Fix MEV backend and token-aggregation deployment wiring

2026-04-15 03:25:30 -07:00
parent 382e776599
commit 59006f520a
12 changed files with 264 additions and 15 deletions
--- a/.env.master.example
+++ b/.env.master.example
@@ -96,13 +96,16 @@ NPM_URL_MIFOS=
 # In info-defi-oracle-138/.env.local (not this file): VITE_TOKEN_AGGREGATION_API_BASE=https://explorer.d-bis.org/token-aggregation

 # --- mev.defi-oracle.io (MEV Control GUI on nginx LXC 2410 by default) ---
-# MEV_ADMIN_API_HOST=192.168.11.11   # LAN host reachable from CT; mev-admin-api listen address
+# MEV_ADMIN_API_HOST=192.168.11.223  # Dedicated backend CT 2421; LAN host reachable from CT
 # MEV_ADMIN_API_PORT=9090
 # MEV_DEFI_ORACLE_WEB_VMID=2410
 # MEV_DEFI_ORACLE_UPSTREAM_IP=      # NPM: forward_host override (default IP_INFO_DEFI_ORACLE_WEB)
 # MEV_DEFI_ORACLE_UPSTREAM_PORT=80
 # MEV_DEFI_ORACLE_EDGE_MODE=auto    # Cloudflare DNS script (same as info: auto|tunnel|public_ip)
 # MEV_DEFI_ORACLE_PUBLIC_IP=        # A-record mode WAN IP if not using tunnel
+# Backend CT runtime env lives in config/mev-platform/mev-platform-backend-ct.env.example
+# and must include:
+#   MEV_SUPERVISOR_URL=http://127.0.0.1:9091

 # --- Keycloak Admin API (optional) ---
 # For scripts/deployment/keycloak-sankofa-ensure-client-redirects.sh — merge portal/admin redirect URIs.
@@ -425,6 +428,7 @@ CW_CANONICAL_USDT=
 CW_CANONICAL_USDC=
 CW_USDT_RESERVE_ASSET=
 CW_USDC_RESERVE_ASSET=
+CW_MAX_OUTSTANDING_BTC_MAINNET=2100000000000000
 CW_MAX_OUTSTANDING_USDT_MAINNET=10000000000000
 CW_MAX_OUTSTANDING_USDC_MAINNET=10000000000000
 CW_MAX_OUTSTANDING_USDT_CRONOS=
--- a/config/ip-addresses.conf
+++ b/config/ip-addresses.conf
@@ -177,9 +177,9 @@ IP_DBIS_API_2="192.168.11.156"
 # d-bis.org public apex — Gov Portals DBIS on VMID 7804 (same as dbis.xom-dev :3001); override when production host is pinned
 IP_DBIS_PUBLIC_APEX="${IP_DBIS_PUBLIC_APEX:-192.168.11.54}"
 DBIS_PUBLIC_APEX_PORT="${DBIS_PUBLIC_APEX_PORT:-3001}"
-# core.d-bis.org — DBIS Core banking client portal; default API VM until dedicated UI (dbis_core); override in .env when UI has its own upstream
-IP_DBIS_CORE_CLIENT="${IP_DBIS_CORE_CLIENT:-192.168.11.155}"
-DBIS_CORE_CLIENT_PORT="${DBIS_CORE_CLIENT_PORT:-3000}"
+# core.d-bis.org — DBIS Core banking client portal on the DBIS frontend host (VMID 10130)
+IP_DBIS_CORE_CLIENT="${IP_DBIS_CORE_CLIENT:-192.168.11.130}"
+DBIS_CORE_CLIENT_PORT="${DBIS_CORE_CLIENT_PORT:-80}"

 # Additional service/container IPs (for remaining script migration)
 IP_VALIDATOR_0="192.168.11.100"
--- a/docs/04-configuration/GAS_NATIVE_VERIFIER_WIRING_INVENTORY_AND_REMEDIATION_PLAN.md
+++ b/docs/04-configuration/GAS_NATIVE_VERIFIER_WIRING_INVENTORY_AND_REMEDIATION_PLAN.md
@@ -0,0 +1,96 @@
+# Gas-Native Verifier Wiring Inventory And Remediation Plan
+
+This document captures the current state of the Chain 138 gas-native GRU transport lanes and the exact runtime references they still require.
