chore(repo): sync operator workspace (config, scripts, docs, multi-chain)

Add optional Cosmos/Engine-X/act-runner templates, CWUSDC/EI-matrix tooling,
non-EVM route planner in multi-chain-execution (tests passing), token list and
extraction updates, and documentation (MetaMask matrix, GRU/CWUSDC packets).

Ignore institutional evidence tarballs/sha256 under reports/status.

Validated with: bash scripts/verify/run-all-validation.sh --skip-genesis

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/dev-vm/act-runner-resource-snapshot.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Quick RAM / Docker snapshot for act_runner CTs (5700 + 5701). Host loadavg inside LXCs
+# tracks the Proxmox host — use docker stats for job CPU when containers are running.
+#
+# Usage:
+#   bash scripts/dev-vm/act-runner-resource-snapshot.sh
+#
+# Env:
+#   PROXMOX_HOST_R630_04 — default 192.168.11.14
+
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf"
+
+PVE="${PROXMOX_HOST_R630_04:-192.168.11.14}"
+
+print_ct() {
+  local vmid="$1"
+  echo "=== CT ${vmid} ==="
+  ssh -o BatchMode=yes -o ConnectTimeout=12 "root@${PVE}" "pct exec ${vmid} -- bash -lc 'hostname; nproc; free -h | head -2; echo loadavg: \$(cat /proc/loadavg); systemctl show act-runner -p MemoryCurrent -p CPUUsageNSec --no-pager 2>/dev/null || true; docker stats --no-stream 2>/dev/null | head -12 || echo \"(no docker stats / no containers)\"'"
+  echo ""
+}
+
+print_ct 5700
+print_ct 5701

scripts/dev-vm/apply-act-runner-config.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Copy repo-managed act_runner YAML to CT 5700 / 5701 and restart services.
+# Requires SSH to the Proxmox node that hosts both CTs (default r630-04).
+#
+# Usage (repo root):
+#   bash scripts/dev-vm/apply-act-runner-config.sh
+#
+# Env:
+#   PROXMOX_HOST_R630_04 — override Proxmox host IP (default 192.168.11.14)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf"
+
+PVE="${PROXMOX_HOST_R630_04:-192.168.11.14}"
+CFG_DIR="${PROJECT_ROOT}/config/gitea-act-runner"
+
+ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PVE}" "pct exec 5700 -- mkdir -p /etc/act_runner"
+ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PVE}" "pct exec 5701 -- mkdir -p /etc/act_runner"
+
+ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PVE}" "pct exec 5700 -- bash -c 'cat > /etc/act_runner/config.yaml'" < "${CFG_DIR}/config-5700-heavy.yaml"
+ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PVE}" "pct exec 5701 -- bash -c 'cat > /etc/act_runner/config.yaml'" < "${CFG_DIR}/config-5701-standard.yaml"
+
+ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PVE}" \
+  "pct exec 5700 -- systemctl restart act-runner && pct exec 5701 -- systemctl restart act-runner"
+
+echo "Applied templates and restarted act-runner on 5700 and 5701 (${PVE})."

scripts/dev-vm/bootstrap-gitea-act-runner-secondary-lan.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Standard runner on CT 5701 (gitea-runner-1): ubuntu-latest / 22.04 / 20.04 for org-wide jobs.
+# Gitea HTTP is on dev-vm — use LAN URL from inside 5701.
+#
+# Usage (repo root with GITEA_TOKEN in .env):
+#   bash scripts/dev-vm/bootstrap-gitea-act-runner-secondary-lan.sh
+
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf"
+
+IP_DEV="${IP_DEV_VM:-192.168.11.59}"
+
+export DEV_VM_VMID="${DEV_VM_VMID:-5701}"
+export GITEA_RUNNER_INSTANCE="${GITEA_RUNNER_INSTANCE:-http://${IP_DEV}:3000}"
+export RUNNER_LABELS="${RUNNER_LABELS:-ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest,ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04,ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04}"
+
+exec bash "${SCRIPT_DIR}/bootstrap-gitea-act-runner.sh"

scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh

@@ -1,70 +1,14 @@
 #!/usr/bin/env bash
-# Site-wide Gitea Actions runner: use admin GITEA_TOKEN from root .env to fetch the
-# instance registration token, then register act_runner on dev-vm (5700) with ubuntu-latest.
-#
-# Requires: SSH to Proxmox (BatchMode), CT 5700 running Gitea + act_runner under /opt/act_runner.
-# Env (from .env via load-project-env): GITEA_TOKEN, optional GITEA_URL, RUNNER_LABELS,
-#   RUNNER_FORCE_REREGISTER=1 to drop .runner and re-register, DEV_VM_VMID (default 5700).
-#
-# Usage (repo root):
-#   bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh
-#   RUNNER_FORCE_REREGISTER=1 bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh
+# Heavy runner on CT 5700 (dev-vm): registers ubuntu-latest-heavy for monorepo / validation workflows.
+# See scripts/dev-vm/bootstrap-gitea-act-runner.sh
 
 set -euo pipefail
-
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
-# Load only root .env + IPs (avoid full load-project-env if another dotenv exits non-zero under set -e).
-[[ -f "${PROJECT_ROOT}/.env" ]] && set -a && source "${PROJECT_ROOT}/.env" && set +a
 [[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf"
-PROXMOX_HOST_R630_01="${PROXMOX_R630_01:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
-PROXMOX_HOST_R630_02="${PROXMOX_R630_02:-${PROXMOX_HOST_R630_02:-192.168.11.12}}"
-PROXMOX_HOST_ML110="${PROXMOX_ML110:-${PROXMOX_HOST_ML110:-192.168.11.10}}"
-get_host_for_vmid() {
-  case "$1" in
-    5000|5700|7810|2201|2303|2401|6200|6201|10234|10237|5800|5801) echo "${PROXMOX_HOST_R630_02}";;
-    5400|5401|5402|5403|5410|5411|5412|5413|5414|5415|5416|5417|5418|5419|5420|5421|5422|5423|5424|5425|5440|5441|5442|5443|5444|5445|5446|5447|5448|5449|5450|5451|5452|5453|5454|5455|5470|5471|5472|5473|5474|5475|5476) echo "${PROXMOX_HOST_R630_02}";;
-    2101|10130|10150|10151|106|107|108|10000|10001|10020|10100|10101|10120|10233|10235) echo "${PROXMOX_HOST_R630_01}";;
-    2301|2400|1504|2503|2504|2505) echo "${PROXMOX_HOST_ML110}";;
-    *) echo "${PROXMOX_HOST_R630_01}";;
-  esac
-}
 
-GITEA_URL="${GITEA_URL:-https://gitea.d-bis.org}"
-GITEA_URL="${GITEA_URL%/}"
-VMID="${DEV_VM_VMID:-5700}"
-RUNNER_LABELS="${RUNNER_LABELS:-ubuntu-latest}"
+export DEV_VM_VMID="${DEV_VM_VMID:-5700}"
+export GITEA_RUNNER_INSTANCE="${GITEA_RUNNER_INSTANCE:-http://127.0.0.1:3000}"
+export RUNNER_LABELS="${RUNNER_LABELS:-ubuntu-latest-heavy:docker://docker.gitea.com/runner-images:ubuntu-latest}"
 
