d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add RTGS depository custody FX and liquidity layers
All checks were successful
Deploy to Phoenix / deploy (push) Successful in 5s
Details

Browse Source
This commit is contained in:
defiQUG
2026-03-29 02:10:40 -07:00
parent 5618f95426
commit 1b74070674
5 changed files with 471 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

324
dbis_chain_138_technical_master_plan.md
View File

@@ -269,6 +269,328 @@ Use FireFly as the workflow layer only after:
- [docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md)
- [docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md)
## 11.1 Depository / CSD architecture
### Current state
- A dedicated depository / central securities depository runtime is not currently evidenced as deployed in this environment.
- The depository role is still implied inside broader settlement, securities, and custody discussions rather than frozen as a first-class production component.
- The canonical production checklist row is:
- [Depository / CSD layer](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
### Target role
- maintain the authoritative asset register for in-scope instruments
- define issuance, transfer, pledge, and lien semantics
- provide the settlement-touch point between asset ownership and RTGS finality
### Required integrations
- OMNL / Fineract participant and account model
- custody and safekeeping lifecycle
- Chain 138 settlement and evidence path where on-ledger finality is in scope
- external statements, reconciliation, and regulatory evidence outputs
### Current gaps
- No frozen decision yet on whether the depository role is on-ledger, off-ledger, or hybrid.
- No participant-to-asset-register relationship is yet frozen for custody, pledge, and transfer scenarios.
### Execution artifacts
- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md)
### System flow
```mermaid
flowchart LR
OMNL["OMNL / Fineract"] -->|"participant + account context"| CSD["Depository / CSD"]
CSD -->|"asset ownership + settlement touch"| RTGS["RTGS Orchestrator"]
RTGS -->|"cash settlement leg"| BANK["Bank / Correspondent Rail"]
RTGS -->|"optional finality evidence"| CHAIN["Chain 138 Settlement"]
CSD -->|"holdings + entitlements"| CUSTODY["Custody / Safekeeping"]
CUSTODY -->|"statements + evidence"| EVIDENCE["Audit / Reconciliation Package"]
```
### Contract — Depository asset-register and settlement-touch
- Owning subsystem: Depository / CSD layer
- Required integrations: participant model, custody model, settlement orchestration, reconciliation/evidence
- Canonical business object or event: asset position, transfer instruction, pledge/release instruction
- Reconciliation / evidence requirement: holdings register must reconcile to settlement state and custody reporting
- Production completion condition: one canonical asset flow proves issuance/transfer/settlement-touch behavior end to end
## 11.2 Global custodian architecture
### Current state
- No explicit global custodian runtime or operating model is currently evidenced as active in the repo-backed deployment state.
- Custodian responsibilities are currently implied through correspondent-bank and safekeeping language, not frozen as one production role.
- The canonical production checklist row is:
- [Global custodian layer](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
### Target role
- manage safekeeping accounts and sub-custody relationships
- coordinate global bank, correspondent, and asset-servicing obligations
- provide statement, confirmation, and reconciliation surfaces for institutional holdings
### Required integrations
- depository / CSD role
- correspondent and global-bank messaging lanes
- custody / safekeeping / asset-servicing lifecycle
- OMNL and RTGS reconciliation packages
### Current gaps
- No frozen custody account structure or reporting model exists yet.
- Corporate-action, entitlement, and asset-servicing obligations are not yet mapped into the RTGS program.
### Execution artifacts
- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md)
### Contract — Global custodian account, reporting, and reconciliation
- Owning subsystem: Global custodian layer
- Required integrations: correspondent/global-bank path, depository role, custody operations, evidence package
- Canonical business object or event: custody account statement, holdings advice, settlement confirmation
- Reconciliation / evidence requirement: custodian statements must reconcile to OMNL and settlement state
- Production completion condition: one canonical custody flow includes account structure, reporting, and reconciliation outputs
## 11.3 FX pricing and dealing architecture
### Current state
- FX pricing, valuation, and revaluation requirements are documented, but no single production pricing/dealing engine contract is yet frozen.
- Existing materials prove the need for FX handling, not a finalized runtime ownership model.
- The canonical production checklist row is:
- [FX pricing / dealing engine](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
### Target role
- own quote generation or ingestion
- apply spread and pricing policy
- lock rates, value dates, and booking terms
- feed OMNL, treasury, and settlement services with the approved FX terms
### Required integrations
- treasury policy and limits
- participant / office / GL model
- `server-funds-sidecar` and `off-ledger-2-on-ledger-sidecar`
- reconciliation and evidence path
### Current gaps
- No frozen source hierarchy yet for rates, triangulation, and overrides.
- No canonical quote lifecycle is yet mapped from request to booking to reconciliation.
### Execution artifacts
- [docs/03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](docs/03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md)
- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md)
### Sequence diagram
```mermaid
sequenceDiagram
participant Client as Initiating System
participant ORCH as RTGS Orchestrator
participant FX as FX Pricing / Dealing Engine
participant TREASURY as Treasury / Funds
participant OMNL as OMNL / Fineract
participant SETTLE as Settlement Service
Client->>ORCH: FX-backed payment request
ORCH->>FX: Quote request with currencies, amount, value date
FX-->>ORCH: Locked quote, spread, rate source, expiry
ORCH->>TREASURY: Liquidity and approval check
TREASURY-->>ORCH: Funding approval / rejection
ORCH->>OMNL: Post booked FX and settlement journals
OMNL-->>ORCH: Accounting confirmation
ORCH->>SETTLE: Trigger settlement leg with FX references
SETTLE-->>ORCH: Settlement reference and finality state
```
### Contract — FX quote, pricing, and booking
- Owning subsystem: FX pricing / dealing engine
- Required integrations: treasury, OMNL, sidecars, settlement, reconciliation
- Canonical business object or event: FX quote, booked FX instruction, revaluation event
- Reconciliation / evidence requirement: rate source, booked rate, and realized/unrealized P&L must reconcile
- Production completion condition: one canonical FX transaction completes with frozen inputs, accounting, and reconciliation
## 11.4 Liquidity pooling and aggregation architecture
### Current state
- Liquidity and prefunding checks are documented, but no explicit pooling/aggregation engine is yet modeled as a first-class production component.
