Skip to content

Configuration

dcluomax edited this page Jun 1, 2026 · 1 revision

Configuration

coopd is configured entirely through environment variables — no config file.

Core

Variable Default Purpose
COOP_DATA_DIR ~/.coop Data directory (vault, redb state, hen workdirs; 0700).
COOP_LOG info Tracing filter, e.g. coopd=debug.
COOP_VAULT + COOP_PASSPHRASE (unset) Auto-unlock this sealed vault at startup.
COOP_SANDBOX 1 Set to 0 to disable the per-hen bash OS sandbox (not recommended).
COOP_MARKET_URL https://farm.startcaas.com Public Market URL shown in the Farm UI.

Exposure & auth

Variable Default Purpose
COOP_API_TOKEN (unset) Bearer token for the API/UI. Required before exposing beyond loopback. Unset = auth disabled.
COOP_PUBLIC (unset) Set to 1 to accept non-loopback Host/Origin headers (needed for LAN/public binds).
COOP_LOGIN_MAX_ATTEMPTS 10 Failed /auth/login attempts per client IP per 60s before HTTP 429.
COOP_MAX_PROMPT_BYTES 262144 Max job/task prompt size in bytes (0 disables); over-size → HTTP 413.

Auth is opt-in: with COOP_API_TOKEN set, every /api/v1/* request and the UI must present the token via Authorization: Bearer <token>, a ?token= query param, or the coop_token cookie (set by the /login page). Healthchecks are always exempt.

BYOK secret backends

A Hen's brain.provider_id selects where its model API key comes from:

provider_id Backend Notes
vault:<secret> Local sealed vault Default. Unlocked via COOP_PASSPHRASE / /api/v1/vault/unlock.
azure-kv://<vault>/<secret> Azure Key Vault Fetched over HTTPS at run time; never written to disk.

Azure Key Vault credentials (env-driven):

Variable(s) Auth mode
AZURE_KEYVAULT_TOKEN A pre-acquired AAD bearer token. Not auto-refreshed.
AZURE_TENANT_ID + AZURE_CLIENT_ID + AZURE_CLIENT_SECRET Service principal (client-credentials); tokens cached automatically.
AZURE_KEYVAULT_DNS_SUFFIX Sovereign-cloud Key Vault suffix (default vault.azure.net).
AZURE_AUTHORITY_HOST Sovereign-cloud AAD authority (default https://login.microsoftonline.com).

Full walkthrough → BYOK Secrets.

Discord connector

Variable Purpose
COOP_DISCORD_TOKEN Bot token.
COOP_DISCORD_GUILD_ID Server (guild) ID.
COOP_DISCORD_PREFIX Command prefix (default !coop).
COOP_DISCORD_ALLOWED_USERS Comma-separated user IDs allowed to dispatch jobs (default-deny).

See Discord Connector.

CLI

The coop CLI talks to COOP_API (default http://127.0.0.1:9700). Set it to reach a remote daemon. When the daemon has auth enabled, give the CLI the same token via COOP_API_TOKEN (env) or --token <TOKEN>; it is sent as an Authorization: Bearer header.

export COOP_API=https://farm.example.com
export COOP_API_TOKEN=…   # same value the daemon was started with
coop farm
coop hen list

Clone this wiki locally