
Configuration

Molf Assistant is configured through CLI flags, environment variables, and a YAML config file. This page is the unified reference for all configuration options across every component.

Configuration Sources

Settings are resolved in this priority order (highest wins):

  1. CLI flags -- --port 8080
  2. Environment variables -- MOLF_PORT=8080
  3. YAML config file -- molf.yaml
  4. Defaults

Server Configuration

YAML Config File

The server reads configuration from molf.yaml in the current directory by default. Pass --config to use a different path.

yaml
# molf.yaml
host: 127.0.0.1
port: 7600
dataDir: .
model: google/gemini-2.5-flash

# TLS
noTls: false
tlsCert: /path/to/cert.pem
tlsKey: /path/to/key.pem

# Providers
enabled_providers:
  - google
  - anthropic
enable_all_providers: false
providers:
  my-provider:
    # Custom provider definition

# Behavior
behavior:
  temperature: 0.7
  contextPruning: true

# Plugins
plugins:
  - "@molf-ai/plugin-cron"
  - name: "@molf-ai/plugin-mcp"
    config: {}

CLI Flags

| Flag | Short | Description | Default |
| --- | --- | --- | --- |
| --config | -c | Path to YAML config file | -- |
| --data-dir | -d | Data directory for sessions, logs, auth | . |
| --host | -H | Bind address | 127.0.0.1 |
| --port | -p | WebSocket port | 7600 |
| --token | -t | Fixed auth token | (auto-generated) |
| --no-tls | -- | Disable TLS | false |
| --tls-cert | -- | Path to TLS certificate file | (auto-generated) |
| --tls-key | -- | Path to TLS private key file | (auto-generated) |

Environment Variables

| Variable | Default | Description |
| --- | --- | --- |
| MOLF_TOKEN | (random) | Fixed auth token across restarts |
| MOLF_HOST | 127.0.0.1 | Bind address |
| MOLF_PORT | 7600 | WebSocket port |
| MOLF_DATA_DIR | . | Data directory |
| MOLF_DEFAULT_MODEL | -- | Default model in provider/model format |
| MOLF_ENABLE_ALL_PROVIDERS | -- | Set to 1 to enable all providers with detected API keys |
| MOLF_TLS_SAN | IP:127.0.0.1,DNS:localhost | TLS certificate Subject Alternative Names |
| MODELS_DEV_DISABLE | -- | Set to 1 to disable models.dev catalog fetch |
| MOLF_LOG_LEVEL | info | Log verbosity: debug, info, warning, error |
| MOLF_LOG_FILE | (enabled) | Set to none to disable file logging |

Worker Configuration

Workers are configured via CLI flags and environment variables (no YAML config).

CLI Flags

| Flag | Short | Description | Default |
| --- | --- | --- | --- |
| --name | -n | Worker name (required) | -- |
| --workdir | -w | Working directory for tool execution | Current directory |
| --server-url | -s | Server WebSocket URL | wss://127.0.0.1:7600 |
| --token | -t | Auth token | -- |
| --tls-ca | -- | Path to CA certificate file | -- |

Environment Variables

| Variable | Default | Description |
| --- | --- | --- |
| MOLF_SERVER_URL | wss://127.0.0.1:7600 | Server WebSocket URL |
| MOLF_TOKEN | -- | Auth token |
| MOLF_TLS_CA | -- | Path to CA certificate file |
| MOLF_LOG_LEVEL | info | Log verbosity |
| MOLF_LOG_FILE | (enabled) | Set to none to disable file logging |

Default URL uses TLS

The default server URL is wss:// (TLS enabled). If the server was started with --no-tls, use ws:// instead:

bash
pnpm dev:worker -- --name my-worker --server-url ws://127.0.0.1:7600

TUI Client Configuration

CLI Flags

| Flag | Short | Description | Default |
| --- | --- | --- | --- |
| --server-url | -s | Server WebSocket URL | wss://127.0.0.1:7600 |
| --token | -t | Auth token | -- |
| --worker-id | -w | Target worker UUID | (auto) |
| --session-id | -- | Resume a specific session | (auto) |
| --tls-ca | -- | Path to CA certificate file | -- |

Environment Variables

| Variable | Default | Description |
| --- | --- | --- |
| MOLF_SERVER_URL | wss://127.0.0.1:7600 | Server WebSocket URL |
| MOLF_TOKEN | -- | Auth token |
| MOLF_WORKER_ID | (auto) | Target worker UUID |
| MOLF_SESSION_ID | (auto) | Resume session UUID |
| MOLF_TLS_CA | -- | Path to CA certificate |

Telegram Bot Configuration

CLI Flags

| Flag | Short | Description | Default |
| --- | --- | --- | --- |
| --server-url | -s | Server WebSocket URL | wss://127.0.0.1:7600 |
| --token | -t | Auth token | -- |
| --worker-id | -w | Target worker UUID | (auto) |
| --bot-token | -b | Telegram bot token | -- |
| --allowed-users | -- | Comma-separated allowed user IDs or usernames | (all) |
| --config | -c | Path to YAML config file | -- |
| --tls-ca | -- | Path to CA certificate file | -- |

Environment Variables

| Variable | Default | Description |
| --- | --- | --- |
| MOLF_SERVER_URL | wss://127.0.0.1:7600 | Server WebSocket URL |
| MOLF_TOKEN | -- | Auth token |
| MOLF_WORKER_ID | (auto) | Target worker UUID |
| TELEGRAM_BOT_TOKEN | -- | Telegram bot token |
| TELEGRAM_ALLOWED_USERS | (all) | Comma-separated allowed user IDs/usernames |
| MOLF_TLS_CA | -- | Path to CA certificate |
| MOLF_LOG_FILE | (disabled) | Set to file path to enable file logging |

TLS Configuration

TLS is enabled by default. On first start the server auto-generates a self-signed EC (prime256v1) certificate with 365-day validity, and it enforces TLSv1.3 as the minimum protocol version.

Disabling TLS

For development, disable TLS with:

bash
pnpm dev:server -- --no-tls

Workers and clients must then use ws:// instead of wss:// in their server URL.
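
A pre-deployment check that combines the priority order from Configuration Sources with the --no-tls setting. This is an added example, not Molf's own code: the function names (fromEnv, resolve, audit, isLoopback) and the finding texts are hypothetical, and each source is assumed to be an already-parsed object.

```javascript
// Added example, not Molf's own code. Sources are already-parsed objects.
const DEFAULTS = { host: "127.0.0.1", port: 7600, noTls: false, token: undefined };

// Map the documented server environment variables onto config keys.
function fromEnv(env) {
  return {
    host: env.MOLF_HOST,
    port: env.MOLF_PORT === undefined ? undefined : Number(env.MOLF_PORT),
    token: env.MOLF_TOKEN,
  };
}

// Priority: CLI flags > environment variables > YAML file > defaults.
function resolve(cli, env, yaml) {
  const sources = [["cli", cli], ["env", fromEnv(env)], ["yaml", yaml], ["default", DEFAULTS]];
  const cfg = {}, origin = {};
  for (const key of Object.keys(DEFAULTS)) {
    const hit = sources.find(([, src]) => src[key] !== undefined);
    cfg[key] = hit ? hit[1][key] : undefined;
    origin[key] = hit ? hit[0] : "default";
  }
  return { cfg, origin };
}

function isLoopback(host) {
  return host === "localhost" || host === "::1" || /^127\.\d+\.\d+\.\d+$/.test(host);
}

// Return review findings for the resolved server settings.
function audit({ cfg, origin }) {
  const findings = [];
  if (cfg.noTls && !isLoopback(cfg.host))
    findings.push(`TLS disabled while bound to ${cfg.host}: traffic, including the auth token, is unencrypted`);
  if (origin.token === "cli")
    findings.push("--token on the command line is visible in the process list; prefer MOLF_TOKEN");
  return findings;
}

// Constructed inputs: the YAML file binds to all interfaces, the CLI disables TLS.
const demo = resolve(
  { noTls: true, token: "constructed-token" },
  { MOLF_PORT: "8080" },
  { host: "0.0.0.0", port: 7600 }
);
console.log(demo.cfg, audit(demo));
```
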

Custom Certificates

Provide your own certificate and key:

bash
pnpm dev:server -- --tls-cert /path/to/cert.pem --tls-key /path/to/key.pem

Subject Alternative Names

The auto-generated certificate includes SANs for 127.0.0.1 and localhost by default. Override with:

bash
MOLF_TLS_SAN="IP:192.168.1.100,DNS:myhost.local" pnpm dev:server

TOFU Trust Model

On first connection, workers and clients probe the server's certificate via a raw TLS handshake (5s timeout) and display the fingerprint for manual approval. Once approved, the certificate is pinned to ~/.molf/known_certs/ and verified on all future connections (rejectUnauthorized: true).

The trust resolution priority is: CA file > saved (pinned) cert > TOFU prompt.
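
The resolution order above, written out as a decision function. This is an added example, not Molf's own code: fingerprint and resolveTrust are hypothetical names, and it assumes SHA-256 fingerprints and a pin stored as a fingerprint string, neither of which this page specifies.

```javascript
// Added example, not Molf's own code. SHA-256 and the pin-as-string format
// are assumptions of this sketch; the page does not specify either.
const crypto = require("node:crypto");

// Colon-separated SHA-256 fingerprint of a DER-encoded certificate.
// In Node, the DER bytes of a peer are available as getPeerCertificate().raw.
function fingerprint(der) {
  const hex = crypto.createHash("sha256").update(der).digest("hex").toUpperCase();
  return hex.match(/.{2}/g).join(":");
}

// Trust resolution priority from the text: CA file > pinned cert > TOFU prompt.
function resolveTrust({ caFile, pinned, presentedDer }) {
  // With a CA file, chain validation decides; pins and prompts are not consulted.
  if (caFile) return { mode: "ca", action: "verify-chain" };
  const seen = fingerprint(presentedDer);
  if (pinned) {
    // A certificate that differs from the pin is rejected here, never
    // silently re-prompted or re-pinned (this sketch's choice).
    return pinned === seen
      ? { mode: "pinned", action: "connect", seen }
      : { mode: "pinned", action: "reject", seen, expected: pinned };
  }
  // No CA and no pin: show the fingerprint and wait for manual approval.
  return { mode: "tofu", action: "prompt", seen };
}

// Constructed stand-ins for DER bytes; real input would be a certificate.
const certA = Buffer.from("constructed certificate A");
const certB = Buffer.from("constructed certificate B");
const pinA = fingerprint(certA);

function demo() {
  return [
    resolveTrust({ presentedDer: certA }),                 // first contact
    resolveTrust({ pinned: pinA, presentedDer: certA }),   // pin matches
    resolveTrust({ pinned: pinA, presentedDer: certB }),   // certificate changed
    resolveTrust({ caFile: "/path/to/ca.pem", pinned: pinA, presentedDer: certB }),
  ].map((r) => r.action);
}
console.log(demo());
```
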

CA Certificate Mode

If you use a proper CA-signed certificate, workers and clients can verify it with:

bash
pnpm dev:worker -- --name my-worker --tls-ca /path/to/ca.pem

Authentication

See Authentication for the full reference.

Summary:

  • Master token -- auto-generated on first start or fixed via MOLF_TOKEN. SHA-256 hash stored in {dataDir}/server.json.
  • API keys -- yk_ prefixed, issued through the pairing flow. Hashes stored in server.json.
  • Pairing -- 6-digit codes for interactive device setup. Rate-limited.
  • Credential storage -- ~/.molf/credentials.json (configurable via MOLF_CREDENTIALS_DIR).

Logging

| Variable | Default | Applies To | Description |
| --- | --- | --- | --- |
| MOLF_LOG_LEVEL | info | All processes | Log verbosity: debug, info, warning, error |
| MOLF_LOG_FILE | Enabled | Server, Worker | Set to none to disable file logging |
| MOLF_LOG_FILE | Disabled | Telegram | Set to a file path to enable |

Log file locations:

| Process | Location | Rotation |
| --- | --- | --- |
| Server | {dataDir}/logs/server.log | 5MB x 5 files |
| Worker | {workdir}/.molf/logs/worker.log | 5MB x 5 files |
| Telegram | (disabled by default) | 5MB x 3 files |

See Logging for categories, formats, and troubleshooting.

Data Directory Layout

Server ({dataDir}/)

server.json                           # Auth token hash + API keys
sessions/{id}.json                    # Session state files
workers/{workerId}/
  worker.json                         # Persisted worker state
  permissions.jsonc                   # Tool approval rules
  workspaces/{workspaceId}/
    workspace.json                    # Workspace config + session list
    cron/jobs.json                    # Cron job definitions
logs/
  server.log                          # JSONL rotating log

Worker ({workdir}/)

.molf/
  worker.json                         # Worker UUID
  uploads/                            # Uploaded files
  tool-output/                        # Truncated tool output files
  logs/
    worker.log                        # JSONL rotating log
.agents/
  skills/{name}/SKILL.md              # Skill definitions
  agents/{name}.md                    # Agent definitions
.mcp.json                             # MCP server config
AGENTS.md (or CLAUDE.md)              # Root instruction document

User Home (~/.molf/)

credentials.json                      # Server credentials (API key per server URL)
known_certs/                          # Pinned TLS certificates

Provider API Keys

LLM providers are auto-detected based on environment variables. Set the API key for the provider you want to use:

| Variable | Provider |
| --- | --- |
| GEMINI_API_KEY | Google Gemini |
| ANTHROPIC_API_KEY | Anthropic |
| OPENAI_API_KEY | OpenAI |
| XAI_API_KEY | xAI |
| MISTRAL_API_KEY | Mistral |
| GROQ_API_KEY | Groq |
| DEEPINFRA_API_KEY | DeepInfra |
| CEREBRAS_API_KEY | Cerebras |
| COHERE_API_KEY | Cohere |
| TOGETHER_AI_API_KEY | Together AI |
| PERPLEXITY_API_KEY | Perplexity |
| AWS_ACCESS_KEY_ID | Amazon Bedrock |
| GOOGLE_APPLICATION_CREDENTIALS | Google Vertex AI |
| AZURE_OPENAI_API_KEY | Azure OpenAI |
| OPENROUTER_API_KEY | OpenRouter |

See LLM Providers for model resolution, custom providers, and the models.dev catalog.
