proxmox/docs/03-deployment/ENTITY_INSTITUTIONS_WEB_PORTAL_COMPLETION.md

Entity institutions — web and portal completion tracker

Purpose: Single checklist for Aseret Mortgage Bank, TAJ Private Single Family Trust, and Solace Bank Group PLC public sites and client portals, plus cross-cutting items. Update this file as work completes.

Legend: [x] done in repo or scaffolded · [ ] requires stakeholder, secrets, or production LAN · N/A not applicable

---

0. Governance and scope

• Canonical legal names recorded (TAJ: trust vs OMNL “TAJ Private Single Family Office”)
• Tenancy model chosen (dedicated FQDNs + IdP vs shared Sankofa portal + entitlements)
• Definition of done per surface (marketing, portal, admin, APIs, DR)

---

1. Aseret Mortgage Bank (~/projects/Aseret_Bank)

Product and UX

• Public IA (products, disclosures, contact, privacy, terms)
• Authenticated portal MVP flows signed off
• CFL / lending compliance copy and consent UX (legal review)

Application

• Full-stack codebase present (frontend/, backend/, Prisma, Docker Compose)
• Frontend production hardening (env config, a11y/SEO baseline)
• Backend hardening (rate limits, structured logging, health checks, OpenAPI parity)
• Database migrations + backup/restore runbook
• Tokenization / contracts (if in scope): audit + key management

Infrastructure

• Target host provisioned (LXC/VM or cloud)
• DNS + TLS + WAF / rate limits
• SMTP / notifications

Integration

• OMNL / Fineract office 5 mapping (if required): APIs, idempotency, reconciliation
• Chain 138 / RPC env (if required): per canonical address docs

Verification

• E2E smoke (auth + loan happy path)
• Security review checklist
• Load or backup drill

---

2. TAJ (~/projects/TAJ_PSFO)

Repository

• Next.js 14 scaffold under web/ (/, /portal)
• Replace draft copy with approved marketing and portal modules
• CI (lint, build) on default branch

Product and engineering

• Legal / regulatory pages
• OIDC (Keycloak or equivalent) for /portal
• Confidentiality controls (encryption, audit log requirements)

Infrastructure

• Dedicated FQDN + TLS + monitoring
• OMNL office 4 alignment (if ledger integration applies)

Verification

• Access revocation and DR tested

---

3. Solace Bank Group PLC

Repository (~/projects/Solace_Bank_Group)

• Next.js 14 scaffold under web/ (/, /portal)
• Corporate content and portal modules
• CI (lint, build)

Proxmox repo — related surfaces

• solace-bank-group-portal/ — Dockerfile + nginx.conf.example for static deploy
• Decide: keep static portal vs redirect to web/ vs embed in Phoenix
• dbis_core SolaceNet IRU: Turnstile, TRUST_PROXY, rate limits per SANKOFA_MARKETPLACE_SURFACES.md (verify in prod)

Infrastructure

• NPM / Cloudflare (or standard edge) for chosen hostnames
• Upstream VMID or container IP documented in inventory docs

Verification

• Public + authenticated smoke on production URLs
• Legal sign-off on IRU copy and data handling

---

4. Cross-cutting (all entities)

• Keycloak: realms/clients, MFA, session policy, admin separation
• Centralized logs and uptime checks per hostname
• Secrets in vault only; rotation runbooks
• Operator runbooks: deploy, rollback, cert renew
• Privacy, cookies, retention, incident response (as applicable)

---

5. Monorepo (~/projects/Aseret_Global)

• Submodule URLs and commits pinned to real Aseret_Bank, TAJ_PSFO, Solace_Bank_Group heads
• Root CI (optional) once submodules are wired

---

Consolidated runtime (optional)

To host many non-chain frontends and one Phoenix API surface with fewer LXCs, see SANKOFA_PHOENIX_CONSOLIDATED_FRONTEND_AND_API.md, run bash scripts/verify/check-sankofa-consolidated-nginx-examples.sh, and bash scripts/deployment/plan-sankofa-consolidated-hub-cutover.sh for a read-only cutover checklist.

Shared Sankofa platform (this repo)

• Tier-1 Phoenix API hub installer (scripts/deployment/install-sankofa-api-hub-nginx-on-pve.sh) and LAN verifier (scripts/verify/verify-sankofa-consolidated-hub-lan.sh)
• NPM fleet: SANKOFA_NPM_PHOENIX_PORT / IP_SANKOFA_NPM_PHOENIX_API for phoenix.sankofa.nexus in scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
• get_host_for_vmid explicit VMIDs 7800–7806 (Sankofa stack on r630-01)
• dbis_core: configurable TRUST_PROXY_HOPS when TRUST_PROXY=1 (see dbis_core/.env.example)
• Cutover + rollback outline: SANKOFA_API_HUB_NPM_CUTOVER_AND_POST_CUTOVER_RUNBOOK.md
• Production NPM phoenix.sankofa.nexus → hub :8080 + WebSocket upgrades (fleet script); TRUST_PROXY=1 on dbis API CTs 10150 / 10151 (ensure-dbis-api-trust-proxy-on-ct.sh)
• WebSocket upgrade path (HTTP 101) public + optional LAN hub: bash scripts/verify/smoke-phoenix-graphql-wss-public.sh (PHOENIX_WSS_INCLUDE_LAN=1 with load-project-env)
• graphql-ws payload smoke (connection_ack): pnpm run verify:phoenix-graphql-ws-subscription; CT 7800 removes unused @fastify/websocket via ensure-sankofa-phoenix-graphql-ws-remove-fastify-websocket-7800.sh; websocket.ts imports logger (ensure-sankofa-phoenix-websocket-ts-import-logger-7800.sh, avoids crash on disconnect); hub /graphql-ws proxy headers via ensure-sankofa-phoenix-api-hub-graphql-ws-proxy-headers-7800.sh; hub ExecReload ensure-sankofa-phoenix-api-hub-systemd-exec-reload-7800.sh; .env LAN parity ensure-sankofa-phoenix-api-env-lan-parity-7800.sh (align DB_HOST / KEYCLOAK_URL; DB_PASSWORD / DB_USER=sankofa aligned with VMID 7803; pnpm db:migrate:up via ensure-sankofa-phoenix-api-db-migrate-up-7800.sh for audit_logs); TLS terminate-at-edge patch ensure-sankofa-phoenix-tls-config-terminate-at-edge-7800.sh when using production without local certs; optional nft :4000 guard: ensure-sankofa-phoenix-7800-nft-dport-4000-guard.sh
• Apollo :4000 loopback-only on VMID 7800 (HOST=127.0.0.1, ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh); host-firewall alternative still documented in plan-phoenix-apollo-port-4000-restrict-7800.sh

Quick paths

Entity	Code root
Aseret	~/projects/Aseret_Bank
TAJ	~/projects/TAJ_PSFO/web
Solace (Next)	~/projects/Solace_Bank_Group/web
Solace (static program)	proxmox/solace-bank-group-portal
SolaceNet (marketplace)	proxmox/dbis_core