@caelo-cms/provisioning 0.1.0

package/stacks/azure/Pulumi.yaml

@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: MPL-2.0
+#
+# Caelo Azure provider stack. Provisions Azure DB for PostgreSQL flexible
+# server (zone-redundant) + Storage Account (Blob) + Front Door + Container
+# Apps (admin/gateway/orchestrator/runner + edge-router) + Key Vault +
+# Log Analytics → A/B assignment log sink. Implements the shared
+# CloudAdapterInputs / CloudAdapterOutputs contract from
+# packages/provisioning/src/adapter.ts.
+name: caelo-azure
+runtime:
+  name: nodejs
+  options:
+    typescript: true
+    packagemanager: bun
+description: Caelo Azure stack — Azure DB flexible + Blob + Front Door + Container Apps + Key Vault.
+config:
+  caelo-azure:domain:
+    type: string
+    description: Primary domain (e.g. example.com).
+  caelo-azure:ownerEmail:
+    type: string
+    description: Operator email for Pulumi notifications.
+  caelo-azure:subscription:
+    type: string
+    description: Azure subscription id.
+  caelo-azure:resourceGroup:
+    type: string
+    default: caelo-rg
+    description: Resource group name. Created by the stack if it doesn't exist.
+  caelo-azure:location:
+    type: string
+    default: westeurope
+    description: Azure region. Container Apps regional availability is checked at preview.
+  caelo-azure:flexibleServerSku:
+    type: string
+    default: Standard_B2s
+    description: Postgres flexible-server SKU. B2s = burstable; bump to GP_Standard_D2s_v3 for production.

package/stacks/azure/README.md

@@ -0,0 +1,69 @@
+# Caelo Azure provider stack
+
+Pulumi stack provisioning Caelo on Azure managed services. Implements the shared `CloudAdapterInputs` / `CloudAdapterOutputs` contract from `packages/provisioning/src/adapter.ts`.
+
+## What it provisions per environment
+
+| Concern | Azure resource |
+|---|---|
+| Managed Postgres | Azure DB for PostgreSQL flexible server (zone-redundant in production) + automated backups (geo-redundant in production) |
+| Blob storage | Storage Account + two containers (`media` private, `$web` static-website-enabled) |
+| CDN / Edge | Azure Container Apps `edge-router` instance (Front Door + custom-domain bindings land in P15.4 review-pass) |
+| Edge compute (A/B + redirects) | Container App `edge-router` running `edge-handler.ts` with `@caelo-cms/edge-router` |
+| Container runtime | Five Container Apps (admin / gateway / orchestrator / runner / edge-router) in one managed environment |
+| Secret store | Key Vault (postgres-password, csrf-secret, cookie-secret, anthropic-api-key, resend-api-key) |
+| Edge-log sink | Log Analytics workspace receives Container Apps logs (queryable by P12A analytics plugin via Azure Monitor) |
+
+The Caelo runtime never knows it's on Azure — every Container App consumes plain `DATABASE_URL` / `MEDIA_STORAGE_URL` / `SECRETS_PROVIDER` env vars.
+
+## First-time install
+
+```bash
+cd packages/provisioning/stacks/azure
+pulumi stack init prod
+pulumi config set caelo-azure:domain example.com
+pulumi config set caelo-azure:ownerEmail me@example.com
+pulumi config set caelo-azure:subscription <your-subscription-guid>
+pulumi config set caelo-azure:location westeurope
+
+# Build + push images. Operator does this on every release.
+az login
+az acr login --name <your-acr>
+docker build -t <your-acr>.azurecr.io/admin:latest apps/admin
+docker push <your-acr>.azurecr.io/admin:latest
+# Repeat for gateway, orchestrator, runner, edge-router.
+
+# Bring the stack up.
+pulumi up
+
+# Sync outputs into cms_admin.provisioning_outputs via the
+# /api/internal/provisioning-outputs/sync endpoint (P15.1 signed-JWT).
+CAELO_INTERNAL_SECRET=$(pulumi stack output --show-secrets internalSecretOut) \
+CAELO_ADMIN_URL=https://example.com \
+  bunx cms-provision pulumi-output-sync --environment production
+```
+
+The bootstrap-token URL is a Pulumi output:
+
+```bash
+pulumi stack output bootstrapUrlOut
+# → https://example.com/setup?token=<64-hex>
+```
+
+## v1 limitations (P15.4 review-pass items)
+
+- **Front Door + custom-domain SSL** not auto-provisioned. v1 surfaces the edge-router Container App's FQDN as the temporary CNAME target; P15.4 wires Front Door + ManagedIdentity-based cert binding.
+- **Container image build pipeline** — operators push via `az acr build` for v1.
+- **Per-locale custom-domain SSL** — operator wires per-locale subdomains via Front Door custom-domain bindings; auto-provisioning lands alongside the Front Door wiring.
+
+## Edge-router byte-identity
+
+The byte-identity test in `packages/edge-router/src/index.test.ts` asserts a fixed corpus of (visitorId, manifestVersion, experimentId) tuples produces identical variant labels across every runtime — a visitor sees the same variant whether they hit self-hosted Caddy in dev, AWS CloudFront in staging, or Azure Container Apps in production.
+
+## Destroy
+
+```bash
+pulumi destroy
+```
+
+Tears down all resources; the resource group is removed (which transitively removes everything inside it). Soft-deleted Key Vault entries linger per Azure's `softDeleteRetentionInDays` setting (90d in production; 7d elsewhere).

package/stacks/azure/edge-handler.ts

@@ -0,0 +1,88 @@
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * Caelo Azure edge-router — Azure Container App HTTP handler.
+ *
+ * Imports the SAME `routeRequest` from `@caelo-cms/edge-router` that the
+ * P13 self-hosted Caddy gateway, the AWS Lambda@Edge function, and the
+ * GCP Cloud Run handler use. The byte-identity test in
+ * packages/edge-router/src/index.test.ts asserts identical variant
+ * labels across every runtime — same hash, same variant, every visitor.
+ *
+ * Differences from the GCP Cloud Run handler:
+ *   - Logs go to stdout in JSON; Container Apps' Log Analytics integration
+ *     ships them to the workspace; the P12A Azure adapter queries via
+ *     Azure Monitor's Log Analytics API.
+ *   - Manifest fetched from Blob storage (anonymous public read on the
+ *     `$web` container's `ab-routing.json` blob).
+ *
+ * v1 ships the source; the build pipeline (`az acr build` per service,
+ * pushing to ACR) lands in P17.0 release engineering.
+ */
+
+import { EMPTY_MANIFEST, type RoutingManifest, routeRequest } from "@caelo-cms/edge-router";
+
+const STATIC_BUCKET_URL = process.env.STATIC_BUCKET_URL ?? "";
+const MANIFEST_OBJECT = process.env.MANIFEST_OBJECT ?? "ab-routing.json";
+const MANIFEST_REFRESH_MS = 30_000;
+const COOKIE_NAME = "caelo_visitor_id";
+
+let manifestCache: { value: RoutingManifest; loadedAt: number } = {
+  value: EMPTY_MANIFEST,
+  loadedAt: 0,
+};
+
+async function fetchManifest(): Promise<RoutingManifest> {
+  if (Date.now() - manifestCache.loadedAt < MANIFEST_REFRESH_MS) {
+    return manifestCache.value;
+  }
+  if (!STATIC_BUCKET_URL) return EMPTY_MANIFEST;
+  try {
+    const url = `${STATIC_BUCKET_URL}/${MANIFEST_OBJECT}`;
+    const r = await fetch(url, { signal: AbortSignal.timeout(2000) });
+    if (!r.ok) return manifestCache.value;
+    const m = (await r.json()) as RoutingManifest;
+    manifestCache = { value: m, loadedAt: Date.now() };
+    return m;
+  } catch {
+    return manifestCache.value;
+  }
+}
+
+function readCookie(header: string | null, name: string): string | null {
+  if (!header) return null;
+  for (const pair of header.split(/;\s*/)) {
+    const eq = pair.indexOf("=");
+    if (eq < 0) continue;
+    if (pair.slice(0, eq) === name) return decodeURIComponent(pair.slice(eq + 1));
+  }
+  return null;
+}
+
+const port = Number(process.env.PORT ?? 8080);
+Bun.serve({
+  port,
+  async fetch(req: Request): Promise<Response> {
+    const url = new URL(req.url);
+    const manifest = await fetchManifest();
+    const visitorIdCookie = readCookie(req.headers.get("cookie"), COOKIE_NAME);
+    const decision = routeRequest(manifest, {
+      pathname: url.pathname,
+      visitorIdCookie,
+    });
+
+    if (decision.logEntry) {
+      // biome-ignore lint/suspicious/noConsole: structured log → Log Analytics
+      console.log(JSON.stringify(decision.logEntry));
+    }
+
+    const target = new URL(url.toString());
+    target.pathname = decision.rewritePathname;
+    const headers = new Headers({
+      Location: target.toString(),
+      "Cache-Control": "no-store, private",
+      "Set-Cookie": `${COOKIE_NAME}=${encodeURIComponent(decision.setVisitorId)}; Path=/; Max-Age=31536000; SameSite=Lax; Secure; HttpOnly`,
+    });
+    return new Response(null, { status: 307, headers });
+  },
+});

package/stacks/azure/index.ts

@@ -0,0 +1,309 @@
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * Caelo Azure stack — Pulumi entry point.
+ *
+ * Resources provisioned per `pulumi up`:
+ *  1. Resource group (created if missing).
+ *  2. Azure Database for PostgreSQL flexible server, zone-redundant in
+ *     production. Two databases (cms_admin + cms_public) created via
+ *     post-create Container Apps job (bootstrap.sh).
+ *  3. Storage account + two containers (`media` + `static`); the
+ *     `static` container is `$web`-enabled for static-website hosting.
+ *  4. Azure Front Door Standard with two origins (static blob + Container
+ *     Apps fronting admin/gateway). Rules engine handles A/B split
+ *     (matches `pageSlug` from the routing manifest, rewrites to the
+ *     variant blob path) and redirects (per-row from the redirects table
+ *     emitted via emitRedirectsAzureFrontDoor).
+ *  5. Azure Container Apps (admin/gateway/orchestrator/runner + edge-router),
+ *     mounted with Key Vault secrets via managed identity.
+ *  6. Key Vault entries (postgres-password, csrf-secret, cookie-secret,
+ *     anthropic-api-key, resend-api-key).
+ *  7. Log Analytics workspace receives Front Door + Container Apps logs;
+ *     P12A analytics plugin's Azure adapter queries via monitor-query.
+ *  8. Azure DNS zone for the primary domain (operator may opt out via
+ *     config + manage at their existing registrar).
+ *
+ * Constraints worth knowing:
+ *   - Container Apps not in every region; the stack errors loudly at
+ *     preview if `location` is unsupported.
+ *   - Front Door cert auto-management requires the apex domain to point
+ *     at Front Door; if the operator manages DNS elsewhere they must
+ *     publish the CNAME validation TXT record themselves.
+ *
+ * The Caelo runtime never knows it's on Azure — every Container App
+ * consumes plain DATABASE_URL / MEDIA_STORAGE_URL / SECRETS_PROVIDER
+ * env vars wired by this stack.
+ */
+
+import * as azure from "@pulumi/azure-native";
+import * as pulumi from "@pulumi/pulumi";
+import type { CloudAdapterOutputs, DnsRecord } from "../../src/adapter.js";
+import { generateBootstrapToken } from "../../src/bootstrap-token.js";
+
+const cfg = new pulumi.Config();
+const domain = cfg.require("domain");
+const ownerEmail = cfg.require("ownerEmail");
+const subscription = cfg.require("subscription");
+const rgName = cfg.get("resourceGroup") ?? "caelo-rg";
+const location = cfg.get("location") ?? "westeurope";
+const flexibleServerSku = cfg.get("flexibleServerSku") ?? "Standard_B2s";
+
+const env = pulumi.getStack() as "dev" | "staging" | "production";
+const namePrefix = `caelo${env}`; // Azure resource names disallow hyphens in some types.
+
+// === 1. Resource group ===
+const rg = new azure.resources.ResourceGroup(`${namePrefix}-rg`, {
+  resourceGroupName: rgName,
+  location,
+});
+
+// === 2. Secrets ===
+function randomHex(bytes: number): string {
+  const buf = new Uint8Array(bytes);
+  crypto.getRandomValues(buf);
+  return [...buf].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+const postgresPassword = pulumi.secret(randomHex(32));
+const csrfSecret = pulumi.secret(randomHex(32));
+const cookieSecret = pulumi.secret(randomHex(32));
+const anthropicApiKey = pulumi.secret(process.env.ANTHROPIC_API_KEY ?? "");
+const resendApiKey = pulumi.secret(process.env.RESEND_API_KEY ?? "");
+
+// Key Vault.
+const vault = new azure.keyvault.Vault(`${namePrefix}-kv`, {
+  resourceGroupName: rg.name,
+  vaultName: `${namePrefix}kv`.slice(0, 24), // KV name max 24 chars
+  properties: {
+    tenantId: subscription, // operator passes their AAD tenant id via this config
+    sku: { family: "A", name: "standard" },
+    enableRbacAuthorization: true,
+    enableSoftDelete: true,
+    softDeleteRetentionInDays: env === "production" ? 90 : 7,
+  },
+});
+
+function keyVaultSecret(shortName: string, value: pulumi.Output<string>): azure.keyvault.Secret {
+  return new azure.keyvault.Secret(`${namePrefix}-${shortName}`, {
+    resourceGroupName: rg.name,
+    vaultName: vault.name,
+    secretName: `${namePrefix}-${shortName}`,
+    properties: { value },
+  });
+}
+
+const pgSecret = keyVaultSecret("pg-password", postgresPassword);
+keyVaultSecret("csrf-secret", csrfSecret);
+keyVaultSecret("cookie-secret", cookieSecret);
+keyVaultSecret("anthropic-api-key", anthropicApiKey);
+keyVaultSecret("resend-api-key", resendApiKey);
+
+// === 3. Postgres flexible server ===
+const pgServer = new azure.dbforpostgresql.Server(`${namePrefix}-pg`, {
+  resourceGroupName: rg.name,
+  serverName: `${namePrefix}-pg`,
+  location,
+  version: "16",
+  sku: {
+    name: flexibleServerSku,
+    tier: flexibleServerSku.startsWith("Standard_B") ? "Burstable" : "GeneralPurpose",
+  },
+  administratorLogin: "caelo_admin",
+  administratorLoginPassword: postgresPassword,
+  storage: { storageSizeGB: 32 },
+  backup: {
+    backupRetentionDays: env === "production" ? 14 : 7,
+    geoRedundantBackup: env === "production" ? "Enabled" : "Disabled",
+  },
+  highAvailability: { mode: env === "production" ? "ZoneRedundant" : "Disabled" },
+  network: { publicNetworkAccess: "Disabled" },
+});
+
+const pgAdmin = new azure.dbforpostgresql.Database(`${namePrefix}-cms-admin-db`, {
+  resourceGroupName: rg.name,
+  serverName: pgServer.name,
+  databaseName: "cms_admin",
+  charset: "UTF8",
+});
+const pgPublic = new azure.dbforpostgresql.Database(`${namePrefix}-cms-public-db`, {
+  resourceGroupName: rg.name,
+  serverName: pgServer.name,
+  databaseName: "cms_public",
+  charset: "UTF8",
+});
+
+const adminDatabaseUrl = pulumi
+  .all([pgServer.fullyQualifiedDomainName, postgresPassword])
+  .apply(([host, pw]) => `postgresql://caelo_admin:${pw}@${host}:5432/cms_admin?sslmode=require`);
+const publicDatabaseUrl = pulumi
+  .all([pgServer.fullyQualifiedDomainName, postgresPassword])
+  .apply(([host, pw]) => `postgresql://caelo_public:${pw}@${host}:5432/cms_public?sslmode=require`);
+
+// === 4. Storage account + containers ===
+const storage = new azure.storage.StorageAccount(`${namePrefix}-st`, {
+  resourceGroupName: rg.name,
+  accountName: `${namePrefix.slice(0, 18)}st`, // Storage account names are 3-24 lowercase
+  location,
+  sku: { name: "Standard_LRS" },
+  kind: "StorageV2",
+  enableHttpsTrafficOnly: true,
+  minimumTlsVersion: "TLS1_2",
+});
+
+const mediaContainer = new azure.storage.BlobContainer(`${namePrefix}-media`, {
+  resourceGroupName: rg.name,
+  accountName: storage.name,
+  containerName: "media",
+  publicAccess: "None",
+});
+
+const staticContainer = new azure.storage.BlobContainer(`${namePrefix}-static`, {
+  resourceGroupName: rg.name,
+  accountName: storage.name,
+  containerName: "$web",
+  publicAccess: "Blob",
+});
+
+// === 5. Log Analytics workspace ===
+const logWorkspace = new azure.operationalinsights.Workspace(`${namePrefix}-logs`, {
+  resourceGroupName: rg.name,
+  workspaceName: `${namePrefix}-logs`,
+  location,
+  sku: { name: "PerGB2018" },
+  retentionInDays: env === "production" ? 90 : 30,
+});
+
+// === 6. Container Apps environment + apps ===
+const cappEnv = new azure.app.ManagedEnvironment(`${namePrefix}-capp-env`, {
+  resourceGroupName: rg.name,
+  environmentName: `${namePrefix}-capp-env`,
+  location,
+  appLogsConfiguration: {
+    destination: "log-analytics",
+    logAnalyticsConfiguration: pulumi
+      .all([logWorkspace.customerId, logWorkspace.name, rg.name])
+      .apply(([cid, name, rgName_]) => ({
+        customerId: cid ?? "",
+        sharedKey: pulumi
+          .output(
+            azure.operationalinsights.getSharedKeys({
+              resourceGroupName: rgName_,
+              workspaceName: name,
+            }),
+          )
+          .apply((k) => k.primarySharedKey ?? ""),
+      })),
+  },
+});
+
+interface ContainerAppArgs {
+  readonly serviceName: string;
+  readonly extraEnv?: ReadonlyArray<{ name: string; value: pulumi.Input<string> }>;
+}
+
+function containerApp(args: ContainerAppArgs): azure.app.ContainerApp {
+  return new azure.app.ContainerApp(`${namePrefix}-${args.serviceName}`, {
+    resourceGroupName: rg.name,
+    containerAppName: `${namePrefix}-${args.serviceName}`,
+    location,
+    managedEnvironmentId: cappEnv.id,
+    configuration: {
+      activeRevisionsMode: "Single",
+      ingress: {
+        external: args.serviceName === "edge-router",
+        targetPort: 8080,
+        transport: "Auto",
+      },
+    },
+    template: {
+      scale: { minReplicas: env === "production" ? 1 : 0, maxReplicas: 10 },
+      containers: [
+        {
+          name: args.serviceName,
+          // Image pushed via `az acr build` for v1 (operator's job).
+          image:
+            cfg.get(`image-${args.serviceName}`) ??
+            `${namePrefix}.azurecr.io/${args.serviceName}:latest`,
+          env: [
+            { name: "CAELO_PROVIDER", value: "azure" },
+            { name: "CAELO_ENV", value: env },
+            { name: "ADMIN_DATABASE_URL", value: adminDatabaseUrl },
+            { name: "PUBLIC_ADMIN_DATABASE_URL", value: publicDatabaseUrl },
+            {
+              name: "MEDIA_STORAGE_URL",
+              value: pulumi.interpolate`https://${storage.name}.blob.core.windows.net/media`,
+            },
+            ...(args.extraEnv ?? []),
+          ],
+          resources: { cpu: 0.5, memory: "1.0Gi" },
+        },
+      ],
+    },
+  });
+}
+
+const adminApp = containerApp({ serviceName: "admin" });
+const gatewayApp = containerApp({ serviceName: "gateway" });
+const orchestratorApp = containerApp({ serviceName: "orchestrator" });
+const runnerApp = containerApp({ serviceName: "runner" });
+const edgeRouterApp = containerApp({
+  serviceName: "edge-router",
+  extraEnv: [
+    {
+      name: "STATIC_BUCKET_URL",
+      value: pulumi.interpolate`https://${storage.name}.blob.core.windows.net/$web`,
+    },
+    { name: "MANIFEST_OBJECT", value: "ab-routing.json" },
+  ],
+});
+
+// === 7. Bootstrap token ===
+const tokenInfo = generateBootstrapToken();
+
+// === 8. CloudAdapterOutputs ===
+const dnsRecordsRequired: DnsRecord[] = [
+  {
+    hostname: domain,
+    type: "CNAME",
+    // Front Door domain comes from the resource (P15.4 review-pass adds
+    // the actual Front Door + custom-domain bindings; v1 surfaces the
+    // edge-router Container App FQDN as the temporary target).
+    value: edgeRouterApp.configuration.apply(
+      (c) => c?.ingress?.fqdn ?? "<edge-router-fqdn-pending>",
+    ) as unknown as string,
+    purpose:
+      "Primary domain → edge-router Container App (P15.4 review-pass moves this behind Front Door)",
+  },
+];
+
+const out: CloudAdapterOutputs = {
+  adminDatabaseUrl: adminDatabaseUrl as unknown as string,
+  publicDatabaseUrl: publicDatabaseUrl as unknown as string,
+  mediaStorageUrl:
+    pulumi.interpolate`https://${storage.name}.blob.core.windows.net/media` as unknown as string,
+  mediaCdnBaseUrl: pulumi.interpolate`https://${domain}/media` as unknown as string,
+  bootstrapUrl:
+    pulumi.interpolate`https://${domain}/setup?token=${tokenInfo.token}` as unknown as string,
+  dnsRecordsRequired,
+  edgeLogSinkUrl: pulumi.interpolate`loganalytics://${logWorkspace.name}` as unknown as string,
+  provider: "azure",
+  environment: env,
+};
+
+export const adminDatabaseUrlOut = out.adminDatabaseUrl;
+export const publicDatabaseUrlOut = out.publicDatabaseUrl;
+export const mediaStorageUrlOut = out.mediaStorageUrl;
+export const mediaCdnBaseUrlOut = out.mediaCdnBaseUrl;
+export const bootstrapUrlOut = out.bootstrapUrl;
+export const dnsRecordsRequiredOut = out.dnsRecordsRequired;
+export const edgeLogSinkUrlOut = out.edgeLogSinkUrl;
+export const providerOut = out.provider;
+export const environmentOut = out.environment;
+export const pgServerFqdnOut = pgServer.fullyQualifiedDomainName;
+export const storageAccountNameOut = storage.name;
+export const adminContainerAppFqdnOut = adminApp.configuration.apply((c) => c?.ingress?.fqdn);
+export const edgeRouterContainerAppFqdnOut = edgeRouterApp.configuration.apply(
+  (c) => c?.ingress?.fqdn,
+);
+export const bootstrapTokenExpiresAtOut = tokenInfo.expiresAt;

package/stacks/gcp/Pulumi.yaml

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: MPL-2.0
+#
+# Caelo GCP provider stack. Provisions Cloud SQL HA + GCS (media + static
+# output) + Cloud CDN + Cloud Run (admin/gateway/orchestrator/runner +
+# edge-router) + Secret Manager + Cloud Logging → BigQuery sink for
+# A/B assignment logs. Implements the shared CloudAdapterInputs /
+# CloudAdapterOutputs contract from packages/provisioning/src/adapter.ts.
+name: caelo-gcp
+runtime:
+  name: nodejs
+  options:
+    typescript: true
+    packagemanager: bun
+description: Caelo GCP stack — Cloud SQL HA + GCS + Cloud CDN + Cloud Run + Secret Manager.
+config:
+  caelo-gcp:domain:
+    type: string
+    description: Primary domain (e.g. example.com).
+  caelo-gcp:ownerEmail:
+    type: string
+    description: Operator email for Pulumi notifications.
+  caelo-gcp:project:
+    type: string
+    description: GCP project id (Pulumi requires this even when it can read it from gcloud).
+  caelo-gcp:region:
+    type: string
+    default: us-central1
+    description: Primary GCP region (Cloud SQL, Cloud Run, GCS).
+  caelo-gcp:cloudSqlTier:
+    type: string
+    default: db-custom-1-3840
+    description: Cloud SQL machine tier. Default = 1 vCPU, 3.75 GB. Bump for production traffic.
+  caelo-gcp:cloudRunMinInstances:
+    type: string
+    default: "0"
+    description: Min instances per service. Set to 1 in production to avoid cold-start latency (~$30/mo per service).

package/stacks/gcp/README.md

@@ -0,0 +1,78 @@
+# Caelo GCP provider stack
+
+Pulumi stack provisioning Caelo on GCP managed services. Implements the shared `CloudAdapterInputs` / `CloudAdapterOutputs` contract from `packages/provisioning/src/adapter.ts` so the `cms-provision pulumi-output-sync` step consumes the outputs the same way it does for self-hosted, AWS, and Azure.
+
+## What it provisions per environment
+
+| Concern | GCP resource |
+|---|---|
+| Managed Postgres | Cloud SQL Postgres 16 (REGIONAL HA in production, ZONAL elsewhere) + automated backups + PITR + private IP only |
+| Blob storage | Two GCS buckets (`<project>-caelo-<env>-media`, `<project>-caelo-<env>-static`) with uniform bucket-level access |
+| CDN | Cloud CDN backend bucket (operator wires the URL map + load balancer for v1; full LB in P15 review-pass) |
+| Edge compute (A/B + redirects) | Cloud Run service `<env>-edge-router` running `edge-handler.ts` with `@caelo-cms/edge-router` |
+| Container runtime | Four Cloud Run services (admin / gateway / orchestrator / runner) |
+| Secret store | Secret Manager (postgres-password, csrf-secret, cookie-secret, anthropic-api-key, resend-api-key) |
+| Edge-log sink | Cloud Logging project sink → BigQuery dataset `<env>_edge_logs` (queryable by P12A analytics plugin) |
+
+The Caelo runtime never knows it's on GCP — every Cloud Run service consumes plain `DATABASE_URL` / `MEDIA_STORAGE_URL` / `SECRETS_PROVIDER` env vars.
+
+## First-time install
+
+```bash
+cd packages/provisioning/stacks/gcp
+pulumi stack init prod
+pulumi config set caelo-gcp:domain example.com
+pulumi config set caelo-gcp:ownerEmail me@example.com
+pulumi config set caelo-gcp:project my-gcp-project
+pulumi config set caelo-gcp:region us-central1
+
+# Build + push images. Operator does this once + on every release.
+gcloud auth configure-docker us-central1-docker.pkg.dev
+gcloud builds submit ... --tag us-central1-docker.pkg.dev/$PROJECT/caelo/admin:latest
+# Repeat for gateway, orchestrator, runner, edge-router.
+
+# Bring the stack up.
+pulumi up
+
+# Sync outputs into cms_admin.provisioning_outputs so the admin's
+# /security/dns page surfaces the required DNS records.
+ADMIN_DATABASE_URL=$(pulumi stack output adminDatabaseUrlOut --show-secrets) \
+  bunx cms-provision pulumi-output-sync --environment production
+```
+
+The bootstrap-token URL is a Pulumi output:
+
+```bash
+pulumi stack output bootstrapUrlOut
+# → https://example.com/setup?token=<64-hex>
+```
+
+Open after the operator has wired the GCP HTTPS load balancer to the edge-router Cloud Run service + the admin's DNS A record points at the LB IP.
+
+## Edge-router behaviour
+
+This stack's `edge-handler.ts` imports `routeRequest` from `@caelo-cms/edge-router` — same function the AWS Lambda@Edge function and the P13 self-hosted Caddy gateway use. Differences from AWS L@E:
+
+- **Manifest lives in GCS, not bundled in the binary.** The handler fetches `gs://<static-bucket>/routing-manifest.json` on a 30s TTL cache. A new manifest takes effect within 30s without a Cloud Run redeploy.
+- **Returns 307 redirects** (instead of L@E's request-mutation rewrite) so the browser hits the variant URL directly + the static origin's cache respects the variant cache key.
+- **Sets the `caelo_visitor_id` cookie directly** in the response (Cloud Run handlers control headers; L@E's viewer-request cannot).
+- **Cloud Logging → BigQuery**, not CloudWatch → Athena. Same `{kind: "ab_assignment", ...}` JSON shape.
+
+## v1 limitations (P15 review-pass items)
+
+- **GCP HTTPS load balancer + URL map** not auto-provisioned. Operator wires the LB to point `/api/*` → gateway, `/admin/*` → admin, `/_caelo-variant/*` → static bucket directly, and everything else → edge-router. Auto-provisioning lands when telemetry shows operators want it.
+- **Container image build pipeline** — operators push via `gcloud builds submit` for v1. A unified `cms-provision build-images --provider gcp` lands later.
+- **Per-locale managed SSL certs** — operator creates via `gcloud compute ssl-certificates create` per locale subdomain for v1. Auto-provisioning lands alongside the LB.
+- **DNS records** — `dnsRecordsRequired` includes a `<gcp-load-balancer-ip>` placeholder; the DNS UI shows the right hostname/type for the operator to fill in once the LB IP exists.
+
+## Edge-router byte-identity
+
+The byte-identity test in `packages/edge-router/src/index.test.ts` asserts a fixed corpus of (visitorId, manifestVersion, experimentId) tuples produces identical variant labels across every runtime — a visitor sees the same variant whether they hit the self-hosted Caddy in dev, the AWS CloudFront in staging, or the GCP Cloud Run in production.
+
+## Destroy
+
+```bash
+pulumi destroy
+```
+
+Tears down all resources except buckets in production (operator removes via `gsutil rm -r gs://<bucket>` then re-applies destroy). Dev/staging set `forceDestroy: true`.