docs/04-configuration/FQDN_EXPECTED_CONTENT.md

# FQDN expected content (what users and clients should see)

**Last Updated:** 2026-03-27 (aligned with EXPECTED_WEB_CONTENT deployment table v1.5)  
**Purpose:** One-page description of **what should be presented** at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.

**Canonical routing (IPs, VMIDs, ports):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).  
**Product depth (Sankofa / Phoenix / explorer narrative):** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).  
**Deployment status (VMID / upstream matrix):** same doc, section **Deployment Status** (authoritative for `portal` / `admin` / `dash` / `blockscout.defi-oracle.io` rows).  
**Automated checks:** [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.

---

## Legend

| Kind | Meaning |
|------|---------|
| **Web** | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. |
| **API** | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. |
| **RPC-HTTP** | **No marketing page.** JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. |
| **RPC-WS** | **No HTML.** WebSocket upgrade; JSON-RPC / subscription traffic. |
| **301** | Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). |

---

## sankofa.nexus zone

**Canonical roles:** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table).

### Public web (unauthenticated visitors for marketing / division pages)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `sankofa.nexus` | Web | **Sankofa — Sovereign Technologies:** public corporate / brand web (mission, narrative, entry points). |
| `www.sankofa.nexus` | 301 → apex | Browser ends on `https://sankofa.nexus/...`. |
| `phoenix.sankofa.nexus` | Web / API | **Phoenix Cloud Services** (division of Sankofa): public-facing **division web** (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. |
| `www.phoenix.sankofa.nexus` | 301 → apex | Browser ends on `https://phoenix.sankofa.nexus/...`. |

### Client SSO (system SSO; Keycloak as IdP)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `keycloak.sankofa.nexus` | Web / IdP | **Identity provider** for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator **Keycloak admin** at `/admin`. Backs **`admin`** and **`portal`** redirects—not a substitute for those apps. |
| `admin.sankofa.nexus` | Web | **Client SSO:** administer access (users, roles, org access policy). |
| `portal.sankofa.nexus` | Web | **Client SSO:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services. |

**Typical upstream (when NPM is wired)** — see [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) **Deployment Status**:

| FQDN | VMID / target | Notes |
|------|---------------|--------|
| `keycloak.sankofa.nexus` | **7802** (detail in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md)) | IdP + `/admin` for platform operators |
| `portal.sankofa.nexus` | **7801** · `192.168.11.51:3000` | ✅ **Active** when NPM routes here; public OIDC / `NEXTAUTH_URL` via `scripts/deployment/sync-sankofa-portal-7801.sh` |
| `admin.sankofa.nexus` | 🔶 **Not pinned** in VM inventory | Hostname **intent**; NPM + app upstream TBD; may share **7801** until split |

### Operator / systems (IP-gated + MFA)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dash.sankofa.nexus` | Web | **IP allowlisting** + **system authentication** + **MFA:** unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |

**Typical upstream:** 🔶 **Not pinned** in VM inventory until NPM and operator dash app are authoritative (same **Deployment Status** table).

### Other properties on the zone

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `the-order.sankofa.nexus` | Web | **OSJ / Order management** portal (secure auth); app **the_order**. Upstream: HAProxy **10210** → portal stack. |
| `www.the-order.sankofa.nexus` | 301 → apex | Browser ends on `https://the-order.sankofa.nexus/...`. |
| `studio.sankofa.nexus` | Web | **Sankofa Studio (FusionAI)** UI under `/studio/` (and related API routes on same origin). |

