Capability Badges
-
Files
+
+ Files
+
+
Agents
@@ -92,7 +97,7 @@
oAI-Web (agent name: {{ agent_name }} ) is a secure, self-hosted personal AI agent
built on the Claude API with full tool-use support. It runs on your home server and exposes a clean
web interface for use inside your local network. The agent can read email, browse the web, manage
- calendar events, read and write files, send push notifications, generate images, and more — all via
+ calendar events, read and write files, send push notifications, generate images, and more - all via
a structured tool-use loop with optional confirmation prompts before side-effects.
@@ -100,7 +105,7 @@
An API key for at least one AI provider: Anthropic or OpenRouter
Python 3.12+ (or Docker)
- PostgreSQL (with asyncpg) — the main application databasePostgreSQL (with asyncpg) - the main application databasePostgreSQL + pgvector extension only required if you use the 2nd Brain feature (can be the same server)
@@ -111,7 +116,7 @@
On first boot with zero users, you are redirected to /setup to create the first admin account
Open Settings → Credentials and add any additional credentials (CalDAV, email, Pushover, etc.)
Add email recipients via Settings → Whitelists → Email Whitelist
- Add filesystem directories via Settings → Whitelists → Filesystem Sandbox — the agent cannot touch any path outside these directories
+ Add filesystem directories via Settings → Whitelists → Filesystem Sandbox - the agent cannot touch any path outside these directories
Optionally set system:users_base_folder in Credentials to enable per-user file storage (e.g. /data/users)
Optionally configure email accounts and Telegram via their respective Settings tabs
@@ -119,7 +124,7 @@
Key Concepts
Agent
- A configured AI persona with a model, system prompt, optional schedule, and restricted tool set. Agents run headlessly — no confirmation prompts, results logged in run history.
+ A configured AI persona with a model, system prompt, optional schedule, and restricted tool set. Agents run headlessly - no confirmation prompts, results logged in run history.
Tool
A capability the AI can invoke: read a file, send an email, fetch a web page, generate an image, etc. Every tool call is logged in the Audit Log.
Confirmation
@@ -127,7 +132,7 @@
Audit Log
An append-only record of every tool call, its arguments, and outcome. Never auto-deleted unless you configure a retention period.
Credential Store
- An AES-256-GCM encrypted key-value store in PostgreSQL. All secrets (API keys, passwords) live here — never in the agent's context window.
+ An AES-256-GCM encrypted key-value store in PostgreSQL. All secrets (API keys, passwords) live here - never in the agent's context window.
User Folder
When system:users_base_folder is set, each user gets a personal folder at {base}/{username}/. Agents and the Files page scope all file access to this folder automatically.
@@ -143,7 +148,7 @@
Sending Messages
Press Enter to send. Use Shift+Enter for a newline within your message.
- The Clear History button (✕) in the status bar wipes the in-memory conversation for the current session — the agent starts fresh.
+ The Clear History button (✕) in the status bar wipes the in-memory conversation for the current session - the agent starts fresh.
File Attachments
@@ -151,7 +156,7 @@
The paperclip button (📎) in the input bar opens a file picker. Only shown when the active model supports vision or documents. Supported formats:
- Images : JPEG, PNG, GIF, WebP, AVIF — shown as thumbnails in the preview stripImages : JPEG, PNG, GIF, WebP, AVIF - shown as thumbnails in the preview stripPDF : shown as a file chip with the filename in the preview strip
@@ -169,18 +174,18 @@
Capability Badges
Small badges in the status bar show what the active model supports:
- 🎨 Image Gen — can generate images (use via the image_gen tool in agents)
- 👁 Vision — can read images and PDFs; the attachment button is shown
- 🔧 Tools — supports tool/function calling
- 🌐 Online — has live web access built in
+ 🎨 Image Gen - can generate images (use via the image_gen tool in agents)
+ 👁 Vision - can read images and PDFs; the attachment button is shown
+ 🔧 Tools - supports tool/function calling
+ 🌐 Online - has live web access built in
Tool Indicators
While the agent is working, small badges appear below each message:
- ● Pulsing blue — tool is currently running● Solid green — tool completed successfully● Solid red — tool failed or returned an error● Pulsing blue - tool is currently running● Solid green - tool completed successfully● Solid red - tool failed or returned an error
Confirmation Modal
@@ -210,16 +215,38 @@
Downloading
- Download — downloads an individual file.↓ ZIP — downloads an entire folder (and its contents) as a ZIP archive. The Download folder as ZIP button in the header always downloads the current folder.Download - downloads an individual file.↓ ZIP - downloads an entire folder (and its contents) as a ZIP archive. The Download folder as ZIP button in the header always downloads the current folder.
