{"id":49498043,"url":"https://github.com/openclaw/crabbox","last_synced_at":"2026-05-29T03:00:58.737Z","repository":{"id":354885928,"uuid":"1225688424","full_name":"openclaw/crabbox","owner":"openclaw","description":"Crabbox: warm a box, sync the diff, run the suite.","archived":false,"fork":false,"pushed_at":"2026-05-24T06:10:45.000Z","size":4641,"stargazers_count":487,"open_issues_count":3,"forks_count":55,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-05-24T10:06:15.745Z","etag":null,"topics":["remote-test-runner"],"latest_commit_sha":null,"homepage":"http://crabbox.sh","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openclaw.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["moltbot"]}},"created_at":"2026-04-30T14:31:48.000Z","updated_at":"2026-05-24T08:17:55.000Z","dependencies_parsed_at":null,"dependency_job_id":"ec73766d-4666-4577-9de1-4fe0d851fa56","html_url":"https://github.com/openclaw/crabbox","commit_stats":null,"previous_names":["openclaw/crabbox"],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/openclaw/crabbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fcrabbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fcrabbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fcrabbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fcrabbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openclaw","download_url":"https://codeload.github.com/openclaw/crabbox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fcrabbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33634611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["remote-test-runner"],"created_at":"2026-05-01T11:00:23.431Z","updated_at":"2026-05-29T03:00:58.727Z","avatar_url":"https://github.com/openclaw.png","language":"Go","funding_links":["https://github.com/sponsors/moltbot"],"categories":["Go"],"sub_categories":[],"readme":"# 🦀 📦 Crabbox\n\n![Crabbox banner](docs/assets/readme-banner.jpg)\n\n[![CI](https://github.com/openclaw/crabbox/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/openclaw/crabbox/actions/workflows/ci.yml)\n[![Release](https://github.com/openclaw/crabbox/actions/workflows/release.yml/badge.svg)](https://github.com/openclaw/crabbox/actions/workflows/release.yml)\n[![Latest release](https://img.shields.io/github/v/release/openclaw/crabbox?sort=semver)](https://github.com/openclaw/crabbox/releases/latest)\n\n**Warm a box, sync the diff, run the suite.**\n\nCrabbox is a remote software testing and execution control plane for maintainers\nand AI agents. Lease fast managed cloud capacity, point at an existing SSH host,\nor use an agent sandbox provider — then sync your dirty checkout, run commands\nremotely, stream output, collect evidence, and release. Local edit-save-run\nloop, cloud-grade compute, agent-ready observability.\n\n```sh\ncrabbox run -- pnpm test\n```\n\nBehind that one command: a Go CLI on your laptop, a Cloudflare Worker broker\nthat owns provider credentials and lease state, and a managed or delegated\nrunner.\n\n## How it works\n\n```text\nyour laptop                Cloudflare Worker            cloud provider\n-------------              ------------------           --------------\ncrabbox CLI    -- HTTPS --\u003e Fleet Durable Object  --\u003e   Hetzner / AWS / Azure / GCP\n   |                         lease + cost state              |\n   |                                                         |\n   +------------ SSH + rsync to leased runner \u003c--------------+\n```\n\n- **CLI** — Go binary. Loads config, mints a per-lease SSH key, asks the broker\n  for a lease, waits for SSH, seeds remote Git, rsyncs the dirty checkout (with\n  a fingerprint skip when nothing changed), runs the command, streams output,\n  releases.