@ghl-ai/aw 0.1.71 → 0.1.73-beta.0

package/c4/codexConfig.mjs

@@ -27,6 +27,7 @@ import TOML from '@iarna/toml';
 
 export const MCP_URL_DEFAULT =
   'https://services.leadconnectorhq.com/agentic-workspace/mcp';
+export const CODEX_MCP_BEARER_TOKEN_ENV = 'GHL_AI_MCP_BEARER_TOKEN';
 
 const FILE_MODE = 0o600;
 
@@ -76,6 +77,12 @@ function configPathFor(home) {
   return join(home, '.codex/config.toml');
 }
 
+function removeAuthorizationHeader(table) {
+  if (!table || typeof table !== 'object' || Array.isArray(table)) return false;
+  delete table.Authorization;
+  return Object.keys(table).length === 0;
+}
+
 /**
  * Ensure `[features] codex_hooks = true` in ~/.codex/config.toml.
  * Preserves all other keys (round-trip via @iarna/toml).
@@ -99,11 +106,11 @@ export function ensureCodexHooksFlag(home) {
 }
 
 /**
- * Ensure `[mcp_servers.ghl-ai]` block with url + Bearer token + transport.
+ * Ensure `[mcp_servers.ghl-ai]` block with url + bearer token env var + transport.
  * URL falls back to env MCP_URL → MCP_URL_DEFAULT.
  *
  * @param {string} home
- * @param {string} token
+ * @param {string} token Validated by the caller, never persisted into Codex config.
  * @returns {{ changed: boolean }}
  */
 export function ensureCodexMcpServer(home, token) {
@@ -132,14 +139,15 @@ export function ensureCodexMcpServer(home, token) {
   // Match the canonical `aw init` reference (libs/aw/mcp.mjs::tomlMcpServerBlock)
   // which always sets startup_timeout_sec = 30 for HTTP MCP servers.
   ghlAi.startup_timeout_sec = 30;
-  if (
-    ghlAi.headers == null ||
-    typeof ghlAi.headers !== 'object' ||
-    Array.isArray(ghlAi.headers)
-  ) {
-    ghlAi.headers = {};
+  ghlAi.bearer_token_env_var = CODEX_MCP_BEARER_TOKEN_ENV;
+  if (removeAuthorizationHeader(ghlAi.http_headers)) delete ghlAi.http_headers;
+  if (removeAuthorizationHeader(ghlAi.env_http_headers)) delete ghlAi.env_http_headers;
+  if (ghlAi.headers && typeof ghlAi.headers === 'object' && !Array.isArray(ghlAi.headers)) {
+    delete ghlAi.headers.Authorization;
+    if (Object.keys(ghlAi.headers).length === 0) {
+      delete ghlAi.headers;
+    }
   }
-  ghlAi.headers.Authorization = `Bearer ${token}`;
   root.mcp_servers['ghl-ai'] = ghlAi;
 
   const serialized = TOML.stringify(root);

package/commands/doctor.mjs

@@ -284,7 +284,7 @@ function tomlMcpHealth(filePath) {
   return {
     present: /\[mcp_servers\.ghl-ai\]/.test(content),
     url: /\[mcp_servers\.ghl-ai\][\s\S]*?url\s*=\s*"https?:\/\/[^"]+"/.test(content),
-    authorization: /\[mcp_servers\.ghl-ai\.headers\][\s\S]*?Authorization\s*=\s*".+"/.test(content),
+    authorization: /\[mcp_servers\.ghl-ai\][\s\S]*?bearer_token_env_var\s*=\s*".+"/.test(content),
   };
 }
 