+ Uploading Files
+
+ The Upload button (↑ arrow icon) in the header lets you upload one or more files directly into your current folder.
+
+
+ Click Upload and select one or more files from your device.
+ Files are uploaded to whichever folder you are currently browsing - navigate to the target folder first.
+ If a file with the same name already exists it will be overwritten without a prompt, so check the folder contents before uploading.
+ The file list refreshes automatically once the upload completes.
+
+ Upload limits
+ Uploads are restricted by a policy configurable by your administrator under Settings → Security → File Upload Policy :
+
+ Allowed types : only common text/code files, images (JPG, PNG, GIF, WebP, SVG, …), and PDF are accepted by default. Files with other extensions are rejected.Max file size : 50 MB per file (default).Max files per upload : 20 files at once (default).
+ Both limits are checked in the browser before the upload starts, and enforced again on the server. Rejected files are listed in a flash notification; accepted files in the same batch are still uploaded.
+
+ The Upload button is only shown when a data folder is configured for your account. If it is missing, ask your administrator to set system:users_base_folder.
+
+
Deleting Files
A red Delete button appears next to downloadable files. Clicking it shows a confirmation dialog before the file is permanently removed. Deletion is instant and cannot be undone.
- Protected files : files whose names start with memory_ or reasoning_ cannot be deleted from the UI. These are agent memory and decision logs maintained by email handling agents — deleting them would disrupt the agent's continuity.
+ Protected files : files whose names start with memory_ or reasoning_ cannot be deleted from the UI. These are agent memory and decision logs maintained by email handling agents - deleting them would disrupt the agent's continuity.
No Folder Configured?
@@ -232,7 +259,7 @@
Agents
- Agents are headless AI personas with a fixed system prompt, model, and optional cron schedule. Unlike interactive chat, agents run without confirmation modals — their allowed tools are declared at creation time. Results and token usage are logged per-run in the Agents page.
+ Agents are headless AI personas with a fixed system prompt, model, and optional cron schedule. Unlike interactive chat, agents run without confirmation modals - their allowed tools are declared at creation time. Results and token usage are logged per-run in the Agents page.
Email handling agents (created automatically by Email Accounts setup) are hidden from the Agents list and Status tab. They are managed exclusively via Settings → Email Accounts .
@@ -241,18 +268,18 @@
Creating an Agent
Click New Agent on the Agents page. Required fields:
- Name — displayed in the UI and logsModel — any model from a configured providerPrompt — the agent's task description or system prompt (see Prompt Modes below)Name - displayed in the UI and logsModel - any model from a configured providerPrompt - the agent's task description or system prompt (see Prompt Modes below)
Optional fields:
- Description — shown in the agent list for referenceSchedule — cron expression for automatic runsAllowed Tools — restrict which tools the agent may useMax Tool Calls — per-run limit (overrides the system default)Sub-agents — toggle to allow this agent to create child agentsPrompt Mode — controls how the prompt is composed (see below)Description - shown in the agent list for referenceSchedule - cron expression for automatic runsAllowed Tools - restrict which tools the agent may useMax Tool Calls - per-run limit (overrides the system default)Sub-agents - toggle to allow this agent to create child agentsPrompt Mode - controls how the prompt is composed (see below)
Scheduling
@@ -260,10 +287,10 @@
minute hour day-of-month month day-of-week
Examples:
- 0 8 * * 1-5 — weekdays at 08:00*/15 * * * * — every 15 minutes0 9 * * 1 — every Monday at 09:0030 18 * * * — every day at 18:300 8 * * 1-5 - weekdays at 08:00*/15 * * * * - every 15 minutes0 9 * * 1 - every Monday at 09:0030 18 * * * - every day at 18:30
Use the Enable / Disable toggle to pause a schedule without deleting the agent.
@@ -278,12 +305,12 @@
System only
The standard system prompt is used as-is; the agent prompt becomes the task message sent to the agent. Useful when you want {{ agent_name }}'s full personality but just need to specify a recurring task.
Agent only
- The agent prompt fully replaces the system prompt — no SOUL.md, no security rules, no USER.md context. Use with caution. Suitable for specialized agents with a completely different persona.
+ The agent prompt fully replaces the system prompt - no SOUL.md, no security rules, no USER.md context. Use with caution. Suitable for specialized agents with a completely different persona.
- Leave Allowed Tools blank to give the agent access to all tools. Select specific tools to restrict — only those tool schemas are sent to the model, making it structurally impossible to use undeclared tools.
