Archived runbook

This page documents the April 2026 cutover to woxa-contents.com. That domain has since been retired; the live production host is woxa-studio.com. Kept here for historical reference — the DNS/TLS steps below are accurate in shape and can be reused for future cutovers, but the target hostname is out of date.

Production cutover plan

Ship woxa-contents.com without downtime

This runbook turns the default v0-iux-social-content-gen.vercel.app deployment into a branded, TLS-secured experience on woxa-contents.com. Every step lists the exact action, where it happens, and how to verify success before moving on.

Target host: woxa-contents.com. Apex, preferred canonical.
Alias: www.woxa-contents.com. 308 redirects to apex.
TLS: Let's Encrypt · auto-renew. Managed by Vercel — no manual upload.

DNS records to publish

Add these at the registrar that owns the woxa-contents.com zone. Vercel will poll for them the moment you click "Refresh" in the Domains panel.

Type · Host · Value · TTL

  • A · @ · 76.76.21.21 · 3600

    Apex record. Required for woxa-contents.com (the bare domain).

  • CNAME · www · cname.vercel-dns.com · 3600

    Subdomain alias so www.woxa-contents.com resolves too. Will 308-redirect to apex.

Cutover phases

7 phases · run top to bottom
  1. Pre-flight checks

    Verify the app is healthy on the Vercel default URL before pointing DNS at it — switching domains should never be the first time you test production.

    1. Confirm production deployment is green

      Open vercel.com → project v0-iux-social-content-gen → Deployments. The Production deployment must show status Ready with no build errors.

      Verify: Latest Ready deployment < 24h old, with the Hybrid compositor pipeline live.

    2. Verify all environment variables for Production

      Settings → Environment Variables. Confirm GOOGLE_CLOUD_PROJECT_ID, GOOGLE_CLOUD_LOCATION, GOOGLE_SERVICE_ACCOUNT_JSON, BLOB_READ_WRITE_TOKEN are present with scope = Production.

      Verify: Four green rows, all scoped 'All Environments' or at minimum 'Production'.

    3. Smoke-test on the default *.vercel.app URL

      Walk the full create → generate → library flow against the current vercel.app domain. Fix any blockers before DNS change. A broken site on a branded domain is visible to more people.

      Verify: One job generated, visible in /library, downloadable PNG.

    4. Identify the DNS registrar

      Find where woxa-contents.com is registered (Namecheap / GoDaddy / Cloudflare / Route53 / etc.). You will need login credentials with DNS-edit permission, not just billing access.

    If the domain currently points somewhere else (landing page, email records), export the existing DNS zone first so nothing breaks.

    MX records for email (if any) must be preserved — Vercel only manages A/CNAME, never MX.

  2. Add the domain in Vercel

    Register the domain with the Vercel project so the edge network starts listening for it and can issue a certificate.

    1. Open the project's Domains settings

      Vercel dashboard → project v0-iux-social-content-gen → Settings → Domains.

    2. Add the apex domain

      Type `woxa-contents.com` in the input, click Add. Vercel responds with the DNS instructions it wants — either 'Add an A record to 76.76.21.21' (if using external DNS) or 'Use Vercel nameservers'.

      Verify: Domain shows up in the list with status 'Invalid Configuration' (expected — DNS is not pointed yet).

    3. Add the www subdomain and configure redirect

      Add `www.woxa-contents.com` as well. Vercel will ask how to handle it — choose 'Redirect to woxa-contents.com (308 Permanent)' so search engines / share cards canonicalize to the apex.

      Verify: Both entries now appear; www shows a redirect badge.

    Do NOT click 'Assign to a different deployment' — the default production target is correct.

    Ignore any prompt to buy the domain through Vercel; you already own it.

  3. Configure DNS at the registrar

    Point the public internet at Vercel's edge by adding two DNS records at your registrar. This is the step with real-world propagation delay.

    1. Log in to the DNS registrar

      Use an account with permission to edit the zone for woxa-contents.com. If the zone is managed by Cloudflare, ensure the record is set to 'DNS only' (grey cloud, not proxied) — proxying breaks Vercel's certificate issuance on apex.

    2. Add the apex A record

      Type A, Host @ (or leave blank depending on UI), Value 76.76.21.21, TTL 3600 or Auto. If your registrar does not support apex A records, switch to Vercel nameservers or use an ALIAS/ANAME record pointing to cname.vercel-dns.com.

    3. Add the www CNAME

      Type CNAME, Host www, Value cname.vercel-dns.com. (with trailing dot if your UI requires FQDN), TTL 3600.

    4. Remove or reconcile conflicting records

      Delete any existing A/AAAA records on @ or www pointing elsewhere. Keep MX records and TXT records (SPF/DKIM/DMARC) for email intact — they do not conflict.

    5. Save the zone

      Most registrars require a save / publish action for records to go live.

      Verify: From a terminal, `dig +short woxa-contents.com` returns 76.76.21.21 and `dig +short www.woxa-contents.com` returns a cname.vercel-dns.com line plus IPv4.

  4. SSL certificate issuance

    Vercel issues a Let's Encrypt certificate automatically once DNS validates. No manual CSR or upload needed — but you must wait.

    1. Return to Vercel → Settings → Domains

      Hit the 'Refresh' button on the woxa-contents.com row. Once DNS propagates Vercel flips the status to 'Valid Configuration' and begins certificate provisioning automatically.

    2. Wait for the certificate

      Certificate issuance typically takes 10–60 seconds after the DNS check passes. If it stalls beyond 10 minutes, the most common cause is a CAA record at the registrar that doesn't include letsencrypt.org — add one (`CAA 0 issue "letsencrypt.org"`) or remove the existing CAA block.

      Verify: Domain row shows a lock icon and 'SSL Certificate Active'. `curl -I https://woxa-contents.com` returns 200 with a valid `server: Vercel` header.

    3. Force HTTPS for all traffic

      Vercel enables HSTS and HTTP→HTTPS 308 redirect by default; no action needed. Confirm by visiting `http://woxa-contents.com` — it must redirect to `https://`.

    Do NOT manually upload a custom certificate for the initial launch. Let Vercel manage renewal via ACME.

    If a CAA record exists, it MUST include `letsencrypt.org` or Vercel cannot issue.
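The CAA condition in Phase 4 can be checked before requesting the certificate. The script below is an added example, not part of the original runbook: the function name `caa_allows` and the sample record sets are constructed for illustration, and it covers only the `issue` tag for a non-wildcard certificate (RFC 8659), fed with the output of `dig +short CAA woxa-contents.com`.

```shell
#!/bin/sh
# Decide whether a CAA record set lets a CA issue a non-wildcard certificate.
# stdin: lines as printed by `dig +short CAA <domain>`, e.g.  0 issue "letsencrypt.org"
# $1:    CA identifier to look for.
# Exit status 0 = issuance permitted, 1 = blocked by CAA.
caa_allows() {
    awk -v ca="$1" '
        tolower($2) == "issue" {
            restricted = 1
            val = ""
            for (i = 3; i <= NF; i++) val = val $i   # value without whitespace
            gsub(/"/, "", val)                       # drop the quotes
            sub(/;.*/, "", val)                      # drop parameters after ";"
            if (tolower(val) == tolower(ca)) allowed = 1
        }
        END {
            # No "issue" records (empty set, or only iodef/issuewild): no restriction.
            if (restricted && !allowed) exit 1
            exit 0
        }'
}

# Constructed record sets (not taken from the real zone).
caa_none()     { :; }
caa_other_ca() { printf '0 issue "digicert.com"\n0 iodef "mailto:sec@example.com"\n'; }
caa_with_le()  { printf '0 issue "digicert.com"\n0 issue "letsencrypt.org"\n'; }
caa_deny_all() { printf '0 issue ";"\n'; }

for rs in caa_none caa_other_ca caa_with_le caa_deny_all; do
    if $rs | caa_allows letsencrypt.org; then
        echo "$rs: issuance permitted"
    else
        echo "$rs: blocked, add: CAA 0 issue \"letsencrypt.org\""
    fi
done
```

Against a live zone the call is `dig +short CAA <domain> | caa_allows letsencrypt.org`; an empty answer counts as permitted because a domain with no CAA records places no restriction on issuance.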

  5. App-side configuration

    Make the app aware of its new host so that canonical URLs, OAuth callbacks (when Phase 4 auth lands), and absolute links resolve correctly.

    1. Set NEXT_PUBLIC_SITE_URL in Vercel

      Settings → Environment Variables → Add: key `NEXT_PUBLIC_SITE_URL`, value `https://woxa-contents.com`, scope Production only. The layout.tsx metadata loader already reads this — preview deployments will keep using the vercel.app URL.

    2. Redeploy Production

      Environment variable changes only apply to NEW deployments. Deployments → three dots → Redeploy (uncheck 'use existing build cache').

      Verify: View HTML source of https://woxa-contents.com — `<meta property="og:url" content="https://woxa-contents.com/">` and canonical link tag both use the new host.

    3. Pre-register OAuth redirect URIs (Phase 4 only)

      When Supabase Auth lands, add `https://woxa-contents.com/auth/callback` and `https://www.woxa-contents.com/auth/callback` to both Supabase's redirect-URL allowlist and Google OAuth's authorized redirect URIs.

  6. End-to-end verification

    A disciplined checklist to confirm the domain is healthy before announcing it to the team.

    1. DNS propagation

      Check from multiple resolvers to catch regional cache staleness. Use dnschecker.org/#A/woxa-contents.com — all or nearly all nodes must return 76.76.21.21.

    2. Certificate chain

      Run `openssl s_client -connect woxa-contents.com:443 -servername woxa-contents.com < /dev/null | openssl x509 -noout -subject -issuer -dates` — subject must include woxa-contents.com, issuer must be Let's Encrypt, notAfter must be > 30 days out.

    3. Apex ↔ www redirect

      Visit `https://www.woxa-contents.com` — must 308-redirect to `https://woxa-contents.com`. Visit `http://woxa-contents.com` — must 308 to `https://woxa-contents.com`.

    4. Full app smoke test on the new host

      Open `https://woxa-contents.com` → dashboard loads → /create wizard completes → a generation lands in /library. Every private asset served from Blob must still load (no mixed content warnings).

    5. Security headers

      Run `curl -sI https://woxa-contents.com` — expect `strict-transport-security: max-age=...` (HSTS), `x-frame-options`, and `x-content-type-options: nosniff` from Vercel's default edge.

    6. Social preview rendering

      Paste `https://woxa-contents.com` into Slack, LinkedIn, or a Telegram chat to force a new unfurl. Card should show the IUX title, description, and theme color — not a bare URL.

    If any step fails, roll back by unassigning the domain in Vercel (Settings → Domains → Remove). The old *.vercel.app URL keeps working unchanged.
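The redirect and security-header checks in Phase 6 (steps 3 and 5) can be turned into pass/fail gates instead of being read by eye. The script below is an added example, not part of the original runbook: the function names and the sample responses are constructed, and each check reads the output of one `curl -sI <url>` call on stdin.

```shell
#!/bin/sh
# Evaluate `curl -sI <url>` output; each check reads one response on stdin.

# Print the value of header $1 (name matched case-insensitively).
header_value() {
    tr -d '\r' | awk -v h="$1" '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == tolower(h)) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }
    }'
}

# Succeeds only for a 308 whose Location is $1 (trailing slash ignored).
is_308_to() {
    resp=$(tr -d '\r')
    [ "$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')" = "308" ] || return 1
    loc=$(printf '%s\n' "$resp" | header_value location)
    [ "${loc%/}" = "${1%/}" ]
}

# Succeeds if HSTS has max-age > 0 and the other two headers the runbook expects are set.
has_baseline_headers() {
    resp=$(tr -d '\r')
    hsts=$(printf '%s\n' "$resp" | header_value strict-transport-security | tr 'A-Z' 'a-z')
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -gt 0 ] || return 1
    [ -n "$(printf '%s\n' "$resp" | header_value x-frame-options)" ] || return 1
    nosniff=$(printf '%s\n' "$resp" | header_value x-content-type-options | tr 'A-Z' 'a-z')
    [ "$nosniff" = "nosniff" ]
}

# Constructed sample responses (not captured from the real host).
sample_www() { printf 'HTTP/2 308\r\nlocation: https://woxa-contents.com/\r\nserver: Vercel\r\n\r\n'; }
sample_apex() {
    printf 'HTTP/2 200\r\nserver: Vercel\r\n'
    printf 'strict-transport-security: max-age=63072000\r\n'
    printf 'x-frame-options: DENY\r\nx-content-type-options: nosniff\r\n\r\n'
}

sample_www  | is_308_to https://woxa-contents.com && echo "www -> apex redirect: ok"
sample_apex | has_baseline_headers && echo "security headers: ok"
```

A 301 or 302 fails `is_308_to` on purpose, and an HSTS header with `max-age=0` fails `has_baseline_headers`, since that value tells browsers to drop the HSTS policy.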

  7. Post-launch hygiene

    Ongoing checks so the domain stays healthy long after the excitement fades.

    1. Renew-watch the certificate

      Vercel auto-renews 30 days before expiry. Set a calendar reminder for 45 days pre-expiry to manually confirm — preventing a silent failure.

    2. Monitor uptime externally

      Add https://woxa-contents.com to an external monitor (UptimeRobot, Checkly). Internal Vercel alerts don't fire if DNS is the problem — only outside checks do.

    3. Rotate secrets on cutover

      Best practice after a domain migration: rotate GOOGLE_SERVICE_ACCOUNT_JSON and BLOB_READ_WRITE_TOKEN so old previews can't silently keep calling production APIs.

    4. Update internal docs and bookmarks

      Search-and-replace the old URL in Notion / Slack canvases / Linear. Keep at least one cross-reference to the vercel.app URL for 2 weeks as a fallback link.

Definition of done

  • https://woxa-contents.com returns the dashboard over HTTPS with a lock icon.
  • https://www.woxa-contents.com 308-redirects to the apex.
  • http://woxa-contents.com 308-redirects to HTTPS.
  • TLS certificate issued by Let's Encrypt, expiry > 60 days out.
  • OG preview in Slack / LinkedIn renders branded card with woxa-contents.com URL.
  • A full generation completes end-to-end on the new host.

IUX Social Studio · Prototype · CI Guideline v1.0
Model: imagen-4.0-ultra-generate-001 · Vertex AI