proxmox/docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md
# Entity institutions — web and portal completion tracker
**Purpose:** Single checklist for **Aseret Mortgage Bank**, **TAJ Private Single Family Trust**, and **Solace Bank Group PLC** public sites and client portals, plus cross-cutting items. Update this file as work completes.
**Legend:** `[x]` done in repo or scaffolded · `[ ]` requires stakeholder, secrets, or production LAN · `N/A` not applicable
---
## 0. Governance and scope
- [ ] Canonical legal names recorded (TAJ: trust vs OMNL “TAJ Private Single Family Office”)
- [ ] Tenancy model chosen (dedicated FQDNs + IdP vs shared Sankofa portal + entitlements)
- [ ] Definition of done per surface (marketing, portal, admin, APIs, DR)
---
## 1. Aseret Mortgage Bank (`~/projects/Aseret_Bank`)
### Product and UX
- [ ] Public IA (products, disclosures, contact, privacy, terms)
- [ ] Authenticated portal MVP flows signed off
- [ ] CFL / lending compliance copy and consent UX (legal review)
### Application
- [x] Full-stack codebase present (`frontend/`, `backend/`, Prisma, Docker Compose)
- [ ] Frontend production hardening (env config, a11y/SEO baseline)
- [ ] Backend hardening (rate limits, structured logging, health checks, OpenAPI parity)
- [ ] Database migrations + backup/restore runbook
- [ ] Tokenization / contracts (if in scope): audit + key management
### Infrastructure
- [ ] Target host provisioned (LXC/VM or cloud)
- [ ] DNS + TLS + WAF / rate limits
- [ ] SMTP / notifications
### Integration
- [ ] OMNL / Fineract office 5 mapping (if required): APIs, idempotency, reconciliation
- [ ] Chain 138 / RPC env (if required): per canonical address docs
### Verification
- [ ] E2E smoke (auth + loan happy path)
- [ ] Security review checklist
- [ ] Load or backup drill
---
## 2. TAJ (`~/projects/TAJ_PSFO`)
### Repository
- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`)
- [ ] Replace draft copy with approved marketing and portal modules
- [ ] CI (lint, build) on default branch
### Product and engineering
- [ ] Legal / regulatory pages
- [ ] OIDC (Keycloak or equivalent) for `/portal`
- [ ] Confidentiality controls (encryption, audit log requirements)
### Infrastructure
- [ ] Dedicated FQDN + TLS + monitoring
- [ ] OMNL office 4 alignment (if ledger integration applies)
### Verification
- [ ] Access revocation and DR tested
---
## 3. Solace Bank Group PLC
### Repository (`~/projects/Solace_Bank_Group`)
- [x] Next.js 14 scaffold under `web/` (`/`, `/portal`)
- [ ] Corporate content and portal modules
- [ ] CI (lint, build)
### Proxmox repo — related surfaces
- [x] `solace-bank-group-portal/Dockerfile` + `nginx.conf.example` for static deploy
- [ ] Decide: keep static portal vs redirect to `web/` vs embed in Phoenix
- [ ] `dbis_core` SolaceNet IRU: Turnstile, `TRUST_PROXY`, rate limits per `SANKOFA_MARKETPLACE_SURFACES.md` (verify in prod)
### Infrastructure
- [ ] NPM / Cloudflare (or standard edge) for chosen hostnames
- [ ] Upstream VMID or container IP documented in inventory docs
### Verification
- [ ] Public + authenticated smoke on production URLs
- [ ] Legal sign-off on IRU copy and data handling
---
## 4. Cross-cutting (all entities)
- [ ] Keycloak: realms/clients, MFA, session policy, admin separation
- [ ] Centralized logs and uptime checks per hostname
- [ ] Secrets in vault only; rotation runbooks
- [ ] Operator runbooks: deploy, rollback, cert renew
- [ ] Privacy, cookies, retention, incident response (as applicable)
---
## 5. Monorepo (`~/projects/Aseret_Global`)
- [ ] Submodule URLs and commits pinned to real `Aseret_Bank`, `TAJ_PSFO`, `Solace_Bank_Group` heads
- [ ] Root CI (optional) once submodules are wired
---
## Consolidated runtime (optional)
To host many non-chain frontends and one Phoenix API surface with fewer LXCs, see [SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md](../02-architecture/SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md), run `bash scripts/verify/check-sankofa-consolidated-nginx-examples.sh`, and `bash scripts/deployment/plan-sankofa-consolidated-hub-cutover.sh` for a read-only cutover checklist.
### Shared Sankofa platform (this repo)
- [x] Tier-1 Phoenix API hub installer (`scripts/deployment/install-sankofa-api-hub-nginx-on-pve.sh`) and LAN verifier (`scripts/verify/verify-sankofa-consolidated-hub-lan.sh`)
- [x] NPM fleet: `SANKOFA_NPM_PHOENIX_PORT` / `IP_SANKOFA_NPM_PHOENIX_API` for `phoenix.sankofa.nexus` in `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`
- [x] `get_host_for_vmid` explicit VMIDs **7800-7806** (Sankofa stack on r630-01)
- [x] `dbis_core`: configurable **`TRUST_PROXY_HOPS`** when `TRUST_PROXY=1` (see `dbis_core/.env.example`)
- [x] Cutover + rollback outline: [SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md](./SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md)
- [x] Production NPM `phoenix.sankofa.nexus` → hub `:8080` + WebSocket upgrades (fleet script); `TRUST_PROXY=1` on dbis API CTs **10150** / **10151** (`ensure-dbis-api-trust-proxy-on-ct.sh`)
- [x] WebSocket upgrade path (HTTP **101**) public + optional LAN hub: `bash scripts/verify/smoke-phoenix-graphql-wss-public.sh` (`PHOENIX_WSS_INCLUDE_LAN=1` with `load-project-env`)
- [x] graphql-ws payload smoke (`connection_ack`): `pnpm run verify:phoenix-graphql-ws-subscription`. Related CT **7800** ensure-scripts:
  - remove unused `@fastify/websocket`: `ensure-sankofa-phoenix-graphql-ws-remove-fastify-websocket-7800.sh`
  - `websocket.ts` imports **logger**: `ensure-sankofa-phoenix-websocket-ts-import-logger-7800.sh` (avoids crash on disconnect)
  - hub `/graphql-ws` proxy headers: `ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh`
  - hub **ExecReload**: `ensure-sankofa-phoenix-api-hub-systemd-exec-reload-7800.sh`
  - **.env** LAN parity: `ensure-sankofa-phoenix-api-env-lan-parity-7800.sh` (align **DB_HOST** / **KEYCLOAK_URL**; **DB_PASSWORD** / **DB_USER=sankofa** aligned with VMID **7803**)
  - **`pnpm db:migrate:up`** for **audit_logs**: `ensure-sankofa-phoenix-api-db-migrate-up-7800.sh`
  - TLS terminate-at-edge patch when running production without local certs: `ensure-sankofa-phoenix-tls-config-terminate-at-edge-7800.sh`
  - optional **nft** `:4000` guard: `ensure-sankofa-phoenix-7800-nft-dport-4000-guard.sh`
- [x] Apollo **:4000** loopback-only on VMID **7800** (`HOST=127.0.0.1`, `ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh`); host-firewall alternative still documented in `plan-phoenix-apollo-port-4000-restrict-7800.sh`
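The `TRUST_PROXY` / `TRUST_PROXY_HOPS` items above (dbis_core behind NPM and the hub, SolaceNet IRU rate limits) only rate-limit the right address if the app derives the client IP from `X-Forwarded-For` using the number of proxies it actually sits behind. The following is an added illustration of that hop-count rule, not dbis_core's own code: the function and variable names, the sample addresses and the sample headers are assumptions, and the exact parsing dbis_core does may differ.

```typescript
import { isIP } from "node:net";

// Added example (not dbis_core's implementation): pick the client IP behind a
// chain of reverse proxies using an explicit trusted-hop count, the idea behind
// TRUST_PROXY=1 / TRUST_PROXY_HOPS. Names and sample addresses are assumptions.

interface ProxyTrust {
  trustProxy: boolean; // TRUST_PROXY=1
  hops: number;        // TRUST_PROXY_HOPS: proxies between the app and the Internet
}

/** Parse the two env vars the way an env loader would; rejects a bad hop count. */
function parseProxyTrust(env: Record<string, string | undefined>): ProxyTrust {
  const trustProxy = env.TRUST_PROXY === "1";
  const hops = Number.parseInt(env.TRUST_PROXY_HOPS ?? "1", 10);
  if (trustProxy && (!Number.isInteger(hops) || hops < 1)) {
    throw new Error("TRUST_PROXY_HOPS must be a positive integer when TRUST_PROXY=1");
  }
  return { trustProxy, hops: trustProxy ? hops : 0 };
}

/** The naive rule: believe the leftmost X-Forwarded-For entry. Attacker-controlled. */
function naiveClientIp(socketAddr: string, xff: string | undefined): string {
  const first = (xff ?? "").split(",")[0].trim();
  return first || socketAddr;
}

/**
 * Hop-count rule. The address chain is [xff entries..., TCP peer]. Each of our
 * `hops` proxies appended exactly one entry (the peer it saw), so the client is
 * the entry immediately left of that trusted suffix. Anything further left was
 * supplied by whoever connected to the outermost trusted proxy and is ignored.
 */
function clientIp(socketAddr: string, xff: string | undefined, cfg: ProxyTrust): string {
  if (!cfg.trustProxy) return socketAddr; // header untrusted: use the TCP peer
  const entries = (xff ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  const chain = [...entries, socketAddr];
  const idx = chain.length - 1 - cfg.hops;
  // Chain shorter than the configured hops: the request did not traverse every
  // trusted proxy, or one failed to set the header. Do not guess; use the peer.
  if (idx < 0) return socketAddr;
  const candidate = chain[idx];
  return isIP(candidate) !== 0 ? candidate : socketAddr; // garbage header value: use the peer
}

// Constructed scenario: client -> edge (10.0.0.10) -> hub (10.0.0.20) -> app.
// Two proxies append to X-Forwarded-For, so TRUST_PROXY_HOPS=2.
const cfg = parseProxyTrust({ TRUST_PROXY: "1", TRUST_PROXY_HOPS: "2" });
const hub = "10.0.0.20";
const honest = "203.0.113.7, 10.0.0.10";                 // real client 203.0.113.7
const forged = "1.2.3.4, 198.51.100.9, 10.0.0.10";       // 198.51.100.9 sent a fake leading entry
console.log("honest  :", clientIp(hub, honest, cfg));    // 203.0.113.7
console.log("forged  :", clientIp(hub, forged, cfg));    // 198.51.100.9 (forgery ignored)
console.log("naive   :", naiveClientIp(hub, forged));    // 1.2.3.4 (forgery believed)
console.log("bypass  :", clientIp("198.51.100.9", "1.2.3.4", cfg)); // 198.51.100.9 (chain too short)
```

The hop-count rule is only sound when every trusted proxy is reachable solely from the next trusted hop: a client that can reach the hub or the Apollo listener directly gets to write the trusted suffix itself. That is the practical reason the `:4000` loopback bind and the optional nft guard above belong on the same checklist as `TRUST_PROXY_HOPS`.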
## Quick paths
| Entity | Code root |
|--------|-----------|
| Aseret | `~/projects/Aseret_Bank` |
| TAJ | `~/projects/TAJ_PSFO/web` |
| Solace (Next) | `~/projects/Solace_Bank_Group/web` |
| Solace (static program) | `proxmox/solace-bank-group-portal` |
| SolaceNet (marketplace) | `proxmox/dbis_core` |