HomeDocsArchitecture › 11. Glossary, Configuration & Build

11. Glossary, Configuration & Build

A reference appendix: the full glossary, the build system, and the server/CLI configuration.


11.1 Full glossary

Term Meaning
Actor A protoactor-go unit that processes one message at a time from a mailbox; fields need no locks.
Agent A headless autonomous LLM coding actor (no PTY), registered to a pane. Subject agent.{name}.inbox.
Agentic loop The orchestrator's iterate-until-end_turn tool-use cycle.
Approval The handshake (approval.request/approval.response) gating destructive tool calls and diffs.
Bridge (NATSBridge) Subscribes NATS subjects on an actor's behalf and delivers decoded messages into its mailbox.
Bus (bus.Bus) The CLI daemon spine: embedded NATS + JetStream KV + actor system + codec + publisher.
Channel An external communication adapter (Slack/email/WhatsApp/phone/chatbot) attached to a humanoid.
Chatbot An embeddable website widget backed by a server-side PaneToolsNone pane.
Codec (CodecRegistry) Maps message type tags ↔ Go types for JSON encode/decode.
ConversationMessage The unified message type for all conversation surfaces.
Dual-publish shell/ai modes publishing to both per-mode and merged output topics.
Envelope (NATSEnvelope) The JSON wrapper {t: tag, r: replyTo, p: payload} for every NATS message.
Forge (Rysh Forge) Pipeline that turns an OpenAPI/GraphQL spec into governed agent tools (plus SDKs/docs/MCP server). Live via ##integration; server-side catalog via the Integration Catalog.
Grid A tab seeded with R×C lanes/groups at once.
Humanoid An agent plus external channels and per-thread memory. Subject humanoid.{name}.inbox.
JetStream KV NATS key-value store used for persistence (panes, workspace, pipeline, agents, conversations).
Lane A vertical column in a tab; has a flex (horizontal width weight).
LLMPromptExecutionActor The per-pane agent manager; owns conversation/memory, spawns orchestrators.
MCP client Rysh as a Model Context Protocol client: ##mcp add connects an external MCP server (stdio/HTTP) and registers its tools as agent tools (internal/mcp, config .rysh/mcp.json).
Mirror tab A subscriber-side synthetic tab reconstructing a shared tab/lane/group.
Mode A conversation type: shell, ai, rysh, chat, email, slack, chatbot.
Orchestrator The per-prompt actor running the tool-use loop to completion.
Pane One conversation surface: a PTY shell and/or an LLM agent.
Pane group A vertical row slot in a lane holding a rotating stack of panes; has rowFlex.
PaneToolsBrowser / PaneToolsNone Server-side tool profiles: browser-control tools vs zero tools.
Permission policy Declarative allow/deny/ask rules evaluated before the approval prompt (agentic/permissions.go).
PTYRelay The native-speed stdin↔PTY proxy for fullscreen interactive apps.
## command A Rysh system command typed in a pane.
Session A named daemon instance with its own NATS port and KV buckets.
Session prefix The NATS subject namespace prefix (default rysh).
Share Publishing a pane/tab to an upstream NATS workspace for collaboration.
SharedEntity The server-side record of a share (unique share_id, mode, origin, heartbeat).
Sub-agent A real child OrchestratorActor spawned by the sub_agent tool with an isolated context and tool whitelist; depth-capped at MaxSubAgentDepth = 2.
Subject-ACL The streaming NATS-protocol parser that confines a client to ws.{workspaceID}.> + _INBOX.>.
Tab A screen of lanes; owns pipeline state.
Upstream The remote NATS workspace (hosted by rysh-server) used for sharing.
VTerm The terminal emulator (vendored vt10x fork with scrollback) backing each PTY pane.
Workspace A configured set of tabs and the cloud tenancy boundary (identified by UUID).

