chore: add constrained Crabbox setup #639

Merged: vincentkoc merged 1 commit into main from chore/setup-baseline-safe-20260523 on May 22, 2026.

Conversation

@vincentkoc (Member)

Summary

  • Adds the exact Crabbox skill copied from openclaw/openclaw.
  • Adds constrained Crabbox config and hydrate workflow with repo-specific self-hosted runner labels.
  • Adds actionlint runner-label config and CODEOWNERS coverage for the new automation surfaces.
  • Adds package scripts for the copied skill command surface when the repo already has a root package.json.

This is the narrowed replacement shape for the earlier broad setup baseline. It intentionally does not add CodeQL, stale automation, licensing changes, Dependabot, package-manager files, or unrelated policy defaults.

Verification

  • git diff --check
  • Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • Crabbox skill SHA-256 matched openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • Package script presence check where a root package.json exists
  • Private-path scan for new public files
  • test -z "$(gofmt -l .)" for Go repos

Notes

No live Crabbox lease was started for this setup-only patch.

@clawsweeper (Bot) commented May 22, 2026

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 21:45 UTC / May 22, 2026, 5:45 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds a Crabbox skill, .crabbox.yaml, a workflow_dispatch hydrate workflow, actionlint runner labels, and CODEOWNERS ownership for the new automation surfaces.

Reproducibility: not applicable. This is an automation setup PR rather than a product bug. The review is source/diff based against current main’s workflow pinning and command layout.

PR rating
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Summary: The patch is not quality-ready because it has a concrete workflow supply-chain blocker and the copied skill does not match gogcli’s command surface.

Rank-up moves:

  • Pin the new workflow actions to reviewed commit SHAs.
  • Replace OpenClaw-only Crabbox examples with gogcli commands or add the referenced root scripts after maintainer approval.
  • Confirm the CODEOWNERS team and self-hosted runner dispatch model with repo owners.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The contributor proof gate does not apply to this member-authored setup PR; the body lists static checks and says no live Crabbox lease was started.

Risk before merge

  • Merging the hydrate workflow as written would run floating third-party action tags on a self-hosted runner path, weakening the repo’s current pinned-action supply-chain posture.
  • The copied Crabbox skill references root pnpm crabbox:* commands that do not exist in gogcli, so agents may fail before reaching the repo’s actual Go validation gates.
  • The CODEOWNERS team, self-hosted runner labels, and workflow_dispatch operating model are repository policy changes that need owner confirmation before landing.

Maintainer options:

  1. Pin and adapt before merge (recommended)
    Pin the new workflow actions to reviewed full commit SHAs and replace copied OpenClaw-only Crabbox examples with gogcli commands that exist in this repository.
  2. Confirm automation ownership
    Have the relevant repo owners explicitly approve the CODEOWNERS team, self-hosted runner labels, and workflow_dispatch operating model before enabling this path on main.
  3. Pause the copied-skill approach
    If the OpenClaw Crabbox skill must stay unchanged, pause this PR until gogcli has the matching root package scripts and workflow surface.

Next step before merge
A maintainer should approve the self-hosted runner and CODEOWNERS operating model before any mechanical repair or merge path proceeds.

Security
Needs attention: The diff introduces a self-hosted workflow that uses floating third-party action tags, which is a concrete supply-chain regression from current main’s pinned workflow style.

Review findings

  • [P1] Pin the hydrate workflow actions — .github/workflows/crabbox-hydrate.yml:38-42
  • [P2] Replace the copied pnpm Crabbox commands — .agents/skills/crabbox/SKILL.md:39
Review details

Best possible solution:

Land a repo-specific Crabbox setup only after action refs are pinned to reviewed SHAs, the skill commands match gogcli’s Makefile and worker scripts, and maintainers approve the self-hosted runner and CODEOWNERS contract.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is an automation setup PR rather than a product bug. The review is source/diff based against current main’s workflow pinning and command layout.

Is this the best way to solve the issue?

No; copying OpenClaw’s skill unchanged and using floating action tags is not the best landing shape. A narrower gogcli-specific setup should pin actions, use the repo’s actual validation commands, and land after owner approval.

Label justifications:

  • P2: This is a normal-priority automation setup improvement with concrete merge blockers but no current-user production regression.
  • merge-risk: 🚨 security-boundary: The PR adds a self-hosted workflow that runs floating third-party GitHub Action tags.
  • merge-risk: 🚨 automation: The PR changes Crabbox workflow, actionlint, CODEOWNERS, and skill automation surfaces that can break validation if misconfigured.
  • rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🌊 off-meta tidepool, patch quality is 🧂 unranked krab, and the patch is not quality-ready because it has a concrete workflow supply-chain blocker and the copied skill does not match gogcli’s command surface.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The contributor proof gate does not apply to this member-authored setup PR; the body lists static checks and says no live Crabbox lease was started.

Full review comments:

  • [P1] Pin the hydrate workflow actions — .github/workflows/crabbox-hydrate.yml:38-42
    The new self-hosted workflow uses actions/checkout@v6 and actions/setup-go@v6, while the repo’s existing workflows pin actions to full commit SHAs. Please pin these refs before enabling third-party action execution on the Crabbox runner path.
    Confidence: 0.95
  • [P2] Replace the copied pnpm Crabbox commands — .agents/skills/crabbox/SKILL.md:39
    The added skill tells agents to run pnpm crabbox:run, but gogcli has no root package.json or crabbox:* scripts. Point the skill at this repo’s real validation commands, such as the Makefile gates, so Crabbox proof does not fail before exercising the Go project.
    Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.93

Security concerns:

  • [high] Floating actions on a self-hosted runner — .github/workflows/crabbox-hydrate.yml:38
    The new hydrate workflow runs on self-hosted Crabbox labels but uses actions/checkout@v6 and actions/setup-go@v6; current workflows pin action refs to full SHAs, so this broadens unpinned third-party code execution on the runner.
    Confidence: 0.95

What I checked:

  • PR workflow diff: The added hydrate workflow uses floating actions/checkout@v6 and actions/setup-go@v6 refs on a self-hosted Crabbox runner path. (.github/workflows/crabbox-hydrate.yml:38, 6d5cb7370582)
  • Current workflow pinning pattern: Current main pins GitHub Actions to full commit SHAs across existing workflows, including checkout, setup-go, setup-node, cache, Docker, Pages, and GoReleaser actions. (.github/workflows/ci.yml:15, 4dcf7b103dd3)
  • Action-pinning history: The existing pinned-action posture is supported by the historical ci: pin workflow actions commit, so the new floating refs are a regression from the current automation convention. (.github/workflows/ci.yml:15, 2892765ea3df)
  • Copied skill command mismatch: The added Crabbox skill tells agents to run pnpm crabbox:run, but current main has no root package.json or root crabbox:* scripts. (.agents/skills/crabbox/SKILL.md:39, 6d5cb7370582)
  • Current command surface: Current main exposes Go validation through Makefile targets such as make ci and make test; pnpm commands are either skipped at the root or scoped to internal/tracking/worker. (Makefile:110, 4dcf7b103dd3)
  • Operational ownership change: The PR adds new CODEOWNERS coverage for workflows, .crabbox.yaml, .agents/skills/, go.mod, and go.sum, which is a repository ownership policy change that needs maintainer approval. (.github/CODEOWNERS:1, 6d5cb7370582)

Likely related people:

  • Peter Steinberger: History shows Peter introduced or recently maintained the pinned workflow actions, actionlint runner labels, and Makefile validation surface that this Crabbox setup changes. (role: recent area contributor; confidence: high; commits: 2892765ea3df, 9ae286075492, b25a3c029b37; files: .github/workflows/ci.yml, .github/actionlint.yaml, Makefile)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4dcf7b103dd3.
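The P1 finding and the [high] security concern above both reduce to one check: whether each `uses:` ref in a workflow is a full 40-hex commit SHA rather than a movable tag such as `@v6`. As an added example (not code from gogcli, ClawSweeper or this PR), the Python scanner below applies that check to a constructed workflow fragment that mirrors the reported refs; the SHA and digest values in it are placeholders.

```python
"""Detect floating GitHub Action refs in a workflow file.

Added example for the review findings above; not code from the gogcli
repository, ClawSweeper or the PR. The workflow text below is constructed
to mirror the reported refs, not copied from the PR diff.
"""
import re
from typing import List, Tuple

# A full 40-hex commit SHA is the only ref an action owner cannot retarget.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref`, stopping before any trailing comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def classify_ref(uses: str) -> str:
    """Return 'pinned', 'floating' or 'local' for one `uses:` value."""
    if uses.startswith("./"):
        return "local"  # in-repo action, versioned with the workflow itself
    if uses.startswith("docker://"):
        # Container actions are pinned only by image digest, never by tag.
        return "pinned" if "@sha256:" in uses else "floating"
    if "@" not in uses:
        return "floating"  # no ref at all resolves to the default branch
    ref = uses.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA.match(ref) else "floating"


def find_floating_actions(workflow_yaml: str) -> List[Tuple[int, str]]:
    """Return (line_number, uses_value) for every ref that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and classify_ref(m.group(1)) == "floating":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample: the two refs named in the review, plus pinned, local
# and container forms a checker must classify correctly. Placeholder SHA.
SAMPLE_WORKFLOW = """\
name: crabbox-hydrate
on: workflow_dispatch
jobs:
  hydrate:
    runs-on: [self-hosted, crabbox]
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
      - uses: actions/cache@0000000000000000000000000000000000000000 # v4 (placeholder)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for lineno, ref in find_floating_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run against the sample it reports lines 7, 8 and 11; the placeholder-SHA cache step and the local action are left alone.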

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper (Bot) commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@vincentkoc vincentkoc marked this pull request as ready for review May 22, 2026 21:39
@vincentkoc vincentkoc merged commit 96d50e5 into main May 22, 2026
10 checks passed
@vincentkoc vincentkoc deleted the chore/setup-baseline-safe-20260523 branch May 22, 2026 21:58