Sync workspace: config, docs, scripts, CI, operator rules, and submodule pointers.

- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains
- Omit embedded publish git dirs and empty placeholders from index

Made-with: Cursor

scripts/operator/README.md

@@ -0,0 +1,14 @@
+# Operator scripts — scope classes
+
+Scripts here touch **live Proxmox / edge** systems. Prefer **narrow scope** and **dry-run first**.
+
+| Script | Class | Notes |
+|--------|-------|--------|
+| `start-stopped-lxc-scoped.sh` | **Scoped mutate** | Requires `--host` + `--vmid` (repeat); default dry-run; `--apply` or `PROXMOX_OPS_APPLY=1` to run `pct start`. |
+| `upgrade-gitea-lxc.sh` | Scoped | Use `--dry-run` per script header. |
+
+**Shared helpers:** `scripts/lib/proxmox-production-guard.sh` — `PROXMOX_OPS_APPLY`, `PROXMOX_OPS_ALLOWED_VMIDS`, `PROXMOX_SAFE_DEFAULTS`.
+
+**Broad orchestration** (multiple subsystems) remains in `scripts/run-all-operator-tasks-from-lan.sh` and `scripts/maintenance/run-all-maintenance-via-proxmox-ssh.sh` — review `--dry-run` before running on production.
+
+See also: `AGENTS.md` (Production safety), `.cursor/rules/proxmox-production-safety.mdc`.

scripts/operator/start-stopped-lxc-scoped.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# Start specific stopped LXC containers on ONE Proxmox host — scoped, production-safe.
+# Default: dry-run only. No host-wide "start everything" without explicit VMIDs.
+#
+# Usage:
+#   ./scripts/operator/start-stopped-lxc-scoped.sh --host 192.168.11.13 --vmid 2400 --vmid 2402
+#   ./scripts/operator/start-stopped-lxc-scoped.sh --host 192.168.11.13 --vmid 2400 --apply
+#
+# Env (optional):
+#   PROXMOX_OPS_APPLY=1     Same as --apply
+#   PROXMOX_OPS_ALLOWED_VMIDS="2400,2402"   Refuse any --vmid not in this set
+#
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck source=../lib/proxmox-production-guard.sh
+source "$SCRIPT_DIR/../lib/proxmox-production-guard.sh"
+
+SSH_OPTS=( -o BatchMode=yes -o ConnectTimeout=20 -o StrictHostKeyChecking=no )
+SSH_USER="${PROXMOX_SSH_USER:-root}"
+
+HOST=""
+declare -a VMIDS=()
+APPLY=false
+
+usage() {
+  sed -n '1,20p' "$0" | tail -n +2
+  echo ""
+  echo "Options:"
+  echo "  --host IP|NAME   Required. Single Proxmox node (no multi-host sweep)."
+  echo "  --vmid N         Required (repeatable). Only these CTs are considered."
+  echo "  --apply          Actually run pct start (otherwise print plan only)."
+  echo "  -h, --help"
+  exit "${1:-0}"
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --host) HOST="${2:?}"; shift 2 ;;
+    --vmid) VMIDS+=("${2:?}"); shift 2 ;;
+    --apply) APPLY=true; shift ;;
+    -h|--help) usage 0 ;;
+    *) echo "Unknown arg: $1" >&2; usage 1 ;;
+  esac
+done
+
+[[ -n "$HOST" ]] || { echo "ERROR: --host required" >&2; usage 1; }
+[[ "${#VMIDS[@]}" -gt 0 ]] || { echo "ERROR: at least one --vmid required (refusing host-wide start-all)" >&2; usage 1; }
+
+if ! pguard_require_apply_flag "$APPLY"; then
+  MODE="DRY-RUN"
+else
+  MODE="APPLY"
+  export PROXMOX_OPS_APPLY=1
+fi
+
+echo "=== start-stopped-lxc-scoped ($MODE) ==="
+echo "  host=$HOST user=$SSH_USER"
+echo "  vmids=${VMIDS[*]}"
+
+for vmid in "${VMIDS[@]}"; do
+  pguard_vmid_allowed "$vmid" || exit 2
+done
+
+run_ssh() { ssh "${SSH_OPTS[@]}" "${SSH_USER}@${HOST}" "$@"; }
+
+for vmid in "${VMIDS[@]}"; do
+  st="$(run_ssh "pct status $vmid 2>/dev/null | awk '/^status:/{print \$2}'" || echo "unknown")"
+  echo "  VMID $vmid status: ${st:-unknown}"
+  if [[ "$st" != "stopped" ]]; then
+    echo "    skip (not stopped)"
+    continue
+  fi
+  if [[ "$MODE" == "DRY-RUN" ]]; then
+    echo "    [DRY-RUN] would: pct start $vmid"
+    continue
+  fi
+  run_ssh "pct start $vmid" && echo "    ok: pct start $vmid" || echo "    FAIL: pct start $vmid" >&2
+done
+
+if [[ "$MODE" == "DRY-RUN" ]]; then
+  echo ""
+  echo "No changes made. Re-run with --apply or PROXMOX_OPS_APPLY=1 to execute."
+fi

