CaveCMS
Trust

Your site,
signed and sealed.

Every release that reaches your server is cryptographically signed by us, verified by your installer, and atomically applied with auto-rollback. Below: every guarantee, in plain English, and the source code that proves it.

Read the full license, what it costs on pricing, or what shipped in the latest release notes.

How do I know the release I am downloading is really yours?

Every release is signed with our private Ed25519 key. Your installer verifies the signature against the matching public key (bundled into the `create-cavecms` command itself) before it unpacks anything. Mismatch means the installer refuses, full stop. Same for SHA-256: the hash of every zip is published in our signed manifest, and the installer re-hashes the download before trusting it.

No network round-trip for verification. The public key travels with the installer, so a compromised npm CDN cannot lie about which key signed the build.

What happens if an update breaks my site?

Every in-app update goes through six steps: pre-flight check, snapshot of your database and files, signature-verified download, atomic swap, restart, and a post-flight health check. If the health check fails (or anything earlier does), the snapshot is restored and your site stays on the version it was on a minute ago.

Snapshots live on your own disk. We never see them. Auto-rollback runs without us, even if our update server is down at the moment of failure. You can also undo an update yourself any time by running the cavecms rollback command, which restores the previous version straight from that on-disk snapshot, no internet required.

Where does my data live?

On your server. CaveCMS is self-hosted: your database, your uploads, your domain. We do not have your DB credentials. We cannot read your content. We cannot reach in to your site.

The only thing your install talks to us about is "is there a new release?", and only when an admin loads /admin/settings/updates or you explicitly click Check Now.

Do you collect anything about my visitors?

Nothing by default. CaveCMS ships with every integration off. If you want Google Analytics, Hotjar, HubSpot, or anything else, you opt in by pasting your own ID, and the moment you toggle it off, those origins disappear from our Content Security Policy on the very next request.

No telemetry. No phone-home. No anonymous usage pings. We do not even know how many sites are running.

What about the AI features?

You bring your own Google Gemini API key. Requests go directly from your server to Google. We never see your key, your prompts, or your AI responses. The AI features can be disabled entirely from Settings → AI.

Who can read my admin password?

Nobody: not us, not your hosting provider, not anyone who can read your database. Passwords are hashed with scrypt (a memory-hard KDF) and compared in constant time so timing attacks cannot probe them.

JWTs that authenticate your admin sessions are HS256-signed with a secret generated once at install time and sealed on disk with mode 600. The secret never leaves your server.

What if you go out of business?

You keep using CaveCMS forever. The Prosperity Public License gives you the right to run, modify, and distribute the software for personal and non-profit use without limit. The full source is on GitHub. Your install does not phone home, does not need our servers to function, and cannot be remotely disabled.

There is no kill switch. There is no required cloud account. There is no DRM. If we vanish tomorrow, your site keeps working.

Can I audit any of this?

Yes. Every claim on this page maps to public source code. The signature verification lives in our installer on npm. The CSP integration toggles live in `lib/security/buildCsp.ts`. The password hashing lives in `lib/auth/scrypt.ts`. The update orchestrator is `scripts/cavecms-update.sh`. Open the repo and read.

Our public key

Verify our signing key yourself.

The fingerprint of our Ed25519 release-signing public key. The same key is bundled into every create-cavecms install on npm. You can verify out-of-band that they match.

SHA-256 fingerprint

3798df9c2257245d374a29fd9ecbdb6e2302f33e0cff35f26846706bf11693ab

Public key (PEM)

-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAgfwWFnEmpbmRzmmdExV5rjAG5YTeI44tGG1hziyWnJ8=
-----END PUBLIC KEY-----

Verify yourself

# Re-derive the fingerprint from the key above
echo "-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAgfwWFnEmpbmRzmmdExV5rjAG5YTeI44tGG1hziyWnJ8=
-----END PUBLIC KEY-----" \
  | openssl pkey -pubin -outform DER \
  | shasum -a 256

# Expected:
# 3798df9c2257245d374a29fd9ecbdb6e2302f33e0cff35f26846706bf11693ab
Read the source

Nothing on this page is marketing.

Every promise above maps to source you can read today. We will not write something on this page that does not live, verbatim, in our codebase.

Ed25519 signature verification at install time

packages/create-cavecms/bin/create-cavecms.mjs

In-app update orchestrator (six-step modal)

scripts/cavecms-update.sh

Auto-rollback watchdog

scripts/cavecms-watchdog.sh

scrypt password hashing + timing-safe compare

lib/auth/scrypt.ts

Integration-by-integration CSP allowlist

lib/security/buildCsp.ts

License (Prosperity Public License 3.0.0)

LICENSE.md

Found something we should know?

Email [email protected]. We reply to every disclosure.