@ghl-ai/aw 0.1.44-beta.1 → 0.1.44-beta.2

package/c4/eccRegistryBridge.mjs

@@ -0,0 +1,184 @@
+/**
+ * c4/eccRegistryBridge.mjs — Codex-only Bug A workaround.
+ *
+ * Codex Web's upstream `aw-session-start.sh` enumerator scans a fixed
+ * registry path:
+ *
+ *   ~/.aw/.aw_registry/platform/core/skills/<name>/SKILL.md
+ *
+ * ECC ships skills under a different path:
+ *
+ *   ~/.aw-ecc/skills/<name>/SKILL.md
+ *
+ * On Codex Web, neither Claude's plugin marketplace nor Cursor's direct
+ * `~/.cursor/skills/...` resolution applies. The only way Codex can see
+ * ECC skills is if the registry path is populated. We bridge by symlinking
+ * each ECC skill's SKILL.md into the registry layout, idempotently, without
+ * clobbering any user-authored content already present at the target.
+ *
+ * Also installs a fallback symlink at `<homeOf(awHome)>/.aw_registry` →
+ * `<awHome>/.aw_registry` because some legacy hooks read from that path.
+ *
+ * **Scope**: Codex Web only. The orchestrator is responsible for *not*
+ * invoking this on claude-web or cursor-cloud; the module itself is
+ * harness-agnostic and just performs the bridge.
+ */
+
+import {
+  existsSync,
+  lstatSync,
+  readlinkSync,
+  readdirSync,
+  mkdirSync,
+  symlinkSync,
+  unlinkSync,
+} from 'node:fs';
+import { dirname, join } from 'node:path';
+
+/** True iff `path` is a symlink that points to a nonexistent target. */
+function isBrokenSymlink(path) {
+  try {
+    const st = lstatSync(path);
+    if (!st.isSymbolicLink()) return false;
+    return !existsSync(path);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Install the fallback symlink `~/.aw_registry → ~/.aw/.aw_registry` if not
+ * present and not blocked by an existing real directory. Best-effort.
+ */
+function installRegistryFallbackLink(awHome) {
+  const home = dirname(awHome);
+  const fallback = join(home, '.aw_registry');
+  const target = join(awHome, '.aw_registry');
+
+  if (!existsSync(target)) {
+    // Nothing to point at yet — skip silently.
+    return;
+  }
+
+  let existsAtFallback = false;
+  try {
+    lstatSync(fallback);
+    existsAtFallback = true;
+  } catch {
+    existsAtFallback = false;
+  }
+
+  if (existsAtFallback) return; // do not clobber existing dir/symlink
+
+  try {
+    symlinkSync(target, fallback);
+  } catch {
+    // best-effort
+  }
+}
+
+/**
+ * Symlink every ECC skill into the registry layout. Idempotent.
+ *
+ * Result shape:
+ *   - linked   — skill names freshly bridged this call
+ *   - skipped  — skill names whose registry target already existed (file or healthy symlink)
+ *   - broken   — skill directories that exist in eccHome/skills/ but have no SKILL.md
+ *                (broken ECC layout — distinct from already-bridged so the orchestrator
+ *                can surface a real diagnostic rather than treating it as success)
+ *   - reason   — only set when the result is fully diagnostic:
+ *                  'ecc-missing'    — eccHome/skills/ does not exist
+ *                  'already-bridged' — every well-formed skill was already linked
+ *                                     and there were no broken skills
+ *
+ * @param {object} opts
+ * @param {string} opts.awHome    Path of the AW home (e.g. ~/.aw).
+ * @param {string} opts.eccHome   Path of the ECC home (e.g. ~/.aw-ecc).
+ * @returns {{
+ *   linked: string[],
+ *   skipped: string[],
+ *   broken: string[],
+ *   reason?: 'already-bridged' | 'ecc-missing'
+ * }}
+ */
+export function applyEccRegistryBridge({ awHome, eccHome } = {}) {
+  if (!awHome || !eccHome) {
+    throw new Error('applyEccRegistryBridge: awHome and eccHome are required');
+  }
+
+  const eccSkillsDir = join(eccHome, 'skills');
+  if (!existsSync(eccSkillsDir)) {
+    return { linked: [], skipped: [], broken: [], reason: 'ecc-missing' };
+  }
+
+  const linked = [];
+  const skipped = [];
+  const broken = [];
+
+  let entries;
+  try {
+    entries = readdirSync(eccSkillsDir, { withFileTypes: true });
+  } catch {
+    return { linked: [], skipped: [], broken: [], reason: 'ecc-missing' };
+  }
+
+  let skillDirCount = 0;
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    skillDirCount += 1;
+    const name = entry.name;
+    const source = join(eccSkillsDir, name, 'SKILL.md');
+
+    // ECC skill directory exists but lacks SKILL.md → broken layout.
