Align E2E profile workflow across scripts and runbooks

2026-03-06 08:46:55 -08:00
parent e4c9dda0fd
commit d38174dc25
18 changed files with 345 additions and 53 deletions
--- a/docs/03-deployment/BLOCKSCOUT_FIX_RUNBOOK.md
+++ b/docs/03-deployment/BLOCKSCOUT_FIX_RUNBOOK.md
@@ -145,7 +145,7 @@ BLOCKSCOUT_URL=http://192.168.11.140:4000 node forge-verification-proxy/server.j

 ## E2E completion (Blockscout and other sites)

- **Public routing E2E**: `bash scripts/verify/verify-end-to-end-routing.sh` tests explorer.d-bis.org (DNS, SSL, HTTPS) and an optional Blockscout API check (`/api/v2/stats`). The API check does not fail the run if unreachable; use `SKIP_BLOCKSCOUT_API=1` to skip it. See [E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md](../05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md).
+- **Public routing E2E**: `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` tests explorer.d-bis.org (DNS, SSL, HTTPS) and an optional Blockscout API check (`/api/v2/stats`). The API check does not fail the run if unreachable; use `SKIP_BLOCKSCOUT_API=1` to skip it. See [E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md](../05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md).
 - **Full explorer E2E (on LAN)**: From a host that can reach 192.168.11.140, run `explorer-monorepo/scripts/e2e-test-explorer.sh` for frontend, API, and service checks.
 - **Daily checks**: `scripts/maintenance/daily-weekly-checks.sh daily` checks explorer indexer via `/api/v2/stats` (and fallback legacy API).

--- a/docs/03-deployment/OPERATIONAL_RUNBOOKS.md
+++ b/docs/03-deployment/OPERATIONAL_RUNBOOKS.md
@@ -381,7 +381,7 @@ See **[BLOCKSCOUT_FIX_RUNBOOK.md](BLOCKSCOUT_FIX_RUNBOOK.md)** § "Proactive: Wh
 ### After NPMplus or DNS changes

 Run **E2E routing** (includes explorer.d-bis.org):  
-`bash scripts/verify/verify-end-to-end-routing.sh`
+`bash scripts/verify/verify-end-to-end-routing.sh --profile=public`