@@ -891,7 +891,7 @@ function buildDoctorChecks(homeDir, cwd) {
   const codexMcp = tomlMcpHealth(codexConfigPath);
   checks.push(
     codexMcp.present && codexMcp.url && codexMcp.authorization
-      ? makeCheck('codex-mcp', 'Codex MCP config', 'pass', 'Codex has a ghl-ai MCP server with URL and Authorization header')
+      ? makeCheck('codex-mcp', 'Codex MCP config', 'pass', 'Codex has a ghl-ai MCP server with URL and bearer token env var')
       : makeCheck(
         'codex-mcp',
         'Codex MCP config',

package/commands/init.mjs

@@ -25,6 +25,7 @@ import * as fmt from '../fmt.mjs';
 import { chalk, setSilent } from '../fmt.mjs';
 import { linkWorkspace } from '../link.mjs';
 import { generateCommands, copyInstructions, initAwDocs, syncHomeHarnessInstructions } from '../integrate.mjs';
+import { renderRules } from '../render-rules.mjs';
 import { setupMcp } from '../mcp.mjs';
 import { isContextModeRequested } from '../integrations/context-mode.mjs';
 import { applyStoredStartupPreferences, ensureAwRuntimeHook, isDefaultRoutingEnabled } from '../startup.mjs';
@@ -150,6 +151,11 @@ function syncHomeAndProjectInstructions(cwd, namespace) {
   initAwDocs(HOME);
   if (cwd !== HOME) {
     syncInstructionsAndAwDocs(cwd, namespace);
+  } else {
+    // Running from $HOME (fresh-laptop flow): render global IDE rules directly.
+    // The project branch above is otherwise the only renderRules call site, so
+    // init from $HOME used to leave ~/.claude/rules and ~/.cursor/rules empty.
+    renderRules(HOME, { homeDir: HOME });
   }
 }
 

package/commands/push.mjs

@@ -153,13 +153,45 @@ function normalizeRelPath(value) {
     .replace(/\/+$/, '');
 }
 
+// Root namespaces publish at the AW docs root (aw_docs/<ns>/...), mirroring the
+// local .aw_docs/<ns>/... subtree 1:1 — NO per-workspace <repo>/<user> segment
+// and full nested folders. Use for shared, repo-keyed doc trees such as PR
+// reviews (pr-reviews/<owner>/<repo>/pr-<n>/<run>) so they do not land under the
+// reviewer's workspace namespace as one mangled flat slug.
+const AW_DOCS_ROOT_NAMESPACES = ['pr-reviews'];
+
+function awDocsRootScope(relPath) {
+  const value = normalizeRelPath(relPath);
+  const segments = value.split('/');
+  // A root scope's delete-then-copy target is the resolved subtree. Require the
+  // full pr-reviews/<repo>/pr-<number>/<run> depth so a shallow path (e.g.
+  // `pr-reviews` or `pr-reviews/<repo>`) can never resolve to a broad shared
+  // subtree and wipe unrelated review runs on the remote.
+  if (segments[0] !== 'pr-reviews' || segments.length < 4) {
+    throw new Error(
+      `Root-scope docs publish must target pr-reviews/<repo>/pr-<number>/<run>, got "${relPath}".`
+    );
+  }
+  for (const seg of segments) {
+    if (!seg || seg === '.' || seg === '..' || !/^[A-Za-z0-9._-]+$/.test(seg)) {
+      throw new Error(`Invalid AW docs path segment "${seg}" in "${relPath}". Segments may contain letters, numbers, dot, underscore, and dash only.`);
+    }
+  }
+  return { type: 'root', relPrefix: value };
+}
+
 function featureScopeFromInput(input) {
   const value = normalizeRelPath(input);
   if (!value) return null;
 
