feat!: hard cutover to clawdstrike naming and clean Decision API

BREAKING CHANGES:
- Decision type now uses `status: 'allow' | 'warn' | 'deny'` only
- Removed legacy boolean fields (allowed, denied, warn)
- Removed toLegacyDecision/fromLegacyDecision helpers
- Python package renamed from 'hush' to 'clawdstrike'
- Rust env vars changed from HUSHD_* to CLAWDSTRIKE_*
- Config paths changed from /etc/hushd to /etc/clawdstriked

Changes:
- Unified Decision type with single status field across all packages
- Removed deprecated Python 'hush' shim module
- Updated all test mocks to use new Decision format
- Added clawdstriked deployment configs (Kubernetes, systemd, launchd)
- Updated test env vars to CLAWDSTRIKE_* naming
- Cleaned up adapter-core deprecation warnings

All 424 tests passing:
- TypeScript: 165 tests (SDK, adapter-core, all framework adapters)
- Python: 133 tests
- Rust: 258 tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: bb-connor

crates/hush-cli/src/hush_run.rs

@@ -188,8 +188,8 @@ pub async fn cmd_run(
 
     let forwarder = hushd_url.map(|url| {
         let token = hushd_token
-            .or_else(|| std::env::var("HUSHD_ADMIN_KEY").ok())
-            .or_else(|| std::env::var("HUSHD_API_KEY").ok());
+            .or_else(|| std::env::var("CLAWDSTRIKE_ADMIN_KEY").ok())
+            .or_else(|| std::env::var("CLAWDSTRIKE_API_KEY").ok());
         HushdForwarder::new(url, token)
     });
 

crates/hush-cli/src/main.rs

@@ -168,7 +168,7 @@ enum Commands {
         #[arg(long)]
         hushd_url: Option<String>,
 
-        /// Bearer token for hushd (if omitted, uses HUSHD_ADMIN_KEY or HUSHD_API_KEY when set)
+        /// Bearer token for daemon (if omitted, uses CLAWDSTRIKE_ADMIN_KEY or CLAWDSTRIKE_API_KEY env vars)
         #[arg(long)]
         hushd_token: Option<String>,
 
@@ -562,7 +562,7 @@ enum DaemonCommands {
         #[arg(default_value = "http://127.0.0.1:9876")]
         url: String,
 
-        /// Bearer token for authenticated daemons (if omitted, uses HUSHD_ADMIN_KEY or HUSHD_API_KEY when set)
+        /// Bearer token for authenticated daemons (if omitted, uses CLAWDSTRIKE_ADMIN_KEY or CLAWDSTRIKE_API_KEY env vars)
         #[arg(long)]
         token: Option<String>,
     },
@@ -578,7 +578,7 @@ enum DaemonCommands {
         #[arg(default_value = "http://127.0.0.1:9876")]
         url: String,
 
-        /// Bearer token for authenticated daemons (if omitted, uses HUSHD_ADMIN_KEY or HUSHD_API_KEY when set)
+        /// Bearer token for authenticated daemons (if omitted, uses CLAWDSTRIKE_ADMIN_KEY or CLAWDSTRIKE_API_KEY env vars)
         #[arg(long)]
         token: Option<String>,
     },
@@ -1797,8 +1797,8 @@ fn cmd_daemon(command: DaemonCommands, stdout: &mut dyn Write, stderr: &mut dyn
         DaemonCommands::Stop { url, token } => {
             let client = reqwest::blocking::Client::new();
             let token = token
-                .or_else(|| std::env::var("HUSHD_ADMIN_KEY").ok())
-                .or_else(|| std::env::var("HUSHD_API_KEY").ok());
+                .or_else(|| std::env::var("CLAWDSTRIKE_ADMIN_KEY").ok())
+                .or_else(|| std::env::var("CLAWDSTRIKE_API_KEY").ok());
 
             let _ = writeln!(stdout, "Requesting shutdown at {}...", url);
 
