Add Sankofa consolidated hub operator tooling
@@ -58,6 +58,8 @@ Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus,
|
||||
| Sankofa portal → CT 7801 (build + restart) | `./scripts/deployment/sync-sankofa-portal-7801.sh` (`--dry-run` first); default `NEXTAUTH_URL=https://portal.sankofa.nexus` via `sankofa-portal-ensure-nextauth-on-ct.sh`; IT `/it` env: `sankofa-portal-merge-it-read-api-env-from-repo.sh` (`IT_READ_API_URL` in repo `.env`) |
|
||||
| Portal Keycloak OIDC secret on CT 7801 | After client exists: `./scripts/deployment/sankofa-portal-merge-keycloak-env-from-repo.sh` (needs `KEYCLOAK_CLIENT_SECRET` in repo `.env`; base64-safe over SSH) |
|
||||
| Sankofa corporate web → CT 7806 | Provision: `./scripts/deployment/provision-sankofa-public-web-lxc-7806.sh`. Sync: `./scripts/deployment/sync-sankofa-public-web-to-ct.sh`. systemd: `config/systemd/sankofa-public-web.service`. Set `IP_SANKOFA_PUBLIC_WEB` in `.env`, then `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` |
|
||||
| **Non-chain ecosystem** (hyperscaler-style: edge / API hub / IdP / data cells; **not** chain CTs) | `docs/02-architecture/NON_CHAIN_ECOSYSTEM_HYPERSCALER_STYLE_MODEL.md` — gap review: `docs/02-architecture/NON_CHAIN_ECOSYSTEM_PLAN_REVIEW_AND_GAPS.md` |
|
||||
| Sankofa / Phoenix **consolidated hub** (optional — fewer non-chain LXCs) | `docs/02-architecture/SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md` — `docs/03-deployment/SANKOFA_R630_01_CONSOLIDATION_AND_HUB_PLACEMENT_GOAL.md` (offload r630-01: consolidate + **place** hubs on quieter nodes); `docs/03-deployment/SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md` (NPM → `:8080`, `TRUST_PROXY`, rollback); `bash scripts/verify/check-sankofa-consolidated-nginx-examples.sh`; `bash scripts/verify/verify-sankofa-consolidated-hub-lan.sh`; `bash scripts/verify/smoke-phoenix-api-hub-lan.sh` (hub **:8080**); `pnpm run verify:phoenix-graphql-wss` or `PHOENIX_WSS_INCLUDE_LAN=1 bash scripts/verify/smoke-phoenix-graphql-wss-public.sh` (HTTP **101** WS upgrade); `pnpm run verify:phoenix-graphql-ws-subscription` (**connection_ack**); `bash scripts/deployment/ensure-sankofa-phoenix-graphql-ws-remove-fastify-websocket-7800.sh` (fix RSV1 / competing upgrade listener); `bash scripts/deployment/ensure-sankofa-phoenix-websocket-ts-import-logger-7800.sh` (**logger** import in `websocket.ts` — avoids **crash on WS disconnect**); `bash scripts/deployment/ensure-sankofa-phoenix-7800-nft-dport-4000-guard.sh` (optional **nft** reject :4000 from non-loopback); `bash scripts/deployment/ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh` (hub `/graphql-ws` **Accept-Encoding** / **proxy_buffering**); `bash scripts/deployment/ensure-sankofa-phoenix-api-hub-systemd-exec-reload-7800.sh` (hub **ExecReload**); `bash scripts/deployment/ensure-sankofa-phoenix-api-env-lan-parity-7800.sh` (**.env** Keycloak + Postgres LAN + `NODE_ENV` policy); `bash scripts/deployment/ensure-sankofa-phoenix-api-db-migrate-up-7800.sh` (**pnpm db:migrate:up** on **7800**); `bash scripts/deployment/ensure-sankofa-phoenix-tls-config-terminate-at-edge-7800.sh` (production **HTTP** behind NPM); `bash scripts/deployment/plan-phoenix-apollo-port-4000-restrict-7800.sh` (`--ssh`); **Apollo loopback:** 
`PROXMOX_OPS_APPLY=1` `PROXMOX_OPS_ALLOWED_VMIDS=7800` `bash scripts/deployment/ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh --apply --vmid 7800`; `bash scripts/deployment/plan-sankofa-consolidated-hub-cutover.sh`; **API hub on CT:** `bash scripts/deployment/install-sankofa-api-hub-nginx-on-pve.sh --dry-run --vmid 7800` (live: `PROXMOX_OPS_APPLY=1` `PROXMOX_OPS_ALLOWED_VMIDS=7800` `--apply --vmid 7800`); **dbis API `TRUST_PROXY`:** `PROXMOX_OPS_APPLY=1` `PROXMOX_OPS_ALLOWED_VMIDS=10150` `bash scripts/deployment/ensure-dbis-api-trust-proxy-on-ct.sh --apply --vmid 10150` (repeat **10151**); NPM fleet: `SANKOFA_NPM_PHOENIX_PORT=8080` + `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` (Phoenix rows use **WebSocket: true**); `.env` hub overrides optional |
|
||||
| CCIP relay (r630-01 host) | WETH lane: `config/systemd/ccip-relay.service`. Mainnet cW lane: `config/systemd/ccip-relay-mainnet-cw.service` (health `http://192.168.11.11:9863/healthz`). Public edge: set `CCIP_RELAY_MAINNET_CW_PUBLIC_HOST`, run `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`, relay-only `scripts/nginx-proxy-manager/upsert-ccip-relay-mainnet-cw-proxy-host.sh`, or SSH hop `scripts/nginx-proxy-manager/upsert-ccip-relay-mainnet-cw-via-ssh.sh`; DNS `scripts/cloudflare/configure-relay-mainnet-cw-dns.sh`. Use `NPM_URL=https://…:81` for API scripts (HTTP on :81 301s to HTTPS). |
|
||||
| XDC Zero + Chain 138 (parallel to CCIP) | `bash scripts/xdc-zero/run-xdc-zero-138-operator-sequence.sh` · `docs/03-deployment/CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK.md` · `CHAIN138_XDC_ZERO_DEPLOYMENT_TROUBLESHOOTING.md` · `config/xdc-zero/` · `scripts/xdc-zero/` · systemd `node dist/server.js` template — **XDC mainnet RPC:** `https://rpc.xinfin.network` (chain id 50; more endpoints: [chainid.network/chain/50](https://chainid.network/chain/50/)); **Chain 138 side:** Core `http://192.168.11.211:8545` is operator-only, relayer/services use `https://rpc-http-pub.d-bis.org` |
|
||||
| OP Stack Standard Rollup (Ethereum mainnet, Superchain) | `docs/03-deployment/OP_STACK_STANDARD_ROLLUP_SUPERCHAIN_RUNBOOK.md` · optional L2↔Besu notes `docs/03-deployment/OP_STACK_L2_AND_BESU138_BRIDGE_NOTES.md` · `config/op-stack-superchain/` · `scripts/op-stack/` (e.g. `fetch-standard-mainnet-toml.sh`, checklist scripts) · `config/systemd/op-stack-*.example.service` — **distinct L2 chain ID from Besu 138**; follow [Optimism superchain-registry](https://github.com/ethereum-optimism/superchain-registry) for listing |
|
||||
|
||||
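Review bot: The consolidated hub row puts read-only checks (`scripts/verify/...`) and state-changing commands (`PROXMOX_OPS_APPLY=1 ... --apply --vmid 7800`) in one semicolon-separated cell with no ordering, so an operator cannot tell which commands are safe to run at any time and which change a live CT. Only `install-sankofa-api-hub-nginx-on-pve.sh` is shown with `--dry-run`; if `ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh` and `ensure-dbis-api-trust-proxy-on-ct.sh` also support it, say so here, and if they do not, note that. The row also lists three separate controls for port 4000 (the nft guard marked optional, `plan-phoenix-apollo-port-4000-restrict-7800.sh`, and the Apollo loopback bind) without stating which of them is expected to be in place before NPM is pointed at `:8080`. Consider keeping this row to the two architecture/runbook links plus the verify commands, and moving the ordered apply steps into `SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md`, which the row already references for rollback.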