diff --git a/.env.master.example b/.env.master.example
new file mode 100644
index 0000000..e1ca79d
--- /dev/null
+++ b/.env.master.example
@@ -0,0 +1,198 @@
+# ============================================================================
+# Master Secrets Template — ALL keys used across the workspace
+# ============================================================================
+# Copy to .env (repo root) or .env.master (local only). Fill values; NEVER commit.
+# See: docs/04-configuration/MASTER_SECRETS.md for where each is used.
+# ============================================================================
+
+# --- Proxmox ---
+PROXMOX_ML110=
+PROXMOX_R630_01=
+PROXMOX_R630_02=
+PROXMOX_HOST=
+PROXMOX_PORT=
+PROXMOX_USER=
+PROXMOX_TOKEN_NAME=
+PROXMOX_TOKEN_VALUE=
+PROXMOX_ALLOW_ELEVATED=
+
+# --- Cloudflare ---
+CLOUDFLARE_API_TOKEN=
+CLOUDFLARE_EMAIL=
+CLOUDFLARE_API_KEY=
+CLOUDFLARE_ZONE_ID=
+CLOUDFLARE_ZONE_ID_D_BIS_ORG=
+CLOUDFLARE_ZONE_ID_MIM4U_ORG=
+CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS=
+CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO=
+CLOUDFLARE_TUNNEL_TOKEN=
+CLOUDFLARE_TUNNEL_ID=
+CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX=
+CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02=
+CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02=
+CLOUDFLARE_ORIGIN_CA_KEY=
+CLOUDFLARE_ACCOUNT_ID=
+
+# --- ClouDNS ---
+CLOUDNS_AUTH_ID=
+CLOUDNS_AUTH_PASSWORD=
+
+# --- NPM / NPMplus ---
+NPM_URL=
+NPM_EMAIL=
+NPM_PASSWORD=
+NPM_HOST=
+NPM_PROXMOX_HOST=
+NPMPLUS_HOST=
+NPM_VMID=
+NPMPLUS_VMID=
+NPMPLUS_ALLTRA_HYBX_VMID=
+IP_NPMPLUS_ALLTRA_HYBX=
+NPM_URL_MIFOS=
+
+# --- Fastly ---
+FASTLY_API_TOKEN=
+
+# --- Network / UniFi / Omada ---
+PUBLIC_IP=
+PROXMOX_HOST_FOR_TEST=
+UNIFI_UDM_URL=
+UNIFI_API_KEY=
+UNIFI_API_MODE=
+UNIFI_SITE_ID=
+UNIFI_VERIFY_SSL=
+OMADA_API_KEY=
+OMADA_CLIENT_SECRET=
+
+# --- Gitea ---
+GITEA_URL=
+GITEA_TOKEN=
+GITEA_ORG=
+
+# --- Database & app auth ---
+DATABASE_URL=
+JWT_SECRET=
+JWT_REFRESH_SECRET=
+JWT_EXPIRES_IN=
+JWT_REFRESH_EXPIRES_IN=
+SESSION_SECRET=
+ADMIN_CENTRAL_API_KEY=
+DBIS_CENTRAL_URL=
+ADMIN_JWT_SECRET=
+
+# --- Storage (AWS / Azure) ---
+STORAGE_TYPE=
+STORAGE_PATH=
+AWS_REGION=
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_S3_BUCKET=
+AZURE_STORAGE_CONNECTION_STRING=
+AZURE_STORAGE_CONTAINER=
+
+# --- Blockchain / SMOM-DBIS-138 (use smom-dbis-138/.env for PRIVATE_KEY) ---
+PRIVATE_KEY=
+RPC_URL_138=
+RPC_URL_138_PUBLIC=
+ETHEREUM_MAINNET_RPC=
+CHAIN_651940_RPC_URL=
+ETHERLINK_RPC_URL=
+TEZOS_RPC_URL=
+ETHERSCAN_API_KEY=
+ETHERLINK_CCIP_SELECTOR=
+TEZOS_BRIDGE_ENABLED=
+ETHERLINK_BRIDGE_ENABLED=
+TEZOS_RELAY_ORACLE_KEY=
+ETHERLINK_RELAY_BRIDGE=
+ETHERLINK_RELAY_PRIVATE_KEY=
+JUMPER_API_KEY=
+ONEINCH_API_KEY=
+MOONPAY_API_KEY=
+MOONPAY_SECRET_KEY=
+RAMP_NETWORK_API_KEY=
+ONRAMPER_API_KEY=
+
+# --- Alerts & monitoring ---
+SLACK_WEBHOOK_URL=
+PAGERDUTY_INTEGRATION_KEY=
+EMAIL_ALERT_API_URL=
+EMAIL_ALERT_RECIPIENTS=
+SENTRY_DSN=
+
+# --- Legal / e-signature ---
+E_SIGNATURE_BASE_URL=
+
+# --- OTC / exchanges (dbis_core) ---
+CRYPTO_COM_API_KEY=
+CRYPTO_COM_API_SECRET=
+CRYPTO_COM_ENVIRONMENT=
+BINANCE_API_KEY=
+BINANCE_API_SECRET=
+KRAKEN_API_KEY=
+KRAKEN_PRIVATE_KEY=
+OANDA_API_KEY=
+OANDA_ACCOUNT_ID=
+OANDA_ENVIRONMENT=
+FXCM_API_TOKEN=
+
+# --- Price / market data ---
+COINGECKO_API_KEY=
+COINDESK_API_KEY=
+COINMARKETCAP_API_KEY=
+DEXSCREENER_API_KEY=
+
+# --- Mifos / Fineract / OMNL ---
+MIFOS_BASE_URL=
+MIFOS_TENANT=
+MIFOS_USER=
+MIFOS_PASSWORD=
+MIFOS_INSECURE=
+OMNL_FINERACT_BASE_URL=
+OMNL_FINERACT_TENANT=
+OMNL_FINERACT_USER=
+OMNL_FINERACT_PASSWORD=
+
+# --- Phoenix / Sankofa / OMNIS backend ---
+SANKOFA_PHOENIX_API_URL=
+SANKOFA_PHOENIX_CLIENT_ID=
+SANKOFA_PHOENIX_CLIENT_SECRET=
+SANKOFA_PHOENIX_TENANT_ID=
+
+# --- Frontend / MetaMask / Explorer ---
+VITE_WALLETCONNECT_PROJECT_ID=
+VITE_THIRDWEB_CLIENT_ID=
+VITE_ETHERSCAN_API_KEY=
+VITE_SENTRY_DSN=
+VITE_API_URL=
+VITE_API_BASE_URL=
+NEXT_PUBLIC_API_URL=
+NEXT_PUBLIC_CHAIN_ID=
+METAMASK_API_KEY=
+THIRDWEB_SECRET_KEY=
+NPM_ACCESS_TOKEN=
+
+# --- DeFi aggregators (alltra-lifi-settlement) ---
+PARASWAP_API_KEY=
+ZEROX_API_KEY=
+
+# --- ProxmoxVE API (MongoDB) ---
+MONGO_USER=
+MONGO_PASSWORD=
+MONGO_IP=
+MONGO_PORT=
+MONGO_DATABASE=
+
+# --- Chain138 RPC (config) ---
+CHAIN138_RPC_URL=
+RPC_URL_138_FIREBLOCKS=
+WS_URL_138_FIREBLOCKS=
+CHAIN_ID_138=
+
+# --- Phoenix deploy API ---
+PORT=
+GITEA_TOKEN=
+
+# --- Optional / per-service ---
+MARKET_REPORTING_API_KEY=
+E_FILING_ENABLED=
+NODE_ENV=
diff --git a/.gitignore b/.gitignore
index 8ea8ab3..dcbc50d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ yarn.lock .env .env.local .env.*.local +.env.master # Logs *.log
diff --git a/docs/04-configuration/MASTER_SECRETS.md b/docs/04-configuration/MASTER_SECRETS.md
new file mode 100644
index 0000000..404e4dd
--- /dev/null
+++ b/docs/04-configuration/MASTER_SECRETS.md
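Review bot: `GITEA_TOKEN=` is declared twice in this template — once under `# --- Gitea ---` and again under `# --- Phoenix deploy API ---` near the end of the hunk — so a loader that rejects duplicate keys, or applies last-wins, will behave differently from what a reader of the first section expects; drop the second line or replace it with `# GITEA_TOKEN: see the Gitea section above`. The template also omits the `PROXMOX_PASS_ML110`, `PROXMOX_PASS_R630_01` and `PROXMOX_PASS_R630_02` entries that docs/04-configuration/MASTER_SECRETS.md in the same commit lists as required when no token is set, so the two files already disagree on what "ALL keys" covers. Since `PRIVATE_KEY`, `ETHERLINK_RELAY_PRIVATE_KEY` and `TEZOS_RELAY_ORACLE_KEY` sit in the same file as low-sensitivity values such as `PUBLIC_IP` and `NODE_ENV`, consider a header comment stating that a filled `.env.master` is a single point of compromise for every service listed and that signing keys belong in the per-project `.env` or the HSM/Vault the doc already recommends.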
@@ -0,0 +1,218 @@
+# Master Secrets Reference
+
+**Single authoritative list of all secrets** used across the Proxmox workspace and related projects.
+**No values are stored here.** Use root `.env`, service-specific `.env` files, or a secrets store (e.g. Vault); see [.env.master.example](../../.env.master.example) for a single template of all keys.
+
+**Last updated:** 2026-02-21
+
+---
+
+## How to use
+
+- **Reference:** This file lists every secret **name**, **where it is used**, and **required/optional**.
+- **Template:** Copy [.env.master.example](../../.env.master.example) to `.env` (root) or `.env.master` (local only), fill values, and never commit. Ensure `.env` and `.env.master` are in `.gitignore`.
+- **Per-project:** Many secrets live in project-specific `.env` (e.g. `smom-dbis-138/.env`, `dbis_core/.env`). Root `.env` is used by scripts in this repo; subprojects use their own `.env`.
+
+---
+
+## 1. Proxmox & infrastructure
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `PROXMOX_ML110`, `PROXMOX_R630_01`, `PROXMOX_R630_02` | Root `.env`, config | Yes | Host IPs (can be non-secret) |
+| `PROXMOX_HOST`, `PROXMOX_PORT`, `PROXMOX_USER` | Root `.env`, scripts | Yes | API target |
+| `PROXMOX_TOKEN_NAME`, `PROXMOX_TOKEN_VALUE` | Root `.env` | Yes (for API) | Or password per host |
+| `PROXMOX_PASS_ML110`, `PROXMOX_PASS_R630_01`, `PROXMOX_PASS_R630_02` | Scripts (if no token) | If no token | SSH/API |
+
+---
+
+## 2. Cloudflare
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `CLOUDFLARE_API_TOKEN` | Root `.env` | Preferred | Prefer over API_KEY |
+| `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_KEY` | Root `.env` | If no token | Legacy |
+| `CLOUDFLARE_ZONE_ID`, `CLOUDFLARE_ZONE_ID_*` | Root `.env` | Yes | Per zone |
+| `CLOUDFLARE_ACCOUNT_ID` | Root `.env` | Yes | Tunnels / account API |
+| `CLOUDFLARE_TUNNEL_TOKEN` | Root `.env` | Yes (tunnels) | cloudflared |
+| `CLOUDFLARE_TUNNEL_ID`, `CLOUDFLARE_TUNNEL_ID_*` | Root `.env` | If using tunnel DNS | Tunnel UUIDs |
+| `CLOUDFLARE_ORIGIN_CA_KEY` | Root `.env` | Optional | Origin cert |
+
+---
+
+## 3. NPM / NPMplus
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `NPM_URL`, `NPM_EMAIL`, `NPM_PASSWORD` | Root `.env` | Yes (NPM scripts) | All NPMplus instances |
+| `NPM_HOST`, `NPM_VMID`, `NPMPLUS_HOST`, `NPMPLUS_VMID` | Root `.env` | Yes | Config |
+| `NPM_URL_MIFOS`, `NPMPLUS_ALLTRA_HYBX_VMID`, `IP_NPMPLUS_ALLTRA_HYBX` | Root `.env` | Per setup | Optional |
+
+---
+
+## 4. DNS / TLS (ClouDNS, etc.)
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | Root `.env` | If Certbot ClouDNS | NPMplus TLS |
+
+---
+
+## 5. Network / UniFi / Omada
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `UNIFI_UDM_URL`, `UNIFI_API_KEY`, `UNIFI_SITE_ID` | Root `.env`, unifi-api | Yes (if automating) | UDM Pro API |
+| `OMADA_API_KEY`, `OMADA_CLIENT_SECRET` | omada-api/.env | If using Omada | Omada Controller |
+
+---
+
+## 6. Gitea
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `GITEA_URL`, `GITEA_TOKEN` | Root `.env` | Yes (push/create repos) | push-to-gitea.sh, push-all-projects-to-gitea.sh |
+| `GITEA_ORG` | Optional override | No | Default d-bis |
+
+---
+
+## 7. Blockchain / SMOM-DBIS-138
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `PRIVATE_KEY` | smom-dbis-138/.env | Yes (deploy/bridge) | Deployer key; move to HSM |
+| `RPC_URL_138`, `RPC_URL_138_PUBLIC` | Root/smom-dbis-138 `.env`, config | Yes | Chain 138 RPC |
+| `ETHEREUM_MAINNET_RPC`, `CHAIN_651940_RPC_URL`, etc. | smom-dbis-138/.env | Per use | Other chains |
+| `ETHERSCAN_API_KEY` | Root, smom-dbis-138 | Yes (verification) | Etherscan/Blockscan |
+| Contract addresses (e.g. `CCIP_ROUTER`, `LINK_TOKEN`) | smom-dbis-138/.env, config | Yes | See config/contract-addresses.conf |
+
+---
+
+## 8. Database & app auth
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `DATABASE_URL` | Root, dbis_core, OMNIS, explorer, token-aggregation | Yes (per app) | PostgreSQL connection string |
+| `JWT_SECRET`, `JWT_REFRESH_SECRET` | OMNIS/backend, explorer, dbis_core | Yes (per service) | Min 32 chars |
+| `SESSION_SECRET` | Explorer, OMNIS | If sessions | Session signing |
+| `ADMIN_CENTRAL_API_KEY` | dbis_core, orchestration, token-aggregation | Yes (central API) | Service-to-service |
+| `DBIS_CENTRAL_URL` | Callers of dbis_core | Yes | API base URL |
+
+---
+
+## 9. Storage (AWS / Azure)
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_S3_BUCKET` | Root, OMNIS, the-order | If S3 | Storage |
+| `AZURE_STORAGE_CONNECTION_STRING`, `AZURE_STORAGE_CONTAINER` | Root, OMNIS | If Azure | Blob storage |
+
+---
+
+## 10. Third-party APIs (price, ramps, exchanges)
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `COINGECKO_API_KEY` | Root, token-aggregation, oracle | Recommended | Price feeds |
+| `COINDESK_API_KEY` | Root | Optional | Market data |
+| `MOONPAY_API_KEY`, `MOONPAY_SECRET_KEY` | Root, metamask-integration | Optional | On/off ramp |
+| `RAMP_NETWORK_API_KEY`, `ONRAMPER_API_KEY` | Root, metamask-integration | Optional | Ramps |
+| `CRYPTO_COM_API_KEY`, `CRYPTO_COM_API_SECRET` | dbis_core | If OTC | Exchange OTC |
+| `BINANCE_API_KEY`, `BINANCE_API_SECRET` | dbis_core | Optional | Ticker/private |
+| `KRAKEN_API_KEY`, `KRAKEN_PRIVATE_KEY` | dbis_core | Optional | Same |
+| `OANDA_API_KEY`, `OANDA_ACCOUNT_ID` | dbis_core | Optional | Forex |
+| `FXCM_API_TOKEN` | dbis_core | Optional | Forex |
+| `ONEINCH_API_KEY`, `PARASWAP_API_KEY`, `ZEROX_API_KEY` | alltra-lifi-settlement | Optional | DeFi rate limits |
+
+---
+
+## 11. Frontend / MetaMask / Explorer
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `VITE_WALLETCONNECT_PROJECT_ID`, `VITE_THIRDWEB_CLIENT_ID` | smom-dbis-138/frontend-dapp | Yes (WalletConnect) | Reown/Thirdweb |
+| `VITE_ETHERSCAN_API_KEY`, `VITE_SENTRY_DSN` | Frontends | Optional | Build-time |
+| `NEXT_PUBLIC_*` | explorer-monorepo/frontend | Per feature | Next.js public env |
+| `METAMASK_API_KEY`, `THIRDWEB_SECRET_KEY` | metamask-integration | If integrated | Backend |
+
+---
+
+## 12. Alerts & monitoring
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `SLACK_WEBHOOK_URL` | Root, dbis_core | Optional | Alerts |
+| `PAGERDUTY_INTEGRATION_KEY` | Root, dbis_core | Optional | |
+| `EMAIL_ALERT_API_URL`, `EMAIL_ALERT_RECIPIENTS` | Root, dbis_core | Optional | |
+| `SENTRY_DSN` | Various | Optional | Error tracking |
+
+---
+
+## 13. Legal / e-signature / e-filing
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `E_SIGNATURE_BASE_URL` | Root, the-order/legal-documents | Optional | E-signature API |
+| E-filing / court API keys | the-order/legal-documents | If enabled | Per integration |
+
+---
+
+## 14. Mifos / Fineract / OMNL
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `MIFOS_BASE_URL`, `MIFOS_TENANT`, `MIFOS_USER`, `MIFOS_PASSWORD` | Root `.env` | If central-bank scripts | Fineract API |
+| `OMNL_FINERACT_BASE_URL`, `OMNL_FINERACT_TENANT`, `OMNL_FINERACT_USER`, `OMNL_FINERACT_PASSWORD` | Root `.env`, omnl-fineract | If OMNL | OMNL tenant |
+
+---
+
+## 15. Phoenix / Sankofa / OMNIS backend
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `SANKOFA_PHOENIX_API_URL`, `SANKOFA_PHOENIX_CLIENT_ID`, `SANKOFA_PHOENIX_CLIENT_SECRET`, `SANKOFA_PHOENIX_TENANT_ID` | OMNIS/backend | If Phoenix OAuth | OAuth client |
+| Phoenix/Vault app role credentials | .secure/ or Vault | If Phoenix deploy | Phoenix deploy API |
+
+---
+
+## 16. Tezos / Etherlink / Jumper
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `TEZOS_RELAY_ORACLE_KEY`, `ETHERLINK_RELAY_BRIDGE`, `ETHERLINK_RELAY_PRIVATE_KEY` | Root, smom-dbis-138 | If Tezos bridge | Relay |
+| `JUMPER_API_KEY` | Root | Optional | Jumper bridge |
+
+---
+
+## 17. Fastly / other CDN
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `FASTLY_API_TOKEN` | Root `.env` | If using Fastly API | Purge/config |
+
+---
+
+## 18. Proxmox VE API subproject
+
+| Secret | Where used | Required | Notes |
+|--------|------------|----------|--------|
+| `MONGO_USER`, `MONGO_PASSWORD`, `MONGO_IP`, `MONGO_PORT`, `MONGO_DATABASE` | ProxmoxVE/api/.env | If MongoDB | ProxmoxVE API |
+
+---
+
+## Security
+
+- **Never commit** `.env`, `.env.master`, or any file containing real secrets.
+- **Private keys:** Prefer HSM/Vault; do not store in repo or committed files.
+- **Rotation:** Rotate API tokens and passwords periodically; document in this repo.
+- **Scopes:** Use least-privilege tokens (e.g. Gitea: write:organization, write:repository).
+
+---
+
+## Related docs
+
+- [.env.master.example](../../.env.master.example) — Single template with all keys (placeholders).
+- [.env.example](../../.env.example) — Root .env template with comments.
+- [MASTER_SECRETS_INVENTORY.md](MASTER_SECRETS_INVENTORY.md) — Detailed inventory and HSM migration plan.
+- [REQUIRED_SECRETS_INVENTORY.md](REQUIRED_SECRETS_INVENTORY.md) — Required secrets checklist.
+- [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md](REMAINING_ITEMS_DOTENV_AND_ACTIONS.md) — Where to store secrets and which scripts use them.