rename: zeroclawed → calciforge + drop dead OneCLI HTTP client#48
Merged
rename: zeroclawed → calciforge + drop dead OneCLI HTTP client#48
Conversation
There was a problem hiding this comment.
Pull request overview
Renames the project from ZeroClawed to Calciforge, updates crate/module naming and config paths accordingly, and removes the legacy OneCLI HTTP client surface while keeping the shared secret-resolution library functionality.
Changes:
- Renamed core crates and many references/paths (
zeroclawed→calciforge,onecli-client→secrets-client, etc.). - Updated security-proxy and other crates/tests to use the renamed secrets resolver and new env var prefixes.
- Swept docs/scripts/research files to reflect the new project vocabulary and paths.
Reviewed changes
Copilot reviewed 164 out of 200 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| signal-config-example.toml | Update example config text/paths to calciforge |
| scripts/test-config.toml | Update test endpoint hostname to secrets |
| scripts/setup-claude-hooks.sh | Rename build/install instructions and labels |
| scripts/setup-agents.sh | Rename displayed project name and plugin refs |
| scripts/ralph-loop.sh | Update cargo package name in test loop |
| scripts/ralph-loop-overnight.sh | Update cargo package name in overnight loop |
| scripts/pre-push.sh | Update crate name references and warnings |
| scripts/manual-docker-test.sh | Update service/log names to calciforge/secrets |
| scripts/install-security-stack.sh | Update install/config dirs to /opt |
| scripts/docker-compose.yml | Rename services/paths to calciforge/secrets |
| research/vault-parity.md | Rename references to calciforge |
| research/vault-groundwork-summary.md | Rename references to calciforge and related docs |
| research/openclaw-schema-versioning.md | Rename installer naming and sessionKey prefixes |
| research/openclaw-migration.md | Rename references to calciforge |
| research/onecli-architecture.md | Rename references in architecture research doc |
| research/jai-integration-levels.md | Rename references to calciforge |
| research/jai-analysis.md | Rename implications section to calciforge |
| research/fs-transaction-summary.md | Rename incident narrative and installer naming |
| research/fs-transaction-alternatives.md | Rename context to calciforge |
| research/approval-relay-design.md | Rename approval relay naming and example config |
| research/acp-adapter-implementation.md | Rename adapter documentation references |
| research/acp-adapter-design.md | Rename adapter documentation references and paths |
| docs/vendor-067-status.md | Rename workspace references to calciforge |
| docs/vendor-067-comparison.md | Rename workspace path references to calciforge |
| docs/typo-handling-design.md | Rename config paths and component naming |
| docs/security-gateway.md | Rename gateway description to calciforge |
| docs/security-audit-cve-2026-33579.md | Rename scope and crate path references |
| docs/roadmap/v3-ideas.md | Rename roadmap references to calciforge |
| docs/roadmap/outbound-sensitive-data-detection.md | Rename channel layer naming |
| docs/roadmap-v3.md | Rename config ownership text to calciforge |
| docs/rfcs/secret-input-web-ui.md | Update crate name reference to paste-server |
| docs/rfcs/model-gateway-primitives.md | Rename project references and config path example |
| docs/rfcs/browser-harness-integration.md | Rename crate references (mcp-server) and project text |
| docs/installer-open-questions.md | Rename installer concerns to calciforge |
| docs/clash-integration.md | Update repo path references |
| docs/architecture-review-2026-04-25.md | Rename crate list and architecture references |
| docs/agents-of-chaos-lessons.md | Rename lessons framing to calciforge |
| docs/acpx-claude-setup.md | Rename setup guide text to calciforge |
