5  Configuration Reference

5.1 .tactus/config.yml

openai_api_key: "sk-..."          # keep private

aws:
  access_key_id: "AKIA..."
  secret_access_key: "..."
  default_region: "us-east-1"

# Defaults (can be overridden per Agent)
default_provider: "openai"
default_model: "gpt-4o-mini"

# Python plugin tool discovery
tool_paths:
  - "./tools"
  - "./plugins"

# MCP servers (tool providers)
mcp_servers:
  filesystem:
    command: "npx"
    args: ["-y", "@modelcontextprotocol/server-filesystem", "/workspace"]

# Sandbox (Docker) execution
sandbox:
  enabled: true
  timeout: 3600
  network: "bridge"
  mount_current_dir: true      # default: mount current directory
  volumes:
    - "../data:/data:ro"        # additional mounts
    - "./output:/output:rw"
  limits:
    memory: "2g"
    cpus: "2"

5.2 Sandbox Volumes

5.2.1 Default Behavior

Current directory automatically mounted to /workspace:rw.

5.2.2 Configuration Syntax

sandbox:
  mount_current_dir: true  # default
  volumes:
    - "../data:/workspace/data:ro"     # read-only
    - "./output:/workspace/output:rw"  # read-write

5.2.3 Common Patterns

Pattern Use Case
.:/workspace:rw Full project access (default)
./output:/workspace/output:rw Output directory only
../repo:/workspace/external:ro Cross-repository data
~/.config:/config:ro User config access

5.2.4 Disabling Default Mount

sandbox:
  mount_current_dir: false
  volumes:
    - "./output:/workspace/output:rw"  # Only mount output

5.2.5 Path Resolution

  • Relative paths resolve from procedure directory
  • ~ expands to home directory
  • Absolute paths used as-is

5.2.6 Volume Modes

  • :ro - Read-only (safer when you don’t need writes)
  • :rw - Read-write (default if not specified)

5.3 Environment Variables

Variable Purpose
OPENAI_API_KEY OpenAI API key
AWS_ACCESS_KEY_ID AWS access key
AWS_SECRET_ACCESS_KEY AWS secret key
AWS_DEFAULT_REGION AWS region
GOOGLE_API_KEY Google API key

5.4 Configuration Priority

  1. CLI args (highest)
  2. Sidecar: {procedure}.tac.yml
  3. Directory cascade: .tactus/config.yml (current directory and parents)
  4. User config: ~/.tactus/config.yml (or ~/.config/tactus/config.yml)
  5. System config: /etc/tactus/config.yml (and /usr/local/etc/tactus/config.yml)
  6. Environment variables (fallback)