AGENTS.md

# Proxmox workspace — agent instructions

Single canonical copy for Cursor/Codex. (If your editor also loads `.cursor/rules`, treat those as overlays.)

## Scope

Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus, and deployment runbooks.

## Quick pointers

| Need | Location |
|------|-----------|
| Doc index | `docs/MASTER_INDEX.md` |
| cXAUC/cXAUT unit | 1 full token = 1 troy oz Au — `docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md` (section 5.1) |
| PMM mesh 6s tick | `smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh` — `docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation) |
| VMID / IP / FQDN | `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md` |
| Ops template + JSON | `docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md`, `config/proxmox-operational-template.json` |
| Live vs template (read-only SSH) | `bash scripts/verify/audit-proxmox-operational-template.sh` |
| Config validation | `bash scripts/validation/validate-config-files.sh` |
| FQDN / NPM E2E verifier | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` — inventory: `docs/04-configuration/E2E_ENDPOINTS_LIST.md`. Gitea Actions URLs (no API): `bash scripts/verify/print-gitea-actions-urls.sh` |
| Submodule trees clean (CI / post-merge) | `bash scripts/verify/submodules-clean.sh` |
| Submodule + explorer remotes | `docs/00-meta/SUBMODULE_HYGIENE.md` |
| smom-dbis-138 `.env` in bash scripts | Prefer `source smom-dbis-138/scripts/lib/deployment/dotenv.sh` + `load_deployment_env --repo-root "$PROJECT_ROOT"` (trims RPC URL line endings). From an interactive shell: `source smom-dbis-138/scripts/load-env.sh`. Proxmox root scripts: `source scripts/lib/load-project-env.sh` (also trims common RPC vars). |
| Sankofa portal → CT 7801 (build + restart) | `./scripts/deployment/sync-sankofa-portal-7801.sh` (`--dry-run` first); sets `NEXTAUTH_URL` on CT via `sankofa-portal-ensure-nextauth-on-ct.sh` |
| CCIP relay (r630-01 host) | Unit: `config/systemd/ccip-relay.service` → `/etc/systemd/system/ccip-relay.service`; `systemctl enable --now ccip-relay` |
| TsunamiSwap VM 5010 check | `./scripts/deployment/tsunamiswap-vm-5010-provision.sh` (inventory only until VM exists) |
| The Order portal (`https://the-order.sankofa.nexus`) | OSJ management UI (secure auth); source repo **the_order** at `~/projects/the_order`. NPM upstream defaults to **order-haproxy** CT **10210** (`IP_ORDER_HAPROXY:80`); use `THE_ORDER_UPSTREAM_*` to point at the Sankofa portal if 10210 is down. Provision HAProxy: `scripts/deployment/provision-order-haproxy-10210.sh`. **`www.the-order.sankofa.nexus`** → **301** apex (same as www.sankofa / www.phoenix). |
| Portal login + Keycloak systemd + `.env` (prints password once) | `./scripts/deployment/enable-sankofa-portal-login-7801.sh` (`--dry-run` first) |
| Completable (no LAN) | `./scripts/run-completable-tasks-from-anywhere.sh` |
| Operator (LAN + secrets) | `./scripts/run-all-operator-tasks-from-lan.sh` (use `--skip-backup` if `NPM_PASSWORD` unset) |
| Cloudflare bulk DNS → `PUBLIC_IP` | `./scripts/update-all-dns-to-public-ip.sh` — use **`--dry-run`** and **`--zone-only=sankofa.nexus`** (or `d-bis.org` / `mim4u.org` / `defi-oracle.io`) to limit scope; see script header. Prefer scoped **`CLOUDFLARE_API_TOKEN`** (see `.env.master.example`). |

## Git submodules

Most submodules are **pinned commits**; `git submodule update --init --recursive` often leaves **detached HEAD** — that is normal. To **change** a submodule: check out a branch inside it, commit, **push the submodule first**, then commit and push the **parent** submodule pointer. Do not embed credentials in `git remote` URLs; use SSH or a credential helper. Explorer Gitea vs GitHub and token cleanup: `docs/00-meta/SUBMODULE_HYGIENE.md`.

## Rules of engagement

- Review scripts before running; prefer `--dry-run` where supported.
- Do not run the full operator flow when everything is healthy unless the user explicitly wants broad fixes (NPM/nginx/RPC churn).
- Chain 138 deploy RPC: `http://192.168.11.211:8545` (Core). Read-only / non-deploy checks may use public RPC per project rules.

Full detail: see embedded workspace rules and `docs/00-meta/OPERATOR_READY_CHECKLIST.md`.
feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT - Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local - New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL - AGENTS.md pointer to ensure script Made-with: Cursor 2026-03-26 18:56:57 -07:00			`# Proxmox workspace — agent instructions`

			Single canonical copy for Cursor/Codex. (If your editor also loads `.cursor/rules`, treat those as overlays.)

