Deploy DBIS RTGS first-slice sidecars

2026-03-29 00:01:34 -07:00
parent 3f8d1a1e2c
commit 4ef9ca58ef
8 changed files with 471 additions and 10 deletions
--- a/config/proxmox-operational-template.json
+++ b/config/proxmox-operational-template.json
@@ -1138,6 +1138,60 @@
        "mifos.d-bis.org"
      ]
    },
+    {
+      "vmid": 5802,
+      "hostname": "rtgs-scsm-1",
+      "ipv4": "192.168.11.89",
+      "preferred_node": "r630-02",
+      "category": "rtgs-sidecar",
+      "runtime_state": "active_internal_health_ok",
+      "notes": "Deployed 2026-03-28/29 as the DBIS RTGS SCSM sidecar. systemd service active, local Redis active, and /actuator/health returned UP. Live Fineract reachability to 5800 is confirmed at the HTTP layer; authenticated production flow still requires final tenant/auth freeze.",
+      "ports": [
+        {
+          "port": 8080
+        },
+        {
+          "port": 6379
+        }
+      ],
+      "fqdns": []
+    },
+    {
+      "vmid": 5803,
+      "hostname": "rtgs-funds-1",
+      "ipv4": "192.168.11.90",
+      "preferred_node": "r630-02",
+      "category": "rtgs-sidecar",
+      "runtime_state": "active_internal_health_ok",
+      "notes": "Deployed 2026-03-28/29 as the DBIS RTGS server-funds sidecar. systemd service active, local Redis active, and /actuator/health returned UP. Live Fineract reachability to 5800 is confirmed at the HTTP layer; authenticated production flow still requires final tenant/auth freeze.",
+      "ports": [
+        {
+          "port": 8080
+        },
+        {
+          "port": 6379
+        }
+      ],
+      "fqdns": []
+    },
+    {
+      "vmid": 5804,
+      "hostname": "rtgs-xau-1",
+      "ipv4": "192.168.11.92",
+      "preferred_node": "r630-02",
+      "category": "rtgs-sidecar",
+      "runtime_state": "active_internal_health_ok",
+      "notes": "Deployed 2026-03-28/29 as the DBIS RTGS off-ledger-to-on-ledger XAU sidecar. systemd service active and /actuator/health returned UP. Live Fineract reachability to 5800 is confirmed at the HTTP layer; authenticated production flow still requires final tenant/auth freeze.",
+      "ports": [
+        {
+          "port": 8080
+        },
+        {
+          "port": 6379
+        }
+      ],
+      "fqdns": []
+    },
    {
      "vmid": 5801,
      "hostname": "dapp-smom",
--- a/dbis_chain_138_technical_master_plan.md
+++ b/dbis_chain_138_technical_master_plan.md
@@ -448,7 +448,7 @@ Separate security compliance and benchmark reports remain future deliverables un
 - Ceph-backed distributed storage is still roadmap work.
 - Full VLAN / sovereign network segmentation is still roadmap work.
 - Final entity ownership assignments remain incomplete.
- The selected first-slice HYBX sidecars are build-verified locally, but not yet deployed to production runtime on Proxmox VE.
+- The selected first-slice HYBX sidecars are now deployed internally on Proxmox VE and healthy at the runtime level, but the authenticated Fineract tenant flow and canonical RTGS business transaction are not yet frozen end to end.

