@ghl-ai/aw 0.1.71 → 0.1.72

package/c4/codexConfig.mjs

@@ -27,6 +27,7 @@ import TOML from '@iarna/toml';
 
 export const MCP_URL_DEFAULT =
   'https://services.leadconnectorhq.com/agentic-workspace/mcp';
+export const CODEX_MCP_BEARER_TOKEN_ENV = 'GHL_AI_MCP_BEARER_TOKEN';
 
 const FILE_MODE = 0o600;
 
@@ -76,6 +77,12 @@ function configPathFor(home) {
   return join(home, '.codex/config.toml');
 }
 
+function removeAuthorizationHeader(table) {
+  if (!table || typeof table !== 'object' || Array.isArray(table)) return false;
+  delete table.Authorization;
+  return Object.keys(table).length === 0;
+}
+
 /**
  * Ensure `[features] codex_hooks = true` in ~/.codex/config.toml.
  * Preserves all other keys (round-trip via @iarna/toml).
@@ -99,11 +106,11 @@ export function ensureCodexHooksFlag(home) {
 }
 
 /**
- * Ensure `[mcp_servers.ghl-ai]` block with url + Bearer token + transport.
+ * Ensure `[mcp_servers.ghl-ai]` block with url + bearer token env var + transport.
  * URL falls back to env MCP_URL → MCP_URL_DEFAULT.
  *
  * @param {string} home
- * @param {string} token
+ * @param {string} token Validated by the caller, never persisted into Codex config.
  * @returns {{ changed: boolean }}
  */
 export function ensureCodexMcpServer(home, token) {
@@ -132,14 +139,15 @@ export function ensureCodexMcpServer(home, token) {
   // Match the canonical `aw init` reference (libs/aw/mcp.mjs::tomlMcpServerBlock)
   // which always sets startup_timeout_sec = 30 for HTTP MCP servers.
   ghlAi.startup_timeout_sec = 30;
-  if (
-    ghlAi.headers == null ||
-    typeof ghlAi.headers !== 'object' ||
-    Array.isArray(ghlAi.headers)
-  ) {
-    ghlAi.headers = {};
+  ghlAi.bearer_token_env_var = CODEX_MCP_BEARER_TOKEN_ENV;
+  if (removeAuthorizationHeader(ghlAi.http_headers)) delete ghlAi.http_headers;
+  if (removeAuthorizationHeader(ghlAi.env_http_headers)) delete ghlAi.env_http_headers;
+  if (ghlAi.headers && typeof ghlAi.headers === 'object' && !Array.isArray(ghlAi.headers)) {
+    delete ghlAi.headers.Authorization;
+    if (Object.keys(ghlAi.headers).length === 0) {
+      delete ghlAi.headers;
+    }
   }
-  ghlAi.headers.Authorization = `Bearer ${token}`;
   root.mcp_servers['ghl-ai'] = ghlAi;
 
   const serialized = TOML.stringify(root);

package/c4/templates/scripts/aw-c4-bootstrap.sh

@@ -129,30 +129,29 @@ aw_c4_exit=$?
 
 # Defense-in-depth: `aw c4` delegates registry sync to `aw init --silent`,
 # which can fail to fetch in silent mode without surfacing an error. When
-# that happens, the registry (~/.aw/.aw_registry) may be empty or incomplete
-# and only the 10 hardcoded stage commands get linked. Re-run `aw pull`
-# post-c4 if the command count looks low.
-verify_registry_commands() {
-  local aw_cmd_dir="$HOME/.aw/.aw_registry"
-  if [ ! -d "$aw_cmd_dir" ]; then
+# that happens, the registry (~/.aw/.aw_registry) may be empty or incomplete.
+# Re-run `aw pull` post-c4 if the skill surface looks too small.
+verify_registry_skills() {
+  local aw_registry_dir="$HOME/.aw/.aw_registry"
+  if [ ! -d "$aw_registry_dir" ]; then
     echo "[aw-c4-bootstrap] registry dir missing — running aw init + pull"
     aw init --no-integrations --silent 2>&1 | tail -3 || true
     aw pull 2>&1 | tail -5 || true
     return
   fi
 