| docs/OPS-HARDENING.md | Rename hardening guide title/text |
| docs/MANUAL_INSTALL.md | Rename manual install paths/services to calciforge |
| deploy/nodes.example.json | Rename service list and config_dir to calciforge |
| crates/zeroclawed-policy-plugin/package.json | Rename npm package scope/description |
| crates/zeroclawed-policy-plugin/openclaw.plugin.json | Rename plugin id/name |
| crates/zeroclawed-policy-plugin/docker-compose.yml | Rename compose naming/network |
| crates/zeroclawed-policy-plugin/check-requirements.sh | Rename echoed instructions and image names |
| crates/zeroclawed-policy-plugin/README.md | Rename README title |
| crates/security-proxy/tests/vault_route.rs | Update env var names to SECRETS_* |
| crates/security-proxy/tests/substitution_body_headers.rs | Update env var names to SECRETS_* |
| crates/security-proxy/tests/destination_allowlist.rs | Update env var names to SECRETS_* |
| crates/security-proxy/src/router.rs | Switch vault resolver import path to secrets_client |
| crates/security-proxy/src/proxy.rs | Switch resolver calls to secrets_client |
| crates/security-proxy/src/main.rs | Update default AGENT_CONFIG path to /etc/calciforge |
| crates/security-proxy/src/credentials.rs | Switch resolver calls/env vars to secrets_client/SECRETS_* |
| crates/security-proxy/Cargo.toml | Rename description and dependency to secrets-client |
| crates/secrets-client/tests/vault_fallthrough.rs | Update tests to call secrets_client and SECRETS_* env vars |
| crates/secrets-client/src/vault.rs | Rename env vars to SECRETS_VAULT_URL/TOKEN |
| crates/secrets-client/src/lib.rs | New crate docs/exports for secrets resolution library |
| crates/secrets-client/src/config.rs | New RetryConfig-only module with serde tests |
| crates/secrets-client/Dockerfile | Add docker build artifact for secrets-client (currently inconsistent) |
| crates/secrets-client/Cargo.toml | New library crate manifest |
| crates/paste-server/src/main.rs | Rename imports/log target; use secrets_client::FnoxClient |
| crates/paste-server/Cargo.toml | Rename crate/bin/lib names; depend on secrets-client |
| crates/onecli-client/src/retry.rs | Deleted legacy retry module |
| crates/onecli-client/src/lib.rs | Deleted legacy lib exports |
| crates/onecli-client/src/error.rs | Deleted legacy error types |
| crates/onecli-client/src/config.rs | Deleted legacy config |
| crates/onecli-client/VAULT_SETUP.md | Deleted sensitive/legacy setup doc |
| crates/onecli-client/Cargo.toml | Deleted legacy crate manifest |
| crates/mcp-server/src/main.rs | Rename binary wiring to mcp-server + CalciforgeMcp |
| crates/mcp-server/Cargo.toml | Rename crate/bin/lib and secrets-client dependency |
| crates/loom-tests/src/lib.rs | Rename crate docs to calciforge |
| crates/loom-tests/docs/concurrency-testing.md | Rename docs to calciforge |
| crates/host-agent/src/main.rs | Rename CLI/docs strings to calciforge |
| crates/host-agent/src/approval/signal.rs | Rename approval message header |
| crates/host-agent/install.sh | Rename installer text and cert subject strings |
| crates/host-agent/TODO.md | Rename TODO title |
| crates/host-agent/SDD.md | Rename SDD title/text |
| crates/host-agent/SDD-ROUND2-SUMMARY.md | Rename summary text and paths |
| crates/host-agent/README.md | Rename README and paths |
| crates/host-agent/IMPLEMENTATION.md | Rename overview line |
| crates/host-agent/Cargo.toml | Update description to calciforge |
| crates/clashd/scripts/activate-policy.sh | Rename plugin name/path references |
| crates/clashd/README.md | Rename plugin references |
| crates/calciforge/tests/loom.rs | Rename test docs strings |
| crates/calciforge/tests/e2e/security_tests.rs | Rename module doc text |
| crates/calciforge/tests/e2e/secrets_proxy.rs | Rename helper and URLs in proxy tests |
