docs/04-configuration/FQDN_EXPECTED_CONTENT.md

# FQDN expected content (what users and clients should see)

**Last Updated:** 2026-03-29 (NPM fleet script includes `portal` / `admin` / optional `dash`; apex uses `IP_SANKOFA_PUBLIC_WEB`)  
**Purpose:** One-page description of **what should be presented** at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.

**Canonical routing (IPs, VMIDs, ports):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).  
**Product depth (Sankofa / Phoenix / explorer narrative):** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).  
**Deployment status (VMID / upstream matrix):** same doc, section **Deployment Status** (authoritative for `portal` / `admin` / `dash` / `blockscout.defi-oracle.io` rows).  
**Automated checks:** [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.

---

## Legend

| Kind | Meaning |
|------|---------|
| **Web** | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. |
| **API** | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. |
| **RPC-HTTP** | **No marketing page.** JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. |
| **RPC-WS** | **No HTML.** WebSocket upgrade; JSON-RPC / subscription traffic. |
| **301** | Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). |

---

## sankofa.nexus zone

**Canonical roles:** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table).

### Public web (unauthenticated visitors for marketing / division pages)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `sankofa.nexus` | Web | **Sankofa — Sovereign Technologies:** public corporate / brand web (mission, narrative, entry points). NPM upstream: **`IP_SANKOFA_PUBLIC_WEB`:`SANKOFA_PUBLIC_WEB_PORT`** (defaults to portal IP until marketing CT is split). |
| `www.sankofa.nexus` | 301 → apex | Browser ends on `https://sankofa.nexus/...`. |
| `phoenix.sankofa.nexus` | Web / API | **Phoenix Cloud Services** (division of Sankofa): public-facing **division web** (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. |
| `www.phoenix.sankofa.nexus` | 301 → apex | Browser ends on `https://phoenix.sankofa.nexus/...`. |

### Client SSO (system SSO; Keycloak as IdP)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `keycloak.sankofa.nexus` | Web / IdP | **Identity provider** for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator **Keycloak admin** at `/admin`. Backs **`admin`** and **`portal`** redirects—not a substitute for those apps. |
| `admin.sankofa.nexus` | Web | **Client SSO:** administer access (users, roles, org access policy). |
| `portal.sankofa.nexus` | Web | **Client SSO:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services. |

**Typical upstream (when NPM is wired)** — see [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) **Deployment Status**:

| FQDN | VMID / target | Notes |
|------|---------------|--------|
| `keycloak.sankofa.nexus` | **7802** (detail in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md)) | IdP + `/admin` for platform operators |
| `portal.sankofa.nexus` | **`IP_SANKOFA_CLIENT_SSO`** (typ. **7801** · `192.168.11.51:3000`) | Fleet script creates/updates NPM row; default **`NEXTAUTH_URL=https://portal.sankofa.nexus`** (`sync-sankofa-portal-7801.sh`) |
| `admin.sankofa.nexus` | same as **`IP_SANKOFA_CLIENT_SSO`** | Shares portal upstream until split; NPM row in fleet script |

### Operator / systems (IP-gated + MFA)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dash.sankofa.nexus` | Web | **IP allowlisting** + **system authentication** + **MFA:** unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |

**Typical upstream:** 🔶 **Not pinned** in VM inventory until NPM and operator dash app are authoritative (same **Deployment Status** table).

### Other properties on the zone

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `the-order.sankofa.nexus` | Web | **OSJ / Order management** portal (secure auth); app **the_order**. Upstream: HAProxy **10210** → portal stack. |
| `www.the-order.sankofa.nexus` | 301 → apex | Browser ends on `https://the-order.sankofa.nexus/...`. |
| `studio.sankofa.nexus` | Web | **Sankofa Studio (FusionAI)** UI under `/studio/` (and related API routes on same origin). |

---

## d-bis.org (DBIS + infrastructure)

**Canonical web map:** **d-bis.org** = public institutional site; **admin.d-bis.org** = admin console; **secure.d-bis.org** = member secure portal; **core.d-bis.org** = **DBIS Core** banking **client** portal (`dbis_core`). Detail: [DBIS_INSTITUTIONAL_SUBDOMAINS.md](DBIS_INSTITUTIONAL_SUBDOMAINS.md).

