docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates

- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/deployment/deploy-phased.sh

@@ -1,272 +0,0 @@
-#!/usr/bin/env bash
-# Phased Deployment Orchestrator
-# Deploys infrastructure in phases: Besu → CCIP → Other Services
-# Allows validation between phases to reduce risk
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-# Try to find project root - could be at same level or in smom-dbis-138-proxmox subdirectory
-if [[ -d "$SCRIPT_DIR/../../smom-dbis-138-proxmox" ]]; then
-    PROJECT_ROOT="$(cd "$SCRIPT_DIR/../../smom-dbis-138-proxmox" && pwd)"
-elif [[ -d "$SCRIPT_DIR/../.." ]]; then
-    PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
-else
-    PROJECT_ROOT="$SCRIPT_DIR/../.."
-fi
-
-source "$PROJECT_ROOT/lib/common.sh" 2>/dev/null || {
-    log_info() { echo "[INFO] $1"; }
-    log_success() { echo "[✓] $1"; }
-    log_error() { echo "[ERROR] $1"; exit 1; }
-    log_warn() { echo "[WARN] $1"; }
-}
-source "$PROJECT_ROOT/lib/progress-tracking.sh" 2>/dev/null || true
-
-# Load configuration
-load_config "$PROJECT_ROOT/config/proxmox.conf" 2>/dev/null || true
-
-# Command line options
-SKIP_PHASE1="${SKIP_PHASE1:-false}"
-SKIP_PHASE2="${SKIP_PHASE2:-false}"
-SKIP_PHASE3="${SKIP_PHASE3:-false}"
-SKIP_VALIDATION="${SKIP_VALIDATION:-false}"
-SOURCE_PROJECT="${SOURCE_PROJECT:-}"
-
-while [[ $# -gt 0 ]]; do
-    case $1 in
-        --skip-phase1)
-            SKIP_PHASE1=true
-            shift
-            ;;
-        --skip-phase2)
-            SKIP_PHASE2=true
-            shift
-            ;;
-        --skip-phase3)
-            SKIP_PHASE3=true
-            shift
-            ;;
-        --skip-validation)
-            SKIP_VALIDATION=true
-            shift
-            ;;
-        --source-project)
-            SOURCE_PROJECT="$2"
-            shift 2
-            ;;
-        --help)
-            echo "Usage: $0 [OPTIONS]"
-            echo ""
-            echo "Phased Deployment Orchestrator"
-            echo ""
-            echo "Phases:"
-            echo "  1. Besu Network (12 containers) - 1.5-2.5 hours"
-            echo "  2. CCIP Network (41-43 containers) - 2.5-4 hours"
-            echo "  3. Other Services (14 containers) - 1.5-2.5 hours"
-            echo ""
-            echo "Options:"
-            echo "  --skip-phase1       Skip Besu network deployment"
-            echo "  --skip-phase2       Skip CCIP network deployment"
-            echo "  --skip-phase3       Skip other services deployment"
-            echo "  --skip-validation   Skip validation between phases"
-            echo "  --source-project PATH  Path to source project with config files"
-            echo "  --help              Show this help message"
-            exit 0
-            ;;
-        *)
-            log_error "Unknown option: $1"
-            exit 1
-            ;;
-    esac
-done
-
-log_info "========================================="
-log_info "Phased Deployment Orchestrator"
-log_info "========================================="
-log_info ""
-
-# Check prerequisites
-if ! command_exists pct; then
-    log_error "pct command not found. This script must be run on Proxmox host."
-fi
-
-if [[ $EUID -ne 0 ]]; then
-    log_error "This script must be run as root"
-fi
-
-# Helper function to find script
-find_script() {
-    local script_name="$1"
-    # Try current directory first
