0005 — Cut rocky.devarno.cloud over to the lifted console

• Date: 2026-05-03
• Status: Accepted
• Supersedes: none
• Reinforces: 0001-redesign-bootstrap.md §Decision (Phase-2 console lift), 0003-rocky-consolidation-policy.md

Context

Phase 2 (console lift, May 2) created a new Vercel project rocky-console (prj_5ESq8QnlQjmFeCHoBCz1ZnjYtzdu) connected to the new rocky-hq/console submodule. The pre-existing project rocky-web (prj_63A4xYCldIAGJ0XFgxWadWT2nIYy, created 16 Apr 2026) — connected to the legacy devarno-cloud/rocky repo — kept ownership of the public domain rocky.devarno.cloud through Phases 2–4. As a result, every subsystem advancement (SS-04/05/06 lifts, SS-07 RALPH wrapper + CRDT sidecar wiring in Phase 3a–3e, contracts adoption in Phase 4) was reaching only console-ochre-zeta.vercel.app and never the public URL. Operator UX was demonstrably stale.

Two adjacent gaps surfaced during the cutover and are recorded here so future infra changes don't re-introduce them:

1. rocky-console's production env was empty except for NPM_TOKEN; the eight runtime variables required by the lifted console (AIRLOCK_URL, NEXT_PUBLIC_AIRLOCK_URL, ROCKY_VAULT_MASTER_KEY, PEBBLE_URL, N8N_URL, ANTHROPIC_BOOTSTRAP_KEY, RELAY_WEBHOOK_SECRET, NEXT_PUBLIC_APP_URL) lived only on rocky-web.
2. Airlock's TRUSTED_ORIGINS (Railway airlock service) listed only airlock/hubble/hatch subdomains; BetterAuth therefore rejected the sign-in callback from rocky.devarno.cloud and 302-looped, blanking the page.

Decision

rocky.devarno.cloud and www.rocky.devarno.cloud belong to the rocky-console Vercel project. The legacy rocky-web project is retired as the production target effective this date. It remains in the Vercel team for one release cycle as rollback insurance, then will be deleted in a housekeeping commit.

Going forward:

• Production target for the rocky-hq console is rocky-console only. Any new domain (*.rocky.devarno.cloud, custom-tenant domains) is added to rocky-console; nothing should be added to rocky-web.
• Env parity is the operator's responsibility on cutover. When a new env var is introduced in console/.env.example, it ships to rocky-console production via vercel env add before the deploy that consumes it lands on main. The pull-from-rocky-web-and-replay path used today is not repeated; it was a one-off migration.
• Airlock's TRUSTED_ORIGINS is the canonical CSRF allowlist for the cross-subdomain SSO surface. Every Rocky subdomain that participates in BetterAuth (currently rocky + www.rocky) lives in that variable. Adding a new tenant subdomain requires a TRUSTED_ORIGINS update in the same window.

Cutover state captured (2026-05-03)

• rocky-console production deploy dpl_<live> aliased at rocky.devarno.cloud and www.rocky.devarno.cloud.
• rocky-console production env: 11 vars (8 mirrored + RALPH_CRDT_TRANSPORT=disabled + AUTH_DISABLED=false + pre-existing NPM_TOKEN).
• Airlock TRUSTED_ORIGINS extended to include https://rocky.devarno.cloud,https://www.rocky.devarno.cloud.
• HANDOFF_ALLOWED_APEXES on Airlock unchanged (only https://stratt.dev); no Rocky handoff flow exists yet.
• rocky-web retains its non-public aliases (rocky-web-devarno-operations.vercel.app, rocky-web-git-main-devarno-operations.vercel.app); production domain bindings removed.

Consequences

• Phase-1–4 work is now visible at rocky.devarno.cloud. First operator-visible delivery of the lift since Phase 2.
• RALPH_CRDT_TRANSPORT=disabled is the production default. The Phase-3e Y-WebSocket sidecar (scripts/crdt-server.mjs) is a long-running Node process and cannot run on Vercel. Collaborative editing in production stays gated until Phase 6 (DevarnoCloud) stands up a Railway sidecar; until then the offline banner renders, per console/CLAUDE.md §CRDT.
• RALPH_TRANSPORT not set on rocky-console. SS-07 falls back to its in-process default until a Railway-hosted ralph serve exists. RALPH-driven flows in production therefore degrade gracefully (no run submission); not blocking for Phase 5.
• Append-only ledger commitment. Future infra cutovers (rocky-web deletion, Polar.sh wiring in Phase 7, hearth Railway service in Phase 5/6) land as new decisions or amendments here, not as silent dashboard edits.
• What this decision does NOT do: delete the rocky-web Vercel project (deferred to housekeeping); change DNS records (rocky.devarno.cloud → cname.vercel-dns.com is unchanged); modify Airlock's session/cookie config beyond TRUSTED_ORIGINS.

Amendments

(None yet — append future tightenings as ### YYYY-MM-DD: <change> subsections.)

References

• Phase-2 console lift: docs/plans/2026-05-02-rocky-lift-console-phase-2.md
• Phase-4 close-out (the deploy that prompted the cutover): MILESTONES.md Phase-4 row + 0007f7d055 superproject commit
• Console env contract: console/.env.example
• CRDT production posture: console/CLAUDE.md §CRDT (Phase 3e)
• Airlock service: Railway airlock (project DEVARNO • CLOUD, env production)