-if [[ -z "${GITEA_TOKEN:-}" ]]; then
-  echo "ERROR: GITEA_TOKEN not set (root .env)." >&2
-  exit 1
-fi
-
-REG_JSON="$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
-  "${GITEA_URL}/api/v1/admin/runners/registration-token")"
-REG_TOKEN="$(printf '%s' "$REG_JSON" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
-if [[ -z "$REG_TOKEN" || "$REG_TOKEN" == "null" ]]; then
-  echo "ERROR: Could not get admin registration token. Response:" >&2
-  printf '%s\n' "$REG_JSON" >&2
-  echo "Ensure GITEA_TOKEN is an admin token with access to GET /api/v1/admin/runners/registration-token" >&2
-  exit 1
-fi
-
-PROXMOX_HOST="$(get_host_for_vmid "$VMID")"
-echo "Using Proxmox host ${PROXMOX_HOST} for VMID ${VMID}."
-
-if [[ "${RUNNER_FORCE_REREGISTER:-0}" == "1" ]]; then
-  ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
-    "pct exec ${VMID} -- bash -lc 'rm -f /opt/act_runner/.runner; systemctl stop act-runner 2>/dev/null || true'"
-fi
-
-# Pass registration token into the container without embedding raw secret in ssh argv (still reversible from b64).
-TB64="$(printf '%s' "$REG_TOKEN" | base64 | tr -d '\n')"
-ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
-  "pct exec ${VMID} -- bash -c 'export GITEA_RUNNER_REGISTRATION_TOKEN=\$(printf %s \"${TB64}\" | base64 -d); export RUNNER_LABELS=\"${RUNNER_LABELS}\"; bash -s'" \
-  < "${SCRIPT_DIR}/setup-act-runner.sh"
-
-ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
-  "pct exec ${VMID} -- bash -s" < "${SCRIPT_DIR}/install-act-runner-systemd.sh"
-
-echo "Done. Check Gitea Admin → Actions → Runners for an online runner with labels including: ${RUNNER_LABELS}"
+exec bash "${SCRIPT_DIR}/bootstrap-gitea-act-runner.sh"

