# All Requirements — Master List

**Last Updated:** 2026-02-05

**Purpose:** Single source for all project requirements. Use for compliance, traceability, and execution.

**Sources:** MASTER_PLAN, PHASES_AND_TASKS_MASTER, TODO_TASK_LIST_MASTER, [REMAINING_WORK_DETAILED_STEPS.md](REMAINING_WORK_DETAILED_STEPS.md), MISSING_CONTAINERS_LIST, CCIP_DEPLOYMENT_SPEC, IMPLEMENTATION_CHECKLIST, OPERATIONAL_RUNBOOKS, MASTER_SECRETS_INVENTORY, FULL_PARALLEL_EXECUTION_ORDER.

---

## 1. Foundation (Phase 0) — ✅ Done

| ID | Requirement | Source | Status |
|----|-------------|--------|--------|
| F-1 | Proxmox management accessible (ml110, r630-01, r630-02) | PHASES_AND_TASKS_MASTER | ✅ Done |
| F-2 | Edge: UDM Pro; port forward 76.53.10.36:80/443 → 192.168.11.167 (NPMplus) | DEPLOYMENT_STATUS_MASTER | ✅ Done |
| F-3 | Basic Besu containers deployed (validators, sentries, RPC per inventory) | DEPLOYMENT_STATUS_MASTER | ✅ Done |
| F-4 | config/ip-addresses.conf and .env.example present; validation passes | run-all-validation.sh | ✅ Done |

---

## 2. Security Requirements

| ID | Requirement | Source | Priority |
|----|-------------|--------|----------|
| S-1 | .env permissions: chmod 600 | IMPLEMENTATION_CHECKLIST | Required |
| S-2 | Validator key permissions: chmod 600, chown besu; use secure-validator-keys.sh | OPERATIONAL_RUNBOOKS § Phase 2 | Required |
| S-3 | SSH key-based auth; disable password (coordinate to avoid lockout) | setup-ssh-key-auth.sh | Required |
| S-4 | Firewall: restrict Proxmox API port 8006 to admin CIDR | firewall-proxmox-8006.sh | Required |
| S-5 | No real API keys in .env.example; document in MASTER_SECRETS_INVENTORY | MASTER_PLAN §3.1 | Required |
| S-6 | Rotate any exposed keys; private keys not in docs | MASTER_SECRETS_INVENTORY | Critical |
| S-7 | smom: Security audits VLT-024, ISO-024 | PHASES_AND_TASKS_MASTER | Critical |
| S-8 | smom: Bridge integrations BRG-VLT, BRG-ISO | PHASES_AND_TASKS_MASTER | High |
| S-9 | Network segmentation (VLANs): plan and migrate per NETWORK_ARCHITECTURE | IMPLEMENTATION_CHECKLIST | Optional |

---

## 3. Deployment Requirements

### 3.1 Missing Containers (canonical: 3 only)

| ID | Requirement | VMID | Spec | Source |
|----|-------------|------|------|--------|
| D-1 | Create besu-rpc-luis (Luis 0x1) | 2506 | 16GB, 4 CPU, 200GB; JWT required | MISSING_CONTAINERS_LIST |
| D-2 | Create besu-rpc-putu (Putu 0x8a) | 2507 | Same | MISSING_CONTAINERS_LIST |
| D-3 | Create besu-rpc-putu (Putu 0x1) | 2508 | Same | MISSING_CONTAINERS_LIST |

### 3.2 Phase 1 — VLAN (optional)

| ID | Requirement | Source |
|----|-------------|--------|
| D-4 | UDM Pro VLAN config | PHASES_AND_TASKS_MASTER |
| D-5 | VLAN-aware bridge on Proxmox | PHASES_AND_TASKS_MASTER |
| D-6 | Services migrated to VLANs per NETWORK_ARCHITECTURE | DEPLOYMENT_STATUS_MASTER |

### 3.3 Phase 2 — Observability (required)

| ID | Requirement | Source |
|----|-------------|--------|
| D-7 | Monitoring stack: Prometheus, Grafana, Loki, Alertmanager | PHASES_AND_TASKS_MASTER |
| D-8 | Prometheus scrape Besu 9545; config in config/monitoring/ | phase2-observability.sh |
| D-9 | Grafana published via Cloudflare Access | PHASES_AND_TASKS_MASTER |
| D-10 | Alerts configured (Alertmanager, email/webhook) | OPERATIONAL_RUNBOOKS § Phase 2 |

