Add CI gate: forbid remoteclaw.ai references (regression prevention)

[alexey-pelykh]

Context

Issue #2382 removed all remaining remoteclaw.ai references from the fork (we own .org, not .ai). Without a CI gate, future PRs can silently reintroduce .ai URLs — especially during upstream sync from OpenClaw.

Scope

Add a regression gate following the existing scripts/check-no-*.mjs pattern:

• New: scripts/check-no-remoteclaw-ai.mjs — runs git grep -n "remoteclaw\.ai" against tracked files; exits non-zero on any match
• New: scripts/ci/remoteclaw-ai-allowlist.txt (optional) — allowlist for legitimate exceptions if any emerge (initially empty)
• package.json: add lint:no-remoteclaw-ai script entry
• Wire into check aggregator (same style as lint:tmp:no-random-messaging)

Precedent

Existing gates following this pattern:

• scripts/check-no-zombie-imports.mjs
• scripts/check-no-raw-channel-fetch.mjs
• scripts/check-no-raw-window-open.mjs
• scripts/check-no-random-messaging-tmp.mjs
• scripts/ci/check-rebrand-leakage.sh + rebrand-allowlist.txt (blocks openclaw leakage; closest analogue)

Acceptance criteria

• pnpm lint:no-remoteclaw-ai (or equivalent) exits 0 on current main (after Clean up remaining remoteclaw.ai references (fork owns .org only) #2382 merges)
• Introducing any remoteclaw.ai URL in a non-allowlisted file causes the gate to fail in CI
• Gate runs in the same CI job that runs pnpm check
• Allowlist format documented inline with comment examples (see rebrand-allowlist.txt for reference)

Non-goals

• Does not revisit the openclaw leakage gate (different scope, already exists)
• Does not enforce .org canonical form (only blocks .ai)

Out of scope

• Adding the gate before Clean up remaining remoteclaw.ai references (fork owns .org only) #2382 merges (gate would fail on main until then)

Links

• Blocked by: Clean up remaining remoteclaw.ai references (fork owns .org only) #2382 (must merge first)
• Related: scripts/ci/check-rebrand-leakage.sh (existing analogous gate for openclaw leakage)