Runbook — point the app at `app.nightingalepm.com`

How to attach (or move) the production app to a custom subdomain. Written for the app.nightingalepm.com cutover; reuse the same steps for any future subdomain.

Context for this app

Hosted on Vercel (project npm-helper-app); production branch is main.
Auth redirects are built from the request origin (url.origin / host header), not a hardcoded URL — so login, OAuth callback, and password-recovery flows follow whatever domain serves the app automatically. The only code knob is NEXT_PUBLIC_SITE_URL (absolute OG/share URLs via metadataBase); it defaults to https://app.nightingalepm.com.
nightingalepm.com is registered/DNS-managed at GoDaddy (the marketing site). We add a subdomain only — the apex stays on GoDaddy.

1. Vercel — add the domain

Vercel → project npm-helper-app → Settings → Domains → add app.nightingalepm.com. Vercel shows the DNS record to create (a CNAME, target usually cname.vercel-dns.com).

2. GoDaddy — create the DNS record

GoDaddy → nightingalepm.com → DNS → Manage DNS → Add:

Field	Value
Type	`CNAME`
Name / Host	`app`
Value / Points to	`cname.vercel-dns.com` (use the exact value Vercel showed)
TTL	default (1 hr)

⚠️ Do not touch the apex @ or www records — those keep the GoDaddy marketing site live. Vercel auto-issues the Let's Encrypt SSL cert once it sees the CNAME (minutes to ~1 hr).

3. Environment variable (Vercel)

Vercel → Settings → Environment Variables → set for Production (and Preview if desired):

NEXT_PUBLIC_SITE_URL = https://app.nightingalepm.com

Redeploy so it takes effect. (Defaults to this value in code, so OG tags are correct even if unset.)

4. Supabase — allow the new origin

Supabase dashboard → Authentication → URL Configuration:

Site URL → https://app.nightingalepm.com
Redirect URLs → add https://app.nightingalepm.com/** (covers Google SSO callback /api/auth/callback and contractor recovery /api/auth/contractor-recovery → /contractor/reset-password).
Keep the *.vercel.app entry if you still use the Vercel URL.

Google Cloud OAuth: the authorized redirect URI is Supabase's https://<project-ref>.supabase.co/auth/v1/callback (domain-independent — no change). Only if you've restricted Authorized JavaScript origins, add https://app.nightingalepm.com.

5. Cloudflare Turnstile (only if enabled)

Turnstile is optional: if NEXT_PUBLIC_TURNSTILE_SITE_KEY / TURNSTILE_SECRET_KEY are unset in Vercel, the /apply bot-check is off (honeypot + rate-limit still apply) and you can skip this step.

If the keys are set: dash.cloudflare.com → Turnstile → the widget whose Site Key matches NEXT_PUBLIC_TURNSTILE_SITE_KEY → Settings → Hostname Management → add app.nightingalepm.com (keep localhost and any existing *.vercel.app) → Save.

6. Verify after DNS propagates

https://app.nightingalepm.com/apply — form loads, SSL padlock, OG preview resolves to the domain.
https://app.nightingalepm.com/login — Google SSO round-trips back to /admin.
https://app.nightingalepm.com/contractor/login — contractor sign-in + password reset.
Submit a test application end-to-end (lands in application_raw).

Checklist

Vercel: domain added
GoDaddy: app CNAME → cname.vercel-dns.com
Vercel: NEXT_PUBLIC_SITE_URL set + redeploy
Supabase: Site URL + redirect allowlist
Cloudflare Turnstile hostname (only if keys set)
Smoke-tested /apply, /login, /contractor/login on the new domain

1. Vercel — add the domain​

2. GoDaddy — create the DNS record​

3. Environment variable (Vercel)​

4. Supabase — allow the new origin​

5. Cloudflare Turnstile (only if enabled)​

6. Verify after DNS propagates​

Checklist​