URL Strategy

Opplet Master Architecture: URL Nomenclature & Routing Strategy

Version 5.0 · DRAFT · Tier 1 · part of Charter Release 2026.2 · effective 2026-06-12

You're reading the public edition of URL Strategy. The working source — drafts, change discussion, and member resources — lives in the community library.

Scope

This document establishes the authoritative URL structure, DNS routing rules, and authentication postures across the enclave. It strictly enforces the physical and network boundaries defined by the Sovereign Gap (Constitution §5), including the absolute network isolation of The Den (Constitution §5D).

Applies to: Opplet, KenyaX, WiseNxt, and CNMCyber domains.

Note (v11 alignment). This revision realigns the document to Constitution v11.1. The operator role formerly called the Sovereign is now the Custodian (Constitution v11.0); the term “Sovereign” is retained only where it names an architectural property — the Sovereign Gap, the Doctrine of Sovereign Computation, Pillar 1. Cross-references are re-pointed to v11.1. One genuine reconciliation remains open and is flagged inline as a TBD in §3C.

1. Core Domain Strategy

The enclave utilizes five primary apex domains to separate the Custodian’s personal life, business operations, public logistics, talent-facing recruitment, and volunteer community operations.

Domain | Role | Owner / Audience
opplet.com | Infrastructure & Custodian Authority. Business control plane, engagement doors, shared talent infrastructure. | Opplet (umbrella)
kenyax.com | Logistics & Impact. Public-facing site only. | KenyaX brand
wisenxt.com | WiseNxt work discovery methodology. Public-facing site only. | WiseNxt (open-source methodology)
cnmcyber.com | Volunteer community operations. | CNMCyber volunteer group
[custodian-personal] | The Custodian’s Life (The Den). | Custodian + family

Domain Scope Principles

  • opplet.com is the infrastructure brand. Services shared between programs (Moodle, Guacamole, the Range) live here, because Opplet operates the metal regardless of which program consumes it.
  • kenyax.com and wisenxt.com are public fronts only. Both are reduced to their public static sites. wisenxt.com is the marketing front for the WiseNxt open-source methodology (the methodology itself manifests inside Opplet services, not on this site); kenyax.com is a brand front with no current operational scope.
  • cnmcyber.com is community-operational. It hosts the services CNMCyber actually runs (HumHub, BookStack-Beta, Jitsi), not the shared infrastructure those services depend on.
  • [custodian-personal] must be distinct from opplet.com to enforce the Life Raft Principle (Constitution §1).

2. The Den (Custodian Life — Zone 1)

Base Domain: [custodian-personal]
Accessibility: Publicly resolvable.
Routing Rule: All DNS records point to the Den Gateway VPS public IP. The Gateway reverse-proxies application traffic to the Den Engine VPS over private Tailscale. No record on this domain may ever resolve to a Hetzner enclave IP.

2A. The Gateway VPS (Life-Critical Services)

Traditionally managed (no Docker), running directly on HestiaCP.

Service | Subdomain | Primary Role | Posture
HestiaCP | panel.[personal] | Hosting Control Panel — admin only | Public + HestiaCP auth
Mail (SMTP/IMAP) | mail.[personal] | Personal email server | Protocol-native auth (Exception §7C-3)
Webmail | webmail.[personal] | Roundcube / SnappyMail | Public + Authentik-Personal
FreePBX | pbx.[personal] | Personal Telephony admin | Public + Authentik-Personal (admin UI); protocol-native (SIP)
Autodiscover | autodiscover.[personal] / autoconfig.[personal] | Mail client auto-configuration | Public anonymous (Exception §7C-3)

2B. The Engine VPS (Personal Applications)

All Engine services are reverse-proxied through the Gateway. The Engine has no public-facing ports (Constitution §5D). Every endpoint is guarded by Authentik-Personal OIDC unless otherwise noted.

Service | Subdomain | Primary Role | Posture
Authentik-Personal | id.[personal] | Personal Identity & SSO Root | Public anonymous login (Exception §7C-4)
Homarr | home.[personal] | Personal Dashboard | Public + Authentik-Personal
Actual Budget | budget.[personal] | Personal Finance | Public + Authentik-Personal
Vikunja | tasks.[personal] | Personal Task Management | Public + Authentik-Personal
Baikal | dav.[personal] | CalDAV/CardDAV | Protocol-native auth (Exception §7C-3)
Seafile | files.[personal] | File Sync & Storage | Public + Authentik-Personal
Monica | crm.[personal] | Personal CRM | Public + Authentik-Personal
Vaultwarden | vault.[personal] | Personal Credential Storage | Public + Authentik-Personal
n8n-Den | glue.[personal] | Automation glue | Public + Authentik-Personal

3. The Manor (Custodian Core — Zones 0, 2)

Base Domain: opplet.com
Accessibility: Strictly Internal (Zones 0–2).
Routing Rule: These URLs must never have public DNS records. Resolvable exclusively via OPNsense internal resolver, accessible only via Manor LAN or Custodian WireGuard tunnel.

3A. Custodian Management & Business Identity

All services in §3A are Custodian-only posture (Exception §7C-7 — network boundary is primary protection; Authentik defense-in-depth where applicable).

Service | Subdomain | Primary Role
OPNsense | fw.opplet.com | Edge Router & Custodian Firewall (no Authentik in front — circular dependency)
Authentik-Business | sso.opplet.com | Business Gatekeeper & OIDC/SAML Hub (login page reachable from public via Annex outpost)
OpenLDAP-Alpha | ldap-a.opplet.com | Root Directory (Custodian-controlled)
Vaultwarden-Biz | vault-biz.opplet.com | Business Credential Storage
n8n-Alpha | butler.opplet.com | “The Butler” — Internal Ops & Automation
BookStack-Alpha | grimoire.opplet.com | “The Grimoire” — Private SOPs & DR Runbook
Wazuh | wazuh.opplet.com | SIEM Manager
Grafana | watchtower.opplet.com | Observability Dashboards
Matomo | analytics.opplet.com | Privacy-First Analytics
ERPNext | bursar.opplet.com | See §3C — publicly resolvable (finance back-office + Gate 3 recruitment)

Posture clarification for sso.opplet.com: The Authentik-Business login page and OIDC discovery endpoints are reached by users from anywhere on the public internet (via Annex outpost forwarding). The Authentik admin interface is Custodian-only.

3B. The Hypervisor Fleet

All hypervisor management URLs are Custodian-only posture.

Node / Service | Subdomain | Primary Role
Proxmox VE (Manor 1) | pve-m1.opplet.com | Hypervisor — Manor Cluster Node 1
Proxmox VE (Manor 2) | pve-m2.opplet.com | Hypervisor — Manor Cluster Node 2
Proxmox VE (Manor 3) | pve-m3.opplet.com | Hypervisor — Manor Cluster Node 3
Proxmox VE (Annex) | pve-annex.opplet.com | Hypervisor — Standalone Delivery Edge Node
Proxmox VE (Outpost) | pve-outpost.opplet.com | Hypervisor — Standalone Live Fire Node
Proxmox Backup Server | pbs.opplet.com | The Backup Bridge Destination

Retired hostnames pve-c{1,2,3}, pve-gateway, and pve-range are permanently forbidden.

3C. ERPNext / Bursar — Special Posture

bursar.opplet.com is the one exception to the §3A Custodian-only default. It is publicly resolvable (via Annex outpost) but Authentik-walled. It hosts:

  • The Bursar finance/inventory back-office (LDAP-Alpha admin).
  • The Gate 3 recruitment workflow — the ERPNext module in which the Tech Board awards paid contracts (project and operation) to WiseNxt Associates, turning them into Contractors. Authority and mechanics: Constitution §16 and SOP §10.

TBD — v11 reconciliation (bursar posture). Under the pre-ladder model this doc was written for, bursar was publicly resolvable + LDAP-Beta-walled so that community members seeking “track recruitment” could reach it from anywhere, and the workflow was framed as the step that granted LDAP-Alpha. The v11 ladder moves that crossing earlier: LDAP-Alpha is reached at Gate 2 (becoming a WiseNxt Associate), via endorsement and the Track Lead’s Recruitment Decision (Participant Doctrine) — not via bursar. The ERPNext workflow on bursar is now Gate 3 (the Tech Board awarding paid contracts), which SOP §10 runs internal to LDAP-Alpha (“postings visible only inside the directory”). Its audience is therefore LDAP-Alpha Associates, not LDAP-Beta. Decision needed: does bursar stay publicly resolvable + Authentik-walled to LDAP-Alpha, or move into the Custodian/internal DNS set (§6) like the rest of §3A? The LDAP-Beta-public rationale no longer applies; the choice is now a security/convenience trade for LDAP-Alpha members reaching it off-network.


4. The Annex (Delivery Edge — Zones 3, 4)

Accessibility: Publicly Resolvable.
Routing Rule: Traffic via external DNS (Cloudflare) → Traefik ingress on the Annex.

4A. Public Brand Fronts

Static sites hosted on the Annex behind Traefik. Posture: public anonymous (Exception §7C-1).

Brand | URL | Tech Stack
Opplet | opplet.com (and www.) | Hugo (Static)
KenyaX | kenyax.com (and www.) | Grav (Flat-File)
WiseNxt | wisenxt.com (and www.) | MkDocs (Static)
CNMCyber | cnmcyber.com (and www.) | Hugo (Static) — recommended for parity

WiseNxt scope reduction: wisenxt.com hosts only its public static site. All previously proposed tooling subdomains have been relocated.

4B. The Engagement Doors (Public Intake)

Posture: public anonymous (Exception §7C-2). These are the only public unauthenticated form endpoints in the enclave. They implement the Four Engagement Doors (Constitution §14) and replace the legacy opplet.com/engage/* path-based URLs.

Door | Subdomain | Backing Service | Audience
Commit | commit.opplet.com | Custom intake form → n8n-Alpha → LDAP-Beta provisioning | Universal first door — all new members (Gate 1)
Partner | partner.opplet.com | Custom intake / ERPNext | Donors, service providers
Sync | sync.opplet.com | Newsletter / RSS subscription endpoint | Followers (no account)
(Deploy) | (reserved) | (deferred — see §10) | Self-hosters / forkers

Naming pattern: Engagement doors use action verbs as subdomain labels. The verbs commit, partner, sync are reserved.

Protection without Authentik: These endpoints accept unauthenticated POST requests, so they require alternative protections — rate limiting (Traefik), captcha, email verification, and n8n-Alpha validation logic before any LDAP write occurs. The form is anonymous-public; the write it triggers is gated.
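As an added illustration of the rule above (this is not code from the document, nor the actual n8n-Alpha flow), the following Python sketch keeps the anonymous form strictly apart from the directory write: a submission must pass a per-source rate limit, a captcha result, field validation and an e-mail verification round-trip before anything resembling LDAP-Beta provisioning happens, and a verification token can be used once and expires. The limits, the username shape, the placeholder IPs and the in-memory stores are all assumptions.

```python
"""Gated intake: an anonymous POST never reaches the directory until
rate limit, captcha, field validation and e-mail verification all pass.

Added example, not enclave code. n8n-Alpha and LDAP-Beta are stood in
for by an in-memory list; limits and name shapes are assumptions."""
import hashlib
import re
import secrets
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
USERNAME_RE = re.compile(r"^[a-z][a-z0-9-]{2,31}$")   # assumed LDAP-Beta uid shape
TOKEN_TTL = 24 * 3600                                # assumed verification-link lifetime
WINDOW, MAX_PER_WINDOW = 600, 5                      # assumed edge limit: 5 per 10 min


def validate_fields(form):
    """Return a list of problems; an empty list means the fields are acceptable."""
    problems = []
    uid = str(form.get("username", "")).strip().lower()
    email = str(form.get("email", "")).strip()
    if not USERNAME_RE.match(uid):
        problems.append("username: 3-32 chars, lowercase letters/digits/hyphen")
    if not EMAIL_RE.match(email):
        problems.append("email: not a syntactically valid address")
    return problems


@dataclass
class Intake:
    hits: dict = field(default_factory=dict)         # src_ip -> [timestamps]
    pending: dict = field(default_factory=dict)      # sha256(token) -> (uid, email, expiry)
    ldap_writes: list = field(default_factory=list)  # what the automation would provision

    def _rate_limited(self, src_ip, now):
        recent = [t for t in self.hits.get(src_ip, []) if now - t < WINDOW]
        self.hits[src_ip] = recent + [now]
        return len(recent) >= MAX_PER_WINDOW

    def submit(self, form, src_ip, captcha_ok, now):
        """Anonymous POST handler. Returns (status, detail); never touches the directory."""
        if self._rate_limited(src_ip, now):
            return "rejected", "rate limit"
        if not captcha_ok:
            return "rejected", "captcha"
        problems = validate_fields(form)
        if problems:
            return "rejected", "; ".join(problems)
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()   # store only a digest of the token
        self.pending[key] = (form["username"].strip().lower(),
                             form["email"].strip(), now + TOKEN_TTL)
        return "pending", token   # the token leaves only inside the verification e-mail

    def verify(self, token, now):
        """Verification-link click. Only here is the gated write performed."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)          # single use: popped on first sight
        if entry is None:
            return "rejected", "unknown or already used token"
        uid, email, expiry = entry
        if now > expiry:
            return "rejected", "token expired"
        if any(w["uid"] == uid for w in self.ldap_writes):
            return "rejected", "username already provisioned"
        self.ldap_writes.append({"uid": uid, "mail": email, "directory": "LDAP-Beta"})
        return "provisioned", uid


if __name__ == "__main__":
    intake = Intake()
    status, token = intake.submit({"username": "JDoe", "email": "jdoe@example.org"},
                                  "203.0.113.5", captcha_ok=True, now=1000)
    print(status, intake.ldap_writes)            # pending []
    print(intake.verify(token, 1001), intake.ldap_writes)
```

The point of the shape is that `submit` has no path to `ldap_writes` at all; the write lives behind a token that is hashed at rest, consumed on first use and time-bounded, which is what "the form is anonymous-public; the write it triggers is gated" means in practice.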

Legacy URL handling: The legacy paths opplet.com/engage/commit/, /partner/, /sync/, /explore/ and opplet.net/user/register must serve HTTP 301 redirects to their subdomain equivalents.

4C. The Factory (Zone 3 — The Kitchen)

Base Domain: opplet.com
Identity Source: LDAP-Alpha via Authentik-Business OIDC; CI tokens for runners.

Service | Subdomain | Primary Role | Posture
GitLab Core | forge.opplet.com | “The Forge” — Source Code & Pipeline Hub | Public + Authentik-Business
GitLab Registry | registry.opplet.com | Container Image Registry | Public + token auth (Exception §7C-6)
GitLab Pages | pages.opplet.com | Static site hosting for CI artifacts | Public anonymous (per-project may opt into auth)
Discourse | forum.opplet.com | Developer Forum | Public + Authentik-Business

4D. Shared Talent Infrastructure (Zone 4 — The Lounge)

Base Domain: opplet.com (shared infrastructure stays under the infrastructure brand).
Security: All endpoints public + Authentik-Business. Per the Alpha-Override Rule (Constitution §2), admin privileges map to LDAP-Alpha.

Service | Subdomain | Primary Role
Moodle | ledger.opplet.com | “The Ledger” — Talent Database & LMS. Shared by CNMCyber and any future WiseNxt programs.
Guacamole | access.opplet.com | “The Air-Lock” — Proxy to Outpost VMs. Shared.

4E. CNMCyber Community Services (Zone 4 — The Lounge)

Base Domain: cnmcyber.com
Identity Source: Authentik-Business OIDC (LDAP-Beta for volunteers, LDAP-Alpha for admin override).

Service | Subdomain | Primary Role | Posture
CNMCyber Front | cnmcyber.com (apex) | Public landing page (Hugo static) | Public anonymous (Exception §7C-1)
HumHub | arena.cnmcyber.com | Volunteer Community Hub | Public + Authentik-Business
BookStack-Beta | library.cnmcyber.com | “The Common Library” — Public docs & volunteer guides | Tiered: public-read on public shelves; Authentik-write; member-only shelves for internal community materials (Exception §7C-5)
Jitsi | comms.cnmcyber.com | Synchronous Video Comms | Public + Authentik-Business

BookStack-Beta tiered model: The instance supports two shelf categories. Public shelves (read-anonymous): onboarding guides, FAQ, mission docs, public SOPs — the material the engage copy promises is public. Member shelves (read-LDAP-Beta): internal community discussions, draft documents, working materials. Write access on all shelves requires LDAP-Beta authentication.


5. The Outpost (Live Fire Sandbox — Zone 5)

Accessibility: Extreme (Zone 5). Network-isolated.
Routing Rule: Public routing strictly prohibited. Resolvable only via internal pseudo-TLD managed by Annex/Outpost local DNS.

  • Format: [hostname].range
  • Examples: target-01.range, dvwa.range, metasploitable.range
  • Access Pathway: Talents access targets only via access.opplet.com (Guacamole proxy). Talent local machines must never resolve .range domains directly.

Range targets run local accounts only — no Authentik integration (Exception §7C-7). The gatekeeper at access.opplet.com handles authentication; targets handle authorization downstream.


6. DNS Authority & Resolution Matrix

Domain / Pattern | Authority | Resolvable From | Notes
*.opplet.com (public set) | Cloudflare (external) | Public Internet | Static front, engagement doors, Forge, Registry, Forum, Ledger, Access, Bursar
*.opplet.com (Custodian set) | OPNsense internal resolver | The Manor LAN + WireGuard | All Zone 0/2 services + hypervisors (excluding bursar and sso login page)
*.wisenxt.com | Cloudflare (external) | Public Internet | Public static front only
*.kenyax.com | Cloudflare (external) | Public Internet | Public static front only
*.cnmcyber.com | Cloudflare (external) | Public Internet | CNMCyber community services
*.[custodian-personal] | Registrar/Hetzner DNS → Den Gateway | Public Internet | Den services (Gateway-proxied)
*.range | Outpost local DNS | Outpost VLAN only via Guacamole | Never public, never via Tailscale

Split-Horizon Rule for opplet.com

The opplet.com zone operates split-horizon DNS. The Custodian set (e.g., fw, ldap-a, butler, grimoire, wazuh, watchtower, analytics, vault-biz, pbs, all pve-*) must not exist in the public Cloudflare zone. Leakage of a Custodian-set hostname into public DNS is a Level 2 incident (Kill Switch Matrix, Constitution §8) and triggers immediate remediation.

Hostnames intentionally bridging both zones:

  • sso.opplet.com — login page public via Annex outpost; admin UI Custodian-only.
  • bursar.opplet.com — publicly resolvable per §3C (posture under reconciliation — see the §3C TBD); Authentik-walled at the application layer.
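The three DNS rules that are easiest to violate silently are the split-horizon rule just stated, the §2 rule that nothing under [custodian-personal] may resolve to an enclave IP, and the §5 rule that .range names never appear in public routing. The following Python audit, added here as an example and not part of any enclave tooling, parses a constructed BIND-style zone export (the shape Cloudflare's zone export produces) and reports each kind of breach. The Custodian-set hostnames and the two bridging names come from this document; the IP addresses, the personal-domain placeholder custodian-personal.example and the "enclave" network range are made up for the example.

```python
"""Audit a public zone export against the split-horizon rule (§6), the Den
IP rule (§2) and the .range isolation rule (§5).

Added example, not enclave tooling. Hostnames come from the document; the
IPs, the personal-domain placeholder and the enclave range are invented."""
import fnmatch
import ipaddress
import re

CUSTODIAN_SET = ["fw", "ldap-a", "butler", "grimoire", "wazuh", "watchtower",
                 "analytics", "vault-biz", "pbs", "pve-*"]
BRIDGING = {"sso", "bursar"}     # §6: intentionally present in both zones

PERSONAL_ZONE = "custodian-personal.example"                  # placeholder apex
DEN_GATEWAY_IP = ipaddress.ip_address("198.51.100.10")       # placeholder
ENCLAVE_NETS = [ipaddress.ip_network("203.0.113.0/24")]       # placeholder enclave range

# owner [ttl] [IN] type rdata   (SOA/NS and $-directives are ignored)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(AAAA|A|CNAME|TXT|MX)\s+(.+)$")


def parse_zone(text, origin):
    """Yield (owner_fqdn, rtype, rdata) from BIND-style lines."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        yield owner.rstrip("."), rtype, rdata.strip()


def label_of(fqdn, origin):
    """Leftmost part relative to the origin; '' for the apex itself."""
    return fqdn[: -len(origin) - 1] if fqdn.endswith("." + origin) else ""


def custodian_leaks(public_zone_text, origin="opplet.com"):
    """Custodian-set hostnames that appear in the public zone (Level 2 incident)."""
    leaks = set()
    for fqdn, _, _ in parse_zone(public_zone_text, origin):
        label = label_of(fqdn, origin)
        if label in BRIDGING:
            continue
        if any(fnmatch.fnmatch(label, pat) for pat in CUSTODIAN_SET):
            leaks.add(fqdn)
    return sorted(leaks)


def range_leaks(public_zone_text, origin="opplet.com"):
    """Public records that name, or CNAME into, the Outpost pseudo-TLD."""
    return sorted({fqdn for fqdn, rtype, rdata in parse_zone(public_zone_text, origin)
                   if fqdn.endswith(".range")
                   or (rtype == "CNAME" and rdata.rstrip(".").endswith(".range"))})


def den_violations(personal_zone_text, origin=PERSONAL_ZONE):
    """A/AAAA records under the personal domain that are not the Den Gateway."""
    bad = []
    for fqdn, rtype, rdata in parse_zone(personal_zone_text, origin):
        if rtype not in ("A", "AAAA"):
            continue
        ip = ipaddress.ip_address(rdata)
        if ip != DEN_GATEWAY_IP:
            inside = any(ip in net for net in ENCLAVE_NETS)
            bad.append((fqdn, str(ip), "enclave IP" if inside else "not gateway"))
    return bad


# Constructed sample exports (not real zone data).
PUBLIC_OPPLET = """\
$ORIGIN opplet.com.
@        300 IN A     203.0.113.20
www      300 IN CNAME opplet.com.
forge    300 IN A     203.0.113.20
sso      300 IN A     203.0.113.20
bursar   300 IN A     203.0.113.20
grimoire 300 IN A     203.0.113.20   ; must not be here
pve-m1   300 IN A     203.0.113.21   ; must not be here
"""

PERSONAL = """\
$ORIGIN custodian-personal.example.
@      300 IN A 198.51.100.10
mail   300 IN A 198.51.100.10
files  300 IN A 203.0.113.30   ; points into the enclave
"""

if __name__ == "__main__":
    print("custodian leaks:", custodian_leaks(PUBLIC_OPPLET))
    print("range leaks:", range_leaks(PUBLIC_OPPLET))
    print("den violations:", den_violations(PERSONAL))
```

Run against a real export, the first list should always be empty; anything in it is the Level 2 condition described above, and the bridging set is the only place where a name may legitimately be excluded from the check.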

7. Identity, Authentication & Protection Postures

7A. The Two Domains, Two Identities Principle

Aligned with Constitution §3 (Dual-Authentik Model), URL nomenclature enforces hard separation between personal and business identity.

Concern | Business | Personal
SSO entry point | sso.opplet.com | id.[custodian-personal]
Credential vault | vault-biz.opplet.com | vault.[custodian-personal]
File storage | (none) | files.[custodian-personal]
Dashboard | watchtower.opplet.com (ops) | home.[custodian-personal] (life)
Automation | butler.opplet.com | glue.[custodian-personal]

Zero Cross-Pollination Rule (URL Layer): No URL on opplet.com may redirect to, federate with, or trust a token from [custodian-personal]. The reverse is equally prohibited.

7B. Registration is Not Self-Service (Single Intake Model)

Per the single-intake model (Constitution §12), the enclave operates a single public intake, and the move from community to the operational workforce is sequential along the three-gate ladder (Constitution §11):

  • Universal first door (Gate 1): commit.opplet.com is the only public account-creation endpoint. All new members enter here, pass the Moodle exam, and are provisioned in LDAP-Beta with community access (HumHub, BookStack-Beta public + member shelves, Jitsi).
  • Crossing to LDAP-Alpha (Gate 2): A subset of LDAP-Beta members become WiseNxt Associates, crossing LDAP-Beta → LDAP-Alpha. This crossing is governed by the Participant Doctrine — endorsement (Developer-space vote plus GitLab curation) and the Track Lead’s Recruitment Decision — not by a public URL. The four work-focus tracks (Engineering, Logistics, Finance, Marketing) describe an Associate’s project focus.
  • Paid contracts (Gate 3): Associates are awarded paid contracts — project or operation — by the Tech Board via the ERPNext recruitment workflow at bursar.opplet.com, becoming Contractors (Constitution §16; SOP §10).
  • Personal accounts: Manual provisioning by the Custodian in Authentik-Personal.

No Parallel Intake Rule: There is no public URL anywhere in the enclave that creates an LDAP-Alpha account directly. LDAP-Alpha membership is reachable only by recruitment from LDAP-Beta at Gate 2 (Constitution §12). Enabling self-registration on sso.opplet.com or id.[custodian-personal] is a Constitutional violation.

7B.1 Dual Membership on Recruitment

Associates and Contractors retain their LDAP-Beta account in addition to their LDAP-Alpha account (Constitution §12). Rationale:

  • The Alpha-Override Rule (Constitution §2) requires LDAP-Beta for normal Zone 4 access; deactivating LDAP-Beta on the Gate 2 crossing would lock an Associate out of HumHub and the Common Library as a community member.
  • The “growing from user to governor” framing implies accumulation of role, not replacement of identity.
  • Historical posts, contributions, and exam records remain attached to the LDAP-Beta identity without rewriting or orphaning. (This single-identity continuity is also the basis for project-member curation at Gate 2 — Constitution §11.)

Naming convention: LDAP-Alpha account names should be a deterministic transformation of the LDAP-Beta name (e.g., jdoe → jdoe or jdoe-eng) so the human-to-identity mapping is unambiguous.

7C. The Authentik Default Rule

Every HTTP service in the enclave is Authentik-walled (Authentik-Business or Authentik-Personal as appropriate) unless it falls into one of the named exception categories below (Constitution §7). Each exception is justified; new unwalled services require deliberate categorization, not default permission.

# | Exception Category | Reason | Examples
1 | Public brand fronts | Exist to be found by strangers; auth defeats the purpose | opplet.com, kenyax.com, wisenxt.com, cnmcyber.com apex sites
2 | Engagement doors | Intake forms specifically for users without accounts | commit.opplet.com, partner.opplet.com, sync.opplet.com
3 | Protocol endpoints | Non-HTTP or auth-incompatible protocols | mail.[personal], dav.[personal], pbx.[personal] (SIP), autodiscover.[personal]
4 | OIDC infrastructure | Authentik can’t wall itself (bootstrap) | sso.opplet.com login + discovery; id.[personal] login + discovery
5 | Public read-only documentation | Meritocratic commitment: “the docs are public” | BookStack-Beta public shelves at library.cnmcyber.com
6 | CI/CD machinery | Token-based auth from headless agents | registry.opplet.com, pages.opplet.com per-project
7 | Network-boundary-protected | Custodian-only DNS or air-gapped VLAN | Manor §3A/§3B services, *.range targets, fw.opplet.com

Posture taxonomy. Each service falls into one of three protection postures (Constitution §7B):

Posture | Where Reachable | Auth Layer
Public anonymous | Anywhere | None (rate limit + captcha + back-end validation)
Public + Authentik | Anywhere | Authentik OIDC required
Custodian-only | Manor LAN + WireGuard tunnel | Network boundary primary; Authentik defense-in-depth where applicable

Every service entry in this document carries an explicit posture label. Adding a new service to the enclave requires assigning it a posture before provisioning.


8. Naming Conventions (Authoritative)

8A. The Two Naming Layers

Zones and services use two independent naming layers that must never be conflated:

  • Zone names use dwelling metaphors (Basement, Office, Kitchen, Lounge, Range) and describe physical/logical location of workloads.
  • Service names use functional metaphors (butler, grimoire, bursar, forge, ledger, arena, library, access) and describe what the service does.

Zone names must never appear as service hostnames. Service metaphors must never be used to refer to zones. A Kitchen contains multiple services (Forge, Build Farm, LDAP-Beta, Forum); a service’s metaphorical name is meaningful to its users regardless of which zone hosts it.

8B. Hostname Rules

  1. Business hostnames use metaphorical service names per §8A.
  2. Hypervisor hostnames follow pve-{nodename} (e.g., pve-m1, pve-annex).
  3. Personal hostnames use functional names (mail, vault, files, tasks).
  4. Engagement door hostnames use action verbs (commit, partner, sync, reserved fourth).
  5. No hostname reuse across personal/business identity split. vault.opplet.com is forbidden; vault-biz.opplet.com makes context explicit.
  6. Retired hostnames are permanently forbidden: pve-c{1,2,3}.opplet.com, pve-gateway.opplet.com, pve-range.opplet.com, drive.opplet.com, vault.opplet.com, arena.wisenxt.com, library.wisenxt.com, comms.wisenxt.com, ledger.wisenxt.com, access.wisenxt.com.
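The posture rule in §7C ("every entry carries a posture; an unwalled service cites an exception category") and the hostname rules in §8B are both mechanical enough to lint before a service is provisioned. The Python below is an added example, not enclave tooling: the rule constants (postures, exception numbers, retired hostnames, zone names, door verbs, the pve- pattern) are copied from this document, while the inventory is a constructed subset of the tables plus one deliberate violation per rule. The placeholder custodian-personal.example stands in for [custodian-personal], and the "kind" field marking hypervisors and engagement doors is an assumption of the example.

```python
"""Lint a service inventory against the posture taxonomy (§7C) and the
hostname rules (§8A/§8B).

Added example, not enclave tooling. Rule constants are from the document;
the inventory is constructed and includes deliberate violations."""
import re

POSTURES = {"Public anonymous", "Public + Authentik", "Custodian-only"}
RETIRED = {"pve-c1.opplet.com", "pve-c2.opplet.com", "pve-c3.opplet.com",
           "pve-gateway.opplet.com", "pve-range.opplet.com", "drive.opplet.com",
           "vault.opplet.com", "arena.wisenxt.com", "library.wisenxt.com",
           "comms.wisenxt.com", "ledger.wisenxt.com", "access.wisenxt.com"}
ZONE_NAMES = {"basement", "office", "kitchen", "lounge", "range"}   # §8A: never hostnames
DOOR_VERBS = {"commit", "partner", "sync"}                          # §4B / §8B-4
PVE_RE = re.compile(r"^pve-[a-z0-9]+$")                             # §8B-2
PERSONAL_APEX = "custodian-personal.example"                        # placeholder apex
BUSINESS_APEX = "opplet.com"


def split_host(host):
    """'vault.opplet.com' -> ('vault', 'opplet.com'); an apex itself -> ('', apex)."""
    return tuple(host.split(".", 1)) if host.count(".") >= 2 else ("", host)


def lint(inventory):
    """Return [(host_or_label, message)] for every rule violation found."""
    findings = []
    seen = {}   # label -> set of apex domains it is used under
    for e in inventory:
        host, posture, exc = e["host"], e.get("posture"), e.get("exception")
        label, apex = split_host(host)
        # §7C: every entry labelled; unwalled entries must be justified
        if posture not in POSTURES:
            findings.append((host, "missing or unknown posture"))
        elif posture == "Public anonymous" and exc not in range(1, 7):
            findings.append((host, "unwalled service must cite exception 1-6"))
        elif posture == "Custodian-only" and exc != 7:
            findings.append((host, "Custodian-only service must cite exception 7"))
        # §8A/§8B: hostname rules
        if host in RETIRED:
            findings.append((host, "retired hostname is permanently forbidden"))
        if label in ZONE_NAMES:
            findings.append((host, "zone name used as a service hostname"))
        if e.get("kind") == "hypervisor" and not PVE_RE.match(label):
            findings.append((host, "hypervisor hostname must follow pve-{nodename}"))
        if e.get("kind") == "door" and label not in DOOR_VERBS:
            findings.append((host, "engagement door must use a reserved action verb"))
        if label:
            seen.setdefault(label, set()).add(apex)
    # §8B-5: the same label on both sides of the personal/business split
    for label, apexes in sorted(seen.items()):
        if {PERSONAL_APEX, BUSINESS_APEX} <= apexes:
            findings.append((label, "label reused across the personal/business split"))
    return findings


# Constructed inventory: the first seven entries are compliant, the rest each
# break exactly one rule.
INVENTORY = [
    {"host": "opplet.com", "posture": "Public anonymous", "exception": 1},
    {"host": "commit.opplet.com", "posture": "Public anonymous", "exception": 2, "kind": "door"},
    {"host": "forge.opplet.com", "posture": "Public + Authentik"},
    {"host": "grimoire.opplet.com", "posture": "Custodian-only", "exception": 7},
    {"host": "pve-m1.opplet.com", "posture": "Custodian-only", "exception": 7, "kind": "hypervisor"},
    {"host": "vault-biz.opplet.com", "posture": "Custodian-only", "exception": 7},
    {"host": "vault.custodian-personal.example", "posture": "Public + Authentik"},
    {"host": "newtool.opplet.com"},                                     # no posture
    {"host": "stats.opplet.com", "posture": "Public anonymous"},        # unwalled, no exception
    {"host": "siem2.opplet.com", "posture": "Custodian-only", "exception": 3},   # wrong category
    {"host": "pve-gateway.opplet.com", "posture": "Custodian-only", "exception": 7, "kind": "hypervisor"},
    {"host": "proxmox3.opplet.com", "posture": "Custodian-only", "exception": 7, "kind": "hypervisor"},
    {"host": "join.opplet.com", "posture": "Public anonymous", "exception": 2, "kind": "door"},
    {"host": "kitchen.opplet.com", "posture": "Public + Authentik"},
    {"host": "files.opplet.com", "posture": "Public + Authentik"},
    {"host": "files.custodian-personal.example", "posture": "Public + Authentik"},
]

if __name__ == "__main__":
    for host, message in lint(INVENTORY):
        print(f"{host}: {message}")
```

Running the linter over the full inventory reports eight findings, one per deliberate violation; over the first seven entries it reports none. The label-reuse check is the executable form of rule 5: a service name used on the personal domain is thereby unavailable on opplet.com, which is exactly why the business vault carries the -biz suffix.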

9. Changelog

r4 → 5.0 (Constitution v11 alignment)

  • Versioning normalized to major.minor. The revision-counter scheme (r1–r4) is retired; r4’s lineage continues as the 4.x line, and this substantive realignment cuts as 5.0, matching the Constitution, SOP, and Doctrine. (doc_id is unchanged — url-nomenclature remains the stable key, never renamed.)
  • “Sovereign” → “Custodian” (the role). Applied the Constitution’s v11.0 role/principle rule: where the word named the operator it is now the Custodian (the Den, manual provisioning, the WireGuard tunnel, the Custodian-only posture, the Custodian set in split-horizon DNS, “Open Questions for the Custodian”); where it names an architectural property it is unchanged — the Sovereign Gap, the Doctrine of Sovereign Computation, Pillar 1. The personal-domain placeholder [sovereign-personal] → [custodian-personal].
  • Cross-references re-pointed to v11.1. Single-intake §8E → §12; Dual-Authentik §4C → §3; the Sovereign Gap and Den isolation now cite §5 / §5D; the Four Engagement Doors cite §14; a Level 2 incident cites the Kill Switch Matrix §8; version references v9.0–v9.2 → v11.1. (Life-Raft §1 and Alpha-Override §2 were already current and kept.)
  • Recruitment framing aligned to the ladder. The LDAP-Alpha crossing is Gate 2 (WiseNxt Associate), via endorsement and the Track Lead’s Recruitment Decision (Participant Doctrine) — not via bursar. The ERPNext/bursar workflow is Gate 3 (the Tech Board awarding paid contracts to Associates → Contractors), per §16 and SOP §10. The old single-step “track recruitment grants LDAP-Alpha” framing in §3C/§7B is corrected.
  • Open reconciliation (TBD): the DNS posture and audience of bursar.opplet.com under the ladder — see the flag in §3C.
  • Status: DRAFT pending ratification; folds into Charter Release 2026.3 with the rest of the v11 set.

Old draft → r1 (initial v9.0 alignment)

  • Added fourth apex domain for the Den.
  • Renamed Citadel → Manor, Gateway → Annex, Range → Outpost.
  • sso.opplet.com scoped to Authentik-Business only.
  • vault.opplet.com → vault-biz.opplet.com.
  • drive.opplet.com removed (Nextcloud decommissioned).
  • Hypervisor renames pve-c{1,2,3} → pve-m{1,2,3}, pve-gateway → pve-annex, pve-range → pve-outpost.
  • Added forum.opplet.com (Discourse moves to Zone 3).
  • Added §6 DNS Matrix with split-horizon rule, §7 Two Domains principle, §8 Naming Conventions.

r1 → r2 (CNMCyber rebalance + engagement doors)

  • Added fifth apex domain cnmcyber.com.
  • WiseNxt reduced to public site only.
  • HumHub, BookStack-Beta, Jitsi relocated from *.wisenxt.com to *.cnmcyber.com.
  • Moodle and Guacamole relocated from *.wisenxt.com to *.opplet.com (shared infrastructure principle).
  • Added engagement doors commit.opplet.com, partner.opplet.com, sync.opplet.com.
  • §8A Two Naming Layers rule added.

r2 → r3 (single-intake model + Authentik default rule)

  • Single-intake model adopted. §7B rewritten — commit.opplet.com is the universal first door; LDAP-Alpha is reachable only via recruitment from LDAP-Beta.
  • §3C added — bursar.opplet.com reframed as internal workflow plus finance back-office. No longer a public recruitment funnel.
  • §7B.1 added — dual membership confirmed. Recruited members retain LDAP-Beta alongside new LDAP-Alpha.
  • §7C added — The Authentik Default Rule and seven exception categories. Every service in the document now carries an explicit protection posture.
  • BookStack-Beta tiered posture documented in §4E.

r3 → r4 (recruitment terminology + three-layer alignment)

  • Terminology: promotion → recruitment for the LDAP-Beta → LDAP-Alpha move. (The candidate→member transition inside LDAP-Beta remains a promotion.)
  • WiseNxt reframed — wisenxt.com is the public front for the WiseNxt open-source work-discovery methodology.
  • Parent policy updated to Constitution v9.2.

10. Open Questions for the Custodian

  1. Personal apex domain selection. Recommendation: short, memorable domain on a TLD distinct from .com.
  2. Webmail subdomain choice. Recommendation: keep mail. (protocols) and webmail. (web UI) split.
  3. GitLab Pages routing. Confirm enablement and whether wildcard certs (*.pages.opplet.com) are required for per-project subdomains.
  4. Phone number portability path. SIP provider portal CNAME implications.
  5. Fourth engagement door naming (deploy vs. fork). Reserved per Constitution §14; deferred — not blocking.
  6. Status of opplet.net. Retire entirely, keep as permanent redirect host, or retain for other purpose?
  7. CNMCyber landing page tech. Hugo recommended for parity; CNMCyber’s preference may differ.
  8. LDAP-Alpha account naming convention on recruitment. §7B.1 suggests deterministic transformation (e.g., jdoe → jdoe-eng). Confirm convention or pick alternative.
  9. Bursar posture under the ladder (see §3C TBD). Decide whether bursar.opplet.com stays publicly resolvable + Authentik-walled to LDAP-Alpha, or moves into the Custodian/internal set. This also settles the Gate 3 workflow’s location within ERPNext (custom app vs. repurposed module) and its URL path.

11. Constitutional Status

The single-intake model this document depends on is ratified in Constitution §12 (“Single Intake, Sequential Recruitment”). The three-gate ladder it now references is Constitution §11, and the Tech Board that awards Gate 3 contracts is Constitution §16.

This revision (5.0) is DRAFT: it realigns the document to Constitution v11.1 but is not yet ratified, and one reconciliation remains open (the bursar posture, §3C). It folds into Charter Release 2026.3 once the v11 set is ratified, at which point this document returns to RATIFIED.

For reference, the ratified single-intake rule reads:

All members enter through commit.opplet.com and join LDAP-Beta after passing the Moodle exam (Gate 1). A subset become WiseNxt Associates, crossing into LDAP-Alpha (Gate 2); Associates may then be awarded paid contracts by the Tech Board (Gate 3), becoming Contractors, while retaining their LDAP-Beta membership throughout.


END OF DOCUMENT
