Reference

escapes Config

Configuration reference for /etc/openape/config.toml.

escapes Configuration

The escapes binary reads its configuration from /etc/openape/config.toml. This file must be owned by root with restricted permissions.

Complete Example

# Hostname for target_host verification (default: system hostname)
host = "prod-server.example.com"

# User to run commands as (default: root)
run_as = "root"

# Audit log location
audit_log = "/var/log/openape/audit.log"

[security]
# REQUIRED: only accept JWTs from these issuers
allowed_issuers = ["https://id.example.com"]

# REQUIRED: only accept approvals from these identities
allowed_approvers = ["admin@example.com", "ops-team@example.com"]

# Allowed JWT audiences (default: ["escapes"])
allowed_audiences = ["escapes"]

[tls]
# Custom CA bundle for IdP certificate verification
ca_bundle = "/etc/ssl/certs/ca-certificates.crt"

Fields

Top-Level

Field	Type	Required	Default	Description
`host`	`string`	No	System hostname	Override hostname for `target_host` claim verification
`run_as`	`string`	Yes	`"root"`	Default user to execute commands as
`audit_log`	`string`	Yes	`"/var/log/openape/audit.log"`	Path for JSONL audit log

`[security]`

Field	Type	Required	Default	Description
`allowed_issuers`	`string[]`	Yes	—	Trusted JWT issuer URLs. Must be non-empty.
`allowed_approvers`	`string[]`	Yes	—	Trusted approver identities. Must be non-empty.
`allowed_audiences`	`string[]`	No	`["escapes"]`	Accepted `aud` claim values

Both allowed_issuers and allowed_approvers are required and must contain at least one entry. escapes will refuse to start with an empty security configuration.

`[tls]`

Field	Type	Required	Default	Description
`ca_bundle`	`string`	No	System default	Custom CA certificate bundle path

Use this when your IdP uses a certificate from a private CA or when the system CA store doesn't include your IdP's certificate.

File Permissions

# Config must be root-owned
sudo chown root:root /etc/openape/config.toml
sudo chmod 644 /etc/openape/config.toml

# Audit log directory must be root-writable
sudo mkdir -p /var/log/openape
sudo chown root:root /var/log/openape
sudo chmod 755 /var/log/openape

Audit Log Format

Each entry is a single JSON line:

{"timestamp":"2025-01-15T10:30:00Z","grant_id":"abc123","command":["systemctl","restart","nginx"],"requester":"agent+deploy@example.com","approver":"admin@example.com","result":"success","exit_code":0,"duration_ms":1234}

Field	Type	Description
`timestamp`	`string`	ISO 8601 timestamp
`grant_id`	`string`	Grant UUID
`command`	`string[]`	Executed command
`requester`	`string`	Agent email
`approver`	`string`	Who approved
`result`	`string`	`success`, `verification_failed`, `exec_failed`
`exit_code`	`number`	Command exit code (0 = success)
`duration_ms`	`number`	Execution time
`error`	`string`	Error message (on failure)

API Endpoints

Complete API reference for IdP and SP endpoints.

Proxy Config

TOML configuration reference for the OpenApe agent proxy.