~/.zeropath/config.env
Read by the stop hooks on every invocation; real environment variables
override file values.
| Variable | Default | Meaning |
|---|---|---|
| `ZEROPATH_BLOCKING_STOP_HOOKS` | `false` | `true` makes the Claude Code Stop hook block the agent while findings at/above the threshold exist, feeding findings back for remediation. (Cursor stop hooks cannot block regardless.) |
| `ZEROPATH_HOOK_SEVERITY_THRESHOLD` | `high` | Minimum severity that triggers blocking: `critical`, `high`, `medium`, `low`, or `info`. All findings are reported and logged regardless. |
| `ZEROPATH_HOOK_TIMEOUT_SECONDS` | `240` | How long a hook waits for scan completion. On timeout the hook fails open (warns, never blocks). Keep below the hook timeout registered with the agent (300s for Claude Code). |
| `ZEROPATH_HOOK_MAX_BLOCKS_PER_SESSION` | `3` | Blocking-mode budget per agent session; prevents infinite remediation loops when the agent cannot fix a finding. |
| `ZEROPATH_HOOKS_DISABLED` | `false` | `true` turns the hooks into no-ops without uninstalling them. |
| `ZEROPATH_BASE_URL` | `https://zeropath.com` | API base URL for self-hosted / branch environments. |
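
A small model of how the settings above combine, added here as an example and not ZeroPath's own hook code. It assumes `config.env` holds `KEY=VALUE` lines and that the checks run in the order shown; the function names and `SAMPLE_CONFIG` are constructed for illustration.

```python
import os

DEFAULTS = {  # defaults copied from the table above
    "ZEROPATH_BLOCKING_STOP_HOOKS": "false",
    "ZEROPATH_HOOK_SEVERITY_THRESHOLD": "high",
    "ZEROPATH_HOOK_TIMEOUT_SECONDS": "240",
    "ZEROPATH_HOOK_MAX_BLOCKS_PER_SESSION": "3",
    "ZEROPATH_HOOKS_DISABLED": "false",
}
SEVERITIES = ["info", "low", "medium", "high", "critical"]  # ascending order
AGENT_HOOK_TIMEOUT = 300  # Claude Code's registered hook timeout, per the table
SAMPLE_CONFIG = "ZEROPATH_BLOCKING_STOP_HOOKS=true\nZEROPATH_HOOK_SEVERITY_THRESHOLD=medium\n"  # constructed


def parse_env_file(text):
    """Parse KEY=VALUE lines (assumed file format); skip blanks and # comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("\"'")
    return values


def effective_settings(file_text, environ=os.environ):
    """Precedence: defaults < config.env < real environment variables."""
    merged = {**DEFAULTS, **parse_env_file(file_text)}
    merged.update({k: environ[k] for k in DEFAULTS if k in environ})
    return merged


def stop_hook_decision(settings, finding_severities, scan_timed_out, blocks_used):
    """Return (action, warnings); action is 'block' or 'allow'."""
    warnings = []
    if int(settings["ZEROPATH_HOOK_TIMEOUT_SECONDS"]) >= AGENT_HOOK_TIMEOUT:
        warnings.append("hook timeout is not below the agent's 300s limit")
    if settings["ZEROPATH_HOOKS_DISABLED"].lower() == "true":
        return "allow", warnings  # hooks are no-ops
    if scan_timed_out:  # fail open: warn, never block
        return "allow", warnings + ["scan timed out; failing open"]
    if settings["ZEROPATH_BLOCKING_STOP_HOOKS"].lower() != "true":
        return "allow", warnings  # report-only mode
    if blocks_used >= int(settings["ZEROPATH_HOOK_MAX_BLOCKS_PER_SESSION"]):
        return "allow", warnings + ["block budget exhausted"]
    floor = SEVERITIES.index(settings["ZEROPATH_HOOK_SEVERITY_THRESHOLD"].lower())
    hit = any(SEVERITIES.index(s) >= floor for s in finding_severities)
    return ("block" if hit else "allow"), warnings
```

Every path other than an at-threshold finding in blocking mode with budget remaining returns `allow`, so a timeout or an exhausted budget lets the agent stop with findings still open; the scan logs remain the record to review.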
Credentials
- `~/.config/zeropath/credentials.json` — written by `zeropath auth`, used by the CLI and therefore the hooks.
- Each agent’s MCP config carries the token as `ZEROPATH_TOKEN_ID`/`ZEROPATH_TOKEN_SECRET` env vars (plus optional `ZEROPATH_ORG_ID`, `ZEROPATH_BASE_URL`).
--token-id/--token-secret (it
rewrites both places), or run zeropath auth NEW_ID NEW_SECRET and update the
MCP config blocks manually.
Installer environment overrides
| Variable | Purpose |
|---|---|
| `ZEROPATH_AGENT_INSTALL_RAW_BASE` | Where `install.sh` fetches support files (default: the agent_install repo’s raw URL on main). Point at a branch/fork for testing. |
| `ZEROPATH_CLI_RELEASE_BASE` | Where the `zeropath` CLI binary is downloaded from. |
| `ZEROPATH_MCP_SERVER_SOURCE` | The `uvx --from` source for the MCP server (default: its GitHub repo; pin a tag/commit for reproducibility). |
| `ZEROPATH_HOME` | Install root (default `~/.zeropath`). |
Logs and cache
- `~/.zeropath/logs/scan-<agent>-<timestamp>.json` — full scan outcome (submitted job, status, vulnerabilities, suggested fixes) for every hook scan, including failed ones.
- `~/.zeropath/cache/hook-state.json` — per-workspace diff hash (skip rescanning unchanged diffs) and per-session block budgets. Safe to delete.