ci: lock deploy workflows across main and master

.gitea/CONTRIBUTING.md

@@ -6,6 +6,10 @@
 2. Make changes, ensure tests pass
 3. Open a pull request
 
+Deploy workflow policy:
+`main` and `master` are both deploy-triggering branches, so `.gitea/workflow-sources/deploy-to-phoenix.yml` and `.gitea/workflow-sources/validate-on-pr.yml` must stay identical across both branches.
+Use `bash scripts/verify/sync-gitea-workflows.sh` after editing workflow-source files, and `bash scripts/verify/run-all-validation.sh --skip-genesis` to catch workflow drift before push.
+
 ## Pull Requests
 
 - Use the PR template when opening a PR

.gitea/workflow-sources/deploy-to-phoenix.yml

@@ -0,0 +1,77 @@
+# Canonical deploy workflow. Keep source and checked-in workflow copies byte-identical.
+# Validation checks both file sync and main/master parity.
+name: Deploy to Phoenix
+
+on:
+  push:
+    branches: [main, master]
+  workflow_dispatch:
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Fetch deploy branches for workflow parity check
+        run: |
+          git fetch --depth=1 origin main master
+
+      - name: Run repo validation gate
+        run: |
+          bash scripts/verify/run-all-validation.sh --skip-genesis
+
+  deploy:
+    needs: validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Trigger Phoenix deployment
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+          curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
+            -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"default\"}"
+
+  deploy-atomic-swap-dapp:
+    needs: validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Trigger Atomic Swap dApp deployment (Phoenix)
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+          curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
+            -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"atomic-swap-dapp-live\"}"
+
+  # After app deploy, ask Phoenix to run path-gated Cloudflare DNS sync on the host that has
+  # PHOENIX_REPO_ROOT + .env (not on this runner). Skips unless PHOENIX_CLOUDFLARE_SYNC=1 on that host.
+  # continue-on-error: first-time or missing opt-in should not block the main deploy.
+  cloudflare:
+    needs:
+      - deploy
+      - deploy-atomic-swap-dapp
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Request Cloudflare DNS sync (Phoenix)
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+          curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
+            -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"cloudflare-sync\"}"

.gitea/workflow-sources/validate-on-pr.yml

@@ -0,0 +1,21 @@
+# Canonical PR validation workflow. Keep source and checked-in workflow copies byte-identical.
+# Validation checks both file sync and main/master parity.
+# PR-only: push validation already runs in deploy-to-phoenix.yml; this gives PRs the same
+# no-LAN checks without the deploy job (and without deploy secrets).
+name: Validate (PR)
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main, master]
+  workflow_dispatch:
+jobs:
+  run-all-validation:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Fetch deploy branches for workflow parity check
+        run: |
+          git fetch --depth=1 origin main master
+      - name: run-all-validation (no LAN, no genesis)
+        run: bash scripts/verify/run-all-validation.sh --skip-genesis

.gitea/workflows/deploy-to-phoenix.yml

@@ -1,11 +1,29 @@
+# Canonical deploy workflow. Keep source and checked-in workflow copies byte-identical.
+# Validation checks both file sync and main/master parity.
 name: Deploy to Phoenix
 
 on:
   push:
     branches: [main, master]
+  workflow_dispatch:
 
 jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Fetch deploy branches for workflow parity check
+        run: |
+          git fetch --depth=1 origin main master
+
+      - name: Run repo validation gate
+        run: |
+          bash scripts/verify/run-all-validation.sh --skip-genesis
+
   deploy:
+    needs: validate
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -13,8 +31,47 @@ jobs:
 
       - name: Trigger Phoenix deployment
         run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
           curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
             -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
             -H "Content-Type: application/json" \
-            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${{ gitea.sha }}\",\"branch\":\"${{ gitea.ref_name }}\"}"
-        continue-on-error: true
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"default\"}"
+
+  deploy-atomic-swap-dapp:
+    needs: validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Trigger Atomic Swap dApp deployment (Phoenix)
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+          curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
+            -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"atomic-swap-dapp-live\"}"
+
+  # After app deploy, ask Phoenix to run path-gated Cloudflare DNS sync on the host that has
+  # PHOENIX_REPO_ROOT + .env (not on this runner). Skips unless PHOENIX_CLOUDFLARE_SYNC=1 on that host.
+  # continue-on-error: first-time or missing opt-in should not block the main deploy.
+  cloudflare:
+    needs:
+      - deploy
+      - deploy-atomic-swap-dapp
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Request Cloudflare DNS sync (Phoenix)
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+          curl -sSf -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
+            -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"repo\":\"${{ gitea.repository }}\",\"sha\":\"${SHA}\",\"branch\":\"${BRANCH}\",\"target\":\"cloudflare-sync\"}"

