proxmox/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md

DBIS RTGS Canonical Production Checklist

Last updated: 2026-03-29
Purpose: Canonical production-readiness checklist for the full DBIS RTGS stack across Chain 138, OMNL / Fineract, HYBX sidecars, Indonesia / BNI banking flows, and optional Hyperledger identity and interoperability layers.

Status guidance

• Use Complete only for production-capable roles that are implemented and verified.
• Use Partial when a slice exists or works narrowly, but is not yet enough for full production use.
• Use Planned for intentionally in-scope components not yet deployed or validated.
• Use Reserved placeholder for inventory that exists but is not an active workload.
• Use Retired / standby for inventory that is intentionally inactive until rebuilt.

Canonical checklist

Component	Current state	Required integration	Remaining task	Owner	Production gate
Chain 138 Besu validator / sentry / RPC baseline	Complete. Validator, sentry, core, public, and named RPC tiers are live and script-verified.	Ongoing RPC, validator, and public wallet/explorer compatibility only.	Maintain health, peer spread, fee support, and public RPC method coverage.	DBIS / infra ops	Public and core RPC healthy, head spread 0, peer counts healthy, wallet/explorer-required methods working.
Explorer / Blockscout	Complete. Explorer routes, APIs, token metadata, and RPC capability metadata are live.	Ongoing explorer API, token metadata, and wallet metadata compatibility.	Maintain explorer health, indexing freshness, metadata accuracy, and route stability.	DBIS / explorer ops	Explorer routes, APIs, and metadata remain healthy and consistent with Chain 138 runtime.
FireFly primary 6200	Partial. Restored as a minimal local FireFly API footprint, not yet a proven multiparty production workflow engine.	FireFly event/orchestration model, sidecar and banking workflow correlation, and HA strategy.	Define event model, validate orchestration role, and decide whether FireFly is mandatory in slice 1.	DBIS workflow / infra ops	API healthy, config preserved, orchestration role defined, and real cross-system workflow validated.
FireFly secondary 6201	Retired / standby. Inventory exists, but current rootfs does not contain a valid deployment payload.	Rebuild contract for a real secondary FireFly node if HA is required.	Either rebuild as a true secondary and validate failover, or keep explicitly retired in all architecture claims.	DBIS workflow / infra ops	Either rebuilt and verified as a real secondary, or formally excluded from active-stack claims.
Fabric 6000-6002	Partial. Primary 6000 runs a validated sample network; 6001 and 6002 remain reserved placeholder inventory.	Actual Fabric peer/orderer deployment model if Fabric is required by the RTGS target architecture.	Decide whether the current sample topology evolves into a production role or remains a validated sidecar DLT only.	DBIS architecture / infra ops	If Fabric stays in scope, the intended role-specific workloads are deployed and validated; otherwise placeholders stay explicitly non-production.
Indy 6400-6402	Partial. Primary 6400 runs a validated four-node local pool; 6401 and 6402 remain reserved placeholder inventory.	Actual Indy validator / identity runtime only if Indy is required by the RTGS target architecture.	Decide whether the current pool is the canonical identity-ledger base and validate the role if it remains in scope.	DBIS architecture / infra ops	If Indy stays in scope, the intended identity-ledger role is documented and validated; otherwise placeholders stay explicitly non-production.
Aries	Partial. Primary 6500 now runs a deployed ACA-Py agent, but no RTGS credential-exchange flow is yet validated.	Identity-agent model, DID/wallet strategy, and credential-exchange role in RTGS workflows.	Freeze scope for production slice 1 and, if retained, validate one real agent-to-agent or institution-facing flow.	Identity architecture lead	Scope decision is frozen, and if in scope the deployed agent model and flows are validated.
AnonCreds	Partial. The deployed ACA-Py runtime now uses askar-anoncreds, but issuer / holder / verifier lifecycle is not yet validated end to end.	Issuer / holder / verifier model and credential lifecycle.	Freeze schema, credential-definition, and verification flow if the feature remains in scope.	Identity architecture lead	Scope decision is frozen, and if in scope the credential lifecycle is validated end to end.
Ursa	Partial. No separate operator-managed daemon is evidenced; the current cryptographic path is indirect through the deployed ACA-Py / AnonCreds runtime.	Cryptographic runtime role, library dependency model, and operational controls.	Decide whether Ursa must ever be managed directly or remains an indirect dependency only.	Identity / cryptography architecture lead	Scope decision is frozen, and if in scope the cryptographic dependency model is documented and validated.
