@chrysb/alphaclaw 0.1.25 → 0.2.1

package/lib/public/js/components/welcome.js

@@ -3,6 +3,7 @@ import { useState, useEffect, useRef } from "https://esm.sh/preact/hooks";
 import htm from "https://esm.sh/htm";
 import {
   runOnboard,
+  verifyGithubOnboardingRepo,
   fetchModels,
   fetchCodexStatus,
   disconnectCodex,
@@ -58,6 +59,7 @@ export const Welcome = ({ onComplete }) => {
   const [codexAuthStarted, setCodexAuthStarted] = useState(false);
   const [codexAuthWaiting, setCodexAuthWaiting] = useState(false);
   const [loading, setLoading] = useState(false);
+  const [githubStepLoading, setGithubStepLoading] = useState(false);
   const [error, setError] = useState(null);
   const codexPopupPollRef = useRef(null);
 
@@ -360,8 +362,27 @@ export const Welcome = ({ onComplete }) => {
     setStep(kWelcomeGroups.length - 1);
   };
 
-  const goNext = () => {
+  const goNext = async () => {
     if (!activeGroup || !currentGroupValid) return;
+    if (activeGroup.id === "github") {
+      setGithubStepLoading(true);
+      setError(null);
+      try {
+        const result = await verifyGithubOnboardingRepo(
+          vals.GITHUB_WORKSPACE_REPO,
+          vals.GITHUB_TOKEN,
+        );
+        if (!result?.ok) {
+          setError(result?.error || "GitHub verification failed");
+          return;
+        }
+      } catch (err) {
+        setError(err?.message || "GitHub verification failed");
+        return;
+      } finally {
+        setGithubStepLoading(false);
+      }
+    }
     setStep((prev) => Math.min(kWelcomeGroups.length - 1, prev + 1));
   };
 
@@ -438,6 +459,7 @@ export const Welcome = ({ onComplete }) => {
                 goBack=${goBack}
                 goNext=${goNext}
                 loading=${loading}
+                githubStepLoading=${githubStepLoading}
                 allValid=${allValid}
                 handleSubmit=${handleSubmit}
               />

package/lib/public/js/lib/api.js

@@ -167,6 +167,15 @@ export async function runOnboard(vars, modelKey) {
   return res.json();
 }
 
+export async function verifyGithubOnboardingRepo(repo, token) {
+  const res = await authFetch('/api/onboard/github/verify', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ repo, token }),
+  });
+  return res.json();
+}
+
 export const fetchModels = async () => {
   const res = await authFetch('/api/models');
   return res.json();

package/lib/server/constants.js

@@ -264,6 +264,7 @@ const SETUP_API_PREFIXES = [
   "/api/openclaw",
   "/api/devices",
   "/api/sync-cron",
+  "/api/telegram",
 ];
 
 module.exports = {

package/lib/server/helpers.js

@@ -63,6 +63,8 @@ const normalizeIp = (ip) => String(ip || "").replace(/^::ffff:/, "");
 
 const isTruthyEnvFlag = (value) =>
   ["1", "true", "yes", "on"].includes(String(value || "").trim().toLowerCase());
+const isDebugEnabled = () =>
+  isTruthyEnvFlag(process.env.ALPHACLAW_DEBUG) || isTruthyEnvFlag(process.env.DEBUG);
 
 const getClientKey = (req) =>
   normalizeIp(
@@ -172,6 +174,33 @@ const readGoogleCredentials = () => {
   }
 };
 
