chore: chain138-open-snap canonical repo, submodule, publish script

- Point AGENTS.md at Defi-Oracle-Tooling/chain138-snap-minimal; document nested submodule in SUBMODULE_RELATIONSHIP_MAP
- Bump metamask-integration submodule (chain138-snap-minimal nested submodule on Gitea)
- Add publish-chain138-open-snap.sh with canonical repo comment

Made-with: Cursor

AGENTS.md

@@ -13,13 +13,16 @@ Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus,
 | Doc index | `docs/MASTER_INDEX.md` |
 | Chain 138 info site (`info.defi-oracle.io`) | `info-defi-oracle-138/` — `pnpm --filter info-defi-oracle-138 build`; deploy `dist/`; runbook `docs/04-configuration/INFO_DEFI_ORACLE_IO_DEPLOYMENT.md` |
 | cXAUC/cXAUT unit | 1 full token = 1 troy oz Au — `docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md` (section 5.1) |
+| GRU / UTRNF token naming (`c*` vs collateral prefix) | `docs/04-configuration/naming-conventions/README.md`, `docs/04-configuration/naming-conventions/02_DBIS_NAMESPACE_AND_UTRNF_MAPPING.md` |
 | PMM mesh 6s tick | `smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh` — `docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation) |
+| Mainnet cWUSD\* peg, TRUU PMM, bot readiness | `docs/03-deployment/MAINNET_PMM_TRUU_CWUSD_PEG_AND_BOT_RUNBOOK.md` (§11 live inventory) — `scripts/verify/check-mainnet-pmm-peg-bot-readiness.sh`, `scripts/deployment/deploy-mainnet-pmm-cw-truu-pool.sh`, `scripts/deployment/add-mainnet-truu-pmm-topup.sh`, `scripts/deployment/compute-mainnet-truu-liquidity-amounts.sh`, `scripts/deployment/compute-mainnet-truu-pmm-seed-amounts.sh`; `cross-chain-pmm-lps/config/deployment-status.json` `pmmPoolsVolatile`; `docs/11-references/CONTRACT_ADDRESSES_REFERENCE.md` (Mainnet TRUU PMM); `check-full-deployment-status.sh` when `ETHEREUM_MAINNET_RPC` + `DODO_PMM_INTEGRATION_MAINNET` are set |
 | VMID / IP / FQDN | `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md` |
 | Proxmox Mail Proxy (LAN SMTP) | VMID **100** `192.168.11.32` (`proxmox-mail-gateway`) — submission **587** / **465**; see Mail Proxy note in `ALL_VMIDS_ENDPOINTS.md` |
+| Spare R630 storage + optional tune-up | `scripts/proxmox/ensure-r630-spare-node-storage.sh`, `scripts/proxmox/provision-r630-03-six-ssd-thinpools.sh`, `scripts/proxmox/pve-spare-host-optional-tuneup.sh` · load balance / migrate: `docs/04-configuration/PROXMOX_LOAD_BALANCING_RUNBOOK.md` |
 | Ops template + JSON | `docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md`, `config/proxmox-operational-template.json` |
 | Live vs template (read-only SSH) | `bash scripts/verify/audit-proxmox-operational-template.sh` |
-| Config validation | `bash scripts/validation/validate-config-files.sh` (optional: `python3 -m pip install check-jsonschema` for `validate-dbis-institutional-schemas.sh`, `validate-jvmtm-regulatory-closure-schemas.sh`, `validate-reserve-provenance-package.sh`; includes explorer Chain 138 inventory vs `config/smart-contracts-master.json`) |
-| Chain 138 contract addresses (JSON + bytecode) | `config/smart-contracts-master.json` — `bash scripts/verify/check-contracts-on-chain-138.sh` (expect **64/64** when Core RPC reachable; jq uses JSON when file present) |
+| Config validation | `bash scripts/validation/validate-config-files.sh` (optional: `python3 -m pip install check-jsonschema` for `validate-dbis-institutional-schemas.sh`, `validate-naming-convention-registry-examples.sh`, `validate-jvmtm-regulatory-closure-schemas.sh`, `validate-reserve-provenance-package.sh`; includes explorer Chain 138 inventory vs `config/smart-contracts-master.json`) |
+| Chain 138 contract addresses (JSON + bytecode) | `config/smart-contracts-master.json` — `bash scripts/verify/check-contracts-on-chain-138.sh` (expect **75/75** when Core RPC reachable; jq uses JSON when file present) |
 | OMNL + Core + Chain 138 + RTGS + Smart Vaults | `docs/03-deployment/OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md`; identifiers (UETR vs DLT-primary): `docs/03-deployment/OJK_BI_AUDIT_JVMTM_REMEDIATION_AND_UETR_POLICY.md`; JVMTM Tables B/C/D closure matrix: `config/jvmtm-regulatory-closure/INAAUDJVMTM_2025_AUDIT_CLOSURE_MATRIX.md`; **dual-anchor attestation:** `scripts/omnl/omnl-chain138-attestation-tx.sh` (138 + optional mainnet via `ETHEREUM_MAINNET_RPC`); E2E zip: `AUDIT_PROOF.json` `chainAttestationMainnet`; machine-readable: `config/dbis-institutional/` |
 | Blockscout address labels from registry | `bash scripts/verify/sync-blockscout-address-labels-from-registry.sh` (plan); `--apply` with `BLOCKSCOUT_*` env when explorer API confirmed |
 | ISO-20022 on-chain methodology + intake gateway | `docs/04-configuration/SMART_CONTRACTS_ISO20022_FIN_METHODOLOGY.md`, `ISO20022_INTAKE_GATEWAY_CONTRACT_MULTI_NETWORK.md`; Rail: `docs/dbis-rail/ISO_GATEWAY_AND_RELAYER_SPEC.md` |
@@ -32,7 +35,8 @@ Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus,
 | Portal Keycloak OIDC secret on CT 7801 | After client exists: `./scripts/deployment/sankofa-portal-merge-keycloak-env-from-repo.sh` (needs `KEYCLOAK_CLIENT_SECRET` in repo `.env`; base64-safe over SSH) |
