This repository was archived by the owner on May 5, 2026. It is now read-only.

chore: establish ProdClaw governance #1

Merged

timeleft-- merged 11 commits into main from codex/prodclaw-governance, May 1, 2026

Conversation

Member

@timeleft-- timeleft-- commented May 1, 2026

Summary

Establishes ProdClaw as MachineWisdom's production-stability downstream of OpenClaw, with the boundary kept generic to the runtime and away from private deployment/customer operations.

What changed

  • Adds PRODCLAW.md with the downstream boundary, upstream intake rules, GA/LTS maturity channels, SemVer policy, and hardening-default expectations.
  • Adds docs/reference/prodclaw-release-policy.md for release-channel policy and release gates.
  • Updates README.md, CONTRIBUTING.md, and AGENTS.md so contributors and agents understand the ProdClaw boundary.
  • Adds prodclaw-governance.yml for Conventional Commit PR titles, boundary-file checks, and ProdClaw tag policy validation.
  • Adds prodclaw-release.yml to package SemVer release tags into GitHub Release artifacts with SHA256 and metadata.
  • Adds PRODCLAW_UPSTREAM.json so release metadata records upstream OpenClaw package provenance without relying on a CI git remote.
  • Pins new workflow runners to ubuntu-24.04, pins first-party release/governance actions by SHA, rejects v0.x.y release tags, and removes unused release attestation permissions until attestations are implemented.
  • Adds CODEOWNERS entries for the new ProdClaw governance/release surfaces.
  • Scopes inherited OpenClaw maintainer-secret workflows (Auto response, Labeler) to upstream repositories only. They were also disabled at the ProdClaw repo level because pull_request_target evaluates main until this PR lands.
  • Removes an unnecessary TypeScript assertion in src/commands/doctor-state-integrity.ts that blocked the inherited lint CI on this branch.

Repo configuration applied

  • Renamed MachineWisdomAI/openclaw to MachineWisdomAI/ProdClaw.
  • Enabled secret scanning and secret scanning push protection.
  • Restricted main with required Validate PR and ProdClaw Governance checks, strict status checks, one approval, stale-review dismissal, conversation resolution, linear history, no force pushes, and no deletions.
  • Added active rulesets for ga/* and lts/* release branches.
  • Added active ruleset protection for v* release tags.
  • Disabled inherited upstream-only Auto response and Labeler workflows in repo settings pending this tracked guard.

Validation

  • pnpm docs:list
  • pnpm install --frozen-lockfile
  • pnpm format:docs:check
  • pnpm docs:check-mdx docs README.md PRODCLAW.md CONTRIBUTING.md
  • pnpm lint:docs
  • git diff --check
  • Ruby YAML parse for the modified workflows
  • Local execution of the ProdClaw governance boundary/tag-policy checks
  • GitHub Workflow Sanity actionlint/no-tabs passed on this PR
  • GitHub ProdClaw Governance passed on this PR
  • pnpm lint --threads=8
  • GitHub check-lint and aggregate check passed after the lint cleanup
  • Release workflow YAML parse, tag-policy checks, upstream metadata checks, and release-metadata generation smoke

pnpm check:workflows could not run locally because this machine has neither actionlint nor go; GitHub's Workflow Sanity covers actionlint for this PR.

Follow-up

Runtime hardening defaults should land in a separate PR after this boundary/release practice is reviewed, especially customer-visible tool progress, config writes, and restart/config command surfaces.

@timeleft-- timeleft-- marked this pull request as ready for review May 1, 2026 14:21
Member Author

Round 2 addressed in commit d76f0e8:

  • Moved ProdClaw CODEOWNERS rules to the end of the file and added PRODCLAW_UPSTREAM.json ownership so broader upstream rules cannot override @timeleft-- under last-match-wins semantics.
  • Added manual governance reruns via workflow_dispatch, with the semantic PR-title job limited to pull_request events.
  • Replaced brittle GA/LTS substring checks with explicit boundary-doc tripwires and comments that CODEOWNERS review remains authoritative.
  • Added release channel resolution and branch-of-origin validation: GA must be reachable from main/ga/* and LTS from lts/*; manual runs require a channel input.
  • Changed release metadata from hardcoded releaseChannels: [GA, LTS] to a single releaseChannel.
  • Switched release packing from npm pack to pnpm pack and kept a tarball existence fallback for pnpm JSON shape differences.
  • Removed --clobber; release asset upload now fails if the tarball, checksum, or metadata asset already exists.

Validation run locally:

  • git diff --check
  • parsed prodclaw-release.yml and prodclaw-governance.yml with PyYAML
  • replayed the governance boundary/tag shell checks locally

Note: actionlint is not installed locally on this machine, so workflow-level validation is left to CI.

Member Author

Round 3 grep bug fixed in commit a6a4b4c2cf.

Changed the GA branch detection regex from:

'^(origin/main|origin/ga/)'

to:

'^(origin/main$|origin/ga/)'

so origin/main-feature / origin/maintenance cannot satisfy the main alternative.

Validation:

  • git diff --check
  • parsed .github/workflows/prodclaw-release.yml with PyYAML
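The two release gates discussed in this PR (the v0.x.y tag rejection from the description and the tightened GA/LTS branch-of-origin check above), as an added POSIX shell illustration that is not the ProdClaw workflow's own code. The branch list is constructed to mimic `git branch -r --contains TAG` output, and the optional channel argument models the workflow_dispatch channel input.

```shell
#!/bin/sh
# Added illustration of ProdClaw's release-tag and channel gates (not the
# repository's workflow code). Inputs are constructed for demonstration.

# validate_release_tag TAG
# Accepts vMAJOR.MINOR.PATCH with an optional -prerelease suffix
# (e.g. v1.0.0-rc.1) and rejects any v0.x.y tag per the policy in this PR.
validate_release_tag() {
  tag=$1
  # SemVer core with no leading zeros; pre-release allowed, build metadata not.
  if ! printf '%s\n' "$tag" |
    grep -Eq '^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?$'
  then
    return 1
  fi
  # A 0.x.y major is not an accepted release line.
  case "$tag" in v0.*) return 1 ;; esac
  return 0
}

# resolve_release_channel BRANCHES [REQUESTED]
# BRANCHES is the raw output of `git branch -r --contains TAG`.
# Prints GA when the tag is reachable from origin/main or origin/ga/*,
# LTS when reachable from origin/lts/*, and fails otherwise. When
# REQUESTED is given (manual run), it must equal the resolved channel.
resolve_release_channel() {
  branches=$1
  requested=$2
  # Strip the leading whitespace git prints so the anchors below apply.
  trimmed=$(printf '%s\n' "$branches" | sed 's/^[[:space:]]*//')
  # `origin/main$` is anchored so origin/maintenance or origin/main-feature
  # can no longer satisfy the main alternative (the grep bug fixed above).
  if printf '%s\n' "$trimmed" | grep -Eq '^(origin/main$|origin/ga/)'; then
    channel=GA
  elif printf '%s\n' "$trimmed" | grep -Eq '^origin/lts/'; then
    channel=LTS
  else
    return 1
  fi
  if [ -n "$requested" ] && [ "$requested" != "$channel" ]; then
    return 1
  fi
  echo "$channel"
}
```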

timeleft-- and others added 3 commits May 1, 2026 11:51
Co-authored-by: Omar Gamel <33233117+ogamel@users.noreply.github.com>
Collaborator

@ogamel ogamel left a comment


Left some suggestions. Otherwise LGTM.

@timeleft-- timeleft-- merged commit bafa655 into main May 1, 2026
72 of 81 checks passed
@timeleft-- timeleft-- deleted the codex/prodclaw-governance branch May 1, 2026 19:03
@timeleft-- timeleft-- mentioned this pull request May 1, 2026
timeleft-- added a commit that referenced this pull request May 1, 2026
* chore: establish ProdClaw governance on ga/1.0

Cherry-pick of governance PR #1 (bafa655), excluding
src/commands/doctor-state-integrity.ts (incidental lint, not governance).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: restore ProdClaw CODEOWNER reviewer (#2)

* fix: set PRODCLAW_UPSTREAM.json to ga/1.0 baseline

Align upstream metadata with the v2026.4.20 release that this GA
branch is based on. releaseDate sourced from npm publish timestamp.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore(release): bump version to 1.0.0-rc.1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>