mainnet dwployment guide

[Akatenvictor]

docs/MAINNET_DEPLOY.md (new)
A 7-section step-by-step guide covering:

1. Pre-flight — cargo test, npm run codegen:check, cargo audit, testnet reference grep
2. Wallet setup — hardware wallet keygen, XLM funding
3. Contract deployment — build WASM, run with MAINNET_CONFIRMED=true guard, verify on-chain via stellar contract invoke -- admin
4. Backend config — full table of every env var found in the codebase (STELLAR_SECRET_KEY, TRIVELA_MASTER_KEY, TRIVELA_JWT_SECRET, VAPID keys, OTEL, etc.) split into required vs. optional
5. Kubernetes / Helm — exact values.yaml keys that must change (image tag, replicaCount: 3, resource limits, ingress.host, CORS)
6. SSL / Nginx — references nginx/trivela.conf.template, notes that CORS_ALLOWED_ORIGINS=* is forbidden in production
7. Smoke test checklist — infrastructure, Stellar/contracts, backend API, frontend, observability

docs/SECURITY.md (new)
Covers:

• Vulnerability reporting contact
• Key inventory table with storage requirements for each secret
• Routine key rotation procedure (zero-downtime, with TRIVELA_API_KEYS multi-key phase-in)
• STELLAR_SECRET_KEY rotation (separate from contract admin authority)
• Compromised admin keypair incident response (contain → emergency transfer → rotate to new key → post-incident audit)
• Full two-step propose_admin → accept_admin procedure with CLI commands, verification steps, and the 30-day TTL window
• Defense-in-depth recommendations (multisig, time-lock, monitoring, backup key)

scripts/deploy-testnet.sh (modified)
Added a guard block after the STELLAR_SOURCE check: if STELLAR_NETWORK is mainnet or public, the script errors out unless MAINNET_CONFIRMED=true is explicitly set, with a warning message printed to stderr.

package.json (modified)
Added "deploy:mainnet": "STELLAR_NETWORK=mainnet MAINNET_CONFIRMED=true bash ./scripts/deploy-testnet.sh" — still requires STELLAR_SOURCE in the caller's environment.

Closes #481
Closes #484
Closes #522
Closes #517

[vercel]

Someone is attempting to deploy a commit to the joelpeace48-cell's projects Team on Vercel.

A member of the Team first needs to authorize it.

[drips-wave]

@Akatenvictor Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits