Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.

- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains - Omit embedded publish git dirs and empty placeholders from index Made-with: Cursor
2026-04-12 06:12:20 -07:00
parent 6fb6bd3993
commit dbd517b279
2935 changed files with 327972 additions and 5533 deletions
--- a/scripts/cloudflare/configure-alltra-hybx-tunnel-and-dns.sh
+++ b/scripts/cloudflare/configure-alltra-hybx-tunnel-and-dns.sh
@@ -18,9 +18,10 @@ ZONE_ID="${CLOUDFLARE_ZONE_ID:-${CLOUDFLARE_ZONE_ID_D_BIS_ORG}}"
 # Third NPMplus (192.168.11.169) — Alltra, HYBX, rpc-core-2
 ORIGIN="https://192.168.11.169:443"
 CNAME_TARGET="${TUNNEL_ID}.cfargotunnel.com"
+INCLUDE_PLACEHOLDER_HOSTNAMES="${INCLUDE_PLACEHOLDER_HOSTNAMES:-0}"

-# All hostnames on this tunnel (must match NPMplus proxy hosts on 192.168.11.169)
-HOSTNAMES=(
+# Active hostnames on this tunnel (must match live proxy hosts on 192.168.11.169)
+ACTIVE_HOSTNAMES=(
  rpc-core-2.d-bis.org
  rpc-alltra.d-bis.org
  rpc-alltra-2.d-bis.org
@@ -30,6 +31,10 @@ HOSTNAMES=(
  rpc-hybx-3.d-bis.org
  cacti-alltra.d-bis.org
  cacti-hybx.d-bis.org
+)
+
+# Firefly / Fabric / Indy remain placeholders until the real web listener is deployed.
+PLACEHOLDER_HOSTNAMES=(
  firefly-alltra-1.d-bis.org
  firefly-alltra-2.d-bis.org
  firefly-hybx-1.d-bis.org
@@ -40,6 +45,11 @@ HOSTNAMES=(
  indy-hybx.d-bis.org
 )

+HOSTNAMES=("${ACTIVE_HOSTNAMES[@]}")
+if [ "$INCLUDE_PLACEHOLDER_HOSTNAMES" = "1" ]; then
+  HOSTNAMES+=("${PLACEHOLDER_HOSTNAMES[@]}")
+fi
+
 # Auth
 if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
  AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
@@ -59,6 +69,9 @@ echo "━━━━━━━━━━━━━━━━━━━━━━━━
 echo "Tunnel ID: $TUNNEL_ID"
 echo "Origin: $ORIGIN"
 echo "CNAME target: $CNAME_TARGET"
+if [ "$INCLUDE_PLACEHOLDER_HOSTNAMES" != "1" ]; then
+  echo "Placeholder Firefly/Fabric/Indy hostnames are excluded by default. Set INCLUDE_PLACEHOLDER_HOSTNAMES=1 only after those HTTP services are actually live."
+fi
 echo ""

 # Build ingress config from HOSTNAMES + catch-all
@@ -81,18 +94,20 @@ fi
 echo ""
 echo "Adding/updating DNS CNAME records..."
 for h in "${HOSTNAMES[@]}"; do
-  EXISTING=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${h}&type=CNAME" \
+  EXISTING=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${h}" \
    "${AUTH_H[@]}" -H "Content-Type: application/json")
+  RECORD_COUNT=$(echo "$EXISTING" | jq -r '.result | length')
  RECORD_ID=$(echo "$EXISTING" | jq -r '.result[0].id // empty')
+  RECORD_TYPE=$(echo "$EXISTING" | jq -r '.result[0].type // empty')
  CONTENT=$(echo "$EXISTING" | jq -r '.result[0].content // empty')

  DATA=$(jq -n --arg name "$h" --arg target "$CNAME_TARGET" \
    '{type:"CNAME",name:$name,content:$target,ttl:1,proxied:true}')

-  if [ -n "$RECORD_ID" ] && [ "$RECORD_ID" != "null" ]; then
-    if [ "$CONTENT" = "$CNAME_TARGET" ]; then
+  if [ "$RECORD_COUNT" -gt 0 ] && [ -n "$RECORD_ID" ] && [ "$RECORD_ID" != "null" ]; then
+    if [ "$RECORD_TYPE" = "CNAME" ] && [ "$CONTENT" = "$CNAME_TARGET" ]; then
      echo "  $h: OK (CNAME → $CNAME_TARGET)"
-    else
+    elif [ "$RECORD_TYPE" = "CNAME" ]; then
      UPD=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
        "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$DATA")
      if echo "$UPD" | jq -e '.success == true' >/dev/null 2>&1; then
@@ -100,6 +115,20 @@ for h in "${HOSTNAMES[@]}"; do
      else
        echo "  $h: Update failed"
      fi
+    else
+      echo "  $h: Replacing existing ${RECORD_TYPE} record(s) with proxied tunnel CNAME"
+      echo "$EXISTING" | jq -r '.result[].id' | while read -r rid; do
+        [ -n "$rid" ] || continue
+        curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${rid}" \
+          "${AUTH_H[@]}" -H "Content-Type: application/json" >/dev/null
+      done
+      CR=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
+        "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$DATA")
+      if echo "$CR" | jq -e '.success == true' >/dev/null 2>&1; then
+        echo "  $h: Created CNAME → $CNAME_TARGET"
+      else
+        echo "  $h: Create failed ($(echo "$CR" | jq -r '.errors[0].message // "unknown"' 2>/dev/null))"
+      fi
    fi
  else
    CR=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
@@ -112,6 +141,32 @@ for h in "${HOSTNAMES[@]}"; do
  fi
 done

+if [ "$INCLUDE_PLACEHOLDER_HOSTNAMES" != "1" ]; then
+  echo ""
+  echo "Removing placeholder DNS records that should not be published yet..."
+  for h in "${PLACEHOLDER_HOSTNAMES[@]}"; do
+    EXISTING=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${h}" \
+      "${AUTH_H[@]}" -H "Content-Type: application/json")
+    RECORD_IDS=$(echo "$EXISTING" | jq -r '.result[]?.id // empty')
+
+    if [ -z "$RECORD_IDS" ]; then
+      echo "  $h: OK (no DNS record)"
+      continue
+    fi
+
+    while read -r rid; do
+      [ -n "$rid" ] || continue
+      DEL=$(curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${rid}" \
+        "${AUTH_H[@]}" -H "Content-Type: application/json")
+      if echo "$DEL" | jq -e '.success == true' >/dev/null 2>&1; then
+        echo "  $h: Deleted placeholder DNS record"
+      else
+        echo "  $h: Delete failed ($(echo "$DEL" | jq -r '.errors[0].message // "unknown"' 2>/dev/null))"
+      fi
+    done <<< "$RECORD_IDS"
+  done
+fi
+
 echo ""
 echo "Done. Next: Request Let's Encrypt certs in NPMplus UI for each domain."
 echo "See: docs/04-configuration/UDM_PRO_NPMPLUS_ALLTRA_HYBX_PORT_FORWARD.md for UDM Pro port forward (manual)."
--- a/scripts/cloudflare/configure-omdnl-org-dns.sh
+++ b/scripts/cloudflare/configure-omdnl-org-dns.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# Cloudflare DNS for omdnl.org: apex (@) and www → PUBLIC_IP (A records, proxied).
+#
+# Prerequisite: Zone omdnl.org exists in Cloudflare and nameservers are delegated.
+# Requires .env: CLOUDFLARE_API_TOKEN (or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY),
+#                 CLOUDFLARE_ZONE_ID_OMDNL_ORG (or CLOUDFLARE_ZONE_ID when zone is omdnl.org)
+#                 PUBLIC_IP (WAN IP that reaches NPMplus, same pattern as other public sites)
+#
+# Usage: bash scripts/cloudflare/configure-omdnl-org-dns.sh [--dry-run]
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+source config/ip-addresses.conf 2>/dev/null || true
+[ -f .env ] && set +u && source .env 2>/dev/null || true && set -u
+
+ZONE_ID="${CLOUDFLARE_ZONE_ID_OMDNL_ORG:-${CLOUDFLARE_ZONE_ID:-}}"
+PUBLIC_IP="${PUBLIC_IP:-}"
+ZONE_NAME="${OMDNL_ORG_DNS_ZONE:-omdnl.org}"
+DRY=false
+[[ "${1:-}" == "--dry-run" ]] && DRY=true
+
+[ -n "$PUBLIC_IP" ] || { echo "Set PUBLIC_IP in .env (WAN IP for NPM)" >&2; exit 1; }
+
+if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
+  AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
+elif [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
+  AUTH_H=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")
+else
+  echo "Set CLOUDFLARE_API_TOKEN or (CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY) in .env" >&2
+  exit 1
+fi
+
+[ -n "$ZONE_ID" ] || { echo "Set CLOUDFLARE_ZONE_ID_OMDNL_ORG (or CLOUDFLARE_ZONE_ID) in .env" >&2; exit 1; }
+
+upsert_a() {
+  local api_name="$1"
+  local query_name="$2"
+  local data
+  data=$(jq -n --arg name "$api_name" --arg content "$PUBLIC_IP" \
+    '{type:"A",name:$name,content:$content,ttl:1,proxied:true}')
+
+  if $DRY; then
+    echo "[dry-run] would upsert A $api_name → $PUBLIC_IP"
+    return 0
+  fi
+
+  local existing record_id
+  existing=$(curl -s -G "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
+    --data-urlencode "name=${query_name}" \
+    --data-urlencode "type=A" \
+    "${AUTH_H[@]}" -H "Content-Type: application/json")
+  record_id=$(echo "$existing" | jq -r '.result[0].id // empty')
+
+  if [ -n "$record_id" ] && [ "$record_id" != "null" ]; then
+    local upd
+    upd=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${record_id}" \
+      "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$data")
+    echo "$upd" | jq -e '.success == true' >/dev/null 2>&1 && echo "Updated A ${query_name}" || { echo "$upd" | jq . >&2; return 1; }
+  else
+    local cr code
+    cr=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
+      "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$data")
+    if echo "$cr" | jq -e '.success == true' >/dev/null 2>&1; then
+      echo "Created A ${query_name}"
+      return 0
+    fi
+    code=$(echo "$cr" | jq -r '.errors[0].code // empty')
+    if [ "$code" = "81058" ]; then
+      echo "OK A ${query_name} (already exists with same target)"
+      return 0
+    fi
+    echo "$cr" | jq . >&2
+    return 1
+  fi
+}
+
+echo "omdnl.org DNS (zone id set) → ${PUBLIC_IP} (proxied)"
+# Apex: API name @ ; list API returns full record name omdnl.org
+upsert_a "@" "${ZONE_NAME}"
+# www
+upsert_a "www" "www.${ZONE_NAME}"
+echo "Done. After propagation: request NPM TLS for omdnl.org and www.omdnl.org."
--- a/scripts/cloudflare/configure-relay-mainnet-cw-dns.sh
+++ b/scripts/cloudflare/configure-relay-mainnet-cw-dns.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Create or update Cloudflare DNS for relay-mainnet-cw.d-bis.org → PUBLIC_IP (DNS-only, gray cloud).
+# Matches scripts/update-all-dns-to-public-ip.sh behavior for other NPM-fronted d-bis hosts.