+    if (!existsSync(source)) {
+      broken.push(name);
+      continue;
+    }
+
+    const targetDir = join(awHome, '.aw_registry/platform/core/skills', name);
+    const target = join(targetDir, 'SKILL.md');
+
+    // If target already exists and is a healthy file/symlink, leave it alone.
+    let targetExists = false;
+    try {
+      lstatSync(target);
+      targetExists = true;
+    } catch {
+      targetExists = false;
+    }
+
+    if (targetExists && !isBrokenSymlink(target)) {
+      skipped.push(name);
+      continue;
+    }
+
+    // Either absent or a broken symlink — replace.
+    mkdirSync(targetDir, { recursive: true });
+    if (targetExists) {
+      try { unlinkSync(target); } catch { /* best-effort */ }
+    }
+    try {
+      symlinkSync(source, target);
+      linked.push(name);
+    } catch {
+      // Filesystem may forbid symlinks (rare on Codex Web). Treat as broken
+      // so the orchestrator can surface the real diagnostic.
+      broken.push(name);
+    }
+  }
+
+  installRegistryFallbackLink(awHome);
+
+  const result = { linked, skipped, broken };
+  // Only flag 'already-bridged' when every well-formed skill was already linked
+  // AND no broken skills exist — i.e. this run was a true no-op.
+  if (
+    skillDirCount > 0 &&
+    linked.length === 0 &&
+    broken.length === 0 &&
+    skipped.length === skillDirCount
+  ) {
+    result.reason = 'already-bridged';
+  }
+  return result;
+}

package/c4/ghCli.mjs

@@ -0,0 +1,94 @@
+/**
+ * c4/ghCli.mjs — gh CLI install with apt-keyring fallback.
+ *
+ * Decision tree (mirrors pilot's `ensure_github_cli`):
+ *   1. gh on PATH                            → 'preinstalled'
+ *   2. apt-get not on PATH (non-Debian image) → 'unavailable'
+ *   3. `apt-get install -y -qq gh` direct succeeds → 'apt-default'
+ *   4. Keyring fallback (download keyring + add apt source + install) → 'apt-keyring'
+ *   5. Both apt paths fail                    → 'unavailable'
+ *
+ * Best-effort: never throws. The orchestrator continues even on
+ * { installed: false } because the insteadOf rewrite path alone usually
+ * suffices for git operations; gh is redundancy.
+ *
+ * The `shell` injection point makes this fully unit-testable without
+ * spawning real apt-get subprocesses or touching /etc/apt.
+ */
+
+import { spawnSync } from 'node:child_process';
+
+/**
+ * @typedef {object} ShellResult
+ * @property {boolean} ok
+ * @property {string} [stdout]
+ * @property {string} [stderr]
+ * @property {number} [exitCode]
+ *
+ * @typedef {(cmd: string) => ShellResult} ShellRunner
+ */
+
+/** Default real shell — captures stdout/stderr to avoid polluting parent output. */
+function defaultShell(cmd) {
+  const result = spawnSync(cmd, [], {
+    shell: true,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+  return {
+    ok: result.status === 0,
+    stdout: result.stdout ?? '',
+    stderr: result.stderr ?? '',
+    exitCode: result.status ?? -1,
+  };
+}
+
+/** Run a shell command and never throw — failures show up as `{ ok: false }`. */
+function runSafe(shell, cmd) {
+  try {
+    const result = shell(cmd);
+    return result ?? { ok: false, stdout: '', stderr: '', exitCode: -1 };
+  } catch (err) {
+    return { ok: false, stdout: '', stderr: String(err?.message ?? err), exitCode: -1 };
+  }
+}
+
+const KEYRING_STEPS = [
+  'apt-get install -y -qq curl ca-certificates gnupg',
+  'mkdir -p /etc/apt/keyrings',
+  'curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg ' +
+    '| tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null',
+  'chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg',
+  'echo "deb [arch=$(dpkg --print-architecture) ' +
+    'signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] ' +
+    'https://cli.github.com/packages stable main" ' +
+    '| tee /etc/apt/sources.list.d/github-cli.list > /dev/null',
+  'apt-get update -y -qq',
+  'apt-get install -y -qq gh',
+];
+
+/**
+ * @param {object} [opts]
+ * @param {ShellRunner} [opts.shell]  Injection point for testing.
