feat: SolaceNet gateway rails, IRU marketplace hardening, and docs

- Gateway adapter registry, rails routes, optional SOLACENET_GATEWAY_RAILS_ENFORCE; HTTP integration tests.
- IRU marketplace: rate limits, public routes, notifications/SMTP env docs; marketplace UI constants and flows.
- Quantum proxy legacy protocol types; debank/tezos/GSDS touch-ups; .env.example operator notes.
- SolaceNet doc set (gaps, runbooks, telecom schema example).

Tests: npm run test:iru-marketplace, npm run test:gateway (pass).
Note: full-repo tsc still reports unrelated legacy errors outside this change set.
Made-with: Cursor

.env.example

@@ -22,11 +22,55 @@ EMAIL_ALERT_RECIPIENTS=
 CRYPTO_COM_API_KEY=
 CRYPTO_COM_API_SECRET=
 
+# ----------------------------------------------------------------------------
+# API behind reverse proxy (rate limits, logging)
+# TRUST_PROXY=1
+
+# ----------------------------------------------------------------------------
+# IRU marketplace — rate limits (optional; sensible defaults in code)
+# With TRUST_PROXY=1, limits key on real client IP from X-Forwarded-For.
+# IRU_MARKETPLACE_INQUIRY_WINDOW_MS=900000
+# IRU_MARKETPLACE_INQUIRY_MAX=10
+# IRU_MARKETPLACE_PUBLIC_WINDOW_MS=60000
+# IRU_MARKETPLACE_PUBLIC_MAX=200
+# Jest disables limits when IRU_MARKETPLACE_RATE_LIMIT_IN_TEST=1 (set in tests only)
+
+# ----------------------------------------------------------------------------
+# IRU / marketplace email (notification.service)
+# Default provider is SMTP (EMAIL_PROVIDER=smtp). On Proxmox LAN use the Mail Proxy VM:
+#   VMID 100 — 192.168.11.32 (hostname proxmox-mail-gateway) — ports 25, 587, 465
+#   See: proxmox repo docs/04-configuration/ALL_VMIDS_ENDPOINTS.md (Mail Proxy note)
+# EMAIL_PROVIDER=smtp
+# SMTP_HOST=192.168.11.32
+# SMTP_PORT=587
+# SMTP_SECURE=false
+# Lab relay with private CA: SMTP_TLS_REJECT_UNAUTHORIZED=false
+# SMTP_USER=
+# SMTP_PASSWORD=
+# EMAIL_FROM=noreply@yourdomain.tld
+# EMAIL_FROM_NAME=SolaceNet
+# DBIS_SALES_EMAIL=sales@yourdomain.tld
+# Or: EMAIL_PROVIDER=sendgrid | ses (set EMAIL_API_KEY / AWS creds per integration)
+
+# ----------------------------------------------------------------------------
+# SolaceNet — gateway rails (optional enforcement)
+# ----------------------------------------------------------------------------
+# When 1|true, POST/GET rail adapter endpoints require capability gateway-microservices.
+# SOLACENET_GATEWAY_RAILS_ENFORCE=0
+# Tenant for policy checks if not in x-tenant-id / body.tenantId:
+# SOLACENET_DEFAULT_TENANT_ID=system
+# Optional NDJSON audit file for allow/deny (create directory; rotate externally):
+# SOLACENET_GATEWAY_AUDIT_LOG_PATH=/var/log/dbis/gateway-rails-audit.ndjson
+# POST .../rails/:id/validate|receive — extra per-IP limit (default 120/min):
+# GATEWAY_RAIL_MUTATE_WINDOW_MS=60000
+# GATEWAY_RAIL_MUTATE_MAX=120
+# Jest / integration: disable rail mutate limiter
+# GATEWAY_RAIL_RATE_LIMIT_IN_TEST=1
+
 # ----------------------------------------------------------------------------
 # Other (add as needed from dbis_core code)
 # ----------------------------------------------------------------------------
 CHAIN138_RPC_URL=https://rpc-core.d-bis.org
 # ADMIN_CENTRAL_API_KEY=
 # VAULT_ROOT_TOKEN=
-# DBIS_SALES_EMAIL=
 # etc.