### 3.4 Phase 3 — CCIP Fleet (required)

| ID | Requirement | VMIDs / scope | Source |
|----|-------------|---------------|--------|
| D-11 | CCIP Ops/Admin deployed | 5400-5401 | CCIP_DEPLOYMENT_SPEC |
| D-12 | CCIP Monitoring nodes | 5402-5403 | CCIP_DEPLOYMENT_SPEC |
| D-13 | 16 Commit nodes | 5410-5425 | CCIP_DEPLOYMENT_SPEC |
| D-14 | 16 Execute nodes | 5440-5455 | CCIP_DEPLOYMENT_SPEC |
| D-15 | 7 RMN nodes | 5470-5476 | CCIP_DEPLOYMENT_SPEC |
| D-16 | NAT pools configured (blocks #2–#4 per NETWORK_ARCHITECTURE) | — | CCIP_DEPLOYMENT_SPEC |
| D-17 | Env: CCIP_ETH_ROUTER, CCIP_ETH_LINK_TOKEN, ETH_MAINNET_SELECTOR (mainnet CCIP) | — | ccip-deploy-checklist.sh |

### 3.5 Phase 4 — Sovereign Tenants (required)

| ID | Requirement | Source |
|----|-------------|--------|
| D-18 | Sovereign VLANs configured (200–203) | phase4-sovereign-tenants.sh, OPERATIONAL_RUNBOOKS |
| D-19 | Tenant isolation enforced; access control | PHASES_AND_TASKS_MASTER |
| D-20 | Block #6 egress NAT; verify tenant isolation | NETWORK_ARCHITECTURE |

---

## 4. Backup & Maintenance Requirements

| ID | Requirement | Frequency / scope | Source |
|----|-------------|-------------------|--------|
| B-1 | Automated config backup (Proxmox configs) | On demand or cron | automated-backup.sh |
| B-2 | NPMplus backup (export/config) when NPMplus up | NPM_PASSWORD; schedule-npmplus-backup-cron.sh | Wave 0 / W1-8 |
| B-3 | Backup validator keys (encrypted); 30-day retention | IMPLEMENTATION_CHECKLIST | Required |
| B-4 | Daily maintenance checks: explorer sync, RPC 2201 | Daily 08:00 | schedule-daily-weekly-cron.sh |
| B-5 | Weekly: Config API uptime, review explorer logs | Sun 09:00 | daily-weekly-checks.sh weekly |
| B-6 | Token list: validate; update as needed (token-lists/lists/dbis-138.tokenlist.json) | As needed | OPERATIONAL_RUNBOOKS [139] |

---

## 5. Configuration & Secrets Requirements

| ID | Requirement | Source |
|----|-------------|--------|
| C-1 | config/ip-addresses.conf present and sourced | validate-config-files.sh |
| C-2 | .env from .env.example; no real keys in repo | MASTER_SECRETS_INVENTORY |
| C-3 | ADMIN_CENTRAL_API_KEY, DBIS_CENTRAL_URL for portal/token-agg/multi-chain | MASTER_PLAN §9 |
| C-4 | PRIVATE_KEY (deployer) for bridge/sendCrossChain; LINK approved for fee | run-send-cross-chain.sh |
| C-5 | NPM_PASSWORD for NPMplus backup/export | backup-npmplus.sh |
| C-6 | PROXMOX_* optional for API; SSH used for host access | config validation |
| C-7 | JWT auth for RPC 2503–2508; nginx reverse proxy | CHAIN138_JWT_AUTH_REQUIREMENTS |

