From 47e3c00928ff39e49ff357a7fb00dde9438be2c2 Mon Sep 17 00:00:00 2001
From: defiQUG <defi@defi-oracle.io>
Date: Mon, 13 Apr 2026 22:04:23 -0700
Subject: [PATCH] fix(ops): completable token-aggregation LAN fallback; NPM
 Phoenix hub env; explorer 502 note

- run-completable: if public explorer HTTPS check fails, retry check-public-report-api against IP_BLOCKSCOUT HTTP (edge WAN vs LAN drift)
- TOKEN_AGGREGATION_REPORT_API_RUNBOOK: troubleshooting when /token-aggregation/ 502s publicly but LAN is 200
- .env.master.example: default SANKOFA_NPM_PHOENIX_PORT=8080 so NPM fleet updates match hub cutover

Made-with: Cursor
---
 .env.master.example                                  |  4 ++--
 .../TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md          |  4 ++++
 scripts/run-completable-tasks-from-anywhere.sh       | 12 +++++++++---
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/.env.master.example b/.env.master.example
index e37243f0..6dfdb5ad 100644
--- a/.env.master.example
+++ b/.env.master.example
@@ -517,8 +517,8 @@ SANKOFA_PHOENIX_TENANT_ID=
 # IP_SANKOFA_PHOENIX_API_HUB=
 # SANKOFA_PHOENIX_API_HUB_PORT=8080
 # When API hub nginx is live on Phoenix CT (7800), LAN smoke: curl -sS http://${IP_SANKOFA_PHOENIX_API:-192.168.11.50}:8080/health
-# NPM fleet (phoenix.sankofa.nexus): default = SANKOFA_PHOENIX_API_PORT (:4000). Production cutover uses hub :8080:
-# SANKOFA_NPM_PHOENIX_PORT=8080
+# NPM fleet (phoenix.sankofa.nexus): set 8080 when Tier-1 API hub nginx is live (production); leave unset only for break-glass direct :4000.
+SANKOFA_NPM_PHOENIX_PORT=8080
 # Hub listen port for LAN smoke scripts (distinct from SANKOFA_PHOENIX_API_HUB_PORT / Apollo):
 # SANKOFA_API_HUB_LISTEN_PORT=8080
 # WebSocket upgrade smoke (curl HTTP 101): pnpm run verify:phoenix-graphql-wss
diff --git a/docs/04-configuration/TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md b/docs/04-configuration/TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md
index 6214c088..313f2fb0 100644
--- a/docs/04-configuration/TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md
+++ b/docs/04-configuration/TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md
@@ -15,6 +15,10 @@ bash metamask-integration/chain138-snap/scripts/verify-snap-api-and-icons.sh htt
 
 **If you see "no .tokens" or "no .networks":** The `/api/v1/` path is likely proxied to Blockscout (or another backend) instead of token-aggregation. Proceed to §2. **Repo check:** `scripts/verify/check-public-report-api.sh` tries apex `/api/v1/` first, then `/token-aggregation/api/v1/`, and uses whichever returns a `.networks` array.
 
+### 1.1 HTTPS 502 on `/token-aggregation/` while LAN is OK
+
+If `curl https://explorer.d-bis.org/token-aggregation/api/v1/networks` returns **502** but `curl -H "Host: explorer.d-bis.org" http://192.168.11.140/token-aggregation/api/v1/networks` is **200**, nginx and `token-aggregation` on VMID **5000** are healthy; suspect **WAN port-forward or public IP routing** (one public IP may forward correctly while another does not). Compare `curl -k --resolve explorer.d-bis.org:443:<candidate_wan_ip>` across routed NPM addresses, fix UDM/NAT or Cloudflare **A** for `explorer`, or rely on LAN verification: `bash scripts/verify/check-public-report-api.sh "http://192.168.11.140"`. **`run-completable-tasks-from-anywhere.sh`** retries that LAN URL automatically if the public HTTPS check fails.
+
 ---
 
 ## 2. Deploy token-aggregation (if not running)
diff --git a/scripts/run-completable-tasks-from-anywhere.sh b/scripts/run-completable-tasks-from-anywhere.sh
index 92e300c7..0006623a 100755
--- a/scripts/run-completable-tasks-from-anywhere.sh
+++ b/scripts/run-completable-tasks-from-anywhere.sh
@@ -24,7 +24,7 @@ if $DRY_RUN; then
   echo "   (optional: python3 -m pip install check-jsonschema — step 1 then validates config/dbis-institutional JSON Schemas too)"
   echo "2. On-chain check (138):   SKIP_EXIT=1 bash scripts/verify/check-contracts-on-chain-138.sh || true"
   echo "3. All validation:         bash scripts/verify/run-all-validation.sh --skip-genesis"
-  echo "4. Public report API:      bash scripts/verify/check-public-report-api.sh"
+  echo "4. Public report API:      bash scripts/verify/check-public-report-api.sh (then LAN explorer IP if public URL fails)"
   echo "5. Public PMM dry-run readiness: bash scripts/verify/check-public-pmm-dry-run-readiness.sh"
   echo "6. Reconcile .env:         bash scripts/verify/reconcile-env-canonical.sh --print"
   echo "   Gas scaffold:           bash scripts/verify/print-gas-runtime-env-canonical.sh"
@@ -55,9 +55,15 @@ echo "[Step 3/10] Run all validation (--skip-genesis)..."
 bash scripts/verify/run-all-validation.sh --skip-genesis
 echo ""
 
-# 4. Emit canonical .env lines for reconciliation
+# 4. Public report API (token-aggregation); LAN fallback when public HTTPS/WAN path is broken (e.g. CF → .36 vs working .40/.42).
 echo "[Step 4/10] Public report API / token-aggregation health..."
-bash scripts/verify/check-public-report-api.sh
+if ! bash scripts/verify/check-public-report-api.sh; then
+  # shellcheck source=/dev/null
+  source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+  LAN_EXPLORER="http://${IP_BLOCKSCOUT:-192.168.11.140}"
+  echo "[WARN] Public URL check failed; retrying token-aggregation via explorer LAN ingress (${LAN_EXPLORER})..."
+  bash scripts/verify/check-public-report-api.sh "$LAN_EXPLORER"
+fi
 echo ""
 
 # 5. Emit canonical .env lines for reconciliation