Align E2E profile workflow across scripts and runbooks

2026-03-06 08:46:55 -08:00
parent e4c9dda0fd
commit d38174dc25
18 changed files with 345 additions and 53 deletions
--- a/docs/03-deployment/BLOCKSCOUT_FIX_RUNBOOK.md
+++ b/docs/03-deployment/BLOCKSCOUT_FIX_RUNBOOK.md
@@ -145,7 +145,7 @@ BLOCKSCOUT_URL=http://192.168.11.140:4000 node forge-verification-proxy/server.j
 ## E2E completion (Blockscout and other sites)
- **Public routing E2E**: `bash scripts/verify/verify-end-to-end-routing.sh` tests explorer.d-bis.org (DNS, SSL, HTTPS) and an optional Blockscout API check (`/api/v2/stats`). The API check does not fail the run if unreachable; use `SKIP_BLOCKSCOUT_API=1` to skip it. See [E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md](../05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md).
+- **Public routing E2E**: `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` tests explorer.d-bis.org (DNS, SSL, HTTPS) and an optional Blockscout API check (`/api/v2/stats`). The API check does not fail the run if unreachable; use `SKIP_BLOCKSCOUT_API=1` to skip it. See [E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md](../05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md).
 - **Full explorer E2E (on LAN)**: From a host that can reach 192.168.11.140, run `explorer-monorepo/scripts/e2e-test-explorer.sh` for frontend, API, and service checks.
 - **Daily checks**: `scripts/maintenance/daily-weekly-checks.sh daily` checks explorer indexer via `/api/v2/stats` (and fallback legacy API).
--- a/docs/03-deployment/OPERATIONAL_RUNBOOKS.md
+++ b/docs/03-deployment/OPERATIONAL_RUNBOOKS.md
@@ -381,7 +381,7 @@ See **[BLOCKSCOUT_FIX_RUNBOOK.md](BLOCKSCOUT_FIX_RUNBOOK.md)** § "Proactive: Wh
 ### After NPMplus or DNS changes
 Run **E2E routing** (includes explorer.d-bis.org):  
-`bash scripts/verify/verify-end-to-end-routing.sh`
+`bash scripts/verify/verify-end-to-end-routing.sh --profile=public`
 ### After frontend or Blockscout deploy
@@ -558,4 +558,3 @@ See [BLOCKSCOUT_FIX_RUNBOOK.md](BLOCKSCOUT_FIX_RUNBOOK.md).
 **Maintained By:** Infrastructure Team  
 **Review Cycle:** Monthly  
 **Last Updated:** 2026-02-05
--- a/docs/03-deployment/SANKOFA_STUDIO_E2E_FLOW.md
+++ b/docs/03-deployment/SANKOFA_STUDIO_E2E_FLOW.md
@@ -112,7 +112,7 @@ curl -s http://192.168.11.72:8000/studio/ -o /dev/null -w "%{http_code}\n"
 ```bash
 cd /home/intlc/projects/proxmox
-bash scripts/verify/verify-end-to-end-routing.sh
+bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 - Report: `docs/04-configuration/verification-evidence/e2e-verification-<timestamp>/verification_report.md`
--- a/docs/04-configuration/E2E_ENDPOINTS_LIST.md
+++ b/docs/04-configuration/E2E_ENDPOINTS_LIST.md
@@ -0,0 +1,143 @@
 # E2E verification — endpoint inventory and profiles
 **Source:** `scripts/verify/verify-end-to-end-routing.sh` (DOMAIN_TYPES).  
 **List from CLI (public):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=public`  
 **List from CLI (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=private`  
 **Run E2E (public profile recommended):** `./scripts/verify/verify-end-to-end-routing.sh --profile=public` (from LAN with DNS or use `E2E_USE_SYSTEM_RESOLVER=1` and `/etc/hosts` per [E2E_DNS_FROM_LAN_RUNBOOK.md](E2E_DNS_FROM_LAN_RUNBOOK.md)).  
 **Run E2E (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --profile=private`.
 ## Verification profiles
 - **Public profile (default for routine E2E):** web, api, public RPC endpoints.
 - **Private/admin profile:** private RPC and Fireblocks RPC endpoints. Run separately for internal operations.
