feat(smartem-workspace): add smart SSH/HTTPS auto-detection for repo cloning

- Auto-detect SSH authentication for GitHub repos (test via ssh -T [email protected])
- If SSH works, clone via SSH URLs (enables push); otherwise use HTTPS
- Replace --ssh flag with --git-ssh (force SSH) and --git-https (force HTTPS)
- Cache SSH check results to avoid repeated connection attempts
- Notify user about clone method being used
- GitLab repos continue to use HTTPS by default (read-only reference)

Author: Val Redchenko

packages/smartem-workspace/README.md

@@ -97,12 +97,15 @@ smartem-workspace add DiamondLightSource/smartem-frontend
 --path PATH         Target directory (default: current directory)
 --preset NAME       Use preset: smartem-core, full, aria-reference, minimal
 --no-interactive    Skip prompts, use preset only
---ssh               Use SSH URLs (default: HTTPS)
+--git-ssh           Force SSH URLs for all repos
+--git-https         Force HTTPS URLs (skip auto-detection)
 --with-claude       Enable Claude Code integration setup
 --skip-serena       Skip Serena MCP setup
 --skip-dev-requirements  Skip developer requirements check
 ```
 
+**Git URL auto-detection:** By default, the CLI automatically detects if you have SSH authentication configured for GitHub. If SSH works, repos are cloned via SSH (enabling push); otherwise HTTPS is used (read-only). Use `--git-ssh` or `--git-https` to override.
+
 ### Check options
 
 ```

packages/smartem-workspace/smartem_workspace/cli.py

@@ -82,9 +82,13 @@ def init(
         bool,
         typer.Option("--interactive/--no-interactive", help="Enable/disable interactive prompts"),
     ] = True,
-    ssh: Annotated[
+    git_ssh: Annotated[
         bool,
-        typer.Option("--ssh", help="Use SSH URLs instead of HTTPS"),
+        typer.Option("--git-ssh", help="Force SSH URLs for all repos"),
+    ] = False,
+    git_https: Annotated[
+        bool,
+        typer.Option("--git-https", help="Force HTTPS URLs (skip auto-detection)"),
     ] = False,
     with_claude: Annotated[
         bool,
@@ -129,12 +133,22 @@ def init(
             out.print("[red]Failed to load Claude Code configuration[/red]")
             raise typer.Exit(1)
 
+    # Determine use_ssh: True=force SSH, False=force HTTPS, None=auto-detect
+    use_ssh: bool | None = None
+    if git_ssh and git_https:
+        out.print("[red]Cannot specify both --git-ssh and --git-https[/red]")
+        raise typer.Exit(1)
+    elif git_ssh:
+        use_ssh = True
+    elif git_https:
+        use_ssh = False
+
     bootstrap_workspace(
         config=config,
         workspace_path=workspace_path,
         preset=preset,
         interactive=effective_interactive,
-        use_ssh=ssh,
+        use_ssh=use_ssh,
         skip_claude=skip_claude,
         skip_serena=skip_serena,
         claude_config=claude_config,

packages/smartem-workspace/smartem_workspace/setup/bootstrap.py

@@ -43,7 +43,7 @@ def bootstrap_workspace(
     workspace_path: Path,
     preset: str | None = None,
     interactive: bool = True,
-    use_ssh: bool = False,
+    use_ssh: bool | None = None,
     skip_claude: bool = False,
     skip_serena: bool = False,
     claude_config: ClaudeCodeConfig | None = None,
@@ -56,7 +56,7 @@ def bootstrap_workspace(
         workspace_path: Target directory for workspace
         preset: Preset name (if provided, skips repo selection)
         interactive: Enable interactive prompts
-        use_ssh: Use SSH URLs for cloning
+        use_ssh: True=force SSH, False=force HTTPS, None=auto-detect for GitHub
         skip_claude: Skip Claude Code setup
         skip_serena: Skip Serena MCP setup
         claude_config: Claude Code configuration (required if skip_claude is False)

packages/smartem-workspace/smartem_workspace/setup/repos.py

@@ -7,13 +7,35 @@
 from rich.progress import Progress, SpinnerColumn, TextColumn
 
 from smartem_workspace.config.schema import Organization, Repository
+from smartem_workspace.utils.git import check_github_ssh_auth
 
 console = Console()
 
 
-def get_repo_url(repo: Repository, use_ssh: bool) -> str:
-    """Get the clone URL based on preference."""
-    return repo.urls.ssh if use_ssh else repo.urls.https
+def get_repo_url(repo: Repository, org: Organization, use_ssh: bool | None, github_ssh_ok: bool | None = None) -> str:
+    """Get the clone URL based on preference or auto-detection.
+
+    Args:
+        repo: Repository to get URL for
+        org: Organization the repo belongs to
+        use_ssh: True=force SSH, False=force HTTPS, None=auto-detect
+        github_ssh_ok: Cached result of GitHub SSH check (for auto-detect)
+
+    Returns:
+        Clone URL (SSH or HTTPS)
+    """
+    # Explicit override
+    if use_ssh is True:
+        return repo.urls.ssh
+    if use_ssh is False:
+        return repo.urls.https
+
+    # Auto-detect mode
+    if org.provider == "github" and github_ssh_ok:
+        return repo.urls.ssh
+
+    # Default to HTTPS (GitLab or GitHub without SSH)
+    return repo.urls.https
 
 
 def get_local_dir(org: Organization) -> str:
@@ -25,11 +47,19 @@ def clone_repo(
     repo: Repository,
     org: Organization,
     repos_dir: Path,
-    use_ssh: bool = False,
+    use_ssh: bool | None = None,
+    github_ssh_ok: bool | None = None,
 ) -> bool:
     """
     Clone a single repository.
 
