Configuration

CLI config

The CLI reads its config from ~/.rn/config.toml. Create it with:

rn init

Full reference

[global]
server = "https://rockstar.ninja"   # API server URL
privacy = "secret"                   # Default privacy: "public", "secret", or "private"
expires = ""                         # Default expiry (e.g., "24h", "7d")

[auth]
private_key = "~/.rn/private.key"   # Ed25519 private key path
public_key = "~/.rn/public.key"     # Ed25519 public key path

[session]
privacy = ""                         # Override global privacy for sessions
expires = ""                         # Override global expiry for sessions

[plan]
privacy = ""                         # Override global privacy for plans
expires = ""                         # Override global expiry for plans

Inheritance

Settings cascade: CLI flag > resource-specific config > global config > built-in default.

For example, if you set [global] privacy = "public" but [session] privacy = "secret", sessions default to secret while plans default to public.

Redaction rules

The config file supports custom redaction rules that strip secrets before data leaves your machine:

[[redact]]
name = "My custom token"
pattern = "myapp_[A-Za-z0-9]{32}"

Each [[redact]] entry has:

Field	Type	Description
`name`	string	Human-readable label (shown in verbose output)
`pattern`	string	Go regular expression

Default rules

The example config includes rules for common secret formats. These match patterns like:

Rule	Matches
Anthropic API keys	`sk-ant-...`
OpenAI API keys	`sk-...`
AWS access keys	`AKIA...`
GitHub tokens	`ghp_...`, `gho_...`, `ghu_...`, `ghs_...`, `ghr_...`
GitLab tokens	`glpat-...`
Slack tokens	`xoxb-...`, `xoxa-...`, `xoxp-...`
Stripe keys	`sk_test_...`, `sk_live_...`, `rk_test_...`, `rk_live_...`
Google Cloud API keys	`AIza...`
npm tokens	`npm_...`
PyPI tokens	`pypi-...`
HuggingFace tokens	`hf_...`
DigitalOcean tokens	`dop_v1_...`, `dot_v1_...`, `dpat_v1_...`
SendGrid API keys	`SG....`
Twilio API keys	`SK...`
Age secret keys	`AGE-SECRET-KEY-...`
HashiCorp Vault tokens	`hvs....`
Database connection URLs	`postgres://`, `mysql://`, `mongodb://`, `redis://`, `amqp://`
Bearer tokens	`Bearer ...`
PEM private keys	`-----BEGIN ... PRIVATE KEY-----`
Generic secret assignments	`password=...`, `api_key=...`, etc.

Ad-hoc redaction

For one-off redaction without editing your config, use the -R flag:

rn session push -R "my-literal-secret"

This is repeatable — use multiple -R flags to redact multiple strings.

Important: client-side only

All redaction happens on your machine before data is sent to the server. The server intentionally does not apply its own redaction rules, because enforced patterns could interfere unintentionally with how sessions are displayed. What you upload is what gets stored. If you're building a tool against the API, you are responsible for stripping secrets from session data before pushing it.