# Entity institutions — web and portal completion tracker

**Purpose:** Single checklist for **Aseret Mortgage Bank**, **TAJ Private Single Family Trust**, and **Solace Bank Group PLC** public sites and client portals, plus cross-cutting items. Update this file as work completes.

**Legend:** `[x]` done in repo or scaffolded · `[ ]` requires stakeholder, secrets, or production LAN · `N/A` not applicable

---

## 0. Governance and scope

- [ ] Canonical legal names recorded (TAJ: trust vs OMNL “TAJ Private Single Family Office”)
- [ ] Tenancy model chosen (dedicated FQDNs + IdP vs shared Sankofa portal + entitlements)
- [ ] Definition of done per surface (marketing, portal, admin, APIs, DR)

---

## 1. Aseret Mortgage Bank (`~/projects/Aseret_Bank`)

### Product and UX

- [ ] Public IA (products, disclosures, contact, privacy, terms)
- [ ] Authenticated portal MVP flows signed off
- [ ] CFL / lending compliance copy and consent UX (legal review)

### Application

- [x] Full-stack codebase present (`frontend/`, `backend/`, Prisma, Docker Compose)
- [ ] Frontend production hardening (env config, a11y/SEO baseline)
- [ ] Backend hardening (rate limits, structured logging, health checks, OpenAPI parity)
- [ ] Database migrations + backup/restore runbook
- [ ] Tokenization / contracts (if in scope): audit + key management

### Infrastructure

- [ ] Target host provisioned (LXC/VM or cloud)
- [ ] DNS + TLS + WAF / rate limits
- [ ] SMTP / notifications

### Integration

- [ ] OMNL / Fineract office 5 mapping (if required): APIs, idempotency, reconciliation
- [ ] Chain 138 / RPC env (if required): per canonical address docs

### Verification

- [ ] E2E smoke (auth + loan happy path)
- [ ] Security review checklist
- [ ] Load or backup drill

---

## 2. TAJ (`~/projects/TAJ_PSFO`)

### Repository

- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`)
- [ ] Replace draft copy with approved marketing and portal modules
- [ ] CI (lint, build) on default branch

### Product and engineering

- [ ] Legal / regulatory pages
- [ ] OIDC (Keycloak or equivalent) for `/portal`
- [ ] Confidentiality controls (encryption, audit log requirements)

### Infrastructure

- [ ] Dedicated FQDN + TLS + monitoring
- [ ] OMNL office 4 alignment (if ledger integration applies)

### Verification

- [ ] Access revocation and DR tested

---

## 3. Solace Bank Group PLC

### Repository (`~/projects/Solace_Bank_Group`)

- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`)
- [ ] Corporate content and portal modules
- [ ] CI (lint, build)

### Proxmox repo — related surfaces

- [x] `solace-bank-group-portal/` — `Dockerfile` + `nginx.conf.example` for static deploy
- [ ] Decide: keep static portal vs redirect to `web/` vs embed in Phoenix
- [ ] `dbis_core` SolaceNet IRU: Turnstile, `TRUST_PROXY`, rate limits per `SANKOFA_MARKETPLACE_SURFACES.md` (verify in prod)

### Infrastructure

- [ ] NPM / Cloudflare (or standard edge) for chosen hostnames
- [ ] Upstream VMID or container IP documented in inventory docs

### Verification

- [ ] Public + authenticated smoke on production URLs
- [ ] Legal sign-off on IRU copy and data handling

---

## 4. Cross-cutting (all entities)

- [ ] Keycloak: realms/clients, MFA, session policy, admin separation
- [ ] Centralized logs and uptime checks per hostname
- [ ] Secrets in vault only; rotation runbooks
- [ ] Operator runbooks: deploy, rollback, cert renew
- [ ] Privacy, cookies, retention, incident response (as applicable)

---

## 5.
Monorepo (`~/projects/Aseret_Global`)

- [ ] Submodule URLs and commits pinned to real `Aseret_Bank`, `TAJ_PSFO`, `Solace_Bank_Group` heads
- [ ] Root CI (optional) once submodules are wired

---

## Consolidated runtime (optional)

To host many non-chain frontends and one Phoenix API surface with fewer LXCs, see [SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md](../02-architecture/SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md), run `bash scripts/verify/check-sankofa-consolidated-nginx-examples.sh`, and `bash scripts/deployment/plan-sankofa-consolidated-hub-cutover.sh` for a read-only cutover checklist.

### Shared Sankofa platform (this repo)

- [x] Tier-1 Phoenix API hub installer (`scripts/deployment/install-sankofa-api-hub-nginx-on-pve.sh`) and LAN verifier (`scripts/verify/verify-sankofa-consolidated-hub-lan.sh`)
- [x] NPM fleet: `SANKOFA_NPM_PHOENIX_PORT` / `IP_SANKOFA_NPM_PHOENIX_API` for `phoenix.sankofa.nexus` in `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`
- [x] `get_host_for_vmid` explicit VMIDs **7800–7806** (Sankofa stack on r630-01)
- [x] `dbis_core`: configurable **`TRUST_PROXY_HOPS`** when `TRUST_PROXY=1` (see `dbis_core/.env.example`)
- [x] Cutover + rollback outline: [SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md](./SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md)
- [x] Production NPM `phoenix.sankofa.nexus` → hub `:8080` + WebSocket upgrades (fleet script); `TRUST_PROXY=1` on dbis API CTs **10150** / **10151** (`ensure-dbis-api-trust-proxy-on-ct.sh`)
- [x] WebSocket upgrade path (HTTP **101**) public + optional LAN hub: `bash scripts/verify/smoke-phoenix-graphql-wss-public.sh` (`PHOENIX_WSS_INCLUDE_LAN=1` with `load-project-env`)
- [x] graphql-ws payload smoke (`connection_ack`): `pnpm run verify:phoenix-graphql-ws-subscription`. Related CT **7800** ensure scripts:
  - removes unused `@fastify/websocket` via `ensure-sankofa-phoenix-graphql-ws-remove-fastify-websocket-7800.sh`
  - `websocket.ts` imports **logger** (`ensure-sankofa-phoenix-websocket-ts-import-logger-7800.sh`, avoids crash on disconnect)
  - hub `/graphql-ws` proxy headers via `ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh`
  - hub **ExecReload**: `ensure-sankofa-phoenix-api-hub-systemd-exec-reload-7800.sh`
  - **.env** LAN parity: `ensure-sankofa-phoenix-api-env-lan-parity-7800.sh` (align **DB_HOST** / **KEYCLOAK_URL**; **DB_PASSWORD** / **DB_USER=sankofa** aligned with VMID **7803**; **`pnpm db:migrate:up`** via `ensure-sankofa-phoenix-api-db-migrate-up-7800.sh` for **audit_logs**)
  - TLS terminate-at-edge patch `ensure-sankofa-phoenix-tls-config-terminate-at-edge-7800.sh` when using production without local certs
  - optional **nft** `:4000` guard: `ensure-sankofa-phoenix-7800-nft-dport-4000-guard.sh`
- [x] Apollo **:4000** loopback-only on VMID **7800** (`HOST=127.0.0.1`, `ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh`); host-firewall alternative still documented in `plan-phoenix-apollo-port-4000-restrict-7800.sh`

## Quick paths

| Entity | Code root |
|--------|-----------|
| Aseret | `~/projects/Aseret_Bank` |
| TAJ | `~/projects/TAJ_PSFO/web` |
| Solace (Next) | `~/projects/Solace_Bank_Group/web` |
| Solace (static program) | `proxmox/solace-bank-group-portal` |
| SolaceNet (marketplace) | `proxmox/dbis_core` |
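The `TRUST_PROXY=1` / `TRUST_PROXY_HOPS` item for `dbis_core` and the rate-limit item for the SolaceNet IRU depend on one detail worth checking in production: per-client rate limits are only as good as the client address they key on, and behind NPM or Cloudflare that address comes from `X-Forwarded-For`, a header the client can seed with anything. The TypeScript below is an added example, not code from `dbis_core` or any Sankofa script; it shows how a hop count bounds which entry of the header is trusted, why an overstated hop count hands the rate-limit key to the client, and what to do when fewer entries arrive than the configured hops. `ProxyTrust`, `parseProxyTrust`, `clientAddress`, `FixedWindowLimiter`, `demo()` and the addresses in it are assumptions constructed for illustration.

```typescript
// Added example (not dbis_core's own code): derive the client address used for
// per-client rate limiting when the app sits behind a known number of reverse
// proxies. Mirrors the intent of TRUST_PROXY=1 / TRUST_PROXY_HOPS=<n>; the
// names here are assumptions.

export interface ProxyTrust {
  trustProxy: boolean; // TRUST_PROXY=1: X-Forwarded-For may be consulted
  trustedHops: number; // TRUST_PROXY_HOPS: proxies we operate in front of the app
}

// Parse the two environment variables. A hop count of zero or less makes the
// header unusable, so reject it when proxy trust is enabled.
export function parseProxyTrust(env: Record<string, string | undefined>): ProxyTrust {
  const trustProxy = env.TRUST_PROXY === "1";
  const hops = Number.parseInt(env.TRUST_PROXY_HOPS ?? "1", 10);
  if (trustProxy && (!Number.isInteger(hops) || hops < 1)) {
    throw new Error("TRUST_PROXY_HOPS must be a positive integer when TRUST_PROXY=1");
  }
  return { trustProxy, trustedHops: trustProxy ? hops : 0 };
}

// Resolve the address to key rate limits on.
//   remoteAddr: TCP peer of the app (the innermost proxy, or the client when none)
//   xff:        X-Forwarded-For as received, "client, proxy1, proxy2, ..."
// Each trusted proxy appends exactly one entry (the peer it accepted the
// connection from), so with N trusted hops the N-th entry from the right is
// what the outermost trusted proxy saw: the client. Everything left of it was
// supplied by the client and is untrusted.
export function clientAddress(trust: ProxyTrust, remoteAddr: string, xff?: string): string {
  if (!trust.trustProxy || trust.trustedHops < 1 || !xff) return remoteAddr;
  const entries = xff.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  if (entries.length < trust.trustedHops) {
    // The request did not cross the expected chain (hop count misconfigured or
    // a proxy bypassed). Fall back to the verifiable TCP peer rather than a
    // client-supplied value: this over-limits instead of letting a client pick its key.
    return remoteAddr;
  }
  const picked = entries[entries.length - trust.trustedHops];
  return picked ?? remoteAddr;
}

// Minimal fixed-window limiter keyed on the resolved address, to show the effect.
export class FixedWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private counts = new Map<string, { windowStart: number; n: number }>();
  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }
  allow(key: string, nowMs: number): boolean {
    const cur = this.counts.get(key);
    if (!cur || nowMs - cur.windowStart >= this.windowMs) {
      this.counts.set(key, { windowStart: nowMs, n: 1 });
      return true;
    }
    cur.n += 1;
    return cur.n <= this.limit;
  }
}

// Constructed scenario: one NPM instance in front of the app (one trusted hop).
// A client at 203.0.113.9 sends a pre-filled header; NPM appends the real peer.
export function demo(): { withHops1: string; withHops2: string; limited: boolean } {
  const peer = "10.0.0.5"; // NPM's address as seen by the app (constructed)
  const forgedThenReal = "198.51.100.7, 203.0.113.9";
  const correct = clientAddress(
    parseProxyTrust({ TRUST_PROXY: "1", TRUST_PROXY_HOPS: "1" }), peer, forgedThenReal);
  // Overstating the hop count hands the key to the client: the forged entry wins.
  const overstated = clientAddress(
    parseProxyTrust({ TRUST_PROXY: "1", TRUST_PROXY_HOPS: "2" }), peer, forgedThenReal);
  const limiter = new FixedWindowLimiter(3, 60000);
  let allowed = true;
  for (let i = 0; i < 4; i++) allowed = limiter.allow(correct, 1000);
  return { withHops1: correct, withHops2: overstated, limited: !allowed };
}
```

The check to carry into the "verify in prod" step is that `TRUST_PROXY_HOPS` equals the number of proxies actually in the path for that hostname (NPM alone is one hop; Cloudflare in front of NPM is two). A value too high is the spoofable case shown in `demo()`; a value too low keys every client on a proxy address and throttles them as one.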