Cacti	Partial. Primary 5200 is now proven as a live Besu-facing interoperability gateway, but no production cross-ledger contract is frozen.	Cross-ledger interoperability contract and deployment model.	Decide whether Cacti is needed for production slice 1 and, if retained, validate the real cross-ledger path.	Interoperability architecture lead	Scope decision is frozen, and if in scope the live interoperability path is deployed and tested.
Caliper	Partial. Primary 6600 now hosts a live upstream Caliper workspace with the Besu 1.4 binding, but no approved benchmark profile has been executed.	Benchmark workload definitions for RTGS and Chain 138 settlement paths.	Add approved workload profiles and execute the accepted read / write benchmark set.	Performance / QA lead	Benchmark harness exists and approved RTGS workloads have been executed and recorded.
OMNL / Fineract API rail	Partial. Live tenant and authenticated posting path are now proven, but the canonical RTGS operator rail is not fully frozen.	Stable OMNL tenant/auth contract, operator flow, office/GL mapping, and reconciliation package path.	Freeze tenant, operator runbook, participant model, and reproducible OMNL settlement rail.	OMNL / banking ops	Office / GL / JE / snapshot / package flow runs cleanly and repeatably against the intended live tenant.
Mifos X frontend / Fineract tenant	Partial. Runtime is live and sidecars can authenticate, but production operator model is not fully frozen.	Stable UI/API tenant contract, secrets, and operator procedures.	Finalize tenant/auth, operator usage, and runbook completeness.	OMNL / banking ops	UI/API healthy, tenant/auth stable, and operator procedures are complete and repeatable.
HYBX participant / office / treasury model	Planned. Participant, office, reserve, settlement, and treasury roles are not yet frozen end to end.	OMNL participant model, office mappings, GL mappings, and treasury structure.	Freeze participant classes, office IDs, treasury accounts, and nostro/vostro model.	Banking architecture lead	Participant, treasury, reserve, and GL structures are documented, accepted, and used by the canonical rail.
Depository / CSD layer	Planned. No dedicated depository or CSD runtime and no frozen asset-register model are yet evidenced in the current RTGS stack.	Securities ownership model, settlement-finality link, asset register, and participant/custody relationships.	Define whether the depository role is on-ledger, off-ledger, or hybrid; freeze issuance, transfer, pledge, and settlement-touch points.	Securities / market-infrastructure architecture lead	Depository role, participant model, and settlement interaction are documented and validated in at least one canonical asset flow.
Global custodian layer	Planned. No explicit global custodian runtime, account model, or reporting path is yet frozen in repo-backed state.	Correspondent banks, global custodians, safekeeping accounts, corporate-action handling, and asset-servicing obligations.	Define the custody operating model, account structure, reporting obligations, and reconciliation with OMNL and RTGS settlement.	Custody / institutional banking integration lead	Custody account model, reconciliation path, and reporting obligations are frozen and tested in a canonical custody flow.
FX pricing / dealing engine	Planned. FX flow requirements are documented, but no single pricing/dealing engine contract is yet frozen as the production source of rates and booking rules.	Treasury policy, rate sources, quote locking, spreads, value dates, and gain/loss accounting.	Freeze the pricing hierarchy, quote lifecycle, booking rules, and integration into OMNL and sidecars.	FX / treasury architecture lead	One canonical FX transaction runs with frozen pricing inputs, accounting, and reconciliation.
Liquidity pooling and aggregation engine	Planned. Liquidity sourcing is implied across treasury and correspondent flows, but no explicit pooling/aggregation engine is yet modeled as a production component.	Treasury policy, reserve policy, liquidity providers, internal pools, external bank lines, and optional on-chain liquidity.	Define source prioritization, eligibility rules, allocation logic, and operator controls.	Liquidity architecture lead	Liquidity sourcing logic is documented and one canonical funding decision path is validated.
Liquidity source adapters	Planned. No source-by-source adapter contract has been frozen for bank lines, treasury pools, correspondent banks, or optional on-chain liquidity.	Bank lines, correspondent banks, internal treasury pools, optional on-chain pools, and optional sidecar/provider adapters.	Enumerate source families and define one adapter contract per source class.	Treasury / integrations lead	Each in-scope liquidity source class has a defined adapter contract and at least the mandatory sources are validated.
