docs(inventory): Order of Malta DealFlow CT 10381; IP_OM_TREASURY_DEALFLOW; ignore .secrets for operator keys.

Co-authored-by: Cursor <cursoragent@cursor.com>

.gitignore

@@ -159,3 +159,6 @@ tmp/
 token-aggregation-build/
 transaction-composer/
 vendor/
+
+# Operator-local secrets (SSH keys, tokens — never commit)
+.secrets/

config/ip-addresses.conf

@@ -83,6 +83,8 @@ IP_NGINX_LEGACY="192.168.11.26"
 IP_ORDER_OPENSEARCH="192.168.11.48"
 IP_ORDER_HAPROXY="192.168.11.39"
 IP_VAULT_PHOENIX_2="192.168.11.201"
+# Order of Malta — DealFlow Command Center (LXC 10381, r630-03, Docker Compose prod)
+IP_OM_TREASURY_DEALFLOW="${IP_OM_TREASURY_DEALFLOW:-192.168.11.94}"
 
 # Order Service IPs
 ORDER_POSTGRES_PRIMARY="192.168.11.44"

docs/04-configuration/ALL_VMIDS_ENDPOINTS.md

@@ -1,6 +1,6 @@
 # Complete VMID and Endpoints Reference
 
-**Last Updated:** 2026-04-25  
+**Last Updated:** 2026-05-09  
 **Document Version:** 1.3  
 **Status:** Active Documentation — **Master (source of truth)** for VMID, IP, port, and domain mapping. Use this with the live Besu fleet map in [../06-besu/BESU_NODE_CONFIGURATION_MAP_20260424.md](../06-besu/BESU_NODE_CONFIGURATION_MAP_20260424.md) and the cluster audit in [`../../scripts/verify/check-cluster-besu-inventory.sh`](../../scripts/verify/check-cluster-besu-inventory.sh).
 
@@ -8,21 +8,21 @@
 
 ---
 
-**Date**: 2026-04-25  
+**Date**: 2026-05-09  
 **Status**: Current Active Configuration (Reconciled)  
-**Last Updated**: 2026-04-25  
-**Verification Status**: ✅ Complete - Canonical Besu fleet reconciled across all 5 Proxmox nodes via direct host audit plus cluster-wide inventory
+**Last Updated**: 2026-05-09  
+**Verification Status**: ✅ Cluster-wide guest inventory — **136** running LXC/QEMU (**2026-05-09** `pvesh get /cluster/resources`); **ml110** **0** guests; primary counts on **r630-01** (57), **r630-02** (41), **r630-03** (19), **r630-04** (19). Besu fleet detail: host audit + [`../../scripts/verify/check-cluster-besu-inventory.sh`](../../scripts/verify/check-cluster-besu-inventory.sh).
 
 ---
 
 ## Quick Summary
 
-- **Total VMIDs**: 50+ (excluding deprecated Cloudflared)
-- **Running**: 45+
-- **Stopped**: 5
-- **Infrastructure Services**: 10
-- **Blockchain Nodes**: 37 canonical Besu nodes (Validators: 5, Sentries: 11, RPC: 21)
-- **Application Services**: 22
+- **Cluster (all nodes, LXC+QEMU) — running:** **136** (**2026-05-09** `pvesh get /cluster/resources`); **all** were `running` in that pass.
+- **Per Proxmox node (guests):** **r630-01** 57, **r630-02** 41, **r630-03** 19, **r630-04** 19, **ml110** 0.
+- **Documented VMID rows** in this file: 50+ service entries (excl. deprecated); category rolls below are **Besu / app taxonomy** — reconcile exact Besu counts with `check-cluster-besu-inventory.sh` and the Besu map doc.
+- **Infrastructure Services** (sample category): 10
+- **Blockchain Nodes**: 37 canonical Besu nodes (Validators: 5, Sentries: 11, RPC: 21) — verify against live map
+- **Application Services**: 22 (category roll — verify)
 
 ## Canonical-use guardrails
 
@@ -123,6 +123,19 @@ All RPC nodes have been migrated to a new VMID structure for better organization
 | **2201** | **192.168.11.221** | besu-rpc-public-1 | ✅ Running | 1,145,367 | 7 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Public RPC node **(FIXED PERMANENT)** |
 | 2301 | 192.168.11.232 | besu-rpc-private-1 | ✅ Running | Cluster CT confirmed on `r630-03` | - | Besu: 8545/8546, P2P: 30303, Metrics: 9545 | Fireblocks-dedicated RPC on `r630-03` |
 
+### Extra (non-canonical) Besu RPC — Justin / Jason variants
+
+These LXCs are **running** and appear in `scripts/verify/check-cluster-besu-inventory.sh` as **`extra/non-canonical`** (parallel RPC paths). They are **not** in the minimal canonical Besu map; do not decommission without ops coordination.
+
+| VMID | IP Address | Hostname | Node | Endpoints (typical) |
+|------|------------|----------|------|---------------------|
+| 2104 | 192.168.11.222 | besu-rpc-core-justin | r630-03 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 |
+| 2105 | 192.168.11.225 | besu-rpc-core-jason | r630-03 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 |
+| 2202 | 192.168.11.223 | besu-rpc-public-justin | r630-02 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 |
+| 2203 | 192.168.11.226 | besu-rpc-public-jason | r630-02 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 |
+| 2309 | 192.168.11.224 | besu-rpc-private-justin | r630-03 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 |
+| 2310 | 192.168.11.227 | besu-rpc-private-jason | r630-03 | Besu: 8545/8546, P2P: 30303, Metrics: 9545 |
+
 ### Named RPC Nodes (Ali/Luis/Putu)
 
 | VMID | IP Address | Hostname | Status | Block | Peers | Endpoints | Purpose |
@@ -204,6 +217,18 @@ The following VMIDs have been permanently removed:
 
 ## Application Services
 
+### Order of Malta — DealFlow Command Center (prod Compose)
+
+| VMID | IP Address | Hostname | Node | Status | Endpoints | Purpose |
+|------|------------|----------|------|--------|-----------|---------|
+| **10381** | **192.168.11.94** | treasury-dealflow | **r630-03** | ✅ Running | **HTTPS:** 443 (nginx → frontend/backend), **HTTP:** 80→443; Grafana **3001**, Prometheus **9090**, MinIO **9000/9001** | [`treasury_management_monorepo`](https://gitea.d-bis.org/ORDER_OF_MALTA_TREASURY/treasury_management_monorepo) Docker Compose prod |
+
+**Allocated:** Sovereign Cloud band **10000–13999** (VMID **10381**). **Storage:** `thin2-r630-03` (~80 GiB root). **App dir:** `/opt/treasury_management_monorepo`, SSH user **`deploy`**.
+
+**CI/CD:** Gitea `.gitea/workflows/deploy.yml` — secrets `TREASURY_DEPLOY_HOST`, `TREASURY_DEPLOY_USER`, `TREASURY_DEPLOY_SSH_KEY`, `TREASURY_DEPLOY_PATH`; runner must reach **192.168.11.94** on LAN.
+
+---
+
 ### Blockchain Explorer
 
 | VMID | IP Address | Hostname | Status | Endpoints | Purpose |