docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates

- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00
parent cc8dcaf356
commit fbda1b4beb
5114 changed files with 498901 additions and 4567 deletions
--- a/docs/02-architecture/NETWORK_ARCHITECTURE.md
+++ b/docs/02-architecture/NETWORK_ARCHITECTURE.md
@@ -1,11 +1,13 @@
 # Network Architecture - Enterprise Orchestration Plan

-**Navigation:** [Home](/docs/01-getting-started/README.md) > [Architecture](/docs/01-getting-started/README.md) > Network Architecture
+**Navigation:** [Home](../01-getting-started/README.md) > [Architecture](README.md) > Network Architecture

-**Last Updated:** 2025-01-20  
-**Document Version:** 2.0  
+**Related:** [PHYSICAL_HARDWARE_INVENTORY.md](PHYSICAL_HARDWARE_INVENTORY.md) | [DOMAIN_STRUCTURE.md](DOMAIN_STRUCTURE.md) | [ORCHESTRATION_DEPLOYMENT_GUIDE.md](ORCHESTRATION_DEPLOYMENT_GUIDE.md) | [11-references/NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md) | **Runbooks & VLAN:** [03-deployment/OPERATIONAL_RUNBOOKS.md](../03-deployment/OPERATIONAL_RUNBOOKS.md) (Phase 4, VLAN), [03-deployment/MISSING_CONTAINERS_LIST.md](../03-deployment/MISSING_CONTAINERS_LIST.md), [04-configuration/UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md](../04-configuration/UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md)
+
+**Last Updated:** 2026-02-05  
+**Document Version:** 2.1  
 **Status:** 🟢 Active Documentation  
-**Project:** Sankofa / Phoenix / PanTel · ChainID 138 · Proxmox + Cloudflare Zero Trust + Dual ISP + 6×/28
+**Project:** Sankofa / Phoenix / PanTel · ChainID 138 · Proxmox + Cloudflare DNS + NPMplus (edge: UDM Pro; Fastly or direct to 76.53.10.36)

 ---

@@ -21,6 +23,70 @@ This document defines the complete enterprise-grade network architecture for the

 ---

+## Architecture Diagrams
+
+### Network Topology (High Level)
+
+```mermaid
+graph TB
+    Internet[Internet]
+    CF[Cloudflare Zero Trust]
+    UDM[UDM Pro 76.53.10.34]
+    NPM[NPMplus 192.168.11.167]
+    ES1[ES216G-1 Core]
+    ES2[ES216G-2 Compute]
+    ML[ML110 192.168.11.10]
+    R1[R630-01 192.168.11.11]
+    R2[R630-02 192.168.11.12]
+    Internet --> CF
+    CF --> UDM
+    UDM --> NPM
+    NPM --> ES1
+    ES1 --> ES2
+    ES2 --> ML
+    ES2 --> R1
+    ES2 --> R2
+```
+
+### VLAN Architecture (Selected VLANs)
+
+```mermaid
+graph TD
+    V11[VLAN 11: MGMT-LAN<br/>192.168.11.0/24]
+    V110[VLAN 110: BESU-VAL<br/>10.110.0.0/24]
+    V111[VLAN 111: BESU-SEN<br/>10.111.0.0/24]
+    V112[VLAN 112: BESU-RPC<br/>10.112.0.0/24]
+    V132[VLAN 132: CCIP-COMMIT<br/>10.132.0.0/24]
+    V133[VLAN 133: CCIP-EXEC<br/>10.133.0.0/24]
+    V134[VLAN 134: CCIP-RMN<br/>10.134.0.0/24]
+    V11 --> V110
+    V11 --> V111
+    V11 --> V112
+    V11 --> V132
+    V11 --> V133
+    V11 --> V134
+```
+
+See [VLAN Set (Authoritative)](#31-vlan-set-authoritative) below for the full table.
+
+### Proxmox Cluster (Nodes)
+
+```mermaid
+graph LR
+    ML[ml110 192.168.11.10]
+    R1[r630-01 .11]
+    R2[r630-02 .12]
+    R3[r630-03 .13]
+    R4[r630-04 .14]
+    ML --- R1
+    ML --- R2
+    R1 --- R2
+    R1 --- R3
+    R2 --- R4
+```
+
+---
+
 ## Core Principles

