AGH RuntimeConfiguration
config.toml
Complete AGH config.toml schema, defaults, valid values, merge behavior, and annotated examples.
- Audience
- Operators running durable agent work
- Focus
- Configuration guidance shaped for scanability, day-two clarity, and operator context.
config.toml is the main AGH runtime configuration file. AGH loads the built-in defaults, then
overlays global and workspace files when they exist.
| File | Scope | Loaded when |
|---|---|---|
$AGH_HOME/config.toml | Global | Every config load. Defaults to ~/.agh/config.toml. |
$AGH_HOME/mcp.json | Global MCP sidecar | After global TOML. |
<workspace>/.agh/config.toml | Workspace overlay | Only when a workspace root is resolved for the session or command. |
<workspace>/.agh/mcp.json | Workspace MCP sidecar | After workspace TOML. |
Unknown TOML keys are errors. Sandbox profiles are implemented under [sandboxes.<name>]; the old
Use only [sandboxes.<name>] for session execution boundaries.
Quick Reference
| Section | Purpose | Default |
|---|---|---|
[daemon] | Unix domain socket path for CLI and UDS API traffic. | socket = "$AGH_HOME/daemon.sock" |
[http] | HTTP and SSE bind address. | host = "localhost", port = 2123 |
[defaults] | Default agent, provider, and sandbox resolution. | agent = "general", provider = "", sandbox = "" |
[limits] | Daemon-level session and agent caps. | max_sessions = 10, max_concurrent_agents = 20 |
[session.limits] | Session-scoped wall-clock timeout. | timeout = "0s" |
[session.supervision] | Runtime activity heartbeat, progress, warning, and inactivity timeout controls. | heartbeat 30 seconds, progress 10 minutes, warning 15 minutes, timeout 30 minutes |
[agents.soul] | Optional SOUL.md parsing, body limits, and compact projection budget. | enabled, 32 KiB body, 2 KiB compact projection |
[agents.heartbeat] | Optional HEARTBEAT.md policy bounds, wake cadence/limits, and health timing. | enabled, 32 KiB body, 5 min/30 min intervals, 25 wakes per cycle, 168 h retention |
[permissions] | Default permission mode. | mode = "approve-all" |
[tools] | Tool registry lifecycle, hosted MCP enablement, and result budget defaults. | enabled, hosted MCP enabled, 256 KiB result default |
[tools.hosted_mcp] | Hosted MCP session bind nonce lifecycle. | 30 seconds |
[tools.policy] | External tool source defaults, approval timeout, and trusted sources. | external tools disabled, 120 second approval timeout, no trusted sources |
[[mcp_servers]] | Top-level MCP servers passed to agents. | empty list |
[providers.<name>] | Built-in provider override or custom provider definition. | empty map plus built-ins |
[sandboxes.<name>] | Local or provider-backed execution sandbox profiles. | local backend when no profile is selected |
[observability] | Event summary retention and global byte cap. | enabled, 7 days, 1 GiB |
[observability.transcripts] | Transcript segment sizing and per-session cap. | enabled, 1 MiB segments, 256 MiB per session |
[log] | Structured log level. | level = "info" |
[memory] | Persistent memory runtime and global memory directory. | enabled, $AGH_HOME/memory |
[memory.dream] | Background memory consolidation. | enabled, agent general, 24 hours, 3 sessions, 30 minutes |
[skills] | Skill discovery, polling, disable list, and marketplace trust gates. | enabled, poll every 3 seconds |
[skills.marketplace] | Skill registry override. | unset |
[extensions.marketplace] | Extension registry override. | unset |
[automation] | Automation scheduler defaults. | enabled, UTC, 5 concurrent jobs |
[[automation.jobs]] | Scheduled automation jobs. | empty list |
[[automation.triggers]] | Event-driven automation triggers. | empty list |
[autonomy.coordinator] | Coordinator session bootstrap for workspace-scoped task runs. | disabled, agent coordinator, TTL 2 hours, 5 children, 1 active per workspace |
[[hooks.declarations]] | Config-defined runtime hooks. | empty list |
[network] | Experimental AGH network runtime. | enabled, channel default |
Load And Merge Order
| Order | Source | Merge behavior |
|---|---|---|
| 1 | Built-in defaults | Base config. |
| 2 | $AGH_HOME/config.toml | Scalar fields replace defaults. TOML MCP and provider MCP entries merge by name. |
| 3 | $AGH_HOME/mcp.json | Same-name MCP servers replace the whole server object. |
| 4 | <workspace>/.agh/config.toml | Workspace overlay applies over global config. |
| 5 | <workspace>/.agh/mcp.json | Same-name MCP servers replace the whole server object after workspace TOML. |
| 6 | Path normalization and validation | ~ is expanded for daemon.socket and memory.global_dir; invalid values fail startup. |
TOML [[mcp_servers]] entries merge fields by name: non-empty command, non-empty args, and
new env keys overlay the existing server. JSON sidecars replace same-name servers as whole
objects.