 ## Full endpoint inventory (combined)
 | Endpoint | Type | URL | Description (content provided) |
 |----------|------|-----|--------------------------------|
 | explorer.d-bis.org | web | https://explorer.d-bis.org | Blockscout-style blockchain explorer for Chain 138: blocks, transactions, addresses, contracts, tokens, verification. |
 | dbis-admin.d-bis.org | web | https://dbis-admin.d-bis.org | DBIS admin dashboard and frontend (VMID 10130). |
 | secure.d-bis.org | web | https://secure.d-bis.org | Secure DBIS frontend / authenticated portal. |
 | dbis-api.d-bis.org | api | https://dbis-api.d-bis.org | DBIS core API: token aggregation, Crypto.com OTC, exchange endpoints (VMID 10150). |
 | dbis-api-2.d-bis.org | api | https://dbis-api-2.d-bis.org | DBIS API secondary instance (VMID 10151). |
 | mim4u.org | web | https://mim4u.org | MIM4U main site. |
 | www.mim4u.org | web | https://www.mim4u.org | MIM4U www. |
 | secure.mim4u.org | web | https://secure.mim4u.org | MIM4U secure portal. |
 | training.mim4u.org | web | https://training.mim4u.org | MIM4U training site. |
 | sankofa.nexus | web | https://sankofa.nexus | Sankofa Nexus root / web. |
 | www.sankofa.nexus | web | https://www.sankofa.nexus | Sankofa Nexus www. |
 | phoenix.sankofa.nexus | web | https://phoenix.sankofa.nexus | Phoenix (Sankofa) web app. |
 | www.phoenix.sankofa.nexus | web | https://www.phoenix.sankofa.nexus | Phoenix www. |
 | the-order.sankofa.nexus | web | https://the-order.sankofa.nexus | Hosted client on the Sankofa Phoenix cloud services platform. |
 | studio.sankofa.nexus | web | https://studio.sankofa.nexus | Sankofa Studio (FusionAI Creator) at VMID 7805. |
 | cacti-alltra.d-bis.org | web | https://cacti-alltra.d-bis.org | Cacti monitoring UI for Alltra. |
 | cacti-hybx.d-bis.org | web | https://cacti-hybx.d-bis.org | Cacti monitoring UI for HYBX. |
 | mifos.d-bis.org | web | https://mifos.d-bis.org | Mifos X / Fineract banking and microfinance platform (VMID 5800). |
 | dapp.d-bis.org | web | https://dapp.d-bis.org | DApp frontend for Chain 138 bridge (VMID 5801). |
 | gitea.d-bis.org | web | https://gitea.d-bis.org | Gitea git repository and CI (Dev VM 5700). |
 | dev.d-bis.org | web | https://dev.d-bis.org | Dev VM web / Codespaces entry. |
 | codespaces.d-bis.org | web | https://codespaces.d-bis.org | Codespaces / dev environment entry. |
 | rpc-http-pub.d-bis.org | rpc-http | https://rpc-http-pub.d-bis.org | Chain 138 public JSON-RPC HTTP (VMID 2201). |
 | rpc-ws-pub.d-bis.org | rpc-ws | wss://rpc-ws-pub.d-bis.org | Chain 138 public JSON-RPC WebSocket. |
 | rpc.d-bis.org | rpc-http | https://rpc.d-bis.org | Chain 138 RPC HTTP (alias). |
 | rpc2.d-bis.org | rpc-http | https://rpc2.d-bis.org | Chain 138 RPC HTTP (second). |
 | ws.rpc.d-bis.org | rpc-ws | wss://ws.rpc.d-bis.org | Chain 138 RPC WebSocket. |
 | ws.rpc2.d-bis.org | rpc-ws | wss://ws.rpc2.d-bis.org | Chain 138 RPC WebSocket (second). |
 | rpc-http-prv.d-bis.org | rpc-http | https://rpc-http-prv.d-bis.org | Chain 138 private/admin RPC HTTP (VMID 2101). |
 | rpc-ws-prv.d-bis.org | rpc-ws | wss://rpc-ws-prv.d-bis.org | Chain 138 private RPC WebSocket. |
 | rpc-fireblocks.d-bis.org | rpc-http | https://rpc-fireblocks.d-bis.org | Chain 138 RPC for Fireblocks Web3 (VMID 2301). |
 | ws.rpc-fireblocks.d-bis.org | rpc-ws | wss://ws.rpc-fireblocks.d-bis.org | Chain 138 RPC WebSocket for Fireblocks. |
 | rpc.public-0138.defi-oracle.io | rpc-http | https://rpc.public-0138.defi-oracle.io | Defi Oracle Chain 138 public RPC. |
 | rpc.defi-oracle.io | rpc-http | https://rpc.defi-oracle.io | Defi Oracle RPC. |
 | wss.defi-oracle.io | rpc-ws | wss://wss.defi-oracle.io | Defi Oracle RPC WebSocket. |
 | rpc-alltra.d-bis.org | rpc-http | https://rpc-alltra.d-bis.org | Alltra chain RPC HTTP. |
 | rpc-alltra-2.d-bis.org | rpc-http | https://rpc-alltra-2.d-bis.org | Alltra chain RPC HTTP (2). |
 | rpc-alltra-3.d-bis.org | rpc-http | https://rpc-alltra-3.d-bis.org | Alltra chain RPC HTTP (3). |
 | rpc-hybx.d-bis.org | rpc-http | https://rpc-hybx.d-bis.org | HYBX chain RPC HTTP. |
 | rpc-hybx-2.d-bis.org | rpc-http | https://rpc-hybx-2.d-bis.org | HYBX chain RPC HTTP (2). |
 | rpc-hybx-3.d-bis.org | rpc-http | https://rpc-hybx-3.d-bis.org | HYBX chain RPC HTTP (3). |
 ## Endpoints by type
 ### Web
 | Domain | URL |
 |--------|-----|
 | explorer.d-bis.org | https://explorer.d-bis.org |
 | dbis-admin.d-bis.org | https://dbis-admin.d-bis.org |
 | secure.d-bis.org | https://secure.d-bis.org |
 | mim4u.org | https://mim4u.org |
 | www.mim4u.org | https://www.mim4u.org |
 | secure.mim4u.org | https://secure.mim4u.org |
 | training.mim4u.org | https://training.mim4u.org |
 | sankofa.nexus | https://sankofa.nexus |
 | www.sankofa.nexus | https://www.sankofa.nexus |
 | phoenix.sankofa.nexus | https://phoenix.sankofa.nexus |
 | www.phoenix.sankofa.nexus | https://www.phoenix.sankofa.nexus |
 | the-order.sankofa.nexus | https://the-order.sankofa.nexus |
 | studio.sankofa.nexus | https://studio.sankofa.nexus |
 | cacti-alltra.d-bis.org | https://cacti-alltra.d-bis.org |
 | cacti-hybx.d-bis.org | https://cacti-hybx.d-bis.org |
 | mifos.d-bis.org | https://mifos.d-bis.org |
 | dapp.d-bis.org | https://dapp.d-bis.org |
 | gitea.d-bis.org | https://gitea.d-bis.org |
 | dev.d-bis.org | https://dev.d-bis.org |
 | codespaces.d-bis.org | https://codespaces.d-bis.org |
 ### API
 | Domain | URL |
 |--------|-----|
 | dbis-api.d-bis.org | https://dbis-api.d-bis.org |
 | dbis-api-2.d-bis.org | https://dbis-api-2.d-bis.org |
 ### RPC HTTP (public)
 | Domain | URL |
 |--------|-----|