+
+It is intentionally conservative:
+- only deployed addresses evidenced in the canonical registry are treated as real
+- `CW_ASSET_RESERVE_VERIFIER_DEPLOYED_CHAIN138` is informational until the live L1 bridge is explicitly attached
+- gas-verifier envs remain unset until bridge wiring is confirmed
+
+## Current State
+
+Current public GRU preflight status:
+- non-gas Mainnet lanes are now ready:
+  - `138-1-cBTC-cWBTC`
+  - `138-1-cUSDC-cWUSDC`
+  - `138-1-cUSDT-cWUSDT`
+- remaining Mainnet gas blocker:
+  - `138-1-cETH-cWETH`
+
+The gas-native transport lanes are defined in [gru-transport-active.json](/home/intlc/projects/proxmox/config/gru-transport-active.json:774) with two reserve-verifier modes:
+- `chain138-gas-strict-escrow`
+- `chain138-gas-hybrid-cap`
+
+## Runtime Keys
+
+| Env key | Purpose | Current evidence | Current state | Safe action |
+|---|---|---|---|---|
+| `CW_GAS_STRICT_ESCROW_VERIFIER_CHAIN138` | active verifier for strict-escrow gas lanes such as `138-1-cETH-cWETH` | `CWAssetReserveVerifier` is deployed at `0xbf26a679586663f87f3bf3f52c79479b8aa8d854` | unset on published runtime by design | keep unset until live L1 bridge attachment is confirmed |
+| `CW_GAS_HYBRID_CAP_VERIFIER_CHAIN138` | active verifier for hybrid-cap gas lanes such as `cETHL2 -> cWETHL2` | same deployed generic verifier exists | unset on published runtime by design | keep unset until live L1 bridge attachment is confirmed |
+| `CW_GAS_ESCROW_VAULT_CHAIN138` | gas-family escrow vault for strict/hybrid gas lanes | no canonical deployed address published in contract reference | unset | inventory deployment artifacts; do not invent |
+| `CW_GAS_TREASURY_SYSTEM` | treasury-side reserve accounting for hybrid-cap gas lanes | no canonical deployed address published in contract reference | unset | inventory deployment artifacts; do not invent |
+| `CW_ASSET_RESERVE_VERIFIER_DEPLOYED_CHAIN138` | informational pointer to the deployed generic verifier | published in canonical registry | settable now | safe to publish as informational only |
+
+## Canonical Deployed Evidence
+
+Published in [CONTRACT_ADDRESSES_REFERENCE.md](/home/intlc/projects/proxmox/docs/11-references/CONTRACT_ADDRESSES_REFERENCE.md:77):
+
+| Contract | Address | Published status |
+|---|---|---|
+| `CWAssetReserveVerifier` | `0xbf26a679586663f87f3bf3f52c79479b8aa8d854` | deployed, not yet attached |
+| `ReserveSystem` | `0x607e97cD626f209facfE48c1464815DDE15B5093` | deployed for stable reserve flows |
+| `BridgeEscrowVault` | not published in canonical address reference for gas rollout | unknown for gas runtime purposes |
+| `TreasurySystem` | not published in canonical address reference for gas rollout | unknown for gas runtime purposes |
+
+Gas-family canonical tokens and public mirrors are deployed and published, but runtime verifier wiring is still incomplete.
+
+## Why The Gas Lane Is Still Blocked
+
+The remaining blocker is not token publication and not `CW_MAX_OUTSTANDING_*`.
+
+The blocker is that the gas-family lane requires runtime verifier references that are intentionally left unset until bridge attachment is explicit:
+- `CW_GAS_STRICT_ESCROW_VERIFIER_CHAIN138`
+- `CW_GAS_HYBRID_CAP_VERIFIER_CHAIN138`
+- `CW_GAS_ESCROW_VAULT_CHAIN138`
+- `CW_GAS_TREASURY_SYSTEM`
+
+This is consistent with:
+- [deploy-token-aggregation-for-publication.sh](/home/intlc/projects/proxmox/scripts/deploy-token-aggregation-for-publication.sh:294)
+- [print-gas-runtime-env-canonical.sh](/home/intlc/projects/proxmox/scripts/verify/print-gas-runtime-env-canonical.sh:74)
+- [TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md](/home/intlc/projects/proxmox/docs/04-configuration/TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md:100)
+
+## Remediation Sequence
+
+1. Confirm whether the live Chain 138 L1 bridge is already attached to the deployed generic verifier `0xbf26a679586663f87f3bf3f52c79479b8aa8d854`.
+2. If attached, publish:
+   - `CW_GAS_STRICT_ESCROW_VERIFIER_CHAIN138`
+   - `CW_GAS_HYBRID_CAP_VERIFIER_CHAIN138`
+   using the confirmed active verifier address.
