fix: improve git onboarding and file handling

[davidliuk]

Summary

• add one-click Git initialization and friendlier empty-state onboarding in the Git panel
• avoid noisy not-a-repository and no-commit errors when loading Git state
• switch file-path-sensitive Git operations to argv-based spawning so spaces and parentheses in filenames work correctly

Testing

• npm run typecheck

[Zhang-Henry]

Review Comments

PR scope is too large

This PR is 12,859 additions mixing several unrelated changes:

1. Git onboarding UX improvements (good, small)
2. Safe argv-based spawning for file paths with special characters (good, small)
3. Entire drclaw + vibelab Python CLI packages (~5,000+ lines)
4. Extensive OpenClaw integration docs in README

Please split this into separate PRs. The git fixes are reviewable; the CLI infrastructure needs its own dedicated review.

Shell injection still present in git.js

The PR migrates some exec() calls to spawn() with argv arrays (good), but several file-path-sensitive calls still use template strings with execAsync():

await execAsync(`git status --porcelain "${file}"`, { cwd: projectPath });
await execAsync(`git show HEAD:"${file}"`, { cwd: projectPath });

Quoting doesn't protect against backticks or $(...) in filenames. These should also use argv-based spawning for consistency with the rest of your changes.

Code duplication: drclaw vs vibelab

The two Python packages are byte-for-byte identical except for package names. This creates a maintenance burden — any bug fix must be applied twice. Consider making vibelab a thin wrapper that imports from drclaw, or use a single package with an entry-point alias.

[davidliuk]

Hi @Zhang-Henry

Thank you for the detailed review and for catching those issues!

PR Scope & Cleanup

You were absolutely right about the scope. I realized I had accidentally branched off an unmerged openclaw branch, which caused several unrelated packages and docs to be mixed in.

I have now re-created this branch from scratch to keep it clean. This PR now strictly focuses on the Git initialization and onboarding logic. The CLI infrastructure and other changes have been removed and will be submitted in separate, dedicated PRs later.

• Shell Injection: I have addressed the feedback regarding execAsync. All file-path-sensitive Git operations (like git status and git show) have been migrated to argv-based spawning to ensure full protection against shell injection and better handling of special characters.
• Code Duplication: Since the drclaw and vibelab packages are no longer part of this PR, that duplication issue is resolved here. I will take your suggestion into account when preparing their respective PRs.

The PR should now be much smaller and easier to review. Please let me know if there are any other concerns!

[bbsngg]

Added a follow-up fix in 5f1e52a to address the review findings:

• only show the Git onboarding empty state for true non-repository errors
• preserve real error messages for other git failures instead of always suggesting init
• parse git remote-operation failures from stderr/stdout so fetch/pull/push/publish errors classify correctly after the spawn() refactor
• hide remote action buttons for unborn repositories with no commits
• clear stale diff/history expansion state when switching projects or when git status fails
• also restored rendering for untracked files in the changes list

Validation: npm run typecheck