Provider defaults and alias wiring
Runtime config does not introduce a new provider model. It fills in defaults for the env-based provider contracts Loom already uses during local execution.
Use this page when you want to decide:
- which provider settings belong in config files
- which values must stay in environment variables
- how file-based defaults map onto the existing env contract
KeePass aliases
KeePass is the richest part of the current config surface. Each configured alias can provide:
- path
- passwordEnv
- keyfileEnv
Example:
providers:
  keepass:
    aliases:
      team/app:
        path: vaults/team-app.kdbx
        passwordEnv: TEAM_APP_PASSWORD
        keyfileEnv: TEAM_APP_KEYFILE
For local execution, Loom turns that alias into defaults for the existing env contract:
LOOM_KEEPASS_DB_TEAM_APP_PATH=...
LOOM_KEEPASS_DB_TEAM_APP_PASSWORD_ENV=TEAM_APP_PASSWORD
LOOM_KEEPASS_DB_TEAM_APP_KEYFILE_ENV=TEAM_APP_KEYFILE
What belongs in config vs env
Use config files for values that are stable and safe to share:
- alias names
- database paths
- the names of env vars that hold credentials
Keep these out of config files:
- KeePass master password values
- keyfile contents
- any other raw secret material
passwordEnv and keyfileEnv store env var names, not secret values.
That means this is valid:
providers:
  keepass:
    aliases:
      team/app:
        passwordEnv: TEAM_APP_PASSWORD
but the actual password still has to come from the TEAM_APP_PASSWORD
environment variable at runtime.
Alias normalization
Loom normalizes alias names when it maps config into env var names:
- letters are uppercased
- digits are preserved
- non-alphanumeric characters become _
Examples:
- team/app becomes TEAM_APP
- prod.eu becomes PROD_EU
- local-main becomes LOCAL_MAIN
This is why the env contract uses LOOM_KEEPASS_DB_<ALIAS>_*.
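The normalization rules above, as an added example that is not Loom's own code: it derives the LOOM_KEEPASS_DB_<ALIAS>_* names for an alias and lints a parsed alias map for two things the rules imply, aliases that normalize to the same prefix and passwordEnv/keyfileEnv values that are not env var names. The function names, the ASCII-only reading of "alphanumeric", the env var name pattern and the sample data are assumptions.

```python
import re
from collections import defaultdict

# Assumption: a credential reference should look like a POSIX env var name.
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
FIELDS = {"path": "PATH", "passwordEnv": "PASSWORD_ENV", "keyfileEnv": "KEYFILE_ENV"}

def normalize_alias(alias):
    """Uppercase letters, keep digits, turn everything else into '_'."""
    # Assumption: only ASCII letters and digits count as alphanumeric.
    return re.sub(r"[^A-Za-z0-9]", "_", alias).upper()

def keepass_env_defaults(alias, entry):
    """Env-contract names an alias would supply defaults for."""
    prefix = f"LOOM_KEEPASS_DB_{normalize_alias(alias)}_"
    # Assumption: values pass through unchanged (the page elides the PATH value).
    return {prefix + suffix: entry[key] for key, suffix in FIELDS.items() if key in entry}

def lint_aliases(aliases):
    """Flag aliases sharing one env prefix and *Env fields that are not names."""
    findings, by_prefix = [], defaultdict(list)
    for alias, entry in aliases.items():
        by_prefix[normalize_alias(alias)].append(alias)
        for key in ("passwordEnv", "keyfileEnv"):
            value = entry.get(key)
            if value is not None and not ENV_NAME.fullmatch(value):
                findings.append(f"{alias}: {key} is not an env var name")
    for norm, names in by_prefix.items():
        if len(names) > 1:
            findings.append(f"{' and '.join(names)} share LOOM_KEEPASS_DB_{norm}_*")
    return findings

# Constructed sample, shaped like providers.keepass.aliases after YAML parsing.
SAMPLE_ALIASES = {
    "team/app": {"path": "vaults/team-app.kdbx",
                 "passwordEnv": "TEAM_APP_PASSWORD",
                 "keyfileEnv": "TEAM_APP_KEYFILE"},
    "team.app": {"path": "vaults/other.kdbx", "passwordEnv": "hunter2 example!"},
}

if __name__ == "__main__":
    for name, value in keepass_env_defaults("team/app", SAMPLE_ALIASES["team/app"]).items():
        print(f"{name}={value}")
    for finding in lint_aliases(SAMPLE_ALIASES):
        print("finding:", finding)
```

A password that happens to be a valid identifier passes the name check, so this lint catches obvious inline secrets only and does not replace review of the config file.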
Env-only aliases
If an alias exists only through LOOM_KEEPASS_DB_* env vars and never appears
in a config file, Loom only knows the normalized env form. In
loom config show, that alias appears under a normalized name such as
TEAM_APP, not the original punctuation-heavy form.
1Password service account token reference
The current 1Password config surface is one field:
providers:
  op:
    serviceAccountTokenEnv: LOOM_OP_TOKEN
providers.op.serviceAccountTokenEnv stores the env var name, not the token
value.
During loom run --local, Loom reads that env var reference and, when the named
env var is set to a non-empty value, passes the token through the existing
runtime env contract.
This means:
- config files can choose the env var name to use
- config files do not inline the 1Password token
- loom config show prints the env var name, not the secret value
- there is no LOOM_OP_* env overlay layer for this field today
Limits to keep in mind
- Runtime config helps local execution; it does not change workflow secret
references in .loom/workflow.yml.
- Runtime config can set provider defaults; it does not add support for image registry credentials in this v1 docs surface.
- If you need a one-off override, use env vars. If you need a stable default,
use ~/.config/loom/config.yml or .loom/config.yml.