docs(A): sync high-value runbooks for The Order (10210 HAProxy)

- SANKOFA_CUTOVER_PLAN: live backends table, fix TBDs, historical step labels - SANKOFA_THE_ORDER_CHECKLIST: replace with done + bypass + pointers - DNS comprehensive + streamlined tables: the-order row and sankofa zone live - E2E Cloudflare runbook: the-order backend column Made-with: Cursor
2026-03-27 15:24:54 -07:00
parent a086c451c3
commit 4f383490a3
5 changed files with 64 additions and 56 deletions
--- a/docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md
+++ b/docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md
@@ -1,7 +1,7 @@
 # DNS → NPMplus → VM Comprehensive Architecture Table

-**Last Updated:** 2026-01-31  
-**Document Version:** 1.0  
+**Last Updated:** 2026-03-27  
+**Document Version:** 1.1  
 **Status:** Active Documentation

 ---
@@ -62,7 +62,7 @@ Backend VMs (Various IPs) - Services with/without Nginx
 | `www.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 64 | 22 | `192.168.11.51:3000` | 7801 | 192.168.11.51 | sankofa-portal-1 | r630-01 | Sankofa Portal | ❌ No | 3000 | HTTP → 3000 |
 | `phoenix.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 51 | 23 | `192.168.11.50:4000` | 7800 | 192.168.11.50 | sankofa-api-1 | r630-01 | Phoenix API | ❌ No | 4000 | HTTP → 4000 |
 | `www.phoenix.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 63 | 24 | `192.168.11.50:4000` | 7800 | 192.168.11.50 | sankofa-api-1 | r630-01 | Phoenix API | ❌ No | 4000 | HTTP → 4000 |
-| `the-order.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 60 | 25 | ⚠️ TBD | TBD | TBD | — | — | The Order Portal | — | — | ⚠️ Configure when deployed |
+| `the-order.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 60 | 25 | `192.168.11.39:80` | 10210 | 192.168.11.39 | order-haproxy | r630-01 | The Order (HAProxy→portal) | ❌ No | 80 | HTTP → 80 → `.51:3000` |
 | **defi-oracle.io Zone** |
 | `rpc.public-0138.defi-oracle.io` | A | 76.53.10.36 | DNS Only | 56 | 26 | `192.168.11.240:443` | 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ThirdWeb RPC | ✅ Yes | 443 | HTTPS → 443 |

--- a/docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md
+++ b/docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md
@@ -1,7 +1,7 @@
 # DNS → NPMplus → VM Streamlined Architecture Table

-**Last Updated:** 2026-01-31  
-**Document Version:** 1.0  
+**Last Updated:** 2026-03-27  
+**Document Version:** 1.1  
 **Status:** Active Documentation

 ---
@@ -59,17 +59,17 @@ Backend VMs (Various IPs) - Services with/without Nginx
 | `secure.mim4u.org` | 59 | 19 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Secure Portal |
 | `training.mim4u.org` | 61 | 20 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Training Portal |

-### sankofa.nexus Zone (5 Domains) ⚠️
+### sankofa.nexus zone (live backends)

-| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type | Status |
-|--------|----------|---------------|------------|----|----|-----------|--------------|--------|
-| `sankofa.nexus` | 57 | 21 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Sankofa Main Portal | ⚠️ Not Deployed |
-| `www.sankofa.nexus` | 64 | 22 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Sankofa Main Portal | ⚠️ Not Deployed |
-| `phoenix.sankofa.nexus` | 51 | 23 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Phoenix Site | ⚠️ Not Deployed |
-| `www.phoenix.sankofa.nexus` | 63 | 24 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Phoenix Site | ⚠️ Not Deployed |
-| `the-order.sankofa.nexus` | 60 | 25 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | The Order Portal | ⚠️ Not Deployed |
+| Domain | SSL Cert (ex.) | NPMplus Proxy (ex.) | Backend VM | IP | Port | Has Nginx | Service type | Status |
+|--------|------------------|---------------------|------------|----|------|-----------|--------------|--------|
+| `sankofa.nexus` | 57 | 21 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal | ✅ Live |
+| `www.sankofa.nexus` | 64 | 22 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal (301 apex) | ✅ Live |
+| `phoenix.sankofa.nexus` | 51 | 23 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API | ✅ Live |
+| `www.phoenix.sankofa.nexus` | 63 | 24 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API (301 apex) | ✅ Live |
+| `the-order.sankofa.nexus` | 60 | 25 | 10210 | 192.168.11.39 | 80 | ❌ No | Order via HAProxy→portal | ✅ Live |

