feat: deploy MEV Control GUI to mev.defi-oracle.io (nginx, NPM, Cloudflare)

- Add nginx site template + sync-mev-control-gui-defi-oracle.sh
- NPM fleet: mev.defi-oracle.io + www.mev; Cloudflare set-mev-defi-oracle-dns.sh
- ip-addresses + .env.master.example: MEV_ADMIN_API_* and web root vars
- Runbook MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md; AGENTS, MASTER_INDEX, ALL_VMIDS

Made-with: Cursor

docs/04-configuration/ALL_VMIDS_ENDPOINTS.md

@@ -151,7 +151,7 @@ All RPC nodes have been migrated to a new VMID structure for better organization
 
 | VMID | IP Address | Hostname | Status | Endpoints | Purpose |
 |------|------------|----------|--------|-----------|---------|
-| 2410 | 192.168.11.218 | info-defi-oracle-web | ✅ Running | **HTTP: 80** (nginx) | **info.defi-oracle.io** Vite SPA (incl. `/governance`, `/ecosystem`, `/documentation`, `/disclosures`, `/agents`) + **`/token-aggregation/`** → `IP_BLOCKSCOUT` — `config/nginx/info-defi-oracle-io.site.conf`; `provision-info-defi-oracle-web-lxc.sh` + `sync-info-defi-oracle-to-vmid2400.sh`; NPM upstream `IP_INFO_DEFI_ORACLE_WEB` |
+| 2410 | 192.168.11.218 | info-defi-oracle-web | ✅ Running | **HTTP: 80** (nginx) | **info.defi-oracle.io** Vite SPA (incl. `/governance`, `/ecosystem`, `/documentation`, `/disclosures`, `/agents`) + **`/token-aggregation/`** → `IP_BLOCKSCOUT` — `config/nginx/info-defi-oracle-io.site.conf`; `provision-info-defi-oracle-web-lxc.sh` + `sync-info-defi-oracle-to-vmid2400.sh`; **mev.defi-oracle.io** MEV Control GUI + `/api` → mev-admin-api — `config/nginx/mev-defi-oracle-io.site.conf.template` + `sync-mev-control-gui-defi-oracle.sh`; NPM upstream `IP_INFO_DEFI_ORACLE_WEB` (see [MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md](MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md)) |
 
 **Note**: VMID 2400 is the primary ThirdWeb RPC with Nginx and RPC Translator — **do not** host the info SPA there. The 2026-04-02 probe showed all ThirdWeb-side nodes responding normally.
 