-  local cmd_count
-  cmd_count=$(find "$aw_cmd_dir" -name '*.md' -path '*/commands/*' ! -path '*/evals/*' 2>/dev/null | wc -l | tr -d ' ')
-  if [ "${cmd_count:-0}" -lt 20 ]; then
-    echo "[aw-c4-bootstrap] only ${cmd_count} registry commands found — running aw pull"
+  local skill_count
+  skill_count=$(find "$aw_registry_dir" -name 'SKILL.md' -path '*/skills/*' ! -path '*/evals/*' 2>/dev/null | wc -l | tr -d ' ')
+  if [ "${skill_count:-0}" -lt 5 ]; then
+    echo "[aw-c4-bootstrap] only ${skill_count} registry skills found — running aw pull"
     aw pull 2>&1 | tail -5 || true
     local new_count
-    new_count=$(find "$aw_cmd_dir" -name '*.md' -path '*/commands/*' ! -path '*/evals/*' 2>/dev/null | wc -l | tr -d ' ')
-    echo "[aw-c4-bootstrap] registry commands: ${cmd_count} → ${new_count}"
+    new_count=$(find "$aw_registry_dir" -name 'SKILL.md' -path '*/skills/*' ! -path '*/evals/*' 2>/dev/null | wc -l | tr -d ' ')
+    echo "[aw-c4-bootstrap] registry skills: ${skill_count} → ${new_count}"
   else
-    echo "[aw-c4-bootstrap] registry: ${cmd_count} commands OK"
+    echo "[aw-c4-bootstrap] registry: ${skill_count} skills OK"
   fi
 }
-verify_registry_commands || true
+verify_registry_skills || true
 
 exit "$aw_c4_exit"

package/commands/c4.mjs

@@ -110,6 +110,11 @@ function safeListNamespaceDirs(dir) {
   } catch { return []; }
 }
 
+function hasRegistrySkillSurface(registryDir, existsSync = fsExistsSync) {
+  if (existsSync(join(registryDir, 'platform', 'core', 'skills'))) return true;
+  return safeListNamespaceDirs(registryDir).length > 0;
+}
+
 async function safeAsync(label, fn, writer) {
   try {
     return { ok: true, value: await fn() };
@@ -405,18 +410,17 @@ export async function c4Command(rawArgs, overrides = {}) {
     return exit(1);
   }
 
-  // Step 9a — verify registry has namespace directories. `aw init --silent`
+  // Step 9a — verify registry has the skill surface. `aw init --silent`
   // can exit 0 but fail to fetch (fetchAndMerge swallows the error in silent
   // mode). Metadata-only artifacts (AW-PROTOCOL.md) pass a simple non-empty
-  // check, so we specifically look for directories (namespaces like
-  // "platform") to confirm the registry content was actually pulled.
+  // check, so we specifically look for the platform skill namespace to confirm
+  // the registry content was actually pulled.
   {
-    const registryNamespaces = safeListNamespaceDirs(awRegistry);
-    if (registryNamespaces.length === 0) {
-      writer.stderr('[aw-c4] registry has no namespace directories after init — retrying with aw pull\n');
+    if (!hasRegistrySkillSurface(awRegistry, fs.existsSync)) {
+      writer.stderr('[aw-c4] registry has no platform skill surface after init — retrying with aw pull\n');
       const pullRes = spawnSync('aw', ['pull'], { stdio: 'pipe' });
-      if (pullRes?.status !== 0 || safeListNamespaceDirs(awRegistry).length === 0) {
-        writer.stderr('[aw-c4] FATAL: registry commands were not fetched\n');
+      if (pullRes?.status !== 0 || !hasRegistrySkillSurface(awRegistry, fs.existsSync)) {
+        writer.stderr('[aw-c4] FATAL: registry skills were not fetched\n');
         return exit(1);
       }
     }
@@ -439,7 +443,7 @@ export async function c4Command(rawArgs, overrides = {}) {
     writer.stdout('[aw-c4] MCP disabled; skipping registerGhlAiMcp\n');
   }
 
