Harden deployment env flows and surface external blockers

2026-04-22 14:47:52 -07:00
parent dc123ff647
commit d9a3053a58
19 changed files with 318 additions and 51 deletions
--- a/scripts/deployment/check-deployer-balance-chain138-and-funding-plan.sh
+++ b/scripts/deployment/check-deployer-balance-chain138-and-funding-plan.sh
@@ -11,7 +11,20 @@

 set -euo pipefail

-DEPLOYER="${DEPLOYER_ADDRESS:-0x4A666F96fC8764181194447A7dFdb7d471b301C8}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+
+if [[ -f "$PROJECT_ROOT/scripts/lib/load-project-env.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "$PROJECT_ROOT/scripts/lib/load-project-env.sh" >/dev/null 2>&1 || true
+fi
+
+DEPLOYER="${DEPLOYER_ADDRESS:-}"
+if [[ -z "$DEPLOYER" && -n "${PRIVATE_KEY:-}" ]]; then
+  DEPLOYER="$(cast wallet address "$PRIVATE_KEY" 2>/dev/null || true)"
+fi
+DEPLOYER="${DEPLOYER:-0x4A666F96fC8764181194447A7dFdb7d471b301C8}"
 CHAIN138_PUBLIC_RPC_DEFAULT="https://rpc-http-pub.d-bis.org"
 RPC="${RPC_URL_138:-${CHAIN138_PUBLIC_RPC_URL:-$CHAIN138_PUBLIC_RPC_DEFAULT}}"

--- a/scripts/deployment/check-deployer-lp-balances.py
+++ b/scripts/deployment/check-deployer-lp-balances.py
@@ -135,8 +135,10 @@ def deployer_address(env: dict[str, str], override: str | None) -> str:
        v = (os.environ.get(k) or "").strip()
        if v:
            return v
-    pk = env.get("PRIVATE_KEY", "") or (os.environ.get("PRIVATE_KEY") or "").strip()
-    if pk:
+    for key in ("PRIVATE_KEY", "DEPLOYER_PRIVATE_KEY"):
+        pk = (os.environ.get(key) or env.get(key) or "").strip()
+        if not pk or "${" in pk:
+            continue
        r = subprocess.run(
            ["cast", "wallet", "address", pk],
            capture_output=True,
@@ -145,7 +147,7 @@ def deployer_address(env: dict[str, str], override: str | None) -> str:
        )
        if r.returncode == 0 and r.stdout.strip():
            return r.stdout.strip()
-    return (env.get("DEPLOYER_ADDRESS") or "").strip()
+    return (env.get("DEPLOYER_ADDRESS") or env.get("DEPLOYER") or "").strip()


 def parse_uint(s: str) -> int:
--- a/scripts/deployment/check-deployer-nonce-and-balance.sh
+++ b/scripts/deployment/check-deployer-nonce-and-balance.sh
@@ -18,12 +18,12 @@ PUBLIC_ETHEREUM_RPC="${ETHEREUM_MAINNET_PUBLIC_RPC:-https://ethereum-rpc.publicn
 PUBLIC_CRONOS_RPC="${CRONOS_MAINNET_PUBLIC_RPC:-https://evm.cronos.org}"
 PUBLIC_ARBITRUM_RPC="${ARBITRUM_MAINNET_PUBLIC_RPC:-https://arbitrum-one-rpc.publicnode.com}"

-DEPLOYER=""
-if [[ -n "${PRIVATE_KEY:-}" ]]; then
+DEPLOYER="${DEPLOYER_ADDRESS:-}"
+if [[ -z "$DEPLOYER" && -n "${PRIVATE_KEY:-}" ]]; then
  DEPLOYER=$(cast wallet address "$PRIVATE_KEY" 2>/dev/null || true)
 fi
 [[ -z "$DEPLOYER" ]] && {
-  echo "Could not derive deployer address. Set PRIVATE_KEY in ${PROJECT_ROOT}/.env, smom-dbis-138/.env, or ~/.secure-secrets/private-keys.env" >&2
+  echo "Could not derive deployer address. Set PRIVATE_KEY or DEPLOYER_ADDRESS in repo .env, smom-dbis-138/.env, or ~/.secure-secrets/private-keys.env" >&2
  exit 1
 }
 echo "Deployer address: $DEPLOYER"
--- a/scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh
+++ b/scripts/deployment/deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh
@@ -40,10 +40,15 @@ fi
 set -a
 source "$SMOM/.env"
 set +a
+if [[ -f "$SMOM/scripts/lib/deployment/dotenv.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "$SMOM/scripts/lib/deployment/dotenv.sh"
+  load_deployment_env --repo-root "$PROJECT_ROOT"
+fi

