Skip to content
EXTENDED DOCUMENTATION

Deployment

Canonical Production Topology

Morpheus now deploys by responsibility, not by network.

LayerServiceCurrent role
EdgeCloudflare gatewaypublic ingress, caching, optional abuse controls
ControlCloudflare control planeauth, validation, job persistence, queue/workflow dispatch
AppVercel
text
apps/web
docs, explorer, backend APIs used by control plane
StateSupabasejobs, relayer state, automation, feed snapshots, encrypted refs
Confidential executionOracle CVMrequest/response oracle, compute, NeoDID, confidential signing
Confidential executionDataFeed CVMisolated feed publication lane

Source Of Truth

  • text
    config/networks/mainnet.json
  • text
    config/networks/testnet.json
  • text
    docs/ENVIRONMENT.md
  • text
    deploy/nitro/README.md

Recommended operator rules:

  • keep one root secret set in
    text
    .env
  • render dedicated Phala env files per network
  • keep
    text
    MORPHEUS_ACTIVE_CHAINS=neo_n3
    for production
  • never treat separate CVMs as separate networks; networks are selected by path and config

Step 1: Apply Supabase

Apply migrations in order:

  1. text
    supabase/migrations/0001_morpheus_schema.sql
  2. text
    supabase/migrations/0002_morpheus_policies_and_seeds.sql
  3. text
    supabase/migrations/0003_provider_configs.sql
  4. text
    supabase/migrations/0004_relayer_ops.sql
  5. text
    supabase/migrations/0005_operation_logs.sql
  6. text
    supabase/migrations/0006_automation.sql
  7. text
    supabase/migrations/0007_system_backups.sql
  8. text
    supabase/migrations/0008_network_isolation.sql
  9. text
    supabase/migrations/0009_relayer_durable_queue_indexes.sql
  10. text
    supabase/migrations/0010_control_plane_jobs.sql
  11. text
    supabase/migrations/0011_workflow_runtime.sql
  12. text
    supabase/migrations/0012_policy_and_risk_controls.sql

Optional:

  • text
    supabase/seed.sql

Key durable tables:

  • text
    morpheus_requests
  • text
    morpheus_feed_snapshots
  • text
    morpheus_relayer_jobs
  • text
    morpheus_automation_jobs
  • text
    morpheus_automation_runs
  • text
    morpheus_control_plane_jobs
  • text
    morpheus_operation_logs

Step 2: Deploy The Web App

Deploy

text
apps/web
to Vercel.

Required environment:

  • text
    NEXT_PUBLIC_MORPHEUS_NETWORK
  • text
    MORPHEUS_RUNTIME_URL
    or network-scoped runtime URLs
  • text
    MORPHEUS_RUNTIME_TOKEN
    or
    text
    PHALA_API_TOKEN
    /
    text
    PHALA_SHARED_SECRET
  • text
    MORPHEUS_CRON_SECRET
    for operator-triggered feed sync probes
  • text
    NEXT_PUBLIC_SUPABASE_URL
  • text
    NEXT_PUBLIC_SUPABASE_ANON_KEY
  • text
    SUPABASE_SECRET_KEY
  • text
    TWELVEDATA_API_KEY

Recommended production environment:

  • text
    MORPHEUS_CONTROL_PLANE_URL
  • text
    MORPHEUS_CONTROL_PLANE_API_KEY
  • text
    MORPHEUS_PROVIDER_CONFIG_API_KEY
  • text
    MORPHEUS_RELAYER_ADMIN_API_KEY
  • text
    MORPHEUS_SIGNING_ADMIN_API_KEY
  • text
    MORPHEUS_RELAY_ADMIN_API_KEY
  • text
    MORPHEUS_OPERATOR_API_KEY
  • text
    MORPHEUS_BETTERSTACK_CRON_FEED_HEARTBEAT_URL
  • text
    MORPHEUS_BETTERSTACK_CRON_FEED_FAILURE_URL
  • text
    MORPHEUS_BETTERSTACK_CRON_HEALTH_HEARTBEAT_URL
  • text
    NEXT_PUBLIC_WEB3AUTH_CLIENT_ID
  • text
    WEB3AUTH_CLIENT_SECRET
  • text
    NEXT_PUBLIC_WEB3AUTH_NETWORK

