FAQ

Is this production-ready?

MVP scope is production-ready in a single-tenant self-host configuration. The WebSocket gateway and REST API are tested end-to-end, messages and presence fan out across multiple server instances via Redis, and the Docker image is distroless + non-root. That said, we're pre-1.0 — breaking changes can land in minor versions until v1.0.

Can I run Cariosan without Docker?

Yes. The server is a single Go binary (~17 MB). You need Postgres 15+, Redis 7+, and an S3-compatible store (MinIO, Wasabi, Backblaze, AWS S3) reachable via env vars. See environment variables.

How does pricing work?

The self-hosted distribution is free under the Cariosan License v1.0 — install the Docker image on infrastructure you control, integrate the SDKs, and ship. No payment, no per-user limits, no telemetry. The license forbids redistributing the binary or operating Cariosan as a competing managed service; otherwise commercial use is fine.

A managed offering is live at dashboard.cariosan.com — sign up and you get a free sandbox workspace with rate limits (Cloud onboarding); paid tiers for production-scale workloads will follow. The self-host distribution stays free regardless.

Is the source code public?

No. Cariosan is closed-source. The Docker image, npm packages, and documentation are public; the underlying source code stays in a private repository. This is a deliberate design choice — Cariosan is free to use but not open source.

Does it support threads / reactions / read receipts per message?

Reactions, quoted replies, and read & delivery receipts — yes. Reactions are one-per-user-per-message (WhatsApp-style, replace-on-change). Receipts are cursor-based under the hood (one last_delivered_at + last_read_at per member), which still renders per-message ✓ / ✓✓ / blue-✓✓ ticks in the SDKs; a workspace privacy toggle can disable read receipts. See messages.

Proper threads — a separate threaded-conversation pane à la Slack — remain out of scope.

Can I use it for voice or video?

No. Cariosan is text-plus-images. For voice/video, Stream's Video SDK or Livekit are better fits.

How does horizontal scaling work?

The server is stateless. Run N instances behind any load balancer — no sticky sessions needed. Pub/sub fanout across instances happens via Redis channels (channel:<uuid> for messages, user:<uuid> for presence). One test in the suite explicitly exercises the cross-instance path.

How big is the React bundle?

Measured against the current dist/ build (re-verify with pnpm build && gzip -c dist/index.js | wc -c if you want fresh numbers):

• @cariosan/client: 3.0 KB gzipped (8.6 KB raw)
• @cariosan/react: 2.6 KB gzipped (6.8 KB raw) on top of that, plus a 1.2 KB gzipped CSS file (4.2 KB raw) for the default chat theme

React + React DOM are peer deps so they don't count toward the SDK weight. Together with React 18 (~45 KB gzipped), a complete React + Cariosan client + UI bundle lands around 51 KB gzipped — well under our 200 KB bundle budget.

What about end-to-end encryption?

Not in MVP. The server sees plaintext. If you need E2EE, you probably want a purpose-built protocol like Matrix or Signal rather than Cariosan.

Does it work with my existing auth?

Yes. Cariosan never authenticates end users — you already do that. Upsert users from your backend after sign-in, mint per-user JWTs when the browser needs to connect, and pass the JWT to new Cariosan({ token }).

Is the data model multi-region?

Not out of the box. Postgres primary + read replicas work; cross-region write consistency requires something like CockroachDB or Spanner, which we don't officially support yet.

What's the upgrade story?

Semver-tagged Docker images. docker compose pull && docker compose up -d applies migrations on boot. Rollbacks work because MVP migrations are additive only. See operations.

How do I report a security issue?

Email security@cariosan.com — it reaches the maintainer directly and keeps the report private until a fix ships. Please don't post anything exploitable in public channels.

Why is it called Cariosan?

Cariosan is Sundanese (lemes / refined register) for "the storytelling" or "the conversation" — formed from carios (the formal Sundanese word for "story", cognate to Indonesian cerita) plus the -an noun suffix. The maintainer is Sundanese, and the brand reflects that heritage.

Pronunciation: cha-ri-YO-san (Sundanese c is pronounced like English "chair").

The project is Indonesia-first in positioning; the code is English-only.