Config & ports

AGP Community Edition keeps everything on your machine. There are two config surfaces: the per-service env files (where each service listens and what it depends on) and the CLI config (your profiles, credentials, and output preferences).

The ~/.agp home

~/.agp/
├── bin/                   # service binaries (agp-identity, agp-proxy, …)
├── services/              # per-service env files
│   ├── identity.env
│   ├── proxy.env
│   └── …                  # one per service (.env.bak after --force)
├── secrets/
│   ├── admin-token        # the shared admin token (read-only)
│   └── console-password   # the console password (read-only)
├── data/                  # SQLite databases, one per service
└── logs/                  # service + bridge logs

Recover the console password any time with cat ~/.agp/secrets/console-password.

Service env files

Each ~/.agp/services/<service>.env is the source of truth for where that service listens. agp status / start / stop read it directly, so a port edit there takes effect on the next restart. The files are written by agp init with internally-consistent cross-references (each service's listeners and its dependencies' addresses), so you normally never touch them.

Default ports

All services bind 127.0.0.1 by default, in the quiet 27860+ range so conflicts are rare:

Service             HTTP   gRPC   Env key
identity            27860  27880  HTTP_LISTEN_ADDR
registry            27861  27881  HTTP_LISTEN_ADDR
behavior-profile    27862  27882  HTTP_LISTEN_ADDR
policy              27863  27883  HTTP_LISTEN_ADDR
audit               27864  27884  HTTP_LISTEN_ADDR
approval            27865  27885  HTTP_LISTEN_ADDR
approval-ops        27866  -      LISTEN_ADDR
proxy               27867  -      LISTEN_ADDR
admin-ui (console)  27868  -      ADMIN_UI_LISTEN_ADDR

Changing a port

If something already holds one of these ports:

  1. Edit the address in ~/.agp/services/<service>.env, e.g. HTTP_LISTEN_ADDR=127.0.0.1:37863.
  2. Restart it: agp restart <service>.

If a dependency's port changes, update the consumers' env files too (each service's .env lists the addresses it dials). The cleanest reset is:

agp init --force

--force re-renders every service .env from the current defaults, keeping a .bak of each. Your secrets are never regenerated.

--force re-renders env files, not your CLI config

agp init --force rewrites the service .env files. It does not touch your CLI config.yaml — see below. If you remap a port with --force, update the matching *_http endpoint in your CLI profile by hand so service commands keep reaching the right address.

The CLI config

Default location ~/.config/agp/config.yaml (override with --config). It holds your profiles, stored agent credentials, and output preferences:

default_profile: local
output: table # table | json
json_pretty: true # pretty-print JSON output by default

profiles:
  local:
    identity_http: http://localhost:27860
    registry_http: http://localhost:27861
    behavior_profile_http: http://localhost:27862
    policy_http: http://localhost:27863
    audit_http: http://localhost:27864
    approval_http: http://localhost:27865
    proxy_http: http://localhost:27867
    token: <admin-token>
    agent_credentials:
      my-agent:
        client_id: <id>
        client_secret: <secret>
        behavior_profile_id: my-agent.local.default

agp never overwrites your config

config.yaml is created once by agp init and is then owned by you — agp never modifies it, not even with --force. It accrues your agents and credentials over time, and rewriting it would lose them. Edit it freely.
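
Because agp never rewrites config.yaml, a remapped service port leaves the CLI profile stale until you edit it. The check below is an added example, not part of agp: it compares each service env file's listener with the matching *_http endpoint of one profile and flags listeners that are no longer bound to loopback. The function names, the sample values, and the tolerance for comments and quotes in env files are assumptions; the endpoints map is the profile as you would load it from config.yaml with a YAML parser.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Listener keys taken from the default-ports table on this page.
LISTEN_KEYS = ("HTTP_LISTEN_ADDR", "LISTEN_ADDR", "ADMIN_UI_LISTEN_ADDR")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}

def listen_addr(env_text):
    """Return the listener address from KEY=VALUE env text, or None."""
    env = {}
    for line in env_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return next((env[k] for k in LISTEN_KEYS if k in env), None)

def audit(services, endpoints):
    """services: {name: env text}; endpoints: one CLI profile's *_http map."""
    findings = []
    for name, text in sorted(services.items()):
        addr = listen_addr(text)
        if addr is None:
            continue
        host, _, port = addr.rpartition(":")
        # 0.0.0.0 or an empty host (":27863") is not a loopback-only bind.
        if host not in LOOPBACK_HOSTS:
            findings.append((name, "non-loopback", addr))
        # behavior-profile.env pairs with behavior_profile_http, and so on.
        url = endpoints.get(name.replace("-", "_") + "_http")
        if url and port.isdigit() and urlsplit(url).port != int(port):
            findings.append((name, "cli-drift", f"{url} vs {addr}"))
    return findings

def load_services(home=None):
    """Read every services/<service>.env under the AGP home."""
    home = Path(home) if home else Path.home() / ".agp"
    return {p.stem: p.read_text() for p in (home / "services").glob("*.env")}

# Constructed sample: policy was remapped, audit was bound to all interfaces.
SAMPLE_SERVICES = {"policy": "HTTP_LISTEN_ADDR=127.0.0.1:37863\n",
                   "audit": "HTTP_LISTEN_ADDR=0.0.0.0:27864\n",
                   "proxy": "LISTEN_ADDR=127.0.0.1:27867\n"}
SAMPLE_ENDPOINTS = {"policy_http": "http://localhost:27863",
                    "audit_http": "http://localhost:27864",
                    "proxy_http": "http://localhost:27867"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES, SAMPLE_ENDPOINTS):
        print(*finding, sep="\t")
```

On a real install, pass load_services() as the first argument instead of the sample map.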

Output preferences

  • output: table | json — the default rendering. Override per-command with --output.
  • json_pretty: true — pretty-print JSON by default. Override with --no-pretty (compact) or --pretty.

Profiles

A profile is a named set of endpoints + token. Most users only ever have local. You can add more profiles to point the CLI at different stacks and select one with --profile <name> (or set default_profile).