chore(deps): bump plugins/nemoclaw from 449f6f4 to c84b6f1 #101

Merged
github-actions[bot] merged 2 commits into main from dependabot/submodules/plugins/nemoclaw-c84b6f1
May 22, 2026


@dependabot dependabot Bot commented on behalf of github May 22, 2026

Bumps plugins/nemoclaw from 449f6f4 to c84b6f1.

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file submodules Pull requests that update submodules code labels May 22, 2026

clawsweeper Bot commented May 22, 2026

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-22 09:33 UTC / May 22, 2026, 5:33 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR advances the plugins/nemoclaw git submodule from 449f6f4e7f28cd6dbee075836c502b10f1b270ca to c84b6f19dd8a82063e12a391002e045f83bb7b95.

Reproducibility: not applicable. This is a dependency gitlink bump rather than a reported bug. The verification path is Crabpot’s submodule-specific and static CI, not a manual reproduction.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: The patch is a normal, narrow submodule bump with appropriate repo automation, but merge confidence depends on the still-running checks.

Rank-up moves:

  • Wait for the in-progress static checks, Socket Security, and any Dependabot report-refresh commit before merging.

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: Not applicable because this is a Dependabot bot submodule PR; runtime proof is replaced by Crabpot’s fixture CI/report validation.

Risk before merge

  • Several required static/report/security checks were still pending on the inspected head, so merge should wait for those checks and any generated report refresh commit.
  • The upstream range is broad for a high-priority fixture, so the important remaining validation is whether Crabpot’s generated reports and fixture probes stay clean after the pin update.

Maintainer options:

  1. Decide the mitigation before merge
    Let the Dependabot workflow refresh reports and merge the reviewed submodule pin only after the changed-fixture and static checks pass.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No ClawSweeper repair lane is needed because the remaining action is the existing Dependabot CI/report-refresh gate, not a concrete code repair.

Security
Cleared: No concrete security or supply-chain defect was found in the Crabpot diff; it only advances an existing submodule pin and the repo has a Dependabot-only validation workflow for this path.

Review details

Best possible solution:

Let the Dependabot workflow refresh reports and merge the reviewed submodule pin only after the changed-fixture and static checks pass.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency gitlink bump rather than a reported bug. The verification path is Crabpot’s submodule-specific and static CI, not a manual reproduction.

Is this the best way to solve the issue?

Yes; updating the existing submodule pin is the narrowest maintainable way to track the upstream NemoClaw fixture, provided the report refresh and checks pass.

Label changes:

  • add P3: This is routine dependency fixture maintenance with validation still running and no demonstrated user-facing regression.
  • add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and the patch is a normal, narrow submodule bump with appropriate repo automation, but merge confidence depends on the still-running checks.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Not applicable because this is a Dependabot bot submodule PR; runtime proof is replaced by Crabpot’s fixture CI/report validation.

Label justifications:

  • P3: This is routine dependency fixture maintenance with validation still running and no demonstrated user-facing regression.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and the patch is a normal, narrow submodule bump with appropriate repo automation, but merge confidence depends on the still-running checks.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Not applicable because this is a Dependabot bot submodule PR; runtime proof is replaced by Crabpot’s fixture CI/report validation.

What I checked:

  • PR diff: The pull request changes only the plugins/nemoclaw gitlink from 449f6f4e7f28cd6dbee075836c502b10f1b270ca to c84b6f19dd8a82063e12a391002e045f83bb7b95. (plugins/nemoclaw, fcd405fbe3e0)
  • Current main pin: Current main still pins plugins/nemoclaw at 449f6f4e7f28cd6dbee075836c502b10f1b270ca, so the PR is not already implemented on the default branch. (plugins/nemoclaw, a6d2942b7fae)
  • Fixture manifest: The NemoClaw fixture is explicitly configured as a high-priority fixture covering provider capability, prompt mutation, security audit, process spawn, command, and config-schema seams. (crabpot.config.json:1086, a6d2942b7fae)
  • Dependabot validation path: The Dependabot auto-merge workflow restricts accepted files to fixture pins/generated reports, refreshes compatibility reports, runs fixture checks, and commits refreshed reports before merge. (.github/workflows/dependabot-auto-merge.yml:69, a6d2942b7fae)
  • Submodule CI coverage: The normal check workflow intentionally runs on unfiltered pull requests because plugin submodule gitlink bumps under plugins/** must be retested. (.github/workflows/check.yml:3, a6d2942b7fae)
  • Upstream compare: The upstream NemoClaw compare is 38 commits ahead and includes docs, tests, runtime, policy, OpenClaw version, and E2E changes; that breadth makes Crabpot’s generated report refresh and CI the relevant merge gate. (c84b6f19dd8a)

Likely related people:

  • Vincent Koc: Blame shows Vincent Koc introduced the NemoClaw fixture entry and submodule metadata, then updated the expected hook coverage and fixture rationale. (role: fixture area contributor; confidence: high; commits: 8f99590e5ec8, 1075bca8ad04; files: crabpot.config.json, .gitmodules, plugins/nemoclaw)
  • dependabot[bot]: Recent merged history on plugins/nemoclaw is primarily Dependabot submodule pin bumps, including the current main pin. (role: recent automation actor; confidence: medium; commits: a6d2942b7fae, 93c8b349f172, 7e8617909b15; files: plugins/nemoclaw)
  • Aaron Erickson: The target upstream NemoClaw commit c84b6f1 was authored by Aaron Erickson and changes OpenClaw versioning, Dockerfile patching, and E2E behavior in the external fixture source. (role: upstream change author; confidence: medium; commits: c84b6f19dd8a; files: plugins/nemoclaw)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a6d2942b7fae.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. labels May 22, 2026

clawsweeper Bot commented May 22, 2026

ClawSweeper PR egg

✨ Hatched: 🥚 common Cosmic Diff Drake

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: polishes edge cases.
Image traits: location CI tidepool; accessory review stamp; palette amber, ink, and glacier blue; mood focused; pose sitting proudly on a smooth stone; shell polished stone shell; lighting soft underwater shimmer; background gentle dashboard dots.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

Bumps [plugins/nemoclaw](https://github.com/NVIDIA/NemoClaw) from `449f6f4` to `c84b6f1`.
- [Commits](NVIDIA/NemoClaw@449f6f4...c84b6f1)

---
updated-dependencies:
- dependency-name: plugins/nemoclaw
  dependency-version: c84b6f19dd8a82063e12a391002e045f83bb7b95
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/submodules/plugins/nemoclaw-c84b6f1 branch from fcd405f to ed63551 Compare May 22, 2026 09:36
@github-actions github-actions Bot merged commit a44f25b into main May 22, 2026
3 checks passed
@github-actions github-actions Bot deleted the dependabot/submodules/plugins/nemoclaw-c84b6f1 branch May 22, 2026 09:42

Labels

dependencies Pull requests that update a dependency file rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. submodules Pull requests that update submodules code
