Skip to main content

Configuration Schema Reference

Complete reference for config.yaml version 6. This file is the single source of truth for all CCS configuration. Location: ~/.ccs/config.yaml Format: YAML Current Version: 6

Version History

VersionReleaseKey Changes
v62025-12Customizable auth tokens, variant-specific auth
v52025-10Remote proxy configuration
v42025-08Copilot API integration
v32025-06WebSearch config with model configuration
v22025-04Initial YAML unified format
v12025-02Legacy JSON format (deprecated)

Root Schema

version: 6                    # REQUIRED - Schema version
default: <profile-name>       # OPTIONAL - Default profile name

accounts: {...}               # Account-based profiles
profiles: {...}               # API-based profiles
cliproxy: {...}               # OAuth provider configuration
preferences: {...}            # User preferences
websearch: {...}              # WebSearch configuration
global_env: {...}             # Global environment variables
copilot: {...}                # GitHub Copilot integration
cliproxy_server: {...}        # Remote/local proxy configuration

CLIProxy Configuration

cliproxy.backend

Type: String (original | plus) Priority: HIGH Purpose: Select CLIProxy backend variant 
cliproxy:
  backend: plus  # Default: plus
Behavior:
  • original: CLIProxyAPI (no Kiro/ghcp support)
  • plus: CLIProxyAPIPlus (all providers including Kiro/ghcp)
  • Backend-specific binaries stored in ~/.ccs/bin/original/ and ~/.ccs/bin/plus/
Provider Requirements:
  • Kiro, ghcp: Require backend: plus
  • All other providers work on both backends
Use Cases:
  • Use original for minimal install if Kiro/ghcp not needed
  • Use plus for full provider support (recommended, default)
Related: --backend CLI flag, provider compatibility

cliproxy.variants.<name>.auth

Type: Object Priority: HIGH Purpose: Per-variant auth override 
cliproxy:
  variants:
    my-gemini:
      provider: gemini
      auth:
        api_key: "custom-key-123"
        management_secret: "custom-secret-456"
Behavior:
  • Overrides global cliproxy.auth for specific variant
  • Useful for different auth credentials per variant
  • Both keys optional (falls back to global)
Use Cases:
  • Separate auth for dev/prod variants
  • Per-team auth credentials
  • Testing with different API keys

cliproxy.variants.<name>.port

Type: Integer (1-65535, recommended: 8318-8417) Priority: HIGH Purpose: Port isolation for concurrent variants 
cliproxy:
  variants:
    gemini-dev:
      provider: gemini
      port: 8318
    gemini-prod:
      provider: gemini
      port: 8319
Behavior:
  • Assigns unique port for variant isolation
  • Allows multiple variants to run simultaneously
  • Accepts any valid port (1-65535), recommended range: 8318-8417 for CCS variants
  • Default: Auto-assigned if not specified
Use Cases:
  • Run dev and prod variants concurrently
  • Isolate variants for different teams
  • Avoid port conflicts in multi-user environments

cliproxy.auth.api_key

Type: String Priority: MEDIUM Purpose: Global API key for CLIProxyAPI 
cliproxy:
  auth:
    api_key: "ccs-internal-managed"  # Default
Behavior:
  • Used for CLIProxyAPI authentication
  • Sent in x-api-key header
  • Can be overridden per-variant via variants.<name>.auth.api_key
  • Default: "ccs-internal-managed"
Security: Store securely, do not commit to version control

cliproxy.auth.management_secret

Type: String Priority: MEDIUM Purpose: Global management secret for CLIProxyAPI 
cliproxy:
  auth:
    management_secret: "ccs"  # Default
Behavior:
  • Used for CLIProxyAPI management endpoints
  • Sent in x-management-secret header
  • Can be overridden per-variant via variants.<name>.auth.management_secret
  • Default: "ccs"
Use Cases:
  • Separate auth for management vs API operations
  • Enhanced security for admin endpoints

