
chore: add constrained Crabbox setup#4

Merged
vincentkoc merged 1 commit into main from chore/setup-baseline-safe-20260523 on May 22, 2026

Conversation

@vincentkoc
Member

Summary

  • Adds the exact Crabbox skill copied from openclaw/openclaw.
  • Adds constrained Crabbox config and hydrate workflow with repo-specific self-hosted runner labels.
  • Adds actionlint runner-label config and CODEOWNERS coverage for the new automation surfaces.
  • Adds package scripts for the copied skill command surface when the repo already has a root package.json.

This is the narrowed replacement shape for the earlier broad setup baseline. It intentionally does not add CodeQL, stale automation, licensing changes, Dependabot, package-manager files, or unrelated policy defaults.

Verification

  • git diff --check
  • Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • Crabbox skill SHA-256 matched openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • Package script presence check where a root package.json exists
  • Private-path scan for new public files
  • test -z "$(gofmt -l .)" for Go repos

Notes

No live Crabbox lease was started for this setup-only patch.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Codex review: needs changes before merge.

Latest ClawSweeper review: 2026-05-22 21:44 UTC / May 22, 2026, 5:44 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds a Crabbox skill/config, a self-hosted hydrate workflow, actionlint/CODEOWNERS coverage, and Crabbox package scripts for Kova remote validation.

Reproducibility: yes, for the PR finding from source inspection: Kova's package scripts and self-check invoke bin/kova.mjs, while the new Crabbox config excludes top-level bin. I did not run a live Crabbox lease.

PR rating
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Summary: The setup is focused and reviewable, but the sync exclusion creates a concrete automation correctness blocker before merge.

Rank-up moves:

  • Remove or narrow the bin sync exclusion so Crabbox validates the tracked Kova CLI entrypoint.
  • Re-run the YAML/actionlint checks after the sync config change.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The author association is MEMBER, so the external-contributor real-behavior proof gate does not apply; the PR body notes that no live Crabbox lease was started.

Risk before merge

  • Merging as-is can make Crabbox validation for changes under bin/ run against stale git-seeded main content or miss the tracked CLI entrypoint, weakening the proof surface this PR adds.

Maintainer options:

  1. Keep tracked entrypoints synced (recommended)
    Remove the top-level bin exclusion, or replace it with a narrower generated-output exclusion that cannot hide bin/kova.mjs from Crabbox validation.
  2. Accept limited Crabbox coverage
    Maintainers could merge knowing Crabbox should not be trusted for PRs that change bin/, but that weakens the validation setup this PR introduces.
Recommended automerge instruction:
@clawsweeper automerge

Special instructions:
Update `.crabbox.yaml` so Crabbox sync includes the tracked top-level `bin/` directory used by Kova's package entrypoint; do not change unrelated workflow action versions or the copied Crabbox skill text.

Next step before merge
A narrow automated repair can remove or narrow the tracked-source sync exclusion without deciding the broader Crabbox rollout policy.

Security
Cleared: No concrete security or supply-chain regression was found; the new workflow uses read-only repository permissions and the sensitive Crabbox identifier is syntax-validated before use.

Review findings

  • [P2] Keep the Kova CLI entrypoint in Crabbox sync — .crabbox.yaml:41
Review details

Best possible solution:

Keep the constrained Crabbox setup direction, but include all tracked Kova source and entrypoint files in Crabbox sync before landing the self-hosted workflow.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR finding from source inspection: Kova's package scripts and self-check invoke bin/kova.mjs, while the new Crabbox config excludes top-level bin. I did not run a live Crabbox lease.

Is this the best way to solve the issue?

No. The constrained setup is a reasonable direction, but excluding a tracked CLI entrypoint is not the best implementation for a validation harness.

Label justifications:

  • P2: This is a normal-priority automation setup issue with limited blast radius but real validation impact.
  • merge-risk: 🚨 automation: The new sync configuration can cause Crabbox proof to validate stale or missing CLI source.
  • rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and the setup is focused and reviewable, but the sync exclusion creates a concrete automation correctness blocker before merge.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The author association is MEMBER, so the external-contributor real-behavior proof gate does not apply; the PR body notes that no live Crabbox lease was started.

Full review comments:

  • [P2] Keep the Kova CLI entrypoint in Crabbox sync — .crabbox.yaml:41
    Kova's executable and package scripts resolve through bin/kova.mjs, but this excludes top-level bin from Crabbox sync. With git seeding from main, PRs changing the CLI entrypoint can be validated against stale main content or miss the changed entrypoint, making the new remote proof surface unreliable.
    Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.88

Acceptance criteria:

  • git diff --check
  • Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml

What I checked:

Likely related people:

  • Shakker: Introduced the Kova package entrypoint, bin/kova.mjs, and most current validation harness files in commit history. (role: introduced behavior and recent area contributor; confidence: high; commits: 2a94cab089fb, b1232944f394; files: package.json, bin/kova.mjs, src/selfcheck.mjs)
  • Peter Steinberger: Recently changed Kova CI and release workflows to install npm dependencies before checks, which is adjacent to the new Crabbox hydrate workflow. (role: recent workflow contributor; confidence: medium; commits: 202f3957a62d; files: .github/workflows/ci.yml, .github/workflows/release.yml)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b1232944f394.
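As an added illustration, not part of the PR or of the ClawSweeper review, the kind of pre-merge check the finding above calls for: it collects the repo-relative files a package.json depends on (its `bin` field and paths referenced by `scripts`) and reports any that a sync-exclusion list would drop, so a validation harness seeded from main would see stale or missing entrypoints. The `.crabbox.yaml` exclusion schema is not shown on this page, so exclusions are modelled as a constructed list of directory prefixes and globs (an assumption); the package.json is constructed, with `bin/kova.mjs` taken from the review.

```python
import json
import re
from fnmatch import fnmatch

# Constructed package.json modelled on the review's description: the package
# entrypoint and the self-check resolve through bin/kova.mjs. Not Kova's real file.
PACKAGE_JSON = """{
  "name": "kova",
  "bin": {"kova": "bin/kova.mjs"},
  "scripts": {
    "selfcheck": "node bin/kova.mjs selfcheck",
    "crabbox:run": "node scripts/crabbox.mjs run",
    "test": "node --test"
  }
}"""

# Constructed exclusion list standing in for the sync exclusions the review
# flags (top-level bin excluded). The schema is an assumption, not Crabbox's.
SYNC_EXCLUDES = ["bin", "node_modules", "dist/**"]

# Repo-relative file references (with an extension) inside script commands.
_PATH_RE = re.compile(r"(?<![\w./-])((?:[\w.-]+/)+[\w.-]+\.\w+)")


def referenced_entrypoints(package_json: str) -> set:
    """Return the repo-relative files package.json needs at runtime."""
    pkg = json.loads(package_json)
    paths = set()
    bin_field = pkg.get("bin", {})
    if isinstance(bin_field, str):
        paths.add(bin_field.lstrip("./"))
    else:
        paths.update(p.lstrip("./") for p in bin_field.values())
    for cmd in pkg.get("scripts", {}).values():
        paths.update(m.lstrip("./") for m in _PATH_RE.findall(cmd))
    return paths


def is_excluded(path: str, excludes) -> bool:
    """True if an exclusion names the file, one of its parent dirs, or a matching glob."""
    for pat in excludes:
        pat = pat.strip("/")
        if pat.endswith("/**"):
            pat = pat[:-3]
        if path == pat or path.startswith(pat + "/") or fnmatch(path, pat):
            return True
    return False


def hidden_entrypoints(package_json: str, excludes) -> list:
    """Entrypoints the sync would drop; a non-empty result should fail the check."""
    return sorted(p for p in referenced_entrypoints(package_json)
                  if is_excluded(p, excludes))


if __name__ == "__main__":
    hidden = hidden_entrypoints(PACKAGE_JSON, SYNC_EXCLUDES)
    for p in hidden:
        print(f"sync exclusion hides tracked entrypoint: {p}")
    raise SystemExit(1 if hidden else 0)
```

A narrowed exclusion such as `bin/generated/*` passes the check while the bare `bin` exclusion fails it, which is the distinction the review's recommended fix draws.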

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@vincentkoc vincentkoc marked this pull request as ready for review May 22, 2026 21:40
@vincentkoc vincentkoc merged commit cb604f3 into main May 22, 2026
4 checks passed
@vincentkoc vincentkoc deleted the chore/setup-baseline-safe-20260523 branch May 22, 2026 21:59