Configuration Guide

Learn about presets, security levels, and customization options

Configuration Overview

Vectra Guard uses a YAML configuration file to customize behavior. Configuration can be set at the global level (~/.config/vectra-guard/config.yaml) or per-project (.vectra-guard/config.yaml).

Create Local Config
# Initialize local config
vg init --local

# This creates .vectra-guard/config.yaml

Presets

Presets provide pre-configured security levels for different use cases. Choose a preset that matches your workflow.

Maximum Security (Default)

All commands run in sandbox. Best for production environments and untrusted code.

preset: maximum
sandbox:
  enabled: true
  mode: always
  enable_cache: true

Balanced

Smart routing: low-risk commands on host, medium/high-risk in sandbox.

preset: balanced
sandbox:
  enabled: true
  mode: auto
  enable_cache: true

Development

Faster workflow with trust store. Sandbox only for high-risk commands.

preset: development
sandbox:
  enabled: true
  mode: auto
trust_store:
  enabled: true

Security Levels

Security levels control how strictly Vectra Guard enforces protection. Each level has different trade-offs between security and convenience.

Level 1: Permissive

Minimal restrictions. Only blocks obviously dangerous commands.

  • Blocks destructive file operations
  • Warns on network operations
  • Allows most development commands

Level 2: Moderate (Default)

Balanced protection. Blocks risky operations, allows safe commands.

  • Blocks destructive operations
  • Sandboxes network operations
  • Requires approval for system changes

Level 3: Strict

High security. Most commands require approval or run in sandbox.

  • All commands sandboxed by default
  • Explicit approval for host execution
  • Comprehensive logging

Level 4: Maximum

Maximum security. Everything runs in sandbox, no exceptions.

  • All commands in isolated sandbox
  • No host execution allowed
  • Full audit trail

Set Security Level
security:
  level: 2  # 1-4, default is 2
  require_approval: false
  log_all_commands: true

Customization Options

Fine-tune Vectra Guard to match your specific needs with these configuration options.

Full Configuration Example
# Complete configuration example
preset: balanced
security:
  level: 2
  require_approval: false
  log_all_commands: true

sandbox:
  enabled: true
  mode: auto
  enable_cache: true
  cache_ttl: 3600

cve:
  enabled: true
  auto_scan: true
  severity_threshold: medium
  update_interval: 86400

trust_store:
  enabled: true
  auto_approve: false

session:
  auto_start: false
  retention_days: 30

logging:
  level: info
  file: .vectra-guard/logs/vg.log
  max_size: 10MB

Tip: Start with a preset and customize only what you need. Use vg config validate to check your configuration.

Environment Variables

Override configuration with environment variables for CI/CD and automation.

Environment Variables
# Security level
export VECTRAGUARD_SECURITY_LEVEL=3

# Sandbox mode
export VECTRAGUARD_SANDBOX_MODE=always

# CVE scanning
export VECTRAGUARD_CVE_ENABLED=true
export VECTRAGUARD_CVE_SEVERITY_THRESHOLD=high

# Session ID (for tracking)
export VECTRAGUARD_SESSION_ID=session_123
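
As an added example (not part of Vectra Guard or its documentation), this POSIX shell preflight fails a CI job when the overrides above are missing, malformed, or weaker than the pipeline's policy. The policy itself (level at least 3, sandbox mode always, CVE scanning on) and the function name vg_env_preflight are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: CI preflight for the VECTRAGUARD_* overrides listed above.
# The policy (level >= 3, sandbox mode "always", CVE scanning on) is an
# assumption for illustration, not a Vectra Guard default or requirement.
# Typical use in a pipeline step:  vg_env_preflight 3 || exit 1

# vg_env_preflight [MIN_LEVEL]
# Prints one line per violation to stderr; returns the number of violations.
vg_env_preflight() {
    _vg_min=${1:-3}
    _vg_fails=0

    # Security level: the documented range is 1-4. Reject unset, non-numeric
    # or out-of-range values instead of letting them pass silently.
    case "${VECTRAGUARD_SECURITY_LEVEL:-}" in
        [1-4])
            if [ "$VECTRAGUARD_SECURITY_LEVEL" -lt "$_vg_min" ]; then
                echo "security level $VECTRAGUARD_SECURITY_LEVEL is below $_vg_min" >&2
                _vg_fails=$((_vg_fails + 1))
            fi ;;
        *)
            echo "VECTRAGUARD_SECURITY_LEVEL must be 1-4, got '${VECTRAGUARD_SECURITY_LEVEL:-}'" >&2
            _vg_fails=$((_vg_fails + 1)) ;;
    esac

    # Sandbox mode: the presets that use "auto" route some commands to the
    # host, so the assumed CI policy accepts only "always".
    if [ "${VECTRAGUARD_SANDBOX_MODE:-}" != "always" ]; then
        echo "VECTRAGUARD_SANDBOX_MODE must be 'always', got '${VECTRAGUARD_SANDBOX_MODE:-}'" >&2
        _vg_fails=$((_vg_fails + 1))
    fi

    # CVE scanning must be switched on explicitly.
    if [ "${VECTRAGUARD_CVE_ENABLED:-}" != "true" ]; then
        echo "VECTRAGUARD_CVE_ENABLED must be 'true', got '${VECTRAGUARD_CVE_ENABLED:-}'" >&2
        _vg_fails=$((_vg_fails + 1))
    fi

    return "$_vg_fails"
}
```

Run it before any step that invokes vg, so a mistyped or missing override stops the job instead of falling back to whatever the config file specifies.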