| crates/calciforge/tests/e2e/property_tests.rs | Rename module doc text |
| crates/calciforge/tests/e2e/main.rs | Rename integration suite module list |
| crates/calciforge/tests/e2e/adapter_edge_cases.rs | Rename module doc text |
| crates/calciforge/src/voice/tools.rs | Rename tool names and descriptions to calciforge_* |
| crates/calciforge/src/voice/mod.rs | Rename voice module docs to calciforge |
| crates/calciforge/src/sync.rs | Rename module doc to calciforge |
| crates/calciforge/src/router.rs | Rename config header field to calciforge |
| crates/calciforge/src/proxy/voice_handlers.rs | Rename manifest docs to calciforge |
| crates/calciforge/src/proxy/traceloop/test.rs | Add unit tests for traceloop components |
| crates/calciforge/src/proxy/traceloop/mod.rs | Rename docs to calciforge |
| crates/calciforge/src/proxy/traceloop/kimi.rs | Add Kimi provider implementation |
| crates/calciforge/src/proxy/streaming.rs | Add stub SSE streaming module |
| crates/calciforge/src/proxy/routing.rs | Add provider routing table builder |
| crates/calciforge/src/proxy/retry.rs | Add retry config/backoff iterator |
| crates/calciforge/src/proxy/helicone_router.rs | Rename backend trait impl to SecretsBackend |
| crates/calciforge/src/proxy/handlers.rs | Rename owned_by to calciforge |
| crates/calciforge/src/proxy/gateway.rs | Rename backend trait type to SecretsBackend |
| crates/calciforge/src/proxy/backend.rs | Rename OneCliBackend to SecretsBackend + defaults |
| crates/calciforge/src/providers/mod.rs | Rename module doc to calciforge |
| crates/calciforge/src/main.rs | Rename CLI/docs/log target + config header field |
| crates/calciforge/src/local_model/mod.rs | Rename hook env vars to CALCIFORGE_* |
| crates/calciforge/src/install/ssh.rs | Rename installer docs and doctest path |
| crates/calciforge/src/install/model.rs | Rename installer model types to calciforge |
| crates/calciforge/src/install/mod.rs | Rename installer module docs/flag names |
| crates/calciforge/src/install/migration_types.rs | Rename migration owner enum to Calciforge |
| crates/calciforge/src/install/json5.rs | Rename docs to calciforge |
| crates/calciforge/src/install/health.rs | Rename docs to calciforge |
| crates/calciforge/src/install/cli.rs | Rename CLI args to --calciforge-host/--calciforge-key |
| crates/calciforge/src/hooks/mod.rs | Rename spec reference to calciforge |
| crates/calciforge/src/hooks/memory.rs | Rename spec reference to calciforge |
| crates/calciforge/src/config/validator.rs | Rename config header to [calciforge] |
| crates/calciforge/src/channels/whatsapp.rs | Rename docs/test strings/config header to calciforge |
| crates/calciforge/src/channels/telegram.rs | Rename paths in tests to ~/.calciforge |
| crates/calciforge/src/channels/signal.rs | Rename docs to calciforge |
| crates/calciforge/src/channels/mod.rs | Rename module docs to calciforge |
| crates/calciforge/src/channels/mock.rs | Rename router alias type |
| crates/calciforge/src/channels/matrix.rs | Rename docs to calciforge |
| crates/calciforge/src/auth.rs | Rename config header field to calciforge in tests |
| crates/calciforge/src/adapters/openclaw_channel.rs | Rename endpoint/sessionKey prefixes to calciforge |
| crates/calciforge/src/adapters/openclaw.rs | Rename env var fallback and sessionKey prefix |
| crates/calciforge/src/adapters/mod.rs | Rename crate docs/doctest path + env var |
| crates/calciforge/src/adapters/acp.rs | Rename adapter strings to calciforge |
| crates/calciforge/src/adapters/TODO-native-channel.md | Rename sessionKey prefixes and commit text |
| crates/calciforge/examples/config.toml | Rename example config header/paths/capability name |
| crates/calciforge/WHATSAPP-SETUP.md | Rename setup guide text/paths to calciforge |
