From 7245e3e9d41cd6228c41eb40a1b029ee7f4ee45e Mon Sep 17 00:00:00 2001
From: defiQUG <defi@defi-oracle.io>
Date: Sat, 28 Mar 2026 16:49:26 -0700
Subject: [PATCH] docs(fqdn): align SSO/dash/blockscout rows with
 EXPECTED_WEB_CONTENT v1.5

- Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent
- blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138)
- Tighten inventory alignment footer

Made-with: Cursor
---
 docs/04-configuration/FQDN_EXPECTED_CONTENT.md | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
index e0b550d..aaa8585 100644
--- a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
+++ b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
@@ -1,10 +1,11 @@
 # FQDN expected content (what users and clients should see)
 
-**Last Updated:** 2026-03-27 (Sankofa hostname tiers: public / SSO / dash)  
+**Last Updated:** 2026-03-27 (aligned with EXPECTED_WEB_CONTENT deployment table v1.5)  
 **Purpose:** One-page description of **what should be presented** at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.
 
 **Canonical routing (IPs, VMIDs, ports):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).  
 **Product depth (Sankofa / Phoenix / explorer narrative):** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).  
+**Deployment status (VMID / upstream matrix):** same doc, section **Deployment Status** (authoritative for `portal` / `admin` / `dash` / `blockscout.defi-oracle.io` rows).  
 **Automated checks:** [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.
 
 ---
@@ -42,12 +43,22 @@
 | `admin.sankofa.nexus` | Web | **Client SSO:** administer access (users, roles, org access policy). |
 | `portal.sankofa.nexus` | Web | **Client SSO:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services. |
 
+**Typical upstream (when NPM is wired)** — see [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) **Deployment Status**:
+
+| FQDN | VMID / target | Notes |
+|------|---------------|--------|
+| `keycloak.sankofa.nexus` | **7802** (detail in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md)) | IdP + `/admin` for platform operators |
+| `portal.sankofa.nexus` | **7801** · `192.168.11.51:3000` | ✅ **Active** when NPM routes here; public OIDC / `NEXTAUTH_URL` via `scripts/deployment/sync-sankofa-portal-7801.sh` |
+| `admin.sankofa.nexus` | 🔶 **Not pinned** in VM inventory | Hostname **intent**; NPM + app upstream TBD; may share **7801** until split |
+
 ### Operator / systems (IP-gated + MFA)
 
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `dash.sankofa.nexus` | Web | **IP allowlisting** + **system authentication** + **MFA:** unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |
 
+**Typical upstream:** 🔶 **Not pinned** in VM inventory until NPM and operator dash app are authoritative (same **Deployment Status** table).
+
 ### Other properties on the zone
 
 | FQDN | Kind | What should be displayed or returned |
@@ -93,8 +104,7 @@
 | `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. |
 | `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). |
 | `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. |
-
-**Note:** `blockscout.defi-oracle.io` is a **separate Blockscout** hostname (generic / reference). Not the canonical DBIS explorer; same class of **web** explorer UI as Blockscout. See EXPECTED_WEB_CONTENT.
+| `blockscout.defi-oracle.io` | Web | **Blockscout** explorer UI (generic / reference). When NPM proxies here, routing summaries align with **VMID 5000** (`192.168.11.140:80`, TLS at NPM). **Not** canonical **SolaceScanScout / Chain 138** branding—that is **`explorer.d-bis.org`**. Confirm live NPM if behavior differs. |
 
 ---
 
@@ -116,4 +126,4 @@
 
 ---
 
-**Inventory alignment:** Public hostnames above follow `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` plus `keycloak.sankofa.nexus`, `docs.d-bis.org`, `blockscout.defi-oracle.io`, and xom-dev hosts. **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, and **`dash.sankofa.nexus`** are **product-intent** hostnames—add to NPM and the E2E script when upstreams are wired. Add new rows here when you add NPM hosts.
+**Inventory alignment:** Public hostnames above follow `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` plus `keycloak.sankofa.nexus`, `docs.d-bis.org`, `blockscout.defi-oracle.io`, and xom-dev hosts. **`portal.sankofa.nexus`** is expected to terminate on **VMID 7801** when NPM is configured (see **Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) and NPM. **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (parallel Blockscout-class UI, not **`explorer.d-bis.org`** product branding). Extend `verify-end-to-end-routing.sh` when new proxy rows are production-required.