From d8b0dd0115f3de0a71633e0f60ace12b2febfd2c Mon Sep 17 00:00:00 2001
From: defiQUG
Date: Mon, 13 Apr 2026 21:43:42 -0700
Subject: [PATCH] Add Solace portal container scaffold and entity tracker

---
 ...TITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md | 144 ++++++++++++++++++
 solace-bank-group-portal/.dockerignore | 3 +
 solace-bank-group-portal/Dockerfile | 6 +
 solace-bank-group-portal/README.md | 11 ++
 solace-bank-group-portal/nginx.conf.example | 13 ++
 5 files changed, 177 insertions(+)
 create mode 100644 docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md
 create mode 100644 solace-bank-group-portal/.dockerignore
 create mode 100644 solace-bank-group-portal/Dockerfile
 create mode 100644 solace-bank-group-portal/nginx.conf.example

diff --git a/docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md b/docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md
new file mode 100644
index 00000000..4698db74
--- /dev/null
+++ b/docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md
@@ -0,0 +1,144 @@ +# Entity institutions — web and portal completion tracker + +**Purpose:** Single checklist for **Aseret Mortgage Bank**, **TAJ Private Single Family Trust**, and **Solace Bank Group PLC** public sites and client portals, plus cross-cutting items. Update this file as work completes. + +**Legend:** `[x]` done in repo or scaffolded · `[ ]` requires stakeholder, secrets, or production LAN · `N/A` not applicable + +--- + +## 0. Governance and scope + +- [ ] Canonical legal names recorded (TAJ: trust vs OMNL “TAJ Private Single Family Office”) +- [ ] Tenancy model chosen (dedicated FQDNs + IdP vs shared Sankofa portal + entitlements) +- [ ] Definition of done per surface (marketing, portal, admin, APIs, DR) + +--- + +## 1. Aseret Mortgage Bank (`~/projects/Aseret_Bank`) + +### Product and UX + +- [ ] Public IA (products, disclosures, contact, privacy, terms) +- [ ] Authenticated portal MVP flows signed off +- [ ] CFL / lending compliance copy and consent UX (legal review) + +### Application + +- [x] Full-stack codebase present (`frontend/`, `backend/`, Prisma, Docker Compose) +- [ ] Frontend production hardening (env config, a11y/SEO baseline) +- [ ] Backend hardening (rate limits, structured logging, health checks, OpenAPI parity) +- [ ] Database migrations + backup/restore runbook +- [ ] Tokenization / contracts (if in scope): audit + key management + +### Infrastructure + +- [ ] Target host provisioned (LXC/VM or cloud) +- [ ] DNS + TLS + WAF / rate limits +- [ ] SMTP / notifications + +### Integration + +- [ ] OMNL / Fineract office 5 mapping (if required): APIs, idempotency, reconciliation +- [ ] Chain 138 / RPC env (if required): per canonical address docs + +### Verification + +- [ ] E2E smoke (auth + loan happy path) +- [ ] Security review checklist +- [ ] Load or backup drill + +--- + +## 2. 
TAJ (`~/projects/TAJ_PSFO`) + +### Repository + +- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`) +- [ ] Replace draft copy with approved marketing and portal modules +- [ ] CI (lint, build) on default branch + +### Product and engineering + +- [ ] Legal / regulatory pages +- [ ] OIDC (Keycloak or equivalent) for `/portal` +- [ ] Confidentiality controls (encryption, audit log requirements) + +### Infrastructure + +- [ ] Dedicated FQDN + TLS + monitoring +- [ ] OMNL office 4 alignment (if ledger integration applies) + +### Verification + +- [ ] Access revocation and DR tested + +--- + +## 3. Solace Bank Group PLC + +### Repository (`~/projects/Solace_Bank_Group`) + +- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`) +- [ ] Corporate content and portal modules +- [ ] CI (lint, build) + +### Proxmox repo — related surfaces + +- [x] `solace-bank-group-portal/` — `Dockerfile` + `nginx.conf.example` for static deploy +- [ ] Decide: keep static portal vs redirect to `web/` vs embed in Phoenix +- [ ] `dbis_core` SolaceNet IRU: Turnstile, `TRUST_PROXY`, rate limits per `SANKOFA_MARKETPLACE_SURFACES.md` (verify in prod) + +### Infrastructure + +- [ ] NPM / Cloudflare (or standard edge) for chosen hostnames +- [ ] Upstream VMID or container IP documented in inventory docs + +### Verification + +- [ ] Public + authenticated smoke on production URLs +- [ ] Legal sign-off on IRU copy and data handling + +--- + +## 4. Cross-cutting (all entities) + +- [ ] Keycloak: realms/clients, MFA, session policy, admin separation +- [ ] Centralized logs and uptime checks per hostname +- [ ] Secrets in vault only; rotation runbooks +- [ ] Operator runbooks: deploy, rollback, cert renew +- [ ] Privacy, cookies, retention, incident response (as applicable) + +--- + +## 5. 
Monorepo (`~/projects/Aseret_Global`) + +- [ ] Submodule URLs and commits pinned to real `Aseret_Bank`, `TAJ_PSFO`, `Solace_Bank_Group` heads +- [ ] Root CI (optional) once submodules are wired + +--- + +## Consolidated runtime (optional) + +To host many non-chain frontends and one Phoenix API surface with fewer LXCs, see [SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md](../02-architecture/SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md), run `bash scripts/verify/check-sankofa-consolidated-nginx-examples.sh`, and `bash scripts/deployment/plan-sankofa-consolidated-hub-cutover.sh` for a read-only cutover checklist. + +### Shared Sankofa platform (this repo) + +- [x] Tier-1 Phoenix API hub installer (`scripts/deployment/install-sankofa-api-hub-nginx-on-pve.sh`) and LAN verifier (`scripts/verify/verify-sankofa-consolidated-hub-lan.sh`) +- [x] NPM fleet: `SANKOFA_NPM_PHOENIX_PORT` / `IP_SANKOFA_NPM_PHOENIX_API` for `phoenix.sankofa.nexus` in `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` +- [x] `get_host_for_vmid` explicit VMIDs **7800–7806** (Sankofa stack on r630-01) +- [x] `dbis_core`: configurable **`TRUST_PROXY_HOPS`** when `TRUST_PROXY=1` (see `dbis_core/.env.example`) +- [x] Cutover + rollback outline: [SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md](./SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md) +- [x] Production NPM `phoenix.sankofa.nexus` → hub `:8080` + WebSocket upgrades (fleet script); `TRUST_PROXY=1` on dbis API CTs **10150** / **10151** (`ensure-dbis-api-trust-proxy-on-ct.sh`) +- [x] WebSocket upgrade path (HTTP **101**) public + optional LAN hub: `bash scripts/verify/smoke-phoenix-graphql-wss-public.sh` (`PHOENIX_WSS_INCLUDE_LAN=1` with `load-project-env`) +- [x] graphql-ws payload smoke (`connection_ack`): `pnpm run verify:phoenix-graphql-ws-subscription`; CT **7800** removes unused `@fastify/websocket` via `ensure-sankofa-phoenix-graphql-ws-remove-fastify-websocket-7800.sh`; `websocket.ts` imports **logger** 
(`ensure-sankofa-phoenix-websocket-ts-import-logger-7800.sh`, avoids crash on disconnect); hub `/graphql-ws` proxy headers via `ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh`; hub **ExecReload** `ensure-sankofa-phoenix-api-hub-systemd-exec-reload-7800.sh`; **.env** LAN parity `ensure-sankofa-phoenix-api-env-lan-parity-7800.sh` (align **DB_HOST** / **KEYCLOAK_URL**; **DB_PASSWORD** / **DB_USER=sankofa** aligned with VMID **7803**; **`pnpm db:migrate:up`** via `ensure-sankofa-phoenix-api-db-migrate-up-7800.sh` for **audit_logs**); TLS terminate-at-edge patch `ensure-sankofa-phoenix-tls-config-terminate-at-edge-7800.sh` when using production without local certs; optional **nft** `:4000` guard: `ensure-sankofa-phoenix-7800-nft-dport-4000-guard.sh`
+- [x] Apollo **:4000** loopback-only on VMID **7800** (`HOST=127.0.0.1`, `ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh`); host-firewall alternative still documented in `plan-phoenix-apollo-port-4000-restrict-7800.sh`
+
+## Quick paths
+
+| Entity | Code root |
+|--------|-----------|
+| Aseret | `~/projects/Aseret_Bank` |
+| TAJ | `~/projects/TAJ_PSFO/web` |
+| Solace (Next) | `~/projects/Solace_Bank_Group/web` |
+| Solace (static program) | `proxmox/solace-bank-group-portal` |
+| SolaceNet (marketplace) | `proxmox/dbis_core` |
diff --git a/solace-bank-group-portal/.dockerignore b/solace-bank-group-portal/.dockerignore
new file mode 100644
index 00000000..d8bab601
--- /dev/null
+++ b/solace-bank-group-portal/.dockerignore
@@ -0,0 +1,3 @@
+Dockerfile
+.dockerignore
+README.md
diff --git a/solace-bank-group-portal/Dockerfile b/solace-bank-group-portal/Dockerfile
new file mode 100644
index 00000000..62057748
--- /dev/null
+++ b/solace-bank-group-portal/Dockerfile
@@ -0,0 +1,6 @@
+# Build: docker build -t solace-bank-group-portal:local .
+# Run: docker run --rm -p 8080:80 solace-bank-group-portal:local
+FROM nginx:1.27-alpine
+COPY nginx.conf.example /etc/nginx/conf.d/default.conf
+COPY index.html app.js styles.css /usr/share/nginx/html/
+EXPOSE 80
diff --git a/solace-bank-group-portal/README.md b/solace-bank-group-portal/README.md
index bca0936b..57a6ab7f 100644
--- a/solace-bank-group-portal/README.md
+++ b/solace-bank-group-portal/README.md
@@ -21,3 +21,14 @@ python3 -m http.server 8080 ``` Then open `http://localhost:8080`.
+
+## Container (nginx)
+
+From this directory:
+
+```bash
+docker build -t solace-bank-group-portal:local .
+docker run --rm -p 8080:80 solace-bank-group-portal:local
+```
+
+Then open `http://localhost:8080`. For Proxmox/LXC, point NPM upstream at the container LAN IP and port, or sync static files to an existing nginx CT per your fleet pattern.
diff --git a/solace-bank-group-portal/nginx.conf.example b/solace-bank-group-portal/nginx.conf.example
new file mode 100644
index 00000000..1dbaca2d
--- /dev/null
+++ b/solace-bank-group-portal/nginx.conf.example
@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    add_header X-Content-Type-Options nosniff;
+    add_header Referrer-Policy strict-origin-when-cross-origin;
+}
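Review bot: `FROM nginx:1.27-alpine` on line 3 pins only a floating tag, so every rebuild pulls whatever that tag currently resolves to and the image is not reproducible or auditable after the fact; pin the base by digest as well, `FROM nginx:1.27-alpine@sha256:<DIGEST-PLACEHOLDER>`, and bump the digest deliberately when updating. The `COPY index.html app.js styles.css` on line 5 depends on files that are not part of this commit, so the build fails unless they already sit next to the Dockerfile (the README's `python3 -m http.server` preview suggests they do); a comment such as `# Requires index.html, app.js and styles.css in this directory (not built here)` would state that precondition for the next operator. The stock image runs the master process as root and listens on 80, which is acceptable behind NPM but worth noting in the header comment if the fleet policy prefers unprivileged containers.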
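Review bot: The two `add_header` directives on lines 11–12 reach responses only because `location /` declares no `add_header` of its own; nginx inherits `add_header` from the enclosing level solely when the current level has none, so a later header added inside `location /` would silently drop `X-Content-Type-Options` and `Referrer-Policy`. A comment above them, `# add_header is not merged across levels: repeat these in any location that adds its own header`, would prevent that regression. Since `add_header` without `always` is emitted only on 2xx/3xx responses, consider `add_header X-Content-Type-Options nosniff always;` if error pages should carry the same policy, and `server_tokens off;` in the server block to keep the nginx version out of the Server header and built-in error pages.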