docs: add ura operational readiness and production gates

2026-04-25 11:37:05 -07:00
parent 5688f474c3
commit a894b1dd50
15 changed files with 349 additions and 5 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -12,7 +12,8 @@ Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus,
 |------|-----------|
 | Doc index | `docs/MASTER_INDEX.md` |
 | Canonical ecosystem master plan | `docs/02-architecture/DBIS_ECOSYSTEM_TECHNICAL_MASTER_PLAN.md` — umbrella root; subordinate roots: `dbis_chain_138_technical_master_plan.md`, `docs/03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md`, `docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md` |
-| Universal resource activation (manifest, CI, Phoenix) | `docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md`, `config/universal-resource-activation/manifest.json`, `node scripts/validate/validate-universal-resource-activation.mjs`, `bash scripts/verify/smoke-universal-resource-activation.sh` (add `--http` or `PHOENIX_BASE_URL=…` for live API), `GET` `/api/v1/universal-resource-activation/manifest` on `phoenix-deploy-api` |
+| Universal resource activation (manifest, CI, Phoenix) | `UNIVERSAL_RESOURCE_WIRING.md`, `URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md`, `URA_OPERATIONAL_READINESS_CHECKLIST.md` (under `docs/04-configuration/universal-resource-activation/`); `config/universal-resource-activation/{manifest.json,policy-profiles.json,integration/}`; `pnpm ura:ops-readiness` / `ura:ops-readiness:full`, `ura:production-ready` / `ura:production-ready:connectivity`, `ura:validate`, `ura:validate-profiles`, `ura:merge-manifest`, `ura:validate-ledger-mapping`, `ura:writer:ledger`, `ura:writer:settlement`, `ura:profile-hash`, `ura:validate-closure`, `ura:keccak`, `ura:smoke`; `URA_STRICT_CLOSURE` / Gitea `vars.URA_STRICT_CLOSURE`; `smom-dbis-138/contracts/universal-resource/PolicyProfileRegistry.sol` (scoped forge test); Phoenix `PUBLIC_V1_NO_PARTNER_KEY_PATHS` |
+| Multi-jurisdiction compliance (matrices, onboarding) | `docs/04-configuration/compliance-matrices/README.md`, `INSTITUTION_ONBOARDING_CHARTER.md`, `INSTITUTION_ONBOARDING_PLAYBOOK.md`, `docs/04-configuration/jurisdictions/JURISDICTION_CATALOG.md`, `config/jurisdictions/catalog.v1.json`, `docs/dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md`, `docs/03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md` |
 | cXAUC/cXAUT unit | 1 full token = 1 troy oz Au — `docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md` (section 5.1) |
 | PMM mesh 6s tick | `smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh` — `docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation) |
 | VMID / IP / FQDN | `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md` |
--- a/config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md
+++ b/config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md
@@ -32,5 +32,6 @@

 ## Related

+- [technical-specs/README.md](../../docs/04-configuration/universal-resource-activation/technical-specs/README.md) — normative **TS-*** specs for remaining operator work  
 - [`UNIVERSAL_RESOURCE_WIRING.md`](../../docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md)  
 - [`scripts/validate/validate-ura-policy-profiles.mjs`](../../scripts/validate/validate-ura-policy-profiles.mjs)
--- a/config/universal-resource-activation/ura-production-ready.env.example
+++ b/config/universal-resource-activation/ura-production-ready.env.example
@@ -0,0 +1,20 @@
+# Copy to a path outside VCS (or set inline) and:
+#   export URA_PRODUCTION_ENV_FILE=/path/to/ura-production-ready.env
+#   pnpm ura:production-ready
+#   # or (staging: skips manifest strict closure; does NOT claim production evidence closure)
+#   URA_PRODUCTION_MODE=connectivity pnpm ura:production-ready
+#
+# shellcheck disable=SC2034
+
+export PHOENIX_BASE_URL="https://phoenix.example.invalid"
+export SERVER_FUNDS_SIDECAR_URL="https://server-funds-sidecar.example.invalid"
+export POLICY_PROFILE_REGISTRY_ADDRESS="0x0000000000000000000000000000000000000000"
+
+# export GRU_REQUIRED=1
+# export GRU_M00_DIAMOND_ADDRESS="0x0000000000000000000000000000000000000000"
+
+# export LEDGER_E2E_EVIDENCE_FILE="/path/to/ledger-ticket.md"
+# export SETTLEMENT_E2E_EVIDENCE_FILE="/path/to/settlement-ticket.md"
+# export REQUIRE_CUSTODY=1
+# export CUSTODY_E2E_EVIDENCE_FILE="/path/to/custody-ticket.md"
+# export COUNSEL_SIGNOFF_FILE="/path/to/counsel-signoff.pdf"
--- a/docs/03-deployment/URA_MANIFEST_WRITER_OPS.md
+++ b/docs/03-deployment/URA_MANIFEST_WRITER_OPS.md
@@ -60,4 +60,5 @@ When automation goes live, archive:

