# Verification Scripts

Scripts for ingress, NPMplus, DNS, and source-of-truth verification.

## Dependencies

Required tools (install before running):

| Tool | Purpose | Install |
|------|---------|---------|
| `bash` | Shell (4.0+) | Default on most systems |
| `curl` | API calls, HTTP | `apt install curl` |
| `jq` | JSON parsing | `apt install jq` |
| `dig` | DNS resolution | `apt install dnsutils` |
| `openssl` | SSL certificate inspection | `apt install openssl` |
| `ssh` | Remote execution | `apt install openssh-client` |
| `ss` | Port checking | `apt install iproute2` |
| `systemctl` | Service status | System (systemd) |
| `sqlite3` | Database backup | `apt install sqlite3` |

Optional (recommended for automation): `sshpass`, `rsync`, `screen`, `tmux`, `htop`, `shellcheck`, `parallel`. See [docs/11-references/APT_PACKAGES_CHECKLIST.md](../../docs/11-references/APT_PACKAGES_CHECKLIST.md) § Automation / jump host. One-line install (Debian/Ubuntu): `sudo apt install -y sshpass rsync dnsutils iproute2 screen tmux htop shellcheck parallel`

| Tool | Purpose |
|------|---------|
| `wscat` or `websocat` | WebSocket testing (manual verification) |

## Scripts

- `backup-npmplus.sh` - Full NPMplus backup (database, API exports, certificates)
- `check-contracts-on-chain-138.sh` - Check that Chain 138 deployed contracts have bytecode on-chain (`cast code` for 31 addresses; requires `cast` and RPC access). Use `[RPC_URL]` or env `RPC_URL_138`; `--dry-run` lists addresses only (no RPC calls); `SKIP_EXIT=1` to exit 0 when RPC unreachable.
- `generate-contract-verification-publish-matrix.mjs` - Generates the repo-wide all-network contract verification/publication backlog from `config/smart-contracts-master.json` and `cross-chain-pmm-lps/config/deployment-status.json`. Writes `reports/status/contract_verification_publish_matrix.json` and `docs/11-references/CONTRACT_VERIFICATION_AND_PUBLICATION_MATRIX_ALL_NETWORKS.md`.
- `generate-crosschain-publication-packs.mjs` - Groups the requested cross-chain publication packs (`ethereum-mainnet`, `optimism`, `bsc`, `polygon`, `base`) from the generated matrix and writes `reports/status/publication-packs/*/{pack.json,README.md}`.
- `check-publication-pack-explorer-status.mjs` - Queries the Etherscan-family explorers for the five publication packs and writes `reports/status/publication-pack-explorer-status.json` plus `docs/11-references/PUBLICATION_PACK_EXPLORER_STATUS.md`. Requires `ETHERSCAN_API_KEY`. The markdown intentionally shows `Unknown` counts so pack closure is not overstated.
- `generate-publication-actionable-backlog.mjs` - Separates the five requested publication packs into `auto-submittable`, `manual-or-external`, and `inventory/reference` buckets. Writes `reports/status/publication-actionable-backlog.json` and `docs/11-references/PUBLICATION_ACTIONABLE_BACKLOG.md`.
- `check-chain138-x402-readiness.sh` - RPC + explorer smoke plus **ERC-2612 / ERC-3009** on default **V2 then V1** USD tokens; `--strict` exits non-zero if not x402-ready. See [CHAIN138_X402_TOKEN_SUPPORT.md](../../docs/04-configuration/CHAIN138_X402_TOKEN_SUPPORT.md).
- `check-chain138-token-permit-support.sh` - **cast** checks **permit / ERC-3009** per token; defaults match x402 script (V2 then V1). Use for [CHAIN138_X402_TOKEN_SUPPORT.md](../../docs/04-configuration/CHAIN138_X402_TOKEN_SUPPORT.md).
- `validate-address-registry-xe-aliases.mjs` - Validates `web3_eth_iban` aliases in institutional registry examples (or paths you pass) using `web3-eth-iban`. Run: `node scripts/verify/validate-address-registry-xe-aliases.mjs`.
- `check-public-report-api.sh` - Verify token-aggregation report + networks JSON (not Blockscout). Probes `/api/v1/networks` first, then `/token-aggregation/api/v1/networks`, and uses the working prefix for all checks. Use `SKIP_EXIT=1` for diagnostic-only mode.
  Set `SKIP_BRIDGE_ROUTES=0`, `SKIP_BRIDGE_PREFLIGHT=0`, or `SKIP_GAS_REGISTRY=0` for bridge and gas-rollout assertions.
- `check-info-defi-oracle-public.sh` - After publishing `info-defi-oracle-138/dist/`, confirms the public host serves the real Vite SPA (detects generic placeholder pages), `/agents`, and static agent files (`llms.txt`, `agent-hints.json`, `robots.txt`, `sitemap.xml`). Optional `jq` validates `agent-hints.json`. Set `INFO_SITE_BASE` for a non-default URL. If `/` passes but static paths look wrong through Cloudflare, run `scripts/cloudflare/purge-info-defi-oracle-cache.sh` (or `pnpm run cloudflare:purge-info-defi-oracle-cache`).
- `pmm-swap-quote-chain138.sh` - **On-chain PMM quote** for **`swapExactIn`**: calls `querySellBase` / `querySellQuote` on the DODO pool (not the REST `/quote` xy=k estimate). Prints **99% / 95% / 90% `minAmountOut`** and a **`cast send`** example. Requires **`cast`** + **`bc`**. Defaults: `RPC_URL_138`, pool `PMM_QUOTE_POOL` (or `0x9e89…40dC` cUSDT/cUSDC), trader `DEPLOYER_ADDRESS`. Example: `bash scripts/verify/pmm-swap-quote-chain138.sh --token-in 0x93E6…f22 --amount-in 100000000`.
- `check-token-aggregation-chain138-api.sh` - Hits tokens, pools, quote, `bridge/routes`, `bridge/status`, `bridge/preflight`, and networks on both `/api/v1/*` and `/token-aggregation/api/v1/*`, then probes planner-v2 on `/token-aggregation/api/v2/*` for provider capabilities, route selection, the live DODO v3 pilot execution path through `EnhancedSwapRouterV2`, and the public route-tree depth sanity for the funded canonical `cUSDC/USDC` DODO pool. `BASE_URL=https://explorer.d-bis.org` (default) or `http://192.168.11.140`.
- `check-dodo-api-chain138-route-support.sh` - Probes official DODO docs/contract inventory plus hosted SmartTrade quote support for Chain 138.
  Hosted quote probes read `DODO_API_KEY` (fallbacks: `DODO_SECRET_KEY`, `DODO_DEVELOPER_API_KEY`) and derive `USER_ADDR` from `PRIVATE_KEY` by default, so placing the DODO developer key in the root `.env` or exported shell alongside the deployer `PRIVATE_KEY` is the canonical repo path.
- `check-dodo-v3-planner-visibility-chain138.sh` - Verifies the Chain 138 DODO v3 / D3MM pilot is promoted into planner-v2 capability and route-matrix visibility, and that the canonical pilot pair now emits `EnhancedSwapRouterV2` executable calldata.
- `check-gru-transport-preflight.sh` - Operator-focused GRU runtime preflight. Calls `/api/v1/bridge/preflight`, prints blocked pairs with `eligibilityBlockers` / `runtimeMissingRequirements`, and fails unless all active pairs are runtime-ready or `ALLOW_BLOCKED=1` is set.
- `check-gru-v2-d3mm-expansion-status.sh` - Summarizes the GRU v2 / D3MM public-EVM rollout posture against the explicit chain-by-chain expansion plan, including whether bootstrap-ready chains already have tracked first-tier pool scaffolds.
- `build-gru-v2-first-tier-pool-scaffolds.sh` - Builds the canonical `config/gru-v2-first-tier-pool-scaffolds.json` inventory for missing first-tier public PMM rows. Use `--write` to refresh the tracked file.
- `print-gru-v2-first-tier-pool-scaffolds.sh` - Prints ad-hoc scaffold snippets for selected chain IDs. Useful for operator copy/paste, but the canonical tracked source is `config/gru-v2-first-tier-pool-scaffolds.json`.
- `report-mainnet-deployer-liquidity-and-routes.sh` - Read-only snapshot: deployer **ETH / USDC / USDT / cWUSDC / cWUSDT** balances, **DODO integration allowances**, **Balancer** vault USDC/USDT balances, **Aave V3** available USDC/USDT under aTokens (flash premium bps), **Curve 3pool** USDC/USDT depth, **Uniswap V3** USDC/USDT 0.01%/0.05% pool liquidity, **DODO PMM** reserves for all Mainnet `cWUSDT`/`cWUSDC` pairs in `deployment-status.json`, and a pointer for **1inch/DODO** keys.
  Requires `cast`, `jq`, `PRIVATE_KEY` (address derivation only).
- `plan-mainnet-usdt-usdc-via-cw-paths.sh` - Read-only Mainnet routing map: `cWUSDT/USDT`, `cWUSDC/USDC`, `cWUSDT/USDC`, `cWUSDC/USDT`, and **`cWUSDT/cWUSDC`** (`0xe944…68DB`), with two-hop and three-hop USDT↔USDC path recipes and optional `--with-examples` dry-run command lines.
- `run-mainnet-cwusdc-usdc-ladder-steps-1-3.sh` - Operator helper for the current staged Mainnet `cWUSDC/USDC` ladder. Runs preflight, prints the staged matched top-up dry-run, executes dry-runs for steps 1-3, and verifies the expected matched reserve state after each rebalance without sending any live flash swaps. Optional **`PMM_FLASH_EXIT_PRICE_CMD`** overrides the default `printf 1.12` for `--external-exit-price-cmd` (see `print-mainnet-cwusdc-usdc-pmm-sellbase-implied-price.sh` for on-chain pool-implied diagnostics only).
- `check-public-pmm-dry-run-readiness.sh` - Read-only checklist: mainnet `cWUSDT`/`cWUSDC` pools, `ETHEREUM_MAINNET_RPC` / `DODO_PMM_INTEGRATION_MAINNET`, Balancer and Aave V3 flash liquidity snapshots, Chain 138 flash-candidate note, and suggested `pmm-flash-push-break-even.mjs` templates.
- `print-mainnet-cwusdc-usdc-pmm-sellbase-implied-price.sh` - Prints one number: implied gross USDC per cWUSDC for a base sell size, using `getVaultReserve` + `_LP_FEE_RATE_` (same fallback as `run-mainnet-public-dodo-cw-swap.sh` when `querySellBase` reverts). Args: `[base_raw] [pool_address]`; pool defaults to canonical public `cWUSDC/USDC` vault or env **`PMM_CWUSDC_USDC_IMPLIED_PRICE_POOL`**. **Not** a real external unwind quote.
- `print-mainnet-cwusdc-external-exit-quote.sh` - Prints one number: **hosted** gross USDC per cWUSDC from **DODO SmartTrade** or **1inch v6** for mainnet `cWUSDC→USDC` at a raw base amount. Args: `dodo|1inch [base_raw]`.
  Keys: **`DODO_API_KEY`** (or `DODO_SECRET_KEY` / `DODO_DEVELOPER_API_KEY`) or **`ONEINCH_API_KEY`**; optional **`DODO_QUOTE_URL`**, **`ONEINCH_API_URL`**, **`DODO_SLIPPAGE`**, **`DODO_USER_ADDRESS`**. Use as `--external-exit-price-cmd` for execution-grade dry-runs. Same quoting logic as `packages/economics-toolkit` (`dodo-quote.ts`, `oneinch-quote.ts`). Alternative: `pnpm exec economics-toolkit swap-quote --engine oneinch|dodo --chain-id 1 --rpc … --token-in … --token-out … --amount-in …`.
- `check-gas-public-pool-status.sh` - Operator-focused gas-native rollout summary. Combines the active GRU transport gas lanes with `cross-chain-pmm-lps/config/deployment-status.json`, then reports per-lane DODO wrapped-native and stable-quote pool state, Uniswap v3 reference visibility, 1inch exposure, and runtime/env blockers. The summary now distinguishes active vs deferred gas transport pairs, so deferred lanes such as `wemix` do not pollute the active counts. Use `--json` for machine-readable output.
- `check-gas-rollout-deployment-matrix.sh` - Cross-checks the gas-family rollout against live bytecode on Chain 138 and the destination chains. Reports which canonical contracts, mirrored contracts, bridge refs, verifier refs, and vault refs are actually live, includes the deployed generic gas verifier on Chain 138 when present, distinguishes active vs deferred gas transport pairs, resolves each lane's CCIP selector, checks whether the live Chain 138 bridge has that destination wired, and classifies the observed L1 bridge read surface as `full_accounting`, `partial_destination_only`, `admin_only`, or `unknown_or_incompatible`. Use `--json` for machine-readable output.
- `../deployment/print-gas-l1-destination-wiring-commands.sh` - Prints the exact `configureDestination(address,uint64,address,bool)` commands still required on the live Chain 138 `CWMultiTokenBridgeL1` for the active gas-native rollout lanes.
  Uses the same active transport overlay and selector metadata as the deployment matrix. Use `--json` for machine-readable output.
- `../deployment/run-gas-l1-destination-wiring.sh` - Operator-ready wrapper for the same 10 active gas-lane `configureDestination(address,uint64,address,bool)` writes on the live Chain 138 bridge. Dry-run by default; only broadcasts when `EXECUTE_GAS_L1_DESTINATIONS=1` is set.
- `check-gru-global-priority-rollout.sh` - Compares the ranked GRU global-priority currency rollout queue against the current repo state: live manifest, `c* -> cW*` mapping, and transport overlay. Use `--wave=wave1` to focus on the next promotion wave or `--json` for machine-readable output.
- `check-gru-v2-public-protocols.sh` - Canonical GRU v2 public-network status surface. Summarizes the desired public EVM cW mesh, loaded cW suites, Wave 1 transport state, and the current public-protocol truth for `Uniswap v3`, `Balancer`, `Curve 3`, `DODO PMM`, and `1inch`. Use `--json` for machine-readable output or `--write-explorer-config` to regenerate `explorer-monorepo/backend/api/rest/config/metamask/GRU_V2_PUBLIC_DEPLOYMENT_STATUS.json`.
- `check-gru-v2-deployment-queue.sh` - Operator-grade deployment queue for what is left to finish the public-network GRU v2 rollout. Breaks the remaining work down by Wave 1 asset, destination chain, and protocol stage, and now includes a blocker `resolutionMatrix` for missing cW suites, pending Wave 1 transport, public pool rollout, protocol staging, backlog assets, and Solana. Use `--json` for machine-readable output or `--write-explorer-config` to regenerate `explorer-monorepo/backend/api/rest/config/metamask/GRU_V2_DEPLOYMENT_QUEUE.json`.
- `check-gru-v2-d3mm-expansion-status.sh` - Expansion-focused status summary for the explicit GRU v2 / D3MM public-EVM rollout order.
  Reads `config/gru-v2-d3mm-network-expansion-plan.json`, `cross-chain-pmm-lps/config/deployment-status.json`, and `cross-chain-pmm-lps/config/pool-matrix.json`, then reports which priority chains are already live-first-tier, only partially live, bootstrap-ready, or still blocked. Use `--json` for machine-readable output.
- `print-gru-v2-first-tier-pool-scaffolds.sh` - Prints JSON snippets for the missing first-tier public PMM rows from the GRU v2 / D3MM expansion plan. This is scaffold output only: replace the zero pool address and keep `publicRoutingEnabled=false` until the pool is actually deployed and seeded.
- `check-gru-v2-deployer-funding-status.sh` - Current deployer-wallet funding posture for the remaining GRU v2 rollout. Checks Mainnet, Cronos, Arbitrum, and Chain 138 balances, then flags the live funding blockers for public deployment work and canonical Chain 138 liquidity seeding. Use `--json` for machine-readable output.
- `check-cw-evm-deployment-mesh.sh` - Reports the public EVM cW token deployment mesh recorded in `smom-dbis-138/.env`: expected 12-token suites per chain, missing addresses, and on-chain bytecode presence when RPCs are available. Current expected result is `10/11` loaded targets with `10/10` full sets across Mainnet, Optimism, Cronos, BSC, Gnosis, Polygon, Base, Arbitrum, Celo, and Avalanche; `Wemix` remains the only desired target without a loaded cW suite.
- `check-cw-public-pool-status.sh` - Reads `cross-chain-pmm-lps/config/deployment-status.json` and reports how many chains have cW tokens, bridge availability, and any recorded public-chain `pmmPools`. Current expected result is that the tracked `cW*` token mesh exists on several chains and the first Mainnet DODO PMM pool wave is recorded (including `cWUSDT/cWUSDC` and the first six non-USD Wave 1 rows), while the broader public-chain mesh remains incomplete.
- `check-mainnet-public-dodo-cw-bootstrap-pools.sh` - Verifies the eleven recorded Mainnet DODO `cW*` bootstrap pools (including **`cwusdt-cwusdc`**) are still mapped by the integration, have non-zero reserves, and remain dry-run routable through `run-mainnet-public-dodo-cw-swap.sh`.
- `check-mainnet-pmm-peg-bot-readiness.sh` - Reads `cross-chain-pmm-lps/config/deployment-status.json` (chain `1`), confirms `eth_chainId` is 1, checks integration mapping and reserves for each recorded pool, and flags USD-class cW vs USDC/USDT reserve imbalance against `peg-bands.json`. Optional: `PMM_TRUU_BASE_TOKEN` + `PMM_TRUU_QUOTE_TOKEN`, `MIN_POOL_RESERVE_RAW`, `SKIP_EXIT=1`. See [MAINNET_PMM_TRUU_CWUSD_PEG_AND_BOT_RUNBOOK.md](../../docs/03-deployment/MAINNET_PMM_TRUU_CWUSD_PEG_AND_BOT_RUNBOOK.md). Included in `check-full-deployment-status.sh` when `ETHEREUM_MAINNET_RPC` and `DODO_PMM_INTEGRATION_MAINNET` are set (after `load-env`).
- `../deployment/deploy-mainnet-pmm-cw-truu-pool.sh` - Mainnet DODO PMM: create and seed **cWUSDT/TRUU** or **cWUSDC/TRUU** (`TRUU_MAINNET` defaults to canonical Truth token). Defaults: fee 30 bps, `k=0.5e18`, TWAP off. Requires correct `--initial-price` (DODO `i`). Use `--dry-run` first.
- `../deployment/add-mainnet-truu-pmm-topup.sh` - Add liquidity to an **existing** cW/TRUU pool using max wallet balances that fit the reference USD ratio (see runbook section 11). Exits 0 if either leg balance is zero.
- `../deployment/compute-mainnet-truu-liquidity-amounts.sh` - Given **USD per leg**, prints `base_raw` / `quote_raw` and suggested `deploy-mainnet-pmm-cw-truu-pool.sh` lines for cWUSDT/TRUU and cWUSDC/TRUU (runbook section 11.1).
- `../deployment/add-mainnet-truu-pmm-fund-both-pools.sh` - Funds **both** volatile pools sequentially with optional `--reserve-bps` (runbook: partial add + trading inventory).
- `../deployment/compute-mainnet-truu-pmm-seed-amounts.sh` - Given **USD notional per leg** and **TRUU/USD** (per full token), prints `--base-amount` / `--quote-amount` for equal **dollar** liquidity on each side (not equal raw 1:1 tokens). See `MAINNET_PMM_TRUU_CWUSD_PEG_AND_BOT_RUNBOOK.md` section 9.
- `check-full-deployment-status.sh` - Aggregates the current full-deployment posture across config validation, the Chain 138 canonical on-chain inventory, public token-aggregation health, GRU v2 readiness, the GRU global rollout queue, the GRU v2 public-protocol matrix, the deployer-funding gate, the public EVM cW token mesh, the gas-native c* / cW* rollout summary, and the public-chain cW* pool graph. It fails until the remaining deployment blockers are cleared; use `SKIP_EXIT=1` or `--json` for reporting.
- `../deployment/run-progressive-router-v2-swaps-chain138.sh` - Live operator swap ladder for the public Chain 138 planner-v2 path. Fetches `/token-aggregation/api/v2/routes/internal-execution-plan`, ensures allowance, executes router-v2 calldata on-chain, and prints actual in/out for a progressive set of USD notionals (default: `10 50 100 250 500 1000`). Requires `PRIVATE_KEY`; optional `BASE_URL`, `RPC_URL_138`, `ENHANCED_SWAP_ROUTER_V2_ADDRESS`.
- `check-cstar-v2-transport-stack.sh` - Predeploy Forge verifier for the `c* V2` bridge stack. Runs the base V2 token suite, legacy reserve-verifier compatibility suite, V2 reserve/verifier full L1/L2 round-trip suite, and the core `CWMultiTokenBridge` round-trip suite.
- `check-gru-v2-chain138-readiness.sh` - Live Chain 138 readiness gate for the deployed `cUSDT V2` / `cUSDC V2` addresses. Verifies bytecode, GRU registry activation, V2 identity/signing surface, `forwardCanonical`, IPFS-backed `tokenURI`, and the governance/supervision metadata ABI expected by the latest GRU V2 standards.
- `run-repo-green-test-path.sh` - Local deterministic green-path aggregate behind root `pnpm test`.
  Runs config validation, then the focused `smom-dbis-138` contract and service CI targets.
- `audit-npmplus-ssl-all-instances.sh` - Audits the documented NPMplus fleet for `no_certificate`, `expired`, `cert_domain_mismatch`, `missing_cert_record`, and `ssl_not_forced`. `ssl_not_forced` is expected for RPC / WebSocket-style hosts where plain HTTP or non-browser clients must keep working.
- `../nginx-proxy-manager/fix-npmplus-ssl-issues.sh` - Applies the primary NPMplus SSL remediation: enables Force SSL + HSTS for browser-facing hosts that already have certs, and requests or reuses certificates for hosts missing them or bound to the wrong certificate. It intentionally leaves Force SSL off for RPC / WebSocket endpoints such as `rpc-core.d-bis.org`, `rpc.defi-oracle.io`, and `wss.*`.
- `xdc-zero-chain138-preflight.sh` - `eth_chainId` HTTP checks for `XDC_PARENTNET_URL`/`PARENTNET_URL` and `RPC_URL_138`; optional `ETHEREUM_MAINNET_RPC`, `BSC_RPC_URL`. See [CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK](../../docs/03-deployment/CHAIN138_XDC_ZERO_BRIDGE_RUNBOOK.md).
- `../xdc-zero/merge-endpointconfig-chain138.sh` - Merge `chain138` into XDC-Zero `endpointconfig.json` and append `xdcparentnet.registers` from fragments. Pass path to `endpointconfig.json` or `XDC_ZERO_ENDPOINT_DIR`; `--dry-run`. See [config/xdc-zero/README.md](../../config/xdc-zero/README.md).
- `../xdc-zero/deploy-endpoint-chain138.sh` - Hardhat deploy Endpoint stack to `--network chain138` (`XDC_ZERO_REPO`, `PRIVATE_KEY`). See [scripts/xdc-zero/README.md](../xdc-zero/README.md).
- `../xdc-zero/run-xdc-zero-138-operator-sequence.sh` - Prints full XDC Zero + 138 operator order.
- `../validation/validate-xdc-zero-config.sh` - `jq` parse check for `config/xdc-zero/*.json`.
- `check-completion-status.sh` - One-command summary of repo-completable checks, public report API health, and pointers to operator/external remaining work.
  Set `INCLUDE_INFO_DEFI_PUBLIC_VERIFY=1` to also run `check-info-defi-oracle-public.sh` (needs HTTPS to `INFO_SITE_BASE` / production).
- `reconcile-env-canonical.sh` - Emit recommended .env lines for Chain 138 (canonical source of truth); use to reconcile `smom-dbis-138/.env` with [CONTRACT_ADDRESSES_REFERENCE](../../docs/11-references/CONTRACT_ADDRESSES_REFERENCE.md). Usage: `./scripts/verify/reconcile-env-canonical.sh [--print]`
- `print-gas-runtime-env-canonical.sh` - Emit the non-secret gas-lane runtime env scaffold from `gru-transport-active.json` plus live canonical `totalSupply()` on Chain 138. Uses per-lane gas caps from the registry, defaults outstanding / escrowed to the current canonical supply, defaults treasury-backed / treasury-cap to `0`, and leaves the active gas verifier envs commented until the live L1 bridge is explicitly attached.
- `check-deployer-balance-blockscout-vs-rpc.sh` - Compare deployer native balance from Blockscout API vs RPC (to verify index matches current chain); see [EXPLORER_AND_BLOCKSCAN_REFERENCE](../../docs/11-references/EXPLORER_AND_BLOCKSCAN_REFERENCE.md)
- `sync-blockscout-address-labels-from-registry.sh` - Plan or sync Blockscout address labels from `address-registry-entry` JSON (`config/dbis-institutional/schemas/address-registry-entry.schema.json`: `blockscout.label`, `status: active`). Supports `--mode=http`, `--mode=db`, and `--mode=auto`; on the self-hosted Chain 138 explorer, `db` is the right live mode because `/api/v1/*` is token-aggregation, not a native Blockscout label-write API. DB mode writes primary labels into Blockscout `public.address_names` through CT `5000`. See `config/dbis-institutional/README.md` and [OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md](../../docs/03-deployment/OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md).
- `check-dependencies.sh` - Verify required tools (bash, curl, jq, openssl, ssh)
- `export-cloudflare-dns-records.sh` - Export Cloudflare DNS records
- `export-npmplus-config.sh` - Export NPMplus proxy hosts and certificates via API
- `generate-source-of-truth.sh` - Combine verification outputs into canonical JSON
- `run-full-verification.sh` - Run full verification suite
- `verify-backend-vms.sh` - Verify backend VMs (status, IPs, nginx configs)
- `verify-end-to-end-routing.sh` - E2E routing verification
- `verify-udm-pro-port-forwarding.sh` - UDM Pro port forwarding checks
- `verify-websocket.sh` - WebSocket connectivity test (requires websocat or wscat)

## Task runners (no LAN vs from LAN)

- **From anywhere (no LAN/creds):** `../run-completable-tasks-from-anywhere.sh` — runs config validation, on-chain contract check, run-all-validation --skip-genesis, public report API diagnostics, reconcile-env-canonical, and the gas runtime env scaffold.
- **Completion snapshot:** `check-completion-status.sh` — summarizes what is complete locally and what still depends on operator or external execution. Optional: `INCLUDE_INFO_DEFI_PUBLIC_VERIFY=1` adds the public info hub check.
- **Full LAN execution order:** `../run-full-operator-completion-from-lan.sh` — starts with the token-aggregation `/api/v1` repair, then Wave 0, verification, E2E, non-fatal **info.defi-oracle.io** public smoke, and optional operator-only deployment steps. Use `--skip-info-public` without outbound HTTPS to the public hostname. Use `--dry-run` first.
- **From LAN (NPM_PASSWORD, optional PRIVATE_KEY):** `../run-operator-tasks-from-lan.sh` — runs W0-1 (NPMplus RPC fix), W0-3 (NPMplus backup), O-1 (Blockscout verification); use `--dry-run` to print commands only. See [ALL_TASKS_DETAILED_STEPS](../../docs/00-meta/ALL_TASKS_DETAILED_STEPS.md).

## Common operator patterns

- **Primary NPMplus SSL audit/fix:** `bash scripts/verify/audit-npmplus-ssl-all-instances.sh` then `bash scripts/nginx-proxy-manager/fix-npmplus-ssl-issues.sh --dry-run` and rerun without `--dry-run` on the primary instance. The scripts now handle both JSON bearer-token auth and cookie-session auth from NPMplus, and the fixer can renew expired cert bindings as well as fill missing certs, wrong-cert bindings, and Force SSL gaps.
- **Tunnel-backed NPM hosts:** if a hostname is publicly served by a proxied Cloudflare tunnel `CNAME` to `*.cfargotunnel.com`, the SSL audit intentionally ignores origin-cert expiry or mismatch on that NPM host. Public TLS is terminated by Cloudflare in that mode, and the tunnel origin uses `noTLSVerify` by design.
- **Other NPMplus instances:** the fleet scripts already assume a shared `NPM_EMAIL` across instances. Rerun the same fix script with `NPM_URL=https://:81` and the matching per-instance password env vars such as `NPM_PASSWORD_SECONDARY`, `NPM_PASSWORD_ALLTRA_HYBX`, `NPM_PASSWORD_FOURTH`, or `NPM_PASSWORD_MIFOS`. If audit shows `auth_failed`, the repo cannot finish that from here without the correct UI password for that instance.
- **Alltra/HYBX tunnel migration:** `bash scripts/cloudflare/configure-alltra-hybx-tunnel-and-dns.sh` is the preferred public-path repair for `rpc-alltra*`, `rpc-hybx*`, `rpc-core-2`, and the related service names on `192.168.11.169`. The script now replaces legacy direct `A` records with proxied tunnel `CNAME`s when needed.
- **RPC TLS mismatch:** if `rpc.defi-oracle.io` has a certificate attached but the browser still reports a hostname mismatch, the fix is to request or assign a certificate whose SAN/CN actually includes `rpc.defi-oracle.io`; Force SSL toggles alone will not fix that.

## Environment

Set variables in `.env` or export before running.
See project root `.env.example` and [docs/04-configuration/VERIFICATION_GAPS_AND_TODOS.md](../../docs/04-configuration/VERIFICATION_GAPS_AND_TODOS.md).
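
The `expired` and `cert_domain_mismatch` findings from the SSL audit, the tunnel-backed exemption, and the reason Force SSL alone does not clear a hostname mismatch, as an added example (not the repo's audit script). The record fields, the decision order, the fixed clock and the sample certificate name lists are constructed assumptions, and `missing_cert_record` is not modelled.

```bash
# Added example, not the repo's audit script; field layout and ordering are assumptions.

# Exit 0 when hostname $1 is covered by certificate name $2.
# A wildcard counts only as the entire left-most label and spans exactly one label.
name_covers_host() (
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$host" = "$name" ] && exit 0
  case "$name" in
    '*.'?*)
      suffix=${name#\*}        # "*.example.org" -> ".example.org"
      first=${host%%.*}        # left-most label of the hostname
      rest=${host#"$first"}    # remainder, including the leading dot
      [ -n "$first" ] && [ "$rest" = "$suffix" ] && exit 0
      ;;
  esac
  exit 1
)

# audit_host HOST CERT_NAMES NOT_AFTER_EPOCH FORCE_SSL TUNNEL NOW_EPOCH
# CERT_NAMES is a comma-separated SAN/CN list; prints findings or "ok".
audit_host() (
  host=$1; names=$2; not_after=$3; force_ssl=$4; tunnel=$5; now=$6
  findings=""
  add() { findings="${findings:+$findings,}$1"; }
  if [ -z "$names" ]; then
    add no_certificate
  elif [ "$tunnel" != 1 ]; then
    # Origin-cert expiry and mismatch are ignored for tunnel-backed hosts.
    [ "$not_after" -le "$now" ] && add expired
    covered=0
    set -f; IFS=,              # split on commas without globbing "*.name"
    for n in $names; do
      name_covers_host "$host" "$n" && covered=1
    done
    [ "$covered" = 1 ] || add cert_domain_mismatch
  fi
  # Force SSL is reported on its own: turning it on never changes the name check.
  [ "$force_ssl" = 1 ] || add ssl_not_forced
  printf '%s\n' "${findings:-ok}"
)

NOW=1700000000   # constructed "current time" so the sample output is stable

# Constructed sample records: host|cert names|notAfter epoch|force_ssl|tunnel
while IFS='|' read -r h names exp force tun; do
  printf '%-22s %s\n' "$h" "$(audit_host "$h" "$names" "$exp" "$force" "$tun" "$NOW")"
done <<'EOF'
rpc.defi-oracle.io|defi-oracle.io,www.defi-oracle.io|1800000000|1|0
rpc.defi-oracle.io|*.defi-oracle.io|1800000000|1|0
a.b.defi-oracle.io|*.defi-oracle.io|1800000000|1|0
rpc.defi-oracle.io|rpc.defi-oracle.io|1600000000|0|0
rpc.defi-oracle.io|old.example.org|1600000000|1|1
app.example.org||0|0|0
EOF
```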