 | rpc-http-pub.d-bis.org | https://rpc-http-pub.d-bis.org |
 | rpc.d-bis.org | https://rpc.d-bis.org |
 | rpc2.d-bis.org | https://rpc2.d-bis.org |
 | rpc.public-0138.defi-oracle.io | https://rpc.public-0138.defi-oracle.io |
 | rpc.defi-oracle.io | https://rpc.defi-oracle.io |
 | rpc-alltra.d-bis.org | https://rpc-alltra.d-bis.org |
 | rpc-alltra-2.d-bis.org | https://rpc-alltra-2.d-bis.org |
 | rpc-alltra-3.d-bis.org | https://rpc-alltra-3.d-bis.org |
 | rpc-hybx.d-bis.org | https://rpc-hybx.d-bis.org |
 | rpc-hybx-2.d-bis.org | https://rpc-hybx-2.d-bis.org |
 | rpc-hybx-3.d-bis.org | https://rpc-hybx-3.d-bis.org |
 ### RPC WebSocket (public)
 | Domain | URL |
 |--------|-----|
 | rpc-ws-pub.d-bis.org | wss://rpc-ws-pub.d-bis.org |
 | ws.rpc.d-bis.org | wss://ws.rpc.d-bis.org |
 | ws.rpc2.d-bis.org | wss://ws.rpc2.d-bis.org |
 | wss.defi-oracle.io | wss://wss.defi-oracle.io |
 ### RPC HTTP (private/admin profile)
 | Domain | URL |
 |--------|-----|
 | rpc-http-prv.d-bis.org | https://rpc-http-prv.d-bis.org |
 | rpc-fireblocks.d-bis.org | https://rpc-fireblocks.d-bis.org |
 ### RPC WebSocket (private/admin profile)
 | Domain | URL |
 |--------|-----|
 | rpc-ws-prv.d-bis.org | wss://rpc-ws-prv.d-bis.org |
 | ws.rpc-fireblocks.d-bis.org | wss://ws.rpc-fireblocks.d-bis.org |
 ## Report content
 After each run, the verification report includes:
 1. **All endpoints** — table of every domain, type, and URL.
 2. **Summary** — counts (DNS pass, HTTPS pass, failed, skipped) and average response time.
 3. **Results overview** — table of each domain with DNS | SSL | HTTPS | RPC status.
 4. **Test Results by Domain** — per-domain detail (DNS, SSL, HTTPS, Blockscout API, RPC).
 Output directory: `docs/04-configuration/verification-evidence/e2e-verification-<timestamp>/`  
 Files: `verification_report.md`, `all_e2e_results.json`, `*_https_headers.txt`, `*_rpc_response.txt`.
--- a/docs/04-configuration/README.md
+++ b/docs/04-configuration/README.md
@@ -24,6 +24,8 @@ This directory contains setup and configuration guides.
 - **[NPMPLUS_PROXY_HOSTS_SNAPSHOT_2026-03.md](NPMPLUS_PROXY_HOSTS_SNAPSHOT_2026-03.md)** - Snapshot of NPMplus proxy destinations (IP:port) and VMID mapping (March 2026)
 - **[NPMPLUS_CUSTOM_NGINX_CONFIG.md](NPMPLUS_CUSTOM_NGINX_CONFIG.md)** - NPMplus custom config: proxy variables, security headers (CSP with unsafe-eval for ethers.js), and caveat (do not add `location '/'`)
 - **[NPMPLUS_UI_APIERROR_400_RUNBOOK.md](NPMPLUS_UI_APIERROR_400_RUNBOOK.md)** - NPMplus UI ApiError 400 on dashboard load: find failing request, test API with curl, logs, fixes
 - **[E2E_DNS_FROM_LAN_RUNBOOK.md](E2E_DNS_FROM_LAN_RUNBOOK.md)** - Run E2E domain sweep from LAN when public DNS is unavailable: /etc/hosts option, DNS path, or bastion
 - **[E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md)** - All E2E verification endpoints (domain, type, URL); list from CLI: `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=public`
 - **[PROXMOX_LOAD_BALANCING_RUNBOOK.md](PROXMOX_LOAD_BALANCING_RUNBOOK.md)** - Balance Proxmox load: migrate containers from r630-01 to r630-02/ml110; candidates, script, cluster vs backup/restore
 - **[PROXMOX_ADD_THIRD_FOURTH_R630_DECISION.md](PROXMOX_ADD_THIRD_FOURTH_R630_DECISION.md)** - Add 3rd/4th R630 before migration? r630-03/04 status, HA/Ceph (3–4 nodes), order of operations
 - **[ER605_ROUTER_CONFIGURATION.md](ER605_ROUTER_CONFIGURATION.md)** ⭐⭐ - ER605 router configuration
@@ -122,4 +124,3 @@ This directory contains setup and configuration guides.
 - **[../01-getting-started/](../01-getting-started/)** - Getting started
 - **[../02-architecture/](../02-architecture/)** - Architecture reference
 - **[../05-network/](../05-network/)** - Network infrastructure
--- a/docs/05-network/CHECK_ALL_UPDATES_AND_CLOUDFLARE_TUNNELS.md
+++ b/docs/05-network/CHECK_ALL_UPDATES_AND_CLOUDFLARE_TUNNELS.md
@@ -69,7 +69,7 @@ The dev/Codespaces FQDN (gitea.d-bis.org, dev.d-bis.org, codespaces.d-bis.org) i
 | Check | Command |
 |-------|--------|
-| **E2E (all domains incl. Gitea)** | `bash scripts/verify/verify-end-to-end-routing.sh` |
+| **E2E (all domains incl. Gitea)** | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
 | **RPC tunnel ingress (from host with VMID 102)** | `bash scripts/verify/verify-cloudflare-tunnel-ingress.sh [--host 192.168.11.11]` |
 | **Dev/Codespaces tunnel + DNS** | `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` (updates ingress + CNAMEs) |
 | **NPMplus Fourth proxy (gitea → .59:3000)** | `NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` |
--- a/docs/05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md
+++ b/docs/05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md
@@ -80,7 +80,7 @@ From the project root:
 ```bash
 cd /home/intlc/projects/proxmox
-bash scripts/verify/verify-end-to-end-routing.sh
+bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 Optional environment variables:
@@ -95,7 +95,7 @@ Optional environment variables:
 Example when using Fastly (DNS points to Fastly, not 76.53.10.36):
 ```bash
-ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh
+ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 Outputs:
@@ -141,7 +141,7 @@ If any domain fails:
 ## Blockscout and explorer.d-bis.org (E2E completion)
- **Public E2E**: `verify-end-to-end-routing.sh` tests explorer.d-bis.org as **web** (DNS, SSL, HTTPS). It also runs an **optional** Blockscout API check (GET `https://explorer.d-bis.org/api/v2/stats`). If the API is unreachable (e.g. run from off-LAN), the result is recorded as `skip` and does not fail the run. Use `SKIP_BLOCKSCOUT_API=1` to skip this check entirely.
