Add Solace portal container scaffold and entity tracker

2026-04-13 21:43:42 -07:00
parent ee1625a79b
commit d8b0dd0115
5 changed files with 177 additions and 0 deletions
--- a/docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md
+++ b/docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md
@@ -0,0 +1,144 @@
+# Entity institutions — web and portal completion tracker
+
+**Purpose:** Single checklist for **Aseret Mortgage Bank**, **TAJ Private Single Family Trust**, and **Solace Bank Group PLC** public sites and client portals, plus cross-cutting items. Update this file as work completes.
+
+**Legend:** `[x]` done in repo or scaffolded · `[ ]` requires stakeholder, secrets, or production LAN · `N/A` not applicable
+
+---
+
+## 0. Governance and scope
+
+- [ ] Canonical legal names recorded (TAJ: trust vs OMNL “TAJ Private Single Family Office”)
+- [ ] Tenancy model chosen (dedicated FQDNs + IdP vs shared Sankofa portal + entitlements)
+- [ ] Definition of done per surface (marketing, portal, admin, APIs, DR)
+
+---
+
+## 1. Aseret Mortgage Bank (`~/projects/Aseret_Bank`)
+
+### Product and UX
+
+- [ ] Public IA (products, disclosures, contact, privacy, terms)
+- [ ] Authenticated portal MVP flows signed off
+- [ ] CFL / lending compliance copy and consent UX (legal review)
+
+### Application
+
+- [x] Full-stack codebase present (`frontend/`, `backend/`, Prisma, Docker Compose)
+- [ ] Frontend production hardening (env config, a11y/SEO baseline)
+- [ ] Backend hardening (rate limits, structured logging, health checks, OpenAPI parity)
+- [ ] Database migrations + backup/restore runbook
+- [ ] Tokenization / contracts (if in scope): audit + key management
+
+### Infrastructure
+
+- [ ] Target host provisioned (LXC/VM or cloud)
+- [ ] DNS + TLS + WAF / rate limits
+- [ ] SMTP / notifications
+
+### Integration
+
+- [ ] OMNL / Fineract office 5 mapping (if required): APIs, idempotency, reconciliation
+- [ ] Chain 138 / RPC env (if required): per canonical address docs
+
+### Verification
+
+- [ ] E2E smoke (auth + loan happy path)
+- [ ] Security review checklist
+- [ ] Load or backup drill
+
+---
+
+## 2. TAJ (`~/projects/TAJ_PSFO`)
+
+### Repository
+
+- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`)
+- [ ] Replace draft copy with approved marketing and portal modules
+- [ ] CI (lint, build) on default branch
+
+### Product and engineering
+
+- [ ] Legal / regulatory pages
+- [ ] OIDC (Keycloak or equivalent) for `/portal`
+- [ ] Confidentiality controls (encryption, audit log requirements)
+
+### Infrastructure
+
+- [ ] Dedicated FQDN + TLS + monitoring
+- [ ] OMNL office 4 alignment (if ledger integration applies)
+
+### Verification
+
+- [ ] Access revocation and DR tested
+
+---
+
+## 3. Solace Bank Group PLC
+
+### Repository (`~/projects/Solace_Bank_Group`)
+
+- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`)
+- [ ] Corporate content and portal modules
+- [ ] CI (lint, build)
+
+### Proxmox repo — related surfaces
+
+- [x] `solace-bank-group-portal/` — `Dockerfile` + `nginx.conf.example` for static deploy
+- [ ] Decide: keep static portal vs redirect to `web/` vs embed in Phoenix
+- [ ] `dbis_core` SolaceNet IRU: Turnstile, `TRUST_PROXY`, rate limits per `SANKOFA_MARKETPLACE_SURFACES.md` (verify in prod)
+
+### Infrastructure
+
+- [ ] NPM / Cloudflare (or standard edge) for chosen hostnames
+- [ ] Upstream VMID or container IP documented in inventory docs
+
+### Verification
+
+- [ ] Public + authenticated smoke on production URLs
+- [ ] Legal sign-off on IRU copy and data handling
+
+---
+
+## 4. Cross-cutting (all entities)
+
+- [ ] Keycloak: realms/clients, MFA, session policy, admin separation
+- [ ] Centralized logs and uptime checks per hostname
+- [ ] Secrets in vault only; rotation runbooks
+- [ ] Operator runbooks: deploy, rollback, cert renew
+- [ ] Privacy, cookies, retention, incident response (as applicable)
+
+---
+
+## 5. Monorepo (`~/projects/Aseret_Global`)
+
+- [ ] Submodule URLs and commits pinned to real `Aseret_Bank`, `TAJ_PSFO`, `Solace_Bank_Group` heads
+- [ ] Root CI (optional) once submodules are wired
+
+---
+
+## Consolidated runtime (optional)
+
+To host many non-chain frontends and one Phoenix API surface with fewer LXCs, see [SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md](../02-architecture/SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md), run `bash scripts/verify/check-sankofa-consolidated-nginx-examples.sh`, and `bash scripts/deployment/plan-sankofa-consolidated-hub-cutover.sh` for a read-only cutover checklist.