+const kSecretKeyMatchers = [
+  /(?:^|_)TOKEN(?:$|_)/i,
+  /(?:^|_)API_KEY(?:$|_)/i,
+  /(?:^|_)PASSWORD(?:$|_)/i,
+  /(?:^|_)SECRET(?:$|_)/i,
+  /(?:^|_)PRIVATE_KEY(?:$|_)/i,
+];
+
+const isSensitiveKey = (key) =>
+  kSecretKeyMatchers.some((matcher) => matcher.test(String(key || "")));
+
+const buildSecretReplacements = (...sources) => {
+  const replacements = [];
+  const seen = new Set();
+  for (const source of sources) {
+    for (const [rawKey, rawValue] of Object.entries(source || {})) {
+      const key = String(rawKey || "").trim();
+      const value = String(rawValue || "");
+      if (!key || !value || !isSensitiveKey(key)) continue;
+      if (seen.has(value)) continue;
+      seen.add(value);
+      replacements.push([value, `\${${key}}`]);
+    }
+  }
+  return replacements.sort((a, b) => b[0].length - a[0].length);
+};
+
 module.exports = {
   normalizeOpenclawVersion,
   compareVersionParts,
@@ -180,6 +209,7 @@ module.exports = {
   getCodexAccountId,
   normalizeIp,
   isTruthyEnvFlag,
+  isDebugEnabled,
   getClientKey,
   resolveGithubRepoUrl,
   createPkcePair,
@@ -189,4 +219,6 @@ module.exports = {
   getBaseUrl,
   getApiEnableUrl,
   readGoogleCredentials,
+  isSensitiveKey,
+  buildSecretReplacements,
 };

package/lib/server/onboarding/github.js

@@ -1,49 +1,114 @@
-const ensureGithubRepoAccessible = async ({ repoUrl, repoName, remoteUrl, githubToken }) => {
-  void remoteUrl;
-  const ghHeaders = {
-    Authorization: `token ${githubToken}`,
-    "User-Agent": "openclaw-railway",
-    Accept: "application/vnd.github+json",
-  };
+const buildGithubHeaders = (githubToken) => ({
+  Authorization: `token ${githubToken}`,
+  "User-Agent": "openclaw-railway",
+  Accept: "application/vnd.github+json",
+});
 
+const parseGithubErrorMessage = async (response) => {
   try {
-    const checkRes = await fetch(`https://api.github.com/repos/${repoUrl}`, {
+    const payload = await response.json();
+    if (typeof payload?.message === "string" && payload.message.trim()) {
+      return payload.message.trim();
+    }
+  } catch {}
+  return response.statusText || `HTTP ${response.status}`;
+};
+
+const verifyGithubRepoForOnboarding = async ({ repoUrl, githubToken }) => {
+  const ghHeaders = buildGithubHeaders(githubToken);
+  const [repoOwner] = String(repoUrl || "").split("/", 1);
+
+  try {
+    const userRes = await fetch("https://api.github.com/user", {
       headers: ghHeaders,
     });
+    if (!userRes.ok) {
+      const details = await parseGithubErrorMessage(userRes);
+      return {
+        ok: false,
+        status: 400,
+        error: `Cannot verify GitHub token: ${details}`,
+      };
+    }
+    const authedUser = await userRes.json().catch(() => ({}));
+    const authedLogin = String(authedUser?.login || "").trim();
+    if (
+      repoOwner &&
+      authedLogin &&
+      repoOwner.toLowerCase() !== authedLogin.toLowerCase()
+    ) {
+      return {
+        ok: false,
+        status: 400,
+        error: `Workspace repo owner must match your token user "${authedLogin}"`,
+      };
+    }
 
+    const checkRes = await fetch(`https://api.github.com/repos/${repoUrl}`, {
+      headers: ghHeaders,
+    });
     if (checkRes.status === 404) {
-      console.log(`[onboard] Creating repo ${repoUrl}...`);
-      const createRes = await fetch("https://api.github.com/user/repos", {
-        method: "POST",
-        headers: { ...ghHeaders, "Content-Type": "application/json" },
-        body: JSON.stringify({
-          name: repoName,
-          private: true,
-          auto_init: false,
-        }),
-      });
-      if (!createRes.ok) {
-        const err = await createRes.json().catch(() => ({}));
-        return {
-          ok: false,
-          status: 400,
-          error: `Failed to create repo: ${err.message || createRes.statusText}`,
-        };
-      }
-      console.log(`[onboard] Repo ${repoUrl} created`);
       return { ok: true };
     }
+    if (checkRes.ok) {
+      return {
+        ok: false,
+        status: 400,
+        error: `Repository "${repoUrl}" already exists.`,
+      };
+    }
 
