chore: add constrained Crabbox setup #123

Merged: vincentkoc merged 1 commit into main from chore/setup-baseline-safe-20260523 on May 22, 2026

@vincentkoc
Member

Summary

  • Adds the exact Crabbox skill copied from openclaw/openclaw.
  • Adds constrained Crabbox config and hydrate workflow with repo-specific self-hosted runner labels.
  • Adds actionlint runner-label config and CODEOWNERS coverage for the new automation surfaces.
  • Adds package scripts for the copied skill command surface when the repo already has a root package.json.

This is the narrowed replacement shape for the earlier broad setup baseline. It intentionally does not add CodeQL, stale automation, licensing changes, Dependabot, package-manager files, or unrelated policy defaults.

Verification

  • git diff --check
  • Ruby YAML parse for .crabbox.yaml, .github/actionlint.yaml, and .github/workflows/crabbox-hydrate.yml
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • Crabbox skill SHA-256 matched openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • Package script presence check where a root package.json exists
  • Private-path scan for new public files
  • test -z "$(gofmt -l .)" for Go repos

Notes

No live Crabbox lease was started for this setup-only patch.

clawsweeper Bot commented May 22, 2026

Codex review: needs changes before merge.

Latest ClawSweeper review: 2026-05-22 21:44 UTC / May 22, 2026, 5:44 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds Crabbox setup for imsg, including a copied Crabbox skill, .crabbox.yaml, actionlint runner labels, CODEOWNERS coverage, and a manual hydrate workflow.

Reproducibility: yes, for the review finding: source inspection shows current main has no package.json, Crabbox wrapper script, or Testbox workflow, while the PR skill repeatedly instructs agents to use those pnpm lanes. I did not execute failing commands because this review kept the checkout read-only.

PR rating
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Summary: Useful automation setup is present, but the copied skill has a blocking repository-fit defect before the patch is merge-ready.

Rank-up moves:

  • Adapt the Crabbox skill examples to imsg’s Makefile and Swift validation commands.
  • Link one successful live Crabbox hydrate run if maintainers want runner-level proof before merge.

What the crustacean ranks mean

  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a member-authored setup PR, so the external contributor real-behavior proof gate does not apply; the missing live Crabbox lease remains a maintainer validation risk.

Risk before merge

  • Merging the copied skill as-is could send maintainers or agents to nonexistent pnpm, scripts/crabbox-wrapper.mjs, and .github/workflows/ci-check-testbox.yml paths in this repository.
  • The new self-hosted hydrate path has not been proven with a live Crabbox lease, so runner labels and workflow handoff remain maintainer validation risk rather than CI-settled behavior.

Maintainer options:

  1. Adapt the copied skill before merge (recommended)
    Replace or clearly quarantine the monorepo pnpm/Testbox examples so the imsg skill points to Makefile and Swift validation commands that exist here.
  2. Accept the shared playbook intentionally
    Maintainers can merge the broad copied skill if they explicitly want common OpenClaw-wide operator documentation here despite irrelevant commands.
  3. Wait for live hydrate proof
    Keep the PR open until a maintainer links one successful Crabbox hydrate run for the new workflow and runner labels.

Copy recommended automerge instruction
@clawsweeper automerge

Special instructions:
Update `.agents/skills/crabbox/SKILL.md` so Crabbox command examples and validation lanes match imsg’s Swift/Makefile surfaces: use `make lint`, `make test`, `make build`, `swift test`, and `swift package resolve`; remove or clearly label OpenClaw monorepo pnpm/Testbox examples that require `package.json`, `scripts/crabbox-wrapper.mjs`, or `.github/workflows/ci-check-testbox.yml`. Keep the `.crabbox.yaml` and hydrate workflow semantics intact unless wording must stay consistent.

Next step before merge
A focused repair can adapt the added Crabbox skill to this repository’s existing Makefile/Swift validation surface without changing the broader workflow intent.

Security
Cleared: The diff adds a manual self-hosted runner workflow with contents: read and no concrete secret exposure, dependency-source change, or privileged token broadening found.

Review findings

  • [P2] Replace copied pnpm gates with imsg commands — .agents/skills/crabbox/SKILL.md:147-174

Review details

Best possible solution:

Merge after the Crabbox skill is narrowed to imsg’s Swift/Makefile validation commands and, if maintainers want runner-level assurance, after one successful hydrate lease is linked.

Do we have a high-confidence way to reproduce the issue?

Yes for the review finding: source inspection shows current main has no package.json, Crabbox wrapper script, or Testbox workflow, while the PR skill repeatedly instructs agents to use those pnpm lanes. I did not execute failing commands because this review kept the checkout read-only.

Is this the best way to solve the issue?

No. The repo-specific Crabbox workflow/config direction is plausible, but copying the OpenClaw monorepo skill verbatim is not the narrowest maintainable fit for this Swift package.

Label justifications:

  • P3: This is low-risk internal automation setup with no direct user-facing imsg runtime impact.
  • merge-risk: 🚨 automation: The PR adds self-hosted runner automation, actionlint/CODEOWNERS surfaces, and agent skill instructions that can steer maintainer validation behavior.
  • rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and Useful automation setup is present, but the copied skill has a blocking repository-fit defect before the patch is merge-ready.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a member-authored setup PR, so the external contributor real-behavior proof gate does not apply; the missing live Crabbox lease remains a maintainer validation risk.

Full review comments:

  • [P2] Replace copied pnpm gates with imsg commands — .agents/skills/crabbox/SKILL.md:147-174
    This skill is installed in imsg, but these examples tell agents to run pnpm crabbox:run, pnpm test:changed, and pnpm test. Current main has no package.json, no pnpm scripts, no scripts/crabbox-wrapper.mjs, and its supported validation surface is make lint, make test, and make build, so merging this as-is would make the new Crabbox guidance fail or send maintainers to the wrong repo playbook.
    Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.88

Acceptance criteria:

  • git diff --check
  • ruby -e 'require "yaml"; %w[.crabbox.yaml .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml].each { |p| YAML.load_file(p) }'
  • actionlint -config-file .github/actionlint.yaml .github/workflows/crabbox-hydrate.yml
  • rg -n "pnpm|ci-check-testbox|crabbox-wrapper|package.json" .agents/skills/crabbox/SKILL.md

What I checked:

  • PR discussion: The PR body says the Crabbox skill was copied exactly from openclaw/openclaw and that no live Crabbox lease was started for this setup-only patch. (347cdd7eccfb)
  • Copied skill references missing repo lanes: The added skill tells agents to run pnpm crabbox:run, pnpm test:changed, pnpm test, and OpenClaw Testbox commands in the main validation examples. (.agents/skills/crabbox/SKILL.md:147, 347cdd7eccfb)
  • Current repo validation surface is Makefile/Swift: Current main defines make lint, make test, and make build around Swift tooling rather than package-manager scripts. (Makefile:19, c7ae79c1b195)
  • Current main lacks the copied skill's Node/package surface: No package.json, pnpm-lock.yaml, .crabbox.yaml, CODEOWNERS, actionlint config, Crabbox skill, or Testbox workflow exists on current main before this PR. (c7ae79c1b195)
  • History shows pnpm was intentionally removed: The repository previously deleted package.json and added the Makefile in chore: replace pnpm with make, so the copied pnpm guidance conflicts with established repo direction. (e763fa7d63f7)
  • Hydrate workflow is constrained but unproven live: The added workflow is manual, contents: read, and targets self-hosted Crabbox labels, but the PR body reports no live lease validation. (.github/workflows/crabbox-hydrate.yml:29, 347cdd7eccfb)

Likely related people:

  • Peter Steinberger: Authored the current Makefile/CI release state and the earlier pnpm-to-make migration that deleted package.json, so he is the clearest current-main routing candidate for this repo automation surface. (role: recent automation and validation surface contributor; confidence: high; commits: b85e701f2b0b, e763fa7d63f7, c7ae79c1b195; files: Makefile, .github/workflows/ci.yml, CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against c7ae79c1b195.
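
The repository-fit finding in the review above can be checked mechanically. The following is an added example, not code from the PR, ClawSweeper, or Crabbox: it scans skill text for `pnpm` scripts, `make` targets, and `scripts/` or `.github/workflows/` paths, and reports the ones the checkout cannot satisfy. The function names, regex patterns, and sample skill lines are constructed assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed patterns for the reference kinds named in the review (pnpm scripts, repo paths).
PNPM_RE = re.compile(r"\bpnpm\s+(?:run\s+)?([A-Za-z][\w:-]*)")
MAKE_RE = re.compile(r"\bmake\s+([A-Za-z][\w-]*)")
PATH_RE = re.compile(r"(?<![\w./-])((?:scripts|\.github/workflows)/[\w./-]+\.\w+)")
PNPM_BUILTINS = {"install", "add", "exec", "dlx"}  # pnpm commands, not package.json scripts


def check_skill(skill_text, repo):
    """Return sorted (line, kind, name) for each reference the checkout cannot satisfy."""
    pkg, mk = repo / "package.json", repo / "Makefile"
    scripts = set(json.loads(pkg.read_text()).get("scripts", {})) if pkg.is_file() else None
    mk_text = mk.read_text() if mk.is_file() else ""
    targets = set(re.findall(r"^([A-Za-z][\w-]*)\s*:(?!=)", mk_text, re.M))
    findings, in_fence = set(), False
    for no, line in enumerate(skill_text.splitlines(), 1):
        if line.lstrip().startswith("`" * 3):
            in_fence = not in_fence
            continue
        # Commands are read only from code (fenced lines or `inline` spans), not prose.
        code = line if in_fence else " ".join(re.findall(r"`([^`]+)`", line))
        findings |= {(no, "pnpm", n) for n in PNPM_RE.findall(code)
                     if scripts is None or n not in scripts | PNPM_BUILTINS}
        findings |= {(no, "make", t) for t in MAKE_RE.findall(code) if t not in targets}
        findings |= {(no, "path", p) for p in PATH_RE.findall(line) if not (repo / p).exists()}
    return sorted(findings)


def demo():
    """Check a constructed skill excerpt against a constructed Makefile-only checkout."""
    skill = "\n".join([
        "Start a lease with `pnpm crabbox:run`.",
        "Then run `pnpm test:changed` or `pnpm test`.",
        "The wrapper lives in scripts/crabbox-wrapper.mjs.",
        "See .github/workflows/ci-check-testbox.yml.",
        "Make sure `make lint` and `make test` pass.",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Makefile").write_text("lint:\n\t@true\ntest:\n\t@true\nbuild:\n\t@true\n")
        return check_skill(skill, Path(tmp))


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An empty result means every command and path the skill names resolves in the checkout, so the check can gate a copied skill before it is merged into a repository with a different validation surface.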

clawsweeper Bot added labels May 22, 2026:

  • rating: 🦐 gold shrimp: Decent PR readiness signal, but merge confidence is limited.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • merge-risk: 🚨 automation: 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

vincentkoc marked this pull request as ready for review May 22, 2026 21:39
vincentkoc merged commit fbae9cd into main May 22, 2026
4 checks passed
vincentkoc deleted the chore/setup-baseline-safe-20260523 branch May 22, 2026 21:59