-    if [[ -f "$SCRIPT_DIR/$script_name" ]]; then
-        echo "$SCRIPT_DIR/$script_name"
-    # Try PROJECT_ROOT scripts/deployment
-    elif [[ -f "$PROJECT_ROOT/scripts/deployment/$script_name" ]]; then
-        echo "$PROJECT_ROOT/scripts/deployment/$script_name"
-    # Try smom-dbis-138-proxmox path
-    elif [[ -f "$(dirname "$SCRIPT_DIR")/smom-dbis-138-proxmox/scripts/deployment/$script_name" ]]; then
-        echo "$(dirname "$SCRIPT_DIR")/smom-dbis-138-proxmox/scripts/deployment/$script_name"
-    else
-        echo ""
-    fi
-}
-
-# Pre-cache OS template (recommendation)
-log_info "=== Pre-caching OS Template ==="
-PRE_CACHE_SCRIPT=$(find_script "pre-cache-os-template.sh")
-if [[ -n "$PRE_CACHE_SCRIPT" ]] && [[ -f "$PRE_CACHE_SCRIPT" ]]; then
-    "$PRE_CACHE_SCRIPT" || log_warn "Template pre-caching had issues, continuing..."
-else
-    log_warn "pre-cache-os-template.sh not found, skipping template pre-cache"
-fi
-
-# Phase 1: Besu Network
-if [[ "$SKIP_PHASE1" != "true" ]]; then
-    log_info ""
-    log_info "========================================="
-    log_info "PHASE 1: Besu Network Deployment"
-    log_info "========================================="
-    log_info "Containers: 11 (4 validators, 4 sentries, 3 RPC)"
-    log_info "Estimated time: 90-150 minutes (1.5-2.5 hours)"
-    log_info ""
-    
-    DEPLOY_BESU_SCRIPT=$(find_script "deploy-besu-nodes.sh")
-    if [[ -n "$DEPLOY_BESU_SCRIPT" ]] && [[ -f "$DEPLOY_BESU_SCRIPT" ]]; then
-        if "$DEPLOY_BESU_SCRIPT"; then
-            log_success "Phase 1 completed successfully"
-        else
-            log_error "Phase 1 failed. Fix issues before continuing."
-            exit 1
-        fi
-    else
-        log_error "deploy-besu-nodes.sh not found in $SCRIPT_DIR or $PROJECT_ROOT/scripts/deployment"
-        exit 1
-    fi
-    
-    # Copy configuration files
-    if [[ -n "$SOURCE_PROJECT" ]] && [[ -d "$SOURCE_PROJECT" ]]; then
-        log_info ""
-        log_info "Copying Besu configuration files..."
-        if [[ -f "$PROJECT_ROOT/scripts/copy-besu-config-with-nodes.sh" ]]; then
-            SOURCE_PROJECT="$SOURCE_PROJECT" "$PROJECT_ROOT/scripts/copy-besu-config-with-nodes.sh" || {
-                log_error "Failed to copy configuration files"
-            }
-        fi
-    fi
-    
-    # Validation after Phase 1
-    if [[ "$SKIP_VALIDATION" != "true" ]]; then
-        log_info ""
-        log_info "=== Phase 1 Validation ==="
-        if [[ -f "$PROJECT_ROOT/scripts/validation/validate-deployment-comprehensive.sh" ]]; then
-            "$PROJECT_ROOT/scripts/validation/validate-deployment-comprehensive.sh" || {
-                log_warn "Phase 1 validation had issues. Review before continuing to Phase 2."
-                read -p "Continue to Phase 2? (y/N): " -n 1 -r
-                echo
-                if [[ ! $REPLY =~ ^[Yy]$ ]]; then
-                    log_error "Deployment paused. Fix Phase 1 issues before continuing."
-                fi
-            }
-        fi
-    fi
-else
-    log_info "Skipping Phase 1 (Besu Network)"
-fi
-
-# Phase 2: CCIP Network
-if [[ "$SKIP_PHASE2" != "true" ]]; then
-    log_info ""
-    log_info "========================================="
-    log_info "PHASE 2: CCIP Network Deployment"
-    log_info "========================================="
-    log_info "Containers: 41-43 (2 ops, 2 mon, 16 commit, 16 exec, 5-7 RMN)"