+3. Confirm the deployed gas escrow vault address, if one exists, and publish:
+   - `CW_GAS_ESCROW_VAULT_CHAIN138`
+4. Confirm the deployed gas treasury accounting contract, if one exists, and publish:
+   - `CW_GAS_TREASURY_SYSTEM`
+5. Redeploy or restart the token-aggregation runtime.
+6. Re-run:
+   - `bash scripts/verify/check-gru-transport-preflight.sh https://explorer.d-bis.org`
+   - `bash scripts/verify/check-gas-rollout-deployment-matrix.sh`
+
+## Known Safe Defaults
+
+Safe to publish now:
+- `CW_ASSET_RESERVE_VERIFIER_DEPLOYED_CHAIN138=0xbf26a679586663f87f3bf3f52c79479b8aa8d854`
+
+Not safe to auto-publish without bridge confirmation:
+- `CW_GAS_STRICT_ESCROW_VERIFIER_CHAIN138`
+- `CW_GAS_HYBRID_CAP_VERIFIER_CHAIN138`
+- `CW_GAS_ESCROW_VAULT_CHAIN138`
+- `CW_GAS_TREASURY_SYSTEM`
+
+## Operational Boundary
+
+At the moment, the gas-native blocker is a real rollout dependency, not a broken publication script:
+- non-gas caps are published and working
+- token-aggregation publication is healthy
+- the remaining gas lane requires confirmed bridge/verifier/vault wiring
+
+Treat the gas-native lane as `deployment-evidenced but runtime-incomplete` until those four envs are resolved from deployed contracts or explicit rollout policy.
--- a/docs/04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md
+++ b/docs/04-configuration/MEV_CONTROL_DEFI_ORACLE_IO_DEPLOYMENT.md
@@ -1,6 +1,6 @@
 # MEV Control GUI — mev.defi-oracle.io

-**Last Updated:** 2026-04-13  
+**Last Updated:** 2026-04-15
 **Document Version:** 1.0  
 **Status:** Deployment runbook

@@ -17,6 +17,14 @@ This document describes how to publish the **MEV Control** web app (`MEV_Bot/mev

 The browser uses **same-origin** `/api` (no CORS split). Set **`MEV_ADMIN_API_HOST`** / **`MEV_ADMIN_API_PORT`** so the nginx CT can reach the backend CT where `mev-admin-api` listens. For the current recommended split topology, keep the public GUI on CT **2410** and point `/api` to a dedicated backend CT on **`r630-04`** (current production backend: **`192.168.11.223:9090`**). Do not host the MEV backend services directly on a Proxmox node unless you are intentionally breaking the portability standard.

+The backend CT runtime env must also include:
+
+```bash
+MEV_SUPERVISOR_URL=http://127.0.0.1:9091
+```
+
+Without that value, `mev-admin-api` cannot proxy `/api/control/*` to `mev-supervisor`, and the worker fleet will not recover correctly after boot or restart.
+
 ## Prerequisites

 1. **info** nginx LXC exists and nginx works (VMID **2410** by default): see [INFO_DEFI_ORACLE_IO_DEPLOYMENT.md](INFO_DEFI_ORACLE_IO_DEPLOYMENT.md).  
@@ -76,7 +84,7 @@ If you intentionally carry **MEV** traffic on the same Cloudflare tunnel stack a
 |----------|--------------------------------------------|---------|
 | `MEV_DEFI_ORACLE_WEB_VMID` | `2410` | Target LXC |
 | `MEV_DEFI_ORACLE_WEB_ROOT` | `/var/www/mev.defi-oracle.io/html` | Web root |
-| `MEV_ADMIN_API_HOST` | `192.168.11.11` shared default; override to the backend CT IP (recommended `192.168.11.223`) for the contained split topology | mev-admin-api bind host (from CT) |
+| `MEV_ADMIN_API_HOST` | `192.168.11.223` | mev-admin-api bind host (from CT) |
 | `MEV_ADMIN_API_PORT` | `9090` | mev-admin-api port |
 | `MEV_DEFI_ORACLE_UPSTREAM_IP` | `IP_INFO_DEFI_ORACLE_WEB` | NPM forward target |
 | `MEV_DEFI_ORACLE_UPSTREAM_PORT` | `80` | NPM forward port |
@@ -88,6 +96,8 @@ curl -fsS -H 'Host: mev.defi-oracle.io' "http://${IP_INFO_DEFI_ORACLE_WEB:-192.1
 # expect: mev-gui-healthy

 curl -fsSI "https://mev.defi-oracle.io/" | head -5
+curl -fsS "https://mev.defi-oracle.io/api/infra" | jq .
+curl -fsS "https://mev.defi-oracle.io/api/health" | jq .