- Liquidity sourcing is currently spread across treasury, correspondent, and optional on-chain discussions.
- The canonical production checklist row is:
- [Liquidity pooling and aggregation engine](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
### Target role
- evaluate available liquidity sources
- apply prioritization and eligibility policy
- allocate funding across internal and external sources
- expose operator controls for override, hold, and audit
### Required integrations
- treasury account model
- reserve policy
- bank and correspondent source adapters
- optional on-chain liquidity and settlement lanes
### Current gaps
- No source-priority model is yet frozen.
- No operator control model is yet defined for overrides, holds, or emergency liquidity routing.
### Execution artifacts
- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md)
### Flowchart
```mermaid
flowchart LR
REQUEST["Funding Request"] --> ENGINE["Liquidity Pooling / Aggregation Engine"]
ENGINE --> INTERNAL["Internal Treasury Pool"]
ENGINE --> BANKLINES["Bank Credit / Liquidity Lines"]
ENGINE --> CORR["Correspondent / Global Bank Sources"]
ENGINE --> ONCHAIN["Optional On-Chain Liquidity"]
INTERNAL --> DECISION["Funding Decision"]
BANKLINES --> DECISION
CORR --> DECISION
ONCHAIN --> DECISION
DECISION --> ORCH["RTGS Orchestrator"]
ORCH --> OMNL["OMNL / Fineract"]
```
### Contract — Liquidity-engine source selection and allocation
- Owning subsystem: Liquidity pooling and aggregation engine
- Required integrations: treasury policy, source adapters, RTGS orchestrator, OMNL
- Canonical business object or event: funding request, allocation decision, liquidity hold/release
- Reconciliation / evidence requirement: chosen source and allocation rationale must be reconstructible
- Production completion condition: one canonical funding decision path is documented and validated
## 11.5 Liquidity source adapter model
### Current state
- Source classes are referenced in treasury and correspondent-bank materials, but no canonical adapter model is yet frozen for each source family.
- The canonical production checklist row is:
- [Liquidity source adapters](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
### Target role
- normalize access to internal treasury pools, bank lines, correspondent banks, and optional on-chain liquidity
- hide transport/auth differences behind one adapter family
- return funding availability, hold, release, and confirmation events into the liquidity engine
### Required integrations
- liquidity pooling and aggregation engine
- correspondent-bank and global-bank rails
- treasury controls and operator policies
- optional Chain 138 or sidecar/provider adapters
### Current gaps
- No adapter catalog yet exists for source families.
- No required minimum adapter contract is yet documented.
### Execution artifacts
- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md)
### Contract — Liquidity source adapter
- Owning subsystem: Treasury / integrations layer
- Required integrations: liquidity engine, bank/correspondent paths, treasury controls
- Canonical business object or event: liquidity quote, hold confirmation, release confirmation, failure reason
- Reconciliation / evidence requirement: source selection and adapter result must be linked to the settlement package
- Production completion condition: each in-scope source class has a defined adapter contract and mandatory sources are validated
## 11.6 Custody / safekeeping / asset servicing architecture
### Current state
- Custody and safekeeping obligations are referenced implicitly in correspondent-bank, securities, and evidence discussions, but not yet frozen as one canonical lifecycle.
- The canonical production checklist row is:
- [Custody / safekeeping / asset servicing flow](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
### Target role
- manage safekeeping, transfer, entitlement, and servicing lifecycles
- bind depository positions, custodian reporting, and settlement state into one auditable trail
- produce holdings, statements, and servicing evidence for institutional participants
### Required integrations
- depository / CSD layer
- global custodian layer
- OMNL participant and account model
- RTGS settlement and evidence package
### Current gaps
- No canonical custody lifecycle is yet frozen.
- Corporate-action, entitlement, and servicing events are not yet mapped into reconciliation artifacts.
### Execution artifacts
- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md)
### Sequence and state view
```mermaid
sequenceDiagram
participant DEP as Depository / CSD
participant CUST as Custodian
participant ORCH as RTGS Orchestrator
participant OMNL as OMNL / Fineract
participant EVIDENCE as Evidence Package
DEP->>CUST: Position / entitlement update
CUST->>ORCH: Safekeeping or servicing instruction
ORCH->>OMNL: Accounting impact or fee posting
OMNL-->>ORCH: Posting confirmation
ORCH->>EVIDENCE: Reconciliation and servicing references
EVIDENCE-->>CUST: Statement / audit package references
```
```mermaid
stateDiagram-v2
[*] --> Registered
Registered --> Safekept
Safekept --> Transferred
Safekept --> Serviced
Transferred --> Reconciled
Serviced --> Reconciled
Reconciled --> Reported
Reported --> [*]
```
### Contract — Custody, safekeeping, and asset-servicing lifecycle
- Owning subsystem: Custody operations / product architecture layer
- Required integrations: depository, custodian, OMNL, evidence package
- Canonical business object or event: custody instruction, holdings statement, servicing event
- Reconciliation / evidence requirement: holdings, statements, and servicing events must reconcile to settlement and participant records
- Production completion condition: one end-to-end custody lifecycle is documented and validated with reconciliation/evidence output
---
# SECTION 12 — CROSS-CHAIN INTEROPERABILITY DESIGN
@@ -468,7 +790,7 @@ Executable counterparts in this repository:
| Phase 2 roadmap | `docs/02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md` |
| Phase 3 liveness wrapper | `scripts/verify/run-dbis-phase3-e2e-simulation.sh`, `docs/03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md` |
| Production gate | `docs/03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md` |
| RTGS E2E requirements matrix | `docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md` |
| RTGS canonical production checklist | `docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md` |
| RTGS FX transaction catalog | `docs/03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md` |
| Indonesia / BNI E2E integration blueprint | `docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md` |
| RTGS first-slice architecture | `docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md` |

52
docs/00-meta/TODO_TASK_LIST_MASTER.md
View File

@@ -197,6 +197,47 @@
- `scripts/omnl/omnl-office-create-*.sh`
- `scripts/omnl/omnl-pvp-post-clearing-bank-kanaya.sh`
### 12.1A Depository / CSD layer
- [ ] Define the depository / CSD operating model for in-scope DBIS instruments.