cliproxy.kiro_no_incognito

Type: Boolean Priority: MEDIUM Purpose: Disable incognito mode for Kiro provider 
cliproxy:
  kiro_no_incognito: false  # Default: false
Behavior:
  • false: Use incognito mode (default, no persistent session)
  • true: Use normal browser mode (saves cookies/session)
Use Cases:
  • Persistent AWS SSO login for Kiro
  • Avoid re-entering credentials on each auth
  • Development/testing with saved browser state
Related: --no-incognito CLI flag

cliproxy.logging.enabled

Type: Boolean Priority: LOW Purpose: Enable CLIProxy logging to disk 
cliproxy:
  logging:
    enabled: false  # Default: false
Behavior:
  • false: No disk logging (default, prevents bloat)
  • true: Write logs to ~/.ccs/cliproxy/logs/
Warning: Logging can consume significant disk space. Enable only for debugging.

cliproxy.logging.request_log

Type: Boolean Priority: LOW Purpose: Enable detailed request logging 
cliproxy:
  logging:
    enabled: true
    request_log: false  # Default: false
Behavior:
  • false: Log errors/warnings only
  • true: Log all HTTP requests/responses
  • Requires logging.enabled: true
Warning: Very verbose. Use only for troubleshooting specific issues.

cliproxy.token_refresh.enabled

Type: Boolean Priority: MEDIUM Purpose: Enable background token refresh worker 
cliproxy:
  token_refresh:
    enabled: false  # Default: false
Behavior:
  • false: On-demand refresh only (5 min before expiry)
  • true: Background worker refreshes tokens at intervals
Use Cases:
  • Long-running services needing proactive refresh
  • Preventing mid-request token expiry
  • CI/CD environments with extended sessions

cliproxy.token_refresh.interval_minutes

Type: Integer (minutes) Priority: LOW Purpose: Background refresh check interval 
cliproxy:
  token_refresh:
    enabled: true
    interval_minutes: 30  # Default: 30
Behavior:
  • Worker checks all tokens every N minutes
  • Only refreshes tokens approaching expiry

cliproxy.token_refresh.preemptive_minutes

Type: Integer (minutes) Priority: LOW Purpose: Refresh tokens expiring within N minutes 
cliproxy:
  token_refresh:
    enabled: true
    preemptive_minutes: 45  # Default: 45
Behavior:
  • Tokens expiring within this window are refreshed
  • Higher values = more proactive refresh
  • Prevents UND_ERR_SOCKET errors from stale tokens

cliproxy.token_refresh.max_retries

Type: Integer Priority: LOW Purpose: Maximum refresh retry attempts 
cliproxy:
  token_refresh:
    enabled: true
    max_retries: 3  # Default: 3
Behavior:
  • Retries on transient failures
  • Logs warning after max retries exceeded
  • Does not re-authenticate (requires user action)

cliproxy.token_refresh.verbose

Type: Boolean Priority: LOW Purpose: Enable debug logging for token refresh 
cliproxy:
  token_refresh:
    enabled: true
    verbose: true  # Default: false
Behavior:
  • Logs all refresh attempts to console
  • Useful for debugging token issues
  • Output: timestamps, providers, success/failure

CLIProxy Server Configuration

cliproxy_server.fallback.enabled

Type: Boolean Priority: HIGH Purpose: Enable fallback to local proxy if remote fails 
cliproxy_server:
  fallback:
    enabled: true  # Default: true
Behavior:
  • true: Try local proxy if remote unreachable
  • false: Fail with PROXY_ERROR if remote fails
Use Cases:
  • Graceful degradation for network issues
  • Offline work capability
  • Testing without remote infrastructure
Related: --remote-only CLI flag

cliproxy_server.fallback.auto_start

Type: Boolean Priority: MEDIUM Purpose: Auto-start local proxy on fallback 
cliproxy_server:
  fallback:
    enabled: true
    auto_start: false  # Default: false
Behavior:
  • false: Use existing local proxy only
  • true: Spawn local proxy if not running
Use Cases:
  • Seamless fallback without manual intervention
  • Ensure proxy always available

