proxmox/docs/04-configuration/REMAINING_ITEMS_DOTENV_AND_ACTIONS.md
defiQUG 3f76bc9507
docs: update master documentation and push to Gitea (2026-03-06)
- MASTER_INDEX: Last Updated 2026-03-06; status 59/59 contracts; add NEXT_STEPS_LIST, CONTRACT_NEXT_STEPS_LIST
- docs/README, NEXT_STEPS_INDEX, 06-besu/MASTER_INDEX: Last Updated 2026-03-06
- Contract check script: 59 addresses (PMM, vault/reserve, CompliantFiatTokens); canonical CCIP/router
- New docs: EXECUTION_CHECKLIST, NEXT_STEPS_LIST, DOTENV_AUDIT, ADDITIONAL_PATHS, deployer gas runbook, WEMIX_ACQUISITION_TABLED, etc.
- Config: deployer-gas-routes, cro-wemix-swap-routes, routing-registry, token-mapping
- Scripts: check-contracts-on-chain-138, check-pmm-pool-balances-chain138, deployer-gas-auto-route, acquire-cro-and-wemix-gas
- Operator rule: operator-lan-access-check.mdc

Made-with: Cursor
2026-03-06 19:11:25 -08:00


Remaining Items — Secrets in .env and Actions

Last Updated: 2026-03-06
Purpose: Where to store secrets and what to run for each remaining next step. Check completion before running.
Run order: EXECUTION_CHECKLIST_MULTIPLE_ROUTES_AND_LIQUIDITY.md (suggested order of execution); NEXT_STEPS_LIST.md (ordered next steps). Audit: DOTENV_AND_MARKDOWN_AUDIT_GAPS_AND_RECOMMENDATIONS.md.


Secrets storage (dotenv)

| Secret / config | Where to store | Used by |
|---|---|---|
| GITEA_TOKEN | Root .env (or export when running) | push-to-gitea.sh, gitea-create-orgs-and-repos.sh |
| PRIVATE_KEY, RPC_URL_138, CCIPWETH9_BRIDGE_CHAIN138, LINK_TOKEN_CHAIN138 | smom-dbis-138/.env | Bridge script and contract deployment (load-project-env.sh sources it). Same deployer wallet holds LINK for bridge fees. |
| NPM_*, NPM_PASSWORD_FOURTH | Root .env | NPMplus proxy scripts |
| CLOUDFLARE_* | Root .env | Tunnel/DNS scripts |
| JWT (per container) | Container config or file; not in repo .env | 2506–2508 RPC JWT auth; see generate-jwt-token-for-container.sh |

Reference: REQUIRED_SECRETS_INVENTORY.md, root .env.example.
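
A pre-flight audit for the table above, added here as an example (not one of the repo's scripts): it reports which required keys are missing or empty, flags JWT-related keys that should not be in a repo .env, and additionally checks that the file is readable by its owner only. The sample file and the key name RPC_2506_JWT_SECRET are constructed; GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example: audit a dotenv file. Prints key names only, never values.

# Names of required keys that are missing, commented out, or set to an empty value.
missing_keys() {  # usage: missing_keys FILE KEY...
  local file=$1 key; shift
  for key in "$@"; do
    grep -Eq "^[[:space:]]*(export[[:space:]]+)?${key}=[\"']?[^\"'[:space:]#]" "$file" \
      || printf '%s\n' "$key"
  done
}

# Names of JWT-related keys; the page keeps JWT secrets out of repo .env files.
jwt_keys() {
  sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z0-9_]*[Jj][Ww][Tt][A-Za-z0-9_]*)=.*/\2/p' "$1"
}

# True when group and others have no access at all (mode 600, 400, ...).
owner_only() { case "$(stat -c '%a' "$1")" in ?00) return 0 ;; *) return 1 ;; esac; }

# Constructed sample standing in for smom-dbis-138/.env (dummy values only).
SAMPLE_ENV=$(mktemp)
trap 'rm -f "$SAMPLE_ENV"' EXIT
cat > "$SAMPLE_ENV" <<'EOF'
PRIVATE_KEY=0xDUMMY_CONSTRUCTED_VALUE
RPC_URL_138=http://192.168.11.211:8545
CCIPWETH9_BRIDGE_CHAIN138=
# LINK_TOKEN_CHAIN138=0xDUMMY
RPC_2506_JWT_SECRET=dummy
EOF
chmod 644 "$SAMPLE_ENV"   # deliberately too open, so the check below fires

REQUIRED="PRIVATE_KEY RPC_URL_138 CCIPWETH9_BRIDGE_CHAIN138 LINK_TOKEN_CHAIN138"
echo "missing or empty: $(missing_keys "$SAMPLE_ENV" $REQUIRED | tr '\n' ' ')"
echo "JWT keys found in repo .env: $(jwt_keys "$SAMPLE_ENV")"
owner_only "$SAMPLE_ENV" || echo "permissions too open: chmod 600 the file"
```
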


7. Bridge (W0-2)

Secrets: PRIVATE_KEY is stored in smom-dbis-138/.env. The same wallet holds LINK for bridge fees (fee token on Chain 138).

Completed? Run dry-run to verify:
bash scripts/bridge/run-send-cross-chain.sh 0.01 --dry-run
If simulation OK, PRIVATE_KEY and RPC are loaded from smom-dbis-138/.env.

To complete: When ready to send real tx:
bash scripts/bridge/run-send-cross-chain.sh 0.01
(No --dry-run.)


8. Security (W1-1, W1-2)

Completed? Check: on each Proxmox host, PasswordAuthentication in /etc/ssh/sshd_config and UFW rules for 8006. If already restricted, skip.

To complete: Deploy SSH keys to all Proxmox hosts first, then from repo root:
bash scripts/security/run-security-on-proxmox-hosts.sh --apply
This disables password SSH and restricts port 8006 to 192.168.11.0/24.
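
The "Completed?" check for this item as read-only shell functions, added here as an example (not the repo's run-security-on-proxmox-hosts.sh). Function names and the sample sshd/ufw text are constructed; the 192.168.11.0/24 range and port 8006 are the ones stated above.

```shell
#!/usr/bin/env bash
# Added example: both functions read text on stdin, so they accept live output
# (`sshd -T`, `ufw status`) or a saved copy of it.

# True only if PasswordAuthentication is set and every occurrence, global or
# inside a Match block, is "no". An absent keyword means sshd's default (yes).
password_auth_disabled() {
  awk '
    tolower($1) == "passwordauthentication" {
      seen = 1
      if (tolower($2) != "no") bad = 1
    }
    END { exit !(seen && !bad) }'
}

# True only if ufw is active, some rule allows 8006 from $1, and no rule allows
# 8006 from any other source. Limitation: port ranges and port-less rules are not parsed.
port_8006_limited_to() {
  awk -v lan="$1" '
    /^Status: active/ { active = 1 }
    $1 ~ /^8006(\/tcp)?$/ {
      for (i = 2; i < NF; i++) if ($i == "ALLOW") {
        src = ($(i + 1) == "IN") ? $(i + 2) : $(i + 1)
        if (src == lan) ok = 1; else bad = 1
      }
    }
    END { exit !(active && ok && !bad) }'
}

# Constructed sample inputs.
SSHD_WEAK='#PasswordAuthentication yes
PermitRootLogin yes'
SSHD_HARD='PermitRootLogin prohibit-password
PasswordAuthentication no'
SSHD_MATCH="$SSHD_HARD
Match Address 10.0.0.0/8
  PasswordAuthentication yes"
UFW_HEAD='Status: active

To                         Action      From
--                         ------      ----'
UFW_LAN="$UFW_HEAD
8006/tcp                   ALLOW       192.168.11.0/24"
UFW_OPEN="$UFW_LAN
8006/tcp (v6)              ALLOW       Anywhere (v6)"

printf '%s\n' "$SSHD_MATCH" | password_auth_disabled || echo "ssh: password login still possible"
printf '%s\n' "$UFW_OPEN" | port_8006_limited_to 192.168.11.0/24 || echo "ufw: 8006 not limited to LAN"
```

On a host, pipe in `sshd -T` rather than the file itself: it prints the effective settings, including Include drop-ins that a plain read of /etc/ssh/sshd_config misses.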


9. 2506–2508 JWT / identity

Completed? Check: Nginx in front of 2506/2507/2508 validates JWT; tokens map to identities per CHAIN138_JWT_AUTH_REQUIREMENTS.md.

To complete: Per container: configure JWT auth in nginx, generate tokens with scripts/generate-jwt-token-for-container.sh (JWT secret from container or saved file). Identity: 2506→Luis, 2507/2508→Putu. See MISSING_CONTAINERS_LIST.md.

Secrets: JWT secrets live on the containers or in a secure store; do not put in repo .env.


10. Explorer SSL

Completed? Open https://explorer.d-bis.org — no certificate warning.

To complete: NPMplus at https://192.168.11.167:81 → SSL Certificates → Let's Encrypt for explorer.d-bis.org → assign to proxy host, Force SSL. See EXPLORER_TROUBLESHOOTING.md. No .env needed.


11. NPMplus cert 134 (cross-all.defi-oracle.io)

Completed? Verification no longer reports "cert files missing" for that cert.

To complete: NPMplus at https://192.168.11.167:81 → SSL Certificates → find cross-all.defi-oracle.io → re-request Let's Encrypt or re-save. No .env needed.


12. Wave 2 & 3

Completed? Per WAVE2_WAVE3_OPERATOR_CHECKLIST.md: monitoring stack, Grafana + Cloudflare Access, VLANs, CCIP Ops/Admin (5400–5401), 2506–2508 JWT/identity, DBIS services, NPMplus HA (optional), CCIP Fleet, Phase 4 tenant isolation.

To complete: Work through the checklist by wave. Store any new secrets in the appropriate .env (root or service-specific) and document in REQUIRED_SECRETS_INVENTORY.md.


13. Smart contracts — deploy and verify

Secrets: PRIVATE_KEY (and RPC_URL_138, LINK_TOKEN_CHAIN138, CCIPWETH9_BRIDGE_CHAIN138) are in smom-dbis-138/.env. Same deployer wallet used for deployment and bridge (holds LINK for fees).

Completed? Check: contracts deployed to Chain 138 and/or Mainnet per CONTRACTS_TO_DEPLOY.md; verified on Blockscout/explorer.

To complete:

  1. Deploy (Chain 138) — From a host with RPC access to 192.168.11.211:8545 (RPC_CORE_1):

    cd smom-dbis-138 && source .env
    bash scripts/deployment/deploy-all-contracts.sh
    # or phased: deploy-contracts-unified.sh --mode ordered
    

    WETH bridge (CCIP): From repo root:
    GAS_PRICE=1000000000 ./scripts/deploy-and-configure-weth9-bridge-chain138.sh
    Then set CCIPWETH9_BRIDGE_CHAIN138 in smom-dbis-138/.env if the script does not update it.

  2. Verify (Blockscout) — After deployment:

    source smom-dbis-138/.env 2>/dev/null
    ./scripts/verify/run-contract-verification-with-proxy.sh
    

    Or start the Forge Verification Proxy (Blockscout) and run ./scripts/verify-contracts-blockscout.sh.

References: CONTRACT_DEPLOYMENT_RUNBOOK.md, CONTRACTS_TO_DEPLOY.md.


Quick check before running

See CONTINUE_AND_COMPLETE.md (archived) for run order and quick-check commands.

  • Bridge: PRIVATE_KEY and LINK (same wallet) in smom-dbis-138/.env; dry-run OK.
  • Contracts: PRIVATE_KEY in smom-dbis-138/.env; RPC access to RPC_CORE_1 (192.168.11.211:8545); then deploy and run verification script.
  • Security --apply: SSH key login works to 192.168.11.10, .11, .12.
  • Gitea push: GITEA_TOKEN in root .env or export; run push-to-gitea.sh from each repo.