-    if (checkRes.ok) return { ok: true };
-
+    const details = await parseGithubErrorMessage(checkRes);
     return {
       ok: false,
       status: 400,
-      error: `Cannot access repo "${repoUrl}" — check your token has the "repo" scope`,
+      error: `Cannot verify repo "${repoUrl}": ${details}`,
     };
+  } catch (e) {
+    return {
+      ok: false,
+      status: 400,
+      error: `GitHub verification error: ${e.message}`,
+    };
+  }
+};
+
+const ensureGithubRepoAccessible = async ({
+  repoUrl,
+  repoName,
+  githubToken,
+}) => {
+  const ghHeaders = buildGithubHeaders(githubToken);
+  const verification = await verifyGithubRepoForOnboarding({
+    repoUrl,
+    githubToken,
+  });
+  if (!verification.ok) return verification;
+
+  try {
+    console.log(`[onboard] Creating repo ${repoUrl}...`);
+    const createRes = await fetch("https://api.github.com/user/repos", {
+      method: "POST",
+      headers: { ...ghHeaders, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        name: repoName,
+        private: true,
+        auto_init: false,
+      }),
+    });
+    if (!createRes.ok) {
+      const details = await parseGithubErrorMessage(createRes);
+      return {
+        ok: false,
+        status: 400,
+        error: `Failed to create repo: ${details}`,
+      };
+    }
+    console.log(`[onboard] Repo ${repoUrl} created`);
+    return { ok: true };
   } catch (e) {
     return { ok: false, status: 400, error: `GitHub error: ${e.message}` };
   }
 };
 
-module.exports = { ensureGithubRepoAccessible };
+module.exports = { ensureGithubRepoAccessible, verifyGithubRepoForOnboarding };

package/lib/server/onboarding/index.js

@@ -1,11 +1,22 @@
 const path = require("path");
 const { kSetupDir, kRootDir } = require("../constants");
 const { validateOnboardingInput } = require("./validation");
-const { ensureGithubRepoAccessible } = require("./github");
-const { buildOnboardArgs, writeSanitizedOpenclawConfig } = require("./openclaw");
-const { installControlUiSkill, syncBootstrapPromptFiles } = require("./workspace");
-const { installHourlyGitSyncScript, installHourlyGitSyncCron } = require("./cron");
-const { isTruthyEnvFlag } = require("../helpers");
+const {
+  ensureGithubRepoAccessible,
+  verifyGithubRepoForOnboarding,
+} = require("./github");
+const {
+  buildOnboardArgs,
+  writeSanitizedOpenclawConfig,
+} = require("./openclaw");
+const {
+  installControlUiSkill,
+  syncBootstrapPromptFiles,
+} = require("./workspace");
+const {
+  installHourlyGitSyncScript,
+  installHourlyGitSyncCron,
+} = require("./cron");
 
 const createOnboardingService = ({
   fs,
@@ -23,6 +34,15 @@ const createOnboardingService = ({
 }) => {
   const { OPENCLAW_DIR, WORKSPACE_DIR } = constants;
 
+  const verifyGithubSetup = async ({
+    githubRepoInput,
+    githubToken,
+    resolveGithubRepoUrl,
+  }) => {
+    const repoUrl = resolveGithubRepoUrl(githubRepoInput);
+    return verifyGithubRepoForOnboarding({ repoUrl, githubToken });
+  };
+
   const completeOnboarding = async ({ req, vars, modelKey }) => {
     const validation = validateOnboardingInput({
       vars,
@@ -31,43 +51,62 @@ const createOnboardingService = ({
       hasCodexOauthProfile,
     });
     if (!validation.ok) {
-      return { status: validation.status, body: { ok: false, error: validation.error } };
+      return {
+        status: validation.status,
+        body: { ok: false, error: validation.error },
+      };
     }
 
