Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.

- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor

scripts/op-stack/README.md

@@ -0,0 +1,26 @@
+# OP Stack Standard Rollup — helper scripts
+
+**Runbook:** [docs/03-deployment/OP_STACK_STANDARD_ROLLUP_SUPERCHAIN_RUNBOOK.md](../../docs/03-deployment/OP_STACK_STANDARD_ROLLUP_SUPERCHAIN_RUNBOOK.md)
+
+| Script | Purpose |
+|--------|---------|
+| `fetch-standard-mainnet-toml.sh` | Download governance `validation/standard/*.toml` from superchain-registry into `config/op-stack-superchain/cache/` |
+| `registry-pr-checklist.sh` | Print registry PR checklist (stdout) |
+| `print-sepolia-rehearsal-checklist.sh` | Print Sepolia rehearsal steps |
+| `print-mainnet-deploy-checklist.sh` | Print mainnet deploy steps |
+| `print-mainnet-ops-checklist.sh` | Print mainnet operations checklist |
+
+These scripts do **not** install pinned OP Stack binaries or run chain deployments; they support repo-local documentation, CT preparation, and offline review of Standard Rollup inputs.
+
+For the Proxmox operator landing zone, use:
+
+- `bash scripts/deployment/provision-op-stack-operator-lxcs.sh`
+
+That script creates the dedicated `57xx` deployment/ops CTs on `r630-02` using `thin5`, installs baseline tooling, enables SSH access, and seeds this repo's OP Stack scaffolding into `/opt/op-stack-bootstrap/`.
+
+For post-bootstrap filesystem and service-account preparation inside a CT, use:
+
+- `bash scripts/op-stack/prepare-operator-ct.sh deployer`
+- `bash scripts/op-stack/prepare-operator-ct.sh ops`
+
+This creates the `opstack` service account, runtime directories, blank env files under `/etc/op-stack/`, and a shared JWT secret for `op-node` and the execution client.

scripts/op-stack/fetch-standard-mainnet-toml.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Download Standard Rollup governance TOML from superchain-registry (mainnet validation inputs).
+# Usage: bash scripts/op-stack/fetch-standard-mainnet-toml.sh [--dry-run]
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+CACHE="${PROJECT_ROOT}/config/op-stack-superchain/cache"
+BASE="https://raw.githubusercontent.com/ethereum-optimism/superchain-registry/main/validation/standard"
+
+DRY_RUN=false
+for a in "$@"; do [[ "$a" == "--dry-run" ]] && DRY_RUN=true; done
+
+FILES=(
+  "standard-versions-mainnet.toml"
+  "standard-config-params-mainnet.toml"
+  "standard-config-roles-mainnet.toml"
+)
+
+if $DRY_RUN; then
+  echo "Would fetch into $CACHE:"
+  for f in "${FILES[@]}"; do echo "  $BASE/$f"; done
+  exit 0
+fi
+
+mkdir -p "$CACHE"
+command -v curl >/dev/null 2>&1 || { echo "ERROR: curl required" >&2; exit 1; }
+
+for f in "${FILES[@]}"; do
+  out="${CACHE}/${f}"
+  echo "Fetching $f ..."
+  curl -fsSL -o "$out.new" "$BASE/$f"
+  mv "$out.new" "$out"
+  echo "  -> $out"
+done
+
+echo "Done. Compare with prior revisions before updating pinned-versions manifest."

scripts/op-stack/init-operator-workdirs.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROLE="${1:-}"
+if [[ "$ROLE" != "deployer" && "$ROLE" != "ops" ]]; then
+  echo "Usage: $0 <deployer|ops>" >&2
+  exit 1
+fi
+
+BOOTSTRAP_ROOT="${OP_STACK_BOOTSTRAP_ROOT:-/opt/op-stack-bootstrap}"
+STATE_ROOT="${OP_STACK_STATE_ROOT:-/var/lib/op-stack}"
+CONFIG_ROOT="${OP_STACK_CONFIG_ROOT:-/etc/op-stack}"
+SERVICE_USER="${OP_STACK_SERVICE_USER:-opstack}"
+SERVICE_GROUP="${OP_STACK_SERVICE_GROUP:-opstack}"
+
+install -d -m 750 \
+  "$STATE_ROOT/artifacts/mainnet" \
+  "$STATE_ROOT/artifacts/sepolia" \
+  "$STATE_ROOT/logs/mainnet" \
+  "$STATE_ROOT/logs/sepolia"
+
+if [[ "$ROLE" == "deployer" ]]; then
+  install -d -m 750 "$STATE_ROOT/deployer/mainnet" "$STATE_ROOT/deployer/sepolia"
+  if [[ ! -f "$STATE_ROOT/artifacts/pinned-versions.manifest.yaml" ]]; then
+    cp "$BOOTSTRAP_ROOT/config/op-stack-superchain/pinned-versions.manifest.example.yaml" \
+      "$STATE_ROOT/artifacts/pinned-versions.manifest.yaml"
+    chmod 640 "$STATE_ROOT/artifacts/pinned-versions.manifest.yaml"
+  fi
+fi
+
+if [[ "$ROLE" == "ops" ]]; then
+  install -d -m 750 "$STATE_ROOT/runtime/mainnet" "$STATE_ROOT/runtime/sepolia"
+fi
+
+chown -R "$SERVICE_USER:$SERVICE_GROUP" "$STATE_ROOT"
+chown root:"$SERVICE_GROUP" "$CONFIG_ROOT"/*.env "$CONFIG_ROOT/jwt.hex"
+
+cat <<EOF
+Initialized OP Stack $ROLE workdirs
+  artifacts: $STATE_ROOT/artifacts
+  logs:      $STATE_ROOT/logs
+EOF

scripts/op-stack/prepare-operator-ct.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROLE="${1:-}"
+if [[ "$ROLE" != "deployer" && "$ROLE" != "ops" ]]; then
+  echo "Usage: $0 <deployer|ops>" >&2
+  exit 1
+fi
+
+SERVICE_USER="${OP_STACK_SERVICE_USER:-opstack}"
+SERVICE_GROUP="${OP_STACK_SERVICE_GROUP:-opstack}"
+INSTALL_ROOT="${OP_STACK_INSTALL_ROOT:-/opt/op-stack}"
+STATE_ROOT="${OP_STACK_STATE_ROOT:-/var/lib/op-stack}"
+CONFIG_ROOT="${OP_STACK_CONFIG_ROOT:-/etc/op-stack}"
+
+if ! getent group "$SERVICE_GROUP" >/dev/null 2>&1; then
+  groupadd --system "$SERVICE_GROUP"
+fi
+
+if ! id -u "$SERVICE_USER" >/dev/null 2>&1; then
+  useradd \
+    --system \
+    --home-dir "$STATE_ROOT" \
+    --create-home \
+    --shell /usr/sbin/nologin \
+    --gid "$SERVICE_GROUP" \
+    "$SERVICE_USER"
+fi
+
+install -d -m 755 "$INSTALL_ROOT" "$INSTALL_ROOT/bin" "$INSTALL_ROOT/src" "$INSTALL_ROOT/workdir"
+install -d -m 750 "$STATE_ROOT"
+install -d -m 750 \
+  "$STATE_ROOT/artifacts" \
+  "$STATE_ROOT/jwt" \
+  "$STATE_ROOT/logs" \
+  "$STATE_ROOT/op-node" \
+  "$STATE_ROOT/op-reth" \
+  "$STATE_ROOT/batcher" \
+  "$STATE_ROOT/proposer" \
+  "$STATE_ROOT/challenger"
+
+if [[ "$ROLE" == "deployer" ]]; then
+  install -d -m 750 "$STATE_ROOT/deployer" "$STATE_ROOT/deployer/.deployer"
+else
+  install -d -m 750 "$STATE_ROOT/runtime"
+fi
+
+chown -R "$SERVICE_USER:$SERVICE_GROUP" "$INSTALL_ROOT" "$STATE_ROOT"
+
+install -d -m 755 "$CONFIG_ROOT" "$CONFIG_ROOT/systemd-examples"
+
+write_stub_if_missing() {
+  local path="$1"
+  local content="$2"
+  if [[ ! -s "$path" ]]; then
+    printf '%s\n' "$content" > "$path"
+    chmod 640 "$path"
+  fi
+}
+
+write_stub_if_missing "$CONFIG_ROOT/op-stack-l2.env" "# Fill and keep secret values out of git
+# OP_STACK_L2_CHAIN_ID=
+# L1_RPC_URL=
+# L1_BEACON_URL=
+# L2_CHAIN_NAME=
+"
+
+write_stub_if_missing "$CONFIG_ROOT/op-deployer.env" "# Deployer-side secrets and RPCs
+# L1_RPC_URL=
+# PRIVATE_KEY=
+# DEPLOYER_WORKDIR=/var/lib/op-stack/deployer/.deployer
+"
+
+write_stub_if_missing "$CONFIG_ROOT/op-node.env" "# Consensus client
+# L1_RPC_URL=
+# L1_BEACON_URL=
+# L2_ENGINE_RPC_URL=http://127.0.0.1:8551
+# JWT_SECRET=/etc/op-stack/jwt.hex
+# ROLLUP_CONFIG=/var/lib/op-stack/artifacts/rollup.json
+"
+
+write_stub_if_missing "$CONFIG_ROOT/op-reth.env" "# Preferred execution client
+# DATA_DIR=/var/lib/op-stack/op-reth
+# JWT_SECRET=/etc/op-stack/jwt.hex
+# CHAIN_CONFIG=/var/lib/op-stack/artifacts/genesis.json
+"
+
+write_stub_if_missing "$CONFIG_ROOT/sequencer.env" "# Legacy op-geth fallback only
+# DATA_DIR=/var/lib/op-stack/op-geth
+# JWT_SECRET=/etc/op-stack/jwt.hex
+"
+
+write_stub_if_missing "$CONFIG_ROOT/batcher.env" "# Batcher
+# L1_RPC_URL=
+# L2_RPC_URL=
+# PRIVATE_KEY=
+"
+
+write_stub_if_missing "$CONFIG_ROOT/proposer.env" "# Proposer
+# L1_RPC_URL=
+# L2_RPC_URL=
+# PRIVATE_KEY=
+"
+
+write_stub_if_missing "$CONFIG_ROOT/challenger.env" "# Challenger
+# L1_RPC_URL=
+# L2_RPC_URL=
+# PRIVATE_KEY=
+"
+
+chown root:"$SERVICE_GROUP" "$CONFIG_ROOT"/*.env
+
+if [[ ! -s "$CONFIG_ROOT/jwt.hex" ]]; then
+  openssl rand -hex 32 > "$CONFIG_ROOT/jwt.hex"
+fi
+chmod 640 "$CONFIG_ROOT/jwt.hex"
+chown root:"$SERVICE_GROUP" "$CONFIG_ROOT/jwt.hex"
+
+cat <<EOF
+Prepared OP Stack $ROLE workspace
+  service user:  $SERVICE_USER:$SERVICE_GROUP
+  install root:  $INSTALL_ROOT
+  state root:    $STATE_ROOT
+  config root:   $CONFIG_ROOT
+EOF