+ Leave Allowed Tools blank to give the agent access to all tools. Select specific tools to restrict - only those tool schemas are sent to the model, making it structurally impossible to use undeclared tools.
MCP server tools appear as a single server-level toggle (e.g. Gitea MCP), which enables all tools from that server. Individual built-in tools are listed separately.
@@ -297,7 +324,7 @@
Image Generation in Agents
- Agents can generate images using the image_gen tool. Important: the agent model must be a text/tool-use model (e.g. Claude Sonnet), not an image-generation model. The image_gen tool calls the image-gen model internally, saves the result to disk, and returns the file path. The default image-gen model is openrouter:openai/gpt-5-image — override via the system:default_image_gen_model credential.
+ Agents can generate images using the image_gen tool. Important: the agent model must be a text/tool-use model (e.g. Claude Sonnet), not an image-generation model. The image_gen tool calls the image-gen model internally, saves the result to disk, and returns the file path. The default image-gen model is openrouter:openai/gpt-5-image - override via the system:default_image_gen_model credential.
Generated images are saved to the agent's user folder. The file path is returned as the tool result so the agent can reference it.
@@ -308,7 +335,7 @@
Monitors
- The Monitors page lets you watch web pages and RSS feeds for changes, then automatically dispatch an agent or send a Pushover notification when something new appears. Monitors run on a schedule in the background — no manual checking needed.
+ The Monitors page lets you watch web pages and RSS feeds for changes, then automatically dispatch an agent or send a Pushover notification when something new appears. Monitors run on a schedule in the background - no manual checking needed.
Page Watchers
@@ -317,18 +344,18 @@
Fields when creating a page watcher:
- Name — displayed in the monitor listURL — the page to watchSchedule — cron expression (e.g. 0 * * * * = every hour)CSS Selector — optional; restricts the hash to a specific element on the page (e.g. #price or .headline). Leave blank to watch the entire page.Agent — agent to dispatch when a change is detectedNotification mode — agent (dispatch the agent), pushover (send a push notification), or bothName - displayed in the monitor listURL - the page to watchSchedule - cron expression (e.g. 0 * * * * = every hour)CSS Selector - optional; restricts the hash to a specific element on the page (e.g. #price or .headline). Leave blank to watch the entire page.Agent - agent to dispatch when a change is detectedNotification mode - agent (dispatch the agent), pushover (send a push notification), or both
The table shows Last checked and Last changed timestamps. Use the Check now button to force an immediate check outside the schedule.
- Page watchers use plain HTTP (not a real browser). For JavaScript-heavy pages where the interesting content is rendered client-side, the CSS selector approach may not work — the agent's browser tool is better suited for those.
+ Page watchers use plain HTTP (not a real browser). For JavaScript-heavy pages where the interesting content is rendered client-side, the CSS selector approach may not work - the agent's browser tool is better suited for those.
@@ -337,12 +364,12 @@
Fields when creating an RSS monitor:
- Name — displayed in the monitor listFeed URL — any RSS or Atom feed URLSchedule — cron expression (e.g. 0 */4 * * * = every 4 hours)Agent — agent to dispatch for new itemsMax items per run — cap on how many new items trigger the agent in one run (default: 5)Notification mode — agent, pushover, or bothName - displayed in the monitor listFeed URL - any RSS or Atom feed URLSchedule - cron expression (e.g. 0 */4 * * * = every 4 hours)Agent - agent to dispatch for new itemsMax items per run - cap on how many new items trigger the agent in one run (default: 5)Notification mode - agent, pushover, or both
Already-seen item IDs are tracked so the same item never triggers twice. The monitor sends ETag / If-Modified-Since headers to avoid downloading unchanged feeds unnecessarily. Use the Fetch now button to force an immediate run.
@@ -362,7 +389,7 @@
Expose an SSE endpoint at /sse
Use SSE transport (not stdio)
Be compatible with mcp==1.26.*
- If built with Python FastMCP: use uvicorn.run(mcp.sse_app(), host=..., port=...) — not mcp.run(host=..., port=...) (the latter ignores host/port in mcp 1.26)
+ If built with Python FastMCP: use uvicorn.run(mcp.sse_app(), host=..., port=...) - not mcp.run(host=..., port=...) (the latter ignores host/port in mcp 1.26)
If connecting from a non-localhost IP (e.g. 192.168.x.x): disable DNS rebinding protection:
from mcp.server.transport_security import TransportSecuritySettings
mcp = FastMCP(
@@ -373,7 +400,7 @@ mcp = FastMCP(
)
Without this, the server rejects requests with a 421 Misdirected Request error.
