proxmox/docs/04-configuration/FQDN_EXPECTED_CONTENT.md

# FQDN expected content (what users and clients should see)

**Last Updated:** 2026-03-27 (Sankofa hostname tiers: public / SSO / dash)  
**Purpose:** One-page description of **what should be presented** at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.

**Canonical routing (IPs, VMIDs, ports):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).  
**Product depth (Sankofa / Phoenix / explorer narrative):** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).  
**Automated checks:** [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.

---

## Legend

| Kind | Meaning |
|------|---------|
| **Web** | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. |
| **API** | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. |
| **RPC-HTTP** | **No marketing page.** JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. |
| **RPC-WS** | **No HTML.** WebSocket upgrade; JSON-RPC / subscription traffic. |
| **301** | Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). |

---

## sankofa.nexus zone

**Canonical roles:** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table).

### Public web (unauthenticated visitors for marketing / division pages)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `sankofa.nexus` | Web | **Sankofa — Sovereign Technologies:** public corporate / brand web (mission, narrative, entry points). |
| `www.sankofa.nexus` | 301 → apex | Browser ends on `https://sankofa.nexus/...`. |
| `phoenix.sankofa.nexus` | Web / API | **Phoenix Cloud Services** (division of Sankofa): public-facing **division web** (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. |
| `www.phoenix.sankofa.nexus` | 301 → apex | Browser ends on `https://phoenix.sankofa.nexus/...`. |

### Client SSO (system SSO; Keycloak as IdP)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `keycloak.sankofa.nexus` | Web / IdP | **Identity provider** for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator **Keycloak admin** at `/admin`. Backs **`admin`** and **`portal`** redirects—not a substitute for those apps. |
| `admin.sankofa.nexus` | Web | **Client SSO:** administer access (users, roles, org access policy). |
| `portal.sankofa.nexus` | Web | **Client SSO:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services. |

### Operator / systems (IP-gated + MFA)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dash.sankofa.nexus` | Web | **IP allowlisting** + **system authentication** + **MFA:** unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |

### Other properties on the zone

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `the-order.sankofa.nexus` | Web | **OSJ / Order management** portal (secure auth); app **the_order**. Upstream: HAProxy **10210** → portal stack. |
| `www.the-order.sankofa.nexus` | 301 → apex | Browser ends on `https://the-order.sankofa.nexus/...`. |
| `studio.sankofa.nexus` | Web | **Sankofa Studio (FusionAI)** UI under `/studio/` (and related API routes on same origin). |

---

## d-bis.org (DBIS + infrastructure)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `explorer.d-bis.org` | Web | **SolaceScanScout / Blockscout** UI: blocks, txs, addresses, tokens, contract verification for **Chain 138**. Public, no login for browse. |
| `docs.d-bis.org` | Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). |
| `dbis-admin.d-bis.org` | Web | DBIS **admin** frontend (dashboard). |
| `secure.d-bis.org` | Web | DBIS **secure** authenticated portal. |
| `dbis-api.d-bis.org` | API | DBIS **core API** (aggregation, OTC, exchange JSON). |
| `dbis-api-2.d-bis.org` | API | Secondary DBIS API instance. |
| `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` | Web | **MIM4U** property sites (nginx on MIM stack). |
| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. |
| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | RPC-WS | **Public Besu WebSocket** RPC. |
| `rpc-http-prv.d-bis.org` | RPC-HTTP | **Core / private** JSON-RPC (permissioned use). |
| `rpc-ws-prv.d-bis.org` | RPC-WS | **Core / private** WebSocket RPC. |
| `rpc-fireblocks.d-bis.org` | RPC-HTTP | **Fireblocks-dedicated** JSON-RPC endpoint. |
| `ws.rpc-fireblocks.d-bis.org` | RPC-WS | **Fireblocks-dedicated** WebSocket RPC. |
| `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` | RPC-HTTP | **Alltra** RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). |
| `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` | RPC-HTTP | **HYBX** RPC fronts; same class as Alltra. |
| `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` | Web | **Cacti** monitoring UI (graphs, device views). |
| `mifos.d-bis.org` | Web | **Mifos** banking platform UI (when backend healthy). |
| `dapp.d-bis.org` | Web | **DApp** static/hosted frontend (VMID per ALL_VMIDS). |
| `gitea.d-bis.org` | Web | **Gitea** git forge UI. |
| `dev.d-bis.org` | Web | **Dev** workspace UI (codespaces / dev host). |
| `codespaces.d-bis.org` | Web | **Codespaces / dev** related web entry (as wired on NPM). |

---

## defi-oracle.io (ThirdWeb / public edge)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. |
| `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). |
| `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. |

**Note:** `blockscout.defi-oracle.io` is a **separate Blockscout** hostname (generic / reference). Not the canonical DBIS explorer; same class of **web** explorer UI as Blockscout. See EXPECTED_WEB_CONTENT.

---

## xom-dev.phoenix.sankofa.nexus (gov portals dev)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dbis.xom-dev.phoenix.sankofa.nexus` | Web | Gov portals **dev** app on port **3001** (VMID 7804 family). |
| `iccc.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3002**. |
| `omnl.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3003**. |
| `xom.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3004**. |

---

## Operator checklist

- **Wrong content** (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means **NPM upstream** or **DNS** is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).
- **301 on `www.*`** is intentional; content is judged on the **apex** hostname after redirect.

---

**Inventory alignment:** Public hostnames above follow `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` plus `keycloak.sankofa.nexus`, `docs.d-bis.org`, `blockscout.defi-oracle.io`, and xom-dev hosts. **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, and **`dash.sankofa.nexus`** are **product-intent** hostnames—add to NPM and the E2E script when upstreams are wired. Add new rows here when you add NPM hosts.