-  // Step 12 — slash command surface (10 stage commands from ECC).
+  // Step 12 — legacy slash command surface, when provided by the installed ECC.
   safe('ensureCommandSurface', () => c4.ensureCommandSurface({ harness, home, eccHome }), writer);
 
   // Step 12a — full registry command surface.

package/commands/doctor.mjs

@@ -284,7 +284,7 @@ function tomlMcpHealth(filePath) {
   return {
     present: /\[mcp_servers\.ghl-ai\]/.test(content),
     url: /\[mcp_servers\.ghl-ai\][\s\S]*?url\s*=\s*"https?:\/\/[^"]+"/.test(content),
-    authorization: /\[mcp_servers\.ghl-ai\.headers\][\s\S]*?Authorization\s*=\s*".+"/.test(content),
+    authorization: /\[mcp_servers\.ghl-ai\][\s\S]*?bearer_token_env_var\s*=\s*".+"/.test(content),
   };
 }
 
@@ -891,7 +891,7 @@ function buildDoctorChecks(homeDir, cwd) {
   const codexMcp = tomlMcpHealth(codexConfigPath);
   checks.push(
     codexMcp.present && codexMcp.url && codexMcp.authorization
-      ? makeCheck('codex-mcp', 'Codex MCP config', 'pass', 'Codex has a ghl-ai MCP server with URL and Authorization header')
+      ? makeCheck('codex-mcp', 'Codex MCP config', 'pass', 'Codex has a ghl-ai MCP server with URL and bearer token env var')
       : makeCheck(
         'codex-mcp',
         'Codex MCP config',

package/commands/push.mjs

@@ -153,13 +153,45 @@ function normalizeRelPath(value) {
     .replace(/\/+$/, '');
 }
 
+// Root namespaces publish at the AW docs root (aw_docs/<ns>/...), mirroring the
+// local .aw_docs/<ns>/... subtree 1:1 — NO per-workspace <repo>/<user> segment
+// and full nested folders. Use for shared, repo-keyed doc trees such as PR
+// reviews (pr-reviews/<owner>/<repo>/pr-<n>/<run>) so they do not land under the
+// reviewer's workspace namespace as one mangled flat slug.
+const AW_DOCS_ROOT_NAMESPACES = ['pr-reviews'];
+
+function awDocsRootScope(relPath) {
+  const value = normalizeRelPath(relPath);
+  const segments = value.split('/');
+  // A root scope's delete-then-copy target is the resolved subtree. Require the
+  // full pr-reviews/<repo>/pr-<number>/<run> depth so a shallow path (e.g.
+  // `pr-reviews` or `pr-reviews/<repo>`) can never resolve to a broad shared
+  // subtree and wipe unrelated review runs on the remote.
+  if (segments[0] !== 'pr-reviews' || segments.length < 4) {
+    throw new Error(
+      `Root-scope docs publish must target pr-reviews/<repo>/pr-<number>/<run>, got "${relPath}".`
+    );
+  }
+  for (const seg of segments) {
+    if (!seg || seg === '.' || seg === '..' || !/^[A-Za-z0-9._-]+$/.test(seg)) {
+      throw new Error(`Invalid AW docs path segment "${seg}" in "${relPath}". Segments may contain letters, numbers, dot, underscore, and dash only.`);
+    }
+  }
+  return { type: 'root', relPrefix: value };
+}
+
 function featureScopeFromInput(input) {
   const value = normalizeRelPath(input);
   if (!value) return null;
 