 ## Related

+- [TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md](../04-configuration/universal-resource-activation/technical-specs/TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md) — normative ledger/sidecar → manifest requirements  
 - [`URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md`](../04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md)
--- a/docs/04-configuration/universal-resource-activation/README.md
+++ b/docs/04-configuration/universal-resource-activation/README.md
@@ -16,6 +16,8 @@
 | [UNIVERSAL_RESOURCE_EVIDENCE_PACKAGE.md](UNIVERSAL_RESOURCE_EVIDENCE_PACKAGE.md) | Shared evidence and reconciliation package |
 | [UNIVERSAL_RESOURCE_PILOT_PLAN.md](UNIVERSAL_RESOURCE_PILOT_PLAN.md) | First three pilots (SKR, server funds, infra) |
 | [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) | Replace manifest placeholders; close pilots and evidence |
+| [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) | Phased checklist from preconditions to production acceptance; run `pnpm ura:ops-readiness` (fast) or `pnpm ura:ops-readiness:full` (adds forge + full config gate) in-repo for validation |
+| [technical-specs/README.md](technical-specs/README.md) | **TS-*** normative specs for remaining automation (OMNL/sidecar, settlement indexer, SKR ETL, GRU program, compliance sign-off) |
 | [policy-profiles.json (registry)](../../config/universal-resource-activation/policy-profiles.json) | Machine-readable profiles + GRU governance level |
 | [POLICY_PROFILES_REGISTRY.md](../../config/universal-resource-activation/POLICY_PROFILES_REGISTRY.md) | Doc control / sign-off table per profile version |
 | [MANIFEST_AUTOMATION_DESIGN.md](../../config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md) | Future manifest merge/CI design (not implemented) |
@@ -25,7 +27,7 @@
 | [URAWiring / ops](UNIVERSAL_RESOURCE_WIRING.md) | **Manifest, CI validation, Phoenix `GET` route, env overrides** |
 | [manifest.json (live store)](../../../config/universal-resource-activation/manifest.json) | In-repo `resources[]` and `evidencePackages[]` |

-**Validate:** `pnpm ura:validate` · `pnpm ura:validate-profiles` · **merge fragments:** `pnpm ura:merge-manifest` · **ledger mapping:** `pnpm ura:validate-ledger-mapping` · **writers:** `pnpm ura:writer:ledger` / `pnpm ura:writer:settlement` · **profile hash (on-chain anchor):** `pnpm ura:profile-hash` · **closure gate:** `pnpm ura:validate-closure` / `pnpm ura:validate-closure:strict` · **smoke:** `pnpm ura:smoke` (add `--http` for Phoenix: manifest + policy-profiles + sidecar-probe) · **on-chain id hashes:** `pnpm ura:keccak` — [wiring §2.1](UNIVERSAL_RESOURCE_WIRING.md#21-testing-checklist) · **full automation tracker:** [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md)
+**Validate:** `pnpm ura:ops-readiness` / `pnpm ura:ops-readiness:full` (aggregate repo gate) · `pnpm ura:production-ready` / `pnpm ura:production-ready:connectivity` (target host: strict vs staging) · `pnpm ura:validate` · `pnpm ura:validate-profiles` · **merge fragments:** `pnpm ura:merge-manifest` · **ledger mapping:** `pnpm ura:validate-ledger-mapping` · **writers:** `pnpm ura:writer:ledger` / `pnpm ura:writer:settlement` · **profile hash (on-chain anchor):** `pnpm ura:profile-hash` · **closure gate:** `pnpm ura:validate-closure` / `pnpm ura:validate-closure:strict` · **smoke:** `pnpm ura:smoke` (add `--http` for Phoenix: manifest + policy-profiles + sidecar-probe) · **on-chain id hashes:** `pnpm ura:keccak` — [wiring §2.1](UNIVERSAL_RESOURCE_WIRING.md#21-testing-checklist) · **full automation tracker:** [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md)

