Cloudflare Pages projects — domain mapping

Last updated: 2026-05-17 UTC — #653 (support.raxx.app infra)

Project inventory

History

2026-04-29 — cohabitation (Option B)

internal-docs.raxx.app was attached to the raxx-mockups project as a custom domain. The mockups build script (mockups-site/build.sh) was extended to also build dist/internal-docs/ by running scripts/build-internal-docs.py. CF Pages _redirects rules rewrote internal-docs.raxx.app/* to /internal-docs/:splat so that visiting the docs domain did not land on the mockups root index.

2026-05-08 — split (fixes #1367)

The cohabitation approach caused user-facing confusion: internal-docs.raxx.app/ showed the mockups gallery, not the docs, whenever CF Pages served the project root instead of applying the redirect. The fix:

• New CF Pages project raxx-internal-docs created for internal docs only.
• deploy-internal-docs.yml updated to deploy dist/internal-docs/ (not dist/) to raxx-internal-docs.
• deploy-mockups.yml created to own dist/ → raxx-mockups deploys.
• DNS CNAME internal-docs.raxx.app updated from raxx-mockups.pages.dev to raxx-internal-docs.pages.dev (idempotent via CF API in the workflow).
• CF Access policy applied to raxx-internal-docs matching the existing email-allowlist policy (kris@moosequest.net).
• The _redirects rules in mockups-site/_redirects that rewrote internal-docs.raxx.app/* requests are no longer needed; the file is retained with the rules removed.

2026-05-08 — getraxx.com landing page (fixes #1369)

Resolved the 403 reported in #1368 (RCA: CF Pages project named getraxx did not exist; DNS CNAME pointed to getraxx.pages.dev with no matching project).

• New standalone project frontend/getraxx-landing/ extracted from feature/brand-tokens-getraxx-landing commit a837db0. Uses Vite + React, not the Antlers CRA shell.
• CF Pages project getraxx created on first workflow run.
• getraxx.com (apex, canonical) and www.getraxx.com both attached.
• www.getraxx.com → getraxx.com 301 redirect via _redirects rule.
• CLOUDFLARE_EDIT_DNS token must cover the getraxx.com zone (Zone ID 0bdcee38d1da2d021eb6166f0bd6204f) — operator prerequisite for the DNS bootstrap step.

2026-05-15 — SC-D1: raxx-docs builder bootstrap verified (#2169)

Confirmed the raxx-docs CF Pages binding for docs.raxx.app:

• scripts/build-customer-docs.py exits 0 locally; produces dist-customer-docs/ containing index.html, customer/*.html, customer-docs-theme.css, and build-manifest.txt.
• dist-customer-docs/ confirmed in .gitignore — build artifacts never committed.
• Deploy workflow .github/workflows/deploy-customer-docs.yml references project name raxx-docs and deploys dist-customer-docs/ via wrangler.
• docs/customer/index.md landing-page placeholder added (H1 + one paragraph).
• All 21 builder smoke tests passing (scripts/build-customer-docs/test_smoke.py).
• Broker-name lint: zero hits across all build inputs and output HTML.
• DNS CNAME and custom-domain attach handled idempotently by the workflow.

2026-05-15 — SC-D2: docs.raxx.app DNS + CF Pages custom domain confirmed (#2174)

Confirmed the DNS CNAME and CF Pages custom domain binding for docs.raxx.app:

• CNAME record docs.raxx.app → raxx-docs.pages.dev declared in terraform/cf-pages-docs-customer/dns.tf (proxied = true, TTL automatic). The deploy workflow (Ensure docs.raxx.app DNS CNAME step) creates this idempotently on every run if it does not exist.
• cloudflare_pages_domain resource in terraform/cf-pages-docs-customer/main.tf attaches docs.raxx.app to the raxx-docs Pages project. The deploy workflow also attaches idempotently via Ensure CF Pages custom domain step.
• terraform/cf-pages-docs-customer/terraform.tfvars.example added (#2174) with zone ID f12dbb5cac57d5591a5058874498a6d1 and account ID pre-filled.
• Verification script: scripts/ops/verify-docs-domain.sh — checks CNAME via CF DNS API, domain attachment status, TLS handshake, and HTTP response.
• TLS: CF-managed certificate auto-issued when docs.raxx.app domain is in active state; no manual cert provisioning required.
• DNS provider: Cloudflare (raxx.app zone). Not Dyn — Dyn manages moosequest.net only (see memory: feedback_dyndns_stays).
• Token used for DNS record: CLOUDFLARE_EDIT_DNS (DNS:Edit scope on raxx.app zone) — NOT CLOUDFLARE_RAXX_AUTOMATION_API_TOKEN which lacks DNS edit scope.

2026-05-17 — #653: support.raxx.app infra shell

Wired the deploy infrastructure for the customer support portal:

• New standalone project frontend/support/ (Vite + React SPA shell; full portal UI is card 4).
• CF Pages project raxx-support — created on first workflow run via idempotent wrangler call.
• DNS CNAME support.raxx.app → raxx-support.pages.dev (proxied); created idempotently by the workflow.
• support.raxx.app custom domain attached to raxx-support via CF API (idempotent).
• robots.txt: allows / and /sign-in; disallows /tickets/ (RFC-9309 prefix form, covers path + descendants).
• _headers: CSP, X-Frame-Options: DENY, X-Content-Type-Options, HSTS, Referrer-Policy, Permissions-Policy.
• Terraform stack: terraform/cf-pages-support/ (mirrors cf-pages-docs-customer pattern).
• Deploy workflow: .github/workflows/deploy-support.yml — triggers on push to main for frontend/support/**.
• No CF Access gate at the edge; authentication for /tickets/* is app-level (card 3).

Token usage

The CLOUDFLARE_RAXX_AUTOMATION_API_TOKEN token is NOT used for DNS edits. See reference_cloudflare_tokens.md for the full scope breakdown.

Zone IDs

raxx.app zone: f12dbb5cac57d5591a5058874498a6d1

getraxx.com zone: 0bdcee38d1da2d021eb6166f0bd6204f