feat: add GitHub Codespaces provider

[coygeek]

Closes #348

Summary

Adds a direct GitHub Codespaces SSH lease provider with aliases codespaces and gh-codespaces.

• Creates claim-owned GitHub Codespaces via the GitHub REST API and gh authentication.
• Uses gh codespace ssh --config to drive normal Crabbox SSH, rsync, run, ssh, status, stop, and cleanup flows.
• Adds provider config/flags/env handling, docs, provider metadata, and guarded live-smoke coverage.
• Keeps release and cleanup conservative: local claim required, creating login must match, dirty Codespaces fall back to stop/retain, and repo-local config cannot redirect creation to an arbitrary repository.

Verification

• go test ./internal/providers/githubcodespaces ./internal/providers/codesandbox ./internal/providers/all ./internal/cli && go test -race ./internal/providers/githubcodespaces ./internal/providers/codesandbox ./internal/providers/all ./internal/cli
• node scripts/generate-provider-matrix.mjs --check && node scripts/live-github-codespaces-smoke.test.js && node scripts/live-codesandbox-smoke.test.js && node scripts/live-codesandbox-smoke-classify.test.js && bash scripts/check-docs.sh
• cd worker && npm run check && npm test (22 files, 600 tests)
• go vet ./... && go build -trimpath -o bin/crabbox ./cmd/crabbox
• CRABBOX_LIVE= CRABBOX_LIVE_PROVIDERS= CRABBOX_GITHUB_CODESPACES_SMOKE_REPO= scripts/live-github-codespaces-smoke.sh -> classification=environment_blocked reason=CRABBOX_LIVE_not_enabled
• bin/crabbox providers --json assertions for github-codespaces and codesandbox metadata

Live resource creation was not run in this environment because live-provider gates and credentials were intentionally unset. The guarded live-smoke script and its unit tests cover skip, credential, validation, cleanup, and redaction behavior.

Review Notes

Structured review found and the branch fixes:

• default warmup retention incorrectly overriding delete-on-release policy;
• untrusted repo-local config being able to redirect Codespaces creation.

A final Codex autoreview rerun was blocked by account usage quota, and alternate isolated engines were unavailable or failed before returning structured findings. The branch includes full local verification after the review fixes.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 14, 2026, 3:18 AM ET / 07:18 UTC.

Summary
The PR adds a direct GitHub Codespaces SSH lease provider, configuration and aliases, provider docs/metadata, and guarded live-smoke coverage.

Reproducibility: not applicable. this is a new provider feature rather than a bug report, and the PR body says live resource creation was not run.

Review metrics: 2 noteworthy metrics.

• Provider scope: 1 provider added, 2 aliases added. A new built-in provider changes user-facing provider selection and maintenance ownership.
• Diff size: 24 files, +4371/-4. The broad provider, docs, CLI, and smoke-test surface needs more than ordinary unit-test confidence before merge.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🦐 gold shrimp
Result: blocked until real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted terminal output or logs from a real github-codespaces lease create, Crabbox command run, status, and release/cleanup path.
• [P1] Fix or explain the failed Go CI job once logs are available.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body reports unit tests and guarded smoke behavior, but no after-fix live Codespaces resource creation or runtime proof was provided; add redacted terminal output/logs and update the PR body to trigger a fresh review, or ask a maintainer to comment @clawsweeper re-review if it does not rerun.

Risk before merge

• [P1] Live Codespaces creation was explicitly not run, so API, gh SSH config, quota/auth, and cleanup behavior are not proven in a real provider setup yet.
• [P1] The Go CI job is currently failed and its logs were not available during review because the workflow was still in progress.
• [P1] This provider creates/deletes remote billable resources and relies on local claims for ownership, so maintainer review should focus on cleanup safety before merge.

Maintainer options:

1. Require Live Provider Proof (recommended)
   Ask for redacted terminal output or logs showing a real github-codespaces lease acquire/run/status/release path before merge.
2. Accept Provider Risk
   Maintainers may intentionally merge without live creation proof, but they would own any first-user failure in GitHub auth, SSH config, or cleanup behavior.
3. Pause For Provider Direction
   If a first-party Codespaces provider is not yet desired as a built-in surface, pause this PR and keep the linked feature issue as the product discussion.

Next step before merge

• [P1] A new cloud/provider integration needs maintainer review, green Go validation, and contributor live-provider proof rather than an automated repair lane.

Security
Cleared: The diff keeps GitHub tokens out of Crabbox config and argv and did not add dependency or workflow supply-chain changes, but the remote-resource safety path still needs live proof.

Review details

Best possible solution:

Keep the PR open and land it only after the Go check is green or explained and redacted live-provider proof shows a real Codespaces lease can be created, used through Crabbox SSH/run flows, and safely released or retained.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a new provider feature rather than a bug report, and the PR body says live resource creation was not run.

Is this the best way to solve the issue?

Unclear: the implementation follows Crabbox's direct SSH-lease provider model, but a new billable remote provider should not merge without green Go validation and live Codespaces proof.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 1ee493e63bd3.

Label changes

Label changes:

• add P2: A new opt-in provider is a normal-priority feature with bounded but meaningful user-facing impact.
• add merge-risk: 🚨 compatibility: The PR adds new provider config/defaults and release behavior that existing Crabbox commands will route through when selected.
• add merge-risk: 🚨 auth-provider: The PR adds a new GitHub/gh authentication path and provider routing for Codespaces leases.
• add merge-risk: 🚨 security-boundary: The PR creates and deletes remote resources and must keep tokens out of argv/config while refusing unmanaged Codespaces.
• add rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦐 gold shrimp.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body reports unit tests and guarded smoke behavior, but no after-fix live Codespaces resource creation or runtime proof was provided; add redacted terminal output/logs and update the PR body to trigger a fresh review, or ask a maintainer to comment @clawsweeper re-review if it does not rerun.

Label justifications:

• P2: A new opt-in provider is a normal-priority feature with bounded but meaningful user-facing impact.
• merge-risk: 🚨 auth-provider: The PR adds a new GitHub/gh authentication path and provider routing for Codespaces leases.
• merge-risk: 🚨 security-boundary: The PR creates and deletes remote resources and must keep tokens out of argv/config while refusing unmanaged Codespaces.
• merge-risk: 🚨 compatibility: The PR adds new provider config/defaults and release behavior that existing Crabbox commands will route through when selected.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body reports unit tests and guarded smoke behavior, but no after-fix live Codespaces resource creation or runtime proof was provided; add redacted terminal output/logs and update the PR body to trigger a fresh review, or ask a maintainer to comment @clawsweeper re-review if it does not rerun.

Evidence reviewed

Acceptance criteria:

• [P1] go test ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli.
• [P1] go test -race ./internal/providers/githubcodespaces ./internal/providers/all ./internal/cli.
• [P1] node scripts/live-github-codespaces-smoke.test.js.
• [P1] scripts/live-github-codespaces-smoke.sh with redacted live-provider credentials.

What I checked:

• No implemented-on-main match: Current main imports existing providers but has no githubcodespaces provider import; the PR adds that import and the new provider package. (internal/providers/all/all.go:21, 1887b520abf0)
• Provider implementation exists on the PR branch: The PR branch adds the GitHub Codespaces backend lifecycle, including acquire, resolve, release, cleanup, doctor, and gh/API control-plane paths. (internal/providers/githubcodespaces/backend.go:69, 1887b520abf0)
• Real behavior proof missing: The PR body explicitly says live resource creation was not run because provider gates and credentials were unset; only guarded smoke and unit tests were reported. (1887b520abf0)
• CI still has a Go failure: GitHub reports the Go check failed while other visible checks passed and the release check remains pending; logs were not yet available because the overall run was still in progress. (1887b520abf0)
• Repository policy applied: AGENTS.md was read fully; its provider-neutral core and secret-handling guidance was relevant to this provider review. (AGENTS.md:1, 1ee493e63bd3)

Likely related people:

• coygeek: Authored the PR branch and recently added adjacent provider integrations on current main, including CodeSandbox and other provider work. (role: feature author and recent provider contributor; confidence: high; commits: 1887b520abf0, b55b1ab3c6f3, 460e241d1b71; files: internal/providers/githubcodespaces/backend.go, internal/cli/config.go, internal/providers/codesandbox)
• Peter Steinberger: Authored the current main hardening commit for the adjacent CodeSandbox live lifecycle and broad config/provider scaffolding this PR extends. (role: adjacent recent area contributor; confidence: medium; commits: 1ee493e63bd3, 9e208c80cd1a; files: internal/providers/codesandbox, internal/cli/config.go, internal/providers/all/all.go)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.