chore: bump smom-dbis-138 (operator WIP merge, PMM JSON sync, dotenv trim)

Made-with: Cursor
chore: bump explorer-monorepo and smom-dbis-138 submodule pointers
2026-03-27 19:03:15 -07:00 · 2026-03-27 18:52:26 -07:00 · 2026-03-27 18:51:27 -07:00 · 2026-03-27 18:51:19 -07:00 · 2026-03-27 18:51:09 -07:00 · 2026-03-27 18:51:02 -07:00
1836 changed files with 20905 additions and 48168 deletions
--- a/.cursor/rules/chain138-tokens-and-pmm.mdc
+++ b/.cursor/rules/chain138-tokens-and-pmm.mdc
@@ -14,4 +14,6 @@ alwaysApply: true
 **PMM pools:** cUSDT/cUSDC `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8` | cUSDT/USDT `0xa3Ee6091696B28e5497b6F491fA1e99047250c59` | cUSDC/USDC `0x90bd9Bf18Daa26Af3e814ea224032d015db58Ea5`
 **cXAUC / cXAUT (XAU):** `0x290E52a8819A4fbD0714E517225429aA2B70EC6b`, `0x94e408E26c6FD8F4ee00b54dF19082FDA07dC96E` (6 decimals). **1 full token = 1 troy ounce Au** — not USD face value; see `EXPLORER_TOKEN_LIST_CROSSCHECK.md` section 5.1.
 **RPC (deploy):** `RPC_URL_138=http://192.168.11.211:8545`. **Deployer:** `0x4A666F96fC8764181194447A7dFdb7d471b301C8`. Add-liquidity reads tokens from the integration contract, not env. Do not use non-canonical Blockscout addresses (§2 of EXPLORER_TOKEN_LIST_CROSSCHECK).
--- a/.env.master.example
+++ b/.env.master.example
@@ -17,6 +17,8 @@ PROXMOX_TOKEN_VALUE=
 PROXMOX_ALLOW_ELEVATED=
 # --- Cloudflare ---
 # Prefer CLOUDFLARE_API_TOKEN scoped to Zone:DNS:Edit on the zones you use (avoid global Account API key when possible).
 # Bulk DNS script: scripts/update-all-dns-to-public-ip.sh — use --dry-run and --zone-only=sankofa.nexus (etc.) before wide updates.
 CLOUDFLARE_API_TOKEN=
 CLOUDFLARE_EMAIL=
 CLOUDFLARE_API_KEY=
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,9 @@ yarn.lock
 *.log
 logs/
 # NPMplus backups (backup-npmplus.sh — tarballs and extracted trees; may contain certs/DB)
 backups/npmplus/
 # OS files
 .DS_Store
 Thumbs.db
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,36 @@
 # Proxmox workspace — agent instructions
 Single canonical copy for Cursor/Codex. (If your editor also loads `.cursor/rules`, treat those as overlays.)
 ## Scope
 Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus, and deployment runbooks.
 ## Quick pointers
 | Need | Location |
 |------|-----------|
 | Doc index | `docs/MASTER_INDEX.md` |
 | cXAUC/cXAUT unit | 1 full token = 1 troy oz Au — `docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md` (section 5.1) |
 | PMM mesh 6s tick | `smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh` — `docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation) |
 | VMID / IP / FQDN | `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md` |
 | Ops template + JSON | `docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md`, `config/proxmox-operational-template.json` |
 | Live vs template (read-only SSH) | `bash scripts/verify/audit-proxmox-operational-template.sh` |
 | Config validation | `bash scripts/validation/validate-config-files.sh` |
 | smom-dbis-138 `.env` in bash scripts | Prefer `source smom-dbis-138/scripts/lib/deployment/dotenv.sh` + `load_deployment_env --repo-root "$PROJECT_ROOT"` (trims RPC URL line endings). From an interactive shell: `source smom-dbis-138/scripts/load-env.sh`. Proxmox root scripts: `source scripts/lib/load-project-env.sh` (also trims common RPC vars). |
 | Sankofa portal → CT 7801 (build + restart) | `./scripts/deployment/sync-sankofa-portal-7801.sh` (`--dry-run` first); sets `NEXTAUTH_URL` on CT via `sankofa-portal-ensure-nextauth-on-ct.sh` |
 | CCIP relay (r630-01 host) | Unit: `config/systemd/ccip-relay.service` → `/etc/systemd/system/ccip-relay.service`; `systemctl enable --now ccip-relay` |
 | TsunamiSwap VM 5010 check | `./scripts/deployment/tsunamiswap-vm-5010-provision.sh` (inventory only until VM exists) |
 | The Order portal (`https://the-order.sankofa.nexus`) | OSJ management UI (secure auth); source repo **the_order** at `~/projects/the_order`. NPM upstream defaults to **order-haproxy** CT **10210** (`IP_ORDER_HAPROXY:80`); use `THE_ORDER_UPSTREAM_*` to point at the Sankofa portal if 10210 is down. Provision HAProxy: `scripts/deployment/provision-order-haproxy-10210.sh`. **`www.the-order.sankofa.nexus`** → **301** apex (same as www.sankofa / www.phoenix). |
 | Portal login + Keycloak systemd + `.env` (prints password once) | `./scripts/deployment/enable-sankofa-portal-login-7801.sh` (`--dry-run` first) |
 | Completable (no LAN) | `./scripts/run-completable-tasks-from-anywhere.sh` |
 | Operator (LAN + secrets) | `./scripts/run-all-operator-tasks-from-lan.sh` (use `--skip-backup` if `NPM_PASSWORD` unset) |
 | Cloudflare bulk DNS → `PUBLIC_IP` | `./scripts/update-all-dns-to-public-ip.sh` — use **`--dry-run`** and **`--zone-only=sankofa.nexus`** (or `d-bis.org` / `mim4u.org` / `defi-oracle.io`) to limit scope; see script header. Prefer scoped **`CLOUDFLARE_API_TOKEN`** (see `.env.master.example`). |
 ## Rules of engagement
 - Review scripts before running; prefer `--dry-run` where supported.
 - Do not run the full operator flow when everything is healthy unless the user explicitly wants broad fixes (NPM/nginx/RPC churn).
 - Chain 138 deploy RPC: `http://192.168.11.211:8545` (Core). Read-only / non-deploy checks may use public RPC per project rules.
 Full detail: see embedded workspace rules and `docs/00-meta/OPERATOR_READY_CHECKLIST.md`.
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ This workspace contains multiple Proxmox-related projects managed as a monorepo
 - **`ProxmoxVE/`** - ProxmoxVE Helper Scripts - Collection of scripts and frontend for managing Proxmox containers and VMs
 - **`smom-dbis-138/`** - Blockchain network and services (Chain 138); **`smom-dbis-138-proxmox/`** - Deployment scripts (if present)
 - For the full submodule list and relationships, see [docs/11-references/SUBMODULE_RELATIONSHIP_MAP.md](docs/11-references/SUBMODULE_RELATIONSHIP_MAP.md)
- **Documentation:** [docs/README.md](docs/README.md) · [docs/MASTER_INDEX.md](docs/MASTER_INDEX.md) · Next steps: [docs/00-meta/NEXT_STEPS_INDEX.md](docs/00-meta/NEXT_STEPS_INDEX.md). Root status reports moved to [docs/archive/](docs/archive/README.md) (2026-02-20).
+- **Documentation:** [docs/README.md](docs/README.md) · [docs/MASTER_INDEX.md](docs/MASTER_INDEX.md) · Next steps: [docs/00-meta/NEXT_STEPS_INDEX.md](docs/00-meta/NEXT_STEPS_INDEX.md). Historical files live under `docs/archive/` on disk — inventory: [docs/00-meta/ARCHIVE_CANDIDATES.md](docs/00-meta/ARCHIVE_CANDIDATES.md) (do not treat archive paths as primary doc links).
 ## Prerequisites
--- a/2
+++ b/2
--- a/backups/npmplus/npmplus-backup-20260119_005333.tar.gz
+++ b/backups/npmplus/npmplus-backup-20260119_005333.tar.gz
--- a/backups/npmplus/npmplus-backup-20260119_012539.tar.gz
+++ b/backups/npmplus/npmplus-backup-20260119_012539.tar.gz
--- a/config/aggregator-route-matrix.csv
+++ b/config/aggregator-route-matrix.csv
@@ -0,0 +1,26 @@
 kind,routeId,status,routeType,fromChainId,toChainId,tokenInSymbol,tokenInAddress,tokenOutSymbol,tokenOutAddress,hopCount,bridgeType,bridgeAddress,aggregatorFamilies,tags,intermediateSymbols,legRefs,notesOrReason
 liveSwapRoute,138-cUSDT-cUSDC-direct,live,swap,138,138,cUSDT,0x93E66202A11B1772E55407B32B44e5Cd8eda7f22,cUSDC,0xf22258f57794CC8E06237084b353Ab30fFfa640b,1,,,1inch|0x|LiFi,stable|direct|public,,0xff8d3b8fDF7B112759F076B69f4271D4209C0849,
 liveSwapRoute,138-cUSDT-USDT-direct,live,swap,138,138,cUSDT,0x93E66202A11B1772E55407B32B44e5Cd8eda7f22,USDT,0x004b63A7B5b0E06f6bB6adb4a5F9f590BF3182D1,1,,,1inch|0x|LiFi,stable|official-mirror|public,,0x6fc60DEDc92a2047062294488539992710b99D71,
 liveSwapRoute,138-cUSDC-USDC-direct,live,swap,138,138,cUSDC,0xf22258f57794CC8E06237084b353Ab30fFfa640b,USDC,0x71D6687F38b93CCad569Fa6352c876eea967201b,1,,,1inch|0x|LiFi,stable|official-mirror|public,,0x0309178ae30302D83c76d6Dd402a684eF3160eec,
 liveSwapRoute,138-cUSDT-cXAUC-direct,live,swap,138,138,cUSDT,0x93E66202A11B1772E55407B32B44e5Cd8eda7f22,cXAUC,0x290E52a8819A4fbD0714E517225429aA2B70EC6b,1,,,1inch|0x|LiFi,xau-hub|public,,0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0,
 liveSwapRoute,138-cUSDC-cXAUC-direct,live,swap,138,138,cUSDC,0xf22258f57794CC8E06237084b353Ab30fFfa640b,cXAUC,0x290E52a8819A4fbD0714E517225429aA2B70EC6b,1,,,1inch|0x|LiFi,xau-hub|public,,0xEA9Ac6357CaCB42a83b9082B870610363B177cBa,
 liveSwapRoute,138-cEURT-cXAUC-direct,live,swap,138,138,cEURT,0xdf4b71c61E5912712C1Bdd451416B9aC26949d72,cXAUC,0x290E52a8819A4fbD0714E517225429aA2B70EC6b,1,,,1inch|0x|LiFi,xau-hub|public,,0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf,
 liveSwapRoute,138-cEURT-cUSDT-via-cXAUC,live,swap,138,138,cEURT,0xdf4b71c61E5912712C1Bdd451416B9aC26949d72,cUSDT,0x93E66202A11B1772E55407B32B44e5Cd8eda7f22,2,,,1inch|0x|LiFi,multihop|xau-hub|public,cXAUC,0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf|0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0,Inferred from two live public pools.
 liveSwapRoute,138-cEURT-cUSDC-via-cXAUC,live,swap,138,138,cEURT,0xdf4b71c61E5912712C1Bdd451416B9aC26949d72,cUSDC,0xf22258f57794CC8E06237084b353Ab30fFfa640b,2,,,1inch|0x|LiFi,multihop|xau-hub|public,cXAUC,0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf|0xEA9Ac6357CaCB42a83b9082B870610363B177cBa,Inferred from two live public pools.
 liveSwapRoute,138-cUSDT-cUSDC-via-cXAUC,live,swap,138,138,cUSDT,0x93E66202A11B1772E55407B32B44e5Cd8eda7f22,cUSDC,0xf22258f57794CC8E06237084b353Ab30fFfa640b,2,,,1inch|0x|LiFi,multihop|xau-hub|public|alternate,cXAUC,0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0|0xEA9Ac6357CaCB42a83b9082B870610363B177cBa,Alternate path to the deeper direct cUSDT/cUSDC pool.
 liveBridgeRoute,138-WETH-1-ccip,live,bridge,138,1,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-56-ccip,live,bridge,138,56,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-137-ccip,live,bridge,138,137,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-10-ccip,live,bridge,138,10,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-42161-ccip,live,bridge,138,42161,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-43114-ccip,live,bridge,138,43114,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-8453-ccip,live,bridge,138,8453,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-100-ccip,live,bridge,138,100,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-25-ccip,live,bridge,138,25,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-42220-ccip,live,bridge,138,42220,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,CCIP,0xcacfd227A040002e49e2e01626363071324f820a,LiFi,,,,
 liveBridgeRoute,138-WETH-651940-alltra,live,bridge,138,651940,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,WETH,0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2,,ALT,0x66FEBA2fC9a0B47F26DD4284DAd24F970436B8Dc,LiFi,,,,
 liveBridgeRoute,138-WETH10-1-ccip,live,bridge,138,1,WETH10,0xf4BB2e28688e89fCcE3c0580D37d36A7672E8A9f,WETH10,0xf4BB2e28688e89fCcE3c0580D37d36A7672E8A9f,,CCIP,0xe0E93247376aa097dB308B92e6Ba36bA015535D0,LiFi,,,,
 blockedOrPlannedRoute,138-compliant-stable-to-weth-bridgeable,blocked,swap-bridge-swap,138,1,cUSDT|cUSDC|cEURT,,,,,,,,,,,"No live public cUSDT/WETH, cUSDC/WETH, or cEURT/WETH pool on Chain 138."
 blockedOrPlannedRoute,651940-public-dex-routes,planned,swap,651940,651940,,,,,,,,,,,,Uniswap V2/V3 and DODO are env placeholders only; no pool addresses are documented in-repo.
 blockedOrPlannedRoute,cw-edge-pools-public-chains,planned,swap,1,43114,,,,,,,,,,,,"cW* token addresses exist on several public chains, but deployment-status.json contains no PMM pools."
 blockedOrPlannedRoute,138-weth-1111-ccip,planned,bridge,138,1111,,,,,,,,,,,,Wemix bridge is pending funding and deployment.
--- a/config/aggregator-route-matrix.json
+++ b/config/aggregator-route-matrix.json
@@ -0,0 +1,678 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "description": "Canonical route matrix for 1inch/0x/LiFi-style adapter ingestion. Captures live Chain 138 public DEX routes, live bridge lanes, and planned-but-not-live routes that should be filtered out by executors.",
  "version": "1.0.0",
  "updated": "2026-03-27",
  "homeChainId": 138,
  "metadata": {
    "generatedFrom": [
      "docs/11-references/LIQUIDITY_POOLS_MASTER_MAP.md",
      "docs/11-references/DEPLOYED_TOKENS_BRIDGES_LPS_AND_ROUTING_STATUS.md",
      "config/routing-registry.json",
      "config/token-mapping-multichain.json",
      "cross-chain-pmm-lps/config/deployment-status.json"
    ],
    "verification": {
      "verifiedAt": "2026-03-27",
      "verifiedBy": "scripts/verify/check-pmm-pool-balances-chain138.sh",
      "rpc": "http://192.168.11.211:8545"
    },
    "adapterNotes": [
      "Executors should ingest only entries with status=live.",
      "Entries with status=planned or blocked are included to make missing routes explicit and prevent false discovery.",
      "Chain 138 has live DODO PMM pools but no native 1inch/0x support in this repo; adapter layers must map these routes into their own quote/execution abstractions."
    ]
  },
  "chains": {
    "138": {
      "name": "SMOM-DBIS-138 (DeFi Oracle Meta)",
      "rpc": "https://rpc-core.d-bis.org",
      "nativeDexes": [
        {
          "dexId": "dodo_pmm_chain138",
          "type": "dodo_pmm",
          "integrationAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "providerAddress": "0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381",
          "status": "live"
        }
      ]
    },
    "651940": {
      "name": "ALL Mainnet (Alltra)",
      "nativeDexes": [
        {
          "dexId": "allmainnet_uniswap_v2",
          "type": "uniswap_v2",
          "status": "planned"
        },
        {
          "dexId": "allmainnet_uniswap_v3",
          "type": "uniswap_v3",
          "status": "planned"
        },
        {
          "dexId": "allmainnet_dodo",
          "type": "dodo_pmm",
          "status": "planned"
        }
      ]
    }
  },
  "tokens": {
    "138": {
      "cUSDT": {
        "address": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
        "decimals": 6
      },
      "cUSDC": {
        "address": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
        "decimals": 6
      },
      "USDT": {
        "address": "0x004b63A7B5b0E06f6bB6adb4a5F9f590BF3182D1",
        "decimals": 6
      },
      "USDC": {
        "address": "0x71D6687F38b93CCad569Fa6352c876eea967201b",
        "decimals": 6
      },
      "cXAUC": {
        "address": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
        "decimals": 6
      },
      "cEURT": {
        "address": "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72",
        "decimals": 6
      },
      "WETH": {
        "address": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
        "decimals": 18
      },
      "WETH10": {
        "address": "0xf4BB2e28688e89fCcE3c0580D37d36A7672E8A9f",
        "decimals": 18
      }
    }
  },
  "liveSwapRoutes": [
    {
      "routeId": "138-cUSDT-cUSDC-direct",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cUSDT",
      "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
      "tokenOutSymbol": "cUSDC",
      "tokenOutAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
      "routeType": "swap",
      "hopCount": 1,
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executor": "DODOPMMIntegration",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0xff8d3b8fDF7B112759F076B69f4271D4209C0849",
          "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
          "tokenOutAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
          "reserves": {
            "cUSDT": "10000000.000000",
            "cUSDC": "10000000.000000"
          }
        }
      ],
      "tags": [
        "stable",
        "direct",
        "public"
      ]
    },
    {
      "routeId": "138-cUSDT-USDT-direct",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cUSDT",
      "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
      "tokenOutSymbol": "USDT",
      "tokenOutAddress": "0x004b63A7B5b0E06f6bB6adb4a5F9f590BF3182D1",
      "routeType": "swap",
      "hopCount": 1,
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executor": "DODOPMMIntegration",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0x6fc60DEDc92a2047062294488539992710b99D71",
          "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
          "tokenOutAddress": "0x004b63A7B5b0E06f6bB6adb4a5F9f590BF3182D1",
          "reserves": {
            "cUSDT": "10000000.000000",
            "USDT": "10000000.000000"
          }
        }
      ],
      "tags": [
        "stable",
        "official-mirror",
        "public"
      ]
    },
    {
      "routeId": "138-cUSDC-USDC-direct",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cUSDC",
      "tokenInAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
      "tokenOutSymbol": "USDC",
      "tokenOutAddress": "0x71D6687F38b93CCad569Fa6352c876eea967201b",
      "routeType": "swap",
      "hopCount": 1,
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executor": "DODOPMMIntegration",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0x0309178ae30302D83c76d6Dd402a684eF3160eec",
          "tokenInAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
          "tokenOutAddress": "0x71D6687F38b93CCad569Fa6352c876eea967201b",
          "reserves": {
            "cUSDC": "10000000.000000",
            "USDC": "10000000.000000"
          }
        }
      ],
      "tags": [
        "stable",
        "official-mirror",
        "public"
      ]
    },
    {
      "routeId": "138-cUSDT-cXAUC-direct",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cUSDT",
      "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
      "tokenOutSymbol": "cXAUC",
      "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
      "routeType": "swap",
      "hopCount": 1,
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executor": "DODOPMMIntegration",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0",
          "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
          "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
          "reserves": {
            "cUSDT": "2666965.000000",
            "cXAUC": "519.477000"
          }
        }
      ],
      "tags": [
        "xau-hub",
        "public"
      ]
    },
    {
      "routeId": "138-cUSDC-cXAUC-direct",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cUSDC",
      "tokenInAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
      "tokenOutSymbol": "cXAUC",
      "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
      "routeType": "swap",
      "hopCount": 1,
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executor": "DODOPMMIntegration",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0xEA9Ac6357CaCB42a83b9082B870610363B177cBa",
          "tokenInAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
          "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
          "reserves": {
            "cUSDC": "1000000.000000",
            "cXAUC": "194.782554"
          }
        }
      ],
      "tags": [
        "xau-hub",
        "public"
      ]
    },
    {
      "routeId": "138-cEURT-cXAUC-direct",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cEURT",
      "tokenInAddress": "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72",
      "tokenOutSymbol": "cXAUC",
      "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
      "routeType": "swap",
      "hopCount": 1,
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executor": "DODOPMMIntegration",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf",
          "tokenInAddress": "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72",
          "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
          "reserves": {
            "cEURT": "1000000.000000",
            "cXAUC": "225.577676"
          }
        }
      ],
      "tags": [
        "xau-hub",
        "public"
      ]
    },
    {
      "routeId": "138-cEURT-cUSDT-via-cXAUC",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cEURT",
      "tokenInAddress": "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72",
      "tokenOutSymbol": "cUSDT",
      "tokenOutAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
      "routeType": "swap",
      "hopCount": 2,
      "intermediateSymbols": [
        "cXAUC"
      ],
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf",
          "tokenInAddress": "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72",
          "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b"
        },
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0",
          "tokenInAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
          "tokenOutAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22"
        }
      ],
      "tags": [
        "multihop",
        "xau-hub",
        "public"
      ],
      "notes": [
        "Inferred from two live public pools."
      ]
    },
    {
      "routeId": "138-cEURT-cUSDC-via-cXAUC",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cEURT",
      "tokenInAddress": "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72",
      "tokenOutSymbol": "cUSDC",
      "tokenOutAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
      "routeType": "swap",
      "hopCount": 2,
      "intermediateSymbols": [
        "cXAUC"
      ],
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf",
          "tokenInAddress": "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72",
          "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b"
        },
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0xEA9Ac6357CaCB42a83b9082B870610363B177cBa",
          "tokenInAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
          "tokenOutAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b"
        }
      ],
      "tags": [
        "multihop",
        "xau-hub",
        "public"
      ],
      "notes": [
        "Inferred from two live public pools."
      ]
    },
    {
      "routeId": "138-cUSDT-cUSDC-via-cXAUC",
      "status": "live",
      "aggregatorFamilies": [
        "1inch",
        "0x",
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 138,
      "tokenInSymbol": "cUSDT",
      "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
      "tokenOutSymbol": "cUSDC",
      "tokenOutAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b",
      "routeType": "swap",
      "hopCount": 2,
      "intermediateSymbols": [
        "cXAUC"
      ],
      "legs": [
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0",
          "tokenInAddress": "0x93E66202A11B1772E55407B32B44e5Cd8eda7f22",
          "tokenOutAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b"
        },
        {
          "kind": "swap",
          "protocol": "dodo_pmm",
          "executorAddress": "0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d",
          "poolAddress": "0xEA9Ac6357CaCB42a83b9082B870610363B177cBa",
          "tokenInAddress": "0x290E52a8819A4fbD0714E517225429aA2B70EC6b",
          "tokenOutAddress": "0xf22258f57794CC8E06237084b353Ab30fFfa640b"
        }
      ],
      "tags": [
        "multihop",
        "xau-hub",
        "public",
        "alternate"
      ],
      "notes": [
        "Alternate path to the deeper direct cUSDT/cUSDC pool."
      ]
    }
  ],
  "liveBridgeRoutes": [
    {
      "routeId": "138-WETH-1-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 1,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-56-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 56,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-137-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 137,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-10-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 10,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-42161-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 42161,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-43114-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 43114,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-8453-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 8453,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-100-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 100,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-25-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 25,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-42220-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 42220,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xcacfd227A040002e49e2e01626363071324f820a",
      "label": "CCIPWETH9Bridge"
    },
    {
      "routeId": "138-WETH-651940-alltra",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 651940,
      "assetSymbol": "WETH",
      "assetAddress": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "routeType": "bridge",
      "bridgeType": "ALT",
      "bridgeAddress": "0x66FEBA2fC9a0B47F26DD4284DAd24F970436B8Dc",
      "label": "AlltraAdapter"
    },
    {
      "routeId": "138-WETH10-1-ccip",
      "status": "live",
      "aggregatorFamilies": [
        "LiFi"
      ],
      "fromChainId": 138,
      "toChainId": 1,
      "assetSymbol": "WETH10",
      "assetAddress": "0xf4BB2e28688e89fCcE3c0580D37d36A7672E8A9f",
      "routeType": "bridge",
      "bridgeType": "CCIP",
      "bridgeAddress": "0xe0E93247376aa097dB308B92e6Ba36bA015535D0",
      "label": "CCIPWETH10Bridge"
    }
  ],
  "blockedOrPlannedRoutes": [
    {
      "routeId": "138-compliant-stable-to-weth-bridgeable",
      "status": "blocked",
      "fromChainId": 138,
      "toChainId": 1,
      "tokenInSymbols": [
        "cUSDT",
        "cUSDC",
        "cEURT"
      ],
      "routeType": "swap-bridge-swap",
      "reason": "No live public cUSDT/WETH, cUSDC/WETH, or cEURT/WETH pool on Chain 138."
    },
    {
      "routeId": "651940-public-dex-routes",
      "status": "planned",
      "fromChainId": 651940,
      "toChainId": 651940,
      "routeType": "swap",
      "reason": "Uniswap V2/V3 and DODO are env placeholders only; no pool addresses are documented in-repo."
    },
    {
      "routeId": "cw-edge-pools-public-chains",
      "status": "planned",
      "fromChainId": 1,
      "toChainId": 43114,
      "routeType": "swap",
      "reason": "cW* token addresses exist on several public chains, but deployment-status.json contains no PMM pools."
    },
    {
      "routeId": "138-weth-1111-ccip",
      "status": "planned",
      "fromChainId": 138,
      "toChainId": 1111,
      "routeType": "bridge",
      "reason": "Wemix bridge is pending funding and deployment."
    }
  ]
 }
--- a/config/haproxy/order-haproxy-10210.cfg.template
+++ b/config/haproxy/order-haproxy-10210.cfg.template
@@ -0,0 +1,27 @@
 # HAProxy on VMID 10210 (order-haproxy @ 192.168.11.39).
 # NPMplus terminates TLS and forwards HTTP to :80 here; we proxy to the Sankofa/Order Next.js portal.
 # Deploy: scripts/deployment/provision-order-haproxy-10210.sh (substitutes __BACKEND_HOST__ / __BACKEND_PORT__).
 global
    log stdout format raw local0
    maxconn 4096
 defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  forwardfor
    timeout connect 10s
    timeout client  300s
    timeout server  300s
    timeout tunnel  3600s
 frontend fe_http
    bind *:80
    # Client used HTTPS at NPM; help Next.js / auth callbacks
    http-request set-header X-Forwarded-Proto https if !{ hdr(X-Forwarded-Proto) -m found }
    default_backend be_portal
 backend be_portal
    server portal __BACKEND_HOST__:__BACKEND_PORT__ check inter 10s fall 3 rise 2 maxconn 1000
--- a/config/ip-addresses.conf
+++ b/config/ip-addresses.conf
@@ -85,12 +85,13 @@ IP_VAULT_PHOENIX_2="192.168.11.201"
 # Order Service IPs
 ORDER_POSTGRES_PRIMARY="192.168.11.44"
 ORDER_POSTGRES_REPLICA="192.168.11.45"
 # Dedicated order-redis LXC (e.g. VMID 10020) not present on cluster as of 2026-03; reserve for scripts / future CT
 ORDER_REDIS_IP="192.168.11.38"
 # DBIS Service IPs
 DBIS_POSTGRES_PRIMARY="192.168.11.105"
 DBIS_POSTGRES_REPLICA="192.168.11.106"
-DBIS_REDIS_IP="192.168.11.120"
+DBIS_REDIS_IP="192.168.11.125"
 # Load this file in scripts:
 # source "$(dirname "$0")/../config/ip-addresses.conf"
@@ -133,7 +134,9 @@ NETWORK_192_168_11_0="192.168.11.0"
 IP_INDY="192.168.11.68"
 IP_FABRIC="192.168.11.65"
 IP_CACTI="192.168.11.64"
-ORDER_REDIS_REPLICA="192.168.11.46"
+# VMID 10200 order-prometheus (NOT Redis). Legacy scripts use ORDER_REDIS_REPLICA for this IP — prefer IP_ORDER_PROMETHEUS.
 IP_ORDER_PROMETHEUS="192.168.11.46"
 ORDER_REDIS_REPLICA="${IP_ORDER_PROMETHEUS}"
 # VMIDs 2506, 2507, 2508 destroyed 2026-02-08; IPs freed for reuse
 RPC_PUTU_1="192.168.11.203"
 RPC_PUTU_2="192.168.11.204"
@@ -166,9 +169,21 @@ PUBLIC_IP_MIFOS="76.53.10.41"
 # DApp LXC (VMID 5801) — frontend-dapp for Chain 138 bridge. See docs/03-deployment/DAPP_LXC_DEPLOYMENT.md; E2E: tunnel + NPMplus dapp.d-bis.org
 IP_DAPP_LXC="192.168.11.58"
 # Phoenix / Sankofa public edge (NPMplus → CT 7800 API, 7801 portal). Legacy scripts use IP_SERVICE_50 / IP_SERVICE_51.
 # SolaceScanScout / Blockscout is IP_BLOCKSCOUT:80 — do NOT point sankofa.nexus or phoenix.sankofa.nexus there.
 IP_SERVICE_50="${IP_SERVICE_50:-192.168.11.50}"
 IP_SERVICE_51="${IP_SERVICE_51:-192.168.11.51}"
 SANKOFA_PHOENIX_API_PORT="${SANKOFA_PHOENIX_API_PORT:-4000}"
 SANKOFA_PORTAL_PORT="${SANKOFA_PORTAL_PORT:-3000}"
 IP_SANKOFA_PHOENIX_API="${IP_SANKOFA_PHOENIX_API:-$IP_SERVICE_50}"
 IP_SANKOFA_PORTAL="${IP_SANKOFA_PORTAL:-$IP_SERVICE_51}"
 # Gov Portals dev (VMID 7804) — DBIS, ICCC, OMNL, XOM at *.xom-dev.phoenix.sankofa.nexus
 IP_GOV_PORTALS_DEV="192.168.11.54"
 # Order legal (VMID 10070) — **not** .54 (that is exclusive to VMID 7804 gov-portals). Fixed duplicate ARP 2026-03-25.
 IP_ORDER_LEGAL="192.168.11.87"
 # Sankofa Studio (VMID 7805) — FusionAI Creator / Phoenix Marketplace SaaS at studio.sankofa.nexus
 # Note: 192.168.11.55 is used by VMID 10230 (order-vault); .72 chosen to avoid conflict.
 IP_SANKOFA_STUDIO="192.168.11.72"
--- a/config/proxmox-operational-template.json
+++ b/config/proxmox-operational-template.json
--- a/config/public-sector-program-manifest.json
+++ b/config/public-sector-program-manifest.json
@@ -0,0 +1,75 @@
 {
  "schemaVersion": "1.0.0",
  "updated": "2026-03-25",
  "description": "Registry of public-sector and eIDAS-related programs outside or beside proxmox; used by runbooks and docs. Verify repoUrl on Gitea if a repo is renamed. Unauthenticated HTTP to gitea.d-bis.org may return 404 for private or missing repos — confirm in Gitea UI or with credentials.",
  "programs": [
    {
      "id": "smoa",
      "displayName": "Secure Mobile Operations Application (SMOA)",
      "role": "Android credential-holder / mission client; Spring Boot backend",
      "repoUrl": "https://gitea.d-bis.org/Sankofa_Phoenix/SMOA.git",
      "localPathHint": "../smoa",
      "proxmoxDocRefs": [
        "docs/02-architecture/SERVICE_DESCRIPTIONS.md",
        "docs/02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md"
      ],
      "externalDocRefs": [
        "backend/docs/LXC-PROXMOX-CONTAINERS.md",
        "docs/compliance/evidence/eidas-compliance-evidence.md"
      ]
    },
    {
      "id": "complete-credential",
      "displayName": "Complete Credential (umbrella program)",
      "role": "eIDAS / SMOA / credential integration program documentation and services",
      "repoUrl": "https://gitea.d-bis.org/Sankofa_Phoenix/complete-credential.git",
      "localPathHint": "../complete-credential",
      "proxmoxDocRefs": [
        "docs/11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md"
      ],
      "externalDocRefs": []
    },
    {
      "id": "cc-eidas-connector",
      "displayName": "eIDAS SAML connector (receiving MS)",
      "role": "SAML ACS / connector implementation (E-05 / E-05b roadmap)",
      "repoUrl": "https://gitea.d-bis.org/Sankofa_Phoenix/cc-eidas-connector.git",
      "localPathHint": "../complete-credential/submodules/cc-eidas-connector",
      "proxmoxDocRefs": [
        "docs/11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md"
      ],
      "externalDocRefs": [
        "docs/E05B_SAML_VERIFICATION_ROADMAP.md"
      ]
    }
  ],
  "catalogSkus": [
    {
      "id": "cc-phase1-lab",
      "displayName": "Complete Credential Phase 1 lab (compose)",
      "programManifestId": "complete-credential",
      "deploymentProfile": "A",
      "artifactKind": "compose_profile",
      "artifactRef": "integration/docker-compose.phase1.yml",
      "specRef": "complete-credential/docs/integrations/PHOENIX_SERVICE_CATALOG_SPEC.md"
    },
    {
      "id": "cc-phase2-lab",
      "displayName": "Complete Credential Phase 2 lab (NFC + device-registry stubs + Phase 1)",
      "programManifestId": "complete-credential",
      "deploymentProfile": "A",
      "artifactKind": "compose_profile",
      "artifactRef": "integration/docker-compose.phase1.yml + integration/docker-compose.phase2.lab.yml",
      "specRef": "complete-credential/docs/integrations/PHOENIX_SERVICE_CATALOG_SPEC.md"
    },
    {
      "id": "cc-eidas-connector-stack",
      "displayName": "eIDAS connector (reference submodule)",
      "programManifestId": "cc-eidas-connector",
      "deploymentProfile": "B",
      "artifactKind": "manual_runbook",
      "artifactRef": "complete-credential/docs/integrations/EIDAS_CONNECTOR_DEPTH_RUNBOOK.md",
      "specRef": "complete-credential/docs/integrations/PHOENIX_SERVICE_CATALOG_SPEC.md"
    }
  ]
 }
--- a/config/systemd/ccip-relay.service
+++ b/config/systemd/ccip-relay.service
@@ -0,0 +1,23 @@
 # Install on Proxmox host (e.g. r630-01) where /opt/smom-dbis-138/services/relay exists:
 #   sudo cp config/systemd/ccip-relay.service /etc/systemd/system/ccip-relay.service
 #   sudo systemctl daemon-reload && sudo systemctl enable --now ccip-relay
 #
 # Uses start-relay.sh (loads parent .env and relay/.env.local).
 [Unit]
 Description=CCIP relay service (Chain 138 to Mainnet)
 After=network-online.target
 Wants=network-online.target
 [Service]
 Type=simple
 User=root
 WorkingDirectory=/opt/smom-dbis-138/services/relay
 ExecStart=/bin/bash /opt/smom-dbis-138/services/relay/start-relay.sh
 Restart=on-failure
 RestartSec=15
 StartLimitIntervalSec=300
 StartLimitBurst=5
 [Install]
 WantedBy=multi-user.target
--- a/config/systemd/chain138-pmm-mesh-automation.service.example
+++ b/config/systemd/chain138-pmm-mesh-automation.service.example
@@ -0,0 +1,33 @@
 # Copy to /etc/systemd/system/chain138-pmm-mesh-automation.service (or ~/.config/systemd/user/)
 # Adjust paths and EnvironmentFile to your host.
 #
 # sudo cp chain138-pmm-mesh-automation.service.example /etc/systemd/system/chain138-pmm-mesh-automation.service
 # sudo systemctl daemon-reload
 # sudo systemctl enable --now chain138-pmm-mesh-automation.service
 # journalctl -u chain138-pmm-mesh-automation -f
 [Unit]
 Description=Chain 138 PMM mesh — oracle/keeper/WETH poll every 6s
 After=network-online.target
 Wants=network-online.target
 [Service]
 Type=simple
 User=YOUR_UNIX_USER
 WorkingDirectory=/ABSOLUTE/PATH/TO/proxmox/smom-dbis-138
 Environment=PMM_MESH_INTERVAL_SEC=6
 Environment=MESH_CAST_GAS_PRICE=2gwei
 # Set to 0 until ETH-USD oracle allows your key as transmitter (see update-oracle-price.sh output).
 Environment=ENABLE_MESH_ORACLE_TICK=1
 Environment=ENABLE_MESH_KEEPER_TICK=1
 Environment=ENABLE_MESH_PMM_READS=1
 Environment=ENABLE_MESH_WETH_READS=1
 # Prefer EnvironmentFile over committing secrets:
 EnvironmentFile=-/ABSOLUTE/PATH/TO/proxmox/smom-dbis-138/.env
 # Required in .env: PRIVATE_KEY, AGGREGATOR_ADDRESS; recommended: PRICE_FEED_KEEPER_ADDRESS (see ORACLE_AND_KEEPER_CHAIN138.md)
 ExecStart=/bin/bash /ABSOLUTE/PATH/TO/proxmox/smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh
 Restart=always
 RestartSec=3
 [Install]
 WantedBy=multi-user.target
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/docs/00-meta/ALL_RECOMMENDATIONS_AND_IMPROVEMENTS_LIST.md
+++ b/docs/00-meta/ALL_RECOMMENDATIONS_AND_IMPROVEMENTS_LIST.md
@@ -270,7 +270,7 @@
 | R18 | Ensure Blockscout (VMID 5000) is up and /api reachable | Health checks |
 | R19 | Run forge test before deploying; integration tests where available | Pre-deploy |
 | R20 | NatSpec on public contract functions | Code quality |
-| R21 | When The Order deployed: NPMplus proxy host; document in RPC_ENDPOINTS_MASTER | Sankofa/The Order go-live |
+| R21 | **Done 2026-03:** NPMplus Order via 10210; documented in RPC_ENDPOINTS_MASTER, ALL_VMIDS | Complete |
 | R22 | Document or configure blocks #2–#6 in NETWORK_ARCHITECTURE | When decided |
 | R23 | Scripts: progress indicators; --dry-run; config validation | Script updates |
 | R24 | Keep config/token-mapping.json as single source of truth for 138↔Mainnet | Adding tokens |
@@ -299,8 +299,8 @@
 | Item | Recommendation |
 |------|----------------|
-| the-order.sankofa.nexus | When The Order portal deployed: add NPMplus proxy host; document in RPC_ENDPOINTS_MASTER, ALL_VMIDS_ENDPOINTS |
+| the-order.sankofa.nexus | **Live:** NPM → `192.168.11.39:80` (10210 → portal :3000) |
-| Sankofa cutover plan | Replace &lt;TARGET_IP&gt;, &lt;TARGET_PORT&gt;, TBDs with actual IPs/ports when deployed |
+| Sankofa cutover plan | **Updated** v1.1 (2026-03-27); legacy API snippets may still use &lt;TARGET_*&gt; |
 | sankofa.nexus / phoenix routing | Ensure NPMplus proxy targets 192.168.11.51:3000 and 192.168.11.50:4000 per master docs; only explorer.d-bis.org → 192.168.11.140 |
 | Public blocks #2–#6 | Document in NETWORK_ARCHITECTURE / NETWORK_CONFIGURATION_MASTER when assigned or mark reserved |
--- a/docs/00-meta/ALL_RECOMMENDATIONS_HIGH_PRIORITY.md
+++ b/docs/00-meta/ALL_RECOMMENDATIONS_HIGH_PRIORITY.md
@@ -125,7 +125,7 @@ Full operator actions: **[RECOMMENDATIONS_OPERATOR_CHECKLIST.md](RECOMMENDATIONS
 | R8–R11 | RPC_URL_138; GAS_PRICE on 138; phased deploy; nonce/tx stuck runbooks |
 | R12–R16 | Keep runbooks in sync; document addresses per chain; run verification after deploy; env per env |
 | R17–R20 | Monitor bridges; Blockscout up; forge test pre-deploy; NatSpec |
-| R21–R24 | The Order NPMplus; blocks #2–#6; script progress/dry-run/validation; token-mapping.json source of truth |
+| R21–R24 | **R21 done 2026-03** (Order NPM/10210); R22 blocks #2–#6; R23 script UX/validation; R24 token-mapping.json |
 ---
--- a/docs/00-meta/ALL_RECOMMENDATIONS_OPERATOR_ONLY.md
+++ b/docs/00-meta/ALL_RECOMMENDATIONS_OPERATOR_ONLY.md
@@ -96,9 +96,9 @@
 | # | Action | When |
 |---|--------|------|
-| R21 | The Order / Sankofa NPMplus proxy host | When The Order portal deployed: add proxy; document in RPC_ENDPOINTS_MASTER, ALL_VMIDS_ENDPOINTS |
+| R21 | The Order / Sankofa NPMplus | **Done 2026-03** — Order → 10210 `.39:80`; see ALL_VMIDS, RPC_ENDPOINTS_MASTER |
 | R22 | Document or configure blocks #2–#6 in NETWORK_ARCHITECTURE | When decided |
-| Sankofa cutover | Replace &lt;TARGET_IP&gt;, &lt;TARGET_PORT&gt;, TBDs in SANKOFA_CUTOVER_PLAN | When deployed |
+| Sankofa cutover | **Done** — SANKOFA_CUTOVER_PLAN v1.1; fleet script `update-npmplus-proxy-hosts-api.sh` |
 | 75–81 | VLAN enablement, observability stack, CCIP fleet, sovereign tenants, missing containers | Per NEXT_STEPS_MASTER and deployment phases |
 ---
--- a/docs/00-meta/ARCHIVE_CANDIDATES.md
+++ b/docs/00-meta/ARCHIVE_CANDIDATES.md
@@ -39,11 +39,11 @@
 **Last consolidation run:** 2026-02-05. Moved 32 files from `docs/00-meta/` to `docs/archive/00-meta-status/`. See `docs/archive/00-meta-status/` for the list.
-**2026-02-08 prune/archive:** Superseded 05-network docs → `archive/05-network-superseded/` (stubs in 05-network). **Batch 1:** 10 redundant 00-meta docs → `archive/00-meta-pruned/`. **Batch 2:** 17 planning/script/audit docs (DEPLOYMENT_MASTER_DOC_PLAN, script reduction/audit set, migration/framework set, BREAKING_CHANGES, TODOS_COMPLETION_SUMMARY, etc.) → `archive/00-meta-pruned/`. See `archive/00-meta-pruned/README.md` and `archive/05-network-superseded/README.md`.
+**2026-02-08 prune/archive:** Superseded 05-network docs → `docs/archive/05-network-superseded/` (stubs in `docs/05-network/`). **Batch 1:** 10 redundant 00-meta docs → `docs/archive/00-meta-pruned/`. **Batch 2:** 17 planning/script/audit docs → `docs/archive/00-meta-pruned/`.
 **2026-02-16:** **Batch 3:** 3 Blitzkrieg dated exports (Blitzkrieg_Super_Pro_Max_Plan_2026-02-13.md, .txt, .json) → `archive/00-meta-pruned/`. Canonical plan remains `00-meta/BLITZKRIEG_SUPER_PRO_MAX_MASTER_PLAN.md`. **Note:** `DOCUMENTATION_FIXES_COMPLETE.md` does not exist; completed fixes are in [DOCUMENTATION_FIX_TASK_LIST.md](DOCUMENTATION_FIX_TASK_LIST.md).
-**2026-02-20:** **Batch 4:** 12 one-off/dated docs from 00-meta → `archive/00-meta-pruned/`: COMPLETION_STATUS_20260215, MASTER_DOCUMENTATION_REVIEW_20260205, DOCUMENTATION_REVIEW_20260216, DOCUMENTATION_REVIEW_CONTINUED_20260216, COMPREHENSIVE_DOCUMENTATION_REVIEW_2026-01-31, DOCUMENTATION_UPGRADE_SUMMARY, DOCUMENTATION_REVIEW, DOCUMENTATION_METRICS, DOCUMENTATION_RELATIONSHIP_MAP (duplicate of DOCUMENT_RELATIONSHIP_MAP), JNA_WHY_NOT_WORKING_REVIEW, VMID_2101_CHANGES_AND_FAILURES, COMPREHENSIVE_PROJECT_REVIEW. **Batch 5:** CONTINUE_AND_COMPLETE, FULL_PARALLEL_RUN_LOG → 00-meta-pruned. **Root cleanup:** ALL_TASKS_COMPLETE → archive/root-status-reports; 40+ root status/temp files + screenshots → [archive/root-cleanup-20260220/](../archive/root-cleanup-20260220/README.md). fix-wsl-ip.sh → scripts/. **Added:** DOCUMENTATION_CONSOLIDATION_PLAN, NEXT_STEPS_INDEX. See archive/00-meta-pruned/README.md Batches 4–5.
+**2026-02-20:** **Batch 4:** 12 one-off/dated docs from 00-meta → `docs/archive/00-meta-pruned/`: COMPLETION_STATUS_20260215, MASTER_DOCUMENTATION_REVIEW_20260205, DOCUMENTATION_REVIEW_20260216, DOCUMENTATION_REVIEW_CONTINUED_20260216, COMPREHENSIVE_DOCUMENTATION_REVIEW_2026-01-31, DOCUMENTATION_UPGRADE_SUMMARY, DOCUMENTATION_REVIEW, DOCUMENTATION_METRICS, DOCUMENTATION_RELATIONSHIP_MAP (duplicate of DOCUMENT_RELATIONSHIP_MAP), JNA_WHY_NOT_WORKING_REVIEW, VMID_2101_CHANGES_AND_FAILURES, COMPREHENSIVE_PROJECT_REVIEW. **Batch 5:** CONTINUE_AND_COMPLETE, FULL_PARALLEL_RUN_LOG → `docs/archive/00-meta-pruned/`. **Root cleanup:** ALL_TASKS_COMPLETE → `docs/archive/root-status-reports/`; 40+ root status/temp files + screenshots → `docs/archive/root-cleanup-20260220/`. fix-wsl-ip.sh → `scripts/fix-wsl-ip.sh`. **Added:** DOCUMENTATION_CONSOLIDATION_PLAN, NEXT_STEPS_INDEX.
 **2026-03-02:** Review only. docs/MASTER_INDEX.md and docs/README.md created; RUNBOOKS_MASTER_INDEX.md added (redirect). Deprecated list in MASTER_INDEX. ALL_IMPROVEMENTS_AND_GAPS_INDEX remains as redirect; canonical = ALL_RECOMMENDATIONS_AND_IMPROVEMENTS_LIST.
--- a/docs/00-meta/BLITZKRIEG_SUPER_PRO_MAX_MASTER_PLAN.md
+++ b/docs/00-meta/BLITZKRIEG_SUPER_PRO_MAX_MASTER_PLAN.md
@@ -172,7 +172,7 @@ Dry-run deployments and cross-chain reconciliation.
 Source: NOT_CHANGED_BY_DESIGN.
 **Configuration and DNS (R21–R22)**  
-Sankofa alignment and configuration blocks 2–6.  
+Sankofa zone NPM/docs **aligned (R21 done 2026-03)**; blocks #2–#6 still TBD.  
 Source: ALL_REQUIREMENTS.
 **Quick Wins (R23)**  
--- a/docs/00-meta/CONTRIBUTOR_GUIDELINES.md
+++ b/docs/00-meta/CONTRIBUTOR_GUIDELINES.md
@@ -199,7 +199,7 @@ This document provides guidelines for contributing to the documentation, includi
 - **[DOCUMENTATION_STYLE_GUIDE.md](DOCUMENTATION_STYLE_GUIDE.md)** ⭐⭐⭐ - Style guide
 - **[MASTER_INDEX.md](../MASTER_INDEX.md)** ⭐⭐⭐ - Documentation index
- **[DOCUMENTATION_METRICS.md](../archive/00-meta-pruned/DOCUMENTATION_METRICS.md)** ⭐ - Documentation health and review
+- **[DOCUMENTATION_CONSOLIDATION_PLAN.md](DOCUMENTATION_CONSOLIDATION_PLAN.md)** — consolidation scope; **[DOCUMENTATION_QUALITY_REVIEW.md](DOCUMENTATION_QUALITY_REVIEW.md)** — quality review
 ---
--- a/docs/00-meta/DOCUMENTATION_CONSOLIDATION_PLAN.md
+++ b/docs/00-meta/DOCUMENTATION_CONSOLIDATION_PLAN.md
@@ -3,7 +3,7 @@
 **Last Updated:** 2026-03-02  
 **Purpose:** Review, consolidate, and prune markdown docs. Single reference for what to keep, merge, or archive.
-**Related:** [ARCHIVE_CANDIDATES.md](ARCHIVE_CANDIDATES.md) | [archive/00-meta-pruned/README.md](../archive/00-meta-pruned/README.md). (Dated review docs, e.g. DOCUMENTATION_REVIEW_20260216, are in archive/00-meta-pruned.)
+**Related:** [ARCHIVE_CANDIDATES.md](ARCHIVE_CANDIDATES.md) — inventory of moved material. Dated review docs from 2026-02 live only on disk under `docs/archive/`; **active runbooks should not link there** — use [MASTER_INDEX.md](../MASTER_INDEX.md) and living paths in this plan.
 ---
@@ -123,7 +123,7 @@ Moved to `docs/archive/00-meta-pruned/` in 2026-02-20 batch:
 **Kept at root:** README.md, PROJECT_STRUCTURE.md, INTEGRATIONS_QUICK_REFERENCE.md, COMPREHENSIVE_STATUS_BRIDGE_READY.md (linked from docs), package.json, pnpm-lock.yaml, pnpm-workspace.yaml, renovate.json, .env.example, claude_desktop_config.json.example, token-list.json, .gitignore, .gitmodules.
-**Moved:** 40+ status/completion/temp files and screenshots → [docs/archive/root-cleanup-20260220/](../archive/root-cleanup-20260220/README.md). **fix-wsl-ip.sh** → scripts/fix-wsl-ip.sh.
+**Moved:** 40+ status/completion/temp files and screenshots → `docs/archive/root-cleanup-20260220/` (on disk; not a doc navigation target). **fix-wsl-ip.sh** → `scripts/fix-wsl-ip.sh`.
 ---
--- a/docs/00-meta/DOCUMENTATION_FIX_TASK_LIST.md
+++ b/docs/00-meta/DOCUMENTATION_FIX_TASK_LIST.md
@@ -234,7 +234,7 @@
 ## 7. Related Documents
- **[COMPREHENSIVE_DOCUMENTATION_REVIEW_2026-01-31.md](../archive/00-meta-pruned/COMPREHENSIVE_DOCUMENTATION_REVIEW_2026-01-31.md)** – Full review methodology and findings
+- **[DOCUMENTATION_CONSOLIDATION_PLAN.md](DOCUMENTATION_CONSOLIDATION_PLAN.md)** — scope and keep/archive decisions; **[DOCUMENTATION_QUALITY_REVIEW.md](DOCUMENTATION_QUALITY_REVIEW.md)** — ongoing quality bar
 - **[DOCUMENTATION_QUALITY_REVIEW.md](DOCUMENTATION_QUALITY_REVIEW.md)** – Duplicates, gaps, inconsistencies
 - **[DOCUMENTATION_ENHANCEMENTS_RECOMMENDATIONS.md](DOCUMENTATION_ENHANCEMENTS_RECOMMENDATIONS.md)** – Content, visual, organization, usability
 - **[DOCUMENTATION_STYLE_GUIDE.md](DOCUMENTATION_STYLE_GUIDE.md)** – Standards for headers, naming, markdown
--- a/docs/00-meta/DOTENV_AND_MARKDOWN_AUDIT_GAPS_AND_RECOMMENDATIONS.md
+++ b/docs/00-meta/DOTENV_AND_MARKDOWN_AUDIT_GAPS_AND_RECOMMENDATIONS.md
@@ -28,7 +28,7 @@
 | **RPC_URL_138** | Deploy, verify, on-chain checks | Use IP:port for deploy: `http://192.168.11.211:8545` |
 | **ETH_MAINNET_RPC_URL** / **ETHEREUM_MAINNET_RPC** | Mainnet verify, CCIP, relay | Infura/Alchemy |
 | **CCIPWETH9_BRIDGE_CHAIN138**, **CCIPWETH10_BRIDGE_CHAIN138** | Bridge scripts, token-aggregation, routing | Canonical: WETH9 `0xcacfd227A040002e49e2e01626363071324f820a`; WETH10 `0xe0E93247376aa097dB308B92e6Ba36bA015535D0` |
-| **CHAIN_138_DODO_PMM_INTEGRATION** | Token-aggregation indexer, quotes | `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` |
+| **CHAIN_138_DODO_PMM_INTEGRATION** | Token-aggregation indexer, quotes | `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` |
 | **CUSDT_ADDRESS_138**, **CUSDC_ADDRESS_138** | Scripts, token-aggregation | Canonical in EXPLORER_TOKEN_LIST_CROSSCHECK §5 |
 | **DATABASE_URL** | Token-aggregation DB, migrations | When using PostgreSQL (e.g. VMID 5000) |
 | **CRONOS_RPC**, **CELO_RPC**, **WEMIX_RPC**, **GNOSIS_RPC** | complete-config-ready-chains, deployer-gas | Celo: CELO_RPC; Wemix: WEMIX_RPC; etc. |
--- a/docs/00-meta/FULL_PARALLEL_EXECUTION_ORDER.md
+++ b/docs/00-meta/FULL_PARALLEL_EXECUTION_ORDER.md
@@ -5,7 +5,7 @@
 **Sources:** [TODO_TASK_LIST_MASTER.md](TODO_TASK_LIST_MASTER.md), [REMAINING_TASKS_NEXT_STEPS_PHASES_REVIEW.md](REMAINING_TASKS_NEXT_STEPS_PHASES_REVIEW.md), [PARALLEL_TASK_STRUCTURE.md](PARALLEL_TASK_STRUCTURE.md), [ALL_IMPROVEMENTS_AND_GAPS_INDEX.md](../ALL_IMPROVEMENTS_AND_GAPS_INDEX.md). **Single plan (required/optional/recommended):** [COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md](COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md).
-**Run log:** [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived) — record of what was executed by wave (2026-02-05).  
+**Run record (2026-02-05):** [REMAINING_ITEMS_FULL_PARALLEL_LIST.md](REMAINING_ITEMS_FULL_PARALLEL_LIST.md) (batch 11 summary); **current validation:** `./scripts/validation/validate-config-files.sh`, `./scripts/verify/run-all-validation.sh`.  
 **Wave 1 status:** [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md). **Wave 2/3 checklist:** [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md).  
 **Full remaining list (all items by wave):** [REMAINING_ITEMS_FULL_PARALLEL_LIST.md](REMAINING_ITEMS_FULL_PARALLEL_LIST.md).
--- a/docs/00-meta/MAINNET_LIQUIDITY_AND_RAMPS_PRIORITY.md
+++ b/docs/00-meta/MAINNET_LIQUIDITY_AND_RAMPS_PRIORITY.md
@@ -36,7 +36,7 @@ Without mainnet liquidity, users cannot receive value when bridging from Chain 1
 | Step | Action |
 |------|--------|
 | 1 | Ensure deployer has WETH on mainnet (swap ETH→WETH or receive WETH). |
-| 2 | Run: `./scripts/bridge/fund-mainnet-relay-bridge.sh [amount_wei]` (omit for full balance). Env: `PRIVATE_KEY`, `ETHEREUM_MAINNET_RPC` (or `RPC_URL_MAINNET`). |
+| 2 | Run: `./scripts/bridge/fund-mainnet-relay-bridge.sh [amount_wei]` (omit for full deployer WETH balance). Env: `PRIVATE_KEY`, `ETHEREUM_MAINNET_RPC` (or `RPC_URL_MAINNET`), `CCIP_RELAY_BRIDGE_MAINNET`. |
 | 3 | Verify bridge balance: `cast call 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 "balanceOf(address)(uint256)" 0xF9A32F37099c582D28b4dE7Fca6eaC1e5259f939 --rpc-url $ETHEREUM_MAINNET_RPC`. |
 **Refs:** [CCIP_BRIDGE_MAINNET_CONNECTION](../07-ccip/CCIP_BRIDGE_MAINNET_CONNECTION.md), [REMAINING_WORK_BREAKDOWN_AND_ANSWERS](REMAINING_WORK_BREAKDOWN_AND_ANSWERS.md) § 2.6.
@@ -48,6 +48,8 @@ Without mainnet liquidity, users cannot receive value when bridging from Chain 1
 3. Run `fund-mainnet-lp.sh --eth 1 --weth 0.5`.  
 4. Run `fund-mainnet-relay-bridge.sh` if using CCIP relay.
 **Current operator target:** see [FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC](../03-deployment/FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md) for exact current-to-target top-up deltas.
 ---
 ## Priority 2 — Wire off-ramps and on-ramps
--- a/docs/00-meta/MASTER_PLAN.md
+++ b/docs/00-meta/MASTER_PLAN.md
@@ -119,7 +119,7 @@ flowchart TB
 Consolidated from [GAPS_AND_RECOMMENDATIONS_CONSOLIDATED.md](../GAPS_AND_RECOMMENDATIONS_CONSOLIDATED.md), [REQUIRED_FIXES_UPDATES_GAPS.md](../REQUIRED_FIXES_UPDATES_GAPS.md), [ALL_IMPROVEMENTS_AND_GAPS_INDEX.md](../ALL_IMPROVEMENTS_AND_GAPS_INDEX.md), and [NEXT_STEPS_MASTER.md](NEXT_STEPS_MASTER.md). Detailed tables stay in those docs; below are the resolution rules.
 - **Secrets and API keys:** No real keys in `.env.example` (token-aggregation, root); use placeholders; document in [MASTER_SECRETS_INVENTORY.md](../04-configuration/MASTER_SECRETS_INVENTORY.md). Rotate any exposed keys.
- **Config/DNS TBDs:** the-order.sankofa.nexus, Sankofa cutover plan `<TARGET_IP>`, RPC_ENDPOINTS_MASTER placeholders — **When The Order / Sankofa deployed, update NPMplus and docs; remove TBD.**
+- **Config/DNS (Sankofa zone):** **Done 2026-03** — the-order via **10210** `192.168.11.39:80`; cutover plan v1.1; RPC_ENDPOINTS_MASTER + ALL_VMIDS updated. Re-run `update-npmplus-proxy-hosts-api.sh` after infra changes. Legacy doc snippets may still show `<TARGET_IP>` in API examples.
 - **Network placeholders:** Public blocks #2–#6 in [NETWORK_ARCHITECTURE.md](../02-architecture/NETWORK_ARCHITECTURE.md) — **Document when assigned or mark reserved.**
 - **Code placeholders:** See Section 3.1 below (one-line resolution table).
 - **Documentation placeholders:** Emergency hotline and example URLs in dbis_core nostro-vostro — Done ("To be configured"). the-order REMAINING_TODOS.md — **Create or archive and fix links.**
@@ -131,8 +131,8 @@ Consolidated from [GAPS_AND_RECOMMENDATIONS_CONSOLIDATED.md](../GAPS_AND_RECOMME
 | Item | Location | Resolution |
 |------|----------|------------|
 | API keys in .env.example | token-aggregation, root | Replace with placeholders; document in MASTER_SECRETS_INVENTORY; rotate if exposed. |
-| the-order.sankofa.nexus | RPC_ENDPOINTS_MASTER, ALL_VMIDS_ENDPOINTS | When The Order portal deployed: add NPMplus proxy host and document IP:port. |
+| the-order.sankofa.nexus | RPC_ENDPOINTS_MASTER, ALL_VMIDS_ENDPOINTS | **Done:** NPM → 10210 `.39:80` → portal `:3000`. |
-| Sankofa cutover plan TBDs | SANKOFA_CUTOVER_PLAN | Replace `<TARGET_IP>`, `<TARGET_PORT>` when Sankofa deployed. |
+| Sankofa cutover plan | SANKOFA_CUTOVER_PLAN | **Done v1.1** — live tables; substitute `<TARGET_*>` only if reusing old API curl templates. |
 | sankofa.nexus / phoenix routes | RPC_ENDPOINTS_MASTER | Keep in sync with NPMplus; remove "placeholder (routes to Blockscout)" when pointing to Sankofa/Phoenix. |
 | Public blocks #2–#6 | NETWORK_ARCHITECTURE, NETWORK_CONFIGURATION_MASTER | Document when assigned or mark reserved. |
 | AlltraAdapter fee | AlltraAdapter.sol | Implement configurable setBridgeFee; document in PLACEHOLDERS_AND_TBD. Update when ALL Mainnet fee known. |
--- a/docs/00-meta/MASTER_TODO_EXPANDED.md
+++ b/docs/00-meta/MASTER_TODO_EXPANDED.md
@@ -60,7 +60,7 @@
 | R18 | Explorer health: Blockscout VMID 5000, /api reachable | [ ] |
 | R19 | Test before deploy: forge test smom-dbis-138, alltra-lifi-settlement; integration tests | [x] |
 | R20 | NatSpec on public contract functions | [x] |
-| R21 | Sankofa/The Order: when deployed add NPMplus proxy; RPC_ENDPOINTS_MASTER, SANKOFA_CUTOVER_PLAN TBDs | [ ] |
+| R21 | Sankofa/The Order: NPMplus + docs (10210 HAProxy path) | [x] |
 | R22 | Network placeholders: blocks #2–#6 in NETWORK_ARCHITECTURE when assigned | [ ] |
 | R23 | Scripts: progress indicators; --dry-run where missing; extend config validation | [x] |
@@ -252,9 +252,9 @@
 | Task | Status |
 |------|--------|
-| the-order.sankofa.nexus when portal deployed; NPMplus proxy + RPC_ENDPOINTS_MASTER | [ ] |
+| the-order.sankofa.nexus; NPMplus + RPC_ENDPOINTS_MASTER | [x] |
-| Sankofa cutover: replace TBDs in SANKOFA_CUTOVER_PLAN | [ ] |
+| Sankofa cutover: SANKOFA_CUTOVER_PLAN v1.1 | [x] |
-| NPMplus proxy: sankofa → 7801/.51:3000, phoenix → 7800/.50:4000; only explorer → .140 | [ ] |
+| NPMplus proxy: sankofa → .51:3000, phoenix → .50:4000, the-order → .39:80; only explorer → .140 | [x] |
 | Blocks #2–#6 in NETWORK_ARCHITECTURE when assigned | [ ] |
 ### smom-dbis-138 (GAPS §3)
--- a/docs/00-meta/NEXT_STEPS_ALL.md
+++ b/docs/00-meta/NEXT_STEPS_ALL.md
@@ -2,7 +2,7 @@
 **Last Updated:** 2026-02-08  
 **Purpose:** Single ordered list of everything left to do (Dev/Codespaces + general operator).  
-**Run-order checklist:** [CONTINUE_AND_COMPLETE.md](../archive/00-meta-pruned/CONTINUE_AND_COMPLETE.md) (archived) — commands in order when ready.  
+**Run-order:** [NEXT_STEPS_INDEX.md](NEXT_STEPS_INDEX.md) → [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md); completable first: `./scripts/run-completable-tasks-from-anywhere.sh`, then `./scripts/run-all-operator-tasks-from-lan.sh` from LAN.  
 **References:** [DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md](../04-configuration/DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md) | [NEXT_STEPS_OPERATOR.md](NEXT_STEPS_OPERATOR.md)  
 **Completion evidence:** [DEV_CODESPACES_COMPLETION_20260207.md](../04-configuration/verification-evidence/DEV_CODESPACES_COMPLETION_20260207.md)  
 **Secrets & remaining actions:** [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md](../04-configuration/REMAINING_ITEMS_DOTENV_AND_ACTIONS.md)
--- a/docs/00-meta/NEXT_STEPS_AND_REMAINING_TODOS.md
+++ b/docs/00-meta/NEXT_STEPS_AND_REMAINING_TODOS.md
@@ -1,5 +1,7 @@
 # Next Steps and Remaining TODOs — Consolidated List
 > Historical note (2026-03-26): this consolidated TODO list includes superseded PMM-address references from earlier deployment phases. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Last Updated:** 2026-03-02  
 **Purpose:** Single checklist of all next steps and remaining tasks. **Single-file task list:** [TODOS_CONSOLIDATED.md](TODOS_CONSOLIDATED.md). Items marked **Operator/LAN** require Proxmox access, deploy keys, or external parties; others can be done in-repo (code, config, docs).
@@ -71,7 +73,7 @@ Steps 1–2 and the Chain 138 “all in one” run (step 3) are **done** (2026-0
 |---|------|
 | — | **Preflight:** Passed (RPC Core, dotenv, nonce). |
 | — | **PMM pools:** All three created (cUSDT/cUSDC `0x9fcB…`, cUSDT/USDT `0xa3Ee…`, cUSDC/USDC `0x90bd…`). |
-| — | **DODOPMMProvider:** Deployed at `0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0`; all three pools registered via `RegisterDODOPools.s.sol`. |
+| — | **DODOPMMProvider:** Deployed at `0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`; corrected canonical stack aligned via desired-state sync. |
 | — | **Operator script:** NPMplus RPC fix + backup + Blockscout verify run. |
 | — | **Wemix:** Re-fetched scan.wemix.com/tokens; WEMIX_TOKEN_VERIFICATION.md updated. |
 | — | **Docs:** PRE_DEPLOYMENT_CHECKLIST, LIQUIDITY_POOLS_MASTER_MAP updated. **Remaining (operator/external):** [WHATS_LEFT_OPERATOR_AND_EXTERNAL.md](WHATS_LEFT_OPERATOR_AND_EXTERNAL.md). |
--- a/docs/00-meta/NEXT_STEPS_OPERATOR.md
+++ b/docs/00-meta/NEXT_STEPS_OPERATOR.md
@@ -1,18 +1,36 @@
 # Next Steps — Operator Runbook
-**Last Updated:** 2026-02-20  
+**Last Updated:** 2026-03-26  
 **Purpose:** Single runbook of copy-paste commands for all remaining operator/LAN/creds steps. Use after automated steps are done.
 **References:** [REMAINING_WORK_DETAILED_STEPS.md](REMAINING_WORK_DETAILED_STEPS.md), [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md), [INFRA_DEPLOYMENT_LOCKED_AND_LOADED.md](../03-deployment/INFRA_DEPLOYMENT_LOCKED_AND_LOADED.md). **Single fixes checklist (required + optional):** [FIXES_PREPARED.md](../04-configuration/FIXES_PREPARED.md). **Full fixes (validators, block/tx, Sentries, RPCs, network, optional):** [FULL_FIXES_PREPARED.md](../04-configuration/FULL_FIXES_PREPARED.md). **All next steps (consolidated):** [NEXT_STEPS_ALL.md](NEXT_STEPS_ALL.md). **Dev/Codespaces (76.53.10.40):** [DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md](../04-configuration/DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md). **Dev/Codespaces completion evidence:** [DEV_CODESPACES_COMPLETION_20260207.md](../04-configuration/verification-evidence/DEV_CODESPACES_COMPLETION_20260207.md).
 ---
 ## Completed in this session (2026-03-26)
 | Item | Result |
 |------|--------|
 | NPMplus CT recovery | Port `81` on `192.168.11.167` accepted TCP but stalled at HTTP; `pct reboot 10233` on `r630-01` restored the expected `301`. |
 | NPMplus proxy host update | `NPM_URL=https://192.168.11.167:81 bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` completed with **39 hosts updated, 0 failed**. |
 | Sankofa routing | `sankofa.nexus`, `www.sankofa.nexus`, `phoenix.sankofa.nexus`, `www.phoenix.sankofa.nexus`, `studio.sankofa.nexus`, and `the-order.sankofa.nexus` now pass in the public E2E profile. |
 | Public E2E verification | Latest run `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` exited `0`; **Failed: 0**, **DNS passed: 37**, **HTTPS passed: 22**. DBIS, Mifos, and MIM4U public endpoints also passed. Evidence: `docs/04-configuration/verification-evidence/e2e-verification-20260326_115013/`. |
 | Private E2E verification | Latest run `bash scripts/verify/verify-end-to-end-routing.sh --profile=private` exited `0`; **Failed: 0**, **DNS passed: 4**. Private HTTP and WS RPC endpoints all passed. Evidence: `docs/04-configuration/verification-evidence/e2e-verification-20260326_120939/`. |
 | NPMplus backup | Fresh backup completed at `backups/npmplus/backup-20260326_115622.tar.gz`. |
 | Blockscout verification | `./scripts/verify/run-contract-verification-with-proxy.sh` completed; contracts were submitted or skipped if already verified. |
 | Private RPC redirect fix | `rpc-http-prv.d-bis.org` now responds with JSON-RPC `200` after updating the NPMplus host to stop forcing HTTPS redirects on POSTs. |
 | `.env` handling | NPM-only runs should use targeted `NPM_EMAIL` / `NPM_PASSWORD` extraction when exporting the full `.env` causes `Argument list too long`. |
 **Still from LAN:** no public or private E2E follow-up was needed in the latest runs; only re-run the maintenance section if those endpoints regress.
 ---
 ## Completed in this session (2026-02-20)
 | Item | Result |
 |------|--------|
 | Completable tasks | `run-completable-tasks-from-anywhere.sh` — config validation OK, on-chain 45/45, run-all-validation --skip-genesis OK, reconcile-env --print. |
-| Doc consolidation | NEXT_STEPS_INDEX, DOCUMENTATION_CONSOLIDATION_PLAN; Batch 4+5 → 00-meta-pruned; root cleanup → archive/root-cleanup-20260220; ARCHIVE_CANDIDATES "Last reviewed" set. |
+| Doc consolidation | NEXT_STEPS_INDEX, DOCUMENTATION_CONSOLIDATION_PLAN; batches and root cleanup recorded in [ARCHIVE_CANDIDATES.md](ARCHIVE_CANDIDATES.md) ("Last reviewed" set). |
 ## Completed in previous session (2026-02-19)
@@ -25,7 +43,7 @@
 | Optional Phase 9 | Smart accounts kit (informational) — ran; next: deploy EntryPoint/AccountFactory/Paymaster. |
 | E2E verification | `verify-end-to-end-routing.sh` with E2E_ACCEPT_502_INTERNAL=1 — run (report in verification-evidence). |
-**Still from LAN:** NPMplus backup, Blockscout verification, full 502/NPMplus proxy update. See [COMPLETION_STATUS_20260215](../archive/00-meta-pruned/COMPLETION_STATUS_20260215.md).
+**Still from LAN:** NPMplus backup, Blockscout verification, full 502/NPMplus proxy update. **Runbooks:** [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md), [../04-configuration/NPMPLUS_QUICK_REF.md](../04-configuration/NPMPLUS_QUICK_REF.md), [../04-configuration/EXPLORER_LINKS_AND_ISSUES_DIAGNOSTIC.md](../04-configuration/EXPLORER_LINKS_AND_ISSUES_DIAGNOSTIC.md) (`scripts/verify/check-explorer-links.sh`).
 ---
--- a/docs/00-meta/NOT_IMPLEMENTED_FULL_SCOPE.md
+++ b/docs/00-meta/NOT_IMPLEMENTED_FULL_SCOPE.md
@@ -71,7 +71,7 @@
 | Area | Deliverables |
 |------|--------------|
-| **Sankofa / The Order** | Checklist: replace &lt;TARGET_IP&gt;/&lt;TARGET_PORT&gt;; update ALL_VMIDS_ENDPOINTS, RPC_ENDPOINTS_MASTER; NPMplus proxy for the-order.sankofa.nexus; "where to update when done" (PLACEHOLDERS_AND_TBD, REMAINING_COMPONENTS). See [SANKOFA_THE_ORDER_CHECKLIST](../04-configuration/SANKOFA_THE_ORDER_CHECKLIST.md) or SANKOFA_CUTOVER_PLAN. |
+| **Sankofa / The Order** | **Routing done 2026-03** (NPM, ALL_VMIDS, RPC_ENDPOINTS_MASTER, SANKOFA_CUTOVER_PLAN v1.1, [SANKOFA_THE_ORDER_CHECKLIST](../04-configuration/SANKOFA_THE_ORDER_CHECKLIST.md)). This row retained for design-scope doc; implementation of app features (OMNIS SDK, legal vendors, etc.) remains separate. |
 | **OMNIS — Sankofa Phoenix SDK** | Integration spec: required SDK interface (getAuthUrl, validateToken, getUserInfo), env vars, fallback. See [OMNIS_SANKOFA_PHOENIX_SDK_INTEGRATION_SPEC](../04-configuration/OMNIS_SANKOFA_PHOENIX_SDK_INTEGRATION_SPEC.md). Dependency note in PLACEHOLDERS_AND_TBD / PLACEHOLDERS_AND_COMPLETION_MASTER_LIST: "Blocked on Sankofa Phoenix SDK availability." |
 | **the-order — legal-documents** | Vendor/implementation matrix (court-efiling, e-signature, document-security): Option, Prerequisites, Steps, "Where to update when done." See [LEGAL_DOCUMENTS_IMPLEMENTATION](LEGAL_DOCUMENTS_IMPLEMENTATION.md). Update GAPS_AND_RECOMMENDATIONS_CONSOLIDATED, PLACEHOLDERS_AND_COMPLETION_MASTER_LIST when done. |
 | **dbis_core** | Runbook or comment "When to implement": Prometheus when monitoring stack is up; Redis when caching needed. See [DBIS_CORE_WHEN_TO_IMPLEMENT](DBIS_CORE_WHEN_TO_IMPLEMENT.md). No new code; doc/checklist only. |
--- a/docs/00-meta/OPERATOR_AND_EXTERNAL_COMPLETION_CHECKLIST.md
+++ b/docs/00-meta/OPERATOR_AND_EXTERNAL_COMPLETION_CHECKLIST.md
@@ -39,8 +39,8 @@ Use this checklist when you have operator or LAN access to complete the remainin
 | # | Action | Notes |
 |---|--------|-------|
-| R21 | The Order / Sankofa NPMplus proxy host | When The Order portal deployed: add proxy in NPMplus; document in RPC_ENDPOINTS_MASTER, ALL_VMIDS_ENDPOINTS |
+| R21 | The Order / Sankofa NPMplus | **Done 2026-03** — see ALL_VMIDS, RPC_ENDPOINTS_MASTER, `update-npmplus-proxy-hosts-api.sh` |
-| Sankofa cutover | Replace &lt;TARGET_IP&gt;, &lt;TARGET_PORT&gt;, TBDs in SANKOFA_CUTOVER_PLAN with actual values |
+| Sankofa cutover | **Done** — SANKOFA_CUTOVER_PLAN v1.1 |
 | Blocks #2–#6 | Document in NETWORK_ARCHITECTURE / NETWORK_CONFIGURATION_MASTER when assigned or mark reserved |
 | 75–81 | VLAN enablement, observability stack, CCIP fleet, sovereign tenants, missing containers | Per NEXT_STEPS_MASTER and deployment phases |
--- a/docs/00-meta/OPERATOR_READY_CHECKLIST.md
+++ b/docs/00-meta/OPERATOR_READY_CHECKLIST.md
@@ -1,6 +1,6 @@
 # Operator Ready Checklist — Copy-Paste Commands
-**Last Updated:** 2026-03-04  
+**Last Updated:** 2026-03-27  
 **Purpose:** Single page with exact commands to complete every pending todo. Run from **repo root** on a host with **LAN** access (and `smom-dbis-138/.env` with `PRIVATE_KEY`, `NPM_PASSWORD` where noted).
 **Do you have all necessary creds?** See [OPERATOR_CREDENTIALS_CHECKLIST.md](OPERATOR_CREDENTIALS_CHECKLIST.md) — per-task list of LAN, PRIVATE_KEY, NPM_PASSWORD, RPC_URL_138, SSH, LINK, gas, token balance.
@@ -15,6 +15,22 @@
 ---
 ## Completed in this session (2026-03-26)
 | Item | Result |
 |------|--------|
 | NPMplus recovery | VMID `10233` was wedged on `192.168.11.167:81` (TCP connect, no HTTP). `pct reboot 10233` on `r630-01` restored the expected `301` response on port `81`. |
 | NPMplus API updater | `NPM_URL=https://192.168.11.167:81 bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` completed with **39 hosts updated, 0 failed**. |
 | Sankofa / Order / Studio routing | **Superseded 2026-03-27:** Order hostnames default to **order-haproxy** `http://192.168.11.39:80` (10210 → `.51:3000`). Through 2026-03-26 NPM pointed Order directly at portal `:3000`. `studio.sankofa.nexus` → `http://192.168.11.72:8000`. |
 | Public E2E | Latest run `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` exited `0` with **Failed: 0**, **DNS passed: 37**, **HTTPS passed: 22**. Sankofa, Phoenix, Studio, The Order, DBIS, Mifos, and MIM4U public endpoints passed. Evidence: `docs/04-configuration/verification-evidence/e2e-verification-20260326_115013/`. |
 | Private E2E | Latest run `bash scripts/verify/verify-end-to-end-routing.sh --profile=private` exited `0` with **Failed: 0** and **DNS passed: 4**. `rpc-http-prv.d-bis.org`, `rpc-fireblocks.d-bis.org`, `rpc-ws-prv.d-bis.org`, and `ws.rpc-fireblocks.d-bis.org` all passed. Evidence: `docs/04-configuration/verification-evidence/e2e-verification-20260326_120939/`. |
 | NPMplus backup | Fresh backup completed: `backups/npmplus/backup-20260326_115622.tar.gz`. API exports succeeded; direct SQLite file copy and certbot path copy were partial/warn-only, but the backup manifest and compressed bundle were created successfully. |
 | Blockscout verification run | `./scripts/verify/run-contract-verification-with-proxy.sh` completed; contracts were submitted or skipped if already verified. `WETH10` returned `The address is not a smart contract`; others like `Multicall`, `Aggregator`, `Proxy`, `CCIPSender`, `CCIPWETH10Bridge`, and `CCIPWETH9Bridge` submitted successfully. |
 | Private RPC redirect fix | `rpc-http-prv.d-bis.org` no longer returns HTTP `301` on JSON-RPC POST. Live NPMplus host `11` was updated to `ssl_forced=false` while preserving upstream `192.168.11.211:8545`. |
 | NPM creds loading | For NPM-only runs, prefer targeted `grep` of `NPM_EMAIL` / `NPM_PASSWORD` if full `.env` export triggers `Argument list too long`. |
 ---
 ## 1. High: Cronos closure + reachable CCIP funding
 **Ref:** [CONFIG_READY_CHAINS_COMPLETION_RUNBOOK](../07-ccip/CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md)
@@ -84,6 +100,8 @@ Single contract retry: `./scripts/verify/run-contract-verification-with-proxy.sh
 **Runbook:** [502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md](502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md)
 **Current status after 2026-03-26:** no public 502s reproduced in the latest public E2E run. Use this section only if those endpoints regress.
 ---
 ## 5. LAN: Run all operator tasks (backup + verify ± deploy ± create-vms)
@@ -211,8 +229,14 @@ bash scripts/verify/backup-npmplus.sh
 **NPMplus RPC fix (405):** From LAN: `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`. Verify: `bash scripts/verify/verify-end-to-end-routing.sh`.
 **Status (2026-03-26):** main NPMplus API update completed successfully with `39 hosts updated, 0 failed`; public E2E now passes for Sankofa root, Phoenix, Studio, and The Order. Re-run only when upstream targets or proxy definitions change.
 **Latest backup evidence:** `backups/npmplus/backup-20260326_115622.tar.gz`
 **NPMplus API unreachable (167/169):** Restart Docker inside NPMplus LXC: `./scripts/maintenance/fix-npmplus-services-via-proxmox-ssh.sh` (SSH to r630-01, restarts npmplus in 10233 and 10235).
 **If port 81 accepts TCP but hangs at HTTP:** reboot CT `10233` with `pct reboot 10233` on `r630-01`, then retry the API updater.
 **E2E from LAN (no public DNS):** If E2E fails at DNS (`Could not resolve host`), use [E2E_DNS_FROM_LAN_RUNBOOK.md](../04-configuration/E2E_DNS_FROM_LAN_RUNBOOK.md): append `config/e2e-hosts-append.txt` to `/etc/hosts`, then run `E2E_USE_SYSTEM_RESOLVER=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public`. Revert with `sudo ./scripts/verify/remove-e2e-hosts-from-etc-hosts.sh`.
 **E2E profiles:** Use `--profile=public` for public endpoints (default) or `--profile=private` for private/admin RPC only. Run sequentially to avoid timestamp collision in evidence dirs. **Known E2E warnings** (502/404 and WS): [E2E_ENDPOINTS_LIST.md](../04-configuration/E2E_ENDPOINTS_LIST.md) § Known E2E warnings and Remediation. MIM4U web 502s and WS test-format warnings are **non-blocking** for contract/pool completion.
@@ -221,6 +245,25 @@ bash scripts/verify/backup-npmplus.sh
 ---
 ## 8.5 PMM mesh (6s oracle / keeper / PMM–WETH poll)
 **Ref:** `smom-dbis-138/docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation)
 ```bash
 cd smom-dbis-138
 # .env should include: PRIVATE_KEY, AGGREGATOR_ADDRESS, PRICE_FEED_KEEPER_ADDRESS (optional: KEEPER_PRIVATE_KEY if different from PRIVATE_KEY)
 ./scripts/reserve/set-price-feed-keeper-interval.sh 6   # once per keeper deployment if interval was 30s
 ./scripts/update-oracle-price.sh   # verify transmitter + gas (Besu needs explicit gas limit in script)
 ./scripts/reserve/sync-weth-mock-price.sh   # if CHAIN138_WETH_MOCK_PRICE_FEED is set (keeper WETH path)
 mkdir -p logs
 nohup ./scripts/reserve/pmm-mesh-6s-automation.sh >> logs/pmm-mesh-automation.log 2>&1 &
 # journalctl equivalent: tail -f logs/pmm-mesh-automation.log
 ```
 **systemd:** `config/systemd/chain138-pmm-mesh-automation.service.example` — copy, set `User` and absolute paths, `enable --now`.
 ---
 ## 9. Wemix token verification (Deferred)
 This is intentionally deferred with the rest of the Wemix path. If the chain is brought back into scope later, open [scan.wemix.com/tokens](https://scan.wemix.com/tokens); confirm WETH, USDT, USDC addresses. If different, update `config/token-mapping-multichain.json` and [WEMIX_TOKEN_VERIFICATION.md](../07-ccip/WEMIX_TOKEN_VERIFICATION.md). Then:
--- a/docs/00-meta/PLACEHOLDERS_AND_COMPLETION_MASTER_LIST.md
+++ b/docs/00-meta/PLACEHOLDERS_AND_COMPLETION_MASTER_LIST.md
@@ -1,6 +1,6 @@
 # Placeholders and What Needs to Be Completed — Master List
-**Last Updated:** 2026-02-13  
+**Last Updated:** 2026-03-27  
 **Purpose:** Single list of every placeholder and what must be completed (code, config, docs, ops).
 **Completion pass (2026-02-13):** OMNIS backend routes (POST/PUT budgets, POST documents/upload, PATCH profile) done; authController token blacklisting (in-memory + TOKEN_BLACKLIST_ENABLED); TezosRelayService Taquito skeleton + mock gated; Smart accounts .env.example + runbook; dbis_core Redis stub, Prometheus/risk comments, deal-execution tests skipped with ticket; CCIPLogger decision (omit unless monitoring); .bak listed and deprecated in BAK_FILES_DEPRECATION; deployment gaps (env table, TransactionMirror script, DEPLOYMENT_GAPS_COMPLETED); NPMplus HA and storage monitor already have ALERT_EMAIL/ALERT_WEBHOOK; deploy.sh TODO comments for migration/health; the-order legal-documents vendor integration README; root .gitignore (venv, __pycache__, .phase1).
@@ -25,8 +25,8 @@
 | Placeholder | Location | What to complete |
 |-------------|----------|------------------|
-| **the-order.sankofa.nexus** | [ALL_VMIDS_ENDPOINTS](../04-configuration/ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER](../04-configuration/RPC_ENDPOINTS_MASTER.md) | When The Order portal is deployed: add NPMplus proxy host and document IP:port in RPC_ENDPOINTS_MASTER and ALL_VMIDS_ENDPOINTS. |
+| **the-order.sankofa.nexus** | [ALL_VMIDS_ENDPOINTS](../04-configuration/ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER](../04-configuration/RPC_ENDPOINTS_MASTER.md) | **Done 2026-03-27:** NPM → 10210 `192.168.11.39:80` (HAProxy → portal :3000). Keep docs in sync if routing changes. |
-| **Sankofa cutover plan** | [SANKOFA_CUTOVER_PLAN](../04-configuration/SANKOFA_CUTOVER_PLAN.md) | Replace `<TARGET_IP>`, `<TARGET_PORT>`, and table TBDs with actual Sankofa service IPs/ports when deployed. |
+| **Sankofa cutover plan** | [SANKOFA_CUTOVER_PLAN](../04-configuration/SANKOFA_CUTOVER_PLAN.md) | **Done 2026-03-27:** v1.1 lists live backends (incl. The Order via 10210). Legacy API examples may still contain `<TARGET_*>` placeholders—substitute real values if you reuse them. |
 | **sankofa.nexus / phoenix.sankofa.nexus** | [ALL_VMIDS_ENDPOINTS](../04-configuration/ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER](../04-configuration/RPC_ENDPOINTS_MASTER.md), [DNS_NPMPLUS_VM](../04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md) | **Doc fix done:** Correct targets: sankofa → 192.168.11.51:3000 (VMID 7801), phoenix → 192.168.11.50:4000 (VMID 7800). **Operator:** Ensure NPMplus proxy hosts use these, not 192.168.11.140. Only explorer.d-bis.org → .140. |
 | **Public blocks #2–#6** | [NETWORK_ARCHITECTURE](../02-architecture/NETWORK_ARCHITECTURE.md), [NETWORK_CONFIGURATION_MASTER](../11-references/NETWORK_CONFIGURATION_MASTER.md) | Document when blocks are assigned or mark as “reserved”. |
 | **PROXMOX_HOST / PROXMOX_TOKEN_SECRET** | smom-dbis-138-proxmox/README.md | Keep as `proxmox.example.com`, `your-token-secret`; document in deployment guide. |
--- a/docs/00-meta/PROJECT_AND_SUBMODULES_REVIEW.md
+++ b/docs/00-meta/PROJECT_AND_SUBMODULES_REVIEW.md
@@ -1,5 +1,7 @@
 # Project and Submodules — Full Review
 > Historical note (2026-03-26): this review includes superseded PMM-address references from earlier validation passes. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Last Updated:** 2026-03-05  
 **Purpose:** Single-document review of the **proxmox** workspace and all submodules (content, roles, and relationships).
@@ -134,7 +136,7 @@
 ## 7. Canonical References (Token / Contracts)
 - **Canonical tokens (138):** cUSDT, cUSDC per [docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md](../11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md) §5 and §8.
- **DODOPMMIntegration:** `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` (on-chain verified 2026-03-04).
+- **DODOPMMIntegration:** `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` (current canonical corrected stack).
 - **PMM pools:** cUSDT/cUSDC, cUSDT/USDT, cUSDC/USDC addresses in CONTRACT_ADDRESSES_REFERENCE and ADDRESS_MATRIX_AND_STATUS.
 - **Contract source of truth:** `config/smart-contracts-master.json`; overrides via `.env`.
--- a/docs/00-meta/RECOMMENDATIONS_OPERATOR_CHECKLIST.md
+++ b/docs/00-meta/RECOMMENDATIONS_OPERATOR_CHECKLIST.md
@@ -65,7 +65,7 @@
 | # | Action | When |
 |---|--------|------|
-| R21 | When The Order is deployed: NPMplus proxy host; document in RPC_ENDPOINTS_MASTER and ALL_VMIDS_ENDPOINTS; replace SANKOFA_CUTOVER_PLAN TBDs | Sankofa/The Order go-live |
+| R21 | **Done 2026-03:** NPMplus + ALL_VMIDS + RPC_ENDPOINTS_MASTER + SANKOFA_CUTOVER_PLAN v1.1 | Complete |
 | R22 | Document or configure blocks #2–#6 in NETWORK_ARCHITECTURE and NETWORK_CONFIGURATION_MASTER (or mark reserved); see NETWORK_PLACEHOLDERS_DECISION | When decided |
 ## Quick wins (R23)
--- a/docs/00-meta/REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS.md
+++ b/docs/00-meta/REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS.md
@@ -166,7 +166,7 @@ See **Part 2** and [GAPS_AND_RECOMMENDATIONS_CONSOLIDATED](../GAPS_AND_RECOMMEND
 | # | Recommendation | Action |
 |---|----------------|--------|
-| R21 | **Sankofa / The Order** | When The Order portal is deployed, add NPMplus proxy host and document in RPC_ENDPOINTS_MASTER and ALL_VMIDS_ENDPOINTS; replace SANKOFA_CUTOVER_PLAN TBDs with actual IPs/ports. |
+| R21 | **Sankofa / The Order** | **Done 2026-03:** NPMplus + docs (ALL_VMIDS, RPC_ENDPOINTS_MASTER, SANKOFA_CUTOVER_PLAN v1.1). HAProxy: `provision-order-haproxy-10210.sh`. |
 | R22 | **Network placeholders** | Document or configure blocks #2–#6 in NETWORK_ARCHITECTURE and NETWORK_CONFIGURATION_MASTER when assigned. |
 ### 2.9 Quick wins (code)
--- a/docs/00-meta/REMAINING_ITEMS_FULL_PARALLEL_LIST.md
+++ b/docs/00-meta/REMAINING_ITEMS_FULL_PARALLEL_LIST.md
@@ -172,4 +172,4 @@
 **Total remaining (actionable):** Wave 0: 3 · Wave 1: 44 · Wave 2: 8 · Wave 3: 2 · Ongoing: 5.
-**Last parallel run (2026-02-05):** Run log batch 11 — CI validation, config validation, security dry-runs (W1-1, W1-2), phase2 config, CCIP checklist, phase4 show-steps, config backup, shellcheck --optional, Wave 0 dry-run. See [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived).
+**Last parallel run (2026-02-05):** Batch 11 covered CI validation, `validate-config-files.sh`, security dry-runs, phase2 config, CCIP checklist, phase4 show-steps, config backup, shellcheck --optional, Wave 0 dry-run. **Current checks:** `./scripts/validation/validate-config-files.sh`, `./scripts/verify/run-all-validation.sh` (optional `--skip-genesis`), [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md).
--- a/docs/00-meta/REMAINING_TASKS_BREAKDOWN_MISSING_INFO.md
+++ b/docs/00-meta/REMAINING_TASKS_BREAKDOWN_MISSING_INFO.md
@@ -108,13 +108,12 @@
 ---
-## 2. Sankofa cutover (missing TBDs)
+## 2. Sankofa cutover (**documented — 2026-03**)
 | | Detail |
 |---|--------|
-| **Needed** | For each Sankofa domain: target VMID, target IP, target port, service type. |
+| **Status** | Live backends in [SANKOFA_CUTOVER_PLAN.md](../04-configuration/SANKOFA_CUTOVER_PLAN.md) v1.1, [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](../04-configuration/RPC_ENDPOINTS_MASTER.md). The Order: NPM → **10210** `192.168.11.39:80` → portal **192.168.11.51:3000**. |
-| **Missing** | **the-order.sankofa.nexus:** VMID, IP, port, service type still **TBD** in [SANKOFA_CUTOVER_PLAN.md](../04-configuration/SANKOFA_CUTOVER_PLAN.md). Other four domains have values (e.g. 7801/192.168.11.51/3000 for sankofa.nexus). |
+| **Ongoing** | If IPs/VMIDs change, run `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` and update the master docs. |
 | **Where to get** | Deploy The Order portal; assign VMID and IP; document in SANKOFA_CUTOVER_PLAN.md table; then run cutover steps (replace proxy backends in NPMplus). |
 ---
@@ -227,8 +226,8 @@
   - Run `address-all-remaining-502s.sh --run-besu-fix --e2e` from LAN.  
   - Run Blockscout verification script.
-4. **Fill TBDs**  
+4. **Sankofa / Order**  
-   - Sankofa: set the-order.sankofa.nexus target (VMID, IP, port) in SANKOFA_CUTOVER_PLAN.md.  
+   - **Done:** targets documented; refresh NPM with `update-npmplus-proxy-hosts-api.sh` after infra changes.  
   - CCIP: collect per-chain addresses (CCIP directory) and fund deployer wallets for Gnosis/Celo/Wemix.
 5. **dbis_core**  
--- a/docs/00-meta/REMAINING_WORK_BREAKDOWN_AND_ANSWERS.md
+++ b/docs/00-meta/REMAINING_WORK_BREAKDOWN_AND_ANSWERS.md
@@ -78,11 +78,11 @@
 | Question | Answer |
 |----------|--------|
-| **What is it?** | Sankofa and The Order services deployed; DNS and NPMplus point to real IPs/ports; replace TBDs in docs. |
+| **What is it?** | Sankofa zone on production backends; NPMplus and master docs aligned (incl. The Order via **10210** HAProxy). |
-| **Prerequisites** | Sankofa and The Order deployed; IPs and ports known (e.g. sankofa 192.168.11.51:3000 VMID 7801, phoenix 192.168.11.50:4000 VMID 7800 — already in docs). |
+| **Prerequisites** | LAN + `NPM_PASSWORD` for fleet updater; portal 7801 and Phoenix 7800 healthy. |
-| **Who** | Ops when services are live. |
+| **Who** | Ops for NPM refresh after any VM/IP change. |
-| **Steps to complete** | 1. Deploy Sankofa/The Order per your deployment process. 2. In [SANKOFA_CUTOVER_PLAN](../04-configuration/SANKOFA_CUTOVER_PLAN.md): replace `<TARGET_IP>`, `<TARGET_PORT>`, table TBDs with actual IPs/ports. 3. In NPMplus: ensure proxy hosts for sankofa.nexus and phoenix.sankofa.nexus point to 192.168.11.51:3000 and 192.168.11.50:4000 (not .140). 4. When The Order portal is deployed: add NPMplus proxy for the-order.sankofa.nexus; document in [RPC_ENDPOINTS_MASTER](../04-configuration/RPC_ENDPOINTS_MASTER.md) and [ALL_VMIDS_ENDPOINTS](../04-configuration/ALL_VMIDS_ENDPOINTS.md). |
+| **Steps to complete** | **Done 2026-03:** See [SANKOFA_CUTOVER_PLAN](../04-configuration/SANKOFA_CUTOVER_PLAN.md) v1.1. Maintain with `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`. Bypass Order HAProxy if needed: `THE_ORDER_UPSTREAM_IP=192.168.11.51 THE_ORDER_UPSTREAM_PORT=3000`. |
-| **Where to update when done** | [PLACEHOLDERS](PLACEHOLDERS_AND_COMPLETION_MASTER_LIST.md) §2; [GAPS](../GAPS_AND_RECOMMENDATIONS_CONSOLIDATED.md) §2.1–2.2; [REMAINING](REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS.md) R21. |
+| **Where to update when done** | [PLACEHOLDERS](PLACEHOLDERS_AND_COMPLETION_MASTER_LIST.md) §2; [GAPS](../GAPS_AND_RECOMMENDATIONS_CONSOLIDATED.md) §2.1–2.2; R21 marked **done** in [REMAINING_COMPONENTS](REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS.md). |
 ---
@@ -295,7 +295,7 @@
 | Trust official | Open PR to trustwallet/wallet-core with registry entry (coinId 10000138, chainId 138); run codegen/tests. |
 | CoinGecko/CMC | Submit chain + tokens via CoinGecko (and CMC) process; use COINGECKO_SUBMISSION_GUIDE and token docs. |
 | Consensys | Use CONSENSYS_OUTREACH_PACKAGE; contact Consensys for Swaps/Bridge support for 138. |
-| Sankofa cutover | When deployed: replace TBDs in SANKOFA_CUTOVER_PLAN; set NPMplus proxies to .51/.50; add the-order when live. |
+| Sankofa cutover | **Done:** v1.1 cutover plan + NPM; Order via .39:80 (10210). Re-run updater after changes. |
 | Blockscout verify | From LAN: `source smom-dbis-138/.env; ./scripts/verify/run-contract-verification-with-proxy.sh`. |
 | Multicall vs Oracle | Check explorer for 0x99b35...; document which contract it is in CONTRACT_ADDRESSES_REFERENCE. |
 | AlltraAdapter fee | After deploy: call `setBridgeFee(fee_wei)`; set ALLTRA_BRIDGE_FEE in .env; document in PLACEHOLDERS_AND_TBD. |
--- a/docs/00-meta/REMAINING_WORK_DETAILED_STEPS.md
+++ b/docs/00-meta/REMAINING_WORK_DETAILED_STEPS.md
@@ -38,9 +38,9 @@ These can be done from your current environment (e.g. dev machine, WSL, CI) with
 **Not doable now (need LAN, Proxmox, or creds):** W0-1, W0-2, W0-3, crontab --install, W1-1, W1-2, W1-8 (backup run), W1-19, W2-* (all deploy), W3-* (all), CT-1a, O-4 (explorer logs via SSH). Deferred/backlog (W1-3, W1-4) are “assign to backlog,” not execute now.
-**Completed (2026-02-05):** W1-11 (32 files archived to docs/archive/00-meta-status/), W1-12 (decision tree links, 04-config README, QUICK_REFERENCE_CARDS), W1-9/10/13 (NETWORK_ARCHITECTURE runbook cross-links), W1-20 (shellcheck --optional run), W1-21 (ENV_STANDARDIZATION + validate-config-files ref), W1-22–W1-24 (CoinGecko/Snap/Explorer refs in QUICK_REFERENCE_CARDS), W1-26/API keys (report + .env.example pointer), W1-14 (dbis_core: sample TS fix in cbdc-fx.service.ts; doc for prisma generate + implicit any), W1-15–W1-17 (PLACEHOLDERS canonical env note), CCIP checklist + all validation commands run.
+**Completed (2026-02-05):** W1-11 (32 files consolidated per ARCHIVE_CANDIDATES.md), W1-12 (decision tree links, 04-config README, QUICK_REFERENCE_CARDS), W1-9/10/13 (NETWORK_ARCHITECTURE runbook cross-links), W1-20 (shellcheck --optional run), W1-21 (ENV_STANDARDIZATION + validate-config-files ref), W1-22–W1-24 (CoinGecko/Snap/Explorer refs in QUICK_REFERENCE_CARDS), W1-26/API keys (report + .env.example pointer), W1-14 (dbis_core: sample TS fix in cbdc-fx.service.ts; doc for prisma generate + implicit any), W1-15–W1-17 (PLACEHOLDERS canonical env note), CCIP checklist + all validation commands run.
-**Completed (2026-02-20):** Doc consolidation continued — NEXT_STEPS_INDEX, DOCUMENTATION_CONSOLIDATION_PLAN; Batch 4+5 → 00-meta-pruned; ALL_TASKS_COMPLETE → root-status-reports; project root cleanup → archive/root-cleanup-20260220; fix-wsl-ip.sh → scripts/. Completable-from-anywhere run: config validation OK, on-chain check 45/45, run-all-validation --skip-genesis OK, reconcile-env --print. ARCHIVE_CANDIDATES "Last reviewed" set.
+**Completed (2026-02-20):** Doc consolidation continued — NEXT_STEPS_INDEX, DOCUMENTATION_CONSOLIDATION_PLAN; batches and root cleanup recorded in ARCHIVE_CANDIDATES.md; fix-wsl-ip.sh → scripts/. Completable-from-anywhere run: config validation OK, on-chain check 45/45, run-all-validation --skip-genesis OK, reconcile-env --print. ARCHIVE_CANDIDATES "Last reviewed" set.
 **Completed (plan implementation):** [COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md](COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md) added; cross-links from PHASES_AND_TASKS_MASTER, TODO_TASK_LIST_MASTER, RECOMMENDATIONS_OPERATOR_CHECKLIST, REMAINING_WORK_DETAILED_STEPS, OPTIONAL_RECOMMENDATIONS_INDEX, RUNBOOKS_MASTER_INDEX, ALL_RECOMMENDATIONS_AND_IMPROVEMENTS_LIST, OPERATOR_AND_EXTERNAL_COMPLETION_CHECKLIST, FULL_PARALLEL_EXECUTION_ORDER, NEXT_STEPS_INDEX, MASTER_INDEX. Validation: run-all-validation --skip-genesis OK; run-completable-tasks-from-anywhere.sh OK (config, on-chain 36/36, reconcile-env); phase4-sovereign-tenants.sh --show-steps and schedule-daily-weekly-cron.sh --show run.
--- a/docs/00-meta/REMAINING_WORK_DETAILED_TASKS.md
+++ b/docs/00-meta/REMAINING_WORK_DETAILED_TASKS.md
@@ -239,4 +239,4 @@ Use [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md) and r
 | Wave 3 | 2 (W3-1, W3-2) |
 | Ongoing | 5 (scheduled) |
-**References:** [FULL_PARALLEL_EXECUTION_ORDER.md](FULL_PARALLEL_EXECUTION_ORDER.md) · [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md) · [REMAINING_ITEMS_FULL_PARALLEL_LIST.md](REMAINING_ITEMS_FULL_PARALLEL_LIST.md) · [MISSING_CONTAINERS_LIST.md](../03-deployment/MISSING_CONTAINERS_LIST.md) · [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived)
+**References:** [FULL_PARALLEL_EXECUTION_ORDER.md](FULL_PARALLEL_EXECUTION_ORDER.md) · [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md) · [REMAINING_ITEMS_FULL_PARALLEL_LIST.md](REMAINING_ITEMS_FULL_PARALLEL_LIST.md) · [MISSING_CONTAINERS_LIST.md](../03-deployment/MISSING_CONTAINERS_LIST.md)
--- a/docs/00-meta/REQUIRED_FIXES_GAPS_AND_DEPLOYMENTS_LIST.md
+++ b/docs/00-meta/REQUIRED_FIXES_GAPS_AND_DEPLOYMENTS_LIST.md
@@ -1,5 +1,7 @@
 # Required Fixes, Gaps, and Additional Deployments — Master List
 > Historical note (2026-03-26): this master list contains older PMM verification snapshots. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Last Updated:** 2026-03-04  
 **Purpose:** Single consolidated list of all required fixes, gaps, and additional deployments. Sources: REQUIRED_FIXES_AND_DEPLOYMENTS_STATUS, REMAINING_SUMMARY, TOKEN_CONTRACT_DEPLOYMENTS_REMAINING, PRE_DEPLOYMENT_CHECKLIST, RECOMMENDATIONS_AND_FIXES_BEFORE_DEPLOY, DETAILED_GAPS_AND_ISSUES_LIST, GAPS_STATUS, WHATS_LEFT_OPERATOR_AND_EXTERNAL, and token-aggregation build.
@@ -20,7 +22,7 @@ Commands run from repo root on operator/LAN host. Use as baseline; re-run when e
 | Test-all-contracts script | `test -f scripts/deployment/test-all-contracts-before-deploy.sh` | **exists** |
 | Token-aggregation build | `cd smom-dbis-138/services/token-aggregation && npm run build` | **PASSES** (fixed 2026-03-03: token-mapping, bridge route, cross-chain-bridges config, indexer types). See §1.3 for historical ref. |
 | Token-aggregation /health | `curl -s -o /dev/null -w "%{http_code}" http://192.168.11.140:3001/health` (or localhost:3001) | **200** — service running and healthy at tested endpoint. |
-| DODOPMMIntegration token addresses (2026-03-04) | `eth_call` to `compliantUSDT()` / `compliantUSDC()` at `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` | **PASSED** — returns canonical cUSDT/cUSDC; Explorer, mint script, and PMM aligned. See [EXPLORER_TOKEN_LIST_CROSSCHECK](../11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md) §8. |
+| DODOPMMIntegration token addresses (2026-03-04) | `eth_call` to `compliantUSDT()` / `compliantUSDC()` at `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` | **PASSED** — returns canonical cUSDT/cUSDC; Explorer, mint script, and PMM aligned. See [EXPLORER_TOKEN_LIST_CROSSCHECK](../11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md) §8. |
 **Remaining to complete (verified 2026-03-06):** Add liquidity to PMM pools once deployer has cUSDT/cUSDC (or mint); Celo/Wemix CCIP bridges; LINK relay runbook. **Done:** E2E 502s fixed 2026-03-06; operator run + Blockscout verify run 2026-03-06. **Pending:** external (Ledger, Trust, CoinGecko/CMC, on-ramps). See §4–5 and [TODOS_CONSOLIDATED](TODOS_CONSOLIDATED.md).
--- a/docs/00-meta/SCRIPT_INVENTORY.md
+++ b/docs/00-meta/SCRIPT_INVENTORY.md
@@ -71,7 +71,7 @@ scripts/archive/
 ## Framework Usage
-All old scripts have been consolidated into unified frameworks. Reference (archived 2026-02-08): [archive/00-meta-pruned/FRAMEWORK_USAGE_GUIDE.md](../archive/00-meta-pruned/FRAMEWORK_USAGE_GUIDE.md), [FRAMEWORK_MIGRATION_GUIDES.md](../archive/00-meta-pruned/FRAMEWORK_MIGRATION_GUIDES.md), [MIGRATION_EXAMPLES.md](../archive/00-meta-pruned/MIGRATION_EXAMPLES.md).
+All old scripts have been consolidated into unified frameworks. **Canonical:** [scripts/README.md](../../scripts/README.md) (framework layout, entrypoints). Historical migration notes remain on disk under `docs/archive/00-meta-pruned/` for forensics only — do not link from runbooks.
 ---
--- a/docs/00-meta/TASK_CHECK_REPORT.md
+++ b/docs/00-meta/TASK_CHECK_REPORT.md
@@ -1,5 +1,7 @@
 # Task Check Report — Remaining Tasks Verified Before Completion
 > Historical note (2026-03-26): this report preserves an earlier PMM status snapshot. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Date:** 2026-03-02  
 **Purpose:** For each remaining task, verify current state before marking complete or executing. Use this report to decide what still needs to be run by Operator/LAN vs what is already satisfied.
@@ -23,7 +25,7 @@
 | Phase 0 (prereqs) | Satisfied | Preflight passed; .env and RPC OK |
 | Phase 1 (Chain 138 core) | Done | 59/59 contracts present |
 | Phase 2 (TransactionMirror + PMM pools) | Done | Mirror deployed; all three pools created (cUSDT/cUSDC, cUSDT/USDT, cUSDC/USDC) |
-| Phase 3 (Liquidity + DODOPMMProvider) | Partially done | DODOPMMProvider deployed at `0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0`; pools registered. **Remaining:** add liquidity (optional per doc) via `AddLiquidityPMMPoolsChain138.s.sol` or cast |
+| Phase 3 (Liquidity + DODOPMMProvider) | Partially done | DODOPMMProvider deployed at `0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`; corrected canonical stack aligned. **Remaining:** add liquidity (optional per doc) via `AddLiquidityPMMPoolsChain138.s.sol` or cast |
 | Phase 4–6 | Not run | Optional / other chains; Operator |
 **Conclusion:** Phases 0–3 (required) are done except adding liquidity. Full “completion” of Phase 0–6 requires Operator for Phase 4–6 and, if desired, adding liquidity in Phase 3.
@@ -34,7 +36,7 @@
 | Item | Status | Notes |
 |------|--------|-------|
-| DODOPMMProvider deployed | Done | `0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0`; pools registered (2026-02-28) |
+| DODOPMMProvider deployed | Done | `0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`; corrected canonical stack live (2026-03-26) |
 | Pools created | Done | 0x9fcB… (cUSDT/cUSDC), 0xa3Ee… (cUSDT/USDT), 0x90bd… (cUSDC/USDC) |
 | Add liquidity | Not run | Script: `smom-dbis-138/script/dex/AddLiquidityPMMPoolsChain138.s.sol`; runbook: [ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md](../03-deployment/ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md). Requires `ADD_LIQUIDITY_BASE_AMOUNT`, `ADD_LIQUIDITY_QUOTE_AMOUNT` in .env and deployer holding base/quote tokens |
--- a/docs/00-meta/TODO_TASK_LIST_MASTER.md
+++ b/docs/00-meta/TODO_TASK_LIST_MASTER.md
@@ -8,9 +8,9 @@
 **Execution mode: Full maximum parallel.** Run all remaining items in parallel by wave. See **[FULL_PARALLEL_EXECUTION_ORDER.md](FULL_PARALLEL_EXECUTION_ORDER.md)** for the ordered wave list (Wave 0 → Wave 1 → Wave 2 → Wave 3). Within each wave, execute every item concurrently; no artificial sequencing. Validation commands at bottom.
-**Status:** [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived) | [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md) | [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md) | [REMAINING_WORK_DETAILED_STEPS.md](REMAINING_WORK_DETAILED_STEPS.md) (step-by-step; 2026-02-05 completion) | **[REMAINING_TASKS_AND_API_FEATURES.md](REMAINING_TASKS_AND_API_FEATURES.md)** (2026-02-10: consolidated remaining tasks + API features inventory). **Single plan (required/optional/recommended):** [COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md](COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md).
+**Status:** `./scripts/validation/validate-config-files.sh` · `./scripts/verify/run-all-validation.sh` | [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md) | [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md) | [REMAINING_WORK_DETAILED_STEPS.md](REMAINING_WORK_DETAILED_STEPS.md) (step-by-step; 2026-02-05 completion) | **[REMAINING_TASKS_AND_API_FEATURES.md](REMAINING_TASKS_AND_API_FEATURES.md)** (2026-02-10: consolidated remaining tasks + API features inventory). **Single plan (required/optional/recommended):** [COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md](COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md).
-**2026-02-05:** Master documentation updated (MASTER_INDEX v5.8, docs/README, MASTER_PLAN, NEXT_STEPS_MASTER); "Can be accomplished now" list completed; 32 files archived to docs/archive/00-meta-status/.
+**2026-02-05:** Master documentation updated (MASTER_INDEX v5.8, docs/README, MASTER_PLAN, NEXT_STEPS_MASTER); "Can be accomplished now" list completed; 32 files consolidated per [ARCHIVE_CANDIDATES.md](ARCHIVE_CANDIDATES.md).
 **2026-02-23:** Placeholders/fixes sync: TODOS_CONSOLIDATED, NEXT_STEPS_AND_REMAINING_TODOS, NEXT_STEPS_FOR_YOU updated to reference REQUIRED_FIXES_UPDATES_GAPS §4 (canonical addresses, AlltraAdapter, smart accounts, quote FABRIC_CHAIN_ID, .bak — all Done or Documented). Remaining in-repo fixes complete; operator/LAN and deferred items unchanged.
@@ -68,7 +68,7 @@
 - [x] verify-udm-pro: internal failure → warn
 - [x] verify-all-systems: flexible patterns; bash --norc
 - [x] Re-run: `bash scripts/verify/run-full-verification.sh` (2026-02-03)
- [x] **validate-genesis.sh (smom-dbis-138):** Fixed 2026-02-05 — runs standalone; QBFT supported. See [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) Wave 1 fifth batch.
+- [x] **validate-genesis.sh (smom-dbis-138):** Fixed 2026-02-05 — runs standalone; QBFT supported. See [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md) (Wave 1 verification section).
 - [x] **validate-config-files.sh:** Pass (ip-addresses.conf, .env.example). Optional env warnings only.
 - [x] **E2E routing:** verify-end-to-end-routing.sh run; 25 DNS pass, 14 HTTPS pass, 6 RPC 405 until NPMplus fix from LAN.
 - [x] **502 fix flow:** When E2E 502s persist (dbis-admin, secure, dbis-api, rpc-http-prv, rpc-alltra/hybx), from LAN run `./scripts/maintenance/address-all-remaining-502s.sh` (optionally `--run-besu-fix --e2e`). Runbook: [502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md](502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md).
@@ -98,7 +98,7 @@
 | 131–134 | Orchestration portal | 4 |
 | 135–139 | Maintenance | 5 |
- [ ] **1–139** — Work through [ALL_IMPROVEMENTS_AND_GAPS_INDEX.md](../ALL_IMPROVEMENTS_AND_GAPS_INDEX.md) (parallel by cohort where no deps). Docs 68–74 index: [QUICK_REFERENCE_CARDS.md](../12-quick-reference/QUICK_REFERENCE_CARDS.md) §3.1. **CI validation:** `bash scripts/verify/run-all-validation.sh [--skip-genesis]` (dependencies + config + optional genesis). Config only: `scripts/validation/validate-config-files.sh` (set VALIDATE_REQUIRED_FILES for CI/pre-deploy). **Last full parallel run (2026-02-05):** run-all-validation, validate-config-files, security dry-runs, phase2 --config-only, CCIP checklist, phase4 --show-steps, config backup, Wave 0 --dry-run — see [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) batch 11.
+- [ ] **1–139** — Work through [ALL_IMPROVEMENTS_AND_GAPS_INDEX.md](../ALL_IMPROVEMENTS_AND_GAPS_INDEX.md) (parallel by cohort where no deps). Docs 68–74 index: [QUICK_REFERENCE_CARDS.md](../12-quick-reference/QUICK_REFERENCE_CARDS.md) §3.1. **CI validation:** `bash scripts/verify/run-all-validation.sh [--skip-genesis]` (dependencies + config + optional genesis). Config only: `scripts/validation/validate-config-files.sh` (set VALIDATE_REQUIRED_FILES for CI/pre-deploy). **Last full parallel run (2026-02-05):** run-all-validation, validate-config-files, security dry-runs, phase2 --config-only, CCIP checklist, phase4 --show-steps, config backup, Wave 0 --dry-run — summarized in [REMAINING_ITEMS_FULL_PARALLEL_LIST.md](REMAINING_ITEMS_FULL_PARALLEL_LIST.md) and [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md).
 ---
--- a/docs/00-meta/UNBLOCK_MAINNET_RPC_403.md
+++ b/docs/00-meta/UNBLOCK_MAINNET_RPC_403.md
@@ -41,4 +41,4 @@ Examples (no API key or key without private-key restriction):
 ---
-**Refs:** [OPTIONAL_DEPLOYMENTS_START_HERE](../07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md) §2C | [COMPLETION_STATUS_20260215](../archive/00-meta-pruned/COMPLETION_STATUS_20260215.md)
+**Refs:** [OPTIONAL_DEPLOYMENTS_START_HERE](../07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md) §2C | [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md)
--- a/docs/00-meta/WAVE1_COMPLETION_SUMMARY.md
+++ b/docs/00-meta/WAVE1_COMPLETION_SUMMARY.md
@@ -1,7 +1,7 @@
 # Wave 1 — Completion Summary
 **Last Updated:** 2026-02-05  
-**Purpose:** Status of every Wave 1 task from the full parallel run. Used with [FULL_PARALLEL_EXECUTION_ORDER.md](FULL_PARALLEL_EXECUTION_ORDER.md) and [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived).
+**Purpose:** Status of every Wave 1 task from the full parallel run. Used with [FULL_PARALLEL_EXECUTION_ORDER.md](FULL_PARALLEL_EXECUTION_ORDER.md) and [REMAINING_ITEMS_FULL_PARALLEL_LIST.md](REMAINING_ITEMS_FULL_PARALLEL_LIST.md) (2026-02-05 batch summary).
 **Legend:** ✅ Done (this run or prior) | ⏳ Operator (SSH/creds/LAN) | 📄 Documented (config/design exists; no code change) | ➖ Deferred
--- a/docs/00-meta/WAVE2_WAVE3_OPERATOR_CHECKLIST.md
+++ b/docs/00-meta/WAVE2_WAVE3_OPERATOR_CHECKLIST.md
@@ -60,5 +60,5 @@
 ## References
 - [FULL_PARALLEL_EXECUTION_ORDER.md](FULL_PARALLEL_EXECUTION_ORDER.md) — Full wave definitions
- [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived) — What was run and results
+- `./scripts/validation/validate-config-files.sh` · `./scripts/verify/run-all-validation.sh` — current validation; [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md) — Wave 1 outcomes
 - [OPERATIONAL_RUNBOOKS.md](../03-deployment/OPERATIONAL_RUNBOOKS.md) — Procedures and maintenance
--- a/docs/00-meta/WHATS_LEFT_OPERATOR_AND_EXTERNAL.md
+++ b/docs/00-meta/WHATS_LEFT_OPERATOR_AND_EXTERNAL.md
@@ -1,5 +1,7 @@
 # What’s Left — Operator and External Only
 > Historical note (2026-03-26): this status snapshot includes superseded PMM-address references from the earlier three-pool stack. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Last Updated:** 2026-02-27  
 **Purpose:** After completing in-repo and on-chain tasks (preflight, PMM pools, DODOPMMProvider, operator script NPMplus/backup/verify, Wemix re-check), these items require **operator (LAN/Proxmox/credentials)** or **you (third-party)**. **Short summary:** [REMAINING_SUMMARY.md](REMAINING_SUMMARY.md).
@@ -9,7 +11,7 @@
 - **Preflight:** Passed (RPC Core, dotenv, nonce consistent).
 - **PMM pools:** All three created (cUSDT/cUSDC, cUSDT/USDT, cUSDC/USDC) and addresses documented.
- **DODOPMMProvider:** Deployed at `0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0`; all three pools registered via `RegisterDODOPools.s.sol`.
+- **DODOPMMProvider:** Deployed at `0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`; corrected canonical stack aligned via desired-state sync.
 - **Operator script:** NPMplus RPC fix + backup + Blockscout verify run (see `run-all-operator-tasks-from-lan.sh`).
 - **Wemix:** Re-fetched scan.wemix.com/tokens; WWEMIX confirmed; doc updated.
 - **Docs:** PRE_DEPLOYMENT_CHECKLIST, LIQUIDITY_POOLS_MASTER_MAP updated with new pool and provider addresses.
--- a/docs/01-getting-started/CHAIN138_QUICK_START.md
+++ b/docs/01-getting-started/CHAIN138_QUICK_START.md
@@ -152,8 +152,8 @@ pct exec <VMID> -- chmod 644 /var/lib/besu/permissions/permissioned-nodes.json
 ## 📖 Full Documentation
- **Complete Guide:** [CHAIN138_BESU_CONFIGURATION.md](../06-besu/CHAIN138_BESU_CONFIGURATION.md)
+- **Complete guide:** [CHAIN138_BESU_CONFIGURATION.md](../06-besu/CHAIN138_BESU_CONFIGURATION.md)
- **Summary:** [CHAIN138_CONFIGURATION_SUMMARY.md](../archive/configuration/CHAIN138_CONFIGURATION_SUMMARY.md)
+- **Wallet / env validation:** [CHAIN138_WALLET_CONFIG_VALIDATION.md](../04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md)
 ---
--- a/docs/02-architecture/AI_AGENTS_57XX_MCP_CONTRACTS_AND_CHAINS.md
+++ b/docs/02-architecture/AI_AGENTS_57XX_MCP_CONTRACTS_AND_CHAINS.md
@@ -22,7 +22,7 @@ The MCP supports one chain at a time via `CHAIN` and `RPC_URL`. To support multi
 | Item | Status | Notes |
 |------|--------|--------|
-| **DODOPMMIntegration** | Deployed | `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` — creates and owns PMM pools |
+| **DODOPMMIntegration** | Deployed | `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` — canonical corrected integration for Chain 138 PMM pools |
 | **Pools** | Created via integration | Call `createPool` / `createCUSDTCUSDCPool` etc.; pool addresses from creation or `pools(base, quote)` |
 | **Base tokens (cUSDT, cUSDC, …)** | Deployed (core) | e.g. cUSDT `0x93E66202A11B1772E55407B32B44e5Cd8eda7f22`, cUSDC `0xf22258f57794CC8E06237084b353Ab30fFfa640b` (see [CHAIN138_TOKEN_ADDRESSES](../11-references/CHAIN138_TOKEN_ADDRESSES.md)) |
 | **Quote tokens (USDT, USDC)** | On-chain | Use addresses from Chain 138 config / token API |
--- a/docs/02-architecture/ARCHITECTURAL_INTENT.md
+++ b/docs/02-architecture/ARCHITECTURAL_INTENT.md
@@ -1,7 +1,7 @@
 # Architectural Intent — Sankofa Phoenix
-**Last Updated:** 2026-01-31  
+**Last Updated:** 2026-03-25  
-**Document Version:** 1.0  
+**Document Version:** 1.1  
 **Status:** Active Documentation
 ---
@@ -43,6 +43,8 @@ This document describes **intended architectural roles and boundaries** for Sank
 - Future: May evolve to include public UI, delegated access, or other interfaces
 - No permanent restriction on access patterns
 **Public sector baseline:** Tenancy, **service catalog vs public marketing** (NON_GOALS §9), SMOA / Complete Credential repo registry: [PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md), [../../config/public-sector-program-manifest.json](../../config/public-sector-program-manifest.json).
 ---
 ### 2. Sankofa Brand & Access Layer
@@ -177,10 +179,12 @@ These are **possible futures**, not commitments:
 ### Possible Future Evolutions
-1. **Public Marketing Split**
+1. **Sankofa / Phoenix hostname split (canonical intent)**
-   - `www.sankofa.nexus` → Public marketing
+   - `sankofa.nexus` → public **Sovereign Technologies** web
-   - `portal.sankofa.nexus` → Authenticated portal
+   - `phoenix.sankofa.nexus` → public **Phoenix Cloud Services** division web
-   - Or maintain unified model
+   - `portal.sankofa.nexus` / `admin.sankofa.nexus` → **client SSO** (Keycloak IdP at `keycloak.sankofa.nexus`)
   - `dash.sankofa.nexus` → **IP-gated** systems admin + **MFA**
   - Detail: [EXPECTED_WEB_CONTENT.md](EXPECTED_WEB_CONTENT.md)
 2. **Phoenix UI Evolution**
   - May develop delegated UI interfaces
--- a/docs/02-architecture/BRAND_RELATIONSHIP.md
+++ b/docs/02-architecture/BRAND_RELATIONSHIP.md
@@ -129,6 +129,8 @@ Backend Services:
 **Sankofa Phoenix** is a sovereign cloud platform that combines corporate identity (Sankofa) with cloud infrastructure capabilities (Phoenix), providing a complete alternative to major cloud providers while maintaining sovereign identity and independence.
 **Regulatory / tenancy baseline (public sector, catalog wording, external repos):** [PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md)
 ---
-**Last Updated:** 2026-01-20
+**Last Updated:** 2026-03-25
--- a/docs/02-architecture/COMPREHENSIVE_INFRASTRUCTURE_REVIEW.md
+++ b/docs/02-architecture/COMPREHENSIVE_INFRASTRUCTURE_REVIEW.md
@@ -205,7 +205,7 @@ This document provides a comprehensive review of:
 |------|------|----|----|---------|-------|
 | 10100 | dbis-postgres-primary | 192.168.11.100 | ✅ Running | PostgreSQL Primary | Located on ml110 (192.168.11.10) |
 | 10101 | dbis-postgres-replica-1 | 192.168.11.101 | ✅ Running | PostgreSQL Replica | Located on ml110 (192.168.11.10) |
-| 10120 | dbis-redis | 192.168.11.120 | ✅ Running | Redis Cache | Located on ml110 (192.168.11.10) |
+| 10120 | dbis-redis | 192.168.11.125 | ✅ Running | Redis Cache | r630-01 (see ALL_VMIDS_ENDPOINTS) |
 | 10130 | dbis-frontend | 192.168.11.130 | ✅ Running | Frontend Admin | Located on ml110 (192.168.11.10) |
 | 10150 | dbis-api-primary | 192.168.11.150 | ✅ Running | API Primary | Located on ml110 (192.168.11.10) |
 | 10151 | dbis-api-secondary | 192.168.11.151 | ✅ Running | API Secondary | Located on ml110 (192.168.11.10) |
--- a/docs/02-architecture/DOMAIN_STRUCTURE.md
+++ b/docs/02-architecture/DOMAIN_STRUCTURE.md
@@ -70,7 +70,7 @@ This document defines the domain structure for the infrastructure, clarifying wh
 **Related Documentation:**
 - [Cloudflare Tunnel Setup](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_CONFIGURATION_GUIDE.md)
 - [RPC Configuration](/docs/04-configuration/RPC_DNS_CONFIGURATION.md)
- [Blockscout Setup](../archive/completion/BLOCKSCOUT_COMPLETE_SUMMARY.md)
+- [EXPLORER_LINKS_AND_ISSUES_DIAGNOSTIC.md](../04-configuration/EXPLORER_LINKS_AND_ISSUES_DIAGNOSTIC.md) · [EXPLORER_FRONTEND_404_FIX_RUNBOOK.md](../03-deployment/EXPLORER_FRONTEND_404_FIX_RUNBOOK.md)
 ---
--- a/docs/02-architecture/EXPECTED_WEB_CONTENT.md
+++ b/docs/02-architecture/EXPECTED_WEB_CONTENT.md
@@ -1,7 +1,7 @@
 # Web Properties — Ground Truth & Validation
-**Last Updated:** 2026-01-31  
+**Last Updated:** 2026-03-27  
-**Document Version:** 1.0  
+**Document Version:** 1.2  
 **Status:** Active Documentation
 ---
@@ -10,78 +10,107 @@ _Last reviewed: authoritative alignment checkpoint_
 This document reconciles **expected intent**, **current deployment state**, and **functional role** for each public-facing or semi-public web property.
 **Quick matrix (every FQDN: web vs API vs RPC, and what clients should see):** [FQDN_EXPECTED_CONTENT.md](../04-configuration/FQDN_EXPECTED_CONTENT.md).
 ---
-## 1. phoenix.sankofa.nexus
+## Sankofa.nexus and Phoenix — hostname model (canonical)
 **Service Name:** Phoenix API / Cloud Platform Portal  
 **Role:** Cloud Service Provider (CSP) for Sankofa  
 **Comparable To:** AWS Console, Azure Portal, GCP Console
-### Intended Function
+| Hostname | Tier | Access | Expected content |
- Sovereign-grade cloud infrastructure control plane
+|----------|------|--------|------------------|
- Multi-tenant resource provisioning
+| `sankofa.nexus` | **Public web** | Unauthenticated visitors | **Sankofa — Sovereign Technologies:** corporate / brand public site (marketing, narrative, entry points). |
- Service orchestration and lifecycle management
+| `phoenix.sankofa.nexus` | **Public web** | Unauthenticated visitors (for public pages) | **Phoenix Cloud Services** (a division of Sankofa): public-facing web for the cloud services division. |
 | `keycloak.sankofa.nexus` | **SSO infrastructure** (IdP) | Browser hits login + token flows; operators use admin | **Keycloak:** OIDC/SAML identity provider behind client SSO. Serves realm login UI, well-known and token endpoints, and **admin console** at `/admin`. **Consumes:** `admin.sankofa.nexus` and `portal.sankofa.nexus` (and other registered clients) redirect here for authentication; it does **not** replace those hostnames. |
 | `admin.sankofa.nexus` | **Client SSO** | SSO (system-mediated) | **Client administration of access:** who can access what (invites, roles, org settings, access policy). |
 | `portal.sankofa.nexus` | **Client SSO** | SSO | **Client workspace:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services behind one SSO boundary. |
 | `dash.sankofa.nexus` | **Operator / systems** | **IP allowlisting** + **system authentication** + **MFA** | **Internal systems dashboard:** administration across Sankofa, Phoenix, Gitea, and additional platform systems—not the same trust boundary as client `admin` / `portal`. |
-### Expected Capabilities
+**Placement of Keycloak:** Treat `keycloak.sankofa.nexus` as the **shared IdP** for the **SSO-gated client tier** (`admin`, `portal`). Users often see Keycloak only during login redirects. **`dash.sankofa.nexus`** is a separate, stricter surface (network + MFA); it may integrate with Keycloak or other system identity depending on implementation, but the **documented intent** is IP-gated operator admin, not “client self-service SSO” like `portal`.
 - GraphQL API endpoint: `/graphql`
 - WebSocket endpoint: `/graphql-ws`
 - Health check endpoint: `/health`
 - Cloud resource management (compute, network, storage)
 - Tenant, IAM, and billing controls
 - Internal service catalog / marketplace
-### Current Deployment
+---
- **Status:** ✅ Deployed and active
+
- **VMID:** 7800
+## 1. sankofa.nexus (public — Sovereign Technologies)
- **Address:** 192.168.11.50:4000
+
- **Access Model:** API-first (not a marketing site)
+**Role:** Public corporate web for **Sankofa — Sovereign Technologies.**  
 **Comparable to:** Company apex domain (e.g. microsoft.com).
 ### Expected content
 - Brand, mission, Sovereign Technologies positioning  
 - Philosophy narrative (**Remember → Retrieve → Restore → Rise**)  
 - Paths into Phoenix and commercial / program entry points (links may target `phoenix.sankofa.nexus`, `portal.sankofa.nexus`, etc.)
 ### Current deployment (typical)
 - **VMID:** 7801 · **Port:** 3000 (Next.js) — see [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md)
 ### Notes
- This is **not** a public brochure site  
+- **Unauthenticated public web** is the **intent** for this hostname; authenticated client work belongs on **`portal.sankofa.nexus`**.
 - UI is assumed to be console-style or API-driven  
 - Sovereign / operator-facing only
 ---
-## 2. sankofa.nexus
+## 2. phoenix.sankofa.nexus (public — Phoenix Cloud Services)
 **Service Name:** Sankofa Portal  
 **Role:** Corporate & Product Website  
 **Comparable To:** Microsoft.com, Google.com, Amazon.com
-### Intended Function
+**Role:** Public-facing web for **Phoenix Cloud Services**, a division of Sankofa.  
- Public-facing corporate presence
+**Comparable to:** Public cloud division landing (e.g. azure.microsoft.com style), not the raw JSON-RPC layer.
 - Brand narrative and philosophy
 - Product overview and entry point to Phoenix
-### Expected Content
+### Expected content
- Company overview and mission
+- Division branding, service overview, how Phoenix fits under Sankofa  
- Sankofa brand philosophy:
+- Clear separation from corporate apex (`sankofa.nexus`)
  **"Remember → Retrieve → Restore → Rise"**
 - Phoenix product introduction
 - Navigation to services
 - Contact and inquiry paths
-### Current Deployment
+### Technical note (same origin today)
- **Status:** ✅ Deployed
+- **VMID 7800** historically exposes **API-first** surfaces (`/health`, `/graphql`, `/graphql-ws`). Public **marketing or division web** may be served from the same stack or split later; this document states **product intent** for the hostname. Prefer not to present the apex `sankofa.nexus` portal app as if it were “Phoenix public web.”
 - **VMID:** 7801
 - **Address:** 192.168.11.51:3000
 - **Technology:** Next.js
 ### Observed Behavior
 - Portal currently presents a **login-gated interface**
 - Authentication handled via **Keycloak**
 - Dashboard requires credentials
 ### Alignment Note
 - ⚠️ **Decision point:**
  - Either split into:
    - `www.sankofa.nexus` (public marketing)
    - `portal.sankofa.nexus` (authenticated)
  - Or intentionally maintain a gated-first model
 ---
-## 3. explorer.d-bis.org
+## 3. keycloak.sankofa.nexus (SSO — identity provider)
 **Role:** **OIDC/SAML IdP** for the Sankofa / Phoenix client ecosystem.  
 **VMID:** 7802 (typical)
 ### Expected content / behavior
 - End-user **login** (realm themes), **logout**, **token** and **well-known** endpoints  
 - **Admin console** at `/admin` for realm and client configuration (operator-controlled)
 ### Relationship
 - **`admin.sankofa.nexus`** and **`portal.sankofa.nexus`** are the **client-facing apps**; Keycloak is where **authentication** completes for those SSO flows.
 ---
 ## 4. admin.sankofa.nexus (client SSO — access administration)
 **Role:** **SSO-authenticated** surface for **clients** to **administer access** (users, groups, delegations, tenant access policy as productized).
 ### Expected content
 - IAM-style administration for client orgs (not raw Keycloak admin—that remains on Keycloak’s `/admin` for platform operators).
 ---
 ## 5. portal.sankofa.nexus (client SSO — services and marketplace)
 **Role:** **SSO-authenticated** **client portal** for day-to-day use of subscribed services.
 ### Expected content
 - **Phoenix cloud** service entry and consoles (as entitled)  
 - **Sankofa Marketplace** subscriptions and management  
 - Other **client-facing** services behind the same SSO boundary
 **Public URL policy (env):** NextAuth / OIDC public URL may be set to `https://portal.sankofa.nexus` (see `scripts/deployment/sync-sankofa-portal-7801.sh`).
 ---
 ## 6. dash.sankofa.nexus (IP-gated — system admin + MFA)
 **Role:** **Operator and systems administration** across Sankofa, Phoenix, Gitea, and related infrastructure.
 ### Access model
 - **IP address gating** (allowlisted networks / VPN / office)  
 - **System authentication** + **MFA** (stricter than public internet client SSO)
 ### Expected content
 - Unified or linked **admin** views for platform systems—not a substitute for `portal.sankofa.nexus` client self-service.
 ---
 ## 7. explorer.d-bis.org
 **Service Name:** SolaceScanScout  
 **Role:** Block Explorer for ChainID 138  
 **Technology:** Blockscout-based  
@@ -112,7 +141,7 @@ This document reconciles **expected intent**, **current deployment state**, and
 ---
-## 4. blockscout.defi-oracle.io
+## 8. blockscout.defi-oracle.io
 **Service Name:** Blockscout Explorer (Generic)  
 **Role:** Independent / Reference Blockscout Instance
@@ -133,20 +162,26 @@ This document reconciles **expected intent**, **current deployment state**, and
 ## Canonical Alignment Summary
-| Domain | Purpose | Public | Auth Required | Canonical |
+| Domain | Purpose | Public web | Auth model | Canonical |
-|--------|---------|--------|---------------|-----------|
+|--------|---------|------------|------------|-------------|
-| sankofa.nexus | Corporate / Brand | Yes | Partial | ✅ |
+| sankofa.nexus | Sovereign Technologies (corporate) | Yes (intended) | None for public pages | ✅ |
-| phoenix.sankofa.nexus | Cloud Control Plane | No | Yes | ✅ |
+| phoenix.sankofa.nexus | Phoenix Cloud Services (division) | Yes (intended) | None for public pages | ✅ |
 | keycloak.sankofa.nexus | IdP for client SSO | Login UI only | IdP + admin | ✅ |
 | admin.sankofa.nexus | Client access administration | No | SSO | ✅ |
 | portal.sankofa.nexus | Client services + marketplace | No | SSO | ✅ |
 | dash.sankofa.nexus | Systems / operator admin | No | IP + system auth + MFA | ✅ |
 | explorer.d-bis.org | ChainID 138 Explorer | Yes | No | ✅ |
 | blockscout.defi-oracle.io | Generic Explorer | Yes | No | ❌ |
 ---
 ## Confirmed Architectural Intent
- **Phoenix** = infrastructure + API + control plane  
+- **sankofa.nexus** = public brand for **Sankofa — Sovereign Technologies**  
- **Sankofa** = sovereign-facing brand & access layer  
+- **phoenix.sankofa.nexus** = public web for **Phoenix Cloud Services** (division of Sankofa); API surfaces may share deployment  
 - **portal / admin** = **client SSO** tier; **Keycloak** = shared IdP  
 - **dash** = **IP-gated** operator systems admin with **MFA**  
 - **DBIS Explorer** = public transparency + settlement inspection  
- **No accidental overlap** between marketing, control, and transparency layers
+- **No accidental overlap** between public marketing, client SSO, operator dash, and explorer transparency
 ---
@@ -154,33 +189,17 @@ This document reconciles **expected intent**, **current deployment state**, and
 **Critical:** These decisions remain **explicitly unresolved**. Do not collapse them prematurely.
-### 1. Public vs Gated Split for `sankofa.nexus`
+### 1. Phoenix UI vs API on `phoenix.sankofa.nexus`
-**Status:** Open decision point
+**Status:** Implementation may still be API-first on VMID 7800 while **hostname intent** is public division web; reconcile with a dedicated static/marketing upstream or path split if needed.
 **Options:**
 - Option A: Split into public marketing site and authenticated portal
 - Option B: Maintain gated-first model with selective public content
 - Option C: Evolve to unified model with public sections
 **Authority:** Governance decision, not implementation drift
 **Note:** Auth is a policy boundary, not a permanent architectural constraint.
 ---
-### 2. Phoenix UI Exposure
+### 2. Rich console UI for Phoenix (beyond public division web)
 **Status:** Open decision point
-**Question:** Whether Phoenix ever exposes a human UI beyond operators
+**Question:** Whether authenticated **Phoenix product consoles** live primarily on **`portal.sankofa.nexus`** (SSO) vs additional surfaces.
-**Current State:** API-first, operator-facing
+**Flexibility:** Public division web on `phoenix.sankofa.nexus` does not preclude deep consoles behind **`portal`** SSO.
 **Flexibility:**
 - API-first does not preclude future UI
 - Console-based access patterns are possible
 - Delegated interfaces are not precluded
 **Note:** Intent document states: "This does not preclude future public or delegated interfaces."
 ---
@@ -202,7 +221,8 @@ This document reconciles **expected intent**, **current deployment state**, and
 These are **possible futures**, not commitments:
- Public marketing split (`www` vs `portal`)
+- NPM `www.*` → apex **301** policy vs additional marketing hostnames
 - `admin` / `portal` / `dash` upstream targets on NPM (when split from legacy single-host deployments)
 - Delegated Phoenix UI development
 - Explorer rebrand or federation
 - Additional service surfaces
@@ -221,24 +241,22 @@ Internet
   ↓
 NPMplus (Reverse Proxy + SSL)
   ↓
-   ├─→ sankofa.nexus → Sankofa Portal
+   ├─→ sankofa.nexus              → Public web: Sankofa — Sovereign Technologies
-   │                     └─→ Corporate Brand / Product Website
+   ├─→ phoenix.sankofa.nexus      → Public web: Phoenix Cloud Services (division)
   │                     └─→ ⚠️ Currently: Login-gated
   │
-   ├─→ phoenix.sankofa.nexus → Phoenix API
+   ├─→ admin.sankofa.nexus        → Client SSO: administer access
-   │                            └─→ Cloud Control Plane (API-first)
+   ├─→ portal.sankofa.nexus       → Client SSO: Phoenix cloud + marketplace + client services
-   │                            └─→ Operator-facing only
+   │        └─ (redirects) ──→ keycloak.sankofa.nexus  (OIDC/SAML IdP, VMID 7802)
   │
-   ├─→ explorer.d-bis.org → SolaceScanScout
+   ├─→ dash.sankofa.nexus         → IP allowlist + system auth + MFA: operator systems admin
-   │                         └─→ Public Block Explorer (ChainID 138)
+   │        (Sankofa, Phoenix, Gitea, …)
   │                         └─→ No auth required
   │
-   └─→ blockscout.defi-oracle.io → Generic Blockscout
+   ├─→ explorer.d-bis.org         → SolaceScanScout (ChainID 138, no login for browse)
-                                    └─→ Reference instance (not canonical)
+   └─→ blockscout.defi-oracle.io  → Generic Blockscout (not canonical 138 explorer)
-   
+
-Backend Services:
+Backend (typical):
-   ├─→ Keycloak (Authentication) - VMID 7802
+   ├─→ Keycloak VMID 7802, PostgreSQL VMID 7803
-   └─→ PostgreSQL (Database) - VMID 7803
+   └─→ Phoenix API VMID 7800, Sankofa web VMID 7801 (until admin/portal/dash are split to own upstreams)
 ```
 ---
@@ -247,10 +265,14 @@ Backend Services:
 ### Active Services
-| Service | Domain | VMID | IP | Port | Status | Public Access |
+| Service | Domain | VMID | IP | Port | Status | Access model |
-|---------|--------|------|-----|------|--------|---------------|
+|---------|--------|------|-----|------|--------|----------------|
-| **Phoenix API** | phoenix.sankofa.nexus | 7800 | 192.168.11.50 | 4000 | ✅ Active | Authenticated |
+| **Phoenix** (API today; division hostname) | phoenix.sankofa.nexus | 7800 | 192.168.11.50 | 4000 | ✅ Active | Public web **intent**; API paths coexist |
-| **Sankofa Portal** | sankofa.nexus | 7801 | 192.168.11.51 | 3000 | ✅ Active | Partially Public |
+| **Sankofa public web** | sankofa.nexus | 7801 | 192.168.11.51 | 3000 | ✅ Active | Public **intent** (see hostname model) |
 | **Keycloak IdP** | keycloak.sankofa.nexus | 7802 | (see ALL_VMIDS) | 8080 | ✅ Active | IdP + `/admin` |
 | **Client admin (SSO)** | admin.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | SSO |
 | **Client portal (SSO)** | portal.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | SSO |
 | **Operator dash** | dash.sankofa.nexus | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | Target hostname | IP + MFA |
 | **SolaceScanScout** | explorer.d-bis.org | 5000 | 192.168.11.140 | 80/4000 | ✅ Active | Public |
 | **Blockscout** | blockscout.defi-oracle.io | ⚠️ TBD | ⚠️ TBD | ⚠️ TBD | ⚠️ Separate | Public |
@@ -262,12 +284,13 @@ Backend Services:
 **Phoenix** = Cloud Platform/Product (like Azure, GCP, AWS)  
 **Sankofa Phoenix** = Complete Product (like Microsoft Azure, Google Cloud Platform, Amazon Web Services)
- **sankofa.nexus** = Company website (like Microsoft.com)
+- **sankofa.nexus** = Public company site — **Sankofa — Sovereign Technologies**
- **phoenix.sankofa.nexus** = Cloud platform portal (like Azure Portal)
+- **phoenix.sankofa.nexus** = Public division site — **Phoenix Cloud Services**
 - **portal.sankofa.nexus** / **admin.sankofa.nexus** = **Client SSO** apps (Keycloak as IdP)
 - **dash.sankofa.nexus** = **IP-gated** operator systems admin (**MFA**)
 - **explorer.d-bis.org** = Blockchain explorer (like Etherscan)
 - **blockscout.defi-oracle.io** = Generic explorer instance
 ---
 **Last Updated:** 2026-01-20  
 **Review Status:** Authoritative alignment checkpoint
--- a/docs/02-architecture/NON_GOALS.md
+++ b/docs/02-architecture/NON_GOALS.md
@@ -1,7 +1,7 @@
 # Non-Goals — Sankofa Phoenix
-**Last Updated:** 2026-01-31  
+**Last Updated:** 2026-03-25  
-**Document Version:** 1.0  
+**Document Version:** 1.1  
 **Status:** Active Documentation
 ---
@@ -174,6 +174,21 @@ This document explicitly states **what Sankofa Phoenix is NOT intended to be**,
 ---
 ### 9. Phoenix IS Allowed an Internal Service Catalog (Not a Public Marketing Site)
 **Clarification (2026-03-25):** Non-goal **§1** means Phoenix is **not** a **public brochure** or **anonymous consumer storefront**. It does **not** exclude:
 - An **authenticated internal service catalog** (sometimes called “marketplace” in product language)
 - **Entitlement management** and **provisioning APIs** for **public sector tenants**
 **Wording discipline:** Prefer **service catalog** + **entitlements** in external/regulatory packs until **procurement-backed billing** exists. See [PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md).
 **Why This Matters:**
 - Reconciles [EXPECTED_WEB_CONTENT.md](EXPECTED_WEB_CONTENT.md) (“internal service catalog / marketplace”) with **§1** without turning Phoenix into a public marketing site.
 ---
 ### 8. We Are NOT Encoding Technology Choices in Names
 **What We Use:**
@@ -219,6 +234,7 @@ This document does **not** mean:
 - `ARCHITECTURAL_INTENT.md` — What we intend to build
 - `EXPECTED_WEB_CONTENT.md` — What each service should provide
 - `BRAND_RELATIONSHIP.md` — Brand/product structure
 - `PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md` — Tenancy, catalog vs marketing, repo boundaries
 **Together They:**
 - Define intent without constraining implementation
@@ -240,5 +256,5 @@ This document does **not** mean:
 ---
-**Last Updated:** 2026-01-20  
+**Last Updated:** 2026-03-25  
 **Status:** Explicit Non-Goals (Preserves Optionality)
--- a/docs/02-architecture/PROXMOX_COMPREHENSIVE_REVIEW.md
+++ b/docs/02-architecture/PROXMOX_COMPREHENSIVE_REVIEW.md
@@ -63,7 +63,7 @@ ssh root@192.168.11.12 "hostname"  # Returns: r630-02 ✅
 | 192.168.11.100-104 | 5 | Besu Validators |
 | 192.168.11.105-106 | 2 | DBIS PostgreSQL |
 | 192.168.11.112 | 1 | Fabric |
-| 192.168.11.120 | 1 | DBIS Redis |
+| 192.168.11.125 | 1 | DBIS Redis (VMID 10120) |
 | 192.168.11.130 | 1 | DBIS Frontend |
 | 192.168.11.150-154 | 5 | Besu Sentries |
 | 192.168.11.155-156 | 2 | DBIS API |
--- a/docs/02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md
+++ b/docs/02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md
@@ -0,0 +1,95 @@
 # Public sector tenancy, service catalog, and deployment baseline
 **Last Updated:** 2026-03-25  
 **Status:** Canonical baseline (reconciles assurance, Phoenix intent, and repo boundaries)  
 **Related:** [NON_GOALS.md](NON_GOALS.md), [EXPECTED_WEB_CONTENT.md](EXPECTED_WEB_CONTENT.md), [SERVICE_DESCRIPTIONS.md](SERVICE_DESCRIPTIONS.md), [BRAND_RELATIONSHIP.md](BRAND_RELATIONSHIP.md), [../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md](../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md), [config/public-sector-program-manifest.json](../../config/public-sector-program-manifest.json)
 ---
 ## Purpose
 This document **closes documented gaps** between:
 - **Assurance claims** (e.g. SMOA eIDAS evidence: partial / QTSP pending — see SMOA repo `docs/compliance/evidence/eidas-compliance-evidence.md`)
 - **Platform intent** (Phoenix as CSP-style control plane with tenant/IAM/catalog expectations)
 - **Repository reality** (Complete Credential / eIDAS connector code lives **outside** this `proxmox` tree)
 It does **not** replace legal advice, DPIAs, or national eID supervision requirements.
 ---
 ## Official-style descriptors (use in contracts and external comms)
 | Avoid (ambiguous) | Prefer |
 |-------------------|--------|
 | Government client | **Public sector organization**, **procuring entity** (procurement context), **data controller** (GDPR context) |
 | Subdivision | **Organizational unit**, **child public body**, **agency** (if legally distinct) |
 | Phoenix portal (colloquial) | **Phoenix control plane** / **Phoenix API** (API-first); **Sankofa Portal** for brand site (`sankofa.nexus`) |
 | Marketplace (product) | **Service catalog** + **entitlement management** until procurement-backed billing is implemented; use **marketplace** only if contractually defined |
 | Wallet (in gov packs) | **Credential holder application**, **authenticator**, **SMOA client** — do not mix with **self-custody cryptocurrency wallet** language from Chain 138 / DeFi docs |
 ---
 ## Deployment profiles (flexibility bridge)
 | Profile | Use when | Isolation |
 |---------|----------|-----------|
 | **A — Shared platform** | Pilot, single legal controller, non-qualified flows | Multi-tenant logical separation; **per-tenant** keys and metadata |
 | **B — Dedicated stack** | Jurisdiction rule, qualified-trust boundary, or security classification | Separate LXC/VM (or cluster) per **controller** or **Member State** deployment |
 | **C — Hybrid** | Shared orchestration (Phoenix), isolated crypto/PII | Phoenix + shared IdP; **connector + HSM/DB** isolated per tenant |
 **Promotion path:** tenant IDs and APIs should allow moving **A → B** without rewriting mobile or portal clients.
 ---
 ## Illustrative reference topology (time-scoped)
 _Label: **Illustrative — as of 2026-Q1**. Per [NON_GOALS.md](NON_GOALS.md) §4, this is not an immutable enterprise diagram; update when VMIDs/FQDNs change._
 ```
                    [ Internet / VPN ]
                            |
                     NPMplus / Edge
                            |
        +-------------------+-------------------+
        |                   |                   |
  sankofa.nexus      phoenix.sankofa.nexus   api.smoa… (example)
  (Portal 7801)      (Phoenix API 7800)      (SMOA edge LXC — see SMOA repo)
        |                   |                   |
   Keycloak 7802       GraphQL / health         SMOA API / DB (LXC)
        |
   PostgreSQL 7803
        |
  [Optional: Complete Credential / eIDAS connector — dedicated LXC; not on Phoenix VMIDs]
 ```
 **SMOA** Proxmox LXC layout (edge, API, DB, optional TURN/signal): see **SMOA** repository `backend/docs/LXC-PROXMOX-CONTAINERS.md` (not duplicated here).
 **Complete Credential / eIDAS connector:** register in [public-sector-program-manifest.json](../../config/public-sector-program-manifest.json) and deploy per [COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md](../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md).
 ---
 ## Regulatory-aligned defaults (summary)
 1. **Credential / connector deployment:** isolate by **legal controller** and **jurisdiction** for qualified or sensitive PII; use **Profile B** when in doubt.
 2. **Service catalog:** **entitlements** tied to **contracts / purchase orders** before automated public payment rails; same **SKU** model can later attach **e-invoicing / payment**.
 3. **SMOA APK:** prefer **MDM / managed distribution** for production public-sector devices; public download only for **pilot / low classification** with explicit scope.
 ---
 ## Known technical gaps (tracked)
 | ID | Gap | Mitigation owner |
 |----|-----|------------------|
 | G1 | SMOA eIDAS: QTSP, EU trust lists, qualified timestamping — **partial** in evidence doc | SMOA + legal + QTSP partnership |
 | G2 | Phoenix: **billing** in EXPECTED_WEB_CONTENT is **roadmap**, not implemented | Phoenix product + procurement counsel |
 | G3 | **proxmox** repo does not contain Complete Credential source | Use manifest + sibling clone; deploy via runbook |
 | G4 | Terminology: **wallet** in DeFi docs vs **credential app** in gov context | Use this doc + review gov-facing PDFs |
 | G5 | Single **sovereign reference diagram** in one place | This file + SERVICE_DESCRIPTIONS VM table; refresh quarterly |
 ---
 ## Review cadence
 - **Quarterly** or when VMID/DNS/procurement model changes: update manifest FQDN hints and this diagram note.
 - **After** QTSP or national eID milestone: update G1 and external-facing assurance statements.
--- a/docs/02-architecture/SERVICE_DESCRIPTIONS.md
+++ b/docs/02-architecture/SERVICE_DESCRIPTIONS.md
@@ -1,6 +1,6 @@
 # Sankofa Services - Service Descriptions
-**Last Updated:** 2026-01-31
+**Last Updated:** 2026-03-25
 **Status:** Active Documentation
 ---
@@ -53,6 +53,8 @@ This document describes the purpose and function of each service in the Sankofa
  - GraphQL WebSocket: `/graphql-ws`
  - Health: `/health`
 **Cross-reference:** Public-sector tenancy, **service catalog vs marketing** boundaries, and **SMOA / Complete Credential** repo pointers: [PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md), [../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md](../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md), [../../config/public-sector-program-manifest.json](../../config/public-sector-program-manifest.json).
 ---
 ### 3. SolaceScanScout (Explorer)
--- a/docs/03-deployment/ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md
+++ b/docs/03-deployment/ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md
@@ -1,5 +1,7 @@
 # Add Liquidity to PMM Pools (Chain 138) — Runbook
 > Historical note (2026-03-26): this runbook originated during the earlier three-pool PMM phase. Current canonical Chain 138 PMM addresses are `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Purpose:** Add base/quote liquidity to the three DODO PMM pools on Chain 138 (cUSDT/cUSDC, cUSDT/USDT, cUSDC/USDC).
 **Prerequisites:**
@@ -36,9 +38,9 @@ Add or set in `smom-dbis-138/.env`:
 ```bash
 # Pool addresses (from PRE_DEPLOYMENT_CHECKLIST / create-all-pmm-pools-chain138.sh)
-POOL_CUSDTCUSDC=0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8
+POOL_CUSDTCUSDC=0xff8d3b8fDF7B112759F076B69f4271D4209C0849
-POOL_CUSDTUSDT=0xa3Ee6091696B28e5497b6F491fA1e99047250c59
+POOL_CUSDTUSDT=0x6fc60DEDc92a2047062294488539992710b99D71
-POOL_CUSDCUSDC=0x90bd9Bf18Daa26Af3e814ea224032d015db58Ea5
+POOL_CUSDCUSDC=0x9f74Be42725f2Aa072a9E0CdCce0E7203C510263
 # Amounts in base units (6 decimals): 1M tokens = 1000000000000
 ADD_LIQUIDITY_BASE_AMOUNT=1000000000000
--- a/docs/03-deployment/CHAIN138_AUTOMATION_SCRIPTS.md
+++ b/docs/03-deployment/CHAIN138_AUTOMATION_SCRIPTS.md
@@ -218,10 +218,10 @@ If configuration files are missing:
 ## Related Documentation
- [Next Steps](../archive/historical/CHAIN138_NEXT_STEPS.md)
+- [DEPLOYMENT_ORDER_OF_OPERATIONS.md](DEPLOYMENT_ORDER_OF_OPERATIONS.md)
 - [Missing Containers List](MISSING_CONTAINERS_LIST.md)
 - [JWT Authentication Requirements](../04-configuration/CHAIN138_JWT_AUTH_REQUIREMENTS.md)
- [Complete Implementation](../archive/completion/CHAIN138_COMPLETE_IMPLEMENTATION.md)
+- [CHAIN138_BESU_CONFIGURATION.md](../06-besu/CHAIN138_BESU_CONFIGURATION.md) · [CONTRACT_NEXT_STEPS_LIST.md](../11-references/CONTRACT_NEXT_STEPS_LIST.md)
 ---
--- a/docs/03-deployment/CHAIN138_OFFICIAL_STABLE_BLOCKER_REMOVAL_PATH.md
+++ b/docs/03-deployment/CHAIN138_OFFICIAL_STABLE_BLOCKER_REMOVAL_PATH.md
@@ -0,0 +1,152 @@
 # Chain 138 Official Stable Blocker Removal Path
 **Purpose:** Remove the last local PMM blocker on Chain 138 by replacing stale placeholder addresses with live quote-side ERC-20 contracts and then redeploying the integration against them.
 ---
 ## 1. The blocker, stated plainly
 The current local PMM path for:
 - `cUSDT / USDT`
 - `cUSDC / USDC`
 is blocked because the integration is wired to addresses that are **not live ERC-20 contracts on Chain 138**.
 That means:
 - the pools may exist in metadata
 - the integration can still report those addresses
 - but liquidity add and swap flows will fail locally because the quote-side token has no bytecode
 ---
 ## 2. What is real in the repo today
 ### Live on Chain 138
 - `cUSDT`
 - `cUSDC`
 - `cXAUC`
 - `cXAUT`
 - `DODOPMMIntegration`
 - live funded `cUSDT / cUSDC`
 - live funded XAU-side pools
 ### Not present as live local ERC-20s
 - a real local `USDT` contract for Chain 138 official-pair PMM use
 - a real local `USDC` contract for Chain 138 official-pair PMM use
 ### Not valid for this PMM blocker
 - `MainnetTether.sol`
  - this is a state anchor, not an ERC-20 token
 - `StablecoinReserveVault.sol`
  - this is for mainnet reserve custody/redemption, not a local Chain 138 quote token
 ---
 ## 3. Exact contract/deploy path
 ### Step 1. Deploy local Chain 138 quote-side mirrors
 Deploy these contracts:
 - [OfficialStableMirrorToken.sol](/home/intlc/projects/proxmox/smom-dbis-138/contracts/tokens/OfficialStableMirrorToken.sol)
 - [DeployOfficialUSDT138.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/DeployOfficialUSDT138.s.sol)
 - [DeployOfficialUSDC138.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/DeployOfficialUSDC138.s.sol)
 These tokens are:
 - lightweight ERC-20s
 - 6 decimals
 - owner-mintable
 - meant only to provide live local quote-side assets for Chain 138 PMM pools
 They are intentionally separate from the compliant token layer.
 ### Step 2. Persist live addresses
 Write these into `smom-dbis-138/.env`:
 ```bash
 OFFICIAL_USDT_ADDRESS=0x...
 OFFICIAL_USDC_ADDRESS=0x...
 ```
 ### Step 3. Redeploy PMM integration against the live local quote assets
 Use:
 - [DeployDODOPMMIntegration.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/DeployDODOPMMIntegration.s.sol)
 Important: this deploy script no longer falls back to stale hardcoded Chain 138 addresses. The operator must supply real addresses explicitly through env.
 ### Step 4. Create the stable pools on the new integration
 Use:
 - [CreateCUSDTUSDTPool.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/CreateCUSDTUSDTPool.s.sol)
 - [CreateCUSDCUSDCPool.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/CreateCUSDCUSDCPool.s.sol)
 - [CreateCUSDTCUSDCPool.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/CreateCUSDTCUSDCPool.s.sol)
 ### Step 5. Fund in this order
 1. `cUSDT / cUSDC`
 2. `cUSDT / USDT`
 3. `cUSDC / USDC`
 Use:
 - [AddLiquidityPMMPoolsChain138.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/AddLiquidityPMMPoolsChain138.s.sol)
 ---
 ## 4. Verification gates
 Before PMM redeploy:
 ```bash
 cast code "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138"
 cast code "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138"
 cast call "$OFFICIAL_USDT_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138"
 cast call "$OFFICIAL_USDC_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138"
 ```
 After PMM redeploy:
 ```bash
 cast call "$DODO_PMM_INTEGRATION_ADDRESS" "officialUSDT()(address)" --rpc-url "$RPC_URL_138"
 cast call "$DODO_PMM_INTEGRATION_ADDRESS" "officialUSDC()(address)" --rpc-url "$RPC_URL_138"
 ```
 After pool creation:
 ```bash
 cast call "$DODO_PMM_INTEGRATION_ADDRESS" "pools(address,address)(address)" \
  "$COMPLIANT_USDT_ADDRESS" "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138"
 cast call "$DODO_PMM_INTEGRATION_ADDRESS" "pools(address,address)(address)" \
  "$COMPLIANT_USDC_ADDRESS" "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138"
 ```
 After funding:
 ```bash
 cast call "$OFFICIAL_USDT_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDTUSDT" --rpc-url "$RPC_URL_138"
 cast call "$OFFICIAL_USDC_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDCUSDC" --rpc-url "$RPC_URL_138"
 ```
 ---
 ## 5. Recommendation
 The safe path is:
 1. stop relying on the stale Chain 138 placeholder addresses
 2. deploy explicit local quote-side mirror tokens
 3. redeploy PMM integration using those real local token addresses
 4. create and fund the stable pools
 That is the narrowest change that removes the blocker without redefining the compliant token layer or pretending a non-existent Chain 138 official stable already exists.
--- a/docs/03-deployment/CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md
+++ b/docs/03-deployment/CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md
@@ -0,0 +1,475 @@
 # Chain 138 PMM Redeploy and Pool Funding Runbook
 **Purpose:** Execute the live on-chain PMM remediation and funding sequence on Chain 138 in the correct order:
 1. deploy live Chain 138 quote-side `USDT` and `USDC` ERC-20 mirror tokens  
 2. redeploy `DODOPMMIntegration` with those live Chain 138 official stable addresses  
 3. recreate the usable public stable pools on the new integration  
 4. create public XAU pools using `cXAUC` or `cXAUT` as the Chain 138 XAU anchor  
 5. deploy the `PrivatePoolRegistry` and register the XAU private stabilization pools  
 6. fund the pools in the correct order
 **Primary chain:** Chain 138  
 **Operator requirement:** deployer EOA with `PRIVATE_KEY`, gas, and the required token balances / mint authority.
 ---
 ## 0. Preconditions
 ### 0.1 Required environment
 From `smom-dbis-138/.env`:
 ```bash
 PRIVATE_KEY=0x...
 RPC_URL_138=http://...
 DODO_VENDING_MACHINE_ADDRESS=0x...
 COMPLIANT_USDT_ADDRESS=0x93E66202A11B1772E55407B32B44e5Cd8eda7f22
 COMPLIANT_USDC_ADDRESS=0xf22258f57794CC8E06237084b353Ab30fFfa640b
 OFFICIAL_USDT_ADDRESS=0x...
 OFFICIAL_USDC_ADDRESS=0x...
 ```
 ### 0.2 XAU anchor selection
 Choose one Chain 138 XAU anchor for the PMM and private stabilization pools:
 ```bash
 # Preferred default
 XAU_ADDRESS_138=0x290E52a8819A4fbD0714E517225429aA2B70EC6b   # cXAUC
 # Optional alternate
 CXAUT_ADDRESS_138=0x94e408E26c6FD8F4ee00b54dF19082FDA07dC96E  # cXAUT
 ```
 If `XAU_ADDRESS_138` is unset, the scripts default to `cXAUC` on Chain 138.
 ### 0.3 Stop conditions
 Stop immediately if any of these checks fail:
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 cast wallet address "$PRIVATE_KEY"
 cast code "$DODO_VENDING_MACHINE_ADDRESS" --rpc-url "$RPC_URL_138"
 cast code "$COMPLIANT_USDT_ADDRESS" --rpc-url "$RPC_URL_138"
 cast code "$COMPLIANT_USDC_ADDRESS" --rpc-url "$RPC_URL_138"
 cast code "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138"
 cast code "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138"
 cast code "${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" --rpc-url "$RPC_URL_138"
 ```
 Expected result: each `cast code` returns non-empty bytecode.
 ### 0.4 Important blocker note
 Do **not** use the historical placeholder addresses `0x15DF...` or `0xA0b8...` on Chain 138 unless `cast code` proves they are live ERC-20 contracts on Chain 138.
 The local PMM integration requires live quote-side ERC-20s on Chain 138. If `OFFICIAL_USDT_ADDRESS` and `OFFICIAL_USDC_ADDRESS` have no bytecode, deploy the local mirror tokens first.
 ---
 ## 1. Snapshot the current state
 Record the current integration and pool state before redeploying:
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 echo "Current integration: ${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-unset}}"
 echo "Current cUSDT/cUSDC pool: ${POOL_CUSDTCUSDC:-unset}"
 echo "Current cUSDT/USDT pool: ${POOL_CUSDTUSDT:-unset}"
 echo "Current cUSDC/USDC pool: ${POOL_CUSDCUSDC:-unset}"
 ```
 If the current integration exists, record its immutable token addresses:
 ```bash
 INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}"
 [ -n "$INT" ] && cast call "$INT" "officialUSDT()(address)" --rpc-url "$RPC_URL_138"
 [ -n "$INT" ] && cast call "$INT" "officialUSDC()(address)" --rpc-url "$RPC_URL_138"
 ```
 ---
 ## 1. Deploy the Chain 138 official stable mirrors
 Deploy the local quote-side assets first. These are lightweight ERC-20 mirrors used only to unblock local PMM pools on Chain 138.
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 forge script script/DeployOfficialUSDT138.s.sol:DeployOfficialUSDT138 \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  --legacy \
  -vv
 forge script script/DeployOfficialUSDC138.s.sol:DeployOfficialUSDC138 \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  --legacy \
  -vv
 ```
 Persist the deployed addresses into `.env`:
 ```bash
 OFFICIAL_USDT_ADDRESS=0x...
 OFFICIAL_USDC_ADDRESS=0x...
 ```
 Verify both:
 ```bash
 cast code "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138"
 cast code "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138"
 cast call "$OFFICIAL_USDT_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138"
 cast call "$OFFICIAL_USDC_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138"
 ```
 Expected result:
 - both return non-empty bytecode
 - symbols return `USDT` and `USDC`
 ---
 ## 2. Redeploy PMM integration on Chain 138
 This step creates a fresh `DODOPMMIntegration` using the corrected Chain 138 official stable addresses.
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 forge script script/dex/DeployDODOPMMIntegration.s.sol:DeployDODOPMMIntegration \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  --legacy \
  -vv
 ```
 After deployment, update `.env` with the new integration address:
 ```bash
 DODO_PMM_INTEGRATION_ADDRESS=0x...
 DODO_PMM_INTEGRATION=0x...
 ```
 Verify the new immutables:
 ```bash
 INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}"
 cast call "$INT" "officialUSDT()(address)" --rpc-url "$RPC_URL_138"
 cast call "$INT" "officialUSDC()(address)" --rpc-url "$RPC_URL_138"
 cast call "$INT" "compliantUSDT()(address)" --rpc-url "$RPC_URL_138"
 cast call "$INT" "compliantUSDC()(address)" --rpc-url "$RPC_URL_138"
 ```
 Expected result:
 - `officialUSDT` = the live `OFFICIAL_USDT_ADDRESS` you just deployed or verified
 - `officialUSDC` = the live `OFFICIAL_USDC_ADDRESS` you just deployed or verified
 ---
 ## 3. Create the corrected public stable pools
 Create the three public PMM pools on the **new** integration:
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 forge script script/dex/CreateCUSDTCUSDCPool.s.sol:CreateCUSDTCUSDCPool \
  --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "${GAS_PRICE_138:-1000000000}" -vv
 forge script script/dex/CreateCUSDTUSDTPool.s.sol:CreateCUSDTUSDTPool \
  --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "${GAS_PRICE_138:-1000000000}" -vv
 forge script script/dex/CreateCUSDCUSDCPool.s.sol:CreateCUSDCUSDCPool \
  --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "${GAS_PRICE_138:-1000000000}" -vv
 ```
 Record the new pool addresses:
 ```bash
 INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}"
 POOL_CUSDTCUSDC=$(cast call "$INT" "pools(address,address)(address)" \
  "$COMPLIANT_USDT_ADDRESS" "$COMPLIANT_USDC_ADDRESS" --rpc-url "$RPC_URL_138" | cast --to-addr)
 POOL_CUSDTUSDT=$(cast call "$INT" "pools(address,address)(address)" \
  "$COMPLIANT_USDT_ADDRESS" "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138" | cast --to-addr)
 POOL_CUSDCUSDC=$(cast call "$INT" "pools(address,address)(address)" \
  "$COMPLIANT_USDC_ADDRESS" "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138" | cast --to-addr)
 echo "$POOL_CUSDTCUSDC"
 echo "$POOL_CUSDTUSDT"
 echo "$POOL_CUSDCUSDC"
 ```
 Persist them into `.env`.
 ---
 ## 4. Create the public XAU pools
 Use the new public XAU script so the XAU side is explicit as `cXAUC` or `cXAUT`.
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 forge script script/dex/CreatePublicXAUPoolsChain138.s.sol:CreatePublicXAUPoolsChain138 \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  --legacy \
  -vv
 ```
 Optional controls:
 ```bash
 CREATE_CUSDT_XAU=true
 CREATE_CUSDC_XAU=true
 CREATE_CEURT_XAU=true
 ```
 Verify the created public XAU pools:
 ```bash
 INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}"
 XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}"
 cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138"
 cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDC_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138"
 cast call "$INT" "pools(address,address)(address)" "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "$XAU" --rpc-url "$RPC_URL_138"
 ```
 Persist the returned pool addresses if they are non-zero.
 ---
 ## 5. Deploy `PrivatePoolRegistry` and register private XAU pools
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 forge script script/dex/DeployPrivatePoolRegistryAndPools.s.sol:DeployPrivatePoolRegistryAndPools \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  --legacy \
  -vv
 ```
 Record:
 ```bash
 PRIVATE_POOL_REGISTRY=0x...
 ```
 Verify registrations:
 ```bash
 REG="$PRIVATE_POOL_REGISTRY"
 XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}"
 cast call "$REG" "getPool(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138"
 cast call "$REG" "getPool(address,address)(address)" "$COMPLIANT_USDC_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138"
 cast call "$REG" "getPool(address,address)(address)" "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "$XAU" --rpc-url "$RPC_URL_138"
 ```
 ---
 ## 6. Fund the pools in the correct order
 ### 6.1 Funding order
 Fund in this order:
 1. `cUSDT / cUSDC`
 2. `cUSDT / USDT`
 3. `cUSDC / USDC`
 4. public XAU pools:
   - `cUSDT / XAU`
   - `cUSDC / XAU`
   - `cEURT / XAU`
 5. private stabilization pools last
 Reason:
 - `cUSDT/cUSDC` establishes the base compliant market first
 - official stable pools come next after the corrected addresses are live
 - XAU public pools should discover price before private stabilization paths are seeded
 ### 6.2 Mint compliant balances
 Mint the compliant side first:
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 MINT_CUSDT_AMOUNT=2000000 \
 MINT_CUSDC_AMOUNT=2000000 \
 ./scripts/mint-for-liquidity.sh
 ```
 Mint additional compliant assets as needed:
 ```bash
 DEPLOYER=$(cast wallet address "$PRIVATE_KEY")
 cast send 0xdf4b71c61E5912712C1Bdd451416B9aC26949d72 \
  "mint(address,uint256)" "$DEPLOYER" 1000000000000 \
  --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY"
 ```
 ### 6.3 Acquire / verify non-mintable sides
 Before adding liquidity, confirm balances of:
 - `OFFICIAL_USDT_ADDRESS`
 - `OFFICIAL_USDC_ADDRESS`
 - `XAU_ADDRESS_138` (`cXAUC` or `cXAUT`)
 ```bash
 DEPLOYER=$(cast wallet address "$PRIVATE_KEY")
 cast call "$OFFICIAL_USDT_ADDRESS" "balanceOf(address)(uint256)" "$DEPLOYER" --rpc-url "$RPC_URL_138"
 cast call "$OFFICIAL_USDC_ADDRESS" "balanceOf(address)(uint256)" "$DEPLOYER" --rpc-url "$RPC_URL_138"
 cast call "${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" "balanceOf(address)(uint256)" "$DEPLOYER" --rpc-url "$RPC_URL_138"
 ```
 Do **not** proceed on a pool until both sides have sufficient balance.
 ### 6.4 Fund `cUSDT / cUSDC`
 Use the existing add-liquidity script first:
 ```bash
 export ADD_LIQUIDITY_CUSDTCUSDC_BASE=1000000000000
 export ADD_LIQUIDITY_CUSDTCUSDC_QUOTE=1000000000000
 forge script script/dex/AddLiquidityPMMPoolsChain138.s.sol:AddLiquidityPMMPoolsChain138 \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  -vv
 ```
 ### 6.5 Fund `cUSDT / USDT` and `cUSDC / USDC`
 Set per-pool liquidity amounts:
 ```bash
 export ADD_LIQUIDITY_CUSDTUSDT_BASE=1000000000000
 export ADD_LIQUIDITY_CUSDTUSDT_QUOTE=1000000000000
 export ADD_LIQUIDITY_CUSDCUSDC_BASE=1000000000000
 export ADD_LIQUIDITY_CUSDCUSDC_QUOTE=1000000000000
 ```
 Then run the same liquidity script:
 ```bash
 forge script script/dex/AddLiquidityPMMPoolsChain138.s.sol:AddLiquidityPMMPoolsChain138 \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  -vv
 ```
 ### 6.6 Fund public XAU pools
 For each public XAU pool:
 1. approve both tokens to the integration  
 2. call `addLiquidity(pool, baseAmount, quoteAmount)`
 Example for `cUSDT / XAU`:
 ```bash
 INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}"
 XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}"
 POOL=$(cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" | cast --to-addr)
 cast send "$COMPLIANT_USDT_ADDRESS" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY"
 cast send "$XAU" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY"
 cast send "$INT" "addLiquidity(address,uint256,uint256)" "$POOL" 1000000000000 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY"
 ```
 Repeat for:
 - `cUSDC / XAU`
 - `cEURT / XAU`
 ### 6.7 Seed private stabilization pools last
 Only after the public pools have been created and seeded:
 1. verify private registry entries exist  
 2. approve both sides  
 3. fund the corresponding private pool addresses with smaller initial depth than the public pools
 Use the same `addLiquidity(address,uint256,uint256)` pattern against the registered pool addresses.
 ---
 ## 7. Post-funding verification
 ### 7.1 Pool reserves
 ```bash
 cast call "$POOL_CUSDTCUSDC" "getVaultReserve()(uint256,uint256)" --rpc-url "$RPC_URL_138"
 cast call "$POOL_CUSDTUSDT" "getVaultReserve()(uint256,uint256)" --rpc-url "$RPC_URL_138"
 cast call "$POOL_CUSDCUSDC" "getVaultReserve()(uint256,uint256)" --rpc-url "$RPC_URL_138"
 ```
 Repeat for each XAU pool address.
 ### 7.2 Explorer alignment
 After successful execution, update:
 - [ADDRESS_MATRIX_AND_STATUS.md](../11-references/ADDRESS_MATRIX_AND_STATUS.md)
 - [DEPLOYED_TOKENS_BRIDGES_LPS_AND_ROUTING_STATUS.md](../11-references/DEPLOYED_TOKENS_BRIDGES_LPS_AND_ROUTING_STATUS.md)
 Also update the explorer pool inventory if new pool addresses were created.
 ---
 ## 8. Rollback / abort guidance
 Abort if any of the following occurs:
 - official token bytecode missing on 138
 - integration deployed with wrong immutables
 - pool creation returns zero or reverts unexpectedly
 - deployer lacks balance for either side of a target pool
 If the new integration is deployed but pool creation fails, stop there and do **not** fund the old incorrect pools.
 ---
 ## 9. References
 - [DeployDODOPMMIntegration.s.sol](../../smom-dbis-138/script/dex/DeployDODOPMMIntegration.s.sol)
 - [CreateCUSDTCUSDCPool.s.sol](../../smom-dbis-138/script/dex/CreateCUSDTCUSDCPool.s.sol)
 - [CreateCUSDTUSDTPool.s.sol](../../smom-dbis-138/script/dex/CreateCUSDTUSDTPool.s.sol)
 - [CreateCUSDCUSDCPool.s.sol](../../smom-dbis-138/script/dex/CreateCUSDCUSDCPool.s.sol)
 - [CreatePublicXAUPoolsChain138.s.sol](../../smom-dbis-138/script/dex/CreatePublicXAUPoolsChain138.s.sol)
 - [DeployPrivatePoolRegistryAndPools.s.sol](../../smom-dbis-138/script/dex/DeployPrivatePoolRegistryAndPools.s.sol)
 - [AddLiquidityPMMPoolsChain138.s.sol](../../smom-dbis-138/script/dex/AddLiquidityPMMPoolsChain138.s.sol)
 - [ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md](/home/intlc/projects/proxmox/docs/03-deployment/ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md)
--- a/docs/03-deployment/CHAIN138_XAU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md
+++ b/docs/03-deployment/CHAIN138_XAU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md
@@ -0,0 +1,247 @@
 # Chain 138 XAU Pool Status and Public Creation Path
 **Date:** 2026-03-26  
 **Scope:** Verify live private and public XAU pools on Chain 138 and record the exact creation/funding path used.
 ## Current live state
 ### Private XAU pools: live on-chain now
 Verified against:
 - `PrivatePoolRegistry`: `0xb27057B27db09e8Df353AF722c299f200519882A`
 - `cXAUC`: `0x290E52a8819A4fbD0714E517225429aA2B70EC6b`
 Registered private pools:
 - `cUSDT / cXAUC`
  - pool: `0x94316511621430423a2cff0C036902BAB4aA70c2`
 - `cUSDC / cXAUC`
  - pool: `0x7867D58567948e5b9908F1057055Ee4440de0851`
 - `cEURT / cXAUC`
  - pool: `0x505403093826D494983A93b43Aa0B8601078A44e`
 Code verification:
 - all three pool addresses return non-empty bytecode on Chain 138
 Observed reserves:
 - `cUSDT / cXAUC`
  - `cUSDT`: `2,666,965`
  - `cXAUC`: `519.477`
 - `cUSDC / cXAUC`
  - `cUSDC`: `1,000,000`
  - `cXAUC`: `194.782554`
 - `cEURT / cXAUC`
  - `cEURT`: `1,000,000`
  - `cXAUC`: `225.577676`
 ### Public XAU pools: now created and funded in the live PMM integration
 Verified against:
 - `DODOPMMIntegration`: `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`
 Current mapping state:
 - `pools(cUSDT, cXAUC) = 0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0`
 - `pools(cUSDC, cXAUC) = 0xEA9Ac6357CaCB42a83b9082B870610363B177cBa`
 - `pools(cEURT, cXAUC) = 0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf`
 All three public pool addresses return non-empty bytecode on Chain 138.
 Observed public reserves:
 - `cUSDT / cXAUC`
  - `cUSDT`: `2,666,965`
  - `cXAUC`: `519.477`
 - `cUSDC / cXAUC`
  - `cUSDC`: `1,000,000`
  - `cXAUC`: `194.782554`
 - `cEURT / cXAUC`
  - `cEURT`: `1,000,000`
  - `cXAUC`: `225.577676`
 The explorer should now show these rows with:
 - real pool address
 - `Funded (live)`
 - notes derived from live integration mapping and reserves
 ## Exact creation and funding path used for the three public XAU pools
 ### 1. Preconditions
 Confirm the required contracts and tokens are already live:
 - `DODOPMMIntegration`: `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`
 - `cUSDT`: `0x93E66202A11B1772E55407B32B44e5Cd8eda7f22`
 - `cUSDC`: `0xf22258f57794CC8E06237084b353Ab30fFfa640b`
 - `cEURT`: `0xdf4b71c61E5912712C1Bdd451416B9aC26949d72`
 - `cXAUC`: `0x290E52a8819A4fbD0714E517225429aA2B70EC6b`
 Recommended env:
 ```bash
 export RPC_URL_138=http://192.168.11.211:8545
 export DODOPMM_INTEGRATION=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d
 export COMPLIANT_USDT_ADDRESS=0x93E66202A11B1772E55407B32B44e5Cd8eda7f22
 export COMPLIANT_USDC_ADDRESS=0xf22258f57794CC8E06237084b353Ab30fFfa640b
 export cEURT_ADDRESS_138=0xdf4b71c61E5912712C1Bdd451416B9aC26949d72
 export XAU_ADDRESS_138=0x290E52a8819A4fbD0714E517225429aA2B70EC6b
 ```
 ### 2. Create the public XAU pools
 Use the existing script:
 - [CreatePublicXAUPoolsChain138.s.sol](../../smom-dbis-138/script/dex/CreatePublicXAUPoolsChain138.s.sol)
 Run:
 ```bash
 cd /home/intlc/projects/proxmox/smom-dbis-138
 source .env
 forge script script/dex/CreatePublicXAUPoolsChain138.s.sol:CreatePublicXAUPoolsChain138 \
  --rpc-url "$RPC_URL_138" \
  --broadcast \
  --private-key "$PRIVATE_KEY" \
  --with-gas-price "${GAS_PRICE_138:-1000000000}" \
  --legacy \
  -vv
 ```
 Optional toggles:
 ```bash
 export CREATE_CUSDT_XAU=true
 export CREATE_CUSDC_XAU=true
 export CREATE_CEURT_XAU=true
 ```
 ### 3. Verify creation immediately
 ```bash
 INT="${DODOPMM_INTEGRATION:-$DODOPMM_INTEGRATION_ADDRESS}"
 XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}"
 cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138"
 cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDC_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138"
 cast call "$INT" "pools(address,address)(address)" "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "$XAU" --rpc-url "$RPC_URL_138"
 ```
 Each result should now be a non-zero pool address.
 Persist them into `.env` or the relevant operator notes.
 ### 4. Public pool addresses created
 - `cUSDT / cXAUC`
  - pool: `0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0`
  - create tx: `0xb38df32e7f51cff2ec283aa70ebf0e98b195721efa58d9b0a6e1df7fb55c05a1`
 - `cUSDC / cXAUC`
  - pool: `0xEA9Ac6357CaCB42a83b9082B870610363B177cBa`
  - create tx: `0xae16081faf9762500d14883be814393695d6a854afe84c9c1521ec5486babe23`
 - `cEURT / cXAUC`
  - pool: `0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf`
  - create tx: `0x1adaca76b3e34acd0807d5e11e334dd773b2146e4aeb45d67d5a54c1934d0e55`
 ## Exact funding path for the public XAU pools
 ### 5. Funding order
 Fund public XAU pools before changing private stabilization depth:
 1. `cUSDT / cXAUC`
 2. `cUSDC / cXAUC`
 3. `cEURT / cXAUC`
 4. only then revisit private stabilization depth if needed
 ### 6. Funding method
 The public XAU pools use the same PMM integration liquidity path:
 1. approve both tokens to `DODOPMMIntegration`
 2. call `addLiquidity(pool, baseAmount, quoteAmount)`
 Example for `cUSDT / cXAUC`:
 ```bash
 INT="${DODOPMM_INTEGRATION:-$DODOPMM_INTEGRATION_ADDRESS}"
 XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}"
 POOL=$(cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" | cast --to-addr)
 cast send "$COMPLIANT_USDT_ADDRESS" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY"
 cast send "$XAU" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY"
 cast send "$INT" "addLiquidity(address,uint256,uint256)" "$POOL" 1000000000000 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY"
 ```
 Repeat the same pattern for:
 - `cUSDC / cXAUC`
 - `cEURT / cXAUC`
 ### 7. Funding completed
 Successful funding transactions:
 - `cUSDT / cXAUC`
  - fund tx: `0x7e00ec7a97fada7a9c238638bc019c6755feeb68be06c4b69e519b0eec6dd3b6`
  - final reserves: `2,666,965 cUSDT / 519.477 cXAUC`
 - `cUSDC / cXAUC`
  - fund tx: `0x87ec3a710dfb785de6adaa4f191440cd4968e090c0afb1f21ba02c8e0501f7eb`
  - final reserves: `1,000,000 cUSDC / 194.782554 cXAUC`
 - `cEURT / cXAUC`
  - fund tx: `0x995b785ab49f0ffc8f782a7d573259cf09fc57176d4fae19c1f6b274712e9e93`
  - final reserves: `1,000,000 cEURT / 225.577676 cXAUC`
 Supporting approvals:
 - `cXAUC` approval: `0xd194c80b8246816ef88141736eb17dece478183b37053cfbe1fffd6efe2abc99`
 - `cEURT` approval: `0x922d530cd65fdd139ff4e8c43a219b254d0c3df4e461a45f02f7832205735983`
 ### 8. Suggested bootstrap amounts
 Use the same scale already proven on the private side unless treasury wants a different public depth target.
 Reasonable bootstrap examples:
 - `cUSDT / cXAUC`
  - base: `1,000,000e6`
  - quote: `200e6` to `500e6` depending on desired starting depth
 - `cUSDC / cXAUC`
  - base: `1,000,000e6`
  - quote: `150e6` to `250e6`
 - `cEURT / cXAUC`
  - base: `1,000,000e6`
  - quote: `200e6` to `250e6`
 Final quote-side amounts should be treasury/policy-driven. The exact `cXAUC` depth can be calibrated against the current private pool ratios if parity is desired.
 ## Post-funding verification
 After funding, verify:
 ```bash
 cast call "$COMPLIANT_USDT_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDT_XAU" --rpc-url "$RPC_URL_138"
 cast call "$COMPLIANT_USDC_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDC_XAU" --rpc-url "$RPC_URL_138"
 cast call "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "balanceOf(address)(uint256)" "$POOL_CEURT_XAU" --rpc-url "$RPC_URL_138"
 cast call "$XAU" "balanceOf(address)(uint256)" "$POOL_CUSDT_XAU" --rpc-url "$RPC_URL_138"
 cast call "$XAU" "balanceOf(address)(uint256)" "$POOL_CUSDC_XAU" --rpc-url "$RPC_URL_138"
 cast call "$XAU" "balanceOf(address)(uint256)" "$POOL_CEURT_XAU" --rpc-url "$RPC_URL_138"
 ```
 Then verify the explorer `/pools` page shows:
 - real pool address
 - `Funded (live)`
 - a live note path derived from the integration mapping instead of the old `Not created` state
 ## References
 - [CreatePublicXAUPoolsChain138.s.sol](../../smom-dbis-138/script/dex/CreatePublicXAUPoolsChain138.s.sol)
 - [DeployPrivatePoolRegistryAndPools.s.sol](../../smom-dbis-138/script/dex/DeployPrivatePoolRegistryAndPools.s.sol)
 - [AddLiquidityPMMPoolsChain138.s.sol](../../smom-dbis-138/script/dex/AddLiquidityPMMPoolsChain138.s.sol)
 - [CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md](./CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md)
--- a/docs/03-deployment/CONTRACT_DEPLOYMENT_RUNBOOK.md
+++ b/docs/03-deployment/CONTRACT_DEPLOYMENT_RUNBOOK.md
@@ -179,6 +179,42 @@ Deployer must have `VAULT_DEPLOYER_ROLE` on VaultFactory. Each configured base t
 When Uniswap V3, Balancer, or DODO PMM pools exist on Chain 138 / 651940, configure the router and provider so on-chain quotes and swaps work.
 **Chain 138 dry-run helper (safe preflight):**
 ```bash
 cd smom-dbis-138
 bash scripts/deployment/dry-run-enhanced-swap-router-chain138.sh
 ```
 This helper loads `smom-dbis-138/.env`, verifies the minimum required env (`PRIVATE_KEY`, `RPC_URL_138`), prints the exact token/provider vars the deploy script will use, and shows the sourced non-broadcast `forge script` command for a safe Chain 138 dry-run. It also distinguishes "env preflight passed" from "router would actually be usable after deploy". The updated deploy script now preloads the live 2026-03-26 DODO pair map on Chain 138:
 - `cUSDT ↔ cUSDC`
 - `cUSDT ↔ USDT`
 - `cUSDC ↔ USDC`
 - `cUSDT ↔ cXAUC`
 - `cUSDC ↔ cXAUC`
 - `cEURT ↔ cXAUC`
 If provider env vars like `DODOEX_ROUTER`, `DODO_PMM_PROVIDER_ADDRESS`, `UNISWAP_V3_ROUTER`, `BALANCER_VAULT`, `CURVE_3POOL`, or `ONEINCH_ROUTER` are unset, the deploy script uses placeholders and disables those providers after deployment. This keeps the Chain 138 deployment honest: token-to-token DODO pairs are registered immediately, while `swapToStablecoin()` still requires real `WETH -> stable` routes before it is operational.
 For current Chain 138, prefer `DODO_PMM_PROVIDER_ADDRESS` when the deployed `DODOPMMProvider` is available. The router now supports that provider as its DODO backend on Chain 138. If neither `DODO_PMM_PROVIDER_ADDRESS` nor `DODOEX_ROUTER` is set, the router can still deploy and register the live pair map, but the DODO provider will be disabled and no DODO execution path will remain enabled.
 The dry-run helper also probes the live `DODOPMMProvider` over `RPC_URL_138` for `WETH -> stable` support. This is important because the current public/private PMM set is stable/stable and stable/XAU; `swapToStablecoin()` is still only operational when at least one live `WETH -> stable` route exists.
 To run the sourced non-broadcast Forge simulation directly from the helper:
 ```bash
 cd smom-dbis-138
 bash scripts/deployment/dry-run-enhanced-swap-router-chain138.sh --run
 ```
 You can increase visibility or the timeout if compilation/simulation is slow:
 ```bash
 cd smom-dbis-138
 bash scripts/deployment/dry-run-enhanced-swap-router-chain138.sh --run --timeout-seconds 180 --verbosity -vvv
 ```
 **EnhancedSwapRouter** (set by address with `ROUTING_MANAGER_ROLE`):
 | Config | Method | Env (optional) | When |
@@ -199,6 +235,8 @@ cd smom-dbis-138 && source .env
 **DODOPMMProvider:** Register existing DODO PMM pools so `getQuote` / `executeSwap` work. Address with `POOL_MANAGER_ROLE` calls `registerPool(tokenIn, tokenOut, pool)`.
 The corrected `RegisterDODOPools.s.sol` now reads `DODOPMMIntegration.getAllPools()` and `getPoolConfig(pool)` on-chain, then registers both directions for every discovered pool. That means it covers the current 2026-03-26 public live set and any future c* full-mesh pools already created in the integration. This is required because `DODOPMMProvider` stores routes as `pools[tokenIn][tokenOut]`. If the dry-run helper shows a documented live pair as missing, rerun this script before treating the provider as fully reconciled.
 ```bash
 # After DODO pool is deployed (e.g. cUSDT↔USDT)
 cast send "$DODO_PMM_PROVIDER_ADDRESS" "registerPool(address,address,address)" "<CUSDT>" "<USDT>" "<POOL_ADDRESS>" --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" --gas-price 1000000000
--- a/docs/03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md
+++ b/docs/03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md
@@ -1,5 +1,7 @@
 # Full Deployment Order of Operations
 > Historical note (2026-03-26): this run order includes earlier PMM deployment phases. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`. Use [ADDRESS_MATRIX_AND_STATUS.md](../11-references/ADDRESS_MATRIX_AND_STATUS.md) for live addresses.
 **Last Updated:** 2026-02-28  
 **Purpose:** Single canonical sequence for deploying and completing the system: prerequisites → Chain 138 core → PMM/pools → provider → optional → cW* → verification. Use this as the master order; other runbooks give per-step detail.
@@ -42,7 +44,7 @@ Execute in any order where no dependency; all must be satisfied before Phase 1
 |---|------|--------|
 | 0.1 | **RPC 2101 (Core) writable** | If read-only: `./scripts/maintenance/make-rpc-vmids-writable-via-ssh.sh` then `./scripts/maintenance/health-check-rpc-2101.sh`. See [RPC_2101_READONLY_FIX.md](RPC_2101_READONLY_FIX.md). |
 | 0.2 | **Deployer wallet funded (Chain 138)** | ≥ ~0.006 ETH (recommended 1–2 ETH). Check: `cd smom-dbis-138 && ./scripts/deployment/check-balances-gas-and-deploy.sh`. |
-| 0.3 | **Env configured** | `smom-dbis-138/.env` only: `PRIVATE_KEY`, `RPC_URL_138` (Core); for PMM: `DODO_PMM_INTEGRATION_ADDRESS=0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`. Optional: `GAS_PRICE_138`, `GAS_PRICE`. Run: `cd smom-dbis-138 && ./scripts/deployment/check-env-required.sh`. Or from repo root: `./scripts/deployment/preflight-chain138-deploy.sh`. |
+| 0.3 | **Env configured** | `smom-dbis-138/.env` only: `PRIVATE_KEY`, `RPC_URL_138` (Core); for PMM: `DODO_PMM_INTEGRATION_ADDRESS=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`, `DODO_PMM_PROVIDER_ADDRESS=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`. Optional: `GAS_PRICE_138`, `GAS_PRICE`. Run: `cd smom-dbis-138 && ./scripts/deployment/check-env-required.sh`. Or from repo root: `./scripts/deployment/preflight-chain138-deploy.sh`. |
 | 0.4 | **Gas / cost estimate** | Run cost estimate before deploy: `cd smom-dbis-138 && ./scripts/deployment/calculate-costs-consolidated.sh` (or see [DEPLOYMENT_GAS_COSTS_REALTIME](../11-references/DEPLOYMENT_GAS_COSTS_REALTIME.md)). Chain 138 uses min 1 gwei; script gives estimated total cost. |
 | 0.5 | **POOL_MANAGER_ROLE** | Deployer must have POOL_MANAGER_ROLE on DODOPMMIntegration for pool creation and provider registration. |
 | 0.6 | **No stuck transactions** | If nonce has pending txs or "Replacement transaction underpriced": run `./scripts/clear-all-transaction-pools.sh` then wait ~60s. Use Core RPC only (no Public fallback). Prefer deploy scripts that check nonce (e.g. `deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh`). |
--- a/docs/03-deployment/EXPLORER_FRONTEND_404_FIX_RUNBOOK.md
+++ b/docs/03-deployment/EXPLORER_FRONTEND_404_FIX_RUNBOOK.md
@@ -23,7 +23,7 @@ This deployment uses a **custom frontend** (SolaceScanScout), not the built-in B
 - `explorer-monorepo/scripts/fix-nginx-serve-custom-frontend.sh` — nginx config that serves `/var/www/html` for `/` and SPA paths.
 - `explorer-monorepo/scripts/fix-nginx-conflicts-vmid5000.sh` — current “conflicts” config: proxies `location /` to :4000 (no static root).
 - `explorer-monorepo/scripts/deploy-frontend-to-vmid5000.sh` — deploys frontend files and can apply the custom-frontend nginx config.
- `docs/archive/fixes/BLOCKSCOUT_WEB_INTERFACE_404_FIX.md` — historical 404 investigation.
+- This runbook replaces ad-hoc 404 notes; use `explorer-monorepo/scripts/` above for nginx and deploy.
 - `explorer-monorepo/docs/BLOCKSCOUT_START_AND_BUILD.md` — Blockscout container/assets; UI in this setup is the custom frontend, not Blockscout’s own UI.
 ---
--- a/docs/03-deployment/FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md
+++ b/docs/03-deployment/FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md
@@ -0,0 +1,137 @@
 # Final Unblock Checklist: Mainnet and BSC
 **Date:** 2026-03-26  
 **Wallet:** `0x4A666F96fC8764181194447A7dFdb7d471b301C8`
 This checklist captures the **exact remaining top-up targets** after the live funding pass already completed on Ethereum Mainnet.
 ## Current post-funding state
 ### Mainnet
 - Deployer ETH: `0.003345428710812742`
 - Deployer LINK: `0`
 - Deployer WETH9: `0`
 - `MAINNET_CCIP_WETH9_BRIDGE` LINK: `0.215485646892774955`
 - `MAINNET_CCIP_WETH10_BRIDGE` LINK: `0.215485646892774955`
 - `CCIP_RELAY_BRIDGE_MAINNET` WETH: `0.002634280582011289`
 - `LiquidityPoolETH` available ETH: `0.015`
 - `LiquidityPoolETH` available WETH: `0.001`
 ### BSC
 - Deployer BNB: `0.0091250643`
 - Deployer LINK: `0`
 - Deployer WETH: `0`
 - `CCIPWETH9_BRIDGE_BSC` LINK: `0`
 - `CCIPWETH10_BRIDGE_BSC` LINK: `0`
 ## Exact top-up targets
 ### 1. Mainnet deployer gas reserve
 Repo recommendation: keep **`0.05 ETH`** on the deployer for safe operator headroom.
 - Current: `0.003345428710812742 ETH`
 - Target: `0.05 ETH`
 - **Top up:** `0.046654571289187258 ETH`
 ### 2. Mainnet CCIP bridge LINK
 Repo recommendation: **`10 LINK per bridge`**.
 - `MAINNET_CCIP_WETH9_BRIDGE`
  - Current: `0.215485646892774955 LINK`
  - Target: `10 LINK`
  - **Top up:** `9.784514353107225045 LINK`
 - `MAINNET_CCIP_WETH10_BRIDGE`
  - Current: `0.215485646892774955 LINK`
  - Target: `10 LINK`
  - **Top up:** `9.784514353107225045 LINK`
 - **Mainnet CCIP LINK total top-up:** `19.56902870621445009 LINK`
 ### 3. Mainnet trustless LP target
 Operator runbook example target:
 - LP ETH target: **`1 ETH`**
 - LP WETH target: **`0.5 WETH`**
 Current:
 - LP ETH available: `0.015 ETH`
 - LP WETH available: `0.001 WETH`
 Top-ups:
 - **ETH top-up:** `0.985 ETH`
 - **WETH top-up:** `0.499 WETH`
 ### 4. Mainnet relay bridge WETH target
 There is no hardcoded repo target for relay inventory, so use a small bootstrap target unless you have a higher payout requirement.
 - Suggested bootstrap target: **`0.01 WETH`**
 - Current: `0.002634280582011289 WETH`
 - **Top up:** `0.007365719417988711 WETH`
 ### 5. BSC deployer gas reserve
 Repo recommendation: keep **`0.06 BNB`** on the deployer.
 - Current: `0.0091250643 BNB`
 - Target: `0.06 BNB`
 - **Top up:** `0.0508749357 BNB`
 ### 6. BSC CCIP bridge LINK
 Repo recommendation: **`10 LINK per bridge`**.
 - `CCIPWETH9_BRIDGE_BSC`
  - Current: `0 LINK`
  - Target: `10 LINK`
  - **Top up:** `10 LINK`
 - `CCIPWETH10_BRIDGE_BSC`
  - Current: `0 LINK`
  - Target: `10 LINK`
  - **Top up:** `10 LINK`
 - **BSC CCIP LINK total top-up:** `20 LINK`
 ### 7. BSC relay bridge WETH (optional, only if relay mode is used)
 If you are operating the BSC relay flow from `services/relay/.env.bsc`, top up the destination relay bridge too.
 - Suggested bootstrap target: **`0.01 WETH`**
 - Current deployer WETH on BSC: `0`
 - **Acquire and transfer:** `0.01 WETH` to `DEST_RELAY_BRIDGE`
 ## One-pass operator sequence after top-up
 1. Fund Mainnet deployer ETH reserve to `0.05 ETH`.
 2. Fund Mainnet CCIP bridges to `10 LINK` each:
   - `MAINNET_CCIP_WETH9_BRIDGE`
   - `MAINNET_CCIP_WETH10_BRIDGE`
 3. Fund Mainnet LP to `1 ETH` and `0.5 WETH`.
 4. Fund Mainnet relay bridge to `0.01 WETH` minimum.
 5. Fund BSC deployer to `0.06 BNB`.
 6. Fund BSC CCIP bridges to `10 LINK` each.
 7. If relay mode is used on BSC, fund the BSC relay bridge with at least `0.01 WETH`.
 8. Set `BOND_MANAGER_MAINNET` and `CHALLENGE_MANAGER_MAINNET` in `.env`.
 9. Run the full live bridge test from [`live-test-trustless-bridge.sh`](../../smom-dbis-138/scripts/deployment/live-test-trustless-bridge.sh).
 ## Scripted paths
 - One-command operator wrapper:
  - [`run-final-unblock-checklist.sh`](../../smom-dbis-138/scripts/deployment/run-final-unblock-checklist.sh)
  - Status-only preflight:
    - `./scripts/deployment/run-final-unblock-checklist.sh --status-only`
  - JSON preflight for CI/dashboards:
    - `./scripts/deployment/run-final-unblock-checklist.sh --status-only --json`
 - Mainnet LP funding:
  - [`fund-mainnet-lp.sh`](../../smom-dbis-138/scripts/deployment/fund-mainnet-lp.sh)
 - Mainnet relay bridge funding:
  - [`fund-mainnet-relay-bridge.sh`](../../smom-dbis-138/scripts/bridge/fund-mainnet-relay-bridge.sh)
 - BSC relay bridge funding:
  - [`fund-bsc-relay-bridge.sh`](../../smom-dbis-138/scripts/bridge/fund-bsc-relay-bridge.sh)
 - Multi-chain LINK funding:
  - [`fund-ccip-bridges-with-link.sh`](../../smom-dbis-138/scripts/deployment/fund-ccip-bridges-with-link.sh)
--- a/docs/03-deployment/MIGRATE_CT_R630_01_TO_R630_02.md
+++ b/docs/03-deployment/MIGRATE_CT_R630_01_TO_R630_02.md
@@ -175,5 +175,5 @@ See the script for exact steps (stop, vzdump, scp, restore, start, optional dest
 - [502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md](../00-meta/502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md) — LVM thin pool full, 2101/2500–2505
 - [BLOCKSCOUT_FIX_RUNBOOK.md](BLOCKSCOUT_FIX_RUNBOOK.md) — Migrate VM 5000 to thin5 (same-host example)
- [R630_01_02_COMPLETE_INVENTORY.md](../archive/root-cleanup-20260220/R630_01_02_COMPLETE_INVENTORY.md) — VMID list and IPs
+- [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md) · [`config/proxmox-operational-template.json`](../../config/proxmox-operational-template.json) — VMID list and IPs
 - Proxmox: [Backup and Restore](https://pve.proxmox.com/pve-docs/chapter-vzdump.html)
--- a/docs/03-deployment/NEXT_STEPS_PMM_FULL_PARITY_AND_ALL_POOLS.md
+++ b/docs/03-deployment/NEXT_STEPS_PMM_FULL_PARITY_AND_ALL_POOLS.md
@@ -1,5 +1,7 @@
 # Next Steps: Full Parity and Deploy All PMM Pools
 > Historical note (2026-03-26): this document captures an earlier parity plan. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`, with the desired-state mesh reconciled. Use [ADDRESS_MATRIX_AND_STATUS.md](../11-references/ADDRESS_MATRIX_AND_STATUS.md) and [LIQUIDITY_POOLS_MASTER_MAP.md](../11-references/LIQUIDITY_POOLS_MASTER_MAP.md) for live status.
 **Last Updated:** 2026-02-28  
 **Purpose:** Ordered list of steps to achieve full PMM parity and deploy all DODO PMM pools (Chain 138 first, then multichain).
@@ -9,7 +11,7 @@
 | Scope | DODOPMMIntegration | Pools (cUSDT/cUSDC, cUSDT/USDT, cUSDC/USDC) | DODOPMMProvider | Liquidity |
 |-------|--------------------|-----------------------------------------------|-----------------|-----------|
-| **Chain 138** | Deployed (`0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`) | Created (addresses in .env / LIQUIDITY_POOLS_MASTER_MAP) | Deployed (`0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0`) | **Zero** (pools empty) |
+| **Chain 138** | Deployed (`0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`) | Reconciled (addresses in ADDRESS_MATRIX / LIQUIDITY_POOLS_MASTER_MAP) | Deployed (`0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`) | Public stable and XAU pools funded |
 | **L2s (BSC, Polygon, Base, etc.)** | Script exists (`deploy-pmm-all-l2s.sh`) | Not created | Not deployed | N/A |
 | **cW* mesh (11 chains)** | Design only | 111 pools in design | Not deployed | N/A |
@@ -28,9 +30,9 @@
 2. **Verify or create the three PMM pools**
   - Pools (from PRE_DEPLOYMENT_CHECKLIST / .env):  
-     - cUSDT/cUSDC: `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8`  
+     - cUSDT/cUSDC: `0xff8d3b8fDF7B112759F076B69f4271D4209C0849`  
-     - cUSDT/USDT: `0xa3Ee6091696B28e5497b6F491fA1e99047250c59`  
+     - cUSDT/USDT: `0x6fc60DEDc92a2047062294488539992710b99D71`  
-     - cUSDC/USDC: `0x90bd9Bf18Daa26Af3e814ea224032d015db58Ea5`
+     - cUSDC/USDC: `0x9f74Be42725f2Aa072a9E0CdCce0E7203C510263`
   - If any pool is missing on-chain, create it:
     - `forge script script/dex/CreateCUSDTCUSDCPool.s.sol:CreateCUSDTCUSDCPool --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY"`
     - `forge script script/dex/CreateCUSDTUSDTPool.s.sol:CreateCUSDTUSDTPool --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY"`
@@ -42,7 +44,7 @@
   - Run: `forge script script/liquidity/RegisterDODOPools.s.sol:RegisterDODOPools --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY"`.
 4. **Add liquidity to all three pools**
-   - Approve base/quote tokens to `DODOPMMIntegration` (`0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`).
+   - Approve base/quote tokens to `DODOPMMIntegration` (`0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`).
   - Call `DODOPMMIntegration.addLiquidity(pool, baseAmount, quoteAmount)` for each pool. See [DODO_PMM_INTEGRATION.md](../../smom-dbis-138/docs/integration/DODO_PMM_INTEGRATION.md).
   - **Forge script:** `forge script script/dex/AddLiquidityPMMPoolsChain138.s.sol:AddLiquidityPMMPoolsChain138 --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY"` with env `ADD_LIQUIDITY_BASE_AMOUNT` and `ADD_LIQUIDITY_QUOTE_AMOUNT` (e.g. `1000000e6`). Or use **full-parity runner:** `./scripts/deployment/run-pmm-full-parity-all-phases.sh` (Phase 1 creates pools in parallel, registers, then adds liquidity when amounts are set).
--- a/docs/03-deployment/OPERATIONAL_RUNBOOKS.md
+++ b/docs/03-deployment/OPERATIONAL_RUNBOOKS.md
@@ -2,7 +2,7 @@
 **Navigation:** [Home](../01-getting-started/README.md) > [Deployment](README.md) > Operational Runbooks
-**Last Updated:** 2026-02-18  
+**Last Updated:** 2026-03-26  
 **Document Version:** 1.3  
 **Status:** Active Documentation
@@ -12,6 +12,8 @@
 This document provides a master index of all operational runbooks and procedures for the Sankofa/Phoenix/PanTel Proxmox deployment. For issue-specific troubleshooting (RPC, QBFT, SSH, tunnel, etc.), see **[../09-troubleshooting/README.md](../09-troubleshooting/README.md)** and [TROUBLESHOOTING_FAQ.md](../09-troubleshooting/TROUBLESHOOTING_FAQ.md).
 **Proxmox VE hosts, peering, FQDN/NPMplus summary, deployment gates (human + JSON):** [PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md).
 ---
 ## Quick Reference
@@ -76,6 +78,25 @@ ssh root@HOST "pct start VMID"
 - **NPMplus HA failover:** [NPMPLUS_HA_SETUP_GUIDE.md](../04-configuration/NPMPLUS_HA_SETUP_GUIDE.md) - Keepalived/HAProxy; failover to 10234
 - **502 runbook:** Check (1) NPMplus (192.168.11.167) up and proxy hosts correct, (2) backend VMID 2201 (RPC) or 5000 (Blockscout) up and reachable, (3) if using Fastly, origin reachability from Fastly to 76.53.10.36; if Option B RPC, tunnel connector (e.g. VMID 102) running. Blockscout 502: [BLOCKSCOUT_FIX_RUNBOOK.md](BLOCKSCOUT_FIX_RUNBOOK.md)
 ### NPMplus API update and recovery
 - **Primary admin URL:** `https://192.168.11.167:81` (VMID `10233` on `r630-01`)
 - **If TCP connects but HTTP never returns:** treat CT `10233` as wedged and reboot it from `r630-01` with `pct reboot 10233`, then re-check `:81` for the expected `301` redirect.
 - **API updater:** `NPM_URL=https://192.168.11.167:81 bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`
 - **Script behavior:** `curl_npm` and `try_connect` use `-L`, so port `81` redirects do not break `POST /api/tokens` with `400 Payload is undefined`; `IP_NPMPLUS_ETH1` is optional-safe under `set -u`.
 - **Large `.env` warning:** if your normal `set -a; source .env` flow fails with `Argument list too long`, avoid exporting the entire file for NPM-only runs. Pull only the needed credentials, for example:
 ```bash
 NPM_EMAIL="$(grep '^NPM_EMAIL=' .env | tail -n1 | cut -d= -f2-)"
 NPM_PASSWORD="$(grep '^NPM_PASSWORD=' .env | tail -n1 | cut -d= -f2-)"
 NPM_URL=https://192.168.11.167:81 \
 NPM_EMAIL="$NPM_EMAIL" \
 NPM_PASSWORD="$NPM_PASSWORD" \
 bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
 ```
 - **Verified on 2026-03-26:** after rebooting CT `10233`, `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` completed with `39 hosts updated, 0 failed`, including `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus`, and `studio.sankofa.nexus`.
 ### Cloudflare (DNS and optional Access)
 - **[CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare setup (DNS retained; Option B tunnel for RPC only)
--- a/docs/03-deployment/PHOENIX_MIGRATION_PLAN_DBIS_CHAIN138.md
+++ b/docs/03-deployment/PHOENIX_MIGRATION_PLAN_DBIS_CHAIN138.md
@@ -45,7 +45,7 @@ This document provides a comprehensive migration plan for migrating DBIS Core se
 |------|---------|------------|--------|---------|
 | 10100 | dbis-postgres-primary | 192.168.11.100 | ✅ Running | PostgreSQL Primary |
 | 10101 | dbis-postgres-replica-1 | 192.168.11.101 | ✅ Running | PostgreSQL Replica |
-| 10120 | dbis-redis | 192.168.11.120 | ✅ Running | Redis Cache |
+| 10120 | dbis-redis | 192.168.11.125 | ✅ Running | Redis Cache |
 | 10130 | dbis-frontend | 192.168.11.130 | ✅ Running | Frontend Admin Console |
 | 10150 | dbis-api-primary | 192.168.11.150 | ✅ Running | API Primary |
 | 10151 | dbis-api-secondary | 192.168.11.151 | ✅ Running | API Secondary |
@@ -565,7 +565,7 @@ ssh root@192.168.11.11 "pct exec 8610 -- psql -U phoenix -d phoenix -c 'SELECT C
 ### 6.2 Redis Migration
-**Source:** Redis on 192.168.11.120 (VMID 10120)  
+**Source:** Redis on 192.168.11.125 (VMID 10120)  
 **Target:** Redis on 10.160.0.22 (VMID 8612)
 **Procedure:**
--- a/docs/03-deployment/PMM_FULL_MESH_AND_PUBLIC_SINGLE_SIDED_PLAN.md
+++ b/docs/03-deployment/PMM_FULL_MESH_AND_PUBLIC_SINGLE_SIDED_PLAN.md
@@ -22,8 +22,8 @@
 | Contract | Address (Chain 138) | Role |
 |----------|---------------------|------|
-| DODOPMMIntegration | `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` | `createPool(base, quote, ...)`; `swapExactIn(pool, tokenIn, amountIn, minAmountOut)` for generic routing |
+| DODOPMMIntegration | `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` | `createPool(base, quote, ...)`; `swapExactIn(pool, tokenIn, amountIn, minAmountOut)` for generic routing |
-| DODOPMMProvider | `0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0` | `registerPool(tokenIn, tokenOut, pool)`; `executeSwap` uses `swapExactIn` for any registered pool |
+| DODOPMMProvider | `0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381` | `registerPool(tokenIn, tokenOut, pool)`; `executeSwap` uses `swapExactIn` for any registered pool |
 - Deployer (or the account that holds **POOL_MANAGER_ROLE** on the integration and **POOL_MANAGER_ROLE** on the provider) must run pool creation and registration.
 - **Generic routing:** `DODOPMMIntegration.swapExactIn` allows any registered pool to be used for swaps; `DODOPMMProvider.executeSwap` routes through it when the pair is not one of the six legacy pairs.
@@ -34,26 +34,24 @@ From repo root (or from `smom-dbis-138/`):
 ```bash
 # Ensure .env has: PRIVATE_KEY, RPC_URL_138, DODO_PMM_INTEGRATION_ADDRESS, DODO_PMM_PROVIDER_ADDRESS
 # Desired-state config lives in smom-dbis-138/config/chain138-pmm-pools.json
-# Create all c* vs c* pools and register with provider
+# Create or register only the pools missing from the desired-state JSON
 # (plus optional c* vs official USDT/USDC and c* vs WETH)
 ./scripts/create-pmm-full-mesh-chain138.sh
 # Only c* vs c* (no official USDT/USDC pairs)
 MESH_ONLY_C_STAR=1 ./scripts/create-pmm-full-mesh-chain138.sh
 # Keep official pairs but disable c* vs WETH
 MESH_INCLUDE_WETH=0 ./scripts/create-pmm-full-mesh-chain138.sh
 # Keep c* vs WETH but disable official USDT/WETH and USDC/WETH
 MESH_INCLUDE_OFFICIAL_WETH=0 ./scripts/create-pmm-full-mesh-chain138.sh
 # Preview only (no transactions)
 DRY_RUN=1 ./scripts/create-pmm-full-mesh-chain138.sh
 # Use a different desired-state file if needed
 POOL_CONFIG_JSON=/path/to/chain138-pmm-pools.json ./scripts/create-pmm-full-mesh-chain138.sh
 # Inventory desired-state vs on-chain before broadcast
 bash scripts/deployment/inventory-chain138-pmm-desired-state.sh
 ```
- The script uses `DODOPMMIntegration.createPool(base, quote, lpFeeRate, initialPrice, k, isOpenTWAP)` with defaults: `lpFeeRate=3`, `initialPrice=1e18`, `k=0.5e18`, `isOpenTWAP=false`.
+- The JSON file is now the source of truth for desired Chain 138 pools, including `c* vs c*`, `c* vs official`, and `* / WETH` groups.
- After each pool is created, it calls `DODOPMMProvider.registerPool(base, quote, pool)` so the pool is used for quotes and execution.
+- The sync script uses `DODOPMMIntegration.createPool(base, quote, lpFeeRate, initialPrice, k, isOpenTWAP)` with defaults from the JSON file unless overridden by env.
 - It only creates missing pools and only registers missing provider routes, so reruns are idempotent operational syncs rather than repeated “redeploy everything” passes.
 ### 1.4 Funding the mesh
--- a/docs/03-deployment/PMM_POOLS_FUNDING_PLAN.md
+++ b/docs/03-deployment/PMM_POOLS_FUNDING_PLAN.md
@@ -1,8 +1,10 @@
 # PMM Pools Funding Plan - Chain 138
 > Historical note (2026-03-26): this funding plan documents an earlier three-pool PMM phase. The live canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`. Current public funded pool addresses are maintained in [LIQUIDITY_POOLS_MASTER_MAP.md](../11-references/LIQUIDITY_POOLS_MASTER_MAP.md).
 **Purpose:** Step-by-step plan to fund the three DODO PMM liquidity pools on Chain 138.
 **Deployer:** `0x4A666F96fC8764181194447A7dFdb7d471b301C8`
-**Integration:** `DODOPMMIntegration` at `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`
+**Integration:** `DODOPMMIntegration` at `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`
 ---
@@ -10,9 +12,9 @@
 | Pool | Base token | Quote token | Pool address | Fund when |
 |------|------------|-------------|--------------|-----------|
-| **1. cUSDT/cUSDC** | cUSDT | cUSDC | `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8` | Deployer has cUSDT + cUSDC (mintable) |
+| **1. cUSDT/cUSDC** | cUSDT | cUSDC | `0xff8d3b8fDF7B112759F076B69f4271D4209C0849` | Deployer has cUSDT + cUSDC (mintable) |
-| **2. cUSDT/USDT** | cUSDT | USDT (official) | `0xa3Ee6091696B28e5497b6F491fA1e99047250c59` | Deployer has cUSDT + official USDT |
+| **2. cUSDT/USDT** | cUSDT | USDT (official) | `0x6fc60DEDc92a2047062294488539992710b99D71` | Deployer has cUSDT + official USDT |
-| **3. cUSDC/USDC** | cUSDC | USDC (official) | `0x90bd9Bf18Daa26Af3e814ea224032d015db58Ea5` | Deployer has cUSDC + official USDC |
+| **3. cUSDC/USDC** | cUSDC | USDC (official) | `0x9f74Be42725f2Aa072a9E0CdCce0E7203C510263` | Deployer has cUSDC + official USDC |
 - **Pool 1** uses only c* tokens; you can mint both on Chain 138 and fund fully.
 - **Pools 2 and 3** need "official" USDT/USDC on 138 (set in DODOPMMIntegration at deploy time). If those are deployer-owned mocks, mint them too; otherwise fund only from existing balance.
@@ -83,8 +85,8 @@ From repo root, with smom-dbis-138/.env sourced:
 ```bash
 cd smom-dbis-138 && source .env
-INT=0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D
+INT=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d
-POOL1=0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8
+POOL1=0xff8d3b8fDF7B112759F076B69f4271D4209C0849
 CUSDT=0x93E66202A11B1772E55407B32B44e5Cd8eda7f22
 CUSDC=0xf22258f57794CC8E06237084b353Ab30fFfa640b
 RPC="$RPC_URL_138"
@@ -104,7 +106,7 @@ cast send "$INT" "addLiquidity(address,uint256,uint256)" "$POOL1" "$BASE_AMOUNT"
 ```bash
 cd smom-dbis-138 && source .env
-export POOL_CUSDTCUSDC=0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8
+export POOL_CUSDTCUSDC=0xff8d3b8fDF7B112759F076B69f4271D4209C0849
 export ADD_LIQUIDITY_BASE_AMOUNT=1000000000000
 export ADD_LIQUIDITY_QUOTE_AMOUNT=1000000000000
--- a/docs/03-deployment/PRE_DEPLOYMENT_CHECKLIST.md
+++ b/docs/03-deployment/PRE_DEPLOYMENT_CHECKLIST.md
@@ -1,6 +1,6 @@
 # Pre-Deployment Checklist — DODO PMM, Pools, Provider, Router & APIs
-**Last Updated:** 2026-02-28  
+**Last Updated:** 2026-03-26  
 **Purpose:** Single source of truth for component status and ordered steps required before deployment (Chain 138).
 **See also:** [DEPLOYMENT_ORDER_OF_OPERATIONS.md](DEPLOYMENT_ORDER_OF_OPERATIONS.md) — full deployment order (Phase 0–6) and remaining recommendations.
@@ -18,9 +18,9 @@
 | Component | Status | Address / Notes |
 |-----------|--------|-----------------|
-| **DODOPMMIntegration** | ✅ Deployed | Chain 138: `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` (Mock DVM). |
+| **DODOPMMIntegration** | ✅ Deployed | Chain 138 canonical corrected stack: `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`. |
-| **PMM pools (cUSDT/cUSDC, cUSDT/USDT, cUSDC/USDC)** | ✅ Created | cUSDT/cUSDC: `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8`; cUSDT/USDT: `0xa3Ee6091696B28e5497b6F491fA1e99047250c59`; cUSDC/USDC: `0x90bd9Bf18Daa26Af3e814ea224032d015db58Ea5`. |
+| **PMM pools** | ✅ Reconciled | 104 desired-state pools aligned; live funded public pools include cUSDT/cUSDC `0xff8d3b8fDF7B112759F076B69f4271D4209C0849`, cUSDT/USDT `0x6fc60DEDc92a2047062294488539992710b99D71`, cUSDC/USDC `0x9f74Be42725f2Aa072a9E0CdCce0E7203C510263`, cUSDT/cXAUC `0x94316511621430423a2cff0C036902BAB4aA70c2`, cUSDC/cXAUC `0x7867D58567948e5b9908F1057055Ee4440de0851`, cEURT/cXAUC `0x505403093826D494983A93b43Aa0B8601078A44e`. |
-| **DODOPMMProvider** | ✅ Deployed | `0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0`; all three pools registered via `script/liquidity/RegisterDODOPools.s.sol`. |
+| **DODOPMMProvider** | ✅ Deployed | `0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`; 104/104 desired-state routes aligned. |
 | **EnhancedSwapRouter** | ❌ Not deployed | Mainnet-only script today; for Chain 138 deploy when Uniswap/Balancer pools exist; set quoter/poolId. |
 | **Token-aggregation API** | ✅ Implemented, runnable | Single-hop quotes; can index DODO once pools exist (set `CHAIN_138_DODO_PMM_INTEGRATION`). |
 | **Bridge quote (swap+bridge+swap)** | ✅ Implemented | `POST /api/bridge/quote`; on-chain coordinator optional. |
@@ -42,7 +42,7 @@
 - [ ] **Env set in `smom-dbis-138/.env` only**  
  Required: `PRIVATE_KEY`, `RPC_URL_138` (must be Core RPC, not Public).  
-  For PMM: `DODO_PMM_INTEGRATION_ADDRESS=0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`.  
+  For PMM: `DODO_PMM_INTEGRATION_ADDRESS=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`, `DODO_PMM_PROVIDER_ADDRESS=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.  
  Optional: `GAS_PRICE_138` or `GAS_PRICE` (default 1 gwei).  
  After TransactionMirror deploy: set `TRANSACTION_MIRROR_ADDRESS` from script output.  
  Verify: `cd smom-dbis-138 && ./scripts/deployment/check-env-required.sh`.
@@ -100,7 +100,7 @@ This deploys TransactionMirror then creates **only** the cUSDT/cUSDC pool. For m
 ```bash
 cd smom-dbis-138
-export DODO_PMM_INTEGRATION="${DODO_PMM_INTEGRATION_ADDRESS:-0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D}"
+export DODO_PMM_INTEGRATION="${DODO_PMM_INTEGRATION_ADDRESS:-0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d}"
 export RPC_URL_138="${RPC_URL_138:-http://192.168.11.211:8545}"
 export GAS_PRICE="${GAS_PRICE_138:-${GAS_PRICE:-1000000000}}"
@@ -149,7 +149,7 @@ Current deploy script is mainnet-only (`block.chainid == 1`). For Chain 138:
 ### Step 6: Token-aggregation API (DODO indexing)
- Ensure `CHAIN_138_DODO_PMM_INTEGRATION=0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` (or equivalent) is set where the token-aggregation service runs. Optional: `CHAIN_138_DODO_POOL_MANAGER`, `CHAIN_138_DODO_VENDING_MACHINE` (see token-aggregation `.env.example` and [dex-factories.ts](../../smom-dbis-138/services/token-aggregation/src/config/dex-factories.ts)).
+- Ensure `CHAIN_138_DODO_PMM_INTEGRATION=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` (or equivalent) is set where the token-aggregation service runs. Optional: `CHAIN_138_DODO_POOL_MANAGER`, `CHAIN_138_DODO_VENDING_MACHINE` (see token-aggregation `.env.example` and [dex-factories.ts](../../smom-dbis-138/services/token-aggregation/src/config/dex-factories.ts)).
 - Once pools exist, the service can index DODO pools from DODOPMMIntegration and expose single-hop quotes.
 ### Step 7: On-chain verification
--- a/docs/03-deployment/PRE_START_AUDIT_PLAN.md
+++ b/docs/03-deployment/PRE_START_AUDIT_PLAN.md
@@ -72,7 +72,7 @@
 ### DBIS Core
 - 192.168.11.105-106 (PostgreSQL)
- 192.168.11.120 (Redis)
+- 192.168.11.125 (Redis, VMID 10120 dbis-redis)
 - 192.168.11.130 (Frontend)
 - 192.168.11.155-156 (API)
--- a/docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md
+++ b/docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md
@@ -0,0 +1,143 @@
 # Proxmox VE — Operational deployment template
 **Last Updated:** 2026-03-25  
 **Status:** Active — ties hypervisors, LAN/WAN, cluster peering, Chain 138 Besu tiers, NPMplus ingress, FQDNs, and deployment gates into one place.
 **Machine-readable:** [`config/proxmox-operational-template.json`](../../config/proxmox-operational-template.json) (sync when you change VMIDs/IPs/FQDNs).
 **Authoritative detail (do not drift):**
 - VMID, port, status tables: [`docs/04-configuration/ALL_VMIDS_ENDPOINTS.md`](../04-configuration/ALL_VMIDS_ENDPOINTS.md)
 - Shell/env single source: [`config/ip-addresses.conf`](../../config/ip-addresses.conf)
 - Edge, port forwards, four NPMplus picture: [`docs/11-references/NETWORK_CONFIGURATION_MASTER.md`](../11-references/NETWORK_CONFIGURATION_MASTER.md)
 - Contract deploy order / gates: [`docs/03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md`](DEPLOYMENT_ORDER_OF_OPERATIONS.md)
 ---
 ## 1. Proxmox VE hosts (management)
 | Hostname | MGMT IP | Proxmox UI | Cluster | Role (target) |
 |----------|---------|------------|---------|----------------|
 | ml110 | 192.168.11.10 | https://192.168.11.10:8006 | h (legacy) | Planned WAN aggregator (OPNsense/pfSense); **migrate CT/VM off before repurpose** |
 | r630-01 | 192.168.11.11 | https://192.168.11.11:8006 | h | Primary: Chain 138 RPC/CCIP-adjacent workloads, Sankofa Phoenix stack, much of DBIS |
 | r630-02 | 192.168.11.12 | https://192.168.11.12:8006 | h | Firefly, MIM4U, Mifos LXC, extra NPMplus instances, supporting infra |
 **LAN:** 192.168.11.0/24, gateway **192.168.11.1** (UDM Pro), VLAN 11. Extended node IP plan (r630-03 …): `config/ip-addresses.conf` comments.
 ---
 ## 2. Cluster peering (Corosync / quorum)
 | Item | Value / note |
 |------|----------------|
 | Cluster name | **h** (verify live: `pvecm status`) |
 | Ring | Typically same L2/L3 as MGMT — **192.168.11.0/24** |
 | UDP ports | **5405–5412** between all nodes (+ SSH 22, API **8006** TCP) |
 | Quorum | Odd node count preferred; during ml110 removal use 2-node awareness (risk window) or add qdevice |
 Cluster and UDM: [`docs/04-configuration/UDM_PRO_PROXMOX_CLUSTER.md`](../04-configuration/UDM_PRO_PROXMOX_CLUSTER.md). **Live inventory:** [`docs/04-configuration/ALL_VMIDS_ENDPOINTS.md`](../04-configuration/ALL_VMIDS_ENDPOINTS.md), [`config/proxmox-operational-template.json`](../../config/proxmox-operational-template.json).
 ---
 ## 3. Chain 138 Besu — peering model (summary)
 | Layer | VMID range (typical) | IPv4 pattern | P2P |
 |--------|----------------------|--------------|-----|
 | Validators | 1000–1004 | 192.168.11.100–104 | 30303 — **to sentries**, not raw public |
 | Sentries | 1500–1506 | .150–.154, .213–.214 | Boundary / fan-out |
 | Core RPC (deploy) | 2101 | **192.168.11.211** | 8545/8546 + 30303 |
 | Core RPC (Nathan core-2) | 2102 | **192.168.11.212** | NPMplus **10235** / tunnel |
 | Public RPC | 2201 | **192.168.11.221** | Frontends / bridge / read-mostly |
 | Named RPC | 2303–2308 | .233–.238 | Partner-dedicated |
 | ThirdWeb stack | 2400–2403 | .240–.243 | Includes translator/nginx on 2400 |
 Canonical roles and adjacency rules: [`docs/02-architecture/CHAIN138_CANONICAL_NETWORK_ROLES_VALIDATORS_SENTRY_AND_RPC.md`](../02-architecture/CHAIN138_CANONICAL_NETWORK_ROLES_VALIDATORS_SENTRY_AND_RPC.md).
 ---
 ## 4. NPMplus and public ingress
 | VMID | Internal IP(s) | Public IP (typical) | Purpose |
 |------|----------------|---------------------|---------|
 | 10233 | 192.168.11.166 / **.167** | 76.53.10.36 | Main d-bis.org, explorer, Option B RPC, MIM4U |
 | 10234 | 192.168.11.168 | 76.53.10.37 | Secondary HA (confirm running) |
 | 10235 | 192.168.11.169 | 76.53.10.38 (alt **76.53.10.42**) | rpc-core-2, Alltra, HYBX |
 | 10236 | 192.168.11.170 | 76.53.10.40 | Dev / Codespaces tunnel, Gitea, Proxmox admin |
 | 10237 | 192.168.11.171 | (tunnel/Mifos) | mifos.d-bis.org → VMID 5800 |
 UDM Pro forwards **80 / 443** (and **81** where documented) to the matching internal IP. Detail: [`docs/04-configuration/NPMPLUS_FOUR_INSTANCES_MASTER.md`](../04-configuration/NPMPLUS_FOUR_INSTANCES_MASTER.md).
 ---
 ## 5. FQDN → backend (high level)
 Use the full table in **ALL_VMIDS_ENDPOINTS** (“NPMplus Endpoint Configuration Reference”). Critical correctness checks:
 - **explorer.d-bis.org** → VMID **5000**, **192.168.11.140** (not Sankofa IPs).
 - **sankofa.nexus** / **phoenix.sankofa.nexus** → VMID **7801** / **7800** at **.51:3000** / **.50:4000**.
 - **rpc-http-prv / rpc-ws-prv** → **2101** (.211); **rpc-http-pub / rpc-ws-pub** → **2201** (.221).
 - **rpc.public-0138.defi-oracle.io** → **2400** **192.168.11.240:443** (update NPM if still pointing at decommissioned IPs).
 **the-order.sankofa.nexus:** NPMplus → order HAProxy **10210** @ **192.168.11.39:80** (proxies to Sankofa portal **192.168.11.51:3000**). See `scripts/deployment/provision-order-haproxy-10210.sh`.
 ### 5.1 Order stack (live VMIDs, r630-01 unless noted)
 | VMID | Hostname | IP | Role (short) |
 |------|----------|-----|----------------|
 | 10030 | order-identity | 192.168.11.40 | Identity |
 | 10040 | order-intake | 192.168.11.41 | Intake |
 | 10050 | order-finance | 192.168.11.49 | Finance |
 | 10060 | order-dataroom | 192.168.11.42 | Dataroom |
 | 10070 | order-legal | **192.168.11.87** | Legal — **moved off .54 2026-03-25** (`IP_ORDER_LEGAL`); .54 is **only** VMID 7804 gov-portals |
 | 10080 | order-eresidency | 192.168.11.43 | eResidency |
 | 10090 | order-portal-public | 192.168.11.36 | Public portal |
 | 10091 | order-portal-internal | 192.168.11.35 | Internal portal |
 | 10092 | order-mcp-legal | 192.168.11.37 | MCP legal |
 | 10200 | order-prometheus | 192.168.11.46 | Metrics |
 | 10201 | order-grafana | 192.168.11.47 | Dashboards |
 | 10202 | order-opensearch | 192.168.11.48 | Search |
 | 10210 | order-haproxy | 192.168.11.39 | Edge / HAProxy |
 **Redis:** `ORDER_REDIS_IP` = 192.168.11.38 in `ip-addresses.conf` — bind to live VMID via `pct list` / audit script.
 ---
 ## 6. Deployment requirements (cross-domain)
 ### 6.1 Platform (Proxmox / network)
 - [ ] All cluster nodes **quorate**; storage sufficient for CT/VM disks (local-lvm / future Ceph per master plan).
 - [ ] **vmbr0** VLAN-aware; each workload IP **unique** on 192.168.11.0/24 (see ALL_VMIDS conflict section).
 - [ ] UDM Pro routes and port-forwards match **NETWORK_CONFIGURATION_MASTER**.
 - [ ] NPMplus proxy host rows match **ALL_VMIDS** (no Blockscout IP on Sankofa hostnames).
 ### 6.2 Chain 138 (contracts / ops)
 - [ ] **Core RPC** 2101 reachable: `http://192.168.11.211:8545` for **deploy only** (not public RPC).
 - [ ] `smom-dbis-138/.env`: `PRIVATE_KEY`, `RPC_URL_138`, nonce discipline — **DEPLOYMENT_ORDER_OF_OPERATIONS** Phase 0.
 - [ ] Optional: `./scripts/deployment/preflight-chain138-deploy.sh` before any broadcast.
 ### 6.3 Application / operator
 - [ ] Repo **`.env`** + **`smom-dbis-138/.env`** for operator scripts (`scripts/lib/load-project-env.sh`).
 - [ ] Blockscout / verify / NPM backup scripts per **OPERATOR_READY_CHECKLIST** when doing release ops.
 ---
 ## 7. Maintaining this template
 1. Change **ALL_VMIDS_ENDPOINTS** and/or **ip-addresses.conf** first (operator truth).
 2. Update **`config/proxmox-operational-template.json`** so automation (future CMDB, checks) stays aligned.
 3. Run **`./scripts/validation/validate-config-files.sh`** (includes JSON shape check for the template).
 4. **Live diff (read-only, SSH):** from repo root on a host with SSH to Proxmox nodes: **`bash scripts/verify/audit-proxmox-operational-template.sh`**. Compares template VMIDs to `pct`/`qm` lists on ML110 + R630s (override **`PROXMOX_HOSTS`** if needed).
 ---
 ## 8. Related runbooks
 | Topic | Doc |
 |-------|-----|
 | Operational runbooks index | [`OPERATIONAL_RUNBOOKS.md`](OPERATIONAL_RUNBOOKS.md) |
 | Phoenix / Sankofa deploy | [`PHOENIX_DEPLOYMENT_RUNBOOK.md`](PHOENIX_DEPLOYMENT_RUNBOOK.md) |
 | NPMplus health | [`docs/04-configuration/NPMPLUS_QUICK_REF.md`](../04-configuration/NPMPLUS_QUICK_REF.md) |
 | 13-node / HA roadmap | [`docs/02-architecture/R630_13_NODE_DOD_HA_MASTER_PLAN.md`](../02-architecture/R630_13_NODE_DOD_HA_MASTER_PLAN.md) |
--- a/docs/03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md
+++ b/docs/03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md
@@ -0,0 +1,120 @@
 # Public sector live deployment checklist (Complete Credential, SMOA, Phoenix)
 **Last updated:** 2026-03-26  
 **Related:** [PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](../02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md), [COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md](../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md), [DEPLOY_CONFIRM_AND_FULL_E2E_RUNBOOK.md](../00-meta/DEPLOY_CONFIRM_AND_FULL_E2E_RUNBOOK.md), [`config/public-sector-program-manifest.json`](../../config/public-sector-program-manifest.json)
 This checklist tracks **proxmox-repo automation** and **sibling repos** (`../complete-credential`, `../smoa`). Rows marked **Done (session)** were executed from an operator host with LAN access unless noted.
 ---
 ## Execution log (2026-03-23)
 | Action | Result |
 |--------|--------|
 | Sankofa `api` + `portal` (workstation) | API: `websocket.ts` imports `logger`; GraphQL/schema fixes under `api/src`. Portal: Apollo + dashboard GraphQL, UI primitives, **`root: true`** `.eslintrc.json` with **`@typescript-eslint` + strict `no-explicit-any` / `no-console` / a11y / `import/order`** (optional hardening: lib clients typed with `unknown`, form `htmlFor`/`id`, escaped entities). **`pnpm exec tsc --noEmit`** + **`pnpm build`** clean. **Deploy:** sync `portal/` (+ lockfile) to CT **7801**, `pnpm install && pnpm build`, restart `sankofa-portal`; sync **7800** API if needed |
 ## Execution log (2026-03-26)
 | Action | Result |
 |--------|--------|
 | `./scripts/run-all-operator-tasks-from-lan.sh` (live, no `--dry-run`) | Exit 0 (~36 min); W0-1 NPMplus RPC/proxy host updates; W0-3 live NPMplus backup; Blockscout verification step ran |
 | NPMplus update script | Some hosts logged duplicate-create then PUT recovery; `rpc.tw-core.d-bis.org` and `*.tw-core.d-bis.org` showed repeated failures — **review those rows in NPM UI** if traffic depends on them |
 | `scripts/maintenance/diagnose-vm-health-via-proxmox-ssh.sh` | Completed: Phoenix CTs **7800–7803** running on r630-01; NPMplus **10233** up; port 81 check OK |
 | `scripts/maintenance/npmplus-verify-port81.sh` | **Restored** in repo; loopback :81 returns HTTP 301 (redirect) — treated as reachable |
 | `pct exec 7800` / `7801`: `ss -tlnp` | **As of 2026-03-26 session:** no listeners. **As of 2026-03-23 follow-up:** **7800** API can reach `active` + `/health` on **:4000** when `sankofa-api` is deployed; **7801** portal needs **current** portal tree + successful **`pnpm build`** on the CT (see 2026-03-23 log row above) |
 | `pct exec 7802` Keycloak | `http://127.0.0.1:8080/` → **200**; `/health/ready` → 404 (version may use different health path) |
 | `./scripts/run-completable-tasks-from-anywhere.sh` | Exit 0 |
 | `E2E_ACCEPT_502_INTERNAL=1 ./scripts/verify/verify-end-to-end-routing.sh` | 0 failed; report `docs/04-configuration/verification-evidence/e2e-verification-20260325_182512/` |
 | `./scripts/verify/run-contract-verification-with-proxy.sh` | Exit 0 |
 | `complete-credential` Phase 1 compose + `run-phase1-synthetic.sh` | OK (operator console 8087 = 200) |
 | `../smoa`: `./gradlew :app:assembleDebug` | BUILD SUCCESSFUL; APK: `smoa/app/build/outputs/apk/debug/app-debug.apk` |
 | `scripts/deployment/sync-sankofa-portal-7801.sh` + NPM alignment | Portal tree synced to CT **7801**, `pnpm install` + `pnpm build`, `sankofa-portal` **active** (`*:3000`). NPM proxy IDs **3–6**: `sankofa.nexus` / `www` → **192.168.11.51:3000**; `phoenix.sankofa.nexus` / `www` → **192.168.11.50:4000**. Repeatable deploy: `./scripts/deployment/sync-sankofa-portal-7801.sh` (`--dry-run` first). |
 | `validate-config-files.sh` / `run-completable-tasks-from-anywhere.sh` | Exit 0 |
 ---
 ## Execution log (2026-03-25)
 | Action | Result |
 |--------|--------|
 | RPC `192.168.11.221:8545` / `192.168.11.211:8545` | HTTP 201 |
 | SSH `root@192.168.11.10` / `.11` | OK (BatchMode) |
 | `./scripts/run-completable-tasks-from-anywhere.sh` | Exit 0 |
 | `./scripts/verify/check-contracts-on-chain-138.sh` | 59/59 present |
 | `E2E_ACCEPT_502_INTERNAL=1 ./scripts/verify/verify-end-to-end-routing.sh` | 37 domains, 0 failed; report under `docs/04-configuration/verification-evidence/e2e-verification-20260325_165153/` |
 | `https://phoenix.sankofa.nexus/`, `https://sankofa.nexus/` | HTTP 200 |
 | `http://192.168.11.50:4000/health`, `:51:3000`, `:52:8080/health/ready` | No HTTP response from operator host (hosts ping; services may be down, firewalled, or not bound) — **re-check on Proxmox / in-container** |
 | `./scripts/verify/backup-npmplus.sh --dry-run` | OK |
 | `./scripts/verify/run-contract-verification-with-proxy.sh` | Exit 0 |
 | `./scripts/run-all-operator-tasks-from-lan.sh --dry-run` | Printed wave0 + verify sequence |
 | `cd smom-dbis-138 && forge test --match-path 'test/e2e/*.sol'` | Exit 0 |
 | `cd ../smoa && ./gradlew smoaVerify --no-daemon` | Exit 0 |
 | `complete-credential`: `git submodule status` | Submodules present on commits |
 | `docker compose -f integration/docker-compose.phase1.yml config` | Valid |
 | `docker compose -f integration/docker-compose.phase1.yml up -d` | All Phase 1 containers up |
 | Rebuild + recreate `cc-operator-console`; `./integration/run-phase1-synthetic.sh` | OK |
 ---
 ## Checklist
 | ID | Task | Status |
 |----|------|--------|
 | A1 | LAN / VPN; Proxmox SSH | Done (session) |
 | A2 | Root `.env` + `smom-dbis-138/.env` for operator | Operator to confirm secrets present |
 | A3 | `config/public-sector-program-manifest.json` valid | Done (completable) |
 | B1 | NPMplus proxy + TLS for public FQDNs | **Done (2026-03-26)** — `run-wave0-from-lan.sh` / update script applied; spot-check `rpc.tw-core` / `*.tw-core` in NPM if needed |
 | B2 | `scripts/verify/backup-npmplus.sh` (live) | **Done (2026-03-26)** — W0-3 as part of `run-all-operator-tasks-from-lan.sh` |
 | B3 | `scripts/maintenance/npmplus-verify-port81.sh` | **Done** — script restored; SSH `pct exec 10233` loopback :81 |
 | C1 | Phoenix stack VMIDs 7800–7803 per `SERVICE_DESCRIPTIONS.md` | **7802 Keycloak:** HTTP 200 on `/` inside CT. **7800 API:** listener **:4000** (`/health` OK). **7801 portal:** `sankofa-portal` active, Next on **:3000** (sync via `scripts/deployment/sync-sankofa-portal-7801.sh`) |
 | C2 | Keycloak realms: admin / tenant / org-unit RBAC | Product + IdP work — not automated here |
 | C3 | Phoenix API + portal wired; GraphQL `/graphql`, `/health` | **API:** `curl -sS http://192.168.11.50:4000/health`. **Portal:** `curl -sS http://192.168.11.51:3000/` (Next HTML). NPM: apex `sankofa` / `phoenix` hosts → **.51:3000** / **.50:4000** (not Blockscout) |
 | C4 | Service catalog SKUs + entitlements (billing optional) | Product — see tenancy baseline G2 |
 | D1 | SMOA LXC per `smoa/backend/docs/LXC-PROXMOX-CONTAINERS.md` | Deploy on Proxmox |
 | D2 | SMOA API behind NPM | After D1 |
 | D3 | Release APK + download URL or MDM | **Debug APK built (2026-03-26):** `../smoa/app/build/outputs/apk/debug/app-debug.apk` — publish via CI signed release + NPM/static URL or MDM |
 | D4 | Device E2E against prod API | After D2–D3 |
 | E1 | `complete-credential` submodules initialized | Done (session) |
 | E2 | Phase 1 Docker stack local/CI | Done (session) — not yet Proxmox production |
 | E3 | `./integration/run-phase1-synthetic.sh` after console rebuild | Done (session) |
 | E4 | Production slice / dedicated LXC for `cc-*` | Architecture choice (profile A/B/C) |
 | F1 | Chain 138 on-chain contract check | Done (session) |
 | F2 | Blockscout verification | Done (session) |
 | F3 | Public E2E routing | Done (session, 502-tolerant flag) |
 | G1 | Logs, metrics, DB backups for Phoenix + SMOA + CC DBs | Operational runbooks |
 | G2 | Incident ownership per stack | Process |
 ---
 ## Quick commands (repo root unless noted)
 ```bash
 ./scripts/run-completable-tasks-from-anywhere.sh
 source scripts/lib/load-project-env.sh && ./scripts/verify/check-contracts-on-chain-138.sh
 E2E_ACCEPT_502_INTERNAL=1 ./scripts/verify/verify-end-to-end-routing.sh
 ./scripts/verify/run-contract-verification-with-proxy.sh
 ./scripts/deployment/sync-sankofa-portal-7801.sh --dry-run   # then run without --dry-run (portal → CT 7801)
 ./scripts/verify/backup-npmplus.sh --dry-run   # then run without --dry-run
 ```
 **Complete Credential (sibling clone):**
 ```bash
 cd ../complete-credential
 docker compose -f integration/docker-compose.phase1.yml up -d --build
 ./integration/run-phase1-synthetic.sh
 ```
 **SMOA:**
 ```bash
 cd ../smoa && ./gradlew smoaVerify --no-daemon
 ```
 ---
 ## Follow-ups
 1. **Phoenix LAN services:** Curl `192.168.11.50:4000/health` and `192.168.11.51:3000/`; if portal is down, run `sync-sankofa-portal-7801.sh` or `systemctl status sankofa-portal` on CT **7801**.
 2. **Operator full wave:** `./scripts/run-all-operator-tasks-from-lan.sh` only when NPM RPC fix + backup + verify are intentionally desired (mutates NPM).
 3. **Production Complete Credential:** Move from laptop Docker to **dedicated LXC** and NPM routes per deployment profile.
--- a/docs/03-deployment/RECOMMENDATIONS_AND_FIXES_BEFORE_DEPLOY.md
+++ b/docs/03-deployment/RECOMMENDATIONS_AND_FIXES_BEFORE_DEPLOY.md
@@ -1,5 +1,7 @@
 # Recommendations and Fixes Before Deploying Smart Contracts and PMM Pools
 > Historical note (2026-03-26): this checklist spans earlier deployment phases and may reference superseded PMM workflows. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`. Use [ADDRESS_MATRIX_AND_STATUS.md](../11-references/ADDRESS_MATRIX_AND_STATUS.md) for live operations.
 **Last Updated:** 2026-02-27  
 **Purpose:** Single checklist of all **recommendations** and **required fixes** to complete before deploying smart contracts and PMM pools on Chain 138 (and related chains). Use this with [DEPLOYMENT_ORDER_OF_OPERATIONS.md](DEPLOYMENT_ORDER_OF_OPERATIONS.md) and [PRE_DEPLOYMENT_CHECKLIST.md](PRE_DEPLOYMENT_CHECKLIST.md).
@@ -18,7 +20,7 @@ These must be satisfied before **any** Chain 138 deployment. Run preflight once;
 | **1.1** | **Run preflight** | From repo root: `./scripts/deployment/preflight-chain138-deploy.sh [--cost]`. Verifies: dotenv exists, required env keys, RPC returns chainId 0x8a (138), deployer nonce (warns if stuck). Use `--cost` for gas/cost estimate. |
 | **1.2** | **Core RPC = IP:port, not FQDN** | In `smom-dbis-138/.env` set `RPC_URL_138=http://192.168.11.211:8545` (Core RPC, VMID 2101). Do **not** use `https://rpc-core.d-bis.org` for deployment (DNS/tunnel can fail). See [RPC_ENDPOINTS_MASTER](../04-configuration/RPC_ENDPOINTS_MASTER.md), [TODOS_CONSOLIDATED](../00-meta/TODOS_CONSOLIDATED.md) § 0b. |
 | **1.3** | **Deployer gas (Chain 138)** | Ensure deployer has ≥ ~0.006 ETH (recommended 1–2 ETH). Check: `RPC_URL_138=http://192.168.11.211:8545 ./scripts/deployment/check-deployer-balance-chain138-and-funding-plan.sh` or `cd smom-dbis-138 && ./scripts/deployment/check-balances-gas-and-deploy.sh`. |
-| **1.4** | **Env from smom-dbis-138/.env only** | All deploy secrets from **`smom-dbis-138/.env`** only. Required: `PRIVATE_KEY`, `RPC_URL_138`. For PMM: `DODO_PMM_INTEGRATION_ADDRESS=0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`. Optional: `GAS_PRICE_138`, `GAS_PRICE` (default 1 gwei). Verify: `cd smom-dbis-138 && ./scripts/deployment/check-env-required.sh`. |
+| **1.4** | **Env from smom-dbis-138/.env only** | All deploy secrets from **`smom-dbis-138/.env`** only. Required: `PRIVATE_KEY`, `RPC_URL_138`. For PMM: `DODO_PMM_INTEGRATION_ADDRESS=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`, `DODO_PMM_PROVIDER_ADDRESS=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`. Optional: `GAS_PRICE_138`, `GAS_PRICE` (default 1 gwei). Verify: `cd smom-dbis-138 && ./scripts/deployment/check-env-required.sh`. |
 | **1.5** | **No stuck transactions** | If nonce has pending txs or you see "Replacement transaction underpriced": run `./scripts/clear-all-transaction-pools.sh` then wait **~60s** before deploying. Prefer scripts that check nonce (e.g. `deploy-transaction-mirror-and-pmm-pool-after-txpool-clear.sh`). |
 | **1.6** | **RPC 2101 (Core) writable** | If Core was read-only: `./scripts/maintenance/make-rpc-vmids-writable-via-ssh.sh` then `./scripts/maintenance/health-check-rpc-2101.sh`. See [RPC_2101_READONLY_FIX.md](RPC_2101_READONLY_FIX.md). |
 | **1.7** | **Test all contracts** | Run **before** any deploy: `./scripts/deployment/test-all-contracts-before-deploy.sh`. Use `--dry-run` to print commands; `--no-match "Fork|Mainnet|Integration|e2e"` for unit-only; `--alltra` to include alltra-lifi-settlement. See [DEPLOYMENT_ORDER_OF_OPERATIONS](DEPLOYMENT_ORDER_OF_OPERATIONS.md) § Phase 0.8. |
@@ -71,7 +73,7 @@ If you plan to deploy **additional** tokens or vaults after core + PMM, ensure p
 | # | Item | Action |
 |---|------|--------|
-| 5.1 | **DODOPMMIntegration** | Already deployed: `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`. Ensure `DODO_PMM_INTEGRATION_ADDRESS` set in .env. |
+| 5.1 | **DODOPMMIntegration** | Already deployed: `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`. Ensure `DODO_PMM_INTEGRATION_ADDRESS` set in .env. |
 | 5.2 | **PMM pools (all three)** | cUSDT/cUSDC, cUSDT/USDT, cUSDC/USDC must be **created** (CreateCUSDTCUSDCPool, CreateCUSDTUSDTPool, CreateCUSDCUSDCPool). Use Core RPC only. |
 | 5.3 | **DODOPMMProvider** | Deploy via DeployDODOPMMProvider.s.sol; set `DODO_PMM_PROVIDER_ADDRESS` in .env. Register each pool: `provider.registerPool(tokenIn, tokenOut, poolAddress)`. |
 | 5.4 | **Liquidity (optional)** | Per pool: approve base/quote to DODOPMMIntegration, then `addLiquidity(pool, baseAmount, quoteAmount)`. See [DODO_PMM_INTEGRATION](../../smom-dbis-138/docs/integration/DODO_PMM_INTEGRATION.md). |
--- a/docs/03-deployment/REMAINING_DEPLOYMENTS_FOR_FULL_NETWORK_COVERAGE.md
+++ b/docs/03-deployment/REMAINING_DEPLOYMENTS_FOR_FULL_NETWORK_COVERAGE.md
@@ -1,5 +1,7 @@
 # Remaining Deployments for Full Network Coverage
 > Historical note (2026-03-26): this status tracker includes earlier PMM-address snapshots. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Last Updated:** 2026-03-04  
 **Purpose:** Ordered list of remaining deployments to achieve **maximum effective execution across all networks** (13-chain hub model: Chain 138 + 12 edge/alt). Use after [REQUIRED_FIXES_GAPS_AND_DEPLOYMENTS_LIST](../00-meta/REQUIRED_FIXES_GAPS_AND_DEPLOYMENTS_LIST.md) and [DEPLOYMENT_ORDER_OF_OPERATIONS](DEPLOYMENT_ORDER_OF_OPERATIONS.md).
@@ -14,7 +16,7 @@
 | Phase | Step | Status | Notes |
 |-------|------|--------|-------|
 | A | A.1 Mint cUSDT/cUSDC (138) | ✅ Done (2026-03-04) | Minted via `mint-for-liquidity.sh` using `GAS_PRICE_138=500000000000`; cUSDT/cUSDC mints confirmed at blocks 2551250/2551251/2551253/2551254. |
-| A | A.2 Add liquidity PMM (138) | ⚠️ Partial (2026-03-04) | `mint-for-liquidity.sh --add-liquidity` executed and added liquidity to cUSDT/cUSDC pool `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8`; later checks indicate funding state must be re-verified before proceeding. |
+| A | A.2 Add liquidity PMM (138) | ⚠️ Historical snapshot (2026-03-04) | Earlier run referenced cUSDT/cUSDC pool `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8` on a superseded stack; use [LIQUIDITY_POOLS_MASTER_MAP.md](../11-references/LIQUIDITY_POOLS_MASTER_MAP.md) for current live pools. |
 | B | B.1 Celo CCIP bridges | ✅ Done | Deployed; 0xD3AD6831aacB5386B8A25BB8D8176a6C8a026f04 (WETH9), 0xa4B9DD039565AeD9641D45b57061f99d9cA6Df08 (WETH10); .env updated; complete-config Celo→138 OK. |
 | B | **B.2a Add Cronos (25)** | ⏳ Pending | Fund deployer with ~15 CRO ([acquire-cro-and-wemix-gas.sh](../../scripts/deployment/acquire-cro-and-wemix-gas.sh)); set CRONOS_RPC, CCIP_ROUTER_CRONOS, WETH9_CRONOS, WETH10_CRONOS in .env; run `deploy-bridges-config-ready-chains.sh cronos` then `complete-config-ready-chains.sh`. |
 | B | B.2b Wemix CCIP bridges | 📋 Tabled | No route to acquire WEMIX from ETH/BNB/POLY in-repo; tabled until route exists or manual acquisition. Fund ~0.4 WEMIX ([acquire-cro-and-wemix-gas.sh](../../scripts/deployment/acquire-cro-and-wemix-gas.sh)); then `deploy-bridges-config-ready-chains.sh wemix` + complete-config. See [WEMIX_ACQUISITION_TABLED.md](WEMIX_ACQUISITION_TABLED.md). |
--- a/docs/03-deployment/REQUIRED_FIXES_AND_DEPLOYMENTS_STATUS.md
+++ b/docs/03-deployment/REQUIRED_FIXES_AND_DEPLOYMENTS_STATUS.md
@@ -1,5 +1,7 @@
 # Required Fixes and Deployments — Status
 > Historical note (2026-03-26): this tracker includes earlier PMM-address snapshots. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Last Updated:** 2026-02-28
 ## Required fixes
@@ -19,7 +21,7 @@
 ## On-chain verification (Chain 138)
 **Last run (2026-03-01):** `./scripts/verify/check-contracts-on-chain-138.sh` (use Core RPC URL or run from LAN).  
-**Result:** **59 present, 0 missing** (59 addresses per check-contracts-on-chain-138.sh; list expanded 2026-03-06). TransactionMirror: `0x7131F887DBEEb2e44c1Ed267D2A68b5b83285afc`. DODO cUSDT/cUSDC pool: `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8` (created). **DeployCompliantFiatTokens** was run 2026-02-27 (10 tokens: cEURC, cEURT, cGBPC, cGBPT, cAUDC, cJPYC, cCHFC, cCADC, cXAUC, cXAUT); see [CHAIN138_TOKEN_ADDRESSES](../11-references/CHAIN138_TOKEN_ADDRESSES.md).
+**Result:** **59 present, 0 missing** (59 addresses per check-contracts-on-chain-138.sh; list expanded 2026-03-06). TransactionMirror: `0x7131F887DBEEb2e44c1Ed267D2A68b5b83285afc`. Current canonical DODO cUSDT/cUSDC pool: `0xff8d3b8fDF7B112759F076B69f4271D4209C0849`. **DeployCompliantFiatTokens** was run 2026-02-27 (10 tokens: cEURC, cEURT, cGBPC, cGBPT, cAUDC, cJPYC, cCHFC, cCADC, cXAUC, cXAUT); see [CHAIN138_TOKEN_ADDRESSES](../11-references/CHAIN138_TOKEN_ADDRESSES.md).
 ---
@@ -28,7 +30,7 @@
 | Item | Address | Status |
 |------|---------|--------|
 | TransactionMirror | `0x7131F887DBEEb2e44c1Ed267D2A68b5b83285afc` | Deployed 2026-02-27. Set `TRANSACTION_MIRROR_ADDRESS` in smom-dbis-138/.env. |
-| DODO cUSDT/cUSDC pool | 0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8 | Created (all three PMM pools exist). Add liquidity via [ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK](ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md). |
+| DODO cUSDT/cUSDC pool | 0xff8d3b8fDF7B112759F076B69f4271D4209C0849 | Current canonical public pool on corrected stack. Add liquidity via [ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK](ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md). |
 | Compliant Fiat (10 tokens) | See CHAIN138_TOKEN_ADDRESSES | Deployed via DeployCompliantFiatTokens 2026-02-27. |
 ---
--- a/docs/03-deployment/UNDEPLOYED_CONTRACTS_PRE_DEPLOYMENT_TASKS.md
+++ b/docs/03-deployment/UNDEPLOYED_CONTRACTS_PRE_DEPLOYMENT_TASKS.md
@@ -1,5 +1,7 @@
 # Undeployed Contracts — Pre-Deployment Tasks
 > Historical note (2026-03-26): this pre-deployment checklist preserves an earlier PMM bring-up phase. The current canonical Chain 138 PMM stack is `DODOPMMIntegration=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` and `DODOPMMProvider=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`.
 **Last Updated:** 2026-02-28  
 **Execution summary (2026-02-27):** On-chain verification **36/38**. Two missing: TransactionMirror (set `TRANSACTION_MIRROR_ADDRESS` in .env from script output) and DODO cUSDT/cUSDC pool (0x9fcB...). **Deploy uses Core RPC only.** Before deploy: if Core was read-only, run `./scripts/maintenance/make-rpc-vmids-writable-via-ssh.sh` then `./scripts/maintenance/health-check-rpc-2101.sh`. See [REQUIRED_FIXES_AND_DEPLOYMENTS_STATUS.md](REQUIRED_FIXES_AND_DEPLOYMENTS_STATUS.md), [RPC_2101_READONLY_FIX.md](RPC_2101_READONLY_FIX.md).
@@ -9,7 +11,7 @@
 This checklist covers: **testing** anything not yet deployed, **checking deployer wallet gas**, **using the gas API to estimate deployment costs**, and **dry-running deployments** before live execution.
-**Optional env vars (add/set when needed):** In `smom-dbis-138/.env`, if missing, add (public addresses only): `DODO_PMM_INTEGRATION_ADDRESS=0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`, `QUOTE_TOKEN_ADDRESS=0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2`, `WETH_ADDRESS_138=0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2` so PMM pool script and dry-runs work with .env only. Check: `./scripts/deployment/check-env-required.sh`.
+**Optional env vars (add/set when needed):** In `smom-dbis-138/.env`, if missing, add (public addresses only): `DODO_PMM_INTEGRATION_ADDRESS=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`, `DODO_PMM_PROVIDER_ADDRESS=0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`, `QUOTE_TOKEN_ADDRESS=0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2`, `WETH_ADDRESS_138=0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2` so PMM pool script and dry-runs work with .env only. Check: `./scripts/deployment/check-env-required.sh`.
 ---
--- a/docs/03-deployment/VALIDATED_SET_DEPLOYMENT_GUIDE.md
+++ b/docs/03-deployment/VALIDATED_SET_DEPLOYMENT_GUIDE.md
@@ -290,6 +290,6 @@ After successful deployment:
 - [Besu Nodes File Reference](../06-besu/BESU_NODES_FILE_REFERENCE.md)
 - [Network Bootstrap Guide](../02-architecture/NETWORK_ARCHITECTURE.md) (network bootstrap section)
- [Boot Node Runbook](../archive/NEXT_STEPS_BOOT_VALIDATED_SET.md) (if using boot node)
+- [BESU_ALLOWLIST_RUNBOOK.md](../06-besu/BESU_ALLOWLIST_RUNBOOK.md) (permissioned / boot-node adjacency)
 - [Besu Allowlist Runbook](../06-besu/BESU_ALLOWLIST_RUNBOOK.md)
--- a/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
+++ b/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
@@ -1,9 +1,11 @@
 # Complete VMID and Endpoints Reference
-**Last Updated:** 2026-02-12  
+**Last Updated:** 2026-03-26  
 **Document Version:** 1.2  
 **Status:** Active Documentation — **Master (source of truth)** for VMID, IP, port, and domain mapping. See [MASTER_DOCUMENTATION_INDEX.md](../00-meta/MASTER_DOCUMENTATION_INDEX.md).
 **Operational template (hosts, peering, deployment gates, JSON):** [../03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](../03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](../../config/proxmox-operational-template.json)
 ---
 **Date**: 2026-01-20  
@@ -46,6 +48,8 @@
 **Note**: NPMplus primary is on VLAN 11 (192.168.11.167). Secondary NPMplus instance on r630-02 for HA configuration.
 **Operational note (2026-03-26):** if `192.168.11.167:81` accepts TCP but hangs without returning HTTP, CT `10233` may be wedged even when networking looks healthy. Rebooting it from `r630-01` with `pct reboot 10233` restored the expected `301` on port `81` and unblocked the API updater.
 ---
 ## RPC Translator Supporting Services
@@ -198,7 +202,7 @@ The following VMIDs have been permanently removed:
 |------|------------|----------|--------|-----------|---------|
 | 10100 | 192.168.11.105 | dbis-postgres-primary | ✅ Running | PostgreSQL: 5432 | Primary database |
 | 10101 | 192.168.11.106 | dbis-postgres-replica-1 | ✅ Running | PostgreSQL: 5432 | Database replica |
-| 10120 | 192.168.11.120 | dbis-redis | ✅ Running | Redis: 6379 | Cache layer |
+| 10120 | 192.168.11.125 | dbis-redis | ✅ Running | Redis: 6379 | Cache layer |
 | 10130 | 192.168.11.130 | dbis-frontend | ✅ Running | Web: 80, 443 | Frontend admin console |
 | 10150 | 192.168.11.155 | dbis-api-primary | ✅ Running | API: 3000 | Primary API server |
 | 10151 | 192.168.11.156 | dbis-api-secondary | ✅ Running | API: 3000 | Secondary API server |
@@ -245,12 +249,14 @@ The following VMIDs have been permanently removed:
 **Public Domains** (NPMplus routing):
 - `sankofa.nexus` → Routes to `http://192.168.11.51:3000` (Sankofa Portal/VMID 7801) ✅
- `www.sankofa.nexus` → Routes to `http://192.168.11.51:3000` (Sankofa Portal/VMID 7801) ✅
+- `www.sankofa.nexus` → Same upstream as apex; NPM **`advanced_config`** issues **301** to **`https://sankofa.nexus`** (preserve path/query via `$request_uri`). ✅
 - `phoenix.sankofa.nexus` → Routes to `http://192.168.11.50:4000` (Phoenix API/VMID 7800) ✅
- `www.phoenix.sankofa.nexus` → Routes to `http://192.168.11.50:4000` (Phoenix API/VMID 7800) ✅
+- `www.phoenix.sankofa.nexus` → Same upstream; **301** to **`https://phoenix.sankofa.nexus`**. ✅
- `the-order.sankofa.nexus` → ⚠️ **TBD** (not yet configured)
+- `the-order.sankofa.nexus` / `www.the-order.sankofa.nexus` → OSJ management portal (secure auth). App source: **the_order** at `~/projects/the_order`. NPMplus default upstream: **order-haproxy** `http://192.168.11.39:80` (VMID **10210**), which proxies to Sankofa portal `http://192.168.11.51:3000` (7801). Fallback: set `THE_ORDER_UPSTREAM_IP` / `THE_ORDER_UPSTREAM_PORT` to `.51` / `3000` if HAProxy is offline. **`www.the-order.sankofa.nexus`** → **301** **`https://the-order.sankofa.nexus`** (same as `www.sankofa` / `www.phoenix`).
 - `studio.sankofa.nexus` → Routes to `http://192.168.11.72:8000` (Sankofa Studio / VMID 7805)
 **Public verification evidence (2026-03-26):** `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` passed with `Failed: 0`; Sankofa root, Phoenix, Studio, and The Order returned `200`. See [verification_report.md](verification-evidence/e2e-verification-20260326_100057/verification_report.md).
 **Service Details:**
 - **Host:** r630-01 (192.168.11.11)
 - **Network:** VLAN 11 (192.168.11.0/24)
@@ -261,6 +267,28 @@ The following VMIDs have been permanently removed:
 ---
 ### The Order — microservices (r630-01)
 | VMID | IP Address | Hostname | Status | Endpoints | Purpose |
 |------|------------|----------|--------|-----------|---------|
 | 10030 | 192.168.11.40 | order-identity | ✅ Running | API | Identity |
 | 10040 | 192.168.11.41 | order-intake | ✅ Running | API | Intake |
 | 10050 | 192.168.11.49 | order-finance | ✅ Running | API | Finance |
 | 10060 | 192.168.11.42 | order-dataroom | ✅ Running | Web: 80 | Dataroom |
 | 10070 | **192.168.11.87** | order-legal | ✅ Running | API | Legal — **use `IP_ORDER_LEGAL` (.87); not .54** |
 | 10080 | 192.168.11.43 | order-eresidency | ✅ Running | API | eResidency |
 | 10090 | 192.168.11.36 | order-portal-public | ✅ Running | Web | Public portal |
 | 10091 | 192.168.11.35 | order-portal-internal | ✅ Running | Web | Internal portal |
 | 10092 | 192.168.11.37 | order-mcp-legal | ✅ Running | API | MCP legal |
 | 10200 | 192.168.11.46 | order-prometheus | ✅ Running | 9090 | Metrics (`IP_ORDER_PROMETHEUS`; not Order Redis) |
 | 10201 | 192.168.11.47 | order-grafana | ✅ Running | 3000 | Dashboards |
 | 10202 | 192.168.11.48 | order-opensearch | ✅ Running | 9200 | Search |
 | 10210 | 192.168.11.39 | order-haproxy | ✅ Running | 80 (HAProxy → portal :3000) | Edge for **the-order.sankofa.nexus**; HAProxy config via `config/haproxy/order-haproxy-10210.cfg.template` + `scripts/deployment/provision-order-haproxy-10210.sh` |
 **Gov portals vs Order:** VMID **7804** alone uses **192.168.11.54** (`IP_GOV_PORTALS_DEV`). Order-legal must not use .54.
 ---
 ### Phoenix Vault Cluster (8640-8642)
 | VMID | IP Address | Hostname | Status | Endpoints | Purpose |
@@ -368,7 +396,7 @@ Direct to RPC Nodes:
 1. **192.168.11.50**: ✅ **RESOLVED**
   - VMID 7800 (sankofa-api-1): 192.168.11.50 ✅ **UNIQUE**
-   - VMID 10070 (order-legal): Reassigned to 192.168.11.54 ✅
+   - VMID 10070 (order-legal): **192.168.11.87** (`IP_ORDER_LEGAL`) — moved off .54 2026-03-25 (ARP conflict with VMID 7804 gov-portals) ✅
 2. **192.168.11.51**: ✅ **RESOLVED**
   - VMID 7801 (sankofa-portal-1): 192.168.11.51 ✅ **UNIQUE**
@@ -384,7 +412,7 @@ Direct to RPC Nodes:
 **Verification:** ✅ All IPs verified unique, all services operational
-**Documentation:** See `docs/archive/root-status-reports/IP_CONFLICT_RESOLUTION_COMPLETE.md` for historical details.
+**IP conflicts (canonical):** [reports/status/IP_CONFLICTS_RESOLUTION_COMPLETE.md](../../reports/status/IP_CONFLICTS_RESOLUTION_COMPLETE.md); CCIP range move: [reports/status/IP_CONFLICTS_CCIP_RANGE_RESOLVED_20260201.md](../../reports/status/IP_CONFLICTS_CCIP_RANGE_RESOLVED_20260201.md). **Script:** `scripts/resolve-ip-conflicts.sh` (uses `config/ip-addresses.conf`).
 ---
@@ -481,7 +509,7 @@ This section lists all endpoints that should be configured in NPMplus, extracted
 | `www.sankofa.nexus` | `192.168.11.51` | `http` | `3000` | ❌ No | Sankofa Portal (VMID 7801) ✅ **Deployed** |
 | `phoenix.sankofa.nexus` | `192.168.11.50` | `http` | `4000` | ❌ No | Phoenix API - Cloud Platform Portal (VMID 7800) ✅ **Deployed** |
 | `www.phoenix.sankofa.nexus` | `192.168.11.50` | `http` | `4000` | ❌ No | Phoenix API (VMID 7800) ✅ **Deployed** |
-| `the-order.sankofa.nexus` | ⚠️ **TBD** | `http` | `TBD` | ❌ No | The Order Portal - ⚠️ **Not yet configured** |
+| `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus` | `192.168.11.39` (10210 HAProxy; default) or `192.168.11.51` (direct portal if env override) | `http` | `80` or `3000` | ❌ No | NPM → **.39:80** by default; HAProxy → **.51:3000** |
 | `studio.sankofa.nexus` | `192.168.11.72` | `http` | `8000` | ❌ No | Sankofa Studio (FusionAI Creator) — VMID 7805 |
 ### Path-Based Routing Notes
@@ -509,7 +537,7 @@ Some domains use path-based routing in NPM configs:
 | `explorer.d-bis.org` | 5000, 192.168.11.140:80 (web), :4000 (API) | — |
 | `sankofa.nexus`, `www.sankofa.nexus` | 7801, 192.168.11.51:3000 | 192.168.11.140 (Blockscout) |
 | `phoenix.sankofa.nexus`, `www.phoenix.sankofa.nexus` | 7800, 192.168.11.50:4000 | 192.168.11.140 (Blockscout) |
-| `the-order.sankofa.nexus` | TBD (when The Order portal is deployed) | 192.168.11.140 (Blockscout) |
+| `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus` | 10210, 192.168.11.39:80 | 192.168.11.140 (Blockscout) |
 | `studio.sankofa.nexus` | 7805, 192.168.11.72:8000 | — |
 If NPMplus proxy hosts for sankofa.nexus or phoenix.sankofa.nexus currently point to 192.168.11.140, update them to the correct IP:port above. See [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md) and table "Sankofa Phoenix Services" in this document.
@@ -518,7 +546,7 @@ If NPMplus proxy hosts for sankofa.nexus or phoenix.sankofa.nexus currently poin
 ---
-**Last Updated**: 2026-01-18  
+**Last Updated**: 2026-03-27  
 **Maintained By**: Infrastructure Team
 ---
--- a/docs/04-configuration/AS4_411_PHOENIX_SUBMODULE_AND_PUSH_ALL.md
+++ b/docs/04-configuration/AS4_411_PHOENIX_SUBMODULE_AND_PUSH_ALL.md
@@ -49,6 +49,6 @@ Running `bash scripts/dev-vm/push-all-projects-to-gitea.sh --dry-run` reports **
 ## References
- [CONTINUE_AND_COMPLETE.md](../archive/00-meta-pruned/CONTINUE_AND_COMPLETE.md) (archived) — Push-all and submodule steps in the main checklist
+- [NEXT_STEPS_INDEX.md](../00-meta/NEXT_STEPS_INDEX.md) · [OPERATOR_READY_CHECKLIST.md](../00-meta/OPERATOR_READY_CHECKLIST.md) — push/submodule steps follow your repo’s `push-to-gitea.sh` / submodule workflow after env is set
 - [NEXT_STEPS_ALL.md](../00-meta/NEXT_STEPS_ALL.md) — Quick command index
 - Sankofa marketplace: `docs/marketplace/sovereign-stack/`, portal.sankofa.nexus/marketplace
--- a/docs/04-configuration/CHAIN138_JWT_AUTH_REQUIREMENTS.md
+++ b/docs/04-configuration/CHAIN138_JWT_AUTH_REQUIREMENTS.md
@@ -151,7 +151,7 @@ location / {
 - [Missing Containers List](../03-deployment/MISSING_CONTAINERS_LIST.md)
 - [ChainID 138 Configuration Guide](../06-besu/CHAIN138_BESU_CONFIGURATION.md)
- [Access Control Model](../archive/fixes/CHAIN138_ACCESS_CONTROL_CORRECTED.md)
+- [BESU_ALLOWLIST_RUNBOOK.md](../06-besu/BESU_ALLOWLIST_RUNBOOK.md) — permissioned network access patterns
 - [Nginx JWT Auth](RPC_JWT_SETUP_COMPLETE.md) – JWT setup and scripts
 ---
--- a/docs/04-configuration/COINGECKO_API_KEY_SETUP.md
+++ b/docs/04-configuration/COINGECKO_API_KEY_SETUP.md
@@ -243,7 +243,7 @@ ssh root@192.168.11.10 "pct exec 3500 -- journalctl -u oracle-publisher -n 50 |
 - **Oracle Setup:** `docs/04-configuration/metamask/ORACLE_PRICE_FEED_SETUP.md`
 - **Token Aggregation:** `smom-dbis-138/services/token-aggregation/README.md`
- **Oracle Publisher:** `docs/archive/status/ORACLE_PUBLISHER_SERVICE_STATUS.md`
+- **Oracle Publisher (VMID 3500):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) (Oracle & Monitoring table)
 ---
--- a/docs/04-configuration/DEX_AND_AGGREGATORS_CHAIN138_EXPLAINER.md
+++ b/docs/04-configuration/DEX_AND_AGGREGATORS_CHAIN138_EXPLAINER.md
@@ -1,6 +1,6 @@
 # Using DEX and Aggregators with ChainID 138 Coins/Tokens — Explainer
-**Last Updated:** 2026-02-28  
+**Last Updated:** 2026-03-26  
 **Purpose:** Explain how to use DEXs and aggregators with coins/tokens from ChainID 138 (DeFi Oracle Meta Mainnet), and how routing works for swaps and cross-chain flows.
 ---
@@ -17,7 +17,7 @@
 | **WETH10** | `0xf4BB2e28688e89fCcE3c0580D37d36A7672E8A9f` | Alternative WETH; used in CCIP bridge flows |
 | **LINK** | `0xb7721dD53A8c629d9f1Ba31a5819AFe250002b03` | CCIP fee token; not typically a DEX pair |
-**Official reference tokens (for pool pairs):** USDT at `0x15DF1D5BFDD8Aa4b380445D4e3E9B38d34283619`, USDC per deployment. These are used in **cUSDT/USDT** and **cUSDC/USDC** DODO PMM pools so users can swap between compliant and official stablecoins.
+**Official reference tokens (for pool pairs):** USDT at `0x004b63A7B5b0E06f6bB6adb4a5F9f590BF3182D1`, USDC at `0x71D6687F38b93CCad569Fa6352c876eea967201b`. These are used in **cUSDT/USDT** and **cUSDC/USDC** DODO PMM pools so users can swap between compliant and official stablecoins.
 When building swap UIs or aggregator integrations, use these addresses for **tokenIn** / **tokenOut** and for resolving symbols (e.g. from token list or `/api/v1/tokens`).
@@ -27,20 +27,22 @@ When building swap UIs or aggregator integrations, use these addresses for **tok
 ### 2.1 Native DEX: DODO PMM
-On Chain 138, the primary DEX layer is **DODO-style PMM** (Proactive Market Maker) via:
+On Chain 138, the canonical DEX layer is the corrected **DODO-style PMM** stack via:
- **DODOPMMIntegration** — `0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D`  
+- **DODOPMMIntegration** — `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d`  
-  Creates and manages pools; exposes swap functions and pool state.
+  Corrected canonical integration; manages the full JSON-defined pool inventory.
- **DODOPMMProvider** — `0x8EF6657D2a86c569F6ffc337EE6b4260Bd2e59d0`  
+- **DODOPMMProvider** — `0x5CAe6Ce155b7f08D3a956F5Dc82fC9945f29B381`  
-  Used by routing/aggregation to get quotes and execute swaps for registered pools.
+  Corrected canonical provider; used by routing/aggregation to get quotes and execute swaps for registered pools.
-**Pools (created and registered):**
+**Core stable pools (canonical corrected-stack addresses):**
 | Pair | Pool address | Use case |
 |------|--------------|----------|
-| cUSDT / cUSDC | `0x9fcB06Aa1FD5215DC0E91Fd098aeff4B62fEa5C8` | Compliant↔compliant stablecoin |
+| cUSDT / cUSDC | `0xff8d3b8fDF7B112759F076B69f4271D4209C0849` | Compliant↔compliant stablecoin |
-| cUSDT / USDT | `0xa3Ee6091696B28e5497b6F491fA1e99047250c59` | Compliant↔official USDT |
+| cUSDT / USDT | `0x6fc60DEDc92a2047062294488539992710b99D71` | Compliant↔official USDT |
-| cUSDC / USDC | `0x90bd9Bf18Daa26Af3e814ea224032d015db58Ea5` | Compliant↔official USDC |
+| cUSDC / USDC | `0x9f74Be42725f2Aa072a9E0CdCce0E7203C510263` | Compliant↔official USDC |
 **Current canonical PMM state:** the corrected stack has a fully reconciled desired-state inventory with `104` existing pools and `104` aligned provider routes, including the broader `c* / c*`, `c* / official`, and `* / WETH` mesh.
 **How to swap on-chain (direct):**
@@ -176,7 +178,7 @@ The **explorer-monorepo** backend has a bridge aggregator that uses Li.Fi, Socke
 | Use case | Env / config |
 |----------|---------------|
-| **Token-aggregation indexing DODO on 138** | `CHAIN_138_DODO_PMM_INTEGRATION=0x79cdbaFBaA0FdF9F55D26F360F54cddE5c743F7D` (and RPC, DB). Optional: `CHAIN_138_DODO_POOL_MANAGER`, `CHAIN_138_DODO_VENDING_MACHINE`. |
+| **Token-aggregation indexing DODO on 138** | `CHAIN_138_DODO_PMM_INTEGRATION=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` (and RPC, DB). Optional: `CHAIN_138_DODO_POOL_MANAGER`, `CHAIN_138_DODO_VENDING_MACHINE`. |
 | **Uniswap on 138 (if deployed)** | `CHAIN_138_UNISWAP_V2_FACTORY`, `CHAIN_138_UNISWAP_V2_ROUTER`, `CHAIN_138_UNISWAP_V2_START_BLOCK` (and V3 equivalents). |
 | **Bridge quote (swap+bridge+swap)** | `RPC_URL`, `BRIDGE_REGISTRY_ADDRESS`; optional `ENHANCED_SWAP_ROUTER_ADDRESS`, `DESTINATION_RPC_URL`, `DESTINATION_SWAP_ROUTER_ADDRESS`. |
 | **Token list / MetaMask** | Token-aggregation `GET /api/v1/report/token-list?chainId=138` or static list; point MetaMask/dApp to this URL. |
--- a/docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md
+++ b/docs/04-configuration/DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md
@@ -1,7 +1,7 @@
 # DNS → NPMplus → VM Comprehensive Architecture Table
-**Last Updated:** 2026-01-31  
+**Last Updated:** 2026-03-27  
-**Document Version:** 1.0  
+**Document Version:** 1.1  
 **Status:** Active Documentation
 ---
@@ -62,7 +62,7 @@ Backend VMs (Various IPs) - Services with/without Nginx
 | `www.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 64 | 22 | `192.168.11.51:3000` | 7801 | 192.168.11.51 | sankofa-portal-1 | r630-01 | Sankofa Portal | ❌ No | 3000 | HTTP → 3000 |
 | `phoenix.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 51 | 23 | `192.168.11.50:4000` | 7800 | 192.168.11.50 | sankofa-api-1 | r630-01 | Phoenix API | ❌ No | 4000 | HTTP → 4000 |
 | `www.phoenix.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 63 | 24 | `192.168.11.50:4000` | 7800 | 192.168.11.50 | sankofa-api-1 | r630-01 | Phoenix API | ❌ No | 4000 | HTTP → 4000 |
-| `the-order.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 60 | 25 | ⚠️ TBD | TBD | TBD | — | — | The Order Portal | — | — | ⚠️ Configure when deployed |
+| `the-order.sankofa.nexus` | A | 76.53.10.36 | DNS Only | 60 | 25 | `192.168.11.39:80` | 10210 | 192.168.11.39 | order-haproxy | r630-01 | The Order (HAProxy→portal) | ❌ No | 80 | HTTP → 80 → `.51:3000` |
 | **defi-oracle.io Zone** |
 | `rpc.public-0138.defi-oracle.io` | A | 76.53.10.36 | DNS Only | 56 | 26 | `192.168.11.240:443` | 2400 | 192.168.11.240 | thirdweb-rpc-1 | ml110 | ThirdWeb RPC | ✅ Yes | 443 | HTTPS → 443 |
@@ -291,7 +291,7 @@ nginx on VMID 2400 (192.168.11.240:443):
 |--------|------------------|---------------------|
 | `sankofa.nexus`, `www.sankofa.nexus` | 192.168.11.51:3000 (VMID 7801) | 192.168.11.140 |
 | `phoenix.sankofa.nexus`, `www.phoenix.sankofa.nexus` | 192.168.11.50:4000 (VMID 7800) | 192.168.11.140 |
-| `the-order.sankofa.nexus` | TBD when The Order portal is deployed | 192.168.11.140 |
+| `the-order.sankofa.nexus`, `www.the-order.sankofa.nexus` | 192.168.11.39:80 (10210 HAProxy → .51:3000); www → 301 apex | 192.168.11.140 |
 **Action:** If any Sankofa/Phoenix proxy host in NPMplus points to 192.168.11.140 (Blockscout), update it to the correct IP:port above. Only `explorer.d-bis.org` should point to 192.168.11.140.
--- a/docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md
+++ b/docs/04-configuration/DNS_NPMPLUS_VM_STREAMLINED_TABLE.md
@@ -1,7 +1,7 @@
 # DNS → NPMplus → VM Streamlined Architecture Table
-**Last Updated:** 2026-01-31  
+**Last Updated:** 2026-03-27  
-**Document Version:** 1.0  
+**Document Version:** 1.1  
 **Status:** Active Documentation
 ---
@@ -59,17 +59,17 @@ Backend VMs (Various IPs) - Services with/without Nginx
 | `secure.mim4u.org` | 59 | 19 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Secure Portal |
 | `training.mim4u.org` | 61 | 20 | 7810 (mim-web-1) | 192.168.11.37 | 80 | ✅ Yes | MIM4U Training Portal |
-### sankofa.nexus Zone (5 Domains) ⚠️
+### sankofa.nexus zone (live backends)
-| Domain | SSL Cert | NPMplus Proxy | Backend VM | IP | Port | Has Nginx | Service Type | Status |
+| Domain | SSL Cert (ex.) | NPMplus Proxy (ex.) | Backend VM | IP | Port | Has Nginx | Service type | Status |
-|--------|----------|---------------|------------|----|----|-----------|--------------|--------|
+|--------|------------------|---------------------|------------|----|------|-----------|--------------|--------|
-| `sankofa.nexus` | 57 | 21 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Sankofa Main Portal | ⚠️ Not Deployed |
+| `sankofa.nexus` | 57 | 21 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal | ✅ Live |
-| `www.sankofa.nexus` | 64 | 22 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Sankofa Main Portal | ⚠️ Not Deployed |
+| `www.sankofa.nexus` | 64 | 22 | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa portal (301 apex) | ✅ Live |
-| `phoenix.sankofa.nexus` | 51 | 23 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Phoenix Site | ⚠️ Not Deployed |
+| `phoenix.sankofa.nexus` | 51 | 23 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API | ✅ Live |
-| `www.phoenix.sankofa.nexus` | 63 | 24 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | Phoenix Site | ⚠️ Not Deployed |
+| `www.phoenix.sankofa.nexus` | 63 | 24 | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API (301 apex) | ✅ Live |
-| `the-order.sankofa.nexus` | 60 | 25 | ⚠️ TBD | 192.168.11.140 ⚠️ | 80 ⚠️ | ⚠️ TBD | The Order Portal | ⚠️ Not Deployed |
+| `the-order.sankofa.nexus` | 60 | 25 | 10210 | 192.168.11.39 | 80 | ❌ No | Order via HAProxy→portal | ✅ Live |
-**⚠️ Note**: All Sankofa domains currently route to Blockscout (192.168.11.140) but services are NOT deployed. This is incorrect routing and needs to be fixed once services are deployed.
+**Note:** SSL cert and NPM proxy **IDs** differ per installation—verify in NPM UI. **IPs/ports** are authoritative vs Blockscout (`.140` is only for `explorer.d-bis.org`). See [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).
 ### defi-oracle.io Zone (3 Domains)
--- a/docs/04-configuration/E2E_ENDPOINTS_LIST.md
+++ b/docs/04-configuration/E2E_ENDPOINTS_LIST.md
@@ -6,6 +6,13 @@
 **Run E2E (public profile recommended):** `./scripts/verify/verify-end-to-end-routing.sh --profile=public` (from LAN with DNS or use `E2E_USE_SYSTEM_RESOLVER=1` and `/etc/hosts` per [E2E_DNS_FROM_LAN_RUNBOOK.md](E2E_DNS_FROM_LAN_RUNBOOK.md)).  
 **Run E2E (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --profile=private`.
 **What each hostname should present (operator narrative):** [FQDN_EXPECTED_CONTENT.md](FQDN_EXPECTED_CONTENT.md).
 **Latest verified public pass:** `2026-03-27` via `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` with report at [verification_report.md](verification-evidence/e2e-verification-20260327_134032/verification_report.md). Result: exit `0`, `DNS passed: 38`, `Failed: 0`, `HTTPS passed: 19`, `Skipped / optional: 1` (after `run-all-operator-tasks-from-lan.sh` NPM sync; `rpc.defi-oracle.io` may log HTTP 405 on the verifier probe but stays non-failing for the profile).
 **Latest verified private/admin pass:** `2026-03-27` via `bash scripts/verify/verify-end-to-end-routing.sh --profile=private` with report at [verification_report.md](verification-evidence/e2e-verification-20260327_134137/verification_report.md). Result: exit `0`, `DNS passed: 4`, `Failed: 0`.
 **Evidence folders:** Each run creates `verification-evidence/e2e-verification-YYYYMMDD_HHMMSS/`. Commit the runs you want on record; older dirs can be removed locally to reduce noise (`scripts/maintenance/prune-e2e-verification-evidence.sh --dry-run` lists candidates). Routing truth is **not** inferred from old reports—use [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).
 ## Verification profiles
 - **Public profile (default for routine E2E):** web, api, public RPC endpoints.
@@ -25,10 +32,11 @@
 | secure.mim4u.org | web | https://secure.mim4u.org | MIM4U secure portal. |
 | training.mim4u.org | web | https://training.mim4u.org | MIM4U training site. |
 | sankofa.nexus | web | https://sankofa.nexus | Sankofa Nexus root / web. |
-| www.sankofa.nexus | web | https://www.sankofa.nexus | Sankofa Nexus www. |
+| www.sankofa.nexus | web | https://www.sankofa.nexus | **301** to `https://sankofa.nexus` (canonical apex; NPM `advanced_config`). |
-| phoenix.sankofa.nexus | web | https://phoenix.sankofa.nexus | Phoenix (Sankofa) web app. |
+| phoenix.sankofa.nexus | web | https://phoenix.sankofa.nexus | Phoenix API (7800); E2E uses `/health` for HTTPS check. |
-| www.phoenix.sankofa.nexus | web | https://www.phoenix.sankofa.nexus | Phoenix www. |
+| www.phoenix.sankofa.nexus | web | https://www.phoenix.sankofa.nexus | **301** to `https://phoenix.sankofa.nexus` (canonical apex; NPM `advanced_config`). |
-| the-order.sankofa.nexus | web | https://the-order.sankofa.nexus | Hosted client on the Sankofa Phoenix cloud services platform. |
+| the-order.sankofa.nexus | web | https://the-order.sankofa.nexus | OSJ management portal (secure auth); app **the_order** at `~/projects/the_order`. NPM upstream default: **order-haproxy** VMID **10210** `http://192.168.11.39:80` → portal **192.168.11.51:3000** (`provision-order-haproxy-10210.sh`). Override with `THE_ORDER_UPSTREAM_*` for direct portal if 10210 is down. |
 | www.the-order.sankofa.nexus | web | https://www.the-order.sankofa.nexus | **301** to `https://the-order.sankofa.nexus` (canonical apex; NPM `advanced_config`). |
 | studio.sankofa.nexus | web | https://studio.sankofa.nexus | Sankofa Studio (FusionAI Creator) at VMID 7805. |
 | cacti-alltra.d-bis.org | web | https://cacti-alltra.d-bis.org | Cacti monitoring UI for Alltra. |
 | cacti-hybx.d-bis.org | web | https://cacti-hybx.d-bis.org | Cacti monitoring UI for HYBX. |
@@ -75,6 +83,7 @@
 | phoenix.sankofa.nexus | https://phoenix.sankofa.nexus |
 | www.phoenix.sankofa.nexus | https://www.phoenix.sankofa.nexus |
 | the-order.sankofa.nexus | https://the-order.sankofa.nexus |
 | www.the-order.sankofa.nexus | https://www.the-order.sankofa.nexus |
 | studio.sankofa.nexus | https://studio.sankofa.nexus |
 | cacti-alltra.d-bis.org | https://cacti-alltra.d-bis.org |
 | cacti-hybx.d-bis.org | https://cacti-hybx.d-bis.org |
@@ -148,6 +157,8 @@ When running from outside LAN or when backends are down, the following endpoints
 **These known items do not block contract or pool completion.** Fix when convenient; E2E still passes when they are in `E2E_OPTIONAL_WHEN_FAIL`.
 **2026-03-26 note:** after recovering NPMplus CT `10233` and re-running `update-npmplus-proxy-hosts-api.sh`, the latest public profile passed for all currently tested public domains, including Sankofa, Phoenix, Studio, The Order, DBIS, Mifos, and MIM4U.
 | Endpoint | Typical cause |
 |----------|----------------|
 | dbis-admin.d-bis.org | 502 — backend (VMID 10130) unreachable from public |
@@ -155,9 +166,17 @@ When running from outside LAN or when backends are down, the following endpoints
 | secure.d-bis.org | 502 — secure portal backend unreachable |
 | mifos.d-bis.org | 502 — Mifos (VMID 5800) unreachable from public |
 | mim4u.org, www.mim4u.org, secure.mim4u.org, training.mim4u.org | 502 — MIM4U web backends (192.168.11.37:80); non-blocking for contract/pool |
-| studio.sankofa.nexus | 404 — FusionAI Creator (VMID 7805) path or proxy config |
+| studio.sankofa.nexus | Historically 404 when the proxy misses `/studio/` or backend `192.168.11.72:8000`; verifier checks `/studio/`. Passed on 2026-03-26 after the NPMplus host update |
 | phoenix.sankofa.nexus, www.phoenix.sankofa.nexus | (Resolved in verifier) Phoenix API (7800) is API-first; `verify-end-to-end-routing.sh` checks `https://…/health` (200), not `/`. A separate **marketing** site on the apex hostname (if desired) needs another upstream or app routes—NPM still points `phoenix.sankofa.nexus` at the Fastify API today. |
 | the-order.sankofa.nexus | 502 if **10210** HAProxy or backend portal is down. NPM defaults upstream to **192.168.11.39:80** (order-haproxy). Fallback: `THE_ORDER_UPSTREAM_IP` / `THE_ORDER_UPSTREAM_PORT` = portal **192.168.11.51:3000** |
-**WebSocket test-format warnings:** RPC WS tests may show "connection established but RPC test failed" when `wscat` is used: the upgrade succeeds but the script’s check for `"result"` in `wscat` output may miss due to output format or timing. Non-blocking for contract/pool. The script now also accepts Chain 138 chainId `0x8a` in output; WS connectivity is still confirmed by the upgrade (101).
+**Verifier behavior (2026-03):** `openssl s_client` is wrapped with `timeout` (`E2E_OPENSSL_TIMEOUT` default 15s, `E2E_OPENSSL_X509_TIMEOUT` default 5s) so `--profile=private` / `--profile=all` cannot hang. **`--profile=all`** merges private and public `E2E_OPTIONAL_WHEN_FAIL` lists for temporary regressions. Install **`wscat`** (`npm install -g wscat`) for full WSS JSON-RPC checks; the script uses `wscat -n` to match `curl -k`, and now treats a clean `wscat` exit as a successful full WebSocket check even when the tool prints no JSON output.
 **Canonical www redirects (2026-03):** For `www.sankofa.nexus`, `www.phoenix.sankofa.nexus`, and `www.the-order.sankofa.nexus`, HTTP **301**/**308** must include a **`Location`** whose host matches the expected apex (`E2E_WWW_CANONICAL_BASE` in `verify-end-to-end-routing.sh`). Wrong apex → HTTPS **fail**. Missing `Location` → **warn**.
 **Cloudflare bulk DNS:** `scripts/update-all-dns-to-public-ip.sh` supports **`--dry-run`** (no API calls) and **`--zone-only=sankofa.nexus`** (or `d-bis.org` | `mim4u.org` | `defi-oracle.io`) to limit blast radius. Env: `CLOUDFLARE_DNS_DRY_RUN=1`, `DNS_ZONE_ONLY=…`.
 **WebSocket test-format warnings:** Older runs may show "connection established but RPC test failed" when `wscat` is used: the upgrade succeeded but the verifier expected printable `"result"` output. The script now accepts either explicit JSON output or a clean `wscat` exit, so current runs treat those WS checks as pass when the connection completes successfully. The script also accepts Chain 138 chainId `0x8a` in output.
 ### Remediation (when you want these to pass from public)
@@ -165,3 +184,4 @@ When running from outside LAN or when backends are down, the following endpoints
 |------|--------|
 | **502s (dbis-admin, dbis-api, secure, mifos)** | From LAN: `./scripts/maintenance/address-all-remaining-502s.sh [--run-besu-fix] [--e2e]` or `./scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh --e2e`. If NPMplus API is unreachable: `./scripts/maintenance/fix-npmplus-services-via-proxmox-ssh.sh`. Runbook: [502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md](../00-meta/502_DEEP_DIVE_ROOT_CAUSES_AND_FIXES.md). |
 | **404 studio.sankofa.nexus** | Ensure backend (VMID 7805, 192.168.11.72:8000) is up and NPMplus proxy for `studio.sankofa.nexus` points to it. See [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [SANKOFA_STUDIO_E2E_FLOW.md](../03-deployment/SANKOFA_STUDIO_E2E_FLOW.md), [SANKOFA_STUDIO_DEPLOYMENT.md](../03-deployment/SANKOFA_STUDIO_DEPLOYMENT.md). |
 | **the-order 502** | Check **10210** HAProxy (`curl http://192.168.11.39:80/` with `Host: the-order.sankofa.nexus`) and portal **192.168.11.51:3000**. Re-provision: `bash scripts/deployment/provision-order-haproxy-10210.sh`. NPM refresh: `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`. Direct portal bypass: `THE_ORDER_UPSTREAM_IP=192.168.11.51 THE_ORDER_UPSTREAM_PORT=3000` for that run. |
--- a/docs/04-configuration/EXPLORER_METAMASK_TECHNICAL_RESPONSE.md
+++ b/docs/04-configuration/EXPLORER_METAMASK_TECHNICAL_RESPONSE.md
@@ -113,7 +113,7 @@ So the **intended wrapped-native (WETH9-equivalent) address** on Chain 138 is **
 ## 5. EIP-1559 (baseFeePerGas)
 - **Yes.** The chain uses EIP-1559; blocks include **baseFeePerGas**.
- Deployment and gas scripts (e.g. in `scripts/archive/consolidated/deploy/`) use `eth_getBlockByNumber("latest", false)` and read `baseFeePerGas` for gas pricing.
+- Deployment and gas scripts under `scripts/deployment/` and `smom-dbis-138/scripts/` typically use `eth_getBlockByNumber("latest", false)` and read `baseFeePerGas` for gas pricing.
 - Docs state EIP-1559 is supported (e.g. `docs/11-references/DEFI_ORACLE_META_MAINNET_PROJECT_DESCRIPTION.md`, `docs/04-configuration/ADD_CHAIN138_TO_LEDGER_LIVE.md`).
 ---
--- a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
+++ b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md
@@ -0,0 +1,119 @@
 # FQDN expected content (what users and clients should see)
 **Last Updated:** 2026-03-27 (Sankofa hostname tiers: public / SSO / dash)  
 **Purpose:** One-page description of **what should be presented** at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent.
 **Canonical routing (IPs, VMIDs, ports):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md).  
 **Product depth (Sankofa / Phoenix / explorer narrative):** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md).  
 **Automated checks:** [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`.
 ---
 ## Legend
 | Kind | Meaning |
 |------|---------|
 | **Web** | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. |
 | **API** | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. |
 | **RPC-HTTP** | **No marketing page.** JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. |
 | **RPC-WS** | **No HTML.** WebSocket upgrade; JSON-RPC / subscription traffic. |
 | **301** | Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). |
 ---
 ## sankofa.nexus zone
 **Canonical roles:** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table).
 ### Public web (unauthenticated visitors for marketing / division pages)
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `sankofa.nexus` | Web | **Sankofa — Sovereign Technologies:** public corporate / brand web (mission, narrative, entry points). |
 | `www.sankofa.nexus` | 301 → apex | Browser ends on `https://sankofa.nexus/...`. |
 | `phoenix.sankofa.nexus` | Web / API | **Phoenix Cloud Services** (division of Sankofa): public-facing **division web** (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. |
 | `www.phoenix.sankofa.nexus` | 301 → apex | Browser ends on `https://phoenix.sankofa.nexus/...`. |
 ### Client SSO (system SSO; Keycloak as IdP)
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `keycloak.sankofa.nexus` | Web / IdP | **Identity provider** for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator **Keycloak admin** at `/admin`. Backs **`admin`** and **`portal`** redirects—not a substitute for those apps. |
 | `admin.sankofa.nexus` | Web | **Client SSO:** administer access (users, roles, org access policy). |
 | `portal.sankofa.nexus` | Web | **Client SSO:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services. |
 ### Operator / systems (IP-gated + MFA)
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `dash.sankofa.nexus` | Web | **IP allowlisting** + **system authentication** + **MFA:** unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). |
 ### Other properties on the zone
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `the-order.sankofa.nexus` | Web | **OSJ / Order management** portal (secure auth); app **the_order**. Upstream: HAProxy **10210** → portal stack. |
 | `www.the-order.sankofa.nexus` | 301 → apex | Browser ends on `https://the-order.sankofa.nexus/...`. |
 | `studio.sankofa.nexus` | Web | **Sankofa Studio (FusionAI)** UI under `/studio/` (and related API routes on same origin). |
 ---
 ## d-bis.org (DBIS + infrastructure)
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `explorer.d-bis.org` | Web | **SolaceScanScout / Blockscout** UI: blocks, txs, addresses, tokens, contract verification for **Chain 138**. Public, no login for browse. |
 | `docs.d-bis.org` | Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). |
 | `dbis-admin.d-bis.org` | Web | DBIS **admin** frontend (dashboard). |
 | `secure.d-bis.org` | Web | DBIS **secure** authenticated portal. |
 | `dbis-api.d-bis.org` | API | DBIS **core API** (aggregation, OTC, exchange JSON). |
 | `dbis-api-2.d-bis.org` | API | Secondary DBIS API instance. |
 | `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` | Web | **MIM4U** property sites (nginx on MIM stack). |
 | `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. |
 | `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | RPC-WS | **Public Besu WebSocket** RPC. |
 | `rpc-http-prv.d-bis.org` | RPC-HTTP | **Core / private** JSON-RPC (permissioned use). |
 | `rpc-ws-prv.d-bis.org` | RPC-WS | **Core / private** WebSocket RPC. |
 | `rpc-fireblocks.d-bis.org` | RPC-HTTP | **Fireblocks-dedicated** JSON-RPC endpoint. |
 | `ws.rpc-fireblocks.d-bis.org` | RPC-WS | **Fireblocks-dedicated** WebSocket RPC. |
 | `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` | RPC-HTTP | **Alltra** RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). |
 | `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` | RPC-HTTP | **HYBX** RPC fronts; same class as Alltra. |
 | `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` | Web | **Cacti** monitoring UI (graphs, device views). |
 | `mifos.d-bis.org` | Web | **Mifos** banking platform UI (when backend healthy). |
 | `dapp.d-bis.org` | Web | **DApp** static/hosted frontend (VMID per ALL_VMIDS). |
 | `gitea.d-bis.org` | Web | **Gitea** git forge UI. |
 | `dev.d-bis.org` | Web | **Dev** workspace UI (codespaces / dev host). |
 | `codespaces.d-bis.org` | Web | **Codespaces / dev** related web entry (as wired on NPM). |
 ---
 ## defi-oracle.io (ThirdWeb / public edge)
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. |
 | `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). |
 | `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. |
 **Note:** `blockscout.defi-oracle.io` is a **separate Blockscout** hostname (generic / reference). Not the canonical DBIS explorer; same class of **web** explorer UI as Blockscout. See EXPECTED_WEB_CONTENT.
 ---
 ## xom-dev.phoenix.sankofa.nexus (gov portals dev)
 | FQDN | Kind | What should be displayed or returned |
 |------|------|--------------------------------------|
 | `dbis.xom-dev.phoenix.sankofa.nexus` | Web | Gov portals **dev** app on port **3001** (VMID 7804 family). |
 | `iccc.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3002**. |
 | `omnl.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3003**. |
 | `xom.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3004**. |
 ---
 ## Operator checklist
 - **Wrong content** (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means **NPM upstream** or **DNS** is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md).
 - **301 on `www.*`** is intentional; content is judged on the **apex** hostname after redirect.
 ---
 **Inventory alignment:** Public hostnames above follow `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` plus `keycloak.sankofa.nexus`, `docs.d-bis.org`, `blockscout.defi-oracle.io`, and xom-dev hosts. **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, and **`dash.sankofa.nexus`** are **product-intent** hostnames—add to NPM and the E2E script when upstreams are wired. Add new rows here when you add NPM hosts.
--- a/docs/04-configuration/MIM4U_502_ERROR_RESOLUTION.md
+++ b/docs/04-configuration/MIM4U_502_ERROR_RESOLUTION.md
@@ -149,7 +149,7 @@ This will at least allow nginx to respond and stop the 502 error.
 For full MIM4U deployment, see:
 - `scripts/deploy-miracles-in-motion-pve2.sh` - Full deployment script
- `docs/archive/completion/MIRACLES_IN_MOTION_DEPLOYMENT_COMPLETE.md` - Deployment guide
+- [MIM4U_FIRST_PARTY_ANALYTICS.md](./MIM4U_FIRST_PARTY_ANALYTICS.md) — related MIM4U ops context
 ---
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
defiQUG	e6c9a2e6f9	chore: bump smom-dbis-138 (operator WIP merge, PMM JSON sync, dotenv trim) Some checks are pending Deploy to Phoenix / deploy (push) Waiting to run Details Made-with: Cursor	2026-03-27 19:03:15 -07:00
defiQUG	53767dfe2c	chore: bump explorer-monorepo and smom-dbis-138 submodule pointers Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:52:26 -07:00
defiQUG	76fda2119a	config: IP matrix, token list, Chain138 genesis mirror Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:51:27 -07:00
defiQUG	ea1a71cbe5	reports: inventories, status exports, and endpoint snapshots Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:51:19 -07:00
defiQUG	8fc4fc7811	scripts(archive): consolidated helpers and backup copies sync Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:51:09 -07:00
defiQUG	875454f449	scripts: deployment, NPM, verify, validation, env loader, operator helpers Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:51:02 -07:00
defiQUG	92d854a31c	phoenix-deploy-api: OpenAPI, server, systemd install, env example Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:50:54 -07:00
defiQUG	d38581f04a	docs: README, master index, Cursor rules, summary reports Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:50:37 -07:00
defiQUG	cc6d0705da	docs: references, network, besu, CCIP, troubleshooting, archive, quick ref Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:50:28 -07:00
defiQUG	dedb55e05c	docs(03-deployment): runbooks and deployment status updates Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:48:41 -07:00
defiQUG	eeef9cce3e	docs(02-architecture): hostname model, intent, and architecture updates Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:47:18 -07:00
defiQUG	563729aa19	docs(00-meta): refresh task lists, gaps, and operator indexes Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:47:08 -07:00
defiQUG	790e489538	docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:46:56 -07:00
defiQUG	bad8fdc98c	scripts: portal login, PMM mesh install, ops template audit, NPM verify, route matrix export Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:46:42 -07:00
defiQUG	3e2d94b12d	config: add route matrix, ops template, public-sector manifest, PMM mesh unit example Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:46:34 -07:00
defiQUG	2a5748ddc0	chore(docs): prune E2E verification dirs older than 30d; sync evidence tree Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:46:17 -07:00
defiQUG	8d5540bf1d	chore: sync submodule pointers (ai-mcp, cross-chain, dbis_core, explorer, gru-docs, metamask, smom-dbis-138) Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-27 18:38:10 -07:00
defiQUG	2d4b35c3ee	docs(stage4): archive deployment-reports README + E2E evidence hygiene - deployment-reports: historical notice + SOT links (no per-file edits) - archive README: link deployment-reports folder - E2E_ENDPOINTS_LIST: evidence retention + prune script pointer - prune-e2e-verification-evidence.sh: dry-run default, --apply + KEEP_DAYS Made-with: Cursor	2026-03-27 16:41:49 -07:00
defiQUG	f0fb00987a	docs(stage3): MASTER_PLAN/TODO + NOT_IMPLEMENTED — R21 complete - MASTER_PLAN gaps + §3.1 table rows for the-order / cutover - MASTER_TODO_EXPANDED: R21 [x]; Config/DNS GAPS tasks [x] - NOT_IMPLEMENTED: Sankofa/Order row = routing done, scope note - HIGH_PRIORITY R21–R24 line; BLITZKRIEG R21–R22 blurb Made-with: Cursor	2026-03-27 15:41:47 -07:00
defiQUG	70a6d66e4d	docs(stage2): mark R21 / Sankofa cutover done across 00-meta checklists - REMAINING_TASKS_BREAKDOWN_MISSING_INFO §2 + step 4 - REMAINING_WORK_BREAKDOWN_AND_ANSWERS Sankofa Q&A + one-line summary - REMAINING_COMPONENTS R21; operator-only + improvements + checklists Made-with: Cursor	2026-03-27 15:40:45 -07:00
defiQUG	21c839b9b5	docs(stage1): GAPS + placeholders master — The Order / cutover live - GAPS §2.1: replace TBD table with 2026-03 live routing + cutover v1.1 note - PLACEHOLDERS: Sankofa cutover row matches SANKOFA_CUTOVER_PLAN v1.1 Made-with: Cursor	2026-03-27 15:38:40 -07:00
defiQUG	4f383490a3	docs(A): sync high-value runbooks for The Order (10210 HAProxy) - SANKOFA_CUTOVER_PLAN: live backends table, fix TBDs, historical step labels - SANKOFA_THE_ORDER_CHECKLIST: replace with done + bypass + pointers - DNS comprehensive + streamlined tables: the-order row and sankofa zone live - E2E Cloudflare runbook: the-order backend column Made-with: Cursor	2026-03-27 15:24:54 -07:00
defiQUG	a086c451c3	docs: sync The Order routing (10210 HAProxy) and fix stale TBDs - E2E, ALL_VMIDS, operator checklist, RPC_ENDPOINTS_MASTER, DNS/NPM architecture - PROXMOX deployment template: the-order wired via 10210 - Placeholders master + r630-02 incomplete summary for 10210 - CT 10210: chown /var/cache on host idmap (mandb clean) — applied on cluster Made-with: Cursor	2026-03-27 15:06:06 -07:00
defiQUG	430431f2f6	feat(order): HAProxy on 10210, NPM → 192.168.11.39:80 - Add order-haproxy config template and provision-order-haproxy-10210.sh (SSH to r630-01) - Document one-time unprivileged CT idmap chown repair when apt fails - Default THE_ORDER_UPSTREAM_* to IP_ORDER_HAPROXY:80; portal bypass via env - Align update-sankofa-npmplus-proxy-hosts.sh, AGENTS, ALL_VMIDS, E2E notes Made-with: Cursor	2026-03-27 14:05:37 -07:00
defiQUG	0df175d9cb	chore: stop tracking legacy NPMplus backup tarballs (use local backups/npmplus/) Made-with: Cursor	2026-03-27 13:44:56 -07:00
defiQUG	96eb0a6660	chore: ignore backups/npmplus (NPMplus backup script output) Made-with: Cursor	2026-03-27 13:44:44 -07:00
defiQUG	436b13ad3d	docs: E2E evidence after operator NPM sync (2026-03-27) - Public + private verification reports (e2e-verification-20260327_134032 / _134137) - E2E_ENDPOINTS_LIST: refresh stats and note rpc.defi-oracle.io optional-when-fail behavior Made-with: Cursor	2026-03-27 13:42:50 -07:00
defiQUG	a2645b5285	NPM: validate canonical_https for www redirects; docs and env example - Reject non-https, paths, and injection-prone chars in advanced_config 301 targets - E2E list: phoenix marketing note, the-order HAProxy remediation, 2026-03-27 passes - AGENTS.md: scoped Cloudflare token pointer; smom-dbis-138 dotenv load note - .env.master.example: DNS script flags and scoped token guidance Made-with: Cursor	2026-03-27 12:29:40 -07:00
defiQUG	17b923ffdf	Follow-ups: DNS dry-run/zone-only, Order NPM IDs, E2E Location assert, the-order block_exploits - update-all-dns-to-public-ip.sh: --dry-run (no CF API), --zone-only=ZONE, help before .env, env CLOUDFLARE_DNS_DRY_RUN/DNS_ZONE_ONLY - update-sankofa-npmplus-proxy-hosts.sh: the-order + www.the-order by ID (env SANKOFA_NPM_ID_THE_ORDER, SANKOFA_NPM_ID_WWW_THE_ORDER, THE_ORDER_UPSTREAM_*) - update-npmplus-proxy-hosts-api.sh: the-order.sankofa.nexus uses block_exploits false like sankofa portal - verify-end-to-end-routing.sh: E2E_WWW_CANONICAL_BASE + Location validation (fail on wrong apex); keep local redirect vars - docs: ALL_VMIDS www 301 lines, E2E_ENDPOINTS_LIST verifier/DNS notes; AGENTS.md Cloudflare script pointer Made-with: Cursor	2026-03-27 11:27:39 -07:00
defiQUG	50a3973662	DNS/scripts: include www.the-order.sankofa.nexus in zone lists and NPM cleanup - export-cloudflare-dns-records.sh: baseline DOMAIN_ZONES entry - update-all-dns-to-public-ip.sh: Cloudflare name www.the-order for sankofa.nexus zone - cleanup-npmplus-duplicate-certificates.sh: SANKOFA_DOMAINS for LE grouping Made-with: Cursor	2026-03-27 00:31:14 -07:00
defiQUG	a36ccbbd77	NPM: canonical 301 for www sankofa/phoenix/the-order; E2E pass on 301/308 - update-npmplus-proxy-hosts-api.sh: optional advanced_config 301 via 5th/6th args; wire www.the-order → https://the-order.sankofa.nexus; document OSJ portal and the_order repo path - update-sankofa-npmplus-proxy-hosts.sh: same 301 for www rows via 4th pipe field - verify-end-to-end-routing.sh: www.the-order in inventory; treat 301/308 as HTTPS pass for www.sankofa, www.phoenix, www.the-order - configure-npmplus-domains.js: comment — avoid duplicate redirection UI rows for Sankofa www - AGENTS.md, ALL_VMIDS_ENDPOINTS.md, E2E_ENDPOINTS_LIST.md: Order portal and www redirect notes Made-with: Cursor	2026-03-27 00:30:28 -07:00
defiQUG	b9d3c10d01	ops: CCIP relay systemd unit, TsunamiSwap VM 5010 inventory script - config/systemd/ccip-relay.service for /opt/smom-dbis-138/services/relay/start-relay.sh - tsunamiswap-vm-5010-provision.sh checks qm status on PROXMOX_HOST - AGENTS.md pointers for relay and TsunamiSwap Made-with: Cursor	2026-03-27 00:27:10 -07:00
defiQUG	00afd38a57	feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT - Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local - New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL - AGENTS.md pointer to ensure script Made-with: Cursor	2026-03-26 18:56:57 -07:00
defiQUG	47b1ec0992	docs: note portal strict ESLint and optional hardening Some checks failed Deploy to Phoenix / deploy (push) Has been cancelled Details Made-with: Cursor	2026-03-25 21:16:08 -07:00
defiQUG	15406797a4	docs: refresh Sankofa portal build notes (strict TS, ESLint warnings) Made-with: Cursor	2026-03-25 20:47:27 -07:00
defiQUG	abe7afb9ab	docs: add public sector live deployment checklist (Phoenix 7800/7801) Made-with: Cursor	2026-03-25 20:46:57 -07:00
`@@ -172,4 +172,4 @@`

	`Total remaining (actionable): Wave 0: 3 · Wave 1: 44 · Wave 2: 8 · Wave 3: 2 · Ongoing: 5.`	`Total remaining (actionable): Wave 0: 3 · Wave 1: 44 · Wave 2: 8 · Wave 3: 2 · Ongoing: 5.`

	`Last parallel run (2026-02-05): Run log batch 11 — CI validation, config validation, security dry-runs (W1-1, W1-2), phase2 config, CCIP checklist, phase4 show-steps, config backup, shellcheck --optional, Wave 0 dry-run. See [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived).`	Last parallel run (2026-02-05): Batch 11 covered CI validation, `validate-config-files.sh`, security dry-runs, phase2 config, CCIP checklist, phase4 show-steps, config backup, shellcheck --optional, Wave 0 dry-run. Current checks: `./scripts/validation/validate-config-files.sh`, `./scripts/verify/run-all-validation.sh` (optional `--skip-genesis`), [WAVE1_COMPLETION_SUMMARY.md](WAVE1_COMPLETION_SUMMARY.md).
`@@ -41,4 +41,4 @@ Examples (no API key or key without private-key restriction):`

	`---`	`---`

	`Refs: [OPTIONAL_DEPLOYMENTS_START_HERE](../07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md) §2C \| [COMPLETION_STATUS_20260215](../archive/00-meta-pruned/COMPLETION_STATUS_20260215.md)`	`Refs: [OPTIONAL_DEPLOYMENTS_START_HERE](../07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md) §2C \| [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md)`