 ## Upstream anchors

--- a/docs/04-configuration/universal-resource-activation/SKR_CUSTODY_AUTOMATION_NOTES.md
+++ b/docs/04-configuration/universal-resource-activation/SKR_CUSTODY_AUTOMATION_NOTES.md
@@ -23,5 +23,6 @@ Obligations live in the per-jurisdiction matrix (e.g. [ID-INDONESIA/banking_v1.m

 ## Related

+- [TS-SKR-CUSTODY-ETL-MANIFEST-V1.md](technical-specs/TS-SKR-CUSTODY-ETL-MANIFEST-V1.md) — normative custody ETL requirements  
 - [`URA_PILOT_CLOSURE_RUNBOOK.md`](URA_PILOT_CLOSURE_RUNBOOK.md) §2  
 - [`URA_MANIFEST_WRITER_OPS.md`](../../03-deployment/URA_MANIFEST_WRITER_OPS.md)
--- a/docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md
+++ b/docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md
@@ -31,6 +31,8 @@ node scripts/validate/validate-universal-resource-activation.mjs
 | 2. Full config gate (includes step 1) | `bash scripts/validation/validate-config-files.sh` | Any required project config check fails |
 | 3. CI-style aggregate | `bash scripts/verify/run-all-validation.sh --skip-genesis` | Any step in the wrapper fails |
 | 4. URA smoke (schema + optional HTTP) | `bash scripts/verify/smoke-universal-resource-activation.sh` | Step 1 fails. With `--http` (or `PHOENIX_BASE_URL=…`), checks `GET …/manifest` (200 + `.schemaVersion`), `GET …/policy-profiles` (200 + `.profiles` array), and `GET …/server-funds-sidecar-probe` (**200** = sidecar or probe ok JSON; **503** + `configured: false` = URL unset, OK for dev; **502** = URL set but sidecar unreachable) |
+| 4a. URA repo ops gate (aggregate validate / profiles / mapping / closure / merge) | `pnpm ura:ops-readiness` (optional `URA_READINESS_FORGE=1`, `URA_READINESS_CONFIG=1`, `URA_READINESS_MAP=…`) | Non-zero if a gate fails. **Environment and E2E** steps: [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) |
+| 4d. Production gate (target host) | `pnpm ura:production-ready` (strict) or `pnpm ura:production-ready:connectivity` (skips strict closure) | Env template: `config/universal-resource-activation/ura-production-ready.env.example`. **Strict** requires a closed manifest per [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md). |
 | 4b. On-chain / GRU hash (optional) | `node scripts/ura/keccak-resource-ids.mjs` | Prints `keccak256(utf8(resourceId))` per row (requires root `ethers`); does not block CI |
 | 4c. Server-funds sidecar probe (optional) | `curl` `GET /api/v1/universal-resource-activation/server-funds-sidecar-probe` on Phoenix | `503` + `configured:false` until `SERVER_FUNDS_SIDECAR_URL` is set; `200` when a health path returns 2xx |
 | 5. OpenAPI / Swagger | Open `http://<host>:<port>/api-docs` on `phoenix-deploy-api` and confirm URA paths (see [`phoenix-deploy-api/openapi.yaml`](../../../phoenix-deploy-api/openapi.yaml)) | N/A (manual) |
@@ -68,6 +70,7 @@ When Gitea deploy syncs the `d-bis/proxmox` archive, the `config/` tree (includi
 ## Related

 - [README.md](README.md) — document map  
+- [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) — phased operator checklist; **local** gate: `pnpm ura:ops-readiness`  
 - [technical-specs/README.md](technical-specs/README.md) — normative TS-* specs for OMNL/sidecar, settlement indexer, SKR ETL, GRU program, compliance sign-off
 - [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) — close pilots / replace placeholders
 - [../compliance-matrices/README.md](../compliance-matrices/README.md) — jurisdiction matrices and onboarding charter/playbook
--- a/docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md
+++ b/docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md
@@ -7,6 +7,8 @@

 **Normative technical specs (remaining implementation):** [technical-specs/README.md](technical-specs/README.md) — RFC 2119 requirements, interfaces, acceptance tests for pending workstreams.

