feat: import owned public GitHub skills

[vyctorbrzezowski]

Summary

Adds the owned-public GitHub import flow for ClawHub skills:

• /import now scans the signed-in GitHub account for real SKILL.md / legacy skills.md candidates, then lets users select, review, and publish multiple skills in one flow.
• Server-side import validates the repo is public, owned by the signed-in GitHub account, not a fork, not archived, and not disabled before preview/import.
• Review step supports selected files, slug availability/de-duping, compact icon selection, MIT-0 confirmation, publish progress, partial failure handling, and post-publish sharing.
• Publish/dashboard surfaces now link into the GitHub import path.
• Discovery avoids exhaustive repo-tree scans when GITHUB_TOKEN is configured by using GitHub Code Search; the fallback is bounded and handles truncated trees via archive detection.

Demo

export-1780093667365.mp4

Video demo: https://sleek-vigil-s2a3.here.now/github-import-demo.mp4

Visuals

Review Findings Addressed

Codex review accepted/fixed these P2 findings:

• Paginated owned-repo discovery so the importer no longer only sees the first GitHub repo page.
• Preview failures now render recoverable UI instead of leaving the review step stuck in loading.
• File selection now preserves backend defaultSelected so only intended files start selected.
• Tree/path imports now share the same publish-supported text extension rules.
• Batch retry no longer re-imports already successful rows after partial publish failure.
• Numeric slug suffixing now preserves natural names like gpt-4 and de-dupes to gpt-4-2.
• Slug availability query keys/field ids are collision-safe for similar repo names.
• Discovery no longer relies on unbounded recursive tree scans when Code Search is available.
• Truncated GitHub trees now fall back to archive candidate detection instead of silently hiding candidates.

One P2 recommendation was intentionally not applied: re-adding version/tag controls. The import UX intentionally exposes display name, slug, icon, selected files, and MIT-0 confirmation only; version/tags stay defaulted by the import pipeline.

Latest ClawSweeper follow-up addressed:

• Search now calls GitHub discovery with the search query instead of filtering only the first loaded page.
• Added “Load more” pagination for additional discovery pages.
• Restored legacy skills.md compatibility for URL parsing, archive/tree candidate detection, GitHub Code Search discovery, docs, and specs.
• Kept the owned-public repo boundary for both the picker and older URL-shaped action calls. Older repo/tree/blob URL shapes still work for public repos owned by the signed-in GitHub account; third-party public repo imports are intentionally blocked for new import attempts and no existing published skills are migrated or altered.
• Re-ran focused import tests, bunx tsc --noEmit --pretty false, and bun run ci:static after these fixes.

Validation

• bunx vitest run src/__tests__/import.route.test.tsx convex/githubImport.test.ts convex/lib/githubImport.test.ts — 35 tests passed.
• bunx vitest run src/__tests__/import.route.test.tsx src/__tests__/skills-publish-route.test.tsx src/routes/-dashboard.test.tsx convex/githubImport.test.ts convex/lib/githubImport.test.ts — 58 tests passed during the review/fix pass.
• bun run ci:static — passed.
• bunx tsc --noEmit --pretty false — passed.
• bun run ci:unit — 231 files, 2564 tests passed; coverage summary: 86.52% statements, 75.09% branches, 87.73% functions, 90.17% lines.
• bun run ci:types-build — passed, including app/package typechecks and production build. Build emitted the existing non-fatal Shiki wasm fallback warning.

[vercel]

@vyctorbrzezowski is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 1, 2026, 4:04 PM ET / 20:04 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] No close action taken because the review did not complete.

Maintainer options:

1. Decide the mitigation before merge
   Retry the Codex review after fixing the execution failure.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P1] Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model gpt-5.5, reasoning high; reviewed against cb6ced7906f7.

Label changes

Label changes:

• add rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.
• remove P2: Current review triage priority is none.
• remove proof: sufficient: Current real behavior proof status is not_applicable, not sufficient.
• remove merge-risk: 🚨 compatibility: Current PR review selected no merge-risk labels.
• remove status: ⏳ waiting on author: Current PR status no longer selects a status label.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🌊 off-meta tidepool, so this older rating label is no longer current.
• remove proof: 🎥 video: Current real behavior proof evidence kind is not_applicable.

Label justifications:

• rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

What I checked:

• failure reason: timeout.
• codex failure detail: Codex review failed for this PR: spawnSync codex ETIMEDOUT.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26670695549
• Updated: 2026-05-30T01:35:24.622Z

[vyctorbrzezowski]

@clawsweeper re-review

Addressed the remaining compatibility point in 55e98ee3:

• restored skills.md support alongside SKILL.md for blob URLs, archive/tree detection, GitHub Code Search discovery, docs, and specs
• kept owned-public repo validation for both picker imports and older URL-shaped action calls
• clarified in the PR/spec that blocking third-party public repo imports is an intentional boundary for new import attempts only; no existing published skills are migrated or altered

Validation after the fix:

• bunx vitest run src/__tests__/import.route.test.tsx convex/githubImport.test.ts convex/lib/githubImport.test.ts — 35 tests passed
• bunx tsc --noEmit --pretty false — passed
• bun run ci:static — passed

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26671144886
• Updated: 2026-05-30T01:54:03.445Z

[vyctorbrzezowski]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26778276195
• Updated: 2026-06-01T20:05:34.012Z