Better Harness Tools, not merely storing the archive of leaked Claude Code but also make real things done. Now rewriting in Rust.

Go to file

YeonGyu-Kim b81e6422b4 ROADMAP #120 : .claw.json custom JSON5-partial parser accepts trailing commas but silently drops comments/unquoted/BOM; combined with alias table 'default'→ReadOnly + no-config→DangerFullAccess creates security-critical user-intent inversion Dogfooded 2026-04-18 on main HEAD `7859222` from /tmp/cdVV. Extends #86 (silent-drop general case) with two new angles: 1. JSON5-partial acceptance matrix: ACCEPTED (loaded correctly): - trailing comma (one) SILENTLY DROPPED (loaded_config_files=0, zero stderr, exit 0): - line comments (//) - block comments (/* */) - unquoted keys - UTF-8 BOM - single quotes - hex numbers - leading commas - multiple trailing commas 8 cases tested, 1 accepted, 7 silently dropped. The 1 accepted gives false signal of JSON5 tolerance. 2. Alias table creates user-intent inversion: config.rs:856-858: 'default' \| 'plan' \| 'read-only' => ReadOnly 'acceptEdits' \| 'auto' \| 'workspace-write' => WorkspaceWrite 'dontAsk' \| 'danger-full-access' => DangerFullAccess CRITICAL: 'default' in the config file = ReadOnly no config at all = DangerFullAccess (per #87) These are OPPOSITE modes. Security-inversion chain: user writes: {'// comment', 'defaultMode': 'default'} user intent: read-only parser: rejects comment read_optional_json_object: silently returns Ok(None) config loader: no config present permission_mode: falls back to no-config default = DangerFullAccess ACTUAL RESULT: opposite of intent. ZERO warning. Trace: config.rs:674-692 read_optional_json_object: is_legacy_config = (file_name == '.claw.json') match JsonValue::parse(&contents) { Ok(parsed) => parsed, Err(_error) if is_legacy_config => return Ok(None), Err(error) => return Err(ConfigError::Parse(...)), } is_legacy silent-drop. (#86 covers general case) json.rs JsonValue::parse — custom parser: accepts trailing comma rejects everything else JSON5-ish Fix shape (~80 lines, overlaps with #86): - Pick policy: strict JSON or explicit JSON5. Enforce consistently. - Apply #86 fix here: replace silent-drop with warn-and-continue, structured warning in stderr + JSON surface. - Rename 'default' alias OR map to 'ask' (matches English meaning). - Structure status output: add config_parse_errors:[] field so claws detect silent drops via JSON without stderr-parsing. - Regression matrix per JSON5 feature + security-invariant test. Joins Permission-audit/tool-allow-list (#94, #97, #101, #106, #115) as 6th — this is the CONFIG-PARSE anchor of the permission- posture problem. Complete matrix: #87 absence → DangerFullAccess #101 env-var fail-OPEN → DangerFullAccess #115 init-generated dangerous default → DangerFullAccess #120 config parse-drops → DangerFullAccess Joins Truth-audit on loaded_config_files=0 + permission_mode= danger-full-access inconsistency without config_parse_errors[]. Joins Reporting-surface/config-hygiene (#90, #91, #92, #110, #115, #116) on silent-drop-no-stderr-exit-0 axis. Joins Claude Code migration parity (#103, #109, #116, #117, #119) as 6th — claw-code is strict-where-Claude-was-lax (#116) AND lax-where-Claude-was-strict (#120). Maximum migration confusion. Natural bundles: #86 + #120 — config-parse reliability pair: silent-drop general case (#86) + JSON5-partial-acceptance + alias-inversion (#120) Permission-drift-at-every-boundary 4-way: #87 + #101 + #115 + #120 — absence + env-var + init + config-drop. Complete coverage of every path to DangerFullAccess. Security-critical permission drift audit mega-bundle: #86 + #87 + #101 + #115 + #116 + #120 — five-way sweep of every path to wrong permissions. Filed in response to Clawhip pinpoint nudge 1494955670791913508 in #clawcode-building-in-public.		2026-04-18 16:34:19 +09:00
.claude/sessions	fix: tool input {} prefix bug, tool display after accumulation, max_iterations unlimited	2026-04-01 02:24:18 +00:00
.github	Close the clawability backlog with deterministic CLI output and lane lineage	2026-04-05 18:41:02 +00:00
assets	Refresh docs to match ultraworkers/claw-code source of truth	2026-04-05 18:11:25 +00:00
docs	US-010: Add model compatibility documentation	2026-04-16 10:55:58 +00:00
rust	US-024: Add token limit metadata for kimi models	2026-04-17 04:15:38 +00:00
src	chore: additional AI slop cleanup and enforcer wiring from sessions 1/5	2026-04-03 18:35:27 +09:00
tests	Rewriting Project Claw Code - Python port with Rust on the way	2026-03-31 08:16:20 -07:00
.claude.json	feat: default OAuth config for API endpoint, merge UI polish rendering	2026-04-01 03:20:26 +00:00
.gitignore	Keep local clawhip artifacts from tripping routine repo work	2026-04-12 14:47:40 +00:00
CLAUDE.md	feat: default OAuth config for API endpoint, merge UI polish rendering	2026-04-01 03:20:26 +00:00
Containerfile	Document a repeatable container workflow for the Rust workspace	2026-04-05 18:11:25 +00:00
PARITY.md	docs(PARITY.md): comprehensive status update — all 9 lanes merged, stubs replaced	2026-04-03 19:39:28 +09:00
PHILOSOPHY.md	docs: add philosophy document for autonomous claw development	2026-04-04 16:51:51 +00:00
README.md	Make ACP/Zed status obvious before users go source-diving	2026-04-16 03:13:50 +00:00
ROADMAP.md	ROADMAP #120 : .claw.json custom JSON5-partial parser accepts trailing commas but silently drops comments/unquoted/BOM; combined with alias table 'default'→ReadOnly + no-config→DangerFullAccess creates security-critical user-intent inversion	2026-04-18 16:34:19 +09:00
USAGE.md	Align auth docs with the removed login/logout surface	2026-04-11 17:28:47 +00:00
install.sh	feat: b6-codex-session — batch 6	2026-04-07 15:52:30 +09:00
prd.json	US-024: Add token limit metadata for kimi models	2026-04-17 04:15:38 +00:00
progress.txt	US-011: Performance optimization for API request serialization	2026-04-16 11:11:45 +00:00

