feat: add onboarding CLI and Leptos chat UI

[jbold]

Summary

• Onboarding CLI (exoclaw onboard): Guided first-time setup with secure API key storage. Keys stored in ~/.exoclaw/credentials/{provider}.key (mode 0600), never in config. Resolution chain: env var → credential file → None.
• Leptos Chat UI: Browser-based chat at http://localhost:7200 with WebSocket streaming, markdown rendering, auth prompt for non-loopback binds, and connection status indicator. Built as WASM via trunk, embedded in server binary via rust-embed.
• Cargo workspace: Converted to workspace with root server crate + ui/ frontend crate sharing Cargo.lock and target/.
• 14 new integration tests for credential security, config preservation, env var precedence, and edge cases (134 total tests passing).

Changes

• 35 files changed, +3,885 lines
• New ui/ crate: Leptos 0.7 CSR app (app, state, ws, markdown, 5 components)
• New src/secrets.rs: Credential file read/write with filesystem permissions
• New tests/onboard_test.rs: 14 integration tests
• Modified src/gateway/server.rs: rust-embed UI serving + no-API-key warning
• Modified src/main.rs, src/config.rs: Onboarding CLI command
• Full spec artifacts in specs/002-onboard-chat-ui/

Test plan

• cargo test passes (134 tests)
• cargo clippy clean (0 warnings excluding dead_code)
• cargo fmt --check clean
• cargo check -p exoclaw-ui --target wasm32-unknown-unknown passes
• trunk build produces WASM bundle in ui/dist/
• Manual: cargo run -- onboard → enter provider + key → verify credential file created with 0600 permissions
• Manual: cargo run -- gateway → open browser to localhost:7200 → verify chat UI loads
• Manual: Type message in chat → verify WebSocket connection and streaming response

🤖 Generated with Claude Code

[jbold]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[jbold]

Code review

Found 1 issue:

1. is_connected flag is misleading -- WebSocket connection is dropped immediately after probe. In app.rs, the initial connection attempt discards the WsConnection via Ok(_) and sets is_connected = true, but the socket closes when the value is dropped. The same pattern appears in the reconnect handler in status.rs. The UI shows "Connected" when no persistent socket exists. Each message send in input.rs creates its own fresh connection, so the status indicator does not reflect actual connectivity.

ui/src/app.rs (initial connection probe drops the socket):

exoclaw/ui/src/app.rs

Lines 13 to 25 in 8e5c11e

	// Attempt initial WebSocket connection
	wasm_bindgen_futures::spawn_local(async move {
	match crate::ws::connect(None).await {
	Ok(_) => {
	state.is_connected.set(true);
	}
	Err(e) => {
	if e.contains("auth") {
	state.needs_auth.set(true);
	}
	}
	}
	});

ui/src/components/status.rs (reconnect handler same pattern):

exoclaw/ui/src/components/status.rs

Lines 24 to 41 in 8e5c11e

	let on_click = move |_| {
	if !state.is_connected.get() {
	// Trigger reconnect by spawning connection attempt
	let token = state.auth_token.get();
	wasm_bindgen_futures::spawn_local(async move {
	match crate::ws::connect(token).await {
	Ok(_) => {
	state.is_connected.set(true);
	}
	Err(e) => {
	if e.contains("auth") {
	state.needs_auth.set(true);
	}
	state.add_error(format!("Reconnect failed: {}", e));
	}
	}
	});
	}

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}