From ee95e980e9dfb7f7c593caf28226fa236b7f4ecb Mon Sep 17 00:00:00 2001
From: defiQUG <defi@defi-oracle.io>
Date: Sun, 29 Mar 2026 02:28:15 -0700
Subject: [PATCH] Add RTGS later-phase sidecar deployment scaffolding

---
 dbis_chain_138_technical_master_plan.md       |   2 +
 .../DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md      |   2 +
 ...TER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md |  54 ++++++
 docs/MASTER_INDEX.md                          |   2 +-
 ...eate-dbis-rtgs-later-phase-sidecar-lxcs.sh |  54 ++++++
 .../deploy-dbis-rtgs-later-phase-sidecars.sh  | 178 ++++++++++++++++++
 .../check-dbis-rtgs-later-phase-sidecars.sh   |  38 ++++
 7 files changed, 329 insertions(+), 1 deletion(-)
 create mode 100644 docs/03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md
 create mode 100644 scripts/deployment/create-dbis-rtgs-later-phase-sidecar-lxcs.sh
 create mode 100644 scripts/deployment/deploy-dbis-rtgs-later-phase-sidecars.sh
 create mode 100644 scripts/verify/check-dbis-rtgs-later-phase-sidecars.sh

diff --git a/dbis_chain_138_technical_master_plan.md b/dbis_chain_138_technical_master_plan.md
index 9cecb8c..c4ca0a7 100644
--- a/dbis_chain_138_technical_master_plan.md
+++ b/dbis_chain_138_technical_master_plan.md
@@ -802,6 +802,8 @@ Executable counterparts in this repository:
 | RTGS FX and liquidity operating model | `docs/03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md` |
 | RTGS control-plane deployment checklist | `docs/03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md` |
 | RTGS control-plane deployment scripts | `scripts/deployment/create-dbis-rtgs-control-plane-lxcs.sh`, `scripts/deployment/deploy-dbis-rtgs-control-plane.sh`, `scripts/verify/check-dbis-rtgs-control-plane.sh` |
+| RTGS later-phase sidecars deployment checklist | `docs/03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md` |
+| RTGS later-phase sidecars deployment scripts | `scripts/deployment/create-dbis-rtgs-later-phase-sidecar-lxcs.sh`, `scripts/deployment/deploy-dbis-rtgs-later-phase-sidecars.sh`, `scripts/verify/check-dbis-rtgs-later-phase-sidecars.sh` |
 | Indonesia / BNI E2E integration blueprint | `docs/03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md` |
 | RTGS first-slice architecture | `docs/03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md` |
 | RTGS first-slice deployment checklist | `docs/03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md` |
diff --git a/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md b/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md
index df20b26..7270097 100644
--- a/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md
+++ b/docs/03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md
@@ -43,6 +43,8 @@
 | `mt103-hardcopy-sidecar` | Partial. Known sidecar, but not yet tied into the canonical RTGS path. | MT103 ingest, bank-message archive, and settlement/evidence mapping. | Decide whether it is in scope and, if yes, integrate MT103 ingest into the canonical RTGS flow. | HYBX integration lead | MT103 ingestion path is documented, integrated, and tested if in scope. |
 | `securitization-engine-sidecar` | Partial. Known sidecar, but regulatory/accounting role in RTGS is not yet frozen. | Accounting, collateral, and reporting responsibilities in the RTGS operating model. | Define whether it participates in RTGS slice 1 and validate the required role if so. | HYBX integration lead | Its RTGS responsibility is either validated or explicitly out of scope. |
 | `card-networks-sidecar` | Partial. Known sidecar, but not yet placed in the RTGS path. | Card-network settlement role only if card rails are included in scope. | Include only if card settlement is part of production scope; otherwise keep it out of the canonical path. | HYBX integration lead | Scope decision is frozen, and if included the settlement path is validated. |
+| `securities-sidecar` | Partial. Known sidecar with runnable application shape, but its depository/custody placement in the RTGS architecture is not yet frozen. | Instrument resolution, securities instructions, settlement events, and position reconciliation linked to the depository/custody operating model. | Freeze whether it is the runtime boundary for depository/custody flows and validate one canonical securities/custody path if so. | HYBX integration lead | Scope decision is frozen, and if included one canonical securities or custody flow is validated. |
+| `flash-loan-xau-sidecar` | Planned. Runnable sidecar exists locally, but its role in the RTGS production path is still specialized and optional. | XAU-specific liquidity, conversion, and settlement logic only if retained as part of the target architecture. | Decide whether it remains a specialized liquidity extension or enters the canonical RTGS path; validate if retained. | HYBX integration lead | Scope decision is frozen, and if included the XAU liquidity path is validated end to end. |
 | Chain 138 settlement contracts | Partial. Contract families exist, but the exact RTGS contract path is not yet frozen as one canonical settlement lane. | Final contract path between OMNL-side events and on-chain settlement evidence. | Freeze the exact contract set and document how each business flow reaches Chain 138. | Chain 138 / settlement lead | Final contract set is frozen, deployed addresses are accepted, and the path is tested end to end. |
 | MerchantSettlementRegistry | Partial. Available contract family, but exact placement in the canonical RTGS flow is not yet frozen. | RTGS settlement workflow and evidence mapping. | Decide exactly when and how the registry is invoked in RTGS settlement. | Chain 138 / settlement lead | Registry path is integrated into the business flow with verified inputs and outputs. |
 | WithdrawalEscrow | Partial. Available contract family, but exact placement in RTGS withdrawal scenarios is not yet frozen. | Withdrawal / release / payout semantics in the RTGS model. | Freeze the escrow role for settlement and withdrawal scenarios. | Chain 138 / settlement lead | Escrow flow is validated in the chosen settlement and withdrawal scenarios. |
diff --git a/docs/03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md b/docs/03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md
new file mode 100644
index 0000000..61bcd43
--- /dev/null
+++ b/docs/03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md
@@ -0,0 +1,54 @@
+# DBIS RTGS Later-Phase Sidecars Deployment Checklist
+
+**Last updated:** 2026-03-29  
+**Purpose:** Deployment checklist for the next sidecar tranche beyond the currently deployed first-slice services.
+
+## 1. Target sidecars
+
+| Sidecar | Runtime type | Expected artifact | Health path |
+|---------|--------------|-------------------|-------------|
+| `securities-sidecar` | Java / Spring Boot | `securities-app/target/securities-app-1.0.0-SNAPSHOT.jar` | `GET /actuator/health` |
+| `card-networks-sidecar` | Java / Spring Boot | `cardnet-app/target/cardnet-app-1.0.0-SNAPSHOT.jar` | `GET /actuator/health` |
+| `mt103-hardcopy-sidecar` | Go binary | `./server` built from `cmd/server` | `GET /health` |
+
+## 2. Intended role in DBIS RTGS
+
+- `securities-sidecar`
+  - later-phase depository / custody / securities instruction lane
+- `card-networks-sidecar`
+  - later-phase card-rail settlement lane
+- `mt103-hardcopy-sidecar`
+  - evidence and hardcopy-bank-message archive lane
+
+## 3. Target runtime
+
+Suggested default Proxmox targets on `r630-02`:
+
+- `5808` `rtgs-securities-1`
+- `5809` `rtgs-cardnet-1`
+- `5810` `rtgs-mt103-1`
+
+## 4. Required inputs before deployment
+
+- built JAR for `securities-sidecar`
+- built JAR for `card-networks-sidecar`
+- built Go binary for `mt103-hardcopy-sidecar`
+- OMNL / Fineract tenant/auth contract for the Java sidecars
+- PostgreSQL decision for `mt103-hardcopy-sidecar`
+- Redis host/port for Java sidecars
+
+## 5. Deployment gates
+
+- [ ] each artifact exists and is versioned
+- [ ] each target CT exists and is reachable
+- [ ] each service can start under systemd
+- [ ] health endpoint returns success
+- [ ] Fineract reachability is proven for Java sidecars
+- [ ] storage/database reachability is proven for the MT103 sidecar
+- [ ] one canonical later-phase business flow is identified per sidecar before production claims are made
+
+## 6. Scripts
+
