fix(ops): completable token-aggregation LAN fallback; NPM Phoenix hub env; explorer 502 note

- run-completable: if public explorer HTTPS check fails, retry check-public-report-api against IP_BLOCKSCOUT HTTP (edge WAN vs LAN drift)
- TOKEN_AGGREGATION_REPORT_API_RUNBOOK: troubleshooting when /token-aggregation/ 502s publicly but LAN is 200
- .env.master.example: default SANKOFA_NPM_PHOENIX_PORT=8080 so NPM fleet updates match hub cutover

Made-with: Cursor

docs/04-configuration/TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md

@@ -15,6 +15,10 @@ bash metamask-integration/chain138-snap/scripts/verify-snap-api-and-icons.sh htt
 
 **If you see "no .tokens" or "no .networks":** The `/api/v1/` path is likely proxied to Blockscout (or another backend) instead of token-aggregation. Proceed to §2. **Repo check:** `scripts/verify/check-public-report-api.sh` tries apex `/api/v1/` first, then `/token-aggregation/api/v1/`, and uses whichever returns a `.networks` array.
 
+### 1.1 HTTPS 502 on `/token-aggregation/` while LAN is OK
+
+If `curl https://explorer.d-bis.org/token-aggregation/api/v1/networks` returns **502** but `curl -H "Host: explorer.d-bis.org" http://192.168.11.140/token-aggregation/api/v1/networks` is **200**, nginx and `token-aggregation` on VMID **5000** are healthy; suspect **WAN port-forward or public IP routing** (one public IP may forward correctly while another does not). Compare `curl -k --resolve explorer.d-bis.org:443:<candidate_wan_ip>` across routed NPM addresses, fix UDM/NAT or Cloudflare **A** for `explorer`, or rely on LAN verification: `bash scripts/verify/check-public-report-api.sh "http://192.168.11.140"`. **`run-completable-tasks-from-anywhere.sh`** retries that LAN URL automatically if the public HTTPS check fails.
+
 ---
 
 ## 2. Deploy token-aggregation (if not running)