- [ ] Freeze whether the depository role is on-ledger, off-ledger, or hybrid.
- [ ] Freeze issuance, transfer, pledge, lien, and settlement-touch behavior for at least one canonical asset flow.
- [ ] Define participant-to-asset-register and custody relationships for depository-managed assets.
### 12.1B Global custodian layer
- [ ] Define the global custodian operating model and account structure.
- [ ] Freeze safekeeping, statement, and asset-servicing obligations across correspondent and global-bank paths.
- [ ] Define how custodian statements reconcile to OMNL and RTGS settlement state.
### 12.1C FX pricing / dealing engine
- [ ] Freeze the FX pricing hierarchy, approved rate sources, and quote-locking rules.
- [ ] Freeze the quote lifecycle from request to booking to reconciliation.
- [ ] Define how the FX engine integrates with OMNL, treasury, and HYBX sidecars.
### 12.1D Liquidity pooling and aggregation engine
- [ ] Define source prioritization, eligibility rules, allocation logic, and operator overrides.
- [ ] Freeze how liquidity decisions are recorded and reconciled against funding and settlement events.
- [ ] Decide when on-chain liquidity is part of the funding policy versus optional extension.
### 12.1E Liquidity source adapters
- [ ] Enumerate all in-scope liquidity source families:
- internal treasury pools
- bank credit / liquidity lines
- correspondent-bank sources
- optional on-chain liquidity
- [ ] Define one adapter contract per mandatory source class.
- [ ] Validate at least the mandatory source adapters used by the canonical RTGS rail.
### 12.1F Custody / safekeeping / asset servicing flow
- [ ] Define the canonical lifecycle for safekeeping, transfer, servicing, and statement production.
- [ ] Freeze custody-to-depository, custody-to-settlement, and custody-to-evidence relationships.
- [ ] Validate one end-to-end custody lifecycle with reconciliation and evidence output.
### 12.2 Mifos / Fineract / OMNL banking rail
- [ ] Freeze and execute the first-slice deployment checklist:
@@ -309,14 +350,13 @@
### 12.10 Production gate
- [ ] Create a dedicated RTGS E2E requirements matrix covering:
- [x] Canonical RTGS production checklist created and now maintained in [DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](../03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) with columns:
- component
- current status
- repo / API source
- blocker
- current state
- required integration
- remaining task
- owner
- production gate criteria
- [x] Initial matrix created: [DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](../03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md)
- production gate
- [x] Initial HYBX sidecar boundary matrix created: [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](../03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md)
- [x] Initial Mojaloop status artifact created: [DBIS_MOJALOOP_INTEGRATION_STATUS.md](../03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md)
- [x] Initial identity-stack decision artifact created: [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](../03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md)

55
docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md
View File

@@ -44,6 +44,12 @@ This document is intentionally broader than the current deployed slice. It defin
5. **Chain 138 settlement lane**
- optional but strategically important if on-ledger finality is part of the regulated operating model
6. **Depository / custody / liquidity-control layers**
- depository / CSD role for asset-register and settlement-touch scenarios
- global custodian role for safekeeping, statements, and asset servicing
- FX pricing / dealing engine for rate ownership and booking policy
- liquidity pooling and aggregation engine plus source adapters for funding decisions
## 3. Full end-to-end stages
### Stage 0 — Static setup
@@ -55,6 +61,9 @@ Required before live value movement:
- beneficiary offices mapped
- GL chart complete
- FX reserve / revaluation accounts complete
- FX pricing hierarchy and quote-locking policy frozen
- liquidity source inventory and prioritization policy frozen
- depository / custody operating model frozen for any in-scope asset-backed or safekeeping flow
- payment types and maker-checker policy frozen
- sidecar-to-Fineract auth contract frozen
- external bank routing matrix frozen
@@ -88,6 +97,7 @@ Required checks:
- sanctions and watchlist screening
- limit checks
- liquidity and prefunding check
- source-of-liquidity selection and approval
- market conduct / rate authorization check
- jurisdictional eligibility
@@ -108,6 +118,7 @@ Required capabilities:
- trade timestamp and value date
- spread / fee logic
- approved trader / operator identity
- pricing-engine or dealer ownership of the approved quote
Required records:
@@ -118,6 +129,7 @@ Required records:
- rate
- fee / spread component
- realized vs unrealized P&L handling
- quote id and liquidity-decision reference
### Stage 4 — OMNL accounting and posting
@@ -158,6 +170,7 @@ For global-bank and cross-border settlement:
- nostro / vostro account chosen
- prefunding / cover logic confirmed
- message dispatched and acknowledged
- custody / safekeeping instructions attached where the flow involves held assets or global-custodian reporting
### Stage 6 — Funds movement and settlement confirmation
@@ -168,6 +181,7 @@ Required evidence:
- statement extract or advice
- confirmation of beneficiary-bank receipt
- unresolved exception queue if delayed
- custody statement / servicing reference where applicable
### Stage 7 — Reconciliation and package generation
@@ -178,6 +192,8 @@ Required reconciliations:
3. FX trade blotter vs accounting postings
4. external bank confirmations vs OMNL settlement state
5. on-chain event vs OMNL event where chain leg exists
6. asset register / custody statement vs settlement state where depository flows apply
7. liquidity decision vs selected funding source vs actual settlement usage
Required evidence outputs:
@@ -305,6 +321,7 @@ Required responsibilities:
- limit checks
- prefunding and source-of-funds orchestration
- status / approval / exception workflow
- handoff to liquidity pooling and source-adapter decisions
### `off-ledger-2-on-ledger-sidecar`
@@ -312,6 +329,16 @@ Required responsibilities:
- translate approved off-ledger event into on-ledger settlement action
- attach rates, conversion basis, and settlement refs
- record chain transaction linkage
- preserve depository / custody / liquidity references where those roles are in scope
### Additional required control layers
Required responsibilities:
- FX pricing / dealing engine owns quote generation or approved rate ingest
- liquidity pooling and aggregation engine owns funding-source selection
- liquidity source adapters normalize bank-line, correspondent, internal-pool, and optional on-chain liquidity access
- depository / CSD layer owns asset-register and settlement-touch behavior for in-scope instruments