\n- **Broker** — Cloudflare Worker plus a single Fleet Durable Object. Owns\n  provider credentials, serializes lease state, enforces active-lease and\n  monthly spend caps, and expires stale leases by alarm. Auth is GitHub browser\n  login or a shared bearer token.\n- **Runner** — a throwaway machine reachable over SSH on the primary port\n  (default `2222`) plus configured fallback ports, prepared with Crabbox's\n  sync/run prerequisites. Linux uses Ubuntu with cloud-init and `/work/crabbox`;\n  native Windows uses OpenSSH, Git for Windows, and `C:\\crabbox`. No broker\n  credentials live on the box. Project runtimes (Go, Node, Docker, services,\n  secrets) come from your repo's GitHub Actions hydration, devcontainer, Nix,\n  mise/asdf, or setup scripts — not from Crabbox.\n\nThe data plane — SSH, rsync, command execution — always runs directly from the\nCLI to the runner. The broker only manages leases, cost, and observability.\n\nOnly `aws`, `azure`, `gcp`, and `hetzner` can be brokered through the Worker,\nand even those run direct from the CLI when no broker URL is configured. Every\nother provider always runs direct. A direct-provider mode\n(`--provider hetzner|aws|azure|gcp|proxmox` with local credentials) exists for\ndebugging the broker itself or using private infrastructure.\n\nFor the full mental model, see [How Crabbox Works](docs/how-it-works.md). For\nthe doc-to-code map, see [Source Map](docs/source-map.md).\n\n## Install\n\n```sh\nbrew install openclaw/tap/crabbox\ncrabbox --version\n```\n\nNo Homebrew? Grab a [GoReleaser archive](https://github.com/openclaw/crabbox/releases)\nfor macOS, Linux, or Windows.\n\nLaptop prerequisites: `git`, `ssh`, `ssh-keygen`, `rsync`, `curl`.\n\n## Quick start\n\nBroker access is deployment-specific. Use a coordinator URL from your team, use\ndirect-provider mode for a personal cloud account, or self-host the Worker\nbroker with your own provider credentials and spend caps. See\n[Getting started](docs/getting-started.md#choosing-an-access-path) and\n[Infrastructure](docs/infrastructure.md#self-hosted-broker-minimum-setup) for the\nsetup paths.\n\n```sh\n# log in once per machine (stores a broker token in user config)\ncrabbox login --url https://broker.example.com\n\n# verify local prerequisites and broker reachability\ncrabbox doctor\n\n# one-shot: lease, sync, run, release\ncrabbox run -- pnpm test\n\n# named repo workflow from .crabbox.yaml\ncrabbox job run full-ci\n\n# or warm a box once, then reuse it\ncrabbox warmup                                       # prints cbx_... + a slug\ncrabbox run --id blue-lobster -- pnpm test:changed\ncrabbox ssh --id blue-lobster\ncrabbox stop blue-lobster\n```\n\nEvery lease has a stable `cbx_...` ID and a friendly crustacean slug\n(`blue-lobster`, `swift-hermit`, …). Either works wherever an `--id` is\naccepted. Use `--slug \u003cname\u003e` on fresh leases when a specific reusable slug\nhelps, and `--label \u003ctext\u003e` on `run` when the history entry needs a\nhuman-readable name.\n\n## Providers\n\n`Coordinator: brokered` providers can run through the Worker (or direct when no\nbroker is configured); every other provider always runs direct from the CLI.\nTargets: **L**inux, **M**acOS, **W**indows.