# ============================================================================ # Master Secrets Template — ALL keys used across the workspace # ============================================================================ # Copy to .env (repo root) or .env.master (local only). Fill values; NEVER commit. # See: docs/04-configuration/MASTER_SECRETS.md for where each is used. # ============================================================================ # --- Proxmox --- PROXMOX_ML110= PROXMOX_R630_01= PROXMOX_R630_02= PROXMOX_HOST= PROXMOX_PORT= PROXMOX_USER= PROXMOX_TOKEN_NAME= PROXMOX_TOKEN_VALUE= PROXMOX_ALLOW_ELEVATED= # Production operator host: set PROXMOX_SAFE_DEFAULTS=1 so guarded maintenance scripts default to dry-run unless --apply or PROXMOX_OPS_APPLY=1 (see scripts/lib/proxmox-production-guard.sh). # PROXMOX_SAFE_DEFAULTS= # PROXMOX_OPS_ALLOWED_VMIDS= # --- Cloudflare --- # Prefer CLOUDFLARE_API_TOKEN scoped to Zone:DNS:Edit on the zones you use (avoid global Account API key when possible). # Bulk DNS script: scripts/update-all-dns-to-public-ip.sh — use --dry-run and --zone-only=sankofa.nexus (etc.) before wide updates. CLOUDFLARE_API_TOKEN= CLOUDFLARE_EMAIL= CLOUDFLARE_API_KEY= CLOUDFLARE_ZONE_ID= CLOUDFLARE_ZONE_ID_D_BIS_ORG= CLOUDFLARE_ZONE_ID_MIM4U_ORG= CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS= CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO= # omdnl.org (apex + www): scripts/cloudflare/configure-omdnl-org-dns.sh CLOUDFLARE_ZONE_ID_OMDNL_ORG= CLOUDFLARE_TUNNEL_TOKEN= CLOUDFLARE_TUNNEL_ID= CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX= CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02= CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02= CLOUDFLARE_ORIGIN_CA_KEY= CLOUDFLARE_ACCOUNT_ID= # Turnstile (Captcha) for IRU marketplace inquiry — Dashboard → Turnstile; NOT the DNS API key CLOUDFLARE_TURNSTILE_SECRET_KEY= # dbis_core Vite marketplace: VITE_CLOUDFLARE_TURNSTILE_SITE_KEY= # Sankofa portal Next.js (sibling repo): NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_SITE_KEY= # --- ClouDNS --- CLOUDNS_AUTH_ID= CLOUDNS_AUTH_PASSWORD= # --- NPM / NPMplus --- # Shared admin username for all NPMplus instances unless an instance-specific # UI is deliberately configured differently. # API scripts: use HTTPS on port 81 (e.g. https://192.168.11.167:81). Plain http:// typically 301-redirects to https:// and breaks POST /api/tokens unless curl uses --post301. NPM_URL= NPM_EMAIL= NPM_PASSWORD= NPM_HOST= NPM_PROXMOX_HOST= NPMPLUS_HOST= NPM_VMID= NPMPLUS_VMID= NPM_PASSWORD_PRIMARY= NPM_PASSWORD_SECONDARY= NPM_PASSWORD_ALLTRA_HYBX= NPM_PASSWORD_FOURTH= NPM_PASSWORD_MIFOS= NPMPLUS_ALLTRA_HYBX_VMID= IP_NPMPLUS_ALLTRA_HYBX= NPM_URL_SECONDARY= NPM_URL_ALLTRA_HYBX= NPM_URL_FOURTH= NPM_URL_MIFOS= # --- NPMplus: public CCIP mainnet-cw relay health (upstream r630-01 :9863) --- # Set then run: bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh # Or from SSH (r630-01 → NPM LAN): bash scripts/nginx-proxy-manager/upsert-ccip-relay-mainnet-cw-via-ssh.sh # DNS (d-bis.org): bash scripts/cloudflare/configure-relay-mainnet-cw-dns.sh (or full zone: scripts/update-all-dns-to-public-ip.sh) # CCIP_RELAY_MAINNET_CW_PUBLIC_HOST=relay-mainnet-cw.d-bis.org # Optional: CCIP_RELAY_MAINNET_CW_UPSTREAM_IP=192.168.11.11 CCIP_RELAY_MAINNET_CW_UPSTREAM_PORT=9863 # Explorer / mission-control (optional): name mainnet-cw