-    const { varMap, githubToken, githubRepoInput, selectedProvider, hasCodexOauth } =
-      validation.data;
+    const {
+      varMap,
+      githubToken,
+      githubRepoInput,
+      selectedProvider,
+      hasCodexOauth,
+    } = validation.data;
 
     const repoUrl = resolveGithubRepoUrl(githubRepoInput);
-    const varsToSave = [...vars.filter((v) => v.value && v.key !== "GITHUB_WORKSPACE_REPO")];
+    const varsToSave = [
+      ...vars.filter((v) => v.value && v.key !== "GITHUB_WORKSPACE_REPO"),
+    ];
     varsToSave.push({ key: "GITHUB_WORKSPACE_REPO", value: repoUrl });
     writeEnvFile(varsToSave);
     reloadEnv();
 
-    const remoteUrl = `https://${githubToken}@github.com/${repoUrl}.git`;
+    const remoteUrl = `https://github.com/${repoUrl}.git`;
     const [, repoName] = repoUrl.split("/");
     const repoCheck = await ensureGithubRepoAccessible({
       repoUrl,
       repoName,
-      remoteUrl,
       githubToken,
     });
     if (!repoCheck.ok) {
-      return { status: repoCheck.status, body: { ok: false, error: repoCheck.error } };
+      return {
+        status: repoCheck.status,
+        body: { ok: false, error: repoCheck.error },
+      };
     }
 
     fs.mkdirSync(OPENCLAW_DIR, { recursive: true });
     fs.mkdirSync(WORKSPACE_DIR, { recursive: true });
-    syncBootstrapPromptFiles({ fs, workspaceDir: WORKSPACE_DIR, baseUrl: getBaseUrl(req) });
+    syncBootstrapPromptFiles({
+      fs,
+      workspaceDir: WORKSPACE_DIR,
+      baseUrl: getBaseUrl(req),
+    });
 
     if (!fs.existsSync(`${OPENCLAW_DIR}/.git`)) {
       await shellCmd(
-        `cd ${OPENCLAW_DIR} && git init -b main && git remote add origin "${remoteUrl}" && git config user.email "agent@openclaw.ai" && git config user.name "OpenClaw Agent"`,
+        `cd ${OPENCLAW_DIR} && git init -b main && git remote add origin "${remoteUrl}" && git config user.email "agent@alphaclaw.md" && git config user.name "AlphaClaw Agent"`,
       );
       console.log("[onboard] Git initialized");
     }
 
     if (!fs.existsSync(`${OPENCLAW_DIR}/.gitignore`)) {
-      fs.copyFileSync(path.join(kSetupDir, "gitignore"), `${OPENCLAW_DIR}/.gitignore`);
+      fs.copyFileSync(
+        path.join(kSetupDir, "gitignore"),
+        `${OPENCLAW_DIR}/.gitignore`,
+      );
     }
 
     const onboardArgs = buildOnboardArgs({
@@ -76,14 +115,17 @@ const createOnboardingService = ({
       hasCodexOauth,
       workspaceDir: WORKSPACE_DIR,
     });
-    await shellCmd(`openclaw onboard ${onboardArgs.map((a) => `"${a}"`).join(" ")}`, {
-      env: {
-        ...process.env,
-        OPENCLAW_HOME: kRootDir,
-        OPENCLAW_CONFIG_PATH: `${OPENCLAW_DIR}/openclaw.json`,
+    await shellCmd(
+      `openclaw onboard ${onboardArgs.map((a) => `"${a}"`).join(" ")}`,
+      {
+        env: {
+          ...process.env,
+          OPENCLAW_HOME: kRootDir,
+          OPENCLAW_CONFIG_PATH: `${OPENCLAW_DIR}/openclaw.json`,
+        },
+        timeout: 120000,
       },
-      timeout: 120000,
-    });
+    );
     console.log("[onboard] Onboard complete");
 