+- **Public E2E**: `verify-end-to-end-routing.sh --profile=public` tests explorer.d-bis.org as **web** (DNS, SSL, HTTPS). It also runs an **optional** Blockscout API check (GET `https://explorer.d-bis.org/api/v2/stats`). If the API is unreachable (e.g. run from off-LAN), the result is recorded as `skip` and does not fail the run. Use `SKIP_BLOCKSCOUT_API=1` to skip this check entirely.
 - **Fix Blockscout** (502, DB, migrations): Run on Proxmox host or from LAN per [BLOCKSCOUT_FIX_RUNBOOK.md](../03-deployment/BLOCKSCOUT_FIX_RUNBOOK.md). Key script: `scripts/fix-blockscout-ssl-and-migrations.sh`.
 - **Full explorer E2E on LAN**: For comprehensive explorer tests (frontend, API, services on VMID 5000), run from a host that can reach 192.168.11.140: `explorer-monorepo/scripts/e2e-test-explorer.sh`. Report: [explorer-monorepo/E2E_TEST_REPORT.md](../../../explorer-monorepo/E2E_TEST_REPORT.md).
 - **Daily checks**: Explorer indexer is checked by `scripts/maintenance/daily-weekly-checks.sh daily` using Blockscout `/api/v2/stats` (and fallback to `?module=stats&action=eth_price`).
--- a/docs/05-network/E2E_RPC_EDGE_LIMITATION.md
+++ b/docs/05-network/E2E_RPC_EDGE_LIMITATION.md
@@ -74,7 +74,7 @@ Follow the **Option B runbook** for step-by-step instructions and the DNS script
   - Follow [CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md): point all Public Hostnames (including the 6 RPC) to `http://192.168.11.167:80`, verify from VMID 102, restart cloudflared.
 2. **Point RPC hostnames to the tunnel** in Cloudflare DNS:
   - Run: `./scripts/set-rpc-dns-to-tunnel.sh` (uses `CLOUDFLARE_TUNNEL_ID` and zone IDs from `.env`), or set CNAME manually per the runbook.
-3. **Re-run E2E:** After DNS propagates, run `bash scripts/verify/troubleshoot-rpc-failures.sh` and `./scripts/verify/verify-end-to-end-routing.sh`; POST will succeed and the 6 RPC checks can pass.
+3. **Re-run E2E:** After DNS propagates, run `bash scripts/verify/troubleshoot-rpc-failures.sh` and `./scripts/verify/verify-end-to-end-routing.sh --profile=public`; POST will succeed and the 6 RPC checks can pass.
 ---
@@ -83,7 +83,7 @@ Follow the **Option B runbook** for step-by-step instructions and the DNS script
 When the only failures are the 6 RPC (edge blocking POST), you can still treat E2E as successful for DNS and HTTPS:
 ```bash
-E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 ./scripts/verify/verify-end-to-end-routing.sh
+E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 - Exit code is **0** when DNS and HTTPS all pass and all failures are RPC.
--- a/docs/05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md
+++ b/docs/05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md
@@ -117,7 +117,7 @@ bash scripts/verify/troubleshoot-rpc-failures.sh
 # Full E2E (no need for E2E_SUCCESS_IF_ONLY_RPC_BLOCKED when RPC passes)
 # Use ACCEPT_ANY_DNS=1 so the 6 RPC hostnames (resolving to Cloudflare) count as DNS pass
-ACCEPT_ANY_DNS=1 ./scripts/verify/verify-end-to-end-routing.sh
+ACCEPT_ANY_DNS=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 ---
@@ -150,4 +150,4 @@ To send RPC traffic back through the UDM Pro (and accept 405 again):
 | 1 | Tunnel Public Hostnames: all 6 RPC hostnames → https://192.168.11.167:443 (No TLS Verify) |
 | 2 | (Optional) Verify origin from VMID 102 |
 | 3 | DNS: 6 RPC hostnames → CNAME to &lt;tunnel-id&gt;.cfargotunnel.com (Proxied) |
-| 4 | Re-run troubleshoot-rpc-failures.sh and verify-end-to-end-routing.sh |
+| 4 | Re-run troubleshoot-rpc-failures.sh and verify-end-to-end-routing.sh --profile=public |
--- a/docs/05-network/README.md
+++ b/docs/05-network/README.md
@@ -26,7 +26,7 @@ This directory contains network infrastructure documentation.
 ## Quick Reference
-**Edge:** UDM Pro (76.53.10.34); origin 76.53.10.36 → NPMplus 192.168.11.167. **Option B:** 6 RPC hostnames via Cloudflare Tunnel. E2E: `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh` when using Option B.
+**Edge:** UDM Pro (76.53.10.34); origin 76.53.10.36 → NPMplus 192.168.11.167. **Option B:** 6 RPC hostnames via Cloudflare Tunnel. E2E: `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public` when using Option B.
 ## Related Documentation
@@ -34,4 +34,3 @@ This directory contains network infrastructure documentation.
 - **[../02-architecture/NETWORK_ARCHITECTURE.md](../02-architecture/NETWORK_ARCHITECTURE.md)** - Complete network architecture
 - **[../04-configuration/RPC_ENDPOINTS_MASTER.md](../04-configuration/RPC_ENDPOINTS_MASTER.md)** - RPC proxy and DNS
 - **[../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md](../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md)** - Option B tunnel connector install
--- a/docs/12-quick-reference/QUICK_REFERENCE.md
+++ b/docs/12-quick-reference/QUICK_REFERENCE.md
@@ -15,7 +15,7 @@
 | Wave 2/3 operator checklist | [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](../00-meta/WAVE2_WAVE3_OPERATOR_CHECKLIST.md) |
 | Run log | [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived) |
 | Full verification | `bash scripts/verify/run-full-verification.sh` |
-| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh` |
+| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
 ---
@@ -203,4 +203,3 @@ bash ProxmoxVE/ct/AppName.sh -u
 - [ ] Test on Proxmox VE 8.4+ or 9.0+
 - [ ] Implement update function (if applicable)
 - [ ] Update documentation (if needed)
--- a/docs/12-quick-reference/QUICK_REFERENCE_CARDS.md
+++ b/docs/12-quick-reference/QUICK_REFERENCE_CARDS.md
@@ -142,8 +142,8 @@ Expected: Table with columns VMID, status, name, type (e.g. `running`, `ubuntu-2
 | Task | Command / Location |
 |------|--------------------|
 | Full verification (deps + E2E) | `bash scripts/verify/run-full-verification.sh` |
-| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh` |
+| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
-| E2E with Option B (RPC via tunnel) | `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh` |
+| E2E with Option B (RPC via tunnel) | `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
 | Dependencies check | `bash scripts/verify/check-dependencies.sh` |
 | NPMplus RPC fix (from LAN) | `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` |
 | NPMplus backup | `bash scripts/verify/backup-npmplus.sh` |
--- a/scripts/deployment/run-all-next-steps-chain138.sh
+++ b/scripts/deployment/run-all-next-steps-chain138.sh
@@ -1,9 +1,13 @@
 #!/usr/bin/env bash
-# Run all deployment next steps for Chain 138 in order: preflight → mirror+pool (or pool-only) → register c* as GRU → verify.
+# Run all deployment next steps for Chain 138 in order:
 # preflight → (optional mirror+seed pool) → PMM mesh (default) → register c* as GRU → verify.
 #
-# Usage: ./scripts/deployment/run-all-next-steps-chain138.sh [--dry-run] [--skip-mirror] [--skip-register-gru] [--skip-verify]
+# Usage: ./scripts/deployment/run-all-next-steps-chain138.sh [--dry-run] [--skip-mirror] [--skip-mesh] [--legacy-pools-only] [--mesh-only] [--skip-register-gru] [--skip-verify]
 #   --dry-run         Print steps only; do not run deploy/scripts.
-#   --skip-mirror     Do not deploy TransactionMirror (pool-only; requires TRANSACTION_MIRROR_ADDRESS in smom-dbis-138/.env).
+#   --skip-mirror     Do not deploy TransactionMirror + seed pool step.
 #   --skip-mesh       Do not run full PMM mesh creation script.
 #   --legacy-pools-only  Equivalent to --skip-mesh (keeps legacy mirror+seed behavior only).
 #   --mesh-only       Skip mirror+seed step and run mesh creation only.
 #   --skip-register-gru  Skip RegisterGRUCompliantTokens (e.g. if already registered).
 #   --skip-verify     Skip final on-chain verification.
 #
@@ -17,17 +21,22 @@ SMOM="$PROJECT_ROOT/smom-dbis-138"
 DRY_RUN=""
 SKIP_MIRROR=""
 SKIP_MESH=""
 MESH_ONLY=""
 SKIP_REGISTER_GRU=""
 SKIP_VERIFY=""
 for a in "$@"; do
  [[ "$a" == "--dry-run" ]] && DRY_RUN=1
  [[ "$a" == "--skip-mirror" ]] && SKIP_MIRROR=1
  [[ "$a" == "--skip-mesh" ]] && SKIP_MESH=1
  [[ "$a" == "--legacy-pools-only" ]] && SKIP_MESH=1
  [[ "$a" == "--mesh-only" ]] && MESH_ONLY=1 && SKIP_MIRROR=1
  [[ "$a" == "--skip-register-gru" ]] && SKIP_REGISTER_GRU=1
  [[ "$a" == "--skip-verify" ]] && SKIP_VERIFY=1
 done
 echo "=== Chain 138 — run all next steps ==="
-echo "  dry-run: $DRY_RUN  skip-mirror: $SKIP_MIRROR  skip-register-gru: $SKIP_REGISTER_GRU  skip-verify: $SKIP_VERIFY"
+echo "  dry-run: $DRY_RUN  skip-mirror: $SKIP_MIRROR  skip-mesh: $SKIP_MESH  mesh-only: $MESH_ONLY  skip-register-gru: $SKIP_REGISTER_GRU  skip-verify: $SKIP_VERIFY"
 echo ""
 # 1) Preflight
@@ -39,26 +48,37 @@ else
 fi
 echo ""
-# 2) TransactionMirror + PMM pool (or pool-only)
