Naming
Steve Jobs would circle a Sanctum codebase, see Yoda + Cilghal + Holocron + Sanctum + Manoir + Cathedral + Living Force + DenchClaw + OpenClaw + Force Flow + Bunker + Haus, and ask which mythology. The honest answer used to be “all of them.” This page is the honest answer now.
The rule
Section titled “The rule”One metaphor per layer. No layer borrows from another.
| Layer | Metaphor | Examples |
|---|---|---|
| Software & repositories | ”Sanctum” — a fortified sanctuary | sanctum-config, sanctum-cli, sanctum-rs, sanctum-screen-time, sanctum-docs |
| Physical locations | French manor / Anglo place names | manoir (Mac Mini server), chalet (off-site), satellite (MacBook Pro) |
| User-facing voice & copy | Plain Germanic English | ”haus” in the briefings, “the family network”, “morning briefing” |
| AI agents | Jedi Council (+ one chancellor) | Yoda, Windu, Cilghal, Qui-Gon, Ki-Adi-Mundi, Jocasta, Mon Mothma |
| UI surfaces | Star Wars artefacts | Holocron (dashboard), Force Flow (notifications), Sanctum Bridge (Mac↔VM RPC) |
| Project codenames (one-off) | Anything memorable | OBLITERATUS, CL4R1T4S, TED_Talk, T9-vault — each its own subrepo, never mixed into the metaphor stack |
The rule is not “fewer names” — the rule is no name does two jobs. manoir never refers to the software. Sanctum never names a physical place. Yoda is an agent, not a server.
The agent roster
Section titled “The agent roster”Five Jedi, one Mac-side librarian, and one operations chancellor — seven seats, and the table is full. Each has a single domain. If a request spans two, route it.
| Agent | Domain | Lives on |
|---|---|---|
| Yoda | Conversation, planning, council convener | VM yoda (10.10.10.10) |
| Windu | Security: Firewalla, auth logs, perimeter, screen-time enforcement | VM sandbox |
| Cilghal | Health: Apple Watch, sleep, HRV, environmental sensors | VM sandbox |
| Qui-Gon | Infrastructure: Docker, disk, gateways, backups, optimization | VM sandbox |
| Ki-Adi-Mundi (“Mundi”) | Finance: fund metrics, deal flow, RRSP/TFSA/FBAR | VM sandbox |
| Jocasta | Mac-side librarian: iMessage, Calendar (EventKit), Contacts, Mail | Mac (SanctumBridge.app + jocasta-mcp) |
| Mon Mothma | Operations: deployments, runbooks, drift, stability, backups, secret rotation, upgrades | manoir (Force Flow, Living Force, Watchdog) |
Mon Mothma is the seventh — seated for operations, a domain none of the six owned, which is the only justification a new seat is ever granted. She is the council’s chancellor, not a Jedi; the metaphor stretches to hold her because the work demanded it. There are no others. Adding an eighth requires that same justification: a domain none of these seven own.
VM and host naming
Section titled “VM and host naming”VMs and service hosts run inside a physical location (they live on manoir), so they take neither a place name nor the “Sanctum” software prefix. Two rules and one prohibition:
- An agent’s VM takes the agent’s name. The production conversation host is
yoda(10.10.10.10) — the roster above already assigns it. Not a product label, not a lifecycle word. - A service host takes the service’s plain-English name. The Home Assistant host is
home-assistant, notsanctum-vm. The rule is no name does two jobs — and a generic name that does no job fails the same test. - Never put a lifecycle word —
staging,test,tmp— on a production VM. A host labelled “staging” invites a tired operator to treat the live brain as disposable. If it is production, name it for what it is.
Retired terms ledger
Section titled “Retired terms ledger”Every name we’ve outgrown, with what replaced it. If you find a retired term in active code, either delete it or open a PR retiring it for real.
| Retired term | Status | Replacement |
|---|---|---|
DenchClaw (gateway port :1977) | Retired 2026-04-23 cathedral cleanup | SanctumBridge.app (launchd-managed, no TCP port) — see ~/.sanctum/SECURITY-EXCEPTIONS.md |
| Cathedral (as a brand for the system) | Retired — only the cleanup event of 2026-04-24 keeps the name historically | ”Sanctum” |
| Living Force (as a doctrine pillar) | Retired 2026-04-24 | The ~/.sanctum/exceptions.yaml + per-agent USER.md doctrine. The phrase survives only in commit history and one operations log. |
| OpenClaw (as a public-facing brand) | Internal-only | The agent runtime that powers the Council. Not a user-facing surface; never market it. Repos that depend on it stay namespaced (openclaw-skills, openclaw-config). |
| Bunker | Replaced by T9-vault/ (the disaster-recovery resource bundle) | “T9-vault” |
| Sanctum Watchdog (as a Python service name) | Retired with the Rust rewrite | sanctum-rs/sanctum-watchdog (Rust crate) — see sanctum language maturity doctrine |
| Lmstudio Proxy | Retired with the council-mlx migration | council-mlx (mTLS endpoint at :1337) |
openclaw-staging (Lima VM + openclaw ssh alias for the production Yoda host) | Decided 2026-06-04 — live rename pending (see runbook) | yoda — the roster already names this host; “staging” mislabelled production |
sanctum-vm (the Home Assistant host) | Decided 2026-06-04 — rename or retire pending | home-assistant |
Rules going forward
Section titled “Rules going forward”-
Before introducing a new name, ask which layer it belongs to. If the answer is “two of them,” reuse an existing name. If the answer is “none,” check whether the layer needs to exist at all.
-
Before retiring a name, write its row in the ledger. A retirement isn’t real until the replacement is named.
-
Avoid Greek/Roman/Norse mythology. They rhyme with the Jedi metaphor and create the “which mythology?” problem this page exists to prevent.
-
No internal codenames in user-facing copy. The morning briefing says “Sanctum is healthy” or “the family network is up,” not “Living Force OK.” If a parent reads it and has to ask what the word means, it’s the wrong word.
-
Project subrepos can have any codename they like (
OBLITERATUS,CL4R1T4S) — they are sealed under their own metaphor. Sanctum’s metaphor stops at the submodule boundary. -
The Council is seven. Five Jedi + Jocasta + Mon Mothma — lucky seven, and the table is full. If a domain is unowned, give it to the closest existing seat before inventing an eighth.
Why this matters
Section titled “Why this matters”The Sanctum architecture is doctrine-first. A doctrine layer that contradicts itself in its own vocabulary doesn’t survive contact with a tired operator at 2am. The fastest way to lose trust in a system is to ask it for the gateway and watch it wonder which gateway you mean.
Pick one metaphor per layer, write down which is which, and stop the next argument before it starts.