# Web Properties — Ground Truth & Validation **Last Updated:** 2026-03-27 **Document Version:** 1.5 **Status:** Active Documentation --- _Last reviewed: authoritative alignment checkpoint_ This document reconciles **expected intent**, **current deployment state**, and **functional role** for each public-facing or semi-public web property. **Quick matrix (every FQDN: web vs API vs RPC, and what clients should see):** [FQDN_EXPECTED_CONTENT.md](../04-configuration/FQDN_EXPECTED_CONTENT.md). --- ## Sankofa.nexus and Phoenix — hostname model (canonical) | Hostname | Tier | Access | Expected content | |----------|------|--------|------------------| | `sankofa.nexus` | **Public web** | Unauthenticated visitors | **Sankofa — Sovereign Technologies:** corporate / brand public site (marketing, narrative, entry points). | | `phoenix.sankofa.nexus` | **Public web** | Unauthenticated visitors (for public pages) | **Phoenix Cloud Services** (a division of Sankofa): public-facing web for the cloud services division. | | `the-order.sankofa.nexus` | **Public web** (program portal) | Secure auth (product-dependent) | **OSJ / Order management** portal; application source **the_order**. **NPM** → VMID **10210** order-haproxy `192.168.11.39:80` → Sankofa portal stack **192.168.11.51:3000** (7801). See `scripts/deployment/provision-order-haproxy-10210.sh`. | | `www.the-order.sankofa.nexus` | **Redirect** | Browser follows 301 | **301** → `https://the-order.sankofa.nexus` (same policy as `www.sankofa` / `www.phoenix`). | | `studio.sankofa.nexus` | **Public web** (tooling) | Unauthenticated or app auth per product | **Sankofa Studio** (FusionAI); VMID **7805**, `192.168.11.72:8000`, UI under `/studio/`. | | `keycloak.sankofa.nexus` | **SSO infrastructure** (IdP) | Browser hits login + token flows; operators use admin | **Keycloak:** OIDC/SAML identity provider behind client SSO. Serves realm login UI, well-known and token endpoints, and **admin console** at `/admin`. **Consumes:** `admin.sankofa.nexus` and `portal.sankofa.nexus` (and other registered clients) redirect here for authentication; it does **not** replace those hostnames. | | `admin.sankofa.nexus` | **Client SSO** | SSO (system-mediated) | **Client administration of access:** who can access what (invites, roles, org settings, access policy). | | `portal.sankofa.nexus` | **Client SSO** | SSO | **Client workspace:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services behind one SSO boundary. | | `dash.sankofa.nexus` | **Operator / systems** | **IP allowlisting** + **system authentication** + **MFA** | **Internal systems dashboard:** administration across Sankofa, Phoenix, Gitea, and additional platform systems—not the same trust boundary as client `admin` / `portal`. | **Placement of Keycloak:** Treat `keycloak.sankofa.nexus` as the **shared IdP** for the **SSO-gated client tier** (`admin`, `portal`). Users often see Keycloak only during login redirects. **`dash.sankofa.nexus`** is a separate, stricter surface (network + MFA); it may integrate with Keycloak or other system identity depending on implementation, but the **documented intent** is IP-gated operator admin, not “client self-service SSO” like `portal`. --- ## 1. sankofa.nexus (public — Sovereign Technologies) **Role:** Public corporate web for **Sankofa — Sovereign Technologies.** **Comparable to:** Company apex domain (e.g. microsoft.com). ### Expected content - Brand, mission, Sovereign Technologies positioning - Philosophy narrative (**Remember → Retrieve → Restore → Rise**) - Paths into Phoenix and commercial / program entry points (links may target `phoenix.sankofa.nexus`, `portal.sankofa.nexus`, etc.) ### Current deployment (typical) - **VMID:** 7801 · **Port:** 3000 (Next.js) — see [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md) ### Notes - **Unauthenticated public web** is the **intent** for this hostname; authenticated client work belongs on **`portal.sankofa.nexus`**. --- ## 2. phoenix.sankofa.nexus (public — Phoenix Cloud Services) **Role:** Public-facing web for **Phoenix Cloud Services**, a division of Sankofa. **Comparable to:** Public cloud division landing (e.g. azure.microsoft.com style), not the raw JSON-RPC layer. ### Expected content - Division branding, service overview, how Phoenix fits under Sankofa - Clear separation from corporate apex (`sankofa.nexus`) ### Technical note (same origin