---

## d-bis.org (DBIS + infrastructure)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `explorer.d-bis.org` | Web | **SolaceScanScout / Blockscout** UI: blocks, txs, addresses, tokens, contract verification for **Chain 138**. Public, no login for browse. |
| `docs.d-bis.org` | Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). |
| `dbis-admin.d-bis.org` | Web | DBIS **admin** frontend (dashboard). |
| `secure.d-bis.org` | Web | DBIS **secure** authenticated portal. |
| `dbis-api.d-bis.org` | API | DBIS **core API** (aggregation, OTC, exchange JSON). |
| `dbis-api-2.d-bis.org` | API | Secondary DBIS API instance. |
| `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` | Web | **MIM4U** property sites (nginx on MIM stack). |
| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. |
| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | RPC-WS | **Public Besu WebSocket** RPC. |
| `rpc-http-prv.d-bis.org` | RPC-HTTP | **Core / private** JSON-RPC (permissioned use). |
| `rpc-ws-prv.d-bis.org` | RPC-WS | **Core / private** WebSocket RPC. |
| `rpc-fireblocks.d-bis.org` | RPC-HTTP | **Fireblocks-dedicated** JSON-RPC endpoint. |
| `ws.rpc-fireblocks.d-bis.org` | RPC-WS | **Fireblocks-dedicated** WebSocket RPC. |
| `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` | RPC-HTTP | **Alltra** RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). |
| `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` | RPC-HTTP | **HYBX** RPC fronts; same class as Alltra. |
| `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` | Web | **Cacti** monitoring UI (graphs, device views). |
| `mifos.d-bis.org` | Web | **Mifos** banking platform UI (when backend healthy). |
| `dapp.d-bis.org` | Web | **DApp** static/hosted frontend (VMID per ALL_VMIDS). |
| `gitea.d-bis.org` | Web | **Gitea** git forge UI. |
| `dev.d-bis.org` | Web | **Dev** workspace UI (codespaces / dev host). |
| `codespaces.d-bis.org` | Web | **Codespaces / dev** related web entry (as wired on NPM). |

---

## defi-oracle.io (ThirdWeb / public edge)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. |
| `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). |
| `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. |
| `blockscout.defi-oracle.io` | Web | **Blockscout** explorer UI (generic / reference). When NPM proxies here, routing summaries align with **VMID 5000** (`192.168.11.140:80`, TLS at NPM). **Not** canonical **SolaceScanScout / Chain 138** branding—that is **`explorer.d-bis.org`**. Confirm live NPM if behavior differs. |

---

## xom-dev.phoenix.sankofa.nexus (gov portals dev)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dbis.xom-dev.phoenix.sankofa.nexus` | Web | Gov portals **dev** app on port **3001** (VMID 7804 family). |
| `iccc.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3002**. |
| `omnl.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3003**. |
| `xom.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3004**. |

---

## Operator checklist

- **Wrong content** (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means **NPM upstream** or **DNS** is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).
- **301 on `www.*`** is intentional; content is judged on the **apex** hostname after redirect.

---

**Inventory alignment:** `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` includes **`keycloak.sankofa.nexus`**, **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, **`dash.sankofa.nexus`**, **`docs.d-bis.org`**, and **`blockscout.defi-oracle.io`** (see [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md); `--list-endpoints --profile=public`). They are in **`E2E_OPTIONAL_WHEN_FAIL`** so unwired NPM or off-LAN runs still exit **0**. **`portal.sankofa.nexus`** is expected on **VMID 7801** when NPM is configured ( **Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (not **`explorer.d-bis.org`** branding). **xom-dev** hostnames are not in the E2E list yet—add when NPM routes are stable.
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`# FQDN expected content (what users and clients should see)`

docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			`Last Updated: 2026-03-27 (aligned with EXPECTED_WEB_CONTENT deployment table v1.5)`
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`Purpose: One-page description of what should be presented at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.`

			`Canonical routing (IPs, VMIDs, ports): [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).`
			`Product depth (Sankofa / Phoenix / explorer narrative): [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).`
docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			Deployment status (VMID / upstream matrix): same doc, section Deployment Status (authoritative for `portal` / `admin` / `dash` / `blockscout.defi-oracle.io` rows).
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			Automated checks: [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.

