Skip to content

feat: add GitHub Codespaces provider#347

Open
coygeek wants to merge 25 commits into
openclaw:mainfrom
coygeek:feat/github-codespaces-provider
Open

feat: add GitHub Codespaces provider#347
coygeek wants to merge 25 commits into
openclaw:mainfrom
coygeek:feat/github-codespaces-provider

Conversation

@coygeek

@coygeek coygeek commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Closes #348

Summary

Adds a direct GitHub Codespaces Linux SSH-lease provider with aliases codespaces and gh-codespaces.

  • Creates claim-owned GitHub Codespaces through the GitHub REST API and local gh authentication.
  • Uses gh codespace ssh --config for normal Crabbox SSH, rsync, run, ssh, status, stop, and cleanup flows.
  • Keeps the provider direct-only; it does not route through the Crabbox coordinator.
  • Adds provider config/flags/env handling, generated metadata, docs, OpenSSH config parsing, lifecycle tests, and guarded live-smoke coverage.
  • Requires exact local claims and creating-login matches for destructive cleanup; dirty Codespaces stop and retain instead of deleting.
  • Uses bounded rollback cleanup, retains claims/config when deletion fails, and guards local cleanup against concurrent claim replacement.

Verification

Exact candidate: 5f5c202ce2e00dac851f6c7c146eaa776b22e4ac

  • go test -race ./internal/providers/githubcodespaces -count=1
  • go vet ./...
  • go run golang.org/x/tools/cmd/deadcode@v0.45.0 -test ./... (no findings)
  • go test -race ./...
  • node --test scripts/live-github-codespaces-smoke.test.js scripts/live-smoke.test.js
  • bash -n scripts/live-smoke.sh scripts/live-github-codespaces-smoke.sh
  • node scripts/generate-provider-matrix.mjs --check
  • node scripts/check-provider-matrix.mjs
  • node scripts/check-command-docs.mjs
  • node scripts/check-docs-links.mjs
  • focused AutoReview after rollback hardening and deadcode cleanup: clean
  • exact-head hosted CI: Apple VM, Docs, Go, Release Check, Scripts, Worker all green

Generated provider matrix: 72 built-in providers (42 SSH lease, 28 delegated run, 2 service control).

Remaining merge gates

Do not merge yet.

  1. Branch-wide security review found that a Codespace create POST can commit remotely but return a timeout or transport failure. Safe cleanup requires a durable pre-create recovery record and later reconciliation/cleanup semantics; a bounded in-memory name lookup is not enough. This cross-provider storage/lifecycle contract must be designed before landing.
  2. Authenticated live proof still requires a token with the GitHub codespace scope. Current local GitHub auth lacks that scope, so no billable Codespace canary was run.

Prepared live proof:

CRABBOX_LIVE=1 \
CRABBOX_LIVE_PROVIDERS=github-codespaces \
CRABBOX_GITHUB_CODESPACES_SMOKE_REPO=<owner/repo> \
GH_TOKEN=<token-with-codespace-scope> \
scripts/live-smoke.sh

@clawsweeper

clawsweeper Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs real behavior proof before merge. Reviewed July 5, 2026, 8:19 AM ET / 12:19 UTC.

Summary
Adds a direct GitHub Codespaces SSH-lease provider with config, docs, tests, live-smoke wiring, and worker GitHub OAuth/session membership changes.

Reproducibility: yes. for the review blockers from source inspection: the PR auth path accepts signed GitHub tokens without revalidation, and Codespace creation happens before durable recovery state. The successful live provider lifecycle itself has not been reproduced because credentialed proof is missing.

Review metrics: 3 noteworthy metrics.

  • Diff size: 44 files changed, +4929/-622. The branch is a large provider addition plus auth changes, so reviewers need to treat it as broader than a narrow provider registration.
  • Worker auth surface: 8 worker files changed or deleted. The PR changes OAuth/session enforcement in addition to Codespaces provider code.
  • Successful live lifecycle proof: 0 successful create/run/ssh/release runs shown. The available terminal evidence is credential-bound preflight output, not proof that the new provider works end to end.

