fix(ops): completable token-aggregation LAN fallback; NPM Phoenix hub env; explorer 502 note

- run-completable: if public explorer HTTPS check fails, retry check-public-report-api against IP_BLOCKSCOUT HTTP (edge WAN vs LAN drift)
- TOKEN_AGGREGATION_REPORT_API_RUNBOOK: troubleshooting when /token-aggregation/ 502s publicly but LAN is 200
- .env.master.example: default SANKOFA_NPM_PHOENIX_PORT=8080 so NPM fleet updates match hub cutover

Made-with: Cursor

.env.master.example

@@ -517,8 +517,8 @@ SANKOFA_PHOENIX_TENANT_ID=
 # IP_SANKOFA_PHOENIX_API_HUB=
 # SANKOFA_PHOENIX_API_HUB_PORT=8080
 # When API hub nginx is live on Phoenix CT (7800), LAN smoke: curl -sS http://${IP_SANKOFA_PHOENIX_API:-192.168.11.50}:8080/health
-# NPM fleet (phoenix.sankofa.nexus): default = SANKOFA_PHOENIX_API_PORT (:4000). Production cutover uses hub :8080:
-# SANKOFA_NPM_PHOENIX_PORT=8080
+# NPM fleet (phoenix.sankofa.nexus): set 8080 when Tier-1 API hub nginx is live (production); leave unset only for break-glass direct :4000.
+SANKOFA_NPM_PHOENIX_PORT=8080
 # Hub listen port for LAN smoke scripts (distinct from SANKOFA_PHOENIX_API_HUB_PORT / Apollo):
 # SANKOFA_API_HUB_LISTEN_PORT=8080
 # WebSocket upgrade smoke (curl HTTP 101): pnpm run verify:phoenix-graphql-wss

docs/04-configuration/TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md

@@ -15,6 +15,10 @@ bash metamask-integration/chain138-snap/scripts/verify-snap-api-and-icons.sh htt
 
 **If you see "no .tokens" or "no .networks":** The `/api/v1/` path is likely proxied to Blockscout (or another backend) instead of token-aggregation. Proceed to §2. **Repo check:** `scripts/verify/check-public-report-api.sh` tries apex `/api/v1/` first, then `/token-aggregation/api/v1/`, and uses whichever returns a `.networks` array.
 
+### 1.1 HTTPS 502 on `/token-aggregation/` while LAN is OK
+
+If `curl https://explorer.d-bis.org/token-aggregation/api/v1/networks` returns **502** but `curl -H "Host: explorer.d-bis.org" http://192.168.11.140/token-aggregation/api/v1/networks` is **200**, nginx and `token-aggregation` on VMID **5000** are healthy; suspect **WAN port-forward or public IP routing** (one public IP may forward correctly while another does not). Compare `curl -k --resolve explorer.d-bis.org:443:<candidate_wan_ip>` across routed NPM addresses, fix UDM/NAT or Cloudflare **A** for `explorer`, or rely on LAN verification: `bash scripts/verify/check-public-report-api.sh "http://192.168.11.140"`. **`run-completable-tasks-from-anywhere.sh`** retries that LAN URL automatically if the public HTTPS check fails.
+
 ---
 
 ## 2. Deploy token-aggregation (if not running)

scripts/run-completable-tasks-from-anywhere.sh

@@ -24,7 +24,7 @@ if $DRY_RUN; then
   echo "   (optional: python3 -m pip install check-jsonschema — step 1 then validates config/dbis-institutional JSON Schemas too)"
   echo "2. On-chain check (138):   SKIP_EXIT=1 bash scripts/verify/check-contracts-on-chain-138.sh || true"
   echo "3. All validation:         bash scripts/verify/run-all-validation.sh --skip-genesis"
-  echo "4. Public report API:      bash scripts/verify/check-public-report-api.sh"
+  echo "4. Public report API:      bash scripts/verify/check-public-report-api.sh (then LAN explorer IP if public URL fails)"
   echo "5. Public PMM dry-run readiness: bash scripts/verify/check-public-pmm-dry-run-readiness.sh"
   echo "6. Reconcile .env:         bash scripts/verify/reconcile-env-canonical.sh --print"
   echo "   Gas scaffold:           bash scripts/verify/print-gas-runtime-env-canonical.sh"
@@ -55,9 +55,15 @@ echo "[Step 3/10] Run all validation (--skip-genesis)..."
 bash scripts/verify/run-all-validation.sh --skip-genesis
 echo ""
 
-# 4. Emit canonical .env lines for reconciliation
+# 4. Public report API (token-aggregation); LAN fallback when public HTTPS/WAN path is broken (e.g. CF → .36 vs working .40/.42).
 echo "[Step 4/10] Public report API / token-aggregation health..."
-bash scripts/verify/check-public-report-api.sh
+if ! bash scripts/verify/check-public-report-api.sh; then
+  # shellcheck source=/dev/null
+  source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+  LAN_EXPLORER="http://${IP_BLOCKSCOUT:-192.168.11.140}"
+  echo "[WARN] Public URL check failed; retrying token-aggregation via explorer LAN ingress (${LAN_EXPLORER})..."
+  bash scripts/verify/check-public-report-api.sh "$LAN_EXPLORER"
+fi
 echo ""
 
 # 5. Emit canonical .env lines for reconciliation