| crates/calciforge/INSTALLER-IMPL-NOTES.md | Rename installer notes and paths |
| crates/calciforge/Dockerfile | Add docker build artifact for calciforge (currently inconsistent) |
| crates/calciforge/Cargo.toml | Rename crate/bin and secrets-client dependency |
| crates/calciforge/.hegel/unicode_data/13.0.0/codec-utf-8.json.gz | Add hegel artifact file (generated) |
| crates/calciforge/.hegel/install.log | Add hegel install log (contains conflict markers) |
| crates/calciforge/.hegel/constants/dd705b0115b62e1c | Add hegel constants artifact |
| crates/calciforge/.hegel/constants/aa165829b1a3ffee | Add hegel constants artifact |
| crates/calciforge/.hegel/constants/79b4d33ac928aa30 | Add hegel constants artifact |
| crates/calciforge/.hegel/constants/67b0a8ccf18bf5d2 | Add hegel constants artifact |
| crates/adversary-detector/src/scanner.rs | Rename docs/default paths to ~/.calciforge |
| crates/adversary-detector/src/proxy.rs | Rename docs/default paths to ~/.calciforge |
| crates/adversary-detector/src/profiles.rs | Rename docs to calciforge |
| crates/adversary-detector/src/lib.rs | Rename crate docs to calciforge |
| crates/adversary-detector/src/digest.rs | Rename default digest path to ~/.calciforge |
| crates/adversary-detector/src/audit.rs | Rename audit log path to ~/.calciforge |
| crates/adversary-detector/README.md | Rename README text to calciforge |
| crates/adversary-detector/Cargo.toml | Rename description to calciforge |
| ROADMAP.md | Rename roadmap title |
| Cross.toml | Rename comment header |
| Cargo.toml | Rename workspace members/default-members to new crate paths |
| BACKLOG.md | Rename backlog title and a few references |
| AGENTS.md | Rename host-agent doc header/spec reference |
| .gitleaks.toml | Update allowlist path + add pre-existing IP exceptions |
| .gitignore | Ignore fnox.toml |
| .github/workflows/integration-tests.yml | Rename workflow + update crates referenced |
| .github/workflows/ci.yml | Update crate matrix and release build targets |
| .claude/agents/commit-reviewer.md | Update references from onecli-client to secrets-client |
Comments suppressed due to low confidence (2)
crates/calciforge/src/proxy/backend.rs:28
SecretsNotFoundis the renamed variant, but its error string still says "OneCLI not found or not executable". Update the message to refer tosecrets(or the actual configured command) so logs/errors are accurate after the rename.
crates/calciforge/src/proxy/backend.rs:46- The trait is now
SecretsBackend, but the doc comment still says "Unified backend trait for OneCLI integration". Rename the comment to match the new abstraction to avoid confusion for maintainers and users reading generated docs.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
58
to
+65
| - name: Build OneCLI | ||
| run: cargo build -p onecli-client --release | ||
| run: cargo build -p secrets-client --release | ||
|
|
||
| - name: Start OneCLI service | ||
| run: | | ||
| cargo run -p onecli-client --release & | ||
| ONECLI_PID=$! | ||
| echo "ONECLI_PID=$ONECLI_PID" >> $GITHUB_ENV | ||
| cargo run -p secrets-client --release & | ||
| SECRETS_PID=$! | ||
| echo "SECRETS_PID=$SECRETS_PID" >> $GITHUB_ENV |
There was a problem hiding this comment.
This job starts secrets-client via cargo run -p secrets-client and probes /health, but secrets-client has no binary target (library-only). This step will fail in CI; update it to start the correct executable service (or drop the job if the HTTP proxy was deleted).
Comment on lines
29
to
+34
| # OneCLI credential proxy | ||
| onecli: | ||
| secrets: | ||
| build: | ||
| context: ../../ | ||
| dockerfile: crates/onecli-client/Dockerfile | ||
| container_name: test-onecli | ||
| dockerfile: crates/secrets-client/Dockerfile | ||
| container_name: test-secrets |
There was a problem hiding this comment.