Daemon boot uses the home config for boot-time daemon settings. The general config loader applies global and workspace MCP sidecars for session and runtime resolution.
Complete Annotated Example
# ~/.agh/config.toml
[daemon]
# Path to the Unix domain socket used by AGH CLI commands.
socket = "~/.agh/daemon.sock"
[http]
# HTTP/SSE API bind address.
host = "localhost"
port = 2123
[defaults]
# Agent name used when a command or API request does not specify one.
agent = "general"
# Provider used by AGENT.md files that omit provider.
provider = "claude"
# Sandbox profile used when a workspace does not set sandbox_ref.
sandbox = "local"
[limits]
# Positive daemon-wide limits.
max_sessions = 10
max_concurrent_agents = 20
[session.limits]
# 0 means no configured wall-clock timeout. Use Go durations such as "30m" or "2h".
timeout = "0s"
[session.supervision]
# Short heartbeats update durable liveness only. They are not persisted as session events.
activity_heartbeat_interval = "30s"
# 0 disables periodic progress events.
progress_notify_interval = "10m"
# 0 disables inactivity warnings.
inactivity_warning_after = "15m"
# 0 disables inactivity timeout.
inactivity_timeout = "30m"
# Grace period after cooperative prompt cancel before AGH stops the session as timeout.
timeout_cancel_grace = "30s"
[agents.soul]
# Disabling pauses prompt injection but keeps inspect/validate/write/delete/history/rollback available.
enabled = true
# Hard cap for SOUL.md body bytes after normalization.
max_body_bytes = 32768
# Compact /agent/context projection budget. Must be <= max_body_bytes.
context_projection_bytes = 2048
[agents.heartbeat]
# Disabling pauses wake decisions but keeps managed authoring available for repair.
enabled = true
# Bounded HEARTBEAT.md body size (snapshot uses normalized body).
max_body_bytes = 32768
# Compact projection budget for status surfaces.
context_projection_bytes = 4096
# Hard floor for authored preferences.min_interval. Files below this are clamped.
min_interval = "5m"
# Default cadence baseline used when authored files omit min_interval.
default_interval = "30m"
# Cooldown between wakes for a single session.
wake_cooldown = "1m"
# Maximum scheduler-cycle wakes across the daemon.
max_wakes_per_cycle = 25
# When true, wake only sessions in active runtime state.
active_session_only = true
# When true, authored active_hours/quiet_windows preferences are honored within bounds.
allow_active_hours_preferences = true
# Retention for agent_heartbeat_wake_events audit rows. Minimum 1h.
wake_event_retention = "168h"
# Idle age before metadata-only presence is treated as stale for wake eligibility.
session_health_stale_after = "2m"
# Minimum interval between session.health.update.after hook fires for the same session.
session_health_hook_min_interval = "1m"
[permissions]
# Valid values: deny-all, approve-reads, approve-all.
mode = "approve-all"
[tools]
# Disables registry dispatch and hosted MCP exposure when false.
enabled = true
# Enables AGH-hosted local MCP projection for session-visible tools.
hosted_mcp_enabled = true
# Default result cap for tool descriptors that do not set a smaller cap.
default_max_result_bytes = 262144
[tools.hosted_mcp]
# Non-secret launch correlation nonce lifetime before UDS peer binding.
bind_nonce_ttl_seconds = 30
[tools.policy]
# Valid values: disabled, ask, enabled.
external_default = "disabled"
# Bounded wait for daemon-mediated approval flows.
approval_timeout_seconds = 120
# External read-only sources trusted for approve-reads. Entries use kind:owner.
trusted_sources = []
[[mcp_servers]]
name = "filesystem"
command = "npx"
args = ["-y", "@modelcontextprotocol/server-filesystem", "/Users/you/work"]
env = { LOG_LEVEL = "info" }
[[mcp_servers]]
name = "remote-docs"
transport = "sse"
url = "https://mcp.example.com/sse"
[mcp_servers.auth]
type = "oauth2_pkce"
issuer_url = "https://auth.example.com"
client_id = "agh-desktop"
client_secret_ref = "env:REMOTE_DOCS_MCP_CLIENT_SECRET"
scopes = ["mcp.read", "mcp.write"]
[providers.claude]
