feat(cloud-shared): rebrand-ready agent base domain config

Three coordinated changes prepare the cloud-shared layer for the
in-flight rebrand from waifu.fun / milady.ai / shad0w.xyz to
elizacloud.ai, all gated on env vars so the runtime impact is zero
until ELIZA_CLOUD_AGENT_BASE_DOMAIN flips in deployment env:

1. `DOMAIN_ALIAS_GROUPS` extended from the original
   [waifu.fun, eliza.ai] pair to the full 5-domain group
   [waifu.fun, eliza.ai, elizacloud.ai, milady.ai, shad0w.xyz]. The
   pairing-token CORS Origin check now tries every alternate, so a
   token issued against `<uuid>.waifu.fun` validates when the user
   reaches `<uuid>.elizacloud.ai` (or any other group member).

   The alias resolver is extracted into a standalone pure module
   `pairing-token-domains.ts` so it can be unit-tested without
   dragging in the Postgres repository import chain. The DB-bound
   service in `pairing-token.ts` re-exports the same names for back
   compat with existing callers.

2. `DEFAULT_AGENT_BASE_DOMAIN` in `eliza-agent-web-ui.ts` flips
   from "waifu.fun" to "elizacloud.ai" so a fresh deploy without
   `ELIZA_CLOUD_AGENT_BASE_DOMAIN` set picks the rebrand brand by
   default. Existing deployments override via the env var (currently
   set to "milady.ai" on the prod manager VM) — unchanged.

3. Stale comment `Public URL: https://{agentId}.waifu.fun/...` in
   eliza-sandbox.ts replaced with the env-var-templated equivalent so
   the comment ages with the deployment, not against it.

Tests: 8 sociable specs in `pairing-token.test.ts` cover the alias
matrix (suffix anchoring, UUID prefix preservation, port round-trip,
unparseable input, group membership guarantee). bun test 8/8 pass.

Author: standujar

packages/cloud-shared/src/lib/eliza-agent-web-ui.ts

@@ -1,6 +1,6 @@
 import type { AgentSandbox } from "../db/schemas/agent-sandboxes";
 
-const DEFAULT_AGENT_BASE_DOMAIN = "waifu.fun";
+const DEFAULT_AGENT_BASE_DOMAIN = "elizacloud.ai";
 
 type ElizaAgentWebUiTarget = Pick<
   AgentSandbox,
@@ -16,7 +16,7 @@ export interface ElizaAgentWebUiUrlOptions {
   path?: string;
 }
 
-/** Resolved base domain for the current deployment (e.g. "waifu.fun"). */
+/** Resolved base domain for the current deployment (e.g. "elizacloud.ai"). */
 export function getAgentBaseDomain(): string {
   return (
     normalizeAgentBaseDomain(process.env.ELIZA_CLOUD_AGENT_BASE_DOMAIN) ?? DEFAULT_AGENT_BASE_DOMAIN
@@ -59,7 +59,7 @@ function applyPath(baseUrl: string, path = "/"): string {
  * Public HTTPS URL `{sandbox.id}.{domain}`.
  *
  * **Omit `baseDomain` or set it to `undefined`:** resolve from `ELIZA_CLOUD_AGENT_BASE_DOMAIN`,
- * then the built-in default domain (`waifu.fun`). Empty env is treated like unset (same as
+ * then the built-in default domain (`elizacloud.ai`). Empty env is treated like unset (same as
  * {@link getAgentBaseDomain}).
  *
  * **Pass any other `baseDomain` (including `null` or `""`):** use only that value after

packages/cloud-shared/src/lib/services/eliza-sandbox.ts

@@ -2187,7 +2187,7 @@ export class ElizaSandboxService {
       const agentBaseDomain = process.env.ELIZA_CLOUD_AGENT_BASE_DOMAIN;
       let endpoint: string;
       if (agentBaseDomain) {
-        // Public URL: https://{agentId}.waifu.fun/api/wallet/...
+        // Public URL: https://{agentId}.{ELIZA_CLOUD_AGENT_BASE_DOMAIN}/api/wallet/...
         endpoint = `https://${agentId}.${agentBaseDomain}${fullPath}`;
       } else if (rec.web_ui_port && rec.node_id) {
         // Internal fallback: http://{host}:{web_ui_port}/api/wallet/...