+ * @returns {{ installed: boolean, source: 'preinstalled' | 'apt-default' | 'apt-keyring' | 'unavailable' }}
+ */
+export function ensureGhCli({ shell = defaultShell } = {}) {
+  if (runSafe(shell, 'command -v gh').ok) {
+    return { installed: true, source: 'preinstalled' };
+  }
+
+  if (!runSafe(shell, 'command -v apt-get').ok) {
+    return { installed: false, source: 'unavailable' };
+  }
+
+  if (runSafe(shell, 'apt-get install -y -qq gh').ok) {
+    return { installed: true, source: 'apt-default' };
+  }
+
+  for (const step of KEYRING_STEPS) {
+    if (!runSafe(shell, step).ok) {
+      return { installed: false, source: 'unavailable' };
+    }
+  }
+  return { installed: true, source: 'apt-keyring' };
+}

package/c4/gitAuth.mjs

@@ -0,0 +1,384 @@
+/**
+ * c4/gitAuth.mjs — 6-step pilot auth sequence + 3-way preflight verification.
+ *
+ * Mirrors `cursor-web-bootstrap.sh::clear_existing_github_auth +
+ * configure_github_access + preflight_platform_docs_access`. The aggressive
+ * scrub-and-rebuild model (vs. surgical edit) is empirically required —
+ * Cursor's pre-installed `cursor` gh account writes url.*.insteadOf rules
+ * with its own non-org-authorized token, and a surgical edit loses the race
+ * against `gh auth setup-git`'s re-emission.
+ *
+ * Every external dependency (shell, fs, fetch) is parameterized so the module
+ * is fully unit-testable without spawning real git/gh subprocesses or doing
+ * real HTTPS calls.
+ */
+
+import {
+  spawnSync,
+} from 'node:child_process';
+import {
+  writeFileSync,
+  chmodSync,
+  rmSync,
+  existsSync,
+} from 'node:fs';
+import { join } from 'node:path';
+
+const PLATFORM_DOCS_REPO = 'GoHighLevel/platform-docs';
+
+/* ─────────────────────────────────────────────────────────────────────────
+ * Default shell runner — captures stdout/stderr; supports stdin via opts.input
+ * ───────────────────────────────────────────────────────────────────────── */
+
+function defaultShell(cmd, opts = {}) {
+  const result = spawnSync(cmd, [], {
+    shell: true,
+    encoding: 'utf8',
+    stdio: opts.input ? ['pipe', 'pipe', 'pipe'] : ['ignore', 'pipe', 'pipe'],
+    input: opts.input,
+    env: opts.env ?? process.env,
+  });
+  return {
+    ok: result.status === 0,
+    stdout: result.stdout ?? '',
+    stderr: result.stderr ?? '',
+    exitCode: result.status ?? -1,
+  };
+}
+
+function runSafe(shell, cmd, opts) {
+  try {
+    return shell(cmd, opts) ?? { ok: false, stdout: '', stderr: '', exitCode: -1 };
+  } catch (err) {
+    return { ok: false, stdout: '', stderr: String(err?.message ?? err), exitCode: -1 };
+  }
+}
+
+/* ─────────────────────────────────────────────────────────────────────────
+ * Step 1 — clearAllGitHubAuthState
+ * ───────────────────────────────────────────────────────────────────────── */
+
+/**
+ * Parse `git config --global --get-regexp '^url\.'` output and return
+ * unique section names (everything before the final `.<key>` part).
+ *
+ *   url.https://x-access-token:ABC@github.com/.insteadOf https://github.com/
+ *   →  url.https://x-access-token:ABC@github.com/
+ */
+function extractUrlSections(stdout) {
+  const sections = new Set();
+  for (const rawLine of stdout.split('\n')) {
+    const line = rawLine.trim();
+    if (!line) continue;
+    const fullKey = line.split(/\s+/)[0]; // "url.<section>.<keyName>"
+    const section = fullKey.replace(/\.[^.]*$/, '');
+    if (section.startsWith('url.')) sections.add(section);
+  }
+  return [...sections];
+}
+
+/**
+ * Parse `gh auth status` output (stdout AND stderr — gh versions differ).
