# DBIS institutional subdomains — inventory vs E2E

**Purpose:** Track planned `d-bis.org` portal hosts against [E2E_ENDPOINTS_LIST.md](./E2E_ENDPOINTS_LIST.md) and [verify-end-to-end-routing.sh](../../scripts/verify/verify-end-to-end-routing.sh).

## Canonical DBIS web surfaces (operator intent)

| URL | Role |
|-----|------|
| **https://d-bis.org** | **Public** web presence — sovereign / institutional portal (e.g. Gov Portals `DBIS` Next app behind NPM). |
| **https://admin.d-bis.org** | **Admin** console — DBIS operations staff. |
| **https://secure.d-bis.org** | **Member** secure portal — authenticated institution users. |
| **https://core.d-bis.org** | **DBIS Core** banking application — **client** portal for users of the core banking stack (`dbis_core` repo); NPM upstream when provisioned (often alongside API tier). |

**Legacy:** `https://dbis-admin.d-bis.org` may remain in DNS as an alias for the same upstream as `admin.d-bis.org` until names are consolidated.

## Already in E2E inventory

| Host | Type | Notes |
|------|------|--------|
| explorer.d-bis.org | web | Blockscout |
| docs.d-bis.org | web | Docs |
| gitea.d-bis.org | web | Source |
| dbis-api.d-bis.org | api | Core API |
| dbis-api-2.d-bis.org | api | Secondary |
| secure.d-bis.org | web | Member secure portal |
| admin.d-bis.org | web | Admin console (canonical) |
| dbis-admin.d-bis.org | web | Legacy admin hostname (optional alias) |
| core.d-bis.org | web | DBIS Core client portal (TBD upstream) |
| mifos.d-bis.org | web | Fineract |
| dapp.d-bis.org | web | DApp |
| dev.d-bis.org, codespaces.d-bis.org | web | Dev VM |
| RPC / Cacti / Alltra / HYBX | various | As listed in E2E |

## Added to verifier (optional-when-fail until DNS + upstream live)

| Host | Type | Intended upstream |
|------|------|-------------------|
| d-bis.org | web | Public portal (NPM → Next static/server) — same intent as canonical **d-bis.org** row above |
| www.d-bis.org | web | 301/308 → d-bis.org (if used) |
| members.d-bis.org | web | Member BFF + OIDC |
| developers.d-bis.org | web | Developer portal |
| data.d-bis.org | api | Data API service |
| research.d-bis.org | web | Research publications |
| policy.d-bis.org | web | Policy + manifests |
| ops.d-bis.org | web | Staff SSO |
| identity.d-bis.org | web | Trust + DID registry docs/API |
| status.d-bis.org | web | Status page |
| sandbox.d-bis.org | web | Sandbox console |
| interop.d-bis.org | web | Interop lab |

## NPMplus / Cloudflare operator steps (summary)

1. **DNS (Cloudflare):** `DNS_ZONE_ONLY=d-bis.org ./scripts/update-all-dns-to-public-ip.sh --zone-only=d-bis.org` (adds `@`, `www`, `admin`, `core`, plus existing RPC/DBIS rows — see `DBIS_RECORDS` in that script).  
2. **NPMplus upstreams:** `./scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` (from LAN with `NPM_PASSWORD` in `.env`) — creates/updates `d-bis.org`, `www.d-bis.org`, `admin.d-bis.org`, `core.d-bis.org`, `dbis-admin.d-bis.org`, `secure.d-bis.org`. Defaults: apex → **7804** `:3001`; admin/legacy admin/secure → **10130** `:80`; core → **10150** `:3000` (override via `IP_DBIS_*` in `config/ip-addresses.conf` or `.env`).  
3. **TLS:** `./scripts/request-npmplus-certificates.sh` (optional `CERT_DOMAINS_FILTER` to limit Let’s Encrypt requests).  
4. Run `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` (optional hosts tolerate failure until configured).  
5. Remove hosts from `E2E_OPTIONAL_WHEN_FAIL` only when SLO requires strict checks.

See [DBIS_WEB_AND_INSTITUTION_MASTER_BLUEPRINT.md](../02-architecture/DBIS_WEB_AND_INSTITUTION_MASTER_BLUEPRINT.md) for architecture context.

**Related:** [OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md](../03-deployment/OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md) — HYBX OMNL, DBIS Core, Chain 138 vaults, and external RTGS integration map.