 ```

 After TLS is live, open **https://mev.defi-oracle.io/intel** for in-app framing docs; **/login** if `MEV_ADMIN_API_KEY` is enabled on the API.
--- a/docs/04-configuration/MEV_CONTROL_LAN_BRINGUP_CHECKLIST.md
+++ b/docs/04-configuration/MEV_CONTROL_LAN_BRINGUP_CHECKLIST.md
@@ -1,6 +1,6 @@
 # MEV Control LAN Bring-Up Checklist

-**Last Updated:** 2026-04-12  
+**Last Updated:** 2026-04-15
 **Status:** Operator checklist for the current Proxmox / Sankofa LAN

 This runbook turns the current MEV Control deployment into a working LAN stack for **`https://mev.defi-oracle.io`**.
@@ -9,8 +9,9 @@ It is based on the repo's current assumptions:

 - Public GUI static assets are served from **VMID 2410** (`192.168.11.218`) via nginx.
 - The GUI proxies **same-origin** `/api/*` to **`MEV_ADMIN_API_HOST:MEV_ADMIN_API_PORT`**.
- The shared repo default upstream is still **`192.168.11.11:9090`** in [config/ip-addresses.conf](../../config/ip-addresses.conf), but for this deployment we intentionally override it to a dedicated backend CT on `r630-04`.
+- The repo default upstream is the dedicated backend CT on **`192.168.11.223:9090`** in [config/ip-addresses.conf](../../config/ip-addresses.conf).
 - The admin API expects the pipeline health ports **8080-8087** and graph API **9082** to be reachable on **localhost**.
+- The backend CT runtime env must include **`MEV_SUPERVISOR_URL=http://127.0.0.1:9091`** or `/api/control/*` will return `supervisor not configured` and the worker fleet will not start after boot.

 Because of that localhost assumption, the cleanest contained split topology for this deployment is:

@@ -166,6 +167,7 @@ Notes:
 - `config.dev.toml` expects **Postgres on port `5434`**, Redis on `6379`, and NATS on `4222`.
 - This is the easiest way to match the included `docker-compose.yml`.
 - If you later promote this to a dedicated Chain 138 config, update `MEV_CONFIG` in the env file and restart `mev-supervisor` and `mev-admin-api`.
+- Keep **`MEV_SUPERVISOR_URL=http://127.0.0.1:9091`** in `/etc/mev-platform/backend.env`. This is functionally required, not optional, for boot-time worker recovery.

 ## 7. Build binaries inside the backend CT

--- a/scripts/deploy-token-aggregation-for-publication.sh
+++ b/scripts/deploy-token-aggregation-for-publication.sh
@@ -115,6 +115,28 @@ try {
 } catch (_) {
  process.exit(0);
 }
+
+derive_repo_example_env_value() {
+  local env_key="$1"
+  local env_file="$REPO_ROOT/.env.master.example"
+
+  [[ -f "$env_file" ]] || return 0
+
+  node - <<'NODE' "$env_file" "$env_key"
+const fs = require('fs');
+const file = process.argv[2];
+const key = process.argv[3];
+try {
+  const line = fs
+    .readFileSync(file, 'utf8')
+    .split(/\r?\n/)
+    .find((entry) => entry.startsWith(`${key}=`));
+  if (!line) process.exit(0);
+  const value = line.slice(key.length + 1).trim();
+  if (value) process.stdout.write(value);
+} catch (_) {
+  process.exit(0);
+}
 NODE
 }

@@ -169,6 +191,9 @@ NODE
        ;;
      CW_MAX_OUTSTANDING_*)
        derived_value="$(derive_gru_transport_policy_amount "$key" || true)"
+        if [[ -z "$derived_value" ]]; then
+          derived_value="$(derive_repo_example_env_value "$key" || true)"
+        fi
        value="${!key:-$derived_value}"
        ;;
      CW_GAS_OUTSTANDING_*|CW_GAS_ESCROWED_*|CW_GAS_TREASURY_BACKED_*|CW_GAS_TREASURY_CAP_*)
--- a/scripts/deployment/push-token-aggregation-bundle-to-explorer.sh
+++ b/scripts/deployment/push-token-aggregation-bundle-to-explorer.sh
@@ -19,6 +19,8 @@ set -euo pipefail

 BUNDLE_ROOT="${1:?Usage: $0 /path/to/token-aggregation-build}"
 SERVICE_SRC="$BUNDLE_ROOT/smom-dbis-138/services/token-aggregation"
+CONFIG_SRC="$BUNDLE_ROOT/config"