			`## Scope`

			Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus, and deployment runbooks.

			`## Quick pointers`

			`\| Need \| Location \|`
			`\|------\|-----------\|`
			\| Doc index \| `docs/MASTER_INDEX.md` \|
			\| cXAUC/cXAUT unit \| 1 full token = 1 troy oz Au — `docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md` (section 5.1) \|
			\| PMM mesh 6s tick \| `smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh` — `docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation) \|
			\| VMID / IP / FQDN \| `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md` \|
			\| Ops template + JSON \| `docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md`, `config/proxmox-operational-template.json` \|
			\| Live vs template (read-only SSH) \| `bash scripts/verify/audit-proxmox-operational-template.sh` \|
			\| Config validation \| `bash scripts/validation/validate-config-files.sh` \|
docs(AGENTS): E2E verifier + print-gitea-actions-urls pointers Made-with: Cursor 2026-03-28 17:30:07 -07:00			\| FQDN / NPM E2E verifier \| `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` — inventory: `docs/04-configuration/E2E_ENDPOINTS_LIST.md`. Gitea Actions URLs (no API): `bash scripts/verify/print-gitea-actions-urls.sh` \|
docs(ops): submodule hygiene guide, verify script, rule/doc alignment - Add docs/00-meta/SUBMODULE_HYGIENE.md (detached HEAD, remotes, JSON refs) - Add scripts/verify/submodules-clean.sh (labeled dirty-tree report) - AGENTS.md + CONTRIBUTOR_GUIDELINES + OPERATOR_READY_CHECKLIST + MASTER_INDEX - chain138-tokens-and-pmm: DODOPMMIntegration 0x5BDc62… per ADDRESS_MATRIX - Bump smom-dbis-138 + explorer-monorepo (config READMEs, explorer env loading) Made-with: Cursor 2026-03-27 22:12:46 -07:00			\| Submodule trees clean (CI / post-merge) \| `bash scripts/verify/submodules-clean.sh` \|
			\| Submodule + explorer remotes \| `docs/00-meta/SUBMODULE_HYGIENE.md` \|
NPM: validate canonical_https for www redirects; docs and env example - Reject non-https, paths, and injection-prone chars in advanced_config 301 targets - E2E list: phoenix marketing note, the-order HAProxy remediation, 2026-03-27 passes - AGENTS.md: scoped Cloudflare token pointer; smom-dbis-138 dotenv load note - .env.master.example: DNS script flags and scoped token guidance Made-with: Cursor 2026-03-27 12:29:40 -07:00			\| smom-dbis-138 `.env` in bash scripts \| Prefer `source smom-dbis-138/scripts/lib/deployment/dotenv.sh` + `load_deployment_env --repo-root "$PROJECT_ROOT"` (trims RPC URL line endings). From an interactive shell: `source smom-dbis-138/scripts/load-env.sh`. Proxmox root scripts: `source scripts/lib/load-project-env.sh` (also trims common RPC vars). \|
feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT - Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local - New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL - AGENTS.md pointer to ensure script Made-with: Cursor 2026-03-26 18:56:57 -07:00			\| Sankofa portal → CT 7801 (build + restart) \| `./scripts/deployment/sync-sankofa-portal-7801.sh` (`--dry-run` first); sets `NEXTAUTH_URL` on CT via `sankofa-portal-ensure-nextauth-on-ct.sh` \|
NPM: canonical 301 for www sankofa/phoenix/the-order; E2E pass on 301/308 - update-npmplus-proxy-hosts-api.sh: optional advanced_config 301 via 5th/6th args; wire www.the-order → https://the-order.sankofa.nexus; document OSJ portal and the_order repo path - update-sankofa-npmplus-proxy-hosts.sh: same 301 for www rows via 4th pipe field - verify-end-to-end-routing.sh: www.the-order in inventory; treat 301/308 as HTTPS pass for www.sankofa, www.phoenix, www.the-order - configure-npmplus-domains.js: comment — avoid duplicate redirection UI rows for Sankofa www - AGENTS.md, ALL_VMIDS_ENDPOINTS.md, E2E_ENDPOINTS_LIST.md: Order portal and www redirect notes Made-with: Cursor 2026-03-27 00:30:28 -07:00			\| CCIP relay (r630-01 host) \| Unit: `config/systemd/ccip-relay.service` → `/etc/systemd/system/ccip-relay.service`; `systemctl enable --now ccip-relay` \|
			\| TsunamiSwap VM 5010 check \| `./scripts/deployment/tsunamiswap-vm-5010-provision.sh` (inventory only until VM exists) \|
