🚀 Installation

Self-host installs run a 14-day free trial from first boot — full access to every engine, no credit card, no platform-side AI caps. You bring your own Gemini key during setup (we never mark up the API call). After 14 days, write actions are blocked until you install a Sovereign licence file.

Buy a Sovereign licence at scarifone.com/pricing — single tier, £1,999 one-time (plus optional £499/year maintenance for updates + security patches from year 2 onwards). You get an email with a one-line licence code (format SCARIF-...) plus the signed JSON file as an attachment. Boot your install, open the URL, paste the code on the auto-shown /installscreen — engine unlocks immediately.

The signature is verified offline using an embedded Ed25519 public key — no phone-home, works fully air-gapped, and your install keeps running forever even if scarifone.com goes away.

• Docker + docker-compose v2 — Docker Desktop on Mac/Win, Engine on Linux
• ~2GB RAM, 20GB disk — Scarif One uses a few hundred MB; the rest is for tenant data + cache
• A free Gemini API key — get one at aistudio.google.com/apikey

If you want to expose the dashboard to the public internet, also: Cloudflare Tunnel (free, easiest) OR an SSL reverse proxy.

curl -fsSL https://raw.githubusercontent.com/Scarif-One/scarif-one/main/scripts/install.sh | bash

This:

1. Verifies Docker is installed
2. Creates ~/scarif-one/
3. Downloads docker-compose.yml + .env.example
4. Prompts for your GEMINI_API_KEY
5. Pulls the image from GHCR + starts the container
6. Tells you when http://localhost:3000 is ready

If you don't want to pipe a script to bash, do it yourself:

mkdir scarif-one && cd scarif-one

curl -fsSL https://raw.githubusercontent.com/Scarif-One/scarif-one/main/docker-compose.yml -o docker-compose.yml
curl -fsSL https://raw.githubusercontent.com/Scarif-One/scarif-one/main/.env.example -o .env.local

# Edit .env.local — at minimum set GEMINI_API_KEY
nano .env.local

docker compose up -d

1. Open http://localhost:3000 in your browser
2. You'll land on /installautomatically — that's the pre-setup licence gate. (Or hit the 14-day-trial path below if you're evaluating.)
3. Triple-click the SCARIF-...licence code in your purchase email, paste into the textarea. The form auto-detects the format with a green “SCARIF code detected” badge.
4. Click Install licence. Signature is verified locally against the embedded Ed25519 public key — no phone-home. ~1 second.
5. Auto-redirected to /setup.

The licence file lands at /data/licence.json, mode 0600, so a backup of /data includes the licence. If you prefer the raw JSON path: drag the .jsonattachment onto the form, or expand the “Prefer the raw JSON?” disclosure in your purchase email.

After installing the licence, the 6-step wizard runs:

1. AI key — paste a Gemini / OpenAI / Anthropic key. Free tier at aistudio.google.com/apikey covers most starter usage. BYOK: you pay the vendor directly, no Scarif markup.
2. Business basics — workspace slug, business name, website
3. Brand voice — AI scans your site + drafts a voice doc (~30s)
4. Locale — currency, free-shipping threshold, hashtags, landmarks
5. Integrations — Shopify, Meta, Klaviyo, Mailchimp, Judge.me (optional)
6. Activate — set your admin username + password. Your password manager should offer to save the credentials when you hit Activate.

Total time: ~5-10 minutes. At the end you see a recovery codescreen (format SCARIF-RECOVER-...) — save it. That code is your self-service password reset if you ever forget your dashboard password. Successful acknowledgement → confetti + you land on the dashboard, logged in.

Three recovery paths, from easiest to operator-of-last-resort:

1. Paste the recovery code at /operator/reset. This is the code you saved at the end of setup. Single-use.
2. Mint a CLI-issued token if you lost the recovery code too. Shell into the container and run:

   docker compose exec scarif-one node /app/scripts/operator-reset.mjs --list
   docker compose exec scarif-one node /app/scripts/operator-reset.mjs \
     --tenant <slug> --username <name>

   The script prints a 64-char hex token + a 30-minute expiry. Paste that at /operator/reset instead of the recovery code.
3. Last resort: delete /data/tenants/<slug>/auth.jsonand re-run setup. You keep the licence, brand profile, integrations, AI key. Only the operator credentials reset.

If you don't install a licence within the 14-day trial window, the install enters read-only mode:

• The dashboard, settings, and existing data stay fully accessible
• Mutating API calls return HTTP 402 Payment Required with a JSON pointer to /sovereignty
• Generation, publishing, and integrations all stop working until a licence is installed
• /install still works — paste your licence any time to unlock

Install a licence at any point — even months later — and the engine unlocks immediately without restarting the container. The trial state isn't reset by an install (it can't be re-triggered once consumed).

Optional. Adds a Watchtower container that polls GHCR every 24h:

cd ~/scarif-one
docker compose --profile auto-update up -d

To pin a specific version (skip auto-updates):

SCARIF_VERSION=v0.2.0 docker compose up -d

The simplest path: Cloudflare Tunnel.

1. Sign up at cloudflare.com + add your domain
2. Cloudflare Zero Trust → Networks → Tunnels → Create tunnel
3. Run the cloudflared install command Cloudflare gives you
4. Map your subdomain to localhost:3000
5. Done — your dashboard is accessible at e.g. scarif.yourdomain.com

Cloudflare handles the SSL + DDoS protection automatically. Free.

Set SCARIF_BACKUP_DIR in .env.local to enable nightly tarball backups at 04:00:

SCARIF_BACKUP_DIR=/path/to/backups

Manual backup any time: POST /api/admin/backup-now with SCARIF_SUPERADMIN_TOKEN.

S3-compatible (R2, B2, AWS) backup support is on the v1.5 roadmap — for now, sync your SCARIF_BACKUP_DIR to S3 with rclone or similar.

cd ~/scarif-one
docker compose pull
docker compose up -d

Your tenant data persists across updates (it's in ./data).

Check the container logs:

cd ~/scarif-one && docker compose logs -f

Or email [email protected] with the output.