@caelo-cms/provisioning 0.1.0

package/src/compose.ts

@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * P14 — production docker-compose.yml generator.
+ *
+ * Emits the production stack: Postgres + pgBackRest sidecar + Caddy +
+ * MinIO + four Caelo services (admin, gateway, orchestrator, runner).
+ * Idempotent: same input → byte-identical output. The CLI's `up`
+ * sub-command writes this to `<repo>/.caelo/docker-compose.yml` and
+ * runs `docker compose up -d`.
+ */
+
+export interface ComposeSpec {
+  readonly domain: string;
+  readonly postgresPassword: string; // generated by cms-provision; persisted in .caelo/secrets
+  readonly minioRootUser: string;
+  readonly minioRootPassword: string;
+  readonly anthropicApiKey?: string;
+  readonly resendApiKey?: string;
+  readonly diskSize: string;
+}
+
+export function generateDockerCompose(spec: ComposeSpec): string {
+  const env = (k: string, v: string | undefined): string => (v ? `      ${k}: "${escape(v)}"` : "");
+  return `# SPDX-License-Identifier: MPL-2.0
+# Generated by cms-provision — do not edit; re-run \`bunx cms-provision up\`.
+# Domain: ${spec.domain}
+
+services:
+  postgres:
+    image: postgres:16-alpine
+    container_name: caelo-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_PASSWORD: "${escape(spec.postgresPassword)}"
+      POSTGRES_USER: caelo
+      POSTGRES_DB: caelo
+    volumes:
+      - caelo-pg:/var/lib/postgresql/data
+      - ./bootstrap.sh:/docker-entrypoint-initdb.d/00_bootstrap.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U caelo"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  pgbackrest:
+    image: pgbackrest/pgbackrest:latest
+    container_name: caelo-pgbackrest
+    restart: unless-stopped
+    depends_on: [postgres]
+    volumes:
+      - caelo-pg-backups:/var/lib/pgbackrest
+      - ./pgbackrest.conf:/etc/pgbackrest.conf:ro
+
+  minio:
+    image: minio/minio:latest
+    container_name: caelo-minio
+    restart: unless-stopped
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: "${escape(spec.minioRootUser)}"
+      MINIO_ROOT_PASSWORD: "${escape(spec.minioRootPassword)}"
+    volumes:
+      - caelo-minio:/data
+
+  caddy:
+    image: caddy:2-alpine
+    container_name: caelo-caddy
+    restart: unless-stopped
+    ports: ["80:80", "443:443"]
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caelo-caddy-data:/data
+      - caelo-caddy-config:/config
+      - ./output:/srv/caelo:ro
+
+  caelo-admin:
+    image: oven/bun:1.3
+    container_name: caelo-admin
+    restart: unless-stopped
+    depends_on:
+      postgres: { condition: service_healthy }
+    working_dir: /app
+    volumes:
+      - ../..:/app
+    command: bun run --filter @caelo-cms/admin start
+    environment:
+      ADMIN_DATABASE_URL: "postgres://caelo:${escape(spec.postgresPassword)}@postgres:5432/cms_admin"
+      PUBLIC_ADMIN_DATABASE_URL: "postgres://caelo:${escape(spec.postgresPassword)}@postgres:5432/cms_public"
+      NODE_ENV: production
+${env("ANTHROPIC_API_KEY", spec.anthropicApiKey)}
+${env("RESEND_API_KEY", spec.resendApiKey)}
+
+  caelo-gateway:
+    image: oven/bun:1.3
+    container_name: caelo-gateway
+    restart: unless-stopped
+    depends_on:
+      postgres: { condition: service_healthy }
+    working_dir: /app
+    volumes:
+      - ../..:/app
+    command: bun run apps/api-gateway/src/server.ts
+    environment:
+      ADMIN_DATABASE_URL: "postgres://caelo:${escape(spec.postgresPassword)}@postgres:5432/cms_admin"
+      PUBLIC_DATABASE_URL: "postgres://caelo:${escape(spec.postgresPassword)}@postgres:5432/cms_public"
+      GATEWAY_PORT: "8090"
+      NODE_ENV: production
+
+volumes:
+  caelo-pg:
+  caelo-pg-backups:
+  caelo-minio:
+  caelo-caddy-data:
+  caelo-caddy-config:
+`;
+}
+
+function escape(s: string): string {
+  // Conservative escape for double-quoted YAML strings.
+  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}

package/src/index.test.ts

@@ -0,0 +1,246 @@
+// SPDX-License-Identifier: MPL-2.0
+
+import { describe, expect, it } from "bun:test";
+import { generateBootstrapToken } from "./bootstrap-token.js";
+import { generateCaddyfile } from "./caddy.js";
+import { loadCdnCopyAdapter, selfHostedCdnCopy } from "./cdn-copy.js";
+import { generateDockerCompose } from "./compose.js";
+import {
+  emitRedirectsAzureFrontDoor,
+  emitRedirectsCloudFront,
+  emitRedirectsCloudflare,
+  type RedirectRow,
+} from "./redirects-emit.js";
+
+describe("Caddyfile generator", () => {
+  it("emits a vhost per domain + email block", () => {
+    const out = generateCaddyfile({
+      ownerEmail: "owner@example.com",
+      publicSiteRoot: "/srv/caelo/output/production/current",
+      stagingSiteRoot: "/srv/caelo/output/staging/current",
+      adminPort: 5173,
+      gatewayPort: 8090,
+      domains: [
+        { hostname: "example.com", kind: "public", env: "production" },
+        { hostname: "staging.example.com", kind: "public", env: "staging" },
+        { hostname: "admin.example.com", kind: "admin", env: "production" },
+      ],
+    });
+    expect(out).toContain("email owner@example.com");
+    expect(out).toContain("example.com {");
+    expect(out).toContain("staging.example.com {");
+    expect(out).toContain("admin.example.com {");
+    // Staging gets noindex.
+    const stagingBlock = out.match(/staging\.example\.com \{[^]*?\n\}/)?.[0] ?? "";
+    expect(stagingBlock).toContain('X-Robots-Tag "noindex"');
+    // Production does NOT get noindex.
+    const productionBlock = out.match(/(?<!staging\.|admin\.)example\.com \{[^]*?\n\}/)?.[0] ?? "";
+    expect(productionBlock).not.toContain('X-Robots-Tag "noindex"');
+  });
+
+  it("falls back to a localhost dev block when no domains configured", () => {
+    const out = generateCaddyfile({
+      ownerEmail: "x@y.z",
+      publicSiteRoot: "/srv/caelo/output/production/current",
+      stagingSiteRoot: "/srv/caelo/output/staging/current",
+      adminPort: 5173,
+      gatewayPort: 8090,
+      domains: [],
+    });
+    expect(out).toContain(":8081 {");
+    expect(out).toContain("reverse_proxy localhost:5173");
+  });
+
+  it("scopes locale-public vhosts to the per-locale dist subdir", () => {
+    const out = generateCaddyfile({
+      ownerEmail: "x@y.z",
+      publicSiteRoot: "/srv/caelo/output/production/current",
+      stagingSiteRoot: "/srv/caelo/output/staging/current",
+      adminPort: 5173,
+      gatewayPort: 8090,
+      domains: [
+        { hostname: "de.example.com", kind: "locale-public", localeCode: "de", env: "production" },
+      ],
+    });
+    expect(out).toContain("root * /srv/caelo/output/production/current/de");
+  });
+});
+
+describe("docker-compose generator", () => {
+  it("emits postgres + caddy + caelo services with the supplied secrets", () => {
+    const out = generateDockerCompose({
+      domain: "example.com",
+      postgresPassword: "supersecret",
+      minioRootUser: "caelo",
+      minioRootPassword: "miniopass",
+      anthropicApiKey: "sk-ant-…",
+      diskSize: "20Gi",
+    });
+    expect(out).toContain("caelo-postgres");
+    expect(out).toContain("caelo-caddy");
+    expect(out).toContain("caelo-admin");
+    expect(out).toContain("caelo-gateway");
+    expect(out).toContain("supersecret");
+    expect(out).toContain("miniopass");
+    expect(out).toContain("ANTHROPIC_API_KEY");
+  });
+
+  it("escapes secrets containing quotes safely", () => {
+    const out = generateDockerCompose({
+      domain: "example.com",
+      postgresPassword: 'pa"ss',
+      minioRootUser: "caelo",
+      minioRootPassword: "x",
+      diskSize: "1Gi",
+    });
+    expect(out).toContain('pa\\"ss');
+  });
+});
+
+describe("bootstrap token generator", () => {
+  it("emits 64 hex chars + ~24h expiry", () => {
+    const t = generateBootstrapToken();
+    expect(t.token).toMatch(/^[0-9a-f]{64}$/);
+    const ttlHours = (Date.parse(t.expiresAt) - Date.now()) / 3600_000;
+    expect(ttlHours).toBeGreaterThan(23);
+    expect(ttlHours).toBeLessThan(25);
+  });
+
+  it("each call returns a unique token", () => {
+    const a = generateBootstrapToken().token;
+    const b = generateBootstrapToken().token;
+    expect(a).not.toBe(b);
+  });
+});
+
+describe("redirects-emit", () => {
+  const rows: RedirectRow[] = [
+    { fromPath: "/old", toPath: "/new", statusCode: 301 },
+    { fromPath: "/blog/2024", toPath: "/blog", statusCode: 302 },
+    { fromPath: "/legacy", toPath: "/modern", statusCode: 308 },
+  ];
+
+  describe("emitRedirectsCloudflare", () => {
+    it("emits one line per row in `<from> <to> <status>` format", () => {
+      const out = emitRedirectsCloudflare(rows);
+      expect(out).toContain("/old /new 301\n");
+      expect(out).toContain("/blog/2024 /blog 302\n");
+      expect(out).toContain("/legacy /modern 308\n");
+      expect(out.startsWith("# Generated by @caelo-cms/provisioning")).toBe(true);
+    });
+
+    it("empty rows → header only, no trailing newline noise", () => {
+      const out = emitRedirectsCloudflare([]);
+      expect(out).toBe("# Generated by @caelo-cms/provisioning — do not edit by hand.\n");
+    });
+
+    it("is byte-identical for the same input (deterministic)", () => {
+      expect(emitRedirectsCloudflare(rows)).toBe(emitRedirectsCloudflare([...rows]));
+    });
+  });
+
+  describe("emitRedirectsCloudFront", () => {
+    it("returns parseable JSON config + a Lambda source that consumes it", () => {
+      const out = emitRedirectsCloudFront(rows);
+      const parsed = JSON.parse(out.jsonConfig) as {
+        redirects: Array<{ from: string; to: string; status: number }>;
+      };
+      expect(parsed.redirects).toHaveLength(3);
+      expect(parsed.redirects[0]).toEqual({ from: "/old", to: "/new", status: 301 });
+      expect(out.lambdaSource).toContain("exports.handler");
+      expect(out.lambdaSource).toContain('require("./redirects.json")');
+    });
+
+    it("preserves status codes verbatim (301/302/307/308)", () => {
+      const allStatuses: RedirectRow[] = [
+        { fromPath: "/a", toPath: "/x", statusCode: 301 },
+        { fromPath: "/b", toPath: "/x", statusCode: 302 },
+        { fromPath: "/c", toPath: "/x", statusCode: 307 },
+        { fromPath: "/d", toPath: "/x", statusCode: 308 },
+      ];
+      const out = emitRedirectsCloudFront(allStatuses);
+      const parsed = JSON.parse(out.jsonConfig) as {
+        redirects: Array<{ status: number }>;
+      };
+      expect(parsed.redirects.map((r) => r.status)).toEqual([301, 302, 307, 308]);
+    });
+  });
+
+  describe("emitRedirectsAzureFrontDoor", () => {
+    it("emits one rule per row with monotonically-increasing order", () => {
+      const out = emitRedirectsAzureFrontDoor(rows);
+      expect(out).toHaveLength(3);
+      expect(out[0]?.name).toBe("redirect-1");
+      expect(out[0]?.order).toBe(1);
+      expect(out[2]?.order).toBe(3);
+    });
+
+    it("maps status codes to Front Door redirectType vocabulary", () => {
+      const out = emitRedirectsAzureFrontDoor([
+        { fromPath: "/a", toPath: "/x", statusCode: 301 },
+        { fromPath: "/b", toPath: "/x", statusCode: 302 },
+        { fromPath: "/c", toPath: "/x", statusCode: 307 },
+        { fromPath: "/d", toPath: "/x", statusCode: 308 },
+      ]);
+      expect(out.map((r) => r.actions[0]?.parameters.redirectType)).toEqual([
+        "Moved",
+        "Found",
+        "TemporaryRedirect",
+        "PermanentRedirect",
+      ]);
+    });
+
+    it("RequestUri condition matches the from path exactly", () => {
+      const out = emitRedirectsAzureFrontDoor(rows);
+      expect(out[1]?.conditions[0]?.parameters.matchValues).toEqual(["/blog/2024"]);
+      expect(out[1]?.actions[0]?.parameters.destinationPath).toBe("/blog");
+    });
+  });
+
+  describe("path-validation guard (review-pass #9)", () => {
+    it("Cloudflare emitter rejects fromPath with whitespace", () => {
+      expect(() =>
+        emitRedirectsCloudflare([{ fromPath: "/old path", toPath: "/new", statusCode: 301 }]),
+      ).toThrow(/contains whitespace/);
+    });
+
+    it("CloudFront emitter rejects toPath with newline", () => {
+      expect(() =>
+        emitRedirectsCloudFront([{ fromPath: "/old", toPath: "/new\nlies", statusCode: 301 }]),
+      ).toThrow(/contains whitespace/);
+    });
+
+    it("Azure emitter rejects tab in path", () => {
+      expect(() =>
+        emitRedirectsAzureFrontDoor([{ fromPath: "/old\there", toPath: "/x", statusCode: 301 }]),
+      ).toThrow(/contains whitespace/);
+    });
+
+    it("hyphens, dots, slashes, unicode in path segments are accepted", () => {
+      // Regression guard for the original buggy regex `[\s -]` which
+      // rejected hyphens.
+      expect(() =>
+        emitRedirectsCloudflare([
+          { fromPath: "/blog/spring-launch", toPath: "/blog/sommer-2026", statusCode: 301 },
+        ]),
+      ).not.toThrow();
+    });
+  });
+});
+
+describe("cdn-copy adapter loader", () => {
+  it("returns the no-op self-hosted adapter when provider is unset/empty/self-hosted", async () => {
+    expect(await loadCdnCopyAdapter(undefined)).toBe(selfHostedCdnCopy);
+    expect(await loadCdnCopyAdapter("")).toBe(selfHostedCdnCopy);
+    expect(await loadCdnCopyAdapter("self-hosted")).toBe(selfHostedCdnCopy);
+  });
+
+  it("self-hosted adapter pin returns a /media/<key> URL", async () => {
+    const url = await selfHostedCdnCopy.pin("photos/2026/april/sunset.webp");
+    expect(url).toBe("/media/photos/2026/april/sunset.webp");
+  });
+
+  it("rejects unknown provider names loudly (no silent fallback per CLAUDE.md §2)", async () => {
+    await expect(loadCdnCopyAdapter("digitalocean")).rejects.toThrow(/unknown CAELO_PROVIDER/);
+  });
+});

package/src/index.ts

@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * @caelo-cms/provisioning — P14.
+ *
+ * Pulumi-driven self-hosted stack + cms-provision CLI helpers.
+ *
+ * Public surface:
+ *   - generateCaddyfile(spec) → string
+ *   - generateDockerCompose(spec) → string
+ *   - generateBootstrapToken() → { token, expiresAt }
+ *
+ * The CLI (cli.ts) wires these into init / up / regenerate-caddy /
+ * backup / restore / status sub-commands. The Pulumi stack files
+ * (stacks/self-hosted/*) are imported by the CLI's `up` path and
+ * declare the actual Docker resources.
+ */
+
+export type {
+  CloudAdapterInputs,
+  CloudAdapterOutputs,
+  DnsRecord,
+  Environment,
+  LocaleConfig,
+  LocaleStrategy,
+  ProvisioningOutputsJson,
+  SupportedProvider,
+} from "./adapter.js";
+export {
+  type BootstrapToken,
+  generateBootstrapToken,
+} from "./bootstrap-token.js";
+export {
+  type CaddyDomainSpec,
+  type CaddyfileSpec,
+  generateCaddyfile,
+} from "./caddy.js";
+export {
+  type CdnCopyAdapter,
+  loadCdnCopyAdapter,
+  selfHostedCdnCopy,
+} from "./cdn-copy.js";
+export { type ComposeSpec, generateDockerCompose } from "./compose.js";
+export {
+  type CloudFrontRedirectArtifact,
+  emitRedirectsAzureFrontDoor,
+  emitRedirectsCloudFront,
+  emitRedirectsCloudflare,
+  type FrontDoorRule,
+  type RedirectRow,
+  type RedirectStatusCode,
+} from "./redirects-emit.js";

package/src/redirects-emit.ts

@@ -0,0 +1,166 @@
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * P15 — per-provider redirect file generators.
+ *
+ * P14's self-hosted Caddy consumes a `_redirects.caddy` file. Cloud
+ * providers want different formats: Cloudflare Pages reads `_redirects`
+ * (also a fine fit for any platform that consumes that format),
+ * CloudFront wants a JSON config a Lambda@Edge function reads at
+ * startup, and Azure Front Door wants a rules-engine RuleEngineRule[].
+ *
+ * The deploy step calls the right emitter based on `process.env.CAELO_PROVIDER`
+ * and uploads the result to the right place. Each emitter is pure +
+ * idempotent — same input → same byte output.
+ */
+
+export type RedirectStatusCode = 301 | 302 | 307 | 308;
+
+export interface RedirectRow {
+  readonly fromPath: string;
+  readonly toPath: string;
+  readonly statusCode: RedirectStatusCode;
+}
+
+/**
+ * Reject whitespace + control chars in either path before any emitter
+ * touches them. The Cloudflare `_redirects` format is space-delimited;
+ * a `fromPath` containing a space ambiguates the line (CF parses
+ * `/old foo /new 301` as from=`/old`, to=`foo`, status=`/new`, then
+ * fails on `301`). Caelo's redirects table normally rejects these
+ * upstream but the emitter shouldn't trust that — pure functions
+ * defend their own contract.
+ */
+function assertPathClean(label: "fromPath" | "toPath", path: string): void {
+  if (/[\s\x00-\x1f]/.test(path)) {
+    throw new Error(
+      `redirects-emit: ${label}=${JSON.stringify(path)} contains whitespace or control chars; reject upstream`,
+    );
+  }
+}
+
+function assertRowsClean(rows: ReadonlyArray<RedirectRow>): void {
+  for (const r of rows) {
+    assertPathClean("fromPath", r.fromPath);
+    assertPathClean("toPath", r.toPath);
+  }
+}
+
+/**
+ * Cloudflare Pages `_redirects` format (also consumed by Netlify, Vercel,
+ * Render, etc.). One redirect per line: `<from> <to> <status>`. Wildcards
+ * use `:splat`; we only support exact-path redirects in v1 (matches what
+ * Caelo's redirects table allows).
+ */
+export function emitRedirectsCloudflare(rows: ReadonlyArray<RedirectRow>): string {
+  assertRowsClean(rows);
+  const header = "# Generated by @caelo-cms/provisioning — do not edit by hand.\n";
+  const lines = rows.map((r) => `${r.fromPath} ${r.toPath} ${r.statusCode}`);
+  return header + lines.join("\n") + (rows.length > 0 ? "\n" : "");
+}
+
+/**
+ * CloudFront via Lambda@Edge. Returns a JSON config the L@E function
+ * reads at startup + a tiny Lambda source that consumes it. The L@E
+ * function is deployed to `us-east-1` (CloudFront constraint); the
+ * config blob is bundled into the Lambda deployment artifact.
+ *
+ * Returning both halves lets the AWS stack ship a single asset.
+ */
+export interface CloudFrontRedirectArtifact {
+  readonly jsonConfig: string;
+  readonly lambdaSource: string;
+}
+
+export function emitRedirectsCloudFront(
+  rows: ReadonlyArray<RedirectRow>,
+): CloudFrontRedirectArtifact {
+  assertRowsClean(rows);
+  const jsonConfig = JSON.stringify(
+    { redirects: rows.map((r) => ({ from: r.fromPath, to: r.toPath, status: r.statusCode })) },
+    null,
+    2,
+  );
+  // Tiny Lambda@Edge handler. v1 is exact-path match (matches Caelo's
+  // redirects table). Wildcard support lands when the table grows it.
+  const lambdaSource = `// SPDX-License-Identifier: MPL-2.0
+// Generated by @caelo-cms/provisioning. Bundled with redirects.json.
