# DBIS members.d-bis.org — MVP runbook

## Relationship to secure.d-bis.org

| Host | Intended use |
|------|--------------|
| **secure.d-bis.org** | Existing authenticated DBIS frontend (inventory: VMID/backends per [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md)). |
| **members.d-bis.org** | Sovereign **member institution** portal: OIDC login, institution-scoped dashboard, settlement **read/simulation** tools, policy voting UI (phased). |

**Decision (default):** **Complement** — keep `secure.d-bis.org` for current operator/staff flows; introduce `members.d-bis.org` for central-bank-style members with stronger RBAC and audit. **Supersede** only after data migration and SSO client cutover.

## Architecture

1. **Edge:** NPMplus TLS termination → BFF (Next.js Route Handlers or small Go service).
2. **Auth:** OIDC (Keycloak or equivalent) — reuse patterns from Sankofa portal runbooks where applicable.
3. **Session:** HTTP-only cookies; CSRF protection on mutations.
4. **Backend:** mTLS from BFF to internal read APIs (`dbis-api`, future data API); no direct browser access to LAN RPC.
5. **DID (phase 2+):** Wallet or credential presentation (Indy/Aries) **after** [DBIS_IDENTITY_COMPLETION_PACKAGE_RUNBOOK.md](./DBIS_IDENTITY_COMPLETION_PACKAGE_RUNBOOK.md) milestones.

## Audit log

Append-only store for: login, policy votes, settlement simulation runs, document downloads.

Minimum fields: `ts`, `actor_sub`, `institution_id`, `action`, `payload_hash`, `ip_hash`.

## Operator checklist

- [ ] DNS + NPM host `members.d-bis.org`
- [ ] OIDC client + redirect URIs
- [ ] BFF deployed with secrets from vault/.env (not in git)
- [ ] mTLS certs issued for BFF → internal APIs
- [ ] Entry in [E2E_ENDPOINTS_LIST.md](../04-configuration/E2E_ENDPOINTS_LIST.md) when live
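The audit-log section above fixes the minimum fields but not how `payload_hash` and `ip_hash` are produced. The following is an added example for the "small Go service" BFF option, not code from the DBIS project: it assumes an in-memory append-only store (a deployment would use a WORM-style table), an unkeyed SHA-256 of the raw request body for `payload_hash`, and an HMAC under a server-side secret for `ip_hash` so the log itself never discloses client addresses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// AuditEntry carries the minimum fields the runbook lists.
type AuditEntry struct {
	TS            string `json:"ts"`
	ActorSub      string `json:"actor_sub"`
	InstitutionID string `json:"institution_id"`
	Action        string `json:"action"`
	PayloadHash   string `json:"payload_hash"`
	IPHash        string `json:"ip_hash"`
}

// AuditLog is a hypothetical in-memory append-only store; it has no update or delete method.
type AuditLog struct {
	IPKey   []byte // secret HMAC key so raw client IPs never reach the log (assumption)
	entries []AuditEntry
}

// HashPayload is unkeyed SHA-256 over the raw request body, so an auditor who
// holds the retained body can recompute it and match the logged value.
func HashPayload(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// HashIP is keyed: an unkeyed hash of an IPv4 address is reversed by trying
// all 2^32 candidates, an HMAC under a secret key is not.
func (l *AuditLog) HashIP(ip string) string {
	m := hmac.New(sha256.New, l.IPKey)
	m.Write([]byte(ip))
	return hex.EncodeToString(m.Sum(nil))
}

// Append records one action (login, policy vote, simulation run, download).
func (l *AuditLog) Append(sub, inst, action, ip string, body []byte) AuditEntry {
	e := AuditEntry{TS: time.Now().UTC().Format(time.RFC3339Nano), ActorSub: sub,
		InstitutionID: inst, Action: action, PayloadHash: HashPayload(body), IPHash: l.HashIP(ip)}
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy so callers cannot alter stored records via the slice.
func (l *AuditLog) Entries() []AuditEntry { return append([]AuditEntry(nil), l.entries...) }
```

The `IPKey` must come from the vault/.env secrets the checklist requires, never from the repository, and rotating it makes older `ip_hash` values uncorrelatable with newer ones.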