Refer friends. Keep the rewards coming! Your friend can unlock up to 10M tokens · earn up to 30% revenue share.
+500K Tokens Generate link Settings (settings.json) CrabCode's JSON config file. Controls permissions, env vars, hooks, model, plugins, and more.
settings.json decides how CrabCode behaves for the current user / project. It loads in layers, later overrides earlier :
User : ~/.crabcode/settings.jsonProject : <repo>/.crabcode/settings.json (committed, team-shared)Local : <repo>/.crabcode/settings.local.json (gitignored, personal overrides)Managed / policy : pushed by enterprise admins, highest precedence
On Windows the user-level path is %USERPROFILE%\.crabcode\settings.json.
Set CRABCODE_CONFIG_DIR to override the user-level root (defaults to ~/.crabcode).
settings.json and CrabCode's runtime global state (~/.crabcode.json — holds things like theme, login info, counters) are two different files . This page only covers settings.json.
The "Learn more" link from /config
A startup-time validation error pointing here
A skill or plugin install prompts you to add config
{ "$schema" : "https://json.schemastore.org/crabcode-settings.json" , "permissions" : { "defaultMode" : "default" , "allow" : [ "Bash(npm test:*)" ], "deny" : [ "Bash(rm -rf:*)" ], "ask" : [ "WebFetch" ], "additionalDirectories" : [ "~/code/sibling-repo" ] }, "env" : { "DEBUG" : "true" , "ACOSMI_BASE_URL" : "https://api-staging.acosmi.com" }, "hooks" : { "PreToolUse" : [{ "matcher" : "Bash" , "hooks" : [ /* ... */ ] }] }, "model" : "deepseek-v4-flash" , "smallModel" : "qwen3.6-plus" , "outputStyle" : "default" , "cleanupPeriodDays" : 30 } { "$schema" : "https://json.schemastore.org/crabcode-settings.json" , "permissions" : { "defaultMode" : "default" , "allow" : [ "Bash(npm test:*)" ], "deny" : [ "Bash(rm -rf:*)" ], "ask" : [ "WebFetch" ], "additionalDirectories" : [ "~/code/sibling-repo" ] }, "env" : { "DEBUG" : "true" , "ACOSMI_BASE_URL" : "https://api-staging.acosmi.com" }, "hooks" : { "PreToolUse" : [{ "matcher" : "Bash" , "hooks" : [ /* ... */ ] }] }, "model" : "deepseek-v4-flash" , "smallModel" : "qwen3.6-plus" , "outputStyle" : "default" , "cleanupPeriodDays" : 30 } The tables below group the main fields with types and defaults. The full source of truth is the JSON schema — set the $schema field and most editors give completion.
Field Type Default Description permissions.defaultModeenum: default / acceptEdits / plan / bypassPermissions / dontAsk defaultPermission mode at startup. See iam permissions.allowstring[] — Allow rules, e.g. Bash(npm test:*) permissions.denystring[] — Deny rules (highest precedence) permissions.askstring[] — Rules that always prompt permissions.additionalDirectoriesstring[] — Extra directories outside cwd that CrabCode may access permissions.disableBypassPermissionsMode"disable"— Disable the bypassPermissions mode (usually managed)
Field Type Default Description modelstring deepseek-v4-flashMain conversation model ID smallModelstring qwen3.6-plusLightweight model for token estimation / compact / hooks / search alwaysThinkingEnabledboolean trueAuto-enable thinking on supported models effortLevelenum: low / medium / high — Persisted effort level fastModeboolean falseEnable fast mode fastModePerSessionOptInboolean falseFast mode does not persist across sessions showThinkingSummariesboolean falseShow thinking summaries in the transcript view (Ctrl+O)
Field Type Default Description envrecord[string,string] — Env vars injected into the CrabCode process; see the env matrix below apiKeyHelperstring — Path to a script whose stdout is used as an auth token awsCredentialExport / awsAuthRefreshstring — AWS credential export / refresh scripts gcpAuthRefreshstring — GCP auth refresh command otelHeadersHelperstring — Script that outputs OpenTelemetry headers
