Configuration

Environment variables, AI routing, browser settings, and secrets management.

Cartographer is configured through the dashboard (preferred for cloud users) and environment variables (required for self-hosted deployments). This page covers both.


| Area | Path | What you set |
|---|---|---|
| AI & models | /dashboard/ai-settings | Hosted vs BYOK, per-capability model routing |
| Credentials | /dashboard/projects/{id}/credentials | Aliases — secrets never shown after save |
| Project | /dashboard/projects/{id}/settings | Seed URLs, scope, extension allowlist |

See BYOK & models for hosted vs bring-your-own-key routing.


Per-capability model routing

Cartographer uses different models for different stages:

| Capability key | Stage |
|---|---|
| planner | Agent planning |
| grounding_tier0 | Accessibility-tree grounding |
| grounding_tier1_vlm | Vision escalation + crawl interactive discovery |
| export_generator | Playwright code generation |
| export_healer | Export self-verify repair loop |
| passive_ux_vlm | Sampled UX screenshot analysis |
| embeddings | Route map and skill-cache vectors |
| stagehand_planner / stagehand_vlm | Stagehand bridge overrides |

Default inference mode: molar (hosted gateway). BYOK integrations add rows per provider (Anthropic, OpenAI, Google, Azure, …).


Core environment variables

API (apps/api)

| Variable | Default | Description |
|---|---|---|
| CARTOGRAPHER_ENV | local | Deployment profile |
| LOG_LEVEL | info | Logging verbosity |
| SECRET_KEY | | Change in production (≥32 chars) |
| POSTGRES_URL | local DSN | Application + Hatchet database |

Object storage

| Variable | Default | Description |
|---|---|---|
| S3_ENDPOINT | http://localhost:9000 | MinIO or AWS S3 endpoint |
| S3_ACCESS_KEY_ID | | Access key |
| S3_SECRET_ACCESS_KEY | | Secret key |
| S3_BUCKET_ARTIFACTS | cartographer-artifacts | Screenshots, exports, HAR |
| S3_BUCKET_TRACES | molar-traces | Trace blobs |
| S3_BUCKET_DEMOS | cartographer-demos | Recorded demonstrations |
| S3_FORCE_PATH_STYLE | true | Required for MinIO |
| ARTIFACT_RETENTION_DAYS | 90 | Blob TTL |
| RUN_RETENTION_DAYS | 90 | Run metadata retention |

LLM providers

| Variable | Description |
|---|---|
| ANTHROPIC_API_KEY | Planner / tier-0 / export generator (if not using hosted only) |
| GOOGLE_API_KEY | Tier-1 VLM, export healer, passive UX |
| OPENAI_API_KEY | Optional alternate provider |
| AZURE_OPENAI_* | Azure OpenAI endpoint, deployment, API version |
| LLM_MODEL_PLANNER | Default claude-sonnet-4-5-20251022 |
| LLM_MODEL_HEALER | Default gemini-2.5-pro |
| LLM_MODEL_VLM_FLASH | Default gemini-2.0-flash |
| MOLAR_LLM_BASE_URL | Hosted gateway URL (e.g. http://localhost:14000) |
| MOLAR_LLM_SERVICE_KEY | Platform service key for molar-managed integration |
| ORG_LLM_SPEND_CAP_CENTS_DEFAULT | Org hosted-LLM cap (0 = unset) |

Browser and grounding

| Variable | Default | Description |
|---|---|---|
| CLOAKSERVE_HOST | localhost | Stealth browser multiplexer |
| CLOAKSERVE_PORT | 9222 | CDP port |
| DEFAULT_BROWSER_ADAPTER | cloakbrowser | cloakbrowser / camoufox / extension |
| DEFAULT_GROUNDING_TIER | 0 | Default per-run tier |
| MAX_GROUNDING_TIER | 1 | Hard cap (set 2 for local MLX) |
| GROUNDING_T2_SERVER_URL | | UI-TARS MLX server when tier 2 enabled |

Hatchet (job queue)

| Variable | Description |
|---|---|
| HATCHET_CLIENT_TOKEN | Worker authentication |
| HATCHET_CLIENT_HOST_PORT | localhost:7077 |
| AGENT_WORKER_SPLIT_QUEUES | Split interactive vs exploration workers |
| AGENT_WORKER_INTERACTIVE_SLOTS | Concurrency |
| AGENT_WORKER_EXPLORATION_SLOTS | Concurrency |

Redis and live streams

| Variable | Default | Description |
|---|---|---|
| REDIS_URL | redis://localhost:6379/0 | Run event pub/sub |
| MCP_EVENTSTORE_REDIS_URL | same | MCP task resumption |

MCP server

| Variable | Description |
|---|---|
| MCP_HTTP_BASE_URL | Internal base URL MCP tools use to call REST (default http://localhost:8001 in .env.example — set to http://localhost:8000 locally so tools hit the API) |
| MCP_SERVICE_ACCOUNT_TOKEN | Service token for MCP internal calls — not the user's OAuth token |
| MCP_AUDIENCE | cartographer-mcp |
| MCP_EVENTSTORE_REDIS_URL | Redis backing for MCP task state |

Clients connect to {API_URL}/mcp (e.g. http://localhost:8000/mcp), not a separate port.

Auth (web + API)

| Variable | Description |
|---|---|
| BETTER_AUTH_URL | Auth app URL — standalone: same as web; combined: https://app.molar.it |
| BETTER_AUTH_SECRET | Session signing secret |
| DATABASE_URL | Auth-core schema (web app) |
| AUTH_COOKIE_ENABLED | true when browser calls API with cookies |
| BFF_JWT_SECRET | Short-lived internal JWT (Better Auth → FastAPI) |

Credentials vault

| Variable | Description |
|---|---|
| SECRETS_BACKEND | local_file / vault / aws_secrets_manager |
| CREDENTIAL_ENCRYPTION_KEY | Fernet key for integration secrets |
| VAULT_ADDR / VAULT_TOKEN | HashiCorp Vault |
| AWS_SECRETS_PREFIX | Prefix for AWS SM paths |

Extension

| Variable | Description |
|---|---|
| EXTENSION_EXPECTED_ID | chrome-extension://<id> after install |

Enterprise

| Variable | Description |
|---|---|
| LICENSE_REQUIRED | Enforce offline license file |
| LICENSE_FILE | Path to signed license |
| LICENSE_PUBLIC_KEY | Verify key |

Local Tier 2 grounding (optional)

For air-gapped or privacy-strict vision without cloud APIs:

make grounding-install   # UI-TARS-1.5-7B-4bit (~4 GB)
make grounding-serve     # MLX server on :8765

Set DEFAULT_GROUNDING_TIER=2 and MAX_GROUNDING_TIER=2 in .env.


Crawl defaults (project settings JSON)

| Key | Default | Meaning |
|---|---|---|
| crawl_depth | 4 | BFS depth |
| crawl_max_pages | 500 | Page cap |
| interactive_crawl | true | SPA click discovery |
| interactive_grounding_tier | 1 | Vision for crawl clicks |
| interactive_max_clicks_per_page | | Sequential retry budget |
| robots_override | false | Ignore robots.txt |

Run defaults

| Key | Default | Meaning |
|---|---|---|
| max_steps | 50 | Agent step budget |
| grounding_tier | 0 | Starting tier |
| human_preset | default | careful for strict timing sites |
| headless | true | false for local debugging |
| vlm_budget_cents | | Per-run vision spend cap |

Trace Debugger budgets

Monthly LLM budget for Debugger chat (cents):

| Plan env var | Default cents |
|---|---|
| TRACE_BUDGET_FREE_CENTS | 500 |
| TRACE_BUDGET_STARTER_CENTS | 10000 |
| TRACE_BUDGET_TEAM_CENTS | 50000 |
| TRACE_BUDGET_BUSINESS_CENTS | 250000 |

CLI configuration

cartog config set api_url https://api.cartographer.example
cartog config set token <pat>
cartog whoami

Config file location is printed by cartog config path.


.env file (local)

Copy .env.example from your Cartographer self-host bundle after make bootstrap. Never commit .env to git.

Minimum for a working dev loop:

ANTHROPIC_API_KEY=sk-ant-...
GOOGLE_API_KEY=...
POSTGRES_URL=postgresql+psycopg://cartographer:cartographer@localhost:5432/cartographer

Provider-agnostic hosted routing can substitute Azure/DeepSeek/Nemotron via MOLAR_LLM_BASE_URL without Anthropic keys — see GA deployment notes in the repo.


| Practice | Configuration |
|---|---|
| No secrets in logs | Aliases only in API payloads |
| CSRF | Enable cookies + X-CSRF-Token on mutating browser requests |
| Rate limits | API_RATE_LIMIT_*, API_RATE_LIMIT_TENANT_* for hosted multi-tenant |
| Internal callbacks | INTERNAL_SERVICE_TOKEN for worker → API |
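
The secret-related constraints on this page (SECRET_KEY of at least 32 characters outside local, a Fernet-format CREDENTIAL_ENCRYPTION_KEY, the three SECRETS_BACKEND values) can be linted before a self-hosted deployment starts. The script below is an added example, not part of Cartographer. Its function names and three of its rules are assumptions: that a vault backend needs both VAULT_ADDR and VAULT_TOKEN, that the sample DSN credentials must not be used outside local, and that signing secrets must not be reused.

```python
"""Added example: preflight lint for a Cartographer .env (not project code)."""
import base64
import binascii

BACKENDS = {"local_file", "vault", "aws_secrets_manager"}  # values listed on this page
SIGNING_VARS = ("SECRET_KEY", "BETTER_AUTH_SECRET", "BFF_JWT_SECRET")

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip optional quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first "=" only
        env[key.strip()] = value.strip().strip("'\"")
    return env

def is_fernet_key(value):
    """A Fernet key is URL-safe base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.urlsafe_b64decode(value.encode())) == 32
    except (binascii.Error, ValueError):
        return False

def lint(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    prod = env.get("CARTOGRAPHER_ENV", "local") != "local"
    if prod and len(env.get("SECRET_KEY", "")) < 32:
        findings.append("SECRET_KEY shorter than 32 chars")
    key = env.get("CREDENTIAL_ENCRYPTION_KEY")
    if key is not None and not is_fernet_key(key):
        findings.append("CREDENTIAL_ENCRYPTION_KEY is not a valid Fernet key")
    backend = env.get("SECRETS_BACKEND")
    if backend is not None and backend not in BACKENDS:
        findings.append(f"SECRETS_BACKEND {backend!r} not recognised")
    if backend == "vault" and not (env.get("VAULT_ADDR") and env.get("VAULT_TOKEN")):
        findings.append("vault backend needs VAULT_ADDR and VAULT_TOKEN")
    # Assumption: the dev-loop DSN credentials shown on this page stay local.
    if prod and "cartographer:cartographer@" in env.get("POSTGRES_URL", ""):
        findings.append("POSTGRES_URL uses the sample dev credentials")
    # Assumption: each signing secret is unique, so one leak stays contained.
    used = [env[v] for v in SIGNING_VARS if env.get(v)]
    if len(used) != len(set(used)):
        findings.append("signing secrets are reused across variables")
    return findings
```

Run `lint(parse_env(open(".env").read()))` in CI or a container entrypoint and fail the start when the list is non-empty; the findings name variables only and never echo secret values.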