11. Glossary, Configuration & Build
A reference appendix: the full glossary, the build system, and the server/CLI configuration.
11.1 Full glossary
| Term | Meaning |
|---|---|
| Actor | A protoactor-go unit that processes one message at a time from a mailbox; fields need no locks. |
| Agent | A headless autonomous LLM coding actor (no PTY), registered to a pane. Subject agent.{name}.inbox. |
| Agentic loop | The orchestrator's iterate-until-end_turn tool-use cycle. |
| Approval | The handshake (approval.request/approval.response) gating destructive tool calls and diffs. |
Bridge (NATSBridge) |
Subscribes NATS subjects on an actor's behalf and delivers decoded messages into its mailbox. |
Bus (bus.Bus) |
The CLI daemon spine: embedded NATS + JetStream KV + actor system + codec + publisher. |
| Channel | An external communication adapter (Slack/email/WhatsApp/phone/chatbot) attached to a humanoid. |
| Chatbot | An embeddable website widget backed by a server-side PaneToolsNone pane. |
Codec (CodecRegistry) |
Maps message type tags ↔ Go types for JSON encode/decode. |
| ConversationMessage | The unified message type for all conversation surfaces. |
| Dual-publish | shell/ai modes publishing to both per-mode and merged output topics. |
Envelope (NATSEnvelope) |
The JSON wrapper {t: tag, r: replyTo, p: payload} for every NATS message. |
| Forge (Rysh Forge) | Pipeline that turns an OpenAPI/GraphQL spec into governed agent tools (plus SDKs/docs/MCP server). Live via ##integration; server-side catalog via the Integration Catalog. |
| Grid | A tab seeded with R×C lanes/groups at once. |
| Humanoid | An agent plus external channels and per-thread memory. Subject humanoid.{name}.inbox. |
| JetStream KV | NATS key-value store used for persistence (panes, workspace, pipeline, agents, conversations). |
| Lane | A vertical column in a tab; has a flex (horizontal width weight). |
| LLMPromptExecutionActor | The per-pane agent manager; owns conversation/memory, spawns orchestrators. |
| MCP client | Rysh as a Model Context Protocol client: ##mcp add connects an external MCP server (stdio/HTTP) and registers its tools as agent tools (internal/mcp, config .rysh/mcp.json). |
| Mirror tab | A subscriber-side synthetic tab reconstructing a shared tab/lane/group. |
| Mode | A conversation type: shell, ai, rysh, chat, email, slack, chatbot. |
| Orchestrator | The per-prompt actor running the tool-use loop to completion. |
| Pane | One conversation surface: a PTY shell and/or an LLM agent. |
| Pane group | A vertical row slot in a lane holding a rotating stack of panes; has rowFlex. |
| PaneToolsBrowser / PaneToolsNone | Server-side tool profiles: browser-control tools vs zero tools. |
| Permission policy | Declarative allow/deny/ask rules evaluated before the approval prompt (agentic/permissions.go). |
| PTYRelay | The native-speed stdin↔PTY proxy for fullscreen interactive apps. |
## command |
A Rysh system command typed in a pane. |
| Session | A named daemon instance with its own NATS port and KV buckets. |
| Session prefix | The NATS subject namespace prefix (default rysh). |
| Share | Publishing a pane/tab to an upstream NATS workspace for collaboration. |
| SharedEntity | The server-side record of a share (unique share_id, mode, origin, heartbeat). |
| Sub-agent | A real child OrchestratorActor spawned by the sub_agent tool with an isolated context and tool whitelist; depth-capped at MaxSubAgentDepth = 2. |
| Subject-ACL | The streaming NATS-protocol parser that confines a client to ws.{workspaceID}.> + _INBOX.>. |
| Tab | A screen of lanes; owns pipeline state. |
| Upstream | The remote NATS workspace (hosted by rysh-server) used for sharing. |
| VTerm | The terminal emulator (vendored vt10x fork with scrollback) backing each PTY pane. |
| Workspace | A configured set of tabs and the cloud tenancy boundary (identified by UUID). |
11.2 Build system (root Makefile)
graph TD
deps["make deps
(tidy shared → cli → server)"] --> build
build["make build"] --> buildcli["make build-cli
GOWORK=off → rysh-cli/ry"]
build --> buildsrv["make build-server
→ rysh-server/bin/rysh-server"]
buildcli --> install["make install → ~/.local/bin/ry"]