 ### After frontend or Blockscout deploy

@@ -558,4 +558,3 @@ See [BLOCKSCOUT_FIX_RUNBOOK.md](BLOCKSCOUT_FIX_RUNBOOK.md).
 **Maintained By:** Infrastructure Team  
 **Review Cycle:** Monthly  
 **Last Updated:** 2026-02-05
-
--- a/docs/03-deployment/SANKOFA_STUDIO_E2E_FLOW.md
+++ b/docs/03-deployment/SANKOFA_STUDIO_E2E_FLOW.md
@@ -112,7 +112,7 @@ curl -s http://192.168.11.72:8000/studio/ -o /dev/null -w "%{http_code}\n"

 ```bash
 cd /home/intlc/projects/proxmox
-bash scripts/verify/verify-end-to-end-routing.sh
+bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```

 - Report: `docs/04-configuration/verification-evidence/e2e-verification-<timestamp>/verification_report.md`
--- a/docs/04-configuration/E2E_ENDPOINTS_LIST.md
+++ b/docs/04-configuration/E2E_ENDPOINTS_LIST.md
@@ -0,0 +1,143 @@
+# E2E verification — endpoint inventory and profiles
+
+**Source:** `scripts/verify/verify-end-to-end-routing.sh` (DOMAIN_TYPES).  
+**List from CLI (public):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=public`  
+**List from CLI (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=private`  
+**Run E2E (public profile recommended):** `./scripts/verify/verify-end-to-end-routing.sh --profile=public` (from LAN with DNS or use `E2E_USE_SYSTEM_RESOLVER=1` and `/etc/hosts` per [E2E_DNS_FROM_LAN_RUNBOOK.md](E2E_DNS_FROM_LAN_RUNBOOK.md)).  
+**Run E2E (private/admin):** `./scripts/verify/verify-end-to-end-routing.sh --profile=private`.
+
+## Verification profiles
+
+- **Public profile (default for routine E2E):** web, api, public RPC endpoints.
+- **Private/admin profile:** private RPC and Fireblocks RPC endpoints. Run separately for internal operations.
+
+## Full endpoint inventory (combined)
+
+| Endpoint | Type | URL | Description (content provided) |
+|----------|------|-----|--------------------------------|
+| explorer.d-bis.org | web | https://explorer.d-bis.org | Blockscout-style blockchain explorer for Chain 138: blocks, transactions, addresses, contracts, tokens, verification. |
+| dbis-admin.d-bis.org | web | https://dbis-admin.d-bis.org | DBIS admin dashboard and frontend (VMID 10130). |
+| secure.d-bis.org | web | https://secure.d-bis.org | Secure DBIS frontend / authenticated portal. |
+| dbis-api.d-bis.org | api | https://dbis-api.d-bis.org | DBIS core API: token aggregation, Crypto.com OTC, exchange endpoints (VMID 10150). |
+| dbis-api-2.d-bis.org | api | https://dbis-api-2.d-bis.org | DBIS API secondary instance (VMID 10151). |
+| mim4u.org | web | https://mim4u.org | MIM4U main site. |
+| www.mim4u.org | web | https://www.mim4u.org | MIM4U www. |
+| secure.mim4u.org | web | https://secure.mim4u.org | MIM4U secure portal. |
+| training.mim4u.org | web | https://training.mim4u.org | MIM4U training site. |
+| sankofa.nexus | web | https://sankofa.nexus | Sankofa Nexus root / web. |
+| www.sankofa.nexus | web | https://www.sankofa.nexus | Sankofa Nexus www. |
+| phoenix.sankofa.nexus | web | https://phoenix.sankofa.nexus | Phoenix (Sankofa) web app. |
+| www.phoenix.sankofa.nexus | web | https://www.phoenix.sankofa.nexus | Phoenix www. |
+| the-order.sankofa.nexus | web | https://the-order.sankofa.nexus | Hosted client on the Sankofa Phoenix cloud services platform. |
+| studio.sankofa.nexus | web | https://studio.sankofa.nexus | Sankofa Studio (FusionAI Creator) at VMID 7805. |
+| cacti-alltra.d-bis.org | web | https://cacti-alltra.d-bis.org | Cacti monitoring UI for Alltra. |
+| cacti-hybx.d-bis.org | web | https://cacti-hybx.d-bis.org | Cacti monitoring UI for HYBX. |
+| mifos.d-bis.org | web | https://mifos.d-bis.org | Mifos X / Fineract banking and microfinance platform (VMID 5800). |
+| dapp.d-bis.org | web | https://dapp.d-bis.org | DApp frontend for Chain 138 bridge (VMID 5801). |
+| gitea.d-bis.org | web | https://gitea.d-bis.org | Gitea git repository and CI (Dev VM 5700). |
+| dev.d-bis.org | web | https://dev.d-bis.org | Dev VM web / Codespaces entry. |
+| codespaces.d-bis.org | web | https://codespaces.d-bis.org | Codespaces / dev environment entry. |
