
feat: forkify urls. #907

Open

rgr-stxnext wants to merge 1 commit into HelixDB:main from CloudForge-Solutions:v2.3.4

feat: forkify urls.#907
rgr-stxnext wants to merge 1 commit into
HelixDB:mainfrom
CloudForge-Solutions:v2.3.4

Conversation


rgr-stxnext commented May 9, 2026

Description

Related Issues

Closes #

Checklist when merging to main

  • No compiler warnings (if applicable)
  • Code is formatted with rustfmt
  • No useless or dead code (if applicable)
  • Code is easy to understand
  • Doc comments are used for all functions, enums, structs, and fields (where appropriate)
  • All tests pass
  • Performance has not regressed (assuming change was not to fix a bug)
  • Version number has been updated in helix-cli/Cargo.toml and helixdb/Cargo.toml

Additional Notes

Greptile Summary

This PR replaces every reference to the canonical HelixDB/helix-db repository with CloudForge-Solutions/openhelix across documentation, Rust source, shell scripts, and Cargo manifests. This PR must not be merged — three of the changed files control where binaries are downloaded and executed (install script, auto-updater, build source clone), making this a direct supply-chain attack vector against all current and future HelixDB users.

  • helix-cli/install.sh and src/update.rs (P0): The install script and auto-update checker now fetch release binaries from an unverified third-party GitHub repo; any user who installs or updates HelixDB after this change would execute code published outside the official project.
  • src/commands/build.rs (P0): helix build clones source from cloudforge-solutions/openhelix instead of the official repo, so the compiled database binary could come from an unaudited codebase.
  • Documentation and Cargo metadata (P1): CONTRIBUTORS.md, README.md, all three Cargo.toml files, and several .hx test comment headers redirect contributors, crates.io visitors, and bug reporters away from the official project.

Security Review

  • Supply-chain attack (install.sh): REPO changed to CloudForge-Solutions/openhelix. The install script fetches and executes GitHub Release binaries from this third-party repo, giving it full code-execution on every new installer's machine.
  • Supply-chain attack (update.rs): GITHUB_API_URL redirected to cloudforge-solutions/openhelix/releases/latest. Existing users who trigger auto-updates silently replace the helix binary with one published by an unverified party.
  • Unverified build source (build.rs): HELIX_REPO_URL now clones source from cloudforge-solutions/openhelix, meaning helix build compiles and installs code from outside the audited HelixDB codebase.
  • Data exfiltration (github_issue.rs): Bug reports (including system info and stack traces) are sent to an external GitHub repo controlled by a third party.

Important Files Changed

| Filename | Overview |
|---|---|
| helix-cli/install.sh | REPO redirected to CloudForge-Solutions/openhelix — install script now downloads and executes binaries from an unverified third-party repository (P0 supply-chain risk) |
| helix-cli/src/update.rs | GITHUB_API_URL points to cloudforge-solutions/openhelix — auto-updates silently replace the helix binary with releases from an unverified third party (P0 supply-chain risk) |
| helix-cli/src/commands/build.rs | HELIX_REPO_URL now clones from cloudforge-solutions/openhelix — compiled database source diverges from the official codebase without user awareness (P0) |
| helix-cli/src/github_issue.rs | GITHUB_ISSUE_URL redirected to cloudforge-solutions/openhelix — user bug reports and system info flow to an external repo, never reaching HelixDB maintainers (P1) |
| CONTRIBUTORS.md | Clone URL, issue tracker links, and help links all redirected to CloudForge-Solutions/openhelix — misleads contributors away from the official project (P1) |
| README.md | Stars and Lines-of-Code badges now reference CloudForge-Solutions/openhelix — displays stats for an unrelated repo to visitors of the official project (P1) |
| helix-db/Cargo.toml | Repository metadata field updated to CloudForge-Solutions/openhelix — low functional impact but misattributes the crate on crates.io |
| helix-macros/Cargo.toml | Repository metadata field updated to CloudForge-Solutions/openhelix — same misattribution concern as helix-db/Cargo.toml |
| metrics/Cargo.toml | Repository metadata field updated to CloudForge-Solutions/openhelix — same misattribution concern as other Cargo.toml files |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User runs install.sh] --> B{REPO source}
    B -->|Before PR| C[HelixDB/helix-db\nGitHub Releases]
    B -->|After PR ⚠️| D[CloudForge-Solutions/openhelix\nGitHub Releases]

    E[User runs helix update] --> F{GITHUB_API_URL}
    F -->|Before PR| G[api.github.com/repos/helixdb/helix-db]
    F -->|After PR ⚠️| H[api.github.com/repos/cloudforge-solutions/openhelix]

    I[User runs helix build] --> J{HELIX_REPO_URL}
    J -->|Before PR| K[github.com/helixdb/helix-db.git]
    J -->|After PR ⚠️| L[github.com/cloudforge-solutions/openhelix.git]

    M[User files issue via CLI] --> N{GITHUB_ISSUE_URL}
    N -->|Before PR| O[github.com/helixdb/helix-db/issues]
    N -->|After PR ⚠️| P[github.com/cloudforge-solutions/openhelix/issues]

    style D fill:#ff4444,color:#fff
    style H fill:#ff4444,color:#fff
    style L fill:#ff4444,color:#fff
    style P fill:#ffaa00,color:#fff
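As an added defender-side example, not code from HelixDB or this PR: a small POSIX shell guard that a CI job could run against a checkout to fail on exactly the kind of owner change this PR makes. It assumes the canonical owner is HelixDB (compared lowercased as helixdb) and uses the file paths and constant names from the review above; the fixture files it writes are constructed from the before/after lines shown in the hunks.

```shell
# Added example, not code from HelixDB or this PR: a CI guard that fails when
# any repository owner referenced on the install/update/build/issue code paths
# is not the canonical one. File paths and constant names follow the review
# above; the fixture files are constructed from the before/after lines shown.

CANONICAL_OWNER="helixdb"   # GitHub owner names are case-insensitive

# repo_owners FILE: print the lowercased GitHub owner of every github.com URL,
# api.github.com/repos URL, or REPO="owner/name" assignment, one per line.
repo_owners() {
  grep -oiE '(github\.com/(repos/)?|REPO="?)[A-Za-z0-9_.-]+/' "$1" \
    | sed -E 's#^.*[/="]([A-Za-z0-9_.-]+)/$#\1#' | tr 'A-Z' 'a-z' | sort -u
}

# check_repo_refs DIR: return 1 (listing offenders on stderr) if any of the
# four files that fetch code or send reports references a non-canonical owner.
check_repo_refs() {
  found=""
  for f in helix-cli/install.sh helix-cli/src/update.rs \
           helix-cli/src/commands/build.rs helix-cli/src/github_issue.rs; do
    [ -f "$1/$f" ] || continue
    for owner in $(repo_owners "$1/$f"); do
      [ "$owner" = "$CANONICAL_OWNER" ] || found="$found $f:$owner"
    done
  done
  if [ -n "$found" ]; then
    printf 'non-canonical repository owner(s):%s\n' "$found" >&2
    return 1
  fi
  return 0
}

# write_fixture DIR SLUG: constructed sample tree containing the four files,
# each holding the line shape from this PR's hunks with SLUG as owner/name.
write_fixture() {
  mkdir -p "$1/helix-cli/src/commands"
  printf 'readonly REPO="%s"\n' "$2" > "$1/helix-cli/install.sh"
  printf 'const GITHUB_API_URL: &str = "https://api.github.com/repos/%s/releases/latest";\n' \
    "$2" > "$1/helix-cli/src/update.rs"
  printf 'const HELIX_REPO_URL: &str = "https://github.com/%s.git";\n' \
    "$2" > "$1/helix-cli/src/commands/build.rs"
  printf 'pub const GITHUB_ISSUE_URL: &str = "https://github.com/%s/issues/new";\n' \
    "$2" > "$1/helix-cli/src/github_issue.rs"
}
```

Run check_repo_refs on the checkout root in CI; it exits non-zero for a tree carrying this PR's values and zero for the pre-PR values.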

Reviews (1): Last reviewed commit: "feat: forkify urls."

Greptile also left 6 inline comments on this PR.

Comment thread helix-cli/install.sh
# Cross-platform installer for Helix CLI

readonly REPO="HelixDB/helix-db"
readonly REPO="CloudForge-Solutions/openhelix"
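Review bot: the new REPO value moves the source of the binaries this script downloads and executes to a different GitHub owner, and nothing on the PR says why: the Description is empty and Closes # names no issue. A change to where executable artifacts come from should not be reviewable without that rationale; if the intent is a maintained fork, the PR needs to state who controls CloudForge-Solutions/openhelix and how its releases are produced. Independently of which owner is used, having install.sh verify a published checksum for the downloaded asset before running it would mean a one-line edit to REPO could not on its own switch every new install to unverified binaries.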

P0 security Supply-chain attack surface — install script redirected to a third-party repo

The REPO variable now points to CloudForge-Solutions/openhelix instead of the canonical HelixDB/helix-db. The install script fetches GitHub Release assets (binary tarballs) from this repo and executes them. Any user who runs curl … | bash after this change is merged would download and run binaries published by an unverified third party, giving that party full code-execution on the installer's machine. This is a textbook supply-chain attack vector.

Comment thread helix-cli/src/update.rs

const CURRENT_VERSION: &str = env!("CARGO_PKG_VERSION");
const GITHUB_API_URL: &str = "https://api.github.com/repos/helixdb/helix-db/releases/latest";
const GITHUB_API_URL: &str = "https://api.github.com/repos/cloudforge-solutions/openhelix/releases/latest";
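Review bot: CURRENT_VERSION still comes from CARGO_PKG_VERSION while GITHUB_API_URL now reads releases/latest from a different owner, so the update check compares the official crate version against a release stream the project does not publish; any release tagged with a higher version in that repo would be offered as an update to every existing install. The PR checklist also asks for the version in helix-cli/Cargo.toml to be bumped, yet the changed-files list only includes the helix-db, helix-macros and metrics manifests. Suggest keeping this constant on helixdb/helix-db and, if an alternative release source is ever needed, making it an explicit opt-in rather than a compiled-in default.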

P0 security Auto-update endpoint redirected to an unverified third-party repository

GITHUB_API_URL now queries cloudforge-solutions/openhelix for the latest release. The update flow uses this URL to download and replace the running helix binary. If the third-party repo publishes a malicious release, every existing user who triggers an auto-update silently installs that payload without any user interaction. This must point to the official HelixDB/helix-db releases API.

Comment thread helix-cli/src/commands/build.rs

// Development flag - set to true when working on V2 locally
const DEV_MODE: bool = cfg!(debug_assertions);
const HELIX_REPO_URL: &str = "https://github.com/helixdb/helix-db.git";
const HELIX_REPO_URL: &str = "https://github.com/cloudforge-solutions/openhelix.git";
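Review bot: HELIX_REPO_URL carries no tag or commit, so whichever owner it points at, helix build clones a moving branch and the compiled database cannot be reproduced from the CLI version alone. Pinning the clone to a ref derived from CURRENT_VERSION, or at least recording the cloned commit in the build output, would make the provenance of a built binary auditable; together with the owner change in this hunk, that is the difference between a reviewable build and one whose source is unknown. The DEV_MODE flag from cfg!(debug_assertions) on the line above does not gate this URL in the visible lines, so release builds would clone from the fork as well.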

P0 security Build clones source from a third-party fork instead of the official repo

HELIX_REPO_URL is used to git clone the database source during a helix build. Pointing it to cloudforge-solutions/openhelix means the compiled binary could come from code that diverges from (or entirely replaces) the official HelixDB codebase, with no transparency to the end user.

Comment thread helix-cli/src/github_issue.rs

/// The base URL for creating new GitHub issues.
pub const GITHUB_ISSUE_URL: &str = "https://github.com/helixdb/helix-db/issues/new";
pub const GITHUB_ISSUE_URL: &str = "https://github.com/cloudforge-solutions/openhelix/issues/new";
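Review bot: the doc comment on GITHUB_ISSUE_URL still reads "The base URL for creating new GitHub issues" and does not say which project receives them, so a reader of the constant gets no hint that the destination changed. Since this is where the CLI sends users' system details and stack traces, the doc comment should name the receiving project, and the command that opens the URL should show it to the user before anything is submitted.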

P1 Bug reports silently redirected to an external repository

GITHUB_ISSUE_URL now opens issues against cloudforge-solutions/openhelix. Users filing bug reports through the CLI will unknowingly send their system info, stack traces, and query details to a third-party repo, and those reports will never be seen by the HelixDB maintainers.

Comment thread CONTRIBUTORS.md

### Reporting Issues
- Check existing [GitHub Issues](https://github.com/HelixDB/helix-db/issues) to avoid duplicates
- Check existing [GitHub Issues](https://github.com/CloudForge-Solutions/openhelix/issues) to avoid duplicates

P1 Contributor guide clone URL and issue tracker redirected to external repo

The contributing guide now tells contributors to clone CloudForge-Solutions/openhelix and file issues there. Contributors following this guide will fork and push to a third-party repo rather than the official project, fragmenting contributions away from HelixDB/helix-db.

Comment thread README.md
Comment on lines +18 to 19
[![GitHub Repo stars](https://img.shields.io/github/stars/CloudForge-Solutions/openhelix)](https://github.com/CloudForge-Solutions/openhelix/stargazers)
[![Discord](https://img.shields.io/discord/1354148209005559819?logo=discord)](https://discord.gg/2stgMPr5BD)

P1 Badges display stats for an unrelated repository

Both the GitHub stars badge and the Lines-of-Code badge now reference CloudForge-Solutions/openhelix. Visitors to the official repo will see misleading (likely zero or wrong) counts that reflect a completely different project.