- oAI-Web connects per-call (open → use → close), not persistent — the server must handle this gracefully
+ oAI-Web connects per-call (open → use → close), not persistent - the server must handle this gracefully
Adding an MCP Server
@@ -382,10 +409,10 @@ mcp = FastMCP(
Click Add Server
Enter:
- Name — display name; also used for tool namespacing (slugified)URL — full SSE endpoint, e.g. http://192.168.1.72:8812/sseTransport — select sseAPI Key — optional bearer token if the server requires authenticationName - display name; also used for tool namespacing (slugified)URL - full SSE endpoint, e.g. http://192.168.1.72:8812/sseTransport - select sseAPI Key - optional bearer token if the server requires authentication
Click Save
@@ -395,7 +422,7 @@ mcp = FastMCP(
Tool Namespacing
A server named Gitea MCP (slugified: gitea_mcp) exposes tools as mcp__gitea_mcp__list_repos, mcp__gitea_mcp__create_issue, etc.
- In the agent tool picker, the entire server appears as a single toggle — enabling it grants access to all of its tools.
+ In the agent tool picker, the entire server appears as a single toggle - enabling it grants access to all of its tools.
Refreshing Tool Discovery
@@ -412,7 +439,7 @@ mcp = FastMCP(
General (Admin)
Agent Control : Pause / Resume the global kill switchRuntime Limits : Max Tool Calls (per run) and Max Autonomous Runs per Hour — stored in the credential store for live override without restartRuntime Limits : Max Tool Calls (per run) and Max Autonomous Runs per Hour - stored in the credential store for live override without restartTrusted Proxy IPs : Comma-separated IPs for X-Forwarded-For trust (requires restart)Users Base Folder : Set system:users_base_folder to an absolute path (e.g. /data/users) to enable per-user file storage. Each user's folder at {base}/{username}/ is created automatically.Audit Log Retention : Set a retention period in days (0 = keep forever); manual clear availableCredentials (Admin)
- A generic AES-256-GCM encrypted key-value store for API keys and other secrets. Keys use a namespace:key convention. Service-specific credentials (CalDAV, CardDAV, Pushover) are managed in their own dedicated tabs — they do not appear here. See the Credential Key Reference for a full list of system keys.
+ A generic AES-256-GCM encrypted key-value store for API keys and other secrets. Keys use a namespace:key convention. Service-specific credentials (CalDAV, CardDAV, Pushover) are managed in their own dedicated tabs - they do not appear here. See the Credential Key Reference for a full list of system keys.
DAV (CalDAV & CardDAV) (Admin)
- Configure CalDAV and CardDAV for the admin user. There is no system-wide fallback — every user configures their own credentials independently via this tab (admin) or the CalDAV / CardDAV tab (regular users).
+ Configure CalDAV and CardDAV for the admin user. There is no system-wide fallback - every user configures their own credentials independently via this tab (admin) or the CalDAV / CardDAV tab (regular users).
- CalDAV : server URL, username, password, and calendar name. Bare hostnames (e.g. mail.example.com) are accepted — https:// is prepended automatically.CalDAV : server URL, username, password, and calendar name. Bare hostnames (e.g. mail.example.com) are accepted - https:// is prepended automatically.CardDAV : tick Same server as CalDAV to reuse the same credentials, or enter a separate URL, username, and password. The SOGo URL pattern (/SOGo/dav/{user}/Contacts/personal/) is built automatically.Allow contact writes : when enabled, agents can create, update, and delete contacts (not just read them). This is per-user — enabling it for your account does not affect other users.Allow contact writes : when enabled, agents can create, update, and delete contacts (not just read them). This is per-user - enabling it for your account does not affect other users.Test buttons : verify CalDAV and CardDAV connectivity without saving.
@@ -446,7 +473,7 @@ mcp = FastMCP(
Pushover sends push notifications to iOS and Android devices.
- App Token : registered once at pushover.net for this oAI-Web installation. Shared by all users — they cannot see or change it.App Token : registered once at pushover.net for this oAI-Web installation. Shared by all users - they cannot see or change it.User Key : the admin's personal Pushover user key, shown on your pushover.net dashboard. Each user sets their own User Key in Settings → Pushover .