     await shellCmd(`openclaw models set "${modelKey}"`, {
@@ -91,7 +133,9 @@ const createOnboardingService = ({
       timeout: 30000,
     }).catch((e) => {
       console.error("[onboard] Failed to set model:", e.message);
-      throw new Error(`Onboarding completed but failed to set model "${modelKey}"`);
+      throw new Error(
+        `Onboarding completed but failed to set model "${modelKey}"`,
+      );
     });
 
     try {
@@ -101,24 +145,33 @@ const createOnboardingService = ({
     writeSanitizedOpenclawConfig({ fs, openclawDir: OPENCLAW_DIR, varMap });
     ensureGatewayProxyConfig(getBaseUrl(req));
 
-    installControlUiSkill({ fs, openclawDir: OPENCLAW_DIR, baseUrl: getBaseUrl(req) });
-
-    const shouldForcePush = isTruthyEnvFlag(process.env.OPENCLAW_DEBUG_FORCE_PUSH);
-    const pushArgs = shouldForcePush ? "-u --force" : "-u";
-    await shellCmd(
-      `cd ${OPENCLAW_DIR} && git add -A && git commit -m "initial setup" && git push ${pushArgs} origin main`,
-      { timeout: 30000 },
-    ).catch((e) => console.error("[onboard] Git push error:", e.message));
-    console.log("[onboard] Initial state committed and pushed");
+    installControlUiSkill({
+      fs,
+      openclawDir: OPENCLAW_DIR,
+      baseUrl: getBaseUrl(req),
+    });
 
     installHourlyGitSyncScript({ fs, openclawDir: OPENCLAW_DIR });
     await installHourlyGitSyncCron({ fs, openclawDir: OPENCLAW_DIR });
 
+    try {
+      await shellCmd(`alphaclaw git-sync -m "initial setup"`, {
+        timeout: 30000,
+        env: {
+          ...process.env,
+          GITHUB_TOKEN: githubToken,
+        },
+      });
+      console.log("[onboard] Initial state committed and pushed");
+    } catch (e) {
+      console.error("[onboard] Git push error:", e.message);
+    }
+
     startGateway();
     return { status: 200, body: { ok: true } };
   };
 
-  return { completeOnboarding };
+  return { completeOnboarding, verifyGithubSetup };
 };
 
 module.exports = { createOnboardingService };

package/lib/server/onboarding/openclaw.js

@@ -1,3 +1,5 @@
+const { buildSecretReplacements } = require("../helpers");
+
 const buildOnboardArgs = ({ varMap, selectedProvider, hasCodexOauth, workspaceDir }) => {
   const onboardArgs = [
     "--non-interactive",
@@ -149,18 +151,9 @@ const writeSanitizedOpenclawConfig = ({ fs, openclawDir, varMap }) => {
   }
 
   let content = JSON.stringify(cfg, null, 2);
-  const replacements = [
-    [process.env.OPENCLAW_GATEWAY_TOKEN, "${OPENCLAW_GATEWAY_TOKEN}"],
-    [varMap.ANTHROPIC_API_KEY, "${ANTHROPIC_API_KEY}"],
-    [varMap.ANTHROPIC_TOKEN, "${ANTHROPIC_TOKEN}"],
-    [varMap.TELEGRAM_BOT_TOKEN, "${TELEGRAM_BOT_TOKEN}"],
-    [varMap.DISCORD_BOT_TOKEN, "${DISCORD_BOT_TOKEN}"],
-    [varMap.OPENAI_API_KEY, "${OPENAI_API_KEY}"],
-    [varMap.GEMINI_API_KEY, "${GEMINI_API_KEY}"],
-    [varMap.BRAVE_API_KEY, "${BRAVE_API_KEY}"],
-  ];
+  const replacements = buildSecretReplacements(varMap, process.env);
   for (const [secret, envRef] of replacements) {
-    if (secret && secret.length > 8) {
+    if (secret) {
       content = content.split(secret).join(envRef);
     }
   }

