docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates

- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/security/firewall-proxmox-8006.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Phase 2 Security: Restrict Proxmox API port 8006 to admin CIDR. Default: dry-run.
+# Usage: ./scripts/security/firewall-proxmox-8006.sh [--dry-run|--apply] [ADMIN_CIDR]
+# Example: ./scripts/security/firewall-proxmox-8006.sh --dry-run ${NETWORK_192_168_11_0:-192.168.11.0}/24
+
+set -euo pipefail
+
+DRY_RUN=true
+ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"
+for arg in "$@"; do
+  [[ "$arg" == "--apply" ]] && DRY_RUN=false
+  [[ "$arg" =~ ^[0-9].* ]] && ADMIN_CIDR="$arg"
+done
+
+echo "[Phase 2 Security] Firewall 8006 (DRY_RUN=$DRY_RUN) ADMIN_CIDR=$ADMIN_CIDR"
+if $DRY_RUN; then
+  echo "UFW: ufw allow from $ADMIN_CIDR to any port 8006; ufw deny 8006; ufw reload"
+  echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"
+  exit 0
+fi
+if command -v ufw &>/dev/null; then
+  sudo ufw allow from "$ADMIN_CIDR" to any port 8006
+  sudo ufw reload
+  echo "[OK] UFW updated for 8006."
+fi

scripts/security/run-security-on-proxmox-hosts.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Run Phase 2 security (SSH key-only, firewall 8006) on all Proxmox hosts via SSH.
+# Usage: bash scripts/security/run-security-on-proxmox-hosts.sh [--dry-run|--apply]
+# Requires: SSH as root to 192.168.11.10, .11, .12 (or PROXMOX_ML110, PROXMOX_R630_01, PROXMOX_R630_02).
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
+[ -f "$PROJECT_ROOT/.env" ] && set +u && source "$PROJECT_ROOT/.env" 2>/dev/null || true && set -u
+
+DRY_RUN=true
+[[ "${1:-}" == "--apply" ]] && DRY_RUN=false
+
+HOSTS="${PROXMOX_ML110:-192.168.11.10} ${PROXMOX_R630_01:-192.168.11.11} ${PROXMOX_R630_02:-192.168.11.12}"
+ADMIN_CIDR="${ADMIN_CIDR:-${NETWORK_192_168_11_0:-192.168.11.0}/24}"
+SSH_OPTS="-o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new"
+
+echo "[Security] Proxmox hosts: $HOSTS (DRY_RUN=$DRY_RUN)"
+for h in $HOSTS; do
+  echo "--- $h ---"
+  if $DRY_RUN; then
+    echo "  Would run: SSH key-only (disable password) + UFW allow $ADMIN_CIDR to 8006"
+    continue
+  fi
+  ssh $SSH_OPTS root@"$h" "sudo sed -i.bak 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl reload sshd 2>/dev/null || true" && echo "  SSH: password auth disabled" || echo "  SSH: skip or failed"
+  ssh $SSH_OPTS root@"$h" "command -v ufw >/dev/null && (sudo ufw allow from $ADMIN_CIDR to any port 8006; sudo ufw --force reload) || echo '  UFW not found'" && echo "  UFW: 8006 restricted to $ADMIN_CIDR" || echo "  UFW: skip or failed"
+done
+echo "Done."

scripts/security/secure-env-permissions.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Secure .env file permissions (Quick Win). Run from project root.
+# Usage: bash scripts/security/secure-env-permissions.sh [--dry-run]
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+DRY_RUN=false
+[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true
+
+cd "$PROJECT_ROOT"
+
+# Files to secure (relative to project root)
+ENV_FILES=(
+    ".env"
+    "unifi-api/.env"
+    "smom-dbis-138/.env"
+    "dbis_core/.env"
+)
+
+for f in "${ENV_FILES[@]}"; do
+    if [ -f "$f" ]; then
+        perms=$(stat -c "%a" "$f" 2>/dev/null || stat -f "%A" "$f" 2>/dev/null)
+        if [ "$perms" != "600" ]; then
+            if [[ "$DRY_RUN" == true ]]; then
+                echo "[DRY-RUN] would chmod 600 $f (current: $perms)"
+            else
+                chmod 600 "$f"
+                echo "chmod 600 $f"
+            fi
+        fi
+    fi
+done
+echo "Done. Ensure ownership: chown \$USER:\$USER .env (and other env files) if needed."

scripts/security/setup-ssh-key-auth.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# Phase 2 Security: SSH key-based auth (disable password). Default: dry-run.
+# Usage: ./scripts/security/setup-ssh-key-auth.sh [--dry-run|--apply]
+# --apply: run on LOCAL host only. For remote: ssh root@host 'sudo sed -i.bak "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config && sudo systemctl reload sshd'
+
+set -euo pipefail
+
+DRY_RUN=true
+[[ "${1:-}" == "--apply" ]] && DRY_RUN=false
+
+echo "[Phase 2 Security] SSH: disable password auth (DRY_RUN=$DRY_RUN)"
+if $DRY_RUN; then
+  echo "On each host run: sudo sed -i.bak 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl reload sshd"
+  echo "See: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Security"
+  exit 0
+fi
+if [[ -f /etc/ssh/sshd_config ]]; then
+  sudo sed -i.bak 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+  sudo systemctl reload sshd 2>/dev/null || true
+  echo "[OK] PasswordAuthentication disabled on this host."
+fi