+  const stripped = value.replace(/^\.aw_docs\//, '');
+  if (AW_DOCS_ROOT_NAMESPACES.includes(stripped.split('/')[0])) {
+    return awDocsRootScope(stripped);
+  }
+
   const match = value.match(/^(?:\.aw_docs\/)?features\/([^/]+)$/);
   if (!match) {
-    throw new Error('Docs-only publish path must be .aw_docs/features/<feature-slug> or use --feature <feature-slug>.');
+    throw new Error('Docs-only publish path must be .aw_docs/features/<feature-slug>, .aw_docs/pr-reviews/<...>, or use --feature <feature-slug>.');
   }
   return awDocsFeatureScope(match[1]);
 }
@@ -701,9 +733,14 @@ async function publishProjectAwDocs(cwd, home, dryRun, scope = null) {
   const sourceRepo = await getProjectSourceRepo(projectRoot);
   const repoSlug = repoSlugFromSource(sourceRepo, projectRoot);
   const githubUsername = safePathSegment(await getGitHubUser(), 'unknown');
+  // Root-scoped docs mirror to the AW docs root (aw_docs/<relPath>); all other
+  // docs are namespaced under <repo>/<user> as before.
+  const isRootScope = scope?.type === 'root';
   const docs = files.map(file => ({
     ...file,
-    publishedPath: `${publishConfig.dest}/${repoSlug}/${githubUsername}/${file.relPath}`,
+    publishedPath: isRootScope
+      ? `${publishConfig.dest}/${file.relPath}`
+      : `${publishConfig.dest}/${repoSlug}/${githubUsername}/${file.relPath}`,
   }));
   const publishedPaths = docs.map(doc => doc.publishedPath);
   const links = docs.map(doc => ({
@@ -728,9 +765,11 @@ async function publishProjectAwDocs(cwd, home, dryRun, scope = null) {
   s.start(`Publishing ${files.length} AW doc${files.length > 1 ? 's' : ''} to ${publishConfig.repo}...`);
   try {
     const docsRepoDir = await ensureAwDocsRepoClone(home, publishConfig);
-    const deleteTarget = scope?.relPrefix
-      ? join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername, scope.relPrefix)
-      : join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername);
+    const deleteTarget = isRootScope
+      ? join(docsRepoDir, publishConfig.dest, scope.relPrefix)
+      : scope?.relPrefix
+        ? join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername, scope.relPrefix)
+        : join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername);
     rmSync(deleteTarget, {
       recursive: true,
       force: true,
@@ -1627,6 +1666,7 @@ function groupBy(arr, key) {
 export const __test__ = {
   featureScopeFromInput,
   awDocsFeatureScope,
+  awDocsRootScope,
   resolveAwDocsScope,
   assertDocsOnlyScopeOrAll,
 };

package/ecc.mjs

@@ -12,7 +12,7 @@ import { applyStoredStartupPreferences } from "./startup.mjs";
 
 const AW_ECC_REPO_SSH = "git@github.com:shreyansh-ghl/aw-ecc.git";
 const AW_ECC_REPO_HTTPS = "https://github.com/shreyansh-ghl/aw-ecc.git";
-export const AW_ECC_TAG = "v1.4.66";
+export const AW_ECC_TAG = "v1.4.67-beta.0";
 const REQUIRED_ECC_FILES = [
   "package.json",
   "scripts/install-apply.js",

package/git.mjs

@@ -390,8 +390,7 @@ export async function fetchAndMerge(awHome, { silent = true } = {}) {
   // drops bare-name patterns (e.g. "content", "CODEOWNERS") when HEAD advances.
   //
   // --autostash: AW writes into the registry working tree from external
-  // sources (ensureAwRuntimeHook copies ~/.aw-ecc/.../session-start.sh into a
-  // tracked path; transformCursorAwRefs rewrites /aw: → /aw- through Cursor
+  // sources (transformCursorAwRefs rewrites /aw: → /aw- through Cursor
   // skill directory symlinks that resolve into .aw_registry/). When those
   // versions drift, the working tree is dirty at rebase time and rebase
   // refuses to run, silently aborting the entire pull. Autostash stashes the

