d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4eead3e53fecdb2b7e629bb9f56b22ff92c61d2e
proxmox/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md
defiQUG 7ac74f432b chore: sync docs, config schemas, scripts, and meta task alignment 
- Institutional / JVMTM / reserve-provenance / GRU transport + standards JSON
- Validation and verify scripts (Blockscout labels, x402, GRU preflight, P1 local path)
- Wormhole wiring in AGENTS, MCP_SETUP, MASTER_INDEX, 04-configuration README
- Meta docs, integration gaps, live verification log, architecture updates
- CI validate-config workflow updates

Operator/LAN items, submodule working trees, and public token-aggregation edge
routes remain follow-up (see TODOS_CONSOLIDATED P1).

Made-with: Cursor
2026-03-31 22:31:39 -07:00

95 lines
23 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# DBIS RTGS Canonical Production Checklist
**Last updated:** 2026-03-29
**Purpose:** Canonical production-readiness checklist for the full DBIS RTGS stack across Chain 138, OMNL / Fineract, HYBX sidecars, Indonesia / BNI banking flows, and optional Hyperledger identity and interoperability layers.
## Status guidance
- Use `Complete` only for production-capable roles that are implemented and verified.
- Use `Partial` when a slice exists or works narrowly, but is not yet enough for full production use.
- Use `Planned` for intentionally in-scope components not yet deployed or validated.
- Use `Reserved placeholder` for inventory that exists but is not an active workload.
- Use `Retired / standby` for inventory that is intentionally inactive until rebuilt.
## Canonical checklist
| Component | Current state | Required integration | Remaining task | Owner | Production gate |
|-----------|---------------|----------------------|----------------|-------|-----------------|
| Chain 138 Besu validator / sentry / RPC baseline | Complete. Validator, sentry, core, public, and named RPC tiers are live and script-verified. | Ongoing RPC, validator, and public wallet/explorer compatibility only. | Maintain health, peer spread, fee support, and public RPC method coverage. | DBIS / infra ops | Public and core RPC healthy, head spread `0`, peer counts healthy, wallet/explorer-required methods working. |
| Explorer / Blockscout | Complete. Explorer routes, APIs, token metadata, and RPC capability metadata are live. | Ongoing explorer API, token metadata, and wallet metadata compatibility. | Maintain explorer health, indexing freshness, metadata accuracy, and route stability. | DBIS / explorer ops | Explorer routes, APIs, and metadata remain healthy and consistent with Chain 138 runtime. |
| FireFly primary `6200` | Partial. Restored as a minimal local FireFly API footprint, not yet a proven multiparty production workflow engine. | FireFly event/orchestration model, sidecar and banking workflow correlation, and HA strategy. | Define event model, validate orchestration role, and decide whether FireFly is mandatory in slice 1. | DBIS workflow / infra ops | API healthy, config preserved, orchestration role defined, and real cross-system workflow validated. |
| FireFly secondary `6201` | Retired / standby. Inventory exists, but current rootfs does not contain a valid deployment payload. | Rebuild contract for a real secondary FireFly node if HA is required. | Either rebuild as a true secondary and validate failover, or keep explicitly retired in all architecture claims. | DBIS workflow / infra ops | Either rebuilt and verified as a real secondary, or formally excluded from active-stack claims. |
| Fabric `6000-6002` | Partial. Primary `6000` runs a validated sample network; `6001` and `6002` remain reserved placeholder inventory. | Actual Fabric peer/orderer deployment model if Fabric is required by the RTGS target architecture. | Decide whether the current sample topology evolves into a production role or remains a validated sidecar DLT only. | DBIS architecture / infra ops | If Fabric stays in scope, the intended role-specific workloads are deployed and validated; otherwise placeholders stay explicitly non-production. |
| Indy `6400-6402` | Partial. Primary `6400` runs a validated four-node local pool; `6401` and `6402` remain reserved placeholder inventory. | Actual Indy validator / identity runtime only if Indy is required by the RTGS target architecture. | Decide whether the current pool is the canonical identity-ledger base and validate the role if it remains in scope. | DBIS architecture / infra ops | If Indy stays in scope, the intended identity-ledger role is documented and validated; otherwise placeholders stay explicitly non-production. |
