Follow-ups: DNS dry-run/zone-only, Order NPM IDs, E2E Location assert, the-order block_exploits

- update-all-dns-to-public-ip.sh: --dry-run (no CF API), --zone-only=ZONE, help before .env, env CLOUDFLARE_DNS_DRY_RUN/DNS_ZONE_ONLY
- update-sankofa-npmplus-proxy-hosts.sh: the-order + www.the-order by ID (env SANKOFA_NPM_ID_THE_ORDER, SANKOFA_NPM_ID_WWW_THE_ORDER, THE_ORDER_UPSTREAM_*)
- update-npmplus-proxy-hosts-api.sh: the-order.sankofa.nexus uses block_exploits false like sankofa portal
- verify-end-to-end-routing.sh: E2E_WWW_CANONICAL_BASE + Location validation (fail on wrong apex); keep local redirect vars
- docs: ALL_VMIDS www 301 lines, E2E_ENDPOINTS_LIST verifier/DNS notes; AGENTS.md Cloudflare script pointer

Made-with: Cursor

scripts/verify/verify-end-to-end-routing.sh

@@ -193,6 +193,30 @@ declare -A E2E_HTTPS_PATH=(
     ["studio.sankofa.nexus"]="/studio/"
 )
 
+# Expected apex URL for NPM www → canonical 301/308 (Location must use this host; path from E2E_HTTPS_PATH must appear when set)
+declare -A E2E_WWW_CANONICAL_BASE=(
+    ["www.sankofa.nexus"]="https://sankofa.nexus"
+    ["www.phoenix.sankofa.nexus"]="https://phoenix.sankofa.nexus"
+    ["www.the-order.sankofa.nexus"]="https://the-order.sankofa.nexus"
+)
+
+# Returns 0 if Location URL matches expected canonical apex (and HTTPS path suffix when non-empty).
+e2e_www_redirect_location_ok() {
+    local loc_val="$1" base="$2" path="${3:-}"
+    local loc_lc base_lc
+    loc_lc=$(printf '%s' "$loc_val" | tr '[:upper:]' '[:lower:]')
+    base_lc=$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')
+    if [[ "$loc_lc" != "$base_lc" && "$loc_lc" != "$base_lc/"* ]]; then
+        return 1
+    fi
+    if [ -n "$path" ] && [ "$path" != "/" ]; then
+        local p_lc
+        p_lc=$(printf '%s' "$path" | tr '[:upper:]' '[:lower:]')
+        [[ "$loc_lc" == *"$p_lc"* ]] || return 1
+    fi
+    return 0
+}
+
 # --list-endpoints: print selected profile endpoints and exit (no tests)
 if [[ "$LIST_ENDPOINTS" == "1" ]]; then
     echo ""
@@ -332,7 +356,8 @@ test_domain() {
         
         if [ -n "$http_code" ]; then
             # NPM canonical www → apex (advanced_config return 301/308)
-            _e2e_canonical_www_redirect=""
+            local _e2e_canonical_www_redirect=""
+            local location_hdr=""
             case "$domain" in
                 www.sankofa.nexus|www.phoenix.sankofa.nexus|www.the-order.sankofa.nexus)
                     if [ "$http_code" = "301" ] || [ "$http_code" = "308" ]; then
@@ -342,9 +367,25 @@ test_domain() {
             esac
             if [ -n "$_e2e_canonical_www_redirect" ]; then
                 location_hdr=$(echo "$headers" | grep -iE '^[Ll]ocation:' | head -1 | tr -d '\r' || echo "")
-                log_success "HTTPS: $domain returned HTTP $http_code (canonical redirect)${https_path:+ at ${https_url}}"
-                result=$(echo "$result" | jq --arg code "$http_code" --arg time "$time_total" --arg loc "$location_hdr" \
-                    '.tests.https = {"status": "pass", "http_code": ($code | tonumber), "response_time_seconds": ($time | tonumber), "canonical_redirect": true, "location_header": $loc}')
+                loc_val=$(printf '%s' "$location_hdr" | sed -E 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*//' | sed 's/[[:space:]]*$//')
+                expected_base="${E2E_WWW_CANONICAL_BASE[$domain]:-}"
+                if [ -z "$loc_val" ]; then
+                    log_warn "HTTPS: $domain returned HTTP $http_code but no Location header${https_path:+ (${https_url})}"
+                    result=$(echo "$result" | jq --arg code "$http_code" --arg time "$time_total" \
+                        '.tests.https = {"status": "warn", "http_code": ($code | tonumber), "response_time_seconds": ($time | tonumber), "note": "missing Location on redirect"}')
+                elif [ -z "$expected_base" ]; then
+                    log_warn "HTTPS: $domain redirect pass (no E2E_WWW_CANONICAL_BASE entry)"
+                    result=$(echo "$result" | jq --arg code "$http_code" --arg time "$time_total" --arg loc "$location_hdr" \
+                        '.tests.https = {"status": "pass", "http_code": ($code | tonumber), "response_time_seconds": ($time | tonumber), "canonical_redirect": true, "location_header": $loc}')
+                elif ! e2e_www_redirect_location_ok "$loc_val" "$expected_base" "$https_path"; then
+                    log_error "HTTPS: $domain Location mismatch (got \"$loc_val\", expected prefix \"$expected_base\" with path \"${https_path:-/}\")"
+                    result=$(echo "$result" | jq --arg code "$http_code" --arg time "$time_total" --arg loc "$loc_val" --arg exp "$expected_base" --arg pth "${https_path:-}" \
+                        '.tests.https = {"status": "fail", "http_code": ($code | tonumber), "response_time_seconds": ($time | tonumber), "reason": "location_mismatch", "location": $loc, "expected_prefix": $exp, "expected_path_suffix": $pth}')
+                else
+                    log_success "HTTPS: $domain returned HTTP $http_code (canonical redirect → $loc_val)${https_path:+ at ${https_url}}"
+                    result=$(echo "$result" | jq --arg code "$http_code" --arg time "$time_total" --arg loc "$location_hdr" \
+                        '.tests.https = {"status": "pass", "http_code": ($code | tonumber), "response_time_seconds": ($time | tonumber), "canonical_redirect": true, "location_header": $loc}')
+                fi
             elif [ "$http_code" -ge 200 ] && [ "$http_code" -lt 400 ]; then
                 log_success "HTTPS: $domain returned HTTP $http_code (Time: ${time_total}s)${https_path:+ at ${https_path}}"