\n\n### SSH-lease providers (provision or connect a box, full lifecycle)\n\n| Provider | `provider:` (aliases) | Targets | Coordinator | Notes |\n| --- | --- | --- | --- | --- |\n| [AWS EC2](docs/providers/aws.md) | `aws` | L / M / W | brokered | EC2 instances and EC2 Mac; native AMI/EBS checkpoints. |\n| [Azure](docs/providers/azure.md) | `azure` | L / W | brokered | VMs with Tailscale support; native Windows and WSL2. |\n| [Google Cloud](docs/providers/gcp.md) | `gcp` (`google`, `google-cloud`) | L | brokered | Linux Compute Engine VMs with Tailscale support. |\n| [Hetzner Cloud](docs/providers/hetzner.md) | `hetzner` | L | brokered | Linux VMs with desktop/browser/code and Tailscale. |\n| [Parallels](docs/providers/parallels.md) | `parallels` | L / M / W | direct | Local or remote macOS host; checkpoint/fork/restore/snapshot. |\n| [Proxmox](docs/providers/proxmox.md) | `proxmox` | L | direct | Clone Linux QEMU templates on a private Proxmox VE cluster. |\n| [Static SSH](docs/providers/ssh.md) | `ssh` (`static`, `static-ssh`) | L / M / W | direct | Existing machines; no provisioning. |\n| [Local Container](docs/providers/local-container.md) | `local-container` (`docker`, `container`, `local-docker`) | L | direct | Local Docker-compatible runtime (Docker Desktop, OrbStack, Colima). |\n| [exe.dev](docs/providers/exe-dev.md) | `exe-dev` (`exe`, `exedev`) | L | direct | exe.dev VMs exposed as public SSH leases. |\n| [Namespace Devbox](docs/providers/namespace-devbox.md) | `namespace-devbox` (`namespace`, `namespace-devboxes`) | L | direct | Namespace.so Devboxes over SSH. |\n| [Semaphore](docs/providers/semaphore.md) | `semaphore` (`sem`) | L | direct | A Semaphore CI job leased as a testbox. |\n| [Sprites](docs/providers/sprites.md) | `sprites` | L | direct | Sprites microVMs through `sprite proxy`. |\n| [Daytona](docs/providers/daytona.md) | `daytona` | L | direct | Daytona-managed dev sandbox over SSH. |\n| [RunPod](docs/providers/runpod.md) | `runpod` (`run-pod`, `runpodio`) | L | direct | RunPod GPU pods with public SSH. |\n\n### Delegated-run providers (sandbox/proof runners, no SSH lease)\n\n| Provider | `provider:` (aliases) | Targets | Notes |\n| --- | --- | --- | --- |\n| [Cloudflare](docs/providers/cloudflare.md) | `cloudflare` (`cf`) | L | Cloudflare Containers via the Worker runtime. |\n| [E2B](docs/providers/e2b.md) | `e2b` | L | E2B Firecracker sandbox. |\n| [Islo](docs/providers/islo.md) | `islo` | L | Islo sandbox. |\n| [Modal](docs/providers/modal.md) | `modal` | L | Modal Sandbox through the local Python client. |\n| [Railway](docs/providers/railway.md) | `railway` (`rail`, `railwayapp`) | L | Redeploy and stream an existing Railway service. |\n| [Tensorlake](docs/providers/tensorlake.md) | `tensorlake` (`tl`, `tensorlake-sbx`) | L | Tensorlake Firecracker sandbox via the Tensorlake CLI. |\n| [Upstash Box](docs/providers/upstash-box.md) | `upstash-box` (`upstash`, `box`, `upstashbox`) | L | Upstash Box through the Box REST API. |\n| [Azure Dynamic Sessions](docs/providers/azure-dynamic-sessions.md) | `azure-dynamic-sessions` | L | Azure Container Apps dynamic sessions. |\n| [Blacksmith Testbox](docs/providers/blacksmith-testbox.md) | `blacksmith-testbox` (`blacksmith`) | L | Delegated Blacksmith CI Testbox lifecycle and execution. |\n| [W\u0026B Sandboxes](docs/providers/wandb.md) | `wandb` (`weights-and-biases`) | L | Weights \u0026 Biases Sandboxes; reuses `wandb login` credentials. |\n\nSee [Providers](docs/providers/README.md) for the full reference, capabilities,\nand authoring guide.\n\n## Highlights\n\n- **One-shot or warm workspaces.