chore: add maintainer setup baseline #186

Closed

vincentkoc wants to merge 1 commit into main from chore/setup-baseline-20260522

Conversation

@vincentkoc
Member

Summary

  • add maintainer setup baseline files for this repository
  • add CODEOWNERS, Dependabot, SECURITY.md, CodeQL, stale automation, and Crabbox/autoreview support
  • configure pnpm maintainer hydrate checks

Verification

  • git diff --check
  • ruby YAML.load_file for added/changed YAML files
  • actionlint for added/changed workflow files
  • private-data scan for added/changed non-skill setup files; PNPM_VERSION hits, where present, were false positives
  • verified Crabbox skill SHA-256 matches openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43

Runtime tests were not run; this is setup, policy, and workflow metadata only.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 14:46 UTC / May 22, 2026, 10:46 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch adds maintainer setup metadata: CODEOWNERS, Dependabot, SECURITY.md, CodeQL, stale automation, Crabbox hydration, and bundled autoreview/Crabbox skills.

Reproducibility: yes, from source inspection: the new Crabbox skill references pnpm aliases absent from package.json, and the hydrate workflow's runs-on list omits the static labels declared in .crabbox.yaml. No runtime test was needed to identify those wiring defects.

PR rating
Overall: 🦪 silver shellfish
Proof: 🌊 off-meta tidepool
Patch quality: 🦪 silver shellfish
Summary: Useful setup coverage is present, but the patch is not quality-ready until the Crabbox command wiring and self-hosted runner boundary are fixed.

Rank-up moves:

  • Require the static Crabbox/OpenClaw/mcporter runner labels, or add equivalent validation, in the hydrate workflow.
  • Add the documented Crabbox pnpm aliases to package.json or change the skill examples to commands that exist in mcporter.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external-proof gate is not applied because this is a member-authored maintainer setup PR, and the changed behavior is repository metadata/workflow policy.

Risk before merge

  • Merging as-is would give maintainers Crabbox skill commands that fail in this repo because the referenced pnpm aliases are not defined.
  • The new workflow dispatches to a self-hosted runner selected only by a user-supplied label, even though the config declares static Crabbox/OpenClaw/mcporter runner labels.
  • The PR changes repository security and stale-automation policy, so maintainer/admin acceptance is still needed even after the mechanical blockers are fixed.

Maintainer options:

  1. Fix Crabbox Baseline First (recommended)
    Update the hydrate workflow runner selector and the Crabbox skill/package scripts together so the documented maintainer lane works and targets only intended runners.
  2. Accept Existing Admin Semantics
    Maintainers can intentionally accept the current workflow and command assumptions if external Crabbox tooling supplies the missing aliases and runner-label restriction elsewhere.
  3. Pause The Baseline PR
    If the setup files are copied from another repository baseline, pause this PR until the mcporter-specific command surface and runner policy are confirmed.

Next step before merge
Maintainer/admin review is needed because this draft member PR changes security, CODEOWNERS, stale, and self-hosted workflow policy, with narrow blockers identified before merge.

Security
Needs attention: The new self-hosted hydrate workflow needs a tighter runner selector before merge.

Review findings

  • [P1] Require the intended Crabbox runner labels — .github/workflows/crabbox-hydrate.yml:39
  • [P2] Make the Crabbox commands exist in this repo — .agents/skills/crabbox/SKILL.md:39
Review details

Best possible solution:

Land a repo-specific setup baseline that constrains Crabbox hydration to the intended ephemeral runner labels and either adds the documented pnpm Crabbox aliases or rewrites the skill to use commands that exist in mcporter.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: the new Crabbox skill references pnpm aliases absent from package.json, and the hydrate workflow's runs-on list omits the static labels declared in .crabbox.yaml. No runtime test was needed to identify those wiring defects.

Is this the best way to solve the issue?

No, not yet. The setup direction is plausible, but the best merge path is an mcporter-specific baseline that fixes the missing command aliases and constrains the self-hosted runner selector before maintainer policy approval.

Label changes:

  • add P2: This is a normal-priority repository automation/security baseline with limited runtime blast radius but concrete merge blockers.
  • add merge-risk: 🚨 security-boundary: The hydrate workflow introduces self-hosted runner execution selected by a workflow input without requiring the static Crabbox labels declared in config.
  • add merge-risk: 🚨 automation: The PR adds CI/stale/Crabbox automation, and the documented Crabbox commands currently do not exist in this repo.
  • add rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and useful setup coverage is present, but the patch is not quality-ready until the Crabbox command wiring and self-hosted runner boundary are fixed.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-proof gate is not applied because this is a member-authored maintainer setup PR, and the changed behavior is repository metadata/workflow policy.

Label justifications:

  • P2: This is a normal-priority repository automation/security baseline with limited runtime blast radius but concrete merge blockers.
  • merge-risk: 🚨 automation: The PR adds CI/stale/Crabbox automation, and the documented Crabbox commands currently do not exist in this repo.
  • merge-risk: 🚨 security-boundary: The hydrate workflow introduces self-hosted runner execution selected by a workflow input without requiring the static Crabbox labels declared in config.
  • rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and useful setup coverage is present, but the patch is not quality-ready until the Crabbox command wiring and self-hosted runner boundary are fixed.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external-proof gate is not applied because this is a member-authored maintainer setup PR, and the changed behavior is repository metadata/workflow policy.

Full review comments:

  • [P1] Require the intended Crabbox runner labels — .github/workflows/crabbox-hydrate.yml:39
    The repo config declares Crabbox runners with crabbox, openclaw, and mcporter labels, but the workflow only requires self-hosted plus the caller-provided label. A workflow_dispatch caller can point the job at a broader self-hosted runner label while also choosing the ref to install, so this should include the static labels or otherwise validate the runner target before merge.
    Confidence: 0.82
  • [P2] Make the Crabbox commands exist in this repo — .agents/skills/crabbox/SKILL.md:39
    The added skill tells maintainers to run pnpm crabbox:run, pnpm crabbox:warmup, and changed-test commands, but package.json does not define those aliases. Following the new baseline instructions will fail before dispatching the hydrate workflow; add repo scripts or rewrite the skill to use the actual Crabbox CLI and mcporter checks.
    Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.86

Security concerns:

  • [medium] Workflow input can broaden self-hosted runner targeting — .github/workflows/crabbox-hydrate.yml:39
    runs-on uses only self-hosted and the caller-provided label while the job checks out a caller-provided ref and runs pnpm install; require the static Crabbox/OpenClaw/mcporter labels or an equivalent validation path so hydration cannot land on an unintended self-hosted runner.
    Confidence: 0.82

What I checked:

  • PR scope: The proposed commit adds ten new setup files and no existing source changes. (afc0a65273de)
  • Crabbox skill uses missing pnpm aliases: The added skill tells maintainers to run pnpm crabbox:run, while the current package scripts do not define any crabbox:*, test:changed, or check:changed aliases. (.agents/skills/crabbox/SKILL.md:39, afc0a65273de)
  • Hydrate workflow ignores static runner labels: The PR configures static Crabbox labels in .crabbox.yaml, but the workflow's runs-on selector only requires self-hosted plus the user-provided dynamic label. (.github/workflows/crabbox-hydrate.yml:39, afc0a65273de)
  • Whitespace check: The patch has no git diff whitespace errors, matching the PR body's verification claim. (afc0a65273de)
  • Current area history: Current main history/blame attributes the existing package and workflow baseline to the v0.11.3 release commit. (.github/workflows/ci.yml:1, 94e65ba0572e)

Likely related people:

  • Peter Steinberger: Current checkout blame and history attribute the existing package/workflow baseline adjacent to this setup PR to the v0.11.3 release commit. (role: recent area contributor; confidence: medium; commits: 94e65ba0572e; files: package.json, .github/workflows/ci.yml, AGENTS.md)
  • openclaw/openclaw-secops: The PR's new CODEOWNERS file routes the added automation, security, package, docs, and source surfaces to this team, so it is the natural review owner for the baseline policy. (role: proposed code owner; confidence: medium; commits: afc0a65273de; files: .github/CODEOWNERS, .github/workflows/crabbox-hydrate.yml, .agents/skills/crabbox/SKILL.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0c36a6d3f833.
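The runner-selector weakness raised in the [P1] finding and the [medium] security concern above, shown as an added configuration example that is not the PR's actual `.github/workflows/crabbox-hydrate.yml`: the flagged `runs-on` shape beside a hardened one that requires the static `crabbox`, `openclaw` and `mcporter` labels and allowlists the caller-supplied label. The input names `ref` and `runner_label` and the allowlist values are assumptions.

```yaml
# Added illustration, not the PR's workflow file. Input names (ref,
# runner_label) and the allowlist values are assumed for the example.
name: crabbox-hydrate
on:
  workflow_dispatch:
    inputs:
      ref:
        description: Git ref to check out and hydrate
        required: true
      runner_label:
        description: Ephemeral Crabbox runner label
        required: true

jobs:
  # Flagged shape: the caller picks both the ref that gets installed and
  # the only non-default label that selects the runner, so hydration can
  # land on any self-hosted runner carrying that label.
  hydrate-as-reviewed:
    runs-on: [self-hosted, "${{ inputs.runner_label }}"]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - run: pnpm install

  # Hardened shape: a runs-on array requires ALL listed labels, so adding
  # the static labels declared in .crabbox.yaml confines the job to the
  # intended Crabbox/OpenClaw/mcporter runners; the job-level `if`
  # additionally rejects any caller label outside a fixed allowlist.
  hydrate:
    if: contains(fromJSON('["crabbox-ephemeral-a","crabbox-ephemeral-b"]'), inputs.runner_label)
    runs-on:
      - self-hosted
      - crabbox
      - openclaw
      - mcporter
      - ${{ inputs.runner_label }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
          # do not leave the workflow token on the ephemeral runner's disk
          persist-credentials: false
      - run: pnpm install
```

With the hardened job, a dispatch whose `runner_label` is not in the allowlist is skipped rather than scheduled, and a runner missing any of the static labels never matches the job.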

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete
Collaborator

Closing this in favor of the shared public skill source at https://github.com/openclaw/agent-skills.

We do not want to vendor the same maintainer skills into every repo. Repos that need zero-setup guidance should add a small pointer to openclaw/agent-skills; shared skill content should be updated there first and synced only where a vendored snapshot is intentionally required.
