Configuration overview
Where grith reads config from, the file format, and the top-level sections.
grith is configured by TOML. The shipping defaults live in config/default.toml inside
the grith repo, and that file is the source of truth for this reference.
Precedence
When grith starts, configuration values are layered from highest priority to lowest:
- CLI flags (--config, --log-level, --project, etc.)
- Environment variables prefixed GRITH_ (e.g. GRITH_LOG_LEVEL=debug)
- Project-local config at .grith/config.toml
- User config at ~/.config/grith/config.toml
- Built-in defaults from config/default.toml
A value set at a higher layer fully overrides the same key at a lower one. There is no deep-merge for arrays: an array reassignment replaces the whole array.
Top-level sections
[general]
| Key | Type | Default | Description |
|---|---|---|---|
| audit_dir | string | "~/.local/share/grith/audit" | — |
| audit_sync | boolean | true | set to false to keep audit records local-only; license checks still use grith.ai |
| log_level | string | "info" | — |
| plan_tier | string | "community" | "community", "pro", or "enterprise" |
[proxy]
| Key | Type | Default | Description |
|---|---|---|---|
| auto_allow_threshold | float | 3 | — |
| auto_deny_threshold | float | 8 | — |
| cold_start_calls | integer | 0 | — |
| cold_start_escalation_high | float | 10 | — |
| cold_start_escalation_low | float | 2 | — |
| review_timeout_seconds | integer | 300 | auto-deny queued calls after 5 minutes |
[reputation]
| Key | Type | Default | Description |
|---|---|---|---|
| auto_allow_min_observations | integer | 8 | — |
| auto_allow_trust | float | 0.92 | — |
| ceiling_filter_threshold | float | 5 | — |
| decay_lambda | float | 0.98 | — |
| deny_weight | float | 3 | — |
| enabled | boolean | true | — |
| max_auto_allow_raw_score | float | 7 | — |
| max_score_reduction | float | 4 | — |
| save_interval_seconds | integer | 300 | — |
[digest]
| Key | Type | Default | Description |
|---|---|---|---|
| delivery | string | "cli" | — |
| interval_active | string | "30m" | — |
| interval_idle | string | "24h" | — |
| max_queue_size | integer | 100 | — |
[supervisor]
| Key | Type | Default | Description |
|---|---|---|---|
| default_profile | string | "generic" | — |
| enabled | boolean | true | — |
| freeze_timeout_seconds | integer | 300 | — |
| max_concurrent_sessions | integer | 4 | — |
| pty_forwarding | boolean | true | — |
| require_sandbox | boolean | false | — |
[server]
| Key | Type | Default | Description |
|---|---|---|---|
| dashboard_dir | string | "dashboard/dist" | — |
| enabled | boolean | true | — |
| host | string | "127.0.0.1" | — |
| port | integer | 3141 | — |
Each section above has further nested sub-sections (e.g. [proxy.filters.reputation],
[supervisor.platform], [server.rate_limit]). Browse the per-section pages from
the sidebar for the full nested tree.
Reloading
[server] enabled = true exposes PUT /config over the local API. The dashboard, the
CLI's grith config set, and direct curl all route through that endpoint. Most config
changes apply on the next call; some (e.g. server port) require a daemon restart.
See also
- grith config — CLI surface for read/modify
- grith init — generate a starter config
- Filter config files — the standalone TOML files for filter-specific data (paths, secrets, egress, etc.)