proxmox/scripts/verify
defiQUG 0d29343941 chore: update .env.master.example with new deployment scripts and treasury manager parameters; enhance AGENTS.md with GRU reference primacy details
- Added new deployment script references for Aave quote-push and treasury manager in .env.master.example.
- Updated AGENTS.md to include information on GRU reference primacy versus public PMM mesh execution model.
- Minor updates to various documentation files to reflect changes in policy and operational guidelines.

Made-with: Cursor
2026-04-12 18:20:41 -07:00
Verification Scripts

Scripts for ingress, NPMplus, DNS, and source-of-truth verification.

Dependencies

Required tools (install before running):

Tool        Purpose                       Install
bash        Shell (4.0+)                  Default on most systems
curl        API calls, HTTP               apt install curl
jq          JSON parsing                  apt install jq
dig         DNS resolution                apt install dnsutils
openssl     SSL certificate inspection    apt install openssl
ssh         Remote execution              apt install openssh-client
ss          Port checking                 apt install iproute2
systemctl   Service status                System (systemd)
sqlite3     Database backup               apt install sqlite3

Optional (recommended for automation): sshpass, rsync, screen, tmux, htop, shellcheck, parallel. See docs/11-references/APT_PACKAGES_CHECKLIST.md § Automation / jump host.
One-line install (Debian/Ubuntu): sudo apt install -y sshpass rsync dnsutils iproute2 screen tmux htop shellcheck parallel

Tool                 Purpose
wscat or websocat    WebSocket testing (manual verification)

Scripts

  • backup-npmplus.sh - Full NPMplus backup (database, API exports, certificates)
  • check-contracts-on-chain-138.sh - Check that Chain 138 deployed contracts have bytecode on-chain (cast code for 31 addresses; requires cast and RPC access). Use [RPC_URL] or env RPC_URL_138; --dry-run lists addresses only (no RPC calls); SKIP_EXIT=1 to exit 0 when RPC unreachable.
  • generate-contract-verification-publish-matrix.mjs - Generates the repo-wide all-network contract verification/publication backlog from config/smart-contracts-master.json and cross-chain-pmm-lps/config/deployment-status.json. Writes reports/status/contract_verification_publish_matrix.json and docs/11-references/CONTRACT_VERIFICATION_AND_PUBLICATION_MATRIX_ALL_NETWORKS.md.
  • generate-crosschain-publication-packs.mjs - Groups the requested cross-chain publication packs (ethereum-mainnet, optimism, bsc, polygon, base) from the generated matrix and writes reports/status/publication-packs/*/{pack.json,README.md}.
  • check-publication-pack-explorer-status.mjs - Queries the Etherscan-family explorers for the five publication packs and writes reports/status/publication-pack-explorer-status.json plus docs/11-references/PUBLICATION_PACK_EXPLORER_STATUS.md. Requires ETHERSCAN_API_KEY. The markdown intentionally shows Unknown counts so pack closure is not overstated.
  • generate-publication-actionable-backlog.mjs - Separates the five requested publication packs into auto-submittable, manual-or-external, and inventory/reference buckets. Writes reports/status/publication-actionable-backlog.json and docs/11-references/PUBLICATION_ACTIONABLE_BACKLOG.md.
  • check-chain138-x402-readiness.sh - RPC + explorer smoke plus ERC-2612 / ERC-3009 on default V2 then V1 USD tokens; --strict exits non-zero if not x402-ready. See CHAIN138_X402_TOKEN_SUPPORT.md.
  • check-chain138-token-permit-support.sh - cast checks permit / ERC-3009 per token; defaults match x402 script (V2 then V1). Use for CHAIN138_X402_TOKEN_SUPPORT.md.
  • validate-address-registry-xe-aliases.mjs - Validates web3_eth_iban aliases in institutional registry examples (or paths you pass) using web3-eth-iban. Run: node scripts/verify/validate-address-registry-xe-aliases.mjs.
  • check-public-report-api.sh - Verify token-aggregation report + networks JSON (not Blockscout). Probes /api/v1/networks first, then /token-aggregation/api/v1/networks, and uses the working prefix for all checks. Use SKIP_EXIT=1 for diagnostic-only mode. Set SKIP_BRIDGE_ROUTES=0, SKIP_BRIDGE_PREFLIGHT=0, or SKIP_GAS_REGISTRY=0 for bridge and gas-rollout assertions.
  • check-info-defi-oracle-public.sh - After publishing info-defi-oracle-138/dist/, confirms the public host serves the real Vite SPA (detects generic placeholder pages), /agents, and static agent files (llms.txt, agent-hints.json, robots.txt, sitemap.xml). Optional jq validates agent-hints.json. Set INFO_SITE_BASE for a non-default URL. If / passes but static paths look wrong through Cloudflare, run scripts/cloudflare/purge-info-defi-oracle-cache.sh (or pnpm run cloudflare:purge-info-defi-oracle-cache).
  • pmm-swap-quote-chain138.sh - On-chain PMM quote for swapExactIn: calls querySellBase / querySellQuote on the DODO pool (not the REST /quote xy=k estimate). Prints 99% / 95% / 90% minAmountOut and a cast send example. Requires cast + bc. Defaults: RPC_URL_138, pool PMM_QUOTE_POOL (or 0x9e89…40dC cUSDT/cUSDC), trader DEPLOYER_ADDRESS. Example: bash scripts/verify/pmm-swap-quote-chain138.sh --token-in 0x93E6…f22 --amount-in 100000000.
  • check-token-aggregation-chain138-api.sh - Hits tokens, pools, quote, bridge/routes, bridge/status, bridge/preflight, and networks on both /api/v1/* and /token-aggregation/api/v1/*, then probes planner-v2 on /token-aggregation/api/v2/* for provider capabilities, route selection, the live DODO v3 pilot execution path through EnhancedSwapRouterV2, and the public route-tree depth sanity for the funded canonical cUSDC/USDC DODO pool. BASE_URL=https://explorer.d-bis.org (default) or http://192.168.11.140.
  • check-dodo-api-chain138-route-support.sh - Probes official DODO docs/contract inventory plus hosted SmartTrade quote support for Chain 138. Hosted quote probes read DODO_API_KEY (fallbacks: DODO_SECRET_KEY, DODO_DEVELOPER_API_KEY) and derive USER_ADDR from PRIVATE_KEY by default, so placing the DODO developer key in the root .env or exported shell alongside the deployer PRIVATE_KEY is the canonical repo path.
  • check-dodo-v3-planner-visibility-chain138.sh - Verifies the Chain 138 DODO v3 / D3MM pilot is promoted into planner-v2 capability and route-matrix visibility, and that the canonical pilot pair now emits EnhancedSwapRouterV2 executable calldata.
  • check-gru-transport-preflight.sh - Operator-focused GRU runtime preflight. Calls /api/v1/bridge/preflight, prints blocked pairs with eligibilityBlockers / runtimeMissingRequirements, and fails unless all active pairs are runtime-ready or ALLOW_BLOCKED=1 is set.
  • check-gru-v2-d3mm-expansion-status.sh - Summarizes the GRU v2 / D3MM public-EVM rollout posture against the explicit chain-by-chain expansion plan, including whether bootstrap-ready chains already have tracked first-tier pool scaffolds.
  • build-gru-v2-first-tier-pool-scaffolds.sh - Builds the canonical config/gru-v2-first-tier-pool-scaffolds.json inventory for missing first-tier public PMM rows. Use --write to refresh the tracked file.
  • print-gru-v2-first-tier-pool-scaffolds.sh - Prints ad-hoc scaffold snippets for selected chain IDs. Useful for operator copy/paste, but the canonical tracked source is config/gru-v2-first-tier-pool-scaffolds.json.
  • report-mainnet-deployer-liquidity-and-routes.sh - Read-only snapshot: deployer ETH / USDC / USDT / cWUSDC / cWUSDT balances, DODO integration allowances, Balancer vault USDC/USDT balances, Aave V3 available USDC/USDT under aTokens (flash premium bps), Curve 3pool USDC/USDT depth, Uniswap V3 USDC/USDT 0.01%/0.05% pool liquidity, DODO PMM reserves for all Mainnet cWUSDT/cWUSDC pairs in deployment-status.json, and a pointer for 1inch/DODO keys. Requires cast, jq, PRIVATE_KEY (address derivation only).
  • plan-mainnet-usdt-usdc-via-cw-paths.sh - Read-only Mainnet routing map: cWUSDT/USDT, cWUSDC/USDC, cWUSDT/USDC, cWUSDC/USDT, and cWUSDT/cWUSDC (0xe944…68DB), with two-hop and three-hop USDT↔USDC path recipes and optional --with-examples dry-run command lines.
  • run-mainnet-cwusdc-usdc-ladder-steps-1-3.sh - Operator helper for the current staged Mainnet cWUSDC/USDC ladder. Runs preflight, prints the staged matched top-up dry-run, executes dry-runs for steps 1-3, and verifies the expected matched reserve state after each rebalance without sending any live flash swaps. Optional PMM_FLASH_EXIT_PRICE_CMD overrides the default printf 1.12 for --external-exit-price-cmd (see print-mainnet-cwusdc-usdc-pmm-sellbase-implied-price.sh for on-chain pool-implied diagnostics only).
  • check-public-pmm-dry-run-readiness.sh - Read-only checklist: mainnet cWUSDT/cWUSDC pools, ETHEREUM_MAINNET_RPC / DODO_PMM_INTEGRATION_MAINNET, Balancer and Aave V3 flash liquidity snapshots, Chain 138 flash-candidate note, and suggested pmm-flash-push-break-even.mjs templates.
  • print-mainnet-cwusdc-usdc-pmm-sellbase-implied-price.sh - Prints one number: implied gross USDC per cWUSDC for a base sell size, using getVaultReserve + _LP_FEE_RATE_ (same fallback as run-mainnet-public-dodo-cw-swap.sh when querySellBase reverts). Args: [base_raw] [pool_address]; pool defaults to canonical public cWUSDC/USDC vault or env PMM_CWUSDC_USDC_IMPLIED_PRICE_POOL. Not a real external unwind quote.
  • print-mainnet-cwusdc-external-exit-quote.sh - Prints one number: hosted gross USDC per cWUSDC from DODO SmartTrade or 1inch v6 for mainnet cWUSDC→USDC at a raw base amount. Args: dodo|1inch [base_raw]. Keys: DODO_API_KEY (or DODO_SECRET_KEY / DODO_DEVELOPER_API_KEY) or ONEINCH_API_KEY; optional DODO_QUOTE_URL, ONEINCH_API_URL, DODO_SLIPPAGE, DODO_USER_ADDRESS. Use as --external-exit-price-cmd for execution-grade dry-runs. Same quoting logic as packages/economics-toolkit (dodo-quote.ts, oneinch-quote.ts). Alternative: pnpm exec economics-toolkit swap-quote --engine oneinch|dodo --chain-id 1 --rpc … --token-in … --token-out … --amount-in ….
  • check-gas-public-pool-status.sh - Operator-focused gas-native rollout summary. Combines the active GRU transport gas lanes with cross-chain-pmm-lps/config/deployment-status.json, then reports per-lane DODO wrapped-native and stable-quote pool state, Uniswap v3 reference visibility, 1inch exposure, and runtime/env blockers. The summary now distinguishes active vs deferred gas transport pairs, so deferred lanes such as wemix do not pollute the active counts. Use --json for machine-readable output.
  • check-gas-rollout-deployment-matrix.sh - Cross-checks the gas-family rollout against live bytecode on Chain 138 and the destination chains. Reports which canonical contracts, mirrored contracts, bridge refs, verifier refs, and vault refs are actually live, includes the deployed generic gas verifier on Chain 138 when present, distinguishes active vs deferred gas transport pairs, resolves each lane's CCIP selector, checks whether the live Chain 138 bridge has that destination wired, and classifies the observed L1 bridge read surface as full_accounting, partial_destination_only, admin_only, or unknown_or_incompatible. Use --json for machine-readable output.
  • ../deployment/print-gas-l1-destination-wiring-commands.sh - Prints the exact configureDestination(address,uint64,address,bool) commands still required on the live Chain 138 CWMultiTokenBridgeL1 for the active gas-native rollout lanes. Uses the same active transport overlay and selector metadata as the deployment matrix. Use --json for machine-readable output.
  • ../deployment/run-gas-l1-destination-wiring.sh - Operator-ready wrapper for the same 10 active gas-lane configureDestination(address,uint64,address,bool) writes on the live Chain 138 bridge. Dry-run by default; only broadcasts when EXECUTE_GAS_L1_DESTINATIONS=1 is set.
  • check-gru-global-priority-rollout.sh - Compares the ranked GRU global-priority currency rollout queue against the current repo state: live manifest, c* -> cW* mapping, and transport overlay. Use --wave=wave1 to focus on the next promotion wave or --json for machine-readable output.
  • check-gru-v2-public-protocols.sh - Canonical GRU v2 public-network status surface. Summarizes the desired public EVM cW mesh, loaded cW suites, Wave 1 transport state, and the current public-protocol truth for Uniswap v3, Balancer, Curve 3, DODO PMM, and 1inch. Use --json for machine-readable output or --write-explorer-config to regenerate explorer-monorepo/backend/api/rest/config/metamask/GRU_V2_PUBLIC_DEPLOYMENT_STATUS.json.
  • check-gru-v2-deployment-queue.sh - Operator-grade deployment queue for what is left to finish the public-network GRU v2 rollout. Breaks the remaining work down by Wave 1 asset, destination chain, and protocol stage, and now includes a blocker resolutionMatrix for missing cW suites, pending Wave 1 transport, public pool rollout, protocol staging, backlog assets, and Solana. Use --json for machine-readable output or --write-explorer-config to regenerate explorer-monorepo/backend/api/rest/config/metamask/GRU_V2_DEPLOYMENT_QUEUE.json.
  • check-gru-v2-d3mm-expansion-status.sh - Expansion-focused status summary for the explicit GRU v2 / D3MM public-EVM rollout order. Reads config/gru-v2-d3mm-network-expansion-plan.json, cross-chain-pmm-lps/config/deployment-status.json, and cross-chain-pmm-lps/config/pool-matrix.json, then reports which priority chains are already live-first-tier, only partially live, bootstrap-ready, or still blocked. Use --json for machine-readable output.
  • print-gru-v2-first-tier-pool-scaffolds.sh - Prints JSON snippets for the missing first-tier public PMM rows from the GRU v2 / D3MM expansion plan. This is scaffold output only: replace the zero pool address and keep publicRoutingEnabled=false until the pool is actually deployed and seeded.
  • check-gru-v2-deployer-funding-status.sh - Current deployer-wallet funding posture for the remaining GRU v2 rollout. Checks Mainnet, Cronos, Arbitrum, and Chain 138 balances, then flags the live funding blockers for public deployment work and canonical Chain 138 liquidity seeding. Use --json for machine-readable output.
  • check-cw-evm-deployment-mesh.sh - Reports the public EVM cW token deployment mesh recorded in smom-dbis-138/.env: expected 12-token suites per chain, missing addresses, and on-chain bytecode presence when RPCs are available. Current expected result is 10/11 loaded targets with 10/10 full sets across Mainnet, Optimism, Cronos, BSC, Gnosis, Polygon, Base, Arbitrum, Celo, and Avalanche; Wemix remains the only desired target without a loaded cW suite.
  • check-cw-public-pool-status.sh - Reads cross-chain-pmm-lps/config/deployment-status.json and reports how many chains have cW tokens, bridge availability, and any recorded public-chain pmmPools. Current expected result is that the tracked cW* token mesh exists on several chains and the first Mainnet DODO PMM pool wave is recorded (including cWUSDT/cWUSDC and the first six non-USD Wave 1 rows), while the broader public-chain mesh remains incomplete.
  • check-mainnet-public-dodo-cw-bootstrap-pools.sh - Verifies the eleven recorded Mainnet DODO cW* bootstrap pools (including cwusdt-cwusdc) are still mapped by the integration, have non-zero reserves, and remain dry-run routable through run-mainnet-public-dodo-cw-swap.sh.
  • check-mainnet-pmm-peg-bot-readiness.sh - Reads cross-chain-pmm-lps/config/deployment-status.json (chain 1), confirms eth_chainId is 1, checks integration mapping and reserves for each recorded pool, and flags USD-class cW vs USDC/USDT reserve imbalance against peg-bands.json. Optional: PMM_TRUU_BASE_TOKEN + PMM_TRUU_QUOTE_TOKEN, MIN_POOL_RESERVE_RAW, SKIP_EXIT=1. See MAINNET_PMM_TRUU_CWUSD_PEG_AND_BOT_RUNBOOK.md. Included in check-full-deployment-status.sh when ETHEREUM_MAINNET_RPC and DODO_PMM_INTEGRATION_MAINNET are set (after load-env).
  • ../deployment/deploy-mainnet-pmm-cw-truu-pool.sh - Mainnet DODO PMM: create and seed cWUSDT/TRUU or cWUSDC/TRUU (TRUU_MAINNET defaults to canonical Truth token). Defaults: fee 30 bps, k=0.5e18, TWAP off. Requires correct --initial-price (DODO i). Use --dry-run first.
  • ../deployment/add-mainnet-truu-pmm-topup.sh - Add liquidity to an existing cW/TRUU pool using max wallet balances that fit the reference USD ratio (see runbook section 11). Exits 0 if either leg balance is zero.
  • ../deployment/compute-mainnet-truu-liquidity-amounts.sh - Given USD per leg, prints base_raw / quote_raw and suggested deploy-mainnet-pmm-cw-truu-pool.sh lines for cWUSDT/TRUU and cWUSDC/TRUU (runbook section 11.1).
  • ../deployment/add-mainnet-truu-pmm-fund-both-pools.sh - Funds both volatile pools sequentially with optional --reserve-bps (runbook: partial add + trading inventory).
  • ../deployment/compute-mainnet-truu-pmm-seed-amounts.sh - Given USD notional per leg and TRUU/USD (per full token), prints --base-amount / --quote-amount for equal dollar liquidity on each side (not equal raw 1:1 tokens). See MAINNET_PMM_TRUU_CWUSD_PEG_AND_BOT_RUNBOOK.md section 9.
  • check-full-deployment-status.sh - Aggregates the current full-deployment posture across config validation, the Chain 138 canonical on-chain inventory, public token-aggregation health, GRU v2 readiness, the GRU global rollout queue, the GRU v2 public-protocol matrix, the deployer-funding gate, the public EVM cW token mesh, the gas-native c* / cW* rollout summary, and the public-chain cW* pool graph. It fails until the remaining deployment blockers are cleared; use SKIP_EXIT=1 or --json for reporting.
  • ../deployment/run-progressive-router-v2-swaps-chain138.sh - Live operator swap ladder for the public Chain 138 planner-v2 path. Fetches /token-aggregation/api/v2/routes/internal-execution-plan, ensures allowance, executes router-v2 calldata on-chain, and prints actual in/out for a progressive set of USD notionals (default: 10 50 100 250 500 1000). Requires PRIVATE_KEY; optional BASE_URL, RPC_URL_138, ENHANCED_SWAP_ROUTER_V2_ADDRESS.
  • check-cstar-v2-transport-stack.sh - Predeploy Forge verifier for the c* V2 bridge stack. Runs the base V2 token suite, legacy reserve-verifier compatibility suite, V2 reserve/verifier full L1/L2 round-trip suite, and the core CWMultiTokenBridge round-trip suite.
  • check-gru-v2-chain138-readiness.sh - Live Chain 138 readiness gate for the deployed cUSDT V2 / cUSDC V2 addresses. Verifies bytecode, GRU registry activation, V2 identity/signing surface, forwardCanonical, IPFS-backed tokenURI, and the governance/supervision metadata ABI expected by the latest GRU V2 standards.
  • run-repo-green-test-path.sh - Local deterministic green-path aggregate behind root pnpm test. Runs config validation, then the focused smom-dbis-138 contract and service CI targets.
  • audit-npmplus-ssl-all-instances.sh - Audits the documented NPMplus fleet for no_certificate, expired, cert_domain_mismatch, missing_cert_record, and ssl_not_forced. ssl_not_forced is expected for RPC / WebSocket-style hosts where plain HTTP or non-browser clients must keep working.
  • ../nginx-proxy-manager/fix-npmplus-ssl-issues.sh - Applies the primary NPMplus SSL remediation: enables Force SSL + HSTS for browser-facing hosts that already have certs, and requests or reuses certificates for hosts missing them or bound to the wrong certificate. It intentionally leaves Force SSL off for RPC / WebSocket endpoints such as rpc-core.d-bis.org, rpc.defi-oracle.io, and wss.*.
  • xdc-zero-chain138-preflight.sh - eth_chainId HTTP checks for XDC_PARENTNET_URL/PARENTNET_URL and RPC_URL_138; optional ETHEREUM_MAINNET_RPC, BSC_RPC_URL. See CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK.
  • ../xdc-zero/merge-endpointconfig-chain138.sh - Merge chain138 into XDC-Zero endpointconfig.json and append xdcparentnet.registers from fragments. Pass path to endpointconfig.json or XDC_ZERO_ENDPOINT_DIR; --dry-run. See config/xdc-zero/README.md.
  • ../xdc-zero/deploy-endpoint-chain138.sh - Hardhat deploy Endpoint stack to --network chain138 (XDC_ZERO_REPO, PRIVATE_KEY). See scripts/xdc-zero/README.md.
  • ../xdc-zero/run-xdc-zero-138-operator-sequence.sh - Prints full XDC Zero + 138 operator order.
  • ../validation/validate-xdc-zero-config.sh - jq parse check for config/xdc-zero/*.json.
  • check-completion-status.sh - One-command summary of repo-completable checks, public report API health, and pointers to operator/external remaining work. Set INCLUDE_INFO_DEFI_PUBLIC_VERIFY=1 to also run check-info-defi-oracle-public.sh (needs HTTPS to INFO_SITE_BASE / production).
  • reconcile-env-canonical.sh - Emit recommended .env lines for Chain 138 (canonical source of truth); use to reconcile smom-dbis-138/.env with CONTRACT_ADDRESSES_REFERENCE. Usage: ./scripts/verify/reconcile-env-canonical.sh [--print]
  • print-gas-runtime-env-canonical.sh - Emit the non-secret gas-lane runtime env scaffold from gru-transport-active.json plus live canonical totalSupply() on Chain 138. Uses per-lane gas caps from the registry, defaults outstanding / escrowed to the current canonical supply, defaults treasury-backed / treasury-cap to 0, and leaves the active gas verifier envs commented until the live L1 bridge is explicitly attached.
  • check-deployer-balance-blockscout-vs-rpc.sh - Compare the deployer native balance from the Blockscout API vs RPC (to verify the index matches the current chain). See EXPLORER_AND_BLOCKSCAN_REFERENCE.
  • sync-blockscout-address-labels-from-registry.sh - Plan or sync Blockscout address labels from address-registry-entry JSON (config/dbis-institutional/schemas/address-registry-entry.schema.json: blockscout.label, status: active). Supports --mode=http, --mode=db, and --mode=auto; on the self-hosted Chain 138 explorer, db is the right live mode because /api/v1/* is token-aggregation, not a native Blockscout label-write API. DB mode writes primary labels into Blockscout public.address_names through CT 5000. See config/dbis-institutional/README.md and OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md.
  • check-dependencies.sh - Verify required tools (bash, curl, jq, openssl, ssh)
  • export-cloudflare-dns-records.sh - Export Cloudflare DNS records
  • export-npmplus-config.sh - Export NPMplus proxy hosts and certificates via API
  • generate-source-of-truth.sh - Combine verification outputs into canonical JSON
  • run-full-verification.sh - Run full verification suite
  • verify-backend-vms.sh - Verify backend VMs (status, IPs, nginx configs)
  • verify-end-to-end-routing.sh - E2E routing verification
  • verify-udm-pro-port-forwarding.sh - UDM Pro port forwarding checks
  • verify-websocket.sh - WebSocket connectivity test (requires websocat or wscat)

Task runners (no LAN vs from LAN)

  • From anywhere (no LAN/creds): ../run-completable-tasks-from-anywhere.sh — runs config validation, on-chain contract check, run-all-validation --skip-genesis, public report API diagnostics, reconcile-env-canonical, and the gas runtime env scaffold.
  • Completion snapshot: check-completion-status.sh — summarizes what is complete locally and what still depends on operator or external execution. Optional: INCLUDE_INFO_DEFI_PUBLIC_VERIFY=1 adds the public info hub check.
  • Full LAN execution order: ../run-full-operator-completion-from-lan.sh — starts with the token-aggregation /api/v1 repair, then Wave 0, verification, E2E, non-fatal info.defi-oracle.io public smoke, and optional operator-only deployment steps. Use --skip-info-public without outbound HTTPS to the public hostname. Use --dry-run first.
  • From LAN (NPM_PASSWORD, optional PRIVATE_KEY): ../run-operator-tasks-from-lan.sh — runs W0-1 (NPMplus RPC fix), W0-3 (NPMplus backup), O-1 (Blockscout verification); use --dry-run to print commands only. See ALL_TASKS_DETAILED_STEPS.

Common operator patterns

  • Primary NPMplus SSL audit/fix: bash scripts/verify/audit-npmplus-ssl-all-instances.sh then bash scripts/nginx-proxy-manager/fix-npmplus-ssl-issues.sh --dry-run and rerun without --dry-run on the primary instance. The scripts now handle both JSON bearer-token auth and cookie-session auth from NPMplus, and the fixer can renew expired cert bindings as well as fill missing certs, wrong-cert bindings, and Force SSL gaps.
  • Tunnel-backed NPM hosts: if a hostname is publicly served by a proxied Cloudflare tunnel CNAME to *.cfargotunnel.com, the SSL audit intentionally ignores origin-cert expiry or mismatch on that NPM host. Public TLS is terminated by Cloudflare in that mode, and the tunnel origin uses noTLSVerify by design.
  • Other NPMplus instances: the fleet scripts already assume a shared NPM_EMAIL across instances. Rerun the same fix script with NPM_URL=https://<ip>:81 and the matching per-instance password env vars such as NPM_PASSWORD_SECONDARY, NPM_PASSWORD_ALLTRA_HYBX, NPM_PASSWORD_FOURTH, or NPM_PASSWORD_MIFOS. If audit shows auth_failed, the repo cannot finish that from here without the correct UI password for that instance.
  • Alltra/HYBX tunnel migration: bash scripts/cloudflare/configure-alltra-hybx-tunnel-and-dns.sh is the preferred public-path repair for rpc-alltra*, rpc-hybx*, rpc-core-2, and the related service names on 192.168.11.169. The script now replaces legacy direct A records with proxied tunnel CNAMEs when needed.
  • RPC TLS mismatch: if rpc.defi-oracle.io has a certificate attached but the browser still reports a hostname mismatch, the fix is to request or assign a certificate whose SAN/CN actually includes rpc.defi-oracle.io; Force SSL toggles alone will not fix that.
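
The hostname-coverage point in the RPC TLS mismatch item can be checked offline with openssl. The following is an added example, not the repository's audit script: it reuses the audit's status names (no_certificate, expired, cert_domain_mismatch), adds an assumed "ok" status, and runs against a constructed self-signed certificate for example.test hostnames.

```shell
#!/bin/sh
# Added example (not the repository's audit script): classify a PEM
# certificate against one hostname using the audit's status names.
# "ok" is an assumed status for the passing case.

# classify_cert <pem-file> <hostname>  -> prints one status word
classify_cert() {
  cc_pem=$1
  cc_host=$2
  # Missing or unparseable file: no certificate is available for the host.
  if ! openssl x509 -in "$cc_pem" -noout 2>/dev/null; then
    echo "no_certificate"
    return
  fi
  # -checkend 0 exits non-zero when notAfter is already in the past.
  if ! openssl x509 -in "$cc_pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired"
    return
  fi
  # -checkhost matches the name against the SAN dNSName entries (CN is only
  # a fallback when no SAN is present). Read the message, not the exit code.
  if openssl x509 -in "$cc_pem" -noout -checkhost "$cc_host" 2>/dev/null |
      grep -q "does match certificate"; then
    echo "ok"
  else
    echo "cert_domain_mismatch"
  fi
}

# make_sample_cert <out.pem> <subjectAltName value>
# Builds a constructed, throwaway self-signed certificate for the demo.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=constructed-sample" -days 30 \
    -addext "subjectAltName=$2" -out "$1" 2>/dev/null
}

# audit_sample: prints "<hostname> <status>" for several constructed hosts.
audit_sample() {
  as_dir=$(mktemp -d)
  make_sample_cert "$as_dir/cert.pem" \
    "DNS:rpc.example.test,DNS:*.wss.example.test"
  # rpc.example.test      listed in SAN                 -> ok
  # a.wss.example.test    covered by the wildcard       -> ok
  # wss.example.test      wildcard needs one more label -> mismatch
  # rpc-core.example.test not in SAN at all             -> mismatch
  for as_host in rpc.example.test a.wss.example.test \
                 wss.example.test rpc-core.example.test; do
    printf '%s %s\n' "$as_host" "$(classify_cert "$as_dir/cert.pem" "$as_host")"
  done
  # A host whose certificate file does not exist.
  printf '%s %s\n' "unbound.example.test" \
    "$(classify_cert "$as_dir/absent.pem" unbound.example.test)"
  rm -rf "$as_dir"
}

audit_sample
```

A host reported as cert_domain_mismatch here stays mismatched whatever the Force SSL setting is; only a certificate whose SAN lists the name changes the result.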

Environment

Set variables in .env or export before running. See project root .env.example and docs/04-configuration/VERIFICATION_GAPS_AND_TODOS.md.