** `crabbox run` for fire-and-forget;\n  `crabbox warmup` + `--id` for repeated runs against the same box. See\n  [warmup](docs/commands/warmup.md) and [run](docs/commands/run.md).\n- **Named repo jobs.** `crabbox job run \u003cname\u003e` lets repos define warmup,\n  optional Actions hydration, run command, and cleanup policy in `.crabbox.yaml`.\n  See [Jobs](docs/features/jobs.md).\n- **Local-first workspace sync.** No clean-checkout requirement. Tracked and\n  nonignored files only, fingerprint skip on no-op runs, sanity checks against\n  suspicious mass deletions, optional shallow base-ref hydration for\n  changed-test workflows. See [Sync](docs/features/sync.md).\n- **Run observability.** Every coordinator-backed run gets an early `run_...`\n  handle. Use `crabbox attach \u003crun-id\u003e` while it is active,\n  `crabbox events \u003crun-id\u003e` for durable lifecycle/output events, and\n  `crabbox logs \u003crun-id\u003e` for retained output after completion. See\n  [History and logs](docs/features/history-logs.md) and\n  [Observability](docs/observability.md).\n- **GitHub Actions hydration.** `crabbox actions hydrate` runs supported setup\n  steps from the repo's workflow locally over SSH, so leased boxes get the same\n  runtimes and tooling without GitHub write access. Use `--github-runner` only\n  when setup needs full Actions semantics such as repository secrets, OIDC,\n  service containers, or unsupported `uses:` steps. See\n  [Actions hydration](docs/features/actions-hydration.md).\n- **Failure capsules.** `crabbox capsule from-actions \u003crun-url\u003e` captures a\n  failing CI run into a portable, replayable bundle; `capsule replay` reruns it.\n  See [Capsules](docs/features/capsules.md).\n- **Checkpoints.** Save VM-or-workspace state and `restore`/`fork` from it, via\n  workspace archives or provider-native snapshots/images. See\n  [Checkpoints](docs/features/checkpoints.md).\n- **Pond peer groups.** Leases that share a `--pond \u003cname\u003e` label form an\n  emergent peer group with discovery (`pond peers`), an SSH-mesh of\n  `ssh -L` forwards to members' `--expose` ports (`pond connect`), and bulk\n  `pond release`. See [Pond](docs/features/pond.md).\n- **Brokered cloud with cost guardrails.** Maintainers and agents share infra\n  without sharing provider tokens. Hetzner, AWS, Azure, and Google Cloud are\n  the managed providers; per-lease and monthly spend caps reject over-budget\n  leases. Providers fall back across compatible instance families when capacity\n  or quota rejects a request. `crabbox usage` summarizes spend by user, org,\n  provider, and type. See [Coordinator](docs/features/coordinator.md),\n  [Capacity fallback](docs/features/capacity-fallback.md), and\n  [Cost and usage](docs/features/cost-usage.md).\n- **Interactive desktop, browser, and code leases.** `--browser` provisions\n  Chrome/Chromium for headless automation, `--desktop` provisions a visible UI\n  with tunnel-only VNC takeover, and `--code` provisions code-server on managed\n  Linux. `crabbox desktop click/paste/type/key` provide first-class input\n  helpers; `desktop proof` captures metadata, screenshot, diagnostics, MP4, and\n  a contact-sheet PNG in one publishable bundle. See\n  [Interactive desktop and VNC](docs/features/interactive-desktop-vnc.md).\n- **Authenticated web portal.** Browser login opens owner-scoped and shared\n  lease/run views with run logs/events, WebVNC, code-server, and telemetry\n  charts. `crabbox webvnc`/`crabbox code` bridge a lease into the portal;\n  `crabbox share` grants a lease to a user or the owning org. See\n  [Portal](docs/features/portal.md).