- global custodian layer owns safekeeping, statements, and asset-servicing obligations
### Optional or later
@@ -329,6 +356,9 @@ If on-ledger settlement is in scope, the following must be true:
3. reserve / oracle dependencies are frozen
4. sidecar correlation id maps to chain tx hash
5. evidence package includes chain settlement proof
6. depository / CSD touch point is frozen where asset-backed flows exist
7. custody / safekeeping statement linkage is frozen where custody applies
8. liquidity-source decision reference is preserved in the evidence package
## 9. Reconciliation requirements
@@ -350,6 +380,12 @@ If on-ledger settlement is in scope, the following must be true:
5. **On-ledger reconciliation**
- chain tx vs off-ledger settlement event
6. **Custody / depository reconciliation**
- asset register vs custody statement vs settlement state
7. **Liquidity reconciliation**
- selected funding source vs liquidity decision vs actual settlement usage
## 10. Full production-complete gate
The OMNL → Indonesia / BNI → global-bank flow is only fully complete when:
@@ -369,18 +405,21 @@ The OMNL → Indonesia / BNI → global-bank flow is only fully complete when:
- treasury / funds sidecar lane not yet validated end to end
- on-ledger settlement leg not yet included in the canonical transaction
- participant / office / treasury model not yet frozen across all counterparties
- depository / custody operating model not yet frozen
- FX pricing engine and liquidity aggregation ownership not yet frozen
## 12. Execution order
1. freeze participant / office / GL / nostro-vostro model
2. freeze OMNL operator runbook
3. validate `server-funds-sidecar`
4. validate `off-ledger-2-on-ledger-sidecar`
5. acquire and document BNI / correspondent-bank endpoint and auth contracts
6. run one domestic Indonesia beneficiary-bank flow
7. run one correspondent-bank flow
8. add Chain 138 settlement leg if in scope
9. generate and sign the final evidence package
2. freeze depository / custody / FX / liquidity-control layers
3. freeze OMNL operator runbook
4. validate `server-funds-sidecar`
5. validate `off-ledger-2-on-ledger-sidecar`
6. acquire and document BNI / correspondent-bank endpoint and auth contracts
7. run one domestic Indonesia beneficiary-bank flow
8. run one correspondent-bank flow
9. add Chain 138 settlement leg if in scope
10. generate and sign the final evidence package
## Related artifacts

148
docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md
View File

@@ -1,105 +1,65 @@
# DBIS RTGS E2E Requirements Matrix
# DBIS RTGS Canonical Production Checklist
**Last updated:** 2026-03-29
**Purpose:** Canonical implementation matrix for the full DBIS RTGS stack across Chain 138, OMNL / Fineract, HYBX sidecars, and the related Hyperledger layers. This document turns the RTGS TODO section into an executable requirements and production-gate artifact.
**Purpose:** Canonical production-readiness checklist for the full DBIS RTGS stack across Chain 138, OMNL / Fineract, HYBX sidecars, Indonesia / BNI banking flows, and optional Hyperledger identity and interoperability layers.
## Status legend
## Status guidance
- `Complete` — implemented and verified enough to be used in production for the stated role
- `Partial` exists or works in a narrow slice, but not yet enough for full production use
- `Planned` intentionally in scope, but not yet deployed or validated
- `Reserved placeholder` inventory exists, but is not an active deployed workload
- `Retired / standby` — not active; retained only as reserve inventory until rebuilt
- Use `Complete` only for production-capable roles that are implemented and verified.
- Use `Partial` when a slice exists or works narrowly, but is not yet enough for full production use.
- Use `Planned` for intentionally in-scope components not yet deployed or validated.
- Use `Reserved placeholder` for inventory that exists but is not an active workload.
- Use `Retired / standby` for inventory that is intentionally inactive until rebuilt.
## Core matrix
## Canonical checklist
| Component | Current status | Owner | Current source / repo artifact | Main blockers | Production-gate criteria |
|-----------|----------------|-------|--------------------------------|---------------|--------------------------|
| Chain 138 Besu validator / sentry / RPC baseline | Complete | DBIS / infra ops | [check-chain138-rpc-health.sh](../../scripts/verify/check-chain138-rpc-health.sh), [DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md) | None for baseline | Public and core RPC healthy, head spread `0`, peer counts healthy, required wallet/explorer methods working |
| Explorer / Blockscout | Complete | DBIS / explorer ops | `explorer-monorepo`, explorer routing/API runbooks | Ongoing normal maintenance only | Explorer routes, API, token metadata, and RPC capability metadata remain healthy |
| FireFly primary `6200` | Partial | DBIS workflow / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md) | Minimal local gateway only; no proven multiparty production workflow yet | API healthy, config preserved, event model defined, cross-system orchestration validated |
| FireFly secondary `6201` | Retired / standby | DBIS workflow / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md) | Empty rootfs; no valid deployment payload | Either rebuilt as a real secondary node and verified, or left explicitly retired in all architecture claims |
| Fabric `6000-6002` | Reserved placeholder | DBIS architecture / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [DBIS_NODE_ROLE_MATRIX.md](../02-architecture/DBIS_NODE_ROLE_MATRIX.md) | No app payload, no listeners, no active peer/orderer processes | Either deploy real Fabric workloads and validate them, or keep them stopped and excluded from active stack claims |
| Indy `6400-6402` | Reserved placeholder | DBIS architecture / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [DBIS_NODE_ROLE_MATRIX.md](../02-architecture/DBIS_NODE_ROLE_MATRIX.md) | No app payload, no listeners, no active Indy processes | Either deploy real Indy workloads and validate them, or keep them stopped and excluded from active stack claims |
| Aries | Planned | Identity architecture lead | [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md), [TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md) | No deployed Aries runtime, no agent model defined | Decide in/out of scope; if in, deploy agents, define DID/wallet/protocol model, validate credential flows |
| AnonCreds | Planned | Identity architecture lead | [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md), [TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md) | No deployed credential flow, no issuer/holder/verifier model frozen | Decide in/out of scope; if in, define schema/credential lifecycle and validation path |
| Ursa | Planned | Identity / cryptography architecture lead | [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md), [TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md) | No explicit runtime control or deployment model defined | Decide in/out of scope; if in, document cryptographic role and operational dependency model |