.gitea/workflows/validate-on-pr.yml

@@ -0,0 +1,21 @@
+# Canonical PR validation workflow. Keep source and checked-in workflow copies byte-identical.
+# Validation checks both file sync and main/master parity.
+# PR-only: push validation already runs in deploy-to-phoenix.yml; this gives PRs the same
+# no-LAN checks without the deploy job (and without deploy secrets).
+name: Validate (PR)
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main, master]
+  workflow_dispatch:
+jobs:
+  run-all-validation:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Fetch deploy branches for workflow parity check
+        run: |
+          git fetch --depth=1 origin main master
+      - name: run-all-validation (no LAN, no genesis)
+        run: bash scripts/verify/run-all-validation.sh --skip-genesis

docs/04-configuration/DEVIN_GITEA_PROXMOX_CICD.md

@@ -0,0 +1,217 @@
+# Devin → Gitea → Proxmox CI/CD
+
+**Status:** Working baseline for this repo  
+**Last Updated:** 2026-04-20
+
+## Goal
+
+Create a repeatable path where:
+
+1. Devin lands code in Gitea.
+2. Gitea Actions validates the repo on the site-wide `act_runner`.
+3. A successful workflow calls `phoenix-deploy-api`.
+4. `phoenix-deploy-api` resolves the repo/branch to a deploy target and runs the matching Proxmox publish command.
+5. The deploy service checks the target health URL before it reports success.
+
+## Current baseline in this repo
+
+The path now exists for **`d-bis/proxmox`** on **`main`** and **`master`**:
+
+- Canonical workflow sources: [.gitea/workflow-sources/deploy-to-phoenix.yml](/home/intlc/projects/proxmox/.gitea/workflow-sources/deploy-to-phoenix.yml) and [.gitea/workflow-sources/validate-on-pr.yml](/home/intlc/projects/proxmox/.gitea/workflow-sources/validate-on-pr.yml)
+- Workflow: [deploy-to-phoenix.yml](/home/intlc/projects/proxmox/.gitea/workflows/deploy-to-phoenix.yml)
+- Manual app workflow: [deploy-portal-live.yml](/home/intlc/projects/proxmox/.gitea/workflows/deploy-portal-live.yml)
+- Deploy service: [server.js](/home/intlc/projects/proxmox/phoenix-deploy-api/server.js)
+- Target map: [deploy-targets.json](/home/intlc/projects/proxmox/phoenix-deploy-api/deploy-targets.json)
+- Current live publish script: [deploy-phoenix-deploy-api-to-dev-vm.sh](/home/intlc/projects/proxmox/scripts/deployment/deploy-phoenix-deploy-api-to-dev-vm.sh)
+- Manual smoke trigger: [trigger-phoenix-deploy.sh](/home/intlc/projects/proxmox/scripts/dev-vm/trigger-phoenix-deploy.sh)
+- Target validator: [validate-phoenix-deploy-targets.sh](/home/intlc/projects/proxmox/scripts/validation/validate-phoenix-deploy-targets.sh)
+- Bootstrap helper: [bootstrap-phoenix-cicd.sh](/home/intlc/projects/proxmox/scripts/dev-vm/bootstrap-phoenix-cicd.sh)
+
+That default target publishes the `phoenix-deploy-api` bundle to **VMID 5700** on the correct Proxmox node and starts the CT if needed.
+
+A second target is now available:
+
+- `portal-live` → runs [sync-sankofa-portal-7801.sh](/home/intlc/projects/proxmox/scripts/deployment/sync-sankofa-portal-7801.sh) and then checks `http://192.168.11.51:3000/`
+
+## Workflow lockstep
+
+Because both `main` and `master` can trigger deploys, deploy behavior is now defined from canonical source files and checked for branch parity.
+
+- Edit only the source files under [.gitea/workflow-sources](/home/intlc/projects/proxmox/.gitea/workflow-sources:1)
+- Sync the checked-in workflow copies with:
+
+```bash
+bash scripts/verify/sync-gitea-workflows.sh
+```
+
+- Validate source sync plus `main`/`master` parity with:
+
+```bash
+bash scripts/verify/run-all-validation.sh --skip-genesis
+```
+
+The deploy and PR workflows both fetch `origin/main` and `origin/master` before validation, so branch drift now fails CI instead of silently changing deploy behavior.
+
+## Flow
+
+```text
+Devin
+  -> push to Gitea
+  -> Gitea Actions on act_runner (5700)
+  -> bash scripts/verify/run-all-validation.sh --skip-genesis
+  -> validates deploy-targets.json structure
+  -> POST /api/deploy to phoenix-deploy-api