| Aries | Partial. Primary `6500` now runs a deployed ACA-Py agent, but no RTGS credential-exchange flow is yet validated. | Identity-agent model, DID/wallet strategy, and credential-exchange role in RTGS workflows. | Freeze scope for production slice 1 and, if retained, validate one real agent-to-agent or institution-facing flow. | Identity architecture lead | Scope decision is frozen, and if in scope the deployed agent model and flows are validated. |
| AnonCreds | Partial. The deployed ACA-Py runtime now uses `askar-anoncreds`, but issuer / holder / verifier lifecycle is not yet validated end to end. | Issuer / holder / verifier model and credential lifecycle. | Freeze schema, credential-definition, and verification flow if the feature remains in scope. | Identity architecture lead | Scope decision is frozen, and if in scope the credential lifecycle is validated end to end. |
| Ursa | Partial. No separate operator-managed daemon is evidenced; the current cryptographic path is indirect through the deployed ACA-Py / AnonCreds runtime. | Cryptographic runtime role, library dependency model, and operational controls. | Decide whether Ursa must ever be managed directly or remains an indirect dependency only. | Identity / cryptography architecture lead | Scope decision is frozen, and if in scope the cryptographic dependency model is documented and validated. |
| Cacti | Partial. Primary `5200` is now proven as a live Besu-facing interoperability gateway, but no production cross-ledger contract is frozen. | Cross-ledger interoperability contract and deployment model. | Decide whether Cacti is needed for production slice 1 and, if retained, validate the real cross-ledger path. | Interoperability architecture lead | Scope decision is frozen, and if in scope the live interoperability path is deployed and tested. |
| Caliper | Partial. Primary `6600` now hosts a live upstream Caliper workspace with the Besu `1.4` binding, but no approved benchmark profile has been executed. | Benchmark workload definitions for RTGS and Chain 138 settlement paths. | Add approved workload profiles and execute the accepted read / write benchmark set. | Performance / QA lead | Benchmark harness exists and approved RTGS workloads have been executed and recorded. |
| OMNL / Fineract API rail | Partial. Live tenant and authenticated posting path are now proven, but the canonical RTGS operator rail is not fully frozen. | Stable OMNL tenant/auth contract, operator flow, office/GL mapping, and reconciliation package path. | Freeze tenant, operator runbook, participant model, and reproducible OMNL settlement rail. | OMNL / banking ops | Office / GL / JE / snapshot / package flow runs cleanly and repeatably against the intended live tenant. |
| Mifos X frontend / Fineract tenant | Partial. Runtime is live and sidecars can authenticate, but production operator model is not fully frozen. | Stable UI/API tenant contract, secrets, and operator procedures. | Finalize tenant/auth, operator usage, and runbook completeness. | OMNL / banking ops | UI/API healthy, tenant/auth stable, and operator procedures are complete and repeatable. |
| HYBX participant / office / treasury model | Planned. Participant, office, reserve, settlement, and treasury roles are not yet frozen end to end. | OMNL participant model, office mappings, GL mappings, and treasury structure. | Freeze participant classes, office IDs, treasury accounts, and nostro/vostro model. | Banking architecture lead | Participant, treasury, reserve, and GL structures are documented, accepted, and used by the canonical rail. |
| Depository / CSD layer | Planned. No dedicated depository or CSD runtime and no frozen asset-register model are yet evidenced in the current RTGS stack. | Securities ownership model, settlement-finality link, asset register, and participant/custody relationships. | Define whether the depository role is on-ledger, off-ledger, or hybrid; freeze issuance, transfer, pledge, and settlement-touch points. | Securities / market-infrastructure architecture lead | Depository role, participant model, and settlement interaction are documented and validated in at least one canonical asset flow. |
| Global custodian layer | Planned. No explicit global custodian runtime, account model, or reporting path is yet frozen in repo-backed state. | Correspondent banks, global custodians, safekeeping accounts, corporate-action handling, and asset-servicing obligations. | Define the custody operating model, account structure, reporting obligations, and reconciliation with OMNL and RTGS settlement. | Custody / institutional banking integration lead | Custody account model, reconciliation path, and reporting obligations are frozen and tested in a canonical custody flow. |