| Cacti | Planned | Interoperability architecture lead | [dbis_chain_138_technical_master_plan.md](../../dbis_chain_138_technical_master_plan.md) | Not proven as current live interoperability engine | Decide in/out of scope; if in, deploy and validate real cross-ledger integration path |
| Caliper | Planned | Performance / QA lead | [CALIPER_CHAIN138_PERF_HOOK.md](CALIPER_CHAIN138_PERF_HOOK.md) | Hook exists, benchmark harness not yet routine | Add benchmark harness and run approved RTGS workload profiles |
| OMNL / Fineract API rail | Partial | OMNL / banking ops | [HYBX_BATCH_001_OPERATOR_CHECKLIST.md](../04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [scripts/omnl](../../scripts/omnl), [API_DOCUMENTATION.md](../11-references/API_DOCUMENTATION.md) | Full production package flow and participant model are not yet frozen as the canonical RTGS rail | Office / GL / JE / snapshot / package flow runs cleanly against live API and is operator-repeatable |
| Mifos X frontend / Fineract tenant | Partial | OMNL / banking ops | [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md), Mifos deployment docs | Authenticated tenant is now proven live for sidecar posting, but operator runbook and production participant model remain incomplete | UI/API confirmed healthy, tenant/auth stable, operator runbook complete |
| HYBX participant / office / treasury model | Planned | Banking architecture lead | OMNL scripts and central-bank config | Participant model and treasury structure not yet frozen end-to-end | Office IDs, treasury accounts, GL mapping, nostro/vostro model, and settlement roles are documented and accepted |
| Mojaloop integration | Planned | Payments interoperability lead | [DBIS_MOJALOOP_INTEGRATION_STATUS.md](DBIS_MOJALOOP_INTEGRATION_STATUS.md) | No proven live Mojaloop switch endpoint set or callback contract in repo-backed state | Endpoint/auth contract documented, quote/transfer/callback flow integrated, settlement-window behavior mapped to accounting and chain settlement |
| HYBX sidecar layer | Partial | HYBX app / integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Sidecars available, but full orchestration and system-of-record ownership not yet frozen | Sidecar-by-sidecar purpose, auth, ingress/egress, retries, and system-of-record ownership documented and validated |
| `mifos-fineract-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox, healthy, and has completed one authenticated live OMNL posting, but chain-settlement and evidence legs are still open | Sidecar API and event flow documented, at least one authenticated live transfer completed, and downstream settlement/evidence path validated |
| `mt103-hardcopy-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Ingestion path not yet tied into canonical RTGS workflow | MT103 ingest to settlement and evidence path is documented and tested |
| `off-ledger-2-on-ledger-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but canonical off-ledger source event and authenticated Fineract flow are not yet frozen | Canonical mapping from off-ledger event to Chain 138 settlement defined and tested |
| `securitization-engine-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Regulatory/accounting role not yet tied into RTGS runbook | Accounting and reporting responsibilities explicitly mapped and validated |
| `card-networks-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Not yet placed in RTGS path | Include only if card-network settlement is in scope and integrated |
| `server-funds-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but its final treasury/system-of-record boundary is not yet frozen | Define and validate if it is needed for treasury/funding orchestration |
| Chain 138 settlement contracts | Partial | Chain 138 / settlement lead | `smom-dbis-138`, `alltra-lifi-settlement`, [CONTRACTS_TO_DEPLOY.md](../11-references/CONTRACTS_TO_DEPLOY.md) | Canonical RTGS path not yet frozen across off-ledger ↔ on-ledger events | Final contract set chosen, deployed addresses frozen, flow tested end-to-end |
| MerchantSettlementRegistry | Partial | Chain 138 / settlement lead | `alltra-lifi-settlement` docs and deploy scripts | Need explicit placement in RTGS canonical flow | Registry integrated into business flow with verified inputs/outputs |
| WithdrawalEscrow | Partial | Chain 138 / settlement lead | `alltra-lifi-settlement` docs and deploy scripts | Need explicit placement in RTGS canonical flow | Escrow flow validated in settlement and withdrawal scenarios |
| DBIS / compliant settlement tokens | Partial | Chain 138 / monetary architecture lead | token/contract references throughout repo | Need final RTGS instrument selection per use case | Final instrument selection, mint/burn/reserve rules, and reconciliation path are frozen |
| Reserve / oracle dependencies | Partial | Monetary controls lead | Chain 138 reserve/oracle docs and scripts | RTGS-specific dependency mapping not yet frozen | Reserve attestations and oracle dependencies are documented and operational |
| FireFly / sidecar / chain event model | Planned | Workflow architecture lead | TODOs and FireFly docs | No single canonical correlation model yet | Event catalog, IDs, retries, and compensating actions defined |
| ISO 20022 evidence and vault path | Partial | Regulatory / compliance lead | [INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](../04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) | Need full institution-ready production completion | ISO vault manifest, hashes, and legal evidence path complete and reproducible |
| Institutional 4.995 package path | Partial | Regulatory / compliance lead | same standard + OMNL scripts | Requires real institution attestation and submission-grade evidence | `--strict` readiness passes with real institution materials |
| RTGS production gate | Planned | DBIS program owner | this matrix + [DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md) | Not all subsystems are green | All mandatory rows for the chosen RTGS architecture are `Complete` |
| Component | Current state | Required integration | Remaining task | Owner | Production gate |
|-----------|---------------|----------------------|----------------|-------|-----------------|
| Chain 138 Besu validator / sentry / RPC baseline | Complete. Validator, sentry, core, public, and named RPC tiers are live and script-verified. | Ongoing RPC, validator, and public wallet/explorer compatibility only. | Maintain health, peer spread, fee support, and public RPC method coverage. | DBIS / infra ops | Public and core RPC healthy, head spread `0`, peer counts healthy, wallet/explorer-required methods working. |