+PMM_CONFIG_SRC="$BUNDLE_ROOT/cross-chain-pmm-lps/config"
 EXPLORER_SSH="${EXPLORER_SSH:-root@192.168.11.140}"
 REMOTE_DIR="${REMOTE_DIR:-/opt/token-aggregation}"
 REMOTE_SERVICE="${REMOTE_SERVICE:-token-aggregation}"
@@ -28,6 +30,10 @@ if [[ ! -d "$SERVICE_SRC" || ! -f "$SERVICE_SRC/dist/index.js" ]]; then
  echo "Expected built service at $SERVICE_SRC (run deploy-token-aggregation-for-publication.sh first)." >&2
  exit 1
 fi
+if [[ ! -d "$CONFIG_SRC" || ! -d "$PMM_CONFIG_SRC" ]]; then
+  echo "Expected bundle config directories at $CONFIG_SRC and $PMM_CONFIG_SRC." >&2
+  exit 1
+fi

 echo "Rsync $SERVICE_SRC/ → ${EXPLORER_SSH}:${REMOTE_DIR}/"
 rsync_args=(
@@ -46,6 +52,16 @@ fi
 RSYNC_RSH="ssh -o BatchMode=yes" rsync "${rsync_args[@]}" \
  "$SERVICE_SRC/" "${EXPLORER_SSH}:${REMOTE_DIR}/"

+echo "Rsync $CONFIG_SRC/ → ${EXPLORER_SSH}:${REMOTE_DIR}/config/"
+RSYNC_RSH="ssh -o BatchMode=yes" rsync -avz --delete \
+  "$CONFIG_SRC/" "${EXPLORER_SSH}:${REMOTE_DIR}/config/"
+
+echo "Rsync $PMM_CONFIG_SRC/ → ${EXPLORER_SSH}:${REMOTE_DIR}/cross-chain-pmm-lps/config/"
+ssh -o BatchMode=yes "$EXPLORER_SSH" \
+  "mkdir -p '${REMOTE_DIR}/cross-chain-pmm-lps/config'"
+RSYNC_RSH="ssh -o BatchMode=yes" rsync -avz --delete \
+  "$PMM_CONFIG_SRC/" "${EXPLORER_SSH}:${REMOTE_DIR}/cross-chain-pmm-lps/config/"
+
 if [[ -n "$REMOTE_SERVICE" ]]; then
  echo "Restart ${REMOTE_SERVICE} on ${EXPLORER_SSH}..."
  ssh -o BatchMode=yes "$EXPLORER_SSH" "systemctl restart '${REMOTE_SERVICE}'" || {
--- a/scripts/deployment/run-mainnet-public-dodo-cw-swap.sh
+++ b/scripts/deployment/run-mainnet-public-dodo-cw-swap.sh
@@ -380,6 +380,19 @@ if [[ -z "$tx_hash" ]]; then
  exit 1
 fi

+receipt_output="$(cast receipt "$tx_hash" --rpc-url "$RPC_URL" 2>&1 || true)"
+receipt_status="$(printf '%s\n' "$receipt_output" | awk '/^status[[:space:]]/ {print $2; exit}')"
+if [[ -z "$receipt_status" ]]; then
+  echo "[fail] could not determine transaction receipt status for $tx_hash" >&2
+  printf '%s\n' "$receipt_output" >&2
+  exit 1
+fi
+if [[ "$receipt_status" != "1" ]]; then
+  echo "[fail] transaction reverted on-chain for ${tx_mode}: txHash=$tx_hash status=$receipt_status" >&2
+  printf '%s\n' "$receipt_output" >&2
+  exit 1
+fi
+
 balance_in_after="$(cast call "$TOKEN_IN" 'balanceOf(address)(uint256)' "$DEPLOYER" --rpc-url "$RPC_URL" | awk '{print $1}')"
 balance_out_after="$(cast call "$TOKEN_OUT" 'balanceOf(address)(uint256)' "$DEPLOYER" --rpc-url "$RPC_URL" | awk '{print $1}')"
 amount_out_delta=$((balance_out_after - balance_out_before))
@@ -409,6 +422,7 @@ echo "minOut=$MIN_OUT"
 echo "tokenIn=$TOKEN_IN"
 echo "tokenOut=$TOKEN_OUT"
 echo "txHash=$tx_hash"
+echo "txReceiptStatus=$receipt_status"
 echo "tokenInBalanceBefore=$balance_in_before"
 echo "tokenInBalanceAfter=$balance_in_after"
 echo "tokenOutBalanceBefore=$balance_out_before"
--- a/scripts/deployment/run-mev-post-deploy-cutover-ct2421.sh
+++ b/scripts/deployment/run-mev-post-deploy-cutover-ct2421.sh
@@ -157,7 +157,7 @@ PATCH_CMD+=(--apply)
 CT_VERIFY_CMD=$(cat <<EOF
 set -euo pipefail
 printf '== env ==\n'
-grep -E '^(MEV_CONFIG|MEV_ADMIN_PORT|MEV_SUPERVISOR_PORT|MEV_SUBMIT_DISABLED|MEV_ADMIN_API_KEY|MEV_EXECUTOR_PRIVATE_KEY)=' /etc/mev-platform/backend.env || true
+grep -E '^(MEV_CONFIG|MEV_ADMIN_PORT|MEV_SUPERVISOR_PORT|MEV_SUPERVISOR_URL|MEV_SUBMIT_DISABLED|MEV_ADMIN_API_KEY|MEV_EXECUTOR_PRIVATE_KEY)=' /etc/mev-platform/backend.env || true
 printf '\n== services ==\n'
 systemctl restart mev-supervisor.service
 systemctl restart mev-admin-api.service
@@ -166,6 +166,9 @@ systemctl --no-pager --full status mev-supervisor.service mev-admin-api.service
 printf '\n== local api ==\n'
 curl -fsS http://127.0.0.1:9090/api/health | jq .
