# Crabbox Use Crabbox for remote Linux verification and PR proof only. Allowed jobs: - `crabbox job run unit` - `crabbox job run lint-phase1b` - `crabbox job run ci-contract` - `crabbox job run phase1b-local-proof` - `crabbox job run sync-smoke` Default workflow: 1. Run `crabbox job run --dry-run ci-contract`. 2. Run `crabbox job run --dry-run phase1b-local-proof`. 3. Inspect the planned commands and confirm no production secrets or production deploy commands appear. 4. Run `crabbox job run ci-contract`. 5. Run `crabbox job run phase1b-local-proof`. 6. Save the run id, lease id, stdout, downloaded proof JSON, and JUnit output. 7. Stop the lease unless the CLI has already stopped it. Boundaries: - Do not run production deploy commands from Crabbox. - Do not forward production GitHub, Forgejo, OpenRouter, SSH, Bitwarden, or VPS secrets. - Do not target the production `decision-engine` repo for sandbox proof. - Do not mutate the production VPS. - Do not call Crabbox proof equivalent to production proof unless the lease recreates `/opt/teleo-eval`, systemd services, runtime users, DB paths, timers, and deploy scripts. Failure handling: - If sync sanity fails, stop the lease and retry on a fresh lease. - If a proof script fails, save the full run output and do not summarize it as a pass. - If a remote box has unknown state, stop it instead of debugging against reused state.