+  -> match repo + branch + target in deploy-targets.json
+  -> run deploy command
+  -> verify target health URL
+  -> update Gitea commit status success/failure
+```
+
+## Required setup
+
+### 1. Runner
+
+Bring up the site-wide Gitea runner on VMID **5700**:
+
+```bash
+bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh
+```
+
+Reference: [GITEA_ACT_RUNNER_SETUP.md](GITEA_ACT_RUNNER_SETUP.md)
+
+### 0. One-command bootstrap
+
+If root `.env` already contains the needed values, use:
+
+```bash
+bash scripts/dev-vm/bootstrap-phoenix-cicd.sh --repo d-bis/proxmox
+```
+
+This runs the validation gate, deploys `phoenix-deploy-api`, and smoke-checks the service.
+
+### 2. Deploy API service
+
+Deploy the API to the dev VM:
+
+```bash
+./scripts/deployment/deploy-phoenix-deploy-api-to-dev-vm.sh --dry-run
+./scripts/deployment/deploy-phoenix-deploy-api-to-dev-vm.sh --apply --start-ct
+```
+
+On the target VM, set at least:
+
+```bash
+PORT=4001
+GITEA_URL=https://gitea.d-bis.org
+GITEA_TOKEN=<token with repo status access>
+PHOENIX_DEPLOY_SECRET=<shared secret>
+PHOENIX_REPO_ROOT=/home/intlc/projects/proxmox
+```
+
+Optional:
+
+```bash
+DEPLOY_TARGETS_PATH=/opt/phoenix-deploy-api/deploy-targets.json
+```
+
+For the `portal-live` target, also set:
+
+```bash
+SANKOFA_PORTAL_SRC=/home/intlc/projects/Sankofa/portal
+```
+
+### 3. Gitea repo secrets
+
+Set these in the Gitea repository that should deploy:
+
+- `PHOENIX_DEPLOY_URL`
+- `PHOENIX_DEPLOY_TOKEN`
+
+Example:
+
+- `PHOENIX_DEPLOY_URL=http://192.168.11.59:4001/api/deploy`
+- `PHOENIX_DEPLOY_TOKEN=<same value as PHOENIX_DEPLOY_SECRET>`
+
+For webhook signing, the bootstrap/helper path also expects:
+
+- `PHOENIX_DEPLOY_SECRET`
+- `PHOENIX_WEBHOOK_DEPLOY_ENABLED=1` only if you want webhook events themselves to execute deploys
+
+Do not enable both repo Actions deploys and webhook deploys for the same repo unless you intentionally want duplicate deploy attempts.
+
+## Adding more repos or VM targets
+
+Extend [deploy-targets.json](/home/intlc/projects/proxmox/phoenix-deploy-api/deploy-targets.json) with another entry.
+
+Each target is keyed by:
+
+- `repo`
+- `branch`
+- `target`
+
+Each target defines:
+
+- `cwd`
+- `command`
+- `required_env`
+- optional `healthcheck`
+- optional `timeout_sec`
+
+Example shape:
+
+```json
+{
+  "repo": "d-bis/another-service",
+  "branch": "main",
+  "target": "portal-live",
+  "cwd": "${PHOENIX_REPO_ROOT}",
+  "command": ["bash", "scripts/deployment/sync-sankofa-portal-7801.sh"],
+  "required_env": ["PHOENIX_REPO_ROOT"]
+}
+```
+
+Use separate `target` names when the same repo can publish to different VMIDs or environments.
+
+Target-map validation is already part of:
+
+```bash
+bash scripts/verify/run-all-validation.sh --skip-genesis
+```
+
+and can also be run directly:
+
+```bash
+bash scripts/validation/validate-phoenix-deploy-targets.sh
+```
+
+## Manual testing
+
+Before trusting a new Gitea workflow, trigger the deploy service directly:
+
+```bash
+bash scripts/dev-vm/trigger-phoenix-deploy.sh
+```
+
+Trigger the live portal deployment target directly:
+
+```bash
+bash scripts/dev-vm/trigger-phoenix-deploy.sh d-bis/proxmox main portal-live
+```
+
+Inspect configured targets:
+
+```bash
+curl -s http://192.168.11.59:4001/api/deploy-targets | jq .
+```
+
+## Recommended next expansions
+
+- Add a Phoenix API target for the repo that owns VMID **7800** or **8600**, depending on which deployment line is canonical.
+- Add repo-specific workflows once the Sankofa source repos themselves are mirrored into Gitea Actions.
+- Move secret values from ad hoc `.env` files into the final operator-managed secret source once you settle the production host for `phoenix-deploy-api`.
+
+## Notes
+
+- The Gitea workflow is gated by `scripts/verify/run-all-validation.sh --skip-genesis` before deploy.
+- `phoenix-deploy-api` now returns `404` when no matching target exists and `500` when the deploy command fails.
+- Commit status updates are written back to Gitea from the deploy service itself.

