Troubleshooting & FAQ
Answers to the most common Guard questions. Still stuck? Email support@molar.it or see docs.molar.it/support.
Product help: guard.molar.it
General
What does Guard cover that PR checks alone don't?
Guard runs the same scenario file on PR (with affected selection + Clones), production (synthetics), and shadow-prod (vendor drift), then feeds failures to Mender for fix PRs against your application code. See What is Molar Guard?.
Do I need Cartographer or Clones to use Guard?
No. Guard is plug-and-play with any Playwright suite via the CLI (molar-guard run / list) or a registered scenario in the GitHub Action. Cartographer and Clones are optional enrichments.
Where is the dashboard?
- Hosted: app.molar.it/dashboard/guard
- Product info: guard.molar.it
- Local dev:
http://localhost:3000afterpnpm dev
PR gating
The Check Run never appears
- Confirm the GitHub App is installed on the repository (Settings → GitHub in dashboard).
- Check GitHub Webhook deliveries for
api.molar.it— expect200responses. - Verify
GH_APP_IDandGH_WEBHOOK_SECRETare set on the Guard API (self-hosted). - Ensure the PR event is not from a draft you haven't marked ready (Guard listens to
ready_for_review).
Check stuck on "queued" or "in progress"
- Worker not running:
pnpm --filter @molar/guard-worker devlocally; check VM worker health in production. - Redis down:
curl localhost:4000/readyzshould show Redis healthy. - Queue backlog: noisy neighbor on shared infra — contact support for dedicated worker pool (Business tier).
Full suite runs on every small PR
Guard fell back to affected detection safety net:
- 0 scenarios selected on large diff → full suite +
guard.affected_fallbackmetric - >50 scenarios selected → full suite
Fix: Refresh scenario graph (push to default branch triggers Cartographer graph-only mode). Inspect:
molar-guard affected --base $BASE --head $HEAD
Check passes but production is broken
Your scenario catalog has a coverage gap. Add a scenario for the failing flow; set cache: never on critical paths.
Advisory mode — merge allowed on failure
Expected during the first 30 days. Promote to required in molar-guard.config.ts or branch protection when ready.
Destructive call blocked in PR
MolarDestructiveCallError: destructive call to real Stripe blocked in PR context
Your test or app hit live api.stripe.com during a PR run with Clones enabled. Point SDK at Clone URL from env (MOLAR_CLONE_STRIPE_URL) or disable Clones for that repo.
GitHub Action
MOLAR_API_KEY invalid
Regenerate key at Settings → API keys. Confirm secret name in GitHub repo settings matches workflow.
Action times out
Increase timeout-minutes (default 20). Large suites may need sharding (Business tier) or affected selection via GitHub App instead of Action-only mode.
scenario-id not found
Create the scenario in the dashboard or import from your repo, then copy its UUID into the workflow scenario-id input. The Action requires a registered scenario — it does not auto-discover Playwright tests yet.
Production monitoring
Cannot enable scheduled check — onboarding blocked
Complete Synthetic safety checklist:
- Analytics filter acknowledgement (
POST /v1/onboarding/analytics-ack) - Synthetic middleware installed
- Preflight audit events in dashboard
Real Stripe charge occurred
Stop schedules immediately (pause all checks). This is a Sev-1:
- Verify
is_syntheticmiddleware is active on the code path hit - Confirm synthetic user has
is_synthetic = truein DB - Contact support@molar.it with run ID
Incidents not resolving
Auto-resolve requires 2 consecutive successes. Flapping scenarios keep incident open — fix root cause or suppress with reason while investigating.
Analytics polluted by synthetic traffic
Review analytics filter onboarding. Exclude users where is_synthetic is true in both server-side traits and client-side event filters.
Shadow-prod
Too many shadow_diff false positives
- Approve expected vendor change → create snooze rule
- Tune
shadowDiffThresholdin alert policy - Add volatile fields to semantic diff allowlist
Shadow-prod not running
Requires shadow_prod: true on scheduled check and Clones enabled for the scenario.
Mender
Mender did not open a PR
| Cause | What to check |
|---|---|
Mode is off | mender.mode in config |
Classified as flake | Retries passed 2/3 |
Classified as scenario_bug | PR goes to .molar/scenarios/, not app code |
| Forbidden path | File matches forbiddenPaths |
| Circuit breaker | 3+ attempts in 24h on same scenario |
| Budget exceeded | 402 org LLM spend cap exceeded |
| Suggestive mode | Patch in dashboard/comment only — click Apply |
Low confidence / wrong classification
Reject with reason (POST /v1/mender/:id/reject) — feeds model improvement. Set mode to suggestive until merge rate improves.
Mender PR fails Guard on push
Expected occasionally — iterate on the PR manually or reject and let Mender retry (if circuit breaker allows).
Token budget exhausted
Switch to BYOK or raise cap via support (Team/Business).
API & auth
401 Unauthorized
Missing or expired token. Refresh session (dashboard) or regenerate API key (CI).
403 Forbidden
Authenticated but wrong org or insufficient role. Send correct x-org-id header.
429 Quota Exceeded
{
"error": "Quota Exceeded",
"resource": "runs_per_day",
"limit": 200,
"used": 200
}
Quota resets 00:00 UTC. Upgrade plan or contact support.
503 unavailable
Transient dependency failure (Postgres/Redis). Retry with backoff.
Full table: Error codes
Webhooks
GitHub deliveries return 4xx
| Code | Cause |
|---|---|
| 401 | Signature mismatch — rotate GH_WEBHOOK_SECRET |
| 413 | Body > 25 MB (rare) |
| 409 | Duplicate delivery ID (replay) — safe to ignore |
Outbound alert webhook not firing
Verify integration in Settings → Notifications; test with manual incident; confirm endpoint returns 2xx within timeout.
Local development
pnpm migrate fails
Postgres not running: docker compose up -d postgres.
Clones not starting
Set MOLAR_CLONES_ROOT to sibling molar-clones checkout. Requires Go toolchain for go run ./cmd/clones-*.
Health check fails
curl localhost:4000/healthz # liveness
curl localhost:4000/readyz # postgres + redis
FAQ — billing & plans
Can I use Guard without the rest of Molar?
Yes — Guard is a standalone SKU with its own dashboard and billing.
What counts as a "PR run" vs "prod run"?
PR runs: run_type = pr. Prod runs: run_type = schedule (and shadow_diff ticks). Manual runs may count against daily quota depending on plan.
Does BYOK affect Mender budget caps?
BYOK bills your upstream LLM provider directly. Molar-hosted caps apply only to molar-managed integration.
FAQ — compliance
Is Guard SOC 2 certified?
SOC 2 Type II report available on request for enterprise customers — email support@molar.it.
Where is data stored?
Molar API: Postgres (region-configurable on Business). Artifacts: S3-compatible object storage. Workers: regional pools (us-east-1, eu-west-1, ap-south-1).
Can I self-host Guard?
Yes — full stack with Docker Compose for local/CI. Contact support@molar.it for air-gapped Helm guidance.
Getting more help
- Collect run ID, incident ID, or webhook delivery ID
- Note timestamp (UTC) and org ID
- Email support@molar.it with reproduction steps
Include curl -v output for API issues (redact API keys).