This document collects the configuration and operational details that are useful when setting up, running, or extending the project locally.
These values are required for the app to boot and run its main task flow:
POSTGRES_URL: Postgres connection string used by the app and Drizzle commandsSEALOS_HOST: Sealos region host, for examplestaging-usw-1.sealos.ioDEVBOX_TOKEN: static Devbox API tokenJWE_SECRET: secret for session encryptionENCRYPTION_KEY: symmetric key used to encrypt stored tokens and user API keysGITHUB_CLIENT_ID: GitHub OAuth client IDGITHUB_CLIENT_SECRET: GitHub OAuth client secret
AI_GATEWAY_API_KEY: required for the current Codex execution path unless users are expected to supply their own key through the UI
APP_BASE_URL: explicit public base URL for OAuth callbacks in self-hosted deploymentsNPM_TOKEN: used when runtimes need to install private npm dependenciesMAX_SANDBOX_DURATION: default runtime lifetime in minutesMAX_MESSAGES_PER_DAY: per-user daily limit for tasks and follow-up turnsDEVBOX_NAMESPACE: override the default Devbox namespaceDEVBOX_RUNTIME_IMAGE: override the runtime imageDEVBOX_ARCHIVE_AFTER_PAUSE_TIME: archive timing after runtime pauseDEVBOX_JWT_SIGNING_KEY: required whenDEVBOX_TOKENis not set and JWT auth is used insteadDEVBOX_JWT_TTL_SECONDS: token lifetime for JWT-based Devbox authCODEX_GATEWAY_SESSION_TTL_MS: session TTL for Codex Gateway
The app derives several URLs from SEALOS_HOST in lib/sealos/config.ts.
For a host such as staging-usw-1.sealos.io, the app derives:
- region:
staging-usw-1 - region URL:
https://staging-usw-1.sealos.io - template API:
https://template.staging-usw-1.sealos.io/api/v2alpha/templates/raw - Devbox base URL:
https://devbox-server.staging-usw-1.sealos.io
The only supported sign-in flow is GitHub OAuth.
Required OAuth scopes are defined in lib/auth/oauth.ts:
reporead:useruser:emailread:packageswrite:packages
The GitHub callback route is:
/api/auth/github/callback
For local development, a typical OAuth app setup uses:
- homepage URL:
http://localhost:3000 - callback URL:
http://localhost:3000/api/auth/github/callback
If APP_BASE_URL is set, it is used for callback resolution. Otherwise, the app falls back to forwarded headers and finally to req.nextUrl.origin.
The app supports two ways to authenticate to Devbox:
If DEVBOX_TOKEN is present, it is used directly.
If DEVBOX_TOKEN is absent, the app expects:
DEVBOX_JWT_SIGNING_KEY- optionally
DEVBOX_JWT_TTL_SECONDS
In this mode the app signs short-lived JWTs scoped to the configured namespace.
The main task flow runs inside a Devbox runtime.
Key behaviors:
- runtimes can be created, resumed, and refreshed
- runtime namespace defaults to
ns-testunless overridden - runtime lifetime is bounded by
MAX_SANDBOX_DURATIONor a task-specific duration - if task retention is enabled, the runtime remains available for follow-up work until timeout
The code that governs this behavior lives mainly in:
lib/devbox/runtime.tslib/devbox/config.tslib/sealos/config.ts
The project is intentionally pinned to a fixed execution path:
- agent:
codex - model:
gpt-5.4
Relevant code:
lib/codex/defaults.tslib/codex-gateway/config.tsapp/api/tasks/route.ts
Gateway URL and auth token are primarily resolved from Devbox runtime metadata. Existing stored task values are used as fallback when necessary.
The project uses Drizzle ORM and checked-in SQL migrations under:
lib/db/migrations/
Drizzle configuration lives in:
drizzle.config.ts
Important behavior:
.env.localis loaded first.envis used as fallback- Drizzle commands fail fast if
POSTGRES_URLis missing
Typical commands:
pnpm db:generate
pnpm db:migrate
pnpm db:studio- Create
.env.localwith required values. - Run
pnpm install. - Run
pnpm db:migrate. - Run
pnpm dev. - Sign in with GitHub.
- Choose a repository and create a task.
Users can provide their own API keys through the application. Those values can override global configuration for supported flows.
Connector secrets and user API keys depend on ENCRYPTION_KEY. If that key is missing, encrypted storage paths will not work correctly.
The repository has strict logging rules:
- default to static log messages
- only allow dynamic runtime identifiers through the task-flow logging utility
- avoid sensitive values in logs and user-facing errors
Read AGENTS.md before changing logging, auth, or task execution code.