scripts/verify/check-gitea-branch-workflow-parity.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+
+SOURCE_TARGET_PAIRS=(
+  ".gitea/workflow-sources/deploy-to-phoenix.yml:.gitea/workflows/deploy-to-phoenix.yml"
+  ".gitea/workflow-sources/validate-on-pr.yml:.gitea/workflows/validate-on-pr.yml"
+)
+
+missing_ref=false
+for ref in origin/main origin/master; do
+  if ! git rev-parse --verify "$ref" >/dev/null 2>&1; then
+    missing_ref=true
+  fi
+done
+
+if [[ "$missing_ref" == true ]]; then
+  echo "[i] Skipping main/master workflow parity check (origin/main or origin/master not available)"
+  exit 0
+fi
+
+for pair in "${SOURCE_TARGET_PAIRS[@]}"; do
+  source="${pair%%:*}"
+  target="${pair##*:}"
+
+  main_blob="$(git show "origin/main:$source" 2>/dev/null || true)"
+  master_blob="$(git show "origin/master:$source" 2>/dev/null || true)"
+
+  if [[ -z "$main_blob" ]]; then
+    main_blob="$(git show "origin/main:$target" 2>/dev/null || true)"
+  fi
+  if [[ -z "$master_blob" ]]; then
+    master_blob="$(git show "origin/master:$target" 2>/dev/null || true)"
+  fi
+
+  if [[ -z "$main_blob" || -z "$master_blob" ]]; then
+    echo "[✗] Missing $source/$target on origin/main or origin/master" >&2
+    exit 1
+  fi
+
+  if [[ "$main_blob" != "$master_blob" ]]; then
+    echo "[✗] Branch workflow drift: $source differs between origin/main and origin/master" >&2
+    echo "    Keep both deploy branches in lockstep for workflow-source files." >&2
+    exit 1
+  fi
+
+  echo "[✓] Branch parity OK for $source"
+done

scripts/verify/check-gitea-workflows.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+
+check_one() {
+  local source_rel="$1"
+  local target_rel="$2"
+
+  if [[ ! -f "$source_rel" ]]; then
+    echo "[✗] Missing workflow source: $source_rel" >&2
+    return 1
+  fi
+
+  if [[ ! -f "$target_rel" ]]; then
+    echo "[✗] Missing generated workflow: $target_rel" >&2
+    return 1
+  fi
+
+  if ! diff -u "$source_rel" "$target_rel" >/dev/null; then
+    echo "[✗] Workflow drift detected: $target_rel does not match $source_rel" >&2
+    echo "    Run: bash scripts/verify/sync-gitea-workflows.sh" >&2
+    return 1
+  fi
+
+  echo "[✓] $target_rel matches $source_rel"
+}
+
+check_one ".gitea/workflow-sources/deploy-to-phoenix.yml" ".gitea/workflows/deploy-to-phoenix.yml"
+check_one ".gitea/workflow-sources/validate-on-pr.yml" ".gitea/workflows/validate-on-pr.yml"

scripts/verify/run-all-validation.sh

@@ -3,6 +3,7 @@
 # Use for CI or pre-deploy: dependencies, config files, optional genesis.
 # Usage: bash scripts/verify/run-all-validation.sh [--skip-genesis]
 #   --skip-genesis: do not run validate-genesis.sh (default: run if smom-dbis-138 present).
+# Steps: dependencies, config files, cW* mesh matrix (if pair-discovery JSON exists), genesis.
 