| FX pricing / dealing engine | Planned. FX flow requirements are documented, but no single pricing/dealing engine contract is yet frozen as the production source of rates and booking rules. | Treasury policy, rate sources, quote locking, spreads, value dates, and gain/loss accounting. | Freeze the pricing hierarchy, quote lifecycle, booking rules, and integration into OMNL and sidecars. | FX / treasury architecture lead | One canonical FX transaction runs with frozen pricing inputs, accounting, and reconciliation. |
| Liquidity pooling and aggregation engine | Planned. Liquidity sourcing is implied across treasury and correspondent flows, but no explicit pooling/aggregation engine is yet modeled as a production component. | Treasury policy, reserve policy, liquidity providers, internal pools, external bank lines, and optional on-chain liquidity. | Define source prioritization, eligibility rules, allocation logic, and operator controls. | Liquidity architecture lead | Liquidity sourcing logic is documented and one canonical funding decision path is validated. |
| Liquidity source adapters | Planned. No source-by-source adapter contract has been frozen for bank lines, treasury pools, correspondent banks, or optional on-chain liquidity. | Bank lines, correspondent banks, internal treasury pools, optional on-chain pools, and optional sidecar/provider adapters. | Enumerate source families and define one adapter contract per source class. | Treasury / integrations lead | Each in-scope liquidity source class has a defined adapter contract and at least the mandatory sources are validated. |
| Custody / safekeeping / asset servicing flow | Planned. Custody, safekeeping, and servicing obligations are referenced indirectly through settlement and correspondent flows, but not yet modeled as one canonical lifecycle. | Depository, custodian, participant accounts, statements, corporate actions, holdings reconciliation, and evidence path. | Define the canonical lifecycle for safekeeping, transfer, servicing, and statement production. | Custody operations / product architecture lead | One end-to-end custody lifecycle is documented and validated with reconciliation/evidence output. |
| Mojaloop integration | Planned. No live Mojaloop switch endpoint/auth/callback contract is yet evidenced here. | Mojaloop quote, transfer, callback, and settlement-window contract. | Document live Mojaloop endpoints/auth and integrate them if Mojaloop remains in scope. | Payments interoperability lead | Endpoint/auth contract is frozen and quote/transfer/callback/settlement behavior is validated. |
| HYBX sidecar layer | Partial. Sidecar families are known, and first-slice sidecars are deployed, but full boundaries and ownership are not yet frozen. | Sidecar-by-sidecar ingress/egress, retries, auth, and system-of-record ownership. | Freeze sidecar boundaries, orchestration model, and canonical RTGS event path. | HYBX app / integration lead | Sidecar purposes, auth, retries, and system-of-record ownership are documented and validated. |
| `mifos-fineract-sidecar` | Partial. Deployed on Proxmox, healthy, and has completed an authenticated live OMNL posting. | OMNL/Fineract tenant contract and downstream settlement/evidence path. | Extend validation from posting success to the full settlement/evidence path. | HYBX integration lead | Sidecar API and event flow documented, and at least one authenticated live transfer completes through downstream settlement/evidence. |
| `server-funds-sidecar` | Partial. Deployed on Proxmox and healthy, but treasury/system-of-record boundaries are not yet frozen. | OMNL treasury/funding orchestration contract and participant model. | Freeze whether it is mandatory in the first RTGS slice and validate its business flow. | HYBX integration lead | Treasury/funding role is defined and a real authenticated business flow is validated. |
| `off-ledger-2-on-ledger-sidecar` | Partial. Deployed on Proxmox, healthy, and able to drive the first Chain 138 settlement leg with safe pending-anchor degradation. | Canonical off-ledger event source, OMNL/Fineract posting contract, and Chain 138 settlement finality path. | Freeze the canonical off-ledger source event and complete final receipt/finality handling. | HYBX integration lead | Off-ledger event to Chain 138 settlement is frozen and tested end to end with durable evidence output. |
| `mt103-hardcopy-sidecar` | Partial. Known sidecar, but not yet tied into the canonical RTGS path. | MT103 ingest, bank-message archive, and settlement/evidence mapping. | Decide whether it is in scope and, if yes, integrate MT103 ingest into the canonical RTGS flow. | HYBX integration lead | MT103 ingestion path is documented, integrated, and tested if in scope. |