normalizes to mainnet_cw (preferred primary in ccip_health.go). # Set on the explorer API host or pass through explorer-monorepo/deployment/docker-compose.yml (api service). # CCIP_RELAY_HEALTH_URLS=mainnet-cw=https://relay-mainnet-cw.d-bis.org/healthz,mainnet=http://192.168.11.11:9860/healthz # CCIP_RELAY_HEALTH_URL= # --- info.defi-oracle.io (dedicated nginx LXC, not VMID 2400 RPC) --- # Defaults in config/ip-addresses.conf: IP_INFO_DEFI_ORACLE_WEB=192.168.11.218, VMID 2410. # IP_INFO_DEFI_ORACLE_WEB= # INFO_DEFI_ORACLE_VMID= # INFO_DEFI_ORACLE_UPSTREAM_IP= # NPM fleet: overrides forward_host for info.defi-oracle.io # INFO_DEFI_ORACLE_EDGE_MODE=auto # auto | tunnel | public_ip — DNS script for info.defi-oracle.io # INFO_DEFI_ORACLE_PUBLIC_IP= # WAN IP for public_ip mode (else PUBLIC_IP) # CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO= # Required for set-info-defi-oracle-dns + purge-info-defi-oracle-cache # INFO_DEFI_ORACLE_TUNNEL_UPSTREAM= # Tunnel ingress origin for info hostnames (default IP_INFO_DEFI_ORACLE_WEB) # SPA: default runtime base is {origin}/token-aggregation (nginx on 2410 proxies to Blockscout). Override only if needed: # In info-defi-oracle-138/.env.local (not this file): VITE_TOKEN_AGGREGATION_API_BASE=https://explorer.d-bis.org/token-aggregation # --- mev.defi-oracle.io (MEV Control GUI on nginx LXC 2410 by default) --- # MEV_ADMIN_API_HOST=192.168.11.223 # Dedicated backend CT 2421; LAN host reachable from CT # MEV_ADMIN_API_PORT=9090 # MEV_DEFI_ORACLE_WEB_VMID=2410 # MEV_DEFI_ORACLE_UPSTREAM_IP= # NPM: forward_host override (default IP_INFO_DEFI_ORACLE_WEB) # MEV_DEFI_ORACLE_UPSTREAM_PORT=80 # MEV_DEFI_ORACLE_EDGE_MODE=auto # Cloudflare DNS script (same as info: auto|tunnel|public_ip) # MEV_DEFI_ORACLE_PUBLIC_IP= # A-record mode WAN IP if not using tunnel # Backend CT runtime env lives in config/mev-platform/mev-platform-backend-ct.env.example # and must include: # MEV_SUPERVISOR_URL=http://127.0.0.1:9091 # --- Keycloak Admin API (optional) --- # For scripts/deployment/keycloak-sankofa-ensure-client-redirects.sh — merge portal/admin redirect URIs. # KEYCLOAK_URL=https://keycloak.sankofa.nexus # KEYCLOAK_REALM=master # KEYCLOAK_CLIENT_ID=sankofa-portal # KEYCLOAK_ADMIN=admin # KEYCLOAK_ADMIN_PASSWORD= # --- IT read API (Sankofa portal /it on CT 7801) --- # Base URL of sankofa-it-read-api (Phase 0). Merged into /opt/sankofa-portal/.env by: # scripts/deployment/sankofa-portal-merge-it-read-api-env-from-repo.sh # IT_READ_API_URL=http://192.168.11.11:8787 # IT_READ_API_KEY= # --- Fastly --- FASTLY_API_TOKEN= # --- Network / UniFi / Omada --- PUBLIC_IP= PROXMOX_HOST_FOR_TEST= UNIFI_UDM_URL= UNIFI_API_KEY= UNIFI_API_MODE= UNIFI_SITE_ID= UNIFI_VERIFY_SSL= OMADA_API_KEY= OMADA_CLIENT_SECRET= # --- Gitea --- GITEA_URL= GITEA_TOKEN= GITEA_ORG= # NPMplus upstream for gitea.d-bis.org (primary + fourth scripts). Defaults in config/ip-addresses.conf: VMID 104 @ .31:80 # GITEA_PUBLIC_UPSTREAM_HOST=192.168.11.31 # GITEA_PUBLIC_UPSTREAM_PORT=80 # Dev-local Gitea on VM 5700 instead: GITEA_PUBLIC_UPSTREAM_HOST=192.168.11.59 GITEA_PUBLIC_UPSTREAM_PORT=3000 # --- Database & app auth --- DATABASE_URL= JWT_SECRET= JWT_REFRESH_SECRET= JWT_EXPIRES_IN= JWT_REFRESH_EXPIRES_IN= SESSION_SECRET= ADMIN_CENTRAL_API_KEY= DBIS_CENTRAL_URL= ADMIN_JWT_SECRET= # --- Storage (AWS / Azure) --- STORAGE_TYPE= STORAGE_PATH= AWS_REGION= AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= AWS_S3_BUCKET= AZURE_STORAGE_CONNECTION_STRING= AZURE_STORAGE_CONTAINER= # --- Pinata (IPFS pinning; token logos) --- # Dashboard: https://app.pinata.cloud — API Keys → JWT or key/secret. # scripts/upload-token-logos-to-ipfs.sh uses PINATA_JWT only (Bearer for pinFileToIPFS). PINATA_JWT= PINATA_API_KEY= PINATA_API_SECRET= # --- Blockchain / SMOM-DBIS-138 (use smom-dbis-138/.env for PRIVATE_KEY) --- PRIVATE_KEY= # Chain 138 Core (deploy/gas/scripts on LAN): http://192.168.11.211:8545 — IP:port; not FQDN. See docs/04-configuration/RPC_ENDPOINTS_MASTER.md RPC_URL_138= # Public JSON-RPC for frontends, bridges, MetaMask: HTTPS FQDN only, e.g. https://rpc-http-pub.d-bis.org (not 192.168.11.221). LAN-only services may use http://192.168.11.221:8545 RPC_URL_138_PUBLIC= # Token-aggregation publication bundle (explorer): deploy script uses TOKEN_AGG_CHAIN138_RPC_URL if set, else defaults to public node — see scripts/deploy-token-aggregation-for-publication.sh # TOKEN_AGG_CHAIN138_RPC_URL= # Optional PMM-only RPC for GET /api/v1/quote on-chain path (core RPC while indexer uses public) # TOKEN_AGGREGATION_PMM_RPC_URL= # TOKEN_AGGREGATION_PMM_QUERY_TRADER= # Router-v2 execution stack (Chain 138 canonical live deployment) ENHANCED_SWAP_ROUTER_V2_ADDRESS=0xF1c93F54A5C2fc0d7766Ccb0Ad8f157DFB4C99Ce INTENT_BRIDGE_COORDINATOR_V2_ADDRESS=0x7D0022B7e8360172fd9C0bB6778113b7Ea3674E7 CHAIN138_ENABLE_DODO_V3_EXECUTION=1 # Chain 138 multi-provider venues (canonical live deployment) UNISWAP_V3_ROUTER=0xde9cD8ee2811E6E64a41D5F68Be315d33995975E UNISWAP_QUOTER_ADDRESS=0x6abbB1CEb2468e748a03A00CD6aA9BFE893AFa1f UNISWAP_V3_WETH_USDT_POOL=0xa893add35aEfe6A6d858EB01828bE4592f12C9F5 UNISWAP_V3_WETH_USDC_POOL=0xEC745bfb6b3cd32f102d594E5F432d8d85B19391 UNISWAP_V3_WETH_USDT_FEE=500 UNISWAP_V3_WETH_USDC_FEE=500 BALANCER_VAULT=0x96423d7C1727698D8a25EbFB88131e9422d1a3C3 BALANCER_WETH_USDT_POOL_ID=0x877cd220759e8c94b82f55450c85d382ae06856c426b56d93092a420facbc324 BALANCER_WETH_USDC_POOL_ID=0xd8dfb18a6baf9b29d8c2dbd74639db87ac558af120df5261dab8e2a5de69013b CURVE_3POOL=0xE440Ec15805BE4C7BabCD17A63B8C8A08a492e0f ONEINCH_ROUTER=0x500B84b1Bc6F59C1898a5Fe538eA20A758757A4F CHAIN138_DEPLOY_GAS_PRICE_WEI=1000 # Chain 138 upstream-native Uniswap v3 replacement track CHAIN138_UNISWAP_V3_NATIVE_CORE_REPO=/home/intlc/projects/uniswap-v3-core CHAIN138_UNISWAP_V3_NATIVE_PERIPHERY_REPO=/home/intlc/projects/uniswap-v3-periphery CHAIN138_UNISWAP_V3_NATIVE_FACTORY=0x2f7219276e3ce367dB9ec74C1196a8ecEe67841C CHAIN138_UNISWAP_V3_NATIVE_NFT_DESCRIPTOR_LIBRARY=0x6F5fdE32DD2aC66B27e296EC9D6F4E79A3dE2947 CHAIN138_UNISWAP_V3_NATIVE_TOKEN_DESCRIPTOR=0xca66DCAC4633555033F6fDDBE4234B6913c7ff51 CHAIN138_UNISWAP_V3_NATIVE_POSITION_MANAGER=0x31b68BE5af4Df565Ce261dfe53D529005D947B48 CHAIN138_UNISWAP_V3_NATIVE_SWAP_ROUTER=0xde9cD8ee2811E6E64a41D5F68Be315d33995975E CHAIN138_UNISWAP_V3_NATIVE_QUOTER_V2=0x6abbB1CEb2468e748a03A00CD6aA9BFE893AFa1f CHAIN138_UNISWAP_V3_NATIVE_WETH_USDT_POOL=0xa893add35aEfe6A6d858EB01828bE4592f12C9F5 CHAIN138_UNISWAP_V3_NATIVE_WETH_USDC_POOL=0xEC745bfb6b3cd32f102d594E5F432d8d85B19391 CHAIN138_UNISWAP_V3_NATIVE_FEE_TIER=500 CHAIN138_NATIVE_GAS_PRICE=1000 CHAIN138_NATIVE_DEPLOY_GAS_LIMIT=12000000 CHAIN138_NATIVE_POOL_TX_GAS_LIMIT=12000000 CHAIN138_NATIVE_WETH9=0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 