Custody / safekeeping / asset servicing flow	Planned. Custody, safekeeping, and servicing obligations are referenced indirectly through settlement and correspondent flows, but not yet modeled as one canonical lifecycle.	Depository, custodian, participant accounts, statements, corporate actions, holdings reconciliation, and evidence path.	Define the canonical lifecycle for safekeeping, transfer, servicing, and statement production.	Custody operations / product architecture lead	One end-to-end custody lifecycle is documented and validated with reconciliation/evidence output.
Mojaloop integration	Planned. No live Mojaloop switch endpoint/auth/callback contract is yet evidenced here.	Mojaloop quote, transfer, callback, and settlement-window contract.	Document live Mojaloop endpoints/auth and integrate them if Mojaloop remains in scope.	Payments interoperability lead	Endpoint/auth contract is frozen and quote/transfer/callback/settlement behavior is validated.
HYBX sidecar layer	Partial. Sidecar families are known, and first-slice sidecars are deployed, but full boundaries and ownership are not yet frozen.	Sidecar-by-sidecar ingress/egress, retries, auth, and system-of-record ownership.	Freeze sidecar boundaries, orchestration model, and canonical RTGS event path.	HYBX app / integration lead	Sidecar purposes, auth, retries, and system-of-record ownership are documented and validated.
mifos-fineract-sidecar	Partial. Deployed on Proxmox, healthy, and has completed an authenticated live OMNL posting.	OMNL/Fineract tenant contract and downstream settlement/evidence path.	Extend validation from posting success to the full settlement/evidence path.	HYBX integration lead	Sidecar API and event flow documented, and at least one authenticated live transfer completes through downstream settlement/evidence.
server-funds-sidecar	Partial. Deployed on Proxmox and healthy, but treasury/system-of-record boundaries are not yet frozen.	OMNL treasury/funding orchestration contract and participant model.	Freeze whether it is mandatory in the first RTGS slice and validate its business flow.	HYBX integration lead	Treasury/funding role is defined and a real authenticated business flow is validated.
off-ledger-2-on-ledger-sidecar	Partial. Deployed on Proxmox, healthy, and able to drive the first Chain 138 settlement leg with safe pending-anchor degradation.	Canonical off-ledger event source, OMNL/Fineract posting contract, and Chain 138 settlement finality path.	Freeze the canonical off-ledger source event and complete final receipt/finality handling.	HYBX integration lead	Off-ledger event to Chain 138 settlement is frozen and tested end to end with durable evidence output.
mt103-hardcopy-sidecar	Partial. Known sidecar, but not yet tied into the canonical RTGS path.	MT103 ingest, bank-message archive, and settlement/evidence mapping.	Decide whether it is in scope and, if yes, integrate MT103 ingest into the canonical RTGS flow.	HYBX integration lead	MT103 ingestion path is documented, integrated, and tested if in scope.
securitization-engine-sidecar	Partial. Known sidecar, but regulatory/accounting role in RTGS is not yet frozen.	Accounting, collateral, and reporting responsibilities in the RTGS operating model.	Define whether it participates in RTGS slice 1 and validate the required role if so.	HYBX integration lead	Its RTGS responsibility is either validated or explicitly out of scope.
card-networks-sidecar	Partial. Known sidecar, but not yet placed in the RTGS path.	Card-network settlement role only if card rails are included in scope.	Include only if card settlement is part of production scope; otherwise keep it out of the canonical path.	HYBX integration lead	Scope decision is frozen, and if included the settlement path is validated.
securities-sidecar	Partial. Known sidecar with runnable application shape, but its depository/custody placement in the RTGS architecture is not yet frozen.	Instrument resolution, securities instructions, settlement events, and position reconciliation linked to the depository/custody operating model.	Freeze whether it is the runtime boundary for depository/custody flows and validate one canonical securities/custody path if so.	HYBX integration lead	Scope decision is frozen, and if included one canonical securities or custody flow is validated.
