modulex.toml.example

# modulex example configuration — the good-morning routine.
#
# Search order: $MODULEX_CONFIG → ./modulex.toml → ~/.modulex/config.toml
#
# SECURITY: this file holds credential REFERENCES, never values.
#   {env = "NAME"}   read from the modulex process environment
#   {file = "path"}  read from a file (~ expanded, trimmed)
#   {cmd = "..."}    run a command (exec-gated) and use its stdout
#
# Leash: without [caveats] (and without $MODULEX_CAVEATS), the exec grant
# defaults to exactly the programs the steps below declare — nothing else
# can be spawned.

[identity]
username = "your-forge-username"
gitlab_host = "gitlab.example.com"

[shared]
repos = ["~/workspaces/project-a", "~/workspaces/project-b"]
github_repos = ["you/project-a"]
gitlab_projects = ["group/service"]

[[shared.gitlab_groups]]
name = "group"
scan = "recent" # last 7 days; "all" = all open
per_page = 20

[board]
path = "~/workspaces/knowledge/board"
lanes = ["p0", "p1"]

[chores]
path = "~/workspaces/knowledge/board"

[[deadlines]]
label = "Conference CFP"
date = "2026-07-01"
notes = "submit abstract"

[[countdowns]]
label = "Project ramp"
start_date = "2026-06-01"
end_date = "2026-07-15"
total_work_days = 30
display = "{label}: work day {n} of {total}"

# Optional MCP tool exposure (progressive disclosure). Without [mcp] the
# default index is exposed: core (run/list/report/discovery) + the store
# dispatch trio — ≤12 tools, CI-pinned. The classic per-record store tools
# (reminder_add, watch_add, ...) live in the "store-classic" facet:
# unlisted but discoverable via tool_search and callable via tool_invoke.
# $MODULEX_TOOLS="core,store,store-classic" overrides; `deny` kills a facet
# entirely (unlisted, undiscoverable, uncallable). The "board" and "mcp"
# (downstream-MCP registry, mcp_register) facets are also opt-in: unlisted by
# default, discoverable via tool_search and callable via tool_invoke.
# [mcp]
# expose = ["core", "store", "store-classic", "mcp"]
# deny = []

# Optional explicit leash (tier 2; $MODULEX_CAVEATS JSON is tier 1):
# [caveats]
# fs_read = "all"
# fs_write = "all"
# exec = { only = ["git", "gh", "glab", "pa", "python3"] }
# net = "all"
# max_calls = "unlimited"
# valid_for_generation = "all"

[routines.morning]
description = "Good morning dashboard"

# --- Phase: repo health (parallel batch) ---

[[routines.morning.steps]]
name = "tend repos"
type = "git-tend" # git fetch --all --prune && git pull --ff-only per repo
parallel = true

[[routines.morning.steps]]
name = "working trees"
type = "git-status"
parallel = true

[[routines.morning.steps]]
name = "unpushed"
type = "git-unpushed"
parallel = true

# --- Phase: agent state (reminders + watched pages) ---
# Agents register these at any time via MCP tools (reminder_add, watch_add,
# countdown_add, ...) or `modulex remind add` — no config edits. State lives
# in the store ($MODULEX_STORE → [store] path → ~/.modulex/store.db).

[[routines.morning.steps]]
name = "reminders"
type = "reminders"

[[routines.morning.steps]]
name = "watched pages"
type = "url-watch" # leashed in-proc fetch: net Caveats axis + SSRF screening

# --- Phase: downstream MCP proxy (issue #7) ---
# Register a downstream MCP server once (mcp_register tool or `store import`):
#   mcp_register{action:"add", name:"gh", command:"gh-mcp", args:["serve"]}
# then call its tools through modulex — the agent never sees the credentials.
# The downstream command must be in the exec grant (declare `command` inline
# below so it joins the declared-default grant, or list it in [caveats] exec).
# Credentials are REFERENCES resolved at spawn time, never inlined or stored.
# [[routines.morning.steps]]
# name = "open issues"
# type = "mcp-query"
# server = "gh"                       # a name registered via mcp_register
# tool = "list_issues"                # the downstream tool to call
# command = "gh-mcp"                  # declare for the grant (store can't widen it)
# arguments = { repo = "owner/name", state = "open" }
# env = { GITHUB_TOKEN = { cmd = "secret-tool lookup gh-token" } }

# --- Phase: deadlines & countdowns (config + store, merged) ---

[[routines.morning.steps]]
name = "deadlines"
type = "deadline-calc"

[[routines.morning.steps]]
name = "countdowns"
type = "countdown-calc"

# --- Phase: review queues (parallel batch) ---

[[routines.morning.steps]]
name = "github PRs"
type = "github-pr-scan"
parallel = true
env = { GH_TOKEN = { env = "GH_TOKEN" } }

[[routines.morning.steps]]
name = "review queue"
type = "gitlab-mr-review"
parallel = true
env = { GITLAB_TOKEN = { cmd = "pass show gitlab/token" } }

[[routines.morning.steps]]
name = "team MRs"
type = "gitlab-group-mrs"

[[routines.morning.steps]]
name = "MR SLA"
type = "mr-sla-check"
response_hours = 24

# --- Phase: board & chores (pure fs scans) ---

[[routines.morning.steps]]
name = "board"
type = "board-scan"

[[routines.morning.steps]]
name = "chores"
type = "chores-check"

# --- Phase: host health (modulex-plugin-health, default feature) ---

[[routines.morning.steps]]
name = "disk"
type = "disk-check"
mounts = ["/"]
warn_percent = 80
crit_percent = 90

[[routines.morning.steps]]
name = "gpu"
type = "gpu-check" # nvidia-smi → /proc driver → lspci fallback chain

# [[routines.morning.steps]]
# name = "services"
# type = "service-check"
# services = ["sshd"]

# --- Phase: external tools ---

# An AI harness in an enclave: flags in, one JSON object out.
[[routines.morning.steps]]
name = "assistant briefing"
type = "harness"
command = "pa"
args = ["briefing", "--json"]
timeout = 120
env = { PA_TOKEN = { file = "~/.keys/pa-token" } }

# Any script; trimmed stdout becomes the report section.
[[routines.morning.steps]]
name = "weather"
type = "script"
command = "~/bin/weather.sh"
timeout = 30

# A plugin under the modulex-plugin/1 contract (one JSON object stdin→stdout,
# any language; see examples/standup_notes.py).
[[routines.morning.steps]]
name = "standup notes"
type = "python"
script = "~/.modulex/plugins/standup_notes.py"
interpreter = "python3"
timeout = 60