7ac74f432b
- Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON - Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path) - Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README - Meta docs, integration gaps, live verification log, architecture updates - CI validate-config workflow updates Operator/LAN items, submodule working trees, and public token-aggregation edge routes remain follow-up (see TODOS_CONSOLIDATED P1). Made-with: Cursor
11 KiB
FQDN expected content (what users and clients should see)
Last Updated: 2026-03-29 (NPM fleet script includes portal / admin / optional dash; apex uses IP_SANKOFA_PUBLIC_WEB)
Purpose: One-page description of what should be presented at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.
Canonical routing (IPs, VMIDs, ports): ALL_VMIDS_ENDPOINTS.md, RPC_ENDPOINTS_MASTER.md.
Product depth (Sankofa / Phoenix / explorer narrative): EXPECTED_WEB_CONTENT.md.
Deployment status (VMID / upstream matrix): same doc, section Deployment Status (authoritative for portal / admin / dash / blockscout.defi-oracle.io rows).
Automated checks: E2E_ENDPOINTS_LIST.md, scripts/verify/verify-end-to-end-routing.sh.
Legend
| Kind | Meaning |
|---|---|
| Web | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. |
| API | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. |
| RPC-HTTP | No marketing page. JSON-RPC 2.0 over HTTPS POST to / (or provider path); wallets and backends consume JSON. |
| RPC-WS | No HTML. WebSocket upgrade; JSON-RPC / subscription traffic. |
| 301 | Apex policy: www.* redirects to non-www HTTPS (see NPM advanced_config). |
sankofa.nexus zone
Canonical roles: EXPECTED_WEB_CONTENT.md (hostname model table).
Public web (unauthenticated visitors for marketing / division pages)
| FQDN | Kind | What should be displayed or returned |
|---|---|---|
sankofa.nexus |
Web | Sankofa — Sovereign Technologies: public corporate / brand web (mission, narrative, entry points). NPM upstream: IP_SANKOFA_PUBLIC_WEB:SANKOFA_PUBLIC_WEB_PORT (defaults to portal IP until marketing CT is split). |
www.sankofa.nexus |
301 → apex | Browser ends on https://sankofa.nexus/.... |
phoenix.sankofa.nexus |
Web / API | Phoenix Cloud Services (division of Sankofa): public-facing division web (intent). Same deployment may still expose API paths (/health, /graphql, …). E2E verifier may use /health. |
www.phoenix.sankofa.nexus |
301 → apex | Browser ends on https://phoenix.sankofa.nexus/.... |
Client SSO (system SSO; Keycloak as IdP)
| FQDN | Kind | What should be displayed or returned |
|---|---|---|
keycloak.sankofa.nexus |
Web / IdP | Identity provider for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator Keycloak admin at /admin. Backs admin and portal redirects—not a substitute for those apps. |
admin.sankofa.nexus |
Web | Client SSO: administer access (users, roles, org access policy). |
portal.sankofa.nexus |
Web | Client SSO: Phoenix cloud services, Sankofa Marketplace subscriptions, and other client-facing services. |
Typical upstream (when NPM is wired) — see EXPECTED_WEB_CONTENT.md Deployment Status:
| FQDN | VMID / target | Notes |
|---|---|---|
keycloak.sankofa.nexus |
7802 (detail in ALL_VMIDS_ENDPOINTS.md) | IdP + /admin for platform operators |
portal.sankofa.nexus |
IP_SANKOFA_CLIENT_SSO (typ. 7801 · 192.168.11.51:3000) |
Fleet script creates/updates NPM row; default NEXTAUTH_URL=https://portal.sankofa.nexus (sync-sankofa-portal-7801.sh) |
admin.sankofa.nexus |
same as IP_SANKOFA_CLIENT_SSO |
Shares portal upstream until split; NPM row in fleet script |
Operator / systems (IP-gated + MFA)
| FQDN | Kind | What should be displayed or returned |
|---|---|---|
dash.sankofa.nexus |
Web | IP allowlisting + system authentication + MFA: unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |
Typical upstream: 🔶 Not pinned in VM inventory until NPM and operator dash app are authoritative (same Deployment Status table).
Other properties on the zone
| FQDN | Kind | What should be displayed or returned |
|---|---|---|
the-order.sankofa.nexus |
Web | OSJ / Order management portal (secure auth); app the_order. Upstream: HAProxy 10210 → portal stack. |
www.the-order.sankofa.nexus |
301 → apex | Browser ends on https://the-order.sankofa.nexus/.... |
studio.sankofa.nexus |
Web | Sankofa Studio (FusionAI) UI under /studio/ (and related API routes on same origin). |
d-bis.org (DBIS + infrastructure)
Canonical web map: d-bis.org = public institutional site; admin.d-bis.org = admin console; secure.d-bis.org = member secure portal; core.d-bis.org = DBIS Core banking client portal (dbis_core). Detail: DBIS_INSTITUTIONAL_SUBDOMAINS.md.