scripts/dev-vm/bootstrap-gitea-act-runner.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# Register/re-register Gitea act_runner on a Proxmox LXC (5700 heavy pool or 5701 standard pool).
+#
+# Env (required unless noted):
+#   GITEA_TOKEN           — admin token (root .env)
+#   DEV_VM_VMID           — default 5700
+#   GITEA_RUNNER_INSTANCE — URL passed to act_runner register --instance (5700: http://127.0.0.1:3000)
+#   RUNNER_LABELS         — comma-separated labels (docker image refs); default set by wrappers
+# Optional:
+#   GITEA_URL             — default https://gitea.d-bis.org
+#   RUNNER_FORCE_REREGISTER=1 — remove .runner before register
+#
+# Usage:
+#   bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh
+#   bash scripts/dev-vm/bootstrap-gitea-act-runner-secondary-lan.sh
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+[[ -f "${PROJECT_ROOT}/.env" ]] && set -a && source "${PROJECT_ROOT}/.env" && set +a
+[[ -f "${PROJECT_ROOT}/config/ip-addresses.conf" ]] && source "${PROJECT_ROOT}/config/ip-addresses.conf"
+
+PROXMOX_HOST_R630_04="${PROXMOX_HOST_R630_04:-192.168.11.14}"
+PROXMOX_HOST_R630_01="${PROXMOX_R630_01:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
+PROXMOX_HOST_R630_02="${PROXMOX_R630_02:-${PROXMOX_HOST_R630_02:-192.168.11.12}}"
+
+get_host_for_vmid() {
+  local vmid="$1"
+  case "$vmid" in
+    5700|5701) echo "${PROXMOX_HOST_R630_04}";;
+    5000|7810|2201|2303|2401|6200|6201|10234|10237|5800|5801) echo "${PROXMOX_HOST_R630_02}";;
+    *) echo "${PROXMOX_HOST_R630_01}";;
+  esac
+}
+
+GITEA_URL="${GITEA_URL:-https://gitea.d-bis.org}"
+GITEA_URL="${GITEA_URL%/}"
+VMID="${DEV_VM_VMID:-5700}"
+GITEA_RUNNER_INSTANCE="${GITEA_RUNNER_INSTANCE:-http://127.0.0.1:3000}"
+
+if [[ -z "${RUNNER_LABELS:-}" ]]; then
+  echo "ERROR: RUNNER_LABELS must be set (use a wrapper script or export explicitly)." >&2
+  exit 1
+fi
+
+if [[ -z "${GITEA_TOKEN:-}" ]]; then
+  echo "ERROR: GITEA_TOKEN not set (root .env)." >&2
+  exit 1
+fi
+
+REG_JSON="$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
+  "${GITEA_URL}/api/v1/admin/runners/registration-token")"
+REG_TOKEN="$(printf '%s' "$REG_JSON" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
+if [[ -z "$REG_TOKEN" || "$REG_TOKEN" == "null" ]]; then
+  echo "ERROR: Could not get admin registration token. Response:" >&2
+  printf '%s\n' "$REG_JSON" >&2
+  exit 1
+fi
+
+PROXMOX_HOST="$(get_host_for_vmid "$VMID")"
+echo "Using Proxmox host ${PROXMOX_HOST} for VMID ${VMID}."
+
+TB64="$(printf '%s' "$REG_TOKEN" | base64 | tr -d '\n')"
+LB64="$(printf '%s' "$RUNNER_LABELS" | base64 | tr -d '\n')"
+IB64="$(printf '%s' "$GITEA_RUNNER_INSTANCE" | base64 | tr -d '\n')"
+
+if [[ "${RUNNER_FORCE_REREGISTER:-0}" == "1" ]]; then
+  ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
+    "pct exec ${VMID} -- bash -lc 'rm -f /opt/act_runner/.runner; systemctl stop act-runner 2>/dev/null || true'"
+fi
+
+ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
+  "pct exec ${VMID} -- bash -c 'export GITEA_RUNNER_REGISTRATION_TOKEN=\$(printf %s \"${TB64}\" | base64 -d); export RUNNER_LABELS=\$(printf %s \"${LB64}\" | base64 -d); export INSTANCE=\$(printf %s \"${IB64}\" | base64 -d); bash -s'" \
+  < "${SCRIPT_DIR}/setup-act-runner.sh"
+
+ACT_RUNNER_CONFIG="${ACT_RUNNER_CONFIG:-/etc/act_runner/config.yaml}"
+ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "root@${PROXMOX_HOST}" \
+  "pct exec ${VMID} -- env ACT_RUNNER_CONFIG=${ACT_RUNNER_CONFIG} GITEA_ACTION_URL=${GITEA_RUNNER_INSTANCE} bash -s" \
+  < "${SCRIPT_DIR}/install-act-runner-systemd.sh"
+
+echo "Done. VMID ${VMID} — labels: ${RUNNER_LABELS}"

