CaveCMS
AI agents

Build it by prompt.
No browser in the loop.

Every CaveCMS install ships an AGENTS.md your AI coding tool reads automatically. Hand it a token, describe the change in plain English, and Cursor, Claude Code, Windsurf, or Codex edits your live site over the HTTP API for pages, posts, the whole block tree, branding.

Before you start

Read API reference first.

The agent guide

What AGENTS.md is.

AGENTS.md sits at the root of every install. It is the agent-facing manual that Cursor, Claude Code, Windsurf, Codex, and Aider read automatically: how to authenticate, the exact endpoints, the content model, and what is off-limits.

You don’t write it; the installer ships it. Your job is to point your AI tool at it, hand over a token, and describe what you want.

What the agent learns from it

  • Authenticate with Authorization: Bearer cave_… (no cookie, no CSRF).
  • Read a page and its section → column → widget tree, then edit it.
  • Batch many edits into one transactional request.
  • What a token can never touch: users, secrets, security settings, the updater.

The full endpoint spec lives in the API reference.

Step 1 · Generate

Mint a token.

In your admin, open Settings → API Tokens → Create. Pick a role (editor or admin), set an optional expiry, re-enter your password, and copy the token. It starts with cave_, is shown exactly once, and is stored only as a SHA-256 hash. Lose it and you simply revoke and mint a new one.

The token is the credential; token requests skip the cookie + CSRF flow entirely. Revoke it in Settings → API Tokens and it returns 401 the same second.

What a token can & can’t do

  • Scoped & capped. Edits pages, posts, blocks, media, and branding, and never user accounts, security/auth settings, secrets, analytics, or the updater. Even an admin-role token.
  • Revocable, instantly. One click in Settings → API Tokens kills it. Deleting the person who created it kills their tokens too.

Confirm the token works (a read)

curl https://your-site.com/api/cms/pages \
  -H "Authorization: Bearer cave_YOUR_TOKEN"
# 200 with a token, 401 without one

Step 2 · Connect

Point your AI at it.

Open your project in your AI coding tool, tell it to read AGENTS.md, hand it the token, and describe the change. It composes the API calls and your live site updates in seconds. Copy a starter prompt:

Claude Code

Read AGENTS.md at the project root. Here is my CaveCMS token: cave_…. Add an FAQ section to the pricing page and make the buttons copper.

Cursor

@AGENTS.md, use the CaveCMS API with token cave_… to draft an About page from our deck, then set it as the home page.

Windsurf

Follow AGENTS.md. Token: cave_…. Rewrite every project blurb and reorder them newest-first.

Codex

Per AGENTS.md, with token cave_…: make the brand accent deep emerald across the whole site.

Works with Cursor, Windsurf, Claude Code, Codex, Aider, or any HTTP client.

Step 3 · Edit

Your first change.

Start small and watch it land. Ask for a single, verifiable edit, then refresh your site. Because every write is validated, sanitized, and audited, an agent can’t corrupt your data, only change content.

Try saying

  • “Add an FAQ to the pricing page and make the buttons copper.”
  • “Draft an About page from our deck, then set it as home.”
  • “Rewrite every project blurb and reorder them newest-first.”

Prefer to see exactly which endpoints fire? The batch API applies many edits in one transaction.

Step 4 · Ship

Then ship it to production.

The agent that edits can also deploy. Built on a local or staging install? Promote the whole site, content and media, to your live URL in one command with cavecms push, using a production admin token.

push replaces production with your source, so it dry-runs first, refuses if production drifted since you pulled, swaps atomically, and snapshots production before the cutover. Moving the whole app to a fresh server instead? See the deploy runbook.

Promote local → production

# save your production profile (URL + an admin token)
cavecms login --url=https://your-site.com --token=cave_PROD

# validate the promote against production, no writes
cavecms push --from=http://localhost:3000 \
  --from-token=cave_LOCAL --dry-run

# promote for real: atomic, drift-guarded, backed up first
cavecms push --from=http://localhost:3000 \
  --from-token=cave_LOCAL

An MCP-aware editor can run this for you. See the MCP guide.