---

## 6. Codebase Requirements

| ID | Requirement | Component | Priority |
|----|-------------|-----------|----------|
| R-1 | Security audits VLT-024, ISO-024 | smom-dbis-138 | Critical |
| R-2 | Bridge integrations BRG-VLT, BRG-ISO | smom-dbis-138 | High |
| R-3 | CCIP AMB full implementation | smom-dbis-138 | High |
| R-4 | Vault/ISO test suites exist | smom-dbis-138 | ✅ Done |
| R-5 | deploy-vault-system.sh (VLT-010–018, ISO-009–018) | smom-dbis-138 | ✅ Done |
| R-6 | IRU remaining tasks (OFAC/sanctions/AML) | dbis_core | High |
| R-7 | TypeScript/Prisma fixes (~1186 errors) or defer | dbis_core | High |
| R-8 | REST API backend, migrations, VITE_USE_REAL_API | OMNIS | ✅ Scaffold |
| R-9 | Sankofa Phoenix SDK auth (VITE_SANKOFA_*) | OMNIS | High |
| R-10 | Placeholders: AlltraAdapter setBridgeFee; smart accounts kit; TezosRelayService; quote-service Fabric chainId | PLACEHOLDERS_AND_TBD | High |

---

## 7. Protection Layer & Admin Requirements (MASTER_PLAN)

| ID | Requirement | Target |
|----|-------------|--------|
| P-1 | Central policy and audit: permission check API, audit append/query | dbis_core Admin Central |
| P-2 | Orchestration portal: JWT + central permission + audit (replace x-admin-token) | MASTER_PLAN §2.2 |
| P-3 | Token-aggregation admin: auth + audit for admin endpoints | MASTER_PLAN §2.2 |
| P-4 | Multi-chain-execution admin: JWT or client-credentials + audit | MASTER_PLAN §2.2 |
| P-5 | Org-level panel: global identity, role matrix, central audit viewer | admin-console-frontend-plan Phase 4/6 |
| P-6 | Admin runner for scripts/MCP: identity + permission + audit log | OPERATIONAL_RUNBOOKS, MASTER_PLAN §2.4 |

---

## 8. Wave Execution Requirements

### Wave 0 (gates; run from LAN when creds ready)

| ID | Requirement | Command / note |
|----|-------------|----------------|
| W0-1 | Apply NPMplus RPC fix (405) | From LAN: `bash scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` |
| W0-2 | Execute sendCrossChain (real) | Omit `--dry-run`; PRIVATE_KEY, LINK approved |
| W0-3 | NPMplus backup | NPM_PASSWORD; `automated-backup.sh --with-npmplus` or backup-npmplus.sh |

### Wave 1 (full parallel)

| ID | Requirement | Ref |
|----|-------------|-----|
| W1-1 | SSH key auth (--apply on hosts) | S-3 |
| W1-2 | Firewall 8006 (--apply) | S-4 |
| W1-5–W1-7 | Monitoring config (Prometheus, Grafana, Loki, Alertmanager) | D-7–D-10 |
| W1-8 | Backup cron: daily-weekly + NPMplus (--install when NPM_PASSWORD set) | B-1–B-5 |
| W1-11–W1-13 | Docs: consolidation, quick refs, IP matrix, runbooks | ALL_IMPROVEMENTS 68–74, 75–81 |
| W1-14–W1-17 | Codebase: dbis_core TS, smom placeholders, IRU | R-6–R-10 |
| W1-18–W1-21 | Progress indicators, validator keys, secret audit, config validation | IMPLEMENTATION_CHECKLIST |
| W1-27–W1-44 | ALL_IMPROVEMENTS 1–139 by range | ALL_IMPROVEMENTS_AND_GAPS_INDEX |

### Wave 2 (infra / deploy)

| ID | Requirement | Ref |
|----|-------------|-----|
| W2-1 | Deploy monitoring stack | D-7–D-10 |
| W2-2 | Grafana + Cloudflare Access; alerts | D-9, D-10 |
| W2-3 | VLAN enablement and migration | D-4–D-6 |
| W2-4 | CCIP Ops/Admin (5400-5401); NAT; scripts | D-11–D-17 |
| W2-5 | Phase 4 sovereign VLANs | D-18–D-20 |
| W2-6 | Create missing containers 2506, 2507, 2508 | D-1–D-3 |
| W2-7 | DBIS services start; Hyperledger | DEPLOYMENT_STATUS_MASTER |
| W2-8 | NPMplus HA (Keepalived, 10234) | Optional |

### Wave 3 (after Wave 2)

| ID | Requirement | Ref |
|----|-------------|-----|
| W3-1 | CCIP Fleet full deploy: commit, execute, RMN nodes | D-11–D-15 |
| W3-2 | Phase 4 tenant isolation enforcement | D-18–D-20 |

### Ongoing

| ID | Requirement | Status |
|----|-------------|--------|
| O-1–O-5 | Daily/weekly checks; explorer logs; token list | ✅ Cron installed; token list validated |

---

## 9. Validation & Acceptance Requirements

| ID | Requirement | Command |
|----|-------------|---------|
| V-1 | CI / pre-deploy validation | `bash scripts/verify/run-all-validation.sh [--skip-genesis]` |
| V-2 | Config files | `bash scripts/validation/validate-config-files.sh` |
| V-3 | Full verification (DNS, UDM Pro, NPMplus, etc.) | `bash scripts/verify/run-full-verification.sh` |
| V-4 | E2E routing (Cloudflare domains) | `bash scripts/verify/verify-end-to-end-routing.sh` |
| V-5 | Backend VMs | `bash scripts/verify/verify-backend-vms.sh` |
| V-6 | Genesis (smom-dbis-138) | `bash smom-dbis-138/scripts/validation/validate-genesis.sh` |
| V-7 | Besu peers | `bash scripts/besu-verify-peers.sh http://192.168.11.211:8545` |
| V-8 | CCIP deploy order and env | `bash scripts/ccip/ccip-deploy-checklist.sh` |

---

## 10. Optional / External Requirements

| ID | Requirement | Source |
|----|-------------|--------|
| X-1 | API keys: Li.Fi, Jumper, 1inch (API_KEYS_REQUIRED.md) | NEXT_STEPS_MASTER |
| X-2 | Paymaster deploy (smart accounts) | SMART_ACCOUNTS_DEPLOYMENT_NOTE |
| X-3 | Token-aggregation: CoinGecko/CMC submission | COINGECKO_SUBMISSION.md |
| X-4 | Explorer: dark mode, network selector, sync indicator | ALL_IMPROVEMENTS 92–105 |
| X-5 | Tezos/Etherlink CCIP (finality, routes, DON, metrics) | TEZOS_CCIP_REMAINING_ITEMS |
| X-6 | External integrations: Li.Fi, LayerZero, Wormhole, Uniswap, 1inch, MoonPay/Ramp | PHASES_AND_TASKS_MASTER |
| X-7 | Resource/network/database optimization | TODO_TASK_LIST_MASTER |

---

## 11. Requirement Index by Source

| Document | Section in this file |
|----------|----------------------|
| [MASTER_PLAN.md](MASTER_PLAN.md) | §2 (Protection), §7 (Wave), §3.1 (Config) |
| [PHASES_AND_TASKS_MASTER.md](PHASES_AND_TASKS_MASTER.md) | §2 (Security), §3 (Deployment), §6 (Codebase), §10 (Optional) |
| [MISSING_CONTAINERS_LIST.md](../03-deployment/MISSING_CONTAINERS_LIST.md) | §3.1 (D-1–D-3) |
| [CCIP_DEPLOYMENT_SPEC.md](../07-ccip/CCIP_DEPLOYMENT_SPEC.md) | §3.4 (D-11–D-17) |
| [IMPLEMENTATION_CHECKLIST.md](../10-best-practices/IMPLEMENTATION_CHECKLIST.md) | §2 (Security), §4 (Backup), §8 (Wave 1) |
| [OPERATIONAL_RUNBOOKS.md](../03-deployment/OPERATIONAL_RUNBOOKS.md) | §2, §4, §8 |
| [MASTER_SECRETS_INVENTORY.md](../04-configuration/MASTER_SECRETS_INVENTORY.md) | §5 (Configuration) |
| [FULL_PARALLEL_EXECUTION_ORDER.md](FULL_PARALLEL_EXECUTION_ORDER.md) | §8 (Wave 0–3, Ongoing) |
| [REMAINING_ITEMS_FULL_PARALLEL_LIST.md](REMAINING_ITEMS_FULL_PARALLEL_LIST.md) | §8 (detailed task IDs) |

---

**Use this document to:**

- Trace requirements to source docs
- Check off completion (update status in source docs or add a REQUIREMENTS_STATUS.md)
- Drive compliance and runbooks
- Onboard: one place for "what must be true" before and after deployment