\n- **Agent workspace evidence.** History, logs, events, telemetry, JUnit\n  summaries, screenshots, recordings, artifacts, and PR publishing make\n  autonomous work reviewable instead of only ephemeral terminal output. See\n  [Artifacts](docs/features/artifacts.md) and\n  [Telemetry](docs/features/telemetry.md).\n- **Stable timing records.** `--timing-json` on `run`, `warmup`, and\n  `actions hydrate` gives scripts one machine-readable sync/command/total\n  timing schema across providers.\n- **Hardened coordinator auth.** GitHub browser login, owner-scoped leases,\n  admin-only routes, optional GitHub team allowlists, Cloudflare Access JWT\n  verification, and service-token support keep normal use and operator\n  automation separate. See [Auth and admin](docs/features/auth-admin.md) and\n  [Security](docs/security.md).\n- **OpenClaw plugin.** The repo root is a native OpenClaw plugin for box\n  lifecycle operations. See [OpenClaw plugin](#openclaw-plugin) below and\n  [OpenClaw plugin](docs/features/openclaw-plugin.md).\n\n## Machine classes\n\n`beast` is the default for providers that expose class-based managed capacity.\nThe providers below fall back across ordered instance-type lists unless `--type`\npins a specific provider-native size.\n\n```text\nHetzner    standard  ccx33, cpx62, cx53\n           fast      ccx43, cpx62, cx53\n           large     ccx53, ccx43, cpx62, cx53\n           beast     ccx63, ccx53, ccx43, cpx62, cx53\n\nAWS Linux  standard  c7a/c7i/m7a/m7i.8xlarge family\n           fast      …16xlarge family\n           large     …24xlarge family\n           beast     …48xlarge family, falling back to 32x/24x/16x\n\nAWS Win    standard  m7i.large, m7a.large, t3.large\n           fast      m7i.xlarge, m7a.xlarge, t3.xlarge\n           large     m7i.2xlarge, m7a.2xlarge, t3.2xlarge\n           beast     m7i.4xlarge, m7a.4xlarge, m7i.2xlarge\n\nAWS WSL2   standard  m8i.large, m8i-flex.large, c8i.large, r8i.large\n           fast      m8i.xlarge, m8i-flex.xlarge, c8i.xlarge, r8i.xlarge\n           large     m8i.2xlarge, m8i-flex.2xlarge, c8i.2xlarge, r8i.2xlarge\n           beast     m8i.4xlarge, m8i-flex.4xlarge, c8i.4xlarge, r8i.4xlarge, m8i.2xlarge\n\nAWS macOS  all       mac2.metal, then mac1.metal unless --type is set\n\nAzure      standard  Standard_D32ads_v6, Standard_D32ds_v6, Standard_F32s_v2, then 16-vCPU fallbacks\n           fast      Standard_D64ads_v6, Standard_D64ds_v6, Standard_F64s_v2, then 48/32-vCPU fallbacks\n           large     Standard_D96ads_v6, Standard_D96ds_v6, then 64/48-vCPU fallbacks\n           beast     Standard_D192ds_v6, Standard_D128ds_v6, then 96/64-vCPU fallbacks\n\nAzure Win/\nWSL2       standard  Standard_D2ads_v6, Standard_D2ds_v6, Standard_D2ads_v5, Standard_D2ds_v5, Standard_D2as_v6\n           fast      Standard_D4ads_v6, Standard_D4ds_v6, Standard_D4ads_v5, Standard_D4ds_v5, Standard_D4as_v6\n           large     Standard_D8ads_v6, Standard_D8ds_v6, Standard_D8ads_v5, Standard_D8ds_v5, Standard_D8as_v6\n           beast     Standard_D16ads_v6, Standard_D16ds_v6, Standard_D16ads_v5, Standard_D16ds_v5, Standard_D8ads_v6\n\nNamespace  standard  S\n           fast      M\n           large     L\n           beast     XL\n\nCloudflare standard  standard-4\n           fast      standard-4\n           large     standard-4\n           beast     standard-4\n```\n\nOverride with `--type` or `CRABBOX_SERVER_TYPE` for a specific instance.