proxmox/docs/00-meta/ALL_REQUIREMENTS.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


All Requirements — Master List

Last Updated: 2026-02-05
Purpose: Single source for all project requirements. Use for compliance, traceability, and execution.
Sources: MASTER_PLAN, PHASES_AND_TASKS_MASTER, TODO_TASK_LIST_MASTER, REMAINING_WORK_DETAILED_STEPS.md, MISSING_CONTAINERS_LIST, CCIP_DEPLOYMENT_SPEC, IMPLEMENTATION_CHECKLIST, OPERATIONAL_RUNBOOKS, MASTER_SECRETS_INVENTORY, FULL_PARALLEL_EXECUTION_ORDER.


1. Foundation (Phase 0) — Done

| ID | Requirement | Source | Status |
|----|-------------|--------|--------|
| F-1 | Proxmox management accessible (ml110, r630-01, r630-02) | PHASES_AND_TASKS_MASTER | Done |
| F-2 | Edge: UDM Pro; port forward 76.53.10.36:80/443 → 192.168.11.167 (NPMplus) | DEPLOYMENT_STATUS_MASTER | Done |
| F-3 | Basic Besu containers deployed (validators, sentries, RPC per inventory) | DEPLOYMENT_STATUS_MASTER | Done |
| F-4 | config/ip-addresses.conf and .env.example present; validation passes | run-all-validation.sh | Done |

2. Security Requirements

| ID | Requirement | Source | Priority |
|----|-------------|--------|----------|
| S-1 | .env permissions: chmod 600 | IMPLEMENTATION_CHECKLIST | Required |
| S-2 | Validator key permissions: chmod 600, chown besu; use secure-validator-keys.sh | OPERATIONAL_RUNBOOKS § Phase 2 | Required |
| S-3 | SSH key-based auth; disable password (coordinate to avoid lockout) | setup-ssh-key-auth.sh | Required |
| S-4 | Firewall: restrict Proxmox API port 8006 to admin CIDR | firewall-proxmox-8006.sh | Required |
| S-5 | No real API keys in .env.example; document in MASTER_SECRETS_INVENTORY | MASTER_PLAN §3.1 | Required |
| S-6 | Rotate any exposed keys; private keys not in docs | MASTER_SECRETS_INVENTORY | Critical |
| S-7 | smom: Security audits VLT-024, ISO-024 | PHASES_AND_TASKS_MASTER | Critical |
| S-8 | smom: Bridge integrations BRG-VLT, BRG-ISO | PHASES_AND_TASKS_MASTER | High |
| S-9 | Network segmentation (VLANs): plan and migrate per NETWORK_ARCHITECTURE | IMPLEMENTATION_CHECKLIST | Optional |

3. Deployment Requirements

3.1 Missing Containers (canonical: 3 only)

| ID | Requirement | VMID | Spec | Source |
|----|-------------|------|------|--------|
| D-1 | Create besu-rpc-luis (Luis 0x1) | 2506 | 16GB, 4 CPU, 200GB; JWT required | MISSING_CONTAINERS_LIST |
| D-2 | Create besu-rpc-putu (Putu 0x8a) | 2507 | Same | MISSING_CONTAINERS_LIST |
| D-3 | Create besu-rpc-putu (Putu 0x1) | 2508 | Same | MISSING_CONTAINERS_LIST |

3.2 Phase 1 — VLAN (optional)

| ID | Requirement | Source |
|----|-------------|--------|
| D-4 | UDM Pro VLAN config | PHASES_AND_TASKS_MASTER |
| D-5 | VLAN-aware bridge on Proxmox | PHASES_AND_TASKS_MASTER |
| D-6 | Services migrated to VLANs per NETWORK_ARCHITECTURE | DEPLOYMENT_STATUS_MASTER |

