Skip to main content

Server Capabilities

The Loom server is a production-ready HTTP API that provides:
  • LLM Proxy: Route requests to Anthropic/OpenAI with authentication
  • Thread Persistence: Store and sync conversation history
  • Weaver Orchestration: Manage ephemeral Kubernetes execution environments
  • Crash Analytics: Error tracking and symbolication
  • Cron Monitoring: Job scheduling and health checks
  • Session Analytics: User session tracking and release health

Architecture

Starting the Server

Configuration

Server configuration is loaded from:
  1. Environment variables (LOOM_SERVER_*)
  2. .env file (via dotenvy)
  3. Built-in defaults

Required Configuration

DATABASE_URL
string
required
PostgreSQL connection stringExample: postgres://user:pass@localhost/loom

HTTP Server

LOOM_SERVER_HOST
string
Bind address
Default: 0.0.0.0
LOOM_SERVER_PORT
integer
HTTP port
Default: 8080

Authentication

LOOM_SERVER_AUTH_DEV_MODE
boolean
Bypass authentication (development only)
Default: false
LOOM_SERVER_AUTH_SESSION_CLEANUP_INTERVAL_SECS
integer
Session cleanup job interval
Default: 3600 (1 hour)
LOOM_SERVER_AUTH_OAUTH_STATE_CLEANUP_INTERVAL_SECS
integer
OAuth state cleanup interval
Default: 300 (5 minutes)

Weaver Configuration

LOOM_SERVER_WEAVER_ENABLED
boolean
Enable weaver provisioning
Default: false
LOOM_SERVER_WEAVER_NAMESPACE
string
Kubernetes namespace for weavers
Default: loom-weavers
LOOM_SERVER_WEAVER_CLEANUP_INTERVAL_SECS
integer
Weaver TTL cleanup job interval
Default: 60 (1 minute)

Logging

LOOM_SERVER_LOGGING_LEVEL
string
Log level: trace, debug, info, warn, error
Default: info

Core APIs

Health Check

Returns server status and version information.

LLM Proxy

The LLM proxy routes requests to configured providers (Anthropic/OpenAI) while handling authentication, rate limiting, and token management.
Request:
Streaming Response:
  • Server-Sent Events (SSE)
  • Event types: text_delta, tool_call_delta, completed, error

Thread APIs

Save or update a conversation thread with full state:
  • Messages (user, assistant, tool)
  • Agent state (waiting, executing, error)
  • Git metadata (branch, commits, remote)
  • Workspace info

Weaver APIs

See Weavers documentation for complete API reference.

Background Jobs

The server runs scheduled background jobs using the JobScheduler:

Weaver Cleanup

Deletes expired weavers based on TTL
Interval: 60 seconds

Session Cleanup

Removes expired auth sessions
Interval: 1 hour

OAuth State Cleanup

Purges expired OAuth states
Interval: 5 minutes

Job History Cleanup

Archives old job execution logs
Interval: 24 hours

Token Refresh

Refreshes OAuth tokens for LLM pool
Interval: 5 minutes

SCM Maintenance

Runs git gc on SCM repositories
Interval: Configurable

Cron Monitoring

Detects missed runs and timeouts
Interval: 60 seconds

Session Aggregation

Aggregates app sessions into metrics
Interval: 1 hour

Database Schema

Migrations are in crates/loom-server/migrations/ as numbered SQL files:
Migration workflow:
  1. Create new file: NNN_description.sql
  2. Run cargo2nix-update to regenerate Cargo.nix
  3. Migrations auto-run on server startup
Always run cargo2nix-update after adding migrations! The Nix build doesn’t detect include_str! changes automatically.

Self-Monitoring

Loom uses itself for crash reporting:
Creates crash projects for:
  • loom-server (backend crashes)
  • loom-web (frontend crashes)
  • loom-cli (CLI crashes)

Deployment

NixOS Auto-Update

Production server runs NixOS with automatic deployment:
Deployment flow:
  1. Push to trunk branch
  2. Auto-update service polls every 10 seconds
  3. Pulls latest commit
  4. Rebuilds with Nix
  5. Switches to new configuration
  6. Restarts loom-server.service

Verify Deployment

1

Check revision

2

Check service status

Look for recent start time.
3

Test health endpoint

Monitoring

Logs

Admin UI

The server includes a log streaming endpoint for admin dashboards:
Returns Server-Sent Events with structured log entries (redacted secrets).

Security

Authentication

  • OAuth 2.0: GitHub, Google providers
  • Magic Links: Email-based passwordless auth
  • Session Tokens: Secure, httpOnly cookies
  • API Keys: For programmatic access

Secrets Management

All secrets use loom-common-secret::SecretString:
  • Auto-redacts in Debug/Display/Serialize
  • Access via .expose() only when needed
  • Never logged by tracing instrumentation

CORS

Configured to allow:
  • Any origin (development)
  • Any methods
  • Any headers
Production deployments should restrict CORS to trusted domains.

Performance

Database Connection Pooling

Uses sqlx::PgPool with:
  • Automatic connection management
  • Prepared statement caching
  • Health checks

Caching

  • Thread Store: In-memory cache for recent threads
  • Docs Index: Loaded once on startup
  • Job Scheduler: Periodic task execution without polling

Troubleshooting

Check PostgreSQL connection:
Verify migrations:
Check Kubernetes access:
Verify namespace exists:
Enable debug logging:
Check provider credentials in database.