CHAIN138_NATIVE_USDT=0x004b63A7B5b0E06f6bB6adb4a5F9f590BF3182D1 CHAIN138_NATIVE_USDC=0x71D6687F38b93CCad569Fa6352c876eea967201b CHAIN138_NATIVE_CURRENCY_LABEL=ETH CHAIN138_UNISWAP_V3_INITIAL_USD_PER_WETH=2116.6 CHAIN138_UNISWAP_V3_SEED_WETH_USDT_WETH=50 CHAIN138_UNISWAP_V3_SEED_WETH_USDT_STABLE=105830 CHAIN138_UNISWAP_V3_SEED_WETH_USDC_WETH=50 CHAIN138_UNISWAP_V3_SEED_WETH_USDC_STABLE=105830 # Cross-chain flash infra (Chain 138) FLASH_UNIVERSAL_CCIP_BRIDGE=0xCd42e8eD79Dc50599535d1de48d3dAFa0BE156F8 FLASH_CCIP_ROUTER=0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817 FLASH_REPAY_RECEIVER_ROUTER=0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817 FLASH_VAULT_CREDIT_ROUTER=0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817 CROSS_CHAIN_FLASH_BRIDGE_ADAPTER=0xBe9e0B2d4cF6A3b2994d6f2f0904D2B165eB8ffC CROSS_CHAIN_FLASH_REPAY_RECEIVER=0xD084b68cB4B1ef2cBA09CF99FB1B6552fd9b4859 CROSS_CHAIN_FLASH_VAULT_CREDIT_RECEIVER=0x89F7a1fcbBe104BeE96Da4b4b6b7d3AF85f7E661 # Optional same-chain ERC-3156 flash dry-run inputs (set when a canonical flash vault is deployed / approved) FLASH_VAULT= FLASH_VAULT_TOKEN= FLASH_PROVIDER_RPC_URL= FLASH_TEST_AMOUNT= # XDC Zero — second relayer pair (XDC Network mainnet <-> Chain 138). See docs/03-deployment/CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK.md and config/xdc-zero/ # Use XDC mainnet JSON-RPC only (chain id 50), not Ethereum L1. Prefer erpc (rpc.xinfin.network often returns 5xx). XDC_PARENTNET_URL=https://erpc.xinfin.network # Testnet (Apothem): https://rpc.apothem.network # Optional alias for 138 side (defaults to RPC_URL_138 in preflight if unset): XDC_ZERO_PEER_RPC_URL= # Ethereum L1 — used for dual-anchor attestation with scripts/omnl/omnl-chain138-attestation-tx.sh (consumes ETH gas). Alias: RPC_URL_MAINNET. ETHEREUM_MAINNET_RPC= # Mainnet DODO PMM + optional TRUU volatile rail (see docs/03-deployment/MAINNET_PMM_TRUU_CWUSD_PEG_AND_BOT_RUNBOOK.md) # Canonical integration: 0xa9F284eD010f4F7d7F8F201742b49b9f58e29b84 DODO_PMM_INTEGRATION_MAINNET= # --- Mainnet Aave flash quote-push (cWUSDC/USDC peg / rebalance without wallet USDC) --- # If the deployer wallet already has USDC + cWUSDC: bash scripts/deployment/apply-mainnet-cwusdc-usdc-peg-tranche-from-wallet.sh --dry-run | --apply # Receiver only: bash scripts/deployment/deploy-mainnet-aave-quote-push-receiver.sh --dry-run | --apply # Deploy: bash scripts/deployment/deploy-mainnet-aave-quote-push-stack.sh --dry-run | --apply # Treasury manager: bash scripts/deployment/deploy-mainnet-quote-push-treasury-manager.sh --dry-run | --apply # One shot: bash scripts/deployment/run-mainnet-aave-cwusdc-quote-push-once.sh --dry-run | --apply # Keeper: bash scripts/deployment/run-mainnet-aave-quote-push-keeper.sh --dry-run | --apply # Loop: FLASH_LOOP_COUNT=3 bash scripts/deployment/run-mainnet-aave-cwusdc-quote-push-loop.sh --dry-run | --apply # Forge sources: smom-dbis-138/script/flash/RunMainnetAaveCwusdcUsdcQuotePushOnce.s.sol # Modeling (no chain writes): scripts/deployment/run-mainnet-cwusdc-flash-quote-push-model-sweep.sh # Optional sweep tuning: FLASH_MODEL_GAS_TX_COUNT FLASH_MODEL_GAS_PER_TX FLASH_MODEL_MAX_POST_TRADE_DEV_BPS AAVE_QUOTE_PUSH_RECEIVER_MAINNET=0x241cb416aaFC2654078b7E2376adED2bDeFbCBa2 # QUOTE_PUSH_UNWINDER_TYPE=two_hop_dodo # or dodo_univ3 / two_hop_dodo_univ3; lets the runner auto-pick the latest real broadcast unwinder after --apply