execSync } from 'node:child_process';
 import { join, dirname, sep } from 'node:path';
@@ -88,24 +87,65 @@ function syncHomeAndProjectInstructions(cwd, namespace) {
   }
 }
 
-// ── Ensure ~/.aw/.gitignore has personal/local entries ───────────────────
-
-const AW_GITIGNORE_ENTRIES = [
+// ── Ensure ~/.aw/.git/info/exclude has the whitelist block ─────────────
+//
+// Strategy: only .aw_registry/, .aw_rules/, content/ are tracked — everything
+// else at the top level of ~/.aw/ is local-only (telemetry/, hooks/, logs,
+// .DS_Store, etc.). We write to .git/info/exclude (not tracked .gitignore)
+// so upstream pulls never conflict.
+
+const AW_MANAGED_BEGIN = '# BEGIN aw-managed (do not edit; managed by `aw init`)';
+const AW_MANAGED_END   = '# END aw-managed';
+
+const AW_MANAGED_BLOCK = [
+  AW_MANAGED_BEGIN,
+  '# Whitelist: only these top-level entries are tracked; everything else is local-only.',
+  '/*',
+  '!/.aw_registry',
+  '!/.aw_rules',
+  '!/content',
+  '',
+  '# Nested local state within whitelisted dirs',
+  '/.aw_registry/.sync-config.json',
+  AW_MANAGED_END,
+  '',
+].join('\n');
+
+// Legacy flat lines appended by earlier versions of ensureAwGitignore — strip on upgrade
+// so we don't leave stale rules lingering outside the managed block.
+const LEGACY_GITIGNORE_LINES = new Set([
   '.aw_registry/.sync-config.json',
   'hooks/',
-];
+  '# aw: personal/local — do not commit',
+]);
+
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 
-function ensureAwGitignore(awHome) {
-  // Use .git/info/exclude so the tracked .gitignore stays clean
+export function ensureAwGitignore(awHome) {
   const excludePath = join(awHome, '.git', 'info', 'exclude');
   let existing = '';
-  try { existing = readFileSync(excludePath, 'utf8'); } catch { /* doesn't exist yet */ }
-  const missing = AW_GITIGNORE_ENTRIES.filter(e => !existing.includes(e));
-  if (missing.length === 0) return;
-  const block = (existing.endsWith('\n') || existing === '' ? '' : '\n')
-    + '# aw: personal/local — do not commit\n'
-    + missing.join('\n') + '\n';
-  try { appendFileSync(excludePath, block); } catch { /* best effort */ }
+  try { existing = readFileSync(excludePath, 'utf8'); } catch (err) { void err; /* doesn't exist yet */ }
+
+  // Strip any prior aw-managed block so re-rendering is idempotent.
+  const blockRegex = new RegExp(
+    `${escapeRegex(AW_MANAGED_BEGIN)}[\\s\\S]*?${escapeRegex(AW_MANAGED_END)}\\n?`,
+    'g'
+  );
+  const withoutManaged = existing.replace(blockRegex, '');
+
+  // Strip legacy flat lines (pre-whitelist implementation).
+  const cleaned = withoutManaged
+    .split('\n')
+    .filter(line => !LEGACY_GITIGNORE_LINES.has(line.trim()))
+    .join('\n');
+
+  const prefix = cleaned === '' || cleaned.endsWith('\n') ? cleaned : cleaned + '\n';
+  const next = prefix + AW_MANAGED_BLOCK;
+
+  if (next === existing) return; // already up to date
+  try { writeFileSync(excludePath, next); } catch (err) { void err; /* best effort */ }
 }
 
 // ── IDE tasks for auto-pull ─────────────────────────────────────────────
@@ -371,7 +411,7 @@ export async function initCommand(args) {
   }
 
   // Determine sparse paths
-  const sparsePaths = [`.aw_registry/platform`, `content`, RULES_SOURCE_DIR, `.aw_registry/AW-PROTOCOL.md`, `CODEOWNERS`, `.github/CODEOWNERS`];
+  const sparsePaths = [`.aw_registry/platform`, `content`, RULES_SOURCE_DIR, `.aw_registry/AW-PROTOCOL.md`, `CODEOWNERS`];
   if (folderName) {
     sparsePaths.push(`.aw_registry/${folderName}`);
   }

package/commands/push.mjs

@@ -1,7 +1,7 @@
 // commands/push.mjs — Push local agents/skills to registry via PR using persistent git clone
 
 import { existsSync, statSync, readFileSync, appendFileSync } from 'node:fs';
-import { join, dirname, relative } from 'node:path';
+import { join, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { exec as execCb, execFile as execFileCb } from 'node:child_process';
 import { promisify } from 'node:util';
@@ -361,11 +361,7 @@ async function doPush(files, awHome, dryRun, worktreeFlow = false, preStaged = f
 