{% endif %}
@@ -457,7 +484,7 @@ mcp = FastMCP(
Trigger Rules : keyword phrases that, when matched in an incoming email subject/body, dispatch a specific agent and optionally send an auto-replyMatching is case-insensitive and order-independent — all tokens in the phrase must appear somewhere in the message
+ Matching is case-insensitive and order-independent - all tokens in the phrase must appear somewhere in the message
Email Accounts
@@ -491,10 +518,10 @@ mcp = FastMCP(
{% if not (current_user and current_user.is_admin) %}
CalDAV / CardDAV
- Configure your personal CalDAV and CardDAV connection. There is no system-wide fallback — if you don't configure it, the tools are unavailable to you.
+ Configure your personal CalDAV and CardDAV connection. There is no system-wide fallback - if you don't configure it, the tools are unavailable to you.
- CalDAV : server URL, username, password, and calendar name. Bare hostnames are accepted — https:// is added automatically.CalDAV : server URL, username, password, and calendar name. Bare hostnames are accepted - https:// is added automatically.CardDAV : tick Same server as CalDAV to reuse credentials, or enter separate details.Allow contact writes : when enabled, agents can create, update, and delete contacts.Test buttons : verify connectivity before saving.Pushover
- Set your personal User Key to receive push notifications on your Pushover-connected devices. Your User Key is shown on your pushover.net dashboard. The App Token (the shared application credential) is managed by the admin — you only need your own User Key.
+ Set your personal User Key to receive push notifications on your Pushover-connected devices. Your User Key is shown on your pushover.net dashboard. The App Token (the shared application credential) is managed by the admin - you only need your own User Key.
{% endif %}
Webhooks
- Inbound webhooks let external services trigger agents via HTTP — useful for iOS Shortcuts, GitHub actions, Home Assistant automations, or any tool that can send an HTTP request.
+ Inbound webhooks let external services trigger agents via HTTP - useful for iOS Shortcuts, GitHub actions, Home Assistant automations, or any tool that can send an HTTP request.
- Create a webhook : assign a name, description, and target agent. The secret token is shown once at creation — copy it immediately. Use Rotate Token to generate a new one if it is ever compromised.Create a webhook : assign a name, description, and target agent. The secret token is shown once at creation - copy it immediately. Use Rotate Token to generate a new one if it is ever compromised.Trigger via POST : POST /webhook/{token} with body {"message": "..."}Trigger via GET : GET /webhook/{token}?q=your+message — useful for iOS Shortcuts URL actionsTrigger via GET : GET /webhook/{token}?q=your+message - useful for iOS Shortcuts URL actionsEnable/disable : toggle a webhook on/off without deleting it
The Outbound Targets section (same tab) manages named URLs that agents can send JSON payloads to via the webhook tool.
@@ -527,11 +554,26 @@ mcp = FastMCP(
Two-Factor Authentication (TOTP) : enable/disable TOTP-based MFA. On setup, a QR code is shown to scan with any authenticator app (e.g. Aegis, Google Authenticator). Once enabled, every login requires a 6-digit code.Data Folder : shows the path of your auto-provisioned personal folder (set by admin via system:users_base_folder). This folder is where the Files page browses and where agent memory files are stored.Telegram Bot Token : per-user Telegram bot token (optional). Overrides the global token for your sessions.SSH Key : generate a personal ed25519 SSH key pair stored in your data folder. See below.
+ SSH Key
+
+ The SSH Key section lets you generate an ed25519 key pair directly from the browser. The private key is stored in your data folder ({your_folder}/.ssh/id_ed25519) and never leaves the server. The public key is displayed so you can copy it to any remote server's ~/.ssh/authorized_keys.
+
+
+ Click Generate SSH Key to create a new key pair. The registered email address is used as the key comment.
+ If a key already exists, the button changes to Regenerate - doing so replaces the existing key pair. Any remote servers that trusted the old public key will need to be updated.
+ Use the Copy button to copy the public key to the clipboard, then paste it into ~/.ssh/authorized_keys on the remote server.
+ Agents with bash tool access can use this key to run scp or ssh commands against remote servers that have the public key in their authorized_keys.
+
+
+ The SSH Key section only appears when a data folder is configured for your account. The global ~/.ssh/known_hosts file (mounted from the host system) is still used for host key verification - if you get a host key error, connect manually from the server once to accept it.
+
+
Personality
- Edit SOUL.md (agent identity, values, communication style) and USER.md (owner context: name, location, preferences) directly in the browser. Changes take effect immediately — no restart required.
+ Edit SOUL.md (agent identity, values, communication style) and USER.md (owner context: name, location, preferences) directly in the browser. Changes take effect immediately - no restart required.
Both files are injected into every system prompt in order: SOUL.md → date/time → USER.md → security rules.
