feat: add crew bridge plane for delegated and cross-provider peers

[zozo123]

Depends on #129 — merge that first. The diff here currently includes the crew foundation commit plus the bridge commit; once #129 lands and this branch is rebased, only the bridge commit will remain. Marked as DRAFT until #129 merges.

TL;DR

PR #129 introduced crews and the Tailscale plane for managed-Linux providers. This PR makes crabbox crew peers --crew <name> return one row per crew member regardless of provider, with a transport hint and a canonical endpoint. The result: a single command lists tailnet peers, URL peers, SSH peers, and even providers that own their own connectivity, with a documented reachability matrix that is honest about the asymmetric pairs.

Cross-provider unified peer view

crabbox crew peers --crew <name> --json returns the documented { "members": [...] } shape:

{
  "members": [
    { "slug": "web",  "provider": "hetzner",    "transport": "tailnet", "endpoint": "100.64.1.3",                  "labels": {"role": "web"} },
    { "slug": "api",  "provider": "islo",       "transport": "url",     "endpoint": "https://abc.share.islo.dev",  "labels": {"role": "api"} },
    { "slug": "db",   "provider": "runpod",     "transport": "ssh",     "endpoint": "ssh://1.2.3.4:22",            "labels": {"role": "db"} },
    { "slug": "what", "provider": "blacksmith", "transport": "none",    "endpoint": "",                            "labels": {"role": "isolated"}, "note": "blacksmith owns connectivity" }
  ]
}

Transport	Producers	Endpoint
tailnet	AWS / Azure / GCP / Hetzner / Proxmox / Static SSH	tailnet IPv4 (or FQDN)
url	Islo / E2B / Railway (supported); Modal / Cloudflare / Tensorlake (BridgeState=unsupported)	per-sandbox HTTPS URL
ssh	exe.dev / RunPod / Daytona / Sprites / Namespace / Semaphore	ssh://<host>:<port>
pending	tailnet- or SSH-capable provider whose lease record has no endpoint yet	empty (note explains why)
none	Blacksmith; any provider without a bridge adapter	empty (note explains why)

The resolver does not invoke a provider API for tailnet or SSH peers — it reads the endpoint straight off the local claim sidecar (new optional fields tailscaleIPv4, tailscaleFQDN, sshHost, sshPort, bridgeURL, labels). When those fields are empty for a managed-Linux or SSH-lease provider, the peer surfaces as transport=pending with an honest note rather than pretending the endpoint exists.

For URL peers the per-provider BridgeProvider adapter from #136's original commit is still invoked when no canonical endpoint is recorded yet, preserving the islo live-demo behavior and the BridgeState=unsupported signal that Modal/Cloudflare/Tensorlake emit today.

Doctor reachability matrix

crabbox doctor --crew <name> keeps the existing Tailscale ACL row check from #129 and, in the same invocation, prints the per-transport reachability matrix derived from the unified peer list:

crew "alpha": 4 members
  transport breakdown: none=1 ssh=1 tailnet=1 url=1
  reachability:
    tailnet -> tailnet : OK
    tailnet -> url     : OK (via outbound HTTPS)
    tailnet -> ssh     : WARN (requires operator-side bridge — see SSH-mesh DRAFT PR)
    tailnet -> none    : NO (destination has no published endpoint)
    url     -> tailnet : NO (no public endpoint on tailnet members)
    url     -> url     : OK
    url     -> ssh     : WARN (requires operator-side bridge)
    url     -> none    : NO (destination has no published endpoint)
    ssh     -> tailnet : WARN (requires operator-side bridge)
    ssh     -> url     : OK (via outbound HTTPS)
    ssh     -> ssh     : WARN (requires operator-side bridge — peers do not share a mesh)
    ssh     -> none    : NO (destination has no published endpoint)
    none    -> *       : NO (source provider owns its own connectivity)

The matrix is intentionally asymmetric: tailnet -> url works (outbound HTTPS), url -> tailnet does not (no public endpoint on tailnet peers), and SSH pairs are flagged WARN because Crabbox does not currently mesh SSH leases — operator-side bridging is required (see #137 for the SSH-mesh DRAFT).

Provider coverage matrix

Provider	Transport	Live in this PR	Notes
AWS / Azure / GCP / Hetzner / Proxmox / Static SSH	tailnet	yes	Endpoint = tailnet IPv4 from the lease record; empty surfaces as pending.
exe.dev / RunPod / Daytona / Sprites / Namespace / Semaphore	ssh	yes	Endpoint = ssh://host:port; empty surfaces as pending.
Islo	url	yes	Live-validated. islo share API, idempotent.
E2B	url	yes	Synthesised https://<port>-<sandboxID>.<domain>.
Railway	url	yes	Existing deployment URL on LatestDeployment. One URL per service.
Modal / Cloudflare / Tensorlake	url	unsupported	Adapters return BridgeState=unsupported so the gap is visible instead of silent.
Blacksmith	none	yes	note: "blacksmith owns connectivity".