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `d-bis.org`, `www.d-bis.org` | Web | **Public** DBIS institutional portal (sovereign / policy / directory). **www** should redirect to apex when used. |
| `explorer.d-bis.org` | Web | **SolaceScanScout / Blockscout** UI: blocks, txs, addresses, tokens, contract verification for **Chain 138**. Public, no login for browse. |
| `docs.d-bis.org` | Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). |
| `admin.d-bis.org` | Web | DBIS **admin** console (operations staff). |
| `dbis-admin.d-bis.org` | Web | **Legacy** admin hostname; same expected content as **admin.d-bis.org** if DNS retained. |
| `secure.d-bis.org` | Web | DBIS **member** secure portal (authenticated institutions); may path-route `/admin`, `/api`, `/` per NPM (see ALL_VMIDS). |
| `core.d-bis.org` | Web | **DBIS Core** banking app — **client**-facing portal (login, accounts, products as implemented in **dbis_core**); upstream when wired. |
| `dbis-api.d-bis.org` | API | DBIS **core API** (aggregation, OTC, exchange JSON). |
| `dbis-api-2.d-bis.org` | API | Secondary DBIS API instance. |
| `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` | Web | **MIM4U** property sites (nginx on MIM stack). |
| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. |
| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | RPC-WS | **Public Besu WebSocket** RPC. |
| `rpc-http-prv.d-bis.org` | RPC-HTTP | **Core / private** JSON-RPC (permissioned use). |
| `rpc-ws-prv.d-bis.org` | RPC-WS | **Core / private** WebSocket RPC. |
| `rpc-fireblocks.d-bis.org` | RPC-HTTP | **Fireblocks-dedicated** JSON-RPC endpoint. |
| `ws.rpc-fireblocks.d-bis.org` | RPC-WS | **Fireblocks-dedicated** WebSocket RPC. |
| `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` | RPC-HTTP | **Alltra** RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). |
| `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` | RPC-HTTP | **HYBX** RPC fronts; same class as Alltra. |
| `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` | Web | **Cacti** monitoring UI (graphs, device views). |
| `mifos.d-bis.org` | Web | **Mifos** banking platform UI (when backend healthy). |
| `dapp.d-bis.org` | Web | **DApp** static/hosted frontend (VMID per ALL_VMIDS). |
| `gitea.d-bis.org` | Web | **Gitea** git forge UI. |
| `dev.d-bis.org` | Web | **Dev** workspace UI (codespaces / dev host). |
| `codespaces.d-bis.org` | Web | **Codespaces / dev** related web entry (as wired on NPM). |

---

## defi-oracle.io (ThirdWeb / public edge)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. |
| `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). |
| `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. |
| `blockscout.defi-oracle.io` | Web | **Blockscout** explorer UI (generic / reference). When NPM proxies here, routing summaries align with **VMID 5000** (`192.168.11.140:80`, TLS at NPM). **Not** canonical **SolaceScanScout / Chain 138** branding—that is **`explorer.d-bis.org`**. Confirm live NPM if behavior differs. |

---

## xom-dev.phoenix.sankofa.nexus (gov portals dev)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dbis.xom-dev.phoenix.sankofa.nexus` | Web | Gov portals **dev** app on port **3001** (VMID 7804 family). |
| `iccc.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3002**. |
| `omnl.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3003**. |
| `xom.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3004**. |

---

## Operator checklist

- **Wrong content** (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means **NPM upstream** or **DNS** is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). Ensure **`portal.sankofa.nexus`** / **`admin.sankofa.nexus`** DNS exist; **`dash`** is created in NPM only when **`IP_SANKOFA_DASH`** is set in `config/ip-addresses.conf`.
- **301 on `www.*`** is intentional; content is judged on the **apex** hostname after redirect.