build --> release["make release VERSION_TAG=x.y.z
tags shared → cli → server"]
release --> snapshot["make release-snapshot
(goreleaser, CLI cross-platform)"]
| Target | Effect |
|---|---|
make deps |
tidy all three modules (shared first — server depends on it) |
make build |
build CLI + server |
make build-cli |
build the CLI with GOWORK=off (isolates its pinned charmbracelet deps from the workspace graph) |
make build-server |
build the server binary |
make install |
build CLI (binary ry, alt name rysh) and install to ~/.local/bin/ry |
make test / lint |
per-module test/lint |
make dev-up / dev-down / dev-logs |
local dev stack |
make release VERSION_TAG=… |
tag + push only rysh-shared → rysh-cli → rysh-server, in that order (rysh-proto, rysh-chrome-plugin, and rysh-mcp-samples are not tagged by this target) |
Why
GOWORK=offfor the CLI?rysh-cliandrysh-serverhave conflictingcharmbraceletdependency versions, so the CLI is kept out of the unifiedgo.workmodule graph and built in isolation. The committedgo.workincludes onlyrysh-proto,rysh-server, andrysh-shared, withreplacedirectives pointing the tworysh-ai/*modules (rysh-shared,rysh-proto) at their local paths.Caveat —
make workspacedrifts from the committedgo.work. TheworkspaceMakefile target runsgo work init ./rysh-cli ./rysh-server ./rysh-shared, which would includerysh-cliand omitrysh-proto— the opposite of the committedgo.work. Do not regeneratego.workfrom that target; treat the committed file as authoritative.
Chrome extension build
Vite (vite.config.ts) builds popup.html → a React bundle in dist/assets/[name].js (stable names so the manifest needs no edits), then a copyExtensionFiles plugin copies the static service worker, auth page, manifest, and icons into dist/. Tailwind + PostCSS for styling.
11.3 Server configuration (rysh-server)
TOML file (path via RYSH_SERVER_CONFIG, default server.config) with environment overrides that always win.
| Section | Key fields (with verified defaults) | Notes |
|---|---|---|
[server] |
host (0.0.0.0), port (8080) |
HTTP listener |
[database] |
host (localhost), port (5432), user/password (rysh), dbname (rysh_server), sslmode (disable) |
PostgreSQL DSN |
[auth] |
jwt_secret (change-me-in-production), access_token_ttl (15m), refresh_token_ttl (168h), bcrypt_cost (12) |
HS256 + bcrypt |
[firebase] |
enabled (false), project_id, credentials_file |
social auth (optional) |
[nats] |
host (0.0.0.0), port (4222), ws_port (9222), data_dir (/tmp/rysh-server-nats), [nats.limits] max_payload (8388608 = 8MB) /max_connections (1024) /max_subscriptions (1024) |
embedded NATS; monitoring HTTP hardcoded to 8222 |
[stripe] |
secret_key, publishable_key, webhook_secret, success_url, cancel_url |
billing |
[shares] |
workspace (default), max_shares_per_workspace (100), max_subscribers_per_share (50), share_timeout_minutes (30), command_rate_limit (60), output_rate_limit (1000), disable_subject_acl (false) |
sharing namespace + ACL escape hatch |
[logging] |
level, format |
slog |
[agent] |
api_key, api_url (https://api.anthropic.com), default_model (claude-opus-4-5), max_tokens (8192), system_prompt, brave_api_key, max_iterations (20), pane_ttl (24h) |
browser-pane LLM (enables browser panes when api_key set) |
[whatsapp] |
phone_number(_id), access_token, business_account_id, verify_token, app_secret, api_version (v21.0) |
Meta Cloud API |
[chatbot] |
enabled (true), default_model (claude-sonnet-4-20250514), default_max_tokens (4096), default_max_iterations (10), session_timeout_minutes (30), max_message_length (10000), widget_js_path (/opt/rysh/chatbot/widget.js), cdn_url |
embeddable widget |
| (top-level) | encryption_key (empty) |
AES-256-GCM for connection secrets (enables connections when set) |
Environment overrides (selected)
RYSH_SERVER_CONFIG path to the TOML config
RYSH_SERVER_HOST/PORT
RYSH_DB_HOST/PORT/USER/PASSWORD/NAME
RYSH_JWT_SECRET
RYSH_NATS_HOST/PORT/WS_PORT/DATA_DIR/MAX_PAYLOAD
RYSH_LOG_LEVEL
RYSH_STRIPE_SECRET_KEY / _PUBLISHABLE_KEY / _WEBHOOK_SECRET / _SUCCESS_URL / _CANCEL_URL
RYSH_SHARES_WORKSPACE
RYSH_AGENT_API_KEY / _MODEL / _BRAVE_API_KEY / _MAX_TOKENS / _SYSTEM_PROMPT
RYSH_WHATSAPP_* (phone, token, app secret, verify token, api version, ...)
