feat: add GitHub Codespaces provider#347
Conversation
|
Codex review: needs real behavior proof before merge. Reviewed July 3, 2026, 6:50 PM ET / 22:50 UTC. Summary Reproducibility: not applicable. this is a new provider PR, not a bug report. Current main lacks a GitHub Codespaces provider, and the PR supplies the implementation candidate. Review metrics: 2 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Merge only after current-head live-smoke proof demonstrates the full Codespaces lifecycle with redacted output and maintainers explicitly accept the provider API, defaults, and cleanup/security behavior. Do we have a high-confidence way to reproduce the issue? Not applicable: this is a new provider PR, not a bug report. Current main lacks a GitHub Codespaces provider, and the PR supplies the implementation candidate. Is this the best way to solve the issue? Unclear for merge readiness: the dedicated provider adapter matches the repository architecture, but it should not land until current-head live proof and maintainer product/security acceptance are in place. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 62831c8972de. Label changesLabel justifications:
Evidence reviewedSecurity concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
1887b52 to
2afc239
Compare
|
@clawsweeper re-review Maintainer update on
Local validation: GitHub CI on the pushed head is green: Go, Apple VZ, Worker, Scripts, Docs, and Release Check all passed in https://github.com/openclaw/crabbox/actions/runs/28077485642. Still not merging this yet: it remains gated by |
|
🦞🧹 I asked ClawSweeper to review this item again. |
2afc239 to
41ccc44
Compare
|
Rebased this PR onto current New head: Conflict resolution kept both AWS Lambda MicroVM and GitHub Codespaces in generated docs/source-map metadata. Provider matrix now reports Local validation on the rebased head: Still not merging: live GitHub Codespaces create/status/run/ssh/release proof and auth/security/compatibility gates are still required. |
|
Public CI is green on rebased head Green checks: Go, Apple VZ, Worker, Scripts, Docs, and Release Check. Merge state is clean. Still not merging: |
|
Maintainer proof update for Changed:
Local validation at head
Still not claiming live provider proof from this machine because I do not have an authenticated Codespaces smoke repo/token here. The added path is meant to make that live proof one standard command once credentials are available. @clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
Public CI is now green on current head Green checks: Go, Apple VZ, Worker, Scripts, Docs, and Release Check. Still not merging: authenticated GitHub Codespaces lifecycle proof remains missing, and |
|
@clawsweeper re-review Updated the PR body with current-head validation evidence, full issue link, and the remaining authenticated live-proof gate. No code changes in this update. Still not merging unless the live Codespaces proof labels clear and the auth/compat/security gates are satisfied. |
|
@clawsweeper re-review Follow-up maintainer repair pushed in What changed:
Local validation:
Local live-auth preflight with the current maintainer auth is credential-bound, as expected:
Public CI is green on Still not merge-ready: this proves the local auth blocker and improves the proof harness, but it is not a live Codespaces create/run/ssh/release proof. The PR still needs redacted authenticated lifecycle proof and explicit auth/compat/security acceptance. |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review Updated the PR body to current head No code changes in this update. Remaining gate is still redacted authenticated GitHub Codespaces lifecycle proof; my current GitHub token lacks the |
5c493a4 to
4179455
Compare
Add the discoverable github-codespaces provider foundation with typed config, provider flags, redaction-safe client and gh runner boundaries, and OpenSSH config parsing for the future SSH lease lifecycle. Keep live Codespaces lifecycle behavior intentionally deferred to the next plan while making doctor fail closed until readiness is implemented.
Add claim-backed acquire, resolve, list, release, touch, cleanup, and doctor behavior for GitHub Codespaces, including generated OpenSSH config targets and conservative delete safety checks. Release and cleanup mutations now require local ownership claims, refuse dirty or unpushed codespaces before delete, and keep retained lease labels/endpoints consistent across stop and wake flows. Verification: go test ./internal/providers/githubcodespaces; go test -race ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli
Document the direct GitHub Codespaces provider, add generated matrix metadata, and add a guarded live smoke with deterministic gating/redaction tests.
Align the GitHub Codespaces backend with the documented default cleanup policy, GitHub CLI token precedence, bounded provisioning waits, explicit generic work root handling, and the real gh SSH config Host alias shape.
Validate that the guarded GitHub Codespaces smoke lease is absent after cleanup without failing on unrelated retained claim-owned Codespaces leases.
Persist the effective Codespaces work root into lease labels and claims, and rewrite generated gh SSH proxy commands to honor the configured GitHub CLI path.
Keep GitHub Codespaces display names within the documented limit for long but valid Crabbox slugs while preserving the collision-resistant suffix. Also assert that create requests continue using the current geo field rather than the legacy location field.
Fall back to stopping and retaining a Codespace when default delete-on-release is unsafe because the remote worktree has uncommitted or unpushed changes. This avoids turning successful runs into failed cleanup while still clearing stale SSH endpoints.
Make the release-claim retention hook read the post-release claim state so dirty Codespaces that fall back from delete to stop are not orphaned by higher-level release finalizers.
Treat GitHub Codespaces 304 Not Modified start responses as successful no-ops so resolving retained Codespaces can continue polling the existing codespace.
Apply the generic --type machine override for the canonical provider and advertised Codespaces aliases so alias-based invocations do not silently provision the default machine size.
Treat GitHub Codespaces 304 Not Modified delete responses as successful no-ops so release and cleanup remain idempotent when GitHub reports no remote state change is needed.
Allow StatusOnly resolves with ReadyProbe to refresh and probe the SSH target so status --wait can observe readiness for healthy Codespaces leases.
Warmup keep semantics should keep a lease available after provisioning, not rewrite the later provider release action. Preserve the delete-on-release policy in stored Codespaces claims so default stop and cleanup paths delete claim-owned Codespaces unless configuration explicitly retains them.
Treat githubCodespaces.repo like the other Codespaces connection selectors when loading untrusted repository config. Repo-local config can no longer redirect creation to an arbitrary repository; operators can still select a repo through trusted config, environment, or explicit CLI flags.
3bee0c1 to
928f643
Compare
Closes #348
Summary
Adds a direct GitHub Codespaces Linux SSH-lease provider with aliases
codespacesandgh-codespaces.ghauthentication.gh codespace ssh --configto drive normal Crabbox SSH, rsync,run,ssh,status,stop, and cleanup flows.scripts/live-smoke.shdispatch.main, retaining both the newvastdefaults/provider docs and this Codespaces provider surface.Verification
Local validation on current head
928f643a2398dc64608abf8680396e3c2da97aab:Generated provider matrix was refreshed after the rebase: current docs now report 71 built-in providers and 42 SSH-lease providers.
Exact-head CI is terminal green: https://github.com/openclaw/crabbox/actions/runs/28685912168
Remaining Merge Gate
Do not merge yet while
status: 📣 needs proof,merge-risk: 🚨 auth-provider,merge-risk: 🚨 compatibility, andmerge-risk: 🚨 security-boundaryremain. This still needs redacted authenticated GitHub Codespaces lifecycle proof:Required proof should show
doctor, create/wait for a short-lived Codespace lease, synced command execution, rendered SSH command, release/delete or safe stop/retain fallback, dry-run cleanup, final claim-owned inventory state, and no leaked token/output. Local GitHub auth still lacks the requiredcodespacescope, so live provider proof remains the only blocker after exact-head local and CI validation.