+  const stripped = value.replace(/^\.aw_docs\//, '');
+  if (AW_DOCS_ROOT_NAMESPACES.includes(stripped.split('/')[0])) {
+    return awDocsRootScope(stripped);
+  }
+
   const match = value.match(/^(?:\.aw_docs\/)?features\/([^/]+)$/);
   if (!match) {
-    throw new Error('Docs-only publish path must be .aw_docs/features/<feature-slug> or use --feature <feature-slug>.');
+    throw new Error('Docs-only publish path must be .aw_docs/features/<feature-slug>, .aw_docs/pr-reviews/<...>, or use --feature <feature-slug>.');
   }
   return awDocsFeatureScope(match[1]);
 }
@@ -701,9 +733,14 @@ async function publishProjectAwDocs(cwd, home, dryRun, scope = null) {
   const sourceRepo = await getProjectSourceRepo(projectRoot);
   const repoSlug = repoSlugFromSource(sourceRepo, projectRoot);
   const githubUsername = safePathSegment(await getGitHubUser(), 'unknown');
+  // Root-scoped docs mirror to the AW docs root (aw_docs/<relPath>); all other
+  // docs are namespaced under <repo>/<user> as before.
+  const isRootScope = scope?.type === 'root';
   const docs = files.map(file => ({
     ...file,
-    publishedPath: `${publishConfig.dest}/${repoSlug}/${githubUsername}/${file.relPath}`,
+    publishedPath: isRootScope
+      ? `${publishConfig.dest}/${file.relPath}`
+      : `${publishConfig.dest}/${repoSlug}/${githubUsername}/${file.relPath}`,
   }));
   const publishedPaths = docs.map(doc => doc.publishedPath);
   const links = docs.map(doc => ({
@@ -728,9 +765,11 @@ async function publishProjectAwDocs(cwd, home, dryRun, scope = null) {
   s.start(`Publishing ${files.length} AW doc${files.length > 1 ? 's' : ''} to ${publishConfig.repo}...`);
   try {
     const docsRepoDir = await ensureAwDocsRepoClone(home, publishConfig);
-    const deleteTarget = scope?.relPrefix
-      ? join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername, scope.relPrefix)
-      : join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername);
+    const deleteTarget = isRootScope
+      ? join(docsRepoDir, publishConfig.dest, scope.relPrefix)
+      : scope?.relPrefix
+        ? join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername, scope.relPrefix)
+        : join(docsRepoDir, publishConfig.dest, repoSlug, githubUsername);
     rmSync(deleteTarget, {
       recursive: true,
       force: true,
@@ -1627,6 +1666,7 @@ function groupBy(arr, key) {
 export const __test__ = {
   featureScopeFromInput,
   awDocsFeatureScope,
+  awDocsRootScope,
   resolveAwDocsScope,
   assertDocsOnlyScopeOrAll,
 };

package/hooks/aw-usage/lib/aw-usage-telemetry.js

@@ -80,9 +80,9 @@ function isDisabled() {
   return cfg.enabled === false;
 }
 
-// ── AW version ───────────────────────────────────────────────────────
+// ── AW CLI version detection ─────────────────────────────────────────
 
-let _awVersion = null;
+let _awCliVersionDetails = null;
 
 function parseVersionString(raw) {
   if (!raw) return null;
@@ -90,12 +90,20 @@ function parseVersionString(raw) {
   return match ? match[1] : null;
 }
 
