[server]
Daemon HTTP server settings — host, port, TLS, rate limits.
The [server] section controls the daemon's HTTP API and dashboard server. Only
relevant when running grith daemon.
[server]
| Key | Type | Default | Description |
|---|---|---|---|
| auto_open_dashboard | boolean | true | Open the dashboard in your browser on startup, handing off the auth token via the URL fragment (never printed to the terminal). Auto-skipped on headless/SSH sessions. When false or unavailable, the CLI prints a single-use pairing URL instead. Override per-run with GRITH_AUTO_OPEN_DASHBOARD=0. |
| dashboard_dir | string | "dashboard/dist" | — |
| enabled | boolean | true | — |
| host | string | "127.0.0.1" | — |
| port | integer | 3141 | — |
[server.rate_limit]
| Key | Type | Default | Description |
|---|---|---|---|
| enabled | boolean | true | — |
| general_rps | integer | 100 | — |
| proxy_test_rps | integer | 20 | — |
| write_rps | integer | 10 | — |
TLS
By default the daemon binds to 127.0.0.1 only — there is no remote attack
surface. To expose the API beyond loopback, either configure native TLS:
[server]
host = "0.0.0.0"
[server.tls]
cert_path = "/etc/grith/cert.pem"
key_path = "/etc/grith/key.pem"
— or front the daemon with a reverse proxy that terminates TLS. The reverse-proxy path is usually simpler and more secure (centralised cert management, modern cipher suite policies, etc).
See Reverse proxy & TLS.
Rate limits
The rate limits apply per-source-IP. Defaults are conservative; tighten for shared deployments, loosen for high-traffic local use:
general_rps— most GET endpoints.write_rps— POST/PUT/DELETE on non-IPC routes.proxy_test_rps—/proxy/testspecifically. The dry-run endpoint is cheap, so the limit can be relatively generous, but it does run the full filter pipeline.
IPC endpoints (/ipc/*) are not rate-limited at this layer; they're already
loopback-restricted.
Dashboard
dashboard_dir points at the static dashboard bundle. The grith binary ships with
its dashboard at dashboard/dist. If you build a custom dashboard, point at
your bundle here.
Auto-open & browser authorisation
auto_open_dashboard (default true) controls whether grith dashboard start,
grith run, and grith exec open the dashboard in your browser on startup. The
auth token is handed off through the URL fragment and never printed to the
terminal; auto-open is skipped automatically on headless / SSH sessions, where
the CLI prints a single-use pairing link instead.
[server]
auto_open_dashboard = false # never auto-open; always print a pairing link
Override for a single run with the environment variable:
GRITH_AUTO_OPEN_DASHBOARD=0 grith dashboard start
The dashboard is authenticated on loopback by a per-server token even though it
binds 127.0.0.1 only — see
grith dashboard → Browser authorisation
and Trust boundaries.