chore: add constrained Crabbox setup

[vincentkoc]

Summary

• Adds the exact Crabbox skill copied from openclaw/openclaw.
• Adds constrained Crabbox config and hydrate workflow with repo-specific self-hosted runner labels.
• Adds actionlint runner-label config and CODEOWNERS coverage for the new automation surfaces.
• Adds package scripts for the copied skill command surface when the repo already has a root package.json.

This is the narrowed replacement shape for the earlier broad setup baseline. It intentionally does not add CodeQL, stale automation, licensing changes, Dependabot, package-manager files, or unrelated policy defaults.

Verification

• git diff --check
• Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
• actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
• Crabbox skill SHA-256 matched openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
• Package script presence check where a root package.json exists
• Private-path scan for new public files
• test -z "$(gofmt -l .)" for Go repos

Notes

No live Crabbox lease was started for this setup-only patch.

[clawsweeper]

Codex review: needs changes before merge.

Latest ClawSweeper review: 2026-05-22 21:45 UTC / May 22, 2026, 5:45 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Adds a Crabbox skill, repo Crabbox config, self-hosted hydrate workflow, actionlint/CODEOWNERS automation coverage, and package scripts.

Reproducibility: not applicable. as a user bug. The review finding is source-reproducible: the new workflow uses mutable action refs at the changed lines while current main pins comparable actions to SHAs.

PR rating
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Summary: The patch is not merge-ready because the new self-hosted workflow has a concrete supply-chain blocker.

Rank-up moves:

• Pin all new third-party workflow actions to immutable SHAs with version comments.
• After pinning, run actionlint/static YAML validation and a redacted Crabbox hydrate smoke on the intended runner labels.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external-contributor proof gate does not apply to this MEMBER-authored PR; the body says no live Crabbox lease was started, so maintainer/operator smoke proof is still useful before merge.

Risk before merge

• Merging as written would execute mutable third-party GitHub Action refs on self-hosted Crabbox runners, creating a supply-chain drift path before repository code runs.
• The PR has static validation but no live Crabbox hydrate smoke on the intended runner labels, so runner readiness and operator behavior remain unproven.

Maintainer options:

1. Pin the action refs (recommended)
   Replace every new third-party action ref in the hydrate workflow with an immutable commit SHA and version comment matching the existing CI style.
2. Accept a policy exception
   Maintainers could deliberately allow mutable refs for this workflow, but that should be an explicit exception because it runs on self-hosted infrastructure.
3. Pause for operator validation
   If the runner labels, CODEOWNERS team, or hydrate path are not ready, pause the PR until a live redacted Crabbox hydrate run proves the setup.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Pin the third-party action refs in `.github/workflows/crabbox-hydrate.yml` to immutable commit SHAs with version comments, matching the existing `.github/workflows/ci.yml` and `.github/actions/setup-ci-env/action.yml` style; do not otherwise broaden the Crabbox setup.

Next step before merge
A focused repair can pin the workflow refs; runner-label readiness and live hydrate approval should remain with maintainers.

Security
Needs attention: The diff introduces a supply-chain concern by adding self-hosted runner automation with mutable third-party action refs.

Review findings

• [P1] Pin the workflow action refs — .github/workflows/crabbox-hydrate.yml:42-55

Review details

Best possible solution:

Pin the new workflow actions to immutable SHAs with version comments, then validate the constrained Crabbox hydrate path on the intended runner labels before merge.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a user bug. The review finding is source-reproducible: the new workflow uses mutable action refs at the changed lines while current main pins comparable actions to SHAs.

Is this the best way to solve the issue?

No. The constrained Crabbox setup is a plausible direction, but it should follow the existing pinned-action security pattern and receive operator smoke proof before merge.

Label justifications:

• P2: This is a merge-blocking automation/security issue on a setup PR, not a live production outage.
• merge-risk: 🚨 security-boundary: The new self-hosted workflow would run mutable third-party action code before the repository’s own commands execute.
• merge-risk: 🚨 automation: The PR adds a new Crabbox hydrate workflow and runner-label path that has not been live-smoked in this repository.
• rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🌊 off-meta tidepool, patch quality is 🧂 unranked krab, and The patch is not merge-ready because the new self-hosted workflow has a concrete supply-chain blocker.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-contributor proof gate does not apply to this MEMBER-authored PR; the body says no live Crabbox lease was started, so maintainer/operator smoke proof is still useful before merge.

Full review comments:

• [P1] Pin the workflow action refs — .github/workflows/crabbox-hydrate.yml:42-55
  This new self-hosted workflow uses mutable action tags, while main already pins comparable actions to SHAs with comments. Pin these refs before merge so the runner does not execute drifting third-party code.
  Confidence: 0.95

Overall correctness: patch is incorrect
Overall confidence: 0.91

Security concerns:

• [high] Mutable actions on self-hosted runner — .github/workflows/crabbox-hydrate.yml:42
  The hydrate workflow runs on self-hosted Crabbox runners but references third-party actions by mutable version tags instead of immutable SHAs, which can change what code executes before the repo commands run.
  Confidence: 0.95

Acceptance criteria:

• git diff --check 62cf3c3 HEAD
• ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f) }' .crabbox.yaml .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
• actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml

What I checked:

• PR diff scope: The branch adds six automation/setup surfaces: the Crabbox skill, .crabbox.yaml, CODEOWNERS, actionlint runner labels, a new hydrate workflow, and package scripts. (c38d6d0e0905)
• Mutable action refs in new workflow: The new self-hosted hydrate job uses actions/checkout@v6, pnpm/action-setup@v6.0.8, actions/setup-node@v6, and actions/setup-go@v6. (.github/workflows/crabbox-hydrate.yml:42, c38d6d0e0905)
• Current main pins comparable actions: Current CI pins checkout, setup-node, setup-go, and GoReleaser actions to immutable SHAs with version comments. (.github/workflows/ci.yml:19, 62cf3c3163aa)
• Pinned-action provenance: Commit c7800ad changed existing workflow refs from mutable tags to pinned SHAs, establishing the current supply-chain pattern this PR should follow. (.github/workflows/ci.yml:19, c7800adcb450)
• No live hydrate proof yet: The PR body says no live Crabbox lease was started for this setup-only patch, so operator smoke on the intended runner labels remains unproven. (c38d6d0e0905)
• Automation history routing: History around automation and agent/CODEOWNERS surfaces points primarily to current workflow/package ownership plus prior CODEOWNERS maintenance.

Likely related people:

• steipete: Current main’s workflow/package surfaces and the pinned-action hardening commit are authored by Peter Steinberger, and the README maps him to the steipete handle. (role: recent automation and supply-chain pattern owner; confidence: high; commits: 201f7adcaf16, c7800adcb450, 42ce6831bfda; files: .github/workflows/ci.yml, .github/actions/setup-ci-env/action.yml, .github/workflows/release.yml)
• dinakars777: Prior CODEOWNERS and maintainer-contact history appears under Dinakar Sarbada, which is adjacent to this PR’s new CODEOWNERS coverage. (role: adjacent CODEOWNERS/history contributor; confidence: medium; commits: 666f77caed10, f7cbace0e348; files: .github/CODEOWNERS, CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 62cf3c3163aa.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.