packages/cloud-shared/src/lib/services/pairing-token-domains.ts

@@ -0,0 +1,48 @@
+// Domain alias groups — all domains in a group resolve to the same agent
+// container. Each agent's public URL may be rewritten between any two
+// domains in the same group (e.g. the dashboard generates an
+// `<uuid>.elizacloud.ai` link but the agent was originally provisioned with
+// an `<uuid>.waifu.fun` Origin), so token validation tries every alias.
+//
+// `.elizacloud.ai` is the canonical post-2026-05 brand; the others are
+// kept during the rebrand grace period and can be retired one by one once
+// no DB rows reference them.
+//
+// Pure data + pure function — extracted from `pairing-token.ts` so the
+// alias logic stays unit-testable without pulling the Postgres repository
+// import chain.
+
+export const DOMAIN_ALIAS_GROUPS: readonly (readonly string[])[] = [
+  [".waifu.fun", ".eliza.ai", ".elizacloud.ai", ".milady.ai", ".shad0w.xyz"],
+];
+
+/**
+ * Given an origin like https://uuid.waifu.fun, return every other origin
+ * that resolves to the same agent container under
+ * {@link DOMAIN_ALIAS_GROUPS}. Empty array if the origin's hostname does
+ * not match any aliased suffix, or if the input is not a parseable URL.
+ */
+export function getAlternateDomainOrigins(origin: string): string[] {
+  let url: URL;
+  try {
+    url = new URL(origin);
+  } catch {
+    return [];
+  }
+  for (const group of DOMAIN_ALIAS_GROUPS) {
+    const matched = group.find((suffix) => url.hostname.endsWith(suffix));
+    if (!matched) continue;
+    const alternates: string[] = [];
+    for (const candidate of group) {
+      if (candidate === matched) continue;
+      const altUrl = new URL(url.toString());
+      altUrl.hostname = url.hostname.replace(
+        new RegExp(`${matched.replaceAll(".", "\\.")}$`),
+        candidate,
+      );
+      alternates.push(altUrl.origin);
+    }
+    return alternates;
+  }
+  return [];
+}

packages/cloud-shared/src/lib/services/pairing-token.test.ts

@@ -0,0 +1,91 @@
+import { describe, expect, it } from "bun:test";
+import { DOMAIN_ALIAS_GROUPS, getAlternateDomainOrigins } from "./pairing-token-domains";
+
+describe("getAlternateDomainOrigins", () => {
+  it("returns every other suffix in the same alias group", () => {
+    // The canonical group is the first entry. Verify all five domains
+    // produce four alternates each (the matched suffix is excluded).
+    const inputs = [
+      "https://abc.waifu.fun",
+      "https://abc.eliza.ai",
+      "https://abc.elizacloud.ai",
+      "https://abc.milady.ai",
+      "https://abc.shad0w.xyz",
+    ];
+
+    for (const origin of inputs) {
+      const alts = getAlternateDomainOrigins(origin);
+      expect(alts).toHaveLength(4);
+      expect(alts).not.toContain(origin);
+      const hostnames = alts.map((url) => new URL(url).hostname);
+      for (const hostname of hostnames) {
+        expect(hostname.startsWith("abc.")).toBe(true);
+      }
+    }
+  });
+
+  it("rewrites the suffix while keeping the agent UUID prefix intact", () => {
+    const alts = getAlternateDomainOrigins(
+      "https://9d77d8b5-1d63-4b4c-9bd1-ec1b5deb4dc8.waifu.fun",
+    );
+    const hostnames = alts.map((u) => new URL(u).hostname).sort();
+    expect(hostnames).toEqual(
+      [
+        "9d77d8b5-1d63-4b4c-9bd1-ec1b5deb4dc8.eliza.ai",
+        "9d77d8b5-1d63-4b4c-9bd1-ec1b5deb4dc8.elizacloud.ai",
+        "9d77d8b5-1d63-4b4c-9bd1-ec1b5deb4dc8.milady.ai",
+        "9d77d8b5-1d63-4b4c-9bd1-ec1b5deb4dc8.shad0w.xyz",
+      ].sort(),
+    );
+  });
+
+  it("preserves the URL port when an origin includes one", () => {
+    // `URL.origin` keeps non-default ports — the alternate origins must
+    // round-trip them so a sandbox served on :8443 still matches its alias.
+    const alts = getAlternateDomainOrigins("https://abc.waifu.fun:8443");
+    expect(alts.length).toBeGreaterThan(0);
+    for (const alt of alts) {
+      const url = new URL(alt);
+      expect(url.port).toBe("8443");
+    }
+  });
+
+  it("returns an empty array when no aliased suffix matches", () => {
+    expect(getAlternateDomainOrigins("https://example.com")).toEqual([]);
+    expect(getAlternateDomainOrigins("https://app.elizacloud.io")).toEqual([]);
+    expect(getAlternateDomainOrigins("https://waifu.fun.evil.tld")).toEqual([]);
+  });
+
+  it("returns an empty array for unparseable input rather than throwing", () => {
+    expect(getAlternateDomainOrigins("not a url")).toEqual([]);
+    expect(getAlternateDomainOrigins("")).toEqual([]);
+    expect(getAlternateDomainOrigins("://no-protocol")).toEqual([]);
+  });
+
+  it("matches the suffix on the right boundary (no partial-domain false positive)", () => {
+    // `notwaifu.fun` contains the literal text `waifu.fun` but does not end
+    // with `.waifu.fun`, so it must not alias into the group.
+    expect(getAlternateDomainOrigins("https://abc.notwaifu.fun")).toEqual([]);
+    expect(getAlternateDomainOrigins("https://abceliza.ai")).toEqual([]);
+  });
+});
+
+describe("DOMAIN_ALIAS_GROUPS", () => {
+  it("declares the rebrand-target domain `.elizacloud.ai` so the suffix matches", () => {
+    // This is the load-bearing guarantee for the rebrand: pairing tokens
+    // issued against `.waifu.fun` must validate when the dashboard rewrites
+    // the agent URL to `.elizacloud.ai`. If someone removes elizacloud.ai
+    // from the group, this test fails loudly.
+    const allDomains = DOMAIN_ALIAS_GROUPS.flat();
+    expect(allDomains).toContain(".elizacloud.ai");
+    expect(allDomains).toContain(".waifu.fun");
+  });
+
+  it("uses leading-dot suffixes so subdomain matching is anchored", () => {
+    for (const group of DOMAIN_ALIAS_GROUPS) {
+      for (const suffix of group) {
+        expect(suffix.startsWith(".")).toBe(true);
+      }
+    }
+  });
+});

