diff --git a/dbis_chain_138_technical_master_plan.md b/dbis_chain_138_technical_master_plan.md index 95def9e..d2d6637 100644 --- a/dbis_chain_138_technical_master_plan.md +++ b/dbis_chain_138_technical_master_plan.md @@ -269,6 +269,328 @@ Use FireFly as the workflow layer only after: - [docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md) - [docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) +## 11.1 Depository / CSD architecture + +### Current state + +- A dedicated depository / central securities depository runtime is not currently evidenced as deployed in this environment. +- The depository role is still implied inside broader settlement, securities, and custody discussions rather than frozen as a first-class production component. +- The canonical production checklist row is: + - [Depository / CSD layer](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) + +### Target role + +- maintain the authoritative asset register for in-scope instruments +- define issuance, transfer, pledge, and lien semantics +- provide the settlement-touch point between asset ownership and RTGS finality + +### Required integrations + +- OMNL / Fineract participant and account model +- custody and safekeeping lifecycle +- Chain 138 settlement and evidence path where on-ledger finality is in scope +- external statements, reconciliation, and regulatory evidence outputs + +### Current gaps + +- No frozen decision yet on whether the depository role is on-ledger, off-ledger, or hybrid. +- No participant-to-asset-register relationship is yet frozen for custody, pledge, and transfer scenarios. + +### Execution artifacts + +- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) +- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md) + +### System flow + +```mermaid +flowchart LR + OMNL["OMNL / Fineract"] -->|"participant + account context"| CSD["Depository / CSD"] + CSD -->|"asset ownership + settlement touch"| RTGS["RTGS Orchestrator"] + RTGS -->|"cash settlement leg"| BANK["Bank / Correspondent Rail"] + RTGS -->|"optional finality evidence"| CHAIN["Chain 138 Settlement"] + CSD -->|"holdings + entitlements"| CUSTODY["Custody / Safekeeping"] + CUSTODY -->|"statements + evidence"| EVIDENCE["Audit / Reconciliation Package"] +``` + +### Contract — Depository asset-register and settlement-touch + +- Owning subsystem: Depository / CSD layer +- Required integrations: participant model, custody model, settlement orchestration, reconciliation/evidence +- Canonical business object or event: asset position, transfer instruction, pledge/release instruction +- Reconciliation / evidence requirement: holdings register must reconcile to settlement state and custody reporting +- Production completion condition: one canonical asset flow proves issuance/transfer/settlement-touch behavior end to end + +## 11.2 Global custodian architecture + +### Current state + +- No explicit global custodian runtime or operating model is currently evidenced as active in the repo-backed deployment state. +- Custodian responsibilities are currently implied through correspondent-bank and safekeeping language, not frozen as one production role. +- The canonical production checklist row is: + - [Global custodian layer](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) + +### Target role + +- manage safekeeping accounts and sub-custody relationships +- coordinate global bank, correspondent, and asset-servicing obligations +- provide statement, confirmation, and reconciliation surfaces for institutional holdings + +### Required integrations + +- depository / CSD role +- correspondent and global-bank messaging lanes +- custody / safekeeping / asset-servicing lifecycle +- OMNL and RTGS reconciliation packages + +### Current gaps + +- No frozen custody account structure or reporting model exists yet. +- Corporate-action, entitlement, and asset-servicing obligations are not yet mapped into the RTGS program. + +### Execution artifacts + +- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) +- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md) + +### Contract — Global custodian account, reporting, and reconciliation + +- Owning subsystem: Global custodian layer +- Required integrations: correspondent/global-bank path, depository role, custody operations, evidence package +- Canonical business object or event: custody account statement, holdings advice, settlement confirmation +- Reconciliation / evidence requirement: custodian statements must reconcile to OMNL and settlement state +- Production completion condition: one canonical custody flow includes account structure, reporting, and reconciliation outputs + +## 11.3 FX pricing and dealing architecture + +### Current state + +- FX pricing, valuation, and revaluation requirements are documented, but no single production pricing/dealing engine contract is yet frozen. +- Existing materials prove the need for FX handling, not a finalized runtime ownership model. +- The canonical production checklist row is: + - [FX pricing / dealing engine](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) + +### Target role + +- own quote generation or ingestion +- apply spread and pricing policy +- lock rates, value dates, and booking terms +- feed OMNL, treasury, and settlement services with the approved FX terms + +### Required integrations + +- treasury policy and limits +- participant / office / GL model +- `server-funds-sidecar` and `off-ledger-2-on-ledger-sidecar` +- reconciliation and evidence path + +### Current gaps + +- No frozen source hierarchy yet for rates, triangulation, and overrides. +- No canonical quote lifecycle is yet mapped from request to booking to reconciliation. + +### Execution artifacts + +- [docs/03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](docs/03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md) +- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) +- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md) + +### Sequence diagram + +```mermaid +sequenceDiagram + participant Client as Initiating System + participant ORCH as RTGS Orchestrator + participant FX as FX Pricing / Dealing Engine + participant TREASURY as Treasury / Funds + participant OMNL as OMNL / Fineract + participant SETTLE as Settlement Service + + Client->>ORCH: FX-backed payment request + ORCH->>FX: Quote request with currencies, amount, value date + FX-->>ORCH: Locked quote, spread, rate source, expiry + ORCH->>TREASURY: Liquidity and approval check + TREASURY-->>ORCH: Funding approval / rejection + ORCH->>OMNL: Post booked FX and settlement journals + OMNL-->>ORCH: Accounting confirmation + ORCH->>SETTLE: Trigger settlement leg with FX references + SETTLE-->>ORCH: Settlement reference and finality state +``` + +### Contract — FX quote, pricing, and booking + +- Owning subsystem: FX pricing / dealing engine +- Required integrations: treasury, OMNL, sidecars, settlement, reconciliation +- Canonical business object or event: FX quote, booked FX instruction, revaluation event +- Reconciliation / evidence requirement: rate source, booked rate, and realized/unrealized P&L must reconcile +- Production completion condition: one canonical FX transaction completes with frozen inputs, accounting, and