Configuration
Maekon's runtime config lives in a JSON file under the platform data dir (~/Library/Application Support/Maekon/config.json on macOS, %APPDATA%\Maekon\config.json on Windows, ~/.config/maekon/config.json on Linux).
The file is rewritten on every change made via the UI — direct editing is supported but not required.
Section overview
AppConfig (defined in maekon-core::config::AppConfig) is composed of ~37 section structs, each owning a slice of behavior. The most user-relevant sections:
| Section | Purpose | Key fields |
|---|---|---|
| capture | Screen capture frequency + quality | interval_ms, pii_filter_level, sensitive_apps |
| notifications | Tray + desktop notifications | cooldown_seconds, severity_floor |
| privacy | What leaves the device | telemetry_enabled, consent_record |
| network | Server endpoints | api_url, grpc_url, grpc_fallback_ports |
| schedule | When Maekon runs | quiet_hours, weekly_off_days |
| integrations | Third-party services | enabled_providers, OAuth tokens (keychain) |
| sync | Cross-device sync | lan_peer_pin, transport_mode |
| sandbox | Automation isolation | profile (Strict / Standard / Permissive) |
| file_access | What paths Maekon may read | allowlist, denylist |
For the full list see crates/maekon-core/src/config/sections/ in the source repo.
Editing via CLI
```bash
# Read a value
maekon config get capture.interval_ms

# Set a value
maekon config set capture.interval_ms 5000

# Reset a section to defaults
maekon config reset capture
```
Editing via UI
The local web dashboard (http://localhost:10090 by default) exposes most sections under Settings. Changes take effect immediately — no restart required.
PII filter levels
The capture pipeline supports four cascading levels (maekon-vision::PiiFilterLevel):
- Off — no masking (development only)
- Basic — phone, email, credit card, SSN
- Standard (default) — Basic + API keys, file paths, IP addresses
- Strict — Standard + all-numeric strings ≥ 6 chars + sensitive-app deny list
Levels are inherited per-app; for example, bank apps automatically force Strict regardless of the global setting.
Sandbox profiles
Automation actions run in an out-of-process maekon-sandbox-worker binary. The sandbox.profile field controls what the worker is allowed to do:
- Strict (default) — read-only file access, no network, no exec
- Standard — read-write under user data dirs, no network
- Permissive — full user-level access (use only for trusted automation scripts)
Each platform applies the profile via Job Object (Windows), seccomp + Landlock (Linux), or App Sandbox (macOS).
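Because the config file can be edited directly, it is worth checking a deployed config.json for settings weaker than the documented defaults. The following audit is an added example, not part of Maekon or its CLI. It assumes each section is a top-level JSON object, that enum values are stored as the variant names listed above, and that a missing key means the default; the function name `audit_config` and the severity labels are hypothetical.

```python
import json

# Levels and profiles as listed on this page, weakest first.
PII_LEVELS = ["Off", "Basic", "Standard", "Strict"]
SANDBOX_PROFILES = ["Permissive", "Standard", "Strict"]

def audit_config(cfg):
    """Return (severity, dotted_key, message) findings for a parsed config."""
    findings = []
    # ASSUMPTION: each section is a top-level JSON object, enum values are
    # stored as the variant names above, and a missing key means the default.
    pii = cfg.get("capture", {}).get("pii_filter_level", "Standard")
    key = "capture.pii_filter_level"
    if pii not in PII_LEVELS:
        findings.append(("high", key, f"unknown level {pii!r}"))
    elif pii == "Off":
        findings.append(("high", key, "no masking (development only)"))
    elif PII_LEVELS.index(pii) < PII_LEVELS.index("Standard"):
        findings.append(("medium", key, "below default: API keys, file paths, IP addresses unmasked"))

    profile = cfg.get("sandbox", {}).get("profile", "Strict")
    key = "sandbox.profile"
    if profile not in SANDBOX_PROFILES:
        findings.append(("high", key, f"unknown profile {profile!r}"))
    elif profile == "Permissive":
        findings.append(("high", key, "worker has full user-level access"))
    elif profile == "Standard":
        findings.append(("low", key, "worker can write under user data dirs"))

    if cfg.get("privacy", {}).get("telemetry_enabled") is True:
        findings.append(("info", "privacy.telemetry_enabled", "telemetry is enabled"))
    return findings

# Constructed sample config, not taken from a real installation.
SAMPLE = json.loads("""
{
  "capture": {"interval_ms": 5000, "pii_filter_level": "Basic"},
  "sandbox": {"profile": "Permissive"},
  "privacy": {"telemetry_enabled": false}
}
""")

if __name__ == "__main__":
    for severity, dotted_key, message in audit_config(SAMPLE):
        print(f"[{severity}] {dotted_key}: {message}")
```

Unknown values are reported as high severity rather than ignored, since a misspelled level or profile name in a hand-edited file should not be assumed to resolve to a safe setting.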
Migrating between machines
The config file is the source of truth — copy it to a new machine and you keep your settings. Tokens stored in the platform keychain do not transfer; you'll need to re-authenticate.
For automated migration use the Cross-Device Sync feature instead (LAN peer pairing, end-to-end encrypted).