 curl -fsS http://127.0.0.1:9090/api/auth/check | jq .
+if [ -n "${API_KEY:-}" ]; then
+  curl -fsS -H "X-API-Key: ${API_KEY}" http://127.0.0.1:9090/api/control/status | jq .
+fi
 if [ -n "${API_KEY:-}" ]; then
  curl -fsS -H "X-API-Key: ${API_KEY}" http://127.0.0.1:9090/api/infra | jq .
  curl -fsS -H "X-API-Key: ${API_KEY}" http://127.0.0.1:9090/api/safety/signer | jq .
--- a/scripts/verify/check-gru-v2-chain138-readiness.sh
+++ b/scripts/verify/check-gru-v2-chain138-readiness.sh
@@ -55,9 +55,14 @@ CUSDC_V2="${COMPLIANT_USDC_V2:-${CUSDC_V2_ADDRESS_138:-0x219522c60e83dEe01FC5b03

 BLOCKERS=()
 WARNINGS=()
+NOTES=()
+KNOWN_REGISTRY_ORPHANS=(
+  "0x9AA44008f30B7F6D2BfB74016420c5eA49c5ebE4"
+)

 ok() { printf '[OK] %s\n' "$*"; }
 warn() { printf '[WARN] %s\n' "$*"; WARNINGS+=("$*"); }
+note() { printf '[NOTE] %s\n' "$*"; NOTES+=("$*"); }
 block() { printf '[BLOCKER] %s\n' "$*"; BLOCKERS+=("$*"); }

 call_or_fail() {
@@ -204,7 +209,11 @@ audit_registry_orphans() {
    [[ -z "$address" ]] && continue
    code="$(cast code "$address" --rpc-url "$RPC_URL" 2>/dev/null || true)"
    if [[ -z "$code" || "$code" == "0x" ]]; then
-      warn "UniversalAssetRegistry has an active GRU entry with no bytecode: $address"
+      if printf '%s\n' "${KNOWN_REGISTRY_ORPHANS[@]}" | grep -Fqx "$address"; then
+        note "UniversalAssetRegistry still contains the known orphaned GRU entry from the interrupted 2026-04-03 rollout: $address"
+      else
+        warn "UniversalAssetRegistry has an active GRU entry with no bytecode: $address"
+      fi
    fi
  done
 }
@@ -220,7 +229,7 @@ if [[ "$RUN_LOCAL_TESTS" == "1" ]]; then
  run_local_suite
  ok "Local CompliantFiatTokenV2 suite passed."
 else
-  warn "Skipping local Foundry suite. Re-run with --run-local-tests or RUN_LOCAL_TESTS=1 to include it."