			`---`

			`## Legend`

			`\| Kind \| Meaning \|`
			`\|------\|---------\|`
			`\| Web \| Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. \|`
			`\| API \| Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. \|`
			\| RPC-HTTP \| No marketing page. JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. \|
			`\| RPC-WS \| No HTML. WebSocket upgrade; JSON-RPC / subscription traffic. \|`
			\| 301 \| Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). \|

			`---`

			`## sankofa.nexus zone`

			`Canonical roles: [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table).`

			`### Public web (unauthenticated visitors for marketing / division pages)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `sankofa.nexus` \| Web \| Sankofa — Sovereign Technologies: public corporate / brand web (mission, narrative, entry points). \|
			\| `www.sankofa.nexus` \| 301 → apex \| Browser ends on `https://sankofa.nexus/...`. \|
			\| `phoenix.sankofa.nexus` \| Web / API \| Phoenix Cloud Services (division of Sankofa): public-facing division web (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. \|
			\| `www.phoenix.sankofa.nexus` \| 301 → apex \| Browser ends on `https://phoenix.sankofa.nexus/...`. \|

			`### Client SSO (system SSO; Keycloak as IdP)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `keycloak.sankofa.nexus` \| Web / IdP \| Identity provider for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator Keycloak admin at `/admin`. Backs `admin` and `portal` redirects—not a substitute for those apps. \|
			\| `admin.sankofa.nexus` \| Web \| Client SSO: administer access (users, roles, org access policy). \|
			\| `portal.sankofa.nexus` \| Web \| Client SSO: Phoenix cloud services, Sankofa Marketplace subscriptions, and other client-facing services. \|

docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			`Typical upstream (when NPM is wired) — see [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) Deployment Status:`

			`\| FQDN \| VMID / target \| Notes \|`
			`\|------\|---------------\|--------\|`
			\| `keycloak.sankofa.nexus` \| 7802 (detail in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md)) \| IdP + `/admin` for platform operators \|
			\| `portal.sankofa.nexus` \| 7801 · `192.168.11.51:3000` \| ✅ Active when NPM routes here; public OIDC / `NEXTAUTH_URL` via `scripts/deployment/sync-sankofa-portal-7801.sh` \|
			\| `admin.sankofa.nexus` \| 🔶 Not pinned in VM inventory \| Hostname intent; NPM + app upstream TBD; may share 7801 until split \|

docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`### Operator / systems (IP-gated + MFA)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `dash.sankofa.nexus` \| Web \| IP allowlisting + system authentication + MFA: unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). \|

docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			`Typical upstream: 🔶 Not pinned in VM inventory until NPM and operator dash app are authoritative (same Deployment Status table).`

docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`### Other properties on the zone`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `the-order.sankofa.nexus` \| Web \| OSJ / Order management portal (secure auth); app the_order. Upstream: HAProxy 10210 → portal stack. \|
			\| `www.the-order.sankofa.nexus` \| 301 → apex \| Browser ends on `https://the-order.sankofa.nexus/...`. \|
			\| `studio.sankofa.nexus` \| Web \| Sankofa Studio (FusionAI) UI under `/studio/` (and related API routes on same origin). \|

			`---`

			`## d-bis.org (DBIS + infrastructure)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `explorer.d-bis.org` \| Web \| SolaceScanScout / Blockscout UI: blocks, txs, addresses, tokens, contract verification for Chain 138. Public, no login for browse. \|
			\| `docs.d-bis.org` \| Web \| Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). \|
			\| `dbis-admin.d-bis.org` \| Web \| DBIS admin frontend (dashboard). \|
			\| `secure.d-bis.org` \| Web \| DBIS secure authenticated portal. \|
			\| `dbis-api.d-bis.org` \| API \| DBIS core API (aggregation, OTC, exchange JSON). \|
			\| `dbis-api-2.d-bis.org` \| API \| Secondary DBIS API instance. \|
			\| `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` \| Web \| MIM4U property sites (nginx on MIM stack). \|
			\| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` \| RPC-HTTP \| Public Besu JSON-RPC (Chain 138); `eth_chainId` → `0x8a`. \|
			\| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` \| RPC-WS \| Public Besu WebSocket RPC. \|
			\| `rpc-http-prv.d-bis.org` \| RPC-HTTP \| Core / private JSON-RPC (permissioned use). \|
			\| `rpc-ws-prv.d-bis.org` \| RPC-WS \| Core / private WebSocket RPC. \|
			\| `rpc-fireblocks.d-bis.org` \| RPC-HTTP \| Fireblocks-dedicated JSON-RPC endpoint. \|
			\| `ws.rpc-fireblocks.d-bis.org` \| RPC-WS \| Fireblocks-dedicated WebSocket RPC. \|
			\| `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` \| RPC-HTTP \| Alltra RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). \|
			\| `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` \| RPC-HTTP \| HYBX RPC fronts; same class as Alltra. \|
			\| `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` \| Web \| Cacti monitoring UI (graphs, device views). \|
			\| `mifos.d-bis.org` \| Web \| Mifos banking platform UI (when backend healthy). \|
			\| `dapp.d-bis.org` \| Web \| DApp static/hosted frontend (VMID per ALL_VMIDS). \|
			\| `gitea.d-bis.org` \| Web \| Gitea git forge UI. \|
			\| `dev.d-bis.org` \| Web \| Dev workspace UI (codespaces / dev host). \|
			\| `codespaces.d-bis.org` \| Web \| Codespaces / dev related web entry (as wired on NPM). \|

