fix: harden GitHub App setup, sync user-data.sh, and simplify SKILL.md #1

Open
proactive-ai-engineer[bot] wants to merge 1 commit into main from fix/github-app-config-and-docs

@proactive-ai-engineer proactive-ai-engineer bot commented Feb 22, 2026

What

  1. GitHub App Scoping: now saves into the isolated agent profile config directory () instead of the shared . This prevents multi-agent setups on the same machine from overwriting each other's keys.
  2. Terraform Drift Fix: The Terraform stock Ubuntu path previously reimplemented the install logic from scratch via cat openclaw.json, completely missing GitHub App credentials. It now properly invokes the actual install.sh and passes the variables down.
  3. Committer Config Fix: Fixed a bug in scripts/refresh-github-token.sh. The script was running export GIT_AUTHOR_NAME=... which silently failed because the script is called in a subshell via export GH_TOKEN=$(...). It now directly invokes git config --global user.name/email.
  4. Prompt Optimization: Because the refresh script now automatically handles git config, I removed the manual git config steps from SKILL.md. This trims token usage and reduces the LLM hallucination/error surface area.

Why

This resolves structural bugs in multi-tenant agent setups, fixes Terraform drift preventing GitHub App usage on fresh Ubuntu AMIs, and makes the LLM instructions cleaner and less error-prone.


EntelligenceAI PR Summary

This PR refactors installation architecture to centralize configuration logic and introduce GitHub App authentication support.

  • Separated configuration files from installation files by moving PEM storage to CONFIG_DIR
  • Consolidated git identity configuration into refresh-github-token.sh using git config --global commands
  • Simplified user-data.sh bootstrap by delegating to upstream install.sh script, removing ~40 lines of manual setup
  • Added GitHub App authentication variables (GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PEM_PATH)
  • Updated token refresh documentation to reflect consolidated configuration approach

Confidence Score: 4/5 - Mostly Safe

  • No review comments were generated, indicating no automated issues were detected
  • Coverage is good but not complete: 3 out of 4 changed files were reviewed, leaving one file unexamined
  • The unreviewed file represents a potential blind spot that prevents a perfect confidence score
  • No critical, significant, or high-risk issues were identified by the heuristic analysis
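
The subshell behaviour behind item 3 of the description, as an added example that is not the project's scripts/refresh-github-token.sh. The two refresh_* functions are hypothetical stand-ins, the token and identity values are constructed, and a throwaway HOME keeps the real ~/.gitconfig untouched.

```shell
#!/bin/sh
# Added example: why `export` inside a script run via $(...) never reaches the
# caller, while `git config --global` does. All names and values are constructed.

# "Before" stand-in: sets the identity with export, prints the token on stdout.
refresh_with_export() {
    export GIT_AUTHOR_NAME="constructed-bot"
    printf '%s\n' "constructed-token-123"
}

# "After" stand-in: persists the identity in git's global config file.
refresh_with_git_config() {
    command -v git >/dev/null 2>&1 || return 1   # same kind of guard the PR adds
    git config --global user.name "constructed-bot"
    git config --global user.email "bot@example.invalid"
    printf '%s\n' "constructed-token-123"
}

# What the caller sees for GIT_AUTHOR_NAME after the command substitution.
author_seen_by_caller() {
    unset GIT_AUTHOR_NAME
    export GH_TOKEN="$(refresh_with_export)"     # export ran in a child shell
    printf '%s' "${GIT_AUTHOR_NAME:-<unset>}"
}

# What the caller sees for user.name after the command substitution.
identity_seen_by_caller() {
    demo_home=$(mktemp -d) || return 1
    name=$(
        HOME="$demo_home"; export HOME
        unset GIT_CONFIG_GLOBAL XDG_CONFIG_HOME   # force $HOME/.gitconfig
        GH_TOKEN=$(refresh_with_git_config) || exit 1
        git config --global user.name             # read back from the file
    )
    rc=$?
    rm -rf "$demo_home"
    [ "$rc" -eq 0 ] && printf '%s' "$name"
}

echo "export inside \$(...):  GIT_AUTHOR_NAME=$(author_seen_by_caller)"
echo "git config --global:   user.name=$(identity_seen_by_caller)"
```

The first line reports the variable as unset because the export happened in the child shell created by the command substitution; the second reports the name because it was written to a file the caller can read.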

@entelligence-ai-pr-reviews

Walkthrough

This PR refactors the installation and configuration architecture to improve separation of concerns and reduce code duplication. The changes centralize configuration file storage in a dedicated CONFIG_DIR, consolidate git identity setup into a reusable script, and significantly simplify the Terraform bootstrap process by delegating to an upstream installation script. The refactoring introduces GitHub App authentication support through new environment variables and eliminates approximately 40 lines of manual setup code from the user-data script. Overall, these changes establish a single source of truth for installation logic and reduce maintenance overhead.

Changes

| File(s) | Summary |
| --- | --- |
| install.sh | Refactored GitHub App PEM file storage to use $CONFIG_DIR instead of $INSTALL_DIR; reordered operations to create $CONFIG_DIR before defining PEM_DEST path. |
| scripts/refresh-github-token.sh | Replaced environment variable exports (GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL) with git config --global commands for user.name and user.email; added git command availability check; updated header comment to reflect global git configuration. |
| skills/proactive-engineer/SKILL.md | Simplified token refresh instructions by swapping export order (GH_TOKEN set first, then GITHUB_TOKEN derived from it); removed manual git config commands, delegating to refresh-github-token.sh script. |
| terraform/user-data.sh | Replaced ~40 lines of manual installation logic with single call to external install script; added GitHub App environment variables (GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PEM_PATH) and SETUP_TAILSCALE flag; removed manual git cloning, symlink creation, JSON config generation, and systemctl service management. |

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Script as Installation Script
    participant FS as File System
    participant Env as Environment Variables

    Note over Script: GitHub App Setup Flow
    
    alt USE_GITHUB_APP = "yes"
        Script->>FS: mkdir -p $CONFIG_DIR
        Note over Script,FS: Changed: Create config directory first
        Script->>Script: Set PEM_DEST = $CONFIG_DIR/github-app.pem
        Note over Script: Changed: PEM now stored in CONFIG_DIR<br/>instead of INSTALL_DIR
        Script->>FS: cp $GITHUB_APP_PEM_PATH to PEM_DEST
        Script->>FS: chmod 600 PEM_DEST
        Script->>Env: export GITHUB_APP_PEM_PATH = PEM_DEST
        Note over Env: Updated path available for<br/>subsequent operations
    else GitHub App not used
        Note over Script: Skip GitHub App setup
    end
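
The PEM placement discussed in this thread, as an added example that is not the project's install.sh: two agents installing into one shared directory versus one config directory per profile. Directory names and key contents are constructed, and the umask 077 step is an addition beyond the cp and chmod 600 shown in the diagram.

```shell
#!/bin/sh
# Added example: shared key location vs. per-profile config directory.
# All paths and key contents are constructed.

# Copy a GitHub App PEM into DIR as github-app.pem, mode 0600; print the path.
install_app_pem() {
    src=$1 dir=$2
    [ -r "$src" ] || { echo "PEM not readable: $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dest="$dir/github-app.pem"
    # umask 077 keeps a newly created copy private even before chmod runs.
    ( umask 077 && cp "$src" "$dest" && chmod 600 "$dest" ) || return 1
    printf '%s\n' "$dest"
}

# Octal permission bits, GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

demo_two_agents() {
    root=$(mktemp -d) || return 1
    printf 'constructed-key-A\n' > "$root/a.pem"
    printf 'constructed-key-B\n' > "$root/b.pem"

    # Shared location: agent B's install replaces agent A's key.
    shared_a=$(install_app_pem "$root/a.pem" "$root/shared") || return 1
    install_app_pem "$root/b.pem" "$root/shared" >/dev/null || return 1
    shared_now=$(cat "$shared_a")

    # Per-profile location: each agent keeps its own key.
    pem_a=$(install_app_pem "$root/a.pem" "$root/profile-a") || return 1
    pem_b=$(install_app_pem "$root/b.pem" "$root/profile-b") || return 1

    out="shared=$shared_now a=$(cat "$pem_a") b=$(cat "$pem_b") mode=$(file_mode "$pem_a")"
    rm -rf "$root"
    printf '%s\n' "$out"
}

demo_two_agents
```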