QUOTE_PUSH_EXTERNAL_UNWINDER_MAINNET=0xaB74B4369e5603085A58FDa181E9B43617C6a58f FLASH_QUOTE_AMOUNT_RAW=200000 # MIN_OUT_UNWIND_BUFFER_RAW=0 # route-specific override for two_hop_dodo_univ3; the recovered three-leg path can clear with zero buffer while the legacy 5000 raw default clips it # UNWIND_MODE: 0 = Uniswap V3 exactInputSingle (set UNWIND_V3_FEE_U24); 1 = DODO pool (UNWIND_DODO_POOL); # 2 = Uniswap V3 exactInput packed path hex (UNWIND_V3_PATH_HEX) when no direct pool — see UniswapV3ExternalUnwinder. # 6 = TwoHopDodoToUniswapV3MultiHopExternalUnwinder (UNWIND_TWO_HOP_* + UNWIND_INTERMEDIATE_TOKEN + UNWIND_V3_PATH_HEX) UNWIND_MODE=4 # UNWIND_V3_FEE_U24= # UNWIND_V3_PATH_HEX=0x... # UNWIND_MODE=2 — build: bash scripts/verify/build-uniswap-v3-exact-input-path-hex.sh # UNWIND_DODO_POOL= UNWIND_TWO_HOP_POOL_A=0xe944b7Cb012A0820c07f54D51e92f0e1C74168DB UNWIND_TWO_HOP_POOL_B=0x27f3aE7EE71Be3d77bAf17d4435cF8B895DD25D2 UNWIND_TWO_HOP_MID_TOKEN=0xaF5017d0163ecb99d9B5D94e3b4D7b09Af44D8AE UNWIND_MIN_MID_OUT_RAW=1 # UNWIND_INTERMEDIATE_TOKEN=0xdAC17F958D2ee523a2206206994597C13D831ec7 # UNWIND_MIN_INTERMEDIATE_OUT_RAW=1 # Retained-surplus recycle / treasury manager policy: # QUOTE_PUSH_RECEIVER_OWNER=0x... # Live migration shortcut: # bash scripts/deployment/deploy-mainnet-aave-quote-push-receiver.sh --apply # AAVE_QUOTE_PUSH_RECEIVER_MAINNET= QUOTE_PUSH_TREASURY_TAKE_RECEIVER_OWNERSHIP=1 bash scripts/deployment/deploy-mainnet-quote-push-treasury-manager.sh --apply # QUOTE_PUSH_TREASURY_MANAGER_MAINNET=0x... # QUOTE_PUSH_TREASURY_OWNER=0x... # QUOTE_PUSH_TREASURY_OPERATOR=0x... # QUOTE_PUSH_TREASURY_GAS_RECIPIENT=0x... # QUOTE_PUSH_TREASURY_RECYCLE_RECIPIENT=0x... # QUOTE_PUSH_RECEIVER_RESERVE_RAW=0 # QUOTE_PUSH_TREASURY_RESERVE_RAW=0 # QUOTE_PUSH_TREASURY_TAKE_RECEIVER_OWNERSHIP=1 # QUOTE_PUSH_KEEPER_SKIP_FLASH=0 # QUOTE_PUSH_KEEPER_SKIP_RECYCLE=0 # QUOTE_PUSH_DEPLOYER_GAS_FLOOR_ETH=0.003 # QUOTE_PUSH_OPERATION_BUFFER_ETH=0.0005 # QUOTE_PUSH_NATIVE_TOKEN_PRICE=3200 # Discover V3 pools: bash scripts/verify/probe-uniswap-v3-cwusdc-usdc-mainnet.sh # Optional min-out overrides (script derives from pool query + Aave premium when unset): # MIN_OUT_PMM= # MIN_OUT_UNWIND= # AAVE_FLASH_PREMIUM_BPS=5 # UniswapV3ExternalUnwinder expects legacy SwapRouter exactInputSingle (not SwapRouter02 multicall). # UNISWAP_V3_SWAP_ROUTER_MAINNET=0xE592427A0AEce92De3Edee1F18E0157C05861564 # cWUSDT/cWUSDC public PMM on mainnet (see cross-chain-pmm-lps/config/deployment-status.json); override if redeployed: # POOL_CWUSDT_CWUSDC_MAINNET=0xe944b7Cb012A0820c07f54D51e92f0e1C74168DB # Optional public flash-lender candidates for no-broadcast dry-runs on Ethereum mainnet. # Balancer mainnet vault is documented in smom-dbis-138/docs/bridge/trustless/ENV_VARIABLES_REFERENCE.md. MAINNET_BALANCER_VAULT=0xBA12222222228d8Ba445958a75a0704d566BF2C8 # Aave V3 Ethereum mainnet pool/provider, verified on-chain 2026-04-05 via ADDRESSES_PROVIDER() and FLASHLOAN_PREMIUM_TOTAL(). MAINNET_AAVE_V3_POOL=0x87870Bca3F3fD6335C3F4ce8392D69350B4fA4E2 MAINNET_AAVE_V3_POOL_ADDRESSES_PROVIDER=0x2f39d218133AFaB8F2B819B1066c7E434Ad94E9e # Optional overrides (defaults match deployment-status.json / scripts) TRUU_MAINNET= PMM_TRUU_FEE_BPS= PMM_TRUU_K= # Optional extra cast check in scripts/verify/check-mainnet-pmm-peg-bot-readiness.sh PMM_TRUU_BASE_TOKEN= PMM_TRUU_QUOTE_TOKEN= # Override initial DODO i for new pools