Editors chat with an agent that holds the full site model in context. The admin panel is the fallback, not the primary surface. Bring your own cloud account — Caelo provisions it in under twenty minutes.
The agent is the primary user of the admin. Every API is designed for it. The panel UI exists for Owner-only tasks the agent can't safely perform.
Editors describe changes in chat. The agent rewrites HTML, edits modules, sets SEO, restructures templates. The panel is a fallback — most editing sessions never open it.
*.create_many, update_many, and composite tools like compose_page_from_spec collapse N+1 round-trips into a single call. The agent gets through more work per turn.
The system prompt ships layouts, templates, pages, locales, and users inline. The agent plans without burning tool calls on list_*. Stale context is cheaper than wasted turns.
Claude-style skills are the official path to teach the agent new behaviour. Auto-engaged per call by trigger keyword; user-overridable per chat. No hardcoded prompt scaffolding — skills compose.
Every entity in the panel has chips that append to the current chat instead of forking a new one. Context accumulates in one place; the agent stays oriented.
Every write emits a snapshot. Undo is scoped to the chat that produced the change — the primary history surface for editors, no diff-archaeology required.
Anthropic, OpenAI, and Gemini behind one interface. The brand never surfaces in the editor. Swap providers per environment; the agent's behaviour stays stable.
Every chat is its own write-branch. Stage merges; production publish gates per-kind. Two editors can work in parallel without stepping on each other's drafts.
Twelve permission scopes. Two isolated Postgres roles. Plugin tiers with a hard sandbox boundary. Hard-to-revert ops are gated on human confirmation, not AI judgement.
Roles compose from twelve named scopes — no monolithic admin flag.
Authoring data and visitor data live on separate Postgres roles. RLS is FORCEd — even owners go through policy.
Two execution surfaces with different trust boundaries.
--no-read --no-write --no-net. Owner click-to-activate. Rendered into Shadow DOM Web Components so plugin CSS can't leak.Auth and deploy logic are excluded from AI regeneration. Hard-to-revert ops require an explicit human click.
Same architectural shape across providers — Cloud Run-style container + managed Postgres + object storage + CDN + WAF + IAP. Bring your own cloud account; Caelo provisions in-place.
Cloud Run · Cloud SQL · Cloud Storage · Cloud CDN · Load Balancer · Cloud Armor
LB-IAP gates the admin endpoint. Full WAF + DDoS protection. Production-grade default.
Cloud Run · Cloud SQL · Firebase Hosting (no LB)
Native clean URLs, preview channels per chat branch, atomic rollback. IAP-on-Cloud-Run gates the admin. Cheapest path to production.
Docker Compose · Postgres · Caddy · admin · gateway
One Linux box. Auto-Let's-Encrypt via Caddy. Same provisioning wizard, same lifecycle commands.
Lambda or Fargate · RDS · S3 · CloudFront · ALB · AWS WAF · Cognito
Cognito gates the admin. Same provisioning shape — single command, idempotent reruns.
Container Apps · Azure DB for Postgres · Blob · Front Door · WAF
Easy Auth via Entra ID gates the admin. Targeting v1.1.
The provisioning wizard auto-detects cloud auth, prompts for domain + owner email, shows a cost estimate, and provisions end-to-end on your own cloud account in under twenty minutes. Idempotent re-runs.
$ bunx @caelo-cms/provisioning
✓ Detected gcloud auth (project: acme-prod, account: ops@acme.io)
✓ Caelo v0.9.4 · provider preset: gcp-firebase
? Domain › acme.dev
? Owner email › ops@acme.io
? AI provider › anthropic
? Region › europe-west1
Cost estimate (monthly, idle):
Cloud Run (min-instances=0) $0.00
Cloud SQL (db-f1-micro) $9.20
Firebase Hosting + egress $0.50
Cloud Storage (media, 5 GB) $0.13
Secret Manager + logging $3.00
─────────────────────────────────────
Total floor ~$12.83 / mo
? Proceed? [y/N] › y
→ Enabling 11 APIs........................ 47s
→ Provisioning Cloud SQL.................. 4m 12s
→ Creating service accounts & IAM......... 18s
→ Building admin + gateway images......... 3m 41s
→ Deploying Cloud Run services............ 1m 06s
→ Configuring Firebase Hosting............ 22s
→ Seeding owner + writing site_defaults... 4s
→ Running smoke tests..................... ok
✓ Deployed in 14m 38s
Admin https://admin.acme.dev
Public https://acme.dev
Owner login emailed to ops@acme.io
$ _caelo statuscaelo upgradecaelo backupcaelo restorecaelo rotate-secretcaelo destroy