-**⚠️ Note**: All Sankofa domains currently route to Blockscout (192.168.11.140) but services are NOT deployed. This is incorrect routing and needs to be fixed once services are deployed.
+**Note:** SSL cert and NPM proxy **IDs** differ per installation—verify in NPM UI. **IPs/ports** are authoritative vs Blockscout (`.140` is only for `explorer.d-bis.org`). See [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).

 ### defi-oracle.io Zone (3 Domains)

--- a/docs/04-configuration/SANKOFA_CUTOVER_PLAN.md
+++ b/docs/04-configuration/SANKOFA_CUTOVER_PLAN.md
@@ -1,8 +1,10 @@
 # Sankofa Cutover Plan

-**Last Updated:** 2026-01-31  
-**Document Version:** 1.0  
-**Status:** Active Documentation
+**Last Updated:** 2026-03-27  
+**Document Version:** 1.1  
+**Status:** Active Documentation (historical procedure + live targets)
+
+**Live NPM routing (2026-03-27):** Sankofa / Phoenix / The Order / Studio are on production backends. Canonical: [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md). **The Order:** NPM → **192.168.11.39:80** (VMID **10210** HAProxy) → **192.168.11.51:3000** (portal 7801). Fleet updater: `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`. NPM proxy host numeric IDs below may differ from your DB—verify in NPM UI.

 ---

@@ -12,23 +14,22 @@

 ---

-## Current State
+## Current state (post-cutover)

-### Sankofa Domains (5 Total)
+### Sankofa zone domains (authoritative backends)

-| Domain | SSL Cert ID | NPMplus Proxy Host ID | Current Backend | Status |
-|--------|-------------|----------------------|-----------------|--------|
-| `sankofa.nexus` | 57 | 21 | 192.168.11.140:80 (Blockscout) | ⚠️ Temporary |
-| `www.sankofa.nexus` | 64 | 22 | 192.168.11.140:80 (Blockscout) | ⚠️ Temporary |
-| `phoenix.sankofa.nexus` | 51 | 23 | 192.168.11.140:80 (Blockscout) | ⚠️ Temporary |
-| `www.phoenix.sankofa.nexus` | 63 | 24 | 192.168.11.140:80 (Blockscout) | ⚠️ Temporary |
-| `the-order.sankofa.nexus` | 60 | 25 | 192.168.11.140:80 (Blockscout) | ⚠️ Temporary |
+| Domain | NPMplus forwards to (HTTP) | Origin stack | Notes |
+|--------|----------------------------|--------------|--------|
+| `sankofa.nexus`, `www.sankofa.nexus` | `192.168.11.51:3000` | VMID 7801 portal | `www` → 301 apex in NPM |
+| `phoenix.sankofa.nexus`, `www.phoenix.sankofa.nexus` | `192.168.11.50:4000` | VMID 7800 API | `www` → 301 apex |
+| `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus` | `192.168.11.39:80` | VMID 10210 → `.51:3000` | `www` → 301 apex; HAProxy: `provision-order-haproxy-10210.sh` |
+| `studio.sankofa.nexus` | `192.168.11.72:8000` | VMID 7805 | — |

-**Current Issue**: All 5 Sankofa domains route to Blockscout (VMID 5000) but Sankofa services are NOT deployed.
+**SSL:** Terminated at NPMplus (Let’s Encrypt). **Do not** point these hostnames at Blockscout (`192.168.11.140`) except for explorer domains.

