Skip to content

chore: add maintainer setup baseline#53

Closed
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522
Closed

chore: add maintainer setup baseline#53
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522

Conversation

@vincentkoc

Copy link
Copy Markdown
Member

Summary

  • add the OpenClaw Crabbox and autoreview skills
  • add Crabbox hydrate CI support with repo-specific .crabbox.yaml
  • add SECURITY.md and maintainer ownership for setup/security surfaces\n- add the missing Go CodeQL workflow

Verification

  • git diff --check
  • ruby YAML.load_file for .crabbox.yaml and new workflow files
  • actionlint .github/workflows/crabbox-hydrate.yml .github/workflows/codeql.yml
  • verified Crabbox skill SHA-256 matches openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43
  • verified autoreview skill SHA-256 matches openclaw/openclaw: 3a07642b5815cb5dbec96ff1c448d5af757d9b8188c365219048cb288b48b2fa

Runtime tests were not run; this is setup, policy, and workflow metadata only.

@vincentkoc vincentkoc force-pushed the chore/setup-baseline-20260522 branch from 660ed54 to 604b547 Compare May 22, 2026 09:00
@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown

Codex review: needs changes before merge.

Latest ClawSweeper review: 2026-05-22 09:05 UTC / May 22, 2026, 5:05 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch adds repo maintainer setup files: Crabbox and autoreview skills, Crabbox hydrate and CodeQL workflows, Crabbox config, SECURITY.md, AGENTS.md, and expanded CODEOWNERS coverage.

Reproducibility: not applicable. this is a setup and CI PR rather than a reported runtime bug. The blocker is source-verifiable by comparing the proposed autoreview copy with current OpenClaw upstream and reading the default sandbox line.

PR rating
Overall: 🦪 silver shellfish
Proof: 🌊 off-meta tidepool
Patch quality: 🦪 silver shellfish
Summary: The setup direction is coherent, but the stale autoreview copy creates a concrete security/tooling blocker before this is merge-ready.

Rank-up moves:

  • Refresh autoreview from current OpenClaw upstream.
  • Rerun the hash checks plus YAML/actionlint validation after the refresh.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a member-authored maintainer setup PR, so the external contributor real-behavior proof gate does not apply; the body includes static validation but no runtime proof.

Risk before merge

  • Merging as-is would install a stale autoreview helper that diverges from current OpenClaw's structured read-only helper and defaults local nested Codex review to danger-full-access.
  • The new workflow_dispatch/self-hosted Crabbox path changes repo automation and runner trust boundaries; maintainers should explicitly accept the dynamic runner-label and ref model before merge.

Maintainer options:

  1. Refresh the autoreview baseline (recommended)
    Update the autoreview skill docs and script from current openclaw/openclaw main, preserve the executable bit, and rerun the hash/YAML/actionlint checks before merge.
  2. Intentionally pin the older helper
    Maintainers may accept the older Bash helper, but the PR should state why the full-access default and divergence from current OpenClaw are intentional.
  3. Pause repo-local skill bundling
    If gitcrawl should not vendor repo-local skills, pause this PR and move skill installation to the external OpenClaw or agent-scripts distribution path.
Copy recommended automerge instruction
@clawsweeper automerge

Special instructions:
Refresh `.agents/skills/autoreview/SKILL.md` and `.agents/skills/autoreview/scripts/autoreview` from current `openclaw/openclaw` main, preserve mode 100755 for the script, update the verification hashes, and rerun the documented hash/YAML/actionlint checks.

Next step before merge
A narrow repair can refresh the stale autoreview skill copy from current OpenClaw while leaving the broader workflow and runner-trust decisions for maintainer review.

Security
Needs attention: The PR adds security-sensitive maintainer tooling and one copied helper is stale in a way that weakens the local review sandbox compared with current OpenClaw.

Review findings

  • [P2] Replace the stale autoreview helper copy — .agents/skills/autoreview/scripts/autoreview:143
Review details

Best possible solution:

Land the setup baseline only after refreshing autoreview to current OpenClaw upstream and maintainer-accepting the new Crabbox and CodeQL workflow permissions.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a setup and CI PR rather than a reported runtime bug. The blocker is source-verifiable by comparing the proposed autoreview copy with current OpenClaw upstream and reading the default sandbox line.

Is this the best way to solve the issue?

No; the Crabbox, CodeQL, SECURITY.md, AGENTS.md, and CODEOWNERS direction fits the setup goal, but the autoreview baseline should be refreshed before merge to avoid a stale higher-risk maintainer helper.

