chore(deps): bump plugins/clawrouter from ed699ce to e18d6d7

[dependabot]

Bumps plugins/clawrouter from ed699ce to e18d6d7.

Commits

• e18d6d7 v0.12.194: Seedance per-token pricing + Surf catalog refresh + voice/call fro...
• d7157b6 docs(readme): link ClawRouter-Hermes (Python plugin for NousResearch Hermes)
• 0a8582a v0.12.193: Surf crypto-data API integration (skill-only pattern)
• d917aae chore(skills): release SKILL Step 4 reflects npm-registry auto-fetch
• 030dc4c v0.12.192: phone & voice integration (Twilio lookup + Bland.ai outbound calls)
• 5353067 v0.12.191: delist free/deepseek-v4-pro (NVIDIA hung) → redirect all aliases t...
• 16fc076 chore: remove orphan files + cleanup
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[clawsweeper]

Codex review: needs changes before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This PR advances the plugins/clawrouter submodule from ed699ce to e18d6d7 for the ClawRouter fixture.

Reproducibility: yes. Source inspection shows the PR changes only the submodule gitlink while upstream registration line numbers changed and committed capture reports still reference the old ClawRouter source locations.

PR rating
Overall: 🦪 silver shellfish
Proof: 🌊 off-meta tidepool
Patch quality: 🦪 silver shellfish
Summary: The dependency bump has useful CI signal, but the patch is not merge-ready until generated compatibility artifacts are refreshed.

Rank-up moves:

• Regenerate and commit README.md and reports/ for the e18d6d7 ClawRouter pin.
• Confirm the refreshed branch still has the Check workflow and isolated clawrouter fixture lane green.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: Not applicable for a Dependabot submodule update; CI and refreshed generated reports are the relevant validation evidence.

Risk before merge

• Merging the gitlink alone would leave committed Crabpot reports pointing at the previous ClawRouter registration line numbers and fixture surface.
• The branch's Dependabot report-refresh workflow was canceled, so the normal generated-artifact commit did not happen.
• The upstream fixture adds and updates paid network-facing phone, voice, Surf, and pricing surfaces; the changed-fixture CI lane passed, but maintainers still need refreshed reports to review the recorded compatibility surface.

Maintainer options:

1. Refresh reports before merge (recommended)
   Rerun the Dependabot report-refresh path or regenerate the same artifacts manually so README.md and reports/ are committed against the new ClawRouter gitlink.
2. Accept stale dashboards temporarily
   Maintainers could merge the gitlink alone only if they intentionally plan a follow-up dashboard/report refresh immediately after merge.
3. Pause this bump
   If the broad upstream ClawRouter surface change is not worth report churn right now, close or leave the Dependabot bump until the fixture lane is ready to refresh cleanly.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Refresh the generated Crabpot compatibility artifacts for the ClawRouter submodule bump. Keep `plugins/clawrouter` pinned at `e18d6d7c3e9f81e1ed9e55017f78334c9d6f597e`, run the report-refresh sequence from `.github/workflows/dependabot-auto-merge.yml`, and commit only the resulting `README.md` and `reports/` changes unless the fixture sync requires a manifest-consistent metadata update.

Next step before merge
A repair worker can perform the narrow generated-artifact refresh for this existing submodule bump without choosing a new product direction.

Security
Cleared: No concrete security or supply-chain regression was found in the Crabpot diff; the upstream fixture update changes external code but does not add package dependencies or lifecycle scripts.

Review findings

• [P2] Commit the refreshed generated reports before merging — plugins/clawrouter:1

Review details

Best possible solution:

Land the submodule bump together with regenerated README.md and reports/ artifacts for e18d6d7, then let the normal checks gate the refreshed branch.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows the PR changes only the submodule gitlink while upstream registration line numbers changed and committed capture reports still reference the old ClawRouter source locations.

Is this the best way to solve the issue?

No, not as-is. The submodule bump is reasonable, but the maintainable landing path is to include the regenerated Crabpot report artifacts before merge.

