feat(e2e): add SSO, docs.d-bis, blockscout.defi-oracle to routing verifier

- DOMAIN_TYPES_ALL: keycloak/admin/portal/dash, docs.d-bis.org, blockscout.defi-oracle.io (web) - E2E_OPTIONAL_WHEN_FAIL: same set for soft failures off-LAN - Optional Blockscout /api/v2/stats for blockscout.defi-oracle.io - print-gitea-actions-urls.sh: browser URLs (Actions API not relied on) - E2E_ENDPOINTS_LIST + FQDN inventory alignment updated Made-with: Cursor
2026-03-28 17:29:50 -07:00
parent 7245e3e9d4
commit 7e546ec9e3
4 changed files with 47 additions and 7 deletions
--- a/docs/04-configuration/E2E_ENDPOINTS_LIST.md
+++ b/docs/04-configuration/E2E_ENDPOINTS_LIST.md
@@ -4,7 +4,8 @@
 **List from CLI (public):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=public`  
 **List from CLI (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=private`  
 **Run E2E (public profile recommended):** `./scripts/verify/verify-end-to-end-routing.sh --profile=public` (from LAN with DNS or use `E2E_USE_SYSTEM_RESOLVER=1` and `/etc/hosts` per [E2E_DNS_FROM_LAN_RUNBOOK.md](E2E_DNS_FROM_LAN_RUNBOOK.md)).  
-**Run E2E (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --profile=private`.
+**Run E2E (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --profile=private`.  
+**Gitea Actions (umbrella / cc-*):** no stable unauthenticated REST for all Gitea versions — print UI URLs with `./scripts/verify/print-gitea-actions-urls.sh` and confirm jobs in the browser after push.

 **What each hostname should present (operator narrative):** [FQDN_EXPECTED_CONTENT.md](FQDN_EXPECTED_CONTENT.md).

@@ -38,6 +39,12 @@
 | the-order.sankofa.nexus | web | https://the-order.sankofa.nexus | OSJ management portal (secure auth); app **the_order** at `~/projects/the_order`. NPM upstream default: **order-haproxy** VMID **10210** `http://192.168.11.39:80` → portal **192.168.11.51:3000** (`provision-order-haproxy-10210.sh`). Override with `THE_ORDER_UPSTREAM_*` for direct portal if 10210 is down. |
 | www.the-order.sankofa.nexus | web | https://www.the-order.sankofa.nexus | **301** to `https://the-order.sankofa.nexus` (canonical apex; NPM `advanced_config`). |
 | studio.sankofa.nexus | web | https://studio.sankofa.nexus | Sankofa Studio (FusionAI Creator) at VMID 7805. |
+| keycloak.sankofa.nexus | web | https://keycloak.sankofa.nexus | Keycloak IdP (VMID 7802); client SSO for admin/portal. |
+| admin.sankofa.nexus | web | https://admin.sankofa.nexus | Client SSO: access administration (hostname intent; NPM upstream TBD). |
+| portal.sankofa.nexus | web | https://portal.sankofa.nexus | Client SSO: portal / marketplace (typical upstream VMID 7801). |
+| dash.sankofa.nexus | web | https://dash.sankofa.nexus | Operator systems dashboard (IP allowlist + MFA intent; upstream TBD). |
+| docs.d-bis.org | web | https://docs.d-bis.org | Docs on explorer nginx where configured. |
+| blockscout.defi-oracle.io | web | https://blockscout.defi-oracle.io | Generic Blockscout hostname (often VMID 5000); not canonical Chain 138 **explorer.d-bis.org**. |
 | cacti-alltra.d-bis.org | web | https://cacti-alltra.d-bis.org | Cacti monitoring UI for Alltra. |
 | cacti-hybx.d-bis.org | web | https://cacti-hybx.d-bis.org | Cacti monitoring UI for HYBX. |
 | mifos.d-bis.org | web | https://mifos.d-bis.org | Mifos X / Fineract banking and microfinance platform (VMID 5800). |
@@ -85,6 +92,12 @@
 | the-order.sankofa.nexus | https://the-order.sankofa.nexus |
 | www.the-order.sankofa.nexus | https://www.the-order.sankofa.nexus |
 | studio.sankofa.nexus | https://studio.sankofa.nexus |
+| keycloak.sankofa.nexus | https://keycloak.sankofa.nexus |
+| admin.sankofa.nexus | https://admin.sankofa.nexus |
+| portal.sankofa.nexus | https://portal.sankofa.nexus |
+| dash.sankofa.nexus | https://dash.sankofa.nexus |
+| docs.d-bis.org | https://docs.d-bis.org |
+| blockscout.defi-oracle.io | https://blockscout.defi-oracle.io |
 | cacti-alltra.d-bis.org | https://cacti-alltra.d-bis.org |
 | cacti-hybx.d-bis.org | https://cacti-hybx.d-bis.org |
 | mifos.d-bis.org | https://mifos.d-bis.org |
@@ -169,6 +182,8 @@ When running from outside LAN or when backends are down, the following endpoints
 | studio.sankofa.nexus | Historically 404 when the proxy misses `/studio/` or backend `192.168.11.72:8000`; verifier checks `/studio/`. Passed on 2026-03-26 after the NPMplus host update |
 | phoenix.sankofa.nexus, www.phoenix.sankofa.nexus | (Resolved in verifier) Phoenix API (7800) is API-first; `verify-end-to-end-routing.sh` checks `https://…/health` (200), not `/`. A separate **marketing** site on the apex hostname (if desired) needs another upstream or app routes—NPM still points `phoenix.sankofa.nexus` at the Fastify API today. |
 | the-order.sankofa.nexus | 502 if **10210** HAProxy or backend portal is down. NPM defaults upstream to **192.168.11.39:80** (order-haproxy). Fallback: `THE_ORDER_UPSTREAM_IP` / `THE_ORDER_UPSTREAM_PORT` = portal **192.168.11.51:3000** |
+| keycloak.sankofa.nexus, admin.sankofa.nexus, portal.sankofa.nexus, dash.sankofa.nexus | DNS/SSL/HTTPS **warn** or **skip** when NPM or backends are unwired; listed in `E2E_OPTIONAL_WHEN_FAIL` so the public profile still exits **0**. |
+| docs.d-bis.org, blockscout.defi-oracle.io | Same optional-when-fail behavior; **blockscout.defi-oracle.io** also runs optional `/api/v2/stats` like **explorer.d-bis.org**. |