cliproxy_server.remote.management_key

Type: String Priority: MEDIUM Purpose: Separate management key for remote proxy 
cliproxy_server:
  remote:
    enabled: true
    host: "proxy.example.com"
    auth_token: "api-token-123"
    management_key: "mgmt-key-456"  # Optional
Behavior:
  • Used for management endpoints on remote proxy
  • Falls back to auth_token if not specified
  • Allows separate credentials for API vs management
Security: Use different keys for production environments

cliproxy_server.remote.timeout

Type: Integer (milliseconds) Priority: LOW Purpose: Health check timeout for remote proxy 
cliproxy_server:
  remote:
    enabled: true
    host: "proxy.example.com"
    timeout: 2000  # Milliseconds (defaults to 2000ms if not specified)
Behavior:
  • Used for initial health check only
  • Higher values for slow networks
  • Does NOT affect API request timeouts
Related: --proxy-timeout CLI flag

Quota Management Configuration

quota_management.mode

Type: String (auto | manual | hybrid) Priority: MEDIUM Purpose: Account selection strategy for OAuth providers 
quota_management:
  mode: hybrid  # Default: hybrid
Behavior:
  • auto: CCS selects account based on quota/tier automatically
  • manual: Only use paused/forced_default settings
  • hybrid: Auto-selection respects manual overrides (recommended)

quota_management.auto.preflight_check

Type: Boolean Priority: HIGH Purpose: Check quota before starting Claude session 
quota_management:
  auto:
    preflight_check: true  # Default: true
Behavior:
  • true: Check account quota before request, auto-switch if exhausted
  • false: Skip pre-flight check, rely on 429 error handling
Use Cases:
  • Prevent delays from exhausted accounts
  • Smoother multi-account experience

quota_management.auto.exhaustion_threshold

Type: Integer (0-100, percentage) Priority: LOW Purpose: Quota % below which account is “exhausted” 
quota_management:
  auto:
    exhaustion_threshold: 5  # Default: 5%
Behavior:
  • Accounts below threshold are skipped in rotation
  • Prevents using nearly-exhausted accounts

quota_management.auto.tier_priority

Type: Array of strings Priority: LOW Purpose: Account tier preference order 
quota_management:
  auto:
    tier_priority: ["paid"]  # Default: ["paid"]
Behavior:
  • Accounts sorted by tier priority, then by quota %
  • Tiers not in list get lowest priority
Available Tiers:
  • paid - Paid subscription accounts
  • free - Free tier accounts
  • unknown - Tier detection failed

quota_management.auto.cooldown_minutes

Type: Integer (minutes) Priority: LOW Purpose: Skip exhausted accounts for N minutes 
quota_management:
  auto:
    cooldown_minutes: 5  # Default: 5
Behavior:
  • Exhausted accounts are skipped for cooldown period
  • Prevents repeated failed attempts on same account

quota_management.manual.paused_accounts

Type: Array of strings Priority: HIGH Purpose: Accounts to skip in rotation 
quota_management:
  manual:
    paused_accounts: []  # Default: []
Behavior:
  • Listed accounts are never selected automatically
  • Set via ccs cliproxy pause <provider> <account>
  • Remove via ccs cliproxy resume <provider> <account>

quota_management.manual.forced_default

Type: String | null Priority: HIGH Purpose: Force specific account for all requests 
quota_management:
  manual:
    forced_default: null  # Default: null
Behavior:
  • null: Normal account rotation
  • <email>: Always use this account
Use Cases:
  • Testing specific account
  • Temporarily override rotation

quota_management.manual.tier_lock

Type: String | null Priority: MEDIUM Purpose: Only use accounts of specific tier 
quota_management:
  manual:
    tier_lock: null  # Default: null
Behavior:
  • null: Use all tiers
  • paid: Only paid accounts
  • free: Only free accounts

