Hybrid
Run the M3 Forge control plane in a Marie AI-managed environment while running the Marie AI data plane inside your own cloud or Kubernetes cluster.
This is the model for customers who need private execution, data-plane control, or stricter network boundaries without giving up the central control-plane UI.
What Hybrid means
| Layer | Where it runs | Who operates it |
|---|---|---|
| M3 Forge control plane | Marie AI cloud | Marie AI |
| Marie AI data plane | Your cluster | You |
| Runtime workloads | Your cluster | You |
| Deployment intent and orchestration UI | M3 Forge | Marie AI |
Architecture
Why choose Hybrid
- regulated environments where runtime traffic must stay in your cloud
- customers who need private network attachment to internal systems
- staged adoption where a SaaS control plane is acceptable but runtime must remain customer-operated
- organizations that want centralized deployment UX without a fully hosted runtime
Prerequisites
The target Hybrid model assumes:
- a Kubernetes cluster for the customer-run data plane
- ingress or Gateway API for workload exposure
- egress from the data plane to the M3 Forge control plane
- customer-managed secrets, storage, and runtime dependencies
LangSmith’s hybrid setup guide makes the same high-level split and calls out the importance of Kubernetes, ingress or Gateway API, and a listener/operator process that reconciles deployment state from the managed control plane. Source:
Planned workflow
1. Provision the customer data-plane cluster. Prepare namespaces, ingress or Gateway API, object storage, Postgres, and cluster autoscaling according to your provider baseline.
2. Register the data plane with M3 Forge. Create a listener identity and bind it to one or more namespaces or deployment targets.
3. Install the listener/operator package. Deploy the Hybrid attachment components that poll or subscribe to desired state from the control plane and reconcile local workloads.
4. Deploy runtime workloads through M3 Forge. Users create and manage deployments in the M3 Forge UI, while the customer data plane executes them locally.
Current status
The Hybrid listener/operator package is not shipped yet. The architecture and docs are being written now so the contract is explicit before implementation. Today, the available Kubernetes artifact is the standalone m3forge control-plane chart.
Design constraints we are enforcing
- control plane and data plane must be independently deployable
- listener/operator auth and secret delivery must be explicit
- eventual consistency and failure behavior must be documented
- existing workloads should keep running if control-plane connectivity is lost
- Gateway API support should be designed in early for multi-namespace and multi-plane routing
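
The reconcile behavior described in the planned workflow and the constraints above, sketched as an added example; it is not Marie AI code, and the listener package itself is not shipped. `Listener`, `reconcile`, `fetch`, the generation counter, and the namespace names are all hypothetical, chosen to show three checks: hold state when the control plane is unreachable, ignore replayed older state, and refuse desired state outside the namespaces the listener identity is bound to.

```python
from dataclasses import dataclass, field

class ControlPlaneUnavailable(Exception):
    """Raised by fetch() when the control plane cannot be reached."""

@dataclass
class Listener:
    bound_namespaces: frozenset                  # namespaces this listener identity may touch
    running: dict = field(default_factory=dict)  # (namespace, name) -> applied revision
    last_generation: int = -1                    # newest desired-state generation applied

    def reconcile(self, fetch):
        """Run one pass; return the (action, detail) decisions taken."""
        try:
            generation, desired = fetch()
        except ControlPlaneUnavailable:
            # Fail static: losing the control plane must not stop local workloads.
            return [("hold", key) for key in sorted(self.running)]
        if generation < self.last_generation:
            # Out-of-order or replayed state: never roll back to an older intent.
            return [("stale", generation)]
        actions, wanted = [], {}
        for (ns, name), rev in sorted(desired.items()):
            if ns in self.bound_namespaces:
                wanted[(ns, name)] = rev
            else:
                # Desired state outside the registered binding is refused, not applied.
                actions.append(("reject", (ns, name)))
        actions += [("apply", k) for k in sorted(wanted) if self.running.get(k) != wanted[k]]
        # Deletion happens only when a reachable control plane omits the workload.
        actions += [("delete", k) for k in sorted(self.running.keys() - wanted.keys())]
        self.running, self.last_generation = wanted, generation
        return actions

def demo():
    """Constructed sequence: first sync, outage, replayed state, then removal."""
    def outage():
        raise ControlPlaneUnavailable()
    lst = Listener(bound_namespaces=frozenset({"team-a"}))
    steps = [
        lambda: (1, {("team-a", "ocr"): "r1", ("kube-system", "agent"): "r1"}),
        outage,
        lambda: (0, {}),
        lambda: (2, {}),
    ]
    return [lst.reconcile(step) for step in steps]

if __name__ == "__main__":
    for decisions in demo():
        print(decisions)
```

In a real deployment the namespace binding would also be enforced by the cluster's own RBAC on the listener's service account, so the in-process check is a second layer rather than the only one.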