package/hooks/aw-usage/lib/aw-usage-telemetry.js

@@ -80,9 +80,9 @@ function isDisabled() {
   return cfg.enabled === false;
 }
 
-// ── AW version ───────────────────────────────────────────────────────
+// ── AW CLI version detection ─────────────────────────────────────────
 
-let _awVersion = null;
+let _awCliVersionDetails = null;
 
 function parseVersionString(raw) {
   if (!raw) return null;
@@ -90,12 +90,20 @@ function parseVersionString(raw) {
   return match ? match[1] : null;
 }
 
-function getAwVersion() {
-  if (_awVersion) return _awVersion;
+function readPackageVersion(pkgPath) {
+  try {
+    return parseVersionString(JSON.parse(fs.readFileSync(pkgPath, 'utf8')).version) || null;
+  } catch {
+    return null;
+  }
+}
+
+function getAwCliVersionDetails() {
+  if (_awCliVersionDetails) return _awCliVersionDetails;
   const envVersion = parseVersionString(process.env.AW_VERSION);
   if (envVersion) {
-    _awVersion = envVersion;
-    return _awVersion;
+    _awCliVersionDetails = { version: envVersion, source: 'env' };
+    return _awCliVersionDetails;
   }
   try {
     const cliVersion = parseVersionString(execSync('aw --version', {
@@ -104,32 +112,26 @@ function getAwVersion() {
       stdio: ['ignore', 'pipe', 'ignore'],
     }));
     if (cliVersion) {
-      _awVersion = cliVersion;
-      return _awVersion;
+      _awCliVersionDetails = { version: cliVersion, source: 'aw_binary' };
+      return _awCliVersionDetails;
     }
   } catch { /* ignore */ }
   const candidates = [
     path.join(AW_HOME, 'node_modules', '@ghl-ai', 'aw', 'package.json'),
   ];
-  // Derive global npm prefix from the running node binary (no shell needed)
-  try {
-    const nodeDir = path.dirname(process.execPath);
-    candidates.push(path.join(nodeDir, '..', 'lib', 'node_modules', '@ghl-ai', 'aw', 'package.json'));
-  } catch { /* ignore */ }
   try {
     const globalPrefix = execSync('npm prefix -g', { encoding: 'utf8', timeout: 3000 }).trim();
     candidates.push(path.join(globalPrefix, 'lib', 'node_modules', '@ghl-ai', 'aw', 'package.json'));
   } catch { /* ignore */ }
-  // aw-ecc version as last-resort fallback
-  candidates.push(path.join(os.homedir(), '.aw-ecc', 'package.json'));
   for (const pkgPath of candidates) {
-    try {
-      _awVersion = parseVersionString(JSON.parse(fs.readFileSync(pkgPath, 'utf8')).version) || null;
-      if (_awVersion) return _awVersion;
-    } catch { /* ignore */ }
+    const version = readPackageVersion(pkgPath);
+    if (version) {
+      _awCliVersionDetails = { version, source: 'package_json' };
+      return _awCliVersionDetails;
+    }
   }
-  _awVersion = null;
-  return _awVersion;
+  _awCliVersionDetails = { version: null, source: 'unavailable' };
+  return _awCliVersionDetails;
 }
 
 // ── Harness detection ────────────────────────────────────────────────
@@ -427,6 +429,7 @@ function buildEvent(hookInput, eventType, payload) {
   const cfg = loadConfig();
   const git = getGitInfo();
   const harness = detectHarness(input);
+  const awCli = getAwCliVersionDetails();
 