\nCloudflare also accepts `lite`, `basic`, `standard-1`, `standard-2`, and\n`standard-3` as smaller explicit `--type` values; `standard-4` is the default.\nProviders without a row either use provider-native capacity settings or reject\nclass/type selection.\n\n## Configuration\n\nConfig resolves in order: flags → env → repo `.crabbox.yaml` → user\n`~/.config/crabbox/config.yaml` → defaults.\n\n```yaml\nbroker:\n  url: https://broker.example.com\n  provider: aws\n  token: ...\nclass: beast\ncapacity:\n  market: spot\n  strategy: most-available\n  fallback: on-demand-after-120s\n  hints: true\naws:\n  region: eu-west-1\n  rootGB: 400\nlease:\n  idleTimeout: 30m\n  ttl: 90m\nssh:\n  key: ~/.ssh/id_ed25519\n  user: crabbox\n  port: \"2222\"\n  # Ordered fallback ports tried after ssh.port; use [] to disable fallback.\n  fallbackPorts:\n    - \"22\"\n```\n\nForwarded environment is intentionally narrow: `NODE_OPTIONS` and `CI`. Do not\npass secrets as command-line arguments. For live-secret smoke tests, use\n`crabbox run --env-from-profile \u003cfile\u003e --allow-env NAME` so Crabbox forwards\nonly selected names and prints redacted presence/length metadata. For stale warm\nboxes, `--full-resync` (alias `--fresh-sync`) resets the remote workdir before\nsyncing. For larger commands, use `--script \u003cfile\u003e` or `--script-stdin` so the\nremote runner executes an uploaded file instead of a giant quoted shell string.\n\nFor binary or terminal-hostile output, use `crabbox run --capture-stdout \u003cpath\u003e`\nor `--capture-stderr \u003cpath\u003e`. Add `--preflight` for a remote capability\nsnapshot, `--keep-on-failure` to SSH into the exact failed one-shot lease, or\n`--download remote=local` to copy a successful-run artifact back. Failed\nSSH-backed and Blacksmith delegated runs save local `.crabbox/captures/*.tar.gz`\nbundles by default. Captured files are not redacted by Crabbox.\n\nOptional Tailscale reachability for managed Linux leases:\n\n```yaml\ntailscale:\n  enabled: true\n  network: auto\n  tags:\n    - tag:crabbox\n  hostnameTemplate: crabbox-{slug}\n  authKeyEnv: CRABBOX_TAILSCALE_AUTH_KEY\n  exitNode: mac-studio.example.ts.net\n  exitNodeAllowLanAccess: true\n```\n\nTailscale is a network plane, not a provider. `--tailscale` joins new managed\nLinux leases to the tailnet; `--network auto|tailscale|public` chooses how SSH\nand VNC tunnel commands resolve the host. Brokered mode uses Worker OAuth\nsecrets to mint one-off keys; direct-provider mode reads the auth key from the\nconfigured env var. See [Tailscale](docs/features/tailscale.md).\n\nA few provider-specific config snippets:\n\n```yaml\n# Static macOS or Windows target (existing machine, no provisioning)\nprovider: ssh\ntarget: windows\nwindows:\n  mode: normal # or wsl2\nstatic:\n  host: win-dev.local\n  user: alice\n  port: \"22\"\n  workRoot: C:\\crabbox\n```\n\n```yaml\n# Local container (alias: docker; works with OrbStack as the active context)\nprovider: local-container\nlocalContainer:\n  runtime: docker\n  image: debian:bookworm\n  workRoot: /work/crabbox\n```\n\n```yaml\n# Delegated Blacksmith CI Testbox\nprovider: blacksmith-testbox\nblacksmith:\n  org: example-org\n  workflow: .github/workflows/ci-check-testbox.yml\n  job: test\n  ref: main\n  idleTimeout: 90m\n```\n\nKeep provider tokens in environment variables, not repo config (for example\n`CRABBOX_SEMAPHORE_TOKEN`, `CRABBOX_SPRITES_TOKEN`, `RUNPOD_API_KEY`,\n`E2B_API_KEY`, `DAYTONA_API_KEY`). The full env-var reference, per-provider\nsections, and per-command flags are in [docs/cli.md](docs/cli.md),\n[Configuration](docs/features/configuration.md), and the\n[provider docs](docs/providers/README.md).