+
+### Shared Sankofa platform (this repo)
+
+- [x] Tier-1 Phoenix API hub installer (`scripts/deployment/install-sankofa-api-hub-nginx-on-pve.sh`) and LAN verifier (`scripts/verify/verify-sankofa-consolidated-hub-lan.sh`)
+- [x] NPM fleet: `SANKOFA_NPM_PHOENIX_PORT` / `IP_SANKOFA_NPM_PHOENIX_API` for `phoenix.sankofa.nexus` in `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`
+- [x] `get_host_for_vmid` explicit VMIDs **7800–7806** (Sankofa stack on r630-01)
+- [x] `dbis_core`: configurable **`TRUST_PROXY_HOPS`** when `TRUST_PROXY=1` (see `dbis_core/.env.example`)
+- [x] Cutover + rollback outline: [SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md](./SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md)
+- [x] Production NPM `phoenix.sankofa.nexus` → hub `:8080` + WebSocket upgrades (fleet script); `TRUST_PROXY=1` on dbis API CTs **10150** / **10151** (`ensure-dbis-api-trust-proxy-on-ct.sh`)
+- [x] WebSocket upgrade path (HTTP **101**) public + optional LAN hub: `bash scripts/verify/smoke-phoenix-graphql-wss-public.sh` (`PHOENIX_WSS_INCLUDE_LAN=1` with `load-project-env`)
+- [x] graphql-ws payload smoke (`connection_ack`): `pnpm run verify:phoenix-graphql-ws-subscription`; CT **7800** removes unused `@fastify/websocket` via `ensure-sankofa-phoenix-graphql-ws-remove-fastify-websocket-7800.sh`; `websocket.ts` imports **logger** (`ensure-sankofa-phoenix-websocket-ts-import-logger-7800.sh`, avoids crash on disconnect); hub `/graphql-ws` proxy headers via `ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh`; hub **ExecReload** `ensure-sankofa-phoenix-api-hub-systemd-exec-reload-7800.sh`; **.env** LAN parity `ensure-sankofa-phoenix-api-env-lan-parity-7800.sh` (align **DB_HOST** / **KEYCLOAK_URL**; **DB_PASSWORD** / **DB_USER=sankofa** aligned with VMID **7803**; **`pnpm db:migrate:up`** via `ensure-sankofa-phoenix-api-db-migrate-up-7800.sh` for **audit_logs**); TLS terminate-at-edge patch `ensure-sankofa-phoenix-tls-config-terminate-at-edge-7800.sh` when using production without local certs; optional **nft** `:4000` guard: `ensure-sankofa-phoenix-7800-nft-dport-4000-guard.sh`
+- [x] Apollo **:4000** loopback-only on VMID **7800** (`HOST=127.0.0.1`, `ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh`); host-firewall alternative still documented in `plan-phoenix-apollo-port-4000-restrict-7800.sh`
+
+## Quick paths
+
+| Entity | Code root |
+|--------|-----------|
+| Aseret | `~/projects/Aseret_Bank` |
+| TAJ | `~/projects/TAJ_PSFO/web` |
+| Solace (Next) | `~/projects/Solace_Bank_Group/web` |
+| Solace (static program) | `proxmox/solace-bank-group-portal` |
+| SolaceNet (marketplace) | `proxmox/dbis_core` |
--- a/solace-bank-group-portal/.dockerignore
+++ b/solace-bank-group-portal/.dockerignore
@@ -0,0 +1,3 @@
+Dockerfile
+.dockerignore
+README.md
--- a/solace-bank-group-portal/Dockerfile
+++ b/solace-bank-group-portal/Dockerfile
@@ -0,0 +1,6 @@
+# Build: docker build -t solace-bank-group-portal:local .
+# Run:  docker run --rm -p 8080:80 solace-bank-group-portal:local
+FROM nginx:1.27-alpine
+COPY nginx.conf.example /etc/nginx/conf.d/default.conf
+COPY index.html app.js styles.css /usr/share/nginx/html/
+EXPOSE 80
--- a/solace-bank-group-portal/README.md
+++ b/solace-bank-group-portal/README.md
@@ -21,3 +21,14 @@ python3 -m http.server 8080
 ```

 Then open `http://localhost:8080`.
+
+## Container (nginx)
+
+From this directory:
+
+```bash
+docker build -t solace-bank-group-portal:local .
+docker run --rm -p 8080:80 solace-bank-group-portal:local
+```
+
+Then open `http://localhost:8080`. For Proxmox/LXC, point NPM upstream at the container LAN IP and port, or sync static files to an existing nginx CT per your fleet pattern.
--- a/solace-bank-group-portal/nginx.conf.example
+++ b/solace-bank-group-portal/nginx.conf.example
@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    add_header X-Content-Type-Options nosniff;
+    add_header Referrer-Policy strict-origin-when-cross-origin;
+}