 1. **No public IPs on Proxmox hosts or LXCs/VMs** (default)
@@ -76,10 +142,12 @@ This document defines the complete enterprise-grade network architecture for the
 | **Gateway** | `76.53.10.33` | ✅ Active |
 | **Usable Range** | `76.53.10.33–76.53.10.46` | ✅ In Use |
 | **Broadcast** | `76.53.10.47` | - |
-| **ER605 WAN1 IP** | `76.53.10.34` (router interface) | ✅ Active |
+| **UDM Pro (edge)** | `76.53.10.34` (replaced ER605) | ✅ Active |
 | **Available IPs** | 13 (76.53.10.35-46, excluding .34) | ✅ Available |

-### Public Blocks #2–#6 (Placeholders - To Be Configured)
+### Public Blocks #2–#6 (Reserved - To Be Configured)
+
+> **Status:** Blocks #2–#6 are reserved. Document actual network/gateway/usable range when assigned by provider, or keep as placeholders until CCIP/Sankofa/Sovereign egress planning is finalized. See [MASTER_PLAN.md](../00-meta/MASTER_PLAN.md) §3.1.

 | Block | Network | Gateway | Usable Range | Broadcast | Designated Use |
 |-------|--------|---------|--------------|-----------|----------------|
@@ -197,22 +265,15 @@ This yields **provable separation**, allowlisting, and incident scoping.

 ---

-## 6. Cloudflare Zero Trust Orchestration
+## 6. Public Edge: Fastly or Direct to NPMplus

-### 6.1 cloudflared Gateway Pattern
+### 6.1 Fastly or Direct to NPMplus (Primary Public Path)

-Run **2 cloudflared LXCs** for redundancy:
+**Public ingress** is **Fastly** (Option A) or **DNS direct to 76.53.10.36** (Option C). Both flow through **UDM Pro** port forward to **NPMplus** (VMID 10233 at 192.168.11.167). Cloudflare Tunnel is **deprecated** for public access (502 errors); Cloudflare DNS is retained for all public hostnames.

- `cloudflared-1` on ML110
- `cloudflared-2` on an R630
-
-Both run tunnels for:
- Blockscout
- FireFly
- Gitea
- Internal admin dashboards (Grafana) behind Cloudflare Access
-
-**Keep Proxmox UI LAN-only**; if needed, publish via Cloudflare Access with strict posture/MFA.
+- **Flow:** Internet → Cloudflare DNS → Fastly or 76.53.10.36 → UDM Pro (76.53.10.36:80/443) → NPMplus → internal services (Blockscout, RPC, DBIS, MIM4U, etc.).
+- **Pre-requisite:** Verify 76.53.10.36:80 and :443 are open from the internet; see [05-network/EDGE_PORT_VERIFICATION_RUNBOOK.md](../05-network/EDGE_PORT_VERIFICATION_RUNBOOK.md). If closed (e.g. Spectrum filtering), use Option B (tunnel or VPS origin).
+- **Keep Proxmox UI LAN-only**; if needed, publish via Cloudflare Access or VPN with strict posture/MFA.

 ---

@@ -220,24 +281,25 @@ Both run tunnels for:

 | VMID Range | Domain / Subdomain | VLAN Name | VLAN ID | Private Subnet (GW .1) | Public IP (Edge VIP / NAT) |
 |-----------:|-------------------|-----------|--------:|------------------------|---------------------------|
-| **EDGE** | ER605 WAN1 (Primary) | WAN1 | — | — | **76.53.10.34** *(router WAN IP)* |
+| **EDGE** | UDM Pro (replaced ER605) | WAN | — | — | **76.53.10.34** *(edge)* |
 | **EDGE** | Spectrum ISP Gateway | — | — | — | **76.53.10.33** *(ISP gateway)* |
 | 1000–1499 | **Besu** – Validators | BESU-VAL | 110 | 10.110.0.0/24 | **None** (no inbound; tunnel/VPN only) |
 | 1500–2499 | **Besu** – Sentries | BESU-SEN | 111 | 10.111.0.0/24 | **None** *(optional later via NAT pool)* |
-| 2500–3499 | **Besu** – RPC / Gateways | BESU-RPC | 112 | 10.112.0.0/24 | **76.53.10.36** *(Reserved edge VIP for emergency RPC only; primary is Cloudflare Tunnel)* |
+| 2500–3499 | **Besu** – RPC / Gateways | BESU-RPC | 112 | 10.112.0.0/24 | **Via NPMplus** *(Fastly or direct to 76.53.10.36); Alltra/HYBX via 76.53.10.38 or 76.53.10.42)* |
 | 3500–4299 | **Besu** – Archive/Snapshots/Mirrors/Telemetry | BESU-INFRA | 113 | 10.113.0.0/24 | None |
 | 4300–4999 | **Besu** – Reserved expansion | BESU-RES | 114 | 10.114.0.0/24 | None |
-| 5000–5099 | **Blockscout** – Explorer/Indexing | BLOCKSCOUT | 120 | 10.120.0.0/24 | **76.53.10.35** *(Reserved edge VIP for emergency UI only; primary is Cloudflare Tunnel)* |
-| 5200–5299 | **Cacti** – Interop middleware | CACTI | 121 | 10.121.0.0/24 | None *(publish via Cloudflare Tunnel if needed)* |
+| 5000–5099 | **Blockscout** – Explorer/Indexing | BLOCKSCOUT | 120 | 10.120.0.0/24 | **Via NPMplus** *(Fastly or direct to 76.53.10.36)* |
+| 5200–5299 | **Cacti** – Interop middleware | CACTI | 121 | 10.121.0.0/24 | None *(publish via NPMplus/Fastly if needed)* |
 | 5400–5401 | **CCIP** – Ops/Admin | CCIP-OPS | 130 | 10.130.0.0/24 | None *(Cloudflare Access / VPN only)* |
 | 5402–5403 | **CCIP** – Monitoring/Telemetry | CCIP-MON | 131 | 10.131.0.0/24 | None *(optionally publish dashboards via Cloudflare Access)* |
 | 5410–5425 | **CCIP** – Commit-role oracle nodes (16) | CCIP-COMMIT | 132 | 10.132.0.0/24 | **Egress NAT: Block #2** |
 | 5440–5455 | **CCIP** – Execute-role oracle nodes (16) | CCIP-EXEC | 133 | 10.133.0.0/24 | **Egress NAT: Block #3** |
 | 5470–5476 | **CCIP** – RMN nodes (7) | CCIP-RMN | 134 | 10.134.0.0/24 | **Egress NAT: Block #4** |
 | 5480–5599 | **CCIP** – Reserved expansion | CCIP-RES | 135 | 10.135.0.0/24 | None |
-| 6000–6099 | **Fabric** – Enterprise contracts | FABRIC | 140 | 10.140.0.0/24 | None *(publish via Cloudflare Tunnel if required)* |
-| 6200–6299 | **FireFly** – Workflow/orchestration | FIREFLY | 141 | 10.141.0.0/24 | **76.53.10.37** *(Reserved edge VIP if ever needed; primary is Cloudflare Tunnel)* |
-| 6400–7399 | **Indy** – Identity layer | INDY | 150 | 10.150.0.0/24 | **76.53.10.39** *(Reserved edge VIP for DID endpoints if required; primary is Cloudflare Tunnel)* |
+| 6000–6099 | **Fabric** – Enterprise contracts | FABRIC | 140 | 10.140.0.0/24 | None *(publish via NPMplus/Fastly if required)* |
+| 6200–6299 | **FireFly** – Workflow/orchestration | FIREFLY | 141 | 10.141.0.0/24 | **76.53.10.37** *(Reserved edge VIP if ever needed; primary via NPMplus)* |
+| 6400–7399 | **Indy** – Identity layer | INDY | 150 | 10.150.0.0/24 | **76.53.10.39** *(Reserved edge VIP for DID endpoints if required; primary via NPMplus)* |
+| 10235 | **NPMplus Alltra/HYBX** | MGMT-LAN | 11 | 192.168.11.0/24 | **76.53.10.38** *(port forward 80/81/443); 76.53.10.42 designated; see [NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md](../04-configuration/NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md))* |
 | 7800–8999 | **Sankofa / Phoenix / PanTel** – Service + Cloud + Telecom | SANKOFA-SVC | 160 | 10.160.0.0/22 | **Egress NAT: Block #5** |
 | 10000–10999 | **Phoenix Sovereign Cloud Band** – SMOM tenant | PHX-SOV-SMOM | 200 | 10.200.0.0/20 | **Egress NAT: Block #6** |
 | 11000–11999 | **Phoenix Sovereign Cloud Band** – ICCC tenant | PHX-SOV-ICCC | 201 | 10.201.0.0/20 | **Egress NAT: Block #6** |
@@ -256,12 +318,11 @@ Both run tunnels for:
   - CCIP Ops/Admin (VLAN 130)
   - CCIP Monitoring (VLAN 131)