---

**Inventory alignment:** `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` includes **`keycloak.sankofa.nexus`**, **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, **`dash.sankofa.nexus`**, **`docs.d-bis.org`**, and **`blockscout.defi-oracle.io`** (see [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md); `--list-endpoints --profile=public`). They are in **`E2E_OPTIONAL_WHEN_FAIL`** so unwired NPM or off-LAN runs still exit **0**. **`portal.sankofa.nexus`** is expected on **VMID 7801** when NPM is configured ( **Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (not **`explorer.d-bis.org`** branding). **xom-dev** hostnames are not in the E2E list yet—add when NPM routes are stable.
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`# FQDN expected content (what users and clients should see)`

feat(sankofa): public web CT 7806, portal NPM/DNS defaults, Keycloak redirect helper - Provision/sync scripts and systemd for corporate Next on 7806; IP_SANKOFA_PUBLIC_WEB for apex NPM - Portal stack: NEXTAUTH_URL default portal.sankofa.nexus; NPM fleet + migrate + DNS ordering - keycloak-sankofa-ensure-client-redirects.sh (KEYCLOAK_ADMIN_PASSWORD); .env.master.example hints - Docs: task list, inventory, FQDN/E2E/EXPECTED_WEB_CONTENT, AGENTS pointers Made-with: Cursor 2026-03-29 13:41:02 -07:00			Last Updated: 2026-03-29 (NPM fleet script includes `portal` / `admin` / optional `dash`; apex uses `IP_SANKOFA_PUBLIC_WEB`)
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`Purpose: One-page description of what should be presented at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.`

			`Canonical routing (IPs, VMIDs, ports): [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).`
			`Product depth (Sankofa / Phoenix / explorer narrative): [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).`
docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			Deployment status (VMID / upstream matrix): same doc, section Deployment Status (authoritative for `portal` / `admin` / `dash` / `blockscout.defi-oracle.io` rows).
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			Automated checks: [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.

			`---`

			`## Legend`

			`\| Kind \| Meaning \|`
			`\|------\|---------\|`
			`\| Web \| Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. \|`
			`\| API \| Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. \|`
			\| RPC-HTTP \| No marketing page. JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. \|
			`\| RPC-WS \| No HTML. WebSocket upgrade; JSON-RPC / subscription traffic. \|`
			\| 301 \| Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). \|

			`---`

			`## sankofa.nexus zone`

			`Canonical roles: [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table).`

			`### Public web (unauthenticated visitors for marketing / division pages)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
feat(sankofa): public web CT 7806, portal NPM/DNS defaults, Keycloak redirect helper - Provision/sync scripts and systemd for corporate Next on 7806; IP_SANKOFA_PUBLIC_WEB for apex NPM - Portal stack: NEXTAUTH_URL default portal.sankofa.nexus; NPM fleet + migrate + DNS ordering - keycloak-sankofa-ensure-client-redirects.sh (KEYCLOAK_ADMIN_PASSWORD); .env.master.example hints - Docs: task list, inventory, FQDN/E2E/EXPECTED_WEB_CONTENT, AGENTS pointers Made-with: Cursor 2026-03-29 13:41:02 -07:00			\| `sankofa.nexus` \| Web \| Sankofa — Sovereign Technologies: public corporate / brand web (mission, narrative, entry points). NPM upstream: `IP_SANKOFA_PUBLIC_WEB`:`SANKOFA_PUBLIC_WEB_PORT` (defaults to portal IP until marketing CT is split). \|
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			\| `www.sankofa.nexus` \| 301 → apex \| Browser ends on `https://sankofa.nexus/...`. \|
			\| `phoenix.sankofa.nexus` \| Web / API \| Phoenix Cloud Services (division of Sankofa): public-facing division web (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. \|
			\| `www.phoenix.sankofa.nexus` \| 301 → apex \| Browser ends on `https://phoenix.sankofa.nexus/...`. \|

