fix(clawhub): preserve base URL path prefix [AI-assisted]

[ThiagoCAltoe]

Summary

• Problem: ClawHub requests dropped non-root path prefixes from OPENCLAW_CLAWHUB_URL / CLAWHUB_URL, causing reverse-proxied ClawHub deployments to hit /api/... instead of /prefix/api/....
• Solution: Build ClawHub request URLs from the normalized base URL first, then append the request path onto the existing base pathname.
• What changed: Updated src/infra/clawhub.ts URL construction and added a focused regression test in src/infra/clawhub.test.ts.
• What did NOT change (scope boundary): No endpoint schemas, auth/token handling, downloads, install logic, or default ClawHub URL behavior changed.

AI-assisted: yes.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes ClawHub requests fail when OPENCLAW_CLAWHUB_URL contains a path prefix #83975
• This PR fixes a bug or regression

Motivation

• Reverse-proxied ClawHub deployments under a path prefix cannot be used from OpenClaw because every API request silently drops that prefix and returns 404.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: ClawHub API requests preserve a configured base URL path prefix.
• Real environment tested: Local OpenClaw checkout on Linux with Node v22.21.1 and a local HTTP server standing in for a reverse-proxied ClawHub endpoint under /clawhub.
• Exact steps or command run after this patch:
  • OPENCLAW_CLAWHUB_URL=http://127.0.0.1:18799/clawhub node --import tsx -e 'const { searchClawHubSkills } = await import("./src/infra/clawhub.ts"); const results = await searchClawHubSkills({ query: "calendar" }); console.log(JSON.stringify(results));'
• Evidence after fix (copied live terminal output from the real OpenClaw checkout):

SERVER GET /clawhub/api/v1/search?q=calendar
[{"slug":"calendar","displayName":"Calendar","version":"1.0.0","summary":"demo"}]

• Observed result after fix: The request hit /clawhub/api/v1/search, and the search result was returned successfully.
• What was not tested: A live external ClawHub deployment behind nginx; full repository test suite.
• Before evidence: Issue ClawHub requests fail when OPENCLAW_CLAWHUB_URL contains a path prefix #83975 documents the pre-fix behavior where new URL("/api/v1/search", "http://host:port/prefix/") drops /prefix.

Root Cause (if applicable)

• Root cause: new URL(params.path, base) treats leading-slash request paths as absolute paths and replaces the base URL pathname.
• Missing detection / guardrail: Existing ClawHub tests covered root-hosted base URLs but not base URLs with non-root path prefixes.
• Contributing context (if known): The ClawHub request paths are intentionally absolute-looking (/api/v1/...), which is correct for root-hosted deployments but unsafe when passed directly to URL resolution with a prefixed base.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/infra/clawhub.test.ts
• Scenario the test should lock in: OPENCLAW_CLAWHUB_URL=https://internal.example.com/clawhub plus searchClawHubSkills({ query: "calendar" }) requests /clawhub/api/v1/search?q=calendar.
• Why this is the smallest reliable guardrail: The bug is entirely in ClawHub URL construction, so the helper-level test catches it without requiring network or install flows.
• Existing test that already covers this (if any): None.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

OpenClaw now supports ClawHub base URLs configured with a non-root path prefix, for example OPENCLAW_CLAWHUB_URL=http://host:port/clawhub.

Diagram (if applicable)

Before:
OPENCLAW_CLAWHUB_URL=http://host/clawhub -> /api/v1/search -> 404

After:
OPENCLAW_CLAWHUB_URL=http://host/clawhub -> /clawhub/api/v1/search -> 200

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): No
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux
• Runtime/container: Node v22.21.1, local checkout
• Model/provider: N/A
• Integration/channel (if any): ClawHub HTTP API helper
• Relevant config (redacted): OPENCLAW_CLAWHUB_URL=http://127.0.0.1:18799/clawhub

Steps

1. Start a local HTTP server that returns 200 only for /clawhub/api/v1/search.
2. Set OPENCLAW_CLAWHUB_URL to the local server URL with /clawhub path prefix.
3. Run searchClawHubSkills({ query: "calendar" }) through node --import tsx.

Expected

• The request preserves /clawhub and returns search results.