Label changes:

• add P3: This is a low-risk dependency fixture maintenance PR, with the main blocker limited to generated compatibility artifacts.
• add merge-risk: 🚨 automation: The canceled Dependabot refresh path means merging as-is can leave generated dashboards and reports stale even though normal checks passed.
• add rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and The dependency bump has useful CI signal, but the patch is not merge-ready until generated compatibility artifacts are refreshed.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: Not applicable for a Dependabot submodule update; CI and refreshed generated reports are the relevant validation evidence.

Label justifications:

• P3: This is a low-risk dependency fixture maintenance PR, with the main blocker limited to generated compatibility artifacts.
• merge-risk: 🚨 automation: The canceled Dependabot refresh path means merging as-is can leave generated dashboards and reports stale even though normal checks passed.
• rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🌊 off-meta tidepool, patch quality is 🦪 silver shellfish, and The dependency bump has useful CI signal, but the patch is not merge-ready until generated compatibility artifacts are refreshed.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: Not applicable for a Dependabot submodule update; CI and refreshed generated reports are the relevant validation evidence.

Full review comments:

• [P2] Commit the refreshed generated reports before merging — plugins/clawrouter:1
  This bump moves the ClawRouter fixture to a new upstream source tree, but the branch only updates the gitlink. The committed capture report still points at the old src/index.ts registration lines, and the Dependabot report-refresh run for this branch was canceled, so merging as-is leaves the dashboard/report artifacts stale. Please rerun the report refresh path and commit the resulting README.md/reports/ changes with the pin.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.84

Acceptance criteria:

• node scripts/sync-fixtures.mjs --materialize --openclaw ./openclaw
• npm test
• node scripts/sync-fixtures.mjs --check
• node scripts/run-contract-smoke.mjs --strict --openclaw ./openclaw
• node scripts/inspect-fixtures.mjs --check

What I checked:

• Current main pin: Current main still pins plugins/clawrouter to ed699ce6ab9654fe1b3b8431ed6174c5857df3e5, so the PR is not already implemented. (plugins/clawrouter:1, a6d2942b7fae)
• PR diff: The PR changes only the ClawRouter submodule gitlink from ed699ce6ab9654fe1b3b8431ed6174c5857df3e5 to e18d6d7c3e9f81e1ed9e55017f78334c9d6f597e. (plugins/clawrouter:1, c69b5fe14d8e)
• Upstream range: The upstream compare is seven commits ahead and changes ClawRouter from package version 0.12.190 to 0.12.194, including src/index.ts, src/proxy.ts, generated dist files, skills, docs, and tests. (plugins/clawrouter:1, e18d6d7c3e9f)
• Report staleness evidence: The committed capture report still records old ClawRouter registration lines such as registerProvider at 1613 and registerTool at 1707, while upstream e18d6d7 moves those registrations to 1685 and 1779. (reports/crabpot-capture.md:321, a6d2942b7fae)
• Dependabot refresh path: The Dependabot workflow is designed to refresh compatibility reports and commit README.md/reports/ changes after fixture pin bumps, but the run for this branch was canceled before jobs ran. (.github/workflows/dependabot-auto-merge.yml:95, a6d2942b7fae)
• CI status: The normal Check workflow succeeded, including the isolated changed fixture lane for clawrouter, so the remaining blocker is generated artifact freshness rather than an observed fixture execution failure. (.github/workflows/check.yml:161, c69b5fe14d8e)

Likely related people:

• vincentkoc: Introduced the Crabpot fixture/report automation and ClawRouter fixture entry, then authored and merged the recent upstream plugin update PR that touched the same submodule path. (role: recent area contributor; confidence: high; commits: 8f99590e5ec8, 1075bca8ad04, 9d8c0f473d31; files: crabpot.config.json, .github/workflows/dependabot-auto-merge.yml, .github/workflows/check.yml)
• 1bcMax: Authored the upstream ClawRouter commits in the bumped range, so they are relevant for fixture behavior questions if the refreshed reports expose unexpected ClawRouter changes. (role: upstream plugin release author; confidence: medium; commits: 16fc07636b81, 535306790558, 030dc4cccf56; files: plugins/clawrouter)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a6d2942b7fae.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.