# Overrides the built-in Claude provider command/model/credential slot.
command = "npx -y @agentclientprotocol/claude-agent-acp@latest"
default_model = "claude-sonnet-4-6"
[[providers.claude.credential_slots]]
name = "api_key"
target_env = "ANTHROPIC_API_KEY"
secret_ref = "env:ANTHROPIC_API_KEY"
kind = "api_key"
required = false
[[providers.claude.mcp_servers]]
name = "github"
command = "npx"
args = ["-y", "@modelcontextprotocol/server-github"]
secret_env = { GITHUB_TOKEN = "env:GITHUB_TOKEN" }
[sandboxes.local]
backend = "local"
sync_mode = "none"
persistence = "reuse"
runtime_root = "~"
[sandboxes.daytona-dev]
backend = "daytona"
sync_mode = "session-bidirectional"
persistence = "reuse"
runtime_root = "/home/daytona/workspace"
[sandboxes.daytona-dev.env]
NODE_ENV = "development"
[sandboxes.daytona-dev.network]
allow_public_ingress = false
allow_outbound = true
allow_list = ["api.example.test"]
deny_list = ["metadata.google.internal"]
[sandboxes.daytona-dev.daytona]
api_url = "https://app.daytona.io/api"
target = "team-default"
snapshot = "snap-agent-base"
image = "ubuntu:24.04"
class = "cpu-2"
auto_stop = "30m"
auto_archive = "24h"
[observability]
enabled = true
retention_days = 7
max_global_bytes = 1073741824
[observability.transcripts]
enabled = true
segment_bytes = 1048576
max_bytes_per_session = 268435456
[log]
level = "info"
[memory]
enabled = true
global_dir = "~/.agh/memory"
[memory.dream]
enabled = true
agent = "general"
min_hours = 24
min_sessions = 3
check_interval = "30m"
[skills]
enabled = true
disabled_skills = ["experimental-skill"]
poll_interval = "3s"
allowed_marketplace_mcp = ["clawhub:@team/search-skill"]
allowed_marketplace_hooks = ["clawhub:@team/format-hook"]
[skills.marketplace]
registry = "clawhub"
base_url = "https://registry.example.com"
[extensions.marketplace]
registry = "github"
base_url = "https://api.github.com"
[automation]
enabled = true
timezone = "UTC"
max_concurrent_jobs = 5
default_fire_limit = { max = 12, window = "1h" }
[[automation.jobs]]
scope = "workspace"
name = "daily-doc-check"
agent = "docs"
workspace = "workspace-id-or-path"
prompt = "Review changed docs and report stale links."
enabled = true
fire_limit = { max = 2, window = "24h" }
[automation.jobs.schedule]
mode = "cron"
expr = "0 9 * * 1-5"
[automation.jobs.retry]
strategy = "backoff"
max_retries = 3
base_delay = "2s"
[[automation.triggers]]
scope = "workspace"
workspace = "workspace-id-or-path"
name = "failed-session-summary"
agent = "general"
prompt = "Summarize why session {{ index .Data \"session_id\" }} stopped."
event = "session.stopped"
enabled = true
[automation.triggers.filter]
kind = "session.stopped"
data.stop_reason = "error"
[autonomy.coordinator]
# Disabled by default. When enabled, a workspace-scoped coordinated task run may start
# one coordinator session for that workspace after publish, start, approval, or an
# equivalent execution boundary enqueues the run.
enabled = false
agent_name = "coordinator"
# Optional provider/model overrides. Empty values fall through to agent/provider defaults.
provider = ""
model = ""
default_ttl = "2h"
max_children = 5
max_active_per_workspace = 1
[[hooks.declarations]]
name = "record-session-start"
event = "session.post_create"
mode = "async"
required = false
priority = 500
timeout = "5s"
command = "printf"
args = ["session started\n"]
env = { HOOK_LOG = "1" }
[hooks.declarations.matcher]
agent_name = "general"
[network]
enabled = true
default_channel = "default"
port = -1
max_payload = 1048576
greet_interval = 30
max_replay_age = 300
max_queue_depth = 100[daemon]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
socket | string path | $AGH_HOME/daemon.sock | Non-empty path. ~ is expanded. | Unix domain socket used by CLI IPC and the UDS API server. |
[http]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
host | string | localhost | Non-empty host or bind address. | HTTP/SSE server host. |
port | integer | 2123 | 1 through 65535 | HTTP/SSE server port. |
[defaults]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
agent | string | general | Non-empty agent name. | Agent selected when a command or API request omits an agent. |
provider | string | empty | Built-in provider name or configured provider key. | Provider selected when an AGENT.md omits provider. Empty is valid until an agent without provider is resolved. |
[limits]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
max_sessions | integer | 10 | Positive integer. | Daemon-wide cap for sessions retained in active runtime state. |
max_concurrent_agents | integer | 20 | Positive integer. | Daemon-wide cap for concurrently running agent subprocesses. |
[session.limits]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
timeout | duration | 0s | Zero or positive Go duration. | Session-level wall-clock timeout. Zero means no configured wall-clock timeout. |
[session.supervision]
Session supervision keeps long-running prompts observable without turning every heartbeat into a stored event. AGH updates session metadata on short heartbeats and only writes durable events for lower-frequency progress, warnings, and timeout classification.