docs/04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md

@@ -0,0 +1,87 @@
+# MEV Control GUI — mev.defi-oracle.io
+
+**Last Updated:** 2026-04-13  
+**Document Version:** 1.0  
+**Status:** Deployment runbook
+
+This document describes how to publish the **MEV Control** web app (`MEV_Bot/mev-platform/gui`) at **https://mev.defi-oracle.io** (and **www.mev.defi-oracle.io**), using the same edge pattern as **info.defi-oracle.io**: nginx on LAN, NPMplus on the public edge, optional Cloudflare DNS.
+
+## Architecture
+
+| Layer | Role |
+|--------|------|
+| **Static SPA** | Vite `dist/` on the nginx LXC (default **VMID 2410**, same CT as `info.defi-oracle.io` unless overridden). |
+| **`/api/*`** | Nginx `proxy_pass` to **mev-admin-api** (Axum, default port **9090**) on a LAN host reachable from the CT. |
+| **NPMplus** | TLS termination; forwards `mev.defi-oracle.io` → `http://IP_INFO_DEFI_ORACLE_WEB:80` (or `MEV_DEFI_ORACLE_UPSTREAM_*`). |
+| **Cloudflare** | Optional proxied **A** or **CNAME** (tunnel) for `mev.defi-oracle.io` / `www.mev.defi-oracle.io`. |
+
+The browser uses **same-origin** `/api` (no CORS split). Set **`MEV_ADMIN_API_HOST`** / **`MEV_ADMIN_API_PORT`** so the nginx CT can reach the machine where `cargo run -p mev-admin-api` (or your unit) listens.
+
+## Prerequisites
+
+1. **info** nginx LXC exists and nginx works (VMID **2410** by default): see [INFO_DEFI_ORACLE_IO_DEPLOYMENT.md](INFO_DEFI_ORACLE_IO_DEPLOYMENT.md).  
+2. **MEV_Bot** submodule present at repo root (`MEV_Bot/mev-platform/gui`).  
+3. **mev-admin-api** reachable from the CT at `http://${MEV_ADMIN_API_HOST}:${MEV_ADMIN_API_PORT}` (firewall / bind address).  
+4. Operator **LAN** + SSH to Proxmox; repo `.env` with **NPM_PASSWORD** (and Cloudflare token if using DNS script).
+
+## Deploy or refresh the GUI
+
+From **proxmox** repo root (loads paths; override via env):
+
+```bash
+# Optional: export MEV_ADMIN_API_HOST=192.168.11.xx MEV_ADMIN_API_PORT=9090
+bash scripts/deployment/sync-mev-control-gui-defi-oracle.sh --dry-run
+bash scripts/deployment/sync-mev-control-gui-defi-oracle.sh
+```
+
+This builds with `npm ci && npm run build` in `MEV_Bot/mev-platform/gui`, installs files under `/var/www/mev.defi-oracle.io/html`, renders [config/nginx/mev-defi-oracle-io.site.conf.template](../../config/nginx/mev-defi-oracle-io.site.conf.template) with your admin API upstream, enables `sites-enabled/mev-defi-oracle`, and reloads nginx.
+
+## NPMplus
+
+Fleet update (creates or updates proxy hosts):
+
+```bash
+bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh
+```
+
+Hosts: **mev.defi-oracle.io**, **www.mev.defi-oracle.io** (apex canonical for www). Upstream defaults match **info** (`IP_INFO_DEFI_ORACLE_WEB`:80). Override with `MEV_DEFI_ORACLE_UPSTREAM_IP` / `MEV_DEFI_ORACLE_UPSTREAM_PORT` if the GUI is served from another LAN IP.
+
+Request or renew TLS certificates in NPMplus for the new hostnames (same workflow as other `*.defi-oracle.io` hosts).
+
+## Cloudflare (defi-oracle.io zone)
+
+Same credentials and zone id as **info** (`CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO`). Edge mode defaults to **auto** (tunnel if tunnel id exists, else **A** to `PUBLIC_IP`):
+
+```bash
+bash scripts/cloudflare/set-mev-defi-oracle-dns.sh
+```
+
+Optional: `MEV_DEFI_ORACLE_EDGE_MODE=tunnel|public_ip|auto`, `MEV_DEFI_ORACLE_PUBLIC_IP=…`.
+
+## Configuration reference
+
+| Variable | Default (see `config/ip-addresses.conf`) | Purpose |
+|----------|--------------------------------------------|---------|
+| `MEV_DEFI_ORACLE_WEB_VMID` | `2410` | Target LXC |
+| `MEV_DEFI_ORACLE_WEB_ROOT` | `/var/www/mev.defi-oracle.io/html` | Web root |
+| `MEV_ADMIN_API_HOST` | `192.168.11.11` | mev-admin-api bind host (from CT) |
+| `MEV_ADMIN_API_PORT` | `9090` | mev-admin-api port |
+| `MEV_DEFI_ORACLE_UPSTREAM_IP` | `IP_INFO_DEFI_ORACLE_WEB` | NPM forward target |
+| `MEV_DEFI_ORACLE_UPSTREAM_PORT` | `80` | NPM forward port |
+
+## Verification
+
+```bash
+curl -fsS -H 'Host: mev.defi-oracle.io' "http://${IP_INFO_DEFI_ORACLE_WEB:-192.168.11.218}/health"
+# expect: mev-gui-healthy
+
+curl -fsSI "https://mev.defi-oracle.io/" | head -5
+```
+
+After TLS is live, open **https://mev.defi-oracle.io/intel** for in-app framing docs; **/login** if `MEV_ADMIN_API_KEY` is enabled on the API.
+
+## Related
+
+- [INFO_DEFI_ORACLE_IO_DEPLOYMENT.md](INFO_DEFI_ORACLE_IO_DEPLOYMENT.md)  
+- [MEV_Bot/README.md](../../MEV_Bot/README.md)  
+- [MEV_Bot/mev-platform/docs/RUNBOOK_AND_DEPLOYMENT.md](../../MEV_Bot/mev-platform/docs/RUNBOOK_AND_DEPLOYMENT.md)  

