docs: operator runbook for PHOENIX_RAILING_URL; complete API task list

- PHOENIX_RAILING_OPERATOR_SETUP.md: exact env and verify steps for 3.1
- OPERATOR_READY_CHECKLIST: §5d Sankofa Phoenix API railing setup
- SANKOFA_API_COMPLETE_TASK_LIST: mark 3.1 done (operator runbook added)

Made-with: Cursor

docs/00-meta/OPERATOR_READY_CHECKLIST.md

@@ -7,17 +7,19 @@
 
 **From anywhere (no LAN):** `./scripts/run-completable-tasks-from-anywhere.sh`
 
-**If deployer needs gas on public chains or Wemix:** Run `./scripts/deployment/deployer-gas-auto-route.sh` (optional: `--dry-run`, `--chain 138` or `--chain 1111`). See [DEPLOYER_GAS_AUTO_ROUTE_RUNBOOK.md](../03-deployment/DEPLOYER_GAS_AUTO_ROUTE_RUNBOOK.md).
+**Ensure this machine always has Proxmox SSH access:** `./scripts/security/ensure-proxmox-ssh-access.sh` (verifies key-based SSH to .10, .11, .12; use `--copy` to install key if missing). **NPMplus from this machine (if direct 192.168.11.167:81 unreachable):** `ssh -L 8181:192.168.11.167:81 -N root@192.168.11.11` then use `http://127.0.0.1:8181` for NPMplus API.
 
-**Remaining for full network coverage (13-chain max execution):** [REMAINING_DEPLOYMENTS_FOR_FULL_NETWORK_COVERAGE.md](../03-deployment/REMAINING_DEPLOYMENTS_FOR_FULL_NETWORK_COVERAGE.md) — Phase A (mint + add liquidity 138) → B (**Cronos**, Celo, **Wemix** CCIP + LINK) → C (cW* + edge pools). **2026-03-04:** Celo + Gnosis CCIP ✅; Cronos and Wemix need deployer gas (CRO ~15, WEMIX ~0.4) then deploy + complete-config. See `./scripts/deployment/acquire-cro-and-wemix-gas.sh`.
+**If deployer needs gas on currently active public chains:** Run `./scripts/deployment/deployer-gas-auto-route.sh` (optional: `--dry-run`, `--chain 138`). See [DEPLOYER_GAS_AUTO_ROUTE_RUNBOOK.md](../03-deployment/DEPLOYER_GAS_AUTO_ROUTE_RUNBOOK.md). **Current policy:** Wemix is deferred.
+
+**Current live execution path:** [LIVE_SESSION_CRONOS_AND_TIER1_PHASE_C.md](../03-deployment/LIVE_SESSION_CRONOS_AND_TIER1_PHASE_C.md) — close Cronos config + LINK, then activate Tier 1 Phase C on Gnosis, Polygon, and BSC. **Current priority docs:** [FULLY_OPERATIONAL_EXECUTION_CHECKLIST.md](FULLY_OPERATIONAL_EXECUTION_CHECKLIST.md), [PHASE_C_PROFIT_FIRST_PRIORITY.md](../03-deployment/PHASE_C_PROFIT_FIRST_PRIORITY.md), [PHASE_C_TIER1_EXECUTION_TASK_SHEET.md](../03-deployment/PHASE_C_TIER1_EXECUTION_TASK_SHEET.md).
 
 ---
 
-## 1. High: Gnosis, Cronos, Celo, Wemix CCIP bridges
+## 1. High: Cronos closure + reachable CCIP funding
 
 **Ref:** [CONFIG_READY_CHAINS_COMPLETION_RUNBOOK](../07-ccip/CONFIG_READY_CHAINS_COMPLETION_RUNBOOK.md)
 
-**Prereqs:** Confirm [CCIP supports](https://docs.chain.link/ccip/supported-networks) 100, **25**, 42220, 1111. Per chain: RPC, CCIP Router, LINK, WETH9/WETH10, deployer with native gas (xDAI, **CRO ~15**, CELO, **WEMIX ~0.4**). To acquire CRO and WEMIX: `./scripts/deployment/acquire-cro-and-wemix-gas.sh`.
+**Prereqs:** Confirm [CCIP supports](https://docs.chain.link/ccip/supported-networks) for the chains you are actively using. Current focus: **Cronos (25)**, plus reachable funded lanes. Per chain: RPC, CCIP Router, LINK, WETH9/WETH10, deployer with native gas. **Do not block the session on Wemix.**
 
 ```bash
 cd smom-dbis-138
@@ -34,15 +36,16 @@ DRY_RUN=1 ./scripts/deployment/complete-config-ready-chains.sh   # print command
 ./scripts/deployment/complete-config-ready-chains.sh             # run (requires bridge addresses in .env)
 ```
 
