feat: crew SSH-mesh (DRAFT, stacked on #129)

[zozo123]

Stacked on #openclaw/crabbox#129 — merge that first. The diff here will collapse to just the SSH-mesh additions once #129 lands.

TL;DR

Operator-orchestrated SSH-mesh: crabbox crew connect <name> opens local SSH -L tunnels from the operator's machine to each crew member's --expose'd port. Peers reachable by name at 127.0.0.1:<port> for the operator's shell. Works on every SSH-accessible provider. No Tailscale, no Headscale, no relay, no SaaS — just SSH.

How it works

• --expose <port> on run/warmup: declares the lease wants this port reachable. Repeatable; multi-valued. Written into a reserved provider label.
• crabbox crew connect <name>: reads crew members, opens ssh -L per (member, port), writes ~/.crabbox/crew/<name>/{hosts,env}, holds connections open with SSH ControlMaster reuse. --export prints shell exports; --json dumps the forward table.
• crabbox doctor --crew <name>: reports the SSH-mesh plane alongside the Tailscale plane (crew-mesh sub-check).

What this is NOT

• Lease-to-lease peer dial (true P2P) — future PR with operator-side hub + reverse tunnels.
• UDP — SSH -L is TCP-only.
• Auto-plane selection — manual for v1.

Tested

• Unit tests with mocked SSH exec runner: --expose parsing, label rendering, hosts/env file rendering, doctor counts, ssh -L arg construction, and full launch + teardown over a recording runner. go test -race ./internal/cli/... clean.
• Live validation: skipped — no funded SSH-lease provider available in this dev environment (RunPod balance $0; no live exedev credentials). Mocked-exec test exercises the orchestration end-to-end.

Open questions

• Naming: --expose <port> vs --mesh-port <port> vs --reachable <port>?
• Should crew connect daemonize or stay foreground (current: foreground)?
• Conflict with the in-flight delegated-providers bridge plane PR (feat: add crew bridge plane for delegated and cross-provider peers #136)?

Related

• feat: introduce pond (peer discovery + bridge + ssh-mesh) #129 — crew foundation (this PR stacks on it; merge that first).
• feat: add crew bridge plane for delegated and cross-provider peers #136 — crew bridge plane for delegated providers (parallel solution for non-SSH delegated providers).
• feat(wandb): native gRPC sandbox provider #132 — wandb (independent).
• feat: add runpod provider #133 — runpod (merged; one of the SSH-capable providers this PR targets).

[zozo123]

Closing in favor of #129, which now consolidates all three transport planes. The SSH-mesh work (pond connect --export, --expose, operator-side ssh -L) is preserved in #129 with TOCTOU + reconnection improvements applied. The primitive was renamed crew → pond to align with openclaw's crab-biology naming. Advanced flags (--watch, daemonization) deferred. Keeping the review thread in one place.