   // CODEOWNERS for new namespaces (runs inside spinner so no silent gap)
   const topNamespaces = [...new Set(files.map(f => f.namespace.split('/')[0]))];
-  // GitHub looks for CODEOWNERS in .github/ first (takes precedence over root).
-  // platform-docs has .github/CODEOWNERS as the authoritative file.
-  const codeownersPath = existsSync(join(awHome, '.github', 'CODEOWNERS'))
-    ? join(awHome, '.github', 'CODEOWNERS')
-    : join(awHome, 'CODEOWNERS');
+  const codeownersPath = join(awHome, 'CODEOWNERS');
   const newNamespaces = [];
   const ghUser = await getGitHubUser();
   for (const ns of topNamespaces) {
@@ -378,8 +374,7 @@ async function doPush(files, awHome, dryRun, worktreeFlow = false, preStaged = f
 
   const pathsToStage = files.map(f => f.registryTarget);
   if (newNamespaces.length > 0 && existsSync(codeownersPath)) {
-    // Stage the correct relative path (could be .github/CODEOWNERS or root CODEOWNERS)
-    pathsToStage.push(relative(awHome, codeownersPath));
+    pathsToStage.push('CODEOWNERS');
   }
   // Also stage any extra paths (content/, CODEOWNERS manual edits) passed from the caller
   for (const p of extraPaths) {
@@ -478,17 +473,17 @@ export async function pushCommand(args) {
   if (!input) {
     const rulesChanged = hasRulesChanges(cwd);
 
-    // Extra paths outside .aw_registry/ that aw also manages: content/, CODEOWNERS, .github/CODEOWNERS.
+    // Extra paths outside .aw_registry/ that aw also manages: content/ and CODEOWNERS.
     // Detect staged variants for staged-mode and unstaged variants for auto-mode.
     const getExtraStagedPaths = async () => {
       try {
-        const { stdout } = await exec(`git -C "${awHome}" diff --cached --name-only -- content/ CODEOWNERS .github/CODEOWNERS`);
+        const { stdout } = await exec(`git -C "${awHome}" diff --cached --name-only -- content/ CODEOWNERS`);
         return stdout.trim().split('\n').filter(Boolean);
       } catch { return []; }
     };
     const getExtraChangedPaths = async () => {
       try {
-        const { stdout } = await exec(`git -C "${awHome}" status --porcelain -- content/ CODEOWNERS .github/CODEOWNERS`);
+        const { stdout } = await exec(`git -C "${awHome}" status --porcelain -- content/ CODEOWNERS`);
         // git status --porcelain prefix is XY (2 chars) + optional space + path.
         // Staged-only files: `M path` (2-char prefix); unstaged files: ` M path` (3-char prefix).
         // slice(2).trimStart() handles both cases correctly.

package/git.mjs

@@ -9,6 +9,49 @@ import { REGISTRY_BASE_BRANCH, REGISTRY_DIR, DOCS_SOURCE_DIR, RULES_SOURCE_DIR }
 
 const exec = promisify(execCb);
 
+/**
+ * Env vars applied to every git command that touches the network.
+ * GIT_TERMINAL_PROMPT=0 prevents git from hanging when it would otherwise
+ * prompt for credentials (e.g. HTTPS URL with SSH-only auth configured).
+ * Instead, git exits immediately with a non-zero code that we can catch.
+ */
+const GIT_NET_ENV = { ...process.env, GIT_TERMINAL_PROMPT: '0' };
+
+/**
+ * Convert an HTTPS GitHub URL to its SSH equivalent.
+ * e.g. https://github.com/Org/Repo.git → git@github.com:Org/Repo.git
+ */
+export function toSshUrl(httpsUrl) {
+  const m = httpsUrl.match(/^https:\/\/github\.com\/(.+)$/);
+  return m ? `git@github.com:${m[1]}` : httpsUrl;
+}
+
+/**
+ * Detect whether the user's git is configured to prefer SSH for github.com.
+ * Checks: 1) git insteadOf config  2) gh CLI auth status
+ * Returns true if SSH is preferred.
+ */
+export function prefersSsh() {
+  // Check git url."git@github.com:".insteadOf
+  try {
+    const out = execSync(
+      'git config --global --get-regexp "url\\.git@github\\.com.*\\.insteadOf"',
+      { stdio: 'pipe', encoding: 'utf8', env: GIT_NET_ENV },
+    ).trim();
+    if (out.includes('https://github.com')) return true;
+  } catch { /* not configured */ }
+
+  // Check gh auth — if protocol is ssh, prefer SSH
+  try {
+    const out = execSync('gh auth status 2>&1', {
+      stdio: 'pipe', encoding: 'utf8', env: GIT_NET_ENV, timeout: 5000,
+    });
+    if (/git protocol:\s*ssh/i.test(out)) return true;
+  } catch { /* gh not installed or not authed */ }
+
+  return false;
+}
+
 // ── Backward-compat: temp-dir sparse checkout (used by search.mjs) ────────────
 