This stack still builds a secrets HTTP service from crates/secrets-client/Dockerfile, but secrets-client is now a library-only crate (no server/binary). As a result, this service can’t be built or started; update the compose stack to run the correct proxy binary (or remove the service if it’s intentionally deleted).
Comment on lines
33
to
37
| SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" | ||
| PLUGIN_SOURCE="$SCRIPT_DIR/../../zeroclawed-policy-plugin/before_tool_call" | ||
| PLUGIN_SOURCE="$SCRIPT_DIR/../../calciforge-policy-plugin/before_tool_call" | ||
|
|
||
| if [ ! -d "$PLUGIN_SOURCE" ]; then | ||
| echo "Error: Plugin source not found at $PLUGIN_SOURCE" |
There was a problem hiding this comment.
PLUGIN_SOURCE points to ../../calciforge-policy-plugin/..., but the repo directory is still crates/zeroclawed-policy-plugin/ (it wasn’t renamed). This makes the script fail with "Plugin source not found". Either rename the directory or update this path to the actual location.
The repo / project gets a real name (Calciforge — coined Calcifer +
forge, greenfield across all registries per scan). Crate-name pattern
follows the existing functional-name convention (security-proxy,
host-agent, adversary-detector, clashd) — no project prefix on
sub-crates.
Crate renames:
- crates/zeroclawed → crates/calciforge
- crates/zeroclawed-mcp → crates/mcp-server
- crates/zeroclawed-secret-paste → crates/paste-server
- crates/onecli-client → crates/secrets-client
The onecli-client rename also drops the OneCLI vestigial naming —
that was the upstream credential-proxy product we migrated AWAY
from when security-proxy + FnoxClient took over. Audit confirmed
zero external callers of the OneCLI HTTP client (SecretsClient,
formerly OneCliClient), so deleted the dead pieces in the same PR
rather than carrying them under a renamed-but-still-dead identifier:
- DELETED: secrets-client/src/client.rs (HTTP client, zero callers)
- DELETED: secrets-client/src/main.rs (OneCLI binary entry point)
- DELETED: secrets-client/src/retry.rs (only used by client.rs)
- DELETED: secrets-client/src/error.rs (SecretsError, only used
by client.rs)
- DELETED: secrets-client/VAULT_SETUP.md (OneCLI setup guide,
contained vault.enjyn.com URL + example JWT)
- SLIMMED: config.rs to just RetryConfig (the only struct calciforge
proxy/retry.rs imports externally); dropped SecretsConfig,
SecretsServiceConfig, VaultConfig, ProviderConfig
- SLIMMED: lib.rs re-exports to vault::, FnoxClient, FnoxError,
RetryConfig (all confirmed externally used)
- Removed [[bin]] section from secrets-client/Cargo.toml
What survives in secrets-client:
- vault::get_secret() — env → fnox → vaultwarden resolver chain
(used by security-proxy 3 files)
- FnoxClient — subprocess wrapper (used by paste-server, mcp-server,
calciforge !secure command)
- FnoxError — typed errors
- RetryConfig — used by calciforge proxy/retry.rs
Sed sweep across 200 files: zeroclawed → calciforge (lowercase),
ZeroClawed/Zeroclawed → Calciforge (PascalCase/TitleCase),
ZEROCLAWED → CALCIFORGE (constants/env vars). Then secondary
rename pass: calciforge-mcp → mcp-server, calciforge-paste →
paste-server, OneCliClient → SecretsClient (since-deleted) etc.
Vocabulary mapping (per discussion):
- Calciforge = the project / CLI / shipped tool
- Calcifer = a single agent's bound contract (runtime concept)
- Moving Castle = a deployment hosting a household of Calcifers
- Doors = thresholds the Calcifer guards (per-secret allowlist,
per-host bypass, per-identity gate, per-MCP-tool
exposure)
- "Doors to other Castles" = future federation between Calciforge
instances — see roadmap follow-up
gitleaks: added narrow allowlist for 5 specific RFC 1918 IPs that
pre-exist in main and would otherwise block this rename PR (tracked
for sanitization in a follow-up). Path allowlist for paste-server
predicate test rewritten to its new path.