+# 2) TransactionMirror + seed pool (legacy step; optional)
-echo "--- Step 2: TransactionMirror + PMM pool ---"
+if [[ -z "$SKIP_MIRROR" ]]; then
-if [[ -n "$DRY_RUN" ]]; then
+  echo "--- Step 2: TransactionMirror + seed pool ---"
-  if [[ -n "$SKIP_MIRROR" ]]; then
+  if [[ -n "$DRY_RUN" ]]; then
    echo "[DRY-RUN] $PROJECT_ROOT/scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh --skip-mirror"
  else
    echo "[DRY-RUN] $PROJECT_ROOT/scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh"
  fi
 else
  if [[ -n "$SKIP_MIRROR" ]]; then
    "$PROJECT_ROOT/scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh" --skip-mirror || { echo "Deploy (pool-only) failed." >&2; exit 1; }
  else
    "$PROJECT_ROOT/scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh" || { echo "Deploy failed." >&2; exit 1; }
  fi
  echo ""
 else
  echo "--- Step 2: TransactionMirror + seed pool (skipped) ---"
  echo ""
 fi
 echo ""
-# 3) Register c* as GRU (optional)
+# 3) PMM full mesh (default on Chain 138)
 if [[ -z "$SKIP_MESH" ]]; then
  echo "--- Step 3: PMM full mesh (Chain 138) ---"
  if [[ -n "$DRY_RUN" ]]; then
    echo "[DRY-RUN] $PROJECT_ROOT/scripts/create-pmm-full-mesh-chain138.sh"
  else
    "$PROJECT_ROOT/scripts/create-pmm-full-mesh-chain138.sh" || { echo "PMM full mesh failed." >&2; exit 1; }
  fi
  echo ""
 else
  echo "--- Step 3: PMM full mesh (skipped; legacy-only mode) ---"
  echo ""
 fi
 # 4) Register c* as GRU (optional)
 if [[ -z "$SKIP_REGISTER_GRU" ]]; then
-  echo "--- Step 3: Register c* as GRU (UniversalAssetRegistry) ---"
+  echo "--- Step 4: Register c* as GRU (UniversalAssetRegistry) ---"
  if [[ -n "$DRY_RUN" ]]; then
    echo "[DRY-RUN] cd $SMOM && forge script script/deploy/RegisterGRUCompliantTokens.s.sol --rpc-url \$RPC_URL_138 --broadcast --private-key \$PRIVATE_KEY --with-gas-price 1000000000"
  else
@@ -78,13 +98,13 @@ if [[ -z "$SKIP_REGISTER_GRU" ]]; then
  fi
  echo ""
 else
-  echo "--- Step 3: Register c* as GRU (skipped) ---"
+  echo "--- Step 4: Register c* as GRU (skipped) ---"
  echo ""
 fi
-# 4) Verify
+# 5) Verify
 if [[ -z "$SKIP_VERIFY" ]]; then
-  echo "--- Step 4: On-chain verification ---"
+  echo "--- Step 5: On-chain verification ---"
  if [[ -n "$DRY_RUN" ]]; then
    echo "[DRY-RUN] $PROJECT_ROOT/scripts/verify/check-contracts-on-chain-138.sh"
  else
@@ -93,7 +113,7 @@ if [[ -z "$SKIP_VERIFY" ]]; then
  fi
  echo ""
 else
-  echo "--- Step 4: Verify (skipped) ---"
+  echo "--- Step 5: Verify (skipped) ---"
  echo ""
 fi
--- a/scripts/deployment/run-sankofa-studio-e2e.sh
+++ b/scripts/deployment/run-sankofa-studio-e2e.sh
@@ -53,7 +53,7 @@ echo "   If using tunnel: add Public Hostname studio.sankofa.nexus → https://1
 echo ""
 echo "4. Verify:"
 echo "   curl -s http://${IP}:8000/health"
-echo "   bash scripts/verify/verify-end-to-end-routing.sh"
+echo "   bash scripts/verify/verify-end-to-end-routing.sh --profile=public"
 echo "   https://studio.sankofa.nexus/studio/"
 echo ""
 echo "Full flow: docs/03-deployment/SANKOFA_STUDIO_E2E_FLOW.md"
--- a/scripts/run-all-next-steps.sh
+++ b/scripts/run-all-next-steps.sh
@@ -80,12 +80,12 @@ echo "" >> "$REPORT_FILE"
 # 4. E2E routing (may have RPC/Blockscout skip when off-LAN)
 log_info "4. End-to-end routing verification"
-if E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 bash "$SCRIPT_DIR/verify/verify-end-to-end-routing.sh" >> "$REPORT_FILE" 2>&1; then
+if E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 bash "$SCRIPT_DIR/verify/verify-end-to-end-routing.sh" --profile=public >> "$REPORT_FILE" 2>&1; then
  log_ok "E2E routing"
-  echo "| E2E routing | OK | \`verify-end-to-end-routing.sh\` (RPC may skip off-LAN) |" >> "$REPORT_FILE"
+  echo "| E2E routing | OK | \`verify-end-to-end-routing.sh --profile=public\` (RPC may skip off-LAN) |" >> "$REPORT_FILE"
 else
  log_skip "E2E routing (check report in verification-evidence/e2e-verification-*)"
-  echo "| E2E routing | WARN/FAIL | \`verify-end-to-end-routing.sh\` — see latest e2e-verification-* |" >> "$REPORT_FILE"
+  echo "| E2E routing | WARN/FAIL | \`verify-end-to-end-routing.sh --profile=public\` — see latest e2e-verification-* |" >> "$REPORT_FILE"
 fi
 echo "" >> "$REPORT_FILE"
--- a/scripts/verify/run-full-connection-and-fastly-tests.sh
+++ b/scripts/verify/run-full-connection-and-fastly-tests.sh
