chore: BSC relay fund script, CCIP RTT report, NPM proxy fixes, submodule

- Add scripts/bridge/fund-bsc-relay-bridge.sh (mirror mainnet helper) - Add reports/ccip-rtt-138-bsc-source-execution-2026-03-24.json (5/5 baseline) - update-npmplus-proxy-hosts-api: case-insensitive host id, refresh on miss, recover duplicate POST via PUT, add-if-missing for dbis-api-2, secure, mim4u* - smom-dbis-138: relay log chunking, START_BLOCK parsing, README, .env.bsc.example Made-with: Cursor
2026-03-24 16:18:29 -07:00
parent be14693184
commit dc68ae8072
4 changed files with 294 additions and 53 deletions
--- a/reports/ccip-rtt-138-bsc-source-execution-2026-03-24.json
+++ b/reports/ccip-rtt-138-bsc-source-execution-2026-03-24.json
@@ -0,0 +1,118 @@
 {
  "schema_version": "rtt-baseline-v1",
  "series_id": "138-bsc-weth-0.001-2026-03-24T08:14Z",
  "collected_at_utc": "2026-03-24T08:14:00Z",
  "chain_pair": "138 → BSC (56)",
  "payload_type": "weth_ccip",
  "amount_wei": "1000000000000000",
  "lane_label": "operator-baseline-5x",
  "destination_lookup_provider": "ccip_explorer",
  "notes": [
    "Each broadcast used GAS_LIMIT=1200000; Core RPC http://192.168.11.211:8545 returned Invalid params on eth_estimateGas without explicit gas.",
    "CCIP_DEST_CHAIN_SELECTOR=11344663589394136015. Bridge 0xcacfd227A040002e49e2e01626363071324f820a. BSC receiver 0x886C6A4ABC064dbf74E7caEc460b7eeC31F1b78C.",
    "BSC destination lookup: binance dataseed often returns -32005 on eth_getLogs; https://bsc.publicnode.com accepted ~10-block windows for CrossChainTransferCompleted(bytes32,uint64,address,uint256) on the relay bridge. CCIP Explorer / BscScan / API keys remain valid fallbacks.",
    "2026-03-24: RelayService eth_getLogs chunking + adaptive split (SOURCE_LOGS_MAX_BLOCK_RANGE) fixes public-RPC range errors. BSC relay bridge under-funded caused relayMessage reverts; wrapped BNB to WETH and transferred to 0x886C6A4ABC064dbf74E7caEc460b7eeC31F1b78C. Runs 1–2 delivered first; runs 3–5 after second top-up: WETH transfer 0x8f3529250dc10b0cadab3f549da6e90a6e2f0ddc380c05672295dc5389fc96e2 (0.003 WETH) then ./start-relay.sh bsc. Destination logs via bsc.publicnode.com (small eth_getLogs windows). RTT for runs 3–5 includes long queue before relay."
  ],
  "source_rpc_used_for_metadata": "https://rpc.public-0138.defi-oracle.io",
  "write_rpc": "http://192.168.11.211:8545",
  "execution_log": "reports/ccip-rtt-138-bsc-execution-20260324T0815Z.log",
  "last_validation_at_utc": "2026-03-24T18:33:25Z",
  "validation": {
    "rtt_metrics_status": "complete_5_of_5",
    "source_only": {
      "message_ids_unique": true,
      "source_timestamps_strictly_increasing": true,
      "source_timestamp_deltas_seconds": [10, 124, 124, 124],
      "notes": "Deltas align with ~120s send spacing plus block time."
    },
    "destination_sample": {
      "runs_completed": 5,
      "runs_pending_bridge_liquidity": 0,
      "notes": "processedTransfers true for all five messageIds; destination txs match BSC receipts. Runs 1–2 destination_block_number corrected 2026-03-24 to cast receipt blockNumber (timestamps/RTT unchanged)."
    }
  },
  "runs": [
    {
      "run": 1,
      "ccip_message_id": "0x6580c9070587976ef0582f9c537312d4b7a44fc9e8009a011677f2279ba54de1",
      "source_tx_hash": "0xa17467afd88ca42ba5a7ab91a15d1ca4ad1e180c97664b1dbca09cb5334a5536",
      "source_block_number": "0x310b2d",
      "source_block_timestamp": 1774340097,
      "destination_tx_hash": "0x12786ddf80adf2b9146587084a39f68fd204412190284113e32f9f09171f91c7",
      "destination_block_number": "0x5458354",
      "destination_block_timestamp": 1774347496,
      "rtt_seconds": 7399,
      "execution_status": "success",
      "validation_status": "complete"
    },
    {
      "run": 2,
      "ccip_message_id": "0x68dca207836fb9fd5e5bffd2dd52e229490e054177d3e2995e79a35404d1e03f",
      "source_tx_hash": "0x55e2b019b79b3dac9aace339cf3d258a0f987bf1ddec06d9e16207758bf5cb5c",
      "source_block_number": "0x310b32",
      "source_block_timestamp": 1774340107,
      "destination_tx_hash": "0x9bc7cd898cd5a06a52f0a0852602d6f9fbca240a35746bd661283b3bb7d7c7b0",
      "destination_block_number": "0x5458360",
      "destination_block_timestamp": 1774347502,
      "rtt_seconds": 7395,
      "execution_status": "success",
      "validation_status": "complete"
    },
    {
      "run": 3,
      "ccip_message_id": "0x26da416a650ecb37d72cda0c029160a288343511695af60b9ae3d8695ce79d8a",
      "source_tx_hash": "0x72c3c947a6812685fb4addde3c49ad9b7e93190ddb8a3e970ec2ba33164a4520",
      "source_block_number": "0x310b70",
      "source_block_timestamp": 1774340231,
      "destination_tx_hash": "0xe6501404232e46baf7af96e953e47f64ed9fc92c02bbc7d051ce5e88b08f4167",
      "destination_block_number": "0x5465efc",
      "destination_block_timestamp": 1774372806,
      "rtt_seconds": 32575,
      "execution_status": "success",
      "validation_status": "complete"
    },
    {
      "run": 4,
      "ccip_message_id": "0x215582078002ad191e05d30fe6145e53d735e6a71288bfa94bd23a465ead3f7f",
      "source_tx_hash": "0x0dff75f13088927fc4d2ee3f76941f006369f3ac9b426a82b57ff7e2f5542ed5",
      "source_block_number": "0x310bae",
      "source_block_timestamp": 1774340355,
      "destination_tx_hash": "0xd0312a148e1ef5914efd0eeb2e5cd4f93f37aa18e5cf0b16f226922d17bcdbbf",
      "destination_block_number": "0x5465f07",
      "destination_block_timestamp": 1774372811,
      "rtt_seconds": 32456,
      "execution_status": "success",
      "validation_status": "complete"
    },
    {
      "run": 5,
      "ccip_message_id": "0xa9c00243b446ad18240e3b3fdf7644559385e68515bf4339a4900334b6ab5945",
      "source_tx_hash": "0x7caa60ec028000255328c97570235106072967142869b6f3bf5a8a64db2c3c85",
      "source_block_number": "0x310bec",
      "source_block_timestamp": 1774340479,
      "destination_tx_hash": "0xd1047eefb7e75a58ef60e551a7d8ff69fede94790a5bd2b2dde8b756d5852401",
      "destination_block_number": "0x5465f12",
      "destination_block_timestamp": 1774372816,
      "rtt_seconds": 32337,
      "execution_status": "success",
      "validation_status": "complete"
    }
  ],
  "failed_runs": [],
  "summary": {
    "successful_runs": 5,
    "failed_runs": 0,
    "median_rtt_seconds": 32337,
    "worst_case_rtt_seconds": 32575,
    "best_case_rtt_seconds": 7395,
    "range_rtt_seconds": 25180,
    "p95_rtt_seconds": null,
    "p95_note": "N/A (N<20)",
    "p99_rtt_seconds": null,
    "p99_note": "N/A (N<20)",
    "timeout_seconds": 40719,
    "min_spacing_seconds": 7399,
    "summary_generated_at_utc": "2026-03-24T18:33:25Z",
    "summary_note": "All 5 runs delivered. Runs 1–2 RTT ~2.05 h (normal relay path). Runs 3–5 RTT ~9 h each because messages queued until second WETH top-up. timeout_seconds = ceil(32575*1.25). min_spacing_seconds left as prior worst-case source→dest for early pair; use destination inter-arrival if you need relay-batch spacing."
  }
 }
--- a/scripts/bridge/fund-bsc-relay-bridge.sh
+++ b/scripts/bridge/fund-bsc-relay-bridge.sh
@@ -0,0 +1,62 @@
 #!/usr/bin/env bash
 # Fund the BSC CCIPRelayBridge with WETH from the deployer wallet.
 # Usage: ./scripts/bridge/fund-bsc-relay-bridge.sh [amount_wei] [--dry-run]
 #   If amount_wei is omitted, transfers the deployer's full WETH balance.
 #   --dry-run: print balances and amount that would be sent; do not broadcast.
 # Env: PRIVATE_KEY (not required for --dry-run), BSC_RPC_URL or DEST_RPC_URL from relay profile
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 [[ -f "${PROJECT_ROOT}/smom-dbis-138/.env" ]] && source "${PROJECT_ROOT}/smom-dbis-138/.env" 2>/dev/null || true
 # Optional: DEST_RPC_URL from relay .env.bsc (not auto-sourced; user may export)
 if [[ -f "${PROJECT_ROOT}/smom-dbis-138/services/relay/.env.bsc" ]]; then
  # shellcheck disable=SC1090
  source "${PROJECT_ROOT}/smom-dbis-138/services/relay/.env.bsc" 2>/dev/null || true
 fi
 DRY_RUN=false
 ARGS=()
 for a in "$@"; do
  [[ "$a" = "--dry-run" ]] && DRY_RUN=true || ARGS+=("$a")
 done
 DEPLOYER="${DEPLOYER_ADDRESS:-0x4A666F96fC8764181194447A7dFdb7d471b301C8}"
 WETH="${DEST_WETH9_ADDRESS:-0xe0E93247376aa097dB308B92e6Ba36bA015535D0}"
 BRIDGE="${DEST_RELAY_BRIDGE:-0x886C6A4ABC064dbf74E7caEc460b7eeC31F1b78C}"
 RPC="${BSC_RPC_URL:-${DEST_RPC_URL:-https://bsc.publicnode.com}}"
 [[ "$DRY_RUN" = true ]] || [[ -n "${PRIVATE_KEY:-}" ]] || { echo "PRIVATE_KEY required"; exit 1; }
 command -v cast &>/dev/null || { echo "cast not found (install Foundry)"; exit 1; }
 BALANCE=$(cast call "$WETH" "balanceOf(address)(uint256)" "$DEPLOYER" --rpc-url "$RPC" 2>/dev/null || echo "0")
 BRIDGE_BAL=$(cast call "$WETH" "balanceOf(address)(uint256)" "$BRIDGE" --rpc-url "$RPC" 2>/dev/null || echo "0")
 echo "Deployer WETH balance (BSC): $BALANCE wei"
 echo "Bridge WETH balance (BSC):   $BRIDGE_BAL wei"
 if [[ "${ARGS[0]:-}" = "" ]]; then
  AMT="$BALANCE"
  echo "Would transfer full balance: $AMT wei"
 else
  AMT="${ARGS[0]}"
  echo "Would transfer: $AMT wei"
 fi
 if [[ -z "$AMT" ]] || [[ "$AMT" = "0" ]]; then
  echo "Nothing to transfer."
  [[ "$DRY_RUN" = true ]] && echo "[--dry-run] No tx would be sent."
  exit 0
 fi
 if [[ "$DRY_RUN" = true ]]; then
  echo "[--dry-run] Would run: cast send $WETH transfer(address,uint256) $BRIDGE $AMT --rpc-url <RPC> --private-key <PRIVATE_KEY> --legacy"
  echo "[--dry-run] No transaction sent."
  exit 0
 fi
 cast send "$WETH" "transfer(address,uint256)" "$BRIDGE" "$AMT" \
  --rpc-url "$RPC" \
  --private-key "$PRIVATE_KEY" \
  --legacy
 echo "Done. Bridge WETH balance: $(cast call "$WETH" "balanceOf(address)(uint256)" "$BRIDGE" --rpc-url "$RPC") wei"
--- a/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
+++ b/scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
 # Security: do not use `bash -x` or `curl -v` when debugging auth in production — logs may capture secrets.
 # Auth failures: only a short error message is printed by default. For a redacted JSON snippet set NPM_DEBUG_AUTH=1.
 set -euo pipefail
 # Load IP configuration
@@ -8,7 +10,8 @@ source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
 # Update existing NPMplus proxy hosts via API with correct VMIDs and IPs
-# This script updates existing proxy hosts, not creates new ones
+# This script updates existing proxy hosts, not creates new ones.
 # PUT payload includes only forward_* / websocket / block_exploits — existing certificate_id and ssl_forced are preserved by NPMplus.
 set -e
@@ -37,7 +40,7 @@ fi
 [ -n "$_orig_npm_password" ] && NPM_PASSWORD="$_orig_npm_password"
 [ -f "$PROJECT_ROOT/config/ip-addresses.conf" ] && source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
-# Default .167: NPMplus (VMID 10233) reachable on ${IP_NPMPLUS:-${IP_NPMPLUS:-192.168.11.167}}:81; set NPM_URL in .env to override
+# Default: NPMplus (VMID 10233) — IP_NPMPLUS from config/ip-addresses.conf (prefer eth1 / .167); override with NPM_URL in .env
 NPM_URL="${NPM_URL:-https://${IP_NPMPLUS}:81}"
 NPM_EMAIL="${NPM_EMAIL:-nsatoshi2007@hotmail.com}"
 NPM_PASSWORD="${NPM_PASSWORD:-}"
@@ -53,28 +56,44 @@ echo "🔄 Updating NPMplus Proxy Hosts via API"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
-# Connection check (NPMplus is on LAN 192.168.11.x). Try alternate IP if .166/.167 unreachable.
+# NPMplus API can stall indefinitely without --max-time (override e.g. NPM_CURL_MAX_TIME=300)
 NPM_CURL_MAX_TIME="${NPM_CURL_MAX_TIME:-120}"
 curl_npm() { curl -s -k --connect-timeout 10 --max-time "$NPM_CURL_MAX_TIME" "$@"; }
 # Connection check (NPMplus is on LAN 192.168.11.x). Try HTTP if HTTPS fails; try alternate IP .166/.167 if unreachable.
 echo "🔐 Authenticating to NPMplus..."
-if ! curl -s -k -o /dev/null --connect-timeout 5 "$NPM_URL/" 2>/dev/null; then
+try_connect() { curl -s -k -o /dev/null --connect-timeout 5 --max-time 15 "$1" 2>/dev/null; }
 if ! try_connect "$NPM_URL/"; then
  # Try HTTP instead of HTTPS (NPM admin often listens on HTTP only on port 81)
  http_url="${NPM_URL/https:/http:}"
  if try_connect "$http_url/"; then
    NPM_URL="$http_url"
    echo "   Using HTTP (HTTPS timed out): $NPM_URL"
  else
    alt_url=""
-  if [[ "$NPM_URL" == *"192.168.11.166"* ]]; then
+    if [[ "$NPM_URL" == *"${IP_NPMPLUS_ETH0}"* ]]; then
-    alt_url="${NPM_URL//192.168.11.166/192.168.11.167}"
+      alt_url="https://${IP_NPMPLUS}:81"
-  elif [[ "$NPM_URL" == *"192.168.11.167"* ]]; then
+    elif [[ "$NPM_URL" == *"${IP_NPMPLUS}"* ]] || [[ "$NPM_URL" == *"${IP_NPMPLUS_ETH1}"* ]]; then
-    alt_url="${NPM_URL//192.168.11.167/192.168.11.166}"
+      alt_url="https://${IP_NPMPLUS_ETH0}:81"
    fi
-  if [ -n "$alt_url" ] && curl -s -k -o /dev/null --connect-timeout 5 "$alt_url/" 2>/dev/null; then
+    connected=""
-    NPM_URL="$alt_url"
+    if [ -n "$alt_url" ] && try_connect "$alt_url/"; then connected="$alt_url"; fi
    if [ -z "$connected" ] && [ -n "$alt_url" ] && try_connect "${alt_url/https:/http:}/"; then connected="${alt_url/https:/http:}"; fi
    if [ -n "$connected" ]; then
      NPM_URL="$connected"
      echo "   Using alternate NPMplus URL: $NPM_URL"
    else
      echo "❌ Cannot connect to NPMplus at $NPM_URL"
-    [ -n "$alt_url" ] && echo "   Tried alternate: $alt_url"
+      [ -n "$alt_url" ] && echo "   Tried alternate: $alt_url and ${alt_url/https:/http:}"
-    echo "   Run this script from a host on the same LAN as NPMplus (e.g. 192.168.11.x). Ensure container 10233 is running."
+      echo "   Try in browser: http://${IP_NPMPLUS}:81 (not https). If not on LAN, use SSH tunnel: ssh -L 8181:${IP_NPMPLUS}:81 -N root@${PROXMOX_HOST_R630_01} then http://127.0.0.1:8181"
      echo "   Run this script from a host on the same LAN as NPMplus. Ensure container 10233 is running."
      exit 1
    fi
  fi
 fi
 AUTH_JSON=$(jq -n --arg identity "$NPM_EMAIL" --arg secret "$NPM_PASSWORD" '{identity:$identity,secret:$secret}')
-TOKEN_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/tokens" \
+TOKEN_RESPONSE=$(curl_npm -X POST "$NPM_URL/api/tokens" \
  -H "Content-Type: application/json" \
  -d "$AUTH_JSON")
@@ -83,10 +102,11 @@ TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // empty' 2>/dev/null || echo "")
 if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
  ERROR_MSG=$(echo "$TOKEN_RESPONSE" | jq -r '.message // .error.message // .error // "Unknown error"' 2>/dev/null || echo "")
  echo "❌ Authentication failed: ${ERROR_MSG:-No token in response}"
-  # Show response (first 300 chars) to help debug
+  if [ "${NPM_DEBUG_AUTH:-0}" = "1" ]; then
-  RESP_PREVIEW=$(echo "$TOKEN_RESPONSE" | head -c 300)
+    # Strip .token from body before preview (never print bearer tokens)
-  if [ -n "$RESP_PREVIEW" ]; then
+    RESP_PREVIEW=$(echo "$TOKEN_RESPONSE" | jq -c 'del(.token) | del(.data)' 2>/dev/null | head -c 300)
-    echo "   Response: $RESP_PREVIEW"
+    [ -z "$RESP_PREVIEW" ] && RESP_PREVIEW=$(echo "$TOKEN_RESPONSE" | head -c 200)
    echo "   Debug (NPM_DEBUG_AUTH=1, token field stripped if jq OK): $RESP_PREVIEW"
  fi
  exit 1
 fi
@@ -96,7 +116,7 @@ echo ""
 # Get all proxy hosts
 echo "📋 Fetching existing proxy hosts..."
-PROXY_HOSTS_JSON=$(curl -s -k -X GET "$NPM_URL/api/nginx/proxy-hosts" \
+PROXY_HOSTS_JSON=$(curl_npm -X GET "$NPM_URL/api/nginx/proxy-hosts" \
  -H "Authorization: Bearer $TOKEN")
 if [ $? -ne 0 ]; then
@@ -104,6 +124,16 @@ if [ $? -ne 0 ]; then
  exit 1
 fi
 # Match proxy host id by domain (case-insensitive). Avoids "not found" when NPM stores different casing.
 resolve_proxy_host_id() {
  local domain="$1"
  local json="${2:-$PROXY_HOSTS_JSON}"
  echo "$json" | jq -r --arg d "$domain" '
    .[] | select(.domain_names | type == "array") |
    select(any(.domain_names[]; (. | tostring | ascii_downcase) == ($d | ascii_downcase))) |
    .id' 2>/dev/null | head -n1
 }
 # Function to add proxy host (POST) when domain does not exist
 add_proxy_host() {
  local domain=$1
@@ -133,7 +163,7 @@ add_proxy_host() {
    return 1
  fi
  local resp
-  resp=$(curl -s -k -X POST "$NPM_URL/api/nginx/proxy-hosts" \
+  resp=$(curl_npm -X POST "$NPM_URL/api/nginx/proxy-hosts" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "$payload" 2>/dev/null)
@@ -146,6 +176,15 @@ add_proxy_host() {
    local err
    err=$(echo "$resp" | jq -r '.message // .error // "unknown"' 2>/dev/null)
    echo "  ❌ Add failed for $domain: $err"
    if echo "$err" | grep -qiE 'already|in use|exist|duplicate|unique'; then
      echo "  ↪ Host likely exists; refreshing list and attempting PUT update..."
      PROXY_HOSTS_JSON=$(curl_npm -X GET "$NPM_URL/api/nginx/proxy-hosts" \
        -H "Authorization: Bearer $TOKEN")
      if update_proxy_host "$domain" "http://${forward_host}:${forward_port}" "$websocket" "$block_exploits"; then
        echo "  ✅ Updated after duplicate-create error: $domain"
        return 0
      fi
    fi
    return 1
  fi
 }
@@ -170,9 +209,14 @@ update_proxy_host() {
    port=$(echo "$target" | sed -E 's|^https://[^:]+:([0-9]+).*|\1|' || echo "443")
  fi
-  # Get host ID - domain_names is an array in the API response
+  # Get host ID (case-insensitive); refresh once if missing (stale list / race with other writers)
-  HOST_ID=$(echo "$PROXY_HOSTS_JSON" | jq -r ".[] | select(.domain_names | type == \"array\") | select(.domain_names[] == \"$domain\") | .id" 2>/dev/null | head -n1 || echo "")
+  HOST_ID=$(resolve_proxy_host_id "$domain" "$PROXY_HOSTS_JSON")
-  
+  if [ -z "$HOST_ID" ] || [ "$HOST_ID" = "null" ]; then
    echo "📋 Refreshing proxy host list (retry lookup for $domain)..."
    PROXY_HOSTS_JSON=$(curl_npm -X GET "$NPM_URL/api/nginx/proxy-hosts" \
      -H "Authorization: Bearer $TOKEN")
    HOST_ID=$(resolve_proxy_host_id "$domain" "$PROXY_HOSTS_JSON")
  fi
  if [ -z "$HOST_ID" ] || [ "$HOST_ID" = "null" ]; then
    echo "⚠️  Domain $domain not found (skipping)"
    return 1
@@ -181,15 +225,15 @@ update_proxy_host() {
  echo "📋 Updating $domain (ID: $HOST_ID)..."
  # Create minimal update payload - NPMplus API only accepts specific fields
-  # block_exploits must be false for RPC so POST to / is allowed (JSON-RPC)
+  # block_exploits must be false for RPC so POST to / is allowed (JSON-RPC); explicit false fixes 405
-  BLOCK_EXPLOITS_JSON="false"
+  local be_json="false"
-  [ "$block_exploits" = "true" ] && BLOCK_EXPLOITS_JSON="true"
+  [ "$block_exploits" = "true" ] && be_json="true"
  UPDATE_PAYLOAD=$(jq -n \
    --arg scheme "$scheme" \
    --arg hostname "$hostname" \
-    --argjson port "$(echo "$port" | sed 's/[^0-9]//g')" \
+    --argjson port "$(echo "$port" | sed 's/[^0-9]//g' || echo "80")" \
    --argjson websocket "$websocket" \
-    --argjson block_exploits "$BLOCK_EXPLOITS_JSON" \
+    --argjson block_exploits "$be_json" \
    '{
      forward_scheme: $scheme,
      forward_host: $hostname,
@@ -198,7 +242,7 @@ update_proxy_host() {
      block_exploits: $block_exploits
    }' 2>/dev/null || echo "")
-  UPDATE_RESPONSE=$(curl -s -k -X PUT "$NPM_URL/api/nginx/proxy-hosts/$HOST_ID" \
+  UPDATE_RESPONSE=$(curl_npm -X PUT "$NPM_URL/api/nginx/proxy-hosts/$HOST_ID" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d "$UPDATE_PAYLOAD")
@@ -219,35 +263,52 @@ update_proxy_host() {
 updated_count=0
 failed_count=0
-# Blockscout - Port 80 (nginx serves web UI, proxies /api/* to 4000 internally)
+# Blockscout / SolaceScanScout (VMID 5000) - Port 80 (nginx serves web UI, proxies /api/* to 4000 internally)
 update_proxy_host "explorer.d-bis.org" "http://${IP_BLOCKSCOUT}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
-# RPC hosts: block_exploits must be false so POST to / works (JSON-RPC)
+update_proxy_host "blockscout.defi-oracle.io" "http://${IP_BLOCKSCOUT}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "blockscout.defi-oracle.io" "${IP_BLOCKSCOUT}" 80 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "rpc-http-pub.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+# docs.d-bis.org — same backend as explorer; nginx on VMID 5000 must serve /transaction-explanation/ (see deploy README)
-update_proxy_host "rpc-ws-pub.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "docs.d-bis.org" "http://${IP_BLOCKSCOUT}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "docs.d-bis.org" "${IP_BLOCKSCOUT}" 80 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "rpc-http-prv.d-bis.org" "http://${RPC_CORE_1}:8545" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+# RPC hosts: block_exploits must be false so POST to / works (JSON-RPC). Add if missing to avoid 405.
-update_proxy_host "rpc-ws-prv.d-bis.org" "http://${RPC_CORE_1}:8546" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "rpc-http-pub.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc-http-pub.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "rpc-ws-pub.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc-ws-pub.d-bis.org" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "rpc-http-prv.d-bis.org" "http://${RPC_CORE_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc-http-prv.d-bis.org" "${RPC_CORE_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "rpc-ws-prv.d-bis.org" "http://${RPC_CORE_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc-ws-prv.d-bis.org" "${RPC_CORE_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # ThirdWeb Admin Core RPC — VMID ${RPC_THIRDWEB_ADMIN_CORE_VMID:-2103} @ ${RPC_THIRDWEB_ADMIN_CORE} (HTTPS + WSS via NPMplus; block_exploits off for JSON-RPC POST)
 RPC_THIRDWEB_ADMIN_CORE="${RPC_THIRDWEB_ADMIN_CORE:-192.168.11.217}"
 update_proxy_host "rpc.tw-core.d-bis.org" "http://${RPC_THIRDWEB_ADMIN_CORE}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.tw-core.d-bis.org" "${RPC_THIRDWEB_ADMIN_CORE}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "wss.tw-core.d-bis.org" "http://${RPC_THIRDWEB_ADMIN_CORE}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "wss.tw-core.d-bis.org" "${RPC_THIRDWEB_ADMIN_CORE}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # Catch-all for foo.tw-core.d-bis.org → Besu HTTP JSON-RPC :8545 (exact rpc./wss. hosts above take precedence for nginx server_name)
 update_proxy_host '*.tw-core.d-bis.org' "http://${RPC_THIRDWEB_ADMIN_CORE}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host '*.tw-core.d-bis.org' "${RPC_THIRDWEB_ADMIN_CORE}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # RPC Core-2 (Nathan) is on the THIRD NPMplus (192.168.11.169) — use add-rpc-core-2-npmplus-proxy.sh and update-npmplus-alltra-hybx-proxy-hosts.sh
 update_proxy_host "rpc.public-0138.defi-oracle.io" "https://${RPC_THIRDWEB_PRIMARY}:443" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
 # rpc.defi-oracle.io / wss.defi-oracle.io → same backend as rpc-http-pub / rpc-ws-pub (VMID 2201)
-update_proxy_host "rpc.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "rpc.defi-oracle.io" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.defi-oracle.io" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "wss.defi-oracle.io" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "wss.defi-oracle.io" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "wss.defi-oracle.io" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-# rpc.d-bis.org / rpc2.d-bis.org and WS variants → VMID 2201 (besu-rpc-public-1)
+# rpc.d-bis.org / rpc2.d-bis.org and WS variants → VMID 2201 (besu-rpc-public-1); add if missing to fix 405
-update_proxy_host "rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "rpc2.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "rpc2.d-bis.org" "http://${RPC_PUBLIC_1}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc2.d-bis.org" "${RPC_PUBLIC_1}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "ws.rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "ws.rpc.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "ws.rpc.d-bis.org" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "ws.rpc2.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "ws.rpc2.d-bis.org" "http://${RPC_PUBLIC_1}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "ws.rpc2.d-bis.org" "${RPC_PUBLIC_1}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # Fireblocks-dedicated RPC (VMID 2301)
 update_proxy_host "rpc-fireblocks.d-bis.org" "http://${RPC_FIREBLOCKS_1:-${RPC_PRIVATE_1}}:8545" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "rpc-fireblocks.d-bis.org" "${RPC_FIREBLOCKS_1:-${RPC_PRIVATE_1}}" 8545 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "ws.rpc-fireblocks.d-bis.org" "http://${RPC_FIREBLOCKS_1:-${RPC_PRIVATE_1}}:8546" true false && updated_count=$((updated_count + 1)) || { add_proxy_host "ws.rpc-fireblocks.d-bis.org" "${RPC_FIREBLOCKS_1:-${RPC_PRIVATE_1}}" 8546 true false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "dbis-admin.d-bis.org" "http://${IP_DBIS_FRONTEND:-192.168.11.130}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