-function getAwVersion() {
-  if (_awVersion) return _awVersion;
+function readPackageVersion(pkgPath) {
+  try {
+    return parseVersionString(JSON.parse(fs.readFileSync(pkgPath, 'utf8')).version) || null;
+  } catch {
+    return null;
+  }
+}
+
+function getAwCliVersionDetails() {
+  if (_awCliVersionDetails) return _awCliVersionDetails;
   const envVersion = parseVersionString(process.env.AW_VERSION);
   if (envVersion) {
-    _awVersion = envVersion;
-    return _awVersion;
+    _awCliVersionDetails = { version: envVersion, source: 'env' };
+    return _awCliVersionDetails;
   }
   try {
     const cliVersion = parseVersionString(execSync('aw --version', {
@@ -104,8 +112,8 @@ function getAwVersion() {
       stdio: ['ignore', 'pipe', 'ignore'],
     }));
     if (cliVersion) {
-      _awVersion = cliVersion;
-      return _awVersion;
+      _awCliVersionDetails = { version: cliVersion, source: 'aw_binary' };
+      return _awCliVersionDetails;
     }
   } catch { /* ignore */ }
   const candidates = [
@@ -120,16 +128,15 @@ function getAwVersion() {
     const globalPrefix = execSync('npm prefix -g', { encoding: 'utf8', timeout: 3000 }).trim();
     candidates.push(path.join(globalPrefix, 'lib', 'node_modules', '@ghl-ai', 'aw', 'package.json'));
   } catch { /* ignore */ }
-  // aw-ecc version as last-resort fallback
-  candidates.push(path.join(os.homedir(), '.aw-ecc', 'package.json'));
   for (const pkgPath of candidates) {
-    try {
-      _awVersion = parseVersionString(JSON.parse(fs.readFileSync(pkgPath, 'utf8')).version) || null;
-      if (_awVersion) return _awVersion;
-    } catch { /* ignore */ }
+    const version = readPackageVersion(pkgPath);
+    if (version) {
+      _awCliVersionDetails = { version, source: 'package_json' };
+      return _awCliVersionDetails;
+    }
   }
-  _awVersion = null;
-  return _awVersion;
+  _awCliVersionDetails = { version: null, source: 'unavailable' };
+  return _awCliVersionDetails;
 }
 
 // ── Harness detection ────────────────────────────────────────────────
@@ -427,6 +434,7 @@ function buildEvent(hookInput, eventType, payload) {
   const cfg = loadConfig();
   const git = getGitInfo();
   const harness = detectHarness(input);
+  const awCli = getAwCliVersionDetails();
 
   // Normalize session_id: Claude/Codex use session_id, Cursor uses conversation_id
   const sessionId = input.session_id
@@ -458,7 +466,7 @@ function buildEvent(hookInput, eventType, payload) {
     github_user: git.user || input.user_email || null,
     github_email: git.email || input.user_email || null,
     project_hash: computeProjectHash(cwd),
-    aw_version: getAwVersion(),
+    aw_version: awCli.version,
     event: eventType,
     client_ts: new Date().toISOString(),
     payload: payload || {},
@@ -497,6 +505,7 @@ module.exports = {
   readSessionLastSlashCommand,
   readLastAssistantFromTranscript,
   resolvePromptText,
+  getAwCliVersionDetails,
   tryAcquireDedupe,
   isCodexInternalTaskTitlePrompt,
   isCodexInternalTaskTitleCompletion,

package/mcp.mjs

@@ -17,6 +17,7 @@ const ENABLED_MODE = 'enabled';
 const DISABLED_MODE = 'disabled';
 const DISABLE_MCP_ENV = 'AW_DISABLE_MCP';
 const MCP_SERVER_NAME = 'ghl-ai';
+const CODEX_MCP_BEARER_TOKEN_ENV = 'GHL_AI_MCP_BEARER_TOKEN';
 
 function mcpPrefsPath(homeDir = HOME) {
   return join(homeDir, '.aw', MCP_PREFS_FILENAME);
@@ -77,6 +78,18 @@ function detectPaths() {
   return { ghlMcpUrl };
 }
 
+function resolveCodexBearerTokenEnvVar() {
+  if (process.env[CODEX_MCP_BEARER_TOKEN_ENV]) return CODEX_MCP_BEARER_TOKEN_ENV;
+  if (process.env.GITHUB_TOKEN) return 'GITHUB_TOKEN';
+  return CODEX_MCP_BEARER_TOKEN_ENV;
+}
+
+function warnIfCodexBearerEnvMissing(envVar, silent = false) {
+  if (silent || process.env[envVar]) return;
+  fmt.logWarn(`Codex MCP auth expects ${envVar} in the Codex environment.`);
+  fmt.logWarn(`  Fix: export ${envVar}=<token> and restart Codex.`);
+}
+
 /**
  * Resolve GitHub token for MCP auth. Zero manual steps.
  *
@@ -186,7 +199,7 @@ function findExistingClickUpToken() {
     } catch { /* corrupt file — skip */ }
   }
 
