Deployment
Cartographer supports three deployment patterns:
| Mode | Who | Auth | Dashboard |
|---|---|---|---|
| Molar Cloud | SaaS customers | Better Auth at app.molar.it | Combined or Cartographer-only SKU |
| Local dev | Engineers | Local Better Auth / dev tokens | localhost:3000 |
| Self-hosted / on-prem | Enterprise | Your IdP + optional license file | Your domain |
The application behavior is the same across modes — only topology, auth issuer URL, and who operates workers/storage changes.
Molar Cloud (managed)
Best for: teams that want crawls, runs, and exports without running Docker.
- Sign up at app.molar.it
- Ensure your org has the Cartographer entitlement (standalone or bundle)
- Open app.molar.it/dashboard/cartographer
- Connect MCP via OAuth from Integrations → MCP
Infrastructure (operated by Molar):
- Molar API + Better Auth (combined mode)
- Cartographer API, workers (crawl, agent, export, trace)
- Postgres (Supabase), Redis (Upstash), object storage
- LiteLLM gateway for hosted models
- MCP endpoint:
https://mcp.molar.cloud
Your responsibilities:
- Target app URLs and credentials
- BYOK keys (optional)
- GitHub App install for export PRs
Product marketing and deep links: cartographer.molar.it
Local development
Best for: contributing, debugging, or evaluating before purchase.
# From your Cartographer self-host bundle (contact support@molar.it for access)
make bootstrap
make dev
make seed
Services and ports
| Service | Port | Purpose |
|---|---|---|
| Next.js Web UI | 3000 | Dashboard /dashboard/*, trace viewer /traces/* |
| Orchestration API | 8000 | REST, WebSockets, MCP at /mcp |
| WSS relay | 8443 | Browser extension |
| Hatchet API / UI | 7077 / 8080 | Job orchestration |
| Postgres | 5432 | App + Hatchet state |
| MinIO API / console | 9000 / 9001 | Artifacts |
| Langfuse | 3001 | LLM traces |
| Jaeger | 16686 | Infra traces |
CloakBrowser (cloakserve) | 9222 | Stealth CDP pool |
| Crawl4AI | 11235 | Static crawler sidecar |
| MLX grounding (opt-in) | 8765 | Tier 2 local VLM |
Start workers in separate terminals:
make agent-worker
make crawl-worker
make export-worker
Customer docs are always at docs.molar.it.
Docker Compose (self-hosted)
Best for: single-node production, pilots, or air-gapped connected deployments.
The Cartographer self-host bundle includes Docker Compose definitions used by make dev. Production self-hosters typically:
- Pin image tags and CloakBrowser binary checksums (never set
CLOAKBROWSER_SKIP_CHECKSUM=true) - Point
POSTGRES_URL,REDIS_URL, andS3_*at managed services or HA clusters - Set
SECRET_KEY,BETTER_AUTH_SECRET,CREDENTIAL_ENCRYPTION_KEY, JWT keys from a secrets manager - Scale worker containers horizontally; Hatchet coordinates concurrency
- Terminate TLS at your ingress; set
AUTH_COOKIE_SECURE=true
Minimum production topology
┌─────────────┐
Users ───────────►│ Ingress │
│ (TLS) │
└──────┬──────┘
┌───────────────┴───────────────┐
▼ ▼
┌─────────┐ ┌───────────┐
│ Web UI │ │ API :8000 │
│ :3000 │ │ REST + MCP│
└─────────┘ │ /mcp │
└─────┬─────┘
│
┌───────────┼───────────┐
▼ ▼ ▼
┌──────────┐ ┌─────────┐ ┌─────────┐
│ Hatchet │ │ Workers │ │cloakserve│
└──────────┘ └─────────┘ └─────────┘
│ │
▼ ▼
┌─────────────────────────┐
│ Postgres + Redis + S3 │
└─────────────────────────┘
Worker types
| Worker | Responsibility |
|---|---|
crawl-worker | BFS + interactive route discovery |
agent-worker | LangGraph planner/actor/verifier |
export-worker | Playwright generation + healer |
trace-worker | Trace postprocess, GC |
Standalone vs combined auth
Both modes use Better Auth and the shared @molar/auth-core schema — not two different login stacks.
| Standalone Cartographer | Combined Molar bundle | |
|---|---|---|
| Login URL | Cartographer host /login | app.molar.it/login |
BETTER_AUTH_URL | Same as web app | Molar API URL |
| MCP OAuth | Optional until hosted MCP | Molar API AS |
| Domain API | Cartographer FastAPI | Same |
FastAPI remains authoritative for projects, runs, credentials, exports, and extension tokens. Browser signup flows through Better Auth; the API validates session via dashboard API JWT or shared session lookup.
For enterprise auth topology (standalone SKU vs combined bundle), contact support@molar.it.
On-prem / air-gapped
Best for: regulated industries, no outbound screenshot policy, or contractual data residency.
| Requirement | Approach |
|---|---|
| No cloud LLM | MAX_GROUNDING_TIER=2 + local MLX; text planner on local model via BYOK OpenAI-compat endpoint |
| No phone-home | LICENSE_REQUIRED=true + signed license file |
| Secrets | HashiCorp Vault or AWS Secrets Manager (SECRETS_BACKEND) |
| Egress | Lock worker network policies; mitmproxy allowlist for agent sandbox |
| Object storage | MinIO on-prem or S3-compatible appliance |
Tier 2 grounding install:
make grounding-install
make grounding-serve
Helm charts for enterprise SKUs are available from Molar support. Contact support@molar.it for packaging and cluster install guidance.
E2B / code sandbox (export verify)
Export self-verify runs generated tests in an isolated sandbox (E2B Firecracker in production, microsandbox on Apple Silicon dev). Ensure workers can reach the sandbox API and that egress policies allow only your target app origins.
Observability
| System | URL (local) | Purpose |
|---|---|---|
| Langfuse | :3001 | LLM/agent spans |
| Jaeger | :16686 | Infra traces |
| Hatchet dashboard | :8080 | Job queue depth, failures |
| Dashboard health strip | Home | Operator-facing readiness |
Correlate by trace_id across Langfuse and Jaeger.
Upgrades and migrations
- Database schema: Alembic migrations only — run
make migrateafter pulling new versions - CloakBrowser: binary updates via
make bootstrapwith checksum verification - Zero-downtime: roll API first, then workers (workers tolerate brief API version skew)
Deployment checklist
- Postgres backups and
org_idRLS verified - S3 bucket policies scoped per org prefix
- LLM keys or hosted gateway configured
- All four workers healthy in Hatchet
-
cloakservereachable from agent-worker - TLS and
BETTER_AUTH_SECRETrotated from dev defaults - Credential vault backend production-ready (not
local_file) - Rate limits enabled for multi-tenant hosted (
API_RATE_LIMIT_TENANT_*)
Related
- Quick start — bootstrap commands
- Configuration — full env var list
- Dashboard — entitlements and usage on cloud