Field Type Default Description hooksobject — Shell hooks around tool execution; see hooks disableAllHooksboolean falseDisable all hooks and statusLine execution statusLine{ type: "command", command, padding? }— Custom status line command allowedHttpHookUrlsstring[] — Allowlist of URL patterns HTTP hooks may target httpHookAllowedEnvVarsstring[] — Env var names HTTP hooks may interpolate into headers
Field Type Default Description enableAllProjectMcpServersboolean falseAuto-approve every MCP server in the project's .mcp.json enabledMcpjsonServersstring[] — Approved .mcp.json server list disabledMcpjsonServersstring[] — Rejected .mcp.json server list enabledPluginsrecord[plugin-id@marketplace-id, bool/array] — Enabled plugin map extraKnownMarketplacesrecord[string, object] — Extra marketplaces registered for this repository pluginConfigsrecord[string, object] — Per-plugin config, keyed by plugin@marketplace
Field Type Default Description includeCoAuthoredByboolean trueWhether commits include Co-Authored-By (deprecated; prefer attribution) attribution.commitstring — Custom commit attribution text (empty string hides it) attribution.prstring — Custom PR description attribution text includeGitInstructionsboolean trueInclude built-in commit / PR workflow instructions in the system prompt worktree.symlinkDirectoriesstring[] — Directories to symlink from main repo into worktrees (e.g. node_modules) worktree.sparsePathsstring[] — Sparse-checkout paths for large monorepos defaultShellenum: bash / powershell bashShell backing input-box ! commands respectGitignoreboolean trueWhether the file picker respects .gitignore
Field Type Default Description outputStylestring defaultAssistant output style; switch with /output-style languagestring — Preferred language (e.g. "japanese" / "spanish") syntaxHighlightingDisabledboolean falseDisable syntax highlighting in diffs prefersReducedMotionboolean falseReduce animations (spinner shimmer, flashes, etc.) spinnerTipsEnabledboolean trueWhether to show spinner tips spinnerVerbs{ mode: "append" / "replace", verbs: string[] }— Customize spinner verbs spinnerTipsOverride{ excludeDefault?: bool, tips: string[] }— Override spinner tips terminalTitleFromRenameboolean trueWhether /rename updates the terminal tab title
Field Type Default Description cleanupPeriodDaysint ≥ 0 30Days to retain chat transcripts; 0 disables persistence entirely autoMemoryEnabledboolean — Enable auto-memory (project-scoped memory) autoMemoryDirectorystring ~/.crabcode/projects/[sanitized-cwd]/memory/Auto-memory storage path (supports ~/ prefix) autoDreamEnabledboolean — Enable background memory consolidation (auto-dream) crabcodeMdExcludesstring[] — Glob patterns to exclude when loading CRABCODE.md files
Field Type Default Description autoUpdatesChannelenum: latest / stable latestAuto-update channel minimumVersionstring — Pin a minimum version (prevents downgrades when switching to stable) webSearch.providerenum: ali / bocha — Local search provider (replaces OAuth with a local API key) webSearch.ali.apiKey / endpoint / modelstring — Alibaba DashScope search config webSearch.bocha.apiKey / endpointstring — Bocha search config
Field Type Default Description customModel.providerstring (enum) — Provider type; possible values are listed by the /login → "Custom model configuration" flow customModel.baseUrlstring (URL) — API base URL (e.g. https://api.example.com/v1) customModel.apiKey / apiKeyHandlestring — API key in plaintext or secure-storage handle (one of) customModel.modelsrecord[alias, ModelDef] — Model definitions with id / contextWindow / maxOutputTokens / supportsThinking, etc.
These fields live in managed settings.json (policy layer) and override personal settings ; team members cannot undo them.