+ * Looks for "Logged in to github.com account <name>" patterns.
+ *
+ * Defensively filters extracted names to GitHub's allowed username charset
+ * (`[A-Za-z0-9-]`) — defense-in-depth against a tampered `gh` output that
+ * could otherwise inject shell metacharacters into our `gh auth logout`
+ * call below. GitHub usernames are 1–39 chars per the platform; we accept
+ * the same range but cap with sanity bounds.
+ */
+const GH_USERNAME_PATTERN = /^[A-Za-z0-9-]{1,39}$/;
+
+function extractGhAccounts(stdout, stderr) {
+  const haystack = `${stdout}\n${stderr}`;
+  const pattern = /Logged in to github\.com account (\S+)/g;
+  const accounts = new Set();
+  let match;
+  while ((match = pattern.exec(haystack)) !== null) {
+    const name = match[1];
+    if (GH_USERNAME_PATTERN.test(name)) {
+      accounts.add(name);
+    }
+    // Silently drop names that don't match the allowed charset — they are
+    // either unparseable cruft from gh's output or evidence of tampering;
+    // either way, we will not interpolate them into a shell command.
+  }
+  return [...accounts];
+}
+
+/**
+ * Aggressively scrub all pre-existing GitHub auth state. Returns a
+ * diagnostic record so callers can log what was wiped.
+ *
+ * @param {object} opts
+ * @param {Function} [opts.shell]
+ * @param {string} [opts.home]
+ */
+export function clearAllGitHubAuthState({ shell = defaultShell, home = process.env.HOME ?? '~' } = {}) {
+  const removedSections = [];
+  const loggedOutAccounts = [];
+  const wipedFiles = [];
+
+  // 1. Enumerate + remove url.* sections (wholesale).
+  const urlList = runSafe(shell, "git config --global --get-regexp '^url\\.'");
+  if (urlList.ok && urlList.stdout) {
+    for (const section of extractUrlSections(urlList.stdout)) {
+      runSafe(shell, `git config --global --remove-section "${section}"`);
+      removedSections.push(section);
+    }
+  }
+
+  // 2. Unset both credential.helper variants.
+  runSafe(shell, 'git config --global --unset-all credential.helper');
+  runSafe(shell, 'git config --global --unset-all credential.https://github.com.helper');
+
+  // 3. Log out every gh account on github.com (dynamic enumeration).
+  if (runSafe(shell, 'command -v gh').ok) {
+    const status = runSafe(shell, 'gh auth status --hostname github.com');
+    for (const acct of extractGhAccounts(status.stdout, status.stderr)) {
+      runSafe(shell, `gh auth logout --hostname github.com --user ${acct}`);
+      loggedOutAccounts.push(acct);
+    }
+  }
+
+  // 4. Remove ~/.git-credentials.
+  const credPath = join(home, '.git-credentials');
+  if (existsSync(credPath)) {
+    try {
+      rmSync(credPath, { force: true });
+      wipedFiles.push(credPath);
+    } catch {
+      // Best-effort: leave a stale file rather than crash the bootstrap.
+    }
+  }
+
+  return { removedSections, loggedOutAccounts, wipedFiles };
+}
+
+/* ─────────────────────────────────────────────────────────────────────────
+ * Step 2 — installPatInsteadOf + installCredentialHelperStore
+ * ───────────────────────────────────────────────────────────────────────── */
+
+function assertToken(token) {
+  if (typeof token !== 'string' || token.length === 0) {
+    throw new Error('gitAuth: token is required (got empty/non-string)');
+  }
+}
+
+/**
+ * Write the global insteadOf rule that rewrites https://github.com/ to use
+ * x-access-token:<token>@github.com.
+ *
+ * @param {string} token
+ * @param {object} [opts]
+ */
+export function installPatInsteadOf(token, { shell = defaultShell } = {}) {
+  assertToken(token);
+  runSafe(
+    shell,
+    `git config --global url."https://x-access-token:${token}@github.com/".insteadOf "https://github.com/"`
+  );
+}
+
+/**
+ * Install ~/.git-credentials with the token entry (chmod 600) and configure
+ * git to read from it via the `store` helper. Belt-and-suspenders alongside
+ * insteadOf for tools that bypass URL rewriting.