docs/04-configuration/README.md

@@ -34,6 +34,7 @@ This directory contains setup and configuration guides.
 - **[GITEA_PLATFORM_AND_UPGRADE_RUNBOOK.md](GITEA_PLATFORM_AND_UPGRADE_RUNBOOK.md)** — Gitea as org forge (VMID 104), NPMplus, binary upgrades, `scripts/operator/upgrade-gitea-lxc.sh`
 - **[GITEA_IP_CONFLICT_CHECK.md](GITEA_IP_CONFLICT_CHECK.md)** — Gitea IP (.31) vs other VMIDs; `IP_GITEA_INFRA` notes
 - **[INFO_DEFI_ORACLE_IO_DEPLOYMENT.md](INFO_DEFI_ORACLE_IO_DEPLOYMENT.md)** - **`info.defi-oracle.io`** Chain 138 hub SPA (incl. `/governance`, `/ecosystem`, `/documentation`, `/solacenet`, `/disclosures`, agents): VMID **2410**, nginx **`/token-aggregation/`** proxy, `sync-info-defi-oracle-to-vmid2400.sh`, NPMplus, Cloudflare DNS (`set-info-defi-oracle-dns-to-vmid2400-tunnel.sh`), `purge-info-defi-oracle-cache.sh`, `pnpm run verify:info-defi-oracle-public`, CI `info-defi-oracle-138.yml` + `verify-info-defi-oracle-public.yml`, optional `pnpm run audit:info-defi-oracle-site`
+- **[MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md](MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md)** — **`mev.defi-oracle.io`** MEV Control GUI (`MEV_Bot/mev-platform/gui`): `sync-mev-control-gui-defi-oracle.sh`, nginx `/api` → mev-admin-api, NPMplus + `set-mev-defi-oracle-dns.sh`
 - **[SOLACENET_PUBLIC_HUB.md](SOLACENET_PUBLIC_HUB.md)** — Public **SolaceNet** page (`/solacenet`) on the info hub plus `dbis_core/docs/solacenet/` markdown map
 - **[PROXMOX_LOAD_BALANCING_RUNBOOK.md](PROXMOX_LOAD_BALANCING_RUNBOOK.md)** - Balance Proxmox load: migrate containers from r630-01 to r630-02/ml110; candidates, script, cluster vs backup/restore
 - **[PROXMOX_ADD_THIRD_FOURTH_R630_DECISION.md](PROXMOX_ADD_THIRD_FOURTH_R630_DECISION.md)** - Add 3rd/4th R630 before migration? r630-03/04 status, HA/Ceph (3–4 nodes), order of operations

docs/MASTER_INDEX.md

@@ -16,7 +16,7 @@
 | **Agent / IDE instructions** | [AGENTS.md](../AGENTS.md) (repo root) |
 | **Local green-path tests** | Root `pnpm test` → [`scripts/verify/run-repo-green-test-path.sh`](../scripts/verify/run-repo-green-test-path.sh) |
 | **Git submodule hygiene + explorer remotes** | [00-meta/SUBMODULE_HYGIENE.md](00-meta/SUBMODULE_HYGIENE.md) — detached HEAD, push order, Gitea/GitHub, `submodules-clean.sh` |
-| **MEV intel (taxonomy, MVP matrix, diagrams + GUI Intel tab)** | [../MEV_Bot/docs/framing/README.md](../MEV_Bot/docs/framing/README.md) — canonical framing in `MEV_Bot`; specs in [MEV_Bot/specs/README.md](../MEV_Bot/specs/README.md); standalone `mev-searcher-pipeline-reference` repo deprecated |
+| **MEV intel + public GUI (`mev.defi-oracle.io`)** | Framing: [../MEV_Bot/docs/framing/README.md](../MEV_Bot/docs/framing/README.md); deploy: [04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md](04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md); specs: [../MEV_Bot/specs/README.md](../MEV_Bot/specs/README.md) |
 | **What to do next** | [00-meta/NEXT_STEPS_INDEX.md](00-meta/NEXT_STEPS_INDEX.md) — ordered actions, by audience, execution plan |
 | **Live verification evidence (dated)** | [00-meta/LIVE_VERIFICATION_LOG_2026-03-30.md](00-meta/LIVE_VERIFICATION_LOG_2026-03-30.md) |
 | **Your personal checklist** | [00-meta/NEXT_STEPS_FOR_YOU.md](00-meta/NEXT_STEPS_FOR_YOU.md) |