From d513ac35c01d51d52b0b893b1d92200b460a954a Mon Sep 17 00:00:00 2001 From: defiQUG Date: Sun, 29 Mar 2026 00:29:29 -0700 Subject: [PATCH] Freeze OMNL-backed SCSM first-slice status --- dbis_chain_138_technical_master_plan.md | 3 +- .../DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md | 22 ++++++----- ...S_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md | 39 ++++++++++++++----- .../deploy-dbis-rtgs-first-slice-sidecars.sh | 26 ++++++++----- 4 files changed, 61 insertions(+), 29 deletions(-) diff --git a/dbis_chain_138_technical_master_plan.md b/dbis_chain_138_technical_master_plan.md index 0998fea..a6ccd1b 100644 --- a/dbis_chain_138_technical_master_plan.md +++ b/dbis_chain_138_technical_master_plan.md @@ -448,7 +448,8 @@ Separate security compliance and benchmark reports remain future deliverables un - Ceph-backed distributed storage is still roadmap work. - Full VLAN / sovereign network segmentation is still roadmap work. - Final entity ownership assignments remain incomplete. -- The selected first-slice HYBX sidecars are now deployed internally on Proxmox VE and healthy at the runtime level, but the authenticated Fineract tenant flow and canonical RTGS business transaction are not yet frozen end to end. +- The selected first-slice HYBX sidecars are now deployed internally on Proxmox VE and healthy at the runtime level. +- The `mifos-fineract-sidecar` lane has now completed at least one authenticated live OMNL / Fineract transfer posting, but the broader participant model, Chain 138 settlement leg, reconciliation/evidence output, and the `server-funds-sidecar` / `off-ledger-2-on-ledger-sidecar` business flows are still not frozen end to end. ## Planning gaps diff --git a/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md b/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md index 4731358..3c39553 100644 --- a/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md +++ b/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md @@ -1,6 +1,6 @@ # DBIS RTGS E2E Requirements Matrix -**Last updated:** 2026-03-28 +**Last updated:** 2026-03-29 **Purpose:** Canonical implementation matrix for the full DBIS RTGS stack across Chain 138, OMNL / Fineract, HYBX sidecars, and the related Hyperledger layers. This document turns the RTGS TODO section into an executable requirements and production-gate artifact. ## Status legend @@ -26,12 +26,12 @@ | Ursa | Planned | Identity / cryptography architecture lead | [DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md), [TODO_TASK_LIST_MASTER.md](../00-meta/TODO_TASK_LIST_MASTER.md) | No explicit runtime control or deployment model defined | Decide in/out of scope; if in, document cryptographic role and operational dependency model | | Cacti | Planned | Interoperability architecture lead | [dbis_chain_138_technical_master_plan.md](../../dbis_chain_138_technical_master_plan.md) | Not proven as current live interoperability engine | Decide in/out of scope; if in, deploy and validate real cross-ledger integration path | | Caliper | Planned | Performance / QA lead | [CALIPER_CHAIN138_PERF_HOOK.md](CALIPER_CHAIN138_PERF_HOOK.md) | Hook exists, benchmark harness not yet routine | Add benchmark harness and run approved RTGS workload profiles | -| OMNL / Fineract API rail | Partial | OMNL / banking ops | [HYBX_BATCH_001_OPERATOR_CHECKLIST.md](../04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [scripts/omnl](../../scripts/omnl), [API_DOCUMENTATION.md](../11-references/API_DOCUMENTATION.md) | Full production package flow not yet frozen as canonical RTGS rail | Office / GL / JE / snapshot / package flow runs cleanly against live API and is operator-repeatable | -| Mifos X frontend / Fineract tenant | Partial | OMNL / banking ops | [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md), Mifos deployment docs | Need confirmed prod tenancy, auth, and operating procedures for RTGS workload | UI/API confirmed healthy, tenant/auth stable, operator runbook complete | +| OMNL / Fineract API rail | Partial | OMNL / banking ops | [HYBX_BATCH_001_OPERATOR_CHECKLIST.md](../04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [scripts/omnl](../../scripts/omnl), [API_DOCUMENTATION.md](../11-references/API_DOCUMENTATION.md) | Full