+#
+# Usage: bash scripts/cloudflare/configure-relay-mainnet-cw-dns.sh
+# Requires: .env with CLOUDFLARE_API_TOKEN or (CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY),
+#           CLOUDFLARE_ZONE_ID_D_BIS_ORG or CLOUDFLARE_ZONE_ID, and PUBLIC_IP (WAN → NPM NAT).
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+source config/ip-addresses.conf 2>/dev/null || true
+[ -f .env ] && set +u && source .env 2>/dev/null || true && set -u
+
+ZONE_ID="${CLOUDFLARE_ZONE_ID:-${CLOUDFLARE_ZONE_ID_D_BIS_ORG:-}}"
+HOSTNAME="relay-mainnet-cw.d-bis.org"
+NAME_LABEL="relay-mainnet-cw"
+PUBLIC_IP="${PUBLIC_IP:-76.53.10.36}"
+
+if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
+  AUTH_H=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
+elif [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
+  AUTH_H=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")
+else
+  echo "Set CLOUDFLARE_API_TOKEN or (CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY) in .env" >&2
+  exit 1
+fi
+
+[ -z "${ZONE_ID:-}" ] && { echo "Set CLOUDFLARE_ZONE_ID or CLOUDFLARE_ZONE_ID_D_BIS_ORG in .env" >&2; exit 1; }
+
+DATA=$(jq -n --arg name "$NAME_LABEL" --arg content "$PUBLIC_IP" \
+  '{type:"A",name:$name,content:$content,ttl:1,proxied:false}')
+
+echo "Relay mainnet-cw DNS: $HOSTNAME → $PUBLIC_IP (DNS-only)"
+
+EXISTING=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?name=${HOSTNAME}" \
+  "${AUTH_H[@]}" -H "Content-Type: application/json")
+RECORD_ID=$(echo "$EXISTING" | jq -r '.result[0].id // empty')
+CURRENT_CONTENT=$(echo "$EXISTING" | jq -r '.result[0].content // empty')
+CURRENT_PROXIED=$(echo "$EXISTING" | jq -r '.result[0].proxied // false')
+
+if [ -n "$RECORD_ID" ] && [ "$RECORD_ID" != "null" ]; then
+  if [ "$CURRENT_CONTENT" = "$PUBLIC_IP" ] && [ "$CURRENT_PROXIED" = "false" ]; then
+    echo "  $HOSTNAME: OK (A → $PUBLIC_IP, proxied=false)"
+    exit 0
+  fi
+  UPD=$(curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
+    "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$DATA")
+  if echo "$UPD" | jq -e '.success == true' >/dev/null 2>&1; then
+    echo "  $HOSTNAME: Updated A → $PUBLIC_IP (proxied=false)"
+  else
+    echo "  $HOSTNAME: Update failed ($(echo "$UPD" | jq -r '.errors[0].message // "unknown"' 2>/dev/null))" >&2
+    exit 1
+  fi
+else
+  CR=$(curl -s -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
+    "${AUTH_H[@]}" -H "Content-Type: application/json" -d "$DATA")
+  if echo "$CR" | jq -e '.success == true' >/dev/null 2>&1; then
+    echo "  $HOSTNAME: Created A → $PUBLIC_IP (proxied=false)"
+  else
+    echo "  $HOSTNAME: Create failed ($(echo "$CR" | jq -r '.errors[0].message // "unknown"' 2>/dev/null))" >&2
+    exit 1
+  fi
+fi
--- a/scripts/cloudflare/purge-info-defi-oracle-cache.sh
+++ b/scripts/cloudflare/purge-info-defi-oracle-cache.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Purge Cloudflare edge cache for static paths on info.defi-oracle.io (robots, sitemap, agent-hints).
+# Use when the origin is correct but verify shows HTML fallback for /robots.txt etc.
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+# shellcheck source=/dev/null
+source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
+if [[ -f "$PROJECT_ROOT/.env" ]]; then
+  set +u
+  # shellcheck source=/dev/null
+  source "$PROJECT_ROOT/.env" 2>/dev/null || true
+  set -u
+fi
+ZONE="${CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO:?Set CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO in .env}"
+BASE="${INFO_SITE_BASE:-https://info.defi-oracle.io}"
+BASE="${BASE%/}"
+AUTH=()
+if [[ -n "${CLOUDFLARE_API_TOKEN:-}" ]]; then
+  AUTH=(-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN")
+elif [[ -n "${CLOUDFLARE_API_KEY:-}" && -n "${CLOUDFLARE_EMAIL:-}" ]]; then
+  AUTH=(-H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY")
+else
+  echo "Need CLOUDFLARE_API_TOKEN or CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY" >&2
+  exit 1
+fi
+PAYLOAD=$(jq -n --arg b "$BASE" '{files: [$b+"/robots.txt",$b+"/sitemap.xml",$b+"/agent-hints.json",$b+"/llms.txt"]}')
+curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE}/purge_cache" "${AUTH[@]}" \
+  -H "Content-Type: application/json" --data "$PAYLOAD" | jq -e '.success == true' >/dev/null
+echo "Purged static URLs under $BASE"
--- a/scripts/cloudflare/set-info-defi-oracle-dns-to-vmid2400-tunnel.sh
+++ b/scripts/cloudflare/set-info-defi-oracle-dns-to-vmid2400-tunnel.sh
@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+# Publish info.defi-oracle.io and www.info.defi-oracle.io.
+# Prefers the VMID 2400 tunnel when it exists; otherwise falls back to the public NPMplus edge.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$PROJECT_ROOT"
+
+source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
+
+if [[ -f "$PROJECT_ROOT/.env" ]]; then
+  set +u
+  source "$PROJECT_ROOT/.env" 2>/dev/null || true
+  set -u
+fi
+
+TUNNEL_ID="${VMID2400_TUNNEL_ID:-${CLOUDFLARE_TUNNEL_ID_VMID2400:-26138c21-db00-4a02-95db-ec75c07bda5b}}"
+ZONE_ID="${CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO:-}"
+TUNNEL_TARGET="${TUNNEL_ID}.cfargotunnel.com"
+EDGE_MODE="${INFO_DEFI_ORACLE_EDGE_MODE:-auto}"
+PUBLIC_EDGE_IP="${INFO_DEFI_ORACLE_PUBLIC_IP:-${PUBLIC_IP:-76.53.10.36}}"
+ACCOUNT_ID="${CLOUDFLARE_ACCOUNT_ID:-}"
+HOSTS=( "info.defi-oracle.io" "www.info.defi-oracle.io" )
+
+if [[ -z "$ZONE_ID" ]]; then
+  echo "CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO is required." >&2
+  exit 1
+fi
+
+cf_api() {
+  local method="$1"
+  local endpoint="$2"
+  local data="${3:-}"
+  local url="https://api.cloudflare.com/client/v4/zones/${ZONE_ID}${endpoint}"
+
+  if [[ -n "${CLOUDFLARE_API_TOKEN:-}" ]]; then
+    if [[ -n "$data" ]]; then
+      curl -s -X "$method" "$url" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -H "Content-Type: application/json" --data "$data"
+    else
+      curl -s -X "$method" "$url" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -H "Content-Type: application/json"
+    fi
+  elif [[ -n "${CLOUDFLARE_EMAIL:-}" && -n "${CLOUDFLARE_API_KEY:-}" ]]; then
+    if [[ -n "$data" ]]; then
+      curl -s -X "$method" "$url" -H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY" -H "Content-Type: application/json" --data "$data"
