refactor: rename SolaceScanScout to Solace and update related configurations

- Updated branding from "SolaceScanScout" to "Solace" across various files including deployment scripts, API responses, and documentation.
- Changed default base URL for Playwright tests and updated security headers to reflect the new branding.
- Enhanced README and API documentation to include new authentication endpoints and product access details.

This refactor aligns the project branding and improves clarity in the API documentation.

deployment/common/README.md

@@ -6,7 +6,9 @@ Use as reference or copy into your project.
 ## Contents
 
 - **nginx-api-location.conf** – Generic `location /api/` proxy snippet (upstream host/port to be adjusted).
+- **nginx-rpc-api-key-gate.conf** – Example `auth_request` pattern for API-key-protected RPC lanes using the explorer access validator.
 - **systemd-api-service.example** – Example systemd unit for a REST API (env and paths to be adjusted).
+- **../scripts/render-rpc-access-gate-nginx.sh** – Render a concrete nginx gate config for `core-rpc`, `alltra-rpc`, or `thirdweb-rpc`.
 - **cloudflare / fail2ban** – See parent `../cloudflare/` and `../fail2ban/` for full configs.
 
 When this is a separate repo, add as submodule at `deployment/common`.

deployment/common/nginx-next-frontend-proxy.conf

@@ -1,4 +1,4 @@
-# Next.js frontend proxy locations for SolaceScanScout.
+# Next.js frontend proxy locations for SolaceScan.
 # Keep the existing higher-priority locations for:
 # - /api/
 # - /api/config/token-list
@@ -32,5 +32,6 @@ location / {
     proxy_buffering off;
     proxy_hide_header Cache-Control;
     add_header Cache-Control "no-store, no-cache, must-revalidate" always;
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://blockscout.defi-oracle.io wss://blockscout.defi-oracle.io https://explorer.d-bis.org wss://explorer.d-bis.org https://rpc-http-pub.d-bis.org wss://rpc-ws-pub.d-bis.org http://192.168.11.221:8545 ws://192.168.11.221:8546;" always;
 }

deployment/common/nginx-rpc-api-key-gate.conf

@@ -0,0 +1,56 @@
+# Example nginx gate for API-key-protected RPC upstreams using the explorer access API.
+# This pattern assumes the explorer config/API backend listens on 127.0.0.1:8081 and
+# exposes GET /api/v1/access/internal/validate-key for nginx auth_request.
+#
+# Replace:
+# - ACCESS_INTERNAL_SECRET_VALUE with a real shared secret
+# - protected-rpc.example.org with the public host you are protecting
+# - upstream IP:port with the actual RPC lane (e.g. 192.168.11.212:8545 or 192.168.11.217:8545)
+#
+# Clients should send the API key as:
+# - X-API-Key: sk_live_...
+# or
+# - Authorization: Bearer sk_live_...
+
+server {
+    listen 443 ssl http2;
+    server_name protected-rpc.example.org;
+
+    # Internal subrequest used by auth_request.
+    location = /__access_validate_rpc {
+        internal;
+        proxy_pass http://127.0.0.1:8081/api/v1/access/internal/validate-key;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_set_header X-Access-Internal-Secret "ACCESS_INTERNAL_SECRET_VALUE";
+        proxy_set_header X-API-Key $http_x_api_key;
+        proxy_set_header Authorization $http_authorization;
+        proxy_set_header X-Access-Method $request_method;
+        proxy_set_header X-Access-Request-Count "1";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location / {
+        auth_request /__access_validate_rpc;
+
+        # Optional metadata exported from the validator for logging or rate decisions.
+        auth_request_set $validated_product $upstream_http_x_validated_product;
+        auth_request_set $validated_tier $upstream_http_x_validated_tier;
+        auth_request_set $validated_scopes $upstream_http_x_validated_scopes;
+        auth_request_set $quota_remaining $upstream_http_x_quota_remaining;
+
+        proxy_pass http://192.168.11.217:8545;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Helpful for downstream logs and operational tracing.
+        proxy_set_header X-Validated-Product $validated_product;
+        proxy_set_header X-Validated-Tier $validated_tier;
+        proxy_set_header X-Validated-Scopes $validated_scopes;
+        proxy_set_header X-Quota-Remaining $quota_remaining;
+    }
+}

deployment/common/systemd-api-service.example

@@ -17,6 +17,8 @@ Environment=RPC_URL=https://rpc-http-pub.d-bis.org
 Environment=TOKEN_AGGREGATION_BASE_URL=http://127.0.0.1:3000
 Environment=BLOCKSCOUT_INTERNAL_URL=http://127.0.0.1:4000
 Environment=EXPLORER_PUBLIC_BASE=https://explorer.d-bis.org
+Environment=ACCESS_ADMIN_EMAILS=ops@example.org
+Environment=ACCESS_INTERNAL_SECRET=CHANGE_THIS_INTERNAL_ACCESS_SECRET
 Environment=OPERATOR_SCRIPTS_ROOT=/opt/explorer/scripts
 Environment=OPERATOR_SCRIPT_ALLOWLIST=check-health.sh,check-bridges.sh
 Environment=OPERATOR_SCRIPT_TIMEOUT_SEC=120