| `securitization-engine-sidecar` | Partial. Known sidecar, but regulatory/accounting role in RTGS is not yet frozen. | Accounting, collateral, and reporting responsibilities in the RTGS operating model. | Define whether it participates in RTGS slice 1 and validate the required role if so. | HYBX integration lead | Its RTGS responsibility is either validated or explicitly out of scope. |
| `card-networks-sidecar` | Partial. Known sidecar, but not yet placed in the RTGS path. | Card-network settlement role only if card rails are included in scope. | Include only if card settlement is part of production scope; otherwise keep it out of the canonical path. | HYBX integration lead | Scope decision is frozen, and if included the settlement path is validated. |
| `securities-sidecar` | Partial. Known sidecar with runnable application shape, but its depository/custody placement in the RTGS architecture is not yet frozen. | Instrument resolution, securities instructions, settlement events, and position reconciliation linked to the depository/custody operating model. | Freeze whether it is the runtime boundary for depository/custody flows and validate one canonical securities/custody path if so. | HYBX integration lead | Scope decision is frozen, and if included one canonical securities or custody flow is validated. |
| `flash-loan-xau-sidecar` | Planned. Runnable sidecar exists locally, but its role in the RTGS production path is still specialized and optional. | XAU-specific liquidity, conversion, and settlement logic only if retained as part of the target architecture. | Decide whether it remains a specialized liquidity extension or enters the canonical RTGS path; validate if retained. | HYBX integration lead | Scope decision is frozen, and if included the XAU liquidity path is validated end to end. |
| Chain 138 settlement contracts | Partial. Contract families exist, but the exact RTGS contract path is not yet frozen as one canonical settlement lane. | Final contract path between OMNL-side events and on-chain settlement evidence. | Freeze the exact contract set and document how each business flow reaches Chain 138. | Chain 138 / settlement lead | Final contract set is frozen, deployed addresses are accepted, and the path is tested end to end. |
| MerchantSettlementRegistry | Partial. Available contract family, but exact placement in the canonical RTGS flow is not yet frozen. | RTGS settlement workflow and evidence mapping. | Decide exactly when and how the registry is invoked in RTGS settlement. | Chain 138 / settlement lead | Registry path is integrated into the business flow with verified inputs and outputs. |
| WithdrawalEscrow | Partial. Available contract family, but exact placement in RTGS withdrawal scenarios is not yet frozen. | Withdrawal / release / payout semantics in the RTGS model. | Freeze the escrow role for settlement and withdrawal scenarios. | Chain 138 / settlement lead | Escrow flow is validated in the chosen settlement and withdrawal scenarios. |
| DBIS / compliant settlement tokens | Partial. Candidate instruments exist, but the final RTGS instrument set is not yet frozen by use case. | Monetary architecture, reserve rules, mint/burn policy, and reconciliation policy. | Select the final RTGS instruments and freeze their control and reconciliation model. | Chain 138 / monetary architecture lead | Final instrument selection, reserve rules, and reconciliation path are documented and validated. |
| Reserve / oracle dependencies | Partial. Reserve and oracle systems exist, but the RTGS-specific dependency mapping is not yet frozen. | RTGS dependency model for reserve attestations, price references, and control policy. | Freeze which reserve/oracle controls are required for RTGS settlement and FX support. | Monetary controls lead | RTGS reserve/oracle dependencies are documented, accepted, and operational. |
| FireFly / sidecar / chain event model | Planned. No single canonical correlation and retry model is yet frozen. | Shared IDs, correlation, retry, compensating actions, and event archive policy. | Define one canonical event model across OMNL, sidecars, and Chain 138. | Workflow architecture lead | Event catalog, IDs, retries, and compensating actions are defined and validated. |
| ISO 20022 evidence and vault path | Partial. Evidence standard exists, but full institution-ready production completion is not yet frozen. | ISO 20022 archive, manifest, vaulting, and hash anchoring contract. | Complete ISO evidence packaging and archive references for the RTGS path. | Regulatory / compliance lead | ISO manifests, hashes, archive references, and legal evidence path are complete and reproducible. |
| Institutional 4.995 package path | Partial. Package standards and scripts exist, but real institution submission-grade completion is not yet frozen. | Institutional attestation, submission package, and strict readiness contract. | Complete the evidence path with real institution-ready materials and `--strict` readiness. | Regulatory / compliance lead | `--strict` readiness passes with real institution materials and reproducible evidence output. |
