Erid domain adoption — design

• Date: 2026-05-08
• Status: Approved (brainstorming complete; ratify via ADR 0009)
• Related: ADR 0001, ADR 0005 (rocky-domain-cutover)

Context

Rocky-hq's named subsystems all draw from Project Hail Mary lore — rocky, eva, petrova, cairnet, lore, hearth, ralph, pebble. The operator console currently lives at rocky.devarno.cloud (per ADR 0005), and every subsystem either lives inside the console (console/src/lib/<ss>/) or is a Railway service under the devarno.cloud apex.

The acquisition of erid.tech provides a lore-faithful umbrella: Erid is the homeworld of the Eridians (Rocky's species). Promoting the rocky-hq pantheon to *.erid.tech makes the conceptual map and the DNS map agree — each subsystem becomes a first-class citizen of Erid rather than a path inside rocky.devarno.cloud or a peer Railway service under devarno.cloud.

This spec defines the citizen-name layout, the cutover for the only currently-live surface (the operator console), and the reservations for citizens whose surfaces will be activated in later ADRs.

Goal

Land:

1. ADR 0009-erid-domain-adoption opening and ratifying the citizen-name layout below.
2. DNS zone for erid.tech with reserved CNAMEs for every citizen, plus active records for the apex, www, and rocky.
3. Hard cutover of the operator console from rocky.devarno.cloud to rocky.erid.tech, including Airlock TRUSTED_ORIGINS replacement and Vercel domain rebind.
4. Static pantheon-directory page at the apex (erid.tech) that lists citizens with one-liners and links.
5. Static docs.erid.tech reader rendering docs/decisions/ and docs/specs/ from the rocky-hq superproject (read-only).
6. Repo-wide search-and-replace from rocky.devarno.cloud → rocky.erid.tech (README, env examples, CLAUDE.md files, BRAND_ASSETS, registry.yaml).

Out of scope

• Email (@erid.tech) — separate decision; different vendor surface and threat model.
• Migration of rocky-hq / eva-hq / petrova-hq GitHub org names.
• Activation of citizen surfaces beyond rocky/apex/docs (cairnet stone browser, lore reader, hearth fleet manager, etc.) — names are reserved here; surfaces ship in later ADRs.
• Migration of the airlock and relay services off devarno.cloud — reserved names only; cutover lands as separate ADRs.
• Polar/Stripe billing customer-portal domain.
• Tenant-domain provisioning UX (rule is defined here; provisioning ships separately).

Citizen layout

Tenant-naming rule: tenant-scoped names live one level deeper — <tenant>.rocky.erid.tech — so they cannot collide with the reserved citizen names above. The reserved citizen list is the canonical "do-not-claim" set; future ADRs may extend it but never narrow it.

Cutover (hard cut)

Executed inside a single ADR-gated window in this order. Each step is reversible up to step 5.

1. DNS. Cloudflare zone erid.tech. Records:
   • erid.tech → static apex project (Vercel)
   • www → 301 https://erid.tech
   • rocky → cname.vercel-dns.com. (target: existing rocky-console Vercel project)
   • docs → static docs project (Vercel)
   • All other citizen names from the table above → CNAME to a coming-soon Vercel static project (prevents accidental claim, costs nothing).
2. Vercel — rocky-console rebind. Add rocky.erid.tech and www.rocky.erid.tech as production domains on the existing rocky-console project; mark rocky.erid.tech as the canonical production domain. Do not unbind rocky.devarno.cloud yet.
3. Vercel env. Set NEXT_PUBLIC_APP_URL=https://rocky.erid.tech on rocky-console production via vercel env add. Trigger a production deploy so the new value is live before sign-in starts pointing at the new origin.
4. Airlock TRUSTED_ORIGINS. Atomic replace on the Railway airlock service: https://rocky.devarno.cloud,https://www.rocky.devarno.cloud → https://rocky.erid.tech,https://www.rocky.erid.tech. Restart airlock. (Replace, not append — that is the "hard cut".)
5. Vercel — unbind old. Remove rocky.devarno.cloud and www.rocky.devarno.cloud from the rocky-console Vercel project. After this point, the old origin returns Vercel's "domain not found" page.
6. Repo sweep. Search-and-replace rocky.devarno.cloud → rocky.erid.tech across the rocky-hq superproject (README, console/.env.example, console/CLAUDE.md, BRAND_ASSETS.md, registry.yaml, this spec). Land as a separate commit referenced from the ADR.

