From 1e27cc83c210a004deb0e53b11e06d306690de56 Mon Sep 17 00:00:00 2001 From: defiQUG Date: Fri, 27 Mar 2026 19:10:37 -0700 Subject: [PATCH] =?UTF-8?q?docs:=20EXPECTED=5FWEB=5FCONTENT=20=E2=80=94=20?= =?UTF-8?q?The=20Order=20(10210),=20studio,=20www=20301?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Hostname model + §2b deployment (HAProxy → portal), alignment summary, diagram, deployment table - Version 1.3; matches FQDN_EXPECTED_CONTENT and live NPM routing Made-with: Cursor --- docs/02-architecture/EXPECTED_WEB_CONTENT.md | 42 ++++++++++++++++++-- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/docs/02-architecture/EXPECTED_WEB_CONTENT.md b/docs/02-architecture/EXPECTED_WEB_CONTENT.md index e7dd2cb..2e75bc9 100644 --- a/docs/02-architecture/EXPECTED_WEB_CONTENT.md +++ b/docs/02-architecture/EXPECTED_WEB_CONTENT.md @@ -1,7 +1,7 @@ # Web Properties — Ground Truth & Validation **Last Updated:** 2026-03-27 -**Document Version:** 1.2 +**Document Version:** 1.3 **Status:** Active Documentation --- 
@@ -20,6 +20,9 @@ This document reconciles **expected intent**, **current deployment state**, and |----------|------|--------|------------------| | `sankofa.nexus` | **Public web** | Unauthenticated visitors | **Sankofa — Sovereign Technologies:** corporate / brand public site (marketing, narrative, entry points). | | `phoenix.sankofa.nexus` | **Public web** | Unauthenticated visitors (for public pages) | **Phoenix Cloud Services** (a division of Sankofa): public-facing web for the cloud services division. | +| `the-order.sankofa.nexus` | **Public web** (program portal) | Secure auth (product-dependent) | **OSJ / Order management** portal; application source **the_order**. **NPM** → VMID **10210** order-haproxy `192.168.11.39:80` → Sankofa portal stack **192.168.11.51:3000** (7801). See `scripts/deployment/provision-order-haproxy-10210.sh`. | +| `www.the-order.sankofa.nexus` | **Redirect** | Browser follows 301 | **301** → `https://the-order.sankofa.nexus` (same policy as `www.sankofa` / `www.phoenix`). | +| `studio.sankofa.nexus` | **Public web** (tooling) | Unauthenticated or app auth per product | **Sankofa Studio** (FusionAI); VMID **7805**, `192.168.11.72:8000`, UI under `/studio/`. | | `keycloak.sankofa.nexus` | **SSO infrastructure** (IdP) | Browser hits login + token flows; operators use admin | **Keycloak:** OIDC/SAML identity provider behind client SSO. Serves realm login UI, well-known and token endpoints, and **admin console** at `/admin`. **Consumes:** `admin.sankofa.nexus` and `portal.sankofa.nexus` (and other registered clients) redirect here for authentication; it does **not** replace those hostnames. | | `admin.sankofa.nexus` | **Client SSO** | SSO (system-mediated) | **Client administration of access:** who can access what (invites, roles, org settings, access policy). 
| | `portal.sankofa.nexus` | **Client SSO** | SSO | **Client workspace:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services behind one SSO boundary. | @@ -61,6 +64,24 @@ This document reconciles **expected intent**, **current deployment state**, and --- +## 2b. the-order.sankofa.nexus (public hostname — OSJ / Order portal) + +**Role:** Public hostname for the **Order** / OSJ management experience (secure auth as implemented in **the_order**). +**Comparable to:** A dedicated program or division portal—not the corporate apex (`sankofa.nexus`) and not the generic client SSO workspace (`portal.sankofa.nexus`) unless product explicitly converges them. + +### Expected content +- Order/OSJ management UI and flows behind authentication as defined by the app +- Same **Next.js portal stack** as Sankofa public site today, reached via **HAProxy** so NPM and headers can be tuned independently + +### Current deployment (typical) +- **Edge:** VMID **10210** (order-haproxy) · **192.168.11.39:80** — proxies to **192.168.11.51:3000** (VMID **7801** portal) +- **NPMplus:** `update-npmplus-proxy-hosts-api.sh` defaults `THE_ORDER_UPSTREAM_*` to **.39:80**; bypass with `THE_ORDER_UPSTREAM_IP=192.168.11.51` `THE_ORDER_UPSTREAM_PORT=3000` if 10210 is down + +### Notes +- **`www.the-order.sankofa.nexus`** is only for **canonical URL** policy (301 → apex); do not treat it as a separate product surface. + +--- + ## 3. keycloak.sankofa.nexus (SSO — identity provider) **Role:** **OIDC/SAML IdP** for the Sankofa / Phoenix client ecosystem. 
@@ -166,6 +187,9 @@ This document reconciles **expected intent**, **current deployment state**, and |--------|---------|------------|------------|-------------| | sankofa.nexus | Sovereign Technologies (corporate) | Yes (intended) | None for public pages | ✅ | | phoenix.sankofa.nexus | Phoenix Cloud Services (division) | Yes (intended) | None for public pages | ✅ | +| the-order.sankofa.nexus | OSJ / Order management portal | Yes (app UI) | Per **the_order** | ✅ | +| www.the-order.sankofa.nexus | Redirect to apex | — | — | ✅ | +| studio.sankofa.nexus | Sankofa Studio (FusionAI) | Yes (`/studio/`) | Per app | ✅ | | keycloak.sankofa.nexus | IdP for client SSO | Login UI only | IdP + admin | ✅ | | admin.sankofa.nexus | Client access administration | No | SSO | ✅ | | portal.sankofa.nexus | Client services + marketplace | No | SSO | ✅ | @@ -178,10 +202,11 @@ This document reconciles **expected intent**, **current deployment state**, and ## Confirmed Architectural Intent - **sankofa.nexus** = public brand for **Sankofa — Sovereign Technologies** - **phoenix.sankofa.nexus** = public web for **Phoenix Cloud Services** (division of Sankofa); API surfaces may share deployment +- **the-order.sankofa.nexus** = **Order / OSJ** program portal at a dedicated hostname; **edge** at 10210 (HAProxy) then portal **7801** unless bypassed for maintenance - **portal / admin** = **client SSO** tier; **Keycloak** = shared IdP - **dash** = **IP-gated** operator systems admin with **MFA** - **DBIS Explorer** = public transparency + settlement inspection -- **No accidental overlap** between public marketing, client SSO, operator dash, and explorer transparency +- **No accidental overlap** between public marketing, client SSO, operator dash, explorer transparency, and **Order** program hostname (unless product explicitly merges flows) --- 
@@ -221,7 +246,7 @@ This document reconciles **expected intent**, **current deployment state**, and These are **possible futures**, not commitments: -- NPM `www.*` → apex **301** policy vs additional marketing hostnames +- NPM `www.*` → apex **301** policy (incl. `www.sankofa`, `www.phoenix`, `www.the-order`) vs additional marketing hostnames - `admin` / `portal` / `dash` upstream targets on NPM (when split from legacy single-host deployments) - Delegated Phoenix UI development - Explorer rebrand or federation @@ -243,6 +268,9 @@ NPMplus (Reverse Proxy + SSL) ↓ ├─→ sankofa.nexus → Public web: Sankofa — Sovereign Technologies ├─→ phoenix.sankofa.nexus → Public web: Phoenix Cloud Services (division) + ├─→ the-order.sankofa.nexus → Order/OSJ portal (10210 HAProxy → portal 7801) + ├─→ www.the-order.sankofa.nexus → 301 → the-order apex + ├─→ studio.sankofa.nexus → Studio (7805 /studio/) │ ├─→ admin.sankofa.nexus → Client SSO: administer access ├─→ portal.sankofa.nexus → Client SSO: Phoenix cloud + marketplace + client services @@ -256,7 +284,9 @@ NPMplus (Reverse Proxy + SSL) Backend (typical): ├─→ Keycloak VMID 7802, PostgreSQL VMID 7803 - └─→ Phoenix API VMID 7800, Sankofa web VMID 7801 (until admin/portal/dash are split to own upstreams) + ├─→ Phoenix API VMID 7800, Sankofa web VMID 7801 + └─→ Order edge VMID 10210 (HAProxy .39:80 → .51:3000); Studio VMID 7805 + (until admin/portal/dash are split to own upstreams) ``` --- 
@@ -269,6 +299,8 @@ Backend (typical): |---------|--------|------|-----|------|--------|----------------| | **Phoenix** (API today; division hostname) | phoenix.sankofa.nexus | 7800 | 192.168.11.50 | 4000 | ✅ Active | Public web **intent**; API paths coexist | | **Sankofa public web** | sankofa.nexus | 7801 | 192.168.11.51 | 3000 | ✅ Active | Public **intent** (see hostname model) | +| **The Order (edge)** | the-order.sankofa.nexus | 10210 → 7801 | 192.168.11.39:80 → .51:3000 | 80 → 3000 | ✅ Active | HAProxy then portal; see §2b | +| **Sankofa Studio** | studio.sankofa.nexus | 7805 | 192.168.11.72 | 8000 | ✅ Active | `/studio/` | | **Keycloak IdP** | keycloak.sankofa.nexus | 7802 | (see ALL_VMIDS) | 8080 | ✅ Active | IdP + `/admin` | | **Client admin (SSO)** | admin.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | SSO | | **Client portal (SSO)** | portal.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | SSO | @@ -288,6 +320,8 @@ Backend (typical): - **phoenix.sankofa.nexus** = Public division site — **Phoenix Cloud Services** - **portal.sankofa.nexus** / **admin.sankofa.nexus** = **Client SSO** apps (Keycloak as IdP) - **dash.sankofa.nexus** = **IP-gated** operator systems admin (**MFA**) +- **the-order.sankofa.nexus** = **Order / OSJ** portal hostname (edge **10210** → portal **7801**) +- **studio.sankofa.nexus** = **Studio** tooling (**7805**) - **explorer.d-bis.org** = Blockchain explorer (like Etherscan) - **blockscout.defi-oracle.io** = Generic explorer instance
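
Review bot: In the hostname table hunk (@@ -20,6 +20,9), the `the-order.sankofa.nexus` and `studio.sankofa.nexus` rows leave the access expectation open ("Secure auth (product-dependent)", "Unauthenticated or app auth per product"), so a validation run against this ground-truth table has nothing concrete to check for an unauthenticated request. Suggest stating per host what an unauthenticated visitor should receive (public landing page, login redirect, or denial), in the way the `keycloak.sankofa.nexus` row names the login UI and `/admin`. In the same `the-order` row, the bare "(7801)" after `192.168.11.51:3000` reads like a port; write "VMID 7801" as §2b does.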
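
Review bot: In the §2b hunk (@@ -61,6 +64,24), the NPMplus bullet documents the bypass (`THE_ORDER_UPSTREAM_IP=192.168.11.51` `THE_ORDER_UPSTREAM_PORT=3000`) without saying what is lost while it is active or how it is undone. The "Expected content" bullet in the same section justifies HAProxy as the place where headers can be tuned independently, so pointing NPM straight at the portal skips whatever is configured on 10210. Suggest adding that the bypass is temporary, that any header or routing rules kept on 10210 do not apply during it, and that the `.39:80` defaults should be restored once 10210 is back.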
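
Review bot: In the Confirmed Architectural Intent hunk (@@ -178,10 +202,11), the extended "No accidental overlap" bullet now covers the Order hostname, but the bullet added earlier in this hunk sends that hostname to portal 7801, which the deployment table lists as the upstream for `sankofa.nexus` (`192.168.11.51`, port 3000). The separation is therefore at the hostname level only. Suggest saying so, or adding how 7801 distinguishes Order requests from public-site requests, so the no-overlap claim can be validated.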
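
Review bot: In the hunk at @@ -221,7 +246,7, `www.the-order` is added to a bullet that sits under "These are **possible futures**, not commitments", while the hostname table and the alignment table in this same patch record the `www.the-order.sankofa.nexus` 301 as expected behaviour and mark it ✅. Suggest rewording the bullet so that only the open question (additional marketing hostnames) sits under possible futures and the existing 301 policy is referenced as current.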
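
Review bot: In the Backend hunk (@@ -256,7 +284,9), the qualifier "(until admin/portal/dash are split to own upstreams)" was attached to the Phoenix API / Sankofa web line and now sits on its own line under the new `└─→ Order edge VMID 10210 ...; Studio VMID 7805` entry, where it reads as applying to the Order edge and Studio. Suggest keeping it on the `Phoenix API VMID 7800, Sankofa web VMID 7801` line, or rewording it to name the hosts it qualifies.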
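
Review bot: In the deployment table hunk (@@ -269,6 +299,8), the **The Order (edge)** row puts ports in the IP column (`192.168.11.39:80 → .51:3000`), repeats them in the Port column (`80 → 3000`), and abbreviates the second address to `.51`, while the other rows that carry an address keep a bare, full IP. Suggest `192.168.11.39 → 192.168.11.51` in the IP column so the row stays consistent with the `sankofa.nexus` and `studio.sankofa.nexus` rows and can be compared field by field during validation.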