3.3 Phase 2 — Observability (required)

| ID | Requirement | Source |
|----|-------------|--------|
| D-7 | Monitoring stack: Prometheus, Grafana, Loki, Alertmanager | PHASES_AND_TASKS_MASTER |
| D-8 | Prometheus scrape Besu 9545; config in config/monitoring/ | phase2-observability.sh |
| D-9 | Grafana published via Cloudflare Access | PHASES_AND_TASKS_MASTER |
| D-10 | Alerts configured (Alertmanager, email/webhook) | OPERATIONAL_RUNBOOKS § Phase 2 |

3.4 Phase 3 — CCIP Fleet (required)

| ID | Requirement | VMIDs / scope | Source |
|----|-------------|---------------|--------|
| D-11 | CCIP Ops/Admin deployed | 5400-5401 | CCIP_DEPLOYMENT_SPEC |
| D-12 | CCIP Monitoring nodes | 5402-5403 | CCIP_DEPLOYMENT_SPEC |
| D-13 | 16 Commit nodes | 5410-5425 | CCIP_DEPLOYMENT_SPEC |
| D-14 | 16 Execute nodes | 5440-5455 | CCIP_DEPLOYMENT_SPEC |
| D-15 | 7 RMN nodes | 5470-5476 | CCIP_DEPLOYMENT_SPEC |
| D-16 | NAT pools configured (blocks #2–#4 per NETWORK_ARCHITECTURE) | | CCIP_DEPLOYMENT_SPEC |
| D-17 | Env: CCIP_ETH_ROUTER, CCIP_ETH_LINK_TOKEN, ETH_MAINNET_SELECTOR (mainnet CCIP) | | ccip-deploy-checklist.sh |

3.5 Phase 4 — Sovereign Tenants (required)

| ID | Requirement | Source |
|----|-------------|--------|
| D-18 | Sovereign VLANs configured (200–203) | phase4-sovereign-tenants.sh, OPERATIONAL_RUNBOOKS |
| D-19 | Tenant isolation enforced; access control | PHASES_AND_TASKS_MASTER |
| D-20 | Block #6 egress NAT; verify tenant isolation | NETWORK_ARCHITECTURE |

4. Backup & Maintenance Requirements

| ID | Requirement | Frequency / scope | Source |
|----|-------------|-------------------|--------|
| B-1 | Automated config backup (Proxmox configs) | On demand or cron | automated-backup.sh |
| B-2 | NPMplus backup (export/config) when NPMplus up | NPM_PASSWORD; schedule-npmplus-backup-cron.sh | Wave 0 / W1-8 |
| B-3 | Backup validator keys (encrypted); 30-day retention | IMPLEMENTATION_CHECKLIST | Required |
| B-4 | Daily maintenance checks: explorer sync, RPC 2201 | Daily 08:00 | schedule-daily-weekly-cron.sh |
| B-5 | Weekly: Config API uptime, review explorer logs | Sun 09:00 | daily-weekly-checks.sh weekly |
| B-6 | Token list: validate; update as needed (token-lists/lists/dbis-138.tokenlist.json) | As needed | OPERATIONAL_RUNBOOKS [139] |

5. Configuration & Secrets Requirements

| ID | Requirement | Source |
|----|-------------|--------|
| C-1 | config/ip-addresses.conf present and sourced | validate-config-files.sh |
| C-2 | .env from .env.example; no real keys in repo | MASTER_SECRETS_INVENTORY |
| C-3 | ADMIN_CENTRAL_API_KEY, DBIS_CENTRAL_URL for portal/token-agg/multi-chain | MASTER_PLAN §9 |
| C-4 | PRIVATE_KEY (deployer) for bridge/sendCrossChain; LINK approved for fee | run-send-cross-chain.sh |
| C-5 | NPM_PASSWORD for NPMplus backup/export | backup-npmplus.sh |
| C-6 | PROXMOX_* optional for API; SSH used for host access | config validation |
| C-7 | JWT auth for RPC 2503–2508; nginx reverse proxy | CHAIN138_JWT_AUTH_REQUIREMENTS |