 ## Planning gaps

--- a/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md
+++ b/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md
@@ -31,12 +31,12 @@
 | HYBX participant / office / treasury model | Planned | Banking architecture lead | OMNL scripts and central-bank config | Participant model and treasury structure not yet frozen end-to-end | Office IDs, treasury accounts, GL mapping, nostro/vostro model, and settlement roles are documented and accepted |
 | Mojaloop integration | Planned | Payments interoperability lead | [DBIS_MOJALOOP_INTEGRATION_STATUS.md](DBIS_MOJALOOP_INTEGRATION_STATUS.md) | No proven live Mojaloop switch endpoint set or callback contract in repo-backed state | Endpoint/auth contract documented, quote/transfer/callback flow integrated, settlement-window behavior mapped to accounting and chain settlement |
 | HYBX sidecar layer | Partial | HYBX app / integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Sidecars available, but full orchestration and system-of-record ownership not yet frozen | Sidecar-by-sidecar purpose, auth, ingress/egress, retries, and system-of-record ownership documented and validated |
-| `mifos-fineract-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Integration contract not yet wired into canonical RTGS runbook | Sidecar API and event flow documented and validated against live Fineract rail |
+| `mifos-fineract-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but authenticated Fineract tenant flow is not yet frozen | Sidecar API and event flow documented and validated against live Fineract rail |
 | `mt103-hardcopy-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Ingestion path not yet tied into canonical RTGS workflow | MT103 ingest to settlement and evidence path is documented and tested |
-| `off-ledger-2-on-ledger-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Off-ledger to on-ledger conversion path not yet frozen | Canonical mapping from off-ledger event to Chain 138 settlement defined and tested |
+| `off-ledger-2-on-ledger-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but canonical off-ledger source event and authenticated Fineract flow are not yet frozen | Canonical mapping from off-ledger event to Chain 138 settlement defined and tested |
 | `securitization-engine-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Regulatory/accounting role not yet tied into RTGS runbook | Accounting and reporting responsibilities explicitly mapped and validated |
 | `card-networks-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Not yet placed in RTGS path | Include only if card-network settlement is in scope and integrated |
-| `server-funds-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Not yet placed in RTGS path | Define and validate if it is needed for treasury/funding orchestration |
+| `server-funds-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but its final treasury/system-of-record boundary is not yet frozen | Define and validate if it is needed for treasury/funding orchestration |
 | Chain 138 settlement contracts | Partial | Chain 138 / settlement lead | `smom-dbis-138`, `alltra-lifi-settlement`, [CONTRACTS_TO_DEPLOY.md](../11-references/CONTRACTS_TO_DEPLOY.md) | Canonical RTGS path not yet frozen across off-ledger ↔ on-ledger events | Final contract set chosen, deployed addresses frozen, flow tested end-to-end |
 | MerchantSettlementRegistry | Partial | Chain 138 / settlement lead | `alltra-lifi-settlement` docs and deploy scripts | Need explicit placement in RTGS canonical flow | Registry integrated into business flow with verified inputs/outputs |
 | WithdrawalEscrow | Partial | Chain 138 / settlement lead | `alltra-lifi-settlement` docs and deploy scripts | Need explicit placement in RTGS canonical flow | Escrow flow validated in settlement and withdrawal scenarios |
--- a/docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md
+++ b/docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md
@@ -50,6 +50,29 @@ The following sidecars were built successfully on 2026-03-28 with Maven and `-Ds
 - Verified runnable artifact:
  - `/home/intlc/projects/HYBX_Sidecars/off-ledger-2-on-ledger-sidecar/target/off-ledger-2-on-ledger-sidecar-0.1.0-SNAPSHOT.jar`

+## Current deployment status
+
+As of 2026-03-28/29:
+
+- `5802` `rtgs-scsm-1` is deployed on `r630-02`
+  - systemd: `dbis-rtgs-scsm`
+  - Redis: active
+  - health: `UP`
+- `5803` `rtgs-funds-1` is deployed on `r630-02`
+  - systemd: `dbis-rtgs-funds`
+  - Redis: active
+  - health: `UP`
+- `5804` `rtgs-xau-1` is deployed on `r630-02`
+  - systemd: `dbis-rtgs-xau`
+  - Redis: active
+  - health: `UP`
+
+What is still not complete:
+
+- the canonical authenticated Fineract tenant flow is not yet frozen in the sidecar runtime
+- the sidecars can reach the live Fineract endpoint at the HTTP layer, but current checks stop at `400 Bad Request` without the final request/auth contract
+- no canonical RTGS transaction has yet been executed across OMNL / Fineract, sidecar logic, Chain 138 settlement, and final evidence output
+
 ## Runtime deployment baseline

 ### Besu / explorer / FireFly
@@ -184,12 +207,13 @@ The following sidecars were built successfully on 2026-03-28 with Maven and `-Ds