   // Normalize session_id: Claude/Codex use session_id, Cursor uses conversation_id
   const sessionId = input.session_id
@@ -458,7 +461,7 @@ function buildEvent(hookInput, eventType, payload) {
     github_user: git.user || input.user_email || null,
     github_email: git.email || input.user_email || null,
     project_hash: computeProjectHash(cwd),
-    aw_version: getAwVersion(),
+    aw_version: awCli.version,
     event: eventType,
     client_ts: new Date().toISOString(),
     payload: payload || {},
@@ -497,6 +500,7 @@ module.exports = {
   readSessionLastSlashCommand,
   readLastAssistantFromTranscript,
   resolvePromptText,
+  getAwCliVersionDetails,
   tryAcquireDedupe,
   isCodexInternalTaskTitlePrompt,
   isCodexInternalTaskTitleCompletion,

package/mcp.mjs

@@ -17,6 +17,7 @@ const ENABLED_MODE = 'enabled';
 const DISABLED_MODE = 'disabled';
 const DISABLE_MCP_ENV = 'AW_DISABLE_MCP';
 const MCP_SERVER_NAME = 'ghl-ai';
+const CODEX_MCP_BEARER_TOKEN_ENV = 'GHL_AI_MCP_BEARER_TOKEN';
 
 function mcpPrefsPath(homeDir = HOME) {
   return join(homeDir, '.aw', MCP_PREFS_FILENAME);
@@ -77,6 +78,18 @@ function detectPaths() {
   return { ghlMcpUrl };
 }
 
+function resolveCodexBearerTokenEnvVar() {
+  if (process.env[CODEX_MCP_BEARER_TOKEN_ENV]) return CODEX_MCP_BEARER_TOKEN_ENV;
+  if (process.env.GITHUB_TOKEN) return 'GITHUB_TOKEN';
+  return CODEX_MCP_BEARER_TOKEN_ENV;
+}
+
+function warnIfCodexBearerEnvMissing(envVar, silent = false) {
+  if (silent || process.env[envVar]) return;
+  fmt.logWarn(`Codex MCP auth expects ${envVar} in the Codex environment.`);
+  fmt.logWarn(`  Fix: export ${envVar}=<token> and restart Codex.`);
+}
+
 /**
  * Resolve GitHub token for MCP auth. Zero manual steps.
  *
@@ -186,7 +199,7 @@ function findExistingClickUpToken() {
     } catch { /* corrupt file — skip */ }
   }
 
-  // TOML config: Codex — extract from [mcp_servers.ghl-ai.headers] section
+  // Legacy Codex TOML may still carry a ClickUp token in the old headers section.
   const codexToml = join(HOME, '.codex', 'config.toml');
   if (existsSync(codexToml)) {
     try {
@@ -356,6 +369,11 @@ export async function setupMcp(cwd, namespace, { silent = false } = {}) {
     url: mcpUrl,
     headers,
   };
+  const ghlAiServerCodex = {
+    url: mcpUrl,
+    bearer_token_env_var: resolveCodexBearerTokenEnvVar(),
+  };
+  warnIfCodexBearerEnvMissing(ghlAiServerCodex.bearer_token_env_var, silent);
 
   // ── Claude Code: ~/.claude.json (global) ──
   const claudeJsonPath = join(HOME, '.claude.json');
@@ -375,11 +393,11 @@ export async function setupMcp(cwd, namespace, { silent = false } = {}) {
   // survives — without this, each re-init overwrites ~/.codex/config.toml
   // from the ECC source which doesn't have the ghl-ai block.
   const codexTomlPath = join(HOME, '.codex', 'config.toml');
-  if (mergeTomlMcpServer(codexTomlPath, MCP_SERVER_NAME, ghlAiServerLocal)) {
+  if (mergeTomlMcpServer(codexTomlPath, MCP_SERVER_NAME, ghlAiServerCodex)) {
     updatedFiles.push(codexTomlPath);
   }
   const eccCodexTomlPath = join(HOME, '.aw-ecc', '.codex', 'config.toml');
-  mergeTomlMcpServer(eccCodexTomlPath, MCP_SERVER_NAME, ghlAiServerLocal);
+  mergeTomlMcpServer(eccCodexTomlPath, MCP_SERVER_NAME, ghlAiServerCodex);
 
