Configuration

Amurg uses two JSON configuration files: one for the Hub and one for the Runtime. Both are passed via the -config flag at startup.

Hub Configuration

The hub config controls the HTTP/WebSocket server, authentication, storage, session management, logging, and rate limiting.

server

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| addr | string | required | Listen address, e.g. ":8080" |
| tls_cert | string | "" | Path to TLS certificate file |
| tls_key | string | "" | Path to TLS key file |
| ui_static_dir | string | "" | Path to built UI static files for embedded serving |
| allowed_origins | []string | ["*"] | CORS allowed origins |
| max_body_bytes | int64 | 1048576 | Max request body size in bytes (1 MB) |
| file_storage_path | string | "./amurg-files" | Directory for uploaded file storage |
| max_file_bytes | int64 | 10485760 | Max file upload size in bytes (10 MB) |

auth

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| provider | string | "builtin" | Auth provider: "builtin" or "clerk" |
| clerk_issuer | string | "" | Clerk issuer URL (required when provider is "clerk") |
| clerk_secret_key | string | "" | Clerk secret key for backend operations |
| jwt_secret | string | required | HMAC secret for signing JWT tokens (required for builtin provider) |
| jwt_expiry | duration | "24h" | JWT token lifetime |
| runtime_tokens | []object | [] | Array of { runtime_id, token, name } entries for runtime auth |
| runtime_token_secret | string | "" | HMAC secret for time-limited runtime tokens |
| runtime_token_lifetime | duration | "1h" | Lifetime for generated runtime tokens |
| initial_admin | object | null | Bootstrap admin with { username, password } |
| default_agent_access | string | "all" | Default agent access for new users: "all" or "none" |

storage

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| driver | string | "sqlite" | Database driver |
| dsn | string | "amurg.db" | Database connection string or file path |
| retention | duration | "720h" | Transcript retention period (30 days) |

SQLite In-Memory DSN

If you use an in-memory database for testing, set the DSN to file::memory:?cache=shared instead of plain :memory:. Without the shared cache, each connection opens a separate database and tables created by one connection will not be visible to others.

session

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| max_per_user | int | 20 | Max active sessions per user |
| idle_timeout | duration | "30m" | Global session idle timeout |
| turn_based | bool | false | Enforce turn-based messaging globally |
| replay_buffer | int | 100 | Messages buffered for WebSocket reconnect |
| profile_idle_timeouts | map[string]duration | {} | Per-profile idle timeout overrides; "0" disables |
| max_message_bytes | int64 | 65536 | Max WebSocket message size from client (64 KB) |

logging

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| level | string | "info" | Log level: debug, info, warn, error |
| format | string | "json" | Output format: "json" or "text" |

rate_limit

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| requests_per_second | float64 | 10 | Requests per second per client |
| burst | int | 20 | Burst allowance |

Full Hub Config Example

{
  "server": {
    "addr": ":8090",
    "tls_cert": "",
    "tls_key": "",
    "ui_static_dir": "./ui/dist",
    "allowed_origins": ["http://localhost:3000"],
    "max_body_bytes": 1048576,
    "file_storage_path": "./amurg-files",
    "max_file_bytes": 10485760
  },
  "auth": {
    "provider": "builtin",
    "jwt_secret": "change-me-in-production",
    "jwt_expiry": "24h",
    "runtime_tokens": [
      {
        "runtime_id": "local-runtime",
        "token": "dev-token-change-me",
        "name": "Local Dev Runtime"
      }
    ],
    "runtime_token_secret": "",
    "runtime_token_lifetime": "1h",
    "initial_admin": {
      "username": "admin",
      "password": "admin"
    },
    "default_agent_access": "all"
  },
  "storage": {
    "driver": "sqlite",
    "dsn": "amurg.db",
    "retention": "720h"
  },
  "session": {
    "max_per_user": 20,
    "idle_timeout": "30m",
    "turn_based": true,
    "replay_buffer": 100,
    "profile_idle_timeouts": {},
    "max_message_bytes": 65536
  },
  "logging": {
    "level": "info",
    "format": "json"
  },
  "rate_limit": {
    "requests_per_second": 10,
    "burst": 20
  }
}
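The example above ships with placeholder secrets and an admin/admin bootstrap account, so a pre-deployment check is worth having. The following is an added example, not part of Amurg: the function name auditHub, the 32-byte secret minimum, the "change-me" pattern and the 12-character password minimum are assumptions of this sketch, and it assumes the builtin provider.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleHub is constructed input: the auth and CORS values of the page's full hub example.
const sampleHub = `{"server":{"allowed_origins":["http://localhost:3000"]},"auth":{
 "provider":"builtin","jwt_secret":"change-me-in-production","initial_admin":{"username":"admin",
 "password":"admin"},"runtime_tokens":[{"runtime_id":"local-runtime","token":"dev-token-change-me"}]}}`

// auditHub lists hub settings that should not reach production (builtin provider assumed).
func auditHub(raw []byte) ([]string, error) {
	var c struct {
		Server struct{ Origins []string `json:"allowed_origins"` } `json:"server"`
		Auth   struct {
			JWTSecret     string                               `json:"jwt_secret"`
			RuntimeTokens []struct{ Token string }             `json:"runtime_tokens"`
			InitialAdmin  *struct{ Username, Password string } `json:"initial_admin"`
		} `json:"auth"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	// weak is an assumed heuristic, not Amurg's rule: under 32 bytes or a "change-me" placeholder.
	weak := func(s string) bool { return len(s) < 32 || strings.Contains(strings.ToLower(s), "change-me") }
	var f []string
	flag := func(bad bool, msg string) {
		if bad {
			f = append(f, msg)
		}
	}
	o := c.Server.Origins // an omitted field means the documented default ["*"]
	flag(len(o) == 0 || strings.Contains(strings.Join(o, " "), "*"), "server.allowed_origins allows any origin")
	flag(weak(c.Auth.JWTSecret), "auth.jwt_secret is short or a placeholder")
	for i, t := range c.Auth.RuntimeTokens {
		flag(weak(t.Token), fmt.Sprintf("auth.runtime_tokens[%d].token is short or a placeholder", i))
	}
	a := c.Auth.InitialAdmin
	flag(a != nil && (len(a.Password) < 12 || a.Password == a.Username), "auth.initial_admin.password is weak")
	return f, nil
}

func main() {
	fmt.Println(auditHub([]byte(sampleHub)))
}
```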

Runtime Configuration

The runtime config tells the runtime how to connect to the hub and defines which agents to register.

hub

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| url | string | required | Hub WebSocket URL, e.g. ws://localhost:8090/ws/runtime |
| token | string | required | Pre-shared token matching a runtime_tokens entry on the hub |
| tls_skip_verify | bool | false | Skip TLS verification (development only) |
| reconnect_interval | duration | "2s" | Initial reconnect delay |
| max_reconnect_delay | duration | "60s" | Maximum backoff delay for reconnection |

runtime

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| id | string | required | Unique runtime identifier, must match a runtime_tokens entry |
| org_id | string | "default" | Organization ID for multi-tenant deployments |
| max_sessions | int | 10 | Max concurrent sessions across all agents |
| default_timeout | duration | "30m" | Default session timeout |
| max_output_bytes | int64 | 10485760 | Max output bytes per session (10 MB) |
| idle_timeout | duration | "30s" | Idle timeout for output collection |
| log_level | string | "info" | Log level: debug, info, warn, error |
| file_storage_path | string | "./amurg-files" | Directory for file storage |
| max_file_bytes | int64 | 10485760 | Max file size in bytes (10 MB) |

agents[]

Each entry in the agents array defines an agent that the runtime will register with the hub.

| Field | Type | Description |
| --- | --- | --- |
| id | string | Unique agent identifier (required) |
| name | string | Human-readable display name |
| profile | string | Adapter profile (required). One of: "generic-cli", "generic-job", "generic-http", "external", "claude-code", "github-copilot", "codex", "kilo-code" |
| tags | map[string]string | Arbitrary key-value metadata |
| limits | object | Per-agent operational limits (see below) |
| security | object | Security constraints for this agent (see below) |

Each agent also includes a profile-specific config key. The key must match the profile:

| Profile | Config Key |
| --- | --- |
| generic-cli | cli |
| generic-job | job |
| generic-http | http |
| external | external |
| claude-code | claude_code |
| github-copilot | copilot |
| codex | codex |
| kilo-code | kilo |

Tip

For detailed adapter config fields and examples for each profile, see the Adapters page.

limits (per-agent)

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| max_sessions | int | 0 (unlimited) | Max concurrent sessions for this agent |
| session_timeout | duration | "0" (uses runtime default) | Override session timeout for this agent |
| max_output_bytes | int64 | 0 (uses runtime default) | Override max output bytes for this agent |
| idle_timeout | duration | "0" (uses runtime default) | Override idle timeout for this agent |

security (per-agent)

The optional security block on each agent defines filesystem, tool, and environment constraints for the agent process.

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| allowed_paths | []string | [] | Filesystem paths the agent may access |
| denied_paths | []string | [] | Filesystem paths denied to the agent |
| allowed_tools | []string | [] | Tools the agent is allowed to use |
| permission_mode | string | "" | Permission enforcement mode: "skip", "strict", or "auto" |
| cwd | string | "" | Override working directory for the agent |
| env_whitelist | []string | [] | Environment variables passed to the agent |

Full Runtime Config Example

{
  "hub": {
    "url": "ws://localhost:8090/ws/runtime",
    "token": "dev-token-change-me",
    "tls_skip_verify": false,
    "reconnect_interval": "2s",
    "max_reconnect_delay": "60s"
  },
  "runtime": {
    "id": "local-runtime",
    "org_id": "default",
    "max_sessions": 10,
    "default_timeout": "30m",
    "max_output_bytes": 10485760,
    "idle_timeout": "30s",
    "log_level": "info",
    "file_storage_path": "./amurg-files",
    "max_file_bytes": 10485760
  },
  "agents": [
    {
      "id": "my-agent",
      "name": "My CLI Agent",
      "profile": "generic-cli",
      "tags": { "env": "dev" },
      "limits": {
        "max_sessions": 5,
        "session_timeout": "1h",
        "max_output_bytes": 5242880,
        "idle_timeout": "10m"
      },
      "security": {
        "allowed_paths": ["/home/user/projects"],
        "denied_paths": ["/etc", "/root"],
        "allowed_tools": [],
        "permission_mode": "auto",
        "cwd": "/home/user/projects",
        "env_whitelist": ["PATH", "HOME"]
      },
      "cli": {
        "command": "/usr/local/bin/my-agent",
        "args": ["--interactive"],
        "work_dir": "/home/user/projects",
        "env": { "AGENT_MODE": "chat" },
        "spawn_policy": "per-session"
      }
    }
  ]
}
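Two things in agents[] are easy to get wrong when editing by hand: the adapter block must use the config key that belongs to the profile, and the security block is optional, so an agent can be registered with no constraints declared. The following is an added example, not part of Amurg, that checks both against the profile table on this page; checkAgents and the sample agents are hypothetical names and constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// profileKey is the Profile -> Config Key table from this page.
var profileKey = map[string]string{
	"generic-cli": "cli", "generic-job": "job", "generic-http": "http",
	"external": "external", "claude-code": "claude_code",
	"github-copilot": "copilot", "codex": "codex", "kilo-code": "kilo",
}

// sampleRuntime is constructed input: only the first agent is consistent.
const sampleRuntime = `{"agents":[
 {"id":"a1","profile":"generic-cli","security":{"permission_mode":"auto"},"cli":{}},
 {"id":"a2","profile":"claude-code","cli":{"command":"/usr/local/bin/my-agent"}},
 {"id":"a3","profile":"shell","security":{},"cli":{}}]}`

// checkAgents reports profile/config-key mismatches and agents without a security block.
func checkAgents(raw []byte) ([]string, error) {
	var c struct {
		Agents []map[string]json.RawMessage `json:"agents"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	var f []string
	for i, a := range c.Agents {
		var profile string
		_ = json.Unmarshal(a["profile"], &profile) // absent or non-string leaves ""
		key, known := profileKey[profile]
		if !known {
			f = append(f, fmt.Sprintf("agents[%d]: unknown profile %q", i, profile))
		} else if _, has := a[key]; !has {
			f = append(f, fmt.Sprintf("agents[%d]: profile %q needs a %q block", i, profile, key))
		}
		if _, has := a["security"]; !has {
			f = append(f, fmt.Sprintf("agents[%d]: no security block", i))
		}
	}
	return f, nil
}

func main() {
	fmt.Println(checkAgents([]byte(sampleRuntime)))
}
```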