chore: add maintainer setup baseline #157

Closed
vincentkoc wants to merge 1 commit into main from chore/setup-baseline-20260522

Conversation

@vincentkoc (Member)

Summary

  • add maintainer setup baseline files for this repository
  • add CODEOWNERS, Dependabot, SECURITY.md, CodeQL, stale automation, and Crabbox/autoreview support
  • configure Swift and JavaScript/TypeScript CodeQL plus Crabbox hydrate checks

Verification

  • git diff --check
  • ruby YAML.load_file for added/changed YAML files
  • actionlint for added/changed workflow files
  • private-data scan for added/changed non-skill setup files; PNPM_VERSION hits, where present, were false positives
  • verified Crabbox skill SHA-256 matches openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43

Runtime tests were not run; this is setup, policy, and workflow metadata only.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@clawsweeper clawsweeper Bot commented May 22, 2026

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 14:45 UTC / May 22, 2026, 10:45 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds repo setup baseline files: CODEOWNERS, SECURITY.md, Dependabot, CodeQL/stale/Crabbox workflows, Crabbox config, and bundled autoreview/crabbox skills.

Reproducibility: not applicable. This is a setup and automation PR, not a bug report. The review is source-reproducible from the proposed YAML/CODEOWNERS files and current repository layout.

PR rating
Overall: 🦪 silver shellfish
Proof: 🌊 off-meta tidepool
Patch quality: 🦪 silver shellfish
Summary: The baseline is useful but not quality-ready because core ownership, dependency-update, and stale-automation behavior need repo-specific fixes.

Rank-up moves:

  • Add CODEOWNERS coverage for the actual Apps/ and Core/ implementation/package paths.
  • Add Dependabot Swift entries for the nested package directories maintainers want covered.
  • Change the assigned-PR stale lane so normal updates prevent stale closure, or document and approve the stricter policy.

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The PR is authored by a repository member and changes setup/automation metadata, so the external-contributor real behavior proof gate does not apply.

Risk before merge

  • Merging this baseline as-is could give maintainers a false sense of security because CODEOWNERS and Dependabot omit most actual Swift package/source paths.
  • The stale workflow can affect issue and PR lifecycle directly, including assigned PRs where updates are ignored for stale calculation.
  • The Crabbox/self-hosted workflow and bundled executable review helper are automation surfaces that should receive explicit maintainer approval before merge.

Maintainer options:

  1. Fix repo-specific automation coverage first (recommended)
    Update CODEOWNERS, Dependabot, and stale settings so they match Peekaboo's actual Apps/Core package layout and intended PR lifecycle behavior before merge.
  2. Accept the generic baseline knowingly
    Maintainers can merge the generic OpenClaw baseline as a policy choice, but should knowingly accept that several source/dependency surfaces remain outside the new automation.
  3. Pause until setup policy is confirmed
    If stale closure, Crabbox runner behavior, or OpenClaw secops ownership is not yet settled for this repo, leave the draft paused until that policy is explicit.

Next step before merge
This maintainer-authored draft changes repository policy and automation surfaces, so the remaining decisions should stay with maintainers rather than an autonomous repair lane.

Security
Needs attention: Needs attention because the added security baseline omits most real Swift source/package surfaces from ownership and dependency-update coverage.

Review findings

  • [P2] Cover the actual Apps/Core source trees — .github/CODEOWNERS:15-18
  • [P2] Add Dependabot entries for nested Swift packages — .github/dependabot.yml:19-20
  • [P2] Do not ignore updates on assigned PRs — .github/workflows/stale.yml:79

Review details

Best possible solution:

Keep the baseline, but make it Peekaboo-specific by covering Apps/Core package surfaces and using stale/Crabbox settings that match maintainer policy.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a setup and automation PR, not a bug report. The review is source-reproducible from the proposed YAML/CODEOWNERS files and current repository layout.

Is this the best way to solve the issue?

No; the current PR direction is useful, but the implementation should be adjusted to cover Peekaboo's real Apps/Core Swift package structure and avoid stale behavior that ignores assigned PR updates.

Label changes:

  • add P2: This is a normal-priority repo setup improvement with limited blast radius but concrete automation/security coverage gaps.
  • add merge-risk: 🚨 automation: The PR adds workflows and stale automation that can run checks and close issues/PRs after merge.
  • add rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and the baseline is useful but not quality-ready because core ownership, dependency-update, and stale-automation behavior need repo-specific fixes.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The PR is authored by a repository member and changes setup/automation metadata, so the external-contributor real behavior proof gate does not apply.

Label justifications:

  • P2: This is a normal-priority repo setup improvement with limited blast radius but concrete automation/security coverage gaps.
  • merge-risk: 🚨 automation: The PR adds workflows and stale automation that can run checks and close issues/PRs after merge.
  • rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and the baseline is useful but not quality-ready because core ownership, dependency-update, and stale-automation behavior need repo-specific fixes.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The PR is authored by a repository member and changes setup/automation metadata, so the external-contributor real behavior proof gate does not apply.

Full review comments:

  • [P2] Cover the actual Apps/Core source trees — .github/CODEOWNERS:15-18
    The ownership baseline claims to protect package, release, and security-sensitive surfaces, but these patterns only cover root package files plus generic /src, /Sources, /cmd, and /internal paths that are not where this repo's Swift app/core code lives. Changes under Apps/ and Core/ would bypass the new CODEOWNERS review expectation, so add the real Peekaboo source/package paths before relying on this baseline.
    Confidence: 0.91
  • [P2] Add Dependabot entries for nested Swift packages — .github/dependabot.yml:19-20
    This single Swift entry only scans the root package, while the repo has external dependencies in nested manifests such as Apps/CLI/Package.swift, Apps/Mac/Package.swift, and Core/PeekabooExternalDependencies/Package.swift. As written, the dependency automation will miss the packages most users build and ship, so add separate Swift entries for the nested package directories that should be maintained.
    Confidence: 0.9
  • [P2] Do not ignore updates on assigned PRs — .github/workflows/stale.yml:79
    The assigned-PR stale lane sets ignore-pr-updates: true while still closing assigned PRs after 27+7 days, so active assigned PRs can be marked and closed based on age rather than inactivity. Drop this option or add the intended exemptions if assigned PRs should stay open when contributors keep updating them.
    Confidence: 0.84

Overall correctness: patch is incorrect
Overall confidence: 0.87

Security concerns:

  • [medium] CODEOWNERS misses primary source paths — .github/CODEOWNERS:15
    The new CODEOWNERS protects generic paths but not the actual Apps/ and Core/ source trees, so branch protection based on CODEOWNERS would not require the intended security review for most implementation changes.
    Confidence: 0.9
  • [medium] Dependabot misses nested Swift manifests — .github/dependabot.yml:19
    The Swift Dependabot entry only targets /, leaving nested packages with external dependencies outside the new supply-chain update coverage.
    Confidence: 0.88

What I checked:

  • PR scope: The branch adds 10 new setup, workflow, security, and skill files with 2,137 insertions. (4d4d1ff7ead7)
  • Protected author signal: The GitHub context marks the PR author association as MEMBER, so this cleanup workflow should not auto-close it.
  • CODEOWNERS mismatch: The proposed CODEOWNERS protects root Package files and generic /src, /Sources, /cmd, and /internal paths, but those do not cover the real app/core source layout. (.github/CODEOWNERS:15, 4d4d1ff7ead7)
  • Current source layout: Current main has Swift package manifests and implementation surfaces under Apps/, Core/, and Examples/, including many nested Package.swift files outside the PR's root-only ownership/dependency coverage. (4a4bd3b060e2)
  • Dependabot root-only Swift entry: The proposed Dependabot config has a single Swift ecosystem entry for directory /, which misses nested Swift package manifests such as Apps/CLI, Apps/Mac, and Core packages. (.github/dependabot.yml:19, 4d4d1ff7ead7)
  • Nested dependency evidence: Current main contains external Swift dependencies in nested manifests, including Apps/CLI/Package.swift, Apps/Mac/Package.swift, Core/PeekabooExternalDependencies/Package.swift, and Core/PeekabooCore/Package.swift. (4a4bd3b060e2)

Likely related people:

  • Peter Steinberger: Current main history/blame for Package.swift, package.json, CHANGELOG.md, and .github/workflows/macos-ci.yml points to recent package/workflow/release work by this author, making him the best routing candidate from main history. (role: recent area contributor; confidence: medium; commits: 4a4bd3b060e2, d7b665c5df8b; files: Package.swift, package.json, CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4a4bd3b060e2.
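The Dependabot gap in the findings above (a root-only `swift` entry versus nested Package.swift manifests), as an added checker that is neither the PR's nor ClawSweeper's code: it builds a constructed tree holding the manifests the review names, scans an assumed dependabot.yml shape without PyYAML, lists the package directories Dependabot would never visit, and renders the extra entries. Only the `swift` package-ecosystem and the manifest paths come from the review; the config text and helper names are assumptions.

```python
import re
import tempfile
from pathlib import Path
# Constructed dependabot.yml with the root-only `swift` entry the review flags (assumed
# shape, not the PR's file); the github-actions entry makes the scanner track ecosystems.
DEPENDABOT_ROOT_ONLY = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
  - package-ecosystem: "swift"
    directory: "/"
    schedule:
      interval: "weekly"
"""
# Root manifest plus the nested ones the review names (constructed layout, empty files).
SAMPLE_MANIFESTS = ["Package.swift", "Apps/CLI/Package.swift", "Apps/Mac/Package.swift",
                    "Core/PeekabooExternalDependencies/Package.swift", "Core/PeekabooCore/Package.swift"]
ECOSYSTEM_RE = re.compile(r'package-ecosystem:\s*"?([\w-]+)"?')
DIRECTORY_RE = re.compile(r'directory:\s*"?([^"\s]+)"?')

def build_sample_repo() -> Path:
    """Create a throwaway tree holding SAMPLE_MANIFESTS and return its root."""
    root = Path(tempfile.mkdtemp(prefix="peekaboo-layout-"))
    for rel in SAMPLE_MANIFESTS:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    return root

def swift_directories(dependabot_text: str) -> set[str]:
    """Directories covered by `swift` entries (line scan, so no PyYAML is needed)."""
    covered, ecosystem = set(), None
    for line in dependabot_text.splitlines():
        if m := ECOSYSTEM_RE.search(line):
            ecosystem = m.group(1)  # an entry's ecosystem line precedes its directory
        elif (m := DIRECTORY_RE.search(line)) and ecosystem == "swift":
            covered.add("/" + m.group(1).strip("/"))
    return covered

def uncovered_swift_manifests(repo_root: Path, dependabot_text: str) -> list[str]:
    """Package.swift directories that Dependabot would never scan with this config."""
    found = set()
    for manifest in repo_root.rglob("Package.swift"):
        rel = manifest.parent.relative_to(repo_root).as_posix()
        found.add("/" if rel == "." else "/" + rel)
    return sorted(found - swift_directories(dependabot_text))

def missing_swift_entries(dirs: list[str]) -> str:
    # Render the extra `swift` update entries that would close the gap.
    return "".join(f'  - package-ecosystem: "swift"\n    directory: "{d}"\n'
                   '    schedule:\n      interval: "weekly"\n' for d in dirs)
```

Appending `missing_swift_entries(uncovered_swift_manifests(repo, DEPENDABOT_ROOT_ONLY))` to the config leaves no uncovered directory; the same scan-and-diff approach carries over to checking CODEOWNERS patterns against the real Apps/ and Core/ trees.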

@clawsweeper clawsweeper Bot added labels on May 22, 2026: rating: 🦪 silver shellfish (thin PR readiness signal; proof, validation, or implementation needs work), status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action), P2 (normal priority bug or improvement with limited blast radius), merge-risk: 🚨 automation (🚨 merging this PR could break CI, automerge, proof capture, label sync, or automation).
@clawsweeper clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete (Collaborator)

Closing this in favor of the shared public skill source at https://github.com/openclaw/agent-skills.

We do not want to vendor the same maintainer skills into every repo. Repos that need zero-setup guidance should add a small pointer to openclaw/agent-skills; shared skill content should be updated there first and synced only where a vendored snapshot is intentionally required.

@steipete steipete closed this May 22, 2026