@@ -91,7 +91,7 @@ echo ""
 # 5) End-to-end routing (full domain list: DNS, SSL, HTTPS, RPC where applicable)
 # When only RPC fails (edge blocks POST), treat as success so full run passes
 info "5. End-to-end routing (all domains)"
-if E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 bash scripts/verify/verify-end-to-end-routing.sh 2>&1; then
+if E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public 2>&1; then
  ok "E2E routing completed"
 else
  warn "E2E routing had failures (see above)"
--- a/scripts/verify/run-full-verification.sh
+++ b/scripts/verify/run-full-verification.sh
@@ -102,7 +102,7 @@ log_info "Progress: 5/$TOTAL_STEPS steps"
 log_info ""
 log_info "Step 5/$TOTAL_STEPS: End-to-End Routing Verification"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-if bash "$SCRIPT_DIR/verify-end-to-end-routing.sh"; then
+if bash "$SCRIPT_DIR/verify-end-to-end-routing.sh" --profile=public; then
    log_success "E2E verification complete"
 else
    log_warn "E2E verification completed with warnings"
--- a/scripts/verify/verify-end-to-end-routing.sh
+++ b/scripts/verify/verify-end-to-end-routing.sh
@@ -32,6 +32,12 @@ PUBLIC_IP="${PUBLIC_IP:-76.53.10.36}"
 PUBLIC_IP_FOURTH="${PUBLIC_IP_FOURTH:-76.53.10.40}"
 # Set ACCEPT_ANY_DNS=1 to pass DNS if domain resolves to any IP (e.g. Fastly CNAME or Cloudflare Tunnel)
 ACCEPT_ANY_DNS="${ACCEPT_ANY_DNS:-0}"
 # Use system resolver (e.g. /etc/hosts) instead of dig @8.8.8.8 — set when running from LAN with generate-e2e-hosts.sh entries
 E2E_USE_SYSTEM_RESOLVER="${E2E_USE_SYSTEM_RESOLVER:-0}"
 if [ "$E2E_USE_SYSTEM_RESOLVER" = "1" ]; then
    ACCEPT_ANY_DNS=1
    log_info "E2E_USE_SYSTEM_RESOLVER=1: using getent (respects /etc/hosts); ACCEPT_ANY_DNS=1"
 fi
 # When using Option B (RPC via Cloudflare Tunnel), RPC hostnames resolve to Cloudflare IPs; auto-enable if tunnel ID set
 if [ "$ACCEPT_ANY_DNS" = "0" ] && [ -n "${CLOUDFLARE_TUNNEL_ID:-}" ]; then
    ACCEPT_ANY_DNS=1
@@ -46,8 +52,8 @@ if [ "$ACCEPT_ANY_DNS" = "0" ] && [ -f "$PROJECT_ROOT/.env" ]; then
    fi
 fi
-# Expected domains and their types (all Cloudflare/DNS-facing public endpoints)
+# Expected domains and their types (full combined inventory)
-declare -A DOMAIN_TYPES=(
+declare -A DOMAIN_TYPES_ALL=(
    ["explorer.d-bis.org"]="web"
    ["rpc-http-pub.d-bis.org"]="rpc-http"
    ["rpc-ws-pub.d-bis.org"]="rpc-ws"
@@ -94,10 +100,77 @@ declare -A DOMAIN_TYPES=(
    ["dev.d-bis.org"]="web"
    ["codespaces.d-bis.org"]="web"
 )
 # Private/admin profile domains (private RPC + Fireblocks RPC only).
 declare -a PRIVATE_PROFILE_DOMAINS=(
    "rpc-http-prv.d-bis.org"
    "rpc-ws-prv.d-bis.org"
    "rpc-fireblocks.d-bis.org"
    "ws.rpc-fireblocks.d-bis.org"
 )
 PRIVATE_PROFILE_SET=" ${PRIVATE_PROFILE_DOMAINS[*]} "
 PROFILE="${E2E_PROFILE:-public}"
 LIST_ENDPOINTS=0
 for arg in "$@"; do
    case "$arg" in
        --list-endpoints) LIST_ENDPOINTS=1 ;;
        --profile=*) PROFILE="${arg#*=}" ;;
        --profile-public) PROFILE="public" ;;
        --profile-private) PROFILE="private" ;;
        --profile-all) PROFILE="all" ;;
        *)
            if [[ "$arg" != "--list-endpoints" ]]; then
                echo "Unknown argument: $arg" >&2
                echo "Usage: $0 [--list-endpoints] [--profile=public|private|all]" >&2
                exit 2
            fi
            ;;
    esac
 done
 declare -A DOMAIN_TYPES=()
 for domain in "${!DOMAIN_TYPES_ALL[@]}"; do
    is_private=0
    [[ "$PRIVATE_PROFILE_SET" == *" $domain "* ]] && is_private=1
    case "$PROFILE" in
        public)
            [[ "$is_private" -eq 0 ]] && DOMAIN_TYPES["$domain"]="${DOMAIN_TYPES_ALL[$domain]}"
            ;;
        private)
            [[ "$is_private" -eq 1 ]] && DOMAIN_TYPES["$domain"]="${DOMAIN_TYPES_ALL[$domain]}"
            ;;
        all)
            DOMAIN_TYPES["$domain"]="${DOMAIN_TYPES_ALL[$domain]}"
            ;;
        *)
            echo "Invalid profile: $PROFILE (expected public|private|all)" >&2
            exit 2
            ;;
    esac
 done
 # Domains that are optional (not yet configured); no DNS = skip instead of fail. Space-separated.
-E2E_OPTIONAL_DOMAINS="${E2E_OPTIONAL_DOMAINS:-dapp.d-bis.org}"
+if [[ -z "${E2E_OPTIONAL_DOMAINS:-}" ]]; then
-# Domains that are optional when any test fails (off-LAN, 502, unreachable); fail → skip so run passes. Set to empty for strict.
+    if [[ "$PROFILE" == "private" ]]; then
-E2E_OPTIONAL_WHEN_FAIL="${E2E_OPTIONAL_WHEN_FAIL:-dapp.d-bis.org mifos.d-bis.org explorer.d-bis.org dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org secure.d-bis.org sankofa.nexus www.sankofa.nexus phoenix.sankofa.nexus www.phoenix.sankofa.nexus the-order.sankofa.nexus studio.sankofa.nexus mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org rpc-http-pub.d-bis.org rpc.d-bis.org rpc2.d-bis.org rpc-http-prv.d-bis.org rpc-fireblocks.d-bis.org ws.rpc-fireblocks.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io ws.rpc.d-bis.org rpc-ws-prv.d-bis.org ws.rpc2.d-bis.org}"
+        E2E_OPTIONAL_DOMAINS=""
    else
        E2E_OPTIONAL_DOMAINS="dapp.d-bis.org"
    fi
 else
    E2E_OPTIONAL_DOMAINS="${E2E_OPTIONAL_DOMAINS}"
 fi
 # Domains that are optional when any test fails (off-LAN, 502, unreachable); fail → skip so run passes.
 if [[ -z "${E2E_OPTIONAL_WHEN_FAIL:-}" ]]; then
    if [[ "$PROFILE" == "private" ]]; then
        E2E_OPTIONAL_WHEN_FAIL="rpc-http-prv.d-bis.org rpc-ws-prv.d-bis.org rpc-fireblocks.d-bis.org ws.rpc-fireblocks.d-bis.org"
    else
        E2E_OPTIONAL_WHEN_FAIL="dapp.d-bis.org mifos.d-bis.org explorer.d-bis.org dbis-admin.d-bis.org dbis-api.d-bis.org dbis-api-2.d-bis.org secure.d-bis.org sankofa.nexus www.sankofa.nexus phoenix.sankofa.nexus www.phoenix.sankofa.nexus the-order.sankofa.nexus studio.sankofa.nexus mim4u.org www.mim4u.org secure.mim4u.org training.mim4u.org rpc-http-pub.d-bis.org rpc.d-bis.org rpc2.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io ws.rpc.d-bis.org ws.rpc2.d-bis.org"
    fi
 else
    E2E_OPTIONAL_WHEN_FAIL="${E2E_OPTIONAL_WHEN_FAIL}"
 fi
 # Per-domain expected DNS IP (optional). Unset = use PUBLIC_IP.
 declare -A EXPECTED_IP=(
@@ -106,11 +179,34 @@ declare -A EXPECTED_IP=(
    ["codespaces.d-bis.org"]="$PUBLIC_IP_FOURTH"
 )
 # --list-endpoints: print selected profile endpoints and exit (no tests)
 if [[ "$LIST_ENDPOINTS" == "1" ]]; then
    echo ""
    echo "E2E endpoints (${#DOMAIN_TYPES[@]} total, profile: $PROFILE) — verify-end-to-end-routing.sh"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo ""
    printf "%-40s %-12s %s\n" "Domain" "Type" "URL"
    printf "%-40s %-12s %s\n" "------" "----" "---"
    for domain in $(echo "${!DOMAIN_TYPES[@]}" | tr ' ' '\n' | sort); do
        dtype="${DOMAIN_TYPES[$domain]:-unknown}"
        if [[ "$dtype" == "rpc-http" || "$dtype" == "rpc-ws" ]]; then
            url="https://$domain (RPC)"
        else
            url="https://$domain"
        fi
        printf "%-40s %-12s %s\n" "$domain" "$dtype" "$url"
    done
    echo ""
    exit 0
 fi
 echo ""
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo "🔍 End-to-End Routing Verification"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 echo "Profile: $PROFILE"
 echo ""
 E2E_RESULTS=()
@@ -126,7 +222,11 @@ test_domain() {
    # Test 1: DNS Resolution
    log_info "Test 1: DNS Resolution"
-    dns_result=$(dig +short "$domain" @8.8.8.8 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || echo "")
+    if [ "${E2E_USE_SYSTEM_RESOLVER:-0}" = "1" ]; then
        dns_result=$(getent hosts "$domain" 2>/dev/null | awk '{print $1}' | head -1 || echo "")
    else
        dns_result=$(dig +short "$domain" @8.8.8.8 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || echo "")
    fi
    expected_ip="${EXPECTED_IP[$domain]:-$PUBLIC_IP}"
    if [ "$dns_result" = "$expected_ip" ]; then
@@ -372,8 +472,21 @@ cat > "$REPORT_FILE" <<EOF
 **Date**: $(date -Iseconds)
 **Public IP**: $PUBLIC_IP
 **Profile**: $PROFILE
 **Verifier**: $(whoami)
 ## All endpoints ($TOTAL_TESTS)
 | Domain | Type | URL |
 |--------|------|-----|
 EOF
 for domain in $(echo "${!DOMAIN_TYPES[@]}" | tr ' ' '\n' | sort); do
    dtype="${DOMAIN_TYPES[$domain]:-unknown}"
    echo "| $domain | $dtype | https://$domain |" >> "$REPORT_FILE"
 done
 cat >> "$REPORT_FILE" <<EOF
 ## Summary
 - **Total domains tested**: $TOTAL_TESTS
@@ -383,7 +496,25 @@ cat > "$REPORT_FILE" <<EOF
 - **Skipped / optional (not configured or unreachable)**: $SKIPPED_OPTIONAL
 - **Average response time**: ${AVG_RESPONSE_TIME}s
-## Test Results by Domain
+## Results overview
 | Domain | Type | DNS | SSL | HTTPS | RPC |
 |--------|------|-----|-----|-------|-----|
 EOF
 for result in "${E2E_RESULTS[@]}"; do
    domain=$(echo "$result" | jq -r '.domain' 2>/dev/null || echo "")
    domain_type=$(echo "$result" | jq -r '.domain_type' 2>/dev/null || echo "")
    dns_status=$(echo "$result" | jq -r '.tests.dns.status // "-"' 2>/dev/null || echo "-")
    ssl_status=$(echo "$result" | jq -r '.tests.ssl.status // "-"' 2>/dev/null || echo "-")
    https_status=$(echo "$result" | jq -r '.tests.https.status // "-"' 2>/dev/null || echo "-")
    rpc_status=$(echo "$result" | jq -r '.tests.rpc_http.status // "-"' 2>/dev/null || echo "-")
    echo "| $domain | $domain_type | $dns_status | $ssl_status | $https_status | $rpc_status |" >> "$REPORT_FILE"
 done
 cat >> "$REPORT_FILE" <<EOF
 ## Test Results by Domain (detail)
 EOF