production package flow and participant model are not yet frozen as the canonical RTGS rail | Office / GL / JE / snapshot / package flow runs cleanly against live API and is operator-repeatable | +| Mifos X frontend / Fineract tenant | Partial | OMNL / banking ops | [ALL_VMIDS_ENDPOINTS.md](../04-configuration/ALL_VMIDS_ENDPOINTS.md), Mifos deployment docs | Authenticated tenant is now proven live for sidecar posting, but operator runbook and production participant model remain incomplete | UI/API confirmed healthy, tenant/auth stable, operator runbook complete | | HYBX participant / office / treasury model | Planned | Banking architecture lead | OMNL scripts and central-bank config | Participant model and treasury structure not yet frozen end-to-end | Office IDs, treasury accounts, GL mapping, nostro/vostro model, and settlement roles are documented and accepted | | Mojaloop integration | Planned | Payments interoperability lead | [DBIS_MOJALOOP_INTEGRATION_STATUS.md](DBIS_MOJALOOP_INTEGRATION_STATUS.md) | No proven live Mojaloop switch endpoint set or callback contract in repo-backed state | Endpoint/auth contract documented, quote/transfer/callback flow integrated, settlement-window behavior mapped to accounting and chain settlement | | HYBX sidecar layer | Partial | HYBX app / integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Sidecars available, but full orchestration and system-of-record ownership not yet frozen | Sidecar-by-sidecar purpose, auth, ingress/egress, retries, and system-of-record ownership documented and validated | -| `mifos-fineract-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but authenticated Fineract tenant flow is not yet frozen | Sidecar API and event flow documented and validated against live Fineract rail | +| `mifos-fineract-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox, healthy, and has completed one authenticated live OMNL posting, but chain-settlement and evidence legs are still open | Sidecar API and event flow documented, at least one authenticated live transfer completed, and downstream settlement/evidence path validated | | `mt103-hardcopy-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Ingestion path not yet tied into canonical RTGS workflow | MT103 ingest to settlement and evidence path is documented and tested | | `off-ledger-2-on-ledger-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) | Runtime is deployed on Proxmox and healthy, but canonical off-ledger source event and authenticated Fineract flow are not yet frozen | Canonical mapping from off-ledger event to Chain 138 settlement defined and tested | | `securitization-engine-sidecar` | Partial | HYBX integration lead | [DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md) | Regulatory/accounting role not yet tied into RTGS runbook | Accounting and reporting responsibilities explicitly mapped and validated | @@ -54,21 +54,25 @@ The current recommended first production slice is frozen in: - [DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md) - [DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md) -As of 2026-03-28, the following first-slice sidecars are at least build-verified locally: +As of 2026-03-29, the following first-slice sidecars are deployed on Proxmox VE and runtime-healthy: - `mifos-fineract-sidecar` - `server-funds-sidecar` - `off-ledger-2-on-ledger-sidecar` -That is not yet equivalent to production deployment. The deployment checklist remains the gate for Proxmox promotion and live RTGS flow validation. +Additional proven fact for the first slice: + +- `mifos-fineract-sidecar` has completed at least one authenticated live transfer into OMNL / Fineract with verified debit/credit journal entries (`transactionId: a16a10b3bc47`). + +This is still not equivalent to full RTGS production completion. The deployment checklist remains the gate for chain settlement, evidence output, and the remaining sidecar lanes. ## Immediate execution priorities ### Priority 1 — Freeze the canonical banking rail -1. Confirm the exact OMNL / Fineract tenant, auth, and operator path to use for RTGS. -2. Freeze the canonical HYBX batch / settlement operator flow. -3. Lock the participant / treasury / GL model. +1. Freeze