From 657ebc44b9419dfff44f5bdfd040e5aa323139d5 Mon Sep 17 00:00:00 2001
From: Arthur Belleville <arthur.belleville@datadoghq.com>
Date: Fri, 24 Apr 2026 16:22:51 +0200
Subject: [PATCH] chore(admin): align domain and deploy command

---
 apps/admin/worker/index.test.ts | 10 +++++-----
 apps/admin/wrangler.toml        |  6 +-----
 docs/ADMIN_APP_ACCESS_SETUP.md  | 18 +++++++++++++++++-
 package.json                    |  2 +-
 4 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/apps/admin/worker/index.test.ts b/apps/admin/worker/index.test.ts
index 87124e8..41bc176 100644
--- a/apps/admin/worker/index.test.ts
+++ b/apps/admin/worker/index.test.ts
@@ -22,7 +22,7 @@ describe("admin worker firewall", () => {
 
   it("serves the admin access gate when no session cookie is present", async () => {
     const response = await worker.fetch(
-      new Request("https://admin.internal.xtablo.com/", {
+      new Request("https://admin-panel.xtablo.com/", {
         headers: {
           accept: "text/html",
         },
@@ -35,7 +35,7 @@ describe("admin worker firewall", () => {
   });
 
   it("creates a signed app session cookie from a valid access token", async () => {
-    const request = new Request("https://admin.internal.xtablo.com/__admin/access", {
+    const request = new Request("https://admin-panel.xtablo.com/__admin/access", {
       body: new URLSearchParams({ accessToken: env.ADMIN_APP_ACCESS_TOKEN }),
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
@@ -46,13 +46,13 @@ describe("admin worker firewall", () => {
     const response = await worker.fetch(request, env);
 
     expect(response.status).toBe(302);
-    expect(response.headers.get("location")).toBe("https://admin.internal.xtablo.com/");
+    expect(response.headers.get("location")).toBe("https://admin-panel.xtablo.com/");
     expect(response.headers.get("set-cookie")).toContain(`${ADMIN_APP_SESSION_COOKIE}=`);
   });
 
   it("allows authenticated requests through to static assets", async () => {
     const session = await createSignedAdminAppSession(env.ADMIN_APP_SESSION_SECRET);
-    const request = new Request("https://admin.internal.xtablo.com/", {
+    const request = new Request("https://admin-panel.xtablo.com/", {
       headers: {
         cookie: `${ADMIN_APP_SESSION_COOKIE}=${session}`,
       },
@@ -65,7 +65,7 @@ describe("admin worker firewall", () => {
   });
 
   it("rejects invalid access tokens", async () => {
-    const request = new Request("https://admin.internal.xtablo.com/__admin/access", {
+    const request = new Request("https://admin-panel.xtablo.com/__admin/access", {
       body: new URLSearchParams({ accessToken: "wrong-token" }),
       headers: {
         accept: "text/html",
diff --git a/apps/admin/wrangler.toml b/apps/admin/wrangler.toml
index 8083093..2786105 100644
--- a/apps/admin/wrangler.toml
+++ b/apps/admin/wrangler.toml
@@ -9,8 +9,4 @@ not_found_handling = "single-page-application"
 [observability]
 enabled = true
 
-[env.staging]
-route = { pattern = "admin-staging.internal.xtablo.com", custom_domain = true }
-
-[env.production]
-route = { pattern = "admin.internal.xtablo.com", custom_domain = true }
+route = { pattern = "admin-panel.xtablo.com", custom_domain = true }
diff --git a/docs/ADMIN_APP_ACCESS_SETUP.md b/docs/ADMIN_APP_ACCESS_SETUP.md
index 8734cca..764575a 100644
--- a/docs/ADMIN_APP_ACCESS_SETUP.md
+++ b/docs/ADMIN_APP_ACCESS_SETUP.md
@@ -12,6 +12,22 @@ Set these values for `apps/admin`:
 `ADMIN_APP_ACCESS_TOKEN` is the first-layer token required before the admin SPA will be served.
 `ADMIN_APP_SESSION_SECRET` signs the worker-issued app session cookie after that token is accepted.
 
+Production domain: `https://admin-panel.xtablo.com`
+
+## Deploy commands
+
+Use the root command:
+
+```bash
+pnpm deploy:admin
+```
+
+Or directly from the app package:
+
+```bash
+pnpm --filter @xtablo/admin deploy
+```
+
 ## Required API configuration
 
 Set these values for `apps/api`:
@@ -22,7 +38,7 @@ Set these values for `apps/api`:
 
 `ADMIN_TOKEN_SIGNING_SECRET` signs short-lived admin session tokens.
 `ADMIN_TOKEN_AUDIENCE` scopes privileged access to the admin app only.
-`ADMIN_APP_URL` is the allowed frontend origin for the internal admin surface.
+`ADMIN_APP_URL` is the allowed frontend origin for the admin surface, for example `https://admin-panel.xtablo.com`.
 
 ## Access model
 
diff --git a/package.json b/package.json
index 6c383b5..9885577 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,7 @@
     "dev:api": "turbo dev --filter=@xtablo/api",
     "deploy:main:staging": "turbo deploy:staging --filter=@xtablo/main",
     "deploy:main:prod": "turbo deploy:prod --filter=@xtablo/main",
-    "deploy:admin": "turbo deploy --filter=@xtablo/admin",
+    "deploy:admin": "pnpm --filter @xtablo/admin deploy",
     "deploy:chat": "turbo deploy --filter=@xtablo/chat-worker",
     "deploy:external": "turbo deploy --filter=@xtablo/external",
     "lint": "turbo lint",