proxmox/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
defiQUG 7e546ec9e3 feat(e2e): add SSO, docs.d-bis, blockscout.defi-oracle to routing verifier
- DOMAIN_TYPES_ALL: keycloak/admin/portal/dash, docs.d-bis.org,
  blockscout.defi-oracle.io (web)
- E2E_OPTIONAL_WHEN_FAIL: same set for soft failures off-LAN
- Optional Blockscout /api/v2/stats for blockscout.defi-oracle.io
- print-gitea-actions-urls.sh: browser URLs (Actions API not relied on)
- E2E_ENDPOINTS_LIST + FQDN inventory alignment updated

Made-with: Cursor
2026-03-28 17:29:50 -07:00


FQDN expected content (what users and clients should see)

Last Updated: 2026-03-27 (aligned with EXPECTED_WEB_CONTENT deployment table v1.5)
Purpose: One-page description of what should be presented at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.

Canonical routing (IPs, VMIDs, ports): ALL_VMIDS_ENDPOINTS.md, RPC_ENDPOINTS_MASTER.md.
Product depth (Sankofa / Phoenix / explorer narrative): EXPECTED_WEB_CONTENT.md.
Deployment status (VMID / upstream matrix): same doc, section Deployment Status (authoritative for portal / admin / dash / blockscout.defi-oracle.io rows).
Automated checks: E2E_ENDPOINTS_LIST.md, scripts/verify/verify-end-to-end-routing.sh.


Legend

| Kind | Meaning |
|------|---------|
| Web | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. |
| API | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. |
| RPC-HTTP | No marketing page. JSON-RPC 2.0 over HTTPS POST to / (or provider path); wallets and backends consume JSON. |
| RPC-WS | No HTML. WebSocket upgrade; JSON-RPC / subscription traffic. |
| 301 | Apex policy: www.* redirects to non-www HTTPS (see NPM advanced_config). |

sankofa.nexus zone

Canonical roles: EXPECTED_WEB_CONTENT.md (hostname model table).

Public web (unauthenticated visitors for marketing / division pages)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| sankofa.nexus | Web | Sankofa — Sovereign Technologies: public corporate / brand web (mission, narrative, entry points). |
| www.sankofa.nexus | 301 → apex | Browser ends on https://sankofa.nexus/.... |
| phoenix.sankofa.nexus | Web / API | Phoenix Cloud Services (division of Sankofa): public-facing division web (intent). Same deployment may still expose API paths (/health, /graphql, …). E2E verifier may use /health. |
| www.phoenix.sankofa.nexus | 301 → apex | Browser ends on https://phoenix.sankofa.nexus/.... |

Client SSO (system SSO; Keycloak as IdP)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| keycloak.sankofa.nexus | Web / IdP | Identity provider for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator Keycloak admin at /admin. Backs admin and portal redirects—not a substitute for those apps. |
| admin.sankofa.nexus | Web | Client SSO: administer access (users, roles, org access policy). |
| portal.sankofa.nexus | Web | Client SSO: Phoenix cloud services, Sankofa Marketplace subscriptions, and other client-facing services. |

Typical upstream (when NPM is wired) — see EXPECTED_WEB_CONTENT.md Deployment Status:

| FQDN | VMID / target | Notes |
|------|---------------|-------|
| keycloak.sankofa.nexus | 7802 (detail in ALL_VMIDS_ENDPOINTS.md) | IdP + /admin for platform operators |
| portal.sankofa.nexus | 7801 · 192.168.11.51:3000 | Active when NPM routes here; public OIDC / NEXTAUTH_URL via scripts/deployment/sync-sankofa-portal-7801.sh |
| admin.sankofa.nexus | 🔶 Not pinned in VM inventory | Hostname intent; NPM + app upstream TBD; may share 7801 until split |

Operator / systems (IP-gated + MFA)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| dash.sankofa.nexus | Web | IP allowlisting + system authentication + MFA: unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |

Typical upstream: 🔶 Not pinned in VM inventory until NPM and operator dash app are authoritative (same Deployment Status table).

Other properties on the zone

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| the-order.sankofa.nexus | Web | OSJ / Order management portal (secure auth); app the_order. Upstream: HAProxy 10210 → portal stack. |
| www.the-order.sankofa.nexus | 301 → apex | Browser ends on https://the-order.sankofa.nexus/.... |
| studio.sankofa.nexus | Web | Sankofa Studio (FusionAI) UI under /studio/ (and related API routes on same origin). |

d-bis.org (DBIS + infrastructure)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| explorer.d-bis.org | Web | SolaceScanScout / Blockscout UI: blocks, txs, addresses, tokens, contract verification for Chain 138. Public, no login for browse. |
| docs.d-bis.org | Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). |
| dbis-admin.d-bis.org | Web | DBIS admin frontend (dashboard). |
| secure.d-bis.org | Web | DBIS secure authenticated portal. |
| dbis-api.d-bis.org | API | DBIS core API (aggregation, OTC, exchange JSON). |
| dbis-api-2.d-bis.org | API | Secondary DBIS API instance. |
| mim4u.org, www.mim4u.org, secure.mim4u.org, training.mim4u.org | Web | MIM4U property sites (nginx on MIM stack). |
| rpc-http-pub.d-bis.org, rpc.d-bis.org, rpc2.d-bis.org | RPC-HTTP | Public Besu JSON-RPC (Chain 138); eth_chainId → 0x8a. |
| rpc-ws-pub.d-bis.org, ws.rpc.d-bis.org, ws.rpc2.d-bis.org | RPC-WS | Public Besu WebSocket RPC. |
| rpc-http-prv.d-bis.org | RPC-HTTP | Core / private JSON-RPC (permissioned use). |
| rpc-ws-prv.d-bis.org | RPC-WS | Core / private WebSocket RPC. |
| rpc-fireblocks.d-bis.org | RPC-HTTP | Fireblocks-dedicated JSON-RPC endpoint. |
| ws.rpc-fireblocks.d-bis.org | RPC-WS | Fireblocks-dedicated WebSocket RPC. |
| rpc-alltra.d-bis.org, rpc-alltra-2.d-bis.org, rpc-alltra-3.d-bis.org | RPC-HTTP | Alltra RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). |
| rpc-hybx.d-bis.org, rpc-hybx-2.d-bis.org, rpc-hybx-3.d-bis.org | RPC-HTTP | HYBX RPC fronts; same class as Alltra. |
| cacti-alltra.d-bis.org, cacti-hybx.d-bis.org | Web | Cacti monitoring UI (graphs, device views). |
| mifos.d-bis.org | Web | Mifos banking platform UI (when backend healthy). |
| dapp.d-bis.org | Web | DApp static/hosted frontend (VMID per ALL_VMIDS). |
| gitea.d-bis.org | Web | Gitea git forge UI. |
| dev.d-bis.org | Web | Dev workspace UI (codespaces / dev host). |
| codespaces.d-bis.org | Web | Codespaces / dev related web entry (as wired on NPM). |

defi-oracle.io (ThirdWeb / public edge)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| rpc.public-0138.defi-oracle.io | RPC-HTTP | ThirdWeb-style HTTPS RPC terminator on VMID 2400; JSON-RPC to Chain 138. |
| rpc.defi-oracle.io | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as rpc.d-bis.org family when healthy). |
| wss.defi-oracle.io | RPC-WS | Public WebSocket RPC companion. |
| blockscout.defi-oracle.io | Web | Blockscout explorer UI (generic / reference). When NPM proxies here, routing summaries align with VMID 5000 (192.168.11.140:80, TLS at NPM). Not canonical SolaceScanScout / Chain 138 branding—that is explorer.d-bis.org. Confirm live NPM if behavior differs. |

xom-dev.phoenix.sankofa.nexus (gov portals dev)

| FQDN | Kind | What should be displayed or returned |
|------|------|--------------------------------------|
| dbis.xom-dev.phoenix.sankofa.nexus | Web | Gov portals dev app on port 3001 (VMID 7804 family). |
| iccc.xom-dev.phoenix.sankofa.nexus | Web | Idem, port 3002. |
| omnl.xom-dev.phoenix.sankofa.nexus | Web | Idem, port 3003. |
| xom.xom-dev.phoenix.sankofa.nexus | Web | Idem, port 3004. |

Operator checklist

  • Wrong content (e.g. explorer UI on sankofa.nexus, or HTML on RPC hostname) usually means NPM upstream or DNS is wrong — fix with update-npmplus-proxy-hosts-api.sh and ALL_VMIDS_ENDPOINTS.md.
  • 301 on www.* is intentional; content is judged on the apex hostname after redirect.

Inventory alignment: DOMAIN_TYPES_ALL in scripts/verify/verify-end-to-end-routing.sh includes keycloak.sankofa.nexus, admin.sankofa.nexus, portal.sankofa.nexus, dash.sankofa.nexus, docs.d-bis.org, and blockscout.defi-oracle.io (see E2E_ENDPOINTS_LIST.md; --list-endpoints --profile=public). They are in E2E_OPTIONAL_WHEN_FAIL so unwired NPM or off-LAN runs still exit 0. portal.sankofa.nexus is expected on VMID 7801 when NPM is configured (Deployment Status in EXPECTED_WEB_CONTENT.md). admin.sankofa.nexus and dash.sankofa.nexus remain hostname intent until pinned in ALL_VMIDS_ENDPOINTS.md. blockscout.defi-oracle.io aligns with VMID 5000 in routing summaries (not explorer.d-bis.org branding). xom-dev hostnames are not in the E2E list yet—add when NPM routes are stable.
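
The Legend and the operator checklist imply a per-Kind content check. The sketch below is an added example, not the project's verify-end-to-end-routing.sh, and applies that check to constructed captures. The function name, the marker strings and the sample responses are assumptions; the hostnames, the Kinds and the 0x8a chain ID come from this page.

```python
import json

def check_response(host, kind, status, headers, body, marker=None, chain_id="0x8a"):
    """Return mismatches between one captured HTTPS response and the Kind expected for host."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    looks_html = ("text/html" in hdrs.get("content-type", "").lower()
                  or body.lstrip().lower().startswith(("<!doctype", "<html")))
    problems = []
    if kind == "301":
        apex = host[4:] if host.startswith("www.") else host
        location = hdrs.get("location", "")
        if status != 301:
            problems.append(f"expected 301, got {status}")
        if not location.startswith(f"https://{apex}/"):
            problems.append(f"redirect target {location!r} is not on https://{apex}/")
    elif kind == "Web":
        if status != 200 or not looks_html:
            problems.append(f"expected an HTML page, got status {status}")
        elif marker and marker not in body:
            problems.append(f"HTML lacks marker {marker!r}: another site's upstream?")
    elif kind == "RPC-HTTP":
        if looks_html:
            problems.append("HTML on RPC hostname: check NPM upstream and DNS")
        else:
            try:
                reply = json.loads(body)
            except ValueError:
                reply = None
            if not isinstance(reply, dict) or reply.get("jsonrpc") != "2.0":
                problems.append("body is not a JSON-RPC 2.0 reply")
            elif reply.get("result") != chain_id:
                problems.append(f"eth_chainId is {reply.get('result')!r}, expected {chain_id}")
    else:
        problems.append(f"kind {kind!r} is not covered by this example")
    return problems

# Constructed captures, not real traffic; the marker string is an assumed per-site value.
SAMPLES = [
    ("rpc.d-bis.org", "RPC-HTTP", 200, {"Content-Type": "application/json"},
     '{"jsonrpc":"2.0","id":1,"result":"0x8a"}', None),
    ("rpc.d-bis.org", "RPC-HTTP", 200, {"Content-Type": "text/html"},
     "<!doctype html><title>Blockscout</title>", None),
    ("www.sankofa.nexus", "301", 301, {"Location": "https://sankofa.nexus/"}, "", None),
    ("sankofa.nexus", "Web", 200, {"Content-Type": "text/html; charset=utf-8"},
     "<html><title>Blockscout</title></html>", "Sankofa"),
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], check_response(*sample) or "ok")
```

The second and fourth samples model the two misroutes the checklist names: HTML on an RPC hostname, and explorer UI on sankofa.nexus.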