Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

castellan.toml reference

Layered configuration for governance, shell policy, hooks, and MCP permissions. Schema source: crates/castellan-governance/src/config.rs.

File locations (merge order)

LayerPathPrecedence
User~/.castellan/config.tomllowest
Projectcastellan.toml (walk up from cwd)middle
Local.castellan/local.toml (same repo as project castellan.toml)highest

Later layers override earlier ones. CLI flags and environment variables override all files.

Example

[governance]
session_spend_cap_usd = 12.5
max_risk_score = 0.85
denied_paths = ["/secret", "~/.ssh"]

[shell]
allowed_commands = ["echo", "cargo", "git"]
denied_commands = ["rm", "curl"]
denied_patterns = ["sudo .*"]
max_output_bytes = 65536

[permissions]
default_mode = "ask"
[permissions.tools]
castellan_propose_mutation = "deny"
castellan_deposit_signal = "allow"

[[hooks.hooks]]
event = "PreToolUse"
command = "./scripts/hooks/pre-tool.sh"

Sections

[memory]

KeyTypeDescription
backendjson | sqliteDurable store backend (default: json)
pathstringSQLite database path when backend = "sqlite" (default: .castellan/castellan.db)
mirror_jsonboolAlso write .castellan/episodes/*.json alongside SQL (default: true)
auto_importboolImport existing JSON corpus on first SQLite open (default: true)

See Memory architecture.

[governance]

KeyTypeDescription
session_spend_cap_usdfloatSession spend ceiling
max_risk_scorefloatRisk score threshold
denied_pathsstring[]Paths blocked for tool/file access

[shell]

KeyTypeDescription
allowed_commandsstring[]Allowlist for shell plugin
denied_commandsstring[]Blocked command names
denied_patternsstring[]Regex patterns to block
max_output_bytesintegerCap captured stdout/stderr

[permissions]

KeyTypeDescription
presetcautious | balanced | permissiveApproval preset expanded into a base policy
default_modeallow | ask | denyDefault MCP tool policy (overrides preset base)
[permissions.tools]mapPer-tool overrides

Permission modes filter tools/list before exposure to MCP clients. castellan doctor reports the active preset.

[models]

KeyTypeDescription
defaultstringFallback model spec for all roles (default: mock)
verifystringModel for the verify client
actstringModel for the act client
planstringModel for the plan client

Per-role tiers; the scheduler never routes through an LLM. --model-tier on castellan run selects a role at the CLI.

[[recipes]]

KeyTypeDescription
namestringRecipe identifier for castellan recipes run <name>
descriptionstringShown by castellan recipes list
commandstringShell command executed via sh -c
cwdstringOptional working directory

Recipes inherit [shell] denied_commands / denied_patterns — they are not a policy bypass. Later config layers override recipes by name.

[[recipes]]
name = "gridworld-smoke"
description = "Run gridworld reach-target and write an episode JSON"
command = "castellan run --goal 'reach target' --plugin gridworld --json"

[[hooks.hooks]]

KeyTypeDescription
eventstringHook event name
commandstringShell command to invoke

See Agent hooks.

Environment overrides

VariableMaps to
CASTELLAN_SESSION_SPEND_CAP_USDgovernance.session_spend_cap_usd
CASTELLAN_MAX_RISK_SCOREgovernance.max_risk_score
CASTELLAN_SHELL_ALLOWEDCSV → shell.allowed_commands
CASTELLAN_SHELL_DENIEDCSV → shell.denied_commands
CASTELLAN_DENIED_PATHSCSV → governance.denied_paths
CASTELLAN_PERMISSION_MODEpermissions.default_mode
CASTELLAN_MEMORY_BACKENDmemory.backend
CASTELLAN_MEMORY_DBmemory.path
CASTELLAN_MEMORY_MIRROR_JSONmemory.mirror_json

Full list: Environment variables.