| Explorer / Blockscout | Complete. Explorer routes, APIs, token metadata, and RPC capability metadata are live. | Ongoing explorer API, token metadata, and wallet metadata compatibility. | Maintain explorer health, indexing freshness, metadata accuracy, and route stability. | DBIS / explorer ops | Explorer routes, APIs, and metadata remain healthy and consistent with Chain 138 runtime. |
| FireFly primary `6200` | Partial. Restored as a minimal local FireFly API footprint, not yet a proven multiparty production workflow engine. | FireFly event/orchestration model, sidecar and banking workflow correlation, and HA strategy. | Define event model, validate orchestration role, and decide whether FireFly is mandatory in slice 1. | DBIS workflow / infra ops | API healthy, config preserved, orchestration role defined, and real cross-system workflow validated. |
| FireFly secondary `6201` | Retired / standby. Inventory exists, but current rootfs does not contain a valid deployment payload. | Rebuild contract for a real secondary FireFly node if HA is required. | Either rebuild as a true secondary and validate failover, or keep explicitly retired in all architecture claims. | DBIS workflow / infra ops | Either rebuilt and verified as a real secondary, or formally excluded from active-stack claims. |
| Fabric `6000-6002` | Reserved placeholder. VMIDs exist, but app-level verification did not show active peer / orderer services or meaningful Fabric payloads. | Actual Fabric peer/orderer deployment model if Fabric is required by the RTGS target architecture. | Either deploy real Fabric workloads and validate them, or keep them stopped and excluded from active-stack claims. | DBIS architecture / infra ops | Real Fabric workloads deployed and validated, or the footprint remains explicitly placeholder-only. |
| Indy `6400-6402` | Reserved placeholder. VMIDs exist, but app-level verification did not show active Indy listeners or meaningful Indy payloads. | Actual Indy validator / identity runtime only if Indy is required by the RTGS target architecture. | Either deploy real Indy workloads and validate them, or keep them stopped and excluded from active-stack claims. | DBIS architecture / infra ops | Real Indy workloads deployed and validated, or the footprint remains explicitly placeholder-only. |
| Aries | Planned. No deployed Aries runtime is currently evidenced. | Identity-agent model, DID/wallet strategy, and credential-exchange role in RTGS workflows. | Decide in or out of scope for production slice 1; if in, deploy agents and validate flows. | Identity architecture lead | Scope decision is frozen, and if in scope the deployed agent model and flows are validated. |
| AnonCreds | Planned. No deployed credential flow is currently evidenced. | Issuer / holder / verifier model and credential lifecycle. | Decide in or out of scope for production slice 1; if in, freeze schema and verification flow. | Identity architecture lead | Scope decision is frozen, and if in scope the credential lifecycle is validated end to end. |
| Ursa | Planned. No explicit runtime dependency or operating model is currently evidenced. | Cryptographic runtime role, library dependency model, and operational controls. | Decide in or out of scope; if in, document and validate the cryptographic dependency model. | Identity / cryptography architecture lead | Scope decision is frozen, and if in scope the cryptographic dependency is documented and validated. |
| Cacti | Planned. Not currently proven as a live interoperability engine. | Cross-ledger interoperability contract and deployment model. | Decide whether Cacti is needed for production slice 1; if in, deploy and validate the real path. | Interoperability architecture lead | Scope decision is frozen, and if in scope the live interoperability path is deployed and tested. |
| Caliper | Planned. Documentation hook exists, but no routine benchmark harness is active. | Benchmark workload definitions for RTGS and Chain 138 settlement paths. | Build the approved benchmark harness and run accepted workload profiles. | Performance / QA lead | Benchmark harness exists and approved RTGS workloads have been executed and recorded. |
| OMNL / Fineract API rail | Partial. Live tenant and authenticated posting path are now proven, but the canonical RTGS operator rail is not fully frozen. | Stable OMNL tenant/auth contract, operator flow, office/GL mapping, and reconciliation package path. | Freeze tenant, operator runbook, participant model, and reproducible OMNL settlement rail. | OMNL / banking ops | Office / GL / JE / snapshot / package flow runs cleanly and repeatably against the intended live tenant. |
| Mifos X frontend / Fineract tenant | Partial. Runtime is live and sidecars can authenticate, but production operator model is not fully frozen. | Stable UI/API tenant contract, secrets, and operator procedures. | Finalize tenant/auth, operator usage, and runbook completeness. | OMNL / banking ops | UI/API healthy, tenant/auth stable, and operator procedures are complete and repeatable. |
| HYBX participant / office / treasury model | Planned. Participant, office, reserve, settlement, and treasury roles are not yet frozen end to end. | OMNL participant model, office mappings, GL mappings, and treasury structure. | Freeze participant classes, office IDs, treasury accounts, and nostro/vostro model. | Banking architecture lead | Participant, treasury, reserve, and GL structures are documented, accepted, and used by the canonical rail. |
| Depository / CSD layer | Planned. No dedicated depository or CSD runtime and no frozen asset-register model are yet evidenced in the current RTGS stack. | Securities ownership model, settlement-finality link, asset register, and participant/custody relationships. | Define whether the depository role is on-ledger, off-ledger, or hybrid; freeze issuance, transfer, pledge, and settlement-touch points. | Securities / market-infrastructure architecture lead | Depository role, participant model, and settlement interaction are documented and validated in at least one canonical asset flow. |
| Global custodian layer | Planned. No explicit global custodian runtime, account model, or reporting path is yet frozen in repo-backed state. | Correspondent banks, global custodians, safekeeping accounts, corporate-action handling, and asset-servicing obligations. | Define the custody operating model, account structure, reporting obligations, and reconciliation with OMNL and RTGS settlement. | Custody / institutional banking integration lead | Custody account model, reconciliation path, and reporting obligations are frozen and tested in a canonical custody flow. |
| FX pricing / dealing engine | Planned. FX flow requirements are documented, but no single pricing/dealing engine contract is yet frozen as the production source of rates and booking rules. | Treasury policy, rate sources, quote locking, spreads, value dates, and gain/loss accounting. | Freeze the pricing hierarchy, quote lifecycle, booking rules, and integration into OMNL and sidecars. | FX / treasury architecture lead | One canonical FX transaction runs with frozen pricing inputs, accounting, and reconciliation. |
