proxmox/docs/03-deployment/DBIS_MEMBERS_PORTAL_RUNBOOK.md
defiQUG 7ac74f432b chore: sync docs, config schemas, scripts, and meta task alignment
- Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON
- Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path)
- Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README
- Meta docs, integration gaps, live verification log, architecture updates
- CI validate-config workflow updates

Operator/LAN items, submodule working trees, and public token-aggregation edge
routes remain follow-up (see TODOS_CONSOLIDATED P1).

Made-with: Cursor
2026-03-31 22:31:39 -07:00

# DBIS members.d-bis.org — MVP runbook

## Relationship to secure.d-bis.org

| Host | Intended use |
|------|----------------|
| **secure.d-bis.org** | Existing authenticated DBIS frontend (inventory: VMID/backends per [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md)). |
| **members.d-bis.org** | Sovereign **member institution** portal: OIDC login, institution-scoped dashboard, settlement **read/simulation** tools, policy voting UI (phased). |

**Decision (default):** **Complement** — keep `secure.d-bis.org` for current operator/staff flows; introduce `members.d-bis.org` for central-bank-style members with stronger RBAC and audit. **Supersede** only after data migration and SSO client cutover.

## Architecture

1. **Edge:** NPMplus TLS termination → BFF (Next.js Route Handlers or small Go service).
2. **Auth:** OIDC (Keycloak or equivalent) — reuse patterns from Sankofa portal runbooks where applicable.
3. **Session:** HTTP-only cookies; CSRF on mutations.
4. **Backend:** mTLS from BFF to internal read APIs (`dbis-api`, future data API); no direct browser access to LAN RPC.
5. **DID (phase 2+):** Wallet or credential presentation (Indy/Aries) **after** [DBIS_IDENTITY_COMPLETION_PACKAGE_RUNBOOK.md](./DBIS_IDENTITY_COMPLETION_PACKAGE_RUNBOOK.md) milestones.

## Audit log

Append-only store for: login, policy votes, settlement simulation runs, document downloads. Minimum fields: `ts`, `actor_sub`, `institution_id`, `action`, `payload_hash`, `ip_hash`.
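
A worked example (added here, not part of this runbook or the DBIS code) of building and verifying records with those minimum fields in Go, the BFF option the architecture section names. It assumes an HMAC key for `ip_hash` loaded from the vault like the other BFF secrets, and adds a `prev_hash` link that the runbook does not specify, so that the append-only store is also tamper-evident.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEntry: the runbook's minimum fields plus prev_hash, an added chain link (not in the runbook) for tamper evidence.
type AuditEntry struct {
	TS            string `json:"ts"`
	ActorSub      string `json:"actor_sub"`
	InstitutionID string `json:"institution_id"`
	Action        string `json:"action"`
	PayloadHash   string `json:"payload_hash"`
	IPHash        string `json:"ip_hash"`
	PrevHash      string `json:"prev_hash"`
}

// HashPayload hashes canonical JSON (encoding/json sorts map keys), so the same
// logical payload yields the same payload_hash whatever the field order.
func HashPayload(p map[string]any) string { b, _ := json.Marshal(p); return fmt.Sprintf("%x", sha256.Sum256(b)) }

// HashIP is keyed (HMAC, key assumed to come from the vault) rather than a bare
// hash: the IPv4 space is small enough to reverse an unkeyed SHA-256 by brute force.
func HashIP(ipKey []byte, ip string) string {
	m := hmac.New(sha256.New, ipKey)
	m.Write([]byte(ip))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// EntryHash hashes an entry's canonical JSON; the next entry stores it as prev_hash.
func EntryHash(e AuditEntry) string { b, _ := json.Marshal(e); return fmt.Sprintf("%x", sha256.Sum256(b)) }

// NewEntry builds one record (login, policy vote, simulation run, download)
// linked to the previous record's hash; the store only ever appends these.
func NewEntry(ipKey []byte, ts time.Time, sub, inst, action string, p map[string]any, ip, prev string) AuditEntry {
	return AuditEntry{ts.UTC().Format(time.RFC3339), sub, inst, action, HashPayload(p), HashIP(ipKey, ip), prev}
}

// VerifyChain replays the links up to the stored head hash: an edited or removed
// entry breaks a prev_hash link, and a truncated log leaves the head unmatched.
func VerifyChain(entries []AuditEntry, head string) bool {
	prev := ""
	for _, e := range entries {
		if e.PrevHash != prev {
			return false
		}
		prev = EntryHash(e)
	}
	return prev == head
}
```

The head hash must be kept outside the store itself (for example in a separate write-once location) or an attacker who can rewrite the last entry can also rewrite the head.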

## Operator checklist

- [ ] DNS + NPM host `members.d-bis.org`
- [ ] OIDC client + redirect URIs
- [ ] BFF deployed with secrets from vault/.env (not in git)
- [ ] mTLS certs issued for BFF → internal APIs
- [ ] Entry in [E2E_ENDPOINTS_LIST.md](../04-configuration/E2E_ENDPOINTS_LIST.md) when live