This timeout is based on inactivity, not total runtime. A prompt can run for hours as long as AGH continues to observe runtime activity or controlled waiting heartbeats.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
activity_heartbeat_interval | duration | 30s | Positive Go duration. | Cadence for metadata-only activity heartbeats while a prompt is waiting on ACP/provider work. |
progress_notify_interval | duration | 10m | Zero or positive Go duration. | Cadence for persisted runtime_progress events. Zero disables periodic progress events. |
inactivity_warning_after | duration | 15m | Zero or positive Go duration. | Idle age before AGH emits one runtime_warning. Zero disables the warning. |
inactivity_timeout | duration | 30m | Zero or positive Go duration. | Idle age before AGH cancels the prompt cooperatively. Zero disables inactivity timeout. |
timeout_cancel_grace | duration | 30s | Positive Go duration. | Grace period after timeout cancel before AGH stops the session with stop reason timeout. |
[agents.soul]
[agents.soul] controls the optional SOUL.md authored persona artifact. Config owns body
limits, compact projection budget, and the enabled toggle. SOUL.md cannot redefine any of
these keys, and forbidden operational fields in SOUL.md are rejected. See
Agent Soul.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | When false, AGH stops injecting Soul into prompts and /agent/context but keeps inspect/validate/write/delete/history/rollback available. |
max_body_bytes | integer | 32768 | Positive integer. | Maximum normalized SOUL.md body size. Files beyond this fail validation with oversized_body. |
context_projection_bytes | integer | 2048 | Positive integer; must be <= max_body_bytes. | Compact /agent/context.soul projection budget. |
Workspace overlay merges scalar fields predictably; setting any key zero-clamps to the validated positive value or fails with a typed validation error. Disabling at runtime does not clear stored snapshots; managed authoring keeps working so operators can repair a broken file.
[agents.heartbeat]
[agents.heartbeat] controls the optional HEARTBEAT.md advisory wake policy and the runtime
health/wake-audit subsystem. Config owns cadence, rate limits, retention, and stale thresholds;
authored files express bounded preferences only. See
Agent Heartbeat.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | When false, AGH disables wake decisions but keeps managed authoring available so operators can repair a broken policy. |
max_body_bytes | integer | 32768 | Positive integer; capped at the runtime hard limit. | Maximum normalized HEARTBEAT.md body size; oversized files fail validation. |
context_projection_bytes | integer | 4096 | Positive integer; must be <= max_body_bytes. | Compact projection budget for status responses. |
min_interval | duration | 5m | Positive Go duration; must be <= default_interval. | Hard floor for authored preferences.min_interval. Files below this are clamped with heartbeat_preference_clamped. |
default_interval | duration | 30m | Positive Go duration. | Default cadence baseline used when authored files omit min_interval. |
wake_cooldown | duration | 1m | Positive Go duration. | Cooldown between wakes targeting the same session. |
max_wakes_per_cycle | integer | 25 | Positive integer. | Daemon-wide cap on wakes per scheduler cycle. Excess wakes return heartbeat_rate_limited. |
active_session_only | boolean | true | true or false | When true, only sessions reported as active and attachable are wake-eligible. |
allow_active_hours_preferences | boolean | true | true or false | When false, authored active_hours/quiet_windows are ignored with heartbeat_preference_ignored. |
wake_event_retention | duration | 168h | Positive Go duration; minimum 1h. | Retention for agent_heartbeat_wake_events audit rows. Cleanup runs at boot and during scheduler maintenance cycles. |
session_health_stale_after | duration | 2m | Positive Go duration. | Idle age before metadata-only presence becomes stale for wake eligibility. |
session_health_hook_min_interval | duration | 1m | Positive Go duration. | Minimum interval between session.health.update.after hook fires for the same session; metadata-only touches are coalesced. |
[agents.heartbeat] does not own task-run lease heartbeat (task_runs + ClaimNextRun +
HeartbeatRunLease), [session.supervision] activity heartbeat, or AGH Network [network]
greet presence. Those four authorities remain independent.
HEARTBEAT.md snapshot digest covers the normalized body, canonical frontmatter JSON, and a
canonical digest of the resolved [agents.heartbeat] config subset. Editing any field that
affects parsing, preference resolution, eligibility, retention, or coalescing invalidates the
digest and triggers a fresh resolution at the next wake decision.
[permissions]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
mode | string | approve-all | deny-all, approve-reads, approve-all | Default permission policy used when an agent definition does not override permissions. |
[tools]
Tool registry configuration is loaded before runtime policy and dispatch consume it. These keys only
establish defaults and parse-time guardrails; dispatch still revalidates visibility, permission,
availability, hooks, and approval state per call. When enabled = true, the runtime injects the
agh__bootstrap and agh__catalog discovery toolsets for every agent unless effective policy
denies them, and a startup prompt section teaches the search → info → invoke loop.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false. | When false, disables AGH-owned registry dispatch and hosted MCP exposure. |
hosted_mcp_enabled | boolean | true | true or false. | Allows AGH to expose the local hosted MCP proxy for session-visible tools. |
default_max_result_bytes | integer | 262144 | 0 through 16777216. | Result cap used when a descriptor does not specify a smaller limit. |
[tools.hosted_mcp]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
bind_nonce_ttl_seconds | integer | 30 | 1 through 300 seconds. | Lifetime for the non-secret hosted MCP bind nonce before UDS peer binding. |
[tools.policy]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
external_default | string | disabled | disabled, ask, enabled. | Default executable policy for extension, MCP, and dynamic tools before explicit tool/source grants. |
approval_timeout_seconds | integer | 120 | 1 through 600 seconds. | Maximum wait for daemon-mediated approval flows. |
trusted_sources | string array | [] | mcp:<server> or extension:<name>. | External read-only sources trusted for approve-reads; MCP entries must reference configured MCP servers. |
trusted_sources does not store credentials. Remote MCP OAuth tokens remain in the MCP auth store,
and hosted MCP bind nonces are transient session launch state.
[[mcp_servers]]
Top-level MCP servers are merged with provider, agent, and skill MCP servers during session startup. They can point at local stdio processes or remote HTTP/SSE MCP endpoints.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
name | string | required | Non-empty after trimming. | Stable server key used for merge and replacement. |
transport | string | inferred | stdio, http, sse. | Transport kind. Command servers default to stdio; URL servers default to http. |
command | string | required for stdio | Non-empty command. | Executable command for a local stdio MCP server. Invalid for remote transports. |
url | string URL | required for remote | Absolute URL. | Remote MCP endpoint for http or sse transports. Invalid for stdio. |
auth | object | empty | OAuth 2.1 PKCE settings. | Remote auth metadata and client settings. Invalid for stdio. |
args | string array | empty | Strings. | Process arguments passed to the command. |
env | string map | empty | String keys and values. | Literal environment values passed to the MCP server. AGH does not perform shell expansion. |
secret_env | string map | empty | env:NAME or vault:mcp/<server>/env/<KEY> refs. | Secret environment bindings for stdio servers. Values are resolved at launch and redacted from diagnostics. |
OAuth-enabled remote servers store only metadata in config. Token material is kept in the AGH
Vault as encrypted refs and is exposed through API, settings, CLI, logs, and the agent-callable
agh__mcp_auth_status tool only as redacted status. Login/logout happen on CLI and HTTP. These are
operator-only management flows.
auth field | Type | Required | Description |
|---|---|---|---|
type | string | yes | Must be oauth2_pkce. |
client_id | string | yes | OAuth client ID. |
client_secret_ref | string | no | env:NAME or vault:mcp/<server>/oauth/client-secret ref containing the client secret, when required. |
issuer_url | string URL | conditional | Issuer for OAuth metadata discovery. |
metadata_url | string URL | conditional | Explicit OAuth authorization-server metadata URL. |
authorization_url | string URL | conditional | Direct authorization endpoint. Pair with token_url. |
token_url | string URL | conditional | Direct token endpoint. Pair with authorization_url. |
revocation_url | string URL | no | Optional endpoint used by agh mcp auth logout. |
scopes | string array | no | Requested OAuth scopes. |
Configure one of metadata_url, issuer_url, or both authorization_url and token_url, then
authenticate with:
agh mcp auth login remote-docs
agh mcp auth status remote-docs
agh mcp auth status remote-docs --refresh
agh mcp auth logout remote-docsAgents can read the same redacted status from inside a session through the
agh__mcp_auth_status tool. The tool never triggers an OAuth browser flow; missing or expired
authentication is repaired through the operator login/logout commands above.