@@ -563,15 +605,15 @@ mcp = FastMCP(
API Key (Admin)
Protects the REST API for external programmatic access (scripts, home automations, other services, Swagger).
- The web UI always works without a key — a signed session cookie is set automatically on login.
+ The web UI always works without a key - a signed session cookie is set automatically on login.
The API key is only required for:
External tools and scripts calling /api/* directly
- Swagger UI (/docs ) — click Authorize and enter the key
+ Swagger UI (/docs ) - click Authorize and enter the key
- The raw key is shown once at generation time — copy it to your external tool. Only a SHA-256 hash is stored server-side. Regenerating invalidates the previous key immediately.
+ The raw key is shown once at generation time - copy it to your external tool. Only a SHA-256 hash is stored server-side. Regenerating invalidates the previous key immediately.
Use header X-API-Key: <key> or Authorization: Bearer <key> in external requests.
@@ -606,7 +648,7 @@ mcp = FastMCP(
MFA Management
- Users set up their own TOTP in Settings → Profile → Two-Factor Authentication . As admin, you can clear any user's MFA from the Users page (useful if they lose their authenticator). The Clear MFA button resets their TOTP secret — they must set it up again on next login.
+ Users set up their own TOTP in Settings → Profile → Two-Factor Authentication . As admin, you can clear any user's MFA from the Users page (useful if they lose their authenticator). The Clear MFA button resets their TOTP secret - they must set it up again on next login.
User Filesystem Scoping
@@ -626,7 +668,7 @@ mcp = FastMCP(
Key Description
- system:pausedKill switch — set to "1" to pause all agent activity system:pausedKill switch - set to "1" to pause all agent activity system:max_tool_callsLive override of MAX_TOOL_CALLS env var system:max_autonomous_runs_per_hourLive override of MAX_AUTONOMOUS_RUNS_PER_HOUR system:audit_retention_daysDays to keep audit entries (0 = keep forever) system:canary_rotated_atTimestamp of last canary rotation (read-only) system:security_llm_screen_enabledOption 3: LLM content screening enabled system:security_llm_screen_modelModel for LLM screening (default: google/gemini-flash-1.5) system:security_llm_screen_blockOption 3 block mode — block vs flag on UNSAFE verdict system:security_llm_screen_blockOption 3 block mode - block vs flag on UNSAFE verdict system:security_output_validation_enabledOption 4: output validation for inbox sessions system:security_truncation_enabledOption 5: content truncation system:security_max_web_charsMax chars from web fetch (default: 20 000) system:security_max_subject_charsMax chars of email subject (default: 200) telegram:bot_tokenGlobal Telegram bot API token telegram:default_agent_idUUID of agent for unmatched Telegram messages pushover_app_tokenPushover App Token — managed via Settings → Pushover , not this tab pushover_app_tokenPushover App Token - managed via Settings → Pushover , not this tab brain:mcp_key2nd Brain MCP authentication key system:api_key_hashSHA-256 hash of the external API key (raw key never stored) system:api_key_created_atTimestamp of last API key generation
Method Path Description
- GET /api/settings/api-keyReturns {configured: bool, created_at} — never returns the raw key POST /api/settings/api-keyGenerate a new key — returns {key} once only; invalidates previous key GET /api/settings/api-keyReturns {configured: bool, created_at} - never returns the raw key POST /api/settings/api-keyGenerate a new key - returns {key} once only; invalidates previous key DELETE /api/settings/api-keyRevoke the current key
@@ -849,6 +891,8 @@ mcp = FastMCP(
DELETE /api/my/filesDelete a file; param: ?path=. Protected names (memory_*, reasoning_*) return 403. GET /api/my/files/downloadDownload a single file; param: ?path= GET /api/my/files/download-zipDownload a folder as ZIP; param: ?path= POST /api/my/files/uploadUpload one or more files to the user's folder; param: ?path=, multipart form body GET /api/my/files/viewReturn text file contents (max 512 KB); param: ?path= GET /api/my/data-folderReturn the user's provisioned data folder path
@@ -864,7 +908,7 @@ mcp = FastMCP(
GET /api/my/themeGet current theme POST /api/my/themeSet theme {theme_id} GET /api/my/mfa/statusWhether MFA is enabled for the current user POST /api/my/mfa/setup/beginStart MFA setup — returns QR code PNG (base64) and provisioning URI POST /api/my/mfa/setup/beginStart MFA setup - returns QR code PNG (base64) and provisioning URI POST /api/my/mfa/setup/confirmConfirm setup with a valid TOTP code {code} DELETE /api/my/mfa/disableDisable MFA for the current user GET /api/my/caldav/configGet per-user CalDAV & CardDAV config POST /api/my/pushoverSave personal User Key {user_key} DELETE /api/my/pushoverRemove personal User Key GET /api/my/telegram/whitelisted-chatsList Telegram chat IDs whitelisted for the current user GET /api/my/ssh/pubkeyReturn the user's SSH public key (or {exists: false} if not generated yet) POST /api/my/ssh/generateGenerate (or regenerate) an ed25519 SSH key pair in the user's data folder; returns the public key