scripts/dev-vm/delete-offline-gitea-actions-runners.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# Delete Gitea Actions runners that are **offline** (stale rows after re-register).
+# Uses Admin API — requires GITEA_TOKEN (admin) in repo root .env.
+#
+# Usage (repo root):
+#   bash scripts/dev-vm/delete-offline-gitea-actions-runners.sh --dry-run
+#   bash scripts/dev-vm/delete-offline-gitea-actions-runners.sh --apply
+#
+# Over SSH (from a host with this repo and .env):
+#   ssh user@workstation 'cd /path/to/proxmox && bash scripts/dev-vm/delete-offline-gitea-actions-runners.sh --apply'
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+[[ -f "${PROJECT_ROOT}/.env" ]] && set -a && source "${PROJECT_ROOT}/.env" && set +a
+
+GITEA_URL="${GITEA_URL:-https://gitea.d-bis.org}"
+GITEA_URL="${GITEA_URL%/}"
+MODE="${1:-}"
+
+if [[ -z "${GITEA_TOKEN:-}" ]]; then
+  echo "ERROR: GITEA_TOKEN not set (root .env)." >&2
+  exit 1
+fi
+
+if [[ "$MODE" != "--dry-run" && "$MODE" != "--apply" ]]; then
+  echo "Usage: $0 --dry-run | --apply" >&2
+  exit 1
+fi
+
+export GITEA_URL GITEA_TOKEN
+export DELETE_MODE="$MODE"
+
+python3 <<'PY'
+import json, os, sys, urllib.request
+
+base = os.environ["GITEA_URL"].rstrip("/")
+token = os.environ["GITEA_TOKEN"]
+mode = os.environ["DELETE_MODE"]
+
+req = urllib.request.Request(
+    f"{base}/api/v1/admin/actions/runners?limit=100",
+    headers={"Authorization": f"token {token}"},
+)
+with urllib.request.urlopen(req, timeout=60) as resp:
+    data = json.loads(resp.read().decode())
+
+runners = data.get("runners") or []
+offline = [r for r in runners if r.get("status") == "offline"]
+
+if not offline:
+    print("No offline runners.")
+    sys.exit(0)
+
+for r in offline:
+    print(f"offline id={r.get('id')} name={r.get('name')!r}")
+
+if mode == "--dry-run":
+    print("--dry-run: no DELETE issued.")
+    sys.exit(0)
+
+for r in offline:
+    rid = r["id"]
+    dreq = urllib.request.Request(
+        f"{base}/api/v1/admin/actions/runners/{rid}",
+        method="DELETE",
+        headers={"Authorization": f"token {token}"},
+    )
+    with urllib.request.urlopen(dreq, timeout=60) as resp:
+        print(f"DELETE runner id={rid} -> HTTP {resp.status}")
+PY

scripts/dev-vm/install-act-runner-systemd.sh

@@ -10,6 +10,8 @@ set -euo pipefail
 
 WORK_DIR="${WORK_DIR:-/opt/act_runner}"
 GITEA_ACTION_URL="${GITEA_ACTION_URL:-http://127.0.0.1:3000}"
+ACT_RUNNER_CONFIG="${ACT_RUNNER_CONFIG:-/etc/act_runner/config.yaml}"
+mkdir -p "$(dirname "${ACT_RUNNER_CONFIG}")"
 
 if [ ! -x "${WORK_DIR}/act_runner" ]; then
   echo "Missing ${WORK_DIR}/act_runner — run setup-act-runner.sh with GITEA_RUNNER_REGISTRATION_TOKEN first."
@@ -30,7 +32,7 @@ After=network.target
 Type=simple
 User=root
 WorkingDirectory=${WORK_DIR}
-ExecStart=${WORK_DIR}/act_runner daemon
+ExecStart=${WORK_DIR}/act_runner daemon -c ${ACT_RUNNER_CONFIG}
 Restart=on-failure
 RestartSec=10
 Environment=GITEA_ACTION_URL=${GITEA_ACTION_URL}

scripts/dev-vm/setup-act-runner.sh

@@ -7,10 +7,10 @@ set -euo pipefail
 
 ACT_RUNNER_VERSION="${ACT_RUNNER_VERSION:-0.2.13}"
 # Gitea root URL as seen from this host (same LXC as Gitea → 127.0.0.1)
-INSTANCE="${INSTANCE:-http://127.0.0.1:3000}"
+INSTANCE="${INSTANCE:-${GITEA_RUNNER_INSTANCE:-http://127.0.0.1:3000}}"
 WORK_DIR="${WORK_DIR:-/opt/act_runner}"
 TOKEN="${GITEA_RUNNER_REGISTRATION_TOKEN:-}"
-# Workflows commonly use runs-on: ubuntu-latest; labels must match.
+# Labels must match workflow runs-on (e.g. ubuntu-latest or ubuntu-latest-heavy); comma-separated.
 RUNNER_LABELS="${RUNNER_LABELS:-ubuntu-latest}"
 
 if [ -z "$TOKEN" ]; then