Sorat stores its configuration in ~/.sorat/config.json. You can edit it directly or use the web UI / CLI.
Config file structure
{
"llm": { ... },
"server": { ... },
"agent": { ... },
"tools": { ... },
"auth": { ... },
"skills": { ... },
"cron": { ... }
}
PUT /api/config) are written atomically (write to .tmp, then rename).
LLM providers
Sorat supports multiple LLM providers. Each provider has:
| Field | Description |
|---|
id | UUID (auto-generated) |
name | Display name (e.g. “OpenAI”) |
endpoint | Base URL (e.g. https://api.openai.com/v1) |
api_key | API key for authentication |
auth_method | "api_key" (default) or "oauth" |
oauth_provider | OAuth provider identifier (e.g. "google-antigravity") |
Provider examples
OpenAI
Google Gemini
Ollama (local)
{
"name": "OpenAI",
"endpoint": "https://api.openai.com/v1",
"api_key": "sk-..."
}
{
"name": "Google AI (Gemini)",
"endpoint": "https://generativelanguage.googleapis.com/v1beta/openai",
"api_key": "AIza..."
}
{
"name": "Ollama",
"endpoint": "http://localhost:11434/v1",
"api_key": "ollama"
}
llm.active_provider_id to the UUID of the provider you want to use, and llm.active_model to the model name.
LLM settings
| Field | Type | Default | Description |
|---|
active_provider_id | string | "" | UUID of the active provider |
active_model | string | "gemini-2.0-flash" | Model identifier |
temperature | float | 0.7 | Sampling temperature (0.0–2.0) |
max_tokens | int | 4096 | Maximum output tokens |
Server settings
| Field | Type | Default | Description |
|---|
port | int | 8080 | HTTP server port |
host | string | "0.0.0.0" | Bind address |
auth_token | string | "" | Static bearer token (alternative to user auth) |
open_browser_on_start | bool | false | Auto-open web UI on startup |
Agent settings
| Field | Type | Default | Description |
|---|
name | string | "Sorat" | Agent display name |
max_iterations | int | 30 | Max tool-call iterations per request |
memory_enabled | bool | true | Enable persistent memory |
Retry settings
| Field | Type | Default | Description |
|---|
retry.max_retries | int | 3 | Max LLM call retries (0 = disabled) |
retry.base_delay_ms | int | 1000 | Initial retry delay |
retry.max_delay_ms | int | 30000 | Maximum retry delay |
| Section | Key fields |
|---|
shell | whitelist_enabled, whitelist[] |
filesystem | enabled |
web | enabled |
system | enabled |
memory | enabled |
Shell whitelist
By default, the shell tool runs in unrestricted mode (whitelist_enabled: false). When whitelist_enabled: true, only commands in the whitelist array may be executed. If the whitelist is empty with whitelist_enabled: true, shell access is fully disabled.
Default whitelist (used when enabled):
["ls", "cat", "echo", "pwd", "whoami", "ps", "df", "find", "grep", "git", "curl"]
Filesystem confinement
The filesystem tool is confined to ~/.sorat/workspace/. All paths are resolved relative to the workspace root, and traversal attempts (..) are blocked.
Skills settings
| Field | Type | Default | Description |
|---|
skills.enabled | bool | true | Enable the skills system |
skills.registry_url | string | "https://clawhub.ai" | Default skill registry URL |
Cron settings
| Field | Type | Default | Description |
|---|
cron.enabled | bool | true | Enable the cron scheduler |
Authentication
| Field | Description |
|---|
auth.email | User email |
auth.password_hash | bcrypt hash |
auth.role | "super_admin", "admin", or "user" |
auth.session_token | Active session token |
auth.token_expiry | Token expiry (RFC 3339) |
POST /api/auth/register.
Hot-reload
When configuration is updated via the admin API, Sorat calls reinitAgent() which creates an entirely new ADK agent (runner + session service + tools).
This resets the in-memory ADK session service — all active ADK sessions are lost. Persisted session messages on disk are preserved.
