Appearance
Server Overview
The server is the central coordinator in Molf Assistant. It orchestrates LLM interactions, manages sessions and workspaces, dispatches tool calls to workers, and routes events to clients. The server does not execute tools -- that is the worker's responsibility.
Starting the Server
bash
pnpm dev:serverOr run the entry point directly:
bash
tsx packages/server/src/main.tsThe server reads molf.yaml from the current directory by default. See Configuration for all CLI flags, environment variables, and YAML options.
Startup Sequence
On start, the server initializes these components in order:
- Auth system -- loads or creates the master token, initializes API key store
- Provider registry -- detects available LLM providers via API key environment variables
- SessionManager -- loads persisted sessions from disk
- WorkerStore -- loads persisted worker state
- ConnectionRegistry -- tracks connected workers and clients
- EventBus -- per-session event channels for streaming to clients
- ToolDispatch -- promise queue for routing tool calls to workers (120s timeout)
- UploadDispatch -- file upload routing (30s timeout)
- FsDispatch -- filesystem read routing (30s timeout)
- InlineMediaCache -- caches media for LLM context (8h TTL, 200MB max)
- WorkspaceStore -- workspace configuration and session grouping
- WorkspaceNotifier -- pushes workspace events to subscribed clients
- ApprovalGate -- tool approval evaluation engine
- PluginLoader -- loads and initializes server plugins
- AgentRunner -- LLM orchestration engine
- PairingStore -- manages pairing codes for new device setup
- RateLimiter -- rate limiting for public procedures
TLS
TLS is enabled by default. On first start, the server generates a self-signed EC (prime256v1) certificate with TLSv1.3 minimum version and 365-day validity.
Workers and clients verify the certificate using TOFU (trust-on-first-use): the fingerprint is displayed on first connection for manual approval, then pinned for future use.
| Option | Description |
|---|---|
--no-tls | Disable TLS entirely |
--tls-cert / --tls-key | Use custom certificate and key files |
MOLF_TLS_SAN | Subject Alternative Names (default: IP:127.0.0.1,DNS:localhost) |
See Configuration > TLS for full details.
Authentication
The server supports two authentication mechanisms:
- Master token -- generated on first start (or set via
MOLF_TOKEN), SHA-256 hash stored in{dataDir}/server.json - API keys --
yk_prefixed keys issued through the pairing flow, hashes stored inserver.json
All authenticated tRPC procedures verify credentials via constant-time comparison of the Authorization: Bearer header against stored hashes.
See Authentication for the full auth flow, pairing codes, and API key management.
Workspaces
Workspaces group sessions and carry per-workspace configuration. Each workspace can override the default LLM model.
- A default workspace is auto-created on first use
- Configuration stored at
{dataDir}/workers/{workerId}/workspaces/{workspaceId}/workspace.json - Managed via the
workspace.*tRPC procedures
Plugin System
Two plugins are loaded by default:
@molf-ai/plugin-cron-- scheduled task execution withat,every, andcronschedule types@molf-ai/plugin-mcp-- MCP client integration for workers
Configure plugins in molf.yaml:
yaml
plugins:
- "@molf-ai/plugin-cron"
- name: "@molf-ai/plugin-mcp"
config: {}Server plugins can add tRPC routes, tools, session-scoped tools, services, and hook handlers. Worker plugin specifiers are sent to workers on connect so they can load their worker-side counterparts.
See Plugins for the full plugin API and hook reference.
WebSocket Settings
| Setting | Value |
|---|---|
| Max payload | 50MB |
| Keep-alive ping interval | 30s |
| Pong timeout | 10s |
Key Timeouts
| Operation | Timeout |
|---|---|
| Tool dispatch | 120s |
| Upload dispatch | 30s |
| FS read dispatch | 30s |
| Agent turn | 30 min |
| Agent idle eviction | 30 min |
| Subagent execution | 5 min |
tRPC Routers
The server exposes 9 tRPC sub-routers over WebSocket:
| Router | Purpose |
|---|---|
session.* | Create, list, load, delete, rename sessions |
agent.* | Prompt, abort, status, event subscription |
tool.* | List tools, approve/deny tool calls |
worker.* | Worker registration, state sync, tool dispatch |
fs.* | Filesystem read operations |
provider.* | List providers and models |
workspace.* | Workspace management |
auth.* | Pairing codes, API key management |
plugin.* | Plugin route dispatch |
See Protocol for the full API reference.
See Also
- Sessions -- session lifecycle, summarization, context pruning
- LLM Providers -- provider setup, model resolution
- Authentication -- auth flow, pairing, API keys
- Event System -- event types, EventBus, subscriptions
- Architecture -- package dependency graph and module structure