+**Operational gate (all phases, operator vs repo):** [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) — **local repo check:** `pnpm ura:ops-readiness` ([UNIVERSAL_RESOURCE_WIRING.md](UNIVERSAL_RESOURCE_WIRING.md#21-testing-checklist) §2.1).
+
 | ID | Task | Status | Artifact / next step |
 |----|------|--------|----------------------|
 | ura-auto-01 | OMNL/Fineract APIs → `accountingRef` | **Done (repo)** | [`URA_MANIFEST_WRITER_OPS.md`](../../03-deployment/URA_MANIFEST_WRITER_OPS.md) §2; mapping schema |
@@ -41,6 +43,7 @@
 ## Quick commands

 ```bash
+pnpm ura:ops-readiness
 pnpm ura:validate-ledger-mapping
 pnpm ura:writer:ledger -- --mapping config/universal-resource-activation/integration/omnl-ledger-mapping.v1.example.json --ledger config/universal-resource-activation/integration/examples/ledger-snapshot.example.json
 pnpm ura:writer:settlement -- --evidence-package-id ura:pilot:evidence-register-bootstrap --message-id 0x1 --tx-hash 0x2 --chain-id 138
@@ -50,5 +53,6 @@ cd smom-dbis-138 && FORGE_SCOPE=universal-resource bash scripts/forge/scope.sh t

 ## Related

+- [`URA_OPERATIONAL_READINESS_CHECKLIST.md`](URA_OPERATIONAL_READINESS_CHECKLIST.md) — end-to-end operational + acceptance steps  
 - [`MANIFEST_AUTOMATION_DESIGN.md`](../../../config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md)  
 - [`URA_PILOT_CLOSURE_RUNBOOK.md`](URA_PILOT_CLOSURE_RUNBOOK.md)
--- a/docs/04-configuration/universal-resource-activation/URA_OPERATIONAL_READINESS_CHECKLIST.md
+++ b/docs/04-configuration/universal-resource-activation/URA_OPERATIONAL_READINESS_CHECKLIST.md
@@ -0,0 +1,94 @@
+# URA / RTGS / GRU — operational readiness checklist
+
+**Last updated:** 2026-04-25  
+**Purpose:** **Executable** steps from empty/staging to **fully operational, tested** production, aligned with [technical-specs/README.md](technical-specs/README.md). Check boxes as you complete each step in the target environment.
+
+**Local repo gate (no live services):** `pnpm ura:ops-readiness` — see [UNIVERSAL_RESOURCE_WIRING.md](UNIVERSAL_RESOURCE_WIRING.md).
+
+---
+
+## Phase 0 — Preconditions
+
+- [ ] **0.1** Record GRC → M00 strategy (ADR) if GRU M00 is in program scope — [TS-GRU-M00-IMPLEMENTATION-PROGRAM-V1.md](technical-specs/TS-GRU-M00-IMPLEMENTATION-PROGRAM-V1.md) §2  
+- [ ] **0.2** Staging/prod: OMNL/Fineract, server-funds-sidecar, chain RPC, Phoenix, writer host available; secrets in vault  
+- [ ] **0.3** Create `config/universal-resource-activation/integration/omnl-ledger-mapping.v1.json` from the example; fill `accountingRefField` with **real** export field names; `pnpm ura:validate-ledger-mapping -- config/.../omnl-ledger-mapping.v1.json`  
+- [ ] **0.4** Add indexer/settlement and (if used) custody **binding** config (secure repo or vault path) for `evidencePackageId` / resources  
+- [ ] **0.5** CI **without** `URA_STRICT_CLOSURE=1` until [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) is actually executed and placeholders are gone  
+
+---
+
+## Phase 1 — OMNL + server-funds-sidecar → manifest
+
+- [ ] **1.1** **Correlation:** every prod draw/hold/release has a **correlation id** and path to a **posted** `accountingRef` — [TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md](technical-specs/TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md) §5.1  
+- [ ] **1.2** **Ledger snapshot:** batch or API produces JSON for `pnpm ura:writer:ledger`  
+- [ ] **1.3** **Writer pipeline** automated: snapshot → `merge-manifest-fragments` → `pnpm ura:validate` + `pnpm ura:validate-profiles`  
+- [ ] **1.4** **Publish** path live (git PR, secured sync, or internal API) — [URA_MANIFEST_WRITER_OPS.md](../../03-deployment/URA_MANIFEST_WRITER_OPS.md) §4  
+- [ ] **1.5** **Phoenix:** `SERVER_FUNDS_SIDECAR_URL` set; **sidecar-probe** returns **200** when sidecar healthy  
+- [ ] **1.6** **Metrics/alerts** per TS-OMNL §6 (success/fail, lag, DLQ)  