			`---`

			`## defi-oracle.io (ThirdWeb / public edge)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `rpc.public-0138.defi-oracle.io` \| RPC-HTTP \| ThirdWeb-style HTTPS RPC terminator on VMID 2400; JSON-RPC to Chain 138. \|
			\| `rpc.defi-oracle.io` \| RPC-HTTP \| Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). \|
			\| `wss.defi-oracle.io` \| RPC-WS \| Public WebSocket RPC companion. \|
docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			\| `blockscout.defi-oracle.io` \| Web \| Blockscout explorer UI (generic / reference). When NPM proxies here, routing summaries align with VMID 5000 (`192.168.11.140:80`, TLS at NPM). Not canonical SolaceScanScout / Chain 138 branding—that is `explorer.d-bis.org`. Confirm live NPM if behavior differs. \|
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00
			`---`

			`## xom-dev.phoenix.sankofa.nexus (gov portals dev)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `dbis.xom-dev.phoenix.sankofa.nexus` \| Web \| Gov portals dev app on port 3001 (VMID 7804 family). \|
			\| `iccc.xom-dev.phoenix.sankofa.nexus` \| Web \| Idem, port 3002. \|
			\| `omnl.xom-dev.phoenix.sankofa.nexus` \| Web \| Idem, port 3003. \|
			\| `xom.xom-dev.phoenix.sankofa.nexus` \| Web \| Idem, port 3004. \|

			`---`

			`## Operator checklist`

			- Wrong content (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means NPM upstream or DNS is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).
			- *301 on `www.` is intentional; content is judged on the apex** hostname after redirect.

			`---`

feat(e2e): add SSO, docs.d-bis, blockscout.defi-oracle to routing verifier - DOMAIN_TYPES_ALL: keycloak/admin/portal/dash, docs.d-bis.org, blockscout.defi-oracle.io (web) - E2E_OPTIONAL_WHEN_FAIL: same set for soft failures off-LAN - Optional Blockscout /api/v2/stats for blockscout.defi-oracle.io - print-gitea-actions-urls.sh: browser URLs (Actions API not relied on) - E2E_ENDPOINTS_LIST + FQDN inventory alignment updated Made-with: Cursor 2026-03-28 17:29:50 -07:00			Inventory alignment: `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` includes `keycloak.sankofa.nexus`, `admin.sankofa.nexus`, `portal.sankofa.nexus`, `dash.sankofa.nexus`, `docs.d-bis.org`, and `blockscout.defi-oracle.io` (see [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md); `--list-endpoints --profile=public`). They are in `E2E_OPTIONAL_WHEN_FAIL` so unwired NPM or off-LAN runs still exit 0. `portal.sankofa.nexus` is expected on VMID 7801 when NPM is configured ( Deployment Status in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). `admin.sankofa.nexus` and `dash.sankofa.nexus` remain hostname intent until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). `blockscout.defi-oracle.io` aligns with VMID 5000 in routing summaries (not `explorer.d-bis.org` branding). xom-dev hostnames are not in the E2E list yet—add when NPM routes are stable.