packages/cloud-shared/src/lib/services/pairing-token.ts

@@ -1,4 +1,7 @@
 import { agentPairingTokensRepository } from "../../db/repositories/agent-pairing-tokens";
+import { DOMAIN_ALIAS_GROUPS, getAlternateDomainOrigins } from "./pairing-token-domains";
+
+export { DOMAIN_ALIAS_GROUPS, getAlternateDomainOrigins };
 
 interface PairingToken {
   userId: string;
@@ -47,35 +50,7 @@ function createPairingToken(): string {
   return base64UrlEncode(bytes);
 }
 
-// Domain aliases — waifu.fun and eliza.ai resolve to the same containers.
-// The dashboard rewrites URLs from one to the other, so the Origin header
-// sent by pair.html may use either domain.
-const DOMAIN_ALIASES: [string, string][] = [[".waifu.fun", ".eliza.ai"]];
-
 class PairingTokenService {
-  /**
-   * Given an origin like https://uuid.waifu.fun, return https://uuid.eliza.ai
-   * (and vice versa). Returns null if no alias applies.
-   */
-  private getAlternateDomainOrigin(origin: string): string | null {
-    for (const [a, b] of DOMAIN_ALIASES) {
-      try {
-        const url = new URL(origin);
-        if (url.hostname.endsWith(a)) {
-          url.hostname = url.hostname.replace(new RegExp(`${a.replaceAll(".", "\\.")}$`), b);
-          return url.origin;
-        }
-        if (url.hostname.endsWith(b)) {
-          url.hostname = url.hostname.replace(new RegExp(`${b.replaceAll(".", "\\.")}$`), a);
-          return url.origin;
-        }
-      } catch {
-        // Invalid URL — skip
-      }
-    }
-    return null;
-  }
-
   async generateToken(
     userId: string,
     orgId: string,
@@ -117,16 +92,18 @@ class PairingTokenService {
       normalizedOrigin,
     );
 
-    // If no match, try the alternate domain. The dashboard may rewrite
-    // waifu.fun → eliza.ai (or vice versa) which changes the Origin header
-    // but both domains resolve to the same agent container.
+    // If no match, try each alternate domain in the same alias group. The
+    // dashboard may rewrite the agent URL between any two aliased domains
+    // (waifu.fun ↔ eliza.ai ↔ elizacloud.ai ↔ milady.ai ↔ shad0w.xyz), and
+    // we cannot predict which one is stored as `expected_origin` for a
+    // given token row.
     if (!row) {
-      const alternateOrigin = this.getAlternateDomainOrigin(normalizedOrigin);
-      if (alternateOrigin) {
+      for (const alternateOrigin of getAlternateDomainOrigins(normalizedOrigin)) {
         row = await agentPairingTokensRepository.consumeValidToken(
           await hashToken(token),
           alternateOrigin,
         );
+        if (row) break;
       }
     }