 # 2) RPC: Core (2101) only — no Public fallback for deployments
 RPC="${RPC_URL_138:-http://192.168.11.211:8545}"
-[[ -z "${PRIVATE_KEY:-}" ]] && echo "PRIVATE_KEY not set in $SMOM/.env. Abort." >&2 && exit 1
+require_private_key_env "Set PRIVATE_KEY in $SMOM/.env, repo .env, or ~/.secure-secrets/private-keys.env." || exit 1
 # Chain 138 gas: min 1 gwei; use GAS_PRICE from .env or default
 GAS_PRICE="${GAS_PRICE_138:-${GAS_PRICE:-1000000000}}"

@@ -73,7 +78,7 @@ else
 fi

 # 4) Always check deployer nonce (pending) and set NEXT_NONCE for scripts
-DEPLOYER=$(cast wallet address --private-key "$PRIVATE_KEY" 2>/dev/null) || { echo "cast wallet address failed. Check PRIVATE_KEY in .env." >&2; exit 1; }
+DEPLOYER="$(derive_deployer_address)" || { echo "Could not derive deployer address from PRIVATE_KEY." >&2; exit 1; }
 NONCE_PENDING=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block pending 2>/dev/null) || true
 NONCE_LATEST=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block latest 2>/dev/null) || true
 # Normalize: empty or non-numeric -> use latest, then 0; ensure decimal for export
--- a/scripts/deployment/deploy-transaction-mirror-chain138-nonce-fix.sh
+++ b/scripts/deployment/deploy-transaction-mirror-chain138-nonce-fix.sh
@@ -10,11 +10,17 @@ PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 SMOM="${PROJECT_ROOT}/smom-dbis-138"
 NONCE="${1:-13370}"

-[[ -f "${SMOM}/.env" ]] && set -a && source "${SMOM}/.env" 2>/dev/null && set +a
+if [[ -f "${SMOM}/scripts/lib/deployment/dotenv.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "${SMOM}/scripts/lib/deployment/dotenv.sh"
+  load_deployment_env --repo-root "$PROJECT_ROOT"
+elif [[ -f "${SMOM}/.env" ]]; then
+  set -a && source "${SMOM}/.env" 2>/dev/null && set +a
+fi
 RPC="${RPC_URL_138:-${RPC_URL_138_PUBLIC:-http://192.168.11.221:8545}}"
-[[ -z "${PRIVATE_KEY:-}" ]] && echo "PRIVATE_KEY not set." >&2 && exit 1
-[[ "${PRIVATE_KEY#0x}" == "$PRIVATE_KEY" ]] && export PRIVATE_KEY="0x$PRIVATE_KEY"
-ADMIN="${MIRROR_ADMIN:-$(cast wallet address --private-key "$PRIVATE_KEY" 2>/dev/null)}"
+require_private_key_env "Set PRIVATE_KEY in smom-dbis-138/.env, repo .env, or ~/.secure-secrets/private-keys.env." || exit 1
+ADMIN="${MIRROR_ADMIN:-$(derive_deployer_address 2>/dev/null || true)}"
+[[ -n "$ADMIN" ]] || { echo "ERROR: Could not derive deployer address from PRIVATE_KEY." >&2; exit 1; }

 echo "Deploying TransactionMirror (nonce=$NONCE) to $RPC"
 cd "$SMOM"
--- a/scripts/deployment/deploy-transaction-mirror-chain138.sh
+++ b/scripts/deployment/deploy-transaction-mirror-chain138.sh
@@ -17,6 +17,11 @@ for a in "$@"; do [[ "$a" == "--dry-run" ]] && DRY_RUN=true && break; done

 [[ -f "${SCRIPT_DIR}/../lib/load-project-env.sh" ]] && source "${SCRIPT_DIR}/../lib/load-project-env.sh" 2>/dev/null || true
 [[ -f "${SMOM}/.env" ]] && set -a && source "${SMOM}/.env" 2>/dev/null && set +a || true
+if [[ -f "${SMOM}/scripts/lib/deployment/dotenv.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "${SMOM}/scripts/lib/deployment/dotenv.sh"
+  load_deployment_env --repo-root "$PROJECT_ROOT"
+fi

 # RPC_URL_138 or RPC_URL (alias)
 RPC="${RPC_URL_138:-${RPC_URL:-http://192.168.11.211:8545}}"
@@ -24,13 +29,8 @@ export RPC_URL_138="$RPC"
 export ETH_RPC_URL="$RPC"
 GAS_PRICE="${GAS_PRICE:-1000000000}"

-if ! $DRY_RUN && [[ -z "${PRIVATE_KEY:-}" ]]; then
-  echo "ERROR: PRIVATE_KEY not set. Set in smom-dbis-138/.env"
-  exit 1
-fi
-
-if [[ "${PRIVATE_KEY#0x}" == "$PRIVATE_KEY" ]]; then
-  export PRIVATE_KEY="0x$PRIVATE_KEY"
+if ! $DRY_RUN; then
+  require_private_key_env "Set PRIVATE_KEY in smom-dbis-138/.env, repo .env, or ~/.secure-secrets/private-keys.env." || exit 1
 fi
 export PRIVATE_KEY  # Ensure subshells/forge inherit it

@@ -38,7 +38,11 @@ export PRIVATE_KEY  # Ensure subshells/forge inherit it
 if [[ -n "${MIRROR_ADMIN:-}" ]]; then
  ADMIN="$MIRROR_ADMIN"
 else
-  if $DRY_RUN; then ADMIN="<DEPLOYER_ADDRESS>"; else ADMIN=$(cast wallet address --private-key "$PRIVATE_KEY" 2>/dev/null) || { echo "ERROR: cast not found or PRIVATE_KEY invalid"; exit 1; }; fi
+  if $DRY_RUN; then
+    ADMIN="<DEPLOYER_ADDRESS>"
+  else
+    ADMIN="$(derive_deployer_address)" || { echo "ERROR: Could not derive deployer address from PRIVATE_KEY." >&2; exit 1; }
+  fi
 fi

 if $DRY_RUN; then
--- a/scripts/deployment/preflight-chain138-deploy.sh
+++ b/scripts/deployment/preflight-chain138-deploy.sh
@@ -35,16 +35,19 @@ else
 fi

 # 3) Load env for RPC and nonce checks (no secrets printed)
-[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
-set -a
-source "$SMOM/.env"
-set +a
+if [[ -f "$SMOM/scripts/lib/deployment/dotenv.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "$SMOM/scripts/lib/deployment/dotenv.sh"
+  load_deployment_env --repo-root "$PROJECT_ROOT"
+else
+  [[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+  set -a
+  source "$SMOM/.env"
+  set +a
+fi

 RPC="${RPC_URL_138:-http://192.168.11.211:8545}"
-if [[ -z "${PRIVATE_KEY:-}" ]]; then
-  echo "FAIL: PRIVATE_KEY not set in $SMOM/.env." >&2
-  exit 1
-fi
+require_private_key_env "Set PRIVATE_KEY in $SMOM/.env, repo .env, or ~/.secure-secrets/private-keys.env." || exit 1

 # 4) RPC: must be Core (chainId 138 = 0x8a)
 echo ""
@@ -62,7 +65,7 @@ fi
 echo "OK   RPC (Core): $RPC (chainId 138)."

 # 5) Nonce: warn if pending > latest (stuck txs)
-DEPLOYER=$(cast wallet address --private-key "$PRIVATE_KEY" 2>/dev/null) || { echo "FAIL: cast wallet address failed. Check PRIVATE_KEY in .env." >&2; exit 1; }
+DEPLOYER="$(derive_deployer_address)" || { echo "FAIL: Could not derive deployer address from PRIVATE_KEY." >&2; exit 1; }
 NONCE_PENDING=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block pending 2>/dev/null) || true
 NONCE_LATEST=$(cast nonce "$DEPLOYER" --rpc-url "$RPC" --block latest 2>/dev/null) || true
 # Normalize to decimal (cast may return hex 0xN or decimal N)
--- a/scripts/lib/load-project-env.sh
+++ b/scripts/lib/load-project-env.sh
@@ -46,6 +46,16 @@ _lpr_dotenv_source() {
  fi
 }

+_lpr_export_from_private_key() {
+  [[ -n "${DEPLOYER_ADDRESS:-}" || -z "${PRIVATE_KEY:-}" ]] && return 0
+  command -v cast >/dev/null 2>&1 || return 0
+  local _lpr_addr
+  _lpr_addr="$(cast wallet address "$PRIVATE_KEY" 2>/dev/null || true)"
+  [[ -n "$_lpr_addr" ]] || return 0
+  export DEPLOYER_ADDRESS="$_lpr_addr"
+  export DEPLOYER="${DEPLOYER:-$_lpr_addr}"
+}
+
 # Path validation
 [[ -d "$PROJECT_ROOT" ]] || err_exit "PROJECT_ROOT not a directory: $PROJECT_ROOT"
 [[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] || echo "WARN: config/ip-addresses.conf not found; using defaults" >&2
@@ -66,6 +76,9 @@ _lpr_dotenv_source "${PROJECT_ROOT}/smom-dbis-138/.env"
 KEEPER_SECRET_FILE="${KEEPER_SECRET_FILE:-${HOME}/.secure-secrets/chain138-keeper.env}"
 [[ -z "${KEEPER_PRIVATE_KEY:-}" ]] && [[ -f "${KEEPER_SECRET_FILE}" ]] && _lpr_dotenv_source "${KEEPER_SECRET_FILE}"

+# 3d. Normalize a deployer address for scripts that need a read-only owner identity.
+_lpr_export_from_private_key
+
 # 4. dbis_core config if present
 [[ -f "${PROJECT_ROOT}/dbis_core/config/dbis-core-proxmox.conf" ]] && _lpr_source_relaxed "${PROJECT_ROOT}/dbis_core/config/dbis-core-proxmox.conf" || true

@@ -124,6 +137,9 @@ export CHAIN138_RPC="$RPC_URL_138"
 export ETH_RPC_URL="${ETH_RPC_URL:-$RPC_URL_138}"
 export RPC_URL_138_PUBLIC="${RPC_URL_138_PUBLIC:-http://${RPC_PUBLIC_1}:8545}"
 export WS_URL_138_PUBLIC="${WS_URL_138_PUBLIC:-ws://${RPC_PUBLIC_1}:8546}"
+export CHAIN_651940_RPC_URL="${CHAIN_651940_RPC_URL:-${ALL_MAINNET_RPC:-}}"
+export CHAIN_651940_RPC="${CHAIN_651940_RPC:-${CHAIN_651940_RPC_URL:-${ALL_MAINNET_RPC:-}}}"
+export ALLTRA_MAINNET_RPC="${ALLTRA_MAINNET_RPC:-${ALL_MAINNET_RPC:-${CHAIN_651940_RPC_URL:-${CHAIN_651940_RPC:-}}}}"
 export SMOM_DIR="${SMOM_DBIS_138_DIR:-${PROJECT_ROOT}/smom-dbis-138}"
 export DBIS_CORE_DIR="${DBIS_CORE_DIR:-${PROJECT_ROOT}/dbis_core}"

--- a/scripts/mint-tokens-for-deployer.sh
+++ b/scripts/mint-tokens-for-deployer.sh
@@ -16,8 +16,11 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 cd "$PROJECT_ROOT"

-# Load smom-dbis-138 .env
-if [[ -f smom-dbis-138/.env ]]; then
+# Load normalized project env when available.
+if [[ -f scripts/lib/load-project-env.sh ]]; then
+    # shellcheck disable=SC1091
+    source scripts/lib/load-project-env.sh >/dev/null 2>&1 || true
+elif [[ -f smom-dbis-138/.env ]]; then
    set -a
    source smom-dbis-138/.env
    set +a
@@ -50,11 +53,13 @@ for a in "$@"; do
 done

 DEPLOYER=""
-if [[ -n "${PRIVATE_KEY:-}" ]]; then
+if [[ -n "${DEPLOYER_ADDRESS:-}" ]]; then
+    DEPLOYER="${DEPLOYER_ADDRESS}"
+elif [[ -n "${PRIVATE_KEY:-}" ]]; then
    DEPLOYER=$(cast wallet address --private-key "$PRIVATE_KEY" 2>/dev/null || true)
 fi
 if [[ -z "$DEPLOYER" ]]; then
-    DEPLOYER="${DEPLOYER_ADDRESS:-0x4A666F96fC8764181194447A7dFdb7d471b301C8}"
+    DEPLOYER="0x4A666F96fC8764181194447A7dFdb7d471b301C8"
 fi

 LINK_RAW="${AMOUNT_LINK}000000000000000000"   # 18 decimals
--- a/scripts/verify/build-liquidity-pools-master-map.py
+++ b/scripts/verify/build-liquidity-pools-master-map.py
@@ -38,6 +38,7 @@ RPC_DEFAULTS = {
    or "https://rpc-core.d-bis.org",
    "651940": os.environ.get("CHAIN_651940_RPC")
    or os.environ.get("CHAIN_651940_RPC_URL")
+    or os.environ.get("ALL_MAINNET_RPC")
    or os.environ.get("ALLTRA_MAINNET_RPC")
    or "https://mainnet-rpc.alltra.global",
    "1": os.environ.get("ETHEREUM_MAINNET_RPC") or "https://eth.llamarpc.com",
@@ -335,13 +336,15 @@ class PoolBuilder:
        quote_symbol = venue.get("quote")
        notes = list(venue.get("notes", []))
        if any(note in PLACEHOLDER_NOTES for note in notes):
-            status = "planned_reference_placeholder"
+            status = "documented_reference_surface"
        elif venue.get("live"):
            status = "live"
+        elif venue.get("protocol") == "1inch" and venue.get("supported"):
+            status = "documented_aggregator_surface"
        elif venue.get("supported"):
-            status = "supported_not_live"
+            status = "documented_reference_surface"
        else:
-            status = "unsupported"
+            status = "documented_unsupported_surface"
        return {
            "chainId": int(chain_id),
            "network": chain_data["name"],
--- a/scripts/verify/check-deployer-balance-blockscout-vs-rpc.sh
+++ b/scripts/verify/check-deployer-balance-blockscout-vs-rpc.sh
@@ -8,7 +8,20 @@

 set -euo pipefail

-DEPLOYER="${DEPLOYER_ADDRESS:-0x4A666F96fC8764181194447A7dFdb7d471b301C8}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+
+if [[ -f "$PROJECT_ROOT/scripts/lib/load-project-env.sh" ]]; then
+  # shellcheck disable=SC1090
+  source "$PROJECT_ROOT/scripts/lib/load-project-env.sh" >/dev/null 2>&1 || true
+fi
+
+DEPLOYER="${DEPLOYER_ADDRESS:-}"
+if [[ -z "$DEPLOYER" && -n "${PRIVATE_KEY:-}" ]]; then
+  DEPLOYER="$(cast wallet address "$PRIVATE_KEY" 2>/dev/null || true)"
+fi
+DEPLOYER="${DEPLOYER:-0x4A666F96fC8764181194447A7dFdb7d471b301C8}"
 RPC="${1:-${RPC_URL_138:-https://rpc-core.d-bis.org}}"
 EXPLORER_API="${2:-https://explorer.d-bis.org/api/v2}"