@@ -1902,8 +1902,8 @@ fn cmd_daemon(command: DaemonCommands, stdout: &mut dyn Write, stderr: &mut dyn
         DaemonCommands::Reload { url, token } => {
             let client = reqwest::blocking::Client::new();
             let token = token
-                .or_else(|| std::env::var("HUSHD_ADMIN_KEY").ok())
-                .or_else(|| std::env::var("HUSHD_API_KEY").ok());
+                .or_else(|| std::env::var("CLAWDSTRIKE_ADMIN_KEY").ok())
+                .or_else(|| std::env::var("CLAWDSTRIKE_API_KEY").ok());
 
             let mut req = client.post(format!("{}/api/v1/policy/reload", url));
             if let Some(token) = token {
@@ -1976,7 +1976,7 @@ fn cmd_daemon(command: DaemonCommands, stdout: &mut dyn Write, stderr: &mut dyn
             }
 
             let _ = writeln!(stdout, "\nOr set environment variable:");
-            let _ = writeln!(stdout, "  export HUSHD_API_KEY=\"{}\"", raw_key);
+            let _ = writeln!(stdout, "  export CLAWDSTRIKE_API_KEY=\"{}\"", raw_key);
             ExitCode::Ok
         }
     }

crates/hushd/Cargo.toml

@@ -19,6 +19,10 @@ path = "src/lib.rs"
 name = "hushd"
 path = "src/main.rs"
 
+[[bin]]
+name = "clawdstriked"
+path = "src/main.rs"
+
 [dependencies]
 hush-core.workspace = true
 hush-proxy.workspace = true

crates/hushd/src/auth/store.rs

@@ -34,12 +34,12 @@ impl AuthStore {
 
     /// Compute a stable hash of an API key token.
     ///
-    /// If `HUSHD_AUTH_PEPPER` is set (recommended), uses HMAC-SHA256 to make offline guessing
-    /// attacks significantly harder if key hashes ever leak.
+    /// If `CLAWDSTRIKE_AUTH_PEPPER` is set (recommended), uses HMAC-SHA256 to make
+    /// offline guessing attacks significantly harder if key hashes ever leak.
     ///
-    /// If unset, falls back to raw SHA-256 for backward compatibility.
+    /// If unset, falls back to raw SHA-256.
     pub fn hash_key(key: &str) -> String {
-        let pepper = std::env::var("HUSHD_AUTH_PEPPER").ok();
+        let pepper = std::env::var("CLAWDSTRIKE_AUTH_PEPPER").ok();
         let pepper = pepper.as_deref().filter(|s| !s.is_empty());
         hash_key_with_pepper(key, pepper.map(|p| p.as_bytes()))
     }

crates/hushd/src/config.rs

@@ -1,4 +1,4 @@
-//! Configuration for hushd daemon
+//! Configuration for clawdstriked daemon
 
 use serde::{Deserialize, Serialize};
 use std::net::IpAddr;
@@ -892,10 +892,8 @@ fn default_ruleset() -> String {
 }
 
 fn default_audit_db() -> PathBuf {
-    dirs::data_local_dir()
-        .unwrap_or_else(|| PathBuf::from("."))
-        .join("hushd")
-        .join("audit.db")
+    let base = dirs::data_local_dir().unwrap_or_else(|| PathBuf::from("."));
+    base.join("clawdstriked").join("audit.db")
 }
 
 fn default_log_level() -> String {
@@ -1252,18 +1250,17 @@ impl Config {
 
     /// Load from default locations or create default
     pub fn load_default() -> anyhow::Result<Self> {
-        // Try standard config locations
         let paths = [
-            PathBuf::from("/etc/hushd/config.yaml"),
-            PathBuf::from("/etc/hushd/config.toml"),
+            PathBuf::from("/etc/clawdstriked/config.yaml"),
+            PathBuf::from("/etc/clawdstriked/config.toml"),
             dirs::config_dir()
-                .map(|d| d.join("hushd/config.yaml"))
+                .map(|d| d.join("clawdstriked/config.yaml"))
                 .unwrap_or_default(),
             dirs::config_dir()
-                .map(|d| d.join("hushd/config.toml"))
+                .map(|d| d.join("clawdstriked/config.toml"))
                 .unwrap_or_default(),
-            PathBuf::from("./hushd.yaml"),
-            PathBuf::from("./hushd.toml"),
+            PathBuf::from("./clawdstriked.yaml"),
+            PathBuf::from("./clawdstriked.toml"),
         ];
 
         let mut errors: Vec<(PathBuf, anyhow::Error)> = Vec::new();
@@ -1286,7 +1283,7 @@ impl Config {
         }
 
         if !errors.is_empty() {
-            let mut msg = String::from("Failed to load hushd config from existing file(s):\n");
+            let mut msg = String::from("Failed to load clawdstriked config from existing file(s):\n");
             for (path, err) in errors {
                 msg.push_str(&format!("  - {}: {err}\n", path.display()));
             }
@@ -1314,13 +1311,12 @@ impl Config {
     pub async fn load_auth_store(&self) -> anyhow::Result<AuthStore> {
         let store = AuthStore::new();
 