-  // TOML config: Codex — extract from [mcp_servers.ghl-ai.headers] section
+  // Legacy Codex TOML may still carry a ClickUp token in the old headers section.
   const codexToml = join(HOME, '.codex', 'config.toml');
   if (existsSync(codexToml)) {
     try {
@@ -356,6 +369,11 @@ export async function setupMcp(cwd, namespace, { silent = false } = {}) {
     url: mcpUrl,
     headers,
   };
+  const ghlAiServerCodex = {
+    url: mcpUrl,
+    bearer_token_env_var: resolveCodexBearerTokenEnvVar(),
+  };
+  warnIfCodexBearerEnvMissing(ghlAiServerCodex.bearer_token_env_var, silent);
 
   // ── Claude Code: ~/.claude.json (global) ──
   const claudeJsonPath = join(HOME, '.claude.json');
@@ -375,11 +393,11 @@ export async function setupMcp(cwd, namespace, { silent = false } = {}) {
   // survives — without this, each re-init overwrites ~/.codex/config.toml
   // from the ECC source which doesn't have the ghl-ai block.
   const codexTomlPath = join(HOME, '.codex', 'config.toml');
-  if (mergeTomlMcpServer(codexTomlPath, MCP_SERVER_NAME, ghlAiServerLocal)) {
+  if (mergeTomlMcpServer(codexTomlPath, MCP_SERVER_NAME, ghlAiServerCodex)) {
     updatedFiles.push(codexTomlPath);
   }
   const eccCodexTomlPath = join(HOME, '.aw-ecc', '.codex', 'config.toml');
-  mergeTomlMcpServer(eccCodexTomlPath, MCP_SERVER_NAME, ghlAiServerLocal);
+  mergeTomlMcpServer(eccCodexTomlPath, MCP_SERVER_NAME, ghlAiServerCodex);
 
   // Deduplicate
   const unique = [...new Set(updatedFiles)];
@@ -454,7 +472,7 @@ function tomlMcpHealth(filePath) {
       path: filePath,
       present: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\]`).test(content),
       url: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\][\\s\\S]*?url\\s*=\\s*"https?:\\/\\/[^"]+"`).test(content),
-      authorization: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\.headers\\][\\s\\S]*?Authorization\\s*=\\s*".+"`).test(content),
+      authorization: new RegExp(`\\[mcp_servers\\.${MCP_SERVER_NAME}\\][\\s\\S]*?bearer_token_env_var\\s*=\\s*".+"`).test(content),
     };
   } catch {
     // Unreadable TOML should behave like an absent optional MCP config.
@@ -510,6 +528,9 @@ function tomlMcpServerBlock(serverName, serverConfig) {
   if (serverConfig.args) {
     block += `args = [${serverConfig.args.map((a) => JSON.stringify(a)).join(', ')}]\n`;
   }
+  if (serverConfig.bearer_token_env_var) {
+    block += `bearer_token_env_var = ${JSON.stringify(serverConfig.bearer_token_env_var)}\n`;
+  }
   block += `startup_timeout_sec = 30\n`;
   if (serverConfig.headers && Object.keys(serverConfig.headers).length > 0) {
     block += `\n[mcp_servers.${serverName}.headers]\n`;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ghl-ai/aw",
-  "version": "0.1.71",
-  "description": "Agentic Workspace CLI — pull, push & manage agents, skills and commands from the registry",
+  "version": "0.1.73-beta.0",
+  "description": "Agentic Workspace CLI \u2014 pull, push & manage agents, skills and commands from the registry",
   "type": "module",
   "bin": {
     "aw": "bin.js"
@@ -74,4 +74,4 @@
   "devDependencies": {
     "vitest": "^4.1.2"
   }
-}
+}