reconciliation + +## 11.4 Liquidity pooling and aggregation architecture + +### Current state + +- Liquidity and prefunding checks are documented, but no explicit pooling/aggregation engine is yet modeled as a first-class production component. +- Liquidity sourcing is currently spread across treasury, correspondent, and optional on-chain discussions. +- The canonical production checklist row is: + - [Liquidity pooling and aggregation engine](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) + +### Target role + +- evaluate available liquidity sources +- apply prioritization and eligibility policy +- allocate funding across internal and external sources +- expose operator controls for override, hold, and audit + +### Required integrations + +- treasury account model +- reserve policy +- bank and correspondent source adapters +- optional on-chain liquidity and settlement lanes + +### Current gaps + +- No source-priority model is yet frozen. +- No operator control model is yet defined for overrides, holds, or emergency liquidity routing. + +### Execution artifacts + +- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) +- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md) + +### Flowchart + +```mermaid +flowchart LR + REQUEST["Funding Request"] --> ENGINE["Liquidity Pooling / Aggregation Engine"] + ENGINE --> INTERNAL["Internal Treasury Pool"] + ENGINE --> BANKLINES["Bank Credit / Liquidity Lines"] + ENGINE --> CORR["Correspondent / Global Bank Sources"] + ENGINE --> ONCHAIN["Optional On-Chain Liquidity"] + INTERNAL --> DECISION["Funding Decision"] + BANKLINES --> DECISION + CORR --> DECISION + ONCHAIN --> DECISION + DECISION --> ORCH["RTGS Orchestrator"] + ORCH --> OMNL["OMNL / Fineract"] +``` + +### Contract — Liquidity-engine source selection and allocation + +- Owning subsystem: Liquidity pooling and aggregation engine +- Required integrations: treasury policy, source adapters, RTGS orchestrator, OMNL +- Canonical business object or event: funding request, allocation decision, liquidity hold/release +- Reconciliation / evidence requirement: chosen source and allocation rationale must be reconstructible +- Production completion condition: one canonical funding decision path is documented and validated + +## 11.5 Liquidity source adapter model + +### Current state + +- Source classes are referenced in treasury and correspondent-bank materials, but no canonical adapter model is yet frozen for each source family. +- The canonical production checklist row is: + - [Liquidity source adapters](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) + +### Target role + +- normalize access to internal treasury pools, bank lines, correspondent banks, and optional on-chain liquidity +- hide transport/auth differences behind one adapter family +- return funding availability, hold, release, and confirmation events into the liquidity engine + +### Required integrations + +- liquidity pooling and aggregation engine +- correspondent-bank and global-bank rails +- treasury controls and operator policies +- optional Chain 138 or sidecar/provider adapters + +### Current gaps + +- No adapter catalog yet exists for source families. +- No required minimum adapter contract is yet documented. + +### Execution artifacts + +- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) +- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md) + +### Contract — Liquidity source adapter + +- Owning subsystem: Treasury / integrations layer +- Required integrations: liquidity engine, bank/correspondent paths, treasury controls +- Canonical business object or event: liquidity quote, hold confirmation, release confirmation, failure reason +- Reconciliation / evidence requirement: source selection and adapter result must be linked to the settlement package +- Production completion condition: each in-scope source class has a defined adapter contract and mandatory sources are validated + +## 11.6 Custody / safekeeping / asset servicing architecture + +### Current state + +- Custody and safekeeping obligations are referenced implicitly in correspondent-bank, securities, and evidence discussions, but not yet frozen as one canonical lifecycle. +- The canonical production checklist row is: + - [Custody / safekeeping / asset servicing flow](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) + +### Target role + +- manage safekeeping, transfer, entitlement, and servicing lifecycles +- bind depository positions, custodian reporting, and settlement state into one auditable trail +- produce holdings, statements, and servicing evidence for institutional participants + +### Required integrations + +- depository / CSD layer +- global custodian layer +- OMNL participant and account model +- RTGS settlement and evidence package + +### Current gaps + +- No canonical custody lifecycle is yet frozen. +- Corporate-action, entitlement, and servicing events are not yet mapped into reconciliation artifacts. + +### Execution artifacts + +- [docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) +- [docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md) + +### Sequence and state view + +```mermaid +sequenceDiagram + participant DEP as Depository / CSD + participant CUST as Custodian + participant ORCH as RTGS Orchestrator + participant OMNL as OMNL / Fineract + participant EVIDENCE as Evidence Package + + DEP->>CUST: Position / entitlement update + CUST->>ORCH: Safekeeping or servicing instruction + ORCH->>OMNL: Accounting impact or fee posting + OMNL-->>ORCH: Posting confirmation + ORCH->>EVIDENCE: Reconciliation and servicing references + EVIDENCE-->>CUST: Statement / audit package references +``` + +```mermaid +stateDiagram-v2 + [*] --> Registered + Registered --> Safekept + Safekept --> Transferred + Safekept --> Serviced + Transferred --> Reconciled + Serviced --> Reconciled + Reconciled --> Reported + Reported --> [*] +``` + +### Contract — Custody, safekeeping, and asset-servicing lifecycle + +- Owning subsystem: Custody operations / product architecture layer +- Required integrations: depository, custodian, OMNL, evidence package +- Canonical business object or event: custody instruction, holdings statement, servicing event +- Reconciliation / evidence requirement: holdings, statements, and servicing events must reconcile to settlement and participant records +- Production completion condition: one end-to-end custody lifecycle is documented and validated with reconciliation/evidence output + --- # SECTION 12 — CROSS-CHAIN INTEROPERABILITY DESIGN @@ -468,7 +790,7 @@ Executable counterparts in this repository: | Phase 2 roadmap | `docs/02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md` | | Phase 3 liveness wrapper | `scripts/verify/run-dbis-phase3-e2e-simulation.sh`, `docs/03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md` | | Production gate | `docs/03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md` | -| RTGS E2E requirements matrix | `docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md` | +| RTGS canonical production checklist | `docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md` | | RTGS FX transaction catalog | `docs/03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md` | | Indonesia / BNI E2E integration blueprint | `docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md` | | RTGS first-slice architecture | `docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md` | diff --git a/docs/00-meta/TODO_TASK_LIST_MASTER.md b/docs/00-meta/TODO_TASK_LIST_MASTER.md index 27c32b7..dd20f71 100644 --- a/docs/00-meta/TODO_TASK_LIST_MASTER.md +++ b/docs/00-meta/TODO_TASK_LIST_MASTER.md @@ -197,6 +197,47 @@ - `scripts/omnl/omnl-office-create-*.sh` - `scripts/omnl/omnl-pvp-post-clearing-bank-kanaya.sh` +### 12.1A Depository / CSD layer + +- [ ] Define the depository / CSD operating model for in-scope DBIS instruments. +- [ ] Freeze whether the depository role is on-ledger, off-ledger, or hybrid. +- [ ] Freeze issuance, transfer, pledge, lien, and settlement-touch behavior for at least one canonical asset flow. +- [ ] Define participant-to-asset-register and custody relationships for depository-managed assets. + +### 12.1B Global custodian layer + +- [ ] Define the global custodian operating model and account structure. +- [ ] Freeze safekeeping, statement, and asset-servicing obligations across correspondent and global-bank paths. +- [ ] Define how custodian statements reconcile to OMNL and RTGS settlement state. + +### 12.1C FX pricing / dealing engine + +- [ ] Freeze the FX pricing hierarchy, approved rate sources, and quote-locking rules. +- [ ] Freeze the quote lifecycle from request to booking to reconciliation. +- [ ] Define how the FX engine integrates with OMNL, treasury, and HYBX sidecars. + +### 12.1D Liquidity pooling and aggregation engine + +- [ ] Define source prioritization, eligibility rules, allocation logic, and operator overrides. +- [ ] Freeze how liquidity decisions are recorded and reconciled against funding and settlement events. +- [ ] Decide when on-chain liquidity is part of the funding policy versus optional extension. + +### 12.1E Liquidity source adapters + +- [ ] Enumerate all in-scope liquidity source families: + - internal treasury pools + - bank credit / liquidity lines + - correspondent-bank sources + - optional on-chain liquidity +- [ ] Define one adapter contract per mandatory source class. +- [ ] Validate at least the mandatory source adapters used by the canonical RTGS rail. + +### 12.1F Custody / safekeeping / asset servicing flow + +- [ ] Define the canonical lifecycle for safekeeping, transfer, servicing, and statement production. +- [ ] Freeze custody-to-depository, custody-to-settlement, and custody-to-evidence relationships. +- [ ] Validate one end-to-end custody lifecycle with reconciliation and evidence output. + ### 12.2 Mifos / Fineract / OMNL banking rail - [ ] Freeze and execute the first-slice deployment checklist: @@ -309,14 +350,13 @@ ### 12.10 Production gate -- [ ] Create a dedicated RTGS E2E requirements matrix covering: +- [x] Canonical RTGS production checklist created and now maintained in [DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](../03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) with columns: - component - - current status - - repo / API source - - blocker + - current state + - required integration + - remaining task - owner - - production gate criteria -- [x] Initial matrix created: [DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](../03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md) + - production gate - [x] Initial HYBX sidecar boundary matrix created: [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](../03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) - [x] Initial Mojaloop status artifact created: [DBIS_MOJALOOP_INTEGRATION_STATUS.md](../03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md) - [x] Initial identity-stack decision artifact created: [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](../03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) diff --git a/docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md b/docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md index ea07553..608ee9a 100644 --- a/docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md +++ b/docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md @@ -44,6 +44,12 @@ This document is intentionally broader than the current deployed slice. It defin 5. **Chain 138 settlement lane** - optional but strategically important if on-ledger finality is part of the regulated operating model +6. **Depository / custody / liquidity-control layers** + - depository / CSD role for asset-register and settlement-touch scenarios + - global custodian role for safekeeping, statements, and asset servicing + - FX pricing / dealing engine for rate ownership and booking policy + - liquidity pooling and aggregation engine plus source adapters for funding decisions + ## 3. Full end-to-end stages ### Stage 0 — Static setup @@ -55,6 +61,9 @@ Required before live value movement: - beneficiary offices mapped - GL chart complete - FX reserve / revaluation accounts complete +- FX pricing hierarchy and quote-locking policy frozen +- liquidity source inventory and prioritization policy frozen +- depository / custody operating model frozen for any in-scope asset-backed or safekeeping flow - payment types and maker-checker policy frozen - sidecar-to-Fineract auth contract frozen - external bank routing matrix frozen @@ -88,6 +97,7 @@ Required checks: - sanctions and watchlist screening - limit checks - liquidity and prefunding check +- source-of-liquidity selection and approval - market conduct / rate authorization check - jurisdictional eligibility @@ -108,6 +118,7 @@ Required capabilities: - trade timestamp and value date - spread / fee logic - approved trader / operator identity +- pricing-engine or dealer ownership of the approved quote Required records: @@ -118,6 +129,7 @@ Required records: - rate - fee / spread component - realized vs unrealized P&L handling +- quote id and liquidity-decision reference ### Stage 4 — OMNL accounting and posting @@ -158,6 +170,7 @@ For global-bank and cross-border settlement: - nostro / vostro account chosen - prefunding / cover logic confirmed - message dispatched and acknowledged +- custody / safekeeping instructions attached where the flow involves held assets or global-custodian reporting ### Stage 6 — Funds movement and settlement confirmation @@ -168,6 +181,7 @@ Required evidence: - statement extract or advice - confirmation of beneficiary-bank receipt - unresolved exception queue if delayed +- custody statement / servicing reference where applicable ### Stage 7 — Reconciliation and package generation @@ -178,6 +192,8 @@ Required reconciliations: 3. FX trade blotter vs accounting postings 4. external bank confirmations vs OMNL settlement state 5. on-chain event vs OMNL event where chain leg exists +6. asset register / custody statement vs settlement state where depository flows apply +7. liquidity decision vs selected funding source vs actual settlement usage Required evidence outputs: @@ -305,6 +321,7 @@ Required responsibilities: - limit checks - prefunding and source-of-funds orchestration - status / approval / exception workflow +- handoff to liquidity pooling and source-adapter decisions ### `off-ledger-2-on-ledger-sidecar` @@ -312,6 +329,16 @@ Required responsibilities: - translate approved off-ledger event into on-ledger settlement action - attach rates, conversion basis, and settlement refs - record chain transaction linkage +- preserve depository / custody / liquidity references where those roles are in scope + +### Additional required control layers + +Required responsibilities: +- FX pricing / dealing engine owns quote generation or approved rate ingest +- liquidity pooling and aggregation engine owns funding-source selection +- liquidity source adapters normalize bank-line, correspondent, internal-pool, and optional on-chain liquidity access +- depository / CSD layer owns asset-register and settlement-touch behavior for in-scope instruments +- global custodian layer owns safekeeping, statements, and asset-servicing obligations ### Optional or later @@ -329,6 +356,9 @@ If on-ledger settlement is in scope, the following must be true: 3. reserve / oracle dependencies are frozen 4. sidecar correlation id maps to chain tx hash 5. evidence package includes chain settlement proof +6. depository / CSD touch point is frozen where asset-backed flows exist +7. custody / safekeeping statement linkage is frozen where custody applies +8. liquidity-source decision reference is preserved in the evidence package ## 9. Reconciliation requirements @@ -350,6 +380,12 @@ If on-ledger settlement is in scope, the following must be true: 5. **On-ledger reconciliation** - chain tx vs off-ledger settlement event +6. **Custody / depository reconciliation** + - asset register vs custody statement vs settlement state + +7. **Liquidity reconciliation** + - selected funding source vs liquidity decision vs actual settlement usage + ## 10. Full production-complete gate The OMNL → Indonesia / BNI → global-bank flow is only fully complete when: @@ -369,18 +405,21 @@ The OMNL → Indonesia / BNI → global-bank flow is only fully complete when: - treasury / funds sidecar lane not yet validated end to end - on-ledger settlement leg not yet included in the canonical transaction - participant / office / treasury model not yet frozen across all counterparties +- depository / custody operating model not yet frozen +- FX pricing engine and liquidity aggregation ownership not yet frozen ## 12. Execution order 1. freeze participant / office / GL / nostro-vostro model -2. freeze OMNL operator runbook -3. validate `server-funds-sidecar` -4. validate `off-ledger-2-on-ledger-sidecar` -5. acquire and document BNI / correspondent-bank endpoint and auth contracts -6. run one domestic Indonesia beneficiary-bank flow -7. run one correspondent-bank flow -8. add Chain 138 settlement leg if in scope -9. generate and sign the final evidence package +2. freeze depository / custody / FX / liquidity-control layers +3. freeze OMNL operator runbook +4. validate `server-funds-sidecar` +5. validate `off-ledger-2-on-ledger-sidecar` +6. acquire and document BNI / correspondent-bank endpoint and auth contracts +7. run one domestic Indonesia beneficiary-bank flow +8. run one correspondent-bank flow +9. add Chain 138 settlement leg if in scope +10. generate and sign the final evidence package ## Related artifacts diff --git a/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md b/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md index 3c39553..df20b26 100644 --- a/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md +++ b/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md @@ -1,105 +1,65 @@ -# DBIS RTGS E2E Requirements Matrix +# DBIS RTGS Canonical Production Checklist **Last updated:** 2026-03-29 -**Purpose:** Canonical implementation matrix for the full DBIS RTGS stack across Chain 138, OMNL / Fineract, HYBX sidecars, and the related Hyperledger layers. This document turns the RTGS TODO section into an executable requirements and production-gate artifact. +**Purpose:** Canonical production-readiness checklist for the full DBIS RTGS stack across Chain 138, OMNL / Fineract, HYBX sidecars, Indonesia / BNI banking flows, and optional Hyperledger identity and interoperability layers. -## Status legend +## Status guidance -- `Complete` — implemented and verified enough to be used in production for the stated role -- `Partial` — exists or works in a narrow slice, but not yet enough for full production use -- `Planned` — intentionally in scope, but not yet deployed or validated -- `Reserved placeholder` — inventory exists, but is not an active deployed workload -- `Retired / standby` — not active; retained only as reserve inventory until rebuilt +- Use `Complete` only for production-capable roles that are implemented and verified. +- Use `Partial` when a slice exists or works narrowly, but is not yet enough for full production use. +- Use `Planned` for intentionally in-scope components not yet deployed or validated. +- Use `Reserved placeholder` for inventory that exists but is not an active workload. +- Use `Retired / standby` for inventory that is intentionally inactive until rebuilt. -## Core matrix +## Canonical checklist -| Component | Current status | Owner | Current source / repo artifact | Main blockers | Production-gate criteria | -|-----------|----------------|-------|--------------------------------|---------------|--------------------------| -| Chain 138 Besu validator / sentry / RPC baseline | Complete | DBIS / infra ops | [check-chain138-rpc-health.sh](../../scripts/verify/check-chain138-rpc-health.sh), [DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md) | None for baseline | Public and core RPC healthy, head spread `0`, peer counts healthy, required wallet/explorer methods working | -| Explorer / Blockscout | Complete | DBIS / explorer ops | `explorer-monorepo`, explorer routing/API runbooks | Ongoing normal maintenance only | Explorer routes, API, token metadata, and RPC capability metadata remain healthy | -| FireFly primary `6200` | Partial | DBIS workflow / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md) | Minimal local gateway only; no proven multiparty production workflow yet | API healthy, config preserved, event model defined, cross-system orchestration validated | -| FireFly secondary `6201` | Retired / standby | DBIS workflow / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md) | Empty rootfs; no valid deployment payload | Either rebuilt as a real secondary node and verified, or left explicitly retired in all architecture claims | -| Fabric `6000-6002` | Reserved placeholder | DBIS architecture / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [DBIS_NODE_ROLE_MATRIX.md](../02-architecture/DBIS_NODE_ROLE_MATRIX.md) | No app payload, no listeners, no active peer/orderer processes | Either deploy real Fabric workloads and validate them, or keep them stopped and excluded from “active stack” claims | -| Indy `6400-6402` | Reserved placeholder | DBIS architecture / infra ops | [DBIS_HYPERLEDGER_RUNTIME_STATUS.md](DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [DBIS_NODE_ROLE_MATRIX.md](../02-architecture/DBIS_NODE_ROLE_MATRIX.md) | No app payload, no listeners, no active Indy processes | Either deploy real Indy workloads and validate them, or keep them stopped and excluded from “active stack” claims | -| Aries | Planned | Identity architecture