today) - **VMID 7800** historically exposes **API-first** surfaces (`/health`, `/graphql`, `/graphql-ws`). Public **marketing or division web** may be served from the same stack or split later; this document states **product intent** for the hostname. Prefer not to present the apex `sankofa.nexus` portal app as if it were “Phoenix public web.” --- ## 2b. the-order.sankofa.nexus (public hostname — OSJ / Order portal) **Role:** Public hostname for the **Order** / OSJ management experience (secure auth as implemented in **the_order**). **Comparable to:** A dedicated program or division portal—not the corporate apex (`sankofa.nexus`) and not the generic client SSO workspace (`portal.sankofa.nexus`) unless product explicitly converges them. ### Expected content - Order/OSJ management UI and flows behind authentication as defined by the app - Same **Next.js portal stack** as Sankofa public site today, reached via **HAProxy** so NPM and headers can be tuned independently ### Current deployment (typical) - **Edge:** VMID **10210** (order-haproxy) · **192.168.11.39:80** — proxies to **192.168.11.51:3000** (VMID **7801** portal) - **NPMplus:** `update-npmplus-proxy-hosts-api.sh` defaults `THE_ORDER_UPSTREAM_*` to **.39:80**; bypass with `THE_ORDER_UPSTREAM_IP=192.168.11.51` `THE_ORDER_UPSTREAM_PORT=3000` if 10210 is down ### Notes - **`www.the-order.sankofa.nexus`** is only for **canonical URL** policy (301 → apex); do not treat it as a separate product surface. --- ## 3. keycloak.sankofa.nexus (SSO — identity provider) **Role:** **OIDC/SAML IdP** for the Sankofa / Phoenix client ecosystem. **VMID:** 7802 (typical) ### Expected content / behavior - End-user **login** (realm themes), **logout**, **token** and **well-known** endpoints - **Admin console** at `/admin` for realm and client configuration (operator-controlled) ### Relationship - **`admin.sankofa.nexus`** and **`portal.sankofa.nexus`** are the **client-facing apps**; Keycloak is where **authentication** completes for those SSO flows. --- ## 4. admin.sankofa.nexus (client SSO — access administration) **Role:** **SSO-authenticated** surface for **clients** to **administer access** (users, groups, delegations, tenant access policy as productized). ### Expected content - IAM-style administration for client orgs (not raw Keycloak admin—that remains on Keycloak’s `/admin` for platform operators). --- ## 5. portal.sankofa.nexus (client SSO — services and marketplace) **Role:** **SSO-authenticated** **client portal** for day-to-day use of subscribed services. ### Expected content - **Phoenix cloud** service entry and consoles (as entitled) - **Sankofa Marketplace** subscriptions and management - Other **client-facing** services behind the same SSO boundary **Public URL policy (env):** NextAuth / OIDC public URL may be set to `https://portal.sankofa.nexus` (see `scripts/deployment/sync-sankofa-portal-7801.sh`). --- ## 6. dash.sankofa.nexus (IP-gated — system admin + MFA) **Role:** **Operator and systems administration** across Sankofa, Phoenix, Gitea, and related infrastructure. ### Access model - **IP address gating** (allowlisted networks / VPN / office) - **System authentication** + **MFA** (stricter than public internet client SSO) ### Expected content - Unified or linked **admin** views for platform systems—not a substitute for `portal.sankofa.nexus` client self-service. --- ## 7. explorer.d-bis.org **Service Name:** SolaceScanScout **Role:** Block Explorer for ChainID 138 **Technology:** Blockscout-based **Comparable To:** Etherscan, PolygonScan, BscScan ### Intended Function - Public transparency layer for ChainID 138 - Settlement and transaction inspection ### Expected Capabilities - Latest blocks viewer - Transaction browser - Address explorer (balances, history) - Token explorer (ERC-20 or equivalents) - Network metrics and statistics - Search (block / tx / address) - ChainID 138 network identification ### Current Deployment - **Status:** ✅ Active, separate service - **VMID:** 5000 - **Address:** 192.168.11.140 - **Isolation:** Independent from Phoenix & Sankofa Portal ### Notes - Correctly positioned as **public infrastructure** - No coupling to portal auth systems --- ## 8. blockscout.defi-oracle.io **Service Name:** Blockscout Explorer (Generic) **Role:** Independent / Reference Blockscout Instance ### Intended Function - General-purpose blockchain explorer - Testing, comparison, or alternate network usage ### Capabilities - Standard Blockscout UI - Smart contract verification - API access for blockchain data ### Current Status - Separate and unrelated to ChainID 138 branding - **Not** the canonical DBIS explorer --- ## 8b. public-2138.defi-oracle.io & rpc.public-2138.defi-oracle.io (testnet) **Role:** Public explorer UI and JSON-RPC for **Defi Oracle Meta Testnet** (chain ID **2138**, hex `0x85a`). Not the Chain 138 explorer (`explorer.d-bis.org`). ### Intended function - Explorer: `https://public-2138.defi-oracle.io` (per `pr-workspace/chains/_data/chains/eip155-2138.json`) - RPC: `https://rpc.public-2138.defi-oracle.io`, `wss://rpc.public-2138.defi-oracle.io` ### References - `docs/04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md` - `docs/testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md` --- ## Canonical Alignment Summary | Domain | Purpose | Public web | Auth model | Canonical | |--------|---------|------------|------------|-------------| | sankofa.nexus | Sovereign Technologies (corporate) | Yes (intended) | None for public pages | ✅ | | phoenix.sankofa.nexus | Phoenix Cloud Services (division) | Yes (intended) | None for public pages | ✅ | | the-order.sankofa.nexus | OSJ / Order management portal | Yes (app UI) | Per **the_order** | ✅ | | www.the-order.sankofa.nexus | Redirect to apex | — | — | ✅ | | studio.sankofa.nexus | Sankofa Studio (FusionAI) | Yes (`/studio/`) | Per app | ✅ | | keycloak.sankofa.nexus | IdP for client SSO | Login UI only | IdP + admin | ✅ | | admin.sankofa.nexus | Client access administration | No | SSO | ✅ | | portal.sankofa.nexus | Client services + marketplace | No | SSO | ✅ | | dash.sankofa.nexus | Systems / operator admin | No | IP + system auth + MFA | ✅ | | explorer.d-bis.org | ChainID 138 Explorer | Yes | No | ✅ | | public-2138.defi-oracle.io | ChainID 2138 Testnet Explorer | Yes | No | ⚠️ Per chainlist | | rpc.public-2138.defi-oracle.io | ChainID 2138 JSON-RPC | API | No | ⚠️ Per chainlist | | blockscout.defi-oracle.io | Generic Explorer | Yes | No | ❌ | --- ## Confirmed Architectural Intent - **sankofa.nexus** = public brand for **Sankofa — Sovereign Technologies** - **phoenix.sankofa.nexus** = public web for **Phoenix Cloud Services** (division of Sankofa); API surfaces may share deployment - **the-order.sankofa.nexus** = **Order / OSJ** program portal at a dedicated hostname; **edge** at 10210 (HAProxy) then portal **7801** unless bypassed for maintenance - **portal / admin** = **client SSO** tier; **Keycloak** = shared IdP - **dash** = **IP-gated** operator systems admin with **MFA** - **DBIS Explorer** = public transparency + settlement inspection - **No accidental overlap** between public marketing, client SSO, operator dash, explorer transparency, and **Order** program hostname (unless product explicitly merges flows) --- ## Open Decisions (Explicitly Unresolved) **Critical:** These decisions remain **explicitly unresolved**. Do not collapse them prematurely. ### 1. Phoenix UI vs API on `phoenix.sankofa.nexus` **Status:** Implementation may still be API-first on VMID 7800 while **hostname intent** is public division web; reconcile with a dedicated static/marketing upstream or path split if needed. --- ### 2. Rich console UI for Phoenix (beyond public division web) **Status:** Open decision point **Question:** Whether authenticated **Phoenix product consoles** live primarily on **`portal.sankofa.nexus`** (SSO) vs additional surfaces. **Flexibility:** Public division web on `phoenix.sankofa.nexus` does not preclude deep consoles behind **`portal`** SSO. --- ### 3. Branding Linkage **Status:** Open decision point **Question:** Branding linkage between DBIS Core products and explorer UI **Options:** - Maintain independent branding - Align with DBIS Core products - Federate with other explorers **Note:** Explorer independence is intentional, not permanent. --- ### 4. Future Evolution Pathways (Non-Binding) These are **possible futures**, not commitments: - NPM `www.