+  note "Skipping local Foundry suite. Re-run with --run-local-tests or RUN_LOCAL_TESTS=1 to include it."
 fi

 check_token "cUSDT V2" "$CUSDT_V2" "cUSDT" "USD"
@@ -228,9 +237,17 @@ check_token "cUSDC V2" "$CUSDC_V2" "cUSDC" "USD"
 audit_registry_orphans

 printf '\n=== Summary ===\n'
+printf 'Notes: %s\n' "${#NOTES[@]}"
 printf 'Warnings: %s\n' "${#WARNINGS[@]}"
 printf 'Blockers: %s\n' "${#BLOCKERS[@]}"

+if [[ "${#NOTES[@]}" -gt 0 ]]; then
+  printf '\nNotes:\n'
+  for item in "${NOTES[@]}"; do
+    printf ' - %s\n' "$item"
+  done
+fi
+
 if [[ "${#WARNINGS[@]}" -gt 0 ]]; then
  printf '\nWarnings:\n'
  for item in "${WARNINGS[@]}"; do
--- a/scripts/verify/check-mev-execution-readiness.sh
+++ b/scripts/verify/check-mev-execution-readiness.sh
@@ -180,6 +180,13 @@ if submit_disabled.strip().lower() in truthy:
 else:
    add_row("MEV_SUBMIT_DISABLED", str(env_path), submit_disabled or "0", "ok")

+supervisor_url = os.environ.get("MEV_SUPERVISOR_URL") or env_values.get("MEV_SUPERVISOR_URL", "")
+if supervisor_url:
+    add_row("MEV_SUPERVISOR_URL", str(env_path), supervisor_url, "ok")
+else:
+    add_row("MEV_SUPERVISOR_URL", str(env_path), "(missing)", "missing")
+    issues.append("MEV_SUPERVISOR_URL is not configured")
+
 if chain is None:
    add_row(f"chains.{chain_key}", str(config_path), "(missing chain section)", "missing")
    issues.append(f"chains.{chain_key} section is missing")
--- a/scripts/verify/check-token-aggregation-chain138-api.sh
+++ b/scripts/verify/check-token-aggregation-chain138-api.sh
@@ -14,6 +14,12 @@ WETH10="0xf4BB2e28688e89fCcE3c0580D37d36A7672E8A9f"
 USDT="0x004b63A7B5b0E06f6bB6adb4a5F9f590BF3182D1"
 USDC="0x71D6687F38b93CCad569Fa6352c876eea967201b"

+ROOT_V1_CODE="000"
+TOKEN_AGG_V1_CODE="000"
+V2_CAPS_CODE="000"
+V2_PLAN_CODE="000"
+V2_INTERNAL_PLAN_CODE="000"
+
 try_path() {
  local prefix="$1"
  local path="$2"
@@ -77,12 +83,36 @@ echo ""
 echo "== planner-v2 checks =="
 echo ""
 echo "-- prefix: /token-aggregation (published v2 path) --"
-try_path "/token-aggregation" "/api/v2/providers/capabilities?chainId=138"
+V2_CAPS_CODE=$(curl -sS -o /tmp/ta-check.json -w "%{http_code}" -m 25 \
+  "${BASE_URL}/token-aggregation/api/v2/providers/capabilities?chainId=138" 2>/dev/null || echo "000")
+echo "  $V2_CAPS_CODE  /token-aggregation/api/v2/providers/capabilities?chainId=138"
+if [[ "$V2_CAPS_CODE" == "200" ]]; then
+  head -c 220 /tmp/ta-check.json
+  echo
+fi
 if [[ -f /tmp/ta-check.json ]] && head -c 20 /tmp/ta-check.json | grep -qi '<!DOCTYPE'; then
  echo "  [WARN] capabilities response looks like HTML — nginx may not proxy /token-aggregation/api/v2/ to token-aggregation (VMID 5000: scripts/fix-explorer-token-aggregation-api-v2-proxy.sh)"
 fi
-try_post_path "/token-aggregation" "/api/v2/routes/plan" "{\"sourceChainId\":138,\"tokenIn\":\"${WETH10}\",\"tokenOut\":\"${USDT}\",\"amountIn\":\"100000000000000000\"}"
-try_post_path "/token-aggregation" "/api/v2/routes/internal-execution-plan" "{\"sourceChainId\":138,\"tokenIn\":\"${WETH10}\",\"tokenOut\":\"${USDT}\",\"amountIn\":\"100000000000000000\"}"
+V2_PLAN_CODE=$(curl -sS -o /tmp/ta-check.json -w "%{http_code}" -m 25 \
+  -H "content-type: application/json" \
+  -X POST \
+  --data "{\"sourceChainId\":138,\"tokenIn\":\"${WETH10}\",\"tokenOut\":\"${USDT}\",\"amountIn\":\"100000000000000000\"}" \
+  "${BASE_URL}/token-aggregation/api/v2/routes/plan" 2>/dev/null || echo "000")
+echo "  $V2_PLAN_CODE  POST /token-aggregation/api/v2/routes/plan"
+if [[ "$V2_PLAN_CODE" == "200" || "$V2_PLAN_CODE" == "400" ]]; then
+  head -c 260 /tmp/ta-check.json
+  echo
+fi
+V2_INTERNAL_PLAN_CODE=$(curl -sS -o /tmp/ta-check.json -w "%{http_code}" -m 25 \
+  -H "content-type: application/json" \
+  -X POST \
+  --data "{\"sourceChainId\":138,\"tokenIn\":\"${WETH10}\",\"tokenOut\":\"${USDT}\",\"amountIn\":\"100000000000000000\"}" \
+  "${BASE_URL}/token-aggregation/api/v2/routes/internal-execution-plan" 2>/dev/null || echo "000")
+echo "  $V2_INTERNAL_PLAN_CODE  POST /token-aggregation/api/v2/routes/internal-execution-plan"
+if [[ "$V2_INTERNAL_PLAN_CODE" == "200" || "$V2_INTERNAL_PLAN_CODE" == "400" ]]; then
+  head -c 260 /tmp/ta-check.json
+  echo
+fi

 echo ""
 echo "== DODO stable depth sanity =="
@@ -140,7 +170,32 @@ echo "  - gas-registry 404: redeploy token-aggregation from repo (implements GET
 echo "  - Health: curl -s http://127.0.0.1:3001/health on explorer VM (not always proxied as /health)."