6. Codebase Requirements

| ID | Requirement | Component | Priority |
|----|-------------|-----------|----------|
| R-1 | Security audits VLT-024, ISO-024 | smom-dbis-138 | Critical |
| R-2 | Bridge integrations BRG-VLT, BRG-ISO | smom-dbis-138 | High |
| R-3 | CCIP AMB full implementation | smom-dbis-138 | High |
| R-4 | Vault/ISO test suites exist | smom-dbis-138 | Done |
| R-5 | deploy-vault-system.sh (VLT-010–018, ISO-009–018) | smom-dbis-138 | Done |
| R-6 | IRU remaining tasks (OFAC/sanctions/AML) | dbis_core | High |
| R-7 | TypeScript/Prisma fixes (~1186 errors) or defer | dbis_core | High |
| R-8 | REST API backend, migrations, VITE_USE_REAL_API | OMNIS | Scaffold |
| R-9 | Sankofa Phoenix SDK auth (VITE_SANKOFA_*) | OMNIS | High |
| R-10 | Placeholders: AlltraAdapter setBridgeFee; smart accounts kit; TezosRelayService; quote-service Fabric chainId | PLACEHOLDERS_AND_TBD | High |

7. Protection Layer & Admin Requirements (MASTER_PLAN)

| ID | Requirement | Target |
|----|-------------|--------|
| P-1 | Central policy and audit: permission check API, audit append/query | dbis_core Admin Central |
| P-2 | Orchestration portal: JWT + central permission + audit (replace x-admin-token) | MASTER_PLAN §2.2 |
| P-3 | Token-aggregation admin: auth + audit for admin endpoints | MASTER_PLAN §2.2 |
| P-4 | Multi-chain-execution admin: JWT or client-credentials + audit | MASTER_PLAN §2.2 |
| P-5 | Org-level panel: global identity, role matrix, central audit viewer | admin-console-frontend-plan Phase 4/6 |
| P-6 | Admin runner for scripts/MCP: identity + permission + audit log | OPERATIONAL_RUNBOOKS, MASTER_PLAN §2.4 |

8. Wave Execution Requirements

Wave 0 (gates; run from LAN when creds ready)

| ID | Requirement | Command / note |
|----|-------------|----------------|
| W0-1 | Apply NPMplus RPC fix (405) | From LAN: bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh |
| W0-2 | Execute sendCrossChain (real) | Omit --dry-run; PRIVATE_KEY, LINK approved |
| W0-3 | NPMplus backup | NPM_PASSWORD; automated-backup.sh --with-npmplus or backup-npmplus.sh |

Wave 1 (full parallel)

| ID | Requirement | Ref |
|----|-------------|-----|
| W1-1 | SSH key auth (--apply on hosts) | S-3 |
| W1-2 | Firewall 8006 (--apply) | S-4 |
| W1-5–W1-7 | Monitoring config (Prometheus, Grafana, Loki, Alertmanager) | D-7–D-10 |
| W1-8 | Backup cron: daily-weekly + NPMplus (--install when NPM_PASSWORD set) | B-1–B-5 |
| W1-11–W1-13 | Docs: consolidation, quick refs, IP matrix, runbooks | ALL_IMPROVEMENTS 68–74, 75–81 |
| W1-14–W1-17 | Codebase: dbis_core TS, smom placeholders, IRU | R-6–R-10 |
| W1-18–W1-21 | Progress indicators, validator keys, secret audit, config validation | IMPLEMENTATION_CHECKLIST |
| W1-27–W1-44 | ALL_IMPROVEMENTS 1–139 by range | ALL_IMPROVEMENTS_AND_GAPS_INDEX |

Wave 2 (infra / deploy)

| ID | Requirement | Ref |
|----|-------------|-----|
| W2-1 | Deploy monitoring stack | D-7–D-10 |
| W2-2 | Grafana + Cloudflare Access; alerts | D-9, D-10 |
| W2-3 | VLAN enablement and migration | D-4–D-6 |
| W2-4 | CCIP Ops/Admin (5400-5401); NAT; scripts | D-11–D-17 |
| W2-5 | Phase 4 sovereign VLANs | D-18–D-20 |
| W2-6 | Create missing containers 2506, 2507, 2508 | D-1–D-3 |
| W2-7 | DBIS services start; Hyperledger | DEPLOYMENT_STATUS_MASTER |
| W2-8 | NPMplus HA (Keepalived, 10234) | Optional |