Tested

• go test -race ./... — all packages green (39s for internal/cli).
• New tests in internal/cli/crew_bridge_test.go:
  • TestCrewPeersIncludesManagedLinuxWithTailnetTransport
  • TestCrewPeersIncludesSSHLeaseWithSSHTransport
  • TestCrewPeersHandlesPendingTailscaleIP
  • TestCrewPeersHandlesBlacksmithAsNone
  • TestDoctorCrewReachabilityMatrixAsymmetric
  • TestRenderCrewReachabilityMatrixIncludesAsymmetricNotes
• Pre-existing islo / E2B / Railway / Modal / Cloudflare / Tensorlake adapter tests, plus the existing fan-out test, all unchanged and passing.
• Smoke-tested the rendered output by seeding XDG_STATE_HOME/crabbox/claims/*.json for four providers (hetzner, islo, runpod, blacksmith) and confirming the JSON matches the documented shape and the doctor matrix matches the table above.

Live islo evidence from PR #136's first commit (still valid after this refactor): live-validated against two real islo.dev sandboxes. From the client sandbox, dialing the web peer's published share URL via urllib.request.urlopen returned HTTP 200 with the expected Python http.server body. Both sandboxes cleaned up. No new live tests were run for this amend — the resolver path for managed-Linux and SSH-lease peers is exercised by the unit suite against mocked claim sidecars; the URL-transport path is unchanged from the previously live-validated islo run.

Why not Tailscale-here for delegated providers

Delegated providers don't expose a VM Crabbox can install tailscaled on. The Tailscale plane stays the right answer for managed Linux providers; the bridge plane is the narrow HTTP-only primitive that delegated providers can actually provide.

Honest scope

• URL-transport peers are HTTP/HTTPS only, one target per port, no DNS aliasing. Non-HTTP protocols (Postgres, raw TCP, SSH on a custom port) are not in scope for that plane.
• SSH-transport peers are not meshed today. crabbox crew peers reports the SSH endpoint honestly so callers can dial it directly; the matrix flags SSH pairs as WARN. See feat: crew SSH-mesh (DRAFT, stacked on #129) #137 for the operator-orchestrated SSH-mesh alternative.
• Providers without a per-sandbox HTTPS ingress (Modal, Cloudflare, Tensorlake) are honestly reported as BridgeState=unsupported instead of silently emitting empty peer rows.
• Tailnet endpoints are read from the local claim sidecar. The new tailscaleIPv4 / tailscaleFQDN / sshHost / sshPort / bridgeURL / labels fields are optional and additive — existing claim sidecars without them surface as pending (with note) for managed-Linux and SSH-lease providers, which is the same as the previous behavior of "no peer row at all" but more visible.

Follow-ups

• Wire managed-Linux and SSH-lease provisioners to populate the new claim-sidecar endpoint fields at lease creation so transport=pending shrinks to "never" for normal usage.
• Modal tunnel surfacing on the lease record (would flip Modal from unsupported to supported without touching this PR).
• A crabbox doctor crew --bridge flag that also runs ProbeBridgePeers against the URL-transport peers.
• Optional <slug>.cbx alias rewriting once peer URLs are stable enough for clients to assume DNS.
• See DRAFT feat: crew SSH-mesh (DRAFT, stacked on #129) #137 for the operator-orchestrated SSH-mesh alternative.

Note on base

This branch is rooted on main and lands the bridge plane on top of the crew foundation introduced by #129. Until #129 lands, the PR shows two commits: the rebased crew commit (identical to #129's tip) and the bridge commit. Once #129 merges, this PR can be rebased and only the bridge commit will remain.

Related

• feat: introduce pond (peer discovery + bridge + ssh-mesh) #129 — crew foundation (this PR builds on it; merge that first).
• feat: crew SSH-mesh (DRAFT, stacked on #129) #137 — DRAFT SSH-mesh alternative for SSH-only providers (also stacked on feat: introduce pond (peer discovery + bridge + ssh-mesh) #129).
• feat(wandb): native gRPC sandbox provider #132 — wandb provider (independent; no crew interaction).
• feat: add runpod provider #133 — runpod (merged; independent).

[clawsweeper]

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This draft PR adds crew peer discovery, bridge-provider adapters, claim metadata fields, Tailscale crew ACL/bootstrap logic, doctor reachability output, and docs/tests for cross-provider crew peers.