Actual

• The request preserved /clawhub and returned search results.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Focused validation run:

OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs run --config test/vitest/vitest.infra.config.ts src/infra/clawhub.test.ts

Test Files  1 passed (1)
Tests  39 passed | 2 skipped (41)

Live local HTTP proof after patch:

SERVER GET /clawhub/api/v1/search?q=calendar
[{"slug":"calendar","displayName":"Calendar","version":"1.0.0","summary":"demo"}]

Human Verification (required)

• Verified scenarios: Focused ClawHub infra tests; local HTTP path-prefix request proof.
• Edge cases checked: Existing ClawHub tests still pass for root-hosted default paths.
• What you did not verify: Full test suite, live external ClawHub behind nginx.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: URL path joining could affect existing root-hosted ClawHub requests.
  • Mitigation: Existing ClawHub helper tests still pass, and the new path-prefix test covers the previously missing case.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR updates src/infra/clawhub.ts URL joining, adds a path-prefix regression test in src/infra/clawhub.test.ts, and adds a changelog bullet.

Reproducibility: yes. Source inspection plus a direct Node URL check show current main drops /clawhub when resolving a leading-slash API path against a prefixed base URL.

PR rating
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Summary: Strong focused bug-fix PR with source-backed reproduction, live-output proof, and a narrow regression test; remaining confidence depends on exact-head checks.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
✨ Hatched: 🥚 common Moonlit Proofling

        .--^^^^--.           
     .-'  o    o  '-.        
    /       \__/      \      
   |    /\  ____  /\   |     
   |   /  \/____\/  \  |     
    \  \_.------._/  /       
     '._  `----'  _.'        
        '-.____.-'           
       _/|_|  |_|\_          
      /__|      |__\         
       .-----------.         
      '-------------'        

Rarity: 🥚 common.
Trait: guards the happy path.
Image traits: location workflow harbor; accessory commit compass; palette rose quartz and slate; mood sparkly; pose peeking out from the egg shell; shell glossy opal shell; lighting subtle sparkle highlights; background little resolved-comment flags.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Moonlit Proofling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• How to hatch it: reach status: 👀 ready for maintainer look or status: 🚀 automerge armed; that usually means sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness.
• When the egg is hatchable, the PR author or a maintainer can comment @clawsweeper hatch to generate its image.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Real behavior proof
Sufficient (live_output): The PR body includes copied live output from a local HTTP server showing the after-fix request preserved /clawhub and returned a result.

Risk before merge
Why this matters: - This read-only pass did not execute the test suite or live nginx-backed ClawHub proof; it relies on source inspection plus the PR body's focused test and local HTTP live output.

Maintainer options:

1. Decide the mitigation before merge
   Land this centralized helper fix after exact-head checks pass, keeping root-hosted and path-prefixed ClawHub URL behavior covered by regression tests.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No repair job is needed; the existing PR is already the focused fix candidate and can proceed through exact-head review, checks, and automerge gates.

Security
Cleared: The diff only changes path joining for existing ClawHub HTTP calls and adds coverage; it does not add dependencies, permissions, hosts, token handling, or execution paths.

Review details

Best possible solution:

Land this centralized helper fix after exact-head checks pass, keeping root-hosted and path-prefixed ClawHub URL behavior covered by regression tests.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection plus a direct Node URL check show current main drops /clawhub when resolving a leading-slash API path against a prefixed base URL.

Is this the best way to solve the issue?

Yes. The PR fixes the shared ClawHub URL helper instead of patching individual endpoints, so all search, metadata, security, readiness, and download paths inherit the same corrected behavior.

Label justifications:

• P2: This is a normal-priority focused bug fix for self-hosted or reverse-proxied ClawHub deployments with limited blast radius.

What I checked:

• Current-main bug source: Current main builds ClawHub request URLs with new URL(params.path, normalizedBase), while all relevant ClawHub call sites pass leading-slash /api/v1/... paths that replace any base pathname. (src/infra/clawhub.ts:553, c81271ee6e3a)
• Source-level reproduction: A direct Node URL check against current behavior produced http://host:8080/api/v1/search from base http://host:8080/clawhub/ plus path /api/v1/search, confirming the /clawhub prefix is discarded. (c81271ee6e3a)
• PR implementation: The source commit replaces two-argument URL resolution with base-path preservation plus normalized request-path appending, and adds a focused test asserting /clawhub/api/v1/search. (src/infra/clawhub.ts:553, 31808d220b35)
• After-fix proof supplied: The PR body includes copied live output from a local HTTP server showing SERVER GET /clawhub/api/v1/search?q=calendar and a returned search result, plus a focused infra test run passing the ClawHub test file. (7bb2cb876478)
• Feature history: History shows native ClawHub install flows introduced the central infra helper and later ClawHub auth/security work repeatedly maintained the same file pair. (src/infra/clawhub.ts:553, 91b2800241c1)