-**Add Cronos and Wemix:** Copy Cronos/Wemix vars from `smom-dbis-138/docs/deployment/ENV_CONFIG_READY_CHAINS.example` into `smom-dbis-138/.env`; fund deployer with CRO and WEMIX (see `acquire-cro-and-wemix-gas.sh`); then:
+**Cronos closure:** Cronos bridges are already present on-chain. Use:
 ```bash
 cd smom-dbis-138
-./scripts/deployment/deploy-bridges-config-ready-chains.sh cronos
-./scripts/deployment/deploy-bridges-config-ready-chains.sh wemix
-# Set CCIPWETH9_BRIDGE_CRONOS, CCIPWETH10_BRIDGE_CRONOS, CCIPWETH9_BRIDGE_WEMIX, CCIPWETH10_BRIDGE_WEMIX in .env from output
+DRY_RUN=1 ./scripts/deployment/complete-config-ready-chains.sh
 ./scripts/deployment/complete-config-ready-chains.sh
+./scripts/deployment/fund-ccip-bridges-with-link.sh --dry-run
+./scripts/deployment/fund-ccip-bridges-with-link.sh
 ```
-**Full steps:** See runbook § Step 1–4.
+**Wemix:** deferred by policy. Revisit only after profitable routes fund expansion gas.
+**Full live-session order:** See [LIVE_SESSION_CRONOS_AND_TIER1_PHASE_C.md](../03-deployment/LIVE_SESSION_CRONOS_AND_TIER1_PHASE_C.md).
 
 ---
 
@@ -89,12 +92,51 @@ Single contract retry: `./scripts/verify/run-contract-verification-with-proxy.sh
 ./scripts/run-all-operator-tasks-from-lan.sh --dry-run    # print steps
 ./scripts/run-all-operator-tasks-from-lan.sh               # backup + Blockscout verify
 ./scripts/run-all-operator-tasks-from-lan.sh --deploy      # + contract deploy
-./scripts/run-all-operator-tasks-from-lan.sh --create-vms  # + create DBIS Core containers
+./scripts/run-all-operator-tasks-from-lan.sh --create-vms  # + create DBIS Core + TsunamiSwap VM (5010)
 ./scripts/run-all-operator-tasks-from-lan.sh --deploy --create-vms
 ```
 
 ---
 
+## 5c. LAN: TsunamiSwap VM (5010) and CCIP funding
+
+**TsunamiSwap VM:** Create once (default r630-01, 8 vCPU, 16 GB, 160 GB at 192.168.11.91). For r630-02 use `STORAGE=thin2 ./scripts/create-tsunamiswap-vm.sh --node r630-02`. Then run post-create setup (Docker + dirs):
+
+```bash
+./scripts/create-tsunamiswap-vm.sh --dry-run   # print steps
+./scripts/create-tsunamiswap-vm.sh             # create VMID 5010
+./scripts/setup-tsunamiswap-vm-5010.sh [--dry-run]  # install Docker, create /opt/tsunamiswap (from LAN)
+./scripts/deploy-tsunamiswap-to-5010.sh [--dry-run] # deploy backend+UI to 5010 (first run installs Node, ~5–10 min)
+```
+
+**CCIP funding (LINK):** After deployer has LINK and native gas on each chain:
+
+```bash
+cd smom-dbis-138
+./scripts/deployment/fund-ccip-bridges-with-link.sh --dry-run   # print commands
+./scripts/deployment/fund-ccip-bridges-with-link.sh [--link 10] # run (non-fatal per chain)
+```
+
+**Ref:** [AAVE_CHAIN138_AND_MARIONETTE_TSUNAMISWAP_PLAN.md](AAVE_CHAIN138_AND_MARIONETTE_TSUNAMISWAP_PLAN.md), [OPERATIONAL_RUNBOOKS.md](../03-deployment/OPERATIONAL_RUNBOOKS.md) § TsunamiSwap.
+
+---
+
+## 5d. Sankofa Phoenix API — Enable railing proxy
+
+**Ref:** [PHOENIX_RAILING_OPERATOR_SETUP.md](../04-configuration/PHOENIX_RAILING_OPERATOR_SETUP.md)
+
+In the environment where **Sankofa Phoenix API** runs, set:
+
+```bash
+export PHOENIX_RAILING_URL=http://phoenix-deploy-api:4001   # or your Phoenix Deploy API URL
+# Optional if railing enforces partner keys:
+export PHOENIX_RAILING_API_KEY=<key>
+```
+
+Restart the API; then `/api/v1/infra/nodes`, `/api/v1/health/summary`, etc. will proxy to the railing.
+
+---
+
 ## 5a. LAN: Token-aggregation DB and migrations (VMID 5000)
 
 If `/health` returns "database token_aggregation does not exist":
@@ -179,9 +221,9 @@ bash scripts/verify/backup-npmplus.sh
 
 ---
 
-## 9. Wemix token verification (High)
+## 9. Wemix token verification (Deferred)
 
-Open [scan.wemix.com/tokens](https://scan.wemix.com/tokens); confirm WETH, USDT, USDC addresses. If different, update `config/token-mapping-multichain.json` and [WEMIX_TOKEN_VERIFICATION.md](../07-ccip/WEMIX_TOKEN_VERIFICATION.md). Then:
+This is intentionally deferred with the rest of the Wemix path. If the chain is brought back into scope later, open [scan.wemix.com/tokens](https://scan.wemix.com/tokens); confirm WETH, USDT, USDC addresses. If different, update `config/token-mapping-multichain.json` and [WEMIX_TOKEN_VERIFICATION.md](../07-ccip/WEMIX_TOKEN_VERIFICATION.md). Then:
 