+    Args:
+        repo: Repository to clone
+        org: Organization the repo belongs to
+        repos_dir: Directory to clone into
+        use_ssh: True=force SSH, False=force HTTPS, None=auto-detect
+        github_ssh_ok: Cached result of GitHub SSH check
+
     Returns:
         True if successful or already exists, False on error
     """
@@ -42,7 +72,7 @@ def clone_repo(
         console.print(f"  [dim]Skipping {repo.name} (already exists)[/dim]")
         return True
 
-    url = get_repo_url(repo, use_ssh)
+    url = get_repo_url(repo, org, use_ssh, github_ssh_ok)
 
     try:
         result = subprocess.run(
@@ -67,7 +97,7 @@ def clone_repo(
 def clone_repos(
     repos: list[tuple[Organization, Repository]],
     workspace_path: Path,
-    use_ssh: bool = False,
+    use_ssh: bool | None = None,
     devtools_first: bool = True,
 ) -> tuple[int, int]:
     """
@@ -76,7 +106,7 @@ def clone_repos(
     Args:
         repos: List of (org, repo) tuples to clone
         workspace_path: Root workspace directory
-        use_ssh: Use SSH URLs instead of HTTPS
+        use_ssh: True=force SSH, False=force HTTPS, None=auto-detect for GitHub
         devtools_first: Clone smartem-devtools first (required for config)
 
     Returns:
@@ -85,6 +115,26 @@ def clone_repos(
     repos_dir = workspace_path / "repos"
     repos_dir.mkdir(parents=True, exist_ok=True)
 
+    # Check SSH auth once at start for auto-detect mode
+    github_ssh_ok: bool | None = None
+    has_github_repos = any(org.provider == "github" for org, _ in repos)
+
+    if use_ssh is None and has_github_repos:
+        console.print()
+        console.print("[dim]Checking GitHub SSH authentication...[/dim]")
+        github_ssh_ok = check_github_ssh_auth()
+        if github_ssh_ok:
+            console.print("[green]SSH authentication successful - using SSH for GitHub repos[/green]")
+        else:
+            console.print("[yellow]SSH not configured for GitHub - using HTTPS (anonymous/read-only)[/yellow]")
+            console.print("[dim]To enable push access, configure SSH keys: https://docs.github.com/en/authentication/connecting-to-github-with-ssh[/dim]")
+    elif use_ssh is True:
+        console.print()
+        console.print("[dim]Using SSH URLs (--git-ssh)[/dim]")
+    elif use_ssh is False:
+        console.print()
+        console.print("[dim]Using HTTPS URLs (--git-https)[/dim]")
+
     success = 0
     failed = 0
 
@@ -101,7 +151,7 @@ def clone_repos(
             console.print()
             console.print("[bold]Cloning smartem-devtools (required)...[/bold]")
             org, repo = devtools
-            if clone_repo(repo, org, repos_dir, use_ssh):
+            if clone_repo(repo, org, repos_dir, use_ssh, github_ssh_ok):
                 success += 1
             else:
                 failed += 1
@@ -122,7 +172,7 @@ def clone_repos(
 
         for org, repo in repos:
             progress.update(task, description=f"Cloning {org.name}/{repo.name}...")
-            if clone_repo(repo, org, repos_dir, use_ssh):
+            if clone_repo(repo, org, repos_dir, use_ssh, github_ssh_ok):
                 success += 1
             else:
                 failed += 1

packages/smartem-workspace/smartem_workspace/utils/git.py

@@ -140,3 +140,64 @@ def has_remote(repo_path: Path, remote: str = "origin") -> bool:
     if returncode == 0:
         return remote in stdout.split()
     return False
+
+
+_ssh_auth_cache: dict[str, bool] = {}
+
+
+def check_github_ssh_auth() -> bool:
+    """Test if SSH authentication to GitHub works.
+
+    GitHub's SSH test returns exit code 1 on successful authentication
+    (with message "successfully authenticated"), and exit code 255 or
+    timeout if SSH is not configured.
+
+    Results are cached to avoid repeated SSH connection attempts.
+    """
+    if "github" in _ssh_auth_cache:
+        return _ssh_auth_cache["github"]
+
+    try:
+        result = subprocess.run(
+            ["ssh", "-T", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5", "[email protected]"],
+            capture_output=True,
+            text=True,
+            timeout=10,
+        )
+        # GitHub returns exit code 1 on successful auth with specific message
+        success = "successfully authenticated" in result.stderr.lower()
+        _ssh_auth_cache["github"] = success
+        return success
+    except (subprocess.TimeoutExpired, FileNotFoundError):
+        _ssh_auth_cache["github"] = False
+        return False
+
+
+def check_gitlab_ssh_auth() -> bool:
+    """Test if SSH authentication to GitLab works.
+
+    Similar to GitHub, GitLab returns a welcome message on successful auth.
+    Results are cached.
+    """
+    if "gitlab" in _ssh_auth_cache:
+        return _ssh_auth_cache["gitlab"]
+
+    try:
+        result = subprocess.run(
+            ["ssh", "-T", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5", "[email protected]"],
+            capture_output=True,
+            text=True,
+            timeout=10,
+        )
+        # GitLab returns exit code 0 on successful auth
+        success = result.returncode == 0 or "welcome to gitlab" in result.stderr.lower()
+        _ssh_auth_cache["gitlab"] = success
+        return success
+    except (subprocess.TimeoutExpired, FileNotFoundError):
+        _ssh_auth_cache["gitlab"] = False
+        return False
+
+
+def clear_ssh_auth_cache() -> None:
+    """Clear the SSH authentication cache (mainly for testing)."""
+    _ssh_auth_cache.clear()