flash-loan-xau-sidecar	Planned. Runnable sidecar exists locally, but its role in the RTGS production path is still specialized and optional.	XAU-specific liquidity, conversion, and settlement logic only if retained as part of the target architecture.	Decide whether it remains a specialized liquidity extension or enters the canonical RTGS path; validate if retained.	HYBX integration lead	Scope decision is frozen, and if included the XAU liquidity path is validated end to end.
Chain 138 settlement contracts	Partial. Contract families exist, but the exact RTGS contract path is not yet frozen as one canonical settlement lane.	Final contract path between OMNL-side events and on-chain settlement evidence.	Freeze the exact contract set and document how each business flow reaches Chain 138.	Chain 138 / settlement lead	Final contract set is frozen, deployed addresses are accepted, and the path is tested end to end.
MerchantSettlementRegistry	Partial. Available contract family, but exact placement in the canonical RTGS flow is not yet frozen.	RTGS settlement workflow and evidence mapping.	Decide exactly when and how the registry is invoked in RTGS settlement.	Chain 138 / settlement lead	Registry path is integrated into the business flow with verified inputs and outputs.
WithdrawalEscrow	Partial. Available contract family, but exact placement in RTGS withdrawal scenarios is not yet frozen.	Withdrawal / release / payout semantics in the RTGS model.	Freeze the escrow role for settlement and withdrawal scenarios.	Chain 138 / settlement lead	Escrow flow is validated in the chosen settlement and withdrawal scenarios.
DBIS / compliant settlement tokens	Partial. Candidate instruments exist, but the final RTGS instrument set is not yet frozen by use case.	Monetary architecture, reserve rules, mint/burn policy, and reconciliation policy.	Select the final RTGS instruments and freeze their control and reconciliation model.	Chain 138 / monetary architecture lead	Final instrument selection, reserve rules, and reconciliation path are documented and validated.
Reserve / oracle dependencies	Partial. Reserve and oracle systems exist, but the RTGS-specific dependency mapping is not yet frozen.	RTGS dependency model for reserve attestations, price references, and control policy.	Freeze which reserve/oracle controls are required for RTGS settlement and FX support.	Monetary controls lead	RTGS reserve/oracle dependencies are documented, accepted, and operational.
FireFly / sidecar / chain event model	Planned. No single canonical correlation and retry model is yet frozen.	Shared IDs, correlation, retry, compensating actions, and event archive policy.	Define one canonical event model across OMNL, sidecars, and Chain 138.	Workflow architecture lead	Event catalog, IDs, retries, and compensating actions are defined and validated.
ISO 20022 evidence and vault path	Partial. Evidence standard exists, but full institution-ready production completion is not yet frozen.	ISO 20022 archive, manifest, vaulting, and hash anchoring contract.	Complete ISO evidence packaging and archive references for the RTGS path.	Regulatory / compliance lead	ISO manifests, hashes, archive references, and legal evidence path are complete and reproducible.
Institutional 4.995 package path	Partial. Package standards and scripts exist, but real institution submission-grade completion is not yet frozen.	Institutional attestation, submission package, and strict readiness contract.	Complete the evidence path with real institution-ready materials and --strict readiness.	Regulatory / compliance lead	--strict readiness passes with real institution materials and reproducible evidence output.
Indonesia / BNI domestic banking path	Planned. Blueprint exists, but live BNI endpoint/auth/message contract is not yet evidenced.	BNI institution profile, domestic route definition, auth, account validation, and reporting obligations.	Freeze the BNI-connected route and message/auth contract for production.	Indonesia banking integration lead	Live BNI contract is documented, validated, and used in the canonical Indonesia payment flow.
Global correspondent / liquidity bank path	Planned. Blueprint exists, but live correspondent endpoint/auth/message contract is not yet evidenced.	SWIFT / ISO / correspondent-bank endpoint, auth, nostro/vostro, and confirmation contract.	Freeze the correspondent-bank route and integrate it with OMNL, sidecars, and reconciliation.	Cross-border banking integration lead	Live correspondent contract is documented and a real cross-border flow is validated.
RTGS production gate	Planned. The gate exists conceptually, but not all mandatory lanes are green yet.	All mandatory banking, sidecar, settlement, evidence, and external-bank integrations for the chosen production architecture.	Turn all mandatory rows for the chosen production architecture to Complete.	DBIS program owner	All mandatory checklist rows for the chosen RTGS production architecture are Complete.

Immediate execution priority

1. Freeze the canonical banking rail on the now-proven OMNL tenant/auth path.
2. Freeze the participant / treasury / GL model plus the depository, custody, FX, and liquidity-control layers.
3. Complete the canonical settlement path from HYBX sidecars into Chain 138 and evidence output.

Related artifacts

• OMNL_DBIS_CORE_CHAIN138_SMART_VAULT_RTGS_RUNBOOK.md — OMNL, DBIS Core, Smart Vault, RTGS, settlement events, ISO/DID/correlation
• docs/00-meta/INTEGRATION_GAPS_AND_NEXT_STEPS_2026-03-30.md — consolidated integration gaps and follow-ups
• dbis_chain_138_technical_master_plan.md
• docs/00-meta/TODO_TASK_LIST_MASTER.md
• docs/03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md
• docs/03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md
• docs/04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md
• docs/04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md
• docs/11-references/GITEA_HYBX_ORGANIZATION_AND_REPOS.md
• DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md
• DBIS_MOJALOOP_INTEGRATION_STATUS.md
• DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md
• DBIS_IDENTITY_COMPLETION_PACKAGE_RUNBOOK.md
• DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md
• DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md

ISO20022Router — production acceptance (manual / G4)

Use this when moving the ISO20022Router row from Partial to Complete for a chosen slice.

1. Deployed: Router address matches config/smart-contracts-master.json / ADDRESS_MATRIX_AND_STATUS.md (ISO20022Router); scripts/verify/check-contracts-on-chain-138.sh reports bytecode present.
2. Canonical payload: Off-chain ISO (or SWIFT Fin) normalized per SMART_CONTRACTS_ISO20022_FIN_METHODOLOGY.md; instructionId / uetr / payloadHash recorded.
3. On-chain: At least one successful transaction path (direct call, gateway, or relayer → router) on Chain 138 with explorer tx hash captured.
4. Correlation: A settlement event (or equivalent sidecar log) carries the same correlation_id as OMNL / Core / RTGS references for that payment.
5. Evidence: Archive path meets INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md or your jurisdiction’s package rules if applicable.

Automation (CI) for steps 2–4 is optional until the relayer and tenant sandbox are frozen; the checklist above is the definition of done for manual sign-off.