+    else
+      curl -s -X "$method" "$url" -H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY" -H "Content-Type: application/json"
+    fi
+  else
+    echo "Cloudflare credentials are required." >&2
+    exit 1
+  fi
+}
+
+cf_global_api() {
+  local method="$1"
+  local url="$2"
+
+  if [[ -n "${CLOUDFLARE_API_TOKEN:-}" ]]; then
+    curl -s -X "$method" "$url" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -H "Content-Type: application/json"
+  elif [[ -n "${CLOUDFLARE_EMAIL:-}" && -n "${CLOUDFLARE_API_KEY:-}" ]]; then
+    curl -s -X "$method" "$url" -H "X-Auth-Email: $CLOUDFLARE_EMAIL" -H "X-Auth-Key: $CLOUDFLARE_API_KEY" -H "Content-Type: application/json"
+  else
+    echo "Cloudflare credentials are required." >&2
+    exit 1
+  fi
+}
+
+resolve_account_id() {
+  if [[ -n "$ACCOUNT_ID" ]]; then
+    printf '%s\n' "$ACCOUNT_ID"
+    return 0
+  fi
+
+  local response
+  response="$(cf_global_api GET "https://api.cloudflare.com/client/v4/accounts")"
+  ACCOUNT_ID="$(printf '%s\n' "$response" | jq -r '.result[0].id // empty')"
+  printf '%s\n' "$ACCOUNT_ID"
+}
+
+tunnel_exists() {
+  local account_id
+  account_id="$(resolve_account_id)"
+  [[ -z "$account_id" ]] && return 1
+
+  local response
+  response="$(cf_global_api GET "https://api.cloudflare.com/client/v4/accounts/${account_id}/cfd_tunnel/${TUNNEL_ID}")"
+  printf '%s\n' "$response" | jq -e '.success == true' >/dev/null 2>&1
+}
+
+delete_conflicting_records() {
+  local name="$1"
+  local existing
+  existing="$(cf_api GET "/dns_records?name=${name}")"
+  printf '%s\n' "$existing" | jq -r '.result[]? | "\(.id) \(.type)"' | while read -r record_id record_type; do
+    [[ -z "$record_id" ]] && continue
+    if [[ "$record_type" == "A" || "$record_type" == "AAAA" || "$record_type" == "CNAME" ]]; then
+      cf_api DELETE "/dns_records/${record_id}" >/dev/null
+    fi
+  done
+}
+
+create_cname() {
+  local name="$1"
+  local payload
+  payload="$(jq -n --arg name "$name" --arg content "$TUNNEL_TARGET" '{type:"CNAME",name:$name,content:$content,proxied:true,ttl:1}')"
+  cf_api POST "/dns_records" "$payload" | jq -e '.success == true' >/dev/null
+}
+
+create_a_record() {
+  local name="$1"
+  local payload
+  payload="$(jq -n --arg name "$name" --arg content "$PUBLIC_EDGE_IP" '{type:"A",name:$name,content:$content,proxied:true,ttl:1}')"
+  cf_api POST "/dns_records" "$payload" | jq -e '.success == true' >/dev/null
+}
+
+TARGET_MODE="$EDGE_MODE"
+if [[ "$TARGET_MODE" == "auto" ]]; then
+  if tunnel_exists; then
+    TARGET_MODE="tunnel"
+  else
+    TARGET_MODE="public_ip"
+  fi
+fi
+
+case "$TARGET_MODE" in
+  tunnel)
+    echo "Publishing info.defi-oracle.io hostnames to tunnel ${TUNNEL_TARGET}"
+    ;;
+  public_ip|npmplus)
+    echo "Publishing info.defi-oracle.io hostnames to public edge ${PUBLIC_EDGE_IP}"
+    ;;
+  *)
+    echo "Unsupported INFO_DEFI_ORACLE_EDGE_MODE=${TARGET_MODE}" >&2
+    exit 1
+    ;;
+esac
+
+for host in "${HOSTS[@]}"; do
+  delete_conflicting_records "$host"
+  if [[ "$TARGET_MODE" == "tunnel" ]]; then
+    create_cname "$host"
+  else
+    create_a_record "$host"
+  fi
+  echo "  - ${host}"
+done
+
+echo "Done."