package/lib/server/onboarding/workspace.js

@@ -1,5 +1,6 @@
 const path = require("path");
-const { kSetupDir } = require("../constants");
+const { kSetupDir, OPENCLAW_DIR } = require("../constants");
+const { renderTopicRegistryMarkdown } = require("../topic-registry");
 
 const resolveSetupUiUrl = (baseUrl) => {
   const normalizedBaseUrl = String(baseUrl || "").trim().replace(/\/+$/, "");
@@ -19,16 +20,38 @@ const resolveSetupUiUrl = (baseUrl) => {
   return "http://localhost:3000";
 };
 
+// Single assembly point for TOOLS.md: template + topic registry.
+// Idempotent — always rebuilds from source so deploys never clobber topic data.
+const isTelegramWorkspaceEnabled = (fs) => {
+  try {
+    const configPath = `${OPENCLAW_DIR}/openclaw.json`;
+    const cfg = JSON.parse(fs.readFileSync(configPath, "utf8"));
+    return Object.keys(cfg.channels?.telegram?.groups || {}).length > 0;
+  } catch {
+    return false;
+  }
+};
+
 const syncBootstrapPromptFiles = ({ fs, workspaceDir, baseUrl }) => {
   try {
+    const setupUiUrl = resolveSetupUiUrl(baseUrl);
     const bootstrapDir = `${workspaceDir}/hooks/bootstrap`;
     fs.mkdirSync(bootstrapDir, { recursive: true });
     fs.copyFileSync(path.join(kSetupDir, "core-prompts", "AGENTS.md"), `${bootstrapDir}/AGENTS.md`);
+
     const toolsTemplate = fs.readFileSync(path.join(kSetupDir, "core-prompts", "TOOLS.md"), "utf8");
-    const toolsContent = toolsTemplate.replace(
+    let toolsContent = toolsTemplate.replace(
       /\{\{SETUP_UI_URL\}\}/g,
-      resolveSetupUiUrl(baseUrl),
+      setupUiUrl,
     );
+
+    const topicSection = renderTopicRegistryMarkdown({
+      includeSyncGuidance: isTelegramWorkspaceEnabled(fs),
+    });
+    if (topicSection) {
+      toolsContent += topicSection;
+    }
+
     fs.writeFileSync(`${bootstrapDir}/TOOLS.md`, toolsContent);
     console.log("[onboard] Bootstrap prompt files synced");
   } catch (e) {

package/lib/server/routes/auth.js

@@ -2,7 +2,8 @@ const crypto = require("crypto");
 const { kLoginCleanupIntervalMs } = require("../constants");
 
 const registerAuthRoutes = ({ app, loginThrottle }) => {
-  const SETUP_PASSWORD = process.env.SETUP_PASSWORD || "";
+  const SETUP_PASSWORD = String(process.env.SETUP_PASSWORD || "").trim();
+  const kAuthMisconfigured = !SETUP_PASSWORD;
   const kSessionTtlMs = 7 * 24 * 60 * 60 * 1000;
 
   const signSessionPayload = (payload) =>
@@ -50,7 +51,13 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
   };
 
   app.post("/api/auth/login", (req, res) => {
-    if (!SETUP_PASSWORD) return res.json({ ok: true });
+    if (kAuthMisconfigured) {
+      return res.status(503).json({
+        ok: false,
+        error:
+          "Server misconfigured: SETUP_PASSWORD is missing. Set it in your deployment environment variables and restart.",
+      });
+    }
     const now = Date.now();
     const clientKey = loginThrottle.getClientKey(req);
     const state = loginThrottle.getOrCreateLoginAttemptState(clientKey, now);
@@ -92,18 +99,29 @@ const registerAuthRoutes = ({ app, loginThrottle }) => {
   }, kLoginCleanupIntervalMs).unref();
 