			`### Client SSO (system SSO; Keycloak as IdP)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `keycloak.sankofa.nexus` \| Web / IdP \| Identity provider for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator Keycloak admin at `/admin`. Backs `admin` and `portal` redirects—not a substitute for those apps. \|
			\| `admin.sankofa.nexus` \| Web \| Client SSO: administer access (users, roles, org access policy). \|
			\| `portal.sankofa.nexus` \| Web \| Client SSO: Phoenix cloud services, Sankofa Marketplace subscriptions, and other client-facing services. \|

docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			`Typical upstream (when NPM is wired) — see [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) Deployment Status:`

			`\| FQDN \| VMID / target \| Notes \|`
			`\|------\|---------------\|--------\|`
			\| `keycloak.sankofa.nexus` \| 7802 (detail in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md)) \| IdP + `/admin` for platform operators \|
feat(sankofa): public web CT 7806, portal NPM/DNS defaults, Keycloak redirect helper - Provision/sync scripts and systemd for corporate Next on 7806; IP_SANKOFA_PUBLIC_WEB for apex NPM - Portal stack: NEXTAUTH_URL default portal.sankofa.nexus; NPM fleet + migrate + DNS ordering - keycloak-sankofa-ensure-client-redirects.sh (KEYCLOAK_ADMIN_PASSWORD); .env.master.example hints - Docs: task list, inventory, FQDN/E2E/EXPECTED_WEB_CONTENT, AGENTS pointers Made-with: Cursor 2026-03-29 13:41:02 -07:00			\| `portal.sankofa.nexus` \| `IP_SANKOFA_CLIENT_SSO` (typ. 7801 · `192.168.11.51:3000`) \| Fleet script creates/updates NPM row; default `NEXTAUTH_URL=https://portal.sankofa.nexus` (`sync-sankofa-portal-7801.sh`) \|
			\| `admin.sankofa.nexus` \| same as `IP_SANKOFA_CLIENT_SSO` \| Shares portal upstream until split; NPM row in fleet script \|
docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`### Operator / systems (IP-gated + MFA)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `dash.sankofa.nexus` \| Web \| IP allowlisting + system authentication + MFA: unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). \|

docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			`Typical upstream: 🔶 Not pinned in VM inventory until NPM and operator dash app are authoritative (same Deployment Status table).`

docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`### Other properties on the zone`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `the-order.sankofa.nexus` \| Web \| OSJ / Order management portal (secure auth); app the_order. Upstream: HAProxy 10210 → portal stack. \|
			\| `www.the-order.sankofa.nexus` \| 301 → apex \| Browser ends on `https://the-order.sankofa.nexus/...`. \|
			\| `studio.sankofa.nexus` \| Web \| Sankofa Studio (FusionAI) UI under `/studio/` (and related API routes on same origin). \|

			`---`

			`## d-bis.org (DBIS + infrastructure)`

chore: sync docs, config schemas, scripts, and meta task alignment - Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON - Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path) - Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README - Meta docs, integration gaps, live verification log, architecture updates - CI validate-config workflow updates Operator/LAN items, submodule working trees, and public token-aggregation edge routes remain follow-up (see TODOS_CONSOLIDATED P1). Made-with: Cursor 2026-03-31 22:31:39 -07:00			Canonical web map: d-bis.org = public institutional site; admin.d-bis.org = admin console; secure.d-bis.org = member secure portal; core.d-bis.org = DBIS Core banking client portal (`dbis_core`). Detail: [DBIS_INSTITUTIONAL_SUBDOMAINS.md](DBIS_INSTITUTIONAL_SUBDOMAINS.md).

docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
chore: sync docs, config schemas, scripts, and meta task alignment - Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON - Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path) - Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README - Meta docs, integration gaps, live verification log, architecture updates - CI validate-config workflow updates Operator/LAN items, submodule working trees, and public token-aggregation edge routes remain follow-up (see TODOS_CONSOLIDATED P1). Made-with: Cursor 2026-03-31 22:31:39 -07:00			\| `d-bis.org`, `www.d-bis.org` \| Web \| Public DBIS institutional portal (sovereign / policy / directory). www should redirect to apex when used. \|
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			\| `explorer.d-bis.org` \| Web \| SolaceScanScout / Blockscout UI: blocks, txs, addresses, tokens, contract verification for Chain 138. Public, no login for browse. \|
			\| `docs.d-bis.org` \| Web \| Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). \|
chore: sync docs, config schemas, scripts, and meta task alignment - Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON - Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path) - Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README - Meta docs, integration gaps, live verification log, architecture updates - CI validate-config workflow updates Operator/LAN items, submodule working trees, and public token-aggregation edge routes remain follow-up (see TODOS_CONSOLIDATED P1). Made-with: Cursor 2026-03-31 22:31:39 -07:00			\| `admin.d-bis.org` \| Web \| DBIS admin console (operations staff). \|
			\| `dbis-admin.d-bis.org` \| Web \| Legacy admin hostname; same expected content as admin.d-bis.org if DNS retained. \|
			\| `secure.d-bis.org` \| Web \| DBIS member secure portal (authenticated institutions); may path-route `/admin`, `/api`, `/` per NPM (see ALL_VMIDS). \|
			\| `core.d-bis.org` \| Web \| DBIS Core banking app — client-facing portal (login, accounts, products as implemented in dbis_core); upstream when wired. \|
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			\| `dbis-api.d-bis.org` \| API \| DBIS core API (aggregation, OTC, exchange JSON). \|
			\| `dbis-api-2.d-bis.org` \| API \| Secondary DBIS API instance. \|
			\| `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` \| Web \| MIM4U property sites (nginx on MIM stack). \|
			\| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` \| RPC-HTTP \| Public Besu JSON-RPC (Chain 138); `eth_chainId` → `0x8a`. \|
			\| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` \| RPC-WS \| Public Besu WebSocket RPC. \|
			\| `rpc-http-prv.d-bis.org` \| RPC-HTTP \| Core / private JSON-RPC (permissioned use). \|
			\| `rpc-ws-prv.d-bis.org` \| RPC-WS \| Core / private WebSocket RPC. \|
			\| `rpc-fireblocks.d-bis.org` \| RPC-HTTP \| Fireblocks-dedicated JSON-RPC endpoint. \|
			\| `ws.rpc-fireblocks.d-bis.org` \| RPC-WS \| Fireblocks-dedicated WebSocket RPC. \|
			\| `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` \| RPC-HTTP \| Alltra RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). \|
			\| `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` \| RPC-HTTP \| HYBX RPC fronts; same class as Alltra. \|
			\| `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` \| Web \| Cacti monitoring UI (graphs, device views). \|
			\| `mifos.d-bis.org` \| Web \| Mifos banking platform UI (when backend healthy). \|
			\| `dapp.d-bis.org` \| Web \| DApp static/hosted frontend (VMID per ALL_VMIDS). \|
			\| `gitea.d-bis.org` \| Web \| Gitea git forge UI. \|
			\| `dev.d-bis.org` \| Web \| Dev workspace UI (codespaces / dev host). \|
			\| `codespaces.d-bis.org` \| Web \| Codespaces / dev related web entry (as wired on NPM). \|