 | Sankofa corporate web → CT 7806 | Provision: `./scripts/deployment/provision-sankofa-public-web-lxc-7806.sh`. Sync: `./scripts/deployment/sync-sankofa-public-web-to-ct.sh`. systemd: `config/systemd/sankofa-public-web.service`. Set `IP_SANKOFA_PUBLIC_WEB` in `.env`, then `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` |
 | CCIP relay (r630-01 host) | Unit: `config/systemd/ccip-relay.service` → `/etc/systemd/system/ccip-relay.service`; `systemctl enable --now ccip-relay` |
-| XDC Zero + Chain 138 (parallel to CCIP) | `docs/07-ccip/XDC_ZERO_CHAIN138.md`, `docs/03-deployment/CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK.md`, `config/xdc-zero/`; `bash scripts/verify/xdc-zero-chain138-preflight.sh`; `XDC_ZERO_ENDPOINT_DIR=.../XDC-Zero/endpoint bash scripts/xdc-zero/merge-endpointconfig-chain138.sh --dry-run` — **XDC mainnet RPC:** `https://rpc.xinfin.network` (not Ethereum); Hardhat `chain138` in XDC-Zero `endpoint/` uses `RPC_URL_138` |
+| XDC Zero + Chain 138 (parallel to CCIP) | `bash scripts/xdc-zero/run-xdc-zero-138-operator-sequence.sh` · `docs/03-deployment/CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK.md` · `CHAIN138_XDC_ZERO_DEPLOYMENT_TROUBLESHOOTING.md` · `config/xdc-zero/` · `scripts/xdc-zero/` · systemd `node dist/server.js` template — **XDC mainnet RPC:** `https://rpc.xinfin.network` (chain id 50; more endpoints: [chainid.network/chain/50](https://chainid.network/chain/50/)); **Chain 138 side:** Core `http://192.168.11.211:8545` is operator-only, relayer/services use `https://rpc-http-pub.d-bis.org` |
+| OP Stack Standard Rollup (Ethereum mainnet, Superchain) | `docs/03-deployment/OP_STACK_STANDARD_ROLLUP_SUPERCHAIN_RUNBOOK.md` · optional L2↔Besu notes `docs/03-deployment/OP_STACK_L2_AND_BESU138_BRIDGE_NOTES.md` · `config/op-stack-superchain/` · `scripts/op-stack/` (e.g. `fetch-standard-mainnet-toml.sh`, checklist scripts) · `config/systemd/op-stack-*.example.service` — **distinct L2 chain ID from Besu 138**; follow [Optimism superchain-registry](https://github.com/ethereum-optimism/superchain-registry) for listing |
 | Wormhole protocol (LLM / MCP) vs Chain 138 facts | Wormhole NTT/Connect/VAAs/etc.: `docs/04-configuration/WORMHOLE_AI_RESOURCES_LLM_PLAYBOOK.md`, mirror `scripts/doc/sync-wormhole-ai-resources.sh`, MCP `mcp-wormhole-docs/` + `docs/04-configuration/MCP_SETUP.md`. **Chain 138 addresses, PMM, CCIP:** repo `docs/11-references/` + `docs/07-ccip/` — not Wormhole bundles. Cursor overlay: `.cursor/rules/wormhole-ai-resources.mdc`. |
 | TsunamiSwap VM 5010 check | `./scripts/deployment/tsunamiswap-vm-5010-provision.sh` (inventory only until VM exists) |
 | The Order portal (`https://the-order.sankofa.nexus`) | OSJ management UI (secure auth); source repo **the_order** at `~/projects/the_order`. NPM upstream defaults to **order-haproxy** CT **10210** (`IP_ORDER_HAPROXY:80`); use `THE_ORDER_UPSTREAM_*` to point at the Sankofa portal if 10210 is down. Provision HAProxy: `scripts/deployment/provision-order-haproxy-10210.sh`. **`www.the-order.sankofa.nexus`** → **301** apex (same as www.sankofa / www.phoenix). |
@@ -40,6 +44,7 @@ Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus,
 | Keycloak redirect URIs (portal + admin) | `./scripts/deployment/keycloak-sankofa-ensure-client-redirects-via-proxmox-pct.sh` (or `keycloak-sankofa-ensure-client-redirects.sh` for LAN URL) — needs `KEYCLOAK_ADMIN_PASSWORD` in `.env` |
 | NPM TLS for hosts missing certs | `./scripts/request-npmplus-certificates.sh` — optional `CERT_DOMAINS_FILTER='portal\\.sankofa|admin\\.sankofa'` |
 | Token-aggregation API (Chain 138) | `pnpm run verify:token-aggregation-api` — tokens, pools, quote, `bridge/routes`, networks. Deploy: `scripts/deploy-token-aggregation-for-publication.sh`. After edge deploy: `SKIP_BRIDGE_ROUTES=0 bash scripts/verify/check-public-report-api.sh https://explorer.d-bis.org`. |
+| **Chain 138 Open Snap** (MetaMask, open Snap permissions only; stable MetaMask requires MetaMask install allowlist for npm Snaps) | Source repo: [Defi-Oracle-Tooling/chain138-snap-minimal](https://github.com/Defi-Oracle-Tooling/chain138-snap-minimal). Vendored in this workspace: `metamask-integration/chain138-snap-minimal/`. Snap ID `npm:chain138-open-snap`; **`npm run verify`** = `npm audit --omit=dev` + build. **Publish:** token in `chain138-snap/.env` or `npm login`, then `./scripts/deployment/publish-chain138-open-snap.sh`. **Full-feature Snap** (API quotes, allowlist): `metamask-integration/chain138-snap/`. Explorer `/wallet` install works on stable MetaMask only after allowlisting; use Flask or local serve for dev. |
 | Completable (no LAN) | `./scripts/run-completable-tasks-from-anywhere.sh` |
 | Operator (LAN + secrets) | `./scripts/run-all-operator-tasks-from-lan.sh` (use `--skip-backup` if `NPM_PASSWORD` unset) |
 | Cloudflare bulk DNS → `PUBLIC_IP` | `./scripts/update-all-dns-to-public-ip.sh` — use **`--dry-run`** and **`--zone-only=sankofa.nexus`** (or `d-bis.org` / `mim4u.org` / `defi-oracle.io`) to limit scope; see script header. Prefer scoped **`CLOUDFLARE_API_TOKEN`** (see `.env.master.example`). |