| Indonesia / BNI domestic banking path | Planned. Blueprint exists, but live BNI endpoint/auth/message contract is not yet evidenced. | BNI institution profile, domestic route definition, auth, account validation, and reporting obligations. | Freeze the BNI-connected route and message/auth contract for production. | Indonesia banking integration lead | Live BNI contract is documented, validated, and used in the canonical Indonesia payment flow. |
| Global correspondent / liquidity bank path | Planned. Blueprint exists, but live correspondent endpoint/auth/message contract is not yet evidenced. | SWIFT / ISO / correspondent-bank endpoint, auth, nostro/vostro, and confirmation contract. | Freeze the correspondent-bank route and integrate it with OMNL, sidecars, and reconciliation. | Cross-border banking integration lead | Live correspondent contract is documented and a real cross-border flow is validated. |
| RTGS production gate | Planned. The gate exists conceptually, but not all mandatory lanes are green yet. | All mandatory banking, sidecar, settlement, evidence, and external-bank integrations for the chosen production architecture. | Turn all mandatory rows for the chosen production architecture to `Complete`. | DBIS program owner | All mandatory checklist rows for the chosen RTGS production architecture are `Complete`. |
## Immediate execution priority
1. Freeze the canonical banking rail on the now-proven OMNL tenant/auth path.
2. Freeze the participant / treasury / GL model plus the depository, custody, FX, and liquidity-control layers.
3. Complete the canonical settlement path from HYBX sidecars into Chain 138 and evidence output.
## Related artifacts
- [OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md](OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md) — OMNL, DBIS Core, Smart Vault, RTGS, settlement events, ISO/DID/correlation
- [docs/00-meta/INTEGRATION_GAPS_AND_NEXT_STEPS_2026-03-30.md](../00-meta/INTEGRATION_GAPS_AND_NEXT_STEPS_2026-03-30.md) — consolidated integration gaps and follow-ups
- [dbis_chain_138_technical_master_plan.md](../../dbis_chain_138_technical_master_plan.md)
- [docs/00-meta/TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md)
- [docs/03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md)
- [docs/03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md)
- [docs/04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](../04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md)
- [docs/04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](../04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md)
- [docs/11-references/GITEA_HYBX_ORGANIZATION_AND_REPOS.md](../11-references/GITEA_HYBX_ORGANIZATION_AND_REPOS.md)
- [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md)
- [DBIS_MOJALOOP_INTEGRATION_STATUS.md](DBIS_MOJALOOP_INTEGRATION_STATUS.md)
- [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md)
- [DBIS_IDENTITY_COMPLETION_PACKAGE_RUNBOOK.md](DBIS_IDENTITY_COMPLETION_PACKAGE_RUNBOOK.md)
- [DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md)
- [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md)
### ISO20022Router — production acceptance (manual / G4)
Use this when moving the **ISO20022Router** row from **Partial** to **Complete** for a chosen slice.
1. **Deployed:** Router address matches `config/smart-contracts-master.json` / [ADDRESS_MATRIX_AND_STATUS.md](../11-references/ADDRESS_MATRIX_AND_STATUS.md) (`ISO20022Router`); `scripts/verify/check-contracts-on-chain-138.sh` reports bytecode present.
2. **Canonical payload:** Off-chain ISO (or SWIFT Fin) normalized per [SMART_CONTRACTS_ISO20022_FIN_METHODOLOGY.md](../04-configuration/SMART_CONTRACTS_ISO20022_FIN_METHODOLOGY.md); `instructionId` / `uetr` / `payloadHash` recorded.
3. **On-chain:** At least one successful transaction path (direct call, gateway, or relayer → router) on Chain 138 with **explorer** tx hash captured.
4. **Correlation:** A [settlement event](../../config/dbis-institutional/schemas/settlement-event.schema.json) (or equivalent sidecar log) carries the same **`correlation_id`** as OMNL / Core / RTGS references for that payment.
5. **Evidence:** Archive path meets [INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](../04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) or your jurisdictions package rules if applicable.
Automation (CI) for steps 24 is optional until the relayer and tenant sandbox are frozen; the checklist above is the **definition of done** for manual sign-off.
Reference in New Issue View Git Blame Copy Permalink