-    log_info "Estimated time: 150-240 minutes (2.5-4 hours)"
-    log_info ""
-    
-    DEPLOY_CCIP_SCRIPT=$(find_script "deploy-ccip-nodes.sh")
-    if [[ -n "$DEPLOY_CCIP_SCRIPT" ]] && [[ -f "$DEPLOY_CCIP_SCRIPT" ]]; then
-        if command_exists init_progress_tracking 2>/dev/null; then
-            init_progress_tracking 5 "CCIP Network Deployment"
-            update_progress 1 "Deploying CCIP-OPS nodes"
-        fi
-        if "$DEPLOY_CCIP_SCRIPT"; then
-            if command_exists update_progress 2>/dev/null; then
-                update_progress 5 "CCIP deployment complete"
-                complete_progress
-            fi
-            log_success "Phase 2 completed successfully"
-        else
-            log_error "Phase 2 failed. Fix issues before continuing."
-            exit 1
-        fi
-    else
-        log_warn "deploy-ccip-nodes.sh not found, skipping CCIP deployment"
-    fi
-else
-    log_info "Skipping Phase 2 (CCIP Network)"
-fi
-
-# Phase 3: Other Services
-if [[ "$SKIP_PHASE3" != "true" ]]; then
-    log_info ""
-    log_info "========================================="
-    log_info "PHASE 3: Other Services Deployment"
-    log_info "========================================="
-    log_info "Containers: ~14 (Blockscout, Cacti, Fabric, Firefly, Indy, etc.)"
-    log_info "Estimated time: 90-150 minutes (1.5-2.5 hours)"
-    log_info ""
-    
-    # Deploy Hyperledger services
-    HYPERLEDGER_SCRIPT=$(find_script "deploy-hyperledger-services.sh")
-    if [[ -n "$HYPERLEDGER_SCRIPT" ]] && [[ -f "$HYPERLEDGER_SCRIPT" ]]; then
-        log_info "Deploying Hyperledger services..."
-        "$HYPERLEDGER_SCRIPT" || log_warn "Hyperledger services had issues"
-    fi
-    
-    # Deploy explorer
-    EXPLORER_SCRIPT=$(find_script "deploy-explorer.sh")
-    if [[ -n "$EXPLORER_SCRIPT" ]] && [[ -f "$EXPLORER_SCRIPT" ]]; then
-        log_info "Deploying Blockscout explorer..."
-        "$EXPLORER_SCRIPT" || log_warn "Explorer deployment had issues"
-    fi
-    
-    # Deploy other services
-    SERVICES_SCRIPT=$(find_script "deploy-services.sh")
-    if [[ -n "$SERVICES_SCRIPT" ]] && [[ -f "$SERVICES_SCRIPT" ]]; then
-        log_info "Deploying other services..."
-        "$SERVICES_SCRIPT" || log_warn "Services deployment had issues"
-    fi
-    
-    # Deploy monitoring
-    MONITORING_SCRIPT=$(find_script "deploy-monitoring.sh")
-    if [[ -n "$MONITORING_SCRIPT" ]] && [[ -f "$MONITORING_SCRIPT" ]]; then
-        log_info "Deploying monitoring stack..."
-        "$MONITORING_SCRIPT" || log_warn "Monitoring deployment had issues"
-    fi
-    
-    log_success "Phase 3 completed"
-else
-    log_info "Skipping Phase 3 (Other Services)"
-fi
-
-# Final validation
-if [[ "$SKIP_VALIDATION" != "true" ]]; then
-    log_info ""
-    log_info "========================================="
-    log_info "Final Deployment Validation"
-    log_info "========================================="
-    if [[ -f "$PROJECT_ROOT/scripts/validation/validate-deployment-comprehensive.sh" ]]; then
-        "$PROJECT_ROOT/scripts/validation/validate-deployment-comprehensive.sh"
-    fi
-fi
-
-log_info ""
-log_success "Phased deployment completed!"
-log_info ""
-log_info "Next steps:"
-log_info "  - Verify all services are running"
-log_info "  - Check service logs for errors"
-log_info "  - Monitor blockchain sync progress"
-log_info "  - Configure CCIP DONs (if Phase 2 completed)"
-