+const REDIRECTS = require("./redirects.json").redirects;
+const TABLE = new Map(REDIRECTS.map((r) => [r.from, r]));
+exports.handler = (event, _ctx, callback) => {
+  const req = event.Records[0].cf.request;
+  const m = TABLE.get(req.uri);
+  if (!m) return callback(null, req);
+  callback(null, {
+    status: String(m.status),
+    statusDescription: "Redirect",
+    headers: { location: [{ key: "Location", value: m.to }] },
+  });
+};`;
+  return { jsonConfig, lambdaSource };
+}
+
+/**
+ * Azure Front Door rules engine. Returns a Pulumi-compatible
+ * RuleEngineRule[]-shaped array (untyped here so callers don't need to
+ * import @pulumi/azure-native). Each rule fires on a path-equals match
+ * + executes a 301/302/etc. response.
+ */
+export interface FrontDoorRule {
+  readonly name: string;
+  readonly order: number;
+  readonly conditions: ReadonlyArray<{
+    readonly name: "RequestUri";
+    readonly parameters: {
+      readonly operator: "Equal";
+      readonly matchValues: ReadonlyArray<string>;
+    };
+  }>;
+  readonly actions: ReadonlyArray<{
+    readonly name: "UrlRedirect";
+    readonly parameters: {
+      readonly redirectType: "Moved" | "Found" | "TemporaryRedirect" | "PermanentRedirect";
+      readonly destinationPath: string;
+    };
+  }>;
+}
+
+export function emitRedirectsAzureFrontDoor(
+  rows: ReadonlyArray<RedirectRow>,
+): ReadonlyArray<FrontDoorRule> {
+  assertRowsClean(rows);
+  return rows.map((r, i) => ({
+    name: `redirect-${i + 1}`,
+    order: i + 1,
+    conditions: [
+      {
+        name: "RequestUri" as const,
+        parameters: { operator: "Equal" as const, matchValues: [r.fromPath] },
+      },
+    ],
+    actions: [
+      {
+        name: "UrlRedirect" as const,
+        parameters: {
+          redirectType: statusToFrontDoor(r.statusCode),
+          destinationPath: r.toPath,
+        },
+      },
+    ],
+  }));
+}
+
+function statusToFrontDoor(
+  status: RedirectStatusCode,
+): FrontDoorRule["actions"][0]["parameters"]["redirectType"] {
+  switch (status) {
+    case 301:
+      return "Moved";
+    case 302:
+      return "Found";
+    case 307:
+      return "TemporaryRedirect";
+    case 308:
+      return "PermanentRedirect";
+  }
+}

package/stacks/aws/Pulumi.yaml

@@ -0,0 +1,39 @@
+# SPDX-License-Identifier: MPL-2.0
+#
+# Caelo AWS provider stack. Provisions RDS Postgres + S3 (media + static
+# output) + CloudFront + Lambda@Edge (A/B split + redirects) + ECS
+# Fargate (admin / gateway / orchestrator / runner) + Secrets Manager.
+# Implements the shared CloudAdapterInputs/CloudAdapterOutputs contract
+# from packages/provisioning/src/adapter.ts so the cms-provision CLI's
+# pulumi-output-sync subcommand can consume the outputs uniformly with
+# the GCP + Azure stacks.
+name: caelo-aws
+runtime:
+  name: nodejs
+  options:
+    typescript: true
+    packagemanager: bun
+description: Caelo AWS stack — RDS Multi-AZ + S3 + CloudFront + Lambda@Edge + ECS Fargate.
+config:
+  caelo-aws:domain:
+    type: string
+    description: Primary domain (e.g. example.com). Admin + production public both bind here.
+  caelo-aws:ownerEmail:
+    type: string
+    description: Operator email used for ACM cert validation + Pulumi notifications.
+  caelo-aws:region:
+    type: string
+    default: us-east-1
+    description: Primary AWS region (RDS, S3, ECS). Lambda@Edge always pinned to us-east-1 regardless.
+  caelo-aws:rdsInstanceClass:
+    type: string
+    default: db.t4g.small
+    description: RDS instance class. db.t4g.small is the cheapest Multi-AZ-capable Graviton class.
+  caelo-aws:fargateCpu:
+    type: string
+    default: "512"
+    description: vCPU units per Fargate task (512 = 0.5 vCPU). Bump for production.
+  caelo-aws:fargateMemoryMb:
+    type: string
+    default: "1024"
+    description: Memory MB per Fargate task. Bump alongside CPU.