Root-cause cluster
Relationship: fixed_by_candidate
Canonical: #348
Summary: The linked open issue is the canonical feature request; this PR is the current implementation candidate but remains blocked by auth, recovery, and proof gaps.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Restore or replace current-main GitHub membership/revocation revalidation for signed user sessions.
  • [P1] Add durable pre-create recovery/reconciliation for Codespaces before any billable remote create call.
  • Post redacted successful lifecycle proof for create/status/run/ssh/stop/delete, avoiding tokens, IPs, private endpoints, and other private details.

Proof guidance:

  • [P1] Needs stronger real behavior proof before merge: The PR has tests and credential-bound terminal preflight output, but no successful redacted authenticated Codespaces create/status/run/ssh/stop/delete proof for the exact head. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] Merging the worker auth diff would let existing GitHub user tokens remain valid after org/team removal or explicit revocation until token expiry.
  • [P1] A GitHub Codespaces create request can leave a billable remote Codespace behind if the POST commits remotely but the response is lost before Crabbox writes local recovery state.
  • [P1] The provider's successful create/status/run/ssh/stop/delete lifecycle remains unproven at the exact head with a token that has the GitHub codespace scope.
  • [P1] The branch mixes a new provider with worker OAuth/session behavior changes, so compatibility and security review cannot be limited to provider registration.

Maintainer options:

  1. Repair auth and recovery before merge (recommended)
    Restore current-main GitHub membership revalidation, add durable Codespaces pre-create recovery/reconciliation, then refresh live lifecycle proof.
  2. Narrow to provider-only changes
    Drop the worker auth/session rollback from this branch and let the Codespaces provider proceed only after its lifecycle storage risk is solved.
  3. Pause until lifecycle contract exists
    Close or park this landing candidate if maintainers want a shared remote-resource recovery design before adding another direct cloud provider.

Next step before merge

  • [P1] The remaining action is maintainer-owned security/lifecycle direction plus contributor live proof, not a narrow automated repair.

Maintainer decision needed

  • Question: Should this PR preserve the current GitHub session revalidation boundary and defer Codespaces creation until a durable pre-create recovery contract exists?
  • Rationale: The remaining blockers affect authorization and billable remote-resource cleanup semantics, which need maintainer-owned security and lifecycle direction before merge.
  • Likely owner: Peter Steinberger — Recent current-main history ties this owner to both GitHub membership revalidation and provider cleanup ownership hardening.
  • Options:
    • Fix before merge (recommended): Restore fail-closed GitHub membership/revocation checks, add durable pre-create Codespaces recovery, and require successful redacted lifecycle proof before landing.
    • Split the branch: Separate worker auth/session changes from the Codespaces provider so the provider can be reviewed after the existing auth boundary is left intact.
    • Pause provider landing: Keep the linked feature issue open and pause this PR until maintainers define the cross-provider recovery contract.

Security
Needs attention: The diff introduces concrete authorization and remote-resource cleanup risks that need to be fixed before merge.

Review findings

  • [P1] Restore GitHub membership revalidation — worker/src/auth.ts:97-105
  • [P1] Persist recovery state before creating Codespaces — internal/providers/githubcodespaces/backend.go:117-127
Review details

Best possible solution:

Land this only after preserving current worker membership fail-closed behavior, designing durable Codespaces recovery/reconciliation before remote create, and adding redacted successful lifecycle proof for the exact head.

Do we have a high-confidence way to reproduce the issue?

Yes for the review blockers from source inspection: the PR auth path accepts signed GitHub tokens without revalidation, and Codespace creation happens before durable recovery state. The successful live provider lifecycle itself has not been reproduced because credentialed proof is missing.

Is this the best way to solve the issue?

No. A Codespaces provider is a reasonable feature direction, but this branch is not the best landing path until it preserves the current auth boundary and records recoverable state before remote creation.

