Web Properties — Ground Truth & Validation
Last Updated: 2026-03-27
Document Version: 1.2
Status: Active Documentation
Last reviewed: authoritative alignment checkpoint
This document reconciles expected intent, current deployment state, and functional role for each public-facing or semi-public web property.
Quick matrix (every FQDN: web vs API vs RPC, and what clients should see): FQDN_EXPECTED_CONTENT.md.
Sankofa.nexus and Phoenix — hostname model (canonical)
| Hostname | Tier | Access | Expected content |
|---|---|---|---|
| sankofa.nexus | Public web | Unauthenticated visitors | Sankofa — Sovereign Technologies: corporate / brand public site (marketing, narrative, entry points). |
| phoenix.sankofa.nexus | Public web | Unauthenticated visitors (for public pages) | Phoenix Cloud Services (a division of Sankofa): public-facing web for the cloud services division. |
| keycloak.sankofa.nexus | SSO infrastructure (IdP) | Browser hits login + token flows; operators use admin | Keycloak: OIDC/SAML identity provider behind client SSO. Serves realm login UI, well-known and token endpoints, and admin console at /admin. Consumes: admin.sankofa.nexus and portal.sankofa.nexus (and other registered clients) redirect here for authentication; it does not replace those hostnames. |
| admin.sankofa.nexus | Client SSO | SSO (system-mediated) | Client administration of access: who can access what (invites, roles, org settings, access policy). |
| portal.sankofa.nexus | Client SSO | SSO | Client workspace: Phoenix cloud services, Sankofa Marketplace subscriptions, and other client-facing services behind one SSO boundary. |
| dash.sankofa.nexus | Operator / systems | IP allowlisting + system authentication + MFA | Internal systems dashboard: administration across Sankofa, Phoenix, Gitea, and additional platform systems—not the same trust boundary as client admin / portal. |
Placement of Keycloak: Treat keycloak.sankofa.nexus as the shared IdP for the SSO-gated client tier (admin, portal). Users often see Keycloak only during login redirects. dash.sankofa.nexus is a separate, stricter surface (network + MFA); it may integrate with Keycloak or other system identity depending on implementation, but the documented intent is IP-gated operator admin, not “client self-service SSO” like portal.
1. sankofa.nexus (public — Sovereign Technologies)
Role: Public corporate web for Sankofa — Sovereign Technologies.
Comparable to: Company apex domain (e.g. microsoft.com).
Expected content
- Brand, mission, Sovereign Technologies positioning
- Philosophy narrative (Remember → Retrieve → Restore → Rise)
- Paths into Phoenix and commercial / program entry points (links may target phoenix.sankofa.nexus, portal.sankofa.nexus, etc.)
Current deployment (typical)
- VMID: 7801 · Port: 3000 (Next.js) — see ALL_VMIDS_ENDPOINTS.md
Notes
- Unauthenticated public web is the intent for this hostname; authenticated client work belongs on portal.sankofa.nexus.
2. phoenix.sankofa.nexus (public — Phoenix Cloud Services)
Role: Public-facing web for Phoenix Cloud Services, a division of Sankofa.
Comparable to: Public cloud division landing (e.g. azure.microsoft.com style), not the raw JSON-RPC layer.
Expected content
- Division branding, service overview, how Phoenix fits under Sankofa
- Clear separation from corporate apex (sankofa.nexus)
Technical note (same origin today)
- VMID 7800 historically exposes API-first surfaces (/health, /graphql, /graphql-ws). Public marketing or division web may be served from the same stack or split later; this document states product intent for the hostname. Prefer not to present the apex sankofa.nexus portal app as if it were “Phoenix public web.”
3. keycloak.sankofa.nexus (SSO — identity provider)
Role: OIDC/SAML IdP for the Sankofa / Phoenix client ecosystem.
VMID: 7802 (typical)
Expected content / behavior
- End-user login (realm themes), logout, token and well-known endpoints
- Admin console at /admin for realm and client configuration (operator-controlled)
Relationship
admin.sankofa.nexus and portal.sankofa.nexus are the client-facing apps; Keycloak is where authentication completes for those SSO flows.
4. admin.sankofa.nexus (client SSO — access administration)
Role: SSO-authenticated surface for clients to administer access (users, groups, delegations, tenant access policy as productized).
Expected content
- IAM-style administration for client orgs (not raw Keycloak admin—that remains on Keycloak’s /admin for platform operators).
5. portal.sankofa.nexus (client SSO — services and marketplace)
Role: SSO-authenticated client portal for day-to-day use of subscribed services.
Expected content
- Phoenix cloud service entry and consoles (as entitled)
- Sankofa Marketplace subscriptions and management
- Other client-facing services behind the same SSO boundary
Public URL policy (env): NextAuth / OIDC public URL may be set to https://portal.sankofa.nexus (see scripts/deployment/sync-sankofa-portal-7801.sh).
6. dash.sankofa.nexus (IP-gated — system admin + MFA)
Role: Operator and systems administration across Sankofa, Phoenix, Gitea, and related infrastructure.
Access model
- IP address gating (allowlisted networks / VPN / office)
- System authentication + MFA (stricter than public internet client SSO)
Expected content
- Unified or linked admin views for platform systems—not a substitute for portal.sankofa.nexus client self-service.
7. explorer.d-bis.org
Service Name: SolaceScanScout
Role: Block Explorer for ChainID 138
Technology: Blockscout-based
Comparable To: Etherscan, PolygonScan, BscScan
Intended Function
- Public transparency layer for ChainID 138
- Settlement and transaction inspection
Expected Capabilities
- Latest blocks viewer
- Transaction browser
- Address explorer (balances, history)
- Token explorer (ERC-20 or equivalents)
- Network metrics and statistics
- Search (block / tx / address)
- ChainID 138 network identification
Current Deployment
- Status: ✅ Active, separate service
- VMID: 5000
- Address: 192.168.11.140
- Isolation: Independent from Phoenix & Sankofa Portal
Notes
- Correctly positioned as public infrastructure
- No coupling to portal auth systems
8. blockscout.defi-oracle.io
Service Name: Blockscout Explorer (Generic)
Role: Independent / Reference Blockscout Instance
Intended Function
- General-purpose blockchain explorer
- Testing, comparison, or alternate network usage
Capabilities
- Standard Blockscout UI
- Smart contract verification
- API access for blockchain data
Current Status
- Separate and unrelated to ChainID 138 branding
- Not the canonical DBIS explorer
Canonical Alignment Summary
| Domain | Purpose | Public web | Auth model | Canonical |
|---|---|---|---|---|
| sankofa.nexus | Sovereign Technologies (corporate) | Yes (intended) | None for public pages | ✅ |
| phoenix.sankofa.nexus | Phoenix Cloud Services (division) | Yes (intended) | None for public pages | ✅ |
| keycloak.sankofa.nexus | IdP for client SSO | Login UI only | IdP + admin | ✅ |
| admin.sankofa.nexus | Client access administration | No | SSO | ✅ |
| portal.sankofa.nexus | Client services + marketplace | No | SSO | ✅ |
| dash.sankofa.nexus | Systems / operator admin | No | IP + system auth + MFA | ✅ |
| explorer.d-bis.org | ChainID 138 Explorer | Yes | No | ✅ |
| blockscout.defi-oracle.io | Generic Explorer | Yes | No | ❌ |
Confirmed Architectural Intent
- sankofa.nexus = public brand for Sankofa — Sovereign Technologies
- phoenix.sankofa.nexus = public web for Phoenix Cloud Services (division of Sankofa); API surfaces may share deployment
- portal / admin = client SSO tier; Keycloak = shared IdP
- dash = IP-gated operator systems admin with MFA
- DBIS Explorer = public transparency + settlement inspection
- No accidental overlap between public marketing, client SSO, operator dash, and explorer transparency
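
An added example (not part of the original document or the project's tooling): a conformance check that compares one unauthenticated probe per hostname, taken from a non-allowlisted address, with the tier documented above. The observations are constructed; the redirect status codes, the 403 on dash, the Keycloak realm and client names, and the unlisted hostname are assumptions.

```python
from urllib.parse import urlsplit

IDP = "keycloak.sankofa.nexus"
# Expected tier per hostname, from the Canonical Alignment Summary table.
TIERS = {
    "sankofa.nexus": "public", "phoenix.sankofa.nexus": "public",
    "explorer.d-bis.org": "public", "blockscout.defi-oracle.io": "public",
    "admin.sankofa.nexus": "sso", "portal.sankofa.nexus": "sso",
    "dash.sankofa.nexus": "ip_gated",
}

def check(host, obs):
    """Compare one unauthenticated probe, sent from a NON-allowlisted address,
    with the documented tier. obs = {"status": int, "location": str | None}."""
    tier = TIERS.get(host)
    if tier is None:
        return [f"{host}: not in the hostname model"]
    status, loc = obs["status"], obs.get("location")
    loc_host = urlsplit(loc).hostname if loc else None
    if tier == "public" and status != 200:
        return [f"{host}: public tier answered {status}, expected 200"]
    if tier == "sso":
        if status == 200:
            return [f"{host}: SSO tier served content without authentication"]
        # Assumption: the app sends unauthenticated users to the IdP with a redirect.
        if status not in (302, 303, 307) or loc_host != IDP:
            return [f"{host}: expected redirect to {IDP}, got {status} -> {loc_host}"]
    # Assumption: the proxy rejects non-allowlisted sources with 403 before any login UI.
    if tier == "ip_gated" and status != 403:
        return [f"{host}: reachable from non-allowlisted source (status {status})"]
    return []

def audit(observations):
    """Return {hostname: findings} for every hostname that deviates."""
    results = {host: check(host, obs) for host, obs in observations.items()}
    return {host: found for host, found in results.items() if found}

# Constructed observations (not real probe output); realm and client_id are placeholders.
LOGIN = f"https://{IDP}/realms/example/protocol/openid-connect/auth?client_id=example"
SAMPLE = {
    "sankofa.nexus": {"status": 200}, "explorer.d-bis.org": {"status": 200},
    "admin.sankofa.nexus": {"status": 302, "location": LOGIN},
    "portal.sankofa.nexus": {"status": 200},                   # drift: no login required
    "dash.sankofa.nexus": {"status": 302, "location": LOGIN},  # drift: login UI off-allowlist
    "unlisted.example.test": {"status": 200},                  # drift: undocumented hostname
}

if __name__ == "__main__":
    print("\n".join(f for found in audit(SAMPLE).values() for f in found))
```

The redirect target is compared as an exact hostname, so a lookalike such as a longer name that merely starts with the IdP hostname is reported as a deviation.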
Open Decisions (Explicitly Unresolved)
Critical: These decisions remain explicitly unresolved. Do not collapse them prematurely.
1. Phoenix UI vs API on phoenix.sankofa.nexus
Status: Implementation may still be API-first on VMID 7800 while hostname intent is public division web; reconcile with a dedicated static/marketing upstream or path split if needed.
2. Rich console UI for Phoenix (beyond public division web)
Status: Open decision point
Question: Whether authenticated Phoenix product consoles live primarily on portal.sankofa.nexus (SSO) vs additional surfaces.
Flexibility: Public division web on phoenix.sankofa.nexus does not preclude deep consoles behind portal SSO.
3. Branding Linkage
Status: Open decision point
Question: Branding linkage between DBIS Core products and explorer UI
Options:
- Maintain independent branding
- Align with DBIS Core products
- Federate with other explorers
Note: Explorer independence is intentional, not permanent.
4. Future Evolution Pathways (Non-Binding)
These are possible futures, not commitments:
- NPM www.* → apex 301 policy vs additional marketing hostnames
- admin / portal / dash upstream targets on NPM (when split from legacy single-host deployments)
- Delegated Phoenix UI development
- Explorer rebrand or federation
- Additional service surfaces
Why Documented:
- Signals foresight without commitment
- Prevents future teams from assuming "this was never considered"
- Preserves optionality for governance decisions
Service Relationship Diagram
```
Internet
  ↓
NPMplus (Reverse Proxy + SSL)
  ↓
  ├─→ sankofa.nexus → Public web: Sankofa — Sovereign Technologies
  ├─→ phoenix.sankofa.nexus → Public web: Phoenix Cloud Services (division)
  │
  ├─→ admin.sankofa.nexus → Client SSO: administer access
  ├─→ portal.sankofa.nexus → Client SSO: Phoenix cloud + marketplace + client services
  │     └─ (redirects) ──→ keycloak.sankofa.nexus (OIDC/SAML IdP, VMID 7802)
  │
  ├─→ dash.sankofa.nexus → IP allowlist + system auth + MFA: operator systems admin
  │     (Sankofa, Phoenix, Gitea, …)
  │
  ├─→ explorer.d-bis.org → SolaceScanScout (ChainID 138, no login for browse)
  └─→ blockscout.defi-oracle.io → Generic Blockscout (not canonical 138 explorer)

Backend (typical):
  ├─→ Keycloak VMID 7802, PostgreSQL VMID 7803
  └─→ Phoenix API VMID 7800, Sankofa web VMID 7801 (until admin/portal/dash are split to own upstreams)
```
Deployment Status
Active Services
| Service | Domain | VMID | IP | Port | Status | Access model |
|---|---|---|---|---|---|---|
| Phoenix (API today; division hostname) | phoenix.sankofa.nexus | 7800 | 192.168.11.50 | 4000 | ✅ Active | Public web intent; API paths coexist |
| Sankofa public web | sankofa.nexus | 7801 | 192.168.11.51 | 3000 | ✅ Active | Public intent (see hostname model) |
| Keycloak IdP | keycloak.sankofa.nexus | 7802 | (see ALL_VMIDS) | 8080 | ✅ Active | IdP + /admin |
| Client admin (SSO) | admin.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | SSO |
| Client portal (SSO) | portal.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | SSO |
| Operator dash | dash.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | IP + MFA |
| SolaceScanScout | explorer.d-bis.org | 5000 | 192.168.11.140 | 80/4000 | ✅ Active | Public |
| Blockscout | blockscout.defi-oracle.io | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | ⚠️ Separate | Public |
Brand/Product Relationship Context
Sankofa = Company/Brand (like Microsoft, Google, Amazon)
Phoenix = Cloud Platform/Product (like Azure, GCP, AWS)
Sankofa Phoenix = Complete Product (like Microsoft Azure, Google Cloud Platform, Amazon Web Services)
- sankofa.nexus = Public company site — Sankofa — Sovereign Technologies
- phoenix.sankofa.nexus = Public division site — Phoenix Cloud Services
- portal.sankofa.nexus / admin.sankofa.nexus = Client SSO apps (Keycloak as IdP)
- dash.sankofa.nexus = IP-gated operator systems admin (MFA)
- explorer.d-bis.org = Blockchain explorer (like Etherscan)
- blockscout.defi-oracle.io = Generic explorer instance
Review Status: Authoritative alignment checkpoint