Global Environment Variables

global_env.enabled

Type: Boolean Priority: MEDIUM Purpose: Enable global env var injection 
global_env:
  enabled: true  # Default: true
Behavior:
  • true: Inject global_env.env into all non-Claude profiles
  • false: Disable feature
Use Cases:
  • Disable Claude Code telemetry for proxy providers
  • Set common env vars across all profiles

global_env.env

Type: Object (key-value pairs) Priority: MEDIUM Purpose: Environment variables for all non-Claude profiles 
global_env:
  enabled: true
  env:
    DISABLE_BUG_COMMAND: "1"
    DISABLE_ERROR_REPORTING: "1"
    DISABLE_TELEMETRY: "1"
Behavior:
  • Applied to settings-based and CLIProxy profiles
  • NOT applied to native Claude or account-based profiles
  • Merged with profile-specific env vars
Default Values:
  • DISABLE_BUG_COMMAND: "1"
  • DISABLE_ERROR_REPORTING: "1"
  • DISABLE_TELEMETRY: "1"
Use Cases:
  • Disable Claude Code telemetry globally
  • Set API base URLs
  • Configure logging levels

WebSearch Configuration

websearch.providers.gemini.model

Type: String Priority: LOW Purpose: Gemini model for WebSearch feature 
websearch:
  providers:
    gemini:
      enabled: true
      model: "gemini-2.5-flash"  # Default
      timeout: 55
Behavior:
  • Used by WebSearch hook for third-party profiles
  • Free tier: 1000 requests/day
  • Falls back to OpenCode/Grok if fails
Available Models:
  • gemini-2.5-flash (default, fastest)
  • gemini-2.5-pro (more accurate)

websearch.providers.gemini.timeout

Type: Integer (seconds) Priority: LOW Purpose: Gemini CLI timeout for WebSearch 
websearch:
  providers:
    gemini:
      timeout: 55  # Default: 55 seconds
Behavior:
  • Max time for single WebSearch request
  • Prevents hanging on slow responses
  • Falls back to next provider on timeout

websearch.providers.opencode

Type: Object Priority: LOW Purpose: OpenCode provider configuration 
websearch:
  providers:
    opencode:
      enabled: false  # Default: false
      model: "opencode/grok-code"
      timeout: 90
Behavior:
  • Free provider via Zen platform
  • Requires OpenCode CLI installed
  • Fallback option after Gemini
Activation:
  • Set enabled: true
  • Install: npm install -g opencode

websearch.providers.grok

Type: Object Priority: LOW Purpose: Grok CLI provider configuration 
websearch:
  providers:
    grok:
      enabled: false  # Default: false
      timeout: 55
Behavior:
  • Requires GROK_API_KEY environment variable
  • Paid API, better quality than free providers
  • Last fallback option
Activation:
  • Set enabled: true
  • Set GROK_API_KEY env var
  • Install: npm install -g @vibe-kit/grok-cli

Copilot Configuration

copilot.account_type

Type: String (individual | business) Priority: LOW Purpose: GitHub Copilot subscription type 
copilot:
  enabled: false
  account_type: individual  # Default: individual
Behavior:
  • individual: Personal subscription
  • business: Enterprise/team subscription
Use Cases:
  • Billing/usage tracking
  • Feature access control

copilot.rate_limit

Type: Integer | null Priority: LOW Purpose: Rate limiting for Copilot API 
copilot:
  rate_limit: null  # Default: null (no limit)
Behavior:
  • null: No rate limiting
  • Integer: Max requests per minute
Use Cases:
  • Prevent API abuse
  • Control costs for business accounts

copilot.wait_on_limit

Type: Boolean Priority: LOW Purpose: Wait vs fail on rate limit 
copilot:
  rate_limit: 60
  wait_on_limit: true  # Default: true
Behavior:
  • true: Wait until rate limit window resets
  • false: Fail with error immediately

