Troubleshooting & FAQ
Destructive-call refusal
MolarDestructiveCallError
Symptom: Test fails before any HTTP request with "Molar refused destructive call to https://api.stripe.com/..."
Cause: Your app still points at a live vendor host with a key that matches live patterns (sk_live_, production Twilio SID, etc.).
Fix:
- Set vendor base URL to the clone:
STRIPE_API_BASE,MOLAR_CLONE_STRIPE_URL, or SDKclone.url - Use
clone.testKeyinstead of a live secret - Verify the route proxy is in path if using transparent interception
Escape hatch (intentional live call only):
export MOLAR_DESTRUCTIVE_ALLOW=1
Never set this in CI.
MolarUnknownTargetError
Symptom: "Expected X-Molar-Clone response header"
Cause: URL points to something that is not a Molar clone (misconfigured BYOC URL, stale load balancer).
Fix:
curl -I {url}/t/{runId}/_clone/health— expectX-Molar-Clone: stripe@...- Register correct BYOC endpoint in Fleet
- Enable strict mode only after fleet is verified
SDK / runtime errors
MOLAR_E020: @molar/clones is not installed
npm install @molar/clones
Or remove clone declarations from .molar.md if clones are not needed.
MOLAR_E021: clone "stripe" was not started
Add the kind to scenario frontmatter clones: array. The compiler must emit molar.clones.start([...]) in beforeAll.
MOLAR_E022: unknown clone kind
Check spelling against supported vendors. Fixture kinds use the same names as the catalog (github, not gh).
MOLAR_E023: waitForEvent not supported
Use expectWebhookFired on stripe, or admin poll for other kinds.
Clone won't start locally
clone did not become ready
- Check port conflicts — library mode picks random free ports
- Read stderr from child process (logged on timeout)
- Verify Go binary:
go run ./cmd/clones-stripewith explicitMOLAR_CLONE_ADDR - On Apple Silicon, use
arm64release binaries
Binary not found
export MOLAR_CLONE_STRIPE_BIN=$(which clones-stripe)
# or
npm install @molar/clones-core # triggers postinstall binary fetch
501 Not Implemented
Symptom: Vendor API returns HTTP 501 for a specific path.
Cause: Endpoint not yet inAPI coverage for this clone kind.
Workaround:
- Check per-vendor guide for coverage table
- Log appears in dashboard explorer 501 log
- Submit request via Developers → 501 request form
501s do not indicate misconfiguration — they indicate a spec gap.
Webhook not received
- Confirm webhook endpoint registered in clone (Stripe
/v1/webhook_endpoints) - Check Run workspace → Webhook inspector for delivery attempts
- Increase timeout:
expectWebhookFired("event.type", 60_000) - Advance clock if event is time-dependent (invoice finalize)
- Verify signature secret matches
HKDF(seed, "webhook-secret")
Snapshot restore failed
- Check schema version compatibility (
_schemafield) - Ensure restore targets same
runIdas save - World restore: confirm all kinds in manifest are registered and healthy
- Large snapshots: check retention quota (default 100 MB per snapshot)
During restore, clone may return 503 while state is loading.
Quota exceeded (HTTP 429)
Symptom: Quota Exceeded with resource: concurrent_clones
| Resource | Default behavior |
|---|---|
concurrent_clones | Cap per org; free tier ≈ 1 concurrent |
clone_minute | Metered hosted usage |
Fix:
- Teardown idle sessions in Sessions
- Reduce parallel CI matrix jobs
- Contact support@molar.it to raise limits
Daily quotas reset at 00:00 UTC. See Error codes.
Clock / timing issues
Subscription didn't renew after advanceClock
- Advance past
current_period_endshown on subscription object - Stripe test-clock rate limits don't apply to clones, but verify duration string (
30dnot30)
OTP expired too early/late
- Twilio Verify TTL is clock-driven — use
advanceClocknotsetTimeoutin tests
On-prem / Helm
| Issue | Check |
|---|---|
| Pods not ready | kubectl -n molar-clones get pods |
| Admin port exposed | NetworkPolicy should block :9000 from ingress |
| Egress detected | Re-run air-gap-audit.sh; set denyEgress=true |
| Snapshot store full | Garage bucket capacity in Fleet dashboard |
Full runbook: molar-clones/docs/onprem-runbook.md
FAQ
Is the Auth clone the same as Molar dashboard login?
No. The Auth clone simulates Clerk for your application under test. Molar operators sign in with Better Auth at app.molar.it.
Can I hit real Stripe test mode and Clones together?
Not in the same test without MOLAR_DESTRUCTIVE_ALLOW=1. Clones are designed to fully replace vendor sandboxes for hermetic runs.
Do fixture clones support world snapshots?
Not today. World snapshots cover the five deep clones only.
What's the difference between email and sendgrid in the catalog?
Same binary. sendgrid is the registry name; SDK and .molar.md use email.
How do Guard PR runs get clone URLs?
Guard spawns fresh sessions via the Molar API and injects env vars into the CI job. Failed runs link to the Clones session workspace.
Are webhook signatures identical to production?
Molar uses the same algorithms and header formats as Stripe, Twilio, and Svix (Clerk/Resend). A golden signer corpus runs in CI for fixed test vectors; vendor webhook signatures are verified in CI.
Can agents spawn clones without the dashboard?
Yes — via MCP molar_clone_spawn with OAuth or API key auth.
Where is the OpenAPI spec?
molar-clones/docs/openapi/control-plane.json and dashboard Developers hub.
Getting help
| Channel | Contact |
|---|---|
| support@molar.it | |
| Dashboard | app.molar.it/dashboard/clones → Support |
| Error reference | Error codes |
| Security | See molar-clones/docs/security-trust-domains.md |
Include: runId, clone kind(s), seed, dashboard session URL, and relevant log export from Run workspace.