scripts/op-stack/print-mainnet-deploy-checklist.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Mainnet L1 deploy + L2 genesis checklist.
+set -euo pipefail
+
+cat <<'EOF'
+Phase 2 — Mainnet deploy
+========================
+[ ] Confirm Sepolia gate signed off
+[ ] Re-verify standard-versions-mainnet.toml vs pinned manifest
+[ ] op-deployer against Ethereum mainnet (L1 system contracts)
+[ ] Capture L1 addresses + L2 genesis/rollup config (artifact store + deployed/ notes)
+[ ] op-validator on MAINNET artifacts — must be clean before registry PR
+[ ] Record non-secrets under config/op-stack-superchain/deployed/
+EOF

scripts/op-stack/print-mainnet-ops-checklist.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Mainnet operations checklist.
+set -euo pipefail
+
+cat <<'EOF'
+Phase 3 — Mainnet operations
+============================
+[ ] HA sequencer (op-node + op-geth) per your SRE standard
+[ ] op-batcher healthy; L1 gas / blob policy monitored
+[ ] op-proposer publishing outputs; withdrawal path tested
+[ ] op-challenger running; alert on failures
+[ ] Replica RPC (+ optional WS); rate limits; dashboards
+[ ] Small real-value deposit/withdraw E2E; incident runbook linked
+[ ] systemd (or k8s) units from config/systemd/op-stack-*.example.service adapted
+EOF

scripts/op-stack/print-sepolia-rehearsal-checklist.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Sepolia rehearsal checklist (Standard Rollup gate before mainnet).
+set -euo pipefail
+
+cat <<'EOF'
+Phase 1 — Sepolia rehearsal
+===========================
+[ ] Pin op-deployer / OP Stack monorepo release = intended mainnet release
+[ ] op-deployer: deploy L1 (Sepolia) + generate L2 genesis / rollup config
+[ ] op-validator: clean report on artifacts
+[ ] Start op-node + op-geth (sequencer)
+[ ] Start op-batcher, op-proposer, op-challenger
+[ ] E2E: deposit / withdraw on test L2
+[ ] Drill: batcher or sequencer failover
+[ ] Soak 24–72h; capture metrics
+[ ] Freeze pinned-versions.manifest + archive logs for change board
+EOF

scripts/op-stack/registry-pr-checklist.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Print superchain-registry PR checklist (Standard Rollup).
+set -euo pipefail
+
+cat <<'EOF'
+Superchain registry PR — operator checklist
+============================================
+Reference: https://github.com/ethereum-optimism/superchain-registry/blob/main/docs/ops.md#adding-a-chain
+
+[ ] Local superchain-registry validation passes (per upstream guide / Makefile)
+[ ] Chain metadata + TOML/JSON artifacts match op-deployer output for YOUR L1/L2
+[ ] L2 chain ID unique; documented as distinct from Besu DBIS 138 if parallel
+[ ] op-validator clean on MAINNET artifacts (run before opening PR)
+[ ] standard-versions / bytecode alignment with standard-versions-mainnet.toml
+[ ] PR description includes release tags, L1 network (ethereum mainnet), Security Council / roles pointers
+[ ] Off-chain: Optimism Foundation review items (security config, governance authenticity)
+[ ] After merge: plan --network / --op-network for node hard-fork inheritance
+EOF