scripts/deployment/phase1-vlan-enablement.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Phase 1: VLAN Enablement - Runbook
+# Prerequisites: Physical access to ES216G switch, Proxmox hosts, ER605
+# See docs/03-deployment/DEPLOYMENT_STATUS_CONSOLIDATED.md
+
+set -euo pipefail
+
+echo "Phase 1: VLAN Enablement Runbook"
+echo "================================="
+echo ""
+echo "1. ES216G trunk ports: Configure ports connecting to Proxmox/ER605 as trunk"
+echo "2. Proxmox VLAN bridge: vmbr1 with VLAN 110,111,112,130,132,133,134"
+echo "3. ER605: Create VLAN interfaces per NETWORK_ARCHITECTURE.md"
+echo "4. Migrate: Move Besu validators to VLAN 110, sentries to 111, RPC to 112"
+echo ""
+echo "Run with --dry-run to see commands (no changes)"
+echo "Full steps: docs/02-architecture/NETWORK_ARCHITECTURE.md"

scripts/deployment/phase2-observability.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Phase 2: Observability - Deploy Prometheus, Grafana, Loki, Alertmanager
+# Usage: ./scripts/deployment/phase2-observability.sh [--config-only]
+# --config-only: write config/monitoring/ (prometheus.yml, alertmanager.yml) and exit.
+# See docs/08-monitoring/MONITORING_SUMMARY.md, OPERATIONAL_RUNBOOKS § Phase 2.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+CONFIG_DIR="${PROJECT_ROOT}/config/monitoring"
+CONFIG_ONLY=false
+[[ "${1:-}" == "--config-only" ]] && CONFIG_ONLY=true
+
+mkdir -p "$CONFIG_DIR"
+
+echo "Phase 2: Observability Runbook"
+echo "=============================="
+echo ""
+echo "1. Prometheus (VMID 10200 or Docker) - scrape Besu 9545; config: scripts/monitoring/prometheus-besu-config.yml"
+echo "2. Grafana (VMID 10201 or Docker) - dashboards; datasource: Prometheus"
+echo "3. Loki - log aggregation"
+echo "4. Alertmanager - alerts (email/Slack webhook); configure in config/monitoring/alertmanager.yml"
+echo "5. Cloudflare Access - optional for Grafana"
+echo ""
+
+if $CONFIG_ONLY; then
+  # Write minimal Prometheus config (merge Besu targets from scripts/monitoring/prometheus-besu-config.yml)
+  cat > "$CONFIG_DIR/prometheus.yml" << 'EOF'
+global:
+  scrape_interval: 15s
+scrape_configs:
+  - job_name: prometheus
+    static_configs: [{ targets: ['localhost:9090'] }]
+EOF
+  cat > "$CONFIG_DIR/alertmanager.yml" << 'EOF'
+route: { receiver: 'null' }
+receivers: [{ name: 'null' }]
+EOF
+  echo "[OK] Config written to $CONFIG_DIR (prometheus.yml, alertmanager.yml)"
+  exit 0
+fi
+
+echo "See: scripts/monitoring/ for existing configs. Run with --config-only to write config/monitoring/."

scripts/deployment/phase3-ccip-fleet.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Phase 3: CCIP Fleet Deployment
+# See docs/07-ccip/CCIP_DEPLOYMENT_SPEC.md
+
+set -euo pipefail
+
+echo "Phase 3: CCIP Fleet Runbook"
+echo "==========================="
+echo ""
+echo "Node allocation (41-43 nodes):"
+echo "  Ops/Admin: VMID 5400-5401 (VLAN 130)"
+echo "  Commit: VMID 5410-5425 (16 nodes, VLAN 132)"
+echo "  Execute: VMID 5440-5455 (16 nodes, VLAN 133)"
+echo "  RMN: VMID 5470-5476 (7 nodes, VLAN 134)"
+echo ""
+echo "Prerequisites: Phase 1 (VLAN) complete, NAT pools configured"
+echo "Full spec: docs/07-ccip/CCIP_DEPLOYMENT_SPEC.md"

scripts/deployment/phase3-ccip-ops.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# Phase 3: CCIP Fleet - Ops/Admin (VMID 5400-5401)
+# See docs/07-ccip/CCIP_DEPLOYMENT_SPEC.md
+
+set -euo pipefail
+
+echo "Phase 3: CCIP Ops/Admin Deployment"
+echo "=================================="
+echo ""
+echo "VMIDs: 5400 (CCIP Ops), 5401 (CCIP Admin)"
+echo "Requires: PRIVATE_KEY, RPC_URL_138, CCIP_ROUTER_ADDRESS"
+echo ""
+echo "Steps:"
+echo "  1. Deploy CCIP Ops container (VMID 5400)"
+echo "  2. Deploy CCIP Admin container (VMID 5401)"
+echo "  3. Configure NAT pools"
+echo "  4. Deploy commit nodes (5410-5425)"
+echo "  5. Deploy execute nodes (5440-5455)"
+echo "  6. Deploy RMN nodes (5470-5476)"
+echo ""
+echo "Run: smom-dbis-138/scripts/ccip-deployment/ for automation"