 ### Runtime verification

- [ ] Process starts under systemd / container supervisor
- [ ] Health endpoints return healthy
- [ ] API base paths respond
- [ ] Logs show no dependency boot failures
- [ ] Sidecar can reach Fineract
- [ ] Sidecar can reach any required Redis / DB / Kafka dependency
+- [x] Process starts under systemd / container supervisor
+- [x] Health endpoints return healthy
+- [ ] API base paths respond for a canonical business flow
+- [x] Logs show no dependency boot failures for current runtime boot
+- [x] Sidecar can reach Fineract at the HTTP layer
+- [x] Sidecar can reach required local Redis dependency
+- [ ] Sidecar can reach final production DB / Kafka dependencies if those are required by the chosen slice

 ### Functional verification

@@ -199,6 +223,22 @@ The following sidecars were built successfully on 2026-03-28 with Maven and `-Ds
 - [ ] Chain 138 receives and records the intended settlement leg where applicable
 - [ ] Reconciliation and audit outputs are captured

+## Verification command
+
+Use:
+
+```bash
+bash scripts/verify/check-dbis-rtgs-first-slice.sh
+```
+
+This verifies:
+
+- CT status
+- systemd service status
+- local Redis status
+- local actuator health
+- live Fineract HTTP reachability from each sidecar CT
+
 ## First-slice production gate

 The first RTGS production slice should be treated as deployable only when all of the following are true:
--- a/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
+++ b/docs/04-configuration/ALL_VMIDS_ENDPOINTS.md
@@ -180,6 +180,21 @@ The following VMIDs have been permanently removed:

 ---

+### DBIS RTGS first-slice sidecars
+
+| VMID | IP Address | Hostname | Status | Endpoints | Purpose |
+|------|------------|----------|--------|-----------|---------|
+| 5802 | 192.168.11.89 | rtgs-scsm-1 | ✅ Running | App: 8080, Redis: 6379 | DBIS RTGS `mifos-fineract-sidecar` / SCSM |
+| 5803 | 192.168.11.90 | rtgs-funds-1 | ✅ Running | App: 8080, Redis: 6379 | DBIS RTGS `server-funds-sidecar` |
+| 5804 | 192.168.11.92 | rtgs-xau-1 | ✅ Running | App: 8080, Redis: 6379 | DBIS RTGS `off-ledger-2-on-ledger-sidecar` |
+
+**Operational note (2026-03-28/29):**
+- These three sidecars are deployed internally on `r630-02` and return local actuator health.
+- They can reach the live Mifos / Fineract surface on VMID `5800` at the HTTP layer.
+- Canonical authenticated RTGS flow is still pending final Fineract tenant/auth freeze, so these should currently be treated as `runtime deployed, functionally partial`.
+
+---
+
 ### Hyperledger Fabric

