URL Nomenclature

Opplet Master Architecture: URL Nomenclature & Routing Strategy

Version 6.0 · DRAFT (reconciles to Constitution v12.8) · Tier 3 · part of Charter Release 2026.3 · effective 2026-06-16

You're reading the public edition of URL Nomenclature. The working source — drafts, change discussion, and member resources — lives in the community library.

Scope

This document establishes the authoritative URL structure, DNS routing rules, and authentication postures across the enclave. It strictly enforces the physical and network boundaries defined by the Sovereign Gap (Constitution §5), including the absolute network isolation of The Den (Constitution §5D).

Applies to all four governance domains (Enclave, Commons, WiseNxt, Workplace; Constitution §13) across the five apex DNS domains below. The four branded apex domains (opplet.com, kenyax.com, wisenxt.com, cnmcyber.com) are brand/DNS fronts, not the governance domains: cnmcyber.com and kenyax.com are team brands. The CNMCyber team runs the Commons Lounge, and the KenyaX team operates the Workplace (kenyax.com is one of its public fronts).

Note (v12.8 alignment). This revision (6.0) realigns the document from Constitution v11.1 to v12.8. Three substantive changes: (1) the Forge is now two instances, with the free community forge as the public openness surface hosted on the Range and reached as a Beta web service (§4C, §5B; Constitution §4, §5C); (2) the recruitment model is the current candidate → member → certified-member (Opplet Learner Permit) → the Climb → operator (Operator License) path (§7B), replacing the former Associate/Contractor/Track-Lead three-gate ladder; (3) “real-name” is the real-identity Workplace (§15E). Cross-references are re-pointed to v12.8 — the structure is largely stable (§5, §7, §8, §12, §14, §16 unchanged); only the model described at §11 changed.

1. Core Domain Strategy

The enclave utilizes five primary apex domains to separate the Custodian’s personal life, the platform/infrastructure, public logistics, the methodology front, and volunteer community operations.

| Domain | Role | Owner / Audience |
|---|---|---|
| opplet.com | Infrastructure & Custodian Authority. Business control plane, engagement doors, shared talent infrastructure, the Climb’s web services. | Enclave (platform / infrastructure brand) |
| kenyax.com | Public-facing site only. | KenyaX team — a public front of the Workplace domain |
| wisenxt.com | WiseNxt work-discovery methodology. Public-facing site only. | WiseNxt (open-source methodology front) |
| cnmcyber.com | Volunteer community operations. | CNMCyber team — runs the Commons Lounge |
| [custodian-personal] | The Custodian’s Life (The Den). | Custodian + family |

Domain Scope Principles

  • opplet.com is the infrastructure brand. Services shared regardless of which program consumes them (Moodle, Guacamole, and the Climb’s forge/tracker web services) live here, because Opplet operates the metal.
  • kenyax.com and wisenxt.com are public fronts only. wisenxt.com is the marketing front for the WiseNxt open-source methodology (the methodology itself manifests inside Opplet services, not on this site); kenyax.com is the KenyaX team’s brand front — one public front of the Workplace domain (Constitution §15D).
  • cnmcyber.com is community-operational. It hosts the services the CNMCyber team actually runs in the Commons Lounge (HumHub, BookStack-Beta, Jitsi), not the shared infrastructure those services depend on.
  • [custodian-personal] must be distinct from opplet.com to enforce the Life Raft Principle (Constitution §1).

2. The Den (Custodian Life — Zone 1)

Base Domain: [custodian-personal] Accessibility: Publicly resolvable. Routing Rule: All DNS records point to the Den Gateway VPS public IP. The Gateway reverse-proxies application traffic to the Den Engine VPS over private Tailscale. No record on this domain may ever resolve to a Hetzner enclave IP.

2A. The Gateway VPS (Life-Critical Services)

Traditionally managed (no Docker), running directly on HestiaCP.

| Service | Subdomain | Primary Role | Posture |
|---|---|---|---|
| HestiaCP | panel.[personal] | Hosting Control Panel — admin only | Public + HestiaCP auth |
| Mail (SMTP/IMAP) | mail.[personal] | Personal email server | Protocol-native auth (Exception §7C-3) |
| Webmail | webmail.[personal] | Roundcube / SnappyMail | Public + Authentik-Personal |
| FreePBX | pbx.[personal] | Personal Telephony admin | Public + Authentik-Personal (admin UI); protocol-native (SIP) |
| Autodiscover | autodiscover.[personal] / autoconfig.[personal] | Mail client auto-configuration | Public anonymous (Exception §7C-3) |

2B. The Engine VPS (Personal Applications)

All Engine services are reverse-proxied through the Gateway. The Engine has no public-facing ports (Constitution §5D). Every endpoint is guarded by Authentik-Personal OIDC unless otherwise noted.

| Service | Subdomain | Primary Role | Posture |
|---|---|---|---|
| Authentik-Personal | id.[personal] | Personal Identity & SSO Root | Public anonymous login (Exception §7C-4) |
| Homarr | home.[personal] | Personal Dashboard | Public + Authentik-Personal |
| Actual Budget | budget.[personal] | Personal Finance | Public + Authentik-Personal |
| Vikunja | tasks.[personal] | Personal Task Management | Public + Authentik-Personal |
| Baikal | dav.[personal] | CalDAV/CardDAV | Protocol-native auth (Exception §7C-3) |
| Seafile | files.[personal] | File Sync & Storage | Public + Authentik-Personal |
| Monica | crm.[personal] | Personal CRM | Public + Authentik-Personal |
| Vaultwarden | vault.[personal] | Personal Credential Storage | Public + Authentik-Personal |
| n8n-Den | glue.[personal] | Automation glue | Public + Authentik-Personal |

3. The Manor (Custodian Core — Zones 0, 2)

Base Domain: opplet.com Accessibility: Strictly Internal (Zones 0–2). Routing Rule: These URLs must never have public DNS records. Resolvable exclusively via OPNsense internal resolver, accessible only via Manor LAN or Custodian WireGuard tunnel.

3A. Custodian Management & Business Identity

All services in §3A are Custodian-only posture (network boundary is primary protection; Authentik defense-in-depth where applicable).

| Service | Subdomain | Primary Role |
|---|---|---|
| OPNsense | fw.opplet.com | Edge Router & Custodian Firewall (no Authentik in front — circular dependency) |
| Authentik-Business | sso.opplet.com | Business Gatekeeper & OIDC/SAML Hub (login page reachable from public via Annex outpost) |
| OpenLDAP-Alpha | ldap-a.opplet.com | Real-identity workplace directory (Custodian-controlled) |
| OpenLDAP-Beta | ldap-b.opplet.com | Volunteer commons directory (Custodian-controlled; Basement-hosted, authenticates outward — Enclave Doctrine §2) |
| Vaultwarden-Biz | vault-biz.opplet.com | Business Credential Storage |
| n8n-Alpha | butler.opplet.com | “The Butler” — Internal Ops & Automation |
| BookStack-Alpha | grimoire.opplet.com | “The Grimoire” — Private SOPs & DR Runbook |
| Wazuh | wazuh.opplet.com | SIEM Manager |
| Grafana | watchtower.opplet.com | Observability Dashboards |
| Matomo | analytics.opplet.com | Privacy-First Analytics |
| ERPNext | bursar.opplet.com | See §3C — Workplace recruitment Portal publicly resolvable (forward-auth, LDAP-Alpha); finance Desk (/app) internal-only |

Both directories are Basement-hosted: ldap-a and ldap-b live in the Basement (Zone 0) under Authentik-Business, and LDAP-Beta authenticates outward to the Lounge and Range (Enclave Doctrine §2; Hardware Manifest §2B; Software Stack §3A). Both belong to the Custodian set: never in public DNS.

Posture clarification for sso.opplet.com: The Authentik-Business login page and OIDC discovery endpoints are reached by users from anywhere on the public internet (via Annex outpost forwarding). The Authentik admin interface is Custodian-only.

3B. The Hypervisor Fleet

All hypervisor management URLs are Custodian-only posture.

| Node / Service | Subdomain | Primary Role |
|---|---|---|
| Proxmox VE (Manor 1) | pve-m1.opplet.com | Hypervisor — Manor Cluster Node 1 |
| Proxmox VE (Manor 2) | pve-m2.opplet.com | Hypervisor — Manor Cluster Node 2 |
| Proxmox VE (Manor 3) | pve-m3.opplet.com | Hypervisor — Manor Cluster Node 3 |
| Proxmox VE (Annex) | pve-annex.opplet.com | Hypervisor — Standalone Delivery Edge Node |
| Incus (Outpost) | incus-outpost.opplet.com | Container manager — Standalone Live-Fire / Climb Node (Incus, not Proxmox — Hardware §7) |
| Proxmox Backup Server | pbs.opplet.com | The Backup Bridge Destination |

Retired hostnames pve-c{1,2,3}, pve-gateway, pve-range, and pve-outpost are permanently forbidden (pve-outpost retired in 6.0: the Outpost runs Incus, not Proxmox — Hardware §4A, §7).

3C. ERPNext / Bursar — Special Posture

bursar.opplet.com is the one exception to the §3A Custodian-only default: it is publicly resolvable. ERPNext is a large application with a real vulnerability history, so the exception is constrained on two axes — who may reach it and what of it is reachable.

  • Forward-auth, not app-OIDC. Bursar sits behind an Authentik forward-auth proxy (the outpost as a Traefik middleware), not ERPNext’s own OIDC login. An unauthenticated request is challenged by Authentik and never reaches ERPNext; the only public unauthenticated surface is the Authentik login page, already public via sso. Access is walled to LDAP-Alpha.
  • Public Portal, internal Desk. ERPNext’s public Portal (web forms) and its Desk admin (/app) are split by posture:
    • The Workplace recruitment interaction is a Portal web form — a proven commons volunteer recruited into real-identity work applies, publicly reachable behind forward-auth (LDAP-Alpha). The work requires a real identity because it enters a legal field — privacy, security, or contract (Constitution §15E, §11.6); whether it is funded and the award of any contract are the Tech Board’s (§16).
    • The finance/inventory Desk (/app) is restricted to the Custodian/internal set at the proxy (source-IP allowlist: Manor LAN + WireGuard only). The host stays a single public A record; the Desk path is simply not served to public sources — path-gating, not split DNS.

So the only things the public internet can touch are an Authentik login and a recruitment form. The finance back-office is never on the public face, and ERPNext is never reached unauthenticated.


4. The Annex (Delivery Edge — Zones 3, 4)

Accessibility: Publicly Resolvable. Routing Rule: Traffic via external DNS (Cloudflare) → Traefik ingress on the Annex.

4A. Public Brand Fronts

Static sites hosted on the Annex behind Traefik. Posture: public anonymous (Exception §7C-1).

| Brand | URL | Tech Stack |
|---|---|---|
| Opplet | opplet.com (and www.) | Hugo (Static) |
| KenyaX | kenyax.com (and www.) | Grav (Flat-File) |
| WiseNxt | wisenxt.com (and www.) | MkDocs (Static) |
| CNMCyber | cnmcyber.com (and www.) | Hugo (Static) — recommended for parity |

WiseNxt scope reduction: wisenxt.com hosts only its public static site. The methodology manifests inside Opplet services; the Climb’s own web services (forge, tracker) are addressed under opplet.com (§5B), not here.

4B. The Engagement Doors (Public Intake)

Posture: public anonymous (Exception §7C-2). These are the only public unauthenticated form endpoints in the enclave. They implement the Four Engagement Doors (Constitution §14).

| Door | Subdomain | Backing Service | Audience |
|---|---|---|---|
| Commit | commit.opplet.com | Custom intake form → n8n-Alpha → LDAP-Beta provisioning | Universal first door — mints the callsign; candidate → member (Gate 1) |
| Partner | partner.opplet.com | Custom intake / ERPNext | Donors, service providers |
| Sync | sync.opplet.com | Newsletter / RSS subscription endpoint | Followers (no account) |
| Deploy / Fork | (reserved) | (deferred — points at the free forge’s public blueprints; §5B, §10) | Self-hosters / forkers |

Naming pattern: Engagement doors use action verbs as subdomain labels. The verbs commit, partner, sync are reserved; the fourth (deploy or fork) is reserved per Constitution §14.

Commit is the only identity-creating door. Registration mints the callsign (LDAP-Beta) and makes the registrant a candidate; graduating the Welcome to Opplet Commons course clears Gate 1 to member (Constitution §11.1). See §7B.

Protection without Authentik: These endpoints accept unauthenticated POST requests, so they require alternative protections — rate limiting (Traefik), captcha, email verification, and n8n-Alpha validation logic before any LDAP write occurs. The form is anonymous-public; the write it triggers is gated.

Legacy URL handling: Legacy paths opplet.com/engage/* and opplet.net/user/register must serve HTTP 301 redirects to their subdomain equivalents.
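The bursar posture from §3C (forward-auth on the host, source-IP gate on the Desk path) and the edge protection for the engagement doors from §4B, written out as one Traefik v3 dynamic configuration. This is an added example, not the enclave's own config: the backend addresses, the Custodian source ranges and the rate-limit numbers are assumptions, and the LDAP-Alpha restriction is enforced by the Authentik application policy, not by Traefik.

```yaml
# Traefik v3 dynamic configuration (file provider). Added example, not the enclave's own
# config. Assumed backends: Authentik embedded outpost at authentik:9000, ERPNext at
# erpnext:8000, the Commit door form at commit-form:3000. Assumed Custodian source
# ranges: 10.10.0.0/24 (Manor LAN) and 10.20.0.0/24 (Custodian WireGuard).
http:
  middlewares:
    # §3C: Authentik forward-auth. An unauthenticated request is redirected to the
    # Authentik login; only an authenticated one is passed through to the backend.
    authentik-forward-auth:
      forwardAuth:
        address: "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
    # §3C: source-IP gate for the Desk (Traefik v2 spells this middleware ipWhiteList).
    custodian-sources-only:
      ipAllowList:
        sourceRange:
          - "10.10.0.0/24"   # Manor LAN (assumed)
          - "10.20.0.0/24"   # Custodian WireGuard (assumed)
    # §4B: edge rate limit for the anonymous intake form, keyed on the client address.
    door-rate-limit:
      rateLimit:
        average: 2     # sustained requests per second (assumed value)
        burst: 10
  routers:
    # Authentik's own paths must be served on every forward-auth host: the login flow
    # redirects back to /outpost.goauthentik.io/ on bursar.opplet.com itself.
    bursar-outpost:
      rule: "Host(`bursar.opplet.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 30
      entryPoints: [websecure]
      service: authentik
      tls: {}
    # §3C: the Desk (/app) is path-gated. Allowlist runs first, then forward-auth, so a
    # public source gets a 403 here and never reaches ERPNext.
    bursar-desk:
      rule: "Host(`bursar.opplet.com`) && PathPrefix(`/app`)"
      priority: 20
      entryPoints: [websecure]
      middlewares: [custodian-sources-only, authentik-forward-auth]
      service: erpnext
      tls: {}
    # §3C: everything else on the same host (the Portal web forms) is public behind
    # forward-auth. Lower priority, so it matches only when the Desk rule did not.
    bursar-portal:
      rule: "Host(`bursar.opplet.com`)"
      priority: 10
      entryPoints: [websecure]
      middlewares: [authentik-forward-auth]
      service: erpnext
      tls: {}
    # §4B: engagement door, public anonymous (Exception §7C-2): no forward-auth, only
    # the edge rate limit; captcha, email verification and the LDAP-write validation
    # live in the form and in n8n-Alpha, not here.
    commit-door:
      rule: "Host(`commit.opplet.com`)"
      entryPoints: [websecure]
      middlewares: [door-rate-limit]
      service: commit-form
      tls: {}
  services:
    authentik:
      loadBalancer:
        servers: [{url: "http://authentik:9000"}]
    erpnext:
      loadBalancer:
        servers: [{url: "http://erpnext:8000"}]
    commit-form:
      loadBalancer:
        servers: [{url: "http://commit-form:3000"}]
```

The source-IP gate only holds if Traefik sees the real client address: if bursar.opplet.com is Cloudflare-proxied rather than DNS-only, every request arrives from a Cloudflare address and the Desk is gated on the wrong thing. In that case set forwardedHeaders.trustedIPs on the entryPoint to the proxy's ranges and add an ipStrategy to the allowlist, or keep that record DNS-only.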

4C. The Kitchen (Zone 3) — Production Forge & CI

Base Domain: opplet.com Identity Source: LDAP-Alpha via Authentik-Business OIDC; CI tokens for runners.

| Service | Subdomain | Primary Role | Posture |
|---|---|---|---|
| Kitchen production GitLab | cannery.opplet.com | Secret-bearing source & pipeline hub (LDAP-Alpha) — sealed production | Public-resolvable + Authentik-Business (LDAP-Alpha) |
| GitLab Registry | registry.opplet.com | Container Image Registry (Kitchen GitLab) | Public + token auth (Exception §7C-6) |
| GitLab Pages | pages.opplet.com | Static site hosting for CI artifacts | Public anonymous (per-project may opt into auth) |
| Discourse | forum.opplet.com | Developer Forum | Public + Authentik-Business |

Two forges, distinct posture (Constitution §4). The Kitchen production GitLab (here, cannery.opplet.com) is the secret-bearing production forge — deploy keys, production CI, infrastructure-as-code with credentials, reachable only by real-identity workers under contract. It is distinct from the free community forge (forge.opplet.com, §5B), the public openness surface on the Range. Vetted code is promoted free → Kitchen by one-way mirror; secrets never flow outward. (The service name is provisional — see §10 #10.)

4D. Shared Talent Infrastructure (Zone 4 — The Lounge)

Base Domain: opplet.com (shared infrastructure stays under the infrastructure brand). Security: All endpoints public + Authentik-Business. Per the Alpha-Override Rule (Constitution §2), admin privileges map to LDAP-Alpha.

| Service | Subdomain | Primary Role |
|---|---|---|
| Moodle | ledger.opplet.com | “The Ledger” — LMS. Delivers all courses — Welcome to Opplet Commons, Enclave Bootcamp, the WiseNxt Orientation, and the Opplet-thematic courses (Constitution §11.3, §13). The Range hosts no courses. |
| Guacamole | access.opplet.com | “The Air-Lock” — Proxy to Outpost range targets and practice forks. Shared. |

4E. CNMCyber Community Services (Zone 4 — The Lounge)

Base Domain: cnmcyber.com — run by the CNMCyber team (the Commons Lounge). Identity Source: Authentik-Business OIDC (LDAP-Beta for volunteers, LDAP-Alpha for admin override).

| Service | Subdomain | Primary Role | Posture |
|---|---|---|---|
| CNMCyber Front | cnmcyber.com (apex) | Public landing page (Hugo static) | Public anonymous (Exception §7C-1) |
| HumHub | arena.cnmcyber.com | Volunteer Community Hub (town square + per-product Developer spaces) | Public + Authentik-Business |
| BookStack-Beta | library.cnmcyber.com | “The Common Library” — Public docs & volunteer guides | Tiered: public-read on public shelves; Authentik-write; member-only shelves (Exception §7C-5) |
| Jitsi | comms.cnmcyber.com | Synchronous Video Comms | Public + Authentik-Business |

BookStack-Beta tiered model: Public shelves (read-anonymous): onboarding guides, FAQ, mission docs, public SOPs. Member shelves (read-LDAP-Beta): internal discussions, draft documents, working materials. Write access on all shelves requires LDAP-Beta authentication.


5. The Outpost (Live-Fire Range and the Climb — Zone 5)

The Outpost is dual-purpose (Hardware §4): it hosts the live-fire range and the Climb’s infrastructure. These reach the user by two different paths, and the URL strategy keeps them strictly apart.

5A. Range Targets (internal-only, via the Air-Lock)

Accessibility: Extreme (Zone 5). Network-isolated. Routing Rule: Public routing strictly prohibited. Resolvable only via internal pseudo-TLD managed by Annex/Outpost local DNS.

  • Format: [hostname].range
  • Examples: target-01.range, dvwa.range, metasploitable.range
  • Access Pathway: Talents reach targets and practice forks only via access.opplet.com (Guacamole / the Air-Lock). Local machines must never resolve .range domains directly (Constitution §5C).

Range targets run local accounts only — no Authentik integration (Exception §7C-7). The gatekeeper at access.opplet.com handles authentication; targets handle authorization downstream.

5B. The Climb’s Web Services (Traefik-fronted, not .range)

The Climb’s durable services are ordinary Beta web services, reached via Traefik — not through the Air-Lock and not on .range. They are physically on the Outpost but addressed in the public/Beta set (Constitution §4, §5C; Hardware §6B).

| Service | Subdomain | Primary Role | Posture |
|---|---|---|---|
| Free community forge | forge.opplet.com | Forgejo — the public openness surface: secret-free forkable Opplet blueprints, exemplars, curation records | Public-read on public projects; Authentik-Business (LDAP-Beta, certified members) for proposal/push (Exception §7C-5) |
| Climb tracker | tracker.opplet.com | Vikunja — cohort queue, ranking, curation records, vacancy board | Public + Authentik-Business (LDAP-Beta) |

Forge access is read-as-web-service, not operate-via-Air-Lock. Opplet Learner Permit holders get Range-review — read access to the forge as a Beta web service (Constitution §11.3a) — entirely distinct from operating on a Range fork (which goes through the Air-Lock, §5A). The Deploy/Fork engagement door (§4B; Constitution §14) points at this forge’s public blueprints. Forge CI (Forgejo Actions) runs within the forge; no separate hostname. The forge and tracker are durable — backed up to PBS under the Outpost backup exception (Constitution §9); the practice forks are ephemeral and excluded.


6. DNS Authority & Resolution Matrix

| Domain / Pattern | Authority | Resolvable From | Notes |
|---|---|---|---|
| *.opplet.com (public set) | Cloudflare (external) | Public Internet | Static front, engagement doors, cannery, registry, forum, ledger, access, forge, tracker, bursar |
| *.opplet.com (Custodian set) | OPNsense internal resolver | The Manor LAN + WireGuard | All Zone 0/2 services + hypervisors (excluding bursar and the sso login page) |
| *.wisenxt.com | Cloudflare (external) | Public Internet | Public static front only |
| *.kenyax.com | Cloudflare (external) | Public Internet | Public static front only |
| *.cnmcyber.com | Cloudflare (external) | Public Internet | CNMCyber community services |
| *.[custodian-personal] | Registrar/Hetzner DNS → Den Gateway | Public Internet | Den services (Gateway-proxied) |
| *.range | Outpost local DNS | Outpost VLAN only via Guacamole | Never public, never via Tailscale |

Routing note for forge / tracker: these resolve publicly (Cloudflare) and Traefik routes them to the Outpost over the vSwitch as Beta web services — they are not .range names and not reached through the Air-Lock (§5B; Hardware §6B).

Split-Horizon Rule for opplet.com

The opplet.com zone operates split-horizon DNS. The Custodian set (e.g., fw, ldap-a, ldap-b, butler, grimoire, wazuh, watchtower, analytics, vault-biz, pbs, all pve-*, incus-outpost) must not exist in the public Cloudflare zone. Leakage of a Custodian-set hostname into public DNS is a Level 2 incident (Kill Switch Matrix, Constitution §8) and triggers immediate remediation.

Hostnames intentionally bridging both zones:

  • sso.opplet.com — login page public via Annex outpost; admin UI Custodian-only.
  • bursar.opplet.com — publicly resolvable per §3C: recruitment Portal public behind Authentik forward-auth (LDAP-Alpha); finance Desk (/app) restricted to the Custodian set by source-IP. One public A record, path-gated.

7. Identity, Authentication & Protection Postures

7A. The Two Domains, Two Identities Principle

Aligned with Constitution §3 (the two-worlds identity architecture), URL nomenclature enforces hard separation between personal and business identity.

| Concern | Business | Personal |
|---|---|---|
| SSO entry point | sso.opplet.com | id.[custodian-personal] |
| Credential vault | vault-biz.opplet.com | vault.[custodian-personal] |
| File storage | (none) | files.[custodian-personal] |
| Dashboard | watchtower.opplet.com (ops) | home.[custodian-personal] (life) |
| Automation | butler.opplet.com | glue.[custodian-personal] |

Zero Cross-Pollination Rule (URL Layer): No URL on opplet.com may redirect to, federate with, or trust a token from [custodian-personal]. The reverse is equally prohibited.

7B. Registration is Not Self-Service (Single Intake Model)

Per the single-intake model (Constitution §12), the enclave operates a single public intake, and progression is sequential along the path fixed in Constitution §11. There is one identity-creating URL; everything past it is course completion or recruitment, never a parallel signup.

  • Gate 1 — universal first door: commit.opplet.com is the only public account-creation endpoint. Registration mints the callsign and provisions a candidate in LDAP-Beta; graduating the Welcome to Opplet Commons course clears Gate 1 to member, with community access (HumHub, BookStack-Beta public + member shelves, Jitsi) — Constitution §11.1.
  • The Opplet Learner Permit (certified member): a member may opt into Enclave Bootcamp (Moodle) to earn the Permit, which grants Range-review of the free community forge (forge.opplet.com, read-only Beta web service), the Opplet-thematic courses, and the WiseNxt Orientation (Constitution §11.3). The holder stays in LDAP-Beta.
  • The Climb → operator (the four Gate 2s): a Permit-holder may opt into the Climb via the WiseNxt Orientation; produced work is ranked (tracker.opplet.com), earns a Range deploy, and crosses one of four per-zone Gate 2s into operating a zone, earning the Operator License. The four specialties (Engineering, Logistics, Finance, Marketing) describe focus, discovered in the Climb. This entire ladder is pseudonymous, within LDAP-Beta (Constitution §11.4) — it is not governed by a public URL.
  • Crossing to LDAP-Alpha (the Real-Identity Workplace): not a rung — it is taking real-identity work (privacy, security, or contract), reached by human recruitment of a proven commons volunteer (Constitution §11.6, §15E), administered through the bursar Portal (§3C). The Tech Board determines funding and awards contracts (Constitution §16).
  • Personal accounts: Manual provisioning by the Custodian in Authentik-Personal.

No Parallel Intake Rule: There is no public URL anywhere in the enclave that creates an LDAP-Alpha account directly. LDAP-Alpha membership is reachable only by recruitment from LDAP-Beta (Constitution §12). Enabling self-registration on sso.opplet.com or id.[custodian-personal] is a Constitutional violation.

7B.1 Dual Membership on Recruitment

Operators and recruited real-identity workers retain their LDAP-Beta account in addition to any LDAP-Alpha real-identity (Constitution §12, dual-hold). Rationale:

  • The Alpha-Override Rule (Constitution §2) requires LDAP-Beta for normal Zone 4 access; deactivating it on the crossing would lock a worker out of HumHub and the Common Library as a community member.
  • The “growing from user to governor” framing implies accumulation of role, not replacement of identity — crossing to Alpha adds an accountable identity beside the commons one (Constitution §12).
  • Historical posts, contributions, course records, and curation records remain attached to the LDAP-Beta identity without orphaning — the basis for project-member curation in the Climb’s ranking (Constitution §11).

Naming convention: LDAP-Alpha account names should be a deterministic transformation of the LDAP-Beta name (e.g., jdoe → jdoe or jdoe-eng) so the human-to-identity mapping is unambiguous.

7C. The Authentik Default Rule

Every HTTP service in the enclave is Authentik-walled (Authentik-Business or Authentik-Personal as appropriate) unless it falls into one of the named exception categories below (Constitution §7). Each exception is justified; new unwalled services require deliberate categorization.

| # | Exception Category | Reason | Examples |
|---|---|---|---|
| 1 | Public brand fronts | Exist to be found by strangers; auth defeats the purpose | opplet.com, kenyax.com, wisenxt.com, cnmcyber.com apex sites |
| 2 | Engagement doors | Intake forms specifically for users without accounts | commit.opplet.com, partner.opplet.com, sync.opplet.com |
| 3 | Protocol endpoints | Non-HTTP or auth-incompatible protocols | mail.[personal], dav.[personal], pbx.[personal] (SIP), autodiscover.[personal] |
| 4 | OIDC infrastructure | Authentik can’t wall itself (bootstrap) | sso.opplet.com login + discovery; id.[personal] login + discovery |
| 5 | Public read-only documentation and the openness surface | Meritocratic commitment: “the docs are public” and the blueprints are forkable | BookStack-Beta public shelves at library.cnmcyber.com; the free community forge’s public projects at forge.opplet.com (read-only; push is Authentik-walled) |
| 6 | CI/CD machinery | Token-based auth from headless agents | registry.opplet.com, pages.opplet.com per-project |
| 7 | Network-boundary-protected | Custodian-only DNS or air-gapped VLAN | Manor §3A/§3B services, *.range targets, fw.opplet.com |

Posture taxonomy (Constitution §7):

| Posture | Where Reachable | Auth Layer |
|---|---|---|
| Public anonymous | Anywhere | None (rate limit + captcha + back-end validation) |
| Public + Authentik | Anywhere | Authentik OIDC required |
| Custodian-only | Manor LAN + WireGuard tunnel | Network boundary primary; Authentik defense-in-depth where applicable |

Every service entry in this document carries an explicit posture label. Adding a new service requires assigning it a posture before provisioning.


8. Naming Conventions (Authoritative)

8A. The Two Naming Layers

Zones and services use two independent naming layers that must never be conflated:

  • Zone names use dwelling metaphors (Basement, Office, Kitchen, Lounge, Range) and describe physical/logical location of workloads.
  • Service names use functional metaphors (butler, grimoire, bursar, forge, cannery, ledger, arena, library, access, tracker) and describe what the service does.

Zone names must never appear as service hostnames. Service metaphors must never be used to refer to zones. A Kitchen contains multiple services; a service’s metaphorical name is meaningful to its users regardless of which zone hosts it. The free community forge (forge) is metaphor-named for its function and addressed under opplet.com even though it physically runs on the Range.

8B. Hostname Rules

  1. Business hostnames use metaphorical service names per §8A.
  2. Hypervisor / container-host hostnames follow pve-{nodename} for Proxmox nodes and incus-{nodename} for Incus nodes (e.g., pve-m1, pve-annex, incus-outpost).
  3. Personal hostnames use functional names (mail, vault, files, tasks).
  4. Engagement door hostnames use action verbs (commit, partner, sync, reserved fourth).
  5. No hostname reuse across personal/business identity split. vault.opplet.com is forbidden; vault-biz.opplet.com makes context explicit.
  6. Retired hostnames are permanently forbidden: pve-c{1,2,3}.opplet.com, pve-gateway.opplet.com, pve-range.opplet.com, pve-outpost.opplet.com, drive.opplet.com, vault.opplet.com, arena.wisenxt.com, library.wisenxt.com, comms.wisenxt.com, ledger.wisenxt.com, access.wisenxt.com.

Reassignment note (6.0): forge.opplet.com previously named the Kitchen GitLab; it now names the free community forge (Forgejo). The Kitchen production GitLab is cannery.opplet.com. This is a reassignment, not a retirement — any old reference to forge.opplet.com meaning the Kitchen GitLab must be updated.


9. Changelog

5.0 → 6.0 (Constitution v12.8 alignment)

  • The Forge is two instances (§4C, §5B; Constitution §4). The free community forge (Forgejo) is recorded as the public openness surface on the Range, addressed forge.opplet.com and reached as an ordinary Beta web service via Traefik (public-read; Authentik-walled push) — not a .range target and not via the Air-Lock. The Kitchen production GitLab (secret-bearing, LDAP-Alpha) is renamed forge.opplet.com → cannery.opplet.com (§8B reassignment). Added tracker.opplet.com (Vikunja, the Climb’s queue/ranking/curation).
  • Recruitment model replaced (§7B, §3C, §11). The former Associate / Contractor / Track-Lead three-gate ladder is replaced by the current path: candidate → member (Welcome to Opplet Commons, Gate 1) → certified member (Opplet Learner Permit, Enclave Bootcamp) → the Climb (WiseNxt Orientation) → operator across four per-zone Gate 2s (Operator License), all pseudonymous in LDAP-Beta; crossing to LDAP-Alpha is recruitment into real-identity work (privacy/security/contract — §15E), funded at the Tech Board’s discretion (§16). The bursar Portal (§3C) is reframed from “Gate 3 paid contracts” to Workplace real-identity recruitment.
  • Domain/team framing (Scope, §1). The four governance domains are Enclave / Commons / WiseNxt / Workplace; cnmcyber.com and kenyax.com are team brands (CNMCyber runs the Commons Lounge; KenyaX operates the Workplace — §13, §15D).
  • Real-identity sweep. “real-name workforce” → Real-Identity Workplace; LDAP-Alpha is the real-identity directory, LDAP-Beta the commons directory, both Basement-hosted (§3A; Enclave Doctrine §2).
  • Outpost hypervisor. pve-outpost retired; the Outpost runs Incus (incus-outpost, Custodian-set) — Hardware §4A, §7.
  • Cross-references re-pointed to v12.8 — structure largely stable (§5, §7, §8, §12, §14, §16 unchanged); the model at §11 is the part that changed. §7C exception #5 extended to the forge’s public projects.
  • Status: DRAFT pending ratification of the v12.6–v12.8 cluster; returns to RATIFIED with the Charter Release that ratifies it.

Earlier history (condensed)

  • 5.0 — Constitution v11 alignment: “Sovereign” (role) → “Custodian”; versioning normalized to major.minor; bursar posture resolved (forward-auth, Portal/Desk split).
  • r1–r4 — fifth apex domain cnmcyber.com added; WiseNxt reduced to a public front; HumHub/BookStack-Beta/Jitsi homed on cnmcyber.com; Moodle/Guacamole kept on opplet.com; engagement doors commit/partner/sync added; single-intake model and the Authentik Default Rule with seven exception categories established; node renames (pve-c* → pve-m*, pve-gateway → pve-annex).

10. Open Questions for the Custodian

  1. Personal apex domain selection. Recommendation: short, memorable domain on a TLD distinct from .com.
  2. Webmail subdomain choice. Recommendation: keep mail. (protocols) and webmail. (web UI) split.
  3. GitLab Pages routing. Confirm enablement and whether wildcard certs (*.pages.opplet.com) are required.
  4. Phone number portability path. SIP provider portal CNAME implications.
  5. Fourth engagement door naming (deploy vs. fork). Reserved per Constitution §14; it points at the free forge’s public blueprints (§4B, §5B). Deferred — not blocking.
  6. Status of opplet.net. Retire entirely, keep as permanent redirect host, or retain for other purpose?
  7. CNMCyber landing page tech. Hugo recommended for parity; CNMCyber’s preference may differ.
  8. LDAP-Alpha account naming convention on recruitment. §7B.1 suggests deterministic transformation (e.g., jdoe → jdoe-eng). Confirm or pick alternative.
  9. Workplace recruitment implementation in ERPNext. Posture is settled (§3C: public Portal + internal Desk). Remaining: build the applicant-facing form as a Frappe Portal Web Form feeding the HR/Recruitment Desk module the Tech Board manages internally, and confirm its URL path under bursar.opplet.com.
  10. Production-forge hostname (new in 6.0). cannery.opplet.com is a provisional name for the Kitchen production GitLab (Kitchen-family metaphor for sealed production). Confirm it or pick another single-word service metaphor — forge is now the free community forge. Also confirm tracker.opplet.com for the Climb’s Vikunja.

11. Constitutional Status

The single-intake model this document depends on is ratified in Constitution §12 (“Single Intake, Sequential Recruitment — Four Rules”). The progression path it references is Constitution §11 (The Two Worlds and the Climb); the real-identity requirement is §15E; the Tech Board that determines funding and awards contracts is §16; the four governance domains and the Charter are §13.

This revision (6.0) is DRAFT: it realigns the document to Constitution v12.8 and is not yet ratified. The forge model and recruitment model are reconciled in-text; residual items are implementation/naming details (Open Questions #9, #10), not constitutional conflicts. It folds into the Charter Release that ratifies the v12.6–v12.8 cluster, at which point this document returns to RATIFIED.

For reference, the current intake/progression rule reads:

All participants enter through commit.opplet.com, which mints a callsign and a candidate identity in LDAP-Beta; graduating Welcome to Opplet Commons makes them members of the Volunteer Commons (Gate 1). A member may earn the Opplet Learner Permit (Enclave Bootcamp) and opt into the Climb (WiseNxt Orientation), crossing four per-zone Gate 2s into operating — all pseudonymous, within LDAP-Beta, with the Operator License as the credential. Crossing into LDAP-Alpha is recruitment into real-identity work (privacy, security, or contract — §15E), drawn only from proven commons volunteers (§12); whether such work is funded is the Tech Board’s determination (§16). No public flow creates an Alpha identity.


END OF DOCUMENT