Label changes:

  • add P2: This is a normal-priority maintainer setup PR with a concrete blocker in security-sensitive review tooling.
  • add merge-risk: 🚨 security-boundary: The proposed autoreview helper defaults nested Codex review to danger-full-access and the new self-hosted Crabbox workflow changes runner trust boundaries.
  • add merge-risk: 🚨 automation: The PR adds new CodeQL and Crabbox workflow automation plus repo-local review tooling that CI alone cannot validate for operator behavior.
  • add rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and The setup direction is coherent, but the stale autoreview copy creates a concrete security/tooling blocker before this is merge-ready.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a member-authored maintainer setup PR, so the external contributor real-behavior proof gate does not apply; the body includes static validation but no runtime proof.

Label justifications:

  • P2: This is a normal-priority maintainer setup PR with a concrete blocker in security-sensitive review tooling.
  • merge-risk: 🚨 automation: The PR adds new CodeQL and Crabbox workflow automation plus repo-local review tooling that CI alone cannot validate for operator behavior.
  • merge-risk: 🚨 security-boundary: The proposed autoreview helper defaults nested Codex review to danger-full-access and the new self-hosted Crabbox workflow changes runner trust boundaries.
  • rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and The setup direction is coherent, but the stale autoreview copy creates a concrete security/tooling blocker before this is merge-ready.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a member-authored maintainer setup PR, so the external contributor real-behavior proof gate does not apply; the body includes static validation but no runtime proof.

Full review comments:

  • [P2] Replace the stale autoreview helper copy — .agents/skills/autoreview/scripts/autoreview:143
    The PR says this skill matches OpenClaw, but the proposed autoreview copy is no longer current: this line makes nested Codex run with danger-full-access by default, while current OpenClaw has moved to a structured Python helper that uses a read-only sandbox. Landing this copy would give gitcrawl a divergent, higher-risk maintainer review path, so refresh the skill from current OpenClaw before merge.
    Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.88

Security concerns:

  • [medium] Stale autoreview helper uses full-access review by default — .agents/skills/autoreview/scripts/autoreview:143
    The proposed helper defaults nested Codex review to danger-full-access, while the current upstream OpenClaw autoreview helper is structured around read-only review tooling; this should be refreshed or explicitly accepted before merge.
    Confidence: 0.88

Acceptance criteria:

What I checked:

  • Member-authored draft PR: The provided GitHub context shows the PR is open, draft, authored by vincentkoc with authorAssociation MEMBER, and has head SHA 604b547. (604b5471d115)
  • Current setup ownership baseline: Current main already protects CODEOWNERS, Dependabot, workflows, release config, modules, and release/publish scripts under @openclaw/openclaw-secops; the PR extends that existing pattern to new setup/security files. (.github/CODEOWNERS:1, a85851779501)
  • CODEOWNERS provenance: git blame shows the existing CODEOWNERS/security workflow baseline was introduced in a73f216 by Vincent Koc. (.github/CODEOWNERS:1, a73f2162d2a6)
  • Autoreview helper defaults to full access: The proposed autoreview script adds danger-full-access Codex review arguments by default unless yolo is explicitly disabled. (.agents/skills/autoreview/scripts/autoreview:143, 604b5471d115)
  • Autoreview copy is stale against OpenClaw upstream: The PR autoreview SKILL.md hash is 3a07642b5815cb5dbec96ff1c448d5af757d9b8188c365219048cb288b48b2fa while current openclaw/openclaw main is 0542f1ef7884281c572081353bf69e0c6277bbf96e38bc104ef226951e52158a; the scripts also differ, with the PR bash helper hash c4a069886c5bae5cc24d93330bc424347ff94cae92a83345ba81046861eaafce vs upstream 75bc6b3a2285b60fec1afab16e44a351bdc09f7a1df4d5007314759e84cb6720. (.agents/skills/autoreview/SKILL.md:1, 604b5471d115)
  • Crabbox skill copy matches OpenClaw upstream: The proposed Crabbox skill hash matches current openclaw/openclaw main at ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43, so the copy-drift concern is specific to autoreview. (.agents/skills/crabbox/SKILL.md:1, 604b5471d115)

Likely related people:

  • Vincent Koc: Blame and history show Vincent Koc introduced the current CODEOWNERS, workflow, Dependabot, release, and module baseline that this PR extends. (role: introduced current setup/security baseline; confidence: high; commits: a73f2162d2a6; files: .github/CODEOWNERS, .github/workflows/ci.yml, .github/workflows/secret-scan.yml)
  • Peter Steinberger: Recent main commits adjusted crawlkit module versions in go.mod/go.sum, which are adjacent to the setup-go and CodeQL workflow surfaces added here. (role: recent adjacent dependency contributor; confidence: low; commits: a85851779501, 563d067b9743; files: go.mod, go.sum)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a85851779501.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete

Copy link
Copy Markdown
Contributor

Closing this in favor of the shared public skill source at https://github.com/openclaw/agent-skills.

We do not want to vendor the same maintainer skills into every repo. Repos that need zero-setup guidance should add a small pointer to openclaw/agent-skills; shared skill content should be updated there first and synced only where a vendored snapshot is intentionally required.

@steipete steipete closed this May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants