0009 — Erid domain adoption: promote the rocky-hq pantheon to erid.tech

• Date: 2026-05-08
• Status: ratified
• Ratified-by: Devarno · 2026-05-08
• Supersedes: none
• Reinforces: 0001-redesign-bootstrap.md, 0005-rocky-domain-cutover.md

Context

Rocky-hq's named subsystems all draw from Project Hail Mary lore — rocky, eva, petrova, cairnet, lore, hearth, ralph, pebble. The operator console currently lives at rocky.devarno.cloud (per ADR 0005), and every subsystem either lives inside the console (console/src/lib/<ss>/) or is a Railway service under the devarno.cloud apex.

The acquisition of erid.tech provides a lore-faithful umbrella: Erid is the homeworld of the Eridians (Rocky's species). Promoting the rocky-hq pantheon to *.erid.tech makes the conceptual map and the DNS map agree — each subsystem becomes a first-class citizen of Erid rather than a path inside rocky.devarno.cloud or a peer Railway service under devarno.cloud.

This ADR amends ADR 0005: rocky-console remains the production Vercel project and is NOT retired. Only the domain binding changes — rocky.devarno.cloud is replaced with rocky.erid.tech as the canonical production domain for the operator console.

Decision

Citizen layout

Tenant-naming rule

Tenant-scoped names live one level deeper — <tenant>.rocky.erid.tech — so they cannot collide with the reserved citizen names above. The reserved citizen list is the canonical "do-not-claim" set; future ADRs may extend it but never narrow it.

Cutover sequence

The cutover executes in this fixed, reversible order inside a single ADR-gated window. Each step is reversible up to step 5.

1. DNS. Create Cloudflare zone erid.tech. Add records:

   • erid.tech → static apex project (Vercel erid-apex). Post-condition: dig +short erid.tech resolves.
   • www.erid.tech → CNAME cname.vercel-dns.com. (301 to apex via Vercel redirect). Post-condition: curl -sI https://www.erid.tech returns 301.
   • rocky.erid.tech → CNAME cname.vercel-dns.com. (target: rocky-console). Post-condition: dig +short rocky.erid.tech resolves.
   • docs.erid.tech → CNAME cname.vercel-dns.com. (target: erid-docs). Post-condition: dig +short docs.erid.tech resolves.
   • All other reserved citizen names → CNAME cname.vercel-dns.com. (target: erid-coming-soon). Post-condition: no NXDOMAIN for any reserved name.

2. Vercel — rocky-console rebind. Add rocky.erid.tech and www.rocky.erid.tech as production domains on the existing rocky-console Vercel project; mark rocky.erid.tech as the canonical production domain. Do not unbind rocky.devarno.cloud yet. Post-condition: https://rocky.erid.tech and https://rocky.devarno.cloud both serve the console.

3. Vercel env — NEXT_PUBLIC_APP_URL. Set NEXT_PUBLIC_APP_URL=https://rocky.erid.tech on rocky-console production. Trigger a production deploy. Post-condition: the served page's canonical URL references rocky.erid.tech.

4. Airlock TRUSTED_ORIGINS. Atomic replace on Railway airlock service (project DEVARNO • CLOUD, env production): https://rocky.devarno.cloud,https://www.rocky.devarno.cloud → https://rocky.erid.tech,https://www.rocky.erid.tech. Preserve all other entries verbatim. Restart airlock. Wait until /health returns 200. Post-condition: BetterAuth sign-in resolves to rocky.erid.tech without 302-loop. This is the "hard cut" — in-flight sessions on the old origin are sacrificed.

5. Vercel — unbind old. Remove rocky.devarno.cloud and www.rocky.devarno.cloud from rocky-console. Post-condition: curl -sI https://rocky.devarno.cloud returns Vercel's "domain not found" response.

6. Repo sweep. Search-and-replace rocky.devarno.cloud → rocky.erid.tech across the rocky-hq superproject (README, console/.env.example, console/CLAUDE.md, BRAND_ASSETS.md, registry.yaml, cairnet/CAIRNET_UXUI_SPEC.md). Land as a separate commit referenced from this ADR. Post-condition: git grep 'rocky\.devarno\.cloud' returns matches only in docs/decisions/0005-rocky-domain-cutover.md and this ADR.

Rollback lever

If the cutover wedges between steps 4 and 5, both domains are still bound on rocky-console. Reversing step 4 (restoring the old TRUSTED_ORIGINS value below) restores sign-in against rocky.devarno.cloud within one airlock restart. After step 5, rollback additionally requires re-adding rocky.devarno.cloud to Vercel (still possible — the domain stays in the team account) and waiting one DNS-propagation cycle.

The pre-cutover TRUSTED_ORIGINS value is recorded verbatim here so a rollback is not reconstructive:

Pre-cutover Airlock TRUSTED_ORIGINS (verbatim)

Captured 2026-05-08T15:25Z from Railway service airlock, environment production, project DEVARNO • CLOUD, before the swap.

TRUSTED_ORIGINS=https://airlock.devarno.cloud,https://hubble.devarno.cloud,https://hatch.devarno.cloud,https://rocky.devarno.cloud,https://www.rocky.devarno.cloud

Cutover state captured

These subsections are appended during the cutover (Tasks 5–8); they are empty here at ADR open time. Task 9 (ratification) confirms all are filled.

DNS zone

• DNS host: Hostinger (existing pattern across the team — all other team-owned domains use Hostinger DNS with CNAMEs to cname.vercel-dns.com.; the spec's "Cloudflare" reference was prescriptive, not load-bearing).
• Records added: A @ → 76.76.21.21; CNAMEs www, rocky, www.rocky, docs, eva, petrova, cairnet, lore, hearth, ralph, pebble, airlock, hatch, relay → cname.vercel-dns.com.
• Resolution verified: 2026-05-08T15:18Z (all 15 names resolving via 1.1.1.1 DoH).

Vercel project bindings and deploy SHAs

• erid-apex project ID: prj_Byd1plUrLo3RmhzIcyvaj1su1ne1; live deploy: erid-apex-4dyb4dgh5-devarno-operations.vercel.app (aliased erid.tech, www.erid.tech).
• erid-coming-soon project ID: prj_FwilLvKZSASs9Dlj3iMEzPkjk3yW; live deploy: erid-coming-soon-h1x5z0roy-devarno-operations.vercel.app (aliased to all 10 reserved citizen subdomains).
• erid-docs project ID: prj_vXD0ALvvSLWPMn9B1nDxVp8scaWx; live deploy: erid-docs-g4jr5hbuz-devarno-operations.vercel.app (aliased docs.erid.tech). Built locally and shipped via vercel deploy --prebuilt to give the build access to ../../docs/{decisions,specs} outside the project root directory.
• rocky-console (existing project prj_5ESq8QnlQjmFeCHoBCz1ZnjYtzdu) post-rebind deploy: rocky-console-5fl8v3wum-devarno-operations.vercel.app (aliased rocky.erid.tech, www.rocky.erid.tech; canonical = rocky.erid.tech).

Airlock TRUSTED_ORIGINS rollout

• Railway env-var rollout timestamp: 2026-05-08T15:25Z (atomic replace via railway variables --service airlock --set 'TRUSTED_ORIGINS=...'; airlock auto-redeployed; /health returned 200 within 30s).
• Verified post-cutover TRUSTED_ORIGINS value:

TRUSTED_ORIGINS=https://airlock.devarno.cloud,https://hubble.devarno.cloud,https://hatch.devarno.cloud,https://rocky.erid.tech,https://www.rocky.erid.tech

• Smoke test (post-swap): GET https://rocky.erid.tech/ → 307 Location: https://airlock.devarno.cloud/auth/sign-in?callbackURL=https%3A%2F%2Frocky.erid.tech%2F → 200 (sign-in page rendered; no 302-loop). Confirms BetterAuth accepts the new callback origin.

rocky.devarno.cloud unbind

• Unbind state verified: 2026-05-08T15:27Z. https://rocky.devarno.cloud returns 404 (no rocky-console alias resolves the host). The redeploy of rocky-console against the new canonical domain rocky.erid.tech cleared the prior rocky.devarno.cloud aliases automatically; no explicit vercel domains rm was required.

Consequences

• New auth boundary host. BetterAuth's CSRF allowlist (TRUSTED_ORIGINS) transitions from rocky.devarno.cloud to rocky.erid.tech. Any future Rocky subdomain that participates in BetterAuth requires a matching TRUSTED_ORIGINS update in the same window.
• In-flight session reissue. Sessions established against rocky.devarno.cloud are invalidated at step 4. Operators must re-authenticate after cutover. This is the explicit cost of the hard cut.
• docs.erid.tech is now a public surface. The ADR ledger (docs/decisions/*.md) and spec ledger (docs/specs/*.md) are publicly readable. Content written to those directories should be treated as externally visible.
• Future infra cutovers reference this ADR. Migration of airlock, relay, and hatch off devarno.cloud and onto their reserved erid.tech names lands as separate ADRs that reference this one. This ADR does not execute those migrations.
• The apex erid.tech is a directory, not the operator entry point. The operator entry point remains rocky.erid.tech.
• Tenant-domain provisioning rule is defined; provisioning UX ships separately. The rule (<tenant>.rocky.erid.tech) is canonical from this ADR forward; the provisioning workflow lands as a separate ADR.

What this decision does NOT do

• Does not retire the rocky-console Vercel project. It survives with only the domain binding changed.
• Does not migrate the Airlock service off Railway or off devarno.cloud infrastructure — only TRUSTED_ORIGINS is updated.
• Does not provision tenant subdomains or build the tenant-domain provisioning UX.
• Does not introduce email under @erid.tech — separate decision, different vendor surface and threat model.
• Does not migrate GitHub org names (rocky-hq, eva-hq, petrova-hq).
• Does not activate citizen surfaces beyond rocky, docs, and the apex directory — cairnet, lore, hearth, ralph, pebble, airlock, hatch, relay, eva, petrova are reserved here only.

References

• Spec: docs/specs/2026-05-08-erid-domain-adoption-design.md
• ADR 0005 (prior domain cutover): docs/decisions/0005-rocky-domain-cutover.md
• Brand assets / palette: BRAND_ASSETS.md
• Airlock service: Railway project DEVARNO • CLOUD, service airlock, env production
• rocky-console Vercel project: prj_5ESq8QnlQjmFeCHoBCz1ZnjYtzdu

Amendments

(None yet — append future per-citizen activation entries as ### YYYY-MM-DD: <citizen>.erid.tech bound to <project> subsections.)