Full review comments:

  • [P1] Restore GitHub membership revalidation — worker/src/auth.ts:97-105
    The current branch returns an authorized GitHub context as soon as the signed user token verifies, and it no longer decrypts a GitHub credential or calls the current-main membership check. That lets a user who is removed from an allowed org/team or listed in CRABBOX_GITHUB_REVOKED_USERS keep using an existing session until expiry, so this needs the per-request fail-closed revalidation restored or replaced with an equivalent boundary.
    Confidence: 0.96
  • [P1] Persist recovery state before creating Codespaces — internal/providers/githubcodespaces/backend.go:117-127
    Acquire calls the GitHub create API before writing any durable local claim or recovery record. If GitHub creates the Codespace but the POST times out or the response is lost, Crabbox has no saved remote name or lease to reconcile/delete later, leaving a billable resource behind; record durable pre-create recovery state before the remote mutation and update it after the create returns.
    Confidence: 0.93

Overall correctness: patch is incorrect
Overall confidence: 0.93

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 8b1242493774.

Label changes

Label justifications:

  • P2: This is a significant optional provider feature with merge-blocking risks, but it is not an already-shipped user regression.
  • merge-risk: 🚨 auth-provider: The diff changes GitHub OAuth/session token behavior and would alter how existing GitHub user sessions are authorized.
  • merge-risk: 🚨 compatibility: The PR changes stored user-token schema and provider configuration behavior, so existing deployments and sessions need explicit upgrade safety.
  • merge-risk: 🚨 security-boundary: The diff removes current-main membership/revocation revalidation and adds remote resource deletion semantics for billable Codespaces.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR has tests and credential-bound terminal preflight output, but no successful redacted authenticated Codespaces create/status/run/ssh/stop/delete proof for the exact head. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
Evidence reviewed

Security concerns:

  • [high] GitHub sessions no longer fail closed after membership changes — worker/src/auth.ts:97
    Existing user tokens would be accepted without current org/team/revocation revalidation, weakening the coordinator authorization boundary.
    Confidence: 0.96
  • [medium] Codespace creation lacks durable recovery before mutation — internal/providers/githubcodespaces/backend.go:117
    A lost create response can leave a billable Codespace without a durable Crabbox claim or recovery record for later cleanup.
    Confidence: 0.91

What I checked:

  • Current main does not already include the provider: Searching the current main tree for github-codespaces/githubcodespaces paths returned no matches, so the central provider work is not implemented on main or the latest release line. (8b1242493774)
  • Broad PR surface: The local diff against current main changes 44 files with 4929 insertions and 622 deletions, including the new provider plus worker auth/session files. (5f5c202ce2e0)
  • Worker token auth now accepts signed GitHub sessions without membership revalidation: At the PR head, authenticateRequest returns an authorized GitHub auth context immediately after token signature verification. (worker/src/auth.ts:97, 5f5c202ce2e0)
  • Current main revalidates GitHub membership on each user-token auth path: Current main decrypts the stored GitHub credential and calls requireCurrentGitHubMembership before accepting the user token. (worker/src/auth.ts:114, 8b1242493774)
  • Codespace create precedes durable local recovery state: Acquire calls createCodespace before claimLeaseTargetForRepoConfig writes a local claim, leaving no durable record if the create POST commits remotely but returns a timeout or transport error. (internal/providers/githubcodespaces/backend.go:117, 5f5c202ce2e0)
  • Rollback test covers post-claim failure, not lost create response: The rollback-retention test starts from a created codespace that can be named and claimed before rollback; it does not prove recovery when create succeeds remotely but the response is lost before the local claim exists. (internal/providers/githubcodespaces/backend_test.go:100, 5f5c202ce2e0)

Likely related people:

  • Peter Steinberger: Git history shows recent current-main work adding GitHub membership revalidation and provider cleanup ownership hardening. (role: recent auth and provider-safety contributor; confidence: high; commits: 8b1242493774, 574e917a6e3c, b62586c99afb; files: worker/src/auth.ts, worker/src/github-membership.ts, internal/providers/aws/backend.go)
  • Vincent Koc: Git history shows recent GCP release-ownership hardening, and PR comments document current proof and risk gates for this Codespaces branch. (role: recent provider lifecycle contributor and reviewer; confidence: medium; commits: af9bfc2f61e6, dc792eedd58d, b9eaa73e8bfb; files: internal/providers/gcp/backend.go, internal/providers/gcp/backend_doctor_test.go, internal/providers/githubcodespaces/core.go)
  • Coy Geek: Git history shows prior merged work on Coder and Firecracker provider lifecycle safety, making this person relevant beyond merely authoring this PR. (role: adjacent provider lifecycle contributor; confidence: medium; commits: 1b5e52ddaf66, 16744f30c9f4, badcc156e51e; files: internal/providers/coder, internal/providers/firecracker)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (5 earlier review cycles)
  • reviewed 2026-07-03T22:50:45.328Z sha 928f643 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-05T11:52:52.592Z sha f8fb09a :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-05T11:57:41.411Z sha f8fb09a :: needs real behavior proof before merge. :: [P1] Persist recovery state before creating Codespaces
  • reviewed 2026-07-05T12:04:46.449Z sha 5f5c202 :: needs real behavior proof before merge. :: [P1] Persist recovery state before creating Codespaces
  • reviewed 2026-07-05T12:12:54.759Z sha 5f5c202 :: needs real behavior proof before merge. :: [P1] Restore GitHub membership revalidation | [P1] Persist recovery state before creating Codespaces

@coygeek coygeek marked this pull request as ready for review June 14, 2026 07:10
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jun 14, 2026
@vincentkoc vincentkoc force-pushed the feat/github-codespaces-provider branch from 1887b52 to 2afc239 Compare June 24, 2026 05:32
@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Maintainer update on 2afc239e021e093fd021e2b09657d7831e7cb0ba:

  • rebased the GitHub Codespaces provider branch onto current main
  • fixed the CI Go/deadcode failure by removing unreachable helper wrappers from internal/providers/githubcodespaces/core.go
  • regenerated the provider category matrix so the generated docs check stays in sync

Local validation:

go run golang.org/x/tools/cmd/deadcode@v0.45.0 -test ./...
go test ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli ./cmd/crabbox
node scripts/live-github-codespaces-smoke.test.js
node scripts/generate-provider-matrix.mjs --check
node scripts/check-command-docs.mjs
node scripts/check-docs-links.mjs
go vet ./...
go build -trimpath -o bin/crabbox ./cmd/crabbox

GitHub CI on the pushed head is green: Go, Apple VZ, Worker, Scripts, Docs, and Release Check all passed in https://github.com/openclaw/crabbox/actions/runs/28077485642.

Still not merging this yet: it remains gated by status: 📣 needs proof, merge-risk: 🚨 auth-provider, merge-risk: 🚨 compatibility, and merge-risk: 🚨 security-boundary. I do not have live GitHub Codespaces provider credentials/quota proof here, so this still needs real live create/status/run/ssh/release evidence before merge readiness.

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@vincentkoc vincentkoc force-pushed the feat/github-codespaces-provider branch from 2afc239 to 41ccc44 Compare June 24, 2026 08:58
@vincentkoc

Copy link
Copy Markdown
Member

Rebased this PR onto current main after #674 landed.

New head: 41ccc44ed02061a53eb20a55a848ed18aa91f352

Conflict resolution kept both AWS Lambda MicroVM and GitHub Codespaces in generated docs/source-map metadata. Provider matrix now reports 67 providers.

Local validation on the rebased head:

go test ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli ./cmd/crabbox
node --test scripts/live-github-codespaces-smoke.test.js
node scripts/generate-provider-matrix.mjs --check
node scripts/check-command-docs.mjs
node scripts/check-docs-links.mjs
go vet ./...
go run golang.org/x/tools/cmd/deadcode@v0.45.0 -test ./...
go build -trimpath -o bin/crabbox ./cmd/crabbox
git diff --check

Still not merging: live GitHub Codespaces create/status/run/ssh/release proof and auth/security/compatibility gates are still required.

