Align E2E profile workflow across scripts and runbooks

docs/05-network/CHECK_ALL_UPDATES_AND_CLOUDFLARE_TUNNELS.md

@@ -69,7 +69,7 @@ The dev/Codespaces FQDN (gitea.d-bis.org, dev.d-bis.org, codespaces.d-bis.org) i
 
 | Check | Command |
 |-------|--------|
-| **E2E (all domains incl. Gitea)** | `bash scripts/verify/verify-end-to-end-routing.sh` |
+| **E2E (all domains incl. Gitea)** | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
 | **RPC tunnel ingress (from host with VMID 102)** | `bash scripts/verify/verify-cloudflare-tunnel-ingress.sh [--host 192.168.11.11]` |
 | **Dev/Codespaces tunnel + DNS** | `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` (updates ingress + CNAMEs) |
 | **NPMplus Fourth proxy (gitea → .59:3000)** | `NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` |

docs/05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md

@@ -80,7 +80,7 @@ From the project root:
 
 ```bash
 cd /home/intlc/projects/proxmox
-bash scripts/verify/verify-end-to-end-routing.sh
+bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 
 Optional environment variables:
@@ -95,7 +95,7 @@ Optional environment variables:
 Example when using Fastly (DNS points to Fastly, not 76.53.10.36):
 
 ```bash
-ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh
+ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 
 Outputs:
@@ -141,7 +141,7 @@ If any domain fails:
 
 ## Blockscout and explorer.d-bis.org (E2E completion)
 
-- **Public E2E**: `verify-end-to-end-routing.sh` tests explorer.d-bis.org as **web** (DNS, SSL, HTTPS). It also runs an **optional** Blockscout API check (GET `https://explorer.d-bis.org/api/v2/stats`). If the API is unreachable (e.g. run from off-LAN), the result is recorded as `skip` and does not fail the run. Use `SKIP_BLOCKSCOUT_API=1` to skip this check entirely.
+- **Public E2E**: `verify-end-to-end-routing.sh --profile=public` tests explorer.d-bis.org as **web** (DNS, SSL, HTTPS). It also runs an **optional** Blockscout API check (GET `https://explorer.d-bis.org/api/v2/stats`). If the API is unreachable (e.g. run from off-LAN), the result is recorded as `skip` and does not fail the run. Use `SKIP_BLOCKSCOUT_API=1` to skip this check entirely.
 - **Fix Blockscout** (502, DB, migrations): Run on Proxmox host or from LAN per [BLOCKSCOUT_FIX_RUNBOOK.md](../03-deployment/BLOCKSCOUT_FIX_RUNBOOK.md). Key script: `scripts/fix-blockscout-ssl-and-migrations.sh`.
 - **Full explorer E2E on LAN**: For comprehensive explorer tests (frontend, API, services on VMID 5000), run from a host that can reach 192.168.11.140: `explorer-monorepo/scripts/e2e-test-explorer.sh`. Report: [explorer-monorepo/E2E_TEST_REPORT.md](../../../explorer-monorepo/E2E_TEST_REPORT.md).
 - **Daily checks**: Explorer indexer is checked by `scripts/maintenance/daily-weekly-checks.sh daily` using Blockscout `/api/v2/stats` (and fallback to `?module=stats&action=eth_price`).

docs/05-network/E2E_RPC_EDGE_LIMITATION.md

@@ -74,7 +74,7 @@ Follow the **Option B runbook** for step-by-step instructions and the DNS script
    - Follow [CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md): point all Public Hostnames (including the 6 RPC) to `http://192.168.11.167:80`, verify from VMID 102, restart cloudflared.
 2. **Point RPC hostnames to the tunnel** in Cloudflare DNS:
    - Run: `./scripts/set-rpc-dns-to-tunnel.sh` (uses `CLOUDFLARE_TUNNEL_ID` and zone IDs from `.env`), or set CNAME manually per the runbook.
-3. **Re-run E2E:** After DNS propagates, run `bash scripts/verify/troubleshoot-rpc-failures.sh` and `./scripts/verify/verify-end-to-end-routing.sh`; POST will succeed and the 6 RPC checks can pass.
+3. **Re-run E2E:** After DNS propagates, run `bash scripts/verify/troubleshoot-rpc-failures.sh` and `./scripts/verify/verify-end-to-end-routing.sh --profile=public`; POST will succeed and the 6 RPC checks can pass.
 
 ---
 
@@ -83,7 +83,7 @@ Follow the **Option B runbook** for step-by-step instructions and the DNS script
 When the only failures are the 6 RPC (edge blocking POST), you can still treat E2E as successful for DNS and HTTPS:
 
 ```bash
-E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 ./scripts/verify/verify-end-to-end-routing.sh
+E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 
 - Exit code is **0** when DNS and HTTPS all pass and all failures are RPC.

docs/05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md

@@ -117,7 +117,7 @@ bash scripts/verify/troubleshoot-rpc-failures.sh
 
 # Full E2E (no need for E2E_SUCCESS_IF_ONLY_RPC_BLOCKED when RPC passes)
 # Use ACCEPT_ANY_DNS=1 so the 6 RPC hostnames (resolving to Cloudflare) count as DNS pass
-ACCEPT_ANY_DNS=1 ./scripts/verify/verify-end-to-end-routing.sh
+ACCEPT_ANY_DNS=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```
 
 ---
@@ -150,4 +150,4 @@ To send RPC traffic back through the UDM Pro (and accept 405 again):
 | 1 | Tunnel Public Hostnames: all 6 RPC hostnames → https://192.168.11.167:443 (No TLS Verify) |
 | 2 | (Optional) Verify origin from VMID 102 |
 | 3 | DNS: 6 RPC hostnames → CNAME to <tunnel-id>.cfargotunnel.com (Proxied) |
-| 4 | Re-run troubleshoot-rpc-failures.sh and verify-end-to-end-routing.sh |
+| 4 | Re-run troubleshoot-rpc-failures.sh and verify-end-to-end-routing.sh --profile=public |

docs/05-network/README.md

@@ -26,7 +26,7 @@ This directory contains network infrastructure documentation.
 
 ## Quick Reference
 
-**Edge:** UDM Pro (76.53.10.34); origin 76.53.10.36 → NPMplus 192.168.11.167. **Option B:** 6 RPC hostnames via Cloudflare Tunnel. E2E: `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh` when using Option B.
+**Edge:** UDM Pro (76.53.10.34); origin 76.53.10.36 → NPMplus 192.168.11.167. **Option B:** 6 RPC hostnames via Cloudflare Tunnel. E2E: `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public` when using Option B.
 
 ## Related Documentation
 
@@ -34,4 +34,3 @@ This directory contains network infrastructure documentation.
 - **[../02-architecture/NETWORK_ARCHITECTURE.md](../02-architecture/NETWORK_ARCHITECTURE.md)** - Complete network architecture
 - **[../04-configuration/RPC_ENDPOINTS_MASTER.md](../04-configuration/RPC_ENDPOINTS_MASTER.md)** - RPC proxy and DNS
 - **[../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md](../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md)** - Option B tunnel connector install
-