Skip to content

chore: add maintainer setup baseline#9

Closed
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522
Closed

chore: add maintainer setup baseline#9
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522

Conversation

@vincentkoc

Copy link
Copy Markdown
Member

Summary

  • add the OpenClaw Crabbox and autoreview skills
  • add Crabbox hydrate CI support with repo-specific .crabbox.yaml
  • add SECURITY.md and maintainer ownership for setup/security surfaces

Verification

  • git diff --check
  • ruby YAML.load_file for .crabbox.yaml and new workflow files
  • actionlint .github/workflows/crabbox-hydrate.yml .github/workflows/codeql.yml
  • verified Crabbox skill SHA-256 matches openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • verified autoreview skill SHA-256 matches openclaw/openclaw: 3a07642b5815cb5dbec96ff1c448d5af757d9b8188c365219048cb288b48b2fa

Runtime tests were not run; this is setup, policy, and workflow metadata only.

@vincentkoc vincentkoc force-pushed the chore/setup-baseline-20260522 branch from acb0a2e to 77da5ea Compare May 22, 2026 09:00
@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 09:05 UTC / May 22, 2026, 5:05 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds OpenClaw autoreview and Crabbox agent skills, a Crabbox hydrate config and workflow, CODEOWNERS coverage for those setup/security surfaces, and SECURITY.md.

Reproducibility: not applicable. This PR adds setup, policy, and workflow metadata rather than reporting a reproducible runtime bug.

PR rating
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Summary: The setup direction is understandable, but the added skill baseline needs crawlkit-specific validation alignment before it is quality-ready.

Rank-up moves:

  • Add or document crawlkit Go validation paths in the new skills/helper.
  • Have the setup/security owner confirm the intended scope of the Crabbox workflow before merge.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The PR is authored by a repository member and changes setup/policy metadata, so the external contributor real-behavior proof gate does not apply.

Risk before merge

  • The bundled skills are copied from OpenClaw and steer validation toward pnpm/Node workflows that do not exist in crawlkit, so maintainers could get a false sense of review coverage unless the skills are adapted or clearly scoped.
  • The PR adds Crabbox/self-hosted-runner automation, so the final merge should be explicitly owned by maintainers responsible for setup and security surfaces.

Maintainer options:

  1. Add crawlkit validation lanes (recommended)
    Update the new skills or helper defaults so crawlkit reviewers are pointed at GOWORK=off Go checks instead of only OpenClaw pnpm paths.
  2. Accept shared skill drift knowingly
    Maintainers can choose to keep the byte-matched OpenClaw skills, but should document that crawlkit validation still requires explicit Go commands.
  3. Pause for setup owner review
    Because this touches self-hosted validation and security ownership, maintainers can pause the PR until the automation owner confirms the intended repo scope.

Next step before merge
The remaining blocker is maintainer direction on whether to keep byte-matched OpenClaw skills or adapt them for crawlkit's Go validation workflow.

Security
Cleared: The CI/supply-chain pass found no concrete security regression beyond the automation-fit finding; the new workflow uses read-only contents permission and validates the Crabbox id before writing runner state.

Review findings

  • [P2] Add crawlkit Go validation to the skill baseline — .agents/skills/crabbox/SKILL.md:39
Review details

Best possible solution:

Make the setup baseline crawlkit-aware while preserving any shared OpenClaw skill guidance maintainers intentionally want to keep.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds setup, policy, and workflow metadata rather than reporting a reproducible runtime bug.

Is this the best way to solve the issue?

No: the baseline should be adjusted or explicitly scoped so crawlkit maintainers get Go-module validation guidance instead of only OpenClaw monorepo pnpm guidance.

Label changes:

  • add P3: This is repository setup, policy, and maintainer workflow work rather than an urgent runtime bug.
  • add merge-risk: 🚨 automation: The PR changes agent skills and a Crabbox hydration workflow, and the current skill text does not match crawlkit's Go validation contract.
  • add rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and The setup direction is understandable, but the added skill baseline needs crawlkit-specific validation alignment before it is quality-ready.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The PR is authored by a repository member and changes setup/policy metadata, so the external contributor real-behavior proof gate does not apply.

