From 614d0458420e288642c830749e5b57ac1d95ae1a Mon Sep 17 00:00:00 2001
From: defiQUG <defi@defi-oracle.io>
Date: Sun, 12 Apr 2026 19:02:51 -0700
Subject: [PATCH] Add MEV hostnames to tunnel helper

---
 .../MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md  |  8 ++++++++
 scripts/update-vmid2400-tunnel-config.sh      | 19 ++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/docs/04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md b/docs/04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md
index b5fcf4f9..19f99d69 100644
--- a/docs/04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md
+++ b/docs/04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md
@@ -58,6 +58,14 @@ bash scripts/cloudflare/set-mev-defi-oracle-dns.sh
 
 Optional: `MEV_DEFI_ORACLE_EDGE_MODE=tunnel|public_ip|auto`, `MEV_DEFI_ORACLE_PUBLIC_IP=…`.
 
+If `MEV_DEFI_ORACLE_EDGE_MODE=auto` selects the VMID 2400 tunnel but the tunnel is not manageable in the current Cloudflare account, fall back to the public NPMplus edge explicitly:
+
+```bash
+MEV_DEFI_ORACLE_EDGE_MODE=public_ip bash scripts/cloudflare/set-mev-defi-oracle-dns.sh
+```
+
+If you intentionally carry **MEV** traffic on the same Cloudflare tunnel stack as RPC / `info`, run `scripts/update-vmid2400-tunnel-config.sh` so the tunnel ingress includes `mev.defi-oracle.io` and `www.mev.defi-oracle.io`.
+
 ## Configuration reference
 
 | Variable | Default (see `config/ip-addresses.conf`) | Purpose |
diff --git a/scripts/update-vmid2400-tunnel-config.sh b/scripts/update-vmid2400-tunnel-config.sh
index 041722e2..ccb99ad3 100644
--- a/scripts/update-vmid2400-tunnel-config.sh
+++ b/scripts/update-vmid2400-tunnel-config.sh
@@ -9,8 +9,9 @@ PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 ENV_FILE="$PROJECT_ROOT/.env"
 # shellcheck source=/dev/null
 source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
-# Dedicated info SPA LXC (VMID 2410); tunnel connector on 2400 must reach this IP:80
+# Dedicated info / MEV SPA LXC (VMID 2410 by default); tunnel connector on 2400 must reach this IP:80
 INFO_WEB_UPSTREAM="${INFO_DEFI_ORACLE_TUNNEL_UPSTREAM:-${IP_INFO_DEFI_ORACLE_WEB:-192.168.11.218}}"
+MEV_WEB_UPSTREAM="${MEV_DEFI_ORACLE_TUNNEL_UPSTREAM:-${MEV_DEFI_ORACLE_UPSTREAM_IP:-${IP_INFO_DEFI_ORACLE_WEB:-192.168.11.218}}}"
 
 # Colors
 RED='\033[0;31m'
@@ -76,6 +77,7 @@ log_info "Building tunnel ingress configuration..."
 log_info "  HTTP RPC → http://127.0.0.1:${RPC_HTTP_PORT}"
 log_info "  WebSocket RPC → ws://127.0.0.1:${RPC_WS_PORT}"
 log_info "  info.defi-oracle.io → http://${INFO_WEB_UPSTREAM}:80 (dedicated web LXC)"
+log_info "  mev.defi-oracle.io → http://${MEV_WEB_UPSTREAM}:80 (dedicated web LXC)"
 
 # Note: Cloudflare tunnels handle WebSocket upgrades automatically
 # We route HTTP to 8545, and WebSocket will also route there initially
@@ -87,6 +89,7 @@ INGRESS_CONFIG=$(jq -n \
     --arg http_port "$RPC_HTTP_PORT" \
     --arg ws_port "$RPC_WS_PORT" \
     --arg info_web "$INFO_WEB_UPSTREAM" \
+    --arg mev_web "$MEV_WEB_UPSTREAM" \
     '{
         config: {
             ingress: [
@@ -112,6 +115,20 @@ INGRESS_CONFIG=$(jq -n \
                         httpHostHeader: "www.info.defi-oracle.io"
                     }
                 },
+                {
+                    hostname: "mev.defi-oracle.io",
+                    service: ("http://" + $mev_web + ":80"),
+                    originRequest: {
+                        httpHostHeader: "mev.defi-oracle.io"
+                    }
+                },
+                {
+                    hostname: "www.mev.defi-oracle.io",
+                    service: ("http://" + $mev_web + ":80"),
+                    originRequest: {
+                        httpHostHeader: "www.mev.defi-oracle.io"
+                    }
+                },
                 {
                     service: "http_status:404"
                 }