Tests: 700+ across the workspace, all green. cargo check + cargo
fmt + clippy all clean.
Repo rename (bglusman/zeroclawed → bglusman/calciforge) is a
separate operation via gh, do AFTER this PR merges.
3efff41 to
d43bc02
Compare
bglusman
added a commit
that referenced
this pull request
Apr 25, 2026
The big rename. Project gets a real name (Calciforge), 4 crates renamed,
dead OneCLI HTTP client + binary deleted, ETXTBSY-resilient subprocess wrapper.
Crate renames (Path A: drop calciforge- prefix from sub-crates to match
existing functional-name convention):
- crates/zeroclawed → crates/calciforge
- crates/zeroclawed-mcp → crates/mcp-server
- crates/zeroclawed-secret-paste → crates/paste-server
- crates/onecli-client → crates/secrets-client
Dead-code purge in same PR (zero external callers found):
- DELETED secrets-client/src/{client,main,retry,error}.rs + VAULT_SETUP.md
- SLIMMED config.rs to just RetryConfig (the one externally-used struct)
- SLIMMED lib.rs re-exports
ETXTBSY fix (the Linux flake that broke main after #44):
- FnoxClient::run retries on ErrorKind::ExecutableFileBusy with
5ms/25ms backoff, max 3 attempts (rustup/npm/cargo's pattern)
- Test fake_fnox uses atomic OpenOptions::mode(0o755) instead of
write+chmod to avoid the kernel race in the first place
Vocabulary: Calciforge (project) → Calcifer (per-agent contract) →
Moving Castle (deployment) → Doors (thresholds the Calcifer guards).
"Doors to other Castles" = future federation (roadmap).
CI: 14/14 green. cargo check + cargo fmt + clippy all clean.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The big rename. Project gets a coined name (Calciforge — Calcifer + forge, greenfield across crates.io / npm / PyPI / SourceForge / USPTO per scan; all 6 major TLDs available).
Crate renames (4)
crates/zeroclawedcrates/calciforgecrates/zeroclawed-mcpcrates/mcp-serversecurity-proxy/host-agent/etc. functional-name patterncrates/zeroclawed-secret-pastecrates/paste-servercrates/onecli-clientcrates/secrets-clientThe
host-agent/security-proxy/adversary-detector/clashd/loom-testscrates keep their names — they describe what they do, no project prefix.Dead OneCLI HTTP client deleted in same PR
Audit confirmed zero external callers of the OneCLI HTTP client (
SecretsClient, formerlyOneCliClient). Per @bglusman's "no point renaming if we're deleting":secrets-client/src/client.rs(the HTTP client)secrets-client/src/main.rs(OneCLI binary entry point)secrets-client/src/retry.rs(only used by client.rs)secrets-client/src/error.rs(SecretsError, only used by client.rs)secrets-client/VAULT_SETUP.md(OneCLI setup doc, contained a real vault URL + example JWT)config.rsto justRetryConfig(used by calciforge proxy)lib.rsre-exportsWhat survives in
secrets-client:vault::get_secret()— env → fnox → vaultwarden chain (used by security-proxy)FnoxClient— subprocess wrapper (used by paste-server, mcp-server, calciforge!secure)FnoxError,RetryConfigVocabulary mapping (per discussion)
Mechanics
zeroclawed→calciforge(lowercase),ZeroClawed/Zeroclawed→Calciforge,ZEROCLAWED→CALCIFORGEOneCli*→Secrets*,onecli_client→secrets_client, etc.Test status
cargo test --workspace --exclude loom-tests)cargo check --workspace: cleancargo fmt, clippy: cleanFollow-ups after merge
bglusman/zeroclawed→bglusman/calciforge(single `gh` operation, can be reverted)🤖 Generated with Claude Code