 | VMID | IP Address | Hostname | Status | Endpoints | Purpose |
--- a/scripts/deployment/create-dbis-rtgs-sidecar-lxcs.sh
+++ b/scripts/deployment/create-dbis-rtgs-sidecar-lxcs.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Create the three DBIS RTGS first-slice sidecar LXCs on r630-02.
+# Usage:
+#   ./scripts/deployment/create-dbis-rtgs-sidecar-lxcs.sh [--dry-run]
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+
+HOST="${PROXMOX_HOST_R630_02:-${PROXMOX_R630_02:-192.168.11.12}}"
+NETWORK="${NETWORK:-vmbr0}"
+GATEWAY="${NETWORK_GATEWAY:-192.168.11.1}"
+DNS="${DNS_PRIMARY:-1.1.1.1}"
+STORAGE="${RTGS_SIDECAR_STORAGE:-thin3}"
+TEMPLATE="${TEMPLATE_UBUNTU_24:-local:vztmpl/ubuntu-24.04-standard_24.04-1_amd64.tar.zst}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+DRY_RUN=false
+if [[ "${1:-}" == "--dry-run" ]]; then
+  DRY_RUN=true
+fi
+
+SIDEcars=(
+  "5802 rtgs-scsm-1 192.168.11.89 4096 2 24"
+  "5803 rtgs-funds-1 192.168.11.90 4096 2 24"
+  "5804 rtgs-xau-1 192.168.11.92 4096 2 24"
+)
+
+resolve_template() {
+  if ssh $SSH_OPTS "root@$HOST" "pveam list local 2>/dev/null | grep -q 'ubuntu-24.04-standard'" 2>/dev/null; then
+    echo "local:vztmpl/ubuntu-24.04-standard_24.04-1_amd64.tar.zst"
+  elif ssh $SSH_OPTS "root@$HOST" "pveam list local 2>/dev/null | grep -q 'ubuntu-22.04-standard'" 2>/dev/null; then
+    echo "local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst"
+  else
+    echo "$TEMPLATE"
+  fi
+}
+
+TEMPLATE="$(resolve_template)"
+
+echo "=== DBIS RTGS first-slice sidecar LXCs ==="
+echo "Host: $HOST"
+echo "Storage: $STORAGE"
+echo "Template: $TEMPLATE"
+echo
+
+for spec in "${SIDEcars[@]}"; do
+  read -r VMID HOSTNAME IP MEMORY CORES ROOTFS_GB <<<"$spec"
+  if ssh $SSH_OPTS "root@$HOST" "pct status $VMID >/dev/null 2>&1"; then
+    echo "CT $VMID already exists on $HOST; skipping create."
+    continue
+  fi
+
+  CREATE_CMD="pct create $VMID $TEMPLATE \
+    --hostname $HOSTNAME \
+    --memory $MEMORY \
+    --cores $CORES \
+    --rootfs $STORAGE:${ROOTFS_GB} \
+    --net0 name=eth0,bridge=$NETWORK,ip=$IP/24,gw=$GATEWAY \
+    --features nesting=1,keyctl=1 \
+    --nameserver $DNS \
+    --onboot 1 \
+    --start 1 \
+    --unprivileged 0 \
+    --description 'DBIS RTGS first-slice sidecar LXC ($HOSTNAME)'"
+
+  if $DRY_RUN; then
+    echo "[DRY-RUN] $CREATE_CMD"
+    echo
+    continue
+  fi
+
+  echo "Creating CT $VMID ($HOSTNAME, $IP)..."
+  ssh $SSH_OPTS "root@$HOST" "$CREATE_CMD"
+done
+
+echo "Done."
--- a/scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh
+++ b/scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh
@@ -0,0 +1,233 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deploy the three selected DBIS RTGS first-slice sidecars to their LXC targets.
+# Usage:
+#   ./scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh [--dry-run]
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+SCSM_JAR="/home/intlc/projects/HYBX_Sidecars/mifos-fineract-sidecar/scsm-app/target/scsm-app-1.0.0-SNAPSHOT.jar"
+FUNDS_JAR="/home/intlc/projects/HYBX_Sidecars/server-funds-sidecar/funds-app/target/funds-app-1.0.0-SNAPSHOT.jar"
+XAU_JAR="/home/intlc/projects/HYBX_Sidecars/off-ledger-2-on-ledger-sidecar/target/off-ledger-2-on-ledger-sidecar-0.1.0-SNAPSHOT.jar"
+
+SCSM_FINERACT_BASE_URL="${SCSM_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}"
+SCSM_FINERACT_TENANT="${SCSM_FINERACT_TENANT:-omnl}"
+SCSM_FINERACT_USERNAME="${SCSM_FINERACT_USERNAME:-}"
+SCSM_FINERACT_PASSWORD="${SCSM_FINERACT_PASSWORD:-}"
+
+FUNDS_FINERACT_BASE_URL="${FUNDS_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}"
+
+XAU_FINERACT_BASE_URL="${XAU_FINERACT_BASE_URL:-http://192.168.11.85:8080}"
+XAU_FEED_URL="${XAU_FEED_URL:-}"
+XAU_STUB_PRICE="${XAU_STUB_PRICE:-2000}"
+
+DRY_RUN=false
+if [[ "${1:-}" == "--dry-run" ]]; then
+  DRY_RUN=true
+fi
+
+TARGETS="${TARGETS:-scsm,funds,xau}"
+
+require_file() {
+  local path="$1"
+  if [[ ! -f "$path" ]]; then
+    echo "Missing required artifact: $path" >&2
+    exit 1
+  fi
+}
+
+require_file "$SCSM_JAR"
+require_file "$FUNDS_JAR"
+require_file "$XAU_JAR"
+
+run_remote() {
+  local vmid="$1"
+  local cmd="$2"
+  if $DRY_RUN; then
+    echo "[DRY-RUN][CT $vmid] $cmd"
+  else
+    ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc $(printf '%q' "$cmd")"
+  fi
+}
+
+target_enabled() {
+  local want="$1"
+  [[ ",$TARGETS," == *",$want,"* ]]
+}
+
+wait_for_health() {
+  local vmid="$1"
+  local url="$2"
+  local out_file="$3"
+  local attempts="${4:-20}"
+  local sleep_seconds="${5:-2}"
+  local cmd="for i in \$(seq 1 $attempts); do if curl -sf \"$url\" > \"$out_file\"; then cat \"$out_file\"; exit 0; fi; sleep $sleep_seconds; done; exit 7"
+  run_remote "$vmid" "$cmd"
+}
+
+push_file() {
+  local vmid="$1"
+  local src="$2"
+  local dest="$3"
+  if $DRY_RUN; then
+    echo "[DRY-RUN][CT $vmid] copy $src -> $dest"
+  else
+    ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- mkdir -p $(dirname "$dest")"
+    ssh $SSH_OPTS "root@$HOST" "cat > /tmp/$(basename "$dest")" < "$src"
+    ssh $SSH_OPTS "root@$HOST" "pct push $vmid /tmp/$(basename "$dest") $dest >/dev/null && rm -f /tmp/$(basename "$dest")"
+  fi
+}
+
+setup_base_runtime() {
+  local vmid="$1"
+  run_remote "$vmid" "export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y openjdk-21-jre-headless redis-server curl ca-certificates"
+  run_remote "$vmid" "systemctl enable redis-server --now"
+}
+
+deploy_scsm() {
+  local vmid=5802
+  setup_base_runtime "$vmid"
+  push_file "$vmid" "$SCSM_JAR" "/opt/dbis-rtgs/scsm/scsm-app.jar"
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<EOF
+SERVER_PORT=8080
+DB_URL=jdbc:h2:file:/var/lib/dbis-rtgs/scsm/scsm;DB_CLOSE_ON_EXIT=FALSE
+DB_USER=sa
+DB_PASSWORD=
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+KAFKA_BOOTSTRAP_SERVERS=localhost:9092
+FINERACT_BASE_URL=${SCSM_FINERACT_BASE_URL}
+FINERACT_TENANT=${SCSM_FINERACT_TENANT}
+FINERACT_USERNAME=${SCSM_FINERACT_USERNAME}
+FINERACT_PASSWORD=${SCSM_FINERACT_PASSWORD}
+FINERACT_OFFICE_ID=1
+EOF
+  push_file "$vmid" "$envfile" "/etc/dbis-rtgs/scsm.env"
+  rm -f "$envfile"
+  unit="$(mktemp)"
+  cat > "$unit" <<'EOF'
+[Unit]
+Description=DBIS RTGS SCSM sidecar
+After=network-online.target redis-server.service
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/scsm
+EnvironmentFile=/etc/dbis-rtgs/scsm.env
+ExecStart=/usr/bin/java -jar /opt/dbis-rtgs/scsm/scsm-app.jar
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-scsm.service"
+  rm -f "$unit"
+  run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/scsm /opt/dbis-rtgs/scsm /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-scsm --now"
+  wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/scsm-health.json"
+}
+
+deploy_funds() {
+  local vmid=5803
+  setup_base_runtime "$vmid"
+  push_file "$vmid" "$FUNDS_JAR" "/opt/dbis-rtgs/funds/funds-app.jar"
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<EOF
+SERVER_PORT=8080
+DB_URL=jdbc:h2:file:/var/lib/dbis-rtgs/funds/funds;DB_CLOSE_ON_EXIT=FALSE
+DB_USER=sa
+DB_PASSWORD=
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+KAFKA_BOOTSTRAP_SERVERS=localhost:9092
+FINERACT_BASE_URL=${FUNDS_FINERACT_BASE_URL}
+EOF
+  push_file "$vmid" "$envfile" "/etc/dbis-rtgs/funds.env"
+  rm -f "$envfile"
+  unit="$(mktemp)"
+  cat > "$unit" <<'EOF'
+[Unit]
+Description=DBIS RTGS server-funds sidecar
+After=network-online.target redis-server.service
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/funds
+EnvironmentFile=/etc/dbis-rtgs/funds.env
+ExecStart=/usr/bin/java -jar /opt/dbis-rtgs/funds/funds-app.jar
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-funds.service"
+  rm -f "$unit"
+  run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/funds /opt/dbis-rtgs/funds /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-funds --now"
+  wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/funds-health.json"
+}
+
+deploy_xau() {
+  local vmid=5804
+  setup_base_runtime "$vmid"
+  push_file "$vmid" "$XAU_JAR" "/opt/dbis-rtgs/xau/off-ledger-2-on-ledger-sidecar.jar"
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<EOF
+SERVER_PORT=8080
+FINERACT_BASE_URL=${XAU_FINERACT_BASE_URL}
+XAU_FEED_URL=${XAU_FEED_URL}
+XAU_STUB_PRICE=${XAU_STUB_PRICE}
+EOF
+  push_file "$vmid" "$envfile" "/etc/dbis-rtgs/xau.env"
+  rm -f "$envfile"
+  unit="$(mktemp)"
+  cat > "$unit" <<'EOF'
+[Unit]
+Description=DBIS RTGS XAU conversion sidecar
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/xau
+EnvironmentFile=/etc/dbis-rtgs/xau.env
+ExecStart=/usr/bin/java -jar /opt/dbis-rtgs/xau/off-ledger-2-on-ledger-sidecar.jar
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-xau.service"
+  rm -f "$unit"
+  run_remote "$vmid" "mkdir -p /opt/dbis-rtgs/xau /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-xau --now"
+  wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/xau-health.json"
+}
+
+echo "=== Deploy DBIS RTGS first-slice sidecars ==="
+echo "Host: $HOST"
+echo
+
+if target_enabled scsm; then
+  deploy_scsm
+fi
+if target_enabled funds; then
+  deploy_funds
+fi
+if target_enabled xau; then
+  deploy_xau
+fi
+
+echo
+echo "Done."
--- a/scripts/verify/check-dbis-rtgs-first-slice.sh
+++ b/scripts/verify/check-dbis-rtgs-first-slice.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Verify the deployed DBIS RTGS first-slice sidecars on Proxmox VE.
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+check_ct() {
+  local vmid="$1"
+  local hostname="$2"
+  local service="$3"
+
+  echo "=== CT $vmid ($hostname) ==="
+  ssh $SSH_OPTS "root@$HOST" "pct status $vmid"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'systemctl is-active redis-server'"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'systemctl is-active $service'"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'curl -sf http://127.0.0.1:8080/actuator/health'"
+  echo
+}
+
+echo "=== DBIS RTGS first-slice runtime check ==="
+echo "Host: $HOST"
+echo
+
+check_ct 5802 rtgs-scsm-1 dbis-rtgs-scsm
+check_ct 5803 rtgs-funds-1 dbis-rtgs-funds
+check_ct 5804 rtgs-xau-1 dbis-rtgs-xau
+
+echo "=== Fineract reachability from sidecars ==="
+for vmid in 5802 5803 5804; do
+  printf 'CT %s -> ' "$vmid"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'curl -s -o /tmp/fineract.out -w \"%{http_code}\" http://192.168.11.85:8080/fineract-provider/api/v1/offices'"
+  echo
+done
+
+echo
+echo "Interpretation:"
+echo "- 200 means unauthenticated route unexpectedly open or credentials baked into proxy"
+echo "- 400/401 means HTTP reachability exists, but authenticated tenant flow is not yet frozen"