Configuration Reference
Setting Your API Key
Section titled “Setting Your API Key”After installing the package, configure your API key:
sec-gemini set-keyThis shows a welcome banner, prompts for your key, verifies it against the API, and saves it to config.toml. You can also pass the key directly:
sec-gemini set-key YOUR_API_KEY| Flag | Description |
|---|---|
--force | Overwrite an existing key |
--skip-verify | Save without verifying against the API |
Once set, the TUI, BYOT client, and SDK all pick up the key automatically.
Environment Variables
Section titled “Environment Variables”| Variable | Default | Description |
|---|---|---|
SEC_GEMINI_API_KEY | — | API key (overrides config.toml for TUI, BYOT, and scripts) |
SEC_GEMINI_CONFIG_DIR | ~/.config/sec-gemini/ | Override the config directory |
SEC_GEMINI_API_HUB_HOST | production hub | Override the API Hub hostname (advanced/dev use) |
The BYOT client resolves the API key in this order: --api-key flag, SEC_GEMINI_API_KEY env var, config.toml.
config.toml
Section titled “config.toml”All persistent configuration lives in ~/.config/sec-gemini/config.toml. The file is created automatically on first use with 0600 permissions.
# Authenticationapi_key = "your-api-key"
# Auto-approve tool confirmations (default: false)auto_confirm_tools = false
# Log verbosity: DEBUG, INFO, WARNING, ERROR, CRITICALlog_level = "INFO"
# Max sessions shown in the TUI session list (1-500)max_sessions_displayed = 50
# Optional: path to a directory of skill files to auto-load# skills_directory = "/path/to/my/skills"
# Base tools (file ops, shell, network) used by BYOT[baseline_tools]enabled = true# Disable specific tools by name (new tools are enabled by default)disabled_tools = []# Example: disabled_tools = ["bash", "remove_file"]
# Display preferences (TUI)[display]theme = "dark" # "dark" or "light"font_size = 14 # 8-32terminal_colors = trueshow_timestamps = truecompact_mode = false
# Register persistent MCP servers# [[mcp_servers]]# name = "my-mcp"# uri = "https://my-mcp-server.example.com/sse"# enabled_by_default = true
# Register local tool servers (FastMCP .py files)# [[local_tools]]# name = "my-tools"# path = "/path/to/my_tools.py"# enabled_by_default = trueConfig CLI Commands
Section titled “Config CLI Commands”The TUI provides commands for managing config from the terminal:
# Show current configurationsec-gemini config show
# Set a value (dotted keys for nested fields)sec-gemini config set api_key "your-key"sec-gemini config set display.theme "light"sec-gemini config set log_level "DEBUG"
# Reset to defaultssec-gemini config resetLog Files
Section titled “Log Files”Logs are written to ~/.config/sec-gemini/logs/ in JSON format with automatic rotation.
| File | Source |
|---|---|
ui.log | TUI |
byot.log | BYOT client |
mcp.log | MCP server |
Stream recordings are saved as JSONL files under ~/.config/sec-gemini/runs/.