Configuration is split between public host settings, Kubernetes or Compose deployment values, and secret values. Keep secrets out of source control and inject them through the platform secret mechanism for your deployment target.

Public hosts

Setting                  Default production value                    Used by
Platform public URL      https://acornops.dev                        Primary API route examples and agent install commands
Management console URL   https://console.acornops.dev                Browser app origin, same-origin /api calls, and default OIDC callback derivation
Public docs URL          https://docs.acornops.dev                   Documentation links
Agent WebSocket URL      wss://acornops.dev/api/v1/agent/connect     k8s agent connections
The platform route and the management console route are separate, but both default deployment paths proxy /api to the control plane. The management console uses its own origin for browser session flows so cookies stay same-origin.

Required secret keys

The Kubernetes chart defaults to an existing Secret named acornops-platform-secrets. These keys are required for the central platform:

Key                               Purpose
CONTROL_PLANE_DATABASE_URL        Control-plane Postgres connection
CONTROL_PLANE_REDIS_URL           Control-plane Redis connection
OIDC_CLIENT_SECRET                Browser sign-in client secret
ORCH_SERVICE_TOKEN                Execution-engine and builtin MCP calls into control plane
WEBHOOK_SECRET_ENCRYPTION_KEY     Encryption for webhook signing secrets
EXECUTION_ENGINE_REDIS_URL        Execution-engine Redis connection
EXECUTION_ENGINE_DISPATCH_TOKEN   Control-plane dispatch auth into execution engine
LLM_GATEWAY_DATABASE_URL          LLM-gateway Postgres connection
LLM_GATEWAY_REDIS_URL             LLM-gateway Redis connection
LLM_GATEWAY_ADMIN_TOKEN           Control-plane admin auth into LLM gateway
SECRETS_KEK_BASE64                LLM-gateway database secret encryption key

Optional provider and secret-backend keys:

Key                               Purpose
OPENAI_API_KEY                    OpenAI provider access
ANTHROPIC_API_KEY                 Anthropic provider access
GEMINI_API_KEY                    Gemini provider access
VAULT_TOKEN                       Vault secret-backend access when Vault is enabled
Generate a unique random value for every internal token and encryption key in each environment; never reuse a value across environments (for example between staging and production).
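The following is an added example, not code from the AcornOps project, showing one way to assemble the required key set into the acornops-platform-secrets Secret without ever writing the values to a repository. Connection URLs and the OIDC client secret come from outside; every internal token and encryption key is freshly generated. The key format for SECRETS_KEK_BASE64 and WEBHOOK_SECRET_ENCRYPTION_KEY (32 random bytes, base64-encoded) and the namespace "acornops" are assumptions, since the page does not state them.

```python
import base64
import json
import secrets

# Required keys of the acornops-platform-secrets Secret, grouped by how each
# value is obtained. Provider keys (OPENAI_API_KEY etc.) and VAULT_TOKEN are
# optional and passed in only when needed.
CONNECTION_KEYS = (
    "CONTROL_PLANE_DATABASE_URL",
    "CONTROL_PLANE_REDIS_URL",
    "EXECUTION_ENGINE_REDIS_URL",
    "LLM_GATEWAY_DATABASE_URL",
    "LLM_GATEWAY_REDIS_URL",
)
INTERNAL_TOKEN_KEYS = (
    "ORCH_SERVICE_TOKEN",
    "EXECUTION_ENGINE_DISPATCH_TOKEN",
    "LLM_GATEWAY_ADMIN_TOKEN",
)
ENCRYPTION_KEY_KEYS = (
    "WEBHOOK_SECRET_ENCRYPTION_KEY",
    "SECRETS_KEK_BASE64",
)
REQUIRED_KEYS = CONNECTION_KEYS + ("OIDC_CLIENT_SECRET",) + INTERNAL_TOKEN_KEYS + ENCRYPTION_KEY_KEYS


def generate_internal_values():
    """Fresh random values for every internal token and encryption key.

    Run once per environment; never copy the result between environments.
    """
    # 256-bit bearer tokens for service-to-service auth.
    values = {key: secrets.token_urlsafe(32) for key in INTERNAL_TOKEN_KEYS}
    for key in ENCRYPTION_KEY_KEYS:
        # Assumption: a 32-byte key, base64-encoded. The page does not state the
        # exact format; confirm your chart's expectation before relying on this.
        values[key] = base64.b64encode(secrets.token_bytes(32)).decode("ascii")
    return values


def build_platform_secret(connection_urls, oidc_client_secret, optional_keys=None,
                          name="acornops-platform-secrets", namespace="acornops"):
    """Assemble every required key and render a Kubernetes Secret manifest.

    connection_urls and oidc_client_secret come from outside (your database,
    Redis and identity provider); internal tokens and keys are generated here.
    Returns (values, manifest_yaml). The namespace default is an assumption.
    """
    values = dict(connection_urls)
    values["OIDC_CLIENT_SECRET"] = oidc_client_secret
    values.update(generate_internal_values())
    values.update(optional_keys or {})
    missing = [key for key in REQUIRED_KEYS if not values.get(key)]
    if missing:
        raise ValueError(f"missing required secret keys: {missing}")
    lines = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "type: Opaque",
        "stringData:",  # plain values; the API server base64-encodes them on write
    ]
    for key in sorted(values):
        # A JSON string literal is a valid YAML double-quoted scalar, so URLs
        # containing ':' or '@' need no hand escaping.
        lines.append(f"  {key}: {json.dumps(values[key])}")
    return values, "\n".join(lines) + "\n"


def shared_values(env_a, env_b):
    """Keys whose value is identical in two environments' secret bundles.

    For an internal token or encryption key this list must be empty.
    """
    return sorted(key for key in env_a if key in env_b and env_a[key] == env_b[key])
```

Pipe the rendered manifest straight into `kubectl apply -f -` from the machine or CI step that holds the external secrets, rather than saving it to disk. Comparing two environments' bundles with shared_values is a cheap check that no internal token or key was copied between them.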

OIDC

The control plane owns OIDC login and callback handling:
  • Login entrypoint: GET /api/v1/auth/oidc/login?return_to=<management-console-url>
  • Callback entrypoint: GET /api/v1/auth/oidc/callback
For the default Kubernetes and VM Compose settings, register this redirect URI with your provider:
https://console.acornops.dev/api/v1/auth/oidc/callback
That URL is still served by the control plane through the console host’s /api proxy. If you override controlPlane.oidc.redirectUri or OIDC_REDIRECT_URI, register the exact override value instead. Registering only https://acornops.dev/api/v1/auth/oidc/callback with your provider will make the callback fail unless your deployment is configured to use that URL as the OIDC redirect URI.

Common OIDC settings:
Setting                      Notes
Issuer URL                   Provider issuer used for discovery and token validation
Public issuer URL            Optional override when internal and public issuer URLs differ
Client ID                    OIDC client configured for AcornOps
Client secret                Stored in the platform secret bundle
Scopes                       Defaults to openid profile email
Token endpoint auth method   Defaults to client-secret based auth

Password and device auth

Password auth is disabled by default for production-style deployments. Device auth can be enabled for CLI or device-style flows with an allow-list of client IDs. Development deployments may expose a dev-login endpoint. Do not enable dev-login in production.

LLM providers and run limits

The control plane sets default model policy and runtime budgets for runs:
Setting area     Examples
Providers        openai, anthropic, gemini
Models           Provider-specific allowed model list
Runtime limits   max runtime, max steps, max tool calls, duplicate tool-call limit
Output limits    max context tokens, max output tokens, budget cents
Sampling         default temperature
The LLM gateway enforces the run-scoped JWT minted by the control plane. It should not infer provider, model, or tool permissions from request body fields alone.
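As an added illustration of that rule (example code, not the project's own implementation), the block below mints a run-scoped token on the control-plane side and has the gateway derive entitlements from the verified token rather than from the request body. The claim names (sub, provider, model, tools, exp), the use of HS256 with a key shared between control plane and gateway, and the request body shape are all assumptions; the page does not specify the token format.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_run_token(key: bytes, run_id: str, provider: str, model: str,
                   tools, ttl_seconds=900, now=None) -> str:
    """Control-plane side: an HS256 JWT whose claims are the run's policy.

    Claim names are assumptions for this example.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": run_id, "provider": provider, "model": model,
              "tools": sorted(tools), "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_run_token(key: bytes, token: str, now=None) -> dict:
    """Gateway side: check structure, algorithm, signature and expiry; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        signature = b64url_decode(s)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all subclass ValueError
        raise ValueError("undecodable token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # rejects alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def authorize_gateway_request(key: bytes, token: str, body: dict, now=None):
    """Return (allowed, reason).

    Entitlements come from the verified token; the body only states what the
    caller wants, and anything beyond the token's grant is refused.
    """
    try:
        claims = verify_run_token(key, token, now)
    except ValueError as exc:
        return False, f"token rejected: {exc}"
    if body.get("provider") != claims.get("provider"):
        return False, "provider not granted by run token"
    if body.get("model") != claims.get("model"):
        return False, "model not granted by run token"
    extra = set(body.get("tools", [])) - set(claims.get("tools", []))
    if extra:
        return False, f"tools not granted by run token: {sorted(extra)}"
    return True, "ok"
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is trusted, the expiry is enforced from the gateway's own clock, and only then is the request body compared against the claims. A request that names a provider, model or tool the token does not carry is refused even though the body is well-formed.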

MCP egress policy

Remote MCP servers are configured per workspace and cluster. In production, the gateway should require HTTPS and block private, local, and reserved network targets unless you intentionally allow specific hosts. Use allow-lists for trusted internal MCP endpoints instead of broad private-network access.
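The check below is an added example of such an egress policy, not the project's own code: it requires HTTPS, resolves the hostname, and refuses the target if any resolved address is private, loopback, link-local or otherwise reserved, unless the hostname is on an explicit allow-list. The resolver is injectable so the policy can be tested offline; the constructed hostnames in the test are placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host):
    """Default resolver: every A/AAAA answer for host, so all are checked, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_mcp_egress(url, allowed_hosts=(), resolver=resolve_all):
    """Return (allowed, reason) for a remote MCP server URL.

    Policy: HTTPS only; every address the host resolves to must be globally
    routable, unless the hostname is on the explicit allow-list.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed; HTTPS is required"
    host = parts.hostname  # already lower-cased and stripped of [] for IPv6 literals
    if not host:
        return False, "URL has no host"
    if host in {h.lower() for h in allowed_hosts}:
        return True, f"{host} is on the explicit allow-list"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
            return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        # is_global is False for private, loopback, link-local (including the
        # cloud metadata range), shared-address and documentation/reserved blocks.
        if not addr.is_global:
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"
```

Resolving once and then letting an HTTP client resolve again leaves a window for DNS rebinding; in a real gateway, pin the connection to the address that passed the check (or re-run the check on the address actually connected to) rather than only on the hostname.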

Webhooks

Webhook signing secrets are generated per subscription and returned only once at creation time. The control plane stores encrypted webhook secrets and signs deliveries with HMAC-SHA256. Webhook delivery is best-effort. Consumers should handle duplicate events and should verify signatures before processing payloads.
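As an added example of a consumer that follows those rules (not code from the AcornOps project), the block below verifies the HMAC-SHA256 signature over the raw body before parsing, then drops deliveries whose event id was already processed. The header encoding ("sha256=" followed by the hex digest), the presence of an "id" field in the event JSON, and the de-duplication window are assumptions; check the delivery format your subscription actually uses. The signing function exists here only so the example can construct a valid delivery offline.

```python
import hashlib
import hmac
import json
import time

SIGNATURE_PREFIX = "sha256="  # assumed header encoding for this example


def sign_delivery(secret: bytes, body: bytes) -> str:
    """Producer-side signature over the raw body: HMAC-SHA256, hex-encoded."""
    return SIGNATURE_PREFIX + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Constant-time comparison of the presented signature against a recomputed one."""
    if not isinstance(header_value, str) or not header_value.startswith(SIGNATURE_PREFIX):
        return False
    return hmac.compare_digest(sign_delivery(secret, body), header_value)


class WebhookConsumer:
    """Verifies, de-duplicates and dispatches deliveries for one subscription.

    secret is the value returned once at subscription creation; store it in
    your own secret store, since it cannot be retrieved again.
    """

    def __init__(self, secret: bytes, dedupe_window=86400, clock=time.time):
        self._secret = secret
        self._window = dedupe_window
        self._clock = clock
        self._seen = {}  # event id -> time it was processed

    def _expire(self, now):
        for event_id, seen_at in list(self._seen.items()):
            if now - seen_at > self._window:
                del self._seen[event_id]

    def handle(self, raw_body: bytes, signature_header, process) -> str:
        # 1. Authenticate the exact bytes received before parsing or acting on them.
        if not verify_signature(self._secret, raw_body, signature_header):
            return "rejected: bad signature"
        # 2. Parse only after the signature checked out.
        try:
            event = json.loads(raw_body)
            event_id = event["id"]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed event"
        # 3. Best-effort delivery means redelivery; ignore ids already processed.
        now = self._clock()
        self._expire(now)
        if event_id in self._seen:
            return "duplicate"
        # Exceptions propagate and the id is not recorded, so a redelivery
        # reprocesses it; make process() idempotent for the same reason.
        process(event)
        self._seen[event_id] = now
        return "processed"
```

The seen-id set is bounded by the window, so a redelivery that arrives after the window is processed again; pick a window longer than the longest retry interval you expect, and make the handler idempotent on the event id rather than relying on the cache alone.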