@vincentkoc

Copy link
Copy Markdown
Member

Public CI is green on rebased head 41ccc44ed02061a53eb20a55a848ed18aa91f352: https://github.com/openclaw/crabbox/actions/runs/28087205563

Green checks: Go, Apple VZ, Worker, Scripts, Docs, and Release Check. Merge state is clean.

Still not merging: status: 📣 needs proof plus auth-provider/compatibility/security-boundary labels remain, and this still needs redacted live GitHub Codespaces create/status/run/ssh/release proof.

@vincentkoc

Copy link
Copy Markdown
Member

Maintainer proof update for github-codespaces shared live-smoke wiring.

Changed:

  • wired CRABBOX_LIVE_PROVIDERS=github-codespaces|codespaces|gh-codespaces through scripts/live-smoke.sh to the guarded standalone Codespaces smoke
  • added shared dispatch regression coverage that proves the shared smoke exits before provider mutation when the smoke repo is missing
  • documented the shared operations entry point and provider prerequisites

Local validation at head 2eb4f8af:

  • bash -n scripts/live-smoke.sh scripts/live-github-codespaces-smoke.sh
  • node --test scripts/live-smoke.test.js scripts/live-github-codespaces-smoke.test.js
  • go test ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli ./cmd/crabbox
  • node scripts/check-docs-links.mjs
  • node scripts/check-command-docs.mjs
  • git diff --check

Still not claiming live provider proof from this machine because I do not have an authenticated Codespaces smoke repo/token here. The added path is meant to make that live proof one standard command once credentials are available.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@vincentkoc

Copy link
Copy Markdown
Member

Public CI is now green on current head 2eb4f8afe67f3072bea093d085795641290acc9c: https://github.com/openclaw/crabbox/actions/runs/28098639697.

Green checks: Go, Apple VZ, Worker, Scripts, Docs, and Release Check.

Still not merging: authenticated GitHub Codespaces lifecycle proof remains missing, and status: 📣 needs proof plus auth/compat/security risk labels remain.

@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Updated the PR body with current-head validation evidence, full issue link, and the remaining authenticated live-proof gate. No code changes in this update.

Still not merging unless the live Codespaces proof labels clear and the auth/compat/security gates are satisfied.

@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Follow-up maintainer repair pushed in a96ae6283bac22de7fce0f091fe7035d9cf32a7f.

What changed:

  • GitHub API 401/403 errors now explicitly call out the required codespace scope and the gh auth refresh -h github.com -s codespace fix.
  • scripts/live-github-codespaces-smoke.sh now runs gh codespace list --limit 1 as a non-mutating scope preflight after gh auth status.
  • Missing scope exits as classification=credential_bound ... reason=github_codespaces_scope_missing before any provider mutation.
  • Docs and tests cover the new preflight.

Local validation:

  • go test ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli ./cmd/crabbox
  • node --test scripts/live-github-codespaces-smoke.test.js scripts/live-smoke.test.js
  • bash -n scripts/live-smoke.sh scripts/live-github-codespaces-smoke.sh
  • node scripts/check-docs-links.mjs
  • node scripts/check-command-docs.mjs
  • go vet ./...
  • go build -trimpath -o bin/crabbox ./cmd/crabbox
  • git diff --check

Local live-auth preflight with the current maintainer auth is credential-bound, as expected:

classification=credential_bound command=gh\ codespace\ list\ --limit\ 1 exit=1 reason=github_codespaces_scope_missing
error getting codespaces: HTTP 403: Must have admin rights to Repository. (https://api.github.com/user/codespaces?per_page=1)
This API operation needs the "codespace" scope. To request it, run:  gh auth refresh -h github.com -s codespace

crabbox doctor --provider github-codespaces --github-codespaces-repo openclaw/crabbox now surfaces the same actionable scope hint.

Public CI is green on a96ae6283bac22de7fce0f091fe7035d9cf32a7f: https://github.com/openclaw/crabbox/actions/runs/28107119948. Green checks: Go, Apple VZ, Worker, Scripts, Docs, and Release Check.

Still not merge-ready: this proves the local auth blocker and improves the proof harness, but it is not a live Codespaces create/run/ssh/release proof. The PR still needs redacted authenticated lifecycle proof and explicit auth/compat/security acceptance.