Reproducibility: not applicable. as an issue reproduction because this is a new feature PR. For the review findings, source inspection gives a high-confidence path: the resolver filters claim.Crew, while most provider claim writers do not populate it.

PR rating
Overall: 🧂 unranked krab
Proof: 🦪 silver shellfish
Patch quality: 🧂 unranked krab
Summary: The idea has useful validation signal, but the current draft is stale against main and has blocking source-of-truth defects in the core peer listing path.

Rank-up moves:

• Rebase after feat: introduce pond (peer discovery + bridge + ssh-mesh) #129 lands and verify the diff no longer removes current main provider files or docs.
• Persist or resolve crew and endpoint metadata for every advertised provider class, then add regression coverage using real claim writers rather than only seeded claims.
• Add redacted terminal output or logs showing final crabbox crew peers --crew ... --json and crabbox doctor --crew ... behavior after the amend.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs stronger real behavior proof before merge: The body includes useful islo live context, but it does not show final after-amend cross-provider crew peers and doctor behavior; add redacted terminal output, logs, or screenshots, and updating the PR body should trigger a fresh review or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• The branch is merge-dirty and stale against current main; applying the current head would remove current local-container/parallels provider files and stale parts of provider help.
• crew peers uses local claim sidecars as the source of truth, but most advertised provider paths do not persist crew and endpoint fields into those sidecars, so cross-provider peers can be missing or stuck pending.
• The feature intentionally edits Tailscale policy rows and can publish public provider HTTPS share URLs, so maintainers should explicitly accept the security boundary and operator UX before merge.
• The PR body includes useful islo live context, but it does not show final after-amend cross-provider crew peers and doctor output from a real setup.

Maintainer options:

1. Rebase, then repair peer metadata (recommended)
   After the crew foundation lands, rebase on current main and make every advertised provider either persist crew/endpoints into claims or resolve them from provider labels/status with focused tests.
2. Keep as draft until the foundation settles
   Maintainers can leave this open as design work while feat: introduce pond (peer discovery + bridge + ssh-mesh) #129 is reviewed, but it should not merge from the current head.
3. Approve the boundary explicitly
   If maintainers want automatic tailnet ACL edits and public bridge URL publishing, document that acceptance and the operator-visible guardrails before merge.

Next step before merge
This needs maintainer review rather than an automated repair because it is a draft stacked on an open foundation PR, lacks sufficient final real-behavior proof, and includes security-boundary/product choices.

Security
Cleared: No direct secret leakage or supply-chain regression was found, but the ACL-editing and public-share behavior is security-sensitive and should be an explicit maintainer acceptance point.

Review findings

• [P1] Persist crew metadata before filtering peer claims — internal/cli/crew_bridge.go:416-420
• [P1] Rebase before dropping current provider support — internal/cli/provider_backend.go:386-390

Review details

Best possible solution:

Land or otherwise settle the crew foundation first, rebase this branch on current main, then make the bridge resolver’s source of truth match every advertised provider class before merging the bridge plane.

Do we have a high-confidence way to reproduce the issue?

Not applicable as an issue reproduction because this is a new feature PR. For the review findings, source inspection gives a high-confidence path: the resolver filters claim.Crew, while most provider claim writers do not populate it.

Is this the best way to solve the issue?

No, not as currently proposed. The unified peer view should either persist crew and endpoint metadata for every advertised provider at claim time or resolve from provider-owned labels/status, and the stale stacked branch needs a rebase before merge review can be trusted.

Label changes:

• add P2: This is a substantial but non-urgent feature PR with blocking correctness and merge-safety issues.
• add merge-risk: 🚨 compatibility: The current head is stale against main and would drop current provider files/help unless rebased and resolved carefully.
• add merge-risk: 🚨 security-boundary: The branch adds opt-in Tailscale policy mutation and public bridge URL publishing, both of which cross operator security boundaries.
• add rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🦪 silver shellfish, patch quality is 🧂 unranked krab, and The idea has useful validation signal, but the current draft is stale against main and has blocking source-of-truth defects in the core peer listing path.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The body includes useful islo live context, but it does not show final after-amend cross-provider crew peers and doctor behavior; add redacted terminal output, logs, or screenshots, and updating the PR body should trigger a fresh review or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Label justifications:

• P2: This is a substantial but non-urgent feature PR with blocking correctness and merge-safety issues.
• merge-risk: 🚨 compatibility: The current head is stale against main and would drop current provider files/help unless rebased and resolved carefully.
• merge-risk: 🚨 security-boundary: The branch adds opt-in Tailscale policy mutation and public bridge URL publishing, both of which cross operator security boundaries.
• rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🦪 silver shellfish, patch quality is 🧂 unranked krab, and The idea has useful validation signal, but the current draft is stale against main and has blocking source-of-truth defects in the core peer listing path.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The body includes useful islo live context, but it does not show final after-amend cross-provider crew peers and doctor behavior; add redacted terminal output, logs, or screenshots, and updating the PR body should trigger a fresh review or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Full review comments:

• [P1] Persist crew metadata before filtering peer claims — internal/cli/crew_bridge.go:416-420
resolveCrewPeers only keeps claims whose sidecar has claim.Crew, but most real claim writers still call the plain helper that passes an empty crew and do not write the new endpoint fields. As a result, leases created with --crew for E2B, RunPod, managed Linux, and other advertised providers will be absent from crew peers or show as pending, so the unified cross-provider listing does not work outside the manually seeded tests.
  Confidence: 0.89
• [P1] Rebase before dropping current provider support — internal/cli/provider_backend.go:386-390
  Against current main, this branch removes the current local-container/parallels provider docs and packages, and the provider help here is stale enough to drop current entries such as RunPod from the SSH provider help. The PR is already merge-dirty; please rebase after the stacked foundation lands and preserve the current provider registry/files before this can merge.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.87

What I checked:

• Current main lacks crew bridge implementation: A current-main search found no crew command, BridgeProvider, BridgePeer, or crew docs; the only related hit was the existing status JSON sshHost field, so the PR is not already implemented on main. (35f1863259fa)
• PR is stacked and not mergeable as-is: GitHub reports this PR is draft, has mergeStateStatus=DIRTY, contains the crew-foundation commit plus the bridge commit, and its body says it depends on feat: introduce pond (peer discovery + bridge + ssh-mesh) #129 landing first. (8834570490c0)
• Branch is stale against current main: A direct diff from current main to the PR head shows 104 changed files, including deletion of current local-container and parallels provider files/docs and stale provider help that drops current providers from help text. (internal/cli/provider_backend.go:386, 8834570490c0)
• Peer resolver filters only local claim sidecars: The new resolver lists local lease claims and keeps only claims whose claim.Crew matches; it does not query provider labels or live provider inventory for crew membership. (internal/cli/crew_bridge.go:198, 8834570490c0)
• Most claim writers do not persist crew or endpoint metadata: The added crew-aware claim helper stores Crew only when a caller passes it, while the plain claim helpers still pass an empty crew; source inspection also showed E2B and current RunPod claim paths using the plain helper, so advertised cross-provider rows can be missing or pending. (internal/cli/claim.go:64, 8834570490c0)
• Provider history and routing context: History around provider registry, claim helpers, Islo/E2B, and recent RunPod work points to Peter Steinberger and zozo123/Yossi Eliaz as the main routing candidates for this area, with E2B hardening also touched by stain lu.

Likely related people:

• Peter Steinberger: Current-main claim/list/provider files are attributed to Peter in blame because of the release snapshot, and git history shows Peter introduced or refactored core provider registry, Daytona/Islo, run labels, and the RunPod merge commit that this branch must preserve. (role: recent area contributor and merger; confidence: medium; commits: 494f3a4d779e, e0a85bc780b6, 10da40d2c2c9; files: internal/cli/claim.go, internal/cli/provider_backend.go, internal/cli/pool.go)
• zozo123: The same contributor authored this stacked PR, the open crew foundation it depends on, and the merged RunPod provider used by the new SSH transport path; git history also ties Yossi Eliaz to E2B, Modal, and Tensorlake provider work. (role: recent provider contributor and crew-stack author; confidence: high; commits: 1b6397871cb4, 9c7c06cc470c, 0067c7194a8d; files: internal/providers/e2b/backend.go, internal/providers/modal/bridge.go, internal/providers/tensorlake/bridge.go)
• stain lu: Recent E2B hardening commits changed the delegated provider path that this bridge adapter now depends on for URL-peer behavior. (role: adjacent E2B provider contributor; confidence: medium; commits: cfd309468fcb, fa1861e34c7d, 41f274b597b1; files: internal/providers/e2b/backend.go)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 35f1863259fa.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[zozo123]

Closing in favor of #129, which now consolidates all three transport planes (Tailscale + Bridge + SSH-mesh) into a single PR. The Bridge plane work (Islo / E2B / Railway adapters, BridgeProvider interface, doctor reachability matrix) is preserved in #129. The primitive was renamed crew → pond to align with openclaw's crab-biology naming. Modal / Cloudflare / Tensorlake stub adapters deferred until real API surfaces exist to validate against. One review thread is simpler than three.