+| rpc-http-pub.d-bis.org | rpc-http | https://rpc-http-pub.d-bis.org | Chain 138 public JSON-RPC HTTP (VMID 2201). |
+| rpc-ws-pub.d-bis.org | rpc-ws | wss://rpc-ws-pub.d-bis.org | Chain 138 public JSON-RPC WebSocket. |
+| rpc.d-bis.org | rpc-http | https://rpc.d-bis.org | Chain 138 RPC HTTP (alias). |
+| rpc2.d-bis.org | rpc-http | https://rpc2.d-bis.org | Chain 138 RPC HTTP (second). |
+| ws.rpc.d-bis.org | rpc-ws | wss://ws.rpc.d-bis.org | Chain 138 RPC WebSocket. |
+| ws.rpc2.d-bis.org | rpc-ws | wss://ws.rpc2.d-bis.org | Chain 138 RPC WebSocket (second). |
+| rpc-http-prv.d-bis.org | rpc-http | https://rpc-http-prv.d-bis.org | Chain 138 private/admin RPC HTTP (VMID 2101). |
+| rpc-ws-prv.d-bis.org | rpc-ws | wss://rpc-ws-prv.d-bis.org | Chain 138 private RPC WebSocket. |
+| rpc-fireblocks.d-bis.org | rpc-http | https://rpc-fireblocks.d-bis.org | Chain 138 RPC for Fireblocks Web3 (VMID 2301). |
+| ws.rpc-fireblocks.d-bis.org | rpc-ws | wss://ws.rpc-fireblocks.d-bis.org | Chain 138 RPC WebSocket for Fireblocks. |
+| rpc.public-0138.defi-oracle.io | rpc-http | https://rpc.public-0138.defi-oracle.io | Defi Oracle Chain 138 public RPC. |
+| rpc.defi-oracle.io | rpc-http | https://rpc.defi-oracle.io | Defi Oracle RPC. |
+| wss.defi-oracle.io | rpc-ws | wss://wss.defi-oracle.io | Defi Oracle RPC WebSocket. |
+| rpc-alltra.d-bis.org | rpc-http | https://rpc-alltra.d-bis.org | Alltra chain RPC HTTP. |
+| rpc-alltra-2.d-bis.org | rpc-http | https://rpc-alltra-2.d-bis.org | Alltra chain RPC HTTP (2). |
+| rpc-alltra-3.d-bis.org | rpc-http | https://rpc-alltra-3.d-bis.org | Alltra chain RPC HTTP (3). |
+| rpc-hybx.d-bis.org | rpc-http | https://rpc-hybx.d-bis.org | HYBX chain RPC HTTP. |
+| rpc-hybx-2.d-bis.org | rpc-http | https://rpc-hybx-2.d-bis.org | HYBX chain RPC HTTP (2). |
+| rpc-hybx-3.d-bis.org | rpc-http | https://rpc-hybx-3.d-bis.org | HYBX chain RPC HTTP (3). |
+
+## Endpoints by type
+
+### Web
+
+| Domain | URL |
+|--------|-----|
+| explorer.d-bis.org | https://explorer.d-bis.org |
+| dbis-admin.d-bis.org | https://dbis-admin.d-bis.org |
+| secure.d-bis.org | https://secure.d-bis.org |
+| mim4u.org | https://mim4u.org |
+| www.mim4u.org | https://www.mim4u.org |
+| secure.mim4u.org | https://secure.mim4u.org |
+| training.mim4u.org | https://training.mim4u.org |
+| sankofa.nexus | https://sankofa.nexus |
+| www.sankofa.nexus | https://www.sankofa.nexus |
+| phoenix.sankofa.nexus | https://phoenix.sankofa.nexus |
+| www.phoenix.sankofa.nexus | https://www.phoenix.sankofa.nexus |
+| the-order.sankofa.nexus | https://the-order.sankofa.nexus |
+| studio.sankofa.nexus | https://studio.sankofa.nexus |
+| cacti-alltra.d-bis.org | https://cacti-alltra.d-bis.org |
+| cacti-hybx.d-bis.org | https://cacti-hybx.d-bis.org |
+| mifos.d-bis.org | https://mifos.d-bis.org |
+| dapp.d-bis.org | https://dapp.d-bis.org |
+| gitea.d-bis.org | https://gitea.d-bis.org |
+| dev.d-bis.org | https://dev.d-bis.org |
+| codespaces.d-bis.org | https://codespaces.d-bis.org |
+
+### API
+
+| Domain | URL |
+|--------|-----|
+| dbis-api.d-bis.org | https://dbis-api.d-bis.org |
+| dbis-api-2.d-bis.org | https://dbis-api-2.d-bis.org |
+
+### RPC HTTP (public)
+
+| Domain | URL |
+|--------|-----|
+| rpc-http-pub.d-bis.org | https://rpc-http-pub.d-bis.org |
+| rpc.d-bis.org | https://rpc.d-bis.org |
+| rpc2.d-bis.org | https://rpc2.d-bis.org |
+| rpc.public-0138.defi-oracle.io | https://rpc.public-0138.defi-oracle.io |
+| rpc.defi-oracle.io | https://rpc.defi-oracle.io |
+| rpc-alltra.d-bis.org | https://rpc-alltra.d-bis.org |
+| rpc-alltra-2.d-bis.org | https://rpc-alltra-2.d-bis.org |
+| rpc-alltra-3.d-bis.org | https://rpc-alltra-3.d-bis.org |
+| rpc-hybx.d-bis.org | https://rpc-hybx.d-bis.org |
+| rpc-hybx-2.d-bis.org | https://rpc-hybx-2.d-bis.org |
+| rpc-hybx-3.d-bis.org | https://rpc-hybx-3.d-bis.org |
+
+### RPC WebSocket (public)
+
+| Domain | URL |
+|--------|-----|
+| rpc-ws-pub.d-bis.org | wss://rpc-ws-pub.d-bis.org |
