feat: add GitHub Codespaces provider #347
|
Codex review: needs real behavior proof before merge.
Reviewed July 5, 2026, 8:19 AM ET / 12:19 UTC.
Summary
Reproducibility: yes, for the review blockers from source inspection: the PR auth path accepts signed GitHub tokens without revalidation, and Codespace creation happens before durable recovery state. The successful live provider lifecycle itself has not been reproduced because credentialed proof is missing.
Review metrics: 3 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.
Merge readiness
Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.
Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review findings
Review details
Best possible solution: Land this only after preserving current worker membership fail-closed behavior, designing durable Codespaces recovery/reconciliation before remote create, and adding redacted successful lifecycle proof for the exact head.
Do we have a high-confidence way to reproduce the issue? Yes for the review blockers from source inspection: the PR auth path accepts signed GitHub tokens without revalidation, and Codespace creation happens before durable recovery state. The successful live provider lifecycle itself has not been reproduced because credentialed proof is missing.
Is this the best way to solve the issue? No. A Codespaces provider is a reasonable feature direction, but this branch is not the best landing path until it preserves the current auth boundary and records recoverable state before remote creation.
Full review comments:
Overall correctness: patch is incorrect
AGENTS.md: found and applied where relevant.
Codex review notes: model internal, reasoning high; reviewed against 8b1242493774.
Label changes
Label justifications:
Evidence reviewed
Security concerns:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.
How this review workflow works
Review history (5 earlier review cycles)
|
1887b52 to 2afc239
|
@clawsweeper re-review
Maintainer update on
Local validation:
GitHub CI on the pushed head is green: Go, Apple VZ, Worker, Scripts, Docs, and Release Check all passed in https://github.com/openclaw/crabbox/actions/runs/28077485642.
Still not merging this yet: it remains gated by |
|
🦞🧹 I asked ClawSweeper to review this item again. |
2afc239 to 41ccc44
|
Rebased this PR onto current
New head:
Conflict resolution kept both AWS Lambda MicroVM and GitHub Codespaces in generated docs/source-map metadata.
Provider matrix now reports
Local validation on the rebased head:
Still not merging: live GitHub Codespaces create/status/run/ssh/release proof and auth/security/compatibility gates are still required. |
|
Public CI is green on rebased head
Green checks: Go, Apple VZ, Worker, Scripts, Docs, and Release Check.
Merge state is clean.
Still not merging: |
|
Maintainer proof update for
Changed:
Local validation at head
Still not claiming live provider proof from this machine because I do not have an authenticated Codespaces smoke repo/token here. The added path is meant to make that live proof one standard command once credentials are available.
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
Public CI is now green on current head
Green checks: Go, Apple VZ, Worker, Scripts, Docs, and Release Check.
Still not merging: authenticated GitHub Codespaces lifecycle proof remains missing, and |
|
@clawsweeper re-review
Updated the PR body with current-head validation evidence, full issue link, and the remaining authenticated live-proof gate. No code changes in this update.
Still not merging unless the live Codespaces proof labels clear and the auth/compat/security gates are satisfied. |
|
@clawsweeper re-review
Follow-up maintainer repair pushed in
What changed:
Local validation:
Local live-auth preflight with the current maintainer auth is credential-bound, as expected:
Public CI is green on
Still not merge-ready: this proves the local auth blocker and improves the proof harness, but it is not a live Codespaces create/run/ssh/release proof. The PR still needs redacted authenticated lifecycle proof and explicit auth/compat/security acceptance. |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review
Updated the PR body to current head
No code changes in this update.
Remaining gate is still redacted authenticated GitHub Codespaces lifecycle proof; my current GitHub token lacks the
5c493a4 to 4179455
3bee0c1 to 928f643
Add the discoverable github-codespaces provider foundation with typed config, provider flags, redaction-safe client and gh runner boundaries, and OpenSSH config parsing for the future SSH lease lifecycle. Keep live Codespaces lifecycle behavior intentionally deferred to the next plan while making doctor fail closed until readiness is implemented.
Add claim-backed acquire, resolve, list, release, touch, cleanup, and doctor behavior for GitHub Codespaces, including generated OpenSSH config targets and conservative delete safety checks. Release and cleanup mutations now require local ownership claims, refuse dirty or unpushed codespaces before delete, and keep retained lease labels/endpoints consistent across stop and wake flows. Verification: go test ./internal/providers/githubcodespaces; go test -race ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli
Document the direct GitHub Codespaces provider, add generated matrix metadata, and add a guarded live smoke with deterministic gating/redaction tests.
Align the GitHub Codespaces backend with the documented default cleanup policy, GitHub CLI token precedence, bounded provisioning waits, explicit generic work root handling, and the real gh SSH config Host alias shape.
Validate that the guarded GitHub Codespaces smoke lease is absent after cleanup without failing on unrelated retained claim-owned Codespaces leases.
Persist the effective Codespaces work root into lease labels and claims, and rewrite generated gh SSH proxy commands to honor the configured GitHub CLI path.
Keep GitHub Codespaces display names within the documented limit for long but valid Crabbox slugs while preserving the collision-resistant suffix. Also assert that create requests continue using the current geo field rather than the legacy location field.
Fall back to stopping and retaining a Codespace when default delete-on-release is unsafe because the remote worktree has uncommitted or unpushed changes. This avoids turning successful runs into failed cleanup while still clearing stale SSH endpoints.
Make the release-claim retention hook read the post-release claim state so dirty Codespaces that fall back from delete to stop are not orphaned by higher-level release finalizers.
Treat GitHub Codespaces 304 Not Modified start responses as successful no-ops so resolving retained Codespaces can continue polling the existing codespace.
Apply the generic --type machine override for the canonical provider and advertised Codespaces aliases so alias-based invocations do not silently provision the default machine size.
Treat GitHub Codespaces 304 Not Modified delete responses as successful no-ops so release and cleanup remain idempotent when GitHub reports no remote state change is needed.
Allow StatusOnly resolves with ReadyProbe to refresh and probe the SSH target so status --wait can observe readiness for healthy Codespaces leases.
Warmup keep semantics should keep a lease available after provisioning, not rewrite the later provider release action. Preserve the delete-on-release policy in stored Codespaces claims so default stop and cleanup paths delete claim-owned Codespaces unless configuration explicitly retains them.
Treat githubCodespaces.repo like the other Codespaces connection selectors when loading untrusted repository config. Repo-local config can no longer redirect creation to an arbitrary repository; operators can still select a repo through trusted config, environment, or explicit CLI flags.
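The trust rule described in the commit message above (repo-local config must not choose the target repository), as an added Go example that is not code from this PR or from Crabbox. The `Config`, `Layer` and `Merge` names, the treatment of a `gh` path as a second connection selector, and the sample values are all assumptions made for illustration.

```go
package main

import "fmt"

// Config carries illustrative githubCodespaces settings. Only Repo is named
// on the page; GHPath as a selector and WorkRoot are assumptions.
type Config struct {
	Repo     string // connection selector: where the Codespace is created
	GHPath   string // connection selector (assumed): gh binary to execute
	WorkRoot string // non-selector preference inside the Codespace
}

// Layer is one config source plus whether the operator controls it.
type Layer struct {
	Name    string
	Trusted bool
	Values  Config
}

// Merge applies layers in order, later layers winning. A connection selector
// set by an untrusted layer is dropped and reported instead of applied.
func Merge(layers []Layer) (Config, []string) {
	var out Config
	var rejected []string
	for _, l := range layers {
		apply := func(dst *string, val, key string, selector bool) {
			switch {
			case val == "":
			case selector && !l.Trusted:
				rejected = append(rejected, l.Name+":"+key)
			default:
				*dst = val
			}
		}
		apply(&out.Repo, l.Values.Repo, "repo", true)
		apply(&out.GHPath, l.Values.GHPath, "ghPath", true)
		apply(&out.WorkRoot, l.Values.WorkRoot, "workRoot", false)
	}
	return out, rejected
}

func main() {
	// Constructed sample: trusted user config first, then the checked-out repo's file.
	cfg, rejected := Merge([]Layer{
		{Name: "user-config", Trusted: true, Values: Config{Repo: "example-org/app"}},
		{Name: "repo-local", Trusted: false, Values: Config{Repo: "other-org/elsewhere", WorkRoot: "/workspaces/app"}},
	})
	fmt.Printf("repo=%s workRoot=%s rejected=%v\n", cfg.Repo, cfg.WorkRoot, rejected)
}
```

Returning the rejected keys lets the caller warn the operator that a repo-local value was ignored, so the override is not silently lost.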
928f643 to f8fb09a
Closes #348
Summary
Adds a direct GitHub Codespaces Linux SSH-lease provider with aliases codespaces and gh-codespaces.
gh authentication.
gh codespace ssh --config for normal Crabbox SSH, rsync, run, ssh, status, stop, and cleanup flows.
Verification
Exact candidate: 5f5c202ce2e00dac851f6c7c146eaa776b22e4ac
go test -race ./internal/providers/githubcodespaces -count=1
go vet ./...
go run golang.org/x/tools/cmd/deadcode@v0.45.0 -test ./... (no findings)
go test -race ./...
node --test scripts/live-github-codespaces-smoke.test.js scripts/live-smoke.test.js
bash -n scripts/live-smoke.sh scripts/live-github-codespaces-smoke.sh
node scripts/generate-provider-matrix.mjs --check
node scripts/check-provider-matrix.mjs
node scripts/check-command-docs.mjs
node scripts/check-docs-links.mjs
Generated provider matrix: 72 built-in providers (42 SSH lease, 28 delegated run, 2 service control).
Remaining merge gates
Do not merge yet.
codespace scope. Current local GitHub auth lacks that scope, so no billable Codespace canary was run.
Prepared live proof: