b3a8fe4496
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
- Config, docs, scripts, and backup manifests - Submodule refs unchanged (m = modified content in submodules) Made-with: Cursor
5.1 KiB
5.1 KiB
All Recommendations — High-Priority Only
Purpose: Filtered view of high-priority and critical items from the canonical list.
Canonical source: ALL_RECOMMENDATIONS_AND_IMPROVEMENTS_LIST.md (~139 items, 20 sections).
1. Proxmox / Validated Set (High) — Items 1–11
| # | Recommendation | Notes |
|---|---|---|
| 1 | Secure .env file permissions | chmod 600 ~/.env |
| 2 | Secure validator key permissions | chmod 600, chown besu |
| 3 | SSH key-based authentication (disable password) | |
| 4 | Firewall rules for Proxmox API (port 8006) | Restrict to specific IPs |
| 5 | Network segmentation (VLANs) | VLAN enablement phase |
| 6 | Basic metrics collection (Prometheus, Besu 9545) | |
| 7 | Health check monitoring + alerting | |
| 8 | Automated backup script + encrypted validator keys | |
| 9 | Backup configuration files + version control | |
| 10 | Integration tests for deployment scripts | |
| 11 | Runbooks (add/remove validator, upgrade Besu, key rotation, recovery, consensus) |
2. Code quality & scripts (High) — Items 36–37
| # | Recommendation | Priority |
|---|---|---|
| 36 | Script shebang: standardize on #!/usr/bin/env bash |
Medium |
| 37 | Error handling: standardize on set -euo pipefail + traps |
High |
3. Documentation (High) — Items 68, 70
| # | Recommendation | Priority |
|---|---|---|
| 68 | Quick reference cards (network, VMID, commands, troubleshooting) | High |
| 70 | Configuration templates (ER605, Proxmox, Cloudflare, Besu) | High |
4. Security — Items 48–52
| # | Recommendation | Priority |
|---|---|---|
| 48 | Secret management audit (no hardcoded secrets, rotation, CI scanning) | High |
| 49 | Input validation in all scripts | High |
| 50 | Security scanning automation (CI, container image scanning) | High |
| 51 | Access control review (RBAC, least privilege) | Medium |
| 52 | Configuration validation (JSON/YAML schema, pre-deploy) | High |
5. Configuration, testing & DX (High) — Item 67
| # | Recommendation | Priority |
|---|---|---|
| 67 | Backup & recovery review and testing | High |
6. Infrastructure & deployment (High) — Items 79–81
| # | Recommendation | Notes |
|---|---|---|
| 79 | Besu RPC — 2506–2508 destroyed 2026-02-08; replaced by new VMID structure; RPC 2500–2505 only. See MISSING_CONTAINERS_LIST.md | Done (doc) |
| 80 | Hyperledger (Firefly, Cacti, Fabric, Indy) containers | High/Medium |
| 81 | Blockscout (5000) container | High |
7. Codebase & placeholders (Critical/High) — Items 82–86
| # | Recommendation | Priority |
|---|---|---|
| 82 | Security audits (VLT-024, ISO-024) | Critical |
| 83 | Bridge integrations (BRG-VLT, BRG-ISO) | High |
| 84 | CCIP AMB full implementation | High |
| 85 | dbis_core TypeScript/Prisma fixes (~1186 errors) | High |
| 86 | IRU remaining tasks | High |
8. RPC translator — Items 128–129
| # | Recommendation | Priority |
|---|---|---|
| 128 | Client-side retry logic (exponential backoff, 502) | High |
| 129 | Set up monitoring/alerting | High |
9. Orchestration portal (P0) — Item 131
| # | Recommendation | Priority |
|---|---|---|
| 131 | P0: Auth, state, real-time, error handling, security headers, validation, testing, CI/CD | Must have |
10. dbis_core (Critical)
| Recommendation | Priority |
|---|---|
| HSM Integration | Critical |
| Zero-Trust Authentication | Critical |
| Database Backups | Critical |
| Post-Quantum Cryptography Migration | Critical |
| Data Retention Policies | Critical |
Source: dbis_core/docs/RECOMMENDATIONS.md
11. Operator checklist (R1–R24)
Full operator actions: RECOMMENDATIONS_OPERATOR_CHECKLIST.md and OPERATOR_AND_EXTERNAL_COMPLETION_CHECKLIST.md.
| # | Action |
|---|---|
| R1–R3 | Verify contracts on Blockscout; keep CONTRACT_ADDRESSES_REFERENCE and ADDRESS_MATRIX_AND_STATUS updated; run check-contracts-on-chain-138.sh |
| R4–R7 | Use 0x971c... CCIPWETH9Bridge only; no .env/keys in repo; restrict deployer/RPC access |
| R8–R11 | RPC_URL_138; GAS_PRICE on 138; phased deploy; nonce/tx stuck runbooks |
| R12–R16 | Keep runbooks in sync; document addresses per chain; run verification after deploy; env per env |
| R17–R20 | Monitor bridges; Blockscout up; forge test pre-deploy; NatSpec |
| R21–R24 | The Order NPMplus; blocks #2–#6; script progress/dry-run/validation; token-mapping.json source of truth |
Where to read more
- Full list (all priorities): ALL_RECOMMENDATIONS_AND_IMPROVEMENTS_LIST.md
- Operator-only checklist: ALL_RECOMMENDATIONS_OPERATOR_ONLY.md
- Implementation checkboxes: 10-best-practices/IMPLEMENTATION_CHECKLIST.md