Air-gap deploy

Run TheSpider fully offline with no phone-home

TheSpider is built to run fully air-gapped. Validation is air-gap-safe by default (public keys embedded in the image); telemetry has a documented off switch; methodology ships as a bundled snapshot.

Validate the license offline

License validation uses embedded public keys, so it works with zero outbound network:

  • LICENSE_JWKS_URL defaults to off. Leave it unset/empty for a fully air-gapped install — no JWKS refresh is attempted.
  • LICENSE_PUBLIC_KEY lets you override the embedded key with a base64url raw Ed25519 key for rotation, still with no network.

A boot with a malformed/bad-signature license fails loudly instead of degrading — you'll know at startup, not silently weeks later.

Turn telemetry off

deploy/.env
TELEMETRY=off

TELEMETRY=off means zero outbound traffic. When on, telemetry sends only { version, deployment_mode, instance/license id, usage rollups (counts), error counts } — never findings content (asserted in the test suite and in deploy/verify-onprem.sh).

Ship a methodology snapshot

Every image release bundles a methodology snapshot at build time, so an air-gapped install gets a current methodology with the image — no GET /v1/method-updates pull required. Apply a newer snapshot offline:

docker compose -f deploy/docker-compose.yml exec server \
  bun run src/apply-methodology.ts --project default --file /path/to/snapshot.json

Keep model keys local

On-prem AI dedupe uses your key and endpoint (AI_DEDUPE_API_KEY, AI_DEDUPE_BASE_URL) — a platform key never ships in the image. If your air-gap includes no outbound model access at all, leave AI_DEDUPE_API_KEY unset; dedupe falls back to heuristics-only (the free-tier behavior).

Verify the posture

bash deploy/verify-onprem.sh

The verifier asserts the telemetry-off posture and the license-validation path, among other checks.

Next steps