
chore: add constrained Crabbox setup#187

Merged
vincentkoc merged 2 commits into main from chore/setup-baseline-safe-20260523 on May 22, 2026

Conversation

@vincentkoc
Member

Summary

  • Adds the exact Crabbox skill copied from openclaw/openclaw.
  • Adds constrained Crabbox config and hydrate workflow with repo-specific self-hosted runner labels.
  • Adds actionlint runner-label config and CODEOWNERS coverage for the new automation surfaces.
  • Adds package scripts for the copied skill command surface when the repo already has a root package.json.

This is the narrowed replacement shape for the earlier broad setup baseline. It intentionally does not add CodeQL, stale automation, licensing changes, Dependabot, package-manager files, or unrelated policy defaults.

Verification

  • git diff --check
  • Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • Crabbox skill SHA-256 matched openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • Package script presence check where a root package.json exists
  • Private-path scan for new public files
  • test -z "$(gofmt -l .)" for Go repos

Notes

No live Crabbox lease was started for this setup-only patch.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 21:44 UTC / May 22, 2026, 5:44 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds Crabbox skill/configuration, a self-hosted hydrate workflow, actionlint/CODEOWNERS coverage, and package scripts for Crabbox commands.

Reproducibility: yes. Source inspection is enough: the PR head documents scripts/crabbox-wrapper.mjs and .github/workflows/ci-check-testbox.yml, while current main and the PR head do not provide those support paths.

PR rating
Overall: 🦪 silver shellfish
Proof: 🌊 off-meta tidepool
Patch quality: 🦪 silver shellfish
Summary: The patch has useful setup intent but is not merge-ready because one documented command path is broken and the runner boundary still needs approval.

Rank-up moves:

  • Replace the missing Testbox helper/workflow references or add those support files intentionally.
  • Get maintainer/secops approval for the self-hosted runner labels, dynamic label input, selected ref checkout, and install model.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The external contributor proof gate does not apply to this member-authored setup PR; the body says no live Crabbox lease was started, so live validation remains a maintainer merge consideration.

Risk before merge

  • Maintainers following the copied Testbox section would hit missing scripts/crabbox-wrapper.mjs and .github/workflows/ci-check-testbox.yml paths instead of a working proof lane.
  • The hydrate workflow checks out a selected ref and runs dependency installation on a self-hosted runner selected partly by dispatch input, so maintainers/secops need to approve that execution boundary before merge.

Maintainer options:

  1. Repair Skill And Approve Boundary (recommended)
    Before merge, replace the missing Testbox helper references with mcporter-supported commands or support files, and record secops acceptance of the self-hosted ref/runner model.
  2. Accept Runner Model Deliberately
    Maintainers/secops may accept the workflow as-is only if the dynamic runner label, selected ref checkout, and install step match the intended Crabbox trust boundary.
  3. Pause The Crabbox Baseline
    If the mcporter Crabbox contract is not settled, pause or close this setup PR until the supported workflow shape is decided.

Next step before merge
Needs maintainer/secops handling because the remaining blocker includes the intended Crabbox trust model, not only a mechanical text repair.

Security
Needs attention: The PR introduces a selected-ref self-hosted workflow, so the Crabbox runner boundary needs maintainer/secops approval before merge.

Review findings

  • [P2] Replace the missing Testbox helper references — .agents/skills/crabbox/SKILL.md:199-203
Review details

Best possible solution:

Land a mcporter-specific Crabbox baseline whose skill only points at supported repo commands/files, with explicit secops approval for the self-hosted hydrate ref and runner model.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection is enough: the PR head documents scripts/crabbox-wrapper.mjs and .github/workflows/ci-check-testbox.yml, while current main and the PR head do not provide those support paths.

Is this the best way to solve the issue?

No. The narrowed setup direction is plausible, but the mergeable shape should first be repo-specific and have explicit approval for the self-hosted runner/ref execution model.

Label justifications:

  • P2: This is a normal-priority repository automation setup PR with concrete merge blockers but limited product runtime blast radius.
  • merge-risk: 🚨 security-boundary: The PR adds a workflow that runs selected-ref code on self-hosted Crabbox runners.
  • merge-risk: 🚨 automation: The new automation documentation still points at missing Testbox support files, so the setup can fail for maintainers who follow it.
  • rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and the patch has useful setup intent but is not merge-ready because one documented command path is broken and the runner boundary still needs approval.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The external contributor proof gate does not apply to this member-authored setup PR; the body says no live Crabbox lease was started, so live validation remains a maintainer merge consideration.

Full review comments:

  • [P2] Replace the missing Testbox helper references — .agents/skills/crabbox/SKILL.md:199-203
    The copied skill tells maintainers to run scripts/crabbox-wrapper.mjs and use .github/workflows/ci-check-testbox.yml, but this repo does not contain either path. Following this section will fail before validation starts, so please either add those support files intentionally or rewrite the section to use mcporter's supported Crabbox command surface.
    Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.88

Security concerns:

  • [medium] Approve selected-ref self-hosted execution — .github/workflows/crabbox-hydrate.yml:39
    The workflow dispatch accepts a ref, checks it out on self-hosted Crabbox runners, and runs pnpm install there; that may be intentional, but it should be explicitly approved for this repository's trust model before landing.
    Confidence: 0.86

What I checked:

  • PR surface: The PR head adds a Crabbox skill, .crabbox.yaml, CODEOWNERS, actionlint config, a Crabbox hydrate workflow, and package.json scripts. (d738cf500c3a)
  • Missing helper references: The copied skill tells maintainers to run node scripts/crabbox-wrapper.mjs with .github/workflows/ci-check-testbox.yml for Blacksmith Testbox proof. (.agents/skills/crabbox/SKILL.md:199, d738cf500c3a)
  • Referenced support files absent: Current main has no scripts/crabbox-wrapper.mjs, .github/workflows/ci-check-testbox.yml, .agents/skills/crabbox/SKILL.md, or .crabbox.yaml; the PR head only adds the skill, .crabbox.yaml, and crabbox-hydrate workflow, not the Testbox wrapper/workflow it documents. (0c36a6d3f833)
  • Self-hosted execution boundary: The hydrate workflow runs on self-hosted Crabbox labels plus a dispatcher-provided label, checks out a dispatcher-selected ref, and runs pnpm install on that runner. (.github/workflows/crabbox-hydrate.yml:39, d738cf500c3a)
  • Current workflow/package ownership history: Current main workflow and package surfaces were most recently shaped by Peter Steinberger, with adjacent CI/package-manager history from ryoppippi. (package.json:42, 94e65ba0572e)
  • Related setup context: The provided GitHub context shows this PR is the narrowed replacement for closed, unmerged setup baseline chore: add maintainer setup baseline #186, so the remaining review should focus on this constrained Crabbox shape rather than the broader baseline.

Likely related people:

  • Peter Steinberger: Git history shows recent current-main package.json and workflow changes, including the 0.11.3 release and main workflow strengthening, which are the closest existing surfaces touched by this setup PR. (role: recent CI/package area contributor; confidence: high; commits: 94e65ba0572e, c87150895dd5; files: package.json, .github/workflows/ci.yml)
  • ryoppippi: Git history shows prior CI action/matrix updates and package-manager setup work that shaped the workflow conventions this PR extends. (role: adjacent CI/tooling contributor; confidence: medium; commits: 7a611b4e588f, ea60016d3c34, 6c295080c958; files: .github/workflows/ci.yml, package.json)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0c36a6d3f833.
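The trust-boundary concern raised in the review above (a runner label and checkout ref taken from workflow_dispatch input, followed by pnpm install on a self-hosted runner) is the kind of pattern a pre-merge lint can flag mechanically. The checker below is an added example, not code from this PR or from the mcporter project; its two workflow snippets are constructed to mirror the shape the review describes and are not the PR's actual .github/workflows/crabbox-hydrate.yml.

```python
import re

# Constructed sample in the shape the review describes (not the PR's actual workflow file).
DISPATCH_WORKFLOW = """\
on: {workflow_dispatch: {inputs: {ref: {default: main}, runner_label: {default: crabbox}}}}
jobs:
  hydrate:
    runs-on: [self-hosted, crabbox, "${{ inputs.runner_label }}"]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - run: pnpm install --frozen-lockfile
"""

# Constructed counterpart: static labels and a ref fixed by the triggering event.
PINNED_WORKFLOW = """\
jobs:
  hydrate:
    runs-on: [self-hosted, crabbox]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.sha }}
      - run: pnpm install --frozen-lockfile
"""

INPUT_EXPR = re.compile(r"\$\{\{[^}]*\b(?:github\.event\.)?inputs\.[\w-]+")  # reads a dispatch input
INSTALL_CMD = re.compile(r"\b(?:pnpm|npm|yarn)\s+(?:install|ci)\b")         # runs package lifecycle scripts


def audit_workflow(text: str) -> list[str]:
    """Line-based lint (not a YAML parser): flag runner labels or checkout refs taken from
    workflow_dispatch inputs, and an install that then runs that code on a self-hosted runner."""
    findings, self_hosted, dynamic = [], False, False
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if s.startswith("runs-on:"):
            self_hosted = "self-hosted" in s
            if INPUT_EXPR.search(s):
                dynamic = True
                findings.append(f"{n}: runner label chosen by dispatch input")
        elif s.startswith("ref:") and INPUT_EXPR.search(s):
            dynamic = True
            findings.append(f"{n}: checkout ref chosen by dispatch input")
        elif s.startswith(("- run:", "run:")) and INSTALL_CMD.search(s) and self_hosted and dynamic:
            findings.append(f"{n}: install runs dispatcher-selected code on a self-hosted runner")
    return findings
```

Run it over each workflow under .github/workflows as a CI step; a non-empty result for a self-hosted job is the cue to get the explicit secops sign-off the review asks for rather than a hard failure.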

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@vincentkoc vincentkoc marked this pull request as ready for review May 22, 2026 21:40

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d738cf500c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

environment is the right proof surface:

```sh
node scripts/crabbox-wrapper.mjs run \
```

P2 Badge Replace missing wrapper command with repository-local entrypoint

The new Crabbox skill instructs users to run node scripts/crabbox-wrapper.mjs run, but this repository does not contain scripts/crabbox-wrapper.mjs (repo-wide file search returns no match), so the documented Blacksmith/Testbox path fails immediately with a file-not-found error. Because this command is presented as the primary delegated-provider run path, users following the skill cannot execute the advertised validation flow until the instruction is rewritten to use an existing command (for example the new pnpm crabbox:run script) or the wrapper file is added.

Useful? React with 👍 / 👎.

@vincentkoc vincentkoc merged commit 1c5e964 into main May 22, 2026
5 checks passed
@vincentkoc vincentkoc deleted the chore/setup-baseline-safe-20260523 branch May 22, 2026 21:59