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@vincentkoc

Copy link
Copy Markdown
Member

@clawsweeper re-review

Updated the PR body to current head a96ae6283bac22de7fce0f091fe7035d9cf32a7f and current green public CI: https://github.com/openclaw/crabbox/actions/runs/28107119948

No code changes in this update. Remaining gate is still redacted authenticated GitHub Codespaces lifecycle proof; my current GitHub token lacks the codespace scope, so I cannot produce that live proof non-interactively from here.

@steipete steipete force-pushed the feat/github-codespaces-provider branch 2 times, most recently from 5c493a4 to 4179455 Compare July 2, 2026 19:12
@vincentkoc vincentkoc force-pushed the feat/github-codespaces-provider branch from 3bee0c1 to 928f643 Compare July 3, 2026 22:24
coygeek added 5 commits July 5, 2026 04:31
Add the discoverable github-codespaces provider foundation with typed config, provider flags, redaction-safe client and gh runner boundaries, and OpenSSH config parsing for the future SSH lease lifecycle.

Keep live Codespaces lifecycle behavior intentionally deferred to the next plan while making doctor fail closed until readiness is implemented.
Add claim-backed acquire, resolve, list, release, touch, cleanup, and doctor behavior for GitHub Codespaces, including generated OpenSSH config targets and conservative delete safety checks.

Release and cleanup mutations now require local ownership claims, refuse dirty or unpushed codespaces before delete, and keep retained lease labels/endpoints consistent across stop and wake flows.

Verification: go test ./internal/providers/githubcodespaces; go test -race ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli
Document the direct GitHub Codespaces provider, add generated matrix metadata, and add a guarded live smoke with deterministic gating/redaction tests.
Align the GitHub Codespaces backend with the documented default cleanup policy, GitHub CLI token precedence, bounded provisioning waits, explicit generic work root handling, and the real gh SSH config Host alias shape.
Validate that the guarded GitHub Codespaces smoke lease is absent after cleanup without failing on unrelated retained claim-owned Codespaces leases.
coygeek and others added 19 commits July 5, 2026 04:32
Persist the effective Codespaces work root into lease labels and claims, and rewrite generated gh SSH proxy commands to honor the configured GitHub CLI path.
Keep GitHub Codespaces display names within the documented limit for long but valid Crabbox slugs while preserving the collision-resistant suffix. Also assert that create requests continue using the current geo field rather than the legacy location field.
Fall back to stopping and retaining a Codespace when default delete-on-release is unsafe because the remote worktree has uncommitted or unpushed changes. This avoids turning successful runs into failed cleanup while still clearing stale SSH endpoints.
Make the release-claim retention hook read the post-release claim state so dirty Codespaces that fall back from delete to stop are not orphaned by higher-level release finalizers.
Treat GitHub Codespaces 304 Not Modified start responses as successful no-ops so resolving retained Codespaces can continue polling the existing codespace.
Apply the generic --type machine override for the canonical provider and advertised Codespaces aliases so alias-based invocations do not silently provision the default machine size.
Treat GitHub Codespaces 304 Not Modified delete responses as successful no-ops so release and cleanup remain idempotent when GitHub reports no remote state change is needed.
Allow StatusOnly resolves with ReadyProbe to refresh and probe the SSH target so status --wait can observe readiness for healthy Codespaces leases.
Warmup keep semantics should keep a lease available after provisioning, not rewrite the later provider release action. Preserve the delete-on-release policy in stored Codespaces claims so default stop and cleanup paths delete claim-owned Codespaces unless configuration explicitly retains them.
Treat githubCodespaces.repo like the other Codespaces connection selectors when loading untrusted repository config. Repo-local config can no longer redirect creation to an arbitrary repository; operators can still select a repo through trusted config, environment, or explicit CLI flags.
@steipete steipete force-pushed the feat/github-codespaces-provider branch from 928f643 to f8fb09a Compare July 5, 2026 11:48
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jul 5, 2026
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add GitHub Codespaces as a Crabbox Linux provider

3 participants