Field Type Description availableModelsstring[] Allowlist of selectable models; accepts family aliases / version prefixes / full IDs. Empty array means only the default model modelOverridesrecord[string, string] Map from acosmi-canonical model ID to provider-specific ID (e.g. a Bedrock inference profile ARN) allowManagedHooksOnlyboolean Only managed hooks run; user/project/local hooks ignored allowManagedPermissionRulesOnlyboolean Only managed allow/deny/ask rules apply allowManagedMcpServersOnlyboolean allowedMcpServers read from managed only (deniedMcpServers still merges)allowedMcpServersobject[] MCP server allowlist (one of serverName / serverCommand / serverUrl) deniedMcpServersobject[] MCP server denylist (takes precedence over the allowlist) strictPluginOnlyCustomizationboolean / ("skills" / "agents" / "hooks" / "mcp")[] Lock the listed surfaces so they can only be customized via plugins strictKnownMarketplacesobject[] Strict allowlist of marketplace sources (checked before download) blockedMarketplacesobject[] Marketplace source blocklist (checked before download) forceLoginMethodenum: acosmi / console Force a specific login method forceLoginOrgUUIDstring Organization UUID used for OAuth login pluginTrustMessagestring Custom text appended to the plugin trust warning companyAnnouncementsstring[] Startup announcements (one is picked at random when multiple are set) skipWebFetchPreflightboolean Skip WebFetch blocklist preflight (for environments with restrictive network policies) sshConfigsobject[] Pre-configured SSH connections for remote environments
env accepts a wide set of variables. Common ones:
Variable Use ACOSMI_BASE_URLAcosmi gateway address (self-hosted / staging) ACOSMI_API_KEY / ACOSMI_AUTH_TOKENDirect Acosmi auth ACOSMI_MODELMain model default (equivalent to model, env wins) ACOSMI_DEFAULT_MODEL / ACOSMI_DEFAULT_FAST_MODE_MODEL / ACOSMI_DEFAULT_MAX_EFFORT_MODELDefault / fast / max-effort model overrides ACOSMI_SMALL_FAST_MODELsmallModel default CRABCODE_USE_BEDROCK=1Route through Amazon Bedrock CRABCODE_USE_VERTEX=1Route through Google Vertex AI CRABCODE_USE_FOUNDRY=1Route through Microsoft Foundry ACOSMI_BEDROCK_BASE_URL / ACOSMI_VERTEX_BASE_URL / ACOSMI_FOUNDRY_BASE_URLPer-provider base URL overrides VERTEX_REGION_[model-id]Per-model Vertex region routing (prefix-matched) BASH_DEFAULT_TIMEOUT_MS / BASH_MAX_TIMEOUT_MS / BASH_MAX_OUTPUT_LENGTHBash tool default / max timeouts and output cap MCP_TIMEOUT / MCP_TOOL_TIMEOUT / MAX_MCP_OUTPUT_TOKENSMCP startup / tool-call timeouts; per-call output cap CRABCODE_MAX_OUTPUT_TOKENSModel output token cap MAX_THINKING_TOKENSThinking budget cap CRABCODE_BASH_MAINTAIN_PROJECT_WORKING_DIR=1Bash tool keeps project cwd (no drift after cd) CRABCODE_DISABLE_NONESSENTIAL_TRAFFIC=1Disable non-essential telemetry / analytics traffic CRABCODE_DISABLE_TERMINAL_TITLE=1Disable terminal title updates CRABCODE_IDE_SKIP_AUTO_INSTALL=1Skip IDE auto-install prompts DISABLE_BUG_COMMAND=1Disable /bug DISABLE_FEEDBACK_COMMAND=1Disable /feedback DISABLE_TELEMETRY=1Disable telemetry upload DISABLE_ERROR_REPORTING=1Disable error reporting DISABLE_AUTOUPDATER=1Disable auto-update DISABLE_COST_WARNINGS=1Suppress cost warning dialogs
For safety, redirect-class variables (ACOSMI_BASE_URL, etc.), trust-root variables (NODE_TLS_REJECT_UNAUTHORIZED, NODE_EXTRA_CA_CERTS), and project-switching vars (API keys / tokens) trigger an extra confirmation dialog when injected via remote managed settings. Writing them in your own user-level settings.json is not gated.
Strict JSON : no comments, no trailing commasThree layers merge : settings.local.json is the best place to tweak while debugging without polluting team configenv is not exportedUnknown keys are preserved : when a schema field is renamed across versions, your old key isn't silently deleted — it's just not validatedLoad order : user → project → local → managed; later layers override same-named scalar keys; array-shaped fields merge per their declared semanticsEnterprise policy fields only apply in managed settings.json : setting allowManagedHooksOnly in personal settings has no effect
Previous CLI commands Next Error codes 