RYSH_CHATBOT_ENABLED / _DEFAULT_MODEL / _DEFAULT_MAX_TOKENS / _SESSION_TIMEOUT / _MAX_MESSAGE_LENGTH / _WIDGET_PATH / _CDN_URL
RYSH_ENCRYPTION_KEY
Feature flags (conditional subsystems)
| Subsystem | Enabled when |
|---|---|
| Firebase social auth | [firebase] enabled = true |
[whatsapp] access_token set |
|
| External connections | top-level encryption_key set |
| Browser panes | [agent] api_key set |
| Chatbot panes | [chatbot] enabled + agent key + browser-pane service |
| Subject-ACL isolation | on by default; disabled only by [shares] disable_subject_acl = true |
11.4 CLI configuration & runtime
- Session prefix — set per session via
SetSessionPrefixso multiple daemons coexist. - Workspace config — each workspace has its own upstream endpoint and API key (drives sharing/credentials/limits via
rysh-serverREST). - Logging — disabled by default;
debugtees to/tmp/rysh/logs/rysh-<session>-<ts>.log.RYSH_LOG_MESSAGES=trueenables the actor-comms message log (.rysh/actor-comms.log). - Provider keys — Anthropic API key enables the real agentic provider; Brave key enables
web_search; Deepgram/OpenAI keys enable voice transcription. - Working-dir artifacts —
.rysh/(state),.rysh-notes.md(project_notestool),RYSH.md(durable project memory written by thememory_edittool, capped at 64 KB and auto-loaded into the system prompt each session),.rysh/pipelines/*.rysh.yaml(rysh_build_pipeline), declarative.rysh/agents/<name>/SKILL.md/.rysh/humanoids/<name>/SKILL.mdskill files (project-local./.ryshpreferred, else$HOME/.rysh),.rysh/mcp.json(external MCP servers, consumed by##mcp), and.rysh/forge/(Rysh Forgeintegrations.jsonindex + per-integration specs and generated artifacts). - Agent prompts — all agentic prompts live as markdown under
rysh-cli/rysh-cli-agent-prompts/and are embedded into the binary at build time (//go:embed,prompts.go) — editing one and rebuilding changes the prompt; they are not runtime files. Empty/missing files fall back to in-package constants ininternal/agentic/prompts.go.
11.5 Deployment shape
graph TB
subgraph dev["Developer machine"]
CLI["rysh daemon + TUI"]
Chrome["Chrome + extension"]
end
subgraph cloud["Cloud"]
Server["rysh-server binary"]
PG[("PostgreSQL")]
Stripe["Stripe"]
FB["Firebase"]
Server --- PG
Server -. webhook .- Stripe
Server -. verify .- FB
end
Site["Customer website
(embedded widget.js)"]
Anthropic["Anthropic API"]
CLI <-->|"NATS over WS
(ws.{id}.*, ACL-confined)"| Server
Chrome <-->|"NATS over WS"| Server
Site <-->|"chatbot widget proto"| Server
CLI --> Anthropic
Server --> Anthropic
The server is a single self-contained binary (embeds NATS + serves the React dashboard from web/dist + serves widget.js); it needs only PostgreSQL and, optionally, Stripe/Firebase/Anthropic credentials. The CLI runs locally and connects to the server for collaboration, channel credentials, and limits. The extension and the website widget connect to the server's NATS WebSocket proxies.
11.6 Cross-references
- Protocol details → 3. Messaging & Protocol
- The agent loop → 4. Agentic Engine
- Per-component internals → 5–9
- How it all flows → 10. End-to-End Flows