docs/11-references/SUBMODULE_RELATIONSHIP_MAP.md

@@ -34,6 +34,12 @@
 | **explorer-monorepo** | `explorer-monorepo/` | https://github.com/Order-of-Hospitallers/chain-138-explorer.git | Blockchain explorer | smom-dbis-138 |
 | **metamask-integration** | `metamask-integration/` | git@github.com:Defi-Oracle-Meta-Blockchain/metamask-integration.git | MetaMask integration | smom-dbis-138 |
 | **fireblocks-integration** | `fireblocks-integration/` | https://gitea.d-bis.org/d-bis/fireblocks-integration.git | Fireblocks Web3 (Chain 138 RPC, docs) | smom-dbis-138 (RPC) |
+
+#### Nested under metamask-integration
+
+| Path | Repository | Purpose |
+|------|------------|---------|
+| `metamask-integration/chain138-snap-minimal/` | https://github.com/Defi-Oracle-Tooling/chain138-snap-minimal.git | npm package **`chain138-open-snap`** (Chain 138 Open Snap). Registered as a nested submodule; use **`git submodule update --init --recursive`** from the repo root (or from `metamask-integration/` after `submodule update`) so this path is populated. Publish from proxmox: `scripts/deployment/publish-chain138-open-snap.sh`. |
 | **alltra-lifi-settlement** | `alltra-lifi-settlement/` | https://github.com/bis-innovations/LiFi_Pay_Alltra_Integration_Submodule.git | LiFi/Alltra settlement | None |
 | **cross-chain-pmm-lps** | `cross-chain-pmm-lps/` | https://gitea.d-bis.org/d-bis/cross-chain-pmm-lps.git | cW* M1 public-chain single-sided PMM stabilization mesh (bot, pool topology, peg bands, oracles) | smom-dbis-138 / token-mapping (reference) |
 | **ai-mcp-pmm-controller** | `ai-mcp-pmm-controller/` | https://gitea.d-bis.org/d-bis/ai-mcp-pmm-controller.git | 5701 MCP hub for DODO PMM (read-only + risk scoring, pool allowlist, policy gate) | See [AI_AGENTS_57XX_DEPLOYMENT_PLAN.md](../02-architecture/AI_AGENTS_57XX_DEPLOYMENT_PLAN.md) Appendix F |

