Deploy guide

Self-host ERPHive on your own Cloudflare account

Deploy ERPHive's runtime to your Cloudflare account in under an hour. wrangler.toml, D1, R2, secrets, and verification — without a phone-home dependency on Meru.

Last updated 2026-05-05 · ERPHive docs

ERPHive runs on Cloudflare primitives — Workers, Workflows, D1, R2, KV, Queues, Cron Triggers. Self-host means you point a Worker at your own Cloudflare account, your own AI provider keys, your own vault. The runtime is BSL 1.1 source-available; the AI build agent + control-plane bits are proprietary and ship under a perpetual licence with paid support.

Prerequisites

  • A Cloudflare account on the Workers Paid plan ($5/mo). Workflows requires it.
  • A domain or Workers subdomain you control.
  • An Anthropic API key (or DeepSeek / OpenAI for the fallback chain).
  • Your secret store of choice — env vars, HashiCorp Vault, AWS Secrets Manager, or OCI Vault.
  • Node 20+, pnpm, wrangler 4.x.

Quick start (60 minutes)

1. Clone the runtime

git clone https://github.com/meruada/erphive
cd erphive
pnpm install

2. Provision Cloudflare resources

# D1 control-plane database
wrangler d1 create erphive_control

# R2 buckets (per-step payloads + flow archives)
wrangler r2 bucket create erphive-payloads
wrangler r2 bucket create erphive-flow-archives

# KV namespace (connection metadata + env config cache)
wrangler kv namespace create META

# Queue (async fan-out)
wrangler queues create erphive-flow-events
wrangler queues create erphive-flow-events-dlq

Update wrangler.toml with the IDs the CLI prints. Every reference goes through env bindings — nothing is hardcoded to MeruTech accounts.

3. Set secrets

# Required: at least one AI provider
wrangler secret put ANTHROPIC_API_KEY

# Recommended: backup providers (AnthropicModel + FallbackModel rotate
# automatically on credit/auth/rate-limit failures)
wrangler secret put ANTHROPIC_API_KEY_ALT
wrangler secret put DEEPSEEK_API_KEY

# Required: admin bearer for /v1/admin/* and dashboard proxy
wrangler secret put ADMIN_BEARER

# Optional: Resend for email alerts (dispatcher channel="email")
wrangler secret put RESEND_API_KEY

# Optional: public RAG access (use ours or point at your own)
wrangler secret put RAG_API_KEY

4. Configure your vault

The runtime resolves customer Oracle credentials via a Vault interface. Pick the implementation that fits your security policy:

# wrangler.toml — pick ONE implementation:
[vars]
VAULT_IMPL = "env"          # creds in worker secrets (smallest blast radius)
# VAULT_IMPL = "hashicorp"  # POST to your Vault server
# VAULT_IMPL = "aws-secrets"  # AWS Secrets Manager
# VAULT_IMPL = "oci-vault"  # OCI Vault (Oracle's own)

5. Configure CORS for your dashboard origin

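# wrangler.toml (add these keys to the same [vars] table as VAULT_IMPL;
# TOML rejects a file that declares [vars] twice)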
[vars]
ALLOWED_ORIGINS = "https://erphive.acme-internal.com,https://app.acme-internal.com"
DEPLOYMENT_TIER = "self-host"

Setting DEPLOYMENT_TIER = "self-host" is what disables the Meru CRM lead-capture route, downgrades any internal-RAG references to public-only, and tells the health endpoint to omit Meru-managed fields.
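A pre-deploy lint for the [vars] values from steps 4 and 5, as an added example that is not part of the ERPHive code base. The names lintVars and lintOrigin are hypothetical, and the check assumes the runtime compares the browser's Origin header to each ALLOWED_ORIGINS entry as an exact string.

```javascript
// Assumption (not from the page): the runtime compares the Origin header to
// each ALLOWED_ORIGINS entry as an exact string.
const VAULT_IMPLS = ["env", "hashicorp", "aws-secrets", "oci-vault"];

function lintVars(vars) {
  const findings = [];
  if (!VAULT_IMPLS.includes(vars.VAULT_IMPL)) {
    findings.push(`VAULT_IMPL: unknown implementation "${vars.VAULT_IMPL}"`);
  }
  if (vars.DEPLOYMENT_TIER !== "self-host") {
    findings.push('DEPLOYMENT_TIER: expected "self-host"');
  }
  const entries = String(vars.ALLOWED_ORIGINS ?? "").split(",").map((s) => s.trim());
  for (const entry of entries) {
    if (entry === "") {
      findings.push("ALLOWED_ORIGINS: empty entry (unset value or stray comma)");
    } else if (entry.includes("*") || entry === "null") {
      findings.push(`ALLOWED_ORIGINS: "${entry}" is a wildcard or null origin`);
    } else {
      findings.push(...lintOrigin(entry));
    }
  }
  return findings;
}

function lintOrigin(entry) {
  let url;
  try {
    url = new URL(entry);
  } catch {
    return [`ALLOWED_ORIGINS: "${entry}" is not a URL`];
  }
  if (url.protocol !== "https:") {
    return [`ALLOWED_ORIGINS: "${entry}" is not https`];
  }
  // Browsers send a lowercase scheme://host[:port] with no path or slash.
  if (url.origin !== entry) {
    return [`ALLOWED_ORIGINS: "${entry}" is not a bare origin (expected ${url.origin})`];
  }
  return [];
}

// Values copied from the wrangler.toml snippets in steps 4 and 5.
const pageVars = {
  VAULT_IMPL: "env",
  ALLOWED_ORIGINS: "https://erphive.acme-internal.com,https://app.acme-internal.com",
  DEPLOYMENT_TIER: "self-host",
};
console.log(lintVars(pageVars)); // []
```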

6. Apply the schema

pnpm db:migrate:remote
# Applies migrations 0001 → 0004 (or whatever the current head is)
# to your D1.

7. Set R2 lifecycle

bash scripts/r2-lifecycle.sh
# Idempotent. Sets:
#   payloads/        → 30-day expiry (default trace retention)
#   payloads-long/   → 365-day expiry (flows that opt into long retention)
#   *                → 7-day cleanup of incomplete multipart uploads

8. Deploy

pnpm deploy
# Confirm bindings + secrets are present in the wrangler output.

9. Verify the boot

curl https://erphive.your-org.workers.dev/health | jq

# Expected — the json reports which providers are configured, which
# bindings are wired, which RAG endpoint is in use, etc.
# {
#   "status": "ok",
#   "tier": "self-host",
#   "config": {
#     "vault_impl": "env",
#     "ai_providers": ["anthropic", "deepseek"],
#     "rag_url": "https://rag.bipagent.com",
#     "telemetry_enabled": false,
#     ...
#   },
#   "bindings": { "db": true, "payloads": true, ... }
# }
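To turn the visual check in step 9 into a pass/fail gate, the added example below (not ERPHive's own code) compares a parsed /health body with what you intended to deploy. The sample body is constructed from the expected output above, and auditHealth and the intended object are hypothetical names.

```javascript
// Constructed sample modelled on the expected /health body in step 9;
// the fields the page elides ("...") are left out.
const sampleHealth = {
  status: "ok",
  tier: "self-host",
  config: {
    vault_impl: "env",
    ai_providers: ["anthropic", "deepseek"],
    rag_url: "https://rag.bipagent.com",
    telemetry_enabled: false,
  },
  bindings: { db: true, payloads: true },
};

// `intended` is hypothetical: what you meant to deploy, written by hand.
const intended = {
  vaultImpl: "env",
  aiProviders: ["anthropic", "deepseek"],
  ragHost: "rag.bipagent.com",
  bindings: ["db", "payloads"],
};

function auditHealth(health, want) {
  const problems = [];
  const cfg = health.config ?? {};
  const bindings = health.bindings ?? {};
  if (health.status !== "ok") problems.push(`status: ${health.status}`);
  if (health.tier !== "self-host") problems.push(`tier: ${health.tier}`);
  if (cfg.telemetry_enabled !== false) problems.push("telemetry is not disabled");
  if (cfg.vault_impl !== want.vaultImpl) problems.push(`vault_impl: ${cfg.vault_impl}`);
  for (const p of want.aiProviders) {
    if (!(cfg.ai_providers ?? []).includes(p)) problems.push(`provider missing: ${p}`);
  }
  // Compare hosts, not raw strings, so a trailing slash is not a false alarm.
  let ragHost = null;
  try { ragHost = new URL(cfg.rag_url).host; } catch { /* missing or malformed */ }
  if (ragHost !== want.ragHost) problems.push(`rag_url host: ${ragHost}`);
  for (const name of want.bindings) {
    if (bindings[name] !== true) problems.push(`binding not wired: ${name}`);
  }
  return problems;
}

console.log(auditHealth(sampleHealth, intended)); // []
```

Feed it the JSON returned by the curl call in step 9 and fail the deploy job when the returned list is not empty.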

Upgrades

Releases are pinned tags. Pull the next tag, review the migration delta in src/db/migrations/, run pnpm db:migrate:remote, then pnpm deploy. We support each release tag for 12 months; CVE-class issues are backported.

Optional: deploy the dashboard

The runtime is the load-bearing component. The Next.js dashboard at app/ is a thin client that talks to /v1/* via a proxy route — convenient but not required. Some self-host customers skip it and drive the API from their own internal portal.

cd app
pnpm install
pnpm cf:build
pnpm cf:deploy

Support

  • Self-host customers get a private Slack channel with the engineering team for upgrade questions.
  • Bug reports are filed via the private GitHub issue tracker on your team's repo fork.
  • Security disclosures: security@merutech.com, PGP key on the security page.
  • SLA: P0 same-day, P1 next-business-day, P2/P3 weekly cadence.

Want self-host on a hardened-by-default config?

The Cloudflare-native architecture makes self-host uniquely cheap — wrangler deploy + wrangler d1 migrations apply, and you're on your own infra. Talk to us about contract, support, and onboarding.