Celistra FAQ

If your question isn't here, email hello@celistra.dev or open a discussion on GitHub.

What is Celistra?

A zero-trust process orchestrator. A small Go daemon (celistrad) on each machine you own; one dashboard to spawn, watch, supervise, and kill long-running processes (Claude Code, Codex, training jobs, browser agents) across every box from one screen — including your phone.

How is this different from Claude Code Remote Control?

Remote Control attaches your phone to one Claude Code session at a time, while your terminal stays open. Celistra is multi-machine, multi-process, daemon-supervised, sandboxed by default — works after closing the terminal, works with non-Claude tools, fleet view across every machine. Detailed comparison.

How is the daemon authenticated?

Two paths: a 256-bit machine secret (legacy) or a Firebase ID token (verified offline against Google's JWKS). Pairing is via tray-issued cryptographically-random tokens — single-use, 600s TTL, constant-time compare.

Does it work behind CGNAT?

Yes. The tunnel is outbound from the daemon to mail.ujex.dev:7000 — same CGNAT-friendly model as Cloudflare Tunnel.

Does it work offline?

Pairing needs internet (Firebase Auth). After pairing, LAN-only operation works — the dashboard probes loopback first on every call.

Is data ever sent to the cloud?

Agent metadata (machine name, agent ID, command, runtime) is in your Firebase project's Firestore. PTY output is real-time over WebSocket, never persisted on the server side. The 30-day SQLite history is on the daemon's local disk only.

How much does it cost?

Free for 1 paired node forever. Pro is $2/month for 5 nodes (priority tunnel, scheduled agents, secrets manager). Team is $10/month for unlimited nodes plus RBAC. The daemon binary is and stays free.

What platforms are supported?

macOS (Apple Silicon + Intel), Linux (x86_64 + ARM64 — yes, Pi works), Windows (x86_64). iOS app via TestFlight. Android via Play Store.

Is the daemon open source?

Source-available. The audit-chain library used for the tamper-evident log is Apache-2.0 (@axy/audit-chain).

What does the sandbox protect against?

Filesystem and network containment. By default, an agent can read everywhere but only write inside its workspace. Cannot drive other apps without accessibility. Cannot read TCC-protected files without full_disk_access. The kernel enforces — the agent can't bypass by trying.

Can it run alongside SSH / tmux / Tailscale?

Yes to all three. Celistra is process supervision, not a network layer or a shell replacement. Many users run all of them.

How do I revoke access?

Tray menu → Revoke all sessions. Calls a Firebase Cloud Function that runs admin.auth().revokeRefreshTokens(uid). Existing ID tokens expire within 1 hour; refresh tokens are immediately invalidated.

What about prompt injection in the agent?

Sandbox is a containment story for filesystem and network — it doesn't stop a prompt-injected agent from making bad commits within its workspace. Pair with the audit log (so you can see what happened) and capability minimization (so the agent has less to work with).