   // Deduplicate
   const unique = [...new Set(updatedFiles)];
@@ -454,7 +472,7 @@ function tomlMcpHealth(filePath) {
       path: filePath,
       present: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\]`).test(content),
       url: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\][\\s\\S]*?url\\s*=\\s*"https?:\\/\\/[^"]+"`).test(content),
-      authorization: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\.headers\\][\\s\\S]*?Authorization\\s*=\\s*".+"`).test(content),
+      authorization: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\][\\s\\S]*?bearer_token_env_var\\s*=\\s*".+"`).test(content),
     };
   } catch {
     // Unreadable TOML should behave like an absent optional MCP config.
@@ -510,6 +528,9 @@ function tomlMcpServerBlock(serverName, serverConfig) {
   if (serverConfig.args) {
     block += `args = [${serverConfig.args.map((a) => JSON.stringify(a)).join(', ')}]\n`;
   }
+  if (serverConfig.bearer_token_env_var) {
+    block += `bearer_token_env_var = ${JSON.stringify(serverConfig.bearer_token_env_var)}\n`;
+  }
   block += `startup_timeout_sec = 30\n`;
   if (serverConfig.headers && Object.keys(serverConfig.headers).length > 0) {
     block += `\n[mcp_servers.${serverName}.headers]\n`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ghl-ai/aw",
-  "version": "0.1.71",
+  "version": "0.1.72",
   "description": "Agentic Workspace CLI — pull, push & manage agents, skills and commands from the registry",
   "type": "module",
   "bin": {

package/startup.mjs

@@ -1,4 +1,4 @@
-import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, writeFileSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { homedir } from 'node:os';
 import { randomBytes } from 'node:crypto';
@@ -83,10 +83,6 @@ function resolveRegistryRoot(homeDir = homedir()) {
   ].find(existsSync) || null;
 }
 
-function awRuntimeHookSourcePath(homeDir = homedir()) {
-  return join(homeDir, '.aw-ecc', 'skills', 'using-aw-skills', 'hooks', 'session-start.sh');
-}
-
 function readJson(filePath, fallback = {}) {
   if (!existsSync(filePath)) return fallback;
   try {
@@ -393,27 +389,10 @@ function hasCodexSessionStartScript(homeDir = homedir()) {
 }
 
 export function ensureAwRuntimeHook(homeDir = homedir()) {
-  const sourcePath = awRuntimeHookSourcePath(homeDir);
-  const registryRoot = resolveRegistryRoot(homeDir);
-  if (!existsSync(sourcePath) || !registryRoot) return [];
-
-  const destinationPath = join(
-    registryRoot,
-    'platform',
-    'core',
-    'skills',
-    'using-aw-skills',
-    'hooks',
-    'session-start.sh',
-  );
-  const sourceContent = readFileSync(sourcePath, 'utf8');
-  const existingContent = existsSync(destinationPath) ? readFileSync(destinationPath, 'utf8') : null;
-  if (existingContent === sourceContent) return [];
-
-  mkdirSync(dirname(destinationPath), { recursive: true });
-  writeFileSync(destinationPath, sourceContent);
-  try { chmodSync(destinationPath, 0o755); } catch { /* best effort */ }
-  return [destinationPath];
+  resolveRegistryRoot(homeDir);
+  // The AW router hook is registry-owned. aw-ecc no longer ships SDLC skills
+  // or using-aw-skills, so init/pull must not recreate it from ~/.aw-ecc.
+  return [];
 }
 
 function hasCodexHooksEnabled(homeDir = homedir()) {