+- [ ] **1.7** **Staging E2E** for ledger path: TS-OMNL §7 — real or realistic journal → merge → validate → `pnpm ura:smoke --http`  
+
+---
+
+## Phase 2 — Settlement / chain → manifest
+
+- [ ] **2.1** **Addresses/events** documented for Chain 138 (and other chains in scope) — [DBIS_RAIL_SETTLEMENT_EVENT_SOURCES.md](../../dbis-rail/DBIS_RAIL_SETTLEMENT_EVENT_SOURCES.md)  
+- [ ] **2.2** **Indexer** service: `eth_getLogs` / WebSocket / subgraph with **N** confirmations — [TS-SETTLEMENT-INDEXER-MANIFEST-V1.md](technical-specs/TS-SETTLEMENT-INDEXER-MANIFEST-V1.md) §6  
+- [ ] **2.3** `pnpm ura:writer:settlement` (or equivalent) into merge + validate + publish (same as Phase 1)  
+- [ ] **2.4** **Binding** map: route/pool → `evidencePackageId` (fail closed)  
+- [ ] **2.5** **Idempotency** key: `(chainId, block, logIndex)` (or defined equivalent)  
+- [ ] **2.6** **Reorg** alerting; no silent delete of manifest rows (TS-SETTLEMENT §6)  
+- [ ] **2.7** **Staging E2E** for settlement path: TS-SETTLEMENT §10  
+
+- [ ] **2.8** *(optional)* On-chain **hash anchoring** if required — TS-SETTLEMENT §8  
+
+---
+
+## Phase 3 — SKR / custody (if in scope)
+
+- [ ] **3.1** Custody **ETL** authenticated; fingerprints + `evidenceRefs` / `custodyOrSourceEvidence` per [TS-SKR-CUSTODY-ETL-MANIFEST-V1.md](technical-specs/TS-SKR-CUSTODY-ETL-MANIFEST-V1.md)  
+- [ ] **3.2** **Staging E2E** for SKR path  
+
+---
+
+## Phase 4 — `PolicyProfileRegistry` (on-chain anchor)
+
+- [ ] **4.1** `pnpm ura:profile-hash <id>` for each production profile; record hashes  
+- [ ] **4.2** **Deploy** `smom-dbis-138/.../PolicyProfileRegistry` + `publishProfile` (roles secured) — [GRU_REGISTRY_WIRING_CHECKLIST.md](../../../runbooks/GRU_REGISTRY_WIRING_CHECKLIST.md) §6  
+- [ ] **4.3** **Record** address in [CONTRACT_ADDRESSES_REFERENCE.md](../../11-references/CONTRACT_ADDRESSES_REFERENCE.md) (or successor)  
+
+---
+
+## Phase 5 — Full GRU M00 spine (if in scope; large program)
+
+- [ ] **5.1** GRUStorage + governance bitmask signed off; storage collision analysis if GRC migration — [TS-GRU](technical-specs/TS-GRU-M00-IMPLEMENTATION-PROGRAM-V1.md)  
+- [ ] **5.2** **Facets** delivered and tested: PolicyRouter, gates, StandardsRegistry, GovernanceLevel, asset/token path  
+- [ ] **5.3** **Testnet** deploy; [GRU_M00_DIAMOND_DEPLOYMENT_RUNBOOK.md](../../../runbooks/GRU_M00_DIAMOND_DEPLOYMENT_RUNBOOK.md) §6 green  
+- [ ] **5.4** **Mainnet/138** (or target) deploy; addresses in inventory; `resourceId` / `assetId` mapping doc updated  
+- [ ] **5.5** **Multisig**, timelock, **pause** drill, rollback runbook tested  
+
+---
+
+## Phase 6 — Compliance, strict CI, DR
+
+- [ ] **6.1** **Sign-off** pack for automation per [TS-COMPLIANCE-AUTOMATION-SIGNOFF-V1.md](technical-specs/TS-COMPLIANCE-AUTOMATION-SIGNOFF-V1.md)  
+- [ ] **6.2** [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) complete: no pilot placeholders; `reconciliationStatus` as policy requires  
+- [ ] **6.3** Enable `pnpm ura:validate-closure:strict` in pipeline; set `URA_STRICT_CLOSURE=1` / Gitea `vars.URA_STRICT_CLOSURE=1`  
+- [ ] **6.4** **DR/rollback** drill: [URA_MANIFEST_WRITER_OPS.md](../../03-deployment/URA_MANIFEST_WRITER_OPS.md) §8  
+
+---
+
+## Final acceptance (production “done”)
+
+- [ ] **F.1** In-repo: `pnpm ura:ops-readiness:full` (validates URA + **PolicyProfileRegistry** forge + full `validate-config-files.sh`) and, per your release policy, `bash scripts/verify/run-all-validation.sh` (or equivalent) **green** on the release branch  
+- [ ] **F.1a** On target host: set env (see `config/universal-resource-activation/ura-production-ready.env.example`; optional `URA_PRODUCTION_ENV_FILE=…` to source it). **Strict go-live:** `pnpm ura:production-ready` (`URA_PRODUCTION_MODE=strict`, default). **Staging / pilots still open:** `pnpm ura:production-ready:connectivity` only.  
+- [ ] **F.2** `pnpm ura:smoke --http` to Phoenix: manifest + policy-profiles + **sidecar-probe 200** in prod  
+- [ ] **F.3** Evidence: staging + prod test tickets for **ledger**, **settlement**, and (if used) **custody** closed  
+- [ ] **F.4** On-chain: PolicyProfileRegistry (if used) + GRU M00 (if used) addresses and upgrade path documented  
+- [ ] **F.5** Ops: on-call runbook + monitoring dashboards live  
+
+---
+
+## Related
+
+- [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md)  
+- [UNIVERSAL_RESOURCE_WIRING.md](UNIVERSAL_RESOURCE_WIRING.md) §2.1
--- a/docs/04-configuration/universal-resource-activation/technical-specs/README.md
+++ b/docs/04-configuration/universal-resource-activation/technical-specs/README.md
@@ -20,4 +20,5 @@

 ## Related

- [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](../URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md)
+- [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](../URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md)  
+- [URA_OPERATIONAL_READINESS_CHECKLIST.md](../URA_OPERATIONAL_READINESS_CHECKLIST.md) (phased operator checklist; in-repo gate: `pnpm ura:ops-readiness`)
--- a/docs/MASTER_INDEX.md
+++ b/docs/MASTER_INDEX.md
@@ -103,7 +103,7 @@
 | **00-meta** (tasks, next steps, phases) | [00-meta/NEXT_STEPS_INDEX.md](00-meta/NEXT_STEPS_INDEX.md), [00-meta/PHASES_AND_TASKS_MASTER.md](00-meta/PHASES_AND_TASKS_MASTER.md) |
 | **02-architecture** | [02-architecture/](02-architecture/) — **canonical ecosystem root:** [02-architecture/DBIS_ECOSYSTEM_TECHNICAL_MASTER_PLAN.md](02-architecture/DBIS_ECOSYSTEM_TECHNICAL_MASTER_PLAN.md); **Chain 138 infrastructure and runtime sub-plan:** [dbis_chain_138_technical_master_plan.md](../dbis_chain_138_technical_master_plan.md); **institutional settlement execution tracker:** [03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md](03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md); **policy / activation control-plane tracker:** [04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md); **machine-readable workstreams:** [`../config/dbis-ecosystem-master-plan-tracker.json`](../config/dbis-ecosystem-master-plan-tracker.json); **client / division terminology:** [02-architecture/CLIENT_DIVISION_TERMINOLOGY.md](02-architecture/CLIENT_DIVISION_TERMINOLOGY.md); **Public sector + Phoenix catalog baseline:** [02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md); **non-goals (incl. catalog vs marketing §9):** [02-architecture/NON_GOALS.md](02-architecture/NON_GOALS.md); [02-architecture/DBIS_NODE_ROLE_MATRIX.md](02-architecture/DBIS_NODE_ROLE_MATRIX.md), [02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md](02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md) |
 | **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md](03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) |
-| **04-configuration** | [04-configuration/README.md](04-configuration/README.md), [04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Multi-jurisdiction compliance (matrices, charter, playbook):** [04-configuration/compliance-matrices/README.md](04-configuration/compliance-matrices/README.md), [04-configuration/jurisdictions/JURISDICTION_CATALOG.md](04-configuration/jurisdictions/JURISDICTION_CATALOG.md), [`config/jurisdictions/catalog.v1.json`](../config/jurisdictions/catalog.v1.json), [dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md](dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md); **Universal resource activation (SKR, server funds, infra):** [04-configuration/universal-resource-activation/README.md](04-configuration/universal-resource-activation/README.md), [UNIVERSAL_RESOURCE_WIRING.md](04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md), [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md), [technical-specs/README.md](04-configuration/universal-resource-activation/technical-specs/README.md) (normative TS-* for remaining implementation), [URA_MANIFEST_WRITER_