chore(deps): bump plugins/clawmetry from f57a40d to 7bb425b #100

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/submodules/plugins/clawmetry-7bb425b

@dependabot dependabot Bot commented on behalf of github May 22, 2026

Bumps plugins/clawmetry from f57a40d to 7bb425b.

Commits
  • 7bb425b [RELEASE] daemon gateway-token detection fix (#1874)
  • 2faa190 fix(sync): detect gateway token in daemon so snapshot auth_token_status isn't...
  • 732c8ce chore: bump to v0.12.274 [skip ci] (#1872)
  • 68dcce2 [RELEASE] feat(replay): tool turns as compact chips (#1871)
  • 3f9127f feat(replay): render tool turns as compact chips, not blank bubbles (#1870)
  • c53fdd6 chore: bump to v0.12.273 [skip ci] (#1869)
  • ddb4943 [RELEASE] perf: tab-scope system-health fan-out (#1868)
  • 643f2d5 perf: tab-scope loadSystemHealth (4-endpoint fan-out) to Overview (#1867)
  • 8bfcb4f chore: bump to v0.12.272 [skip ci] (#1866)
  • cd4a4f5 [RELEASE] perf: tab-scope tool prefetch (#1865)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [plugins/clawmetry](https://github.com/vivekchand/clawmetry) from `f57a40d` to `7bb425b`.
- [Release notes](https://github.com/vivekchand/clawmetry/releases)
- [Commits](vivekchand/clawmetry@f57a40d...7bb425b)

---
updated-dependencies:
- dependency-name: plugins/clawmetry
  dependency-version: 7bb425b80c402485d5f75e2221c4887f5cf29dac
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file submodules Pull requests that update submodules code labels May 22, 2026

clawsweeper Bot commented May 22, 2026

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 09:33 UTC / May 22, 2026, 5:33 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR updates the plugins/clawmetry submodule from f57a40d to 7bb425b.

Reproducibility: not applicable. This is a dependency pin update rather than a bug report. The current-main check shows the old f57a40d gitlink is still present.

PR rating
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Summary: The bump itself is straightforward, but the branch is not merge-ready until the generated Crabpot reports refresh for the new fixture revision.

Rank-up moves:

  • Let or rerun Dependabot Auto Merge so README.md and reports/ are regenerated.
  • Confirm the full Check workflow completes after the report refresh.

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a Dependabot bot PR, so the contributor real-behavior proof gate does not apply; CI and fixture-report validation are the relevant proof.

Risk before merge

  • Merging the single gitlink change before the report-refresh commit would leave README.md and reports/ describing the old f57a40d fixture state.
  • The upstream bump spans 94 commits, including daemon diagnostics/auth-token status behavior, so the full static and report-refresh pipeline should finish before merge.

Maintainer options:

  1. Wait for refreshed reports (recommended)
    Let the Dependabot workflow complete or rerun it so the branch includes regenerated README.md and reports/ artifacts for the new clawmetry revision before merge.
  2. Accept stale-report risk
    Maintainers could merge the gitlink-only bump and refresh reports afterward, but the dashboard would temporarily describe the wrong fixture revision.
  3. Close if superseded
    If a newer Dependabot clawmetry bump replaces this one before the workflow finishes, close this PR in favor of the newer pin.

Next step before merge
The next action is to let or rerun the repository's Dependabot report-refresh workflow rather than have ClawSweeper independently rewrite the bot branch.

Security
Cleared: No concrete security or supply-chain regression is visible in the target diff beyond the normal external submodule-bump review surface.

Review findings

  • [P2] Refresh the generated compatibility reports — plugins/clawmetry:1

Review details

Best possible solution:

Let the Dependabot/report-refresh workflow regenerate the Crabpot reports against 7bb425b, then merge only after the generated artifacts and checks agree with the new fixture pin.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency pin update rather than a bug report. The current-main check shows the old f57a40d gitlink is still present.

Is this the best way to solve the issue?

Unclear until the generated reports land; the narrow maintainable path is the existing Dependabot workflow that refreshes reports and merges only after validation.

Label changes:

  • add P2: This is a normal fixture dependency update with limited blast radius, but it affects Crabpot compatibility evidence.
  • add merge-risk: 🚨 compatibility: The PR changes the external fixture revision that Crabpot uses to detect OpenClaw plugin contract drift.
  • add rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and the bump itself is straightforward, but the branch is not merge-ready until the generated Crabpot reports refresh for the new fixture revision.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a Dependabot bot PR, so the contributor real-behavior proof gate does not apply; CI and fixture-report validation are the relevant proof.

Label justifications:

  • P2: This is a normal fixture dependency update with limited blast radius, but it affects Crabpot compatibility evidence.
  • merge-risk: 🚨 compatibility: The PR changes the external fixture revision that Crabpot uses to detect OpenClaw plugin contract drift.
  • rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🌊 off-meta tidepool, patch quality is 🦐 gold shrimp, and the bump itself is straightforward, but the branch is not merge-ready until the generated Crabpot reports refresh for the new fixture revision.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a Dependabot bot PR, so the contributor real-behavior proof gate does not apply; CI and fixture-report validation are the relevant proof.

Full review comments:

  • [P2] Refresh the generated compatibility reports — plugins/clawmetry:1
    This gitlink now points at 7bb425b, but the checked-in dashboard and reports still describe the old f57a40d fixture state. The repo's Dependabot workflow normally commits refreshed README.md and reports/ artifacts for fixture-pin bumps, so merging this lone gitlink would leave Crabpot's compatibility evidence stale.
    Confidence: 0.78

Overall correctness: patch is incorrect
Overall confidence: 0.78

Acceptance criteria:

  • node scripts/sync-fixtures.mjs --check
  • node scripts/generate-report.mjs --check --openclaw ./openclaw
  • node scripts/capture-contracts.mjs --check --openclaw ./openclaw
  • node scripts/synthetic-probes.mjs --check --openclaw ./openclaw
  • node scripts/update-readme-summary.mjs --check

What I checked:

  • Current main pin: Current main still records plugins/clawmetry at f57a40df1f1e0dd04707c063cb99c0084b8778f2, so the PR's target 7bb425b80c402485d5f75e2221c4887f5cf29dac is not already implemented. (plugins/clawmetry:1, a6d2942b7fae)
  • PR diff: The PR changes only the clawmetry submodule gitlink from f57a40df1f1e0dd04707c063cb99c0084b8778f2 to 7bb425b80c402485d5f75e2221c4887f5cf29dac. (plugins/clawmetry:1, 1e874dff223c)
  • Fixture purpose: crabpot.config.json registers clawmetry as a diagnostics/log-transport/gateway-service/sidecar/telemetry fixture expecting registerService, so changing its upstream revision changes a compatibility fixture surface. (crabpot.config.json:1315, a6d2942b7fae)
  • Generated report refresh path: The Dependabot workflow is designed to refresh compatibility reports and commit README.md plus reports/ after fixture-pin changes before merging. (.github/workflows/dependabot-auto-merge.yml:95, a6d2942b7fae)
  • Previous clawmetry bump precedent: The previous merged clawmetry bump included a follow-up chore(reports): refresh dependabot compatibility reports commit that updated README.md and many reports/* artifacts along with the submodule pin. (plugins/clawmetry:1, dafb646b0baa)
  • Upstream change scope: The upstream compare from f57a40d to 7bb425b is 94 commits and includes source changes such as clawmetry/sync.py plus the release commit for daemon gateway-token detection. (plugins/clawmetry:1, 7bb425b80c40)

Likely related people:

  • Vincent Koc: Introduced the clawmetry fixture entry and later updated fixture pins/config in the central Crabpot fixture paths. (role: fixture history owner; confidence: high; commits: 8f99590e5ec8, 1075bca8ad04; files: crabpot.config.json, .gitmodules, plugins/clawmetry)
  • Vivek Chand: Auth-token detection and release commits included in the upstream clawmetry bump were authored in the external plugin repository. (role: upstream plugin author; confidence: medium; commits: 2faa19079160, 7bb425b80c40; files: plugins/clawmetry)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a6d2942b7fae.

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels May 22, 2026
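
The gitlink-only check that the review above lists under "PR diff", written out as an added example (it is not Crabpot's, ClawSweeper's or Dependabot's code): it parses `git diff --raw --no-abbrev` output and the `updated-dependencies` block of the Dependabot commit message, and accepts the bump only when every changed entry is a submodule gitlink (mode 160000) whose new SHA equals the declared `dependency-version`. The function names and the sample diff line are constructed for illustration; the two SHAs are the ones quoted on this page.

```javascript
// Added example: check that a submodule bump is gitlink-only and matches its declared version.
const GITLINK_MODE = "160000"; // git's tree-entry mode for a submodule commit

// Parse `git diff --raw --no-abbrev <base> <head>` output into entries.
function parseRawDiff(raw) {
  return raw.split("\n").filter((l) => l.startsWith(":")).map((line) => {
    const [meta, path] = line.split("\t");
    const [oldMode, newMode, , newSha] = meta.slice(1).split(" ");
    return { oldMode, newMode, newSha, path };
  });
}

// Extract name -> version pairs from the `updated-dependencies:` block.
function parseDeclaredDeps(commitMessage) {
  const deps = new Map();
  let name = null;
  for (const line of commitMessage.split("\n")) {
    const n = line.match(/^- dependency-name:\s*(\S+)/);
    const v = line.match(/^\s+dependency-version:\s*([0-9a-f]{40})\s*$/);
    if (n) name = n[1];
    else if (v && name) deps.set(name, v[1]);
  }
  return deps;
}

// Returns a list of problems; an empty list means the bump is as declared.
function checkSubmoduleBump(rawDiff, commitMessage) {
  const declared = parseDeclaredDeps(commitMessage);
  const problems = [];
  const entries = parseRawDiff(rawDiff);
  if (entries.length === 0) problems.push("no changed entries found");
  for (const e of entries) {
    if (e.oldMode !== GITLINK_MODE || e.newMode !== GITLINK_MODE) {
      problems.push(`${e.path}: not a gitlink-to-gitlink change (${e.oldMode} -> ${e.newMode})`);
    } else if (!declared.has(e.path)) {
      problems.push(`${e.path}: submodule changed but not declared in commit message`);
    } else if (declared.get(e.path) !== e.newSha) {
      problems.push(`${e.path}: pinned ${e.newSha}, declared ${declared.get(e.path)}`);
    }
  }
  return problems;
}

// Constructed sample input using the SHAs quoted on this page.
const OLD = "f57a40df1f1e0dd04707c063cb99c0084b8778f2";
const NEW = "7bb425b80c402485d5f75e2221c4887f5cf29dac";
const sampleDiff = `:160000 160000 ${OLD} ${NEW} M\tplugins/clawmetry\n`;
const sampleMessage = `updated-dependencies:\n- dependency-name: plugins/clawmetry\n  dependency-version: ${NEW}\n`;
console.log(checkSubmoduleBump(sampleDiff, sampleMessage));
```

A branch that also carries the regenerated README.md and reports/ commit would be flagged by this check, so it applies to the bump commit alone rather than to the whole PR range.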

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.