11.2 Build system (root Makefile)

graph TD
    deps["make deps
(tidy shared → cli → server)"] --> build build["make build"] --> buildcli["make build-cli
GOWORK=off → rysh-cli/ry"] build --> buildsrv["make build-server
→ rysh-server/bin/rysh-server"] buildcli --> install["make install → ~/.local/bin/ry"] build --> release["make release VERSION_TAG=x.y.z
tags shared → cli → server"] release --> snapshot["make release-snapshot
(goreleaser, CLI cross-platform)"]
Target Effect
make deps tidy all three modules (shared first — server depends on it)
make build build CLI + server
make build-cli build the CLI with GOWORK=off (isolates its pinned charmbracelet deps from the workspace graph)
make build-server build the server binary
make install build CLI (binary ry, alt name rysh) and install to ~/.local/bin/ry
make test / lint per-module test/lint
make dev-up / dev-down / dev-logs local dev stack
make release VERSION_TAG=… tag + push only rysh-sharedrysh-clirysh-server, in that order (rysh-proto, rysh-chrome-plugin, and rysh-mcp-samples are not tagged by this target)

Why GOWORK=off for the CLI? rysh-cli and rysh-server have conflicting charmbracelet dependency versions, so the CLI is kept out of the unified go.work module graph and built in isolation. The committed go.work includes only rysh-proto, rysh-server, and rysh-shared, with replace directives pointing the two rysh-ai/* modules (rysh-shared, rysh-proto) at their local paths.

Caveat — make workspace drifts from the committed go.work. The workspace Makefile target runs go work init ./rysh-cli ./rysh-server ./rysh-shared, which would include rysh-cli and omit rysh-proto — the opposite of the committed go.work. Do not regenerate go.work from that target; treat the committed file as authoritative.

Chrome extension build

Vite (vite.config.ts) builds popup.html → a React bundle in dist/assets/[name].js (stable names so the manifest needs no edits), then a copyExtensionFiles plugin copies the static service worker, auth page, manifest, and icons into dist/. Tailwind + PostCSS for styling.


11.3 Server configuration (rysh-server)

TOML file (path via RYSH_SERVER_CONFIG, default server.config) with environment overrides that always win.

Section Key fields (with verified defaults) Notes
[server] host (0.0.0.0), port (8080) HTTP listener
[database] host (localhost), port (5432), user/password (rysh), dbname (rysh_server), sslmode (disable) PostgreSQL DSN
[auth] jwt_secret (change-me-in-production), access_token_ttl (15m), refresh_token_ttl (168h), bcrypt_cost (12) HS256 + bcrypt
[firebase] enabled (false), project_id, credentials_file social auth (optional)
[nats] host (0.0.0.0), port (4222), ws_port (9222), data_dir (/tmp/rysh-server-nats), [nats.limits] max_payload (8388608 = 8MB) /max_connections (1024) /max_subscriptions (1024) embedded NATS; monitoring HTTP hardcoded to 8222
[stripe] secret_key, publishable_key, webhook_secret, success_url, cancel_url billing
[shares] workspace (default), max_shares_per_workspace (100), max_subscribers_per_share (50), share_timeout_minutes (30), command_rate_limit (60), output_rate_limit (1000), disable_subject_acl (false) sharing namespace + ACL escape hatch
[logging] level, format slog
[agent] api_key, api_url (https://api.anthropic.com), default_model (claude-opus-4-5), max_tokens (8192), system_prompt, brave_api_key, max_iterations (20), pane_ttl (24h) browser-pane LLM (enables browser panes when api_key set)
[whatsapp] phone_number(_id), access_token, business_account_id, verify_token, app_secret, api_version (v21.0) Meta Cloud API
[chatbot] enabled (true), default_model (claude-sonnet-4-20250514), default_max_tokens (4096), default_max_iterations (10), session_timeout_minutes (30), max_message_length (10000), widget_js_path (/opt/rysh/chatbot/widget.js), cdn_url embeddable widget
(top-level) encryption_key (empty) AES-256-GCM for connection secrets (enables connections when set)

Environment overrides (selected)

