From 179798a9df5c68ad6093f5e178fc71c376ba912c Mon Sep 17 00:00:00 2001
From: defiQUG
Date: Sun, 29 Mar 2026 02:24:12 -0700
Subject: [PATCH] Add RTGS control-plane deployment scaffolding
---
dbis_chain_138_technical_master_plan.md | 2 +
...RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md | 69 ++++++++
docs/MASTER_INDEX.md | 2 +-
.../create-dbis-rtgs-control-plane-lxcs.sh | 54 +++++++
.../deploy-dbis-rtgs-control-plane.sh | 153 ++++++++++++++++++
.../verify/check-dbis-rtgs-control-plane.sh | 35 ++++
6 files changed, 314 insertions(+), 1 deletion(-)
create mode 100644 docs/03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md
create mode 100644 scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh
create mode 100644 scripts/deployment/deploy-dbis-rtgs-control-plane.sh
create mode 100644 scripts/verify/check-dbis-rtgs-control-plane.sh
diff --git a/dbis_chain_138_technical_master_plan.md b/dbis_chain_138_technical_master_plan.md
index 51752f2..9cecb8c 100644
--- a/dbis_chain_138_technical_master_plan.md
+++ b/dbis_chain_138_technical_master_plan.md
@@ -800,6 +800,8 @@ Executable counterparts in this repository:
 | RTGS FX transaction catalog | `docs/03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md` |
 | RTGS depository and custody operating model | `docs/03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md` |
 | RTGS FX and liquidity operating model | `docs/03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md` |
+| RTGS control-plane deployment checklist | `docs/03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md` |
+| RTGS control-plane deployment scripts | `scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh`, `scripts/deployment/deploy-dbis-rtgs-control-plane.sh`, `scripts/verify/check-dbis-rtgs-control-plane.sh` |
 | Indonesia / BNI E2E integration blueprint | `docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md` |
 | RTGS first-slice architecture | `docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md` |
 | RTGS first-slice deployment checklist | `docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md` |
diff --git a/docs/03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md b/docs/03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md
new file mode 100644
index 0000000..fac7eb2
--- /dev/null
+++ b/docs/03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md
@@ -0,0 +1,69 @@
+# DBIS RTGS Control Plane Deployment Checklist
+
+**Last updated:** 2026-03-29
+**Purpose:** Deployment checklist for the next RTGS control-plane services beyond the first-slice sidecars:
+
+- RTGS orchestrator
+- FX pricing / dealing engine
+- liquidity pooling and aggregation engine
+
+This checklist does not claim these services are already built. It exists so the platform can self-deploy them as soon as artifacts are available.
+
+## 1. Target components
+
+| Component | Default role | Expected health path |
+|-----------|--------------|----------------------|
+| `rtgs-orchestrator` | canonical transaction-state owner and cross-system workflow coordinator | `GET /actuator/health` |
+| `rtgs-fx-engine` | quote generation / approved-rate ingest / booking references | `GET /actuator/health` |
+| `rtgs-liquidity-engine` | funding-source selection, allocation, and adapter coordination | `GET /actuator/health` |
+
+## 2. Runtime expectations
+
+- Proxmox target host defaults to `r630-02`
+- packaging expectation: Java application JAR per service
+- runtime expectation: systemd-managed service with env file under `/etc/dbis-rtgs`
+- health expectation: local HTTP readiness on port `8080`
+
+## 3. Required inputs before deployment
+
+- built JAR for each selected control-plane service
+- OMNL / Fineract base URL and tenant/auth contract
+- Redis and persistence choices
+- per-service env vars for role-specific configuration
+- decision on target CT VMIDs and host placement
+
+## 4. Deployment sequence
+
+1. create target CTs if they do not already exist
+2. copy application artifact into `/opt/dbis-rtgs/`
+3. push env file into `/etc/dbis-rtgs/.env`
+4. install systemd unit
+5. restart service
+6. verify local health endpoint
+7. verify Fineract or downstream reachability where applicable
+
+## 5. Validation checklist
+
+- [ ] `rtgs-orchestrator` artifact is present and versioned
+- [ ] `rtgs-fx-engine` artifact is present and versioned
+- [ ] `rtgs-liquidity-engine` artifact is present and versioned
+- [ ] CT targets are chosen and reachable
+- [ ] env files are frozen for the chosen environment
+- [ ] health endpoints return `UP`
+- [ ] Fineract/downstream reachability is verified
+- [ ] operator can restart and inspect each service via systemd
+
+## 6. Scripts
+
+- [create-dbis-rtgs-control-plane-lxcs.sh](/home/intlc/projects/proxmox/scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh)
+- [deploy-dbis-rtgs-control-plane.sh](/home/intlc/projects/proxmox/scripts/deployment/deploy-dbis-rtgs-control-plane.sh)
+- [check-dbis-rtgs-control-plane.sh](/home/intlc/projects/proxmox/scripts/verify/check-dbis-rtgs-control-plane.sh)
+
+## 7. Production gate
+
+This control-plane tranche is only complete when:
+
+1. all selected services are deployed on Proxmox
+2. health checks pass
+3. their interfaces are frozen against the canonical RTGS docs
+4. at least one canonical flow uses them end to end
diff --git a/docs/MASTER_INDEX.md b/docs/MASTER_INDEX.md
index ee3d6ed..969003b 100644
--- a/docs/MASTER_INDEX.md
+++ b/docs/MASTER_INDEX.md
@@ -58,7 +58,7 @@ |------|-----------------| | **00-meta** (tasks, next steps, phases) | [00-meta/NEXT_STEPS_INDEX.md](00-meta/NEXT_STEPS_INDEX.md), [00-meta/PHASES_AND_TASKS_MASTER.md](00-meta/PHASES_AND_TASKS_MASTER.md) | | **02-architecture** | [02-architecture/](02-architecture/) — **Public sector + Phoenix catalog baseline:** [02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md); **non-goals (incl. catalog vs marketing §9):** [02-architecture/NON_GOALS.md](02-architecture/NON_GOALS.md); **DBIS Chain 138:** [dbis_chain_138_technical_master_plan.md](../dbis_chain_138_technical_master_plan.md), [02-architecture/DBIS_NODE_ROLE_MATRIX.md](02-architecture/DBIS_NODE_ROLE_MATRIX.md), [02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md](02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md) | -| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), 
[03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) | +| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** 
[03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) | | **04-configuration** | [04-configuration/README.md](04-configuration/README.md), 
[04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) | | **06-besu** | [06-besu/MASTER_INDEX.md](06-besu/MASTER_INDEX.md) | | **Testnet (2138)** | [testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md](testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md), [testnet/TESTNET_DEPLOYMENT.md](testnet/TESTNET_DEPLOYMENT.md) | diff --git a/scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh b/scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh new file mode 100644 index 0000000..bbde559 --- /dev/null +++ b/scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh 
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Create placeholder LXCs for the DBIS RTGS control plane.
+# Usage:
+# ./scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh [--dry-run]
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+TEMPLATE="${PVE_LXC_TEMPLATE:-local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst}"
+STORAGE="${PVE_STORAGE:-local-lvm}"
+BRIDGE="${PVE_BRIDGE:-vmbr0}"
+GATEWAY="${PVE_GATEWAY:-192.168.11.1}"
+
+DRY_RUN=false
+if [[ "${1:-}" == "--dry-run" ]]; then
+ DRY_RUN=true
+fi
+
+LXCS=(
+ "${RTGS_ORCH_VMID:-5805} ${RTGS_ORCH_HOSTNAME:-rtgs-orchestrator-1} ${RTGS_ORCH_IP:-192.168.11.93} 4096 2 24"
+ "${RTGS_FX_VMID:-5806} ${RTGS_FX_HOSTNAME:-rtgs-fx-1} ${RTGS_FX_IP:-192.168.11.94} 4096 2 24"
+ "${RTGS_LIQ_VMID:-5807} ${RTGS_LIQ_HOSTNAME:-rtgs-liquidity-1} ${RTGS_LIQ_IP:-192.168.11.95} 4096 2 24"
+)
+
+run_remote() {
+ local cmd="$1"
+ if $DRY_RUN; then
+ echo "[DRY-RUN] $cmd"
+ else
+ ssh $SSH_OPTS "root@$HOST" "$cmd"
+ fi
+}
+
+echo "=== DBIS RTGS control-plane LXCs ==="
+echo "Host: $HOST"
+echo "Template: $TEMPLATE"
+echo
+
+for spec in "${LXCS[@]}"; do
+ read -r vmid hostname ip memory cores disk <<<"$spec"
+ cmd="pct create $vmid $TEMPLATE \
+ --hostname $hostname \
+ --cores $cores \
+ --memory $memory \
+ --rootfs ${STORAGE}:${disk} \
+ --net0 name=eth0,bridge=${BRIDGE},gw=${GATEWAY},ip=${ip}/24 \
+ --onboot 1 \
+ --unprivileged 1 \
+ --features nesting=1 \
+ --password \$(openssl rand -base64 18) \
+ --description 'DBIS RTGS control-plane LXC ($hostname)'"
+ run_remote "$cmd"
+done
diff --git a/scripts/deployment/deploy-dbis-rtgs-control-plane.sh b/scripts/deployment/deploy-dbis-rtgs-control-plane.sh
new file mode 100644
index 0000000..a5e790c
--- /dev/null
+++ b/scripts/deployment/deploy-dbis-rtgs-control-plane.sh
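Review bot: In create-dbis-rtgs-control-plane-lxcs.sh, the `--password \$(openssl rand -base64 18)` argument is expanded on the Proxmox host and handed to `pct create` on its command line, so the generated root password is visible in the host's process list while the command runs, and it is never recorded, so nobody can use it afterwards. If the goal is only to avoid a known password, drop `--password` and provision access with `--ssh-public-keys <path-to-pubkey>`, or rely on `pct exec`/`pct enter` from the host. The loop also has no existence check, so under `set -e` the first VMID that already exists aborts the run, while the checklist describes creating CTs "if they do not already exist"; a guard such as `pct status $vmid >/dev/null 2>&1 || pct create …` in the remote command would make the script re-runnable. `StrictHostKeyChecking=accept-new` in `SSH_OPTS` (also set in deploy-dbis-rtgs-control-plane.sh) trusts whatever key the host presents on first contact for a root session; pinning the hypervisor's host key in `known_hosts` beforehand is the safer default.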
@@ -0,0 +1,153 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Deploy the DBIS RTGS control-plane services when artifacts are available. +# Usage: +# ./scripts/deployment/deploy-dbis-rtgs-control-plane.sh [--dry-run] + +HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}" +SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new" + +ORCH_VMID="${RTGS_ORCH_VMID:-5805}" +FX_VMID="${RTGS_FX_VMID:-5806}" +LIQ_VMID="${RTGS_LIQ_VMID:-5807}" + +ORCH_JAR="${RTGS_ORCH_JAR:-}" +FX_JAR="${RTGS_FX_JAR:-}" +LIQ_JAR="${RTGS_LIQ_JAR:-}" + +OMNL_BASE_URL="${OMNL_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}" +OMNL_TENANT="${OMNL_FINERACT_TENANT:-omnl}" +OMNL_USER="${OMNL_FINERACT_USER:-}" +OMNL_PASSWORD="${OMNL_FINERACT_PASSWORD:-}" + +DRY_RUN=false +if [[ "${1:-}" == "--dry-run" ]]; then + DRY_RUN=true +fi + +run_remote() { + local vmid="$1" + local cmd="$2" + if $DRY_RUN; then + echo "[DRY-RUN][CT $vmid] $cmd" + else + ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc $(printf '%q' "$cmd")" + fi +} + +push_file() { + local vmid="$1" + local src="$2" + local dest="$3" + if $DRY_RUN; then + echo "[DRY-RUN][CT $vmid] copy $src -> $dest" + else + ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- mkdir -p $(dirname "$dest")" + ssh $SSH_OPTS "root@$HOST" "cat > /tmp/$(basename "$dest")" < "$src" + ssh $SSH_OPTS "root@$HOST" "pct push $vmid /tmp/$(basename "$dest") $dest >/dev/null && rm -f /tmp/$(basename "$dest")" + fi +} + +setup_base_runtime() { + local vmid="$1" + run_remote "$vmid" "export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y openjdk-21-jre-headless redis-server curl ca-certificates" + run_remote "$vmid" "systemctl enable redis-server --now" +} + +require_artifact() { + local label="$1" + local path="$2" + if [[ -z "$path" ]]; then + echo "Missing ${label}: set the corresponding RTGS_*_JAR env var." >&2 + exit 1 + fi + if [[ ! 
-f "$path" ]]; then + echo "Missing ${label} artifact: $path" >&2 + exit 1 + fi +} + +deploy_service() { + local vmid="$1" + local service_name="$2" + local jar_path="$3" + local env_path="$4" + local env_content="$5" + local workdir="/opt/dbis-rtgs/${service_name}" + local unitfile + + setup_base_runtime "$vmid" + push_file "$vmid" "$jar_path" "${workdir}/${service_name}.jar" + + local env_tmp + env_tmp="$(mktemp)" + cat > "$env_tmp" <<<"$env_content" + push_file "$vmid" "$env_tmp" "$env_path" + rm -f "$env_tmp" + + unitfile="$(mktemp)" + cat > "$unitfile" < ' "$vmid" + ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'curl -s -o /tmp/fineract.out -w \"%{http_code}\" http://192.168.11.85:8080/fineract-provider/api/v1/offices'" + echo +done
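Review bot: `push_file` in deploy-dbis-rtgs-control-plane.sh stages every file on the Proxmox host at the predictable path `/tmp/$(basename "$dest")`, written as root with the default umask, and `deploy_service` sends the service env file through it, which presumably carries `OMNL_FINERACT_PASSWORD` (the env content is built outside the visible lines). A fixed name in a world-writable directory can be pre-created or symlinked by another local user, the staged copy may be readable by others until it is removed, and because `rm -f` is chained with `&&` the copy is left behind whenever `pct push` fails. Staging through a remote `mktemp` file (created with mode 0600) and removing it unconditionally addresses all three, and the env file push could additionally pass `--perms 0600`. The default `OMNL_FINERACT_BASE_URL` is plain `http://`, so those credentials would cross the network unencrypted unless it is overridden. The text of this hunk is damaged after `cat > "$unitfile"` on this page, so the unit file and the verify script are not covered by this note.

```shell
push_file() {
  # … unchanged: argument locals, --dry-run branch, mkdir -p of the destination directory …
    local remote_tmp
    # mktemp picks an unpredictable name and creates the file with mode 0600
    remote_tmp="$(ssh $SSH_OPTS "root@$HOST" 'mktemp /tmp/rtgs-push.XXXXXX')"
    ssh $SSH_OPTS "root@$HOST" "cat > $remote_tmp" < "$src"
    # remove the staged copy whether or not the push succeeds, then report the push status
    ssh $SSH_OPTS "root@$HOST" \
      "pct push $vmid $remote_tmp $dest >/dev/null; rc=\$?; rm -f $remote_tmp; exit \$rc"
```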