Sakura Configuration Reference
Overview
Sakura uses a layered configuration system: a TOML file for CLI profiles, JSON files for MCP server connections and team orchestration, and environment variables for secrets and runtime overrides.
1. CLI Configuration — config.toml
The primary CLI configuration file lives at .sakura/config.toml in your project directory. It is created automatically by sakura init.
Sources: src/config.ts
Schema
version = 1
defaultProfile = "default"
maxPlanAgeHours = 4
[profiles.default]
provider = "openai"
model = "gpt-5.2"
temperature = 0.2
[profiles.coding-claude]
provider = "anthropic"
model = "claude-sonnet-4-20250514"
temperature = 0.2
[phase]
language = "typescript"
buildCommand = "pnpm build"
lintCommand = "pnpm lint"
referenceFiles = ["src/types.ts", "src/config.ts"]
projectContext = "A deterministic AI CLI tool"
Top-Level Fields
| Field | Type | Default | Description |
|---|---|---|---|
version | 1 (literal) | — | Schema version. Must be 1. |
defaultProfile | string | "default" | Which profile to use when none is specified via --profile. |
maxPlanAgeHours | number | 4 | Plans older than this are considered stale. |
Profile Fields ([profiles.<name>])
| Field | Type | Default | Description |
|---|---|---|---|
provider | "openai" | "anthropic" | "openai" | LLM provider to use for this profile. |
model | string | (provider default) | Model identifier. If omitted, the provider uses its own default. |
temperature | number (0–2) | 0.2 | Sampling temperature. Lower = more deterministic. |
awsProfile | string | — | AWS CLI profile name to use for AWS commands. |
awsRegion | string | — | AWS region override for this profile. |
Sources: src/config.ts — ProfileSchema
Phase Fields ([phase])
Used by the /phase scaffold command to drive code generation.
| Field | Type | Default | Description |
|---|---|---|---|
language | "typescript" | "python" | "go" | "rust" | "typescript" | Target language for generated code. |
buildCommand | string | "pnpm build" | Command to verify the build after code generation. |
lintCommand | string | — | Optional lint command run after build. |
referenceFiles | string[] | [] | Files injected as context into the code generation prompt. |
projectContext | string | "" | Free-text description of the project, injected into prompts. |
Sources: src/config.ts — PhaseSchema, src/scaffold/phase.ts
Config Resolution Flow
Sources: src/config.ts — ensureInitialized, loadConfig, resolveProvider
2. MCP Server Configuration — mcp.json
Configures external Model Context Protocol servers that Sakura connects to at REPL startup. Tools and resources from these servers are registered into the tool registry and made available to the LLM.
Sources: src/mcp/config.ts, src/mcp/lifecycle.ts, src/mcp/bridge.ts
File Locations (searched in order)
| Priority | Path |
|---|---|
| 1 (local) | .sakura/mcp.json (project directory) |
| 2 (global) | ~/.sakura/mcp.json (home directory) |
The first file found is used. If neither exists, MCP is disabled silently.
Schema
{
"mcpServers": {
"my-server": {
"command": "npx",
"args": ["-y", "@my-org/mcp-server"],
"env": {
"API_KEY": "${MY_API_KEY}"
},
"trustLevel": "trust_read_only"
},
"remote-server": {
"url": "https://mcp.example.com/sse",
"transport": "sse",
"trustLevel": "not_trusted"
}
}
}
Server Config Fields
| Field | Type | Required | Description |
|---|---|---|---|
command | string | For stdio | Executable to launch the MCP server process. |
args | string[] | No | Arguments passed to command. |
env | Record<string, string> | No | Environment variables for the server process. Supports ${VAR} expansion from the host environment. |
url | string | For sse/http | URL of the remote MCP server. Supports ${VAR} expansion. |
transport | "stdio" | "sse" | "http" | No | Transport type. Auto-detected: stdio if command is set, sse if url is set. |
trustLevel | TrustLevel | No | Default: "not_trusted". Controls whether tool calls require user confirmation. |
Transport Types
| Transport | When to Use | Required Fields |
|---|---|---|
stdio | Local process (npx, python, binary) | command |
sse | Remote server via Server-Sent Events | url |
http | Remote server via Streamable HTTP | url |
Sources: src/mcp/client.ts — createTransport
Trust Levels
MCP tools inherit the trustLevel from their server config. Resources are always registered as trust_read_only.
| Level | Behavior |
|---|---|
trusted | Executes without any confirmation prompt. |
trust_read_only | Auto-approved for read operations; prompts for writes. |
trust_working_dir | Auto-approved for paths inside cwd; prompts for paths outside. |
not_trusted | Always prompts the user before execution. |
Sources: src/tools/registry.ts, src/tools/executor.ts
MCP Startup Flow
3. Model Tiers and Provider Defaults
Sakura supports two providers. Each has a default model used when model is omitted from the profile.