RYSH_SERVER_CONFIG          path to the TOML config
RYSH_SERVER_HOST/PORT
RYSH_DB_HOST/PORT/USER/PASSWORD/NAME
RYSH_JWT_SECRET
RYSH_NATS_HOST/PORT/WS_PORT/DATA_DIR/MAX_PAYLOAD
RYSH_LOG_LEVEL
RYSH_STRIPE_SECRET_KEY / _PUBLISHABLE_KEY / _WEBHOOK_SECRET / _SUCCESS_URL / _CANCEL_URL
RYSH_SHARES_WORKSPACE
RYSH_AGENT_API_KEY / _MODEL / _BRAVE_API_KEY / _MAX_TOKENS / _SYSTEM_PROMPT
RYSH_WHATSAPP_*                       (phone, token, app secret, verify token, api version, ...)
RYSH_CHATBOT_ENABLED / _DEFAULT_MODEL / _DEFAULT_MAX_TOKENS / _SESSION_TIMEOUT / _MAX_MESSAGE_LENGTH / _WIDGET_PATH / _CDN_URL
RYSH_ENCRYPTION_KEY

Feature flags (conditional subsystems)

Subsystem Enabled when
Firebase social auth [firebase] enabled = true
WhatsApp [whatsapp] access_token set
External connections top-level encryption_key set
Browser panes [agent] api_key set
Chatbot panes [chatbot] enabled + agent key + browser-pane service
Subject-ACL isolation on by default; disabled only by [shares] disable_subject_acl = true

11.4 CLI configuration & runtime

  • Session prefix — set per session via SetSessionPrefix so multiple daemons coexist.
  • Workspace config — each workspace has its own upstream endpoint and API key (drives sharing/credentials/limits via rysh-server REST).
  • Logging — disabled by default; debug tees to /tmp/rysh/logs/rysh-<session>-<ts>.log. RYSH_LOG_MESSAGES=true enables the actor-comms message log (.rysh/actor-comms.log).
  • Provider keys — Anthropic API key enables the real agentic provider; Brave key enables web_search; Deepgram/OpenAI keys enable voice transcription.
  • Working-dir artifacts.rysh/ (state), .rysh-notes.md (project_notes tool), RYSH.md (durable project memory written by the memory_edit tool, capped at 64 KB and auto-loaded into the system prompt each session), .rysh/pipelines/*.rysh.yaml (rysh_build_pipeline), declarative .rysh/agents/<name>/SKILL.md / .rysh/humanoids/<name>/SKILL.md skill files (project-local ./.rysh preferred, else $HOME/.rysh), .rysh/mcp.json (external MCP servers, consumed by ##mcp), and .rysh/forge/ (Rysh Forge integrations.json index + per-integration specs and generated artifacts).
  • Agent prompts — all agentic prompts live as markdown under rysh-cli/rysh-cli-agent-prompts/ and are embedded into the binary at build time (//go:embed, prompts.go) — editing one and rebuilding changes the prompt; they are not runtime files. Empty/missing files fall back to in-package constants in internal/agentic/prompts.go.

11.5 Deployment shape

graph TB
    subgraph dev["Developer machine"]
        CLI["rysh daemon + TUI"]
        Chrome["Chrome + extension"]
    end
    subgraph cloud["Cloud"]
        Server["rysh-server binary"]
        PG[("PostgreSQL")]
        Stripe["Stripe"]
        FB["Firebase"]
        Server --- PG
        Server -. webhook .- Stripe
        Server -. verify .- FB
    end
    Site["Customer website
(embedded widget.js)"] Anthropic["Anthropic API"] CLI <-->|"NATS over WS
(ws.{id}.*, ACL-confined)"| Server Chrome <-->|"NATS over WS"| Server Site <-->|"chatbot widget proto"| Server CLI --> Anthropic Server --> Anthropic

The server is a single self-contained binary (embeds NATS + serves the React dashboard from web/dist + serves widget.js); it needs only PostgreSQL and, optionally, Stripe/Firebase/Anthropic credentials. The CLI runs locally and connects to the server for collaboration, channel credentials, and limits. The extension and the website widget connect to the server's NATS WebSocket proxies.


11.6 Cross-references