From 790e489538423d21b19151314a946f831ba552df Mon Sep 17 00:00:00 2001 From: defiQUG Date: Fri, 27 Mar 2026 18:46:56 -0700 Subject: [PATCH] docs: FQDN matrix, public-sector baseline, Chain138 runbooks, eIDAS repo reference Made-with: Cursor --- ...NCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md | 95 ++++ ...38_OFFICIAL_STABLE_BLOCKER_REMOVAL_PATH.md | 152 ++++++ ...8_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md | 475 ++++++++++++++++++ ...AU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md | 247 +++++++++ .../FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md | 137 +++++ .../04-configuration/FQDN_EXPECTED_CONTENT.md | 119 +++++ ...COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md | 29 ++ 7 files changed, 1254 insertions(+) create mode 100644 docs/02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md create mode 100644 docs/03-deployment/CHAIN138_OFFICIAL_STABLE_BLOCKER_REMOVAL_PATH.md create mode 100644 docs/03-deployment/CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md create mode 100644 docs/03-deployment/CHAIN138_XAU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md create mode 100644 docs/03-deployment/FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md create mode 100644 docs/04-configuration/FQDN_EXPECTED_CONTENT.md create mode 100644 docs/11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md diff --git a/docs/02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md b/docs/02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md new file mode 100644 index 0000000..f3eb631 --- /dev/null +++ b/docs/02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md 
@@ -0,0 +1,95 @@ +# Public sector tenancy, service catalog, and deployment baseline + +**Last Updated:** 2026-03-25 +**Status:** Canonical baseline (reconciles assurance, Phoenix intent, and repo boundaries) +**Related:** [NON_GOALS.md](NON_GOALS.md), [EXPECTED_WEB_CONTENT.md](EXPECTED_WEB_CONTENT.md), [SERVICE_DESCRIPTIONS.md](SERVICE_DESCRIPTIONS.md), [BRAND_RELATIONSHIP.md](BRAND_RELATIONSHIP.md), [../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md](../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md), [config/public-sector-program-manifest.json](../../config/public-sector-program-manifest.json) + +--- + +## Purpose + +This document **closes documented gaps** between: + +- **Assurance claims** (e.g. SMOA eIDAS evidence: partial / QTSP pending — see SMOA repo `docs/compliance/evidence/eidas-compliance-evidence.md`) +- **Platform intent** (Phoenix as CSP-style control plane with tenant/IAM/catalog expectations) +- **Repository reality** (Complete Credential / eIDAS connector code lives **outside** this `proxmox` tree) + +It does **not** replace legal advice, DPIAs, or national eID supervision requirements. 
+ +--- + +## Official-style descriptors (use in contracts and external comms) + +| Avoid (ambiguous) | Prefer | +|-------------------|--------| +| Government client | **Public sector organization**, **procuring entity** (procurement context), **data controller** (GDPR context) | +| Subdivision | **Organizational unit**, **child public body**, **agency** (if legally distinct) | +| Phoenix portal (colloquial) | **Phoenix control plane** / **Phoenix API** (API-first); **Sankofa Portal** for brand site (`sankofa.nexus`) | +| Marketplace (product) | **Service catalog** + **entitlement management** until procurement-backed billing is implemented; use **marketplace** only if contractually defined | +| Wallet (in gov packs) | **Credential holder application**, **authenticator**, **SMOA client** — do not mix with **self-custody cryptocurrency wallet** language from Chain 138 / DeFi docs | + +--- + +## Deployment profiles (flexibility bridge) + +| Profile | Use when | Isolation | +|---------|----------|-----------| +| **A — Shared platform** | Pilot, single legal controller, non-qualified flows | Multi-tenant logical separation; **per-tenant** keys and metadata | +| **B — Dedicated stack** | Jurisdiction rule, qualified-trust boundary, or security classification | Separate LXC/VM (or cluster) per **controller** or **Member State** deployment | +| **C — Hybrid** | Shared orchestration (Phoenix), isolated crypto/PII | Phoenix + shared IdP; **connector + HSM/DB** isolated per tenant | + +**Promotion path:** tenant IDs and APIs should allow moving **A → B** without rewriting mobile or portal clients. + +--- + +## Illustrative reference topology (time-scoped) + +_Label: **Illustrative — as of 2026-Q1**. 
Per [NON_GOALS.md](NON_GOALS.md) §4, this is not an immutable enterprise diagram; update when VMIDs/FQDNs change._ + +``` + [ Internet / VPN ] + | + NPMplus / Edge + | + +-------------------+-------------------+ + | | | + sankofa.nexus phoenix.sankofa.nexus api.smoa… (example) + (Portal 7801) (Phoenix API 7800) (SMOA edge LXC — see SMOA repo) + | | | + Keycloak 7802 GraphQL / health SMOA API / DB (LXC) + | + PostgreSQL 7803 + | + [Optional: Complete Credential / eIDAS connector — dedicated LXC; not on Phoenix VMIDs] +``` + +**SMOA** Proxmox LXC layout (edge, API, DB, optional TURN/signal): see **SMOA** repository `backend/docs/LXC-PROXMOX-CONTAINERS.md` (not duplicated here). + +**Complete Credential / eIDAS connector:** register in [public-sector-program-manifest.json](../../config/public-sector-program-manifest.json) and deploy per [COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md](../11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md). + +--- + +## Regulatory-aligned defaults (summary) + +1. **Credential / connector deployment:** isolate by **legal controller** and **jurisdiction** for qualified or sensitive PII; use **Profile B** when in doubt. +2. **Service catalog:** **entitlements** tied to **contracts / purchase orders** before automated public payment rails; same **SKU** model can later attach **e-invoicing / payment**. +3. **SMOA APK:** prefer **MDM / managed distribution** for production public-sector devices; public download only for **pilot / low classification** with explicit scope. 
+ +--- + +## Known technical gaps (tracked) + +| ID | Gap | Mitigation owner | +|----|-----|------------------| +| G1 | SMOA eIDAS: QTSP, EU trust lists, qualified timestamping — **partial** in evidence doc | SMOA + legal + QTSP partnership | +| G2 | Phoenix: **billing** in EXPECTED_WEB_CONTENT is **roadmap**, not implemented | Phoenix product + procurement counsel | +| G3 | **proxmox** repo does not contain Complete Credential source | Use manifest + sibling clone; deploy via runbook | +| G4 | Terminology: **wallet** in DeFi docs vs **credential app** in gov context | Use this doc + review gov-facing PDFs | +| G5 | Single **sovereign reference diagram** in one place | This file + SERVICE_DESCRIPTIONS VM table; refresh quarterly | + +--- + +## Review cadence + +- **Quarterly** or when VMID/DNS/procurement model changes: update manifest FQDN hints and this diagram note. +- **After** QTSP or national eID milestone: update G1 and external-facing assurance statements. diff --git a/docs/03-deployment/CHAIN138_OFFICIAL_STABLE_BLOCKER_REMOVAL_PATH.md b/docs/03-deployment/CHAIN138_OFFICIAL_STABLE_BLOCKER_REMOVAL_PATH.md new file mode 100644 index 0000000..b62cbb2 --- /dev/null +++ b/docs/03-deployment/CHAIN138_OFFICIAL_STABLE_BLOCKER_REMOVAL_PATH.md 
@@ -0,0 +1,152 @@ +# Chain 138 Official Stable Blocker Removal Path + +**Purpose:** Remove the last local PMM blocker on Chain 138 by replacing stale placeholder addresses with live quote-side ERC-20 contracts and then redeploying the integration against them. + +--- + +## 1. The blocker, stated plainly + +The current local PMM path for: + +- `cUSDT / USDT` +- `cUSDC / USDC` + +is blocked because the integration is wired to addresses that are **not live ERC-20 contracts on Chain 138**. + +That means: + +- the pools may exist in metadata +- the integration can still report those addresses +- but liquidity add and swap flows will fail locally because the quote-side token has no bytecode + +--- + +## 2. What is real in the repo today + +### Live on Chain 138 + +- `cUSDT` +- `cUSDC` +- `cXAUC` +- `cXAUT` +- `DODOPMMIntegration` +- live funded `cUSDT / cUSDC` +- live funded XAU-side pools + +### Not present as live local ERC-20s + +- a real local `USDT` contract for Chain 138 official-pair PMM use +- a real local `USDC` contract for Chain 138 official-pair PMM use + +### Not valid for this PMM blocker + +- `MainnetTether.sol` + - this is a state anchor, not an ERC-20 token +- `StablecoinReserveVault.sol` + - this is for mainnet reserve custody/redemption, not a local Chain 138 quote token + +--- + +## 3. Exact contract/deploy path + +### Step 1. 
Deploy local Chain 138 quote-side mirrors + +Deploy these contracts: + +- [OfficialStableMirrorToken.sol](/home/intlc/projects/proxmox/smom-dbis-138/contracts/tokens/OfficialStableMirrorToken.sol) +- [DeployOfficialUSDT138.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/DeployOfficialUSDT138.s.sol) +- [DeployOfficialUSDC138.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/DeployOfficialUSDC138.s.sol) + +These tokens are: + +- lightweight ERC-20s +- 6 decimals +- owner-mintable +- meant only to provide live local quote-side assets for Chain 138 PMM pools + +They are intentionally separate from the compliant token layer. + +### Step 2. Persist live addresses + +Write these into `smom-dbis-138/.env`: + +```bash +OFFICIAL_USDT_ADDRESS=0x... +OFFICIAL_USDC_ADDRESS=0x... +``` + +### Step 3. Redeploy PMM integration against the live local quote assets + +Use: + +- [DeployDODOPMMIntegration.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/DeployDODOPMMIntegration.s.sol) + +Important: this deploy script no longer falls back to stale hardcoded Chain 138 addresses. The operator must supply real addresses explicitly through env. + +### Step 4. Create the stable pools on the new integration + +Use: + +- [CreateCUSDTUSDTPool.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/CreateCUSDTUSDTPool.s.sol) +- [CreateCUSDCUSDCPool.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/CreateCUSDCUSDCPool.s.sol) +- [CreateCUSDTCUSDCPool.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/CreateCUSDTCUSDCPool.s.sol) + +### Step 5. Fund in this order + +1. `cUSDT / cUSDC` +2. `cUSDT / USDT` +3. `cUSDC / USDC` + +Use: + +- [AddLiquidityPMMPoolsChain138.s.sol](/home/intlc/projects/proxmox/smom-dbis-138/script/dex/AddLiquidityPMMPoolsChain138.s.sol) + +--- + +## 4. 
Verification gates + +Before PMM redeploy: + +```bash +cast code "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138" +cast code "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138" +cast call "$OFFICIAL_USDT_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138" +cast call "$OFFICIAL_USDC_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138" +``` + +After PMM redeploy: + +```bash +cast call "$DODO_PMM_INTEGRATION_ADDRESS" "officialUSDT()(address)" --rpc-url "$RPC_URL_138" +cast call "$DODO_PMM_INTEGRATION_ADDRESS" "officialUSDC()(address)" --rpc-url "$RPC_URL_138" +``` + +After pool creation: + +```bash +cast call "$DODO_PMM_INTEGRATION_ADDRESS" "pools(address,address)(address)" \ + "$COMPLIANT_USDT_ADDRESS" "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138" + +cast call "$DODO_PMM_INTEGRATION_ADDRESS" "pools(address,address)(address)" \ + "$COMPLIANT_USDC_ADDRESS" "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138" +``` + +After funding: + +```bash +cast call "$OFFICIAL_USDT_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDTUSDT" --rpc-url "$RPC_URL_138" +cast call "$OFFICIAL_USDC_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDCUSDC" --rpc-url "$RPC_URL_138" +``` + +--- + +## 5. Recommendation + +The safe path is: + +1. stop relying on the stale Chain 138 placeholder addresses +2. deploy explicit local quote-side mirror tokens +3. redeploy PMM integration using those real local token addresses +4. create and fund the stable pools + +That is the narrowest change that removes the blocker without redefining the compliant token layer or pretending a non-existent Chain 138 official stable already exists. diff --git a/docs/03-deployment/CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md b/docs/03-deployment/CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md new file mode 100644 index 0000000..24bd410 --- /dev/null +++ b/docs/03-deployment/CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md 
@@ -0,0 +1,475 @@ +# Chain 138 PMM Redeploy and Pool Funding Runbook + +**Purpose:** Execute the live on-chain PMM remediation and funding sequence on Chain 138 in the correct order: + +1. deploy live Chain 138 quote-side `USDT` and `USDC` ERC-20 mirror tokens +2. redeploy `DODOPMMIntegration` with those live Chain 138 official stable addresses +3. recreate the usable public stable pools on the new integration +4. create public XAU pools using `cXAUC` or `cXAUT` as the Chain 138 XAU anchor +5. deploy the `PrivatePoolRegistry` and register the XAU private stabilization pools +6. fund the pools in the correct order + +**Primary chain:** Chain 138 +**Operator requirement:** deployer EOA with `PRIVATE_KEY`, gas, and the required token balances / mint authority. + +--- + +## 0. Preconditions + +### 0.1 Required environment + +From `smom-dbis-138/.env`: + +```bash +PRIVATE_KEY=0x... +RPC_URL_138=http://... +DODO_VENDING_MACHINE_ADDRESS=0x... +COMPLIANT_USDT_ADDRESS=0x93E66202A11B1772E55407B32B44e5Cd8eda7f22 +COMPLIANT_USDC_ADDRESS=0xf22258f57794CC8E06237084b353Ab30fFfa640b +OFFICIAL_USDT_ADDRESS=0x... +OFFICIAL_USDC_ADDRESS=0x... +``` + +### 0.2 XAU anchor selection + +Choose one Chain 138 XAU anchor for the PMM and private stabilization pools: + +```bash +# Preferred default +XAU_ADDRESS_138=0x290E52a8819A4fbD0714E517225429aA2B70EC6b # cXAUC + +# Optional alternate +CXAUT_ADDRESS_138=0x94e408E26c6FD8F4ee00b54dF19082FDA07dC96E # cXAUT +``` + +If `XAU_ADDRESS_138` is unset, the scripts default to `cXAUC` on Chain 138. 
+ +### 0.3 Stop conditions + +Stop immediately if any of these checks fail: + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +cast wallet address "$PRIVATE_KEY" +cast code "$DODO_VENDING_MACHINE_ADDRESS" --rpc-url "$RPC_URL_138" +cast code "$COMPLIANT_USDT_ADDRESS" --rpc-url "$RPC_URL_138" +cast code "$COMPLIANT_USDC_ADDRESS" --rpc-url "$RPC_URL_138" +cast code "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138" +cast code "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138" +cast code "${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" --rpc-url "$RPC_URL_138" +``` + +Expected result: each `cast code` returns non-empty bytecode. + +### 0.4 Important blocker note + +Do **not** use the historical placeholder addresses `0x15DF...` or `0xA0b8...` on Chain 138 unless `cast code` proves they are live ERC-20 contracts on Chain 138. + +The local PMM integration requires live quote-side ERC-20s on Chain 138. If `OFFICIAL_USDT_ADDRESS` and `OFFICIAL_USDC_ADDRESS` have no bytecode, deploy the local mirror tokens first. + +--- + +## 1. Snapshot the current state + +Record the current integration and pool state before redeploying: + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +echo "Current integration: ${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-unset}}" +echo "Current cUSDT/cUSDC pool: ${POOL_CUSDTCUSDC:-unset}" +echo "Current cUSDT/USDT pool: ${POOL_CUSDTUSDT:-unset}" +echo "Current cUSDC/USDC pool: ${POOL_CUSDCUSDC:-unset}" +``` + +If the current integration exists, record its immutable token addresses: + +```bash +INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}" +[ -n "$INT" ] && cast call "$INT" "officialUSDT()(address)" --rpc-url "$RPC_URL_138" +[ -n "$INT" ] && cast call "$INT" "officialUSDC()(address)" --rpc-url "$RPC_URL_138" +``` + +--- + +## 1. Deploy the Chain 138 official stable mirrors + +Deploy the local quote-side assets first. 
These are lightweight ERC-20 mirrors used only to unblock local PMM pools on Chain 138. + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +forge script script/DeployOfficialUSDT138.s.sol:DeployOfficialUSDT138 \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + --legacy \ + -vv + +forge script script/DeployOfficialUSDC138.s.sol:DeployOfficialUSDC138 \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + --legacy \ + -vv +``` + +Persist the deployed addresses into `.env`: + +```bash +OFFICIAL_USDT_ADDRESS=0x... +OFFICIAL_USDC_ADDRESS=0x... +``` + +Verify both: + +```bash +cast code "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138" +cast code "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138" +cast call "$OFFICIAL_USDT_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138" +cast call "$OFFICIAL_USDC_ADDRESS" "symbol()(string)" --rpc-url "$RPC_URL_138" +``` + +Expected result: +- both return non-empty bytecode +- symbols return `USDT` and `USDC` + +--- + +## 2. Redeploy PMM integration on Chain 138 + +This step creates a fresh `DODOPMMIntegration` using the corrected Chain 138 official stable addresses. + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +forge script script/dex/DeployDODOPMMIntegration.s.sol:DeployDODOPMMIntegration \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + --legacy \ + -vv +``` + +After deployment, update `.env` with the new integration address: + +```bash +DODO_PMM_INTEGRATION_ADDRESS=0x... +DODO_PMM_INTEGRATION=0x... 
+``` + +Verify the new immutables: + +```bash +INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}" +cast call "$INT" "officialUSDT()(address)" --rpc-url "$RPC_URL_138" +cast call "$INT" "officialUSDC()(address)" --rpc-url "$RPC_URL_138" +cast call "$INT" "compliantUSDT()(address)" --rpc-url "$RPC_URL_138" +cast call "$INT" "compliantUSDC()(address)" --rpc-url "$RPC_URL_138" +``` + +Expected result: +- `officialUSDT` = the live `OFFICIAL_USDT_ADDRESS` you just deployed or verified +- `officialUSDC` = the live `OFFICIAL_USDC_ADDRESS` you just deployed or verified + +--- + +## 3. Create the corrected public stable pools + +Create the three public PMM pools on the **new** integration: + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +forge script script/dex/CreateCUSDTCUSDCPool.s.sol:CreateCUSDTCUSDCPool \ + --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "${GAS_PRICE_138:-1000000000}" -vv + +forge script script/dex/CreateCUSDTUSDTPool.s.sol:CreateCUSDTUSDTPool \ + --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "${GAS_PRICE_138:-1000000000}" -vv + +forge script script/dex/CreateCUSDCUSDCPool.s.sol:CreateCUSDCUSDCPool \ + --rpc-url "$RPC_URL_138" --broadcast --private-key "$PRIVATE_KEY" --with-gas-price "${GAS_PRICE_138:-1000000000}" -vv +``` + +Record the new pool addresses: + +```bash +INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}" + +POOL_CUSDTCUSDC=$(cast call "$INT" "pools(address,address)(address)" \ + "$COMPLIANT_USDT_ADDRESS" "$COMPLIANT_USDC_ADDRESS" --rpc-url "$RPC_URL_138" | cast --to-addr) + +POOL_CUSDTUSDT=$(cast call "$INT" "pools(address,address)(address)" \ + "$COMPLIANT_USDT_ADDRESS" "$OFFICIAL_USDT_ADDRESS" --rpc-url "$RPC_URL_138" | cast --to-addr) + +POOL_CUSDCUSDC=$(cast call "$INT" "pools(address,address)(address)" \ + "$COMPLIANT_USDC_ADDRESS" "$OFFICIAL_USDC_ADDRESS" --rpc-url "$RPC_URL_138" | cast --to-addr) + +echo 
"$POOL_CUSDTCUSDC" +echo "$POOL_CUSDTUSDT" +echo "$POOL_CUSDCUSDC" +``` + +Persist them into `.env`. + +--- + +## 4. Create the public XAU pools + +Use the new public XAU script so the XAU side is explicit as `cXAUC` or `cXAUT`. + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +forge script script/dex/CreatePublicXAUPoolsChain138.s.sol:CreatePublicXAUPoolsChain138 \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + --legacy \ + -vv +``` + +Optional controls: + +```bash +CREATE_CUSDT_XAU=true +CREATE_CUSDC_XAU=true +CREATE_CEURT_XAU=true +``` + +Verify the created public XAU pools: + +```bash +INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}" +XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" + +cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" +cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDC_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" +cast call "$INT" "pools(address,address)(address)" "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "$XAU" --rpc-url "$RPC_URL_138" +``` + +Persist the returned pool addresses if they are non-zero. + +--- + +## 5. Deploy `PrivatePoolRegistry` and register private XAU pools + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +forge script script/dex/DeployPrivatePoolRegistryAndPools.s.sol:DeployPrivatePoolRegistryAndPools \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + --legacy \ + -vv +``` + +Record: + +```bash +PRIVATE_POOL_REGISTRY=0x... 
+``` + +Verify registrations: + +```bash +REG="$PRIVATE_POOL_REGISTRY" +XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" + +cast call "$REG" "getPool(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" +cast call "$REG" "getPool(address,address)(address)" "$COMPLIANT_USDC_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" +cast call "$REG" "getPool(address,address)(address)" "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "$XAU" --rpc-url "$RPC_URL_138" +``` + +--- + +## 6. Fund the pools in the correct order + +### 6.1 Funding order + +Fund in this order: + +1. `cUSDT / cUSDC` +2. `cUSDT / USDT` +3. `cUSDC / USDC` +4. public XAU pools: + - `cUSDT / XAU` + - `cUSDC / XAU` + - `cEURT / XAU` +5. private stabilization pools last + +Reason: +- `cUSDT/cUSDC` establishes the base compliant market first +- official stable pools come next after the corrected addresses are live +- XAU public pools should discover price before private stabilization paths are seeded + +### 6.2 Mint compliant balances + +Mint the compliant side first: + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +MINT_CUSDT_AMOUNT=2000000 \ +MINT_CUSDC_AMOUNT=2000000 \ +./scripts/mint-for-liquidity.sh +``` + +Mint additional compliant assets as needed: + +```bash +DEPLOYER=$(cast wallet address "$PRIVATE_KEY") +cast send 0xdf4b71c61E5912712C1Bdd451416B9aC26949d72 \ + "mint(address,uint256)" "$DEPLOYER" 1000000000000 \ + --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" +``` + +### 6.3 Acquire / verify non-mintable sides + +Before adding liquidity, confirm balances of: +- `OFFICIAL_USDT_ADDRESS` +- `OFFICIAL_USDC_ADDRESS` +- `XAU_ADDRESS_138` (`cXAUC` or `cXAUT`) + +```bash +DEPLOYER=$(cast wallet address "$PRIVATE_KEY") + +cast call "$OFFICIAL_USDT_ADDRESS" "balanceOf(address)(uint256)" "$DEPLOYER" --rpc-url "$RPC_URL_138" +cast call "$OFFICIAL_USDC_ADDRESS" "balanceOf(address)(uint256)" "$DEPLOYER" --rpc-url "$RPC_URL_138" +cast call 
"${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" "balanceOf(address)(uint256)" "$DEPLOYER" --rpc-url "$RPC_URL_138" +``` + +Do **not** proceed on a pool until both sides have sufficient balance. + +### 6.4 Fund `cUSDT / cUSDC` + +Use the existing add-liquidity script first: + +```bash +export ADD_LIQUIDITY_CUSDTCUSDC_BASE=1000000000000 +export ADD_LIQUIDITY_CUSDTCUSDC_QUOTE=1000000000000 + +forge script script/dex/AddLiquidityPMMPoolsChain138.s.sol:AddLiquidityPMMPoolsChain138 \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + -vv +``` + +### 6.5 Fund `cUSDT / USDT` and `cUSDC / USDC` + +Set per-pool liquidity amounts: + +```bash +export ADD_LIQUIDITY_CUSDTUSDT_BASE=1000000000000 +export ADD_LIQUIDITY_CUSDTUSDT_QUOTE=1000000000000 +export ADD_LIQUIDITY_CUSDCUSDC_BASE=1000000000000 +export ADD_LIQUIDITY_CUSDCUSDC_QUOTE=1000000000000 +``` + +Then run the same liquidity script: + +```bash +forge script script/dex/AddLiquidityPMMPoolsChain138.s.sol:AddLiquidityPMMPoolsChain138 \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + -vv +``` + +### 6.6 Fund public XAU pools + +For each public XAU pool: + +1. approve both tokens to the integration +2. 
call `addLiquidity(pool, baseAmount, quoteAmount)` + +Example for `cUSDT / XAU`: + +```bash +INT="${DODO_PMM_INTEGRATION_ADDRESS:-${DODO_PMM_INTEGRATION:-}}" +XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" +POOL=$(cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" | cast --to-addr) + +cast send "$COMPLIANT_USDT_ADDRESS" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" +cast send "$XAU" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" +cast send "$INT" "addLiquidity(address,uint256,uint256)" "$POOL" 1000000000000 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" +``` + +Repeat for: +- `cUSDC / XAU` +- `cEURT / XAU` + +### 6.7 Seed private stabilization pools last + +Only after the public pools have been created and seeded: + +1. verify private registry entries exist +2. approve both sides +3. fund the corresponding private pool addresses with smaller initial depth than the public pools + +Use the same `addLiquidity(address,uint256,uint256)` pattern against the registered pool addresses. + +--- + +## 7. Post-funding verification + +### 7.1 Pool reserves + +```bash +cast call "$POOL_CUSDTCUSDC" "getVaultReserve()(uint256,uint256)" --rpc-url "$RPC_URL_138" +cast call "$POOL_CUSDTUSDT" "getVaultReserve()(uint256,uint256)" --rpc-url "$RPC_URL_138" +cast call "$POOL_CUSDCUSDC" "getVaultReserve()(uint256,uint256)" --rpc-url "$RPC_URL_138" +``` + +Repeat for each XAU pool address. + +### 7.2 Explorer alignment + +After successful execution, update: +- [ADDRESS_MATRIX_AND_STATUS.md](../11-references/ADDRESS_MATRIX_AND_STATUS.md) +- [DEPLOYED_TOKENS_BRIDGES_LPS_AND_ROUTING_STATUS.md](../11-references/DEPLOYED_TOKENS_BRIDGES_LPS_AND_ROUTING_STATUS.md) + +Also update the explorer pool inventory if new pool addresses were created. + +--- + +## 8. 
Rollback / abort guidance + +Abort if any of the following occurs: +- official token bytecode missing on 138 +- integration deployed with wrong immutables +- pool creation returns zero or reverts unexpectedly +- deployer lacks balance for either side of a target pool + +If the new integration is deployed but pool creation fails, stop there and do **not** fund the old incorrect pools. + +--- + +## 9. References + +- [DeployDODOPMMIntegration.s.sol](../../smom-dbis-138/script/dex/DeployDODOPMMIntegration.s.sol) +- [CreateCUSDTCUSDCPool.s.sol](../../smom-dbis-138/script/dex/CreateCUSDTCUSDCPool.s.sol) +- [CreateCUSDTUSDTPool.s.sol](../../smom-dbis-138/script/dex/CreateCUSDTUSDTPool.s.sol) +- [CreateCUSDCUSDCPool.s.sol](../../smom-dbis-138/script/dex/CreateCUSDCUSDCPool.s.sol) +- [CreatePublicXAUPoolsChain138.s.sol](../../smom-dbis-138/script/dex/CreatePublicXAUPoolsChain138.s.sol) +- [DeployPrivatePoolRegistryAndPools.s.sol](../../smom-dbis-138/script/dex/DeployPrivatePoolRegistryAndPools.s.sol) +- [AddLiquidityPMMPoolsChain138.s.sol](../../smom-dbis-138/script/dex/AddLiquidityPMMPoolsChain138.s.sol) +- [ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md](/home/intlc/projects/proxmox/docs/03-deployment/ADD_LIQUIDITY_PMM_CHAIN138_RUNBOOK.md) diff --git a/docs/03-deployment/CHAIN138_XAU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md b/docs/03-deployment/CHAIN138_XAU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md new file mode 100644 index 0000000..f3ff11b --- /dev/null +++ b/docs/03-deployment/CHAIN138_XAU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md 
@@ -0,0 +1,247 @@ +# Chain 138 XAU Pool Status and Public Creation Path + +**Date:** 2026-03-26 +**Scope:** Verify live private and public XAU pools on Chain 138 and record the exact creation/funding path used. + +## Current live state + +### Private XAU pools: live on-chain now + +Verified against: + +- `PrivatePoolRegistry`: `0xb27057B27db09e8Df353AF722c299f200519882A` +- `cXAUC`: `0x290E52a8819A4fbD0714E517225429aA2B70EC6b` + +Registered private pools: + +- `cUSDT / cXAUC` + - pool: `0x94316511621430423a2cff0C036902BAB4aA70c2` +- `cUSDC / cXAUC` + - pool: `0x7867D58567948e5b9908F1057055Ee4440de0851` +- `cEURT / cXAUC` + - pool: `0x505403093826D494983A93b43Aa0B8601078A44e` + +Code verification: + +- all three pool addresses return non-empty bytecode on Chain 138 + +Observed reserves: + +- `cUSDT / cXAUC` + - `cUSDT`: `2,666,965` + - `cXAUC`: `519.477` +- `cUSDC / cXAUC` + - `cUSDC`: `1,000,000` + - `cXAUC`: `194.782554` +- `cEURT / cXAUC` + - `cEURT`: `1,000,000` + - `cXAUC`: `225.577676` + +### Public XAU pools: now created and funded in the live PMM integration + +Verified against: + +- `DODOPMMIntegration`: `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` + +Current mapping state: + +- `pools(cUSDT, cXAUC) = 0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0` +- `pools(cUSDC, cXAUC) = 0xEA9Ac6357CaCB42a83b9082B870610363B177cBa` +- `pools(cEURT, cXAUC) = 0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf` + +All three public pool addresses return non-empty bytecode on Chain 138. + +Observed public reserves: + +- `cUSDT / cXAUC` + - `cUSDT`: `2,666,965` + - `cXAUC`: `519.477` +- `cUSDC / cXAUC` + - `cUSDC`: `1,000,000` + - `cXAUC`: `194.782554` +- `cEURT / cXAUC` + - `cEURT`: `1,000,000` + - `cXAUC`: `225.577676` + +The explorer should now show these rows with: + +- real pool address +- `Funded (live)` +- notes derived from live integration mapping and reserves + +## Exact creation and funding path used for the three public XAU pools + +### 1. 
Preconditions + +Confirm the required contracts and tokens are already live: + +- `DODOPMMIntegration`: `0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d` +- `cUSDT`: `0x93E66202A11B1772E55407B32B44e5Cd8eda7f22` +- `cUSDC`: `0xf22258f57794CC8E06237084b353Ab30fFfa640b` +- `cEURT`: `0xdf4b71c61E5912712C1Bdd451416B9aC26949d72` +- `cXAUC`: `0x290E52a8819A4fbD0714E517225429aA2B70EC6b` + +Recommended env: + +```bash +export RPC_URL_138=http://192.168.11.211:8545 +export DODOPMM_INTEGRATION=0x5BDc62f1ae7D630c37A8B363a1d49845356Ee72d +export COMPLIANT_USDT_ADDRESS=0x93E66202A11B1772E55407B32B44e5Cd8eda7f22 +export COMPLIANT_USDC_ADDRESS=0xf22258f57794CC8E06237084b353Ab30fFfa640b +export cEURT_ADDRESS_138=0xdf4b71c61E5912712C1Bdd451416B9aC26949d72 +export XAU_ADDRESS_138=0x290E52a8819A4fbD0714E517225429aA2B70EC6b +``` + +### 2. Create the public XAU pools + +Use the existing script: + +- [CreatePublicXAUPoolsChain138.s.sol](../../smom-dbis-138/script/dex/CreatePublicXAUPoolsChain138.s.sol) + +Run: + +```bash +cd /home/intlc/projects/proxmox/smom-dbis-138 +source .env + +forge script script/dex/CreatePublicXAUPoolsChain138.s.sol:CreatePublicXAUPoolsChain138 \ + --rpc-url "$RPC_URL_138" \ + --broadcast \ + --private-key "$PRIVATE_KEY" \ + --with-gas-price "${GAS_PRICE_138:-1000000000}" \ + --legacy \ + -vv +``` + +Optional toggles: + +```bash +export CREATE_CUSDT_XAU=true +export CREATE_CUSDC_XAU=true +export CREATE_CEURT_XAU=true +``` + +### 3. 
Verify creation immediately + +```bash +INT="${DODOPMM_INTEGRATION:-$DODOPMM_INTEGRATION_ADDRESS}" +XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" + +cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" +cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDC_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" +cast call "$INT" "pools(address,address)(address)" "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "$XAU" --rpc-url "$RPC_URL_138" +``` + +Each result should now be a non-zero pool address. + +Persist them into `.env` or the relevant operator notes. + +### 4. Public pool addresses created + +- `cUSDT / cXAUC` + - pool: `0x1AA55E2001E5651349AfF5A63FD7A7Ae44f0F1b0` + - create tx: `0xb38df32e7f51cff2ec283aa70ebf0e98b195721efa58d9b0a6e1df7fb55c05a1` +- `cUSDC / cXAUC` + - pool: `0xEA9Ac6357CaCB42a83b9082B870610363B177cBa` + - create tx: `0xae16081faf9762500d14883be814393695d6a854afe84c9c1521ec5486babe23` +- `cEURT / cXAUC` + - pool: `0xbA99bc1eAAC164569d5AcA96C806934DDaF970Cf` + - create tx: `0x1adaca76b3e34acd0807d5e11e334dd773b2146e4aeb45d67d5a54c1934d0e55` + +## Exact funding path for the public XAU pools + +### 5. Funding order + +Fund public XAU pools before changing private stabilization depth: + +1. `cUSDT / cXAUC` +2. `cUSDC / cXAUC` +3. `cEURT / cXAUC` +4. only then revisit private stabilization depth if needed + +### 6. Funding method + +The public XAU pools use the same PMM integration liquidity path: + +1. approve both tokens to `DODOPMMIntegration` +2. 
call `addLiquidity(pool, baseAmount, quoteAmount)` + +Example for `cUSDT / cXAUC`: + +```bash +INT="${DODOPMM_INTEGRATION:-$DODOPMM_INTEGRATION_ADDRESS}" +XAU="${XAU_ADDRESS_138:-0x290E52a8819A4fbD0714E517225429aA2B70EC6b}" +POOL=$(cast call "$INT" "pools(address,address)(address)" "$COMPLIANT_USDT_ADDRESS" "$XAU" --rpc-url "$RPC_URL_138" | cast --to-addr) + +cast send "$COMPLIANT_USDT_ADDRESS" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" +cast send "$XAU" "approve(address,uint256)" "$INT" 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" +cast send "$INT" "addLiquidity(address,uint256,uint256)" "$POOL" 1000000000000 1000000000000 --rpc-url "$RPC_URL_138" --private-key "$PRIVATE_KEY" +``` + +Repeat the same pattern for: + +- `cUSDC / cXAUC` +- `cEURT / cXAUC` + +### 7. Funding completed + +Successful funding transactions: + +- `cUSDT / cXAUC` + - fund tx: `0x7e00ec7a97fada7a9c238638bc019c6755feeb68be06c4b69e519b0eec6dd3b6` + - final reserves: `2,666,965 cUSDT / 519.477 cXAUC` +- `cUSDC / cXAUC` + - fund tx: `0x87ec3a710dfb785de6adaa4f191440cd4968e090c0afb1f21ba02c8e0501f7eb` + - final reserves: `1,000,000 cUSDC / 194.782554 cXAUC` +- `cEURT / cXAUC` + - fund tx: `0x995b785ab49f0ffc8f782a7d573259cf09fc57176d4fae19c1f6b274712e9e93` + - final reserves: `1,000,000 cEURT / 225.577676 cXAUC` + +Supporting approvals: + +- `cXAUC` approval: `0xd194c80b8246816ef88141736eb17dece478183b37053cfbe1fffd6efe2abc99` +- `cEURT` approval: `0x922d530cd65fdd139ff4e8c43a219b254d0c3df4e461a45f02f7832205735983` + +### 8. Suggested bootstrap amounts + +Use the same scale already proven on the private side unless treasury wants a different public depth target. 
+ +Reasonable bootstrap examples: + +- `cUSDT / cXAUC` + - base: `1,000,000e6` + - quote: `200e6` to `500e6` depending on desired starting depth +- `cUSDC / cXAUC` + - base: `1,000,000e6` + - quote: `150e6` to `250e6` +- `cEURT / cXAUC` + - base: `1,000,000e6` + - quote: `200e6` to `250e6` + +Final quote-side amounts should be treasury/policy-driven. The exact `cXAUC` depth can be calibrated against the current private pool ratios if parity is desired. + +## Post-funding verification + +After funding, verify: + +```bash +cast call "$COMPLIANT_USDT_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDT_XAU" --rpc-url "$RPC_URL_138" +cast call "$COMPLIANT_USDC_ADDRESS" "balanceOf(address)(uint256)" "$POOL_CUSDC_XAU" --rpc-url "$RPC_URL_138" +cast call "0xdf4b71c61E5912712C1Bdd451416B9aC26949d72" "balanceOf(address)(uint256)" "$POOL_CEURT_XAU" --rpc-url "$RPC_URL_138" +cast call "$XAU" "balanceOf(address)(uint256)" "$POOL_CUSDT_XAU" --rpc-url "$RPC_URL_138" +cast call "$XAU" "balanceOf(address)(uint256)" "$POOL_CUSDC_XAU" --rpc-url "$RPC_URL_138" +cast call "$XAU" "balanceOf(address)(uint256)" "$POOL_CEURT_XAU" --rpc-url "$RPC_URL_138" +``` + +Then verify the explorer `/pools` page shows: + +- real pool address +- `Funded (live)` +- a live note path derived from the integration mapping instead of the old `Not created` state + +## References + +- [CreatePublicXAUPoolsChain138.s.sol](../../smom-dbis-138/script/dex/CreatePublicXAUPoolsChain138.s.sol) +- [DeployPrivatePoolRegistryAndPools.s.sol](../../smom-dbis-138/script/dex/DeployPrivatePoolRegistryAndPools.s.sol) +- [AddLiquidityPMMPoolsChain138.s.sol](../../smom-dbis-138/script/dex/AddLiquidityPMMPoolsChain138.s.sol) +- [CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md](./CHAIN138_PMM_REDEPLOY_AND_POOL_FUNDING_RUNBOOK.md) diff --git a/docs/03-deployment/FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md b/docs/03-deployment/FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md new file mode 100644 index 0000000..a7537e6 --- /dev/null 
+++ b/docs/03-deployment/FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md 
@@ -0,0 +1,137 @@ +# Final Unblock Checklist: Mainnet and BSC + +**Date:** 2026-03-26 +**Wallet:** `0x4A666F96fC8764181194447A7dFdb7d471b301C8` + +This checklist captures the **exact remaining top-up targets** after the live funding pass already completed on Ethereum Mainnet. + +## Current post-funding state + +### Mainnet + +- Deployer ETH: `0.003345428710812742` +- Deployer LINK: `0` +- Deployer WETH9: `0` +- `MAINNET_CCIP_WETH9_BRIDGE` LINK: `0.215485646892774955` +- `MAINNET_CCIP_WETH10_BRIDGE` LINK: `0.215485646892774955` +- `CCIP_RELAY_BRIDGE_MAINNET` WETH: `0.002634280582011289` +- `LiquidityPoolETH` available ETH: `0.015` +- `LiquidityPoolETH` available WETH: `0.001` + +### BSC + +- Deployer BNB: `0.0091250643` +- Deployer LINK: `0` +- Deployer WETH: `0` +- `CCIPWETH9_BRIDGE_BSC` LINK: `0` +- `CCIPWETH10_BRIDGE_BSC` LINK: `0` + +## Exact top-up targets + +### 1. Mainnet deployer gas reserve + +Repo recommendation: keep **`0.05 ETH`** on the deployer for safe operator headroom. + +- Current: `0.003345428710812742 ETH` +- Target: `0.05 ETH` +- **Top up:** `0.046654571289187258 ETH` + +### 2. Mainnet CCIP bridge LINK + +Repo recommendation: **`10 LINK per bridge`**. + +- `MAINNET_CCIP_WETH9_BRIDGE` + - Current: `0.215485646892774955 LINK` + - Target: `10 LINK` + - **Top up:** `9.784514353107225045 LINK` +- `MAINNET_CCIP_WETH10_BRIDGE` + - Current: `0.215485646892774955 LINK` + - Target: `10 LINK` + - **Top up:** `9.784514353107225045 LINK` +- **Mainnet CCIP LINK total top-up:** `19.56902870621445009 LINK` + +### 3. Mainnet trustless LP target + +Operator runbook example target: + +- LP ETH target: **`1 ETH`** +- LP WETH target: **`0.5 WETH`** + +Current: + +- LP ETH available: `0.015 ETH` +- LP WETH available: `0.001 WETH` + +Top-ups: + +- **ETH top-up:** `0.985 ETH` +- **WETH top-up:** `0.499 WETH` + +### 4. 
Mainnet relay bridge WETH target + +There is no hardcoded repo target for relay inventory, so use a small bootstrap target unless you have a higher payout requirement. + +- Suggested bootstrap target: **`0.01 WETH`** +- Current: `0.002634280582011289 WETH` +- **Top up:** `0.007365719417988711 WETH` + +### 5. BSC deployer gas reserve + +Repo recommendation: keep **`0.06 BNB`** on the deployer. + +- Current: `0.0091250643 BNB` +- Target: `0.06 BNB` +- **Top up:** `0.0508749357 BNB` + +### 6. BSC CCIP bridge LINK + +Repo recommendation: **`10 LINK per bridge`**. + +- `CCIPWETH9_BRIDGE_BSC` + - Current: `0 LINK` + - Target: `10 LINK` + - **Top up:** `10 LINK` +- `CCIPWETH10_BRIDGE_BSC` + - Current: `0 LINK` + - Target: `10 LINK` + - **Top up:** `10 LINK` +- **BSC CCIP LINK total top-up:** `20 LINK` + +### 7. BSC relay bridge WETH (optional, only if relay mode is used) + +If you are operating the BSC relay flow from `services/relay/.env.bsc`, top up the destination relay bridge too. + +- Suggested bootstrap target: **`0.01 WETH`** +- Current deployer WETH on BSC: `0` +- **Acquire and transfer:** `0.01 WETH` to `DEST_RELAY_BRIDGE` + +## One-pass operator sequence after top-up + +1. Fund Mainnet deployer ETH reserve to `0.05 ETH`. +2. Fund Mainnet CCIP bridges to `10 LINK` each: + - `MAINNET_CCIP_WETH9_BRIDGE` + - `MAINNET_CCIP_WETH10_BRIDGE` +3. Fund Mainnet LP to `1 ETH` and `0.5 WETH`. +4. Fund Mainnet relay bridge to `0.01 WETH` minimum. +5. Fund BSC deployer to `0.06 BNB`. +6. Fund BSC CCIP bridges to `10 LINK` each. +7. If relay mode is used on BSC, fund the BSC relay bridge with at least `0.01 WETH`. +8. Set `BOND_MANAGER_MAINNET` and `CHALLENGE_MANAGER_MAINNET` in `.env`. +9. Run the full live bridge test from [`live-test-trustless-bridge.sh`](../../smom-dbis-138/scripts/deployment/live-test-trustless-bridge.sh). 
+ +## Scripted paths + +- One-command operator wrapper: + - [`run-final-unblock-checklist.sh`](../../smom-dbis-138/scripts/deployment/run-final-unblock-checklist.sh) + - Status-only preflight: + - `./scripts/deployment/run-final-unblock-checklist.sh --status-only` + - JSON preflight for CI/dashboards: + - `./scripts/deployment/run-final-unblock-checklist.sh --status-only --json` +- Mainnet LP funding: + - [`fund-mainnet-lp.sh`](../../smom-dbis-138/scripts/deployment/fund-mainnet-lp.sh) +- Mainnet relay bridge funding: + - [`fund-mainnet-relay-bridge.sh`](../../smom-dbis-138/scripts/bridge/fund-mainnet-relay-bridge.sh) +- BSC relay bridge funding: + - [`fund-bsc-relay-bridge.sh`](../../smom-dbis-138/scripts/bridge/fund-bsc-relay-bridge.sh) +- Multi-chain LINK funding: + - [`fund-ccip-bridges-with-link.sh`](../../smom-dbis-138/scripts/deployment/fund-ccip-bridges-with-link.sh) diff --git a/docs/04-configuration/FQDN_EXPECTED_CONTENT.md b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md new file mode 100644 index 0000000..e0b550d --- /dev/null +++ b/docs/04-configuration/FQDN_EXPECTED_CONTENT.md 
@@ -0,0 +1,119 @@ +# FQDN expected content (what users and clients should see) + +**Last Updated:** 2026-03-27 (Sankofa hostname tiers: public / SSO / dash) +**Purpose:** One-page description of **what should be presented** at each public NPM-routed hostname after HTTPS. Use this before pruning evidence or changing proxies so expectations stay aligned with product intent. + +**Canonical routing (IPs, VMIDs, ports):** [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md), [RPC_ENDPOINTS_MASTER.md](RPC_ENDPOINTS_MASTER.md). +**Product depth (Sankofa / Phoenix / explorer narrative):** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md). +**Automated checks:** [E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md), `scripts/verify/verify-end-to-end-routing.sh`. + +--- + +## Legend + +| Kind | Meaning | +|------|---------| +| **Web** | Browser loads HTML (or SPA shell); humans see pages, forms, or dashboards. | +| **API** | Primarily JSON over HTTPS; browsers may see errors unless hitting documented REST paths. | +| **RPC-HTTP** | **No marketing page.** JSON-RPC 2.0 over HTTPS POST to `/` (or provider path); wallets and backends consume JSON. | +| **RPC-WS** | **No HTML.** WebSocket upgrade; JSON-RPC / subscription traffic. | +| **301** | Apex policy: `www.*` redirects to non-www HTTPS (see NPM `advanced_config`). | + +--- + +## sankofa.nexus zone + +**Canonical roles:** [EXPECTED_WEB_CONTENT.md](../02-architecture/EXPECTED_WEB_CONTENT.md) (hostname model table). + +### Public web (unauthenticated visitors for marketing / division pages) + +| FQDN | Kind | What should be displayed or returned | +|------|------|--------------------------------------| +| `sankofa.nexus` | Web | **Sankofa — Sovereign Technologies:** public corporate / brand web (mission, narrative, entry points). | +| `www.sankofa.nexus` | 301 → apex | Browser ends on `https://sankofa.nexus/...`. 
| +| `phoenix.sankofa.nexus` | Web / API | **Phoenix Cloud Services** (division of Sankofa): public-facing **division web** (intent). Same deployment may still expose API paths (`/health`, `/graphql`, …). E2E verifier may use `/health`. | +| `www.phoenix.sankofa.nexus` | 301 → apex | Browser ends on `https://phoenix.sankofa.nexus/...`. | + +### Client SSO (system SSO; Keycloak as IdP) + +| FQDN | Kind | What should be displayed or returned | +|------|------|--------------------------------------| +| `keycloak.sankofa.nexus` | Web / IdP | **Identity provider** for client SSO: realm login UI, OIDC/SAML well-known and token endpoints; operator **Keycloak admin** at `/admin`. Backs **`admin`** and **`portal`** redirects—not a substitute for those apps. | +| `admin.sankofa.nexus` | Web | **Client SSO:** administer access (users, roles, org access policy). | +| `portal.sankofa.nexus` | Web | **Client SSO:** Phoenix cloud services, Sankofa Marketplace subscriptions, and other **client-facing** services. | + +### Operator / systems (IP-gated + MFA) + +| FQDN | Kind | What should be displayed or returned | +|------|------|--------------------------------------| +| `dash.sankofa.nexus` | Web | **IP allowlisting** + **system authentication** + **MFA:** unified admin for Sankofa, Phoenix, Gitea, and related systems (not the client self-service portal). | + +### Other properties on the zone + +| FQDN | Kind | What should be displayed or returned | +|------|------|--------------------------------------| +| `the-order.sankofa.nexus` | Web | **OSJ / Order management** portal (secure auth); app **the_order**. Upstream: HAProxy **10210** → portal stack. | +| `www.the-order.sankofa.nexus` | 301 → apex | Browser ends on `https://the-order.sankofa.nexus/...`. | +| `studio.sankofa.nexus` | Web | **Sankofa Studio (FusionAI)** UI under `/studio/` (and related API routes on same origin). 
| + +--- + +## d-bis.org (DBIS + infrastructure) + +| FQDN | Kind | What should be displayed or returned | +|------|------|--------------------------------------| +| `explorer.d-bis.org` | Web | **SolaceScanScout / Blockscout** UI: blocks, txs, addresses, tokens, contract verification for **Chain 138**. Public, no login for browse. | +| `docs.d-bis.org` | Web | Same Blockscout nginx host as explorer where configured; may serve docs paths (see explorer deploy runbooks). | +| `dbis-admin.d-bis.org` | Web | DBIS **admin** frontend (dashboard). | +| `secure.d-bis.org` | Web | DBIS **secure** authenticated portal. | +| `dbis-api.d-bis.org` | API | DBIS **core API** (aggregation, OTC, exchange JSON). | +| `dbis-api-2.d-bis.org` | API | Secondary DBIS API instance. | +| `mim4u.org`, `www.mim4u.org`, `secure.mim4u.org`, `training.mim4u.org` | Web | **MIM4U** property sites (nginx on MIM stack). | +| `rpc-http-pub.d-bis.org`, `rpc.d-bis.org`, `rpc2.d-bis.org` | RPC-HTTP | **Public Besu JSON-RPC** (Chain 138); `eth_chainId` → `0x8a`. | +| `rpc-ws-pub.d-bis.org`, `ws.rpc.d-bis.org`, `ws.rpc2.d-bis.org` | RPC-WS | **Public Besu WebSocket** RPC. | +| `rpc-http-prv.d-bis.org` | RPC-HTTP | **Core / private** JSON-RPC (permissioned use). | +| `rpc-ws-prv.d-bis.org` | RPC-WS | **Core / private** WebSocket RPC. | +| `rpc-fireblocks.d-bis.org` | RPC-HTTP | **Fireblocks-dedicated** JSON-RPC endpoint. | +| `ws.rpc-fireblocks.d-bis.org` | RPC-WS | **Fireblocks-dedicated** WebSocket RPC. | +| `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org` | RPC-HTTP | **Alltra** RPC fronts (tunnel to NPM); JSON-RPC for Chain 138 (or as configured on those edges). | +| `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org` | RPC-HTTP | **HYBX** RPC fronts; same class as Alltra. | +| `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org` | Web | **Cacti** monitoring UI (graphs, device views). 
| +| `mifos.d-bis.org` | Web | **Mifos** banking platform UI (when backend healthy). | +| `dapp.d-bis.org` | Web | **DApp** static/hosted frontend (VMID per ALL_VMIDS). | +| `gitea.d-bis.org` | Web | **Gitea** git forge UI. | +| `dev.d-bis.org` | Web | **Dev** workspace UI (codespaces / dev host). | +| `codespaces.d-bis.org` | Web | **Codespaces / dev** related web entry (as wired on NPM). | + +--- + +## defi-oracle.io (ThirdWeb / public edge) + +| FQDN | Kind | What should be displayed or returned | +|------|------|--------------------------------------| +| `rpc.public-0138.defi-oracle.io` | RPC-HTTP | **ThirdWeb-style HTTPS RPC** terminator on VMID 2400; JSON-RPC to Chain 138. | +| `rpc.defi-oracle.io` | RPC-HTTP | Public JSON-RPC alias (same Besu public stack as `rpc.d-bis.org` family when healthy). | +| `wss.defi-oracle.io` | RPC-WS | Public WebSocket RPC companion. | + +**Note:** `blockscout.defi-oracle.io` is a **separate Blockscout** hostname (generic / reference). Not the canonical DBIS explorer; same class of **web** explorer UI as Blockscout. See EXPECTED_WEB_CONTENT. + +--- + +## xom-dev.phoenix.sankofa.nexus (gov portals dev) + +| FQDN | Kind | What should be displayed or returned | +|------|------|--------------------------------------| +| `dbis.xom-dev.phoenix.sankofa.nexus` | Web | Gov portals **dev** app on port **3001** (VMID 7804 family). | +| `iccc.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3002**. | +| `omnl.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3003**. | +| `xom.xom-dev.phoenix.sankofa.nexus` | Web | Idem, port **3004**. | + +--- + +## Operator checklist + +- **Wrong content** (e.g. explorer UI on `sankofa.nexus`, or HTML on RPC hostname) usually means **NPM upstream** or **DNS** is wrong — fix with `update-npmplus-proxy-hosts-api.sh` and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). +- **301 on `www.*`** is intentional; content is judged on the **apex** hostname after redirect. 
+ +--- + +**Inventory alignment:** Public hostnames above follow `DOMAIN_TYPES_ALL` in `scripts/verify/verify-end-to-end-routing.sh` plus `keycloak.sankofa.nexus`, `docs.d-bis.org`, `blockscout.defi-oracle.io`, and xom-dev hosts. **`admin.sankofa.nexus`**, **`portal.sankofa.nexus`**, and **`dash.sankofa.nexus`** are **product-intent** hostnames—add to NPM and the E2E script when upstreams are wired. Add new rows here when you add NPM hosts. diff --git a/docs/11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md b/docs/11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md new file mode 100644 index 0000000..a20b616 --- /dev/null +++ b/docs/11-references/COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md 
@@ -0,0 +1,29 @@ +# Complete Credential and eIDAS program — repository authority + +**Last Updated:** 2026-03-25 +**Purpose:** Single **proxmox-repo** pointer for where Complete Credential and **eIDAS SAML connector** source and runbooks live, so deployment truth is not inferred only from chat or scattered ADRs. + +--- + +## Canonical program umbrella + +- **Complete Credential** (umbrella program): integration and governance docs typically live in the **Complete Credential** / **DBIS** documentation space (e.g. `complete-credential` umbrella on Gitea). Clone path on operator workstations is often a **sibling** of `proxmox`, not a submodule of this repo. + +## eIDAS receiving Member State connector (reference implementation) + +- **Component:** SAML **Attribute Consumer Service (ACS)** / connector skeleton (e.g. `cc-eidas-connector` in the Complete Credential monorepo or submodule). +- **This `proxmox` repo:** contains **orchestration, DNS, NPM, Chain 138**, and **Sankofa Phoenix** service descriptions — **not** the Android or Java connector source tree unless explicitly added as a submodule later. + +## Machine-readable registry + +Authoritative **IDs, doc roles, and clone hints** for automation and runbooks: +[`config/public-sector-program-manifest.json`](../../config/public-sector-program-manifest.json) + +## Related architecture baseline + +- [PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](../02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md) +- Phoenix **service catalog** contract (implementation may be out-of-tree): Complete Credential `docs/integrations/PHOENIX_SERVICE_CATALOG_SPEC.md`; machine-readable SKUs: [public-sector-program-manifest.json](../../config/public-sector-program-manifest.json) (`catalogSkus`). + +--- + +**Note:** Default `repoUrl` values in the manifest point at `https://gitea.d-bis.org/Sankofa_Phoenix/…`. 
If a repo name differs on Gitea, update [`config/public-sector-program-manifest.json`](../../config/public-sector-program-manifest.json).
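Review bot: In CHAIN138_XAU_POOL_STATUS_AND_PUBLIC_CREATION_PATH.md section 6 ("Funding method"), the `cUSDT / cXAUC` example passes `1000000000000` as both `baseAmount` and `quoteAmount`. That equals the section 8 base of `1,000,000e6` but is far above the suggested quote of `200e6` to `500e6` and the recorded final reserve of `519.477 cXAUC`. An operator pasting the example would approve and deposit the wrong cXAUC amount. Use separate `BASE_AMOUNT` and `QUOTE_AMOUNT` variables, with the quote taken from the section 8 range. The `forge script` and `cast send` commands also pass `--private-key "$PRIVATE_KEY"` as an argument, which is visible in the process list; Foundry's keystore option (`--account`) avoids that. Sections 3 and "Post-funding verification" hardcode `0xdf4b71c61E5912712C1Bdd451416B9aC26949d72` although `cEURT_ADDRESS_138` is exported in the preconditions, and `POOL_CUSDT_XAU`, `POOL_CUSDC_XAU` and `POOL_CEURT_XAU` are used without any visible step that sets them.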
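Review bot: In FINAL_UNBLOCK_CHECKLIST_MAINNET_BSC.md, the "Exact top-up targets" are computed to the wei from balances dated 2026-03-26, so every figure is stale after the next transaction from the deployer or a bridge. Label the "Current" values as a snapshot and tell operators to rerun `./scripts/deployment/run-final-unblock-checklist.sh --status-only` before each transfer rather than sending the printed amounts. Sections 3 and 4 also need `0.499 WETH` and `0.007365719417988711 WETH` on Mainnet while the deployer WETH9 balance is listed as `0`, yet the one-pass sequence has no wrap or acquire step (section 7 has "Acquire and transfer" for BSC only). Step 8 asks for `BOND_MANAGER_MAINNET` and `CHALLENGE_MANAGER_MAINNET` in `.env` without saying where those values come from.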
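Review bot: In FQDN_EXPECTED_CONTENT.md, the `keycloak.sankofa.nexus` row documents the operator Keycloak admin console at `/admin` on a client-SSO hostname, with none of the IP allowlisting and MFA that the `dash.sankofa.nexus` row requires for operator surfaces. State what a request to `/admin` from a non-allowlisted source should return, or list the admin console under the operator tier, so the E2E check can assert it. The `rpc-http-prv.d-bis.org` and `rpc-ws-prv.d-bis.org` rows have the same gap: they say "permissioned use" but not what an unauthorized client should receive, which is the question this page exists to answer.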
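Review bot: In COMPLETE_CREDENTIAL_EIDAS_PROGRAM_REPOS.md, the two location bullets hedge ("typically live in", "is often a sibling", "monorepo or submodule"), so a page titled "repository authority" still leaves the location of `cc-eidas-connector` to inference. Either name the manifest entry that resolves each component or say outright that the manifest is the only authority and this page is a pointer to it. The linked `config/public-sector-program-manifest.json` is not among the seven files in this patch's diffstat, so confirm it already exists on the target branch; otherwise the three links to it here and the one in the architecture baseline are dead on merge.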