README.md

Claw Code

ultraworkers/claw-code · Usage · Rust workspace · Parity · Roadmap · UltraWorkers Discord

Claw Code

Claw Code is the public Rust implementation of the claw CLI agent harness. The canonical implementation lives in rust/, and the current source of truth for this repository is ultraworkers/claw-code.

[!IMPORTANT] Start with USAGE.md for build, auth, CLI, session, and parity-harness workflows. Make claw doctor your first health check after building, use rust/README.md for crate-level details, read PARITY.md for the current Rust-port checkpoint, and see docs/container.md for the container-first workflow.

ACP / Zed status: claw-code does not ship an ACP/Zed daemon entrypoint yet. Run claw acp (or claw --acp) for the current status instead of guessing from source layout; claw acp serve is currently a discoverability alias only, and real ACP support remains tracked separately in ROADMAP.md.

Current repository shape

rust/ — canonical Rust workspace and the claw CLI binary
USAGE.md — task-oriented usage guide for the current product surface
PARITY.md — Rust-port parity status and migration notes
ROADMAP.md — active roadmap and cleanup backlog
PHILOSOPHY.md — project intent and system-design framing
src/ + tests/ — companion Python/reference workspace and audit helpers; not the primary runtime surface

Quick start

[!NOTE] [!WARNING] cargo install claw-code installs the wrong thing. The claw-code crate on crates.io is a deprecated stub that places claw-code-deprecated.exe — not claw. Running it only prints "claw-code has been renamed to agent-code". Do not use cargo install claw-code. Either build from source (this repo) or install the upstream binary:
cargo install agent-code   # upstream binary — installs 'agent.exe' (Windows) / 'agent' (Unix), NOT 'agent-code'
This repo (ultraworkers/claw-code) is build-from-source only — follow the steps below.

# 1. Clone and build
git clone https://github.com/ultraworkers/claw-code
cd claw-code/rust
cargo build --workspace

# 2. Set your API key (Anthropic API key — not a Claude subscription)
export ANTHROPIC_API_KEY="sk-ant-..."

# 3. Verify everything is wired correctly
./target/debug/claw doctor

# 4. Run a prompt
./target/debug/claw prompt "say hello"

[!NOTE] Windows (PowerShell): the binary is claw.exe, not claw. Use .\target\debug\claw.exe or run cargo run -- prompt "say hello" to skip the path lookup.

Windows setup

PowerShell is a supported Windows path. Use whichever shell works for you. The common onboarding issues on Windows are:

Install Rust first — download from https://rustup.rs/ and run the installer. Close and reopen your terminal when it finishes.
Verify Rust is on PATH:
```
cargo --version
```
If this fails, reopen your terminal or run the PATH setup from the Rust installer output, then retry.

Clone and build (works in PowerShell, Git Bash, or WSL):

git clone https://github.com/ultraworkers/claw-code
cd claw-code/rust
cargo build --workspace

Run (PowerShell — note .exe and backslash):

$env:ANTHROPIC_API_KEY = "sk-ant-..."
.\target\debug\claw.exe prompt "say hello"

Git Bash / WSL are optional alternatives, not requirements. If you prefer bash-style paths (/c/Users/you/... instead of C:\Users\you\...), Git Bash (ships with Git for Windows) works well. In Git Bash, the MINGW64 prompt is expected and normal — not a broken install.

[!NOTE] Auth: claw requires an API key (ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.) — Claude subscription login is not a supported auth path.

Run the workspace test suite:

cd rust
cargo test --workspace

Documentation map

USAGE.md — quick commands, auth, sessions, config, parity harness
rust/README.md — crate map, CLI surface, features, workspace layout
PARITY.md — parity status for the Rust port
rust/MOCK_PARITY_HARNESS.md — deterministic mock-service harness details
ROADMAP.md — active roadmap and open cleanup work
PHILOSOPHY.md — why the project exists and how it is operated

Ecosystem

Claw Code is built in the open alongside the broader UltraWorkers toolchain:

Ownership / affiliation disclaimer

This repository does not claim ownership of the original Claude Code source material.
This repository is not affiliated with, endorsed by, or maintained by Anthropic.