 /**
@@ -18,12 +61,23 @@ const exec = promisify(execCb);
 export function sparseCheckout(repo, paths) {
   const tempDir = mkdtempSync(join(tmpdir(), 'aw-'));
 
-  const repoUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
-  try {
-    execSync(`git clone --filter=blob:none --no-checkout "${repoUrl}" "${tempDir}"`, {
-      stdio: 'pipe',
-    });
-  } catch (e) {
+  const httpsUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
+  const urls = prefersSsh() ? [toSshUrl(httpsUrl), httpsUrl] : [httpsUrl, toSshUrl(httpsUrl)];
+
+  let cloned = false;
+  for (const url of urls) {
+    try {
+      execSync(`git clone --filter=blob:none --no-checkout "${url}" "${tempDir}"`, {
+        stdio: 'pipe', env: GIT_NET_ENV,
+      });
+      cloned = true;
+      break;
+    } catch {
+      // Clean up partial clone so next attempt can use the same tempDir
+      try { rmSync(join(tempDir, '.git'), { recursive: true, force: true }); } catch {}
+    }
+  }
+  if (!cloned) {
     throw new Error(`Failed to clone ${repo}. Check your git credentials and repo access.`);
   }
 
@@ -47,10 +101,20 @@ export function sparseCheckout(repo, paths) {
 export async function sparseCheckoutAsync(repo, paths) {
   const tempDir = mkdtempSync(join(tmpdir(), 'aw-'));
 
-  const repoUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
-  try {
-    await exec(`git clone --filter=blob:none --no-checkout "${repoUrl}" "${tempDir}"`);
-  } catch (e) {
+  const httpsUrl = repo.startsWith('http') ? repo : `https://github.com/${repo}.git`;
+  const urls = prefersSsh() ? [toSshUrl(httpsUrl), httpsUrl] : [httpsUrl, toSshUrl(httpsUrl)];
+
+  let cloned = false;
+  for (const url of urls) {
+    try {
+      await exec(`git clone --filter=blob:none --no-checkout "${url}" "${tempDir}"`, { env: GIT_NET_ENV });
+      cloned = true;
+      break;
+    } catch {
+      try { rmSync(join(tempDir, '.git'), { recursive: true, force: true }); } catch {}
+    }
+  }
+  if (!cloned) {
     throw new Error(`Failed to clone ${repo}. Check your git credentials and repo access.`);
   }
 
@@ -106,7 +170,9 @@ export function isValidClone(awHome, repoUrl) {
   if (!existsSync(join(awHome, '.git'))) return false;
   try {
     const remote = execSync('git remote get-url origin', { cwd: awHome, stdio: 'pipe', encoding: 'utf8' }).trim();
-    return remote === repoUrl || remote === repoUrl.replace(/\.git$/, '') + '.git' || remote.replace(/\.git$/, '') === repoUrl.replace(/\.git$/, '');
+    // Normalize both sides to bare repo path for comparison (handles HTTPS ↔ SSH)
+    const normalize = (u) => u.replace(/\.git$/, '').replace(/^git@github\.com:/, 'https://github.com/');
+    return normalize(remote) === normalize(repoUrl);
   } catch {
     return false;
   }
@@ -123,10 +189,26 @@ export async function initPersistentClone(repoUrl, awHome, sparsePaths) {
     try { execSync(`rm -rf "${awHome}"`, { stdio: 'pipe' }); } catch {}
   }
 
-  try {
-    await exec(`git clone --filter=blob:none --no-checkout "${repoUrl}" "${awHome}"`);
-  } catch (e) {
-    throw new Error(`Failed to clone ${repoUrl}: ${e.message}`);
+  const urls = prefersSsh()
+    ? [toSshUrl(repoUrl), repoUrl]
+    : [repoUrl, toSshUrl(repoUrl)];
+
+  let cloned = false;
+  for (const url of urls) {
+    // Clean up any partial clone from a previous attempt
+    if (existsSync(awHome) && !isValidClone(awHome, url)) {
+      try { execSync(`rm -rf "${awHome}"`, { stdio: 'pipe' }); } catch {}
+    }
+    try {
+      await exec(`git clone --filter=blob:none --no-checkout "${url}" "${awHome}"`, { env: GIT_NET_ENV });
+      cloned = true;
+      break;
+    } catch {
+      // try next URL
+    }
+  }
+  if (!cloned) {
+    throw new Error(`Failed to clone ${repoUrl}. Check your git credentials and repo access (HTTPS and SSH both failed).`);
   }
 
   try {
@@ -286,7 +368,7 @@ export async function fetchAndMerge(awHome, { silent = true } = {}) {
 