 **Verifier behavior (2026-03):** `openssl s_client` is wrapped with `timeout` (`E2E_OPENSSL_TIMEOUT` default 15s, `E2E_OPENSSL_X509_TIMEOUT` default 5s) so `--profile=private` / `--profile=all` cannot hang. **`--profile=all`** merges private and public `E2E_OPTIONAL_WHEN_FAIL` lists for temporary regressions. Install **`wscat`** (`npm install -g wscat`) for full WSS JSON-RPC checks; the script uses `wscat -n` to match `curl -k`, and now treats a clean `wscat` exit as a successful full WebSocket check even when the tool prints no JSON output.

--- a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
+++ b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
@@ -126,4 +126,4 @@

 ---

-**Inventory alignment:** Public hostnames above follow `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` plus `keycloak.sankofa.nexus`, `docs.d-bis.org`, `blockscout.defi-oracle.io`, and xom-dev hosts. **`portal.sankofa.nexus`** is expected to terminate on **VMID 7801** when NPM is configured (see **Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) and NPM. **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (parallel Blockscout-class UI, not **`explorer.d-bis.org`** product branding). Extend `verify-end-to-end-routing.sh` when new proxy rows are production-required.
+**Inventory alignment:** `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` includes **`keycloak.sankofa.nexus`**, **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, **`dash.sankofa.nexus`**, **`docs.d-bis.org`**, and **`blockscout.defi-oracle.io`** (see [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md); `--list-endpoints --profile=public`). They are in **`E2E_OPTIONAL_WHEN_FAIL`** so unwired NPM or off-LAN runs still exit **0**. **`portal.sankofa.nexus`** is expected on **VMID 7801** when NPM is configured ( **Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (not **`explorer.d-bis.org`** branding). **xom-dev** hostnames are not in the E2E list yet—add when NPM routes are stable.
--- a/scripts/verify/print-gitea-actions-urls.sh
+++ b/scripts/verify/print-gitea-actions-urls.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Print Gitea Actions UI URLs (no token). Use after pushing complete-credential / cc-* repos.
+# Gitea REST "actions runs" APIs vary by version; the web UI is the reliable check.
+set -euo pipefail
+GITEA_URL="${GITEA_URL:-https://gitea.d-bis.org}"
+ORG="${GITEA_ORG:-DBIS}"
+REPOS=(
+  complete-credential
+  cc-shared-authz
+  cc-audit-ledger
+  cc-eidas-connector
+)
+echo "Open in browser (Actions tab):"
+for r in "${REPOS[@]}"; do
+  echo "  ${GITEA_URL}/${ORG}/${r}/actions"
+done
--- a/scripts/verify/verify-end-to-end-routing.sh
+++ b/scripts/verify/verify-end-to-end-routing.sh
@@ -83,6 +83,14 @@ declare -A DOMAIN_TYPES_ALL=(
    ["the-order.sankofa.nexus"]="web"   # OSJ portal (secure auth); app: ~/projects/the_order
    ["www.the-order.sankofa.nexus"]="web"   # 301 → https://the-order.sankofa.nexus
    ["studio.sankofa.nexus"]="web"
+    # Client SSO / IdP / operator dash (FQDN_EXPECTED_CONTENT + EXPECTED_WEB_CONTENT Deployment Status)
+    ["keycloak.sankofa.nexus"]="web"
+    ["admin.sankofa.nexus"]="web"
+    ["portal.sankofa.nexus"]="web"
+    ["dash.sankofa.nexus"]="web"
+    # d-bis.org docs on explorer nginx where configured; generic Blockscout hostname (VMID 5000 when proxied)
+    ["docs.d-bis.org"]="web"
+    ["blockscout.defi-oracle.io"]="web"
    ["rpc.public-0138.defi-oracle.io"]="rpc-http"
    ["rpc.defi-oracle.io"]="rpc-http"
    ["wss.defi-oracle.io"]="rpc-ws"
@@ -166,7 +174,7 @@ else
 fi