   const isAuthorizedRequest = (req) => {
-    if (!SETUP_PASSWORD) return true;
+    if (kAuthMisconfigured) return false;
     const requestPath = req.path || "";
     if (requestPath.startsWith("/auth/google/callback")) return true;
     if (requestPath.startsWith("/auth/codex/callback")) return true;
     const cookies = cookieParser(req);
-    const query = req.query || {};
-    const token = cookies.setup_token || query.token;
+    const token = cookies.setup_token;
     return verifySessionToken(token);
   };
 
   const requireAuth = (req, res, next) => {
-    if (!SETUP_PASSWORD) return next();
+    if (kAuthMisconfigured) {
+      if (req.path.startsWith("/api/")) {
+        return res.status(503).json({
+          error:
+            "Server misconfigured: SETUP_PASSWORD is missing. Set it in your deployment environment variables and restart.",
+        });
+      }
+      return res
+        .status(503)
+        .send(
+          "Setup auth is not configured. Set SETUP_PASSWORD in your deployment environment and restart.",
+        );
+    }
     if (req.path.startsWith("/auth/google/callback")) return next();
     if (req.path.startsWith("/auth/codex/callback")) return next();
     if (isAuthorizedRequest(req)) return next();

package/lib/server/routes/onboarding.js

@@ -111,6 +111,42 @@ const registerOnboardingRoutes = ({
       res.status(500).json({ ok: false, error: sanitizeOnboardingError(err) });
     }
   });
+
+  app.post("/api/onboard/github/verify", async (req, res) => {
+    if (isOnboarded()) {
+      return res.json({ ok: false, error: "Already onboarded" });
+    }
+
+    try {
+      const githubRepoInput = String(req.body?.repo || "").trim();
+      const githubToken = String(req.body?.token || "").trim();
+      if (!githubRepoInput || !githubToken) {
+        return res
+          .status(400)
+          .json({
+            ok: false,
+            error: "GitHub token and workspace repo are required",
+          });
+      }
+
+      const result = await onboardingService.verifyGithubSetup({
+        githubRepoInput,
+        githubToken,
+        resolveGithubRepoUrl,
+      });
+      if (!result.ok) {
+        return res
+          .status(result.status || 400)
+          .json({ ok: false, error: result.error });
+      }
+      return res.json({ ok: true });
+    } catch (err) {
+      console.error("[onboard] GitHub verify error:", err);
+      return res
+        .status(500)
+        .json({ ok: false, error: sanitizeOnboardingError(err) });
+    }
+  });
 };
 
 module.exports = { registerOnboardingRoutes };

package/lib/server/routes/proxy.js

@@ -3,13 +3,13 @@ const registerProxyRoutes = ({ app, proxy, SETUP_API_PREFIXES, requireAuth }) =>
     req.url = "/";
     proxy.web(req, res);
   });
-  app.all("/openclaw/*", requireAuth, (req, res) => {
+  app.all("/openclaw/*path", requireAuth, (req, res) => {
     req.url = req.url.replace(/^\/openclaw/, "");
     proxy.web(req, res);
   });
-  app.all("/assets/*", requireAuth, (req, res) => proxy.web(req, res));
+  app.all("/assets/*path", requireAuth, (req, res) => proxy.web(req, res));
 
-  app.all("/webhook/*", (req, res) => {
+  app.all("/webhook/*path", (req, res) => {
     if (!req.headers.authorization && req.query.token) {
       req.headers.authorization = `Bearer ${req.query.token}`;
       delete req.query.token;
@@ -20,7 +20,7 @@ const registerProxyRoutes = ({ app, proxy, SETUP_API_PREFIXES, requireAuth }) =>
     proxy.web(req, res);
   });
 
-  app.all("/api/*", (req, res) => {
+  app.all("/api/*path", (req, res) => {
     if (SETUP_API_PREFIXES.some((p) => req.path.startsWith(p))) return;
     proxy.web(req, res);
   });