Gabriel Koerich Orchestrator

All runtime configuration lives in ~/.orch/config.yml. The ~/.orch directory is the default ORCH_HOME; set the ORCH_HOME environment variable to use a different location.

Config Reference

| Section | Key | Description | Default |
|---|---|---|---|
| top-level | project_dir | Override project directory (auto-detected from CWD) | "" |
| top-level | required_tools | Tools that must exist on PATH before launching an agent | [] |
| workflow | auto_close | Auto-close GitHub issues when tasks are done | true |
| workflow | review_owner | GitHub handle to tag when review is needed | @owner |
| workflow | enable_review_agent | Run a review agent after task completion | false |
| workflow | review_agent | Fallback reviewer when opposite agent unavailable | claude |
| workflow | max_attempts | Max attempts before marking task as blocked | 10 |
| workflow | stuck_timeout | Timeout (seconds) for detecting stuck in_progress tasks | 1800 |
| workflow | timeout_seconds | Task execution timeout (0 disables timeout) | 1800 |
| workflow | timeout_by_complexity | Per-complexity task timeouts (takes precedence) | {} |
| workflow | required_skills | Skills always injected into agent prompts (marked [REQUIRED]) | [] |
| workflow | disallowed_tools | Tool patterns blocked via --disallowedTools | ["Bash(rm *)","Bash(rm -*)"] |
| router | agent | Default router executor | claude |
| router | model | Router model name | haiku |
| router | timeout_seconds | Router timeout (0 disables timeout) | 120 |
| router | disabled_agents | Agents to exclude from routing (e.g. [opencode]) | [] |
| router | fallback_executor | Fallback executor when router fails | codex |
| router | allowed_tools | Default tool allowlist used in routing prompts | [yq, jq, bash, ...] |
| router | default_skills | Skills always included in routing | [gh, git-worktree] |
| llm | input_format | CLI input format override | "" |
| llm | output_format | CLI output format override | "json" |
| gh | enabled | Enable GitHub sync | true |
| gh | repo | Default repo (owner/repo) | "owner/repo" |
| gh | sync_label | Only sync tasks/issues with this label (empty = all) | "sync" |
| gh | project_id | GitHub Project v2 ID | "" |
| gh | project_status_field_id | Status field ID in Project v2 | "" |
| gh | project_status_names | Mapping for backlog/in_progress/review/done status option names (used to resolve option IDs) | {} |
| gh | project_status_map | Mapping for backlog/in_progress/review/done option IDs | {} |
| gh.backoff | mode | Rate-limit behavior: wait or skip | "wait" |
| gh.backoff | base_seconds | Initial backoff duration in seconds | 30 |
| gh.backoff | max_seconds | Max backoff duration in seconds | 900 |
| gh | allow_gh_fallback | Allow gh auth token CLI fallback when no token is set | true |
| gh | auth.token | Explicit Personal Access Token | "" |
| github | token_mode | Token resolution mode: env or github_app | "env" |
| github | app_id | GitHub App ID (for token_mode: github_app) | "" |
| github | private_key_path | Path to GitHub App private key (.pem) | "" |
| model_map | simple/medium/complex | Agent-specific model names per complexity level | {} |

Authentication

The orchestrator supports three authentication methods for GitHub API access:

Personal Access Token (PAT)

gh:
  auth:
    mode: token
    token: "ghp_xxxxxxxxxxxxxxxxxxxx"  # Or use GH_TOKEN/GITHUB_TOKEN env var

Create tokens at GitHub Settings → Developer settings → Personal access tokens.

GitHub App

Recommended for organization automation with better audit trails:

gh:
  auth:
    mode: github_app
    app_id: "123456"
    private_key: "/path/to/app-private-key.pem"
    # Optional: specific installation ID (auto-detected if not set)
    # installation_id: "78901234"

The orchestrator automatically:

  • Generates JWTs from your App credentials
  • Exchanges JWTs for installation access tokens
  • Refreshes tokens before they expire (valid for 1 hour)

gh CLI (Legacy)

gh:
  auth:
    mode: gh_cli

Requires gh auth login to be run interactively. Not recommended for service environments — prefer GH_TOKEN/GITHUB_TOKEN or GitHub App credentials and run orch auth check.

Per-Project Config

Drop a .orch.yml or .orchestrator.yml in your project root to override global config (project-level keys take precedence over global).

# ~/projects/my-app/.orch.yml
required_tools: ["bun"]
gh:
  repo: "myorg/my-app"
  project_id: "PVT_..."
workflow:
  enable_review_agent: true
  required_skills: []
router:
  fallback_executor: "claude"

  • Project config is deep-merged with global config (project wins)
  • The server restarts automatically when .orch.yml changes
  • gh_project_apply.sh / orch project info --fix writes project IDs into the global config overlay when run from the server context
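
Because the project file wins, a repository's .orch.yml can change guard settings such as workflow.disallowed_tools for that project. The sketch below is an added example, not orch's own code: it deep-merges two constructed configs and lists which overrides touch a hypothetical watch list of sensitive keys. It assumes lists are replaced wholesale rather than concatenated and that every key can be overridden per project.

```python
# Constructed sample data: these dicts stand in for the two parsed YAML files.
GLOBAL = {
    "required_tools": [],
    "workflow": {"enable_review_agent": False,
                 "disallowed_tools": ["Bash(rm *)", "Bash(rm -*)"]},
    "gh": {"repo": "owner/repo", "allow_gh_fallback": True},
    "router": {"fallback_executor": "codex"},
}
PROJECT = {
    "required_tools": ["bun"],
    "gh": {"repo": "myorg/my-app"},
    "workflow": {"enable_review_agent": True, "disallowed_tools": []},
}

# Hypothetical watch list (not part of orch): overrides worth a human look.
SENSITIVE = {"workflow.disallowed_tools", "router.allowed_tools",
             "gh.allow_gh_fallback", "gh.auth.token"}


def deep_merge(base, overlay):
    """Merge mappings recursively; scalars and lists from overlay replace base.
    Replacing lists wholesale is an assumption, not documented behaviour."""
    merged = dict(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def changed_paths(base, overlay, prefix=""):
    """Dotted paths of leaf keys where the overlay differs from base."""
    paths = []
    for key, value in overlay.items():
        path = prefix + key
        if isinstance(value, dict):
            sub = base.get(key) if isinstance(base.get(key), dict) else {}
            paths += changed_paths(sub, value, path + ".")
        elif base.get(key) != value:
            paths.append(path)
    return paths


def sensitive_overrides(base, overlay):
    """Subset of changed paths that appear on the watch list."""
    return sorted(p for p in changed_paths(base, overlay) if p in SENSITIVE)
```

Running sensitive_overrides on a checked-out repository's overlay before starting the server shows whether the project relaxes a guard that the global config sets.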

Skills

Skills extend agent capabilities with specialized knowledge:

# ~/.orch/skills.yml
repositories:
  - url: "https://github.com/user/skills-repo"
    commit: "abc123"
catalog:
  - id: "solana-best-practices"
    name: "Solana Best Practices"
    description: "Reviews Solana/Anchor programs for development best practices"

orch skills sync    # clone/update skill repositories
orch skills list    # show available skills

Skills listed in workflow.required_skills are always injected into agent prompts. Other skills are selected per-task by the router.

GitHub Authentication

Orch resolves GitHub tokens in this order — the first match wins:

  1. GH_TOKEN environment variable
  2. GITHUB_TOKEN environment variable
  3. gh.auth.token config value
  4. gh auth token CLI (enabled by default via gh.allow_gh_fallback: true)

The simplest setup is just gh auth login. No extra config needed.

Environment Variables

export GH_TOKEN="ghp_xxxxxxxxxxxxxxxxxxxx"

Explicit token in config

# ~/.orch/config.yml
gh:
  auth:
    token: "ghp_xxxxxxxxxxxxxxxxxxxx"

GitHub App Authentication

For GitHub App authentication, configure the App ID and private key path:

# ~/.orch/config.yml
github:
  token_mode: github_app
  app_id: "123456"
  private_key_path: "/path/to/app.pem"

The resolver automatically generates a JWT from the private key (valid for 9 minutes) and caches it until expiration.

Disable gh CLI fallback

The gh auth token fallback is enabled by default. To enforce explicit token configuration:

# ~/.orch/config.yml
gh:
  allow_gh_fallback: false
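
The resolution order and the fallback switch described above, as an added example that is not orch's own resolver: it returns the token together with the source that supplied it, so an operator can confirm which credential a service will actually use. Treating an empty environment variable as unset and the source labels are assumptions of this sketch.

```python
import os
import subprocess


def gh_cli_token():
    """Ask the gh CLI for its stored token; None if gh is missing or logged out."""
    try:
        out = subprocess.run(["gh", "auth", "token"], capture_output=True,
                             text=True, timeout=10, check=True)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


def resolve_token(env, config, cli=gh_cli_token):
    """Return (token, source) in the documented order; (None, None) if no match."""
    # 1 and 2: environment variables, GH_TOKEN before GITHUB_TOKEN.
    for name in ("GH_TOKEN", "GITHUB_TOKEN"):
        if env.get(name):  # assumption: an empty value counts as unset
            return env[name], "env:" + name
    # 3: explicit token in the (already merged) config.
    gh = config.get("gh") or {}
    token = (gh.get("auth") or {}).get("token")
    if token:
        return token, "config:gh.auth.token"
    # 4: gh CLI, only while gh.allow_gh_fallback is true (the documented default).
    if gh.get("allow_gh_fallback", True):
        token = cli()
        if token:
            return token, "gh-cli"
    return None, None


def redact(token):
    """Keep only a short prefix so the result can be logged without the secret."""
    return token[:4] + "..." if token else "<none>"


if __name__ == "__main__":
    # Constructed config; the environment is whatever the caller has set.
    tok, src = resolve_token(os.environ, {"gh": {"allow_gh_fallback": False}})
    print("source:", src, "token:", redact(tok))
```

An environment variable left over from another job takes precedence over gh.auth.token, which is why the source is reported alongside the token.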

Agent Session Tokens

When spawning agents in tmux sessions, tokens are injected via the tmux session environment (tmux set-environment) rather than being embedded in runner scripts. This prevents token leakage to disk and enables centralized token rotation without restarting agents.