Configuration Patterns

Priority Resolution

CCS resolves configuration values in this order:
  1. CLI Flags (highest priority)
  2. Environment Variables
  3. config.yaml
  4. Defaults (lowest priority)
Example: 
# All three set the same value
ccs gemini --proxy-host proxy.example.com                # CLI flag
CCS_PROXY_HOST=proxy.example.com ccs gemini              # Env var
# config.yaml: cliproxy_server.remote.host: proxy.example.com
Result: CLI flag wins, then env var, then config file

Variant Isolation Pattern

Run multiple variants concurrently without conflicts: 
cliproxy:
  variants:
    gemini-dev:
      provider: gemini
      port: 8318
      auth:
        api_key: "dev-key"
        management_secret: "dev-secret"

    gemini-prod:
      provider: gemini
      port: 8319
      auth:
        api_key: "prod-key"
        management_secret: "prod-secret"
Usage: 
ccs gemini-dev   # Port 8318, dev credentials
ccs gemini-prod  # Port 8319, prod credentials

Remote Proxy with Fallback Pattern

Graceful degradation for network issues: 
cliproxy_server:
  remote:
    enabled: true
    host: "proxy.example.com"
    port: 8443
    protocol: "https"
    auth_token: "remote-token"
    timeout: 5000

  fallback:
    enabled: true
    auto_start: true

  local:
    port: 8317
    auto_start: true
Behavior:
  1. Try remote proxy at https://proxy.example.com:8443
  2. If unreachable after 5s, fall back to local proxy
  3. Auto-start local proxy if not running
  4. Use local proxy on port 8317

Dashboard Authentication

Optional username/password protection for the CCS dashboard.
See Dashboard Authentication for full setup guide.

dashboard_auth.enabled

Type: Boolean Priority: HIGH Purpose: Enable dashboard login requirement 
dashboard_auth:
  enabled: false  # Default: false
Behavior:
  • false: Dashboard accessible without login (default)
  • true: Requires username/password to access dashboard

dashboard_auth.username

Type: String Priority: HIGH Purpose: Login username 
dashboard_auth:
  username: "admin"

dashboard_auth.password_hash

Type: String (bcrypt hash) Priority: HIGH Purpose: Bcrypt-hashed password 
dashboard_auth:
  password_hash: "$2b$10$..."
Generate hash: 
npx bcrypt-cli hash 'your-password'
Never store plain-text passwords. Always use bcrypt hash.

dashboard_auth.session_timeout_hours

Type: Integer Priority: LOW Purpose: Session duration before re-login required 
dashboard_auth:
  session_timeout_hours: 24  # Default: 24

Dashboard Auth Environment Variables

VariableMaps To
CCS_DASHBOARD_AUTH_ENABLEDdashboard_auth.enabled
CCS_DASHBOARD_USERNAMEdashboard_auth.username
CCS_DASHBOARD_PASSWORD_HASHdashboard_auth.password_hash
CCS_SESSION_SECRETCustom session encryption key
Environment variables override config.yaml values.

Migration from v5 to v6

Version 6 adds customizable auth tokens. Migration is automatic. Changes:
  • Added cliproxy.auth.api_key (default: "ccs-internal-managed")
  • Added cliproxy.auth.management_secret (default: "ccs")
  • Added cliproxy.variants.<name>.auth for per-variant override
  • Added cliproxy_server.remote.management_key for separate management auth
Action Required:
  • None (automatic migration with defaults)
  • Optional: Customize auth keys for enhanced security

Validation Rules

CCS validates configuration on load. Common errors: Schema Errors:
  • version must be integer 2-6
  • Ports must be 1-65535
  • Boolean fields reject non-boolean values
Semantic Errors:
  • Variant names must not conflict with built-in providers
  • Profile names cannot be reserved words
  • Email addresses must be valid format
  • Hostnames must be valid DNS/IP
Recovery:
  • Run ccs doctor --fix for auto-repair
  • Run ccs migrate for version upgrades
  • Delete corrupt config and run ccs setup