the canonical HYBX batch / settlement operator flow on top of the now-proven OMNL tenant/auth path. +2. Lock the participant / treasury / GL model. +3. Extend authenticated business-flow validation beyond SCSM into the remaining in-scope sidecars. ### Priority 2 — Freeze the interoperability path diff --git a/docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md b/docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md index 32ce70d..bf7ef49 100644 --- a/docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md +++ b/docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md @@ -1,6 +1,6 @@ # DBIS RTGS First Slice Deployment Checklist -**Last updated:** 2026-03-28 +**Last updated:** 2026-03-29 **Purpose:** Convert the first-slice RTGS architecture into a deployable checklist for Proxmox VE and live operator validation. This document is intentionally narrower than the full RTGS program. It only covers the components chosen for the initial production slice. ## Scope @@ -67,11 +67,28 @@ As of 2026-03-28/29: - Redis: active - health: `UP` +What is now proven: + +- the canonical authenticated OMNL / Fineract tenant flow is live for the SCSM lane: + - base URL: `https://omnl.hybxfinance.io/fineract-provider/api/v1` + - tenant: `omnl` + - user: `app.omnl` +- `rtgs-scsm-1` can post authenticated journal-entry batches into OMNL / Fineract +- one canonical live transfer has completed through the deployed sidecar runtime: + - sidecar response: + - `messageId: c6e44bc8-aa04-4eba-b983-6293967f24b7` + - `transactionId: a16a10b3bc47` + - `status: COMPLETED` + - verified OMNL journal entries: + - debit `GL 1410` amount `1.11` + - credit `GL 2100` amount `1.11` + - comments `SCSM transfer c6e44bc8-aa04-4eba-b983-6293967f24b7` + What is still not complete: -- the canonical authenticated Fineract tenant flow is not yet frozen in the sidecar runtime -- the sidecars can reach the live Fineract endpoint at the HTTP layer, but current checks stop at `400 Bad Request` without the final request/auth contract -- no canonical RTGS transaction has yet been executed across OMNL / Fineract, sidecar logic, Chain 138 settlement, and final evidence output +- the participant / office / treasury / GL model is not yet frozen as the full RTGS production model +- `server-funds-sidecar` and `off-ledger-2-on-ledger-sidecar` are runtime-healthy, but do not yet have equivalent authenticated business-flow validation +- the canonical RTGS flow is not yet complete across OMNL / Fineract, sidecar logic, Chain 138 settlement, and final evidence output ## Runtime deployment baseline @@ -87,7 +104,7 @@ What is still not complete: ### OMNL / Fineract -- [ ] Confirm the exact production tenant, auth path, and base URL +- [x] Confirm the exact production tenant, auth path, and base URL - [ ] Freeze the operator runbook and canonical batch flow - [ ] Confirm the participant / office / treasury / GL model used by the sidecars @@ -122,9 +139,10 @@ What is still not complete: **Deployment gate before Proxmox promotion:** - [ ] Confirm production DB target - [ ] Confirm Redis target -- [ ] Confirm Fineract base URL and tenant/auth -- [ ] Prove `/actuator/health/readiness` healthy with production-like dependencies -- [ ] Validate one canonical transfer request path against the intended Fineract rail +- [x] Confirm Fineract base URL and tenant/auth +- [x] Prove `/actuator/health/readiness` healthy with production-like dependencies +- [x] Validate one canonical transfer request path against the intended Fineract rail +- [ ] Eliminate the current hard-stop / forced-restart workaround needed for some jar upgrades on the SCSM systemd unit ### `server-funds-sidecar` @@ -209,7 +227,8 @@ What is still not complete: - [x] Process starts under systemd / container supervisor - [x] Health endpoints return healthy -- [ ] API base paths respond for a canonical business flow +- [x] `mifos-fineract-sidecar` API base path responds for a canonical business flow +- [ ] `server-funds-sidecar` and `off-ledger-2-on-ledger-sidecar` API base paths respond for canonical business flows - [x] Logs show no dependency boot failures for current runtime boot - [x] Sidecar can reach Fineract at the HTTP layer - [x] Sidecar can reach required local Redis dependency @@ -217,7 +236,7 @@ What is still not complete: ### Functional verification -- [ ] `mifos-fineract-sidecar` processes one canonical transfer +- [x] `mifos-fineract-sidecar` processes one canonical transfer - [ ] `server-funds-sidecar` processes one canonical funds/approval flow if in scope - [ ] `off-ledger-2-on-ledger-sidecar` processes one canonical conversion/settlement flow - [ ] Chain 138 receives and records the intended settlement leg where applicable diff --git a/scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh b/scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh index 5afc1fb..d6c456d 100755 --- a/scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh +++ b/scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh @@ -8,6 +8,13 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" +if [[ -f "$PROJECT_ROOT/omnl-fineract/.env" ]]; then + set +u + # shellcheck source=/dev/null + source "$PROJECT_ROOT/omnl-fineract/.env" + set -u +fi + HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}" SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new" @@ -15,12 +22,12 @@ SCSM_JAR="/home/intlc/projects/HYBX_Sidecars/mifos-fineract-sidecar/scsm-app/tar FUNDS_JAR="/home/intlc/projects/HYBX_Sidecars/server-funds-sidecar/funds-app/target/funds-app-1.0.0-SNAPSHOT.jar" XAU_JAR="/home/intlc/projects/HYBX_Sidecars/off-ledger-2-on-ledger-sidecar/target/off-ledger-2-on-ledger-sidecar-0.1.0-SNAPSHOT.jar" -SCSM_FINERACT_BASE_URL="${SCSM_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}" -SCSM_FINERACT_TENANT="${SCSM_FINERACT_TENANT:-omnl}" -SCSM_FINERACT_USERNAME="${SCSM_FINERACT_USERNAME:-}" -SCSM_FINERACT_PASSWORD="${SCSM_FINERACT_PASSWORD:-}" +SCSM_FINERACT_BASE_URL="${SCSM_FINERACT_BASE_URL:-${OMNL_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}}" +SCSM_FINERACT_TENANT="${SCSM_FINERACT_TENANT:-${OMNL_FINERACT_TENANT:-omnl}}" +SCSM_FINERACT_USERNAME="${SCSM_FINERACT_USERNAME:-${OMNL_FINERACT_USER:-}}" +SCSM_FINERACT_PASSWORD="${SCSM_FINERACT_PASSWORD:-${OMNL_FINERACT_PASSWORD:-}}" -FUNDS_FINERACT_BASE_URL="${FUNDS_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}" +FUNDS_FINERACT_BASE_URL="${FUNDS_FINERACT_BASE_URL:-${OMNL_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}}" XAU_FINERACT_BASE_URL="${XAU_FINERACT_BASE_URL:-http://192.168.11.85:8080}" XAU_FEED_URL="${XAU_FEED_URL:-}" @@ -102,7 +109,8 @@ DB_USER=sa DB_PASSWORD= REDIS_HOST=127.0.0.1 REDIS_PORT=6379 -KAFKA_BOOTSTRAP_SERVERS=localhost:9092 +KAFKA_BOOTSTRAP_SERVERS= +SCSM_KAFKA_ENABLED=false FINERACT_BASE_URL=${SCSM_FINERACT_BASE_URL} FINERACT_TENANT=${SCSM_FINERACT_TENANT} FINERACT_USERNAME=${SCSM_FINERACT_USERNAME} @@ -131,7 +139,7 @@ WantedBy=multi-user.target EOF push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-scsm.service" rm -f "$unit" - run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/scsm /opt/dbis-rtgs/scsm /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-scsm --now" + run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/scsm /opt/dbis-rtgs/scsm /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-scsm && systemctl restart dbis-rtgs-scsm" wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/scsm-health.json" } @@ -173,7 +181,7 @@ WantedBy=multi-user.target EOF push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-funds.service" rm -f "$unit" - run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/funds /opt/dbis-rtgs/funds /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-funds --now" + run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/funds /opt/dbis-rtgs/funds /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-funds && systemctl restart dbis-rtgs-funds" wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/funds-health.json" } @@ -211,7 +219,7 @@ WantedBy=multi-user.target EOF push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-xau.service" rm -f "$unit" - run_remote "$vmid" "mkdir -p /opt/dbis-rtgs/xau /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-xau --now" + run_remote "$vmid" "mkdir -p /opt/dbis-rtgs/xau /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-xau && systemctl restart dbis-rtgs-xau" wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/xau-health.json" }