grith.aidocs

Running as a daemon

Operations guide for long-running grith deployments — systemd, logging, restarts.

For multi-session, dashboard, or team deployments, run grith as a long-lived daemon. This guide covers process supervision, logging, and lifecycle.

Quick start

grith dashboard start
grith dashboard status

grith dashboard start runs the daemon in the background and returns immediately. That's it for personal use. For production, use a process supervisor.

systemd

A shipping unit file lives at contrib/systemd/grith.service in the grith repo:

[Unit]
Description=grith — Zero Trust for AI Agents
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/grith daemon start
ExecStop=/usr/local/bin/grith daemon stop
User=%i
Group=%i
Restart=on-failure
RestartSec=10

[Install]
WantedBy=default.target

User-level:

mkdir -p ~/.config/systemd/user
cp contrib/systemd/grith.service ~/.config/systemd/user/
systemctl --user daemon-reload
systemctl --user enable --now grith

System-level (for shared deployments — uncommon for a per-user product):

sudo cp contrib/systemd/grith.service /etc/systemd/system/grith@.service
sudo systemctl daemon-reload
sudo systemctl enable --now grith@alice

Use grith@<user> to template per-user instances.

Bind & TLS

The daemon binds to 127.0.0.1:3141 by default. For LAN exposure, front it with a reverse proxy — see Reverse proxy & TLS.

To bind to all interfaces with native TLS:

[server]
host = "0.0.0.0"

[server.tls]
cert_path = "/etc/grith/cert.pem"
key_path  = "/etc/grith/key.pem"

Logging

LocationWhat
stderr (when foreground)Live logs at general.log_level.
~/.local/share/grith/daemon.log (detached)Rotating, 10MB cap, 5 generations.
~/.local/share/grith/audit/*.sqliteAudit records (structured).

For systemd-managed daemons, logs go to journald:

journalctl --user -u grith -f

Restart safety

The daemon flushes reputation and audit state before exit. A clean stop (SIGTERM) takes 1–5s typically. SIGKILL can drop the most recent reputation updates (the audit log is fsync'd per-event by default).

In-flight digest items survive across restarts on Pro (state checkpointed to SQLite). On community, in-flight digest items expire via the thin-client's review_timeout_seconds (default 300s).

Resource usage

Typical idle daemon (no active sessions): ~30MB RSS, ~0.5% CPU.

Under a single busy session: ~80–120MB RSS depending on filter activity, ~5% CPU.

The biggest consumer is the SQLite audit log; for storage-bounded deployments, see Logging & audit retention.

Health checks

For load balancers / monitoring:

curl http://127.0.0.1:3141/health

Returns 200 OK with daemon version and uptime. Use as a liveness probe.

See also

Last updated: 2026-05-14Edit this page on GitHub →
© 2026 grith. All rights reserved.