@@ -67,11 +80,13 @@ fi
 # --- 3. Compare ---
 echo ""
 if [ -n "$RPC_WEI" ] && [ -n "$BLOCKSCOUT_WEI" ]; then
-  if [ "$RPC_WEI" -ge "$BLOCKSCOUT_WEI" ]; then
-    DIFF=$((RPC_WEI - BLOCKSCOUT_WEI))
-  else
-    DIFF=$((BLOCKSCOUT_WEI - RPC_WEI))
-  fi
+  DIFF="$(python3 - "$RPC_WEI" "$BLOCKSCOUT_WEI" <<'PY'
+import sys
+rpc = int(sys.argv[1])
+blockscout = int(sys.argv[2])
+print(abs(rpc - blockscout))
+PY
+)"
  if [ "$DIFF" -le 1 ]; then
    echo "Match: RPC and Blockscout balances match (diff <= 1 wei)."
  else
--- a/scripts/verify/check-external-dependencies.sh
+++ b/scripts/verify/check-external-dependencies.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# Check external dependencies that cannot be satisfied by repo-only changes.
+# Default: fail when any external blocker is unresolved.
+# Use --advisory to always exit 0 while still printing blocker status.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+if [[ -f "$PROJECT_ROOT/scripts/lib/load-project-env.sh" ]]; then
+  # shellcheck disable=SC1091
+  source "$PROJECT_ROOT/scripts/lib/load-project-env.sh"
+fi
+
+ADVISORY=0
+[[ "${1:-}" == "--advisory" ]] && ADVISORY=1
+
+PASS_COUNT=0
+FAIL_COUNT=0
+
+log_ok() { printf '[OK] %s\n' "$1"; }
+log_block() { printf '[BLOCKED] %s\n' "$1"; }
+
+record_pass() {
+  PASS_COUNT=$((PASS_COUNT + 1))
+  log_ok "$1"
+}
+
+record_fail() {
+  FAIL_COUNT=$((FAIL_COUNT + 1))
+  log_block "$1"
+}
+
+http_ok() {
+  local url="$1"
+  curl -fsS -m 8 -o /dev/null "$url"
+}
+
+check_url_blocker() {
+  local blocker_id="$1"
+  local label="$2"
+  local url="${3:-}"
+  local hint="$4"
+
+  if [[ -z "$url" ]]; then
+    record_fail "$blocker_id $label: unresolved. $hint"
+    return 0
+  fi
+
+  if http_ok "$url"; then
+    record_pass "$blocker_id $label: reachable at $url"
+  else
+    record_fail "$blocker_id $label: configured but unreachable at $url"
+  fi
+}
+
+check_chain138_ci_rpc() {
+  local blocker_id="EXT-CHAIN138-CI-RPC"
+  local rpc="${CHAIN138_CI_RPC_URL:-${RPC_URL_138_PUBLIC:-${CHAIN138_PUBLIC_RPC_URL:-}}}"
+
+  if [[ -z "$rpc" ]]; then
+    record_fail "$blocker_id Chain 138 CI RPC: unresolved. Set CHAIN138_CI_RPC_URL (preferred) or RPC_URL_138_PUBLIC to a runner-reachable endpoint."
+    return 0
+  fi
+
+  if ! command -v cast >/dev/null 2>&1; then
+    record_fail "$blocker_id Chain 138 CI RPC: cast not available to verify $rpc"
+    return 0
+  fi
+
+  local block_number
+  block_number="$(cast block-number --rpc-url "$rpc" 2>/dev/null || true)"
+  if [[ -n "$block_number" ]]; then
+    record_pass "$blocker_id Chain 138 CI RPC: reachable at $rpc (block $block_number)"
+  else
+    record_fail "$blocker_id Chain 138 CI RPC: configured but unreachable at $rpc"
+  fi
+}
+
+echo "=== External Dependency Check ==="
+echo ""
+
+check_url_blocker \
+  "EXT-DBIS-CORE" \
+  "dbis_core deployment" \
+  "${DBIS_CORE_URL:-}" \
+  "Deploy dbis_core or set DBIS_CORE_URL to an existing reachable instance."
+
+check_url_blocker \
+  "EXT-CC-PAYMENT-ADAPTERS" \
+  "cc-payment-adapters implementation" \
+  "${CC_PAYMENT_ADAPTERS_URL:-}" \
+  "Implement/host cc-payment-adapters and set CC_PAYMENT_ADAPTERS_URL."
+
+check_url_blocker \
+  "EXT-CC-AUDIT-LEDGER" \
+  "cc-audit-ledger implementation" \
+  "${CC_AUDIT_LEDGER_URL:-}" \
+  "Implement/host cc-audit-ledger and set CC_AUDIT_LEDGER_URL."
+
+check_url_blocker \
+  "EXT-CC-SHARED-EVENTS" \
+  "cc-shared-events implementation" \
+  "${CC_SHARED_EVENTS_URL:-}" \
+  "Implement/host cc-shared-events and set CC_SHARED_EVENTS_URL."
+
+check_url_blocker \
+  "EXT-CC-SHARED-SCHEMAS" \
+  "cc-shared-schemas implementation" \
+  "${CC_SHARED_SCHEMAS_URL:-}" \
+  "Implement/host cc-shared-schemas and set CC_SHARED_SCHEMAS_URL."
+
+check_url_blocker \
+  "EXT-FIN-GATEWAY" \
+  "FIN / Alliance Access gateway" \
+  "${FIN_GATEWAY_URL:-${ALLIANCE_ACCESS_URL:-}}" \
+  "Provision a real FIN / Alliance Access gateway and set FIN_GATEWAY_URL or ALLIANCE_ACCESS_URL."
+
+check_chain138_ci_rpc
+
+echo ""
+echo "Resolved: $PASS_COUNT"
+echo "Blocked:  $FAIL_COUNT"
+
+if (( FAIL_COUNT > 0 )) && (( ADVISORY == 0 )); then
+  exit 1
+fi
+
+exit 0
--- a/scripts/verify/run-all-validation.sh
+++ b/scripts/verify/run-all-validation.sh
@@ -60,6 +60,15 @@ else
 fi
 echo ""

+echo "3c. External dependency blockers..."
+EXT_CHECK="$SCRIPT_DIR/check-external-dependencies.sh"
+if [[ -x "$EXT_CHECK" ]]; then
+  bash "$EXT_CHECK" --advisory || true
+else
+  echo "   (skip: $EXT_CHECK missing)"
+fi
+echo ""
+
 if [[ "$SKIP_GENESIS" == true ]]; then
  echo "4. Genesis — skipped (--skip-genesis)"
 else