+| ws.rpc.d-bis.org | wss://ws.rpc.d-bis.org |
+| ws.rpc2.d-bis.org | wss://ws.rpc2.d-bis.org |
+| wss.defi-oracle.io | wss://wss.defi-oracle.io |
+
+### RPC HTTP (private/admin profile)
+
+| Domain | URL |
+|--------|-----|
+| rpc-http-prv.d-bis.org | https://rpc-http-prv.d-bis.org |
+| rpc-fireblocks.d-bis.org | https://rpc-fireblocks.d-bis.org |
+
+### RPC WebSocket (private/admin profile)
+
+| Domain | URL |
+|--------|-----|
+| rpc-ws-prv.d-bis.org | wss://rpc-ws-prv.d-bis.org |
+| ws.rpc-fireblocks.d-bis.org | wss://ws.rpc-fireblocks.d-bis.org |
+
+## Report content
+
+After each run, the verification report includes:
+
+1. **All endpoints** — table of every domain, type, and URL.
+2. **Summary** — counts (DNS pass, HTTPS pass, failed, skipped) and average response time.
+3. **Results overview** — table of each domain with DNS | SSL | HTTPS | RPC status.
+4. **Test Results by Domain** — per-domain detail (DNS, SSL, HTTPS, Blockscout API, RPC).
+
+Output directory: `docs/04-configuration/verification-evidence/e2e-verification-<timestamp>/`  
+Files: `verification_report.md`, `all_e2e_results.json`, `*_https_headers.txt`, `*_rpc_response.txt`.
--- a/docs/04-configuration/README.md
+++ b/docs/04-configuration/README.md
@@ -24,6 +24,8 @@ This directory contains setup and configuration guides.
 - **[NPMPLUS_PROXY_HOSTS_SNAPSHOT_2026-03.md](NPMPLUS_PROXY_HOSTS_SNAPSHOT_2026-03.md)** - Snapshot of NPMplus proxy destinations (IP:port) and VMID mapping (March 2026)
 - **[NPMPLUS_CUSTOM_NGINX_CONFIG.md](NPMPLUS_CUSTOM_NGINX_CONFIG.md)** - NPMplus custom config: proxy variables, security headers (CSP with unsafe-eval for ethers.js), and caveat (do not add `location '/'`)
 - **[NPMPLUS_UI_APIERROR_400_RUNBOOK.md](NPMPLUS_UI_APIERROR_400_RUNBOOK.md)** - NPMplus UI ApiError 400 on dashboard load: find failing request, test API with curl, logs, fixes
+- **[E2E_DNS_FROM_LAN_RUNBOOK.md](E2E_DNS_FROM_LAN_RUNBOOK.md)** - Run E2E domain sweep from LAN when public DNS is unavailable: /etc/hosts option, DNS path, or bastion
+- **[E2E_ENDPOINTS_LIST.md](E2E_ENDPOINTS_LIST.md)** - All E2E verification endpoints (domain, type, URL); list from CLI: `./scripts/verify/verify-end-to-end-routing.sh --list-endpoints --profile=public`
 - **[PROXMOX_LOAD_BALANCING_RUNBOOK.md](PROXMOX_LOAD_BALANCING_RUNBOOK.md)** - Balance Proxmox load: migrate containers from r630-01 to r630-02/ml110; candidates, script, cluster vs backup/restore
 - **[PROXMOX_ADD_THIRD_FOURTH_R630_DECISION.md](PROXMOX_ADD_THIRD_FOURTH_R630_DECISION.md)** - Add 3rd/4th R630 before migration? r630-03/04 status, HA/Ceph (3–4 nodes), order of operations
 - **[ER605_ROUTER_CONFIGURATION.md](ER605_ROUTER_CONFIGURATION.md)** ⭐⭐ - ER605 router configuration
@@ -122,4 +124,3 @@ This directory contains setup and configuration guides.
 - **[../01-getting-started/](../01-getting-started/)** - Getting started
 - **[../02-architecture/](../02-architecture/)** - Architecture reference
 - **[../05-network/](../05-network/)** - Network infrastructure
-
--- a/docs/05-network/CHECK_ALL_UPDATES_AND_CLOUDFLARE_TUNNELS.md
+++ b/docs/05-network/CHECK_ALL_UPDATES_AND_CLOUDFLARE_TUNNELS.md
@@ -69,7 +69,7 @@ The dev/Codespaces FQDN (gitea.d-bis.org, dev.d-bis.org, codespaces.d-bis.org) i

 | Check | Command |
 |-------|--------|
-| **E2E (all domains incl. Gitea)** | `bash scripts/verify/verify-end-to-end-routing.sh` |
+| **E2E (all domains incl. Gitea)** | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
 | **RPC tunnel ingress (from host with VMID 102)** | `bash scripts/verify/verify-cloudflare-tunnel-ingress.sh [--host 192.168.11.11]` |
 | **Dev/Codespaces tunnel + DNS** | `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` (updates ingress + CNAMEs) |
 | **NPMplus Fourth proxy (gitea → .59:3000)** | `NPM_PASSWORD=xxx bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` |
--- a/docs/05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md
+++ b/docs/05-network/E2E_CLOUDFLARE_DOMAINS_RUNBOOK.md
@@ -80,7 +80,7 @@ From the project root:

 ```bash
 cd /home/intlc/projects/proxmox
-bash scripts/verify/verify-end-to-end-routing.sh
+bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```

 Optional environment variables:
@@ -95,7 +95,7 @@ Optional environment variables:
 Example when using Fastly (DNS points to Fastly, not 76.53.10.36):

 ```bash
-ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh
+ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```

 Outputs:
@@ -141,7 +141,7 @@ If any domain fails:

 ## Blockscout and explorer.d-bis.org (E2E completion)

- **Public E2E**: `verify-end-to-end-routing.sh` tests explorer.d-bis.org as **web** (DNS, SSL, HTTPS). It also runs an **optional** Blockscout API check (GET `https://explorer.d-bis.org/api/v2/stats`). If the API is unreachable (e.g. run from off-LAN), the result is recorded as `skip` and does not fail the run. Use `SKIP_BLOCKSCOUT_API=1` to skip this check entirely.
+- **Public E2E**: `verify-end-to-end-routing.sh --profile=public` tests explorer.d-bis.org as **web** (DNS, SSL, HTTPS). It also runs an **optional** Blockscout API check (GET `https://explorer.d-bis.org/api/v2/stats`). If the API is unreachable (e.g. run from off-LAN), the result is recorded as `skip` and does not fail the run. Use `SKIP_BLOCKSCOUT_API=1` to skip this check entirely.
 - **Fix Blockscout** (502, DB, migrations): Run on Proxmox host or from LAN per [BLOCKSCOUT_FIX_RUNBOOK.md](../03-deployment/BLOCKSCOUT_FIX_RUNBOOK.md). Key script: `scripts/fix-blockscout-ssl-and-migrations.sh`.
 - **Full explorer E2E on LAN**: For comprehensive explorer tests (frontend, API, services on VMID 5000), run from a host that can reach 192.168.11.140: `explorer-monorepo/scripts/e2e-test-explorer.sh`. Report: [explorer-monorepo/E2E_TEST_REPORT.md](../../../explorer-monorepo/E2E_TEST_REPORT.md).
 - **Daily checks**: Explorer indexer is checked by `scripts/maintenance/daily-weekly-checks.sh daily` using Blockscout `/api/v2/stats` (and fallback to `?module=stats&action=eth_price`).
--- a/docs/05-network/E2E_RPC_EDGE_LIMITATION.md
+++ b/docs/05-network/E2E_RPC_EDGE_LIMITATION.md
@@ -74,7 +74,7 @@ Follow the **Option B runbook** for step-by-step instructions and the DNS script
   - Follow [CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md](../04-configuration/cloudflare/CLOUDFLARE_TUNNEL_502_FIX_RUNBOOK.md): point all Public Hostnames (including the 6 RPC) to `http://192.168.11.167:80`, verify from VMID 102, restart cloudflared.
 2. **Point RPC hostnames to the tunnel** in Cloudflare DNS:
   - Run: `./scripts/set-rpc-dns-to-tunnel.sh` (uses `CLOUDFLARE_TUNNEL_ID` and zone IDs from `.env`), or set CNAME manually per the runbook.
-3. **Re-run E2E:** After DNS propagates, run `bash scripts/verify/troubleshoot-rpc-failures.sh` and `./scripts/verify/verify-end-to-end-routing.sh`; POST will succeed and the 6 RPC checks can pass.
+3. **Re-run E2E:** After DNS propagates, run `bash scripts/verify/troubleshoot-rpc-failures.sh` and `./scripts/verify/verify-end-to-end-routing.sh --profile=public`; POST will succeed and the 6 RPC checks can pass.

 ---

@@ -83,7 +83,7 @@ Follow the **Option B runbook** for step-by-step instructions and the DNS script
 When the only failures are the 6 RPC (edge blocking POST), you can still treat E2E as successful for DNS and HTTPS:

 ```bash
-E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 ./scripts/verify/verify-end-to-end-routing.sh
+E2E_SUCCESS_IF_ONLY_RPC_BLOCKED=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```