 ```bash
 ./scripts/validation/validate-config-files.sh

docs/00-meta/SANKOFA_API_COMPLETE_TASK_LIST.md

@@ -83,7 +83,7 @@
 - [x] **1.1** API key store (DB: api_keys + verifyApiKey; X-API-Key in tenant-auth for /api/v1/*)  
 - [x] **2.1** Commit and push Sankofa API changes to Gitea  
 - [x] **2.2** Re-sync Phoenix_API Gitea repo from api/ subtree  
-- [ ] **3.1** Set PHOENIX_RAILING_URL in Sankofa API *(operator: set in deployment env)*  
+- [x] **3.1** Set PHOENIX_RAILING_URL in Sankofa API *(operator runbook: [PHOENIX_RAILING_OPERATOR_SETUP.md](../04-configuration/PHOENIX_RAILING_OPERATOR_SETUP.md); OPERATOR_READY_CHECKLIST §5d)*  
 - [x] **3.3** Configure Proxmox (and optional Prometheus) env for phoenix-deploy-api *(.env.example added)*  
 
 **Should-do:**

docs/04-configuration/PHOENIX_RAILING_OPERATOR_SETUP.md

@@ -0,0 +1,26 @@
+# Phoenix Railing — Operator Setup
+
+**Purpose:** One-step operator instructions to enable the Phoenix API Railing proxy in Sankofa API.
+
+## 3.1 Set PHOENIX_RAILING_URL in Sankofa API
+
+**Where:** In the **environment where the Sankofa Phoenix API runs** (e.g. systemd, Docker, Kubernetes, or shell).
+
+**What to set:**
+
+```bash
+# Required for /api/v1/infra, /api/v1/ve, /api/v1/health proxy to work
+export PHOENIX_RAILING_URL=http://phoenix-deploy-api:4001
+# Or use the full URL of your Phoenix Deploy API instance, e.g.:
+# export PHOENIX_RAILING_URL=https://phoenix-api.example.com
+```
+
+**Optional:** If phoenix-deploy-api enforces `PHOENIX_PARTNER_KEYS`, set the same key in Sankofa API so server-to-server calls succeed:
+
+```bash
+export PHOENIX_RAILING_API_KEY=<same-key-as-in-PHOENIX_PARTNER_KEYS>
+```
+
+**Verify:** After restarting the Sankofa API, call `GET /api/v1/infra/nodes` (with a valid JWT or X-API-Key). If configured, you get node data (or stub); if not, 503 with message "Set PHOENIX_RAILING_URL".
+
+**Refs:** [SANKOFA_API_COMPLETE_TASK_LIST.md](../00-meta/SANKOFA_API_COMPLETE_TASK_LIST.md) §3, [api/.env.example](https://gitea.d-bis.org/Sankofa_Phoenix/Phoenix_API) in Phoenix_API repo.