# All Tasks — Detailed Steps (Single Reference)

**Last Updated:** 2026-02-12

**Purpose:** One place for every task with concrete steps to execute.

**Sources:** NEXT_STEPS_MASTER.md, REMAINING_WORK_DETAILED_STEPS.md, CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md, CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md, TODO_TASK_LIST_MASTER.md, IMPLEMENTATION_CHECKLIST.md.

---

## How to use this document

- **Wave order:** Wave 0 → Wave 1 → Wave 2 → Wave 3 → Ongoing. Within a wave, run tasks in parallel where possible.
- **Blocker:** Each task notes what is required (LAN, PRIVATE_KEY, etc.).
- **References:** Links point to runbooks and scripts; runbooks have the full command set.

### Runner scripts (run in parallel where possible)

| Script | When to use | What it runs |
|--------|-------------|--------------|
| **scripts/run-completable-tasks-from-anywhere.sh** | From dev machine / WSL / CI (no LAN or secrets) | Config validation, on-chain contract check (Chain 138), run-all-validation --skip-genesis, canonical .env output for reconciliation. |
| **scripts/run-operator-tasks-from-lan.sh** | From a host on LAN with NPM_PASSWORD (and optionally PRIVATE_KEY for O-1) | W0-1 (NPMplus RPC fix), W0-3 (NPMplus backup), O-1 (Blockscout verification). Prints next steps for W0-2, W1-*, cron, CR-1, API keys. |
| **scripts/run-wave0-from-lan.sh** | Same as above (subset) | W0-1 + W0-3 only. |
| **scripts/run-all-remaining-tasks.sh** | From project root; set RUN_W02=1 AMOUNT=…, RUN_SECURITY=1, or RUN_VALIDATOR_KEYS=1 to execute | W0-2 (sendCrossChain), W1-1/W1-2 (--apply), W1-19 (validator keys), and prints runbook commands for W2-2 through W3-2, CR-1, API, Paymaster. |

---

## Task index (by category)

| ID | Task | Wave | Blocker |
|----|------|------|---------|
| W0-1 | NPMplus RPC fix (405) | 0 | LAN |
| W0-2 | sendCrossChain (real transfer) | 0 | PRIVATE_KEY, LINK |
| W0-3 | NPMplus backup | 0 | NPM_PASSWORD, LAN |
| CR-1 | Config-ready chains (Gnosis, Celo, Wemix) | — | CCIP support, keys, gas |
| O-1 | Run Blockscout source verification | — | LAN / Blockscout reachable |
| O-2 | Reconcile .env (canonical addresses) | — | CONTRACT_ADDRESSES_REFERENCE |
| O-3 | On-chain contract check (Chain 138) | — | RPC (e.g. VMID 2101) |
| W1-1 | SSH key-based auth; disable password | 1 | Proxmox/SSH |
| W1-2 | Firewall — restrict Proxmox API 8006 | 1 | Proxmox/SSH |
| W1-8 | NPMplus backup run + cron | 1 | NPM_PASSWORD, LAN |
| W1-19 | Secure validator key permissions | 1 | Proxmox host |
| W2-1 | Deploy monitoring stack | 2 | Infra |
| W2-2 | Grafana via Cloudflare; alerts | 2 | W2-1 |
| W2-3 | VLAN enablement | 2 | UDM Pro, Proxmox |
| W2-4 | Phase 3 CCIP Ops/Admin; NAT pools | 2 | CCIP_DEPLOYMENT_SPEC |
| W2-5 | Phase 4 sovereign tenant VLANs | 2 | Runbook |
| W2-7 | DBIS / Hyperledger services | 2 | Runbooks |
| W3-1 | CCIP Fleet (commit/execute/RMN) | 3 | W2-4 |
| W3-2 | Phase 4 tenant isolation enforcement | 3 | W2-5 |
| Cron-1 | NPMplus backup cron | — | Target host |
| Cron-2 | Daily/weekly checks cron | — | Target host |
| API | API keys — obtain and set | — | Sign-up |
| Paymaster | Deploy Paymaster (optional) | — | smom-dbis-138, RPC |

---

## W0 — Gates (do first when credentials allow)

### W0-1: NPMplus RPC fix (405)

**Blocker:** Host on LAN (e.g. 192.168.11.x).

**Steps:**

1. From a machine on LAN: `cd /path/to/proxmox`.
2. Option A — Full Wave 0: `bash scripts/run-wave0-from-lan.sh` (use `--skip-backup` for RPC only).
3. Option B — RPC only: `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`.
4. Verify: `bash scripts/verify/verify-end-to-end-routing.sh` — RPC domains should pass.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W0-1.

---

### W0-2: sendCrossChain (real)

**Blocker:** `PRIVATE_KEY` and LINK approved in `.env`; bridge `0xcacfd227A040002e49e2e01626363071324f820a`.

**Steps:**

1. Ensure `smom-dbis-138/.env` has `PRIVATE_KEY` and LINK (or fee token) approved for bridge.
2. Run: `bash scripts/bridge/run-send-cross-chain.sh [recipient]` (omit `--dry-run`).
3. Confirm tx on chain and destination.

**Ref:** scripts/README.md §8, REMAINING_WORK_DETAILED_STEPS.md § W0-2.

---

### W0-3: NPMplus backup

**Blocker:** `NPM_PASSWORD` in `.env`; NPMplus API reachable (LAN).

**Steps:**

1. Set `NPM_PASSWORD` (and optionally `NPM_HOST`) in `.env`.
2. From host that can reach NPMplus: `bash scripts/verify/backup-npmplus.sh`.
3. Or: `bash scripts/run-wave0-from-lan.sh` (includes backup).

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W0-3.

---

## CR — Config-ready chains (Gnosis, Celo, Wemix)

**Blocker:** CCIP support per chain (verify at https://docs.chain.link/ccip/supported-networks); deployer key with gas on each chain; Chain 138 RPC and `CHAIN138_SELECTOR`.

**Steps:**

1. **Verify CCIP:** Confirm Gnosis, Celo, Wemix in Chainlink CCIP supported networks.
2. **Deploy bridges (per chain):** From `smom-dbis-138/`: set `RPC_URL`, `CCIP_ROUTER_ADDRESS`, `LINK_TOKEN_ADDRESS`, `WETH9_ADDRESS`, `WETH10_ADDRESS`, `PRIVATE_KEY` for that chain; run:

   ```bash
   forge script script/deploy/bridge/DeployWETHBridges.s.sol:DeployWETHBridges --rpc-url "$RPC_URL" --broadcast -vvvv
   ```

   Record deployed bridge addresses.
3. **Env:** Copy `smom-dbis-138/docs/deployment/ENV_CONFIG_READY_CHAINS.example` into `smom-dbis-138/.env`; set `CCIPWETH9_BRIDGE_GNOSIS`, `CCIPWETH10_BRIDGE_GNOSIS`, same for Celo/Wemix; set `CHAIN138_SELECTOR` (decimal).
4. **Configure destinations:** `cd smom-dbis-138 && ./scripts/deployment/complete-config-ready-chains.sh` (use `DRY_RUN=1` first).
5. **Fund LINK:** Send ~10 LINK per bridge on Gnosis, Celo, Wemix to each bridge address.

**Ref:** [CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md](../07-ccip/CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md), ENV_CONFIG_READY_CHAINS.example.

---

## O — Operator / contract (any time)

### O-1: Blockscout source verification

**Blocker:** Host that can reach Blockscout (e.g. LAN to 192.168.11.140:4000).

**Steps:**

1. `source smom-dbis-138/.env 2>/dev/null`
2. `./scripts/verify/run-contract-verification-with-proxy.sh`
3. Optionally retry single contract: `--only ContractName`

**Ref:** CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md § Operator action.

---

### O-2: Reconcile .env (canonical addresses)

**Blocker:** None (edit only).

**Steps:**

1. Open [CONTRACT_ADDRESSES_REFERENCE § Canonical source of truth](../11-references/CONTRACT_ADDRESSES_REFERENCE.md).
2. Ensure `smom-dbis-138/.env` has one entry per variable; remove duplicates; align values with the canonical table.

**Ref:** CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md.

---

### O-3: On-chain contract check (Chain 138)

**Blocker:** RPC reachable — set `RPC_URL_138` (e.g. `http://192.168.11.211:8545` or `https://rpc-core.d-bis.org`).

**Steps:**

1. From repo root: `./scripts/verify/check-contracts-on-chain-138.sh` (uses `RPC_URL_138`)
2. Or pass URL: `./scripts/verify/check-contracts-on-chain-138.sh $RPC_URL_138`
3. Fix any MISS: deploy or correct address in docs/.env.

**Ref:** CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md § Part 2.

---

## W1 — Operator / security / cron

### W1-1: SSH key-based auth; disable password

**Blocker:** Proxmox/SSH access; break-glass method in place.

**Steps:**

1. Deploy SSH public key(s): `ssh-copy-id root@`.
2. Test: `ssh root@` (no password).
3. Dry-run: `bash scripts/security/setup-ssh-key-auth.sh --dry-run`.
4. Apply: `bash scripts/security/setup-ssh-key-auth.sh --apply`.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-1, OPERATIONAL_RUNBOOKS § Access Control.

---

### W1-2: Firewall — restrict Proxmox API 8006

**Blocker:** Proxmox host or SSH from admin network.

**Steps:**

1. Decide allowed CIDR(s) for Proxmox API.
2. Dry-run: `bash scripts/security/firewall-proxmox-8006.sh --dry-run [CIDR]`.
3. Apply: `bash scripts/security/firewall-proxmox-8006.sh --apply [CIDR]`.
4. Verify: https://:8006 only from allowed IP.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-2.

---

### W1-8: NPMplus backup run + cron

**Steps (one-time run):**

1. With `NPM_PASSWORD` set: `bash scripts/verify/backup-npmplus.sh`.
2. Full automated backup: `bash scripts/backup/automated-backup.sh [--with-npmplus]`.

**Cron:** See **Cron-1** and **Cron-2** below.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-8, Crontab installs.

---

### W1-19: Secure validator key permissions

**Blocker:** Run on Proxmox host (or SSH from LAN).

**Steps:**

1. SSH to each host that runs validators (e.g. VMIDs 1000–1004).
2. Dry-run: `bash scripts/secure-validator-keys.sh --dry-run`.
3. Apply: `bash scripts/secure-validator-keys.sh`.
4. Confirm Besu still starts: `pct exec -- systemctl status besu`.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W1-19.

---

## Cron installs (on target host)

### Cron-1: NPMplus backup cron

**Steps:**

1. On host: `cd /path/to/proxmox`.
2. Show: `bash scripts/maintenance/schedule-npmplus-backup-cron.sh --show`.
3. Install: `bash scripts/maintenance/schedule-npmplus-backup-cron.sh --install`.
4. Default: daily 03:00; log: `logs/npmplus-backup.log`.

---

### Cron-2: Daily/weekly checks cron

**Steps:**

1. On host: `cd /path/to/proxmox`.
2. Show: `bash scripts/maintenance/schedule-daily-weekly-cron.sh --show`.
3. Install: `bash scripts/maintenance/schedule-daily-weekly-cron.sh --install`.
4. Defaults: daily 08:00 (explorer sync, RPC 2201); weekly Sunday 09:00 (Config API).

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § Crontab installs.

---

## W2 — Infra / deploy

### W2-1: Deploy monitoring stack

**Steps:**

1. Use configs: `smom-dbis-138/monitoring/`, `scripts/monitoring/`.
2. Run or adapt: `scripts/deployment/phase2-observability.sh` (or manual per runbook).
3. Ensure Prometheus scrapes Besu 9545; add targets from `export-prometheus-targets.sh` if used.

**Ref:** OPERATIONAL_RUNBOOKS § Phase 2, REMAINING_WORK_DETAILED_STEPS.md § W2-1.

---

### W2-2: Grafana via Cloudflare Access; alerts

**Steps:**

1. After W2-1, publish Grafana via Cloudflare Access (or chosen ingress).
2. Configure Alertmanager routes in `alertmanager/alertmanager.yml`.
3. Test alert routing.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-2.

---

### W2-3: VLAN enablement (UDM Pro + Proxmox)

**Steps:**

1. Configure sovereign VLANs on UDM Pro (e.g. 200–203).
2. Enable VLAN-aware bridge on Proxmox; attach VMs/containers to VLANs.
3. Migrate services per [NETWORK_ARCHITECTURE](../02-architecture/NETWORK_ARCHITECTURE.md) §3–5 and UDM_PRO_VLAN_* docs.
4. Verify connectivity and firewall.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-3.

---

### W2-4: Phase 3 CCIP — Ops/Admin; NAT pools

**Steps:**

1. Run: `bash scripts/ccip/ccip-deploy-checklist.sh` (validates env, prints order).
2. Deploy CCIP Ops/Admin (VMIDs 5400, 5401) per [CCIP_DEPLOYMENT_SPEC](../07-ccip/CCIP_DEPLOYMENT_SPEC.md).
3. Configure NAT pools on ER605 (Blocks #2–4 for commit/execute/RMN).
4. Expand commit/execute/RMN scripts for full fleet (for Wave 3).

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-4.

---

### W2-5: Phase 4 — Sovereign tenant VLANs

**Steps:**

1. Show steps: `bash scripts/deployment/phase4-sovereign-tenants.sh --show-steps`.
2. Dry-run: `bash scripts/deployment/phase4-sovereign-tenants.sh --dry-run`.
3. Execute manual steps: OPERATIONAL_RUNBOOKS § Phase 4; UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.
4. (1) UDM Pro VLANs 200–203, (2) Proxmox VLAN-aware bridge, (3) migrate tenant containers, (4) access control, (5) Block #6 egress NAT and verify.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-5.

---

### W2-7: DBIS / Hyperledger services

**Steps:**

1. Follow deployment runbooks for DBIS VMIDs (10100–10151).
2. Start/configure Hyperledger (Firefly etc.) per [MISSING_CONTAINERS_LIST](../03-deployment/MISSING_CONTAINERS_LIST.md).
3. Parallelize by host where possible.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W2-7.

---

## W3 — After W2

### W3-1: CCIP Fleet (16 commit, 16 execute, 7 RMN)

**Depends on:** W2-4.

**Steps:**

1. Deploy 16 commit nodes: VMIDs 5410–5425.
2. Deploy 16 execute nodes: VMIDs 5440–5455.
3. Deploy 7 RMN nodes: VMIDs 5470–5476.
4. Use scripts/runbooks from W2-4; spec: [CCIP_DEPLOYMENT_SPEC](../07-ccip/CCIP_DEPLOYMENT_SPEC.md).

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W3-1.

---

### W3-2: Phase 4 tenant isolation enforcement

**Depends on:** W2-3 / W2-5.

**Steps:**

1. Apply firewall rules and ACLs for east-west denial between tenants.
2. Verify tenant isolation and egress NAT (Block #6).
3. Document exceptions and review periodically.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § W3-2.

---

## API keys

**Steps:**

1. Open [reports/API_KEYS_REQUIRED.md](../../reports/API_KEYS_REQUIRED.md).
2. Obtain each key (sign-up URLs in report); set in root and subproject `.env`.
3. Restart services that use those vars.

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § API Keys & Secrets.

---

## Paymaster (optional)

**Blocker:** smom-dbis-138 contract sources; Chain 138 RPC.

**Steps:**

1. From `smom-dbis-138/`: `forge script script/smart-accounts/DeployPaymaster.s.sol --rpc-url $RPC_URL_138 --broadcast`.
2. See [SMART_ACCOUNTS_DEPLOYMENT_NOTE](../../metamask-integration/docs/SMART_ACCOUNTS_DEPLOYMENT_NOTE.md).

**Ref:** TODO_TASK_LIST_MASTER §2.

---

## Ongoing (no wave)

| ID | Task | Frequency | Steps |
|----|------|-----------|--------|
| O-1 | Monitor explorer sync | Daily | Cron or `bash scripts/maintenance/daily-weekly-checks.sh daily` |
| O-2 | Monitor RPC 2201 | Daily | Same script |
| O-3 | Config API uptime | Weekly | `daily-weekly-checks.sh weekly` |
| O-4 | Review explorer logs | Weekly | e.g. `ssh root@ journalctl -u blockscout -n 200` |
| O-5 | Update token list | As needed | Update token-list.json / explorer config |

**Ref:** REMAINING_WORK_DETAILED_STEPS.md § Ongoing.

---

## Validation commands (re-run anytime)

| Check | Command |
|-------|---------|
| All validation | `bash scripts/verify/run-all-validation.sh [--skip-genesis]` |
| Full verification | `bash scripts/verify/run-full-verification.sh` |
| E2E routing | `bash scripts/verify/verify-end-to-end-routing.sh` |
| Config files | `bash scripts/validation/validate-config-files.sh` |
| Genesis | `bash smom-dbis-138/scripts/validation/validate-genesis.sh` |
| Wave 0 dry-run | `bash scripts/run-wave0-from-lan.sh --dry-run` |

---

## Deferred / backlog (no steps here)

- **W1-3, W1-4:** smom security audits (VLT-024, ISO-024); bridge integrations (BRG-VLT, BRG-ISO) — smom backlog.
- **W1-14:** dbis_core ~1186 TypeScript errors — fix by module; `npx prisma generate`; explicit types.
- **W1-15–W1-17:** smom placeholders (canonical env-only, AlltraAdapter fee, smart accounts, quote Fabric 999, .bak deprecation) — see PLACEHOLDERS_AND_*.
- **Improvements 1–139:** [ALL_IMPROVEMENTS_AND_GAPS_INDEX.md](../ALL_IMPROVEMENTS_AND_GAPS_INDEX.md) by cohort.

---

## Related documents

- [NEXT_STEPS_MASTER.md](NEXT_STEPS_MASTER.md) — Master list and phases
- [REMAINING_WORK_DETAILED_STEPS.md](REMAINING_WORK_DETAILED_STEPS.md) — Wave 0–3 and “can do now”
- [CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md](../11-references/CONTRACT_NEXT_STEPS_AND_RECOMMENDATIONS_COMPLETE.md) — Contract operator actions
- [CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md](../07-ccip/CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md) — Gnosis, Celo, Wemix
- [TODO_TASK_LIST_MASTER.md](TODO_TASK_LIST_MASTER.md) — Full checklist and improvements index
- [OPERATIONAL_RUNBOOKS.md](../03-deployment/OPERATIONAL_RUNBOOKS.md) — Phase 2–4 runbooks
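
---

For O-2 (Reconcile .env), an added example that is not one of the repository's scripts: it lists variables defined more than once in a `.env` file and canonical variables that are missing or whose effective value differs. The function names `env_duplicates` and `env_mismatches`, the `KEY=value` format of the canonical file, the name `CCIPWETH9_BRIDGE_CELO` and every sample value are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example for O-2; assumes KEY=value lines, optionally quoted or "export"-prefixed.

# Shared awk parser: sets K and V; returns 0 for comments, blanks, non-assignments.
# 0x hex values are lower-cased so checksummed and lower-case addresses compare equal.
PARSE='
function parse(line,   eq) {
  sub(/\r$/, "", line)
  if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) return 0
  sub(/^[ \t]*(export[ \t]+)?/, "", line)
  eq = index(line, "=")
  if (eq < 2) return 0
  K = substr(line, 1, eq - 1); V = substr(line, eq + 1)
  gsub("^[\"" sq "]|[\"" sq "]$", "", V)
  if (V ~ /^0x[0-9a-fA-F]+$/) V = tolower(V)
  return 1
}'

# env_duplicates ENV_FILE: variables defined more than once and whether the
# definitions disagree (when the file is sourced, the last one wins).
env_duplicates() {
  awk -v sq="'" "$PARSE"'
    parse($0) { n[K]++; if (n[K] > 1 && V != last[K]) bad[K] = 1; last[K] = V }
    END { for (k in n) if (n[k] > 1) print k, n[k], ((k in bad) ? "CONFLICT" : "same") }
  ' "$1" | LC_ALL=C sort
}

# env_mismatches ENV_FILE CANONICAL_FILE: canonical variables missing from
# ENV_FILE or whose effective (last) value differs from the canonical one.
env_mismatches() {
  awk -v sq="'" "$PARSE"'
    FNR == NR { if (parse($0)) canon[K] = V; next }
    parse($0) { eff[K] = V }
    END { for (k in canon) {
      if (!(k in eff)) print k, "MISSING"
      else if (eff[k] != canon[k]) print k, "MISMATCH" } }
  ' "$2" "$1" | LC_ALL=C sort
}

# Constructed sample data: placeholder addresses and selector, not real values.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'CCIPWETH9_BRIDGE_GNOSIS=0x1111111111111111111111111111111111111111' \
  'CHAIN138_SELECTOR=1234567890' '# stale copy left behind after a redeploy' \
  'export CCIPWETH9_BRIDGE_GNOSIS="0x2222222222222222222222222222222222222222"' \
  'CCIPWETH10_BRIDGE_GNOSIS=0xAAAAbbbbAAAAbbbbAAAAbbbbAAAAbbbbAAAAbbbb' \
  'CHAIN138_SELECTOR=1234567890' > "$SAMPLE_DIR/.env"
printf '%s\n' 'CCIPWETH9_BRIDGE_GNOSIS=0x1111111111111111111111111111111111111111' \
  'CCIPWETH10_BRIDGE_GNOSIS=0xaaaabbbbaaaabbbbaaaabbbbaaaabbbbaaaabbbb' \
  'CCIPWETH9_BRIDGE_CELO=0x3333333333333333333333333333333333333333' \
  'CHAIN138_SELECTOR=1234567890' > "$SAMPLE_DIR/canonical.env"
env_duplicates "$SAMPLE_DIR/.env"
env_mismatches "$SAMPLE_DIR/.env" "$SAMPLE_DIR/canonical.env"
```

A `CONFLICT` row means the value a script sees after `source smom-dbis-138/.env` depends on line order, so resolve those before running anything that broadcasts a transaction.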