 # Domains that are optional when any test fails (off-LAN, 502, unreachable); fail → skip so run passes.
-_PUB_OPTIONAL_WHEN_FAIL="dapp.d-bis.org mifos.d-bis.org explorer.d-bis.org dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org secure.d-bis.org sankofa.nexus www.sankofa.nexus phoenix.sankofa.nexus www.phoenix.sankofa.nexus the-order.sankofa.nexus www.the-order.sankofa.nexus studio.sankofa.nexus mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org rpc-http-pub.d-bis.org rpc.d-bis.org rpc2.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io ws.rpc.d-bis.org ws.rpc2.d-bis.org"
+_PUB_OPTIONAL_WHEN_FAIL="dapp.d-bis.org mifos.d-bis.org explorer.d-bis.org dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org secure.d-bis.org sankofa.nexus www.sankofa.nexus phoenix.sankofa.nexus www.phoenix.sankofa.nexus the-order.sankofa.nexus www.the-order.sankofa.nexus studio.sankofa.nexus keycloak.sankofa.nexus admin.sankofa.nexus portal.sankofa.nexus dash.sankofa.nexus docs.d-bis.org blockscout.defi-oracle.io mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org rpc-http-pub.d-bis.org rpc.d-bis.org rpc2.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io ws.rpc.d-bis.org ws.rpc2.d-bis.org"
 _PRIV_OPTIONAL_WHEN_FAIL="rpc-http-prv.d-bis.org rpc-ws-prv.d-bis.org rpc-fireblocks.d-bis.org ws.rpc-fireblocks.d-bis.org"
 if [[ -z "${E2E_OPTIONAL_WHEN_FAIL:-}" ]]; then
    if [[ "$PROFILE" == "private" ]]; then
@@ -410,15 +418,16 @@ test_domain() {
            result=$(echo "$result" | jq --arg time "$time_total" '.tests.https = {"status": "fail", "response_time_seconds": ($time | tonumber)}')
        fi
        # Optional: Blockscout API check for explorer.d-bis.org (does not affect E2E pass/fail)
-        if [ "$domain" = "explorer.d-bis.org" ] && [ "${SKIP_BLOCKSCOUT_API:-0}" != "1" ]; then
+        if { [ "$domain" = "explorer.d-bis.org" ] || [ "$domain" = "blockscout.defi-oracle.io" ]; } && [ "${SKIP_BLOCKSCOUT_API:-0}" != "1" ]; then
            log_info "Test 3b: Blockscout API (optional)"
-            api_body_file="$OUTPUT_DIR/explorer_d-bis_org_blockscout_api.txt"
+            api_safe="${domain//./_}"
+            api_body_file="$OUTPUT_DIR/${api_safe}_blockscout_api.txt"
            api_code=$(curl -s -o "$api_body_file" -w "%{http_code}" -k --connect-timeout 10 "https://$domain/api/v2/stats" 2>/dev/null || echo "000")
            if [ "$api_code" = "200" ] && [ -s "$api_body_file" ] && (grep -qE '"total_blocks"|"total_transactions"' "$api_body_file" 2>/dev/null); then
-                log_success "Blockscout API: /api/v2/stats returned 200 with stats"
+                log_success "Blockscout API: $domain /api/v2/stats returned 200 with stats"
                result=$(echo "$result" | jq '.tests.blockscout_api = {"status": "pass", "http_code": 200}')
            else
-                log_warn "Blockscout API: HTTP $api_code or invalid response (optional; run from LAN if backend unreachable)"
+                log_warn "Blockscout API: $domain HTTP $api_code or invalid response (optional; run from LAN if backend unreachable)"
                result=$(echo "$result" | jq --arg code "$api_code" '.tests.blockscout_api = {"status": "skip", "http_code": $code}')
            fi
        fi