+ *
+ * @param {string} token
+ * @param {string} home
+ * @param {object} [opts]
+ */
+export function installCredentialHelperStore(token, home, { shell = defaultShell } = {}) {
+  assertToken(token);
+  if (!home || typeof home !== 'string') {
+    throw new Error('gitAuth: home is required');
+  }
+  const credPath = join(home, '.git-credentials');
+  writeFileSync(credPath, `https://x-access-token:${token}@github.com\n`, { mode: 0o600 });
+  try { chmodSync(credPath, 0o600); } catch { /* best-effort */ }
+  runSafe(shell, `git config --global credential.helper "store --file=${credPath}"`);
+}
+
+/* ─────────────────────────────────────────────────────────────────────────
+ * Step 3 — gh login + setup-git
+ * ───────────────────────────────────────────────────────────────────────── */
+
+/** Spawn env without GITHUB_TOKEN / GH_TOKEN — gh refuses --with-token if either is set. */
+function envWithoutGhTokens() {
+  const env = { ...process.env };
+  delete env.GITHUB_TOKEN;
+  delete env.GH_TOKEN;
+  return env;
+}
+
+/**
+ * Pipe the PAT into `gh auth login --with-token`. Best-effort: returns
+ * `{ ok: false }` rather than throwing if gh is missing or login fails.
+ *
+ * @param {string} token
+ * @param {object} [opts]
+ */
+export function ghAuthLoginWithToken(token, { shell = defaultShell } = {}) {
+  assertToken(token);
+  if (!runSafe(shell, 'command -v gh').ok) {
+    return { ok: false, error: 'gh CLI not installed' };
+  }
+  const result = runSafe(
+    shell,
+    'gh auth login --hostname github.com --with-token',
+    { input: `${token}\n`, env: envWithoutGhTokens() }
+  );
+  if (result.ok) return { ok: true };
+  return { ok: false, error: (result.stderr || result.stdout || 'gh auth login failed').trim() };
+}
+
+/**
+ * Run `gh auth setup-git` — re-writes a richer set of url.*.insteadOf rules
+ * using OUR token (covering git@, ssh://, https:// forms).
+ *
+ * @param {object} [opts]
+ */
+export function ghAuthSetupGit({ shell = defaultShell } = {}) {
+  if (!runSafe(shell, 'command -v gh').ok) return { ok: false };
+  const result = runSafe(shell, 'gh auth setup-git');
+  return { ok: result.ok };
+}
+
+/* ─────────────────────────────────────────────────────────────────────────
+ * Step 4 — ensureOriginRemote
+ * ───────────────────────────────────────────────────────────────────────── */
+
+/**
+ * If <cwd>/.git exists and no origin matches the desired URL, set/add origin.
+ * No-op when there is no .git dir (we may be in a non-git workspace).
+ *
+ * @param {object} opts
+ * @param {string} opts.cwd
+ * @param {string} [opts.repoFullName]
+ * @param {Function} [opts.shell]
+ */
+export function ensureOriginRemote({ cwd, repoFullName, shell = defaultShell } = {}) {
+  if (!cwd || !existsSync(join(cwd, '.git'))) {
+    return { changed: false, action: 'no-git-dir' };
+  }
+
+  const existing = runSafe(shell, `git -C "${cwd}" remote get-url origin`);
+  let resolvedRepo = repoFullName;
+  if (!resolvedRepo) {
+    if (existing.ok) {
+      const m = existing.stdout.match(/github\.com[:/]([^/]+\/[^/.]+)(?:\.git)?/);
+      if (m) resolvedRepo = m[1];
+    }
+    if (!resolvedRepo) {
+      resolvedRepo = process.env.REPO_FULL_NAME ?? '';
+    }
+  }
+  if (!resolvedRepo) {
+    return { changed: false, action: 'no-git-dir' };
+  }
+
+  const desiredUrl = `https://github.com/${resolvedRepo}.git`;
+
+  if (existing.ok) {
+    const current = existing.stdout.trim();
+    if (current === desiredUrl) return { changed: false, action: 'noop' };
+    runSafe(shell, `git -C "${cwd}" remote set-url origin "${desiredUrl}"`);
