docs: Gitea CD operator checklist + wire templates README; executable parity script
Some checks failed
Deploy to Phoenix / validate (push) Successful in 1m29s
Deploy to Phoenix / deploy (push) Has been cancelled
Deploy to Phoenix / deploy-atomic-swap-dapp (push) Has been cancelled
Deploy to Phoenix / cloudflare (push) Has been cancelled

Made-with: Cursor
defiQUG
2026-04-28 04:26:39 -07:00
parent 2124842b38
commit cd8a52ae84
6 changed files with 50 additions and 9 deletions


@@ -77,6 +77,10 @@ GITEA_URL=
GITEA_TOKEN=
GITEA_ORG=
# --- Phoenix deploy API (Gitea Actions secrets on EACH repo that triggers deploy) ---
# PHOENIX_DEPLOY_URL= # full POST URL e.g. http://192.168.11.59:4001/api/deploy — same variable name as repo Secrets in Gitea
# PHOENIX_DEPLOY_TOKEN= # bearer for Phoenix deploy API — set per-repo Secret on Gitea, not necessarily in this root .env
# --- CyberSecur Global (Gov portal static site; optional Web3Forms intake) ---
# CYBERSECUR_WEB3FORMS_ACCESS_KEY= # web3forms.com — used by CyberSecur-Global/deploy/render-intake.sh (key is public in browser HTML per provider)
# After rotating the key in the Web3Forms dashboard, update this line and redeploy:
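Review bot: The `PHOENIX_DEPLOY_URL` example comment uses plain `http://192.168.11.59:4001/api/deploy`, and the next line documents a bearer token for that same endpoint, so anyone who copies the example sends `PHOENIX_DEPLOY_TOKEN` in cleartext across the LAN. Suggest an `https://` example with a placeholder host such as `https://<phoenix-host>/api/deploy`, and a short remark that plain HTTP is acceptable only on a trusted segment. The comment that the token belongs in per-repo Gitea Secrets rather than this root `.env` is useful; it would help to say outright that a real value must not be committed to this file.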


@@ -6,5 +6,8 @@ Copy one of these into **your repo** as `.gitea/workflows/<workflow-name>.yml`,
|----------|----------|
| [`deploy-via-phoenix-api.yml`](deploy-via-phoenix-api.yml) | App/service with a row in `phoenix-deploy-api/deploy-targets.json` |
| [`validate-only.yml`](validate-only.yml) | Libraries/docs — CI gate only, no VM deploy |
| **[`repos/`](repos/README.md)** | **Concrete YAML** for DBIS, CROMERO, CurrenciCombo — copy into those Gitea repos |
See [docs/04-configuration/GITEA_REPO_VM_CD_CI_MATRIX.md](../../docs/04-configuration/GITEA_REPO_VM_CD_CI_MATRIX.md) for repo ↔ VM mapping.
**Operator checklist:** [docs/00-meta/GITEA_CD_OPERATOR_CHECKLIST.md](../../docs/00-meta/GITEA_CD_OPERATOR_CHECKLIST.md).


@@ -0,0 +1,29 @@
# Gitea CD/CI — operator checklist
Use this after changing **`phoenix-deploy-api/deploy-targets.json`** or adding workflows under **`config/gitea-workflow-templates/`**.
## One-time per application repo (on Gitea)
1. **Actions enabled** for the org/repo (Gitea settings).
2. **Secrets** on **that repo** (not only global):
- **`PHOENIX_DEPLOY_URL`** — full URL for `POST` (same shape as **`d-bis/proxmox`** workflows use), typically `http://<dev-vm>:4001/api/deploy` or HTTPS equivalent.
- **`PHOENIX_DEPLOY_TOKEN`** — bearer token accepted by Phoenix deploy API.
3. **Workflow file** in the repo: copy from [`config/gitea-workflow-templates/repos/README.md`](../config/gitea-workflow-templates/repos/README.md) or use the repos existing `.gitea/workflows/*.yml`.
## Phoenix deploy host (LAN)
1. **`git pull`** **proxmox** so **`deploy-targets.json`** and **`scripts/deployment/phoenix-deploy-*.sh`** match Gitea **`d-bis/proxmox`** `master` / `main`.
2. Restart or reinstall **phoenix-deploy-api** if you manage it via systemd (see **`phoenix-deploy-api/scripts/install-systemd.sh`**).
3. **`GITEA_TOKEN`** on that host must allow archive fetch for repos you deploy.
## Verify locally (proxmox clone)
```bash
bash scripts/validation/validate-phoenix-deploy-targets.sh phoenix-deploy-api/deploy-targets.json
bash scripts/verify/report-gitea-cd-parity.sh
```
## Canonical references
- [GITEA_REPO_VM_CD_CI_MATRIX.md](../04-configuration/GITEA_REPO_VM_CD_CI_MATRIX.md)
- [config/gitea-workflow-templates/README.md](../../config/gitea-workflow-templates/README.md)
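Review bot: In step 3 of the per-repo list, the link target `../config/gitea-workflow-templates/repos/README.md` has one `..` fewer than the `../../config/gitea-workflow-templates/README.md` link under "Canonical references" in the same file, so the two cannot both resolve; since this file is linked elsewhere in the commit as `docs/00-meta/GITEA_CD_OPERATOR_CHECKLIST.md`, the step 3 link should start with `../../config/`. On the same line, "the repos existing" should read "the repo's existing". In the Phoenix deploy host list, step 3 says `GITEA_TOKEN` "must allow archive fetch" without naming a minimum scope; stating the narrowest scope that works (ideally read-only and limited to the deployed repos) would discourage reusing a broad token on the deploy host. The `PHOENIX_DEPLOY_URL` bullet also presents `http://<dev-vm>:4001/api/deploy` as the typical value with HTTPS as the alternative; since the next bullet is a bearer token, consider listing HTTPS first.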


@@ -4,6 +4,10 @@ Each **application repo** should carry **its own** `.gitea/workflows/*.yml` so p
**Canonical integration:** [Phoenix deploy API](../../phoenix-deploy-api/server.js) + [`deploy-targets.json`](../../phoenix-deploy-api/deploy-targets.json).
**Operator checklist:** [docs/00-meta/GITEA_CD_OPERATOR_CHECKLIST.md](../00-meta/GITEA_CD_OPERATOR_CHECKLIST.md)
**Parity report (local clone):** `bash scripts/verify/report-gitea-cd-parity.sh`
## Pattern A — Repo workflow triggers Phoenix (recommended)
1. Repo workflow `on: push` runs on Gitea Actions (checkout only + `curl` POST).
@@ -18,15 +22,15 @@ Multiple deploy jobs in one workflow ([`.gitea/workflows/deploy-to-phoenix.yml`]
## Matrix (maintain when repos or VMs change)
| Gitea repo | Branch(es) | Hosting / VM | `deploy-targets` `target` | Workflow in repo |
|------------|------------|--------------|-----------------------------|------------------|
| `d-bis/proxmox` | `main`, `master` | Phoenix deploy host + varies by job (API install, portal CT 7801, atomic-swap 5801, CF sync, …) | `default`, `atomic-swap-dapp-live`, `portal-live`, `cloudflare-sync`, … | `.gitea/workflows/deploy-to-phoenix.yml`, `validate-on-pr.yml` |
| `Gov_Web_Portals/CyberSecur-Global` | `main` | CT **7810** (`192.168.11.37`), nginx docroot `/var/www/cybersecur-d-bis` | `default` | `.gitea/workflows/deploy-to-ct7810.yml` |
| `Gov_Web_Portals/DBIS` | `main` | CT **7804** (see runbook) | `dbis-portal-live` | _(add in Gov repo when ready; same Phoenix POST pattern)_ |
| `d-bis/explorer-monorepo` | `main`, `master` | VMID **5000** Blockscout stack | `explorer-live` | Add `.gitea/workflows/deploy-explorer-live.yml` in explorer repo |
| `d-bis/CROMERO` | `main`, `master` | NPM ecosystem path | `default` | Add workflow in CROMERO repo |
| `d-bis/CurrenciCombo` | `main`, `master` | Phoenix CT **8604** | `default` | Add workflow in CurrenciCombo repo |
| `d-bis/cross-chain-pmm-lps` | `main` | No dedicated user-facing VM (simulation/docs library) | _(validate only)_ | `.gitea/workflows/validate-capital-efficiency.yml` |
| Gitea repo | Branch(es) | Hosting / VM | `deploy-targets` `target` | Workflow |
|------------|------------|--------------|-----------------------------|----------|
| `d-bis/proxmox` | `main`, `master` | Phoenix deploy host + varies by job | `default`, `atomic-swap-dapp-live`, `portal-live`, `cloudflare-sync`, … | `.gitea/workflows/deploy-to-phoenix.yml`, `validate-on-pr.yml` |
| `Gov_Web_Portals/CyberSecur-Global` | `main` | CT **7810** | `default` | In **CyberSecur-Global** repo: `.gitea/workflows/deploy-to-ct7810.yml` |
| `Gov_Web_Portals/DBIS` | `main` | CT **7804** | `dbis-portal-live` | Copy [`repos/dbis-portal-live.yml`](../../config/gitea-workflow-templates/repos/dbis-portal-live.yml) → DBIS repo |
| `d-bis/explorer-monorepo` | `main`, `master` | VMID **5000** | `explorer-live` | Submodule: `.gitea/workflows/deploy-live.yml` |
| `d-bis/CROMERO` | `main`, `master` | NPM ecosystem path | `default` | Copy [`repos/cromero-default.yml`](../../config/gitea-workflow-templates/repos/cromero-default.yml) → CROMERO repo |
| `d-bis/CurrenciCombo` | `main`, `master` | Phoenix CT **8604** | `default` | Copy [`repos/currencicombo-default.yml`](../../config/gitea-workflow-templates/repos/currencicombo-default.yml) → CurrenciCombo repo |
| `d-bis/cross-chain-pmm-lps` | `main` | _(simulation/docs — no VM)_ | — | `.gitea/workflows/validate-capital-efficiency.yml` |
## Adding a new repo
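Review bot: The rewritten matrix rows drop hosting detail that the earlier rows carried: the `Gov_Web_Portals/CyberSecur-Global` row loses `192.168.11.37` and the nginx docroot `/var/www/cybersecur-d-bis`, the `d-bis/proxmox` row loses the per-job list (portal CT 7801, atomic-swap 5801, CF sync), and the DBIS row loses its "see runbook" pointer. If the intent is to keep LAN addresses out of this document, say so in the commit message and link the runbook that still holds them; otherwise operators lose the repo-to-host mapping this table is meant to provide. The `d-bis/explorer-monorepo` row also changes the workflow file from `deploy-explorer-live.yml` to `deploy-live.yml` and labels it "Submodule:"; please confirm the file exists under that name, and explain what "Submodule" means for where the workflow runs.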


@@ -27,6 +27,7 @@
| **Gitea TLS expiry check** | `bash scripts/verify/check-gitea-certificate-expiry.sh` — warns before `gitea.d-bis.org` cert expiry blocks HTTPS pushes |
| **Gitea TLS expiry cron** | `bash scripts/maintenance/schedule-gitea-cert-check-cron.sh --install` — installs a daily warning check with `WARN_DAYS=30` |
| **Gitea repo ↔ VM CI/CD matrix** | [04-configuration/GITEA_REPO_VM_CD_CI_MATRIX.md](04-configuration/GITEA_REPO_VM_CD_CI_MATRIX.md) — per-repo workflows, Phoenix deploy targets, templates under `config/gitea-workflow-templates/` |
| **Gitea CD operator checklist** | [00-meta/GITEA_CD_OPERATOR_CHECKLIST.md](00-meta/GITEA_CD_OPERATOR_CHECKLIST.md) — secrets, Phoenix host sync, `report-gitea-cd-parity.sh` |
| **TsunamiSwap DEX plan** | [00-meta/AAVE_CHAIN138_AND_MARIONETTE_TSUNAMISWAP_PLAN.md](00-meta/AAVE_CHAIN138_AND_MARIONETTE_TSUNAMISWAP_PLAN.md) — canonical TsunamiSwap VM `5010` plan, current DEX link, and publish checklist |
| **Required / optional / recommended (full plan)** | [00-meta/COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md](00-meta/COMPLETE_REQUIRED_OPTIONAL_RECOMMENDED_INDEX.md) |
| **Single task list** | [00-meta/TODOS_CONSOLIDATED.md](00-meta/TODOS_CONSOLIDATED.md) |

scripts/verify/report-gitea-cd-parity.sh Normal file → Executable file