Architecture
Configuration
Configure bind addresses, TLS, API keys, workspace defaults, session limits, GitHub App credentials, publisher settings, and grant behavior.
Config path
All CLIs accept a config path. The default is:
/etc/zodex/config.toml
Use --config when operating against another file:
zodex --config /etc/zodex/config.toml status
zodex-agent --config /etc/zodex/config.toml github list-grants
If the file is missing, zodex loads its built-in defaults.
Server and API settings
Important runtime defaults:
bind_host = "0.0.0.0"
bind_port = 443
http_bind_port = 8080
api_key = "zodex-runtime-key"
tls_mode = "auto"
tls_cert_path = "/var/lib/zodex/tls/cert.pem"
tls_key_path = "/var/lib/zodex/tls/key.pem"
zodexd always expects TLS cert and key files for the TLS listener. Run one of these before starting the daemon directly:
zodex tls setup
zodex start
The optional HTTP listener is controlled by http_bind_port. The same app routes are served, but the /v1/* endpoints still require Bearer auth.
Tool execution limits
Execution-related defaults:
max_sessions = 64
default_exec_timeout_ms = 7200000
max_exec_timeout_ms = 7200000
default_exec_yield_time_ms = 10000
default_write_yield_time_ms = 10000
max_output_chars = 200000
default_workdir = "/workspace"
exec_command resolves its working directory from the tool input first, then from default_workdir. Long-running commands can keep a session open and return a session_handle for later polling or stdin writes.
Guest users and paths
Default runtime users and paths:
agent_user = "zodex-agent"
agent_home = "/home/zodex-agent"
publisher_user = "zodex-publisher"
service_group = "zodex"
publisher_socket_path = "/var/lib/zodex/publisher/run/zodex-prd.sock"
The agent should not run as root. The publisher path must be writable by the configured publisher user.
Reader GitHub App
Reader app fields:
reader_app_id = 123456
reader_installation_id = 11111111
reader_private_key_path = "/etc/zodex/reader/private-key.pem"
The reader app should have only Contents: Read-only, and be installed on repositories the runtime may read. Clone/fetch tokens request only Contents: read. publish-pr is handled by the publisher daemon, not the reader app.
Push-grant GitHub App
Publisher and grant fields:
publisher_app_id = 987654
publisher_client_id = "Iv1.real-device-flow-client-id"
publisher_private_key_path = "/etc/zodex/publisher/private-key.pem"
publisher_branch_prefix = "agent"
publisher_max_bundle_bytes = 33554432
publisher_max_title_chars = 240
publisher_max_body_chars = 16000
The publisher / push-grant app should have Contents: Read & write, Pull requests: Read & write, Device Flow enabled, and user access token expiration enabled. Agent-side publish-pr sends a local HEAD bundle to the publisher daemon, which uses the publisher app to push a generated branch and open the PR while keeping credentials inside the daemon.
Publish targets
Publish targets identify repositories that publisher-side flows can operate on:
[[publisher_targets]]
id = "zodex"
repo = "amxv/zodex"
default_base = "main"
installation_id = 22222222
[[publisher_installations]]
account = "amxv"
default_base = "main"
installation_id = 22222222
publisher_targets is the explicit allowlist used by publish-pr. publisher_installations records account-level installations so operator-only GitHub modes can represent an all-installed-repos scope while still staying inside the GitHub App installation boundary.
The day-to-day request-push flow uses the repo argument and active grant state. Publish targets are still useful for internal publisher flows and explicit repo allowlists.