 - Exit code is **0** when DNS and HTTPS all pass and all failures are RPC.
--- a/docs/05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md
+++ b/docs/05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md
@@ -117,7 +117,7 @@ bash scripts/verify/troubleshoot-rpc-failures.sh

 # Full E2E (no need for E2E_SUCCESS_IF_ONLY_RPC_BLOCKED when RPC passes)
 # Use ACCEPT_ANY_DNS=1 so the 6 RPC hostnames (resolving to Cloudflare) count as DNS pass
-ACCEPT_ANY_DNS=1 ./scripts/verify/verify-end-to-end-routing.sh
+ACCEPT_ANY_DNS=1 ./scripts/verify/verify-end-to-end-routing.sh --profile=public
 ```

 ---
@@ -150,4 +150,4 @@ To send RPC traffic back through the UDM Pro (and accept 405 again):
 | 1 | Tunnel Public Hostnames: all 6 RPC hostnames → https://192.168.11.167:443 (No TLS Verify) |
 | 2 | (Optional) Verify origin from VMID 102 |
 | 3 | DNS: 6 RPC hostnames → CNAME to &lt;tunnel-id&gt;.cfargotunnel.com (Proxied) |
-| 4 | Re-run troubleshoot-rpc-failures.sh and verify-end-to-end-routing.sh |
+| 4 | Re-run troubleshoot-rpc-failures.sh and verify-end-to-end-routing.sh --profile=public |
--- a/docs/05-network/README.md
+++ b/docs/05-network/README.md
@@ -26,7 +26,7 @@ This directory contains network infrastructure documentation.

 ## Quick Reference

-**Edge:** UDM Pro (76.53.10.34); origin 76.53.10.36 → NPMplus 192.168.11.167. **Option B:** 6 RPC hostnames via Cloudflare Tunnel. E2E: `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh` when using Option B.
+**Edge:** UDM Pro (76.53.10.34); origin 76.53.10.36 → NPMplus 192.168.11.167. **Option B:** 6 RPC hostnames via Cloudflare Tunnel. E2E: `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public` when using Option B.

 ## Related Documentation

@@ -34,4 +34,3 @@ This directory contains network infrastructure documentation.
 - **[../02-architecture/NETWORK_ARCHITECTURE.md](../02-architecture/NETWORK_ARCHITECTURE.md)** - Complete network architecture
 - **[../04-configuration/RPC_ENDPOINTS_MASTER.md](../04-configuration/RPC_ENDPOINTS_MASTER.md)** - RPC proxy and DNS
 - **[../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md](../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md)** - Option B tunnel connector install
-
--- a/docs/12-quick-reference/QUICK_REFERENCE.md
+++ b/docs/12-quick-reference/QUICK_REFERENCE.md
@@ -15,7 +15,7 @@
 | Wave 2/3 operator checklist | [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](../00-meta/WAVE2_WAVE3_OPERATOR_CHECKLIST.md) |
 | Run log | [FULL_PARALLEL_RUN_LOG.md](../archive/00-meta-pruned/FULL_PARALLEL_RUN_LOG.md) (archived) |
 | Full verification | `bash scripts/verify/run-full-verification.sh` |
-| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh` |
+| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |

 ---

@@ -203,4 +203,3 @@ bash ProxmoxVE/ct/AppName.sh -u
 - [ ] Test on Proxmox VE 8.4+ or 9.0+
 - [ ] Implement update function (if applicable)
 - [ ] Update documentation (if needed)
-
--- a/docs/12-quick-reference/QUICK_REFERENCE_CARDS.md
+++ b/docs/12-quick-reference/QUICK_REFERENCE_CARDS.md
@@ -142,8 +142,8 @@ Expected: Table with columns VMID, status, name, type (e.g. `running`, `ubuntu-2
 | Task | Command / Location |
 |------|--------------------|
 | Full verification (deps + E2E) | `bash scripts/verify/run-full-verification.sh` |
-| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh` |
-| E2E with Option B (RPC via tunnel) | `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh` |
+| E2E routing only | `bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
+| E2E with Option B (RPC via tunnel) | `ACCEPT_ANY_DNS=1 bash scripts/verify/verify-end-to-end-routing.sh --profile=public` |
 | Dependencies check | `bash scripts/verify/check-dependencies.sh` |
 | NPMplus RPC fix (from LAN) | `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` |
 | NPMplus backup | `bash scripts/verify/backup-npmplus.sh` |