 update_proxy_host "dbis-api.d-bis.org" "http://${IP_DBIS_API:-192.168.11.155}:3000" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
-update_proxy_host "dbis-api-2.d-bis.org" "http://${IP_DBIS_API_2:-192.168.11.156}:3000" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "dbis-api-2.d-bis.org" "http://${IP_DBIS_API_2:-192.168.11.156}:3000" false && updated_count=$((updated_count + 1)) || { add_proxy_host "dbis-api-2.d-bis.org" "${IP_DBIS_API_2:-192.168.11.156}" 3000 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "secure.d-bis.org" "http://${IP_DBIS_FRONTEND:-192.168.11.130}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "secure.d-bis.org" "http://${IP_DBIS_FRONTEND:-192.168.11.130}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "secure.d-bis.org" "${IP_DBIS_FRONTEND:-192.168.11.130}" 80 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # DApp (VMID 5801) — frontend-dapp for Chain 138 bridge
 update_proxy_host "dapp.d-bis.org" "http://${IP_DAPP_LXC:-192.168.11.58}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "dapp.d-bis.org" "${IP_DAPP_LXC:-192.168.11.58}" 80 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # MIM4U - VMID 7810 (mim-web-1) @ ${IP_MIM_WEB:-192.168.11.37} - Web Frontend serves main site and proxies /api/* to 7811
-update_proxy_host "mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "mim4u.org" "${IP_MIM_WEB:-192.168.11.37}" 80 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "www.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "www.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "www.mim4u.org" "${IP_MIM_WEB:-192.168.11.37}" 80 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "secure.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "secure.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "secure.mim4u.org" "${IP_MIM_WEB:-192.168.11.37}" 80 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
-update_proxy_host "training.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || failed_count=$((failed_count + 1))
+update_proxy_host "training.mim4u.org" "http://${IP_MIM_WEB:-192.168.11.37}:80" false && updated_count=$((updated_count + 1)) || { add_proxy_host "training.mim4u.org" "${IP_MIM_WEB:-192.168.11.37}" 80 false true && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 # Gov Portals xom-dev (VMID 7804) — public https:// at NPM (LE); upstream HTTP
 IP_GOV_PORTALS_DEV="${IP_GOV_PORTALS_DEV:-192.168.11.54}"
 update_proxy_host "dbis.xom-dev.phoenix.sankofa.nexus" "http://${IP_GOV_PORTALS_DEV}:3001" false && updated_count=$((updated_count + 1)) || { add_proxy_host "dbis.xom-dev.phoenix.sankofa.nexus" "${IP_GOV_PORTALS_DEV}" 3001 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "iccc.xom-dev.phoenix.sankofa.nexus" "http://${IP_GOV_PORTALS_DEV}:3002" false && updated_count=$((updated_count + 1)) || { add_proxy_host "iccc.xom-dev.phoenix.sankofa.nexus" "${IP_GOV_PORTALS_DEV}" 3002 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "omnl.xom-dev.phoenix.sankofa.nexus" "http://${IP_GOV_PORTALS_DEV}:3003" false && updated_count=$((updated_count + 1)) || { add_proxy_host "omnl.xom-dev.phoenix.sankofa.nexus" "${IP_GOV_PORTALS_DEV}" 3003 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 update_proxy_host "xom.xom-dev.phoenix.sankofa.nexus" "http://${IP_GOV_PORTALS_DEV}:3004" false && updated_count=$((updated_count + 1)) || { add_proxy_host "xom.xom-dev.phoenix.sankofa.nexus" "${IP_GOV_PORTALS_DEV}" 3004 false false && updated_count=$((updated_count + 1)); } || failed_count=$((failed_count + 1))
 echo ""
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
--- a/2
+++ b/2