feat: add ARM Linux lease architecture selection

[vincentkoc]

Summary

• add --arch / architecture lease selection for Linux ARM64 on Azure and AWS
• route ARM64 class fallback to Azure Dpsv6/Dpdsv6 and AWS Graviton families
• resolve matching Ubuntu ARM64 Azure images and AWS AMI queries across CLI and Worker paths
• keep AWS promoted-image lookup architecture-scoped and reject explicit architecture/type mismatches early
• document ARM lease selection in provider, command, config, job, README, and changelog docs

Verification

• go test ./internal/cli ./internal/providers/azure ./internal/providers/aws
• go vet ./...
• npm test --prefix worker -- config.test.ts azure.test.ts aws.test.ts fleet.test.ts
• npm run format:check --prefix worker
• npm run lint --prefix worker
• npm run check --prefix worker
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main -> clean, no accepted/actionable findings

[clawsweeper]

Codex review: found issues before merge. Reviewed May 29, 2026, 6:02 PM ET / 22:02 UTC.

Summary
The PR adds --arch / architecture ARM64 selection for AWS and Azure Linux leases across the Go CLI, Worker broker, provider image/type selection, tests, docs, and release metadata.

Reproducibility: not applicable. this is a feature PR, not a bug report. Source inspection shows current main lacks lease-level ARM architecture selection, while the branch adds unit coverage for the new behavior.

Review metrics: 2 noteworthy metrics.

• Changed files: 43 files, +1124/-113. The feature spans CLI, Worker, provider routing, docs, and release metadata, so maintainers should review it as a cross-runtime contract change.
• Runtime surfaces: 2 runtime implementations changed. Go CLI and Worker broker behavior must agree on architecture defaults, inference, and validation before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Have maintainers accept or revise the --arch / architecture contract.
• Resolve or document the GitHub Advanced Security regex alert.
• Remove release metadata changes unless this is intentionally release prep.

Risk before merge

• [P1] The new --arch / architecture field becomes a stable CLI, config, job, and broker request contract across Go and Worker code, so maintainers should explicitly accept the API before merge.
• [P1] The branch includes release metadata and package version bumps for 0.22.1; that should be intentional release prep or split out before landing the feature.
• [P1] The PR body lists unit, lint, typecheck, and vet validation, but this read-only review did not see live AWS/Azure ARM lease output proving cloud SKU and image availability.
• [P1] GitHub Advanced Security left a CodeQL regex-performance review comment; the alert should be resolved or deliberately suppressed before merge.

Maintainer options:

1. Accept the Architecture Contract (recommended)
   Maintainers can merge once they explicitly accept --arch / architecture as the stable CLI, config, job, and broker request API.
2. Split Release Prep
   Remove the 0.22.1 date and package version bumps unless this draft is intentionally serving as the release-prep PR.
3. Ask for Live ARM Smoke Output
   If provider availability is a concern, ask for redacted CLI/log output from one AWS ARM64 and one Azure ARM64 Linux lease before merge.

Next step before merge

• [P2] This MEMBER-authored draft changes a stable config/broker API and release metadata, so the next step is maintainer acceptance rather than an automated repair lane.

Security
Needs attention: No secret, permission, dependency-source, or workflow regression was found, but the existing GitHub Advanced Security regex alert needs maintainer resolution before merge.

Review findings

• [P3] Drop release-owned version metadata — CHANGELOG.md:3-7

Review details

Best possible solution:

Land the ARM lease feature only after maintainers accept the stable architecture API, resolve the CodeQL/release-metadata items, and decide whether live AWS/Azure ARM smoke output is required.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature PR, not a bug report. Source inspection shows current main lacks lease-level ARM architecture selection, while the branch adds unit coverage for the new behavior.

Is this the best way to solve the issue?

Mostly yes if maintainers want this API. The implementation keeps provider-specific type and image choices in provider-adjacent code, but the stable contract and release metadata need explicit maintainer acceptance.

Full review comments:

• [P3] Drop release-owned version metadata — CHANGELOG.md:3-7
  This feature branch also dates 0.22.1 and bumps package versions. Release metadata is release-owned in this review lane, so please remove these edits unless maintainers are intentionally treating this PR as release prep.
  Confidence: 0.82

Overall correctness: patch is correct
Overall confidence: 0.78

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0adbe1e63f66.

Label changes

Label changes:

• add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-contributor proof gate does not apply to a MEMBER-authored PR; the PR body lists automated validation but no live ARM lease proof.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦐 gold shrimp, so this older rating label is no longer current.
• remove status: 👀 ready for maintainer look: Current PR status label is status: ⏳ waiting on author.

Label justifications:

• P2: This is a normal-priority provider/config feature with bounded but meaningful upgrade and API surface.
• merge-risk: 🚨 compatibility: Merging creates a new stable architecture setting and broker field that existing and upgraded clients/workers must interpret consistently.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-contributor proof gate does not apply to a MEMBER-authored PR; the PR body lists automated validation but no live ARM lease proof.

Evidence reviewed

Security concerns:

• [low] Resolve the CodeQL regex alert
  GitHub Advanced Security left a polynomial-regex review comment on this PR; maintainers should inspect the alert and either fix the flagged path or suppress it with rationale before merge.
  Confidence: 0.65

What I checked:

• repository-policy: AGENTS.md was read in full and applies because the PR touches provider boundaries, release metadata, docs, Go CLI, Worker TypeScript, and tests. (AGENTS.md:1, 0adbe1e63f66)
• main-capability-check: Current main has existing AWS image architecture metadata, but no lease-level --arch, CRABBOX_ARCH, or config architecture selection for AWS/Azure Linux capacity, so the PR is not obsolete. (0adbe1e63f66)
• cli-api-change: The branch adds a new --arch flag and records explicit architecture selection in lease config, making this a user-facing CLI/config contract. (internal/cli/lease_flags.go:42, e24014f0b84c)
• worker-api-change: The Worker lease parser adds architecture, infers ARM from explicit provider types, validates mismatches, and includes the field in LeaseConfig. (worker/src/config.ts:104, e24014f0b84c)
• provider-routing-tests: The branch adds Worker tests for Azure/AWS ARM defaults, explicit ARM type inference, and mismatch rejection, which covers the new broker contract at unit level. (worker/test/config.test.ts:355, e24014f0b84c)
• release-metadata-change: The branch dates 0.22.1 and adds release text while also bumping package versions, which is release-owned metadata that maintainers should consciously accept or split out. (CHANGELOG.md:3, e24014f0b84c)

Likely related people:

• Vincent Koc: Recent main history shows repeated merged work on broker cost caps, AWS/Worker retries, Azure capacity fallback, and image promotion/provider paths touched by this PR. (role: recent area contributor; confidence: high; commits: 0adbe1e63f66, 811d48708f8d, f141596b46d2; files: worker/src/fleet.ts, worker/src/aws.ts, worker/src/azure.ts)
• Peter Steinberger: Blame and git history tie the current main config/provider defaults and latest release state to Peter’s commits, including the 0.22.0 release and broker diagnostics work. (role: core config and release history owner; confidence: high; commits: e7139b210d9b, 98347e385ecb, b8ea92a792de; files: internal/cli/config.go, worker/src/config.ts, CHANGELOG.md)
• Jonathan Moss: History search shows the Azure Linux/native Windows lease support commit as the earlier feature root for part of the provider surface this PR extends. (role: adjacent Azure feature contributor; confidence: medium; commits: 00725544c767; files: internal/cli/azure.go, worker/src/azure.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.