only if governance changes baseline (top-up script default) PMM_TRUU_INITIAL_I= WORMHOLE_API_KEY= WORMHOLE_EXECUTOR_URL=https://executor.labsapis.com WORMHOLE_EXECUTOR_TESTNET_URL=https://executor-testnet.labsapis.com CHAIN_651940_RPC_URL= ETHERLINK_RPC_URL= TEZOS_RPC_URL= ETHERSCAN_API_KEY= ETHERLINK_CCIP_SELECTOR= TEZOS_BRIDGE_ENABLED= ETHERLINK_BRIDGE_ENABLED= TEZOS_RELAY_ORACLE_KEY= ETHERLINK_RELAY_BRIDGE= ETHERLINK_RELAY_PRIVATE_KEY= JUMPER_API_KEY= ONEINCH_API_KEY= # Optional: 1inch dev API base (default https://api.1inch.dev/swap/v6.0) — see packages/economics-toolkit/src/swap-engine/oneinch-quote.ts ONEINCH_API_URL= DODO_API_KEY= DODO_SECRET_KEY= DODO_DEVELOPER_API_KEY= # Optional: hosted DODO SmartTrade swap URL (default https://api.dodoex.io/route-service/developer/swap) DODO_QUOTE_URL= # Optional override for hosted DODO quote probes; if unset, scripts derive USER_ADDR # from PRIVATE_KEY and fall back to the standard deployer wallet. USER_ADDR= MOONPAY_API_KEY= MOONPAY_SECRET_KEY= RAMP_NETWORK_API_KEY= ONRAMPER_API_KEY= # --- Changelly Exchange API v2 (Chain 138 → mainnet → BTC payout pathway; backend only) --- # Docs: https://docs.changelly.com/ — register keys via pro@changelly.com # Private key: PEM file on server or KMS reference; never expose to frontend builds. CHANGELLY_API_PUBLIC_KEY= CHANGELLY_API_PRIVATE_KEY_PEM_PATH= # --- Canonical GRU / D-WIN token surfaces used by PMM, reporting, and staged x402 cutover --- CUSDT_V2_ADDRESS_138= CUSDC_V2_ADDRESS_138= CAUSDT_ADDRESS_138=0x5fdDF65733e3d590463F68f93Cf16E8c04081271 CUSDW_ADDRESS_138= AUSDT_ADDRESS_651940=0x015B1897Ed5279930bC2Be46F661894d219292A6 CAXAUC_ADDRESS_651940= CAXAUT_ADDRESS_651940= CWAXAUC_ADDRESS_651940= CWAXAUT_ADDRESS_651940= USDW_ADDRESS_25= # Optional: CMC "USD DWIN" native USDW (post-migration); canonical pins are config/token-mapping-multichain.json -> dwinUsdWinPublic USDW_DWIN_BSC= USDW_DWIN_POLYGON= CWAUSDT_ADDRESS_56=0xe1a51Bc037a79AB36767561B147eb41780124934 CWAUSDT_ADDRESS_137=0xf12e262F85107df26741726b074606CaFa24AAe7 CWAUSDT_ADDRESS_43114=0xff3084410A732231472Ee9f93F5855dA89CC5254 CWAUSDT_ADDRESS_42220=0xC158b6cD3A3088C52F797D41f5Aa02825361629e CWUSDW_ADDRESS_56= CWUSDW_ADDRESS_137= CWUSDW_ADDRESS_43114= USDW_WRAP_VAULT_56= USDW_WRAP_VAULT_137= USDW_NATIVE_ADDRESS_56= USDW_NATIVE_ADDRESS_137= # Legacy wrapped-token aliases still seen in smom-dbis-138/.env and accepted by token-aggregation: CWUSDW_BSC= CWUSDW_AVALANCHE= # --- cW* bridge role grants (scripts/deployment/grant-cw-bridge-roles-on-chain.sh) --- # Optional: legacy gas price wei, or percent bump over cast gas-price (default 150). Mainnet/L2s need this when base fee spikes. # CW_GRANT_GAS_PRICE_WEI= # CW_GRANT_GAS_BUMP_PCT=150 # --- WEMIX3.0 mainnet (chain id 1111) --- # Official RPC (HTTPS): https://docs.wemix.com/en/quick-start/start-node/use-public-api-server-rpc # Swap on-chain to native WEMIX for gas after assets are on 1111: https://wemix.fi/swap # No in-repo route for ETH/BNB/POL → WEMIX; see docs/03-deployment/WEMIX_ACQUISITION_TABLED.md WEMIX_RPC=https://api.wemix.com # WEMIX_MAINNET_RPC= # alias also read by grant-cw-bridge-roles-on-chain.sh # --- GRU deployer funding gates (check-gru-v2-deployer-funding-status.sh, check-full-deployment-status.sh) --- # Arbitrum native balance must exceed this wei threshold or a funding blocker is raised. Set to 0 to skip (planning/CI