   // ── 2. Fetch ──────────────────────────────────────────────────────────────
   try {
-    await exec(`git -C "${awHome}" fetch origin ${REGISTRY_BASE_BRANCH}`);
+    await exec(`git -C "${awHome}" fetch origin ${REGISTRY_BASE_BRANCH}`, { env: GIT_NET_ENV });
   } catch (e) {
     throw new Error(`Failed to fetch from origin: ${e.message}`);
   }
@@ -315,7 +397,7 @@ export async function fetchAndMerge(awHome, { silent = true } = {}) {
     // someone else pushed to the remote tracking branch since our last fetch.
     if (isPushBranch) {
       try {
-        await exec(`git -C "${awHome}" push --force-with-lease origin "${currentBranch}"`);
+        await exec(`git -C "${awHome}" push --force-with-lease origin "${currentBranch}"`, { env: GIT_NET_ENV });
       } catch { /* non-blocking — divergence will be resolved on next aw push */ }
     }
   } catch {
@@ -442,7 +524,7 @@ export function updatePushBranch(awHome, pushBranchName) {
   }
 
   try {
-    execSync(`git -C "${awHome}" push origin "${pushBranchName}" --force`, { stdio: 'pipe' });
+    execSync(`git -C "${awHome}" push origin "${pushBranchName}" --force`, { stdio: 'pipe', env: GIT_NET_ENV });
   } catch (e) {
     throw new Error(`Failed to push branch: ${e.message}`);
   }
@@ -485,7 +567,7 @@ export async function createPushBranch(awHome, branchName, files, commitMsg, pre
   }
 
   try {
-    await exec(`git -C "${awHome}" push -u origin "${branchName}"`);
+    await exec(`git -C "${awHome}" push -u origin "${branchName}"`, { env: GIT_NET_ENV });
   } catch (e) {
     throw new Error(`Failed to push branch: ${e.message}`);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ghl-ai/aw",
-  "version": "0.1.41-beta.0",
+  "version": "0.1.41-beta.1",
   "description": "Agentic Workspace CLI — pull, push & manage agents, skills and commands from the registry",
   "type": "module",
   "bin": {

package/telemetry.mjs

@@ -7,7 +7,7 @@
 
 import { createHash, randomUUID } from 'node:crypto';
 import { hostname, userInfo, platform, arch, release } from 'node:os';
-import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync } from 'node:fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync, lstatSync, unlinkSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { execSync } from 'node:child_process';
@@ -16,7 +16,9 @@ import { TELEMETRY_URL, AW_HOME } from './constants.mjs';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const VERSION = JSON.parse(readFileSync(join(__dirname, 'package.json'), 'utf8')).version;
 
-const CONFIG_PATH = join(AW_HOME, '.telemetry');
+const CONFIG_DIR         = join(AW_HOME, 'telemetry');
+const CONFIG_PATH        = join(CONFIG_DIR, 'config.json');
+const LEGACY_CONFIG_PATH = join(AW_HOME, '.telemetry');
 
 // ── Config ──────────────────────────────────────────────────────────
 
@@ -30,7 +32,15 @@ export function loadConfig() {
     if (existsSync(CONFIG_PATH)) {
       return JSON.parse(readFileSync(CONFIG_PATH, 'utf8'));
     }
-  } catch { /* corrupt file — recreate */ }
+    // One-time migration from legacy single-file shape (~/.aw/.telemetry).
+    // Only triggered when new path is missing, so re-running is a no-op.
+    if (existsSync(LEGACY_CONFIG_PATH) && lstatSync(LEGACY_CONFIG_PATH).isFile()) {
+      const legacy = JSON.parse(readFileSync(LEGACY_CONFIG_PATH, 'utf8'));
+      saveConfig(legacy);
+      try { unlinkSync(LEGACY_CONFIG_PATH); } catch (err) { void err; /* best-effort cleanup */ }
+      return legacy;
+    }
+  } catch (err) { void err; /* corrupt file — fall through to fresh config */ }
 
   const config = {
     machine_id: generateMachineId(),