-        let has_pepper = std::env::var("HUSHD_AUTH_PEPPER")
-            .ok()
-            .as_deref()
-            .is_some_and(|v| !v.is_empty());
+        let has_pepper = std::env::var("CLAWDSTRIKE_AUTH_PEPPER")
+            .map(|v| !v.is_empty())
+            .unwrap_or(false);
         if self.auth.enabled && !has_pepper {
             tracing::warn!(
-                "Auth is enabled but HUSHD_AUTH_PEPPER is not set; API key hashing will use raw SHA-256"
+                "Auth is enabled but CLAWDSTRIKE_AUTH_PEPPER is not set; API key hashing will use raw SHA-256"
             );
         }
 
@@ -1504,15 +1500,15 @@ scopes = []
 
     #[tokio::test]
     async fn test_load_auth_store_expands_env_refs() -> anyhow::Result<()> {
-        std::env::set_var("HUSHD_TEST_API_KEY", "secret-from-env");
+        std::env::set_var("CLAWDSTRIKE_TEST_API_KEY", "secret-from-env");
 
         let yaml = r#"
 listen: "127.0.0.1:9876"
 auth:
   enabled: true
   api_keys:
     - name: "env"
-      key: "${HUSHD_TEST_API_KEY}"
+      key: "${CLAWDSTRIKE_TEST_API_KEY}"
       scopes: ["check"]
 "#;
 

crates/hushd/tests/common/mod.rs

@@ -1,4 +1,4 @@
-//! Common test utilities for hushd integration tests
+//! Common test utilities for clawdstriked integration tests
 
 use std::net::TcpListener;
 use std::net::{SocketAddr, TcpStream};
@@ -12,7 +12,7 @@ static TEST_DAEMON: OnceLock<Mutex<TestDaemon>> = OnceLock::new();
 
 /// Get the daemon URL from environment or use default
 pub fn daemon_url() -> String {
-    if let Ok(url) = std::env::var("HUSHD_TEST_URL") {
+    if let Ok(url) = std::env::var("CLAWDSTRIKE_TEST_URL") {
         return url;
     }
 
@@ -58,23 +58,23 @@ impl TestDaemon {
         let port = find_available_port();
         let url = format!("http://127.0.0.1:{}", port);
 
-        let test_dir = std::env::temp_dir().join(format!("hushd-test-{}", port));
+        let test_dir = std::env::temp_dir().join(format!("clawdstriked-test-{}", port));
         std::fs::create_dir_all(&test_dir).expect("Failed to create test directory");
 
         // Always isolate storage to the temp dir, regardless of caller config.
         config.listen = format!("127.0.0.1:{}", port);
         config.audit_db = test_dir.join("audit.db");
 
-        let config_path = test_dir.join("hushd.yaml");
+        let config_path = test_dir.join("clawdstriked.yaml");
         let yaml = serde_yaml::to_string(&config).expect("Failed to serialize config");
         std::fs::write(&config_path, yaml).expect("Failed to write test config");
 
-        let daemon_path = std::env::var("HUSHD_BIN")
-            .or_else(|_| std::env::var("CARGO_BIN_EXE_hushd"))
+        let daemon_path = std::env::var("CLAWDSTRIKE_BIN")
+            .or_else(|_| std::env::var("CARGO_BIN_EXE_clawdstriked"))
             .unwrap_or_else(|_| {
-                option_env!("CARGO_BIN_EXE_hushd")
+                option_env!("CARGO_BIN_EXE_clawdstriked")
                     .map(ToString::to_string)
-                    .unwrap_or_else(|| "target/debug/hushd".to_string())
+                    .unwrap_or_else(|| "target/debug/clawdstriked".to_string())
             });
 
         let process = Command::new(&daemon_path)

crates/hushd/tests/integration.rs

@@ -1,8 +1,8 @@
-//! Integration tests for hushd HTTP API
+//! Integration tests for clawdstriked HTTP API
 //!
 //! These tests require either:
-//! 1. A running daemon at HUSHD_TEST_URL (for local development)
-//! 2. The daemon binary at HUSHD_BIN (for CI, will spawn automatically)
+//! 1. A running daemon at CLAWDSTRIKE_TEST_URL (for local development)
+//! 2. The daemon binary at CLAWDSTRIKE_BIN (for CI, will spawn automatically)
 
