Configuration

Configuration is stored in ~/.clauth/config.json. It is created by clauth init and can be edited manually.

Full Schema

{ "transport": "tcp", "host": "127.0.0.1", "port": 4317, "socketPath": "/home/user/.clauth/clauth.sock", "requireSkillToken": true, "skillTokenSalt": "<auto-generated>", "vaultSalt": "<auto-generated>", "kdf": { "memory": 65536, "parallelism": 1, "iterations": 3, "tagLength": 32 }, "firewall": { "minWarmupRequests": 10, "rateSpikeMultiplier": 3, "burstWindowMs": 10000, "burstLimit": 20, "offHoursStart": 1, "offHoursEnd": 5 }, "alertChannels": [], "advisoryFeeds": [], "advisoryPollIntervalMs": 3600000, "hardening": { "enforceHttps": true, "maxRequestBodyBytes": 1048576, "sessionTtlSeconds": 3600, "challengeTtlSeconds": 600, "requireAdminTokenForIdentity": false }

}

Transport

Field

Type

Default

Description

`transport`	`"tcp"` or `"unix"`	`"tcp"`	Daemon transport mode
`host`	string	`"127.0.0.1"`	TCP listen address
`port`	number	`4317`	TCP listen port
`socketPath`	string	`~/.clauth/clauth.sock`	Unix socket path

TCP Mode (default)

{
  "transport": "tcp",
  "host": "127.0.0.1",
  "port": 4317
}

Unix Socket Mode

{
  "transport": "unix",
  "socketPath": "/home/user/.clauth/clauth.sock"
}

Socket is created with 0o600 permissions (owner only).

Authentication

Field

Type

Default

Description

`requireSkillToken`	boolean	`true`	Require skill token for proxy requests
`skillTokenSalt`	string	auto-generated	Salt for skill token HMAC

When requireSkillToken is true, every proxy request must include a valid x-clauth-skill-token header or Authorization: Bearer session token.

KDF (Key Derivation Function)

Field

Type

Default

Description

`kdf.memory`	number	`65536`	Argon2id memory in KiB (64 MiB)
`kdf.parallelism`	number	`1`	Argon2id parallelism
`kdf.iterations`	number	`3`	Argon2id time cost
`kdf.tagLength`	number	`32`	Derived key length in bytes

These parameters affect vault unlock time. Higher values increase security but slow down daemon startup.

Behavioral Firewall

Field

Type

Default

Description

`firewall.minWarmupRequests`	number	`10`	Requests before anomaly detection activates
`firewall.rateSpikeMultiplier`	number	`3`	Threshold multiplier vs average RPM
`firewall.burstWindowMs`	number	`10000`	Burst detection window (10 seconds)
`firewall.burstLimit`	number	`20`	Max requests in burst window
`firewall.offHoursStart`	number	`1`	Off-hours start (hour, 24h format)
`firewall.offHoursEnd`	number	`5`	Off-hours end (hour, 24h format)

Tuning Examples

High-throughput skill:

{
  "firewall": {
    "burstLimit": 100,
    "rateSpikeMultiplier": 5,
    "minWarmupRequests": 50
  }
}

Strict mode:

{
  "firewall": {
    "burstLimit": 5,
    "rateSpikeMultiplier": 2,
    "minWarmupRequests": 5
  }
}

Alert Channels

{
  "alertChannels": [
    {
      "type": "webhook",
      "url": "https://hooks.slack.com/services/T00/B00/xxx",
      "minSeverity": "warning"
    },
    {
      "type": "webhook",
      "url": "https://your-pagerduty-endpoint.com/alerts",
      "minSeverity": "critical"
    }
  ]
}

Field

Type

Description

`type`	`"webhook"`	Channel type (only webhook supported)
`url`	string	Webhook endpoint URL
`minSeverity`	`"info"`, `"warning"`, `"critical"`	Minimum severity to dispatch

Severity ordering: info < warning < critical

Webhooks receive POST with JSON body:

{ "severity": "warning", "category": "firewall", "message": "Rate spike detected (15/min vs baseline 3.2/min).", "timestamp": "2025-01-15T10:05:00.000Z", "metadata": { "skillId": "my-agent", "provider": "github", "allowed": true }

}

Advisory Feeds

{
  "advisoryFeeds": [
    {
      "name": "github",
      "url": "https://api.github.com/advisories",
      "type": "github"
    }
  ],
  "advisoryPollIntervalMs": 3600000
}

Field

Type

Default

Description

`advisoryFeeds[].name`	string	—	Feed display name
`advisoryFeeds[].url`	string	—	Feed URL (returns JSON array)
`advisoryFeeds[].type`	`"github"` or `"custom"`	—	Feed format type
`advisoryPollIntervalMs`	number	`3600000`	Polling interval (1 hour)

On critical advisory, clauth auto-revokes grants and deletes credentials for the affected provider.

Hardening

{ "hardening": { "enforceHttps": true, "maxRequestBodyBytes": 1048576, "sessionTtlSeconds": 3600, "challengeTtlSeconds": 600, "requireAdminTokenForIdentity": false }

}

Field

Type

Default

Description

`hardening.enforceHttps`	boolean	`true`	Require HTTPS for outbound calls
`hardening.maxRequestBodyBytes`	number	`1048576`	Max proxy request body (1 MiB)
`hardening.sessionTtlSeconds`	number	`3600`	Session JWT lifetime (1 hour)
`hardening.challengeTtlSeconds`	number	`600`	Identity challenge TTL (10 min)
`hardening.requireAdminTokenForIdentity`	boolean	`false`	Require admin token for identity endpoints

Vault Salt

Field

Type

Default

Description

vaultSalt string auto-generated Base64url-encoded 16-byte salt

Generated at clauth init. Do not change after vault creation — the vault will become unreadable.

State File Locations

All state files are in the directory specified by CLAUTH_HOME (default: ~/.clauth/):

File	Description

`config.json`	This configuration file
`vault.enc`	Encrypted credential vault
`scopes.json`	Scope grants
`audit.ndjson`	Audit log
`firewall.json`	Firewall baselines
`skill-auth.json`	Skill tokens
`oauth-tokens.json`	OAuth refresh metadata
`advisory-state.json`	Seen advisory IDs
`identity-state.json`	Identity challenges and proofs