
chore: add constrained Crabbox setup#7

Merged
vincentkoc merged 1 commit into main from chore/setup-baseline-safe-20260523 on May 22, 2026

Conversation

@vincentkoc
Member

Summary

  • Adds the exact Crabbox skill copied from openclaw/openclaw.
  • Adds constrained Crabbox config and hydrate workflow with repo-specific self-hosted runner labels.
  • Adds actionlint runner-label config and CODEOWNERS coverage for the new automation surfaces.
  • Adds package scripts for the copied skill command surface when the repo already has a root package.json.

This is the narrowed replacement shape for the earlier broad setup baseline. It intentionally does not add CodeQL, stale automation, licensing changes, Dependabot, package-manager files, or unrelated policy defaults.

Verification

  • git diff --check
  • Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • Crabbox skill SHA-256 matched openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • Package script presence check where a root package.json exists
  • Private-path scan for new public files
  • test -z "$(gofmt -l .)" for Go repos

Notes

No live Crabbox lease was started for this setup-only patch.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Codex review: needs changes before merge.

Latest ClawSweeper review: 2026-05-22 21:44 UTC / May 22, 2026, 5:44 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds Crabbox skill/configuration, a self-hosted hydrate workflow, actionlint/CODEOWNERS coverage, and package scripts for Crabbox commands.

Reproducibility: not applicable as a user bug, but yes for the review finding: the PR diff directly shows mutable uses: refs in the self-hosted hydrate workflow, and current CI shows the established pinned-action pattern.

PR rating
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Summary: The patch is not merge-ready because the new self-hosted workflow has a concrete action-pinning security blocker.

Rank-up moves:

  • Pin the new workflow action refs to full commit SHAs.
  • Add redacted live Crabbox hydrate or run output if maintainers want runtime setup proof before landing.

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external-contributor proof gate does not apply because the PR author is a repository member; maintainers may still request redacted live Crabbox hydrate or run output.

Risk before merge

  • Merging as written would execute mutable action refs on a self-hosted Crabbox runner path.
  • The branch adds a new repository hydrate path without live Crabbox hydrate/run output, so maintainers still need to decide whether that automation surface is ready to own.

Maintainer options:

  1. Pin action refs before merge (recommended)
    Update every third-party uses: entry in .github/workflows/crabbox-hydrate.yml to the intended immutable full commit SHA before the workflow can run on self-hosted Crabbox workers.
  2. Require live hydrate proof
    Before accepting the new automation path, maintainers can require redacted terminal or log output showing a Crabbox hydrate or run succeeds for this repository.
  3. Defer the Crabbox setup
    If the repo does not need Crabbox automation yet, maintainers can pause or close the PR rather than adding a self-hosted workflow surface now.
@clawsweeper automerge

Special instructions:
Pin `.github/workflows/crabbox-hydrate.yml` action `uses:` entries to immutable full commit SHAs for the intended versions, preserving the workflow behavior and avoiding unrelated changes.

Next step before merge
A narrow automated repair can pin the mutable workflow action refs; maintainer acceptance of the Crabbox automation surface remains a merge decision after that.

Security
Needs attention: The PR adds a self-hosted workflow that uses mutable third-party action refs instead of immutable SHAs.

Review findings

  • [P1] Pin the hydrate workflow actions — .github/workflows/crabbox-hydrate.yml:39-47

Review details

Best possible solution:

Pin the new workflow actions to immutable full SHAs, then merge only if maintainers want this repo-level Crabbox automation and are satisfied with the setup proof.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a user bug, but yes for the review finding: the PR diff directly shows mutable uses: refs in the self-hosted hydrate workflow, and current CI shows the established pinned-action pattern.

Is this the best way to solve the issue?

No; the setup direction may be acceptable, but the proposed workflow should follow the repo’s pinned-action hardening before merge.

Label justifications:

  • P2: This is a repository automation improvement with a concrete blocker but no immediate runtime-user outage.
  • merge-risk: 🚨 security-boundary: The PR adds a self-hosted workflow that would execute mutable third-party action refs.
  • merge-risk: 🚨 automation: The PR introduces a new Crabbox hydrate workflow and package command surface without live runtime proof.
  • rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🌊 off-meta tidepool, patch quality is 🧂 unranked krab, and the patch is not merge-ready because the new self-hosted workflow has a concrete action-pinning security blocker.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-contributor proof gate does not apply because the PR author is a repository member; maintainers may still request redacted live Crabbox hydrate or run output.

Full review comments:

  • [P1] Pin the hydrate workflow actions — .github/workflows/crabbox-hydrate.yml:39-47
    The new self-hosted hydrate job runs actions/checkout@v6, pnpm/action-setup@v6.0.8, and actions/setup-node@v6 from mutable refs. Existing setup workflows pin these actions to full commit SHAs, so this runner path would execute moving third-party code on Crabbox workers; pin the intended versions before merge.
    Confidence: 0.92

Overall correctness: patch is incorrect
Overall confidence: 0.9

Security concerns:

  • [medium] Mutable action refs on self-hosted runner — .github/workflows/crabbox-hydrate.yml:39
    The hydrate workflow would run checkout, pnpm setup, and Node setup actions by tag on a self-hosted Crabbox runner, creating a supply-chain hardening regression compared with the pinned setup workflows in main.
    Confidence: 0.9

Acceptance criteria:

  • git diff --check
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml

What I checked:

  • Current main lacks Crabbox setup: A repository search on current main found no existing Crabbox skill, config, workflow, CODEOWNERS, actionlint, or package-script surface, so the PR is not superseded by main. (26809ef0007c)
  • PR adds mutable action refs on a self-hosted workflow: The proposed hydrate job runs on self-hosted Crabbox labels and uses actions/checkout@v6, pnpm/action-setup@v6.0.8, and actions/setup-node@v6 instead of immutable commit SHAs. (.github/workflows/crabbox-hydrate.yml:39, 01b0d6d84153)
  • Existing setup workflows pin equivalent actions: Current CI pins checkout, pnpm/action-setup, and setup-node to full commit SHAs for equivalent setup steps, which makes the new hydrate workflow less hardened than the established setup path. (.github/workflows/ci.yml:24, 26809ef0007c)
  • No live hydrate proof in PR body: The PR verification lists static checks and explicitly says no live Crabbox lease was started, so runtime setup proof is still a maintainer choice rather than demonstrated behavior. (01b0d6d84153)
  • Workflow and package history provenance: The current workflow and package surfaces in main appear to have been introduced in the v0.3.3 release commit, which is the clearest local routing history for this automation area. (.github/workflows/ci.yml:1, 8430d51d183b)
  • Checkout remained clean: The final read-only status check showed no worktree changes from this review. (26809ef0007c)

Likely related people:

  • Peter Steinberger: Local history shows the current workflow files and package scripts were introduced in commit 8430d51, and blame for the existing package script block points to the same commit. (role: current workflow/package area introducer; confidence: medium; commits: 8430d51d183b; files: .github/workflows/ci.yml, .github/workflows/package.yml, .github/workflows/pages.yml)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 26809ef0007c.
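The P1 finding above is a mechanical check: every third-party `uses:` entry in a workflow should resolve to a 40-hex commit SHA, not a moving tag such as `v6` or `v6.0.8`. Here is an added example that performs that scan (it is not code from the PR, the repository, or ClawSweeper); the sample workflow is constructed to mirror the finding, and its runner labels, local action, pinned action name and SHA are invented:

```python
# Added example, not the PR's code nor the ClawSweeper tool: a dependency-free
# line scan for `uses:` refs not pinned to a full commit SHA. SAMPLE_WORKFLOW is
# constructed to mirror the finding; the runner labels and the SHA are made up.
import re
from dataclasses import dataclass

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str

def scan_uses(workflow_text: str) -> list[Finding]:
    """One Finding per third-party `uses:` line that is not SHA-pinned."""
    findings = []
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker images are not tag-resolved from another repo.
        if target.startswith(("./", "docker://")):
            continue
        action, sep, ref = target.partition("@")
        if not sep:
            findings.append(Finding(lineno, action, "", "no ref; floats on default branch"))
        elif not FULL_SHA_RE.match(ref):
            # A tag or branch can be moved by the action owner after review.
            findings.append(Finding(lineno, action, ref, "mutable tag or branch ref"))
    return findings

SAMPLE_WORKFLOW = """\
jobs:
  hydrate:
    runs-on: [self-hosted, crabbox]
    steps:
      - uses: actions/checkout@v6
      - uses: pnpm/action-setup@v6.0.8
      - uses: actions/setup-node@v6
      - uses: ./.github/actions/local-step
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # constructed SHA
"""

if __name__ == "__main__":
    for f in scan_uses(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run against a real `.github/workflows/` directory, a non-empty result is the same regression the review flags; a ref-less entry is reported too, since it silently tracks the action's default branch.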

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@vincentkoc vincentkoc marked this pull request as ready for review May 22, 2026 21:40
@vincentkoc vincentkoc merged commit b32cd0d into main May 22, 2026
14 checks passed
@vincentkoc vincentkoc deleted the chore/setup-baseline-safe-20260523 branch May 22, 2026 21:59