-**SSL Certificates**: All certificates exist and are valid until 2026-04-16.
+### Historical note (pre-2026 cutover)

-**NPMplus Proxy Hosts**: All proxy hosts exist and are configured, but point to wrong backend.
+Previously these hostnames temporarily targeted Blockscout. The step-by-step below documents that migration; IDs (SSL cert / proxy host #) were examples—confirm in your NPMplus instance.

 ---

@@ -67,9 +68,9 @@ done
 | `www.sankofa.nexus` | 7801 | 192.168.11.51 | 3000 | Portal | Sankofa Portal (Microsoft Website) |
 | `phoenix.sankofa.nexus` | 7800 | 192.168.11.50 | 4000 | API | Phoenix API (Azure-like Portal) |
 | `www.phoenix.sankofa.nexus` | 7800 | 192.168.11.50 | 4000 | API | Phoenix API (Azure-like Portal) |
-| `the-order.sankofa.nexus` | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | To be determined |
+| `the-order.sankofa.nexus` | 10210 | 192.168.11.39 | 80 | HAProxy edge | Proxies to portal 7801 `:3000`; app **the_order** |

-**Note**: Replace ⚠️ TBD with actual values once Sankofa services are deployed.
+**Note:** `www.the-order.sankofa.nexus` uses the same NPM upstream as apex; NPM `advanced_config` 301 → `https://the-order.sankofa.nexus`.

 ### 3. Health Endpoints Verified

@@ -143,10 +144,9 @@ curl -s -k -X GET "$NPM_URL/api/nginx/proxy-hosts" \
    jq '.[] | select(.domain_names[] == "sankofa.nexus")'
 ```

-3. **Document Current State**:
-   - All 5 Sankofa domains currently route to `192.168.11.140:80` (Blockscout)
-   - SSL certificates exist (IDs: 51, 57, 60, 63, 64)
-   - Proxy hosts exist (IDs: 21-25)
+3. **Document state (historical pre-cutover)**:
+   - Before cutover, these domains pointed at `192.168.11.140:80` (Blockscout)
+   - SSL certificates existed (example IDs: 51, 57, 60, 63, 64); proxy hosts (example 21–25)—**confirm in your NPM DB**

 ---

@@ -167,9 +167,7 @@ for vmid in <SANKOFA_VMIDS>; do
 done
 ```

-3. **Document Actual IPs/Ports**:
-   - Update the TBD table above with actual values
-   - Record VMIDs, IPs, ports, and service types
+3. **Document actual IPs/ports** (✅ filled in **Current state** section and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md))

 ---

@@ -224,9 +222,9 @@ curl -s -k -X PUT "$NPM_URL/api/nginx/proxy-hosts/$HOST_ID" \
 | `www.sankofa.nexus` | 22 | 192.168.11.140:80 | 192.168.11.51:3000 |
 | `phoenix.sankofa.nexus` | 23 | 192.168.11.140:80 | 192.168.11.50:4000 |
 | `www.phoenix.sankofa.nexus` | 24 | 192.168.11.140:80 | 192.168.11.50:4000 |
-| `the-order.sankofa.nexus` | 25 | 192.168.11.140:80 | ⚠️ TBD (to be determined) |
+| `the-order.sankofa.nexus` | 25 (example) | 192.168.11.140:80 (old) | `192.168.11.39:80` (10210 HAProxy) |

-**Note**: `the-order.sankofa.nexus` target service needs to be determined.
+**Note:** Use `update-npmplus-proxy-hosts-api.sh` for domain-based updates; proxy host IDs vary.