Likely related people:

• Peter Steinberger: Introduced the native ClawHub install flows in src/infra/clawhub.ts and appears most frequently in the file-pair history, including later ClawHub compatibility refactors. (role: feature introducer and heavy area contributor; confidence: high; commits: 91b2800241c1, 85ed1a89860d, 5696e24c3fba; files: src/infra/clawhub.ts, src/infra/clawhub.test.ts)
• Ayaan Zaidi: Current-main blame for the buildUrl block points to a recent commit that carried the ClawHub infra files forward in the checked-out history. (role: recent area contributor; confidence: medium; commits: 131577a4dc6d; files: src/infra/clawhub.ts, src/infra/clawhub.test.ts)
• Vincent Koc: Recent merged ClawHub work added auth resolution and test-helper cleanup in the same infra helper and test file. (role: adjacent ClawHub maintainer; confidence: medium; commits: 071de383ffa9, 691aa7e0522d; files: src/infra/clawhub.ts, src/infra/clawhub.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against c81271ee6e3a.

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=7bb2cb876478e6ad6caa2d241f1fa069e4f9c3f0)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-19T23:22:02Z
Merge commit: b9a2c1152100

What merged:

• The PR updates src/infra/clawhub.ts URL joining, adds a path-prefix regression test in src/infra/clawhub.test.ts, and adds a changelog bullet.
• Reproducibility: yes. Source inspection plus a direct Node URL check show current main drops /clawhub when resolving a leading-slash API path against a prefixed base URL.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(clawhub): preserve base URL path prefix [AI-assisted]

The automerge loop is complete.

Automerge progress:

• 2026-05-19 17:27:00 UTC review queued 774fc7c45182 (queued)

• 2026-05-19 17:29:20 UTC repair queued 774fc7c45182 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26113950304

• 2026-05-19 20:36:49 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 automerge-openclaw-openclaw-83982

• 2026-05-19 20:37:05 UTC validation plan (passed) in 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-19 20:37:21 UTC Codex write preflight (passed) in 32s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 danger-full-access

• 2026-05-19 20:50:01 UTC Codex edit 1 31808d220b35 (complete) in 13m 13s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 exit 0

• 2026-05-19 20:54:28 UTC validation and review 1 7bb2cb876478 (complete) in 17m 39s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 already-current

• 2026-05-19 20:54:33 UTC repair completed 7bb2cb876478 (branch updated) in 17m 45s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 initial automerge rebase is delegated to Codex repair

• 2026-05-19 20:54:33 UTC review queued 7bb2cb876478 (after repair)

• 2026-05-19 21:04:35 UTC automerge wait 7bb2cb876478 (waiting) in 27m 47s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 waiting for GitHub checks: preflight:QUEUED, Security High (core-auth-secrets):QUEUED, Select Critical Quality shards:QUEUED, Scan changed paths (precise):QUEU...

• 2026-05-19 21:04:37 UTC repair finished 7bb2cb876478 (pushed) in 27m 48s Run: https://github.com/openclaw/clawsweeper/actions/runs/26123598038 repair_contributor_branch

• 2026-05-19 21:00:21 UTC review passed 7bb2cb876478 (structured ClawSweeper verdict: pass (sha=7bb2cb876478e6ad6caa2d241f1fa069e4f9c...)

• 2026-05-19 23:22:04 UTC merged 7bb2cb876478 (merged by ClawSweeper automerge)

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: No repair lane is needed; the existing PR is the fix candidate and the remaining action is normal required-check and maintainer merge validation.; Cleared: The diff only changes URL path joining for existing ClawHub HTTP calls and adds a test; it does not add dependencies, permissions, secret handling, or new execution paths. (sha=774fc7c45182bf44c191feb64e9ec8a1cf8789b7)

Why human review is needed:
This item has security-sensitive risk. ClawSweeper is pausing instead of making an autonomous change that could affect trust, credentials, permissions, or exposure.

Recommended next action:
Have a maintainer review the security-sensitive detail and provide an explicit safe path before asking ClawSweeper to continue.

I added clawsweeper:human-review and left the final call with a maintainer.

[ThiagoCAltoe]

@clawsweeper thanks for the review. The latest CI and real-behavior proof are passing on 774fc7c45182, and I do not see a code issue called out in the human-review pause. I will leave this with maintainers for the security-sensitive review; happy to adjust if there is a specific URL-joining or trust-boundary concern you want handled differently.