GET /api/webhooksList inbound webhook endpoints (admin) POST /api/webhooksCreate endpoint — returns token once (admin) POST /api/webhooksCreate endpoint - returns token once (admin) PUT /api/webhooks/{id}Update name/description/agent/enabled (admin) DELETE /api/webhooks/{id}Delete endpoint (admin) POST /api/webhooks/{id}/rotateRegenerate token — returns new token once (admin) POST /api/webhooks/{id}/rotateRegenerate token - returns new token once (admin) GET /api/my/webhooksList current user's webhook endpoints POST /api/my/webhooksCreate personal webhook endpoint PUT /api/my/webhooks/{id}Update personal webhook endpoint DELETE /api/my/webhooks/{id}Delete personal webhook endpoint GET /webhook/{token}Trigger via GET — param: ?q=message (no auth) POST /webhook/{token}Trigger via POST — body: {"message": "...", "async": true} (no auth) GET /webhook/{token}Trigger via GET - param: ?q=message (no auth) POST /webhook/{token}Trigger via POST - body: {"message": "...", "async": true} (no auth) GET /api/webhook-targetsList outbound webhook targets (admin) POST /api/webhook-targetsCreate outbound target (admin) PUT /api/webhook-targets/{id}Update outbound target (admin) Core Principle
- External input is data, never instructions. Email body text, calendar content, web page content, and file contents are all passed as tool results — they are never injected into the system prompt where they could alter {{ agent_name }}'s instructions.
+ External input is data, never instructions. Email body text, calendar content, web page content, and file contents are all passed as tool results - they are never injected into the system prompt where they could alter {{ agent_name }}'s instructions.
Three DB-Managed Whitelists
- Email whitelist — {{ agent_name }} can only send email to addresses explicitly approved hereWeb whitelist (Tier 1) — domains always accessible; subdomains included automaticallyFilesystem sandbox — {{ agent_name }} can only read/write within declared directories (or a user's personal folder)Email whitelist - {{ agent_name }} can only send email to addresses explicitly approved hereWeb whitelist (Tier 1) - domains always accessible; subdomains included automaticallyFilesystem sandbox - {{ agent_name }} can only read/write within declared directories (or a user's personal folder)
Tier 2 web access (any URL) is only available in user-initiated chat sessions, never in autonomous agent runs.
@@ -980,21 +1026,21 @@ mcp = FastMCP(
Confirmation Flow
- In interactive chat, any tool with side effects (send email, write/delete files, send notifications, create/delete calendar events) triggers a confirmation modal. The agent pauses until you approve or deny. Agents running headlessly skip confirmations — their scope is declared at creation time.
+ In interactive chat, any tool with side effects (send email, write/delete files, send notifications, create/delete calendar events) triggers a confirmation modal. The agent pauses until you approve or deny. Agents running headlessly skip confirmations - their scope is declared at creation time.
Five Security Options
- Enhanced Sanitization — removes known prompt-injection patterns from all external content before it reaches the agentCanary Token — a daily-rotating secret in the system prompt; any tool call argument containing the canary is blocked and triggers a Pushover alert, detecting prompt-injection exfiltration attemptsLLM Content Screening — a cheap secondary model screens fetched content for malicious instructions; operates in flag or block modeOutput Validation — prevents inbox auto-reply loops by blocking outbound emails back to the triggering senderContent Truncation — enforces maximum character limits on web fetch, email, and file content to limit the attack surface of large malicious documentsEnhanced Sanitization - removes known prompt-injection patterns from all external content before it reaches the agentCanary Token - a daily-rotating secret in the system prompt; any tool call argument containing the canary is blocked and triggers a Pushover alert, detecting prompt-injection exfiltration attemptsLLM Content Screening - a cheap secondary model screens fetched content for malicious instructions; operates in flag or block modeOutput Validation - prevents inbox auto-reply loops by blocking outbound emails back to the triggering senderContent Truncation - enforces maximum character limits on web fetch, email, and file content to limit the attack surface of large malicious documents
Audit Log
- Every tool call — arguments, result summary, confirmation status, session ID, task ID — is written to an append-only audit log. Logs are never auto-deleted unless you configure a retention period. View them at Audit Log .