+    return { changed: true, action: 'set-url' };
+  }
+
+  runSafe(shell, `git -C "${cwd}" remote add origin "${desiredUrl}"`);
+  return { changed: true, action: 'add' };
+}
+
+/* ─────────────────────────────────────────────────────────────────────────
+ * Step 5 — verifyAuth (3 modes) + preflightPlatformDocs
+ * ───────────────────────────────────────────────────────────────────────── */
+
+const VERIFY_MODES = ['rest-api', 'ls-remote-with-auth', 'ls-remote-via-rewrite'];
+
+/**
+ * @typedef {'rest-api' | 'ls-remote-with-auth' | 'ls-remote-via-rewrite'} AuthVerifyMode
+ *
+ * @param {AuthVerifyMode} mode
+ * @param {string} token
+ * @param {object} [opts]
+ * @param {Function} [opts.shell]
+ * @param {Function} [opts.fetchImpl]
+ * @returns {Promise<{ ok: boolean, status?: number, error?: string }>}
+ */
+export async function verifyAuth(mode, token, { shell = defaultShell, fetchImpl = globalThis.fetch } = {}) {
+  if (!VERIFY_MODES.includes(mode)) {
+    throw new Error(`verifyAuth: unknown mode "${mode}" (expected one of ${VERIFY_MODES.join(', ')})`);
+  }
+  assertToken(token);
+
+  if (mode === 'rest-api') {
+    try {
+      const res = await fetchImpl(`https://api.github.com/repos/${PLATFORM_DOCS_REPO}`, {
+        headers: {
+          Authorization: `token ${token}`,
+          Accept: 'application/vnd.github+json',
+        },
+      });
+      const status = res.status;
+      if (status === 200) return { ok: true, status };
+      return { ok: false, status };
+    } catch (err) {
+      return { ok: false, error: String(err?.message ?? err) };
+    }
+  }
+
+  const url = mode === 'ls-remote-with-auth'
+    ? `https://x-access-token:${token}@github.com/${PLATFORM_DOCS_REPO}.git`
+    : `https://github.com/${PLATFORM_DOCS_REPO}.git`;
+
+  const result = runSafe(shell, `git ls-remote "${url}" HEAD`);
+  if (result.ok) return { ok: true };
+  const errMsg = (result.stderr || result.stdout || `git ls-remote exit ${result.exitCode}`).trim();
+  return { ok: false, error: errMsg };
+}
+
+/**
+ * Run all three verifyAuth modes and reduce to a single diagnosis token.
+ *
+ * Diagnosis priority (top to bottom):
+ *   all FAIL    → 'network'      (none of the paths work — likely network/PAT unusable)
+ *   a FAIL      → 'pat-invalid'  (REST API rejected; org/SAML/scope problem)
+ *   b FAIL      → 'helper-mismatch' (auth-in-URL fails but REST passed — odd)
+ *   c FAIL      → 'rewrite-conflict' (the Cursor scenario)
+ *   else        → 'ok'
+ *
+ * @param {string} token
+ * @param {object} [opts]
+ * @returns {Promise<{
+ *   apiOk: boolean,
+ *   lsRemoteWithAuthOk: boolean,
+ *   lsRemoteViaRewriteOk: boolean,
+ *   diagnosis: 'ok' | 'pat-invalid' | 'rewrite-conflict' | 'helper-mismatch' | 'network'
+ * }>}
+ */
+export async function preflightPlatformDocs(token, opts = {}) {
+  const a = await verifyAuth('rest-api', token, opts);
+  const b = await verifyAuth('ls-remote-with-auth', token, opts);
+  const c = await verifyAuth('ls-remote-via-rewrite', token, opts);
+
+  const apiOk = a.ok;
+  const lsRemoteWithAuthOk = b.ok;
+  const lsRemoteViaRewriteOk = c.ok;
+
+  let diagnosis;
+  if (!apiOk && !lsRemoteWithAuthOk && !lsRemoteViaRewriteOk) {
+    diagnosis = 'network';
+  } else if (!apiOk) {
+    diagnosis = 'pat-invalid';
+  } else if (!lsRemoteWithAuthOk) {
+    diagnosis = 'helper-mismatch';
+  } else if (!lsRemoteViaRewriteOk) {
+    diagnosis = 'rewrite-conflict';
+  } else {
+    diagnosis = 'ok';
+  }
+
+  return { apiOk, lsRemoteWithAuthOk, lsRemoteViaRewriteOk, diagnosis };
+}