Configuration
CLI config
The CLI reads its config from ~/.rn/config.toml. Create it with:
rn init
Full reference
[global]
server = "https://rockstar.ninja" # API server URL
privacy = "secret" # Default privacy: "public", "secret", or "private"
expires = "" # Default expiry (e.g., "24h", "7d")
[auth]
private_key = "~/.rn/private.key" # Ed25519 private key path
public_key = "~/.rn/public.key" # Ed25519 public key path
[session]
privacy = "" # Override global privacy for sessions
expires = "" # Override global expiry for sessions
[plan]
privacy = "" # Override global privacy for plans
expires = "" # Override global expiry for plans
[providers]
claude = true # Claude Code sessions (~/.claude/)
copilot = true # VS Code Copilot Chat sessions
[sync]
# sync_all = true # Sync all projects (default)
# sync_projects = ["my-project"] # Only sync these projects when sync_all = false
Inheritance
Settings cascade: CLI flag > resource-specific config > global config > built-in default.
For example, if you set [global] privacy = "public" but [session] privacy = "secret", sessions default to secret while plans default to public.
Skills do not have a dedicated [skill] config section. They use the [plan] section for default privacy and expiry. If you want different defaults for skills, use CLI flags per push.
Providers
The [providers] section controls which session providers are enabled for discovery. Both providers are enabled by default — set one to false to disable it.
[providers]
claude = true # Claude Code sessions (~/.claude/)
copilot = false # Disable VS Code Copilot Chat discovery
The CLI --provider flag overrides this setting for individual commands:
rn session list --provider copilot
Sync filtering
The [sync] section controls which projects the macOS app auto-syncs. By default, all projects are synced. This applies to both sessions and plans — plans are mapped to the project whose session created them.
To limit auto-sync to specific projects:
[sync]
sync_all = false
sync_projects = ["my-project", "another-project"]
Project names must match the labels shown in rn session list or the macOS app's session browser. Plans whose parent project cannot be determined are skipped when per-project filtering is active; they can still be pushed manually.
Redaction rules
The config file supports custom redaction rules that strip secrets before data leaves your machine:
[[redact]]
name = "My custom token"
pattern = "myapp_[A-Za-z0-9]{32}"
Each [[redact]] entry has:
| Field | Type | Description |
|---|---|---|
name |
string | Human-readable label (shown in verbose output) |
pattern |
string | Go regular expression |
Default rules
The example config includes rules for common secret formats. These match patterns like:
| Rule | Matches |
|---|---|
| Anthropic API keys | sk-ant-... |
| OpenAI API keys | sk-... |
| AWS access keys | AKIA... |
| GitHub tokens | ghp_..., gho_..., ghu_..., ghs_..., ghr_... |
| GitLab tokens | glpat-... |
| Slack tokens | xoxb-..., xoxa-..., xoxp-... |
| Stripe keys | sk_test_..., sk_live_..., rk_test_..., rk_live_... |
| Google Cloud API keys | AIza... |
| npm tokens | npm_... |
| PyPI tokens | pypi-... |
| HuggingFace tokens | hf_... |
| DigitalOcean tokens | dop_v1_..., dot_v1_..., dpat_v1_... |
| SendGrid API keys | SG.... |
| Twilio API keys | SK... |
| Age secret keys | AGE-SECRET-KEY-... |
| HashiCorp Vault tokens | hvs.... |
| Database connection URLs | postgres://, mysql://, mongodb://, redis://, amqp:// |
| Bearer tokens | Bearer ... |
| PEM private keys | -----BEGIN ... PRIVATE KEY----- |
| Generic secret assignments | password=..., api_key=..., etc. |
Ad-hoc redaction
For one-off redaction without editing your config, use the -R flag:
rn session push -R "my-literal-secret"
This is repeatable — use multiple -R flags to redact multiple strings.
Important: client-side only
All redaction happens on your machine before data is sent to the server. The server intentionally does not apply its own redaction rules, because enforced patterns could interfere unintentionally with how sessions are displayed. What you upload is what gets stored. If you're building a tool against the API, you are responsible for stripping secrets from session data before pushing it.