[providers.<name>]
Provider keys override built-ins with the same name or create a custom provider. Built-ins are
claude, codex, gemini, opencode, copilot, cursor, kiro, blackbox, cline,
goose, hermes, junie, kimi-cli, openclaw, openhands, qoder, qwen-code, pi,
openrouter, zai, moonshot, vercel-ai-gateway, xai, minimax, mistral, and groq.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
command | string | Built-in command or empty for custom providers. | Required after built-in plus override resolution. | ACP launch command for this provider. |
display_name | string | Built-in label or empty. | Any string. | Operator-facing label shown in settings and provider pickers. |
default_model | string | Built-in model or empty. | Any string. | Model used when an agent omits model; Pi-backed providers receive it in session config. |
harness | string | acp unless a built-in sets pi_acp. | acp, pi_acp. | Launch strategy. pi_acp routes the provider through Pi's ACP adapter. |
runtime_provider | string | Provider key. | Harness-specific provider id. | Downstream provider id used by Pi and other harnesses. |
transport | string | empty. | Harness-specific string. | Optional Pi models override transport/API family. |
base_url | string | empty. | URL string. | Optional Pi models override base URL for custom gateways. |
credential_slots | array | Built-in slots for providers that need one. | See below. | Bound secret refs injected into provider subprocess environment variables at launch. |
mcp_servers | array of MCP server objects | empty. | Same shape as [[mcp_servers]]. | Provider-specific MCP servers merged after top-level config and before agent MCP servers. |
Credential slots use this shape:
[[providers.openrouter.credential_slots]]
name = "api_key"
target_env = "OPENROUTER_API_KEY"
secret_ref = "vault:providers/openrouter/api-key"
kind = "api_key"
required = truesecret_ref supports env:NAME for operator-managed environment variables and
vault:providers/<provider>/<slot> for AGH-managed encrypted provider credentials written through
the settings API, agh vault, or web provider editor. The vault: form accepts lowercase
provider/slot identifiers only, with letters, numbers, hyphens, underscores, or dots; arbitrary
vault paths are not valid provider credential refs.
The slot required flag is enforced at session start for both env: and vault: refs. Direct ACP
built-ins keep their default API-key slots optional because the underlying CLI may already be logged
in; Pi-backed API-key providers keep their built-in API-key slots required.
| Built-in | Harness | Runtime provider | Default model | API key env |
|---|---|---|---|---|
claude | acp | claude | claude-sonnet-4-6 | ANTHROPIC_API_KEY |
codex | acp | codex | gpt-5.4 | OPENAI_API_KEY |
gemini | acp | gemini | gemini-3.1-pro-preview | GEMINI_API_KEY |
opencode | acp | opencode | none | none |
copilot | acp | copilot | none | none |
cursor | acp | cursor | none | none |
kiro | acp | kiro | none | none |
blackbox | acp | blackbox | none | BLACKBOX_API_KEY |
cline | acp | cline | none | none |
goose | acp | goose | none | none |
hermes | acp | hermes | none | none |
junie | acp | junie | none | none |
kimi-cli | acp | kimi-cli | none | KIMI_API_KEY |
openclaw | acp | openclaw | none | none |
openhands | acp | openhands | none | none |
qoder | acp | qoder | none | QODER_PERSONAL_ACCESS_TOKEN |
qwen-code | acp | qwen-code | qwen3.6-plus | none |
pi | pi_acp | anthropic | claude-opus-4-7 | ANTHROPIC_API_KEY |
openrouter | pi_acp | openrouter | openai/gpt-5.4 | OPENROUTER_API_KEY |
zai | pi_acp | zai | glm-4.6 | ZAI_API_KEY |
moonshot | pi_acp | kimi-coding | kimi-k2-thinking | KIMI_API_KEY |
vercel-ai-gateway | pi_acp | vercel-ai-gateway | anthropic/claude-opus-4-7 | AI_GATEWAY_API_KEY |
xai | pi_acp | xai | grok-4-fast-non-reasoning | XAI_API_KEY |
minimax | pi_acp | minimax | MiniMax-M2.1 | MINIMAX_API_KEY |
mistral | pi_acp | mistral | devstral-medium-latest | MISTRAL_API_KEY |
groq | pi_acp | groq | openai/gpt-oss-120b | GROQ_API_KEY |
[observability]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | Enables global event summary and health observation paths. |
retention_days | integer | 7 | Zero or positive. | Retention window for global event summaries, token stats, and permission logs. 0 keeps history. |
max_global_bytes | integer | 1073741824 | Positive integer. | Size cap for global observability storage. |
[observability.transcripts]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | Enables transcript capture from persisted session events. |
segment_bytes | integer | 1048576 | Positive integer. | Segment size for transcript retention. |
max_bytes_per_session | integer | 268435456 | Positive integer. | Per-session transcript byte cap. |
[log]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
level | string | info | debug, info, warn, error | Structured daemon log level. |
[memory]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | Enables memory assembly and consolidation runtime paths. |
global_dir | string path | $AGH_HOME/memory | Non-empty path when set. ~ is expanded. | Global memory directory. Blank overlays are ignored and keep the previous value. |
[memory.dream]
If enabled = false, the remaining dream validation is skipped.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | Enables background dream consolidation. |
agent | string | general | Non-empty when enabled. | Agent used for consolidation sessions. |
min_hours | float | 24 | Positive number. | Minimum age threshold before consolidation. |
min_sessions | integer | 3 | Positive integer. | Minimum session count threshold before consolidation. |
