Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.

- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor

scripts/op-stack/prepare-operator-ct.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROLE="${1:-}"
+if [[ "$ROLE" != "deployer" && "$ROLE" != "ops" ]]; then
+  echo "Usage: $0 <deployer|ops>" >&2
+  exit 1
+fi
+
+SERVICE_USER="${OP_STACK_SERVICE_USER:-opstack}"
+SERVICE_GROUP="${OP_STACK_SERVICE_GROUP:-opstack}"
+INSTALL_ROOT="${OP_STACK_INSTALL_ROOT:-/opt/op-stack}"
+STATE_ROOT="${OP_STACK_STATE_ROOT:-/var/lib/op-stack}"
+CONFIG_ROOT="${OP_STACK_CONFIG_ROOT:-/etc/op-stack}"
+
+if ! getent group "$SERVICE_GROUP" >/dev/null 2>&1; then
+  groupadd --system "$SERVICE_GROUP"
+fi
+
+if ! id -u "$SERVICE_USER" >/dev/null 2>&1; then
+  useradd \
+    --system \
+    --home-dir "$STATE_ROOT" \
+    --create-home \
+    --shell /usr/sbin/nologin \
+    --gid "$SERVICE_GROUP" \
+    "$SERVICE_USER"
+fi
+
+install -d -m 755 "$INSTALL_ROOT" "$INSTALL_ROOT/bin" "$INSTALL_ROOT/src" "$INSTALL_ROOT/workdir"
+install -d -m 750 "$STATE_ROOT"
+install -d -m 750 \
+  "$STATE_ROOT/artifacts" \
+  "$STATE_ROOT/jwt" \
+  "$STATE_ROOT/logs" \
+  "$STATE_ROOT/op-node" \
+  "$STATE_ROOT/op-reth" \
+  "$STATE_ROOT/batcher" \
+  "$STATE_ROOT/proposer" \
+  "$STATE_ROOT/challenger"
+
+if [[ "$ROLE" == "deployer" ]]; then
+  install -d -m 750 "$STATE_ROOT/deployer" "$STATE_ROOT/deployer/.deployer"
+else
+  install -d -m 750 "$STATE_ROOT/runtime"
+fi
+
+chown -R "$SERVICE_USER:$SERVICE_GROUP" "$INSTALL_ROOT" "$STATE_ROOT"
+
+install -d -m 755 "$CONFIG_ROOT" "$CONFIG_ROOT/systemd-examples"
+
+write_stub_if_missing() {
+  local path="$1"
+  local content="$2"
+  if [[ ! -s "$path" ]]; then
+    printf '%s\n' "$content" > "$path"
+    chmod 640 "$path"
+  fi
+}
+
+write_stub_if_missing "$CONFIG_ROOT/op-stack-l2.env" "# Fill and keep secret values out of git
+# OP_STACK_L2_CHAIN_ID=
+# L1_RPC_URL=
+# L1_BEACON_URL=
+# L2_CHAIN_NAME=
+"
+
+write_stub_if_missing "$CONFIG_ROOT/op-deployer.env" "# Deployer-side secrets and RPCs
+# L1_RPC_URL=
+# PRIVATE_KEY=
+# DEPLOYER_WORKDIR=/var/lib/op-stack/deployer/.deployer
+"
+
+write_stub_if_missing "$CONFIG_ROOT/op-node.env" "# Consensus client
+# L1_RPC_URL=
+# L1_BEACON_URL=
+# L2_ENGINE_RPC_URL=http://127.0.0.1:8551
+# JWT_SECRET=/etc/op-stack/jwt.hex
+# ROLLUP_CONFIG=/var/lib/op-stack/artifacts/rollup.json
+"
+
+write_stub_if_missing "$CONFIG_ROOT/op-reth.env" "# Preferred execution client
+# DATA_DIR=/var/lib/op-stack/op-reth
+# JWT_SECRET=/etc/op-stack/jwt.hex
+# CHAIN_CONFIG=/var/lib/op-stack/artifacts/genesis.json
+"
+
+write_stub_if_missing "$CONFIG_ROOT/sequencer.env" "# Legacy op-geth fallback only
+# DATA_DIR=/var/lib/op-stack/op-geth
+# JWT_SECRET=/etc/op-stack/jwt.hex
+"
+
+write_stub_if_missing "$CONFIG_ROOT/batcher.env" "# Batcher
+# L1_RPC_URL=
+# L2_RPC_URL=
+# PRIVATE_KEY=
+"
+
+write_stub_if_missing "$CONFIG_ROOT/proposer.env" "# Proposer
+# L1_RPC_URL=
+# L2_RPC_URL=
+# PRIVATE_KEY=
+"
+
+write_stub_if_missing "$CONFIG_ROOT/challenger.env" "# Challenger
+# L1_RPC_URL=
+# L2_RPC_URL=
+# PRIVATE_KEY=
+"
+
+chown root:"$SERVICE_GROUP" "$CONFIG_ROOT"/*.env
+
+if [[ ! -s "$CONFIG_ROOT/jwt.hex" ]]; then
+  openssl rand -hex 32 > "$CONFIG_ROOT/jwt.hex"
+fi
+chmod 640 "$CONFIG_ROOT/jwt.hex"
+chown root:"$SERVICE_GROUP" "$CONFIG_ROOT/jwt.hex"
+
+cat <<EOF
+Prepared OP Stack $ROLE workspace
+  service user:  $SERVICE_USER:$SERVICE_GROUP
+  install root:  $INSTALL_ROOT
+  state root:    $STATE_ROOT
+  config root:   $CONFIG_ROOT
+EOF