lead | [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md), [TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md) | No deployed Aries runtime, no agent model defined | Decide in/out of scope; if in, deploy agents, define DID/wallet/protocol model, validate credential flows | -| AnonCreds | Planned | Identity architecture lead | [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md), [TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md) | No deployed credential flow, no issuer/holder/verifier model frozen | Decide in/out of scope; if in, define schema/credential lifecycle and validation path | -| Ursa | Planned | Identity / cryptography architecture lead | [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md), [TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md) | No explicit runtime control or deployment model defined | Decide in/out of scope; if in, document cryptographic role and operational dependency model | -| Cacti | Planned | Interoperability architecture lead | [dbis_chain_138_technical_master_plan.md](../../dbis_chain_138_technical_master_plan.md) | Not proven as current live interoperability engine | Decide in/out of scope; if in, deploy and validate real cross-ledger integration path | -| Caliper | Planned | Performance / QA lead | [CALIPER_CHAIN138_PERF_HOOK.md](CALIPER_CHAIN138_PERF_HOOK.md) | Hook exists, benchmark harness not yet routine | Add benchmark harness and run approved RTGS workload profiles | -| OMNL / Fineract API rail | Partial | OMNL / banking ops | [HYBX_BATCH_001_OPERATOR_CHECKLIST.md](../04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [scripts/omnl](../../scripts/omnl), [API_DOCUMENTATION.md](../11-references/API_DOCUMENTATION.md) | Full production package flow and participant model are not yet frozen as the canonical RTGS rail | Office / GL / JE / snapshot / package flow runs cleanly against live API and is operator-repeatable | -| Mifos X frontend / Fineract tenant | Partial | OMNL / banking ops | [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md), Mifos deployment docs | Authenticated tenant is now proven live for sidecar posting, but operator runbook and production participant model remain incomplete | UI/API confirmed healthy, tenant/auth stable, operator runbook complete | -| HYBX participant / office / treasury model | Planned | Banking architecture lead | OMNL scripts and central-bank config | Participant model and treasury structure not yet frozen end-to-end | Office IDs, treasury accounts, GL mapping, nostro/vostro model, and settlement roles are documented and accepted | -| Mojaloop integration | Planned | Payments interoperability lead | [DBIS_MOJALOOP_INTEGRATION_STATUS.md](DBIS_MOJALOOP_INTEGRATION_STATUS.md) | No proven live Mojaloop switch endpoint set or callback contract in repo-backed state | Endpoint/auth contract documented, quote/transfer/callback flow integrated, settlement-window behavior mapped to accounting and chain settlement | -| HYBX sidecar layer | Partial | HYBX app / integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Sidecars available, but full orchestration and system-of-record ownership not yet frozen | Sidecar-by-sidecar purpose, auth, ingress/egress, retries, and system-of-record ownership documented and validated | -| `mifos-fineract-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox, healthy, and has completed one authenticated live OMNL posting, but chain-settlement and evidence legs are still open | Sidecar API and event flow documented, at least one authenticated live transfer completed, and downstream settlement/evidence path validated | -| `mt103-hardcopy-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Ingestion path not yet tied into canonical RTGS workflow | MT103 ingest to settlement and evidence path is documented and tested | -| `off-ledger-2-on-ledger-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but canonical off-ledger source event and authenticated Fineract flow are not yet frozen | Canonical mapping from off-ledger event to Chain 138 settlement defined and tested | -| `securitization-engine-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Regulatory/accounting role not yet tied into RTGS runbook | Accounting and reporting responsibilities explicitly mapped and validated | -| `card-networks-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Not yet placed in RTGS path | Include only if card-network settlement is in scope and integrated | -| `server-funds-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but its final treasury/system-of-record boundary is not yet frozen | Define and validate if it is needed for treasury/funding orchestration | -| Chain 138 settlement contracts | Partial | Chain 138 / settlement lead | `smom-dbis-138`, `alltra-lifi-settlement`, [CONTRACTS_TO_DEPLOY.md](../11-references/CONTRACTS_TO_DEPLOY.md) | Canonical RTGS path not yet frozen across off-ledger ↔ on-ledger events | Final contract set chosen, deployed addresses frozen, flow tested end-to-end | -| MerchantSettlementRegistry | Partial | Chain 138 / settlement lead | `alltra-lifi-settlement` docs and deploy scripts | Need explicit placement in RTGS canonical flow | Registry integrated into business flow with verified inputs/outputs | -| WithdrawalEscrow | Partial | Chain 138 / settlement lead | `alltra-lifi-settlement` docs and deploy scripts | Need explicit placement in RTGS canonical flow | Escrow flow validated in settlement and withdrawal scenarios | -| DBIS / compliant settlement tokens | Partial | Chain 138 / monetary architecture lead | token/contract references throughout repo | Need final RTGS instrument selection per use case | Final instrument selection, mint/burn/reserve rules, and reconciliation path are frozen | -| Reserve / oracle dependencies | Partial | Monetary controls lead | Chain 138 reserve/oracle docs and scripts | RTGS-specific dependency mapping not yet frozen | Reserve attestations and oracle dependencies are documented and operational | -| FireFly / sidecar / chain event model | Planned | Workflow architecture lead | TODOs and FireFly docs | No single canonical correlation model yet | Event catalog, IDs, retries, and compensating actions defined | -| ISO 20022 evidence and vault path | Partial | Regulatory / compliance lead | [INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](../04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) | Need full institution-ready production completion | ISO vault manifest, hashes, and legal evidence path complete and reproducible | -| Institutional 4.995 package path | Partial | Regulatory / compliance lead | same standard + OMNL scripts | Requires real institution attestation and submission-grade evidence | `--strict` readiness passes with real institution materials | -| RTGS production gate | Planned | DBIS program owner | this matrix + [DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md) | Not all subsystems are green | All mandatory rows for the chosen RTGS architecture are `Complete` | +| Component | Current state | Required integration | Remaining task | Owner | Production gate | +|-----------|---------------|----------------------|----------------|-------|-----------------| +| Chain 