Wave 3 (after Wave 2)

| ID | Requirement | Ref |
|----|-------------|-----|
| W3-1 | CCIP Fleet full deploy: commit, execute, RMN nodes | D-11–D-15 |
| W3-2 | Phase 4 tenant isolation enforcement | D-18–D-20 |

Ongoing

| ID | Requirement | Status |
|----|-------------|--------|
| O-1–O-5 | Daily/weekly checks; explorer logs; token list | Cron installed; token list validated |

9. Validation & Acceptance Requirements

| ID | Requirement | Command |
|----|-------------|---------|
| V-1 | CI / pre-deploy validation | bash scripts/verify/run-all-validation.sh [--skip-genesis] |
| V-2 | Config files | bash scripts/validation/validate-config-files.sh |
| V-3 | Full verification (DNS, UDM Pro, NPMplus, etc.) | bash scripts/verify/run-full-verification.sh |
| V-4 | E2E routing (Cloudflare domains) | bash scripts/verify/verify-end-to-end-routing.sh |
| V-5 | Backend VMs | bash scripts/verify/verify-backend-vms.sh |
| V-6 | Genesis (smom-dbis-138) | bash smom-dbis-138/scripts/validation/validate-genesis.sh |
| V-7 | Besu peers | bash scripts/besu-verify-peers.sh http://192.168.11.211:8545 |
| V-8 | CCIP deploy order and env | bash scripts/ccip/ccip-deploy-checklist.sh |

10. Optional / External Requirements

| ID | Requirement | Source |
|----|-------------|--------|
| X-1 | API keys: Li.Fi, Jumper, 1inch (API_KEYS_REQUIRED.md) | NEXT_STEPS_MASTER |
| X-2 | Paymaster deploy (smart accounts) | SMART_ACCOUNTS_DEPLOYMENT_NOTE |
| X-3 | Token-aggregation: CoinGecko/CMC submission | COINGECKO_SUBMISSION.md |
| X-4 | Explorer: dark mode, network selector, sync indicator | ALL_IMPROVEMENTS 92–105 |
| X-5 | Tezos/Etherlink CCIP (finality, routes, DON, metrics) | TEZOS_CCIP_REMAINING_ITEMS |
| X-6 | External integrations: Li.Fi, LayerZero, Wormhole, Uniswap, 1inch, MoonPay/Ramp | PHASES_AND_TASKS_MASTER |
| X-7 | Resource/network/database optimization | TODO_TASK_LIST_MASTER |

11. Requirement Index by Source

| Document | Section in this file |
|----------|----------------------|
| MASTER_PLAN.md | §2 (Protection), §7 (Wave), §3.1 (Config) |
| PHASES_AND_TASKS_MASTER.md | §2 (Security), §3 (Deployment), §6 (Codebase), §10 (Optional) |
| MISSING_CONTAINERS_LIST.md | §3.1 (D-1–D-3) |
| CCIP_DEPLOYMENT_SPEC.md | §3.4 (D-11–D-17) |
| IMPLEMENTATION_CHECKLIST.md | §2 (Security), §4 (Backup), §8 (Wave 1) |
| OPERATIONAL_RUNBOOKS.md | §2, §4, §8 |
| MASTER_SECRETS_INVENTORY.md | §5 (Configuration) |
| FULL_PARALLEL_EXECUTION_ORDER.md | §8 (Wave 0–3, Ongoing) |
| REMAINING_ITEMS_FULL_PARALLEL_LIST.md | §8 (detailed task IDs) |

Use this document to:

  • Trace requirements to source docs
  • Check off completion (update status in source docs or add a REQUIREMENTS_STATUS.md)
  • Drive compliance and runbooks
  • Onboard: one place for “what must be true” before and after deployment