\n\n## OpenClaw plugin\n\nThe repo root is a native OpenClaw plugin package. Once installed, it exposes\nCrabbox as agent tools:\n\n- `crabbox_run`, `crabbox_warmup`, `crabbox_status`, `crabbox_list`,\n  `crabbox_stop`\n\nThe plugin shells out to the configured `crabbox` binary with argv arrays, so\nlocal config, broker login, repo claims, and sync behavior stay owned by the\nCLI. Set `plugins.entries.crabbox.config.binary` if `crabbox` is not on `PATH`.\n\nDurable run inspection is intentionally CLI/skill-led instead of additional\nplugin tools: use `crabbox history`, `crabbox events --after --limit`,\n`crabbox attach`, `crabbox logs`, `crabbox results`, and `crabbox usage` from a\nshell-capable agent. See [OpenClaw plugin](docs/features/openclaw-plugin.md).\n\n## Development\n\n```sh\n# Go CLI\ngo build -trimpath -o bin/crabbox ./cmd/crabbox\ngo vet ./...\ngo test -race ./...\n\n# Cloudflare Worker (Node 22+ locally; CI runs Node 24)\nnpm ci --prefix worker\nnpm test --prefix worker\nnpm run build --prefix worker\n\n# Docs\nnpm run docs:check\n\n# Optional live smoke, when broker/provider credentials are available\nCRABBOX_LIVE=1 CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh\n```\n\nCI runs the full gate (gofmt, vet, race tests, all Go modules, coverage\nthreshold, docs link/build check, GoReleaser snapshot, and Worker\nlint/typecheck/tests/build) on every push and PR. Tagged pushes matching `v*`\npublish Go archives via GoReleaser and bump the Homebrew formula at\n[openclaw/homebrew-tap](https://github.com/openclaw/homebrew-tap).\n\nWorker deployment, required secrets, and DNS routing live in\n[docs/infrastructure.md](docs/infrastructure.md).\n\n## Docs\n\n- **Get the model:** [How Crabbox Works](docs/how-it-works.md), [Architecture](docs/architecture.md), [Concepts](docs/concepts.md), [Orchestrator](docs/orchestrator.md)\n- **Use the CLI:** [CLI](docs/cli.md), [Commands](docs/commands/README.md), [Features](docs/features/README.md), [Configuration](docs/features/configuration.md)\n- **Choose a provider:** [Providers](docs/providers/README.md), [AWS](docs/providers/aws.md), [Azure](docs/providers/azure.md), [GCP](docs/providers/gcp.md), [Hetzner](docs/providers/hetzner.md)\n- **Advanced features:** [Actions hydration](docs/features/actions-hydration.md), [Capsules](docs/features/capsules.md), [Checkpoints](docs/features/checkpoints.md), [Jobs](docs/features/jobs.md), [Pond](docs/features/pond.md)\n- **Interactive QA:** [Interactive Desktop and VNC](docs/features/interactive-desktop-vnc.md), [Artifacts](docs/features/artifacts.md), [Portal](docs/features/portal.md)\n- **Operate it:** [Operations](docs/operations.md), [Observability](docs/observability.md), [Troubleshooting](docs/troubleshooting.md), [Performance](docs/performance.md)\n- **Set it up or audit it:** [Infrastructure](docs/infrastructure.md), [Security](docs/security.md), [Getting Started](docs/getting-started.md), [Source Map](docs/source-map.md)\n- **Changes:** [CHANGELOG.md](CHANGELOG.md)\n\nThe GitHub Pages site at \u003chttps://openclaw.github.io/crabbox/\u003e is generated from\nthe `docs/` Markdown:\n\n```sh\nnpm run docs:check\nopen dist/docs-site/index.html\n```\n\n## License\n\nMIT — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenclaw%2Fcrabbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenclaw%2Fcrabbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenclaw%2Fcrabbox/lists"}