proxmox/AGENTS.md
defiQUG 7ac74f432b chore: sync docs, config schemas, scripts, and meta task alignment
- Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON
- Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path)
- Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README
- Meta docs, integration gaps, live verification log, architecture updates
- CI validate-config workflow updates

Operator/LAN items, submodule working trees, and public token-aggregation edge
routes remain follow-up (see TODOS_CONSOLIDATED P1).

Made-with: Cursor
2026-03-31 22:31:39 -07:00


Proxmox workspace — agent instructions

Single canonical copy for Cursor/Codex. (If your editor also loads .cursor/rules, treat those as overlays.)

Scope

Orchestration for Proxmox VE, Chain 138 (smom-dbis-138/), explorers, NPMplus, and deployment runbooks.

Quick pointers

| Need | Location |
|---|---|
| Doc index | docs/MASTER_INDEX.md |
| Chain 138 info site (info.defi-oracle.io) | info-defi-oracle-138/; pnpm --filter info-defi-oracle-138 build; deploy dist/; runbook docs/04-configuration/INFO_DEFI_ORACLE_IO_DEPLOYMENT.md |
| cXAUC/cXAUT unit | 1 full token = 1 troy oz Au — docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md (section 5.1) |
| PMM mesh 6s tick | smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh; docs/integration/ORACLE_AND_KEEPER_CHAIN138.md (PMM mesh automation) |
| VMID / IP / FQDN | docs/04-configuration/ALL_VMIDS_ENDPOINTS.md |
| Proxmox Mail Proxy (LAN SMTP) | VMID 100 192.168.11.32 (proxmox-mail-gateway) — submission 587 / 465; see Mail Proxy note in ALL_VMIDS_ENDPOINTS.md |
| Ops template + JSON | docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md, config/proxmox-operational-template.json |
| Live vs template (read-only SSH) | bash scripts/verify/audit-proxmox-operational-template.sh |
| Config validation | bash scripts/validation/validate-config-files.sh (optional: python3 -m pip install check-jsonschema for validate-dbis-institutional-schemas.sh, validate-jvmtm-regulatory-closure-schemas.sh, validate-reserve-provenance-package.sh; includes explorer Chain 138 inventory vs config/smart-contracts-master.json) |
| Chain 138 contract addresses (JSON + bytecode) | config/smart-contracts-master.json; bash scripts/verify/check-contracts-on-chain-138.sh (expect 64/64 when Core RPC reachable; jq uses JSON when file present) |
| OMNL + Core + Chain 138 + RTGS + Smart Vaults | docs/03-deployment/OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md; identifiers (UETR vs DLT-primary): docs/03-deployment/OJK_BI_AUDIT_JVMTM_REMEDIATION_AND_UETR_POLICY.md; JVMTM Tables B/C/D closure matrix: config/jvmtm-regulatory-closure/INAAUDJVMTM_2025_AUDIT_CLOSURE_MATRIX.md; dual-anchor attestation: scripts/omnl/omnl-chain138-attestation-tx.sh (138 + optional mainnet via ETHEREUM_MAINNET_RPC); E2E zip: AUDIT_PROOF.json chainAttestationMainnet; machine-readable: config/dbis-institutional/ |
| Blockscout address labels from registry | bash scripts/verify/sync-blockscout-address-labels-from-registry.sh (plan); --apply with BLOCKSCOUT_* env when explorer API confirmed |
| ISO-20022 on-chain methodology + intake gateway | docs/04-configuration/SMART_CONTRACTS_ISO20022_FIN_METHODOLOGY.md, ISO20022_INTAKE_GATEWAY_CONTRACT_MULTI_NETWORK.md; Rail: docs/dbis-rail/ISO_GATEWAY_AND_RELAYER_SPEC.md |
| FQDN / NPM E2E verifier | bash scripts/verify/verify-end-to-end-routing.sh --profile=public — inventory: docs/04-configuration/E2E_ENDPOINTS_LIST.md. Gitea Actions URLs (no API): bash scripts/verify/print-gitea-actions-urls.sh |
| RPC FQDN batch (eth_chainId + WSS) | bash scripts/verify/check-rpc-fqdns-e2e.sh — after DNS + update-npmplus-proxy-hosts-api.sh; includes rpc-core.d-bis.org |
| Submodule trees clean (CI / post-merge) | bash scripts/verify/submodules-clean.sh |
| Submodule + explorer remotes | docs/00-meta/SUBMODULE_HYGIENE.md |
| smom-dbis-138 .env in bash scripts | Prefer source smom-dbis-138/scripts/lib/deployment/dotenv.sh + load_deployment_env --repo-root "$PROJECT_ROOT" (trims RPC URL line endings). From an interactive shell: source smom-dbis-138/scripts/load-env.sh. Proxmox root scripts: source scripts/lib/load-project-env.sh (also trims common RPC vars). |
| Sankofa portal → CT 7801 (build + restart) | ./scripts/deployment/sync-sankofa-portal-7801.sh (--dry-run first); default NEXTAUTH_URL=https://portal.sankofa.nexus via sankofa-portal-ensure-nextauth-on-ct.sh |
| Portal Keycloak OIDC secret on CT 7801 | After client exists: ./scripts/deployment/sankofa-portal-merge-keycloak-env-from-repo.sh (needs KEYCLOAK_CLIENT_SECRET in repo .env; base64-safe over SSH) |
| Sankofa corporate web → CT 7806 | Provision: ./scripts/deployment/provision-sankofa-public-web-lxc-7806.sh. Sync: ./scripts/deployment/sync-sankofa-public-web-to-ct.sh. systemd: config/systemd/sankofa-public-web.service. Set IP_SANKOFA_PUBLIC_WEB in .env, then scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh |
| CCIP relay (r630-01 host) | Unit: config/systemd/ccip-relay.service → /etc/systemd/system/ccip-relay.service; systemctl enable --now ccip-relay |
| Wormhole protocol (LLM / MCP) vs Chain 138 facts | Wormhole NTT/Connect/VAAs/etc.: docs/04-configuration/WORMHOLE_AI_RESOURCES_LLM_PLAYBOOK.md, mirror scripts/doc/sync-wormhole-ai-resources.sh, MCP mcp-wormhole-docs/ + docs/04-configuration/MCP_SETUP.md. Chain 138 addresses, PMM, CCIP: repo docs/11-references/ + docs/07-ccip/ — not Wormhole bundles. Cursor overlay: .cursor/rules/wormhole-ai-resources.mdc. |
| TsunamiSwap VM 5010 check | ./scripts/deployment/tsunamiswap-vm-5010-provision.sh (inventory only until VM exists) |
| The Order portal (https://the-order.sankofa.nexus) | OSJ management UI (secure auth); source repo the_order at ~/projects/the_order. NPM upstream defaults to order-haproxy CT 10210 (IP_ORDER_HAPROXY:80); use THE_ORDER_UPSTREAM_* to point at the Sankofa portal if 10210 is down. Provision HAProxy: scripts/deployment/provision-order-haproxy-10210.sh. www.the-order.sankofa.nexus → 301 apex (same as www.sankofa / www.phoenix). |
| Portal login + Keycloak systemd + .env (prints password once) | ./scripts/deployment/enable-sankofa-portal-login-7801.sh (--dry-run first); preserves KEYCLOAK_* from repo .env and runs merge script when KEYCLOAK_CLIENT_SECRET is set |
| Keycloak redirect URIs (portal + admin) | ./scripts/deployment/keycloak-sankofa-ensure-client-redirects-via-proxmox-pct.sh (or keycloak-sankofa-ensure-client-redirects.sh for LAN URL) — needs KEYCLOAK_ADMIN_PASSWORD in .env |
| NPM TLS for hosts missing certs | ./scripts/request-npmplus-certificates.sh — optional `CERT_DOMAINS_FILTER='portal\.sankofa |
| Token-aggregation API (Chain 138) | pnpm run verify:token-aggregation-api — tokens, pools, quote, bridge/routes, networks. Deploy: scripts/deploy-token-aggregation-for-publication.sh. After edge deploy: SKIP_BRIDGE_ROUTES=0 bash scripts/verify/check-public-report-api.sh https://explorer.d-bis.org. |
| Completable (no LAN) | ./scripts/run-completable-tasks-from-anywhere.sh |
| Operator (LAN + secrets) | ./scripts/run-all-operator-tasks-from-lan.sh (use --skip-backup if NPM_PASSWORD unset) |
| Cloudflare bulk DNS → PUBLIC_IP | ./scripts/update-all-dns-to-public-ip.sh — use --dry-run and --zone-only=sankofa.nexus (or d-bis.org / mim4u.org / defi-oracle.io) to limit scope; see script header. Prefer scoped CLOUDFLARE_API_TOKEN (see .env.master.example). |
| IRU marketplace surfaces + Turnstile (Captcha) | docs/03-deployment/SANKOFA_MARKETPLACE_SURFACES.md — native (VMs, IPs, app hosting, etc.) vs partner (e.g. SolaceNet IRU) methodology; Turnstile secret on API (CLOUDFLARE_TURNSTILE_SECRET_KEY or aliases), site key on frontend build (VITE_*); not the same as Cloudflare DNS keys. docs/04-configuration/MASTER_SECRETS.md (Cloudflare table). |

Git submodules

Most submodules are pinned commits; git submodule update --init --recursive often leaves detached HEAD — that is normal. To change a submodule: check out a branch inside it, commit, push the submodule first, then commit and push the parent submodule pointer. Do not embed credentials in git remote URLs; use SSH or a credential helper. Explorer Gitea vs GitHub and token cleanup: docs/00-meta/SUBMODULE_HYGIENE.md.
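The "no credentials in git remote URLs" rule above can be checked mechanically before a push or in CI. The script below is an added example, not one of this repository's own scripts; the remote listing it scans is constructed, and the function names are this example's own. It treats SSH userinfo (`git@host`) as a plain username but any userinfo on an http(s) remote as a leaked token or password, and redacts the secret before logging the offending URL.

```shell
#!/bin/sh
# Added example (not one of the repo's own scripts): scan git remote URLs for
# embedded credentials, which this AGENTS.md forbids. Input is text in the shape
# of `git remote -v` or `git config --file .gitmodules --get-regexp url` output;
# the sample further down is constructed.

# Return 0 (true) when a URL carries a secret in its userinfo, 1 otherwise.
# SSH forms (git@host:path, ssh://git@host/path) are fine: "git" is a username,
# not a credential. Any userinfo on http(s) is a token or password by definition.
url_has_embedded_credentials() {
    case "$1" in
        http://*@*|https://*@*) return 0 ;;   # https://TOKEN@host/... or user:pw@host
        *://*:*@*)              return 0 ;;   # user:password@ in any other scheme
        *)                      return 1 ;;
    esac
}

# Mask the userinfo so the offending URL can be logged without re-leaking it.
redact_url() {
    printf '%s\n' "$1" | sed 's#://[^@/]*@#://<redacted>@#'
}

# Read a remote listing on stdin; print one redacted line per offending URL.
# Exit status: 0 if clean, 1 if at least one URL embeds a credential.
scan_remote_urls() {
    found=0
    while IFS= read -r line; do
        case "$line" in "#"*|"") continue ;; esac            # skip comments / blanks
        for word in $line; do
            case "$word" in *://*|*@*:*) ;; *) continue ;; esac   # URL-looking tokens only
            if url_has_embedded_credentials "$word"; then
                echo "credential in remote URL: $(redact_url "$word")"
                found=1
            fi
        done
    done
    return "$found"
}

# Count offending URLs in a listing passed as a string (handy for CI thresholds).
count_offending() {
    printf '%s\n' "$1" | scan_remote_urls | grep -c .
}

# Constructed sample: one HTTPS remote with a leaked token, two clean SSH remotes.
SAMPLE_REMOTES='origin   https://ghp_EXAMPLETOKEN@github.com/example-org/proxmox.git (fetch)
upstream git@gitea.example.invalid:example-org/smom-dbis-138.git (fetch)
mirror   ssh://git@gitea.example.invalid:2222/example-org/explorer.git (push)'

# Demo run over the constructed sample.
if printf '%s\n' "$SAMPLE_REMOTES" | scan_remote_urls; then
    echo "no embedded credentials found"
fi
```

Against a live checkout, the same functions take `git remote -v | scan_remote_urls` for the parent and `git config --file .gitmodules --get-regexp url | scan_remote_urls` for pinned submodules; a non-zero exit is the signal to rewrite the remote to SSH or a credential helper before pushing.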

Rules of engagement

  • Review scripts before running; prefer --dry-run where supported.
  • Do not run the full operator flow when everything is healthy unless the user explicitly wants broad fixes (NPM/nginx/RPC churn).
  • Chain 138 deploy RPC: http://192.168.11.211:8545 (Core). Read-only / non-deploy checks may use public RPC per project rules.

Full detail: see embedded workspace rules and docs/00-meta/OPERATOR_READY_CHECKLIST.md.