+- [create-dbis-rtgs-later-phase-sidecar-lxcs.sh](/home/intlc/projects/proxmox/scripts/deployment/create-dbis-rtgs-later-phase-sidecar-lxcs.sh)
+- [deploy-dbis-rtgs-later-phase-sidecars.sh](/home/intlc/projects/proxmox/scripts/deployment/deploy-dbis-rtgs-later-phase-sidecars.sh)
+- [check-dbis-rtgs-later-phase-sidecars.sh](/home/intlc/projects/proxmox/scripts/verify/check-dbis-rtgs-later-phase-sidecars.sh)
diff --git a/docs/MASTER_INDEX.md b/docs/MASTER_INDEX.md
index 969003b..10fe1e8 100644
--- a/docs/MASTER_INDEX.md
+++ b/docs/MASTER_INDEX.md
@@ -58,7 +58,7 @@
 |------|-----------------|
 | **00-meta** (tasks, next steps, phases) | [00-meta/NEXT_STEPS_INDEX.md](00-meta/NEXT_STEPS_INDEX.md), [00-meta/PHASES_AND_TASKS_MASTER.md](00-meta/PHASES_AND_TASKS_MASTER.md) |
 | **02-architecture** | [02-architecture/](02-architecture/) — **Public sector + Phoenix catalog baseline:** [02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md); **non-goals (incl. catalog vs marketing §9):** [02-architecture/NON_GOALS.md](02-architecture/NON_GOALS.md); **DBIS Chain 138:** [dbis_chain_138_technical_master_plan.md](../dbis_chain_138_technical_master_plan.md), [02-architecture/DBIS_NODE_ROLE_MATRIX.md](02-architecture/DBIS_NODE_ROLE_MATRIX.md), [02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md](02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md) |
-| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) |
+| **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) |
 | **04-configuration** | [04-configuration/README.md](04-configuration/README.md), [04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) |
 | **06-besu** | [06-besu/MASTER_INDEX.md](06-besu/MASTER_INDEX.md) |
 | **Testnet (2138)** | [testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md](testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md), [testnet/TESTNET_DEPLOYMENT.md](testnet/TESTNET_DEPLOYMENT.md) |
diff --git a/scripts/deployment/create-dbis-rtgs-later-phase-sidecar-lxcs.sh b/scripts/deployment/create-dbis-rtgs-later-phase-sidecar-lxcs.sh
new file mode 100644
index 0000000..e5cc177
--- /dev/null
+++ b/scripts/deployment/create-dbis-rtgs-later-phase-sidecar-lxcs.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Create placeholder LXCs for later-phase DBIS RTGS sidecars.
+# Usage:
+#   ./scripts/deployment/create-dbis-rtgs-later-phase-sidecar-lxcs.sh [--dry-run]
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+TEMPLATE="${PVE_LXC_TEMPLATE:-local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst}"
+STORAGE="${PVE_STORAGE:-local-lvm}"
+BRIDGE="${PVE_BRIDGE:-vmbr0}"
+GATEWAY="${PVE_GATEWAY:-192.168.11.1}"
+
+DRY_RUN=false
+if [[ "${1:-}" == "--dry-run" ]]; then
+  DRY_RUN=true
+fi
+
+LXCS=(
+  "${RTGS_SECURITIES_VMID:-5808} ${RTGS_SECURITIES_HOSTNAME:-rtgs-securities-1} ${RTGS_SECURITIES_IP:-192.168.11.96} 4096 2 24"
+  "${RTGS_CARDNET_VMID:-5809} ${RTGS_CARDNET_HOSTNAME:-rtgs-cardnet-1} ${RTGS_CARDNET_IP:-192.168.11.97} 4096 2 24"
+  "${RTGS_MT103_VMID:-5810} ${RTGS_MT103_HOSTNAME:-rtgs-mt103-1} ${RTGS_MT103_IP:-192.168.11.98} 4096 2 24"
+)
+
+run_remote() {
+  local cmd="$1"
+  if $DRY_RUN; then
+    echo "[DRY-RUN] $cmd"
+  else
+    ssh $SSH_OPTS "root@$HOST" "$cmd"
+  fi
+}
+
+echo "=== DBIS RTGS later-phase sidecar LXCs ==="
+echo "Host: $HOST"
+echo "Template: $TEMPLATE"
+echo
+
+for spec in "${LXCS[@]}"; do
+  read -r vmid hostname ip memory cores disk <<<"$spec"
+  cmd="pct create $vmid $TEMPLATE \
+    --hostname $hostname \
+    --cores $cores \
+    --memory $memory \
+    --rootfs ${STORAGE}:${disk} \
+    --net0 name=eth0,bridge=${BRIDGE},gw=${GATEWAY},ip=${ip}/24 \
+    --onboot 1 \
+    --unprivileged 1 \
+    --features nesting=1 \
+    --password \$(openssl rand -base64 18) \
+    --description 'DBIS RTGS later-phase sidecar LXC ($hostname)'"
+  run_remote "$cmd"
+done
diff --git a/scripts/deployment/deploy-dbis-rtgs-later-phase-sidecars.sh b/scripts/deployment/deploy-dbis-rtgs-later-phase-sidecars.sh
new file mode 100644
index 0000000..117665f
--- /dev/null
+++ b/scripts/deployment/deploy-dbis-rtgs-later-phase-sidecars.sh
@@ -0,0 +1,178 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deploy later-phase DBIS RTGS sidecars when artifacts are available.
+# Usage:
+#   ./scripts/deployment/deploy-dbis-rtgs-later-phase-sidecars.sh [--dry-run]
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+SECT_VMID="${RTGS_SECURITIES_VMID:-5808}"
+CARD_VMID="${RTGS_CARDNET_VMID:-5809}"
+MT103_VMID="${RTGS_MT103_VMID:-5810}"
+
+SECT_JAR="${RTGS_SECURITIES_JAR:-/home/intlc/projects/HYBX_Sidecars/securities-sidecar/securities-app/target/securities-app-1.0.0-SNAPSHOT.jar}"
+CARD_JAR="${RTGS_CARDNET_JAR:-/home/intlc/projects/HYBX_Sidecars/card-networks-sidecar/cardnet-app/target/cardnet-app-1.0.0-SNAPSHOT.jar}"
+MT103_BIN="${RTGS_MT103_BIN:-/home/intlc/projects/HYBX_Sidecars/mt103-hardcopy-sidecar/server}"
+
+OMNL_BASE_URL="${OMNL_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}"
+OMNL_TENANT="${OMNL_FINERACT_TENANT:-omnl}"
+OMNL_USER="${OMNL_FINERACT_USER:-}"
+OMNL_PASSWORD="${OMNL_FINERACT_PASSWORD:-}"
+MT103_DATABASE_URL="${MT103_DATABASE_URL:-postgres://localhost/mt103_sidecar?sslmode=disable}"
+
+DRY_RUN=false
+if [[ "${1:-}" == "--dry-run" ]]; then
+  DRY_RUN=true
+fi
+
+run_remote() {
+  local vmid="$1"
+  local cmd="$2"
+  if $DRY_RUN; then
+    echo "[DRY-RUN][CT $vmid] $cmd"
+  else
+    ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc $(printf '%q' "$cmd")"
+  fi
+}
+
+push_file() {
+  local vmid="$1"
+  local src="$2"
+  local dest="$3"
+  if $DRY_RUN; then
+    echo "[DRY-RUN][CT $vmid] copy $src -> $dest"
+  else
+    ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- mkdir -p $(dirname "$dest")"
+    ssh $SSH_OPTS "root@$HOST" "cat > /tmp/$(basename "$dest")" < "$src"
+    ssh $SSH_OPTS "root@$HOST" "pct push $vmid /tmp/$(basename "$dest") $dest >/dev/null && rm -f /tmp/$(basename "$dest")"
+  fi
+}
+
+require_file() {
+  local path="$1"
+  if [[ ! -f "$path" ]]; then
+    echo "Missing required artifact: $path" >&2
+    exit 1
+  fi
+}
+
+setup_java_runtime() {
+  local vmid="$1"
+  run_remote "$vmid" "export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y openjdk-21-jre-headless redis-server curl ca-certificates"
+  run_remote "$vmid" "systemctl enable redis-server --now"
+}
+
+setup_go_runtime() {
+  local vmid="$1"
+  run_remote "$vmid" "export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y curl ca-certificates"
+}
+
+deploy_java_sidecar() {
+  local vmid="$1"
+  local svc="$2"
+  local jar="$3"
+  local env_content="$4"
+  require_file "$jar"
+  setup_java_runtime "$vmid"
+  push_file "$vmid" "$jar" "/opt/dbis-rtgs/${svc}/${svc}.jar"
+
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<<"$env_content"
+  push_file "$vmid" "$envfile" "/etc/dbis-rtgs/${svc}.env"
+  rm -f "$envfile"
+
+  unit="$(mktemp)"
+  cat > "$unit" <<EOF
+[Unit]
+Description=DBIS RTGS ${svc}
+After=network-online.target redis-server.service
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/${svc}
+EnvironmentFile=/etc/dbis-rtgs/${svc}.env
+ExecStart=/usr/bin/java -jar /opt/dbis-rtgs/${svc}/${svc}.jar
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-${svc}.service"
+  rm -f "$unit"
+  run_remote "$vmid" "mkdir -p /opt/dbis-rtgs/${svc} /etc/dbis-rtgs /var/lib/dbis-rtgs/${svc} && systemctl daemon-reload && systemctl enable dbis-rtgs-${svc} && systemctl restart dbis-rtgs-${svc}"
+}
+
+deploy_mt103() {
+  require_file "$MT103_BIN"
+  setup_go_runtime "$MT103_VMID"
+  push_file "$MT103_VMID" "$MT103_BIN" "/opt/dbis-rtgs/mt103/server"
+  run_remote "$MT103_VMID" "chmod +x /opt/dbis-rtgs/mt103/server"
+
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<EOF
+HTTP_PORT=8080
+DATABASE_URL=${MT103_DATABASE_URL}
+STORAGE_BASE_PATH=/var/lib/dbis-rtgs/mt103/storage
+AUTH_MODE=none
+EOF
+  push_file "$MT103_VMID" "$envfile" "/etc/dbis-rtgs/mt103.env"
+  rm -f "$envfile"
+
+  unit="$(mktemp)"
+  cat > "$unit" <<'EOF'
+[Unit]
+Description=DBIS RTGS mt103-hardcopy-sidecar
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/mt103
+EnvironmentFile=/etc/dbis-rtgs/mt103.env
+ExecStart=/opt/dbis-rtgs/mt103/server
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$MT103_VMID" "$unit" "/etc/systemd/system/dbis-rtgs-mt103.service"
+  rm -f "$unit"
+  run_remote "$MT103_VMID" "mkdir -p /opt/dbis-rtgs/mt103 /etc/dbis-rtgs /var/lib/dbis-rtgs/mt103/storage && systemctl daemon-reload && systemctl enable dbis-rtgs-mt103 && systemctl restart dbis-rtgs-mt103"
+}
+
+deploy_java_sidecar "$SECT_VMID" "securities" "$SECT_JAR" "$(cat <<EOF
+SERVER_PORT=8080
+DB_URL=jdbc:h2:file:/var/lib/dbis-rtgs/securities/securities;DB_CLOSE_ON_EXIT=FALSE
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+KAFKA_BOOTSTRAP_SERVERS=
+FINERACT_BASE_URL=${OMNL_BASE_URL}
+FINERACT_TENANT=${OMNL_TENANT}
+FINERACT_USERNAME=${OMNL_USER}
+FINERACT_PASSWORD=${OMNL_PASSWORD}
+EOF
+)"
+
+deploy_java_sidecar "$CARD_VMID" "cardnet" "$CARD_JAR" "$(cat <<EOF
+SERVER_PORT=8080
+DB_URL=jdbc:h2:file:/var/lib/dbis-rtgs/cardnet/cardnet;DB_CLOSE_ON_EXIT=FALSE
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+KAFKA_BOOTSTRAP_SERVERS=
+FINERACT_BASE_URL=${OMNL_BASE_URL}
+FINERACT_TENANT=${OMNL_TENANT}
+FINERACT_USERNAME=${OMNL_USER}
+FINERACT_PASSWORD=${OMNL_PASSWORD}
+EOF
+)"
+
+deploy_mt103
+
+echo "DBIS RTGS later-phase sidecar deployment complete."
diff --git a/scripts/verify/check-dbis-rtgs-later-phase-sidecars.sh b/scripts/verify/check-dbis-rtgs-later-phase-sidecars.sh
new file mode 100644
index 0000000..d82968c
--- /dev/null
+++ b/scripts/verify/check-dbis-rtgs-later-phase-sidecars.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Verify the later-phase DBIS RTGS sidecars once deployed.
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+check_java_ct() {
+  local vmid="$1"
+  local hostname="$2"
+  local service="$3"
+  echo "=== CT $vmid ($hostname) ==="
+  ssh $SSH_OPTS "root@$HOST" "pct status $vmid"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'systemctl is-active redis-server'"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'systemctl is-active $service'"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'curl -sf http://127.0.0.1:8080/actuator/health'"
+  echo
+}
+
+check_go_ct() {
+  local vmid="$1"
+  local hostname="$2"
+  local service="$3"
+  echo "=== CT $vmid ($hostname) ==="
+  ssh $SSH_OPTS "root@$HOST" "pct status $vmid"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'systemctl is-active $service'"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'curl -sf http://127.0.0.1:8080/health'"
+  echo
+}
+
+echo "=== DBIS RTGS later-phase sidecar runtime check ==="
+echo "Host: $HOST"
+echo
+
+check_java_ct "${RTGS_SECURITIES_VMID:-5808}" "${RTGS_SECURITIES_HOSTNAME:-rtgs-securities-1}" dbis-rtgs-securities
+check_java_ct "${RTGS_CARDNET_VMID:-5809}" "${RTGS_CARDNET_HOSTNAME:-rtgs-cardnet-1}" dbis-rtgs-cardnet
+check_go_ct "${RTGS_MT103_VMID:-5810}" "${RTGS_MT103_HOSTNAME:-rtgs-mt103-1}" dbis-rtgs-mt103