GUI Configuration

Precedence

autonomy-gui initializes each flag default from environment variables, then parses CLI flags. Practical precedence:

1. Explicit CLI flag

2. Environment variable

3. Built-in default

Flags and environment variables

Flag	Env var	Default	Notes
--db	AUTONOMY_GUI_DB	required	Path to control-plane SQLite DB
--addr	AUTONOMY_GUI_ADDR	:8090	Listen address
--dev-mode	AUTONOMY_GUI_DEV_MODE	false	Enables ?dev_role= and /api/v1/auth/token
--log-level	AUTONOMY_GUI_LOG_LEVEL	info	debug|info|warn|error
--enable-hsts	AUTONOMY_GUI_ENABLE_HSTS	false	Adds HSTS header when GUI terminates TLS
--dev-csp-connect-src	AUTONOMY_GUI_DEV_CSP_CONNECT_SRC	empty	Extra dev-only CSP connect-src origins (CSV)

Auth credential mapping env vars

Static bearer tokens

• AUTONOMY_GUI_TOKEN_OPERATOR

• AUTONOMY_GUI_TOKEN_ANALYST

• AUTONOMY_GUI_TOKEN_AUDITOR

• AUTONOMY_GUI_TOKEN_INTEGRATOR

Basic auth user mapping

AUTONOMY_GUI_USER_<NAME>=<role>

Example:

export AUTONOMY_GUI_USER_alice=operator
export AUTONOMY_GUI_USER_bob=auditor

Defaults and implicit values

• StaleThresholdSeconds defaults to 300 when unset/non-positive in auth config.

• /api/v1/config exposes stale_threshold_seconds for frontend initialization.

Not implemented / no evidence

• --registry-token CLI flag is not implemented in flag registration.

• AUTONOMY_GUI_REGISTRY_TOKEN is documented in comments but not consumed by run().

Minimal examples

Minimal (token-based)

export AUTONOMY_GUI_TOKEN_AUDITOR='replace-me'
bin/autonomy-gui --db /data/orchestrator.db --addr :8090

Dev mode

bin/autonomy-gui --db demo/data/contested.db --addr :8090 --dev-mode

Evidence

• gui/cmd/gui/main.go (run, buildAuthConfig, envOr, envBool)

• gui/internal/auth/middleware.go (Config, /api/v1/config header behavior)

• gui/internal/api/config.go

• docs/_generated/test-outputs/gui-help.txt