-2. **Cloudflare Tunnel (Primary)**
-   - Blockscout (VLAN 120) - Emergency VIP: 76.53.10.35
-   - Besu RPC (VLAN 112) - Emergency VIP: 76.53.10.36
-   - FireFly (VLAN 141) - Emergency VIP: 76.53.10.37
-   - Indy (VLAN 150) - Emergency VIP: 76.53.10.39
-   - Sankofa/Phoenix/PanTel (VLAN 160) - Emergency VIP: 76.53.10.38
+2. **Fastly or Direct to NPMplus (Primary)**
+   - All public services route through NPMplus (VMID 10233) at 192.168.11.167
+   - Public origin: 76.53.10.36 (UDM Pro port forwarding to NPMplus)
+   - Blockscout (VLAN 120), Besu RPC (VLAN 112), FireFly (VLAN 141), Indy (VLAN 150), Sankofa/Phoenix/PanTel (VLAN 160) - Via NPMplus
+   - DNS: Cloudflare. Edge: Fastly (Option A) or direct to 76.53.10.36 (Option C). Tunnel deprecated for public ingress.

 3. **Role-Based Egress NAT (Allowlistable)**
   - CCIP Commit (VLAN 132) → Block #2
@@ -293,7 +354,7 @@ Both run tunnels for:
  - VLAN 11: 192.168.11.0/24 (legacy mgmt)
  - All other VLANs: 10.x.0.0/24 or /20 or /22 (VLAN ID maps to second octet)
 - **Public IPs:** 6× /28 blocks with role-based NAT pools
- **All public access** should route through Cloudflare Tunnel for security
+- **All public access** routes through NPMplus (Fastly or direct to 76.53.10.36) for security and stability

 ### 9.4 VLAN Tagging
 - All VLANs are tagged on the Proxmox bridge
@@ -309,7 +370,7 @@ This architecture should be reflected in:
 - `config/proxmox.conf` - VMID ranges
 - Proxmox bridge configuration (VLAN-aware mode)
 - ER605 router configuration (NAT pools, routing)
- Cloudflare Tunnel configuration
+- Fastly or direct-to-NPMplus configuration (see 05-network routing docs)
 - ES216G switch configuration (VLAN trunks)

 ---
@@ -331,15 +392,15 @@ This architecture should be reflected in:
 - **[ORCHESTRATION_DEPLOYMENT_GUIDE.md](ORCHESTRATION_DEPLOYMENT_GUIDE.md)** ⭐⭐⭐ - Enterprise deployment orchestration guide
 - **[VMID_ALLOCATION_FINAL.md](VMID_ALLOCATION_FINAL.md)** ⭐⭐⭐ - VMID allocation registry
 - **[DOMAIN_STRUCTURE.md](DOMAIN_STRUCTURE.md)** ⭐⭐ - Domain structure and DNS assignments
- **[HOSTNAME_MIGRATION_GUIDE.md](HOSTNAME_MIGRATION_GUIDE.md)** ⭐ - Hostname migration procedures
+- **[DOMAIN_STRUCTURE.md](DOMAIN_STRUCTURE.md)** ⭐ - Domain and hostname structure

 ### Configuration Documents
 - **[../04-configuration/ER605_ROUTER_CONFIGURATION.md](/docs/04-configuration/ER605_ROUTER_CONFIGURATION.md)** - Router configuration
 - **[../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md](../04-configuration/cloudflare/CLOUDFLARE_ZERO_TRUST_GUIDE.md)** - Cloudflare Zero Trust setup
- **[../05-network/CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](../05-network/CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md)** - Cloudflare tunnel routing
+- **[../05-network/CLOUDFLARE_ROUTING_MASTER.md](../05-network/CLOUDFLARE_ROUTING_MASTER.md)** - Fastly/Direct for web; Option B (tunnel) for RPC

 ### Deployment Documents
- **[../03-deployment/ORCHESTRATION_DEPLOYMENT_GUIDE.md](../03-deployment/ORCHESTRATION_DEPLOYMENT_GUIDE.md)** - Deployment orchestration
+- **[ORCHESTRATION_DEPLOYMENT_GUIDE.md](ORCHESTRATION_DEPLOYMENT_GUIDE.md)** - Deployment orchestration (this directory)
 - **[../07-ccip/CCIP_DEPLOYMENT_SPEC.md](../07-ccip/CCIP_DEPLOYMENT_SPEC.md)** - CCIP deployment specification

 ---