			`---`

			`## defi-oracle.io (ThirdWeb / public edge)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `rpc.public-0138.defi-oracle.io` \| RPC-HTTP \| ThirdWeb-style HTTPS RPC terminator on VMID 2400; JSON-RPC to Chain 138. \|
			\| `rpc.defi-oracle.io` \| RPC-HTTP \| Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). \|
			\| `wss.defi-oracle.io` \| RPC-WS \| Public WebSocket RPC companion. \|
docs(fqdn): align SSO/dash/blockscout rows with EXPECTED_WEB_CONTENT v1.5 - Link Deployment Status matrix; portal 7801 + sync script; admin/dash intent - blockscout.defi-oracle.io as full table row (VMID 5000, not canonical 138) - Tighten inventory alignment footer Made-with: Cursor 2026-03-28 16:49:26 -07:00			\| `blockscout.defi-oracle.io` \| Web \| Blockscout explorer UI (generic / reference). When NPM proxies here, routing summaries align with VMID 5000 (`192.168.11.140:80`, TLS at NPM). Not canonical SolaceScanScout / Chain 138 branding—that is `explorer.d-bis.org`. Confirm live NPM if behavior differs. \|
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00
			`---`

			`## xom-dev.phoenix.sankofa.nexus (gov portals dev)`

			`\| FQDN \| Kind \| What should be displayed or returned \|`
			`\|------\|------\|--------------------------------------\|`
			\| `dbis.xom-dev.phoenix.sankofa.nexus` \| Web \| Gov portals dev app on port 3001 (VMID 7804 family). \|
			\| `iccc.xom-dev.phoenix.sankofa.nexus` \| Web \| Idem, port 3002. \|
			\| `omnl.xom-dev.phoenix.sankofa.nexus` \| Web \| Idem, port 3003. \|
			\| `xom.xom-dev.phoenix.sankofa.nexus` \| Web \| Idem, port 3004. \|

			`---`

			`## Operator checklist`

feat(sankofa): public web CT 7806, portal NPM/DNS defaults, Keycloak redirect helper - Provision/sync scripts and systemd for corporate Next on 7806; IP_SANKOFA_PUBLIC_WEB for apex NPM - Portal stack: NEXTAUTH_URL default portal.sankofa.nexus; NPM fleet + migrate + DNS ordering - keycloak-sankofa-ensure-client-redirects.sh (KEYCLOAK_ADMIN_PASSWORD); .env.master.example hints - Docs: task list, inventory, FQDN/E2E/EXPECTED_WEB_CONTENT, AGENTS pointers Made-with: Cursor 2026-03-29 13:41:02 -07:00			- Wrong content (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means NPM upstream or DNS is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). Ensure `portal.sankofa.nexus` / `admin.sankofa.nexus` DNS exist; `dash` is created in NPM only when `IP_SANKOFA_DASH` is set in `config/ip-addresses.conf`.
docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor 2026-03-27 18:46:56 -07:00			- *301 on `www.` is intentional; content is judged on the apex** hostname after redirect.

			`---`

feat(e2e): add SSO, docs.d-bis, blockscout.defi-oracle to routing verifier - DOMAIN_TYPES_ALL: keycloak/admin/portal/dash, docs.d-bis.org, blockscout.defi-oracle.io (web) - E2E_OPTIONAL_WHEN_FAIL: same set for soft failures off-LAN - Optional Blockscout /api/v2/stats for blockscout.defi-oracle.io - print-gitea-actions-urls.sh: browser URLs (Actions API not relied on) - E2E_ENDPOINTS_LIST + FQDN inventory alignment updated Made-with: Cursor 2026-03-28 17:29:50 -07:00			Inventory alignment: `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` includes `keycloak.sankofa.nexus`, `admin.sankofa.nexus`, `portal.sankofa.nexus`, `dash.sankofa.nexus`, `docs.d-bis.org`, and `blockscout.defi-oracle.io` (see [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md); `--list-endpoints --profile=public`). They are in `E2E_OPTIONAL_WHEN_FAIL` so unwired NPM or off-LAN runs still exit 0. `portal.sankofa.nexus` is expected on VMID 7801 when NPM is configured ( Deployment Status in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). `admin.sankofa.nexus` and `dash.sankofa.nexus` remain hostname intent until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). `blockscout.defi-oracle.io` aligns with VMID 5000 in routing summaries (not `explorer.d-bis.org` branding). xom-dev hostnames are not in the E2E list yet—add when NPM routes are stable.