Sources: src/providers/openai.ts, src/providers/anthropic.ts
Provider Defaults
| Provider | Default Model | Max Tokens | Notes |
|---|---|---|---|
openai | gpt-5.2 | (API default) | Uses OpenAI Responses API. |
anthropic | claude-sonnet-4-20250514 | 4096 (standard), 16000 (thinking) | Supports extended thinking via thinking: true. |
Recommended Profile Configurations
| Use Case | Provider | Model | Temperature |
|---|---|---|---|
| General / AWS tasks | openai | gpt-5.2 | 0.2 |
| Code generation | anthropic | claude-sonnet-4-20250514 | 0.2 |
| Complex reasoning | anthropic | claude-sonnet-4-20250514 | 1.0 (thinking mode) |
| Deterministic output | Either | Any | 0 |
Anthropic-Specific Features
| Feature | How to Enable | Effect |
|---|---|---|
| Extended thinking | req.thinking = true | Raises max_tokens to 16,000, sets temperature = 1 |
| Prompt caching | Automatic | Applied to the last tool in the tools array via cache_control: ephemeral |
| System prompt caching | Automatic | Applied to system prompt when present |
Sources: src/providers/anthropic.ts
4. API Provider — Managed Key Mode
When a user is logged in via sakura login, the ApiProvider is used instead of direct provider SDKs. API keys are managed server-side.
Sources: src/providers/api.ts, src/auth/keys.ts, src/auth/session.ts
Key Resolution Order
Sources: src/repl/index.ts — resolveLlmProvider
Auth Storage
| Item | Path | Permissions |
|---|---|---|
| Auth token | ~/.sakura-cli/auth.json | 0o600 (owner read/write only) |
| Bundled keys | dist/keys.json | Embedded at build time |
Sources: src/auth/session.ts
5. Environment Variables
CLI Environment Variables
| Variable | Purpose | Default | Required |
|---|---|---|---|
OPENAI_API_KEY | OpenAI API key for direct provider use | — | If using OpenAI without login |
ANTHROPIC_API_KEY | Anthropic API key for direct provider use | — | If using Anthropic without login |
SAKURA_API_URL | Base URL for the Sakura API proxy | https://api.sakura-ai.dev | No |
AWS_PAGER | Disables AWS CLI pager (set to "" automatically) | "" | No |
AWS_PROFILE | AWS CLI profile (can also be set in config.toml) | — | No |
AWS_REGION | AWS region override | — | No |
Sources: src/providers/api.ts, src/aws/runner.ts, src/auth/keys.ts
API Server Environment Variables
| Variable | Purpose | Default | Required |
|---|---|---|---|
JWT_SECRET | Secret for signing JWT tokens | — | Yes |
STRIPE_SECRET_KEY | Stripe API key for billing | — | Yes (billing features) |
STRIPE_WEBHOOK_SECRET | Stripe webhook signature verification | — | Yes (billing features) |
OPENAI_API_KEY | OpenAI key used server-side for completions | — | Yes |
ANTHROPIC_API_KEY | Anthropic key used server-side for completions | — | Yes |
AWS_REGION | DynamoDB region | us-east-1 | No |
GITHUB_CLIENT_ID | GitHub OAuth app client ID | — | Yes (GitHub login) |
GITHUB_CLIENT_SECRET | GitHub OAuth app client secret | — | Yes (GitHub login) |
Sources: api/src/services/secrets.ts, api/src/routes/auth.ts, api/.env
SSM Parameter Store (Production)
The API reads secrets from AWS SSM Parameter Store in production. The CLI also checks SSM for API keys before falling back to the API proxy.
| SSM Parameter | Used By | Description |
|---|---|---|
/sakura/api/openai-key | CLI (REPL), API | OpenAI API key |
/sakura/api/anthropic-key | CLI (REPL), API | Anthropic API key |
/sakura/jwt-secret | API | JWT signing secret |
/sakura/stripe-secret | API | Stripe secret key |
Sources: src/repl/index.ts — getKeyFromSsm, api/src/services/secrets.ts
6. Local State Files
Sakura writes runtime state to .sakura/ in the project directory.
| Path | Contents | Created By |
|---|---|---|
.sakura/config.toml | CLI configuration | sakura init |
.sakura/mcp.json | MCP server config (local) | User |
.sakura/plans/ | Saved plan JSON files | Planning system |
.sakura/plans/latest.json | Most recent plan | Planning system |
.sakura/sessions/ | Conversation session files | REPL |
.sakura/mcp/latest.json | MCP knowledge pack | /init command |
.sakura/project.md | Project context for prompts | /init command |
.sakura/build-state.json | /build command progress | Scaffold system |
.sakura/settings.json | Local settings overrides | /set command |
~/.sakura-cli/auth.json | Login token and email | sakura login |
~/.sakura-cli/settings.json | Global settings | /set --global |
~/.sakura/mcp.json | Global MCP server config | User |
Sources: src/planning/store.ts, src/sessions/store.ts, src/mcp/config.ts, src/util/settings.ts, src/auth/session.ts
7. Settings
Runtime settings can be changed