scripts/deployment/phase4-sovereign-tenants.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Phase 4: Sovereign Tenants — VLAN isolation, tenant access control.
+# Usage: bash scripts/deployment/phase4-sovereign-tenants.sh [--show-steps|--dry-run]
+# Runbook: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Phase 4
+
+set -euo pipefail
+
+DRY_RUN=false
+SHOW_STEPS=false
+for a in "$@"; do
+  [[ "$a" == "--dry-run" ]] && DRY_RUN=true
+  [[ "$a" == "--show-steps" ]] && SHOW_STEPS=true
+done
+
+echo "Phase 4: Sovereign Tenants"
+echo "=========================="
+echo ""
+echo "Steps:"
+echo "  1. Configure sovereign VLANs on UDM Pro (200–203)"
+echo "  2. Enable VLAN-aware bridge on Proxmox"
+echo "  3. Migrate tenant containers to VLANs"
+echo "  4. Configure access control (firewall rules; deny east-west)"
+echo "  5. Apply Block #6 egress NAT; verify tenant isolation"
+echo ""
+if [[ "$SHOW_STEPS" == true ]]; then
+  echo "Runbook: docs/03-deployment/OPERATIONAL_RUNBOOKS.md (Phase 4)"
+  echo "Architecture: docs/02-architecture/NETWORK_ARCHITECTURE.md, ORCHESTRATION_DEPLOYMENT_GUIDE.md"
+  echo "Firewall: docs/04-configuration/UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md"
+  exit 0
+fi
+if [[ "$DRY_RUN" == true ]]; then
+  echo "[DRY-RUN] No changes. Run without --dry-run to execute (script is checklist-only; manual steps in runbook)."
+  exit 0
+fi
+echo "See: docs/02-architecture/NETWORK_ARCHITECTURE.md"
+echo "     docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Phase 4"

scripts/deployment/pre-cache-os-template.sh

@@ -1,69 +0,0 @@
-#!/usr/bin/env bash
-# Pre-cache OS Template - Download Ubuntu 22.04 template before deployment
-# This saves 5-10 minutes during deployment
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
-
-source "$PROJECT_ROOT/lib/common.sh" 2>/dev/null || {
-    # Basic logging if common.sh not available
-    log_info() { echo "[INFO] $1"; }
-    log_success() { echo "[✓] $1"; }
-    log_error() { echo "[ERROR] $1"; exit 1; }
-}
-
-# Load configuration
-load_config "$PROJECT_ROOT/config/proxmox.conf" 2>/dev/null || true
-
-TEMPLATE_NAME="${CONTAINER_OS_TEMPLATE:-local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst}"
-TEMPLATE_FILE="ubuntu-22.04-standard_22.04-1_amd64.tar.zst"
-
-log_info "========================================="
-log_info "Pre-cache OS Template"
-log_info "========================================="
-log_info ""
-log_info "Template: $TEMPLATE_NAME"
-log_info "File: $TEMPLATE_FILE"
-log_info ""
-
-# Check if running on Proxmox host
-if ! command_exists pveam; then
-    log_error "pveam command not found. This script must be run on Proxmox host."
-fi
-
-# Check if template already exists
-log_info "Checking if template already exists..."
-if pveam list local | grep -q "$TEMPLATE_FILE"; then
-    log_success "Template $TEMPLATE_FILE already exists in local storage"
-    log_info "No download needed. Deployment will use existing template."
-    log_info ""
-    log_info "Template details:"
-    pveam list local | grep "$TEMPLATE_FILE"
-    exit 0
-fi
-
-# Check available templates
-log_info "Checking available templates..."
-if ! pveam available | grep -q "$TEMPLATE_FILE"; then
-    log_error "Template $TEMPLATE_FILE not available. Please check template name."
-fi
-
-# Download template
-log_info "Downloading template $TEMPLATE_FILE..."
-log_info "This may take 5-10 minutes depending on network speed..."
-log_info ""
-
-if pveam download local "$TEMPLATE_FILE"; then
-    log_success "Template downloaded successfully"
-    log_info ""
-    log_info "Template is now cached and ready for deployment"
-    log_info "This saves 5-10 minutes during container creation phase"
-    log_info ""
-    log_info "Template details:"
-    pveam list local | grep "$TEMPLATE_FILE"
-else
-    log_error "Failed to download template"
-fi
-