138 Besu validator / sentry / RPC baseline | Complete. Validator, sentry, core, public, and named RPC tiers are live and script-verified. | Ongoing RPC, validator, and public wallet/explorer compatibility only. | Maintain health, peer spread, fee support, and public RPC method coverage. | DBIS / infra ops | Public and core RPC healthy, head spread `0`, peer counts healthy, wallet/explorer-required methods working. | +| Explorer / Blockscout | Complete. Explorer routes, APIs, token metadata, and RPC capability metadata are live. | Ongoing explorer API, token metadata, and wallet metadata compatibility. | Maintain explorer health, indexing freshness, metadata accuracy, and route stability. | DBIS / explorer ops | Explorer routes, APIs, and metadata remain healthy and consistent with Chain 138 runtime. | +| FireFly primary `6200` | Partial. Restored as a minimal local FireFly API footprint, not yet a proven multiparty production workflow engine. | FireFly event/orchestration model, sidecar and banking workflow correlation, and HA strategy. | Define event model, validate orchestration role, and decide whether FireFly is mandatory in slice 1. | DBIS workflow / infra ops | API healthy, config preserved, orchestration role defined, and real cross-system workflow validated. | +| FireFly secondary `6201` | Retired / standby. Inventory exists, but current rootfs does not contain a valid deployment payload. | Rebuild contract for a real secondary FireFly node if HA is required. | Either rebuild as a true secondary and validate failover, or keep explicitly retired in all architecture claims. | DBIS workflow / infra ops | Either rebuilt and verified as a real secondary, or formally excluded from active-stack claims. | +| Fabric `6000-6002` | Reserved placeholder. VMIDs exist, but app-level verification did not show active peer / orderer services or meaningful Fabric payloads. | Actual Fabric peer/orderer deployment model if Fabric is required by the RTGS target architecture. | Either deploy real Fabric workloads and validate them, or keep them stopped and excluded from active-stack claims. | DBIS architecture / infra ops | Real Fabric workloads deployed and validated, or the footprint remains explicitly placeholder-only. | +| Indy `6400-6402` | Reserved placeholder. VMIDs exist, but app-level verification did not show active Indy listeners or meaningful Indy payloads. | Actual Indy validator / identity runtime only if Indy is required by the RTGS target architecture. | Either deploy real Indy workloads and validate them, or keep them stopped and excluded from active-stack claims. | DBIS architecture / infra ops | Real Indy workloads deployed and validated, or the footprint remains explicitly placeholder-only. | +| Aries | Planned. No deployed Aries runtime is currently evidenced. | Identity-agent model, DID/wallet strategy, and credential-exchange role in RTGS workflows. | Decide in or out of scope for production slice 1; if in, deploy agents and validate flows. | Identity architecture lead | Scope decision is frozen, and if in scope the deployed agent model and flows are validated. | +| AnonCreds | Planned. No deployed credential flow is currently evidenced. | Issuer / holder / verifier model and credential lifecycle. | Decide in or out of scope for production slice 1; if in, freeze schema and verification flow. | Identity architecture lead | Scope decision is frozen, and if in scope the credential lifecycle is validated end to end. | +| Ursa | Planned. No explicit runtime dependency or operating model is currently evidenced. | Cryptographic runtime role, library dependency model, and operational controls. | Decide in or out of scope; if in, document and validate the cryptographic dependency model. | Identity / cryptography architecture lead | Scope decision is frozen, and if in scope the cryptographic dependency is documented and validated. | +| Cacti | Planned. Not currently proven as a live interoperability engine. | Cross-ledger interoperability contract and deployment model. | Decide whether Cacti is needed for production slice 1; if in, deploy and validate the real path. | Interoperability architecture lead | Scope decision is frozen, and if in scope the live interoperability path is deployed and tested. | +| Caliper | Planned. Documentation hook exists, but no routine benchmark harness is active. | Benchmark workload definitions for RTGS and Chain 138 settlement paths. | Build the approved benchmark harness and run accepted workload profiles. | Performance / QA lead | Benchmark harness exists and approved RTGS workloads have been executed and recorded. | +| OMNL / Fineract API rail | Partial. Live tenant and authenticated posting path are now proven, but the canonical RTGS operator rail is not fully frozen. | Stable OMNL tenant/auth contract, operator flow, office/GL mapping, and reconciliation package path. | Freeze tenant, operator runbook, participant model, and reproducible OMNL settlement rail. | OMNL / banking ops | Office / GL / JE / snapshot / package flow runs cleanly and repeatably against the intended live tenant. | +| Mifos X frontend / Fineract tenant | Partial. Runtime is live and sidecars can authenticate, but production operator model is not fully frozen. | Stable UI/API tenant contract, secrets, and operator procedures. | Finalize tenant/auth, operator usage, and runbook completeness. | OMNL / banking ops | UI/API healthy, tenant/auth stable, and operator procedures are complete and repeatable. | +| HYBX participant / office / treasury model | Planned. Participant, office, reserve, settlement, and treasury roles are not yet frozen end to end. | OMNL participant model, office mappings, GL mappings, and treasury structure. | Freeze participant classes, office IDs, treasury accounts, and nostro/vostro model. | Banking architecture lead | Participant, treasury, reserve, and GL structures are documented, accepted, and used by the canonical rail. | +| Depository / CSD layer | Planned. No dedicated depository or CSD runtime and no frozen asset-register model are yet evidenced in the current RTGS stack. | Securities ownership model, settlement-finality link, asset register, and participant/custody relationships. | Define whether the depository role is on-ledger, off-ledger, or hybrid; freeze issuance, transfer, pledge, and settlement-touch points. | Securities / market-infrastructure architecture lead | Depository role, participant model, and settlement interaction are documented and validated in at least one canonical asset flow. | +| Global custodian layer | Planned. No explicit global custodian runtime, account model, or reporting path is yet frozen in repo-backed state. | Correspondent banks, global custodians, safekeeping accounts, corporate-action handling, and asset-servicing obligations. | Define the custody operating model, account structure, reporting obligations, and reconciliation with OMNL and RTGS settlement. | Custody / institutional banking integration lead | Custody account model, reconciliation path, and reporting obligations are frozen and tested in a canonical custody flow. | +| FX pricing / dealing engine | Planned. FX flow requirements are documented, but no single pricing/dealing engine contract is yet frozen as the production source of rates and booking rules. | Treasury policy, rate sources, quote locking, spreads, value dates, and gain/loss accounting. | Freeze the pricing hierarchy, quote lifecycle, booking rules, and integration into OMNL and sidecars. | FX / treasury architecture lead | One canonical FX transaction runs with frozen pricing inputs, accounting, and reconciliation. | +| Liquidity pooling and aggregation engine | Planned. Liquidity sourcing is implied across treasury and correspondent flows, but no explicit pooling/aggregation engine is yet modeled as a production component. | Treasury policy, reserve policy, liquidity providers, internal pools, external bank lines, and optional on-chain liquidity. | Define source prioritization, eligibility rules, allocation logic, and operator controls. | Liquidity architecture lead | Liquidity sourcing logic is documented and one canonical funding decision path is validated. | +| Liquidity source adapters | Planned. No source-by-source adapter contract has been frozen for bank lines, treasury pools, correspondent banks, or optional on-chain liquidity. | Bank lines, correspondent banks, internal treasury pools, optional on-chain pools, and optional sidecar/provider adapters. | Enumerate source families and define one adapter contract per source class. | Treasury / integrations lead | Each in-scope liquidity source class has a defined adapter contract and at least the mandatory sources are validated. | +| Custody / safekeeping / asset servicing flow | Planned. Custody, safekeeping, and servicing obligations are referenced indirectly through settlement and correspondent flows, but not yet modeled as one canonical lifecycle. | Depository, custodian, participant accounts, statements, corporate actions, holdings reconciliation, and evidence path. | Define the canonical lifecycle for safekeeping, transfer, servicing, and statement production. | Custody operations / product architecture lead | One end-to-end custody lifecycle is documented and validated with reconciliation/evidence output. | +| Mojaloop integration | Planned. No live Mojaloop switch endpoint/auth/callback contract is yet evidenced here. | Mojaloop quote, transfer, callback, and settlement-window contract. | Document live Mojaloop endpoints/auth and integrate them if Mojaloop remains in scope. | Payments interoperability lead | Endpoint/auth contract is frozen and quote/transfer/callback/settlement behavior is validated. | +| HYBX sidecar layer | Partial. Sidecar families are known, and first-slice sidecars are deployed, but full boundaries and ownership are not yet frozen. | Sidecar-by-sidecar ingress/egress, retries, auth, and system-of-record ownership. | Freeze sidecar boundaries, orchestration model, and canonical RTGS event path. | HYBX app / integration lead | Sidecar purposes, auth, retries, and system-of-record ownership are documented and validated. | +| `mifos-fineract-sidecar` | Partial. Deployed on Proxmox, healthy, and has completed an authenticated live OMNL posting. | OMNL/Fineract tenant contract and downstream settlement/evidence path. | Extend validation from posting success to the full settlement/evidence path. | HYBX integration lead | Sidecar API and event flow documented, and at least one authenticated live transfer completes through downstream settlement/evidence. | +| `server-funds-sidecar` | Partial. Deployed on Proxmox and healthy, but treasury/system-of-record boundaries are not yet frozen. | OMNL treasury/funding orchestration contract and participant model. | Freeze whether it is mandatory in the first RTGS slice and validate its business flow. | HYBX integration lead | Treasury/funding role is defined and a real authenticated business flow is validated. | +| `off-ledger-2-on-ledger-sidecar` | Partial. Deployed on Proxmox, healthy, and able to drive the first Chain 138 settlement leg with safe pending-anchor degradation. | Canonical off-ledger event source, OMNL/Fineract posting contract, and Chain 138 settlement finality path. | Freeze the canonical off-ledger source event and complete final receipt/finality handling. | HYBX integration lead | Off-ledger event to Chain 138 settlement is frozen and tested end to end with durable evidence output. | +| `mt103-hardcopy-sidecar` | Partial. Known sidecar, but not yet tied into the canonical RTGS path. | MT103 ingest, bank-message archive, and settlement/evidence mapping. | Decide whether it is in scope and, if yes, integrate MT103 ingest into the canonical RTGS flow. | HYBX integration lead | MT103 ingestion path is documented, integrated, and tested if in scope. | +| `securitization-engine-sidecar` | Partial. Known sidecar, but regulatory/accounting role in RTGS is not yet frozen. | Accounting, collateral, and reporting responsibilities in the RTGS operating model. | Define whether it participates in RTGS slice 1 and validate the required role if so. | HYBX integration lead | Its RTGS responsibility is either validated or explicitly out of scope. | +| `card-networks-sidecar` | Partial. Known sidecar, but not yet placed in the RTGS path. | Card-network settlement role only if card rails are included in scope. | Include only if card settlement is part of production scope; otherwise keep it out of the canonical path. | HYBX integration lead | Scope decision is frozen, and if included the settlement path is validated. | +| Chain 138 settlement contracts | Partial. Contract families exist, but the exact RTGS contract path is not yet frozen as one canonical settlement lane. | Final contract path between OMNL-side events and on-chain settlement evidence. | Freeze the exact contract set and document how each business flow reaches Chain 138. | Chain 138 / settlement lead | Final contract set is frozen, deployed addresses are accepted, and the path is tested end to end. | +| MerchantSettlementRegistry | Partial. Available contract family, but exact placement in the canonical RTGS flow is not yet frozen. | RTGS settlement workflow and evidence mapping. | Decide exactly when and how the registry is invoked in RTGS settlement. | Chain 138 / settlement lead | Registry path is integrated into the business flow with verified inputs and outputs. | +| WithdrawalEscrow | Partial. Available contract family, but exact placement in RTGS withdrawal scenarios is not yet frozen. | Withdrawal / release / payout semantics in the RTGS model. | Freeze the escrow role for settlement and withdrawal scenarios. | Chain 138 / settlement lead | Escrow flow is validated in the chosen settlement and withdrawal scenarios. | +| DBIS / compliant settlement tokens | Partial. Candidate instruments exist, but the final RTGS instrument set is not yet frozen by use case. | Monetary architecture, reserve rules, mint/burn policy, and reconciliation policy. | Select the final RTGS instruments and freeze their control and reconciliation model. | Chain 138 / monetary architecture lead | Final instrument selection, reserve rules, and reconciliation path are documented and validated. | +| Reserve / oracle dependencies | Partial. Reserve and oracle systems exist, but the RTGS-specific dependency mapping is not yet frozen. | RTGS dependency model for reserve attestations, price references, and control policy. | Freeze which reserve/oracle controls are required for RTGS settlement and FX support. | Monetary controls lead | RTGS reserve/oracle dependencies are documented, accepted, and operational. | +| FireFly / sidecar / chain event model | Planned. No single canonical correlation and retry model is yet frozen. | Shared IDs, correlation, retry, compensating actions, and event archive policy. | Define one canonical event model across OMNL, sidecars, and Chain 138. | Workflow architecture lead | Event catalog, IDs, retries, and compensating actions are defined and validated. | +| ISO 20022 evidence and vault path | Partial. Evidence standard exists, but full institution-ready production completion is not yet frozen. | ISO 20022 archive, manifest, vaulting, and hash anchoring contract. | Complete ISO evidence packaging and archive references for the RTGS path. | Regulatory / compliance lead | ISO manifests, hashes, archive references, and legal evidence path are complete and reproducible. | +| Institutional 4.995 package path | Partial. Package standards and scripts exist, but real institution submission-grade completion is not yet frozen. | Institutional attestation, submission package, and strict readiness contract. | Complete the evidence path with real institution-ready materials and `--strict` readiness. | Regulatory / compliance lead | `--strict` readiness passes with real institution materials and reproducible evidence output. | +| Indonesia / BNI domestic banking path | Planned. Blueprint exists, but live BNI endpoint/auth/message contract is not yet evidenced. | BNI institution profile, domestic route definition, auth, account validation, and reporting obligations. | Freeze the BNI-connected route and message/auth contract for production. | Indonesia banking integration lead | Live BNI contract is documented, validated, and used in the canonical Indonesia payment flow. | +| Global correspondent / liquidity bank path | Planned. Blueprint exists, but live correspondent endpoint/auth/message contract is not yet evidenced. | SWIFT / ISO / correspondent-bank endpoint, auth, nostro/vostro, and confirmation contract. | Freeze the correspondent-bank route and integrate it with OMNL, sidecars, and reconciliation. | Cross-border banking integration lead | Live correspondent contract is documented and a real cross-border flow is validated. | +| RTGS production gate | Planned. The gate exists conceptually, but not all mandatory lanes are green yet. | All mandatory banking, sidecar, settlement, evidence, and external-bank integrations for the chosen production architecture. | Turn all mandatory rows for the chosen production architecture to `Complete`. | DBIS program owner | All mandatory checklist rows for the chosen RTGS production architecture are `Complete`. | -## First-slice implementation note +## Immediate execution priority -The current recommended first production slice is frozen in: - -- [DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md) -- [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) - -As of 2026-03-29, the following first-slice sidecars are deployed on Proxmox VE and runtime-healthy: - -- `mifos-fineract-sidecar` -- `server-funds-sidecar` -- `off-ledger-2-on-ledger-sidecar` - -Additional proven fact for the first slice: - -- `mifos-fineract-sidecar` has completed at least one authenticated live transfer into OMNL / Fineract with verified debit/credit journal entries (`transactionId: a16a10b3bc47`). - -This is still not equivalent to full RTGS production completion. The deployment checklist remains the gate for chain settlement, evidence output, and the remaining sidecar lanes. - -## Immediate execution priorities - -### Priority 1 — Freeze the canonical banking rail - -1. Freeze the canonical HYBX batch / settlement operator flow on top of the now-proven OMNL tenant/auth path. -2. Lock the participant / treasury / GL model. -3. Extend authenticated business-flow validation beyond SCSM into the remaining in-scope sidecars. - -### Priority 2 — Freeze the interoperability path - -1. Decide whether Mojaloop is in-scope now or a later phase. -2. Decide which HYBX sidecars are truly part of the initial RTGS path. -3. Decide whether Aries / AnonCreds / Ursa are required in the first production slice. - -### Priority 3 — Freeze the settlement path - -1. Define the exact off-ledger to on-ledger mapping. -2. Freeze the Chain 138 contract path used by RTGS. -3. Define reconciliation and evidence outputs for each settlement batch. - -## Minimum “full RTGS E2E” green criteria - -The RTGS stack can be called fully end-to-end only when all of the following are true: - -1. The Fineract / OMNL operator flow runs cleanly against the intended live tenant. -2. The participant / treasury / GL model is frozen and documented. -3. The required HYBX sidecars are integrated and their boundaries are documented. -4. If Mojaloop is in scope, quote / transfer / callback / settlement logic is live and validated. -5. The Chain 138 settlement path is frozen and validated. -6. Required Hyperledger identity/workflow layers are either: - - deployed and validated, or - - explicitly out of scope for the first production slice. -7. Regulatory evidence generation passes at submission grade. -8. The final production gate is updated to reflect those facts. +1. Freeze the canonical banking rail on the now-proven OMNL tenant/auth path. +2. Freeze the participant / treasury / GL model plus the depository, custody, FX, and liquidity-control layers. +3. Complete the canonical settlement path from HYBX sidecars into Chain 138 and evidence output. ## Related artifacts diff --git a/docs/MASTER_INDEX.md b/docs/MASTER_INDEX.md index 517871e..aed25ae 100644 --- a/docs/MASTER_INDEX.md +++ b/docs/MASTER_INDEX.md @@ -58,7 +58,7 @@ |------|-----------------| | **00-meta** (tasks, next steps, phases) | [00-meta/NEXT_STEPS_INDEX.md](00-meta/NEXT_STEPS_INDEX.md), [00-meta/PHASES_AND_TASKS_MASTER.md](00-meta/PHASES_AND_TASKS_MASTER.md) | | **02-architecture** | [02-architecture/](02-architecture/) — **Public sector + Phoenix catalog baseline:** [02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md); **non-goals (incl. catalog vs marketing §9):** [02-architecture/NON_GOALS.md](02-architecture/NON_GOALS.md); **DBIS Chain 138:** [dbis_chain_138_technical_master_plan.md](../dbis_chain_138_technical_master_plan.md), [02-architecture/DBIS_NODE_ROLE_MATRIX.md](02-architecture/DBIS_NODE_ROLE_MATRIX.md), [02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md](02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md) | -| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) | +| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) | | **04-configuration** | [04-configuration/README.md](04-configuration/README.md), [04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) | | **06-besu** | [06-besu/MASTER_INDEX.md](06-besu/MASTER_INDEX.md) | | **Testnet (2138)** | [testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md](testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md), [testnet/TESTNET_DEPLOYMENT.md](testnet/TESTNET_DEPLOYMENT.md) |