scripts/operator/upgrade-gitea-lxc.sh

@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+# Upgrade Gitea binary inside LXC VMID 104 (infra forge) via Proxmox pct.
+# Prerequisites: SSH root@PROXMOX host, CT running, tteck-style paths (/usr/local/bin/gitea, /etc/gitea/app.ini).
+#
+# Usage:
+#   ./scripts/operator/upgrade-gitea-lxc.sh [--dry-run] [--version=1.22.6]
+# Env:
+#   PROXMOX_GITEA_HOST   (default: PROXMOX_HOST_R630_01 from config/ip-addresses.conf)
+#   GITEA_VMID           (default: 104)
+#   GITEA_VERSION        (default: empty = resolve "latest" from GitHub API on the CT)
+#   GITEA_ARCH           (default: linux-amd64; use linux-arm64 on aarch64 LXCs)
+#
+# See: docs/04-configuration/GITEA_PLATFORM_AND_UPGRADE_RUNBOOK.md
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck source=/dev/null
+source "$PROJECT_ROOT/config/ip-addresses.conf" 2>/dev/null || true
+# shellcheck source=/dev/null
+source "$PROJECT_ROOT/scripts/lib/load-project-env.sh" 2>/dev/null || true
+
+GITEA_VMID="${GITEA_VMID:-104}"
+PROXMOX_GITEA_HOST="${PROXMOX_GITEA_HOST:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
+GITEA_VERSION="${GITEA_VERSION:-}"
+GITEA_ARCH="${GITEA_ARCH:-linux-amd64}"
+DRY_RUN=0
+
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run) DRY_RUN=1 ;;
+    --version=*) GITEA_VERSION="${arg#--version=}" ;;
+    --help|-h)
+      grep '^#' "$0" | grep -v '^#!/' | sed 's/^# \{0,1\}//'
+      exit 0
+      ;;
+  esac
+done
+
+ssh_exec() {
+  ssh -o ConnectTimeout=20 -o StrictHostKeyChecking=no "root@${PROXMOX_GITEA_HOST}" "$@"
+}
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "Gitea LXC upgrade"
+echo "  Proxmox: ${PROXMOX_GITEA_HOST}"
+echo "  VMID:    ${GITEA_VMID}"
+echo "  Arch:    ${GITEA_ARCH}"
+echo "  Version: ${GITEA_VERSION:-<latest from GitHub API>}"
+echo "  Dry-run: ${DRY_RUN}"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+if ! ssh_exec "pct status '${GITEA_VMID}'" >/dev/null 2>&1; then
+  echo "ERROR: pct status ${GITEA_VMID} failed on ${PROXMOX_GITEA_HOST} (SSH or VMID)." >&2
+  exit 1
+fi
+
+# Pass safe quoted env into CT
+_ver_q=$(printf '%q' "$GITEA_VERSION")
+_arch_q=$(printf '%q' "$GITEA_ARCH")
+
+ssh_exec "pct exec ${GITEA_VMID} -- env GITEA_TARGET_VERSION=${_ver_q} GITEA_ARCH=${_arch_q} DRY_RUN=${DRY_RUN} bash -s" <<'REMOTE'
+set -euo pipefail
+if [[ ! -f /usr/local/bin/gitea ]]; then
+  echo "ERROR: /usr/local/bin/gitea not found (expected standard LXC layout)." >&2
+  exit 1
+fi
+
+echo "--- Current binary ---"
+/usr/local/bin/gitea --version 2>&1 || true
+
+VER="${GITEA_TARGET_VERSION:-}"
+if [[ -z "${VER}" ]]; then
+  VER="$(curl -fsSL https://api.github.com/repos/go-gitea/gitea/releases/latest \
+    | sed -n 's/.*"tag_name": "v\{0,1\}\([^"]*\)".*/\1/p' | head -1)"
+fi
+if [[ -z "${VER}" ]]; then
+  echo "ERROR: Could not determine Gitea version (set GITEA_VERSION on host)." >&2
+  exit 1
+fi
+
+echo "--- Target version: ${VER} (${GITEA_ARCH}) ---"
+
+if [[ "${DRY_RUN}" -eq 1 ]]; then
+  echo "[dry-run] Would: systemctl stop gitea; backup /usr/local/bin/gitea;"
+  echo "          curl https://dl.gitea.com/gitea/${VER}/gitea-${VER}-${GITEA_ARCH};"
+  echo "          gitea migrate; systemctl start gitea"
+  exit 0
+fi
+
+systemctl stop gitea
+cp -a /usr/local/bin/gitea "/usr/local/bin/gitea.bak.$(date +%Y%m%d%H%M%S)"
+TMP="$(mktemp)"
+curl -fsSL -o "${TMP}" "https://dl.gitea.com/gitea/${VER}/gitea-${VER}-${GITEA_ARCH}"
+chmod +x "${TMP}"
+install -m 755 "${TMP}" /usr/local/bin/gitea
+rm -f "${TMP}"
+
+if [[ -f /etc/gitea/app.ini ]]; then
+  sudo -u gitea env GITEA_WORK_DIR=/var/lib/gitea HOME=/var/lib/gitea/data \
+    /usr/local/bin/gitea migrate --config /etc/gitea/app.ini
+else
+  echo "WARN: /etc/gitea/app.ini missing; skipping migrate" >&2
+fi
+
+systemctl start gitea
+sleep 2
+systemctl is-active --quiet gitea
+echo "--- Upgraded ---"
+/usr/local/bin/gitea --version
+REMOTE
+
+echo ""
+echo "Done. Verify UI and git over SSH/HTTPS. See docs/04-configuration/GITEA_PLATFORM_AND_UPGRADE_RUNBOOK.md"