ahamie.config.ts

import { defineAhamieConfig } from "@ahamie/sdk";

export default defineAhamieConfig({
  identity: {
    provider: "better-auth",
    organization: { enabled: true },
    plugins: ["magic-link", "passkey", "2fa", "bearer", "multi-session"],
    sessionTtl: "7d",
  },
  storage: {
    url: process.env.AHAMIE_DB_URL ?? "auto-spin-docker",
    pgvector: true,
    blobstore: { kind: "local-fs", path: "./.ahamie/blobs" },
    cas:       { kind: "local-fs", path: "./.ahamie/cas" },
  },
  connectorProxy: {
    listen: "127.0.0.1:7787",
    bearer: process.env.AHAMIE_PROXY_TOKEN,
    invariants: {
      stripAuthOnRequest:  true, // I3
      stripAuthOnResponse: true, // I4
      hmacOnIngress:       true, // I5
    },
    mcp: { mode: "inside-proxy" },
  },
  sandbox: { rule: "auto", egress: { policy: "unrestricted" } },
  automation: {
    engine: "in-process",
    triggers: { allow: ["cron", "webhook", "manual", "appEvent", "channel"] },
  },
  telemetry: { mastra: { enabled: true }, otel: { exporter: "console" } },
  eval:      { hiddenGoldenPrefix: "ahamie://golden" },
  outcomes:  { instrument: ["automation", "approval", "factory", "proxy"] },
  ui: {
    registry: "@ahamie/ui",
    components: ["AgentRunTree", "RunConsole", "ApprovalInbox", "ConnectorSetup", "ManifestEditor"],
  },
});

Field reference

identity

• provider: "better-auth" | "authentik" | "keycloak" | "custom". Default better-auth.
• organization.enabled: tenant from day 1 (T19). Required for multi-tenant.
• plugins: Better-Auth plugins to enable.
• sessionTtl: max session age.

storage

• url: Postgres URL or "auto-spin-docker".
• pgvector: install pgvector (default true).
• blobstore: local-fs (v0) or s3 (v1).
• cas: same shape as blobstore.

connectorProxy

• listen: address the proxy binds to. Default 127.0.0.1:7787.
• bearer: per-launch token. Generated by ahamie dev if unset.
• invariants: I3–I5 enforce flags. Do not turn off in production.
• mcp.mode: "inside-proxy" | "out-of-proxy". Default inside-proxy (T8).

sandbox

• rule: "auto" | "local" | "docker" | "compute-sdk".
• egress.policy: "unrestricted" (v0 default) → "localhost+allowlist" (v1) → "deny" (v2).

automation

• engine: "in-process" (v0) or "inngest" (v1).
• triggers.allow: trigger kinds the runtime accepts.

telemetry

• mastra.enabled: Mastra Observability (AI spans).
• otel.exporter: "console" | "memory" | "otlp" | "langfuse" | "sentry".

eval

• hiddenGoldenPrefix: separate-IAM prefix the agent cannot reach.

outcomes

• instrument: which subsystems auto-record outcomes.