check_interval | duration | 30m | Positive Go duration. | Background check interval. |
[skills]
If enabled = false, skill polling and marketplace validation are skipped.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | Enables skill catalog discovery and polling. |
disabled_skills | string array | empty | Skill names. | Replaces the disabled-skill list in overlays. |
poll_interval | duration | 3s | Positive Go duration. | Filesystem poll interval for skill catalog refresh. |
allowed_marketplace_mcp | string array | empty | Marketplace slug, registry:slug, or verified hash. | Trust allowlist for MCP servers declared by marketplace skills. |
allowed_marketplace_hooks | string array | empty | Marketplace slug, registry:slug, or verified hash. | Trust allowlist for hooks declared by marketplace skills. |
[skills.marketplace]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
registry | string | empty | Empty or clawhub. Required when base_url is set. | Skill marketplace registry adapter. |
base_url | string URL | empty | Empty or http or https URL with host. | Registry base URL override. |
[extensions.marketplace]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
registry | string | empty | Empty or github. Required when base_url is set. | Extension marketplace registry adapter. |
base_url | string URL | empty | Empty or http or https URL with host. | Registry base URL override. http is accepted but logs a warning. |
[automation]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | Enables config-defined automation jobs and triggers. |
timezone | string | UTC | IANA timezone loadable by Go, such as UTC or America/Sao_Paulo. | Schedule timezone for automation. |
max_concurrent_jobs | integer | 5 | Positive integer. | Global automation concurrency cap. |
default_fire_limit | object | { max = 12, window = "1h" } | max positive, window positive Go duration. | Default rolling fire limit copied into jobs and triggers that omit their own limit. |
[[automation.jobs]]
Jobs are appended by overlays; they do not replace earlier jobs with the same name.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
scope | string | required | global or workspace | Binding scope. |
name | string | required | Non-empty. | Job name. |
agent | string | required unless task is configured | Non-empty. | Agent that handles the scheduled prompt. |
workspace | string | required when scope = "workspace", empty when scope = "global" | Workspace ID or root accepted by the automation resolver. | Workspace binding. |
prompt | string | required unless task is configured | Non-empty. | Prompt submitted when the job fires. |
schedule.mode | string | required | cron, every, at | Schedule mode. |
schedule.expr | string | empty | Required only for cron; standard five-field cron. | Cron expression. |
schedule.interval | string | empty | Required only for every; positive Go duration. | Repeating interval. |
schedule.time | string | empty | Required only for at; RFC3339 timestamp. | One-shot fire time. |
task.title | string | empty | Any string. | Task title when the job materializes a task instead of starting an agent session. |
task.description | string | empty | Any string. | Task description. |
task.owner | object | empty | Task ownership object. | Owner metadata validated by the task package. |
task.network_channel | string | empty | Valid network channel. | Network channel attached to generated tasks. |
enabled | boolean | true | true or false | Enables this job. |
retry.strategy | string | none | none or backoff | Retry behavior. Must be none when task is configured. |
retry.max_retries | integer | 0 | 0 for none; positive for backoff. | Maximum retry count. |
retry.base_delay | string | empty | Empty for none; positive Go duration for backoff. | Base backoff delay. |
fire_limit | object | [automation].default_fire_limit | max positive, window positive Go duration. | Per-job fire limit. |
[[automation.triggers]]
Triggers are appended by overlays; they do not replace earlier triggers with the same name.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
scope | string | required | global or workspace | Binding scope. |
name | string | required | Non-empty. | Trigger name. |
agent | string | required | Non-empty. | Agent that handles the trigger prompt. |
workspace | string | required when scope = "workspace", empty when scope = "global" | Workspace ID or root accepted by the automation resolver. | Workspace binding. |
prompt | string | required | Valid Go template over the activation envelope. | Prompt submitted when the trigger fires. |
event | string | required | Non-empty; webhook has extra requirements. | Event name. |
filter | string map | empty | Keys kind, scope, workspace_id, source, or data.<field>; values non-empty. | Activation-envelope filter. |
enabled | boolean | true | true or false | Enables this trigger. |
retry.strategy | string | none | none or backoff | Retry behavior. |
retry.max_retries | integer | 0 | 0 for none; positive for backoff. | Maximum retry count. |
retry.base_delay | string | empty | Empty for none; positive Go duration for backoff. | Base backoff delay. |
fire_limit | object | [automation].default_fire_limit | max positive, window positive Go duration. | Per-trigger fire limit. |
endpoint_slug | string | empty | Required when event = "webhook"; empty otherwise. | Webhook endpoint slug. |
webhook_secret_ref | string | empty | Required when event = "webhook"; must be env:NAME or vault:automation/...; empty otherwise. | Secret ref used to validate webhook requests. |
See Vault for the CLI, HTTP, UDS, web, and session-scoped surfaces that store and inspect encrypted AGH-managed secret refs.
[autonomy.coordinator]
Coordinator config controls whether AGH may start a workspace coordinator when executable task-run work is enqueued. Task creation is not executable work. Creating or saving a task does not enqueue a run, create a coordination channel, or spawn a coordinator. Publish, start, approval, and equivalent run-enqueue APIs are the execution boundary.
Coordinator launch only applies to workspace-scoped coordinated runs with a stable
coordination_channel_id. Global runs and intent-only tasks do not start coordinators in the MVP.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | false | true or false | Allows coordinator bootstrap after a coordinated workspace run is enqueued. |
agent_name | string | coordinator | Non-empty when enabled. | Agent definition used for managed coordinator sessions. |
provider | string | empty | Empty or a configured provider key. | Optional provider override for the coordinator agent. |
model | string | empty | Empty or provider-supported model string. | Optional model override. If set, provider or provider default resolution must exist. |
default_ttl | duration | 2h | 1m through 24h. | Lifetime assigned to managed coordinator sessions. |
max_children | integer | 5 | 0 through 5. | Maximum safe-spawn children a coordinator may hold at once. |
max_active_per_workspace | integer | 1 | Must be 1 in the MVP. | Enforces one active managed coordinator per workspace. |
Provider and model resolution is intentionally narrow. The daemon applies:
- Workspace
.agh/config.tomloverride for the resolved workspace. - Global
$AGH_HOME/config.toml. - The bundled/default coordinator agent definition and provider defaults.
Safe-spawn limits still apply after a coordinator starts. Coordinator children inherit the workspace and coordination channel, must use a positive TTL, and can only narrow the coordinator's permission set.
[[hooks.declarations]]
Config hooks merge by name; a later overlay replaces the whole hook declaration with the same
name.
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
name | string | required | Non-empty. | Hook declaration name. |
event | string | required | Current dot-form hook event. | Event that triggers the hook. |
mode | string | async | sync or async; sync only for sync-eligible events. | Dispatch mode. |
required | boolean | false | true or false; required hooks must be sync. | Whether a hook failure blocks the source operation. |
priority | integer | Config source default 500 when omitted. | Integer. | Ordering priority. |
timeout | duration | 0s; subprocess executor uses 5 seconds when zero. | Non-negative Go duration. | Hook timeout. |
matcher | object | empty | Supported matcher fields listed below. | Narrows hook eligibility. |
command | string | empty | Required for subprocess hooks unless nested executor fields are used. | Subprocess command. |
args | string array | empty | Strings. | Subprocess arguments. |
env | string map | empty | String keys and values. | Explicit hook environment values. |
executor.kind | string | subprocess when a command is present. | subprocess or wasm for user config. native is internal only. | Executor kind. |
executor.command | string | empty | Same as command. | Nested command form. Cannot be mixed with top-level command/args/env. |
executor.args | string array | empty | Strings. | Nested args form. |
executor.env | string map | empty | String keys and values. | Nested env form. |
Supported matcher fields are agent_name, agent_type, workspace_id, workspace_root,
session_type, input_class, acp_event_type, turn_id, tool_name, tool_namespace,
tool_read_only, decision_class, message_role, message_delta_type, compaction_reason, and
compaction_strategy.
Current hook events are:
session.pre_create
session.post_create
session.pre_resume
session.post_resume
session.pre_stop
session.post_stop
input.pre_submit
prompt.post_assemble
event.pre_record
event.post_record
automation.job.pre_fire
automation.job.post_fire
automation.trigger.pre_fire
automation.trigger.post_fire
automation.run.completed
automation.run.failed
agent.pre_start
agent.spawned
agent.crashed
agent.stopped
turn.start
turn.end
message.start
message.delta
message.end
tool.pre_call
tool.post_call
tool.post_error
permission.request
permission.resolved
permission.denied
context.pre_compact
context.post_compact[network]
| Field | Type | Default | Valid values | Description |
|---|---|---|---|---|
enabled | boolean | true | true or false | Enables the embedded AGH network runtime. |
default_channel | string | default | Regex ^[a-z0-9][a-z0-9_-]{0,63}$ | Default network channel for sessions. |
port | integer | -1 | -1 or 1 through 65535 | Network listener port. -1 lets the runtime choose. |
max_payload | integer bytes | 1048576 | Positive integer no greater than 2147483647. | Maximum network payload size. |
greet_interval | integer seconds | 30 | Positive integer seconds. | Peer greeting interval. |
max_replay_age | integer seconds | 300 | Positive integer seconds. | Maximum replay window for network messages. |
max_queue_depth | integer | 100 | Positive integer. | Maximum queued network messages. |
Related Pages
- mcp.json documents JSON sidecars and whole-object replacement.
- AGENT.md documents agent-local
mcp_serversand hooks. - File Locations lists the exact global and workspace paths.