# FQDN expected content (what users and clients should see)

**Last Updated:** 2026-03-29 (NPM fleet script includes `portal` / `admin` / optional `dash`; apex uses `IP_SANKOFA_PUBLIC_WEB`)

**Purpose:** One-page description of **what should be presented** at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.

**Canonical routing (IPs, VMIDs, ports):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).

**Product depth (Sankofa / Phoenix / explorer narrative):** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).

**Deployment status (VMID / upstream matrix):** same doc, section **Deployment Status** (authoritative for `portal` / `admin` / `dash` / `blockscout.defi-oracle.io` rows).

**Automated checks:** [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.

---

## Legend

| Kind | Meaning |
|------|---------|
| **Web** | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. |
| **API** | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. |
| **RPC-HTTP** | **No marketing page.** JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. |
| **RPC-WS** | **No HTML.** WebSocket upgrade; JSON-RPC / subscription traffic. |
| **301** | Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). |

---

## sankofa.nexus zone

**Canonical roles:** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table).

### Public web (unauthenticated visitors for marketing / division pages)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `sankofa.nexus` | Web | **Sankofa — Sovereign Technologies:** public corporate / brand web (mission, narrative, entry points). NPM upstream: **`IP_SANKOFA_PUBLIC_WEB`:`SANKOFA_PUBLIC_WEB_PORT`** (defaults to portal IP until marketing CT is split). |
| `www.sankofa.nexus` | 301 → apex | Browser ends on `https://sankofa.nexus/...`. |
| `phoenix.sankofa.nexus` | Web / API | **Phoenix Cloud Services** (division of Sankofa): public-facing **division web** (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. |
| `www.phoenix.sankofa.nexus` | 301 → apex | Browser ends on `https://phoenix.sankofa.nexus/...`. |

### Client SSO (system SSO; Keycloak as IdP)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `keycloak.sankofa.nexus` | Web / IdP | **Identity provider** for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator **Keycloak admin** at `/admin`. Backs **`admin`** and **`portal`** redirects—not a substitute for those apps. |
| `admin.sankofa.nexus` | Web | **Client SSO:** administer access (users, roles, org access policy). |
| `portal.sankofa.nexus` | Web | **Client SSO:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services. |

**Typical upstream (when NPM is wired)** — see [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) **Deployment Status**:

| FQDN | VMID / target | Notes |
|------|---------------|-------|
| `keycloak.sankofa.nexus` | **7802** (detail in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md)) | IdP + `/admin` for platform operators |
| `portal.sankofa.nexus` | **`IP_SANKOFA_CLIENT_SSO`** (typ. **7801** · `192.168.11.51:3000`) | Fleet script creates/updates NPM row; default **`NEXTAUTH_URL=https://portal.sankofa.nexus`** (`sync-sankofa-portal-7801.sh`) |
| `admin.sankofa.nexus` | same as **`IP_SANKOFA_CLIENT_SSO`** | Shares portal upstream until split; NPM row in fleet script |

### Operator / systems (IP-gated + MFA)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dash.sankofa.nexus` | Web | **IP allowlisting** + **system authentication** + **MFA:** unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |

**Typical upstream:** 🔶 **Not pinned** in VM inventory until NPM and operator dash app are authoritative (same **Deployment Status** table).

### Other properties on the zone

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `the-order.sankofa.nexus` | Web | **OSJ / Order management** portal (secure auth); app **the_order**. Upstream: HAProxy **10210** → portal stack. |
| `www.the-order.sankofa.nexus` | 301 → apex | Browser ends on `https://the-order.sankofa.nexus/...`. |
| `studio.sankofa.nexus` | Web | **Sankofa Studio (FusionAI)** UI under `/studio/` (and related API routes on same origin). |

---

## d-bis.org (DBIS + infrastructure)

**Canonical web map:** **d-bis.org** = public institutional site; **admin.d-bis.org** = admin console; **secure.d-bis.org** = member secure portal; **core.d-bis.org** = **DBIS Core** banking **client** portal (`dbis_core`). Detail: [DBIS_INSTITUTIONAL_SUBDOMAINS.md](DBIS_INSTITUTIONAL_SUBDOMAINS.md).

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `d-bis.org`, `www.d-bis.org` | Web | **Public** DBIS institutional portal (sovereign / policy / directory). **www** should redirect to apex when used. |
| `explorer.d-bis.org` | Web | **SolaceScanScout / Blockscout** UI: blocks, txs, addresses, tokens, contract verification for **Chain 138**. Public, no login for browse. |
| `docs.d-bis.org` | Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). |
| `admin.d-bis.org` | Web | DBIS **admin** console (operations staff). |
| `dbis-admin.d-bis.org` | Web | **Legacy** admin hostname; same expected content as **admin.d-bis.org** if DNS retained. |
| `secure.d-bis.org` | Web | DBIS **member** secure portal (authenticated institutions); may path-route `/admin`, `/api`, `/` per NPM (see ALL_VMIDS). |
| `core.d-bis.org` | Web | **DBIS Core** banking app — **client**-facing portal (login, accounts, products as implemented in **dbis_core**); upstream when wired. |
| `dbis-api.d-bis.org` | API | DBIS **core API** (aggregation, OTC, exchange JSON). |
| `dbis-api-2.d-bis.org` | API | Secondary DBIS API instance. |
| `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` | Web | **MIM4U** property sites (nginx on MIM stack). |
| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. |
| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | RPC-WS | **Public Besu WebSocket** RPC. |
| `rpc-http-prv.d-bis.org` | RPC-HTTP | **Core / private** JSON-RPC (permissioned use). |
| `rpc-ws-prv.d-bis.org` | RPC-WS | **Core / private** WebSocket RPC. |
| `rpc-fireblocks.d-bis.org` | RPC-HTTP | **Fireblocks-dedicated** JSON-RPC endpoint. |
| `ws.rpc-fireblocks.d-bis.org` | RPC-WS | **Fireblocks-dedicated** WebSocket RPC. |
| `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` | RPC-HTTP | **Alltra** RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). |
| `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` | RPC-HTTP | **HYBX** RPC fronts; same class as Alltra. |
| `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` | Web | **Cacti** monitoring UI (graphs, device views). |
| `mifos.d-bis.org` | Web | **Mifos** banking platform UI (when backend healthy). |
| `dapp.d-bis.org` | Web | **DApp** static/hosted frontend (VMID per ALL_VMIDS). |
| `gitea.d-bis.org` | Web | **Gitea** git forge UI. |
| `dev.d-bis.org` | Web | **Dev** workspace UI (codespaces / dev host). |
| `codespaces.d-bis.org` | Web | **Codespaces / dev** related web entry (as wired on NPM). |

---

## defi-oracle.io (ThirdWeb / public edge)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. |
| `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). |
| `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. |
| `blockscout.defi-oracle.io` | Web | **Blockscout** explorer UI (generic / reference). When NPM proxies here, routing summaries align with **VMID 5000** (`192.168.11.140:80`, TLS at NPM). **Not** canonical **SolaceScanScout / Chain 138** branding—that is **`explorer.d-bis.org`**. Confirm live NPM if behavior differs. |

---

## xom-dev.phoenix.sankofa.nexus (gov portals dev)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| `dbis.xom-dev.phoenix.sankofa.nexus` | Web | Gov portals **dev** app on port **3001** (VMID 7804 family). |
| `iccc.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3002**. |
| `omnl.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3003**. |
| `xom.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3004**. |

---

## Operator checklist

- **Wrong content** (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means **NPM upstream** or **DNS** is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). Ensure **`portal.sankofa.nexus`** / **`admin.sankofa.nexus`** DNS exist; **`dash`** is created in NPM only when **`IP_SANKOFA_DASH`** is set in `config/ip-addresses.conf`.
- **301 on `www.*`** is intentional; content is judged on the **apex** hostname after redirect.

---

**Inventory alignment:** `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` includes **`keycloak.sankofa.nexus`**, **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, **`dash.sankofa.nexus`**, **`docs.d-bis.org`**, and **`blockscout.defi-oracle.io`** (see [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md); `--list-endpoints --profile=public`). They are in **`E2E_OPTIONAL_WHEN_FAIL`** so unwired NPM or off-LAN runs still exit **0**. **`portal.sankofa.nexus`** is expected on **VMID 7801** when NPM is configured (**Deployment Status** in [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md)). **`admin.sankofa.nexus`** and **`dash.sankofa.nexus`** remain **hostname intent** until pinned in [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). **`blockscout.defi-oracle.io`** aligns with **VMID 5000** in routing summaries (not **`explorer.d-bis.org`** branding). **xom-dev** hostnames are not in the E2E list yet—add when NPM routes are stable.
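
The mismatch classes named in the operator checklist (HTML on an RPC hostname, the wrong site on a Web hostname, a `www.*` that does not redirect to its apex) can be checked mechanically against the Legend. The following is an added Python example, not the project's `verify-end-to-end-routing.sh`; it classifies already-captured responses for the Web, RPC-HTTP and 301 kinds only, and the function names, sample responses and the `Sankofa` marker string are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit

CHAIN_138 = "0x8a"  # from the page: eth_chainId -> 0x8a on the public Besu RPC

def mismatches(host, kind, status, headers, body, marker=None):
    """Compare one captured HTTPS response with the Kind documented for host."""
    ctype = headers.get("content-type", "").lower()
    problems = []
    if kind == "301":
        # www.* must redirect to the non-www HTTPS apex.
        target = urlsplit(headers.get("location", ""))
        apex = host[4:] if host.startswith("www.") else host
        if status != 301:
            problems.append(f"expected 301, got {status}")
        if target.scheme != "https" or target.hostname != apex:
            problems.append(f"redirect target is not https://{apex}/")
    elif kind == "RPC-HTTP":
        # Reply to a JSON-RPC eth_chainId POST: JSON, never an HTML page.
        if "html" in ctype:
            problems.append("HTML served on an RPC hostname")
        try:
            reply = json.loads(body)
        except ValueError:
            reply = None
        if not isinstance(reply, dict) or reply.get("jsonrpc") != "2.0":
            problems.append("body is not a JSON-RPC 2.0 response")
        elif reply.get("result") != CHAIN_138:
            problems.append(f"unexpected chain id {reply.get('result')!r}")
    elif kind == "Web":
        if status != 200 or "text/html" not in ctype:
            problems.append(f"expected 200 text/html, got {status} {ctype!r}")
        if marker and marker.lower() not in body.lower():
            problems.append(f"page lacks expected marker {marker!r}")
    else:
        raise ValueError(f"kind {kind!r} is not covered by this example")
    return problems

# Constructed captures (not real traffic); the "Sankofa" marker is an assumption.
EXPLORER_HTML = "<html><title>Blockscout</title></html>"
SAMPLES = [
    ("www.sankofa.nexus", "301", 301, {"location": "https://sankofa.nexus/"}, "", None),
    ("rpc.d-bis.org", "RPC-HTTP", 200, {"content-type": "application/json"},
     '{"jsonrpc":"2.0","id":1,"result":"0x8a"}', None),
    ("rpc2.d-bis.org", "RPC-HTTP", 200, {"content-type": "text/html"}, EXPLORER_HTML, None),
    ("sankofa.nexus", "Web", 200, {"content-type": "text/html"}, EXPLORER_HTML, "Sankofa"),
]

def report(samples=SAMPLES):
    return {s[0]: mismatches(*s) for s in samples}
```

An empty list for a host means the captured response matches its documented Kind; any entry points at the NPM upstream or DNS record to inspect first.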