chore(deps): bump github.com/openclaw/crawlkit from 0.13.0 to 0.13.1

[dependabot]

Bumps github.com/openclaw/crawlkit from 0.13.0 to 0.13.1.

Changelog

Sourced from github.com/openclaw/crawlkit's changelog.

v0.13.1 - 2026-06-23

• Harden crawlkit scheduler, output, release-check, vector ranking, and CI workflow edges found by clawpatch.
• Expose remote ingest reset progress so crawl publishers can drain large Cloudflare D1 table replacements before sending row batches.

Commits

• 5ebd0de fix(remote): expose ingest reset progress
• 232aef3 fix: harden crawlkit clawpatch findings
• b2a3797 chore: reopen changelog after 0.13.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 28, 2026, 4:16 PM ET / 20:16 UTC.

Summary
The branch updates the direct Go module dependency github.com/openclaw/crawlkit from v0.13.0 to v0.13.1 and refreshes the go.sum hashes.

Reproducibility: not applicable. this is a dependency maintenance PR rather than a reported bug. The relevant verification is source/diff inspection plus CI on the updated dependency.

Review metrics: 2 noteworthy metrics.

• Dependency files changed: 2 files; +3/-3. The review surface is limited to the direct module requirement and checksum refresh.
• Checks observed: 11 successful, 1 skipped. The routine dependency bump has the main validation signals maintainers normally need before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Next step before merge

• [P2] No repair lane is needed; if maintainers want the routine dependency update, it is ready for normal merge once branch protection is satisfied.

Security
Cleared: No concrete security or supply-chain concern was found in this repo diff; it only updates an existing OpenClaw Go module and checksum, with upstream tag/compare/changelog inspected.

Review details

Best possible solution:

Land the patch-level Dependabot bump after normal branch-protection review, keeping the change limited to go.mod and go.sum.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency maintenance PR rather than a reported bug. The relevant verification is source/diff inspection plus CI on the updated dependency.

Is this the best way to solve the issue?

Yes; for a patch-level Go module update, changing go.mod and go.sum without vendoring or unrelated edits is the narrowest maintainable path.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against 905ac75f8337.

Label changes

Label changes:

• add P3: This is a low-risk dependency maintenance PR with a narrow diff and green validation.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The real-behavior proof gate is not applicable to this Dependabot bot dependency PR; CI and upstream diff review provide the practical validation signal.

Label justifications:

• P3: This is a low-risk dependency maintenance PR with a narrow diff and green validation.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: The real-behavior proof gate is not applicable to this Dependabot bot dependency PR; CI and upstream diff review provide the practical validation signal.

Evidence reviewed

What I checked:

• PR diff scope: The PR head changes only go.mod and go.sum, replacing github.com/openclaw/crawlkit v0.13.0 with v0.13.1 and updating the two checksum lines. (go.mod:8, e065e6cd439e)
• Current main dependency: Current main still has the direct crawlkit requirement at v0.13.0, so this bump is not already implemented on the default branch. (go.mod:8, 905ac75f8337)
• Current crawlkit usage: Source search shows slacrawl imports crawlkit packages for control, TUI, progress, release checks, mirroring, config, and store integration, making this a direct production dependency update rather than unused churn. (internal/cli/app.go:20, 905ac75f8337)
• Upstream patch contents: The crawlkit v0.13.0...v0.13.1 compare is three commits ahead and changes runtime hardening in output, releasecheck, remote, scheduler, and vector packages plus upstream workflow files; the changelog matches the PR body. (5ebd0de44689)
• Upstream tag provenance: The v0.13.1 annotated tag points to crawlkit commit 5ebd0de446895e4da4d5c85cefcd69dffaedc34f dated 2026-06-23; no GitHub Release object was found for that tag, so the tag and changelog are the upstream provenance. (5ebd0de44689)
• Checks observed: GitHub reports the PR as mergeable, with CI deps, lint, test, release-check, Docker, CodeQL, and secret scanning completed successfully; release drafter update was skipped. (e065e6cd439e)

Likely related people:

• steipete: Local blame points the current go.mod dependency line to the v0.7.3 release prep, and GitHub history shows recent crawlkit bump and CLI/runtime integration commits in the same dependency surface. (role: recent dependency and runtime area contributor; confidence: high; commits: f5f549466731, 8dea840f6f3d, b1170f036121; files: go.mod, go.sum, internal/cli/app.go)
• vincentkoc: GitHub history shows release-check integration and org-move work touching the relevant slacrawl paths, and the upstream crawlkit v0.13.1 runtime commits are by this contributor. (role: adjacent release-check and crawlkit contributor; confidence: medium; commits: 5c32a2758b19, fa593d98e4e2, 232aef3d30b8; files: internal/cli/releasecheck.go, internal/cli/app.go, go.mod)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.