| FQDN | Kind | What should be displayed or returned |
|---|---|---|
d-bis.org, www.d-bis.org |
Web | Public DBIS institutional portal (sovereign / policy / directory). www should redirect to apex when used. |
explorer.d-bis.org |
Web | SolaceScanScout / Blockscout UI: blocks, txs, addresses, tokens, contract verification for Chain 138. Public, no login for browse. |
docs.d-bis.org |
Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). |
admin.d-bis.org |
Web | DBIS admin console (operations staff). |
dbis-admin.d-bis.org |
Web | Legacy admin hostname; same expected content as admin.d-bis.org if DNS retained. |
secure.d-bis.org |
Web | DBIS member secure portal (authenticated institutions); may path-route /admin, /api, / per NPM (see ALL_VMIDS). |
core.d-bis.org |
Web | DBIS Core banking app — client-facing portal (login, accounts, products as implemented in dbis_core); upstream when wired. |
dbis-api.d-bis.org |
API | DBIS core API (aggregation, OTC, exchange JSON). |
dbis-api-2.d-bis.org |
API | Secondary DBIS API instance. |
mim4u.org, www.mim4u.org, secure.mim4u.org, training.mim4u.org |
Web | MIM4U property sites (nginx on MIM stack). |
rpc-http-pub.d-bis.org, rpc.d-bis.org, rpc2.d-bis.org |
RPC-HTTP | Public Besu JSON-RPC (Chain 138); eth_chainId → 0x8a. |
rpc-ws-pub.d-bis.org, ws.rpc.d-bis.org, ws.rpc2.d-bis.org |
RPC-WS | Public Besu WebSocket RPC. |
rpc-http-prv.d-bis.org |
RPC-HTTP | Core / private JSON-RPC (permissioned use). |
rpc-ws-prv.d-bis.org |
RPC-WS | Core / private WebSocket RPC. |
rpc-fireblocks.d-bis.org |
RPC-HTTP | Fireblocks-dedicated JSON-RPC endpoint. |
ws.rpc-fireblocks.d-bis.org |
RPC-WS | Fireblocks-dedicated WebSocket RPC. |
rpc-alltra.d-bis.org, rpc-alltra-2.d-bis.org, rpc-alltra-3.d-bis.org |
RPC-HTTP | Alltra RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). |
rpc-hybx.d-bis.org, rpc-hybx-2.d-bis.org, rpc-hybx-3.d-bis.org |
RPC-HTTP | HYBX RPC fronts; same class as Alltra. |
cacti-alltra.d-bis.org, cacti-hybx.d-bis.org |
Web | Cacti monitoring UI (graphs, device views). |
mifos.d-bis.org |
Web | Mifos banking platform UI (when backend healthy). |
dapp.d-bis.org |
Web | DApp static/hosted frontend (VMID per ALL_VMIDS). |
gitea.d-bis.org |
Web | Gitea git forge UI. |
dev.d-bis.org |
Web | Dev workspace UI (codespaces / dev host). |
codespaces.d-bis.org |
Web | Codespaces / dev related web entry (as wired on NPM). |
defi-oracle.io (ThirdWeb / public edge)
| FQDN | Kind | What should be displayed or returned |
|---|---|---|
rpc.public-0138.defi-oracle.io |
RPC-HTTP | ThirdWeb-style HTTPS RPC terminator on VMID 2400; JSON-RPC to Chain 138. |
rpc.defi-oracle.io |
RPC-HTTP | Public JSON-RPC alias (same Besu public stack as rpc.d-bis.org family when healthy). |
wss.defi-oracle.io |
RPC-WS | Public WebSocket RPC companion. |
blockscout.defi-oracle.io |
Web | Blockscout explorer UI (generic / reference). When NPM proxies here, routing summaries align with VMID 5000 (192.168.11.140:80, TLS at NPM). Not canonical SolaceScanScout / Chain 138 branding—that is explorer.d-bis.org. Confirm live NPM if behavior differs. |
xom-dev.phoenix.sankofa.nexus (gov portals dev)
| FQDN | Kind | What should be displayed or returned |
|---|---|---|
dbis.xom-dev.phoenix.sankofa.nexus |
Web | Gov portals dev app on port 3001 (VMID 7804 family). |
iccc.xom-dev.phoenix.sankofa.nexus |
Web | Idem, port 3002. |
omnl.xom-dev.phoenix.sankofa.nexus |
Web | Idem, port 3003. |
xom.xom-dev.phoenix.sankofa.nexus |
Web | Idem, port 3004. |
Operator checklist
- Wrong content (e.g. explorer UI on
sankofa.nexus, or HTML on RPC hostname) usually means NPM upstream or DNS is wrong — fix withupdate-npmplus-proxy-hosts-api.shand ALL_VMIDS_ENDPOINTS.md. Ensureportal.sankofa.nexus/admin.sankofa.nexusDNS exist;dashis created in NPM only whenIP_SANKOFA_DASHis set inconfig/ip-addresses.conf. - 301 on
www.*is intentional; content is judged on the apex hostname after redirect.
Inventory alignment: DOMAIN_TYPES_ALL in scripts/verify/verify-end-to-end-routing.sh includes keycloak.sankofa.nexus, admin.sankofa.nexus, portal.sankofa.nexus, dash.sankofa.nexus, docs.d-bis.org, and blockscout.defi-oracle.io (see E2E_ENDPOINTS_LIST.md; --list-endpoints --profile=public). They are in E2E_OPTIONAL_WHEN_FAIL so unwired NPM or off-LAN runs still exit 0. portal.sankofa.nexus is expected on VMID 7801 when NPM is configured ( Deployment Status in EXPECTED_WEB_CONTENT.md). admin.sankofa.nexus and dash.sankofa.nexus remain hostname intent until pinned in ALL_VMIDS_ENDPOINTS.md. blockscout.defi-oracle.io aligns with VMID 5000 in routing summaries (not explorer.d-bis.org branding). xom-dev hostnames are not in the E2E list yet—add when NPM routes are stable.