| Liquidity pooling and aggregation engine | Planned. Liquidity sourcing is implied across treasury and correspondent flows, but no explicit pooling/aggregation engine is yet modeled as a production component. | Treasury policy, reserve policy, liquidity providers, internal pools, external bank lines, and optional on-chain liquidity. | Define source prioritization, eligibility rules, allocation logic, and operator controls. | Liquidity architecture lead | Liquidity sourcing logic is documented and one canonical funding decision path is validated. |
| Liquidity source adapters | Planned. No source-by-source adapter contract has been frozen for bank lines, treasury pools, correspondent banks, or optional on-chain liquidity. | Bank lines, correspondent banks, internal treasury pools, optional on-chain pools, and optional sidecar/provider adapters. | Enumerate source families and define one adapter contract per source class. | Treasury / integrations lead | Each in-scope liquidity source class has a defined adapter contract and at least the mandatory sources are validated. |
| Custody / safekeeping / asset servicing flow | Planned. Custody, safekeeping, and servicing obligations are referenced indirectly through settlement and correspondent flows, but not yet modeled as one canonical lifecycle. | Depository, custodian, participant accounts, statements, corporate actions, holdings reconciliation, and evidence path. | Define the canonical lifecycle for safekeeping, transfer, servicing, and statement production. | Custody operations / product architecture lead | One end-to-end custody lifecycle is documented and validated with reconciliation/evidence output. |
| Mojaloop integration | Planned. No live Mojaloop switch endpoint/auth/callback contract is yet evidenced here. | Mojaloop quote, transfer, callback, and settlement-window contract. | Document live Mojaloop endpoints/auth and integrate them if Mojaloop remains in scope. | Payments interoperability lead | Endpoint/auth contract is frozen and quote/transfer/callback/settlement behavior is validated. |
| HYBX sidecar layer | Partial. Sidecar families are known, and first-slice sidecars are deployed, but full boundaries and ownership are not yet frozen. | Sidecar-by-sidecar ingress/egress, retries, auth, and system-of-record ownership. | Freeze sidecar boundaries, orchestration model, and canonical RTGS event path. | HYBX app / integration lead | Sidecar purposes, auth, retries, and system-of-record ownership are documented and validated. |
| `mifos-fineract-sidecar` | Partial. Deployed on Proxmox, healthy, and has completed an authenticated live OMNL posting. | OMNL/Fineract tenant contract and downstream settlement/evidence path. | Extend validation from posting success to the full settlement/evidence path. | HYBX integration lead | Sidecar API and event flow documented, and at least one authenticated live transfer completes through downstream settlement/evidence. |
| `server-funds-sidecar` | Partial. Deployed on Proxmox and healthy, but treasury/system-of-record boundaries are not yet frozen. | OMNL treasury/funding orchestration contract and participant model. | Freeze whether it is mandatory in the first RTGS slice and validate its business flow. | HYBX integration lead | Treasury/funding role is defined and a real authenticated business flow is validated. |
| `off-ledger-2-on-ledger-sidecar` | Partial. Deployed on Proxmox, healthy, and able to drive the first Chain 138 settlement leg with safe pending-anchor degradation. | Canonical off-ledger event source, OMNL/Fineract posting contract, and Chain 138 settlement finality path. | Freeze the canonical off-ledger source event and complete final receipt/finality handling. | HYBX integration lead | Off-ledger event to Chain 138 settlement is frozen and tested end to end with durable evidence output. |
| `mt103-hardcopy-sidecar` | Partial. Known sidecar, but not yet tied into the canonical RTGS path. | MT103 ingest, bank-message archive, and settlement/evidence mapping. | Decide whether it is in scope and, if yes, integrate MT103 ingest into the canonical RTGS flow. | HYBX integration lead | MT103 ingestion path is documented, integrated, and tested if in scope. |
| `securitization-engine-sidecar` | Partial. Known sidecar, but regulatory/accounting role in RTGS is not yet frozen. | Accounting, collateral, and reporting responsibilities in the RTGS operating model. | Define whether it participates in RTGS slice 1 and validate the required role if so. | HYBX integration lead | Its RTGS responsibility is either validated or explicitly out of scope. |
| `card-networks-sidecar` | Partial. Known sidecar, but not yet placed in the RTGS path. | Card-network settlement role only if card rails are included in scope. | Include only if card settlement is part of production scope; otherwise keep it out of the canonical path. | HYBX integration lead | Scope decision is frozen, and if included the settlement path is validated. |
| Chain 138 settlement contracts | Partial. Contract families exist, but the exact RTGS contract path is not yet frozen as one canonical settlement lane. | Final contract path between OMNL-side events and on-chain settlement evidence. | Freeze the exact contract set and document how each business flow reaches Chain 138. | Chain 138 / settlement lead | Final contract set is frozen, deployed addresses are accepted, and the path is tested end to end. |
| MerchantSettlementRegistry | Partial. Available contract family, but exact placement in the canonical RTGS flow is not yet frozen. | RTGS settlement workflow and evidence mapping. | Decide exactly when and how the registry is invoked in RTGS settlement. | Chain 138 / settlement lead | Registry path is integrated into the business flow with verified inputs and outputs. |
| WithdrawalEscrow | Partial. Available contract family, but exact placement in RTGS withdrawal scenarios is not yet frozen. | Withdrawal / release / payout semantics in the RTGS model. | Freeze the escrow role for settlement and withdrawal scenarios. | Chain 138 / settlement lead | Escrow flow is validated in the chosen settlement and withdrawal scenarios. |
| DBIS / compliant settlement tokens | Partial. Candidate instruments exist, but the final RTGS instrument set is not yet frozen by use case. | Monetary architecture, reserve rules, mint/burn policy, and reconciliation policy. | Select the final RTGS instruments and freeze their control and reconciliation model. | Chain 138 / monetary architecture lead | Final instrument selection, reserve rules, and reconciliation path are documented and validated. |
| Reserve / oracle dependencies | Partial. Reserve and oracle systems exist, but the RTGS-specific dependency mapping is not yet frozen. | RTGS dependency model for reserve attestations, price references, and control policy. | Freeze which reserve/oracle controls are required for RTGS settlement and FX support. | Monetary controls lead | RTGS reserve/oracle dependencies are documented, accepted, and operational. |
| FireFly / sidecar / chain event model | Planned. No single canonical correlation and retry model is yet frozen. | Shared IDs, correlation, retry, compensating actions, and event archive policy. | Define one canonical event model across OMNL, sidecars, and Chain 138. | Workflow architecture lead | Event catalog, IDs, retries, and compensating actions are defined and validated. |
| ISO 20022 evidence and vault path | Partial. Evidence standard exists, but full institution-ready production completion is not yet frozen. | ISO 20022 archive, manifest, vaulting, and hash anchoring contract. | Complete ISO evidence packaging and archive references for the RTGS path. | Regulatory / compliance lead | ISO manifests, hashes, archive references, and legal evidence path are complete and reproducible. |
| Institutional 4.995 package path | Partial. Package standards and scripts exist, but real institution submission-grade completion is not yet frozen. | Institutional attestation, submission package, and strict readiness contract. | Complete the evidence path with real institution-ready materials and `--strict` readiness. | Regulatory / compliance lead | `--strict` readiness passes with real institution materials and reproducible evidence output. |
| Indonesia / BNI domestic banking path | Planned. Blueprint exists, but live BNI endpoint/auth/message contract is not yet evidenced. | BNI institution profile, domestic route definition, auth, account validation, and reporting obligations. | Freeze the BNI-connected route and message/auth contract for production. | Indonesia banking integration lead | Live BNI contract is documented, validated, and used in the canonical Indonesia payment flow. |
| Global correspondent / liquidity bank path | Planned. Blueprint exists, but live correspondent endpoint/auth/message contract is not yet evidenced. | SWIFT / ISO / correspondent-bank endpoint, auth, nostro/vostro, and confirmation contract. | Freeze the correspondent-bank route and integrate it with OMNL, sidecars, and reconciliation. | Cross-border banking integration lead | Live correspondent contract is documented and a real cross-border flow is validated. |
| RTGS production gate | Planned. The gate exists conceptually, but not all mandatory lanes are green yet. | All mandatory banking, sidecar, settlement, evidence, and external-bank integrations for the chosen production architecture. | Turn all mandatory rows for the chosen production architecture to `Complete`. | DBIS program owner | All mandatory checklist rows for the chosen RTGS production architecture are `Complete`. |
## First-slice implementation note
## Immediate execution priority
The current recommended first production slice is frozen in:
- [DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md)
- [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md)
As of 2026-03-29, the following first-slice sidecars are deployed on Proxmox VE and runtime-healthy:
- `mifos-fineract-sidecar`
- `server-funds-sidecar`
- `off-ledger-2-on-ledger-sidecar`
Additional proven fact for the first slice:
- `mifos-fineract-sidecar` has completed at least one authenticated live transfer into OMNL / Fineract with verified debit/credit journal entries (`transactionId: a16a10b3bc47`).
This is still not equivalent to full RTGS production completion. The deployment checklist remains the gate for chain settlement, evidence output, and the remaining sidecar lanes.
## Immediate execution priorities
### Priority 1 — Freeze the canonical banking rail
1. Freeze the canonical HYBX batch / settlement operator flow on top of the now-proven OMNL tenant/auth path.
2. Lock the participant / treasury / GL model.
3. Extend authenticated business-flow validation beyond SCSM into the remaining in-scope sidecars.
### Priority 2 — Freeze the interoperability path
1. Decide whether Mojaloop is in-scope now or a later phase.
2. Decide which HYBX sidecars are truly part of the initial RTGS path.
3. Decide whether Aries / AnonCreds / Ursa are required in the first production slice.
### Priority 3 — Freeze the settlement path
1. Define the exact off-ledger to on-ledger mapping.
2. Freeze the Chain 138 contract path used by RTGS.
3. Define reconciliation and evidence outputs for each settlement batch.
## Minimum “full RTGS E2E” green criteria
The RTGS stack can be called fully end-to-end only when all of the following are true:
1. The Fineract / OMNL operator flow runs cleanly against the intended live tenant.
2. The participant / treasury / GL model is frozen and documented.
3. The required HYBX sidecars are integrated and their boundaries are documented.
4. If Mojaloop is in scope, quote / transfer / callback / settlement logic is live and validated.
5. The Chain 138 settlement path is frozen and validated.
6. Required Hyperledger identity/workflow layers are either:
- deployed and validated, or
- explicitly out of scope for the first production slice.
7. Regulatory evidence generation passes at submission grade.
8. The final production gate is updated to reflect those facts.
1. Freeze the canonical banking rail on the now-proven OMNL tenant/auth path.
2. Freeze the participant / treasury / GL model plus the depository, custody, FX, and liquidity-control layers.
3. Complete the canonical settlement path from HYBX sidecars into Chain 138 and evidence output.
## Related artifacts

2
docs/MASTER_INDEX.md
View File

@@ -58,7 +58,7 @@
|------|-----------------|
| **00-meta** (tasks, next steps, phases) | [00-meta/NEXT_STEPS_INDEX.md](00-meta/NEXT_STEPS_INDEX.md), [00-meta/PHASES_AND_TASKS_MASTER.md](00-meta/PHASES_AND_TASKS_MASTER.md) |
| **02-architecture** | [02-architecture/](02-architecture/) — **Public sector + Phoenix catalog baseline:** [02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md); **non-goals (incl. catalog vs marketing §9):** [02-architecture/NON_GOALS.md](02-architecture/NON_GOALS.md); **DBIS Chain 138:** [dbis_chain_138_technical_master_plan.md](../dbis_chain_138_technical_master_plan.md), [02-architecture/DBIS_NODE_ROLE_MATRIX.md](02-architecture/DBIS_NODE_ROLE_MATRIX.md), [02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md](02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md) |
| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 13:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) |
| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 13:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) |
| **04-configuration** | [04-configuration/README.md](04-configuration/README.md), [04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) |
| **06-besu** | [06-besu/MASTER_INDEX.md](06-besu/MASTER_INDEX.md) |
| **Testnet (2138)** | [testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md](testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md), [testnet/TESTNET_DEPLOYMENT.md](testnet/TESTNET_DEPLOYMENT.md) |