Configuration
Configuration is stored in ~/.clauth/config.json (or under CLAUTH_HOME, if set). It is created by clauth init and can be edited manually.
Full Schema
```json
{
  "transport": "tcp",
  "host": "127.0.0.1",
  "port": 4317,
  "socketPath": "/home/user/.clauth/clauth.sock",
  "skillTokenSalt": "<auto-generated>",
  "vaultSalt": "<auto-generated>",
  "kdf": {
    "memory": 65536,
    "parallelism": 1,
    "iterations": 3,
    "tagLength": 32
  },
  "firewall": {
    "minWarmupRequests": 10,
    "rateSpikeMultiplier": 3,
    "burstWindowMs": 10000,
    "burstLimit": 20,
    "offHoursStart": 1,
    "offHoursEnd": 5
  },
  "alertChannels": [],
  "advisoryFeeds": [
    {
      "name": "github",
      "url": "https://api.github.com/advisories",
      "type": "github"
    }
  ],
  "advisoryPollIntervalMs": 3600000,
  "hardening": {
    "enforceHttps": true,
    "maxRequestBodyBytes": 1048576,
    "sessionTtlSeconds": 3600,
    "challengeTtlSeconds": 600,
    "identityMaxVerifyAttempts": 5,
    "identityVerifyPerSkillPerMinute": 30,
    "identityVerifyPerIpPerMinute": 60,
    "requireAdminTokenForIdentity": false
  }
}
```
Transport
| Field | Type | Default | Description |
|---|---|---|---|
| transport | "tcp" or "unix" | "tcp" | Daemon transport mode |
| host | string | "127.0.0.1" | TCP listen address |
| port | number | 4317 | TCP listen port |
| socketPath | string | ~/.clauth/clauth.sock | Unix socket path |
TCP Mode (default)
```json
{
  "transport": "tcp",
  "host": "127.0.0.1",
  "port": 4317
}
```
Unix Socket Mode
```json
{
  "transport": "unix",
  "socketPath": "/home/user/.clauth/clauth.sock"
}
```
The socket is created with 0o600 permissions (readable and writable by the owner only).
Authentication
| Field | Type | Default | Description |
|---|---|---|---|
| skillTokenSalt | string | auto-generated | Salt for the skill token HMAC |

Proxy and identity endpoints require either a valid x-clauth-skill-token header or an Authorization: Bearer header carrying a session token.
KDF (Key Derivation Function)
| Field | Type | Default | Description |
|---|---|---|---|
| kdf.memory | number | 65536 | Argon2id memory in KiB (64 MiB), when available |
| kdf.parallelism | number | 1 | Argon2id/scrypt parallelism (scrypt uses this as p) |
| kdf.iterations | number | 3 | Argon2id time cost, when available |
| kdf.tagLength | number | 32 | Derived key length in bytes |

Clauth prefers Argon2id when the runtime provides crypto.argon2Sync. On runtimes without Argon2id support (including Node.js 22), Clauth falls back to scrypt.
These parameters determine how long a vault unlock takes. Higher values make guessing the vault passphrase more expensive but slow down daemon startup.
Behavioral Firewall
| Field | Type | Default | Description |
|---|---|---|---|
| firewall.minWarmupRequests | number | 10 | Requests observed before anomaly detection activates |
| firewall.rateSpikeMultiplier | number | 3 | Threshold multiplier vs. average RPM |
| firewall.burstWindowMs | number | 10000 | Burst detection window (10 seconds) |
| firewall.burstLimit | number | 20 | Max requests in the burst window |
| firewall.offHoursStart | number | 1 | Off-hours start (hour, 24h format) |
| firewall.offHoursEnd | number | 5 | Off-hours end (hour, 24h format) |
Tuning Examples
High-throughput skill:
```json
{
  "firewall": {
    "burstLimit": 100,
    "rateSpikeMultiplier": 5,
    "minWarmupRequests": 50
  }
}
```
Strict mode:
```json
{
  "firewall": {
    "burstLimit": 5,
    "rateSpikeMultiplier": 2,
    "minWarmupRequests": 5
  }
}
```
Alert Channels
```json
{
  "alertChannels": [
    {
      "type": "webhook",
      "url": "https://hooks.slack.com/services/T00/B00/xxx",
      "minSeverity": "warning"
    },
    {
      "type": "webhook",
      "url": "https://your-pagerduty-endpoint.com/alerts",
      "minSeverity": "critical"
    }
  ]
}
```
| Field | Type | Description |
|---|---|---|
| type | "webhook" | Channel type (only webhook is supported) |
| url | string | Webhook endpoint URL |
| minSeverity | "info", "warning", "critical" | Minimum severity to dispatch |
Severity ordering: info < warning < critical
Webhooks receive a POST request with a JSON body:
```json
{
  "severity": "warning",
  "category": "firewall",
  "message": "Rate spike detected (15/min vs baseline 3.2/min).",
  "timestamp": "2025-01-15T10:05:00.000Z",
  "metadata": {
    "skillId": "my-agent",
    "provider": "github",
    "allowed": true
  }
}
```
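How the firewall thresholds above and the minSeverity routing of alert channels fit together, as an added example that is not clauth's own code: one request is checked against the warm-up, burst, rate-spike and off-hours settings, and each resulting alert is routed to the channels whose minSeverity it meets. The traffic sample and webhook URLs are constructed; using UTC hours for the off-hours window, averaging the baseline over the whole observed span, and the severity assigned to each rule are assumptions, not documented clauth behaviour.

```javascript
// Added example (not clauth's own code): evaluate one request against the
// documented firewall thresholds and route the alerts by minSeverity. UTC hours,
// the baseline averaging, and the rule-to-severity mapping are assumptions.
const SEVERITY_RANK = { info: 0, warning: 1, critical: 2 };
const firewall = { minWarmupRequests: 10, rateSpikeMultiplier: 3,
  burstWindowMs: 10000, burstLimit: 20, offHoursStart: 1, offHoursEnd: 5 };
// history: earlier request timestamps (ms, oldest first) for one skill; nowMs: this request.
function evaluateRequest(history, nowMs, cfg = firewall) {
  const alerts = [];
  const hour = new Date(nowMs).getUTCHours();
  if (hour >= cfg.offHoursStart && hour < cfg.offHoursEnd) {
    alerts.push({ severity: 'info', message: `Request during off-hours (${hour}:00 UTC).` });
  }
  if (history.length < cfg.minWarmupRequests) return alerts; // still warming up
  const inWindow = (ms) => history.filter((t) => nowMs - t < ms).length + 1; // +1 = this request
  const burst = inWindow(cfg.burstWindowMs);
  if (burst > cfg.burstLimit) {
    alerts.push({ severity: 'critical', message: `Burst: ${burst} requests in ${cfg.burstWindowMs} ms.` });
  }
  // Baseline RPM = all observed requests over the observed span; current RPM = last 60 s.
  const spanMin = Math.max((nowMs - history[0]) / 60000, 1);
  const baseline = history.length / spanMin;
  const current = inWindow(60000);
  if (current > baseline * cfg.rateSpikeMultiplier) {
    alerts.push({ severity: 'warning',
      message: `Rate spike detected (${current}/min vs baseline ${baseline.toFixed(1)}/min).` });
  }
  return alerts;
}
// Return the webhook URLs that should receive an alert of the given severity.
function channelsFor(severity, channels) {
  return channels.filter((c) => SEVERITY_RANK[severity] >= SEVERITY_RANK[c.minSeverity]).map((c) => c.url);
}
// Constructed sample traffic: one request a minute for 30 minutes, then 25 requests in 5 s.
const T0 = Date.parse('2025-01-15T10:00:00.000Z');
const sampleHistory = [
  ...Array.from({ length: 30 }, (_, i) => T0 + i * 60000),
  ...Array.from({ length: 24 }, (_, i) => T0 + 30 * 60000 + i * 200),
];
const sampleNow = T0 + 30 * 60000 + 24 * 200;
const sampleChannels = [ // constructed endpoints, not real services
  { type: 'webhook', url: 'https://example.invalid/slack', minSeverity: 'warning' },
  { type: 'webhook', url: 'https://example.invalid/pager', minSeverity: 'critical' },
];
for (const a of evaluateRequest(sampleHistory, sampleNow)) {
  console.log(a.severity, a.message, '->', channelsFor(a.severity, sampleChannels).join(', '));
}
```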
Advisory Feeds
```json
{
  "advisoryFeeds": [
    {
      "name": "github",
      "url": "https://api.github.com/advisories",
      "type": "github"
    }
  ],
  "advisoryPollIntervalMs": 3600000
}
```
| Field | Type | Default | Description |
|---|---|---|---|
| advisoryFeeds[].name | string | — | Feed display name |
| advisoryFeeds[].url | string | — | Feed URL (must return a JSON array) |
| advisoryFeeds[].type | "github" or "custom" | — | Feed format type |
| advisoryPollIntervalMs | number | 3600000 | Polling interval (1 hour) |

On a critical advisory, clauth automatically revokes grants and deletes credentials for the affected provider.
Hardening
```json
{
  "hardening": {
    "enforceHttps": true,
    "maxRequestBodyBytes": 1048576,
    "sessionTtlSeconds": 3600,
    "challengeTtlSeconds": 600,
    "identityMaxVerifyAttempts": 5,
    "identityVerifyPerSkillPerMinute": 30,
    "identityVerifyPerIpPerMinute": 60,
    "requireAdminTokenForIdentity": false
  }
}
```
| Field | Type | Default | Description |
|---|---|---|---|
| hardening.enforceHttps | boolean | true | Require HTTPS for outbound calls |
| hardening.maxRequestBodyBytes | number | 1048576 | Max proxy request body (1 MiB) |
| hardening.sessionTtlSeconds | number | 3600 | Session JWT lifetime (1 hour) |
| hardening.challengeTtlSeconds | number | 600 | Identity challenge TTL (10 min) |
| hardening.identityMaxVerifyAttempts | number | 5 | Max verification attempts per identity challenge before it fails closed |
| hardening.identityVerifyPerSkillPerMinute | number | 30 | Max identity verification requests per skill per minute |
| hardening.identityVerifyPerIpPerMinute | number | 60 | Max identity verification requests per source IP per minute |
| hardening.requireAdminTokenForIdentity | boolean | false | Require the admin token for identity endpoints (except the OAuth callback) |
Identity Email Delivery
Email proof delivery is configured through an environment variable, not in config.json:
| Variable | Required | Description |
|---|---|---|
| CLAUTH_EMAIL_CHALLENGE_WEBHOOK_URL | For method: "email" | Webhook that receives { challengeId, accountId, code, expiresAt, ... } for out-of-band delivery |
Vault Salt
| Field | Type | Default | Description |
|---|---|---|---|
| vaultSalt | string | auto-generated | Base64url-encoded 16-byte salt |

Generated by clauth init. Do not change it after the vault has been created; the vault would become unreadable.
State File Locations
All state files live in the directory given by CLAUTH_HOME (default: ~/.clauth/):
| File | Description |
|---|---|
| config.json | This configuration file |
| vault.enc | Encrypted credential vault |
| scopes.json | Scope grants |
| audit.ndjson | Audit log |
| firewall.json | Firewall baselines |
| skill-auth.json | Skill tokens |
| session-revocations.json | Revoked session JWT IDs (jti) |
| oauth-tokens.json | OAuth refresh metadata (encrypted with the vault master key; invalid or tampered data is rejected on load) |
| advisory-state.json | Seen advisory IDs |
| identity-state.json | Identity challenges and proofs |