 #![allow(clippy::expect_used, clippy::unwrap_used)]
 
@@ -639,7 +639,7 @@ fn test_config_tracing_level() {
 }
 
 // Auth tests - these require auth to be enabled on the daemon
-// Run with: HUSHD_TEST_AUTH_ENABLED=1 cargo test -p hushd --test integration
+// Run with: CLAWDSTRIKE_TEST_AUTH_ENABLED=1 cargo test -p hushd --test integration
 
 #[tokio::test]
 #[ignore = "requires running daemon with auth enabled"]
@@ -662,7 +662,7 @@ async fn test_auth_required_without_token() {
 #[ignore = "requires running daemon with auth enabled"]
 async fn test_auth_with_valid_token() {
     let (client, url) = test_setup();
-    let api_key = std::env::var("HUSHD_API_KEY").expect("HUSHD_API_KEY not set");
+    let api_key = std::env::var("CLAWDSTRIKE_API_KEY").expect("CLAWDSTRIKE_API_KEY not set");
 
     let resp = client
         .post(format!("{}/api/v1/check", url))
@@ -701,7 +701,7 @@ async fn test_auth_with_invalid_token() {
 #[ignore = "requires running daemon with auth enabled"]
 async fn test_admin_endpoint_requires_admin_scope() {
     let (client, url) = test_setup();
-    let api_key = std::env::var("HUSHD_API_KEY").expect("HUSHD_API_KEY not set");
+    let api_key = std::env::var("CLAWDSTRIKE_API_KEY").expect("CLAWDSTRIKE_API_KEY not set");
 
     let resp = client
         .post(format!("{}/api/v1/policy/reload", url))

crates/hushd/tests/tls.rs

@@ -61,12 +61,12 @@ PgOEzGSV8wm/fPgrYyiEqrM=
 "#;
 
 fn daemon_path() -> String {
-    std::env::var("HUSHD_BIN")
-        .or_else(|_| std::env::var("CARGO_BIN_EXE_hushd"))
+    std::env::var("CLAWDSTRIKE_BIN")
+        .or_else(|_| std::env::var("CARGO_BIN_EXE_clawdstriked"))
         .unwrap_or_else(|_| {
-            option_env!("CARGO_BIN_EXE_hushd")
+            option_env!("CARGO_BIN_EXE_clawdstriked")
                 .map(ToString::to_string)
-                .unwrap_or_else(|| "target/debug/hushd".to_string())
+                .unwrap_or_else(|| "target/debug/clawdstriked".to_string())
         })
 }
 

deploy/kubernetes/clawdstriked/README.md

@@ -0,0 +1,19 @@
+# Kubernetes Deployment (hushd)
+
+Minimal Kustomize manifests for running `hushd` in Kubernetes.
+
+This is a **reference deployment**, not an operator.
+
+## Apply (example)
+
+```bash
+kubectl apply -k deploy/kubernetes/hushd
+kubectl -n hushd-system get pods
+kubectl -n hushd-system port-forward svc/hushd 9876:9876
+curl http://127.0.0.1:9876/health
+curl http://127.0.0.1:9876/metrics
+```
+
+## Secrets
+
+Edit `deploy/kubernetes/hushd/secret.yaml` before applying (demo values are placeholders).

deploy/kubernetes/clawdstriked/configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clawdstriked-config
+data:
+  config.yaml: |
+    listen: "0.0.0.0:9876"
+    ruleset: "default"
+    audit_db: "/var/lib/clawdstriked/audit.db"
+    log_level: "info"
+
+    auth:
+      enabled: true
+      api_keys:
+        - name: "default"
+          key: "${CLAWDSTRIKE_API_KEY}"
+          scopes: ["check", "read"]
+        - name: "admin"
+          key: "${CLAWDSTRIKE_ADMIN_KEY}"
+          scopes: ["*"]