*` → apex **301** policy (incl. `www.sankofa`, `www.phoenix`, `www.the-order`) vs additional marketing hostnames - `admin` / `portal` / `dash` upstream targets on NPM (when split from legacy single-host deployments) - Delegated Phoenix UI development - Explorer rebrand or federation - Additional service surfaces **Why Documented:** - Signals foresight without commitment - Prevents future teams from assuming "this was never considered" - Preserves optionality for governance decisions --- ## Service Relationship Diagram ``` Internet ↓ NPMplus (Reverse Proxy + SSL) ↓ ├─→ sankofa.nexus → Public web: Sankofa — Sovereign Technologies ├─→ phoenix.sankofa.nexus → Public web: Phoenix Cloud Services (division) ├─→ the-order.sankofa.nexus → Order/OSJ portal (10210 HAProxy → portal 7801) ├─→ www.the-order.sankofa.nexus → 301 → the-order apex ├─→ studio.sankofa.nexus → Studio (7805 /studio/) │ ├─→ admin.sankofa.nexus → Client SSO: administer access ├─→ portal.sankofa.nexus → Client SSO: Phoenix cloud + marketplace + client services │ └─ (redirects) ──→ keycloak.sankofa.nexus (OIDC/SAML IdP, VMID 7802) │ ├─→ dash.sankofa.nexus → IP allowlist + system auth + MFA: operator systems admin │ (Sankofa, Phoenix, Gitea, …) │ ├─→ explorer.d-bis.org → SolaceScanScout (ChainID 138, no login for browse) └─→ blockscout.defi-oracle.io → Generic Blockscout (not canonical 138 explorer) Backend (typical): ├─→ Keycloak VMID 7802, PostgreSQL VMID 7803 ├─→ Phoenix API VMID 7800, Sankofa web VMID 7801 └─→ Order edge VMID 10210 (HAProxy .39:80 → .51:3000); Studio VMID 7805 (until admin/portal/dash are split to own upstreams) ``` --- ## Deployment Status ### Active Services | Service | Domain | VMID | IP | Port | Status | Access model | |---------|--------|------|-----|------|--------|----------------| | **Phoenix** (API today; division hostname) | phoenix.sankofa.nexus | 7800 | 192.168.11.50 | 4000 | ✅ Active | Public web **intent**; API paths coexist | | **Sankofa public web** | sankofa.nexus | 7801 | 192.168.11.51 | 3000 | ✅ Active | Public **intent** (see hostname model) | | **The Order (edge)** | the-order.sankofa.nexus | 10210 → 7801 | 192.168.11.39:80 → .51:3000 | 80 → 3000 | ✅ Active | HAProxy then portal; see §2b | | **Sankofa Studio** | studio.sankofa.nexus | 7805 | 192.168.11.72 | 8000 | ✅ Active | `/studio/` | | **Keycloak IdP** | keycloak.sankofa.nexus | 7802 | (see ALL_VMIDS) | 8080 | ✅ Active | IdP + `/admin` | | **Client admin (SSO)** | admin.sankofa.nexus | — | — | — | 🔶 **Intent** — NPM + app upstream not pinned in VM inventory; may share portal stack (**7801**) until split (see §4, Open Decisions §4) | SSO | | **Client portal (SSO)** | portal.sankofa.nexus | **7801** (typical) | 192.168.11.51 | 3000 | ✅ **Active** when NPM routes this hostname to the Sankofa portal stack; `NEXTAUTH_URL` / public OIDC URL per `scripts/deployment/sync-sankofa-portal-7801.sh` | SSO | | **Operator dash** | dash.sankofa.nexus | — | — | — | 🔶 **Intent** — IP allowlist + system auth + MFA; **VMID/IP not fixed** in this matrix until NPM/upstream is wired (see §6) | IP + MFA | | **SolaceScanScout** | explorer.d-bis.org | 5000 | 192.168.11.140 | 80/4000 | ✅ Active | Public | | **Blockscout (generic hostname)** | blockscout.defi-oracle.io | **5000** | 192.168.11.140 | **80** (TLS at NPM) | ✅ **Active** when NPM proxies here; **same class** of Blockscout UI as §7 but **not** canonical **SolaceScanScout / Chain 138** branding (see §8) | Public | **Table notes:** `admin` / `dash` rows stay **non-numeric** on VMID until inventory and NPM proxy rows are authoritative in [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md) and your NPM export. **`blockscout.defi-oracle.io`** has been documented in routing summaries as terminating on **VMID 5000** (`192.168.11.140:80`); confirm live NPM if behavior differs. --- ## Brand/Product Relationship Context **Sankofa** = Company/Brand (like Microsoft, Google, Amazon) **Phoenix** = Cloud Platform/Product (like Azure, GCP, AWS) **Sankofa Phoenix** = Complete Product (like Microsoft Azure, Google Cloud Platform, Amazon Web Services) - **sankofa.nexus** = Public company site — **Sankofa — Sovereign Technologies** - **phoenix.sankofa.nexus** = Public division site — **Phoenix Cloud Services** - **portal.sankofa.nexus** / **admin.sankofa.nexus** = **Client SSO** apps (Keycloak as IdP) - **dash.sankofa.nexus** = **IP-gated** operator systems admin (**MFA**) - **the-order.sankofa.nexus** = **Order / OSJ** portal hostname (edge **10210** → portal **7801**) - **studio.sankofa.nexus** = **Studio** tooling (**7805**) - **explorer.d-bis.org** = Blockchain explorer (like Etherscan) - **blockscout.defi-oracle.io** = Generic explorer instance --- **Review Status:** Authoritative alignment checkpoint