# Recommendations and operator checklist (R1–R24) **Purpose:** Single checklist for all recommendations from [REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS](REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS.md) Part 2. Use when deploying, verifying, or operating. **Related:** [CONTRACT_DEPLOYMENT_RUNBOOK](../03-deployment/CONTRACT_DEPLOYMENT_RUNBOOK.md) | [BLOCKSCOUT_VERIFICATION_GUIDE](../08-monitoring/BLOCKSCOUT_VERIFICATION_GUIDE.md) | [MASTER_SECRETS_INVENTORY](../04-configuration/MASTER_SECRETS_INVENTORY.md) | [COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md](COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md) (full plan: required / optional / recommended). --- ## Verification and source of truth (R1–R3) | # | Action | When | |---|--------|------| | R1 | Verify every deployed contract on Blockscout (Forge Verification Proxy or BLOCKSCOUT_VERIFICATION_GUIDE) | After each deployment when Blockscout is reachable | | R2 | Keep [CONTRACT_ADDRESSES_REFERENCE](../11-references/CONTRACT_ADDRESSES_REFERENCE.md) and [ADDRESS_MATRIX_AND_STATUS](../11-references/ADDRESS_MATRIX_AND_STATUS.md) updated; reconcile duplicate .env entries | When new contracts are deployed or deprecated | | R3 | Run `./scripts/verify/check-contracts-on-chain-138.sh [RPC]`; fix any MISSING/EMPTY | Periodically or after deploy | ## Security and secrets (R4–R7) | # | Action | When | |---|--------|------| | R4 | **Do not use** CCIPWETH9Bridge at `0x89dd...`; use only `0x971c...` and set `CCIPWETH9_BRIDGE_CHAIN138` in env | Always; see runbook § Deprecated bridge | | R5 | Never commit .env or private keys; use MASTER_SECRETS_INVENTORY; rotate any exposed keys | Always | | R6 | API keys in .env.example — Done (placeholders) | — | | R7 | Restrict deployer key and RPC admin access (RPC_URL_138) to operators who need them | Access review | ## Deployment (R8–R11) | # | Action | When | |---|--------|------| | R8 | Set RPC_URL_138 (Core); run from LAN/VPN if 192.168.11.x not reachable | Before deploy | | R9 | Use GAS_PRICE=1000000000 (or current min) on Chain 138; see CONTRACT_DEPLOYMENT_RUNBOOK | Every forge script/create on 138 | | R10 | Phased core: 01_DeployCore first, set env, then 02_DeployBridges; alltra-lifi: MerchantSettlementRegistry before WithdrawalEscrow | Deploy order | | R11 | If tx stuck, manage nonce; see DEPLOYMENT_STRATEGY_EVALUATION | Troubleshooting | ## Documentation and runbooks (R12–R13) | # | Action | When | |---|--------|------| | R12 | Keep CONTRACT_DEPLOYMENT_RUNBOOK, BLOCKSCOUT_VERIFICATION_GUIDE, BLOCKSCOUT_FIX_RUNBOOK in sync with scripts and Blockscout URL | After script or URL changes | | R13 | When deploying to mainnet or other chains, document addresses in CONTRACT_ADDRESSES_REFERENCE or chain-specific doc; update [ADDRESS_MATRIX_AND_STATUS](../11-references/ADDRESS_MATRIX_AND_STATUS.md) | Per-chain deploy | ## Automation and CI/CD (R14–R16) | # | Action | When | |---|--------|------| | R14 | Run run-contract-verification-with-proxy.sh after deployments when Blockscout reachable from CI | CI after deploy | | R15 | Consider single script: check env → deploy → verify → update config (COMPREHENSIVE_RECOMMENDATIONS § Infrastructure) | Automation | | R16 | Use .env.development / .env.staging / .env.production or JSON configs per chain | Config hygiene | ## Monitoring and operations (R17–R18) | # | Action | When | |---|--------|------| | R17 | Monitor critical bridge/oracle events (TransferInitiated, TransferCompleted, price updates); see COMPREHENSIVE_RECOMMENDATIONS § Monitoring | Ongoing | | R18 | Ensure Blockscout (VMID 5000) is up and /api reachable; see EXPLORER_API_ACCESS, BLOCKSCOUT_FIX_RUNBOOK | Health checks | ## Testing and quality (R19–R20) | # | Action | When | |---|--------|------| | R19 | Run `forge test` in smom-dbis-138 and alltra-lifi-settlement before deploying; run integration tests where available | Pre-deploy | | R20 | NatSpec on public contract functions (verification and tooling) | Code quality | ## Configuration and DNS (R21–R22) | # | Action | When | |---|--------|------| | R21 | **Done 2026-03:** NPMplus + ALL_VMIDS + RPC_ENDPOINTS_MASTER + SANKOFA_CUTOVER_PLAN v1.1 | Complete | | R22 | Document or configure blocks #2–#6 in NETWORK_ARCHITECTURE and NETWORK_CONFIGURATION_MASTER (or mark reserved); see NETWORK_PLACEHOLDERS_DECISION | When decided | ## Quick wins (R23) | # | Action | When | |---|--------|------| | R23 | Scripts: add progress indicators; add --dry-run where missing; extend config validation (IMPLEMENTATION_CHECKLIST). **Done:** `run-completable-tasks-from-anywhere.sh` has Step 1/4–4/4; `validate-config-files.sh`, `run-e2e-flow-tasks-full-parallel.sh`, `run-all-operator-tasks-from-lan.sh` support `--dry-run`. | Script updates | ## Token mapping (R24) | # | Action | When | |---|--------|------| | R24 | Keep config/token-mapping.json as single source of truth for 138↔Mainnet; when adding tokens update token-mapping.json and optionally CHAIN138_TOKEN_ADDRESSES; see TOKEN_MAPPING_AND_MAINNET_ADDRESSES | Adding tokens | --- **Key commands:** See [REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS](REMAINING_COMPONENTS_TASKS_AND_RECOMMENDATIONS.md) Part 3.