holon 0.14.1

A headless, event-driven runtime for long-lived agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

---
title: Remote access
summary: Remote daemon access — tunnel, tailnet, LAN modes, token management, and connecting from a remote TUI.
order: 22
---

# Remote Access

Holon supports running as a remote daemon and connecting from a TUI or API
client on another machine. This is the foundation for team-shared agents,
headless deployment, and remote development workflows.

## Access Modes

Both `holon daemon start` and `holon serve` accept an `--access` flag:

| Mode | Description | Use Case |
|------|-------------|----------|
| `local` | Loopback only (127.0.0.1) | Default; single-machine use |
| `lan` | Local network | Same LAN, known IP |
| `tunnel` | Cloudflare Tunnel | Public access through a tunnel |
| `tailnet` | Tailscale network | Private mesh between your devices |

## Remote Server

### Tunnel Mode (Cloudflare)

Start a daemon accessible through a Cloudflare Tunnel:

```bash
holon daemon start --access tunnel
```

Or use the standalone server:

```bash
holon serve --access tunnel
```

The runtime manages the tunnel lifecycle. No Cloudflare configuration is
required on your side — Holon creates and manages ephemeral tunnels
automatically.

### Tailnet Mode (Tailscale)

For private mesh access between your own devices:

```bash
holon daemon start --access tailnet
holon serve --access tailnet
```

Requires Tailscale to be installed and authenticated on the host machine.

### LAN Mode

For same-network access with a known IP:

```bash
holon serve --access lan --host 192.168.1.10 --port 8787
```

### Custom Host and Port

Override the default listen address:

```bash
holon daemon start --access tunnel --port 9000
holon serve --access lan --host 0.0.0.0 --port 8787
```

## Connecting Remotely

### TUI Connection

Connect from a remote terminal:

```bash
holon tui --connect https://your-server:8787 --token "your-token"
```

Read the token from a file:

```bash
holon tui --connect https://your-server:8787 --token-file ~/.holon/remote.token
```

Use a stored token profile:

```bash
holon tui --connect https://your-server:8787 --token-profile my-profile
```

### HTTP API

The same token authenticates HTTP control plane requests:

```bash
curl -H "Authorization: Bearer your-token" \
  https://your-server:8787/v1/agents/list
```

See the [HTTP Control Plane reference](/reference/http-control-plane.md) for
the full API surface.

## Token Management

### Generating a Token

Tokens are generated when the server starts. Capture the token from the
startup output or create a dedicated file:

```bash
# On the server, save the token
holon daemon start --access tunnel --token-file ~/.holon/remote.token
```

### Token Profiles

Store multiple tokens as named profiles in your configuration:

```bash
holon config set tokens.office "token-for-office-server"
holon config set tokens.home "token-for-home-server"
```

Then connect by profile name:

```bash
holon tui --connect https://office:8787 --token-profile office
holon tui --connect https://home:8787 --token-profile home
```

## Daemon Management

Once the daemon is running, standard management commands work remotely:

```bash
holon daemon status
holon daemon logs
holon daemon restart
holon daemon stop
```

## Security Considerations

- **Always use a token**. Remote connections without a token are rejected for
  non-local access modes.
- **Prefer tunnel or tailnet** over LAN mode when connecting across the
  internet. These provide encryption and authentication without exposing raw
  ports.
- **Rotate tokens** by restarting the daemon with a new `--token-file`.
- **Use `--access local`** when only local connections are needed. This is
  the default and the most secure option.
- The HTTP control plane applies trust-boundary rules: read-only routes
  (agent state, events, tasks) still require a valid token for remote access.

## See Also

- [TUI Guide](/guides/tui.md) — Full TUI navigation and slash command reference
- [HTTP Control Plane](/reference/http-control-plane.md) — API reference for programmatic access
- [Troubleshooting](/guides/troubleshooting.md) — TUI connection issues
- [Integration Guide](/guides/integration.md) — Programmatic integration patterns