 echo "  - planner-v2 publishes under /token-aggregation/api/v2/* so it does not collide with Blockscout /api/v2/* on explorer.d-bis.org."
 echo "  - Apex https://explorer.d-bis.org/api/v1/* returns 400 while /token-aggregation/api/v1/* works: add HTTP+HTTPS location /api/v1/ → token-aggregation (scripts/fix-explorer-http-api-v1-proxy.sh on explorer VM)."
-echo "  - POST /token-aggregation/api/v2/* returns 405: insert v2 proxy block (scripts/fix-explorer-token-aggregation-api-v2-proxy.sh on VMID 5000)."
+echo "  - If POST /token-aggregation/api/v2/* returns 405 or HTML instead of JSON, insert the v2 proxy block (scripts/fix-explorer-token-aggregation-api-v2-proxy.sh on VMID 5000)."
 echo "  - Fresh binary + PMM env: bash scripts/deploy-token-aggregation-for-publication.sh then rsync dist/node_modules/.env to /opt/token-aggregation; systemctl restart token-aggregation (see TOKEN_AGGREGATION_REPORT_API_RUNBOOK.md)."
 echo "  - DODO v3 pilot routes should return provider=dodo_v3, routePlanPresent=true, and an internal-execution-plan object targeting EnhancedSwapRouterV2 when CHAIN138_ENABLE_DODO_V3_EXECUTION is live."
 echo "  - The funded canonical cUSDC/USDC DODO pool should report non-zero route-tree depth on Chain 138; if it falls back to near-zero TVL again, check the DODO valuation path and the canonical PMM integration address."
+
+ROOT_V1_CODE=$(curl -sS -o /tmp/ta-root-v1.json -w "%{http_code}" -m 25 \
+  "${BASE_URL}/api/v1/tokens?chainId=138&limit=1" 2>/dev/null || echo "000")
+TOKEN_AGG_V1_CODE=$(curl -sS -o /tmp/ta-tokenagg-v1.json -w "%{http_code}" -m 25 \
+  "${BASE_URL}/token-aggregation/api/v1/tokens?chainId=138&limit=1" 2>/dev/null || echo "000")
+
+echo ""
+echo "== summary =="
+echo "root_v1=$ROOT_V1_CODE token_aggregation_v1=$TOKEN_AGG_V1_CODE v2_caps=$V2_CAPS_CODE v2_plan=$V2_PLAN_CODE v2_internal_plan=$V2_INTERNAL_PLAN_CODE"
+
+if [[ "$V2_CAPS_CODE" != "200" || "$V2_PLAN_CODE" != "200" || "$V2_INTERNAL_PLAN_CODE" != "200" ]]; then
+  echo "[fail] planner-v2 publication is unhealthy" >&2
+  exit 1
+fi
+
+if [[ "$TOKEN_AGG_V1_CODE" == "502" || "$TOKEN_AGG_V1_CODE" == "000" ]]; then
+  echo "[fail] published /token-aggregation/api/v1 surface is unhealthy" >&2
+  exit 1
+fi
+
+if [[ "$ROOT_V1_CODE" == "400" ]]; then
+  echo "[warn] apex /api/v1 remains routed to Blockscout and not token-aggregation; use /token-aggregation/api/v1 or add the dedicated apex proxy if required." >&2
+fi
+
+echo "[OK] token-aggregation planner-v2 is healthy; published v1 surface is reachable."