 set -euo pipefail
 
@@ -24,15 +25,64 @@ bash "$SCRIPT_DIR/check-dependencies.sh" || log_err "check-dependencies failed"
 log_ok "Dependencies OK"
 echo ""
 
+echo "1b. pnpm workspace vs lockfile..."
+if [[ -f "$PROJECT_ROOT/pnpm-workspace.yaml" ]]; then
+  bash "$SCRIPT_DIR/check-pnpm-workspace-lockfile.sh" || log_err "pnpm lockfile / workspace drift"
+  log_ok "pnpm lockfile aligned with workspace"
+else
+  echo "   (no pnpm-workspace.yaml at root — skip)"
+fi
+echo ""
+
+echo "1c. Gitea workflow source sync..."
+bash "$SCRIPT_DIR/check-gitea-workflows.sh" || log_err "Gitea workflow source drift"
+log_ok "Gitea workflows match source-of-truth files"
+echo ""
+
+echo "1d. main/master workflow parity..."
+bash "$SCRIPT_DIR/check-gitea-branch-workflow-parity.sh" || log_err "main/master workflow parity drift"
+log_ok "main/master workflow parity OK"
+echo ""
+
 echo "2. Config files..."
 bash "$SCRIPT_DIR/../validation/validate-config-files.sh" || log_err "validate-config-files failed"
 log_ok "Config validation OK"
 echo ""
 
-if [[ "$SKIP_GENESIS" == true ]]; then
-  echo "3. Genesis — skipped (--skip-genesis)"
+echo "3. cW* mesh matrix (deployment-status + Uni V2 pair-discovery)..."
+DISCOVERY_JSON="$PROJECT_ROOT/reports/extraction/promod-uniswap-v2-live-pair-discovery-latest.json"
+if [[ -f "$DISCOVERY_JSON" ]]; then
+  MATRIX_JSON="$PROJECT_ROOT/reports/status/cw-mesh-deployment-matrix-latest.json"
+  bash "$SCRIPT_DIR/build-cw-mesh-deployment-matrix.sh" --no-markdown --json-out "$MATRIX_JSON" || log_err "cw mesh matrix merge failed"
+  log_ok "cW mesh matrix OK (also wrote $MATRIX_JSON)"
 else
-  echo "3. Genesis (smom-dbis-138)..."
+  echo "   ($DISCOVERY_JSON missing — run: bash scripts/verify/build-promod-uniswap-v2-live-pair-discovery.sh)"
+fi
+echo ""
+
+echo "3b. deployment-status graph (cross-chain-pmm-lps)..."
+PMM_VALIDATE="$PROJECT_ROOT/cross-chain-pmm-lps/scripts/validate-deployment-status.cjs"
+if [[ -f "$PMM_VALIDATE" ]] && command -v node &>/dev/null; then
+  node "$PMM_VALIDATE" || log_err "validate-deployment-status.cjs failed"
+  log_ok "deployment-status.json rules OK"
+else
+  echo "   (skip: node or $PMM_VALIDATE missing)"
+fi
+echo ""
+
+echo "3c. External dependency blockers..."
+EXT_CHECK="$SCRIPT_DIR/check-external-dependencies.sh"
+if [[ -x "$EXT_CHECK" ]]; then
+  bash "$EXT_CHECK" --advisory || true
+else
+  echo "   (skip: $EXT_CHECK missing)"
+fi
+echo ""
+
+if [[ "$SKIP_GENESIS" == true ]]; then
+  echo "4. Genesis — skipped (--skip-genesis)"
+else
+  echo "4. Genesis (smom-dbis-138)..."
   GENESIS_SCRIPT="$PROJECT_ROOT/smom-dbis-138/scripts/validation/validate-genesis.sh"
   if [[ -x "$GENESIS_SCRIPT" ]]; then
     bash "$GENESIS_SCRIPT" || log_err "validate-genesis failed"

scripts/verify/sync-gitea-workflows.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+
+sync_one() {
+  local source_rel="$1"
+  local target_rel="$2"
+
+  mkdir -p "$(dirname "$target_rel")"
+  cp "$source_rel" "$target_rel"
+  echo "[✓] Synced $target_rel from $source_rel"
+}
+
+sync_one ".gitea/workflow-sources/deploy-to-phoenix.yml" ".gitea/workflows/deploy-to-phoenix.yml"
+sync_one ".gitea/workflow-sources/validate-on-pr.yml" ".gitea/workflows/validate-on-pr.yml"