feat(order): HAProxy on 10210, NPM → 192.168.11.39:80 - Add order-haproxy config template and provision-order-haproxy-10210.sh (SSH to r630-01) - Document one-time unprivileged CT idmap chown repair when apt fails - Default THE_ORDER_UPSTREAM_* to IP_ORDER_HAPROXY:80; portal bypass via env - Align update-sankofa-npmplus-proxy-hosts.sh, AGENTS, ALL_VMIDS, E2E notes Made-with: Cursor 2026-03-27 14:05:37 -07:00			\| The Order portal (`https://the-order.sankofa.nexus`) \| OSJ management UI (secure auth); source repo the_order at `~/projects/the_order`. NPM upstream defaults to order-haproxy CT 10210 (`IP_ORDER_HAPROXY:80`); use `THE_ORDER_UPSTREAM_` to point at the Sankofa portal if 10210 is down. Provision HAProxy: `scripts/deployment/provision-order-haproxy-10210.sh`. `www.the-order.sankofa.nexus`* → 301 apex (same as www.sankofa / www.phoenix). \|
ops: CCIP relay systemd unit, TsunamiSwap VM 5010 inventory script - config/systemd/ccip-relay.service for /opt/smom-dbis-138/services/relay/start-relay.sh - tsunamiswap-vm-5010-provision.sh checks qm status on PROXMOX_HOST - AGENTS.md pointers for relay and TsunamiSwap Made-with: Cursor 2026-03-27 00:27:10 -07:00			\| Portal login + Keycloak systemd + `.env` (prints password once) \| `./scripts/deployment/enable-sankofa-portal-login-7801.sh` (`--dry-run` first) \|
feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT - Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local - New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL - AGENTS.md pointer to ensure script Made-with: Cursor 2026-03-26 18:56:57 -07:00			\| Completable (no LAN) \| `./scripts/run-completable-tasks-from-anywhere.sh` \|
			\| Operator (LAN + secrets) \| `./scripts/run-all-operator-tasks-from-lan.sh` (use `--skip-backup` if `NPM_PASSWORD` unset) \|
NPM: validate canonical_https for www redirects; docs and env example - Reject non-https, paths, and injection-prone chars in advanced_config 301 targets - E2E list: phoenix marketing note, the-order HAProxy remediation, 2026-03-27 passes - AGENTS.md: scoped Cloudflare token pointer; smom-dbis-138 dotenv load note - .env.master.example: DNS script flags and scoped token guidance Made-with: Cursor 2026-03-27 12:29:40 -07:00			\| Cloudflare bulk DNS → `PUBLIC_IP` \| `./scripts/update-all-dns-to-public-ip.sh` — use `--dry-run` and `--zone-only=sankofa.nexus` (or `d-bis.org` / `mim4u.org` / `defi-oracle.io`) to limit scope; see script header. Prefer scoped `CLOUDFLARE_API_TOKEN` (see `.env.master.example`). \|
feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT - Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local - New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL - AGENTS.md pointer to ensure script Made-with: Cursor 2026-03-26 18:56:57 -07:00
docs(ops): submodule hygiene guide, verify script, rule/doc alignment - Add docs/00-meta/SUBMODULE_HYGIENE.md (detached HEAD, remotes, JSON refs) - Add scripts/verify/submodules-clean.sh (labeled dirty-tree report) - AGENTS.md + CONTRIBUTOR_GUIDELINES + OPERATOR_READY_CHECKLIST + MASTER_INDEX - chain138-tokens-and-pmm: DODOPMMIntegration 0x5BDc62… per ADDRESS_MATRIX - Bump smom-dbis-138 + explorer-monorepo (config READMEs, explorer env loading) Made-with: Cursor 2026-03-27 22:12:46 -07:00			`## Git submodules`

			Most submodules are pinned commits; `git submodule update --init --recursive` often leaves detached HEAD — that is normal. To change a submodule: check out a branch inside it, commit, push the submodule first, then commit and push the parent submodule pointer. Do not embed credentials in `git remote` URLs; use SSH or a credential helper. Explorer Gitea vs GitHub and token cleanup: `docs/00-meta/SUBMODULE_HYGIENE.md`.

feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT - Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local - New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL - AGENTS.md pointer to ensure script Made-with: Cursor 2026-03-26 18:56:57 -07:00			`## Rules of engagement`

			- Review scripts before running; prefer `--dry-run` where supported.
			`- Do not run the full operator flow when everything is healthy unless the user explicitly wants broad fixes (NPM/nginx/RPC churn).`
			- Chain 138 deploy RPC: `http://192.168.11.211:8545` (Core). Read-only / non-deploy checks may use public RPC per project rules.

			Full detail: see embedded workspace rules and `docs/00-meta/OPERATOR_READY_CHECKLIST.md`.