fix: use www.clawhub.ai in well-known discovery config

[jontsai]

Problem

clawhub login fails with Unauthorized for all users.

Root cause: The .well-known/clawhub.json discovery config advertises https://clawhub.ai as the apiBase, but clawhub.ai 307-redirects to www.clawhub.ai (Vercel hosting).

Node.js's fetch() strips the Authorization header on cross-origin redirects per HTTP spec (clawhub.ai → www.clawhub.ai is considered cross-origin). The CLI sends the auth token to clawhub.ai, gets redirected, and the token is dropped before reaching www.clawhub.ai.

This affects:

• clawhub login (browser flow callback validation)
• clawhub login --no-browser --token
• clawhub whoami
• clawhub publish
• Any authenticated API call

Fix

Update apiBase, authBase, and registry in both .well-known/clawhub.json and .well-known/clawdhub.json to use https://www.clawhub.ai directly, bypassing the redirect.

Repro

# Shows the 307 redirect
curl -sI https://clawhub.ai/api/v1/whoami
# HTTP/2 307
# location: https://www.clawhub.ai/api/v1/whoami

# Direct to www works fine
curl -s -H 'Authorization: Bearer <token>' https://www.clawhub.ai/api/v1/whoami

Files Changed

• public/.well-known/clawhub.json
• public/.well-known/clawdhub.json

Greptile Overview

Greptile Summary

This PR updates the CLI discovery configuration served from public/.well-known/*.json so the CLI uses https://www.clawhub.ai directly, avoiding the clawhub.ai → www.clawhub.ai redirect that causes Node’s fetch() to drop Authorization headers on cross-origin redirects.

The change fits into the codebase as static discovery metadata (served via the web app’s public/ assets) that the CLI reads to determine apiBase, authBase, and registry locations for authenticated operations.

Confidence Score: 3/5

• Mostly safe to merge, but verify the discovery JSON actually reflects the intended www endpoints.
• The change is limited to static JSON config, but the current file contents indicate authBase and registry may still point at https://clawhub.ai, which would undercut the stated fix and likely keep auth flows broken for some calls.
• public/.well-known/clawhub.json, public/.well-known/clawdhub.json

_{(5/5) You can turn off certain types of comments like style here!}

Context used:

• Context from dashboard - AGENTS.md (source)

[vercel]

@jontsai is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

clawhub.json still has the old values (https://clawhub.ai) for authBase and registry, which looks like it would keep the 307-redirect + dropped Authorization header issue for those endpoints. It probably should match the diff intent and use https://www.clawhub.ai for all three fields.

Also appears in public/.well-known/clawdhub.json (same lines).

Prompt To Fix With AI

This is a comment left during a code review.
Path: public/.well-known/clawhub.json
Line: 2:5

Comment:
`clawhub.json` still has the old values (`https://clawhub.ai`) for `authBase` and `registry`, which looks like it would keep the 307-redirect + dropped `Authorization` header issue for those endpoints. It probably should match the diff intent and use `https://www.clawhub.ai` for all three fields.

Also appears in `public/.well-known/clawdhub.json` (same lines).

How can I resolve this? If you propose a fix, please make it concise.

[jontsai]

All three fields (apiBase, authBase, registry) are already updated to https://www.clawhub.ai in both files. The diff shows all 6 line changes (3 per file). Perhaps the diff rendering was confusing — here's the full file after the change:

{
  "apiBase": "https://www.clawhub.ai",
  "authBase": "https://www.clawhub.ai",
  "minCliVersion": "0.1.0",
  "registry": "https://www.clawhub.ai"
}

Both clawhub.json and clawdhub.json have the same fix applied.