 ---

@@ -319,19 +317,9 @@ cat docs/04-configuration/INGRESS_SOURCE_OF_TRUTH.json | jq '.backend_vms[] | se

 ---

-### Step 7: Update Baseline Documentation
+### Step 7: Update baseline documentation

-**Update reference docs with actual values**:
-
-1. **Update Comprehensive Architecture Doc**:
-   - File: `docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md`
-   - Replace TBD values with actual Sankofa VM details
-   - Update status from ⚠️ to ✅
-
-2. **Update Streamlined Table Doc**:
-   - File: `docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md`
-   - Replace TBD values with actual Sankofa VM details
-   - Update status from ⚠️ Not Deployed to ✅ Active
+**Status 2026-03-27:** Comprehensive and streamlined DNS/NPM tables, RPC_ENDPOINTS_MASTER, and ALL_VMIDS_ENDPOINTS list live backends (including The Order via 10210). Re-open this step only if VMIDs or IPs change.

 ---

--- a/docs/04-configuration/SANKOFA_THE_ORDER_CHECKLIST.md
+++ b/docs/04-configuration/SANKOFA_THE_ORDER_CHECKLIST.md
@@ -1,3 +1,23 @@
-# Sankofa and The Order deployment checklist
+# Sankofa and The Order — routing checklist

-Replace TBDs with real IPs and ports when deployed. Update ALL_VMIDS_ENDPOINTS, RPC_ENDPOINTS_MASTER. Add NPMplus proxy for the-order.sankofa.nexus when The Order is live. When done update PLACEHOLDERS_AND_TBD and REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS. See NOT_IMPLEMENTED_FULL_SCOPE in docs/00-meta.
+**Canonical:** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) (NPM targets), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md) (Sankofa table).
+
+## Done (production)
+
+- [x] NPMplus **the-order.sankofa.nexus** / **www.the-order.sankofa.nexus** → **192.168.11.39:80** (VMID **10210** order-haproxy), HAProxy → **192.168.11.51:3000** (portal 7801).
+- [x] **www.the-order** → **301** `https://the-order.sankofa.nexus` (NPM `advanced_config`).
+- [x] HAProxy on 10210: `config/haproxy/order-haproxy-10210.cfg.template`, deploy `scripts/deployment/provision-order-haproxy-10210.sh`.
+
+## If 10210 is down (bypass)
+
+```bash
+THE_ORDER_UPSTREAM_IP=192.168.11.51 THE_ORDER_UPSTREAM_PORT=3000 \
+  bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
+```
+
+## Ongoing
+
+- [ ] Keep **the_order** app and portal 7801 healthy (HAProxy only forwards).
+- [ ] Re-run E2E: `scripts/verify/verify-end-to-end-routing.sh --profile=public`.
+
+Related: [SANKOFA_CUTOVER_PLAN.md](SANKOFA_CUTOVER_PLAN.md) (history + same targets).
--- a/docs/05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md
+++ b/docs/05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md
@@ -1,6 +1,6 @@
 # E2E Success Runbook: Cloudflare Domains

-**Last Updated:** 2026-02-05  
+**Last Updated:** 2026-03-27  
 **Status:** Active  
 **Purpose:** Achieve and verify complete end-to-end success for all public endpoints reachable via Cloudflare DNS (and optionally Fastly). All domains must pass DNS, SSL, and HTTP/RPC/WebSocket tests.

@@ -38,7 +38,7 @@ The verification script covers all public domains that require access from Cloud
 | mim4u.org, www, secure, training | web | 192.168.11.37:80 |
 | sankofa.nexus, www | web | 192.168.11.51:3000 |
 | phoenix.sankofa.nexus, www | web | 192.168.11.50:4000 |
-| the-order.sankofa.nexus | web | TBD |
+| the-order.sankofa.nexus, www.the-order.sankofa.nexus | web | NPM → `192.168.11.39:80` (10210 HAProxy → `192.168.11.51:3000`); www → 301 apex |
 | studio.sankofa.nexus | web | 192.168.11.72:8000 |
 | rpc.public-0138.defi-oracle.io | rpc-http | 192.168.11.240:443 |
 | rpc.defi-oracle.io | rpc-http | 192.168.11.221:8545 |