only). # GRU_FUNDING_ARBITRUM_THRESHOLD_WEI=440872740000000000 # --- GRU Transport / cW hard-peg bridge controls (Chain 138 -> public chains) --- # Canonical L1 bridge env used by the GRU transport overlay and token-aggregation. CHAIN138_L1_BRIDGE= # Legacy alias still used by some deployment helpers. CW_L1_BRIDGE_CHAIN138= CW_BRIDGE_MAINNET= CW_BRIDGE_CRONOS= CW_BRIDGE_BSC= CW_BRIDGE_POLYGON= CW_BRIDGE_GNOSIS= CW_BRIDGE_CELO= CW_BRIDGE_AVALANCHE= CW_BRIDGE_BASE= CW_BRIDGE_ARBITRUM= CW_BRIDGE_OPTIMISM= CW_BRIDGE_WEMIX= CW_RESERVE_VERIFIER_CHAIN138= CW_STABLECOIN_RESERVE_VAULT= CW_RESERVE_SYSTEM= CW_ATTACH_VERIFIER_TO_L1=1 CW_REQUIRE_VAULT_BACKING= CW_REQUIRE_RESERVE_SYSTEM_BALANCE= CW_REQUIRE_TOKEN_OWNER_MATCH_VAULT= CW_CANONICAL_USDT= CW_CANONICAL_USDC= CW_USDT_RESERVE_ASSET= CW_USDC_RESERVE_ASSET= CW_MAX_OUTSTANDING_BTC_MAINNET=2100000000000000 CW_MAX_OUTSTANDING_USDT_MAINNET=10000000000000 CW_MAX_OUTSTANDING_USDC_MAINNET=10000000000000 CW_MAX_OUTSTANDING_USDT_CRONOS= CW_MAX_OUTSTANDING_USDC_CRONOS= CW_MAX_OUTSTANDING_USDT_BSC= CW_MAX_OUTSTANDING_USDC_BSC= CW_MAX_OUTSTANDING_AUSDT_BSC= CW_MAX_OUTSTANDING_USDT_POLYGON= CW_MAX_OUTSTANDING_USDC_POLYGON= CW_MAX_OUTSTANDING_AUSDT_POLYGON= CW_MAX_OUTSTANDING_USDT_GNOSIS= CW_MAX_OUTSTANDING_USDC_GNOSIS= CW_MAX_OUTSTANDING_USDT_CELO= CW_MAX_OUTSTANDING_USDC_CELO= CW_MAX_OUTSTANDING_AUSDT_CELO= CW_MAX_OUTSTANDING_USDT_AVALANCHE= CW_MAX_OUTSTANDING_USDC_AVALANCHE= CW_MAX_OUTSTANDING_AUSDT_AVALANCHE= CW_MAX_OUTSTANDING_USDT_BASE= CW_MAX_OUTSTANDING_USDC_BASE= CW_MAX_OUTSTANDING_USDT_ARBITRUM= CW_MAX_OUTSTANDING_USDC_ARBITRUM= CW_MAX_OUTSTANDING_USDT_OPTIMISM= CW_MAX_OUTSTANDING_USDC_OPTIMISM= CW_MAX_OUTSTANDING_WEMIX_WEMIX= CW_FREEZE_AVAX_L2_CONFIG= # --- Alerts & monitoring --- SLACK_WEBHOOK_URL= PAGERDUTY_INTEGRATION_KEY= EMAIL_ALERT_API_URL= EMAIL_ALERT_RECIPIENTS= SENTRY_DSN= # --- dbis_core IRU / marketplace outbound mail (optional; Proxmox Mail Proxy VMID 100 = 192.168.11.32) --- # EMAIL_PROVIDER=smtp # SMTP_HOST=192.168.11.32 # SMTP_PORT=587 # SMTP_SECURE=false # SMTP_USER= # SMTP_PASSWORD= # EMAIL_FROM= # EMAIL_FROM_NAME=SolaceNet # DBIS_SALES_EMAIL= # --- Legal / e-signature --- E_SIGNATURE_BASE_URL= # --- OTC / exchanges (dbis_core) --- CRYPTO_COM_API_KEY= CRYPTO_COM_API_SECRET= CRYPTO_COM_ENVIRONMENT= BINANCE_API_KEY= BINANCE_API_SECRET= KRAKEN_API_KEY= KRAKEN_PRIVATE_KEY= OANDA_API_KEY= OANDA_ACCOUNT_ID= OANDA_ENVIRONMENT= FXCM_API_TOKEN= # --- Price / market data --- COINGECKO_API_KEY= COINDESK_API_KEY= COINMARKETCAP_API_KEY= DEXSCREENER_API_KEY= # --- Mifos / Fineract / OMNL --- MIFOS_BASE_URL= MIFOS_TENANT= MIFOS_USER= MIFOS_PASSWORD= MIFOS_INSECURE= OMNL_FINERACT_BASE_URL= OMNL_FINERACT_TENANT= OMNL_FINERACT_USER= OMNL_FINERACT_PASSWORD= # --- Phoenix / Sankofa / OMNIS backend --- SANKOFA_PHOENIX_API_URL= SANKOFA_PHOENIX_CLIENT_ID= SANKOFA_PHOENIX_CLIENT_SECRET= SANKOFA_PHOENIX_TENANT_ID= # Corporate apex (sankofa.nexus) → CT 7806 when provisioned (default in ip-addresses stays portal until set) # IP_SANKOFA_PUBLIC_WEB=192.168.11.63 # Optional consolidated hub (non-chain web + API path router). Defaults in ip-addresses.conf match discrete CTs until overridden. # IP_SANKOFA_WEB_HUB= # SANKOFA_WEB_HUB_PORT=80 # IP_SANKOFA_PHOENIX_API_HUB= # SANKOFA_PHOENIX_API_HUB_PORT=8080 # When API hub nginx is live on Phoenix CT (7800), LAN smoke: curl -sS http://${IP_SANKOFA_PHOENIX_API:-192.168.11.50}:8080/health # NPM fleet (phoenix.sankofa.nexus): set 8080 when Tier-1 API hub nginx is live (production); leave unset only for break-glass direct :4000. SANKOFA_NPM_PHOENIX_PORT=8080 # Hub listen port for LAN smoke scripts (distinct from SANKOFA_PHOENIX_API_HUB_PORT / Apollo): # SANKOFA_API_HUB_LISTEN_PORT=8080 # WebSocket upgrade smoke (curl HTTP 101): pnpm run verify:phoenix-graphql-wss # Optional second probe to hub on LAN: PHOENIX_WSS_INCLUDE_LAN=1 (needs load-project-env / IP_SANKOFA_PHOENIX_API) # Phoenix CT 7800 — bind Apollo to loopback after hub uses 127.0.0.1:4000: scripts/deployment/ensure-sankofa-phoenix-apollo-bind-loopback-7800.sh # LAN verify prefers hub :8080 when reachable; optional direct :4000 check: SANKOFA_VERIFY_PHOENIX_DIRECT_PORT=1 # Optional if hub CT IP differs from IP_SANKOFA_PHOENIX_API: # IP_SANKOFA_NPM_PHOENIX_API=192.168.11.xx # dbis_core behind NPM (+ optional hub): set TRUST_PROXY=1 and TRUST_PROXY_HOPS (1 or 2) in dbis_core .env — see dbis_core/.env.example # --- Frontend / MetaMask / Explorer --- VITE_WALLETCONNECT_PROJECT_ID= VITE_THIRDWEB_CLIENT_ID= VITE_ETHERSCAN_API_KEY= VITE_SENTRY_DSN= VITE_API_URL= VITE_API_BASE_URL= NEXT_PUBLIC_API_URL= NEXT_PUBLIC_CHAIN_ID= METAMASK_API_KEY= THIRDWEB_SECRET_KEY= NPM_ACCESS_TOKEN= # --- DeFi aggregators (alltra-lifi-settlement) --- PARASWAP_API_KEY= ZEROX_API_KEY= # --- ProxmoxVE API (MongoDB) --- MONGO_USER= MONGO_PASSWORD= MONGO_IP= MONGO_PORT= MONGO_DATABASE= # --- Chain138 RPC (config) --- CHAIN138_RPC_URL= RPC_URL_138_FIREBLOCKS= WS_URL_138_FIREBLOCKS= CHAIN_ID_138= # --- PMM soak grid (6534 wallets; operator funding scripts) --- # Runbook: docs/11-references/CHAIN138_GRID_6534_WALLET_FUNDING_PLAN.md # Optional stable RPC for long runs (avoids LAN Core flaps during thousands of cast sends): # PMM_SOAK_RPC_URL_OVERRIDE=https://rpc-http-pub.d-bis.org # Full-grid resume orchestrator: start at this leg only (native|mint|cusdt|cusdc|mirr_usdt|mirr_usdc) # PMM_SOAK_START_LEG= # Skip native when every wallet already funded (max linear index is 6533; use 6534 to skip native): # PMM_SOAK_RESUME_NATIVE_FROM_LINEAR= # Per-chunk progress/ETA in pmm-soak-operator-fund-grid.sh (0 = quiet except final line per chunk): # PMM_SOAK_FUND_PROGRESS_EVERY=50 # PMM_SOAK_FUND_CHUNK=250 # --- @proxmox/economics-toolkit (path-check / exec broadcast; operator LAN only) --- # Validate checked-in strategy JSON: pnpm run economics:validate (optional: pip install check-jsonschema for schema pass) # Optional: same as PRIVATE_KEY for guarded swap broadcast (see packages/economics-toolkit/config/executor-allowlist.example.json). # ECONOMICS_EXEC_PRIVATE_KEY= # Set to 1 to broadcast after successful simulation (default is dry-run). # ECONOMICS_EXEC_APPLY= # POST JSON when path-check clears economics gate (optional). # ECONOMICS_ALERT_WEBHOOK= # Per-chain RPC override for economics-toolkit gas-quote: ECONOMICS_GAS_RPC_1=, ECONOMICS_GAS_RPC_56=, etc. # (Listed chain IDs are CR/LF-stripped when using scripts/lib/load-project-env.sh — same as RPC_URL_138.) # ECONOMICS_GAS_SKIP_USD=1 Skip CoinGecko; print native gas cost only # Optional: economics-toolkit gas-budget derives EOA from this if --address omitted (else PRIVATE_KEY) # ECONOMICS_GAS_BUDGET_PRIVATE_KEY= # --- Phoenix deploy API --- PORT= GITEA_TOKEN= # --- Optional / per-service --- MARKET_REPORTING_API_KEY= E_FILING_ENABLED= NODE_ENV=