scripts/deployment/publish-chain138-open-snap.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Publish chain138-open-snap to the public npm registry (open-permission MetaMask Snap).
+#
+# Authentication (first that applies):
+#   1) NPM_ACCESS_TOKEN or NPM_TOKEN (e.g. in metamask-integration/chain138-snap/.env,
+#      auto-sourced by this script). Use a Granular token with permission to publish
+#      this package and enable "Bypass two-factor authentication (2FA)" so publish does
+#      not require an authenticator code (see npm token settings).
+#   2) Otherwise: existing npm login — npm whoami must succeed.
+#
+# If npm returns EOTP, either recreate the token with 2FA bypass for publish, or pass
+# a one-time code through to npm publish, e.g.:
+#   ./scripts/deployment/publish-chain138-open-snap.sh --otp=123456
+#
+# Canonical source repo: https://github.com/Defi-Oracle-Tooling/chain138-snap-minimal
+# Usage: from repo root: ./scripts/deployment/publish-chain138-open-snap.sh [--dry-run] [npm publish args...]
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+DIR="$ROOT/metamask-integration/chain138-snap-minimal"
+CHAIN138_ENV="$ROOT/metamask-integration/chain138-snap/.env"
+
+if [[ ! -f "$DIR/package.json" ]]; then
+  echo "error: missing $DIR/package.json" >&2
+  exit 1
+fi
+
+# Optional: load npm token from sibling chain138-snap .env (gitignored; do not commit tokens).
+if [[ -f "$CHAIN138_ENV" ]]; then
+  _had_u=0
+  [[ -o nounset ]] && _had_u=1
+  set +u
+  set -a
+  # shellcheck disable=SC1090
+  source "$CHAIN138_ENV"
+  set +a
+  if [[ "$_had_u" -eq 1 ]]; then
+    set -u
+  else
+    set +u
+  fi
+fi
+
+AUTH_TOKEN="${NPM_ACCESS_TOKEN:-${NPM_TOKEN:-}}"
+
+cd "$DIR"
+
+# Quiet the common nvm + npm warning: ~/.npmrc `prefix` vs nvm-managed Node.
+unset npm_config_prefix 2>/dev/null || true
+if [[ -n "${NVM_DIR:-}" && -f "${NVM_DIR}/nvm.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "${NVM_DIR}/nvm.sh" 2>/dev/null || true
+  _nvm_cur="$(nvm current 2>/dev/null || true)"
+  if [[ -n "${_nvm_cur}" && "${_nvm_cur}" != "system" && "${_nvm_cur}" != "none" ]]; then
+    nvm use --delete-prefix "${_nvm_cur}" --silent 2>/dev/null || true
+  fi
+  unset _nvm_cur
+fi
+
+cleanup() {
+  [[ -n "${NPMRC_TMP:-}" && -f "${NPMRC_TMP:-}" ]] && rm -f "$NPMRC_TMP"
+}
+trap cleanup EXIT
+
+if [[ -n "$AUTH_TOKEN" ]]; then
+  echo "Publishing chain138-open-snap from $DIR using registry token from env (prepack runs npm run build)..."
+  NPMRC_TMP="$(mktemp)"
+  printf '//registry.npmjs.org/:_authToken=%s\n' "$AUTH_TOKEN" >"$NPMRC_TMP"
+  npm publish --userconfig "$NPMRC_TMP" "$@"
+else
+  if ! npm whoami >/dev/null 2>&1; then
+    echo "error: not authenticated. Set NPM_ACCESS_TOKEN (see metamask-integration/chain138-snap/.env.example) or run: npm login" >&2
+    exit 1
+  fi
+  echo "Publishing chain138-open-snap from $DIR (logged-in npm user; prepack runs npm run build)..."
+  npm publish "$@"
+fi