+ Every tool call - arguments, result summary, confirmation status, session ID, task ID - is written to an append-only audit log. Logs are never auto-deleted unless you configure a retention period. View them at Audit Log .
Kill Switch
@@ -1004,7 +1050,7 @@ mcp = FastMCP(
No Credentials in Agent Context
- API keys, passwords, and tokens are only accessed by the server-side tool implementations. The agent itself never sees a raw credential — it only receives structured results (e.g. a list of calendar events, a fetched page).
+ API keys, passwords, and tokens are only accessed by the server-side tool implementations. The agent itself never sees a raw credential - it only receives structured results (e.g. a list of calendar events, a fetched page).
@@ -1036,16 +1082,16 @@ mcp = FastMCP(
Built-in sub-commands (e.g. for keyword work):
- /work pause — temporarily pause the email account's listener/work resume — resume the listener/work status — show the account's current status/work <any message> — pass the message to the handling agent/work pause - temporarily pause the email account's listener/work resume - resume the listener/work status - show the account's current status/work <any message> - pass the message to the handling agent
Only the Telegram chat ID associated with the email account can use its keyword commands. Other chat IDs are rejected.
- Email Inbox — Trigger Accounts
+ Email Inbox - Trigger Accounts
Trigger accounts use IMAP IDLE for instant push notification. When a new email arrives:
@@ -1064,15 +1110,15 @@ mcp = FastMCP(
Non-whitelisted sender + no trigger → silently dropped (reveals nothing to the sender)
- Email Inbox — Handling Accounts
+ Email Inbox - Handling Accounts
Handling accounts poll every 60 seconds. A dedicated AI agent reads each new email and decides how to handle it. The agent has access to:
- Email tool — list, read, mark as read, move, create foldersFilesystem tool — scoped to the user's data folder (if configured)Memory files — memory_<username>.md (persistent notes) and reasoning_<username>.md (append-only decision log) are injected into each runTelegram tool (optional) — bound to the account's associated chat ID; reply messages automatically include a /keyword <reply> footer for easy follow-upEmail tool - list, read, mark as read, move, create foldersFilesystem tool - scoped to the user's data folder (if configured)Memory files - memory_<username>.md (persistent notes) and reasoning_<username>.md (append-only decision log) are injected into each runTelegram tool (optional) - bound to the account's associated chat ID; reply messages automatically include a /keyword <reply> footer for easy follow-upPushover tool (optional, admin only)
@@ -1081,8 +1127,8 @@ mcp = FastMCP(
Both Telegram and email inbox use the same trigger-matching algorithm:
- Case-insensitive — URGENT matches urgentOrder-independent — all tokens in the trigger phrase must appear somewhere in the message, but not necessarily in sequenceCase-insensitive - URGENT matches urgentOrder-independent - all tokens in the trigger phrase must appear somewhere in the message, but not necessarily in sequenceExample: trigger phrase daily report matches "Send me the report for the daily standup" but also "Daily summary report please"
diff --git a/server/web/templates/settings.html b/server/web/templates/settings.html
index 076994a..ca8b073 100644
--- a/server/web/templates/settings.html
+++ b/server/web/templates/settings.html
@@ -20,11 +20,11 @@
DAV
Pushover
Inbox
- Email Accounts
+ Email
Telegram
Personality
2nd Brain
- MCP Servers
+ MCP
Security
Branding
Webhooks
@@ -36,10 +36,10 @@
API Keys
Personality
Inbox
- Email Accounts
+ Email
CalDAV / CardDAV
Telegram
- MCP Servers
+ MCP
2nd Brain
Pushover
Webhooks
@@ -1110,6 +1110,33 @@
+
+
+ File Upload Policy
+
+ Controls what users can upload via the Files page. Extensions are checked on both client and server.
+ Separate extensions with commas or spaces (without dots). Leave unchanged to use the system default
+ (common text, code, image, and PDF formats). Extensionless files are controlled by a fixed server-side
+ allowlist (known_hosts, authorized_keys, config, .gitignore, etc.) and cannot be overridden here.
+
+
+ Allowed extensions
+
+
+
+
+
Save security settings
@@ -1232,6 +1259,15 @@
Loading…
+
+ SSH Key
+
+ Generate an ed25519 SSH key pair stored in your data folder. The private key never leaves the server.
+ Copy the public key to remote servers' ~/.ssh/authorized_keys to allow agents to connect.
+
+ Loading…
+
+
{% endif %}