In-flight cookies on the old origin are sacrificed by step 4 — sessions reissue on next sign-in against the new TRUSTED_ORIGINS. That is the explicit cost of "hard cut".

Rollback lever. If the cutover wedges between steps 4 and 5, both domains are still bound on rocky-console. Reversing step 4 (restore the old TRUSTED_ORIGINS value) restores the old origin within one airlock restart. After step 5, rollback requires re-adding the domain to Vercel — still possible (the domain remains in the Vercel team account) but takes one DNS-propagation cycle. The ADR records the exact pre-cutover TRUSTED_ORIGINS value verbatim so a rollback isn't reconstructive.

Apex page

Static, single-page, server-rendered or pre-built. Contents:

• One-line scene from BRAND_ASSETS.md ("An operator watches a RALPH run advance one node at a time…") as the visual hook.
• Citizen list from §Citizen layout — name, one-liner, link (greyed-out for reserved names).
• Footer link to docs.erid.tech and to the public rocky-hq GitHub org.

The apex page is not the operator entry point — rocky.erid.tech is. The apex is a directory and identity surface.

docs.erid.tech

Static site that renders docs/decisions/*.md and docs/specs/*.md from the rocky-hq superproject. Read-only. No auth. Generated on push to main. Justification for shipping now (vs. deferring): the ADR ledger is already public-facing in spirit (referenced from CLAUDE.md as a "projection source"), the toolchain is cheap (any markdown-to-static generator pinned to the repo), and having a stable public URL for ADRs makes the cross-links from cairnet/CAIRNET_UXUI_SPEC.md and future per-citizen surfaces resolvable from outside the repo.

ADR shape

Single ADR docs/decisions/0009-erid-domain-adoption.md:

• Status: open → ratified at end of cutover
• Supersedes: none (this ADR amends ADR 0005; it does not retire rocky-console as the production project — only the domain binding changes)
• Reinforces: ADR 0001, ADR 0005
• Decision body: the citizen-name table (§Citizen layout), the cutover sequence (§Cutover), the rollback lever (with the pre-cutover TRUSTED_ORIGINS value captured verbatim), the tenant-naming rule
• Consequences: new auth boundary host; in-flight session reissue; future infra cutovers (airlock/relay/hatch off devarno.cloud) land as separate ADRs that reference this one; docs.erid.tech is now a public surface for the ADR ledger
• Amendments section: future per-citizen activation entries, e.g. ### YYYY-MM-DD: cairnet.erid.tech bound to <project>

Verification

• https://rocky.erid.tech serves the operator console and BetterAuth sign-in completes (no 302-loop on callback).
• https://www.rocky.erid.tech 301s to https://rocky.erid.tech.
• https://rocky.devarno.cloud returns Vercel's "domain not found" response (post-step-5).
• https://erid.tech serves the pantheon directory; reserved-citizen links resolve to the coming-soon placeholder.
• https://docs.erid.tech/decisions/0009-erid-domain-adoption renders this ADR.
• dig +short rocky.erid.tech returns cname.vercel-dns.com. and the cert is valid.
• Airlock TRUSTED_ORIGINS contains the new origins and not the old ones.
• A repo-wide grep for rocky.devarno.cloud returns matches only in the historical ADR 0005 and in the captured pre-cutover value inside ADR 0009.

What this unlocks

• Per-citizen ADRs to activate cairnet.erid.tech, lore.erid.tech, hearth.erid.tech etc. as their surfaces are built.
• A separate ADR to migrate airlock off Railway's devarno.cloud apex onto airlock.erid.tech (deferred — auth-boundary cutovers are higher-risk than console domain rebinds).
• A separate ADR for tenant-domain provisioning under the <tenant>.rocky.erid.tech rule.
• Brand and identity work that can refer to the system as "Erid" rather than "the rocky-hq stack".