Label justifications:

  • P3: This is repository setup, policy, and maintainer workflow work rather than an urgent runtime bug.
  • merge-risk: 🚨 automation: The PR changes agent skills and a Crabbox hydration workflow, and the current skill text does not match crawlkit's Go validation contract.
  • rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and The setup direction is understandable, but the added skill baseline needs crawlkit-specific validation alignment before it is quality-ready.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The PR is authored by a repository member and changes setup/policy metadata, so the external contributor real-behavior proof gate does not apply.

Full review comments:

  • [P2] Add crawlkit Go validation to the skill baseline — .agents/skills/crabbox/SKILL.md:39
    This new skill is being installed in the crawlkit repo, but its runnable Crabbox guidance starts with pnpm/OpenClaw monorepo commands while crawlkit is a Go module whose handoff contract is GOWORK=off go vet ./... and GOWORK=off go test -count=1 ./.... Following the bundled skill here will fail or skip the repository's real validation path, so add crawlkit Go lanes or clearly separate the monorepo-only examples before merging.
    Confidence: 0.82

Overall correctness: patch is incorrect
Overall confidence: 0.78

Acceptance criteria:

  • GOWORK=off go mod tidy
  • git diff --exit-code -- go.mod go.sum
  • GOWORK=off go vet ./...
  • GOWORK=off go test -count=1 ./...
  • actionlint .github/workflows/crabbox-hydrate.yml .github/workflows/codeql.yml

What I checked:

  • member-authored draft PR: The provided GitHub context identifies the author association as MEMBER and the PR as draft, so cleanup should not auto-close it absent a definite implemented-on-main result.
  • current main lacks the setup files: Current main has no .agents tree, no .crabbox.yaml, and no SECURITY.md, so the PR is not already implemented on main. (f9b29a07f0a6)
  • PR commit surface: The PR head commit adds six new files and extends CODEOWNERS for the new setup/security surfaces. (77da5eaa2a59)
  • crawlkit validation contract: The repository instructions require GOWORK=off Go validation before handoff, which the added autoreview helper does not auto-detect for this Go module. (AGENTS.md:35, f9b29a07f0a6)
  • added skill is Node/pnpm-oriented: The new Crabbox skill contains many OpenClaw monorepo pnpm examples and no crawlkit Go validation lane, which is the main automation fit concern for this repository. (.agents/skills/crabbox/SKILL.md:39, 77da5eaa2a59)
  • lightweight syntax checks: The PR commit diff has no whitespace errors, the new YAML parses, and the new autoreview shell script passes bash syntax checking. (77da5eaa2a59)

Likely related people:

  • Vincent Koc: Prior history shows this person introduced protected automation ownership and verified secret scanning, and the PR commit adds the new setup baseline files. (role: setup and security automation contributor; confidence: high; commits: 17f8be07db87, ae16f4d, 77da5eaa2a59; files: .github/CODEOWNERS, .github/workflows/secret-scan.yml, .agents/skills/autoreview/SKILL.md)
  • Peter Steinberger: Current main blame for CODEOWNERS points to the v0.7.0-era setup snapshot, making this person relevant for ownership-rule alignment on main. (role: recent adjacent setup contributor; confidence: medium; commits: 0d89ddf3da61; files: .github/CODEOWNERS)

Codex review notes: model gpt-5.5, reasoning high; reviewed against f9b29a07f0a6.

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete

Copy link
Copy Markdown
Contributor

Closing this in favor of the shared public skill source at https://github.com/openclaw/agent-skills.

We do not want to vendor the same maintainer skills into every repo. Repos that need zero-setup guidance should add a small pointer to openclaw/agent-skills; shared skill content should be updated there first and synced only where a vendored snapshot is intentionally required.

@steipete steipete closed this May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants