config.toml Reference
Complete field reference for $HOZIRON_HOME/config.toml.
Resolution
The config file location is resolved in this order:
1. `HOZIRON_HOME` environment variable → `$HOZIRON_HOME/config.toml`
2. `~/.hoziron/config.toml` (local development fallback)
Full Example
# ── Model Configuration ──────────────────────────────────────────
# Default provider name and default model identifier.
# NOTE(review): provider presumably has to name one of the
# [providers.<name>] tables in this file — confirm against the loader.
[default_model]
provider = "anthropic"
model_id = "claude-sonnet-4-20250514"
# ── Providers ────────────────────────────────────────────────────
# api_key_env is the NAME of an environment variable that contains the API
# key, not the key itself, so no provider secret has to be written into this
# file. Names must match [A-Z_][A-Z0-9_]* and be 1–128 characters long.
# enabled controls whether the provider is active.
[providers.anthropic]
api_key_env = "ANTHROPIC_API_KEY"
enabled = true
[providers.openai]
api_key_env = "OPENAI_API_KEY"
enabled = true
[providers.groq]
api_key_env = "GROQ_API_KEY"
enabled = true
# base_url is a custom base URL for local models or proxies. This one is
# plain HTTP to the local machine; if it is ever pointed at another host,
# prefer https:// so prompts and responses are not sent in clear text.
[providers.ollama]
base_url = "http://localhost:11434"
enabled = true
# ── Provider URL Overrides ───────────────────────────────────────
# Provider URLs must start with http:// or https://.
# NOTE(review): an override presumably receives the same requests the
# provider would, including the API key, so it should be an https://
# endpoint you control — confirm how credentials are forwarded.
[provider_urls]
# anthropic = "https://api-proxy.internal.company.com/anthropic"
# ── Complexity-Based Routing (Optional) ──────────────────────────
# Selects a model from a complexity score: a score below simple_threshold
# uses simple_model, a score at or above complex_threshold uses complex_model.
# NOTE(review): scores in between presumably use medium_model — confirm.
# The values here look like "<provider>/<model_id>"; verify the expected form.
[routing]
simple_model = "groq/llama-3.1-8b-instant"
medium_model = "anthropic/claude-sonnet-4-20250514"
complex_model = "anthropic/claude-sonnet-4-20250514"
simple_threshold = 100
complex_threshold = 500
# ── Server ───────────────────────────────────────────────────────
# listen takes host:port or unix://path. 0.0.0.0 binds every network
# interface; the documented default is 127.0.0.1:4200 (loopback only).
# In this example [auth] mode is "disabled", [server.tls] is off and
# allowed_ips is commented out, so review those three settings together
# before binding a non-loopback address.
# The --listen CLI flag and the HOZIRON_LISTEN environment variable are
# listed ahead of this key in the listen-address priority order.
[server]
listen = "0.0.0.0:4200"
# CIDR ranges or IPs allowed to connect. The list cannot be empty when the
# key is present; leaving the key out allows all addresses.
# allowed_ips = ["10.0.0.0/8", "172.16.0.0/12"]
# Native TLS. NOTE(review): with enabled = false the listener presumably
# speaks plain HTTP unless TLS is terminated elsewhere (e.g. a reverse
# proxy) — confirm. key_path points at the private key; keep that file
# readable only by the account that runs the server.
[server.tls]
enabled = false
# cert_path = "/path/to/cert.pem"
# key_path = "/path/to/key.pem"
# Request size and timeout caps. max_request_body_bytes must be > 0.
[server.limits]
max_request_body_bytes = 10485760 # 10 MiB (10 * 1024 * 1024)
idle_timeout_secs = 300 # 5 minutes
request_timeout_secs = 600 # 10 minutes
# allowed_origins cannot be empty when CORS is configured, and the wildcard
# "*" cannot be combined with allow_credentials = true. With credentials
# allowed, list only origins you control.
# max_age_secs is the preflight cache duration.
[server.cors]
allowed_origins = ["https://dashboard.company.com"]
allow_credentials = true
max_age_secs = 3600
# ── Health Monitoring ────────────────────────────────────────────
# failure_threshold is the number of failures that trips the circuit
# breaker; recovery_cooldown_secs is the cooldown before a HalfOpen probe.
# Validation requires each value to stay inside the range noted beside it.
[health]
enabled = true
check_interval_secs = 30 # Range: 5–300
failure_threshold = 5 # Range: 1–50
recovery_cooldown_secs = 60 # Range: 10–600
# ── Agent Auto-Loading ───────────────────────────────────────────
# NOTE(review): presumably every manifest found in manifests_dir is loaded
# automatically — confirm. If so, write access to this directory amounts to
# being able to add agents; restrict it to the deploying account.
[agents]
manifests_dir = "/data/agents/"
# ── Catalog / Registry ───────────────────────────────────────────
# NOTE(review): verify_signatures = true presumably rejects packages whose
# signature does not verify — confirm; keep it on for any registry you do
# not fully control.
# NOTE(review): default_publish_registry is "internal", but the only registry
# defined in this example is named "hoziron" and the "internal" scope below
# is commented out — confirm what this name resolves against.
# NOTE(review): packages_dir is a relative path; confirm what it is
# resolved against.
[catalog]
verify_signatures = true
packages_dir = "packages"
cache_ttl_secs = 3600
default_publish_registry = "internal"
# NOTE(review): the ordering meaning of priority is not documented here —
# confirm whether the higher or the lower number wins when several
# registries offer the same package name.
[[catalog.registries]]
name = "hoziron"
url = "https://catalog.hoziron.com"
priority = 100
enabled = true
# NOTE(review): looks like a scope-name → registry-URL map; verify. Use
# https:// URLs so package downloads cannot be altered in transit.
[catalog.scopes]
# internal = "https://packages.internal.company.com"
# ── Logging ──────────────────────────────────────────────────────
# Optional log output format; "json" is the only value shown in this example.
[logging]
# format = "json"
# ── Authentication ───────────────────────────────────────────────
# mode selects one of: disabled | local | oidc.
# NOTE(review): "disabled" presumably means requests are not authenticated —
# confirm. It is paired in this example with listen = "0.0.0.0:4200"; choose
# local or oidc before exposing the listener beyond loopback.
[auth]
mode = "disabled" # disabled | local | oidc
# NOTE(review): looks like a backoff that grows from base_backoff_secs up to
# max_backoff_secs after failed attempts, with max_failed_attempts as a cap —
# confirm the exact semantics (per user or per IP, lockout or delay).
[auth.rate_limit]
base_backoff_secs = 1
max_backoff_secs = 300
max_failed_attempts = 10
# OIDC token validation settings. issuer, audience and jwks_uri are empty
# placeholders here. NOTE(review): they presumably must be set when
# mode = "oidc"; verify that empty values are rejected at startup rather than
# causing the corresponding check to be skipped.
# allowed_algorithms lists asymmetric signature algorithms only; do not add
# "none" or HMAC (HS*) algorithms when tokens are verified against a JWKS.
# NOTE(review): with jwks_cache_ttl_secs = 3600 a signing key removed at the
# IdP may stay accepted until the cache expires — confirm refresh behaviour.
[auth.oidc]
issuer = ""
audience = ""
jwks_uri = ""
role_claim = "roles"
allowed_algorithms = ["RS256", "ES256"]
jwks_cache_ttl_secs = 3600
# Maps a role name issued by the IdP to a hoziron role. Keys are quoted
# because IdP role names may contain characters outside the bare-key set.
# NOTE(review): confirm that a role with no mapping grants no access.
[auth.oidc.role_mapping]
# "IdPRole" = "hoziron_role"
# ── Audit ────────────────────────────────────────────────────────
# Audit is off in this example. NOTE(review): what is recorded and where it
# is written is not documented here — confirm, and consider enabling it
# wherever authentication is enabled so actions can be attributed.
[audit]
enabled = false
# ── Telemetry (requires telemetry feature) ───────────────────────
# endpoint is a plain http:// URL on port 4317 (the usual OTLP/gRPC port).
# NOTE(review): exported telemetry can carry request metadata; if the
# collector is not on a trusted network, use a TLS-protected endpoint —
# confirm whether https:// is accepted here.
[telemetry]
enabled = false
endpoint = "http://otel-collector:4317"
service_name = "hoziron"
Section Reference
[default_model]
| Field | Type | Description |
|---|---|---|
| `provider` | string | Default provider name |
| `model_id` | string | Default model identifier |
[providers.<name>]
| Field | Type | Description |
|---|---|---|
| `api_key_env` | string | Name of the environment variable that contains the API key |
| `base_url` | string | Custom base URL (for local models or proxies) |
| `enabled` | bool | Whether this provider is active |
[server]
| Field | Type | Description |
|---|---|---|
| `listen` | string | Address to bind (`host:port` or `unix://path`) |
| `allowed_ips` | string[] | CIDR ranges or IPs allowed to connect |
[server.tls]
| Field | Type | Description |
|---|---|---|
| `enabled` | bool | Enable native TLS |
| `cert_path` | string | Path to TLS certificate |
| `key_path` | string | Path to TLS private key |
[server.limits]
| Field | Type | Default | Description |
|---|---|---|---|
| `max_request_body_bytes` | int | 10485760 | Max request body size |
| `idle_timeout_secs` | int | 300 | Idle connection timeout |
| `request_timeout_secs` | int | 600 | Request timeout |
[server.cors]
| Field | Type | Description |
|---|---|---|
| `allowed_origins` | string[] | Allowed CORS origins |
| `allow_credentials` | bool | Allow credentials |
| `max_age_secs` | int | Preflight cache duration |
[health]
| Field | Type | Range | Default | Description |
|---|---|---|---|---|
| `enabled` | bool | — | true | Enable health monitoring |
| `check_interval_secs` | int | 5–300 | 30 | Health check interval |
| `failure_threshold` | int | 1–50 | 5 | Failures to trip circuit breaker |
| `recovery_cooldown_secs` | int | 10–600 | 60 | Cooldown before HalfOpen probe |
[routing]
| Field | Type | Description |
|---|---|---|
| `simple_model` | string | Model for simple requests |
| `medium_model` | string | Model for medium complexity |
| `complex_model` | string | Model for complex requests |
| `simple_threshold` | int | Score below this → simple |
| `complex_threshold` | int | Score at/above this → complex |
Validation Rules
- `server.listen` must be a valid `host:port` or `unix://path`
- `health.check_interval_secs` must be 5–300
- `health.failure_threshold` must be 1–50
- `health.recovery_cooldown_secs` must be 10–600
- `server.limits.max_request_body_bytes` must be > 0
- `server.cors.allowed_origins` cannot be empty when CORS is configured
- Wildcard `*` cannot be used with `allow_credentials = true`
- `server.allowed_ips` cannot be empty when configured (remove the key to allow all)
- Provider URLs must start with `http://` or `https://`
- API key env var names must match `[A-Z_][A-Z0-9_]*` (1–128 chars)
Listen Address Priority
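- CLI flag: `hoziron start --listen 0.0.0.0:4200`
- Environment variable: `HOZIRON_LISTEN=0.0.0.0:4200`
- Config file: `[server].listen`
- Default: `127.0.0.1:4200`

The default binds to loopback only; the `0.0.0.0` values shown in the examples above listen on every network interface.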