After pulling or configuring Vercel production env, run:

bash
npm run check:web-cron-env -- --fail-on-missing
npm run check:betterstack

The first command validates only key presence and never prints secret values. If

text
morpheus-cron-feed
or
text
morpheus-cron-health
is still
text
pending
, the web cron environment is not deployed or Vercel Cron is not triggering the routes. Root
text
.env
/
text
.env.local
values are intentionally ignored by this check because the Vercel
text
apps/web
deployment does not inherit them automatically.

Do not set Vercel's special

text
CRON_SECRET
on the production web deployment when Secure Compute is enabled. Vercel Cron requests are accepted by the
text
vercel-cron/1.0
user agent guarantee, while manual operator probes use
text
MORPHEUS_CRON_SECRET
through the
text
X-Morpheus-Cron
header. If the control-plane feed endpoint rejects web dispatch credentials with 401/403, the cron route falls back to direct runtime feed sync by default; set
text
MORPHEUS_CONTROL_PLANE_FEED_FALLBACK_ON_AUTH=0
only after the control-plane key mapping is confirmed.

Step 3: Deploy Cloudflare Edge

Deploy

text
deploy/cloudflare/morpheus-edge-gateway
.

Required bindings:

  • text
    MORPHEUS_ORIGIN_URL
  • text
    MORPHEUS_MAINNET_ORIGIN_URL
  • text
    MORPHEUS_TESTNET_ORIGIN_URL
  • text
    MORPHEUS_ORIGIN_TOKEN

Optional:

  • text
    UPSTASH_REDIS_REST_URL
  • text
    UPSTASH_REDIS_REST_TOKEN
  • text
    TURNSTILE_SECRET_KEY
  • text
    MORPHEUS_RATE_LIMITER

Current public pattern:

  • text
    https://edge.meshmini.app/mainnet/*
  • text
    https://edge.meshmini.app/testnet/*
  • text
    https://oracle.meshmini.app/mainnet/api/runtime/catalog
  • text
    https://oracle.meshmini.app/mainnet/api/runtime/status
  • text
    https://oracle.meshmini.app/testnet/api/runtime/catalog
  • text
    https://oracle.meshmini.app/testnet/api/runtime/status

Step 4: Deploy Cloudflare Control Plane

Deploy

text
deploy/cloudflare/morpheus-control-plane
.

Required bindings:

  • text
    MORPHEUS_ORACLE_REQUEST_QUEUE
  • text
    MORPHEUS_FEED_TICK_QUEUE
  • text
    CALLBACK_BROADCAST_WORKFLOW
  • text
    AUTOMATION_EXECUTE_WORKFLOW

Required secrets:

  • text
    SUPABASE_URL
  • text
    SUPABASE_SECRET_KEY
    or
    text
    SUPABASE_SERVICE_ROLE_KEY

Recommended:

  • text
    MORPHEUS_CONTROL_PLANE_API_KEY
  • text
    UPSTASH_REDIS_REST_URL
  • text
    UPSTASH_REDIS_REST_TOKEN
  • text
    MORPHEUS_MAINNET_EXECUTION_BASE_URL
  • text
    MORPHEUS_TESTNET_EXECUTION_BASE_URL
  • text
    MORPHEUS_MAINNET_FEED_EXECUTION_BASE_URL
  • text
    MORPHEUS_TESTNET_FEED_EXECUTION_BASE_URL
  • text
    MORPHEUS_EXECUTION_TOKEN
  • text
    MORPHEUS_APP_BACKEND_URL
  • text
    MORPHEUS_APP_BACKEND_TOKEN

Current public pattern:

  • text
    https://control.meshmini.app/mainnet/*
  • text
    https://control.meshmini.app/testnet/*

Step 5: Render Phala Runtime Envs

Generate fresh env files before each deployment:

bash
npm run render:nitro-compose-env:mainnet
npm run render:nitro-compose-env:testnet
npm run render:nitro-hub-env
npm run check:signers
npm run check:nitro-env

Notes:

  • text
    npm run render:nitro-compose-env
    aliases mainnet generation
  • signer drift should fail deployment review
  • generated env files stay local and uncommitted

Step 6: Deploy The CVMs

Oracle CVM

  • name:
    text
    oracle-morpheus-neo-r3e
  • app id:
    text
    ddff154546fe22d15b65667156dd4b7c611e6093
  • role: request/response, compute, NeoDID, confidential signing
  • baseline size:
    text
    Large TDX

DataFeed CVM

  • name:
    text
    datafeed-morpheus-neo-r3e
  • app id:
    text
    ac5b6886a2832df36e479294206611652400178f
  • role: feed publication only
  • baseline size:
    text
    Small TDX

Tracked launchers:

  • text
    nitro.request-hub.toml
  • text
    nitro.feed-hub.toml

Deployment files:

  • text
    deploy/nitro/docker-compose.request-hub.yml
  • text
    deploy/nitro/docker-compose.feed-hub.yml
  • text
    workers/phala-worker/Dockerfile
  • text
    workers/morpheus-relayer/Dockerfile

Step 7: Configure The Relayer Modes

The relayer is split by role:

  • Oracle CVM:
    text
    MORPHEUS_RELAYER_MODE=requests_only
  • DataFeed CVM:
    text
    MORPHEUS_RELAYER_MODE=feed_only

Important relayer durability settings:

  • text
    MORPHEUS_DURABLE_QUEUE_ENABLED=true
  • text
    MORPHEUS_DURABLE_QUEUE_FAIL_CLOSED=true
  • text
    MORPHEUS_RELAYER_INSTANCE_ID
  • text
    MORPHEUS_RELAYER_NEO_N3_SCAN_MODE=request_cursor
    on testnet

Step 8: Publish Keys And Verify

After the runtime is live:

bash
npm run publish:oracle-key
npm run publish:oracle-verifier-key
npm run smoke:control-plane
npm run smoke:n3
MORPHEUS_NETWORK=testnet npm run verify:n3

If you are deploying a new updater path:

bash
npm run set:updater:n3

Current Service Anchors

  • Oracle runtime:
    • text
      https://oracle.meshmini.app/mainnet
    • text
      https://oracle.meshmini.app/testnet
    • public runtime contract:
      text
      /api/runtime/catalog
      ,
      text
      /api/runtime/status
  • Edge gateway:
    • text
      https://edge.meshmini.app/mainnet
    • text
      https://edge.meshmini.app/testnet
  • Control plane:
    • text
      https://control.meshmini.app/mainnet
    • text
      https://control.meshmini.app/testnet
  • Oracle attestation explorer:
    • text
      https://cloud.phala.com/explorer/app_ddff154546fe22d15b65667156dd4b7c611e6093
  • DataFeed attestation explorer:
    • text
      https://cloud.phala.com/explorer/app_ac5b6886a2832df36e479294206611652400178f
  • Neo N3 service anchors:
    • text
      oracle.morpheus.neo
    • text
      pricefeed.morpheus.neo
    • text
      neodid.morpheus.neo
    • text
      smartwallet.neo
  • NeoDID anchor contract:
    • text
      NeoDIDRegistry
    • published in
      text
      config/networks/mainnet.json

Operational Notes

  • DataFeed is isolated so price updates keep their own execution lane.
  • Mainnet and testnet share the same Oracle and DataFeed CVMs.
  • Network separation happens in config and request metadata, not in VM topology.
  • Neo N3 remains the only supported production chain.
CURRENT DESIGNUPDATED FOR DUAL-CVM ARCHITECTURE
Morpheus Oracle