chore: add constrained Crabbox setup #105

Merged: vincentkoc merged 1 commit into main from chore/setup-baseline-safe-20260523 on May 22, 2026

@vincentkoc
Member

Summary

  • Adds the exact Crabbox skill copied from openclaw/openclaw.
  • Adds a constrained Crabbox config and hydrate workflow with repo-specific self-hosted runner labels.
  • Adds actionlint label config, CODEOWNERS coverage for the new automation surfaces, and package scripts for the copied skill command surface.

This is the narrowed replacement shape for the earlier broad setup baseline. It intentionally does not add CodeQL, stale automation, licensing changes, Dependabot, or other policy-heavy defaults.

Verification

  • git diff --check
  • Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • Crabbox skill SHA-256 matched openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • Package script presence check for check:changed, test:changed, and crabbox:*
  • Private-path scan for new public files
  • pnpm run format:check

Notes

  • No live Crabbox lease was started for this setup-only patch.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Codex review: needs changes before merge.

Latest ClawSweeper review: 2026-05-22 21:43 UTC / May 22, 2026, 5:43 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch adds a Crabbox skill, .crabbox.yaml, a manual Crabbox hydrate workflow, actionlint runner-label config, CODEOWNERS entries, and Crabbox package scripts.

Reproducibility: yes. Source inspection of the PR tree shows the added skill invokes scripts/crabbox-wrapper.mjs and .github/workflows/ci-check-testbox.yml, while neither file exists in the branch.

PR rating
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Summary: The setup is useful and narrow, but patch confidence is limited by repo-invalid copied skill commands that should be fixed before merge.

Rank-up moves:

  • Replace OpenClaw-only Crabbox skill references with clawpatch-valid commands and workflows.
  • Add redacted live hydrate or Crabbox help/run output if maintainers want runtime confidence before enabling the workflow.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The PR is member-authored, so the external contributor proof gate does not apply; the body also states that no live Crabbox lease was started.

Risk before merge

  • Agents following the copied skill can fail or collect misleading proof because the documented Blacksmith/Testbox command references files that are absent from clawpatch.
  • The PR body says no live Crabbox lease was started, so the syntax checks do not prove the new hydrate path end to end if maintainers require runtime confidence before enabling it.

Maintainer options:

  1. Fix the skill before merge (recommended)
    Update the copied Crabbox skill so every recommended command, workflow, and package-script reference exists in clawpatch or is explicitly marked unsupported.
  2. Accept as setup-only foundation
    Maintainers could land the config/workflow first and knowingly treat the copied skill as temporary, but Crabbox proof instructions would remain unreliable until a follow-up fixes them.
Recommended automerge instruction:
@clawsweeper automerge

Special instructions:
Update .agents/skills/crabbox/SKILL.md so command examples and Testbox workflow references are valid for openclaw/clawpatch: replace or remove OpenClaw-only references such as scripts/crabbox-wrapper.mjs, .github/workflows/ci-check-testbox.yml, unsupported e2e scripts, and nonexistent package scripts; validate with rg for missing referenced files/scripts plus JSON/YAML parse checks.

Next step before merge
A focused repair can make the copied skill match clawpatch; merge timing and any live Crabbox enablement proof remain maintainer-owned.

Security
Cleared: The diff adds a manual self-hosted workflow with read-only repository permissions and validates the state-file ID path; no concrete security or supply-chain regression was found.

Review findings

  • [P2] Make the Crabbox skill use clawpatch paths — .agents/skills/crabbox/SKILL.md:199-203
Review details

Best possible solution:

Make the Crabbox skill clawpatch-specific while preserving the constrained config and hydrate workflow, then let maintainers decide whether setup-only validation is enough before merge.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection of the PR tree shows the added skill invokes scripts/crabbox-wrapper.mjs and .github/workflows/ci-check-testbox.yml, while neither file exists in the branch.

Is this the best way to solve the issue?

No. Copying the OpenClaw skill verbatim is not the best finish for clawpatch; the maintainable path is to keep the constrained setup and replace or remove repo-invalid examples.

Label justifications:

  • P2: This is a bounded automation setup PR with a concrete correctness blocker but no current product runtime outage.
  • merge-risk: 🚨 automation: Merging the PR as-is could break or misdirect the new Crabbox/Testbox proof workflow because the skill references repo-missing files.
  • rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and the setup is useful and narrow, but patch confidence is limited by repo-invalid copied skill commands that should be fixed before merge.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The PR is member-authored, so the external contributor proof gate does not apply; the body also states that no live Crabbox lease was started.

Full review comments:

  • [P2] Make the Crabbox skill use clawpatch paths — .agents/skills/crabbox/SKILL.md:199-203
    The Blacksmith lane points agents at scripts/crabbox-wrapper.mjs and .github/workflows/ci-check-testbox.yml, but neither file exists in this repo or in the PR tree. Anyone following this skill will fail before they can produce Testbox proof, so replace these OpenClaw-only references with clawpatch-valid commands or mark the lane unsupported.
    Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.9

Acceptance criteria:

  • rg -n "scripts/crabbox-wrapper|ci-check-testbox|scripts/e2e|test:live|check:test-types|OPENCLAW" .agents/skills/crabbox/SKILL.md should return no repo-invalid instructions or only clearly marked unsupported notes.
  • node -e "JSON.parse(require('fs').readFileSync('package.json','utf8')); console.log('package ok')"
  • ruby -e "require 'yaml'; %w[.crabbox.yaml .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml].each { |f| YAML.load_file(f) }; puts 'yaml ok'"
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • pnpm format:check

What I checked:

  • Member-authored PR: The provided GitHub context identifies the author as vincentkoc with author association MEMBER, so this workflow should not auto-close the PR and should leave merge/cleanup to maintainer handling.
  • Changed automation surface: The PR branch changes six automation/config files: the new Crabbox skill, .crabbox.yaml, CODEOWNERS, actionlint config, hydrate workflow, and package scripts. (4617fdf4cdae)
  • Invalid copied skill references: The added skill's Blacksmith path invokes node scripts/crabbox-wrapper.mjs and .github/workflows/ci-check-testbox.yml, which are OpenClaw-specific paths rather than clawpatch paths. (.agents/skills/crabbox/SKILL.md:199, 4617fdf4cdae)
  • Referenced files absent from PR tree: The PR tree contains the new Crabbox skill/config/workflow files, but not scripts/crabbox-wrapper.mjs or .github/workflows/ci-check-testbox.yml, so the documented command cannot run as written. (4617fdf4cdae)
  • Current main has no existing Crabbox implementation: Current main does not contain .agents, .crabbox.yaml, Crabbox/Testbox workflows, actionlint config, or Crabbox wrapper scripts, so the PR is not already implemented on main. (a0080cf775ad)
  • Workflow security shape: The new hydrate workflow uses read-only repository permissions and validates crabbox_id before writing state paths; no concrete security regression was found beyond the automation correctness issue. (.github/workflows/crabbox-hydrate.yml:29, 4617fdf4cdae)

Likely related people:

  • Vincent Koc: He authored the prior merged repository hardening workflow/CODEOWNERS commit and has relevant main-branch history on .github automation surfaces. (role: recent security automation contributor; confidence: high; commits: e4a60f499475; files: .github/CODEOWNERS, .github/workflows/ci.yml)
  • Peter Steinberger: Current main and the v0.4.0 release commit most recently touched the package and repository automation surface used as the base for this PR. (role: recent area contributor; confidence: medium; commits: a0080cf775ad, cdd58ac59213; files: package.json, .github/CODEOWNERS, .github/workflows/ci.yml)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a0080cf775ad.
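
The acceptance criteria in the review above ask that every file and package script the copied skill references exists in the target repository. A generalized form of that check, as an added example (not code from clawpatch, Crabbox or ClawSweeper); the function name, the skill excerpt, the file list and the script values are constructed for illustration.

```javascript
// Added example: report file paths and pnpm scripts that a skill document
// references but the target repository does not provide.
// Only slash-bearing paths with a file extension are treated as file references.
const PATH_RE = /^(?:\.?[\w-]+\/)+[\w.-]+\.[A-Za-z0-9]+$/;
// `pnpm run <name>` or `pnpm <name>`; built-in subcommands are skipped below.
const SCRIPT_RE = /\bpnpm\s+(?:run\s+)?([a-z][\w:-]*)/g;
const PNPM_BUILTINS = new Set(['run', 'install', 'add', 'exec', 'dlx', 'remove', 'update']);

function findMissingReferences(skillText, repoFiles, packageScripts) {
  const scripts = new Set(Object.keys(packageScripts));
  const missing = [];
  const seen = new Set();
  skillText.split('\n').forEach((line, idx) => {
    const report = (kind, ref) => {
      const key = kind + ':' + ref;
      if (seen.has(key)) return; // report each reference once, at first use
      seen.add(key);
      missing.push({ line: idx + 1, kind, ref });
    };
    for (const raw of line.split(/\s+/)) {
      // Strip markdown backticks, quotes, brackets and trailing punctuation.
      const token = raw.replace(/^[`'"(\[]+|[`'")\],;:.]+$/g, '');
      if (PATH_RE.test(token) && !repoFiles.has(token.replace(/^\.\//, ''))) {
        report('file', token);
      }
    }
    for (const m of line.matchAll(SCRIPT_RE)) {
      if (!PNPM_BUILTINS.has(m[1]) && !scripts.has(m[1])) report('script', m[1]);
    }
  });
  return missing;
}

// Constructed sample input: a short skill excerpt, the repo's file list
// (e.g. the output of `git ls-files`) and the `scripts` map from package.json.
const SAMPLE_SKILL = [
  '# Crabbox (constructed excerpt)',
  'Run `node scripts/crabbox-wrapper.mjs run` for the Blacksmith lane.',
  'Dispatch `.github/workflows/ci-check-testbox.yml` for Testbox proof.',
  'Hydrate with `.github/workflows/crabbox-hydrate.yml`.',
  'Then run `pnpm run check:changed` and `pnpm test:live`.',
].join('\n');
const SAMPLE_FILES = new Set(['.github/workflows/crabbox-hydrate.yml', 'package.json']);
const SAMPLE_SCRIPTS = { 'check:changed': 'placeholder', 'test:changed': 'placeholder' };

console.log(findMissingReferences(SAMPLE_SKILL, SAMPLE_FILES, SAMPLE_SCRIPTS));
```

Run as a CI step, a non-empty result can fail the job so a copied skill cannot land with commands that point at files or scripts the repository lacks.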

clawsweeper Bot added labels May 22, 2026:

  • rating: 🦐 gold shrimp (Decent PR readiness signal, but merge confidence is limited.)
  • status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action.)
  • P2 (Normal priority bug or improvement with limited blast radius.)
  • merge-risk: 🚨 automation (🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.)

@clawsweeper

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

vincentkoc marked this pull request as ready for review May 22, 2026 21:39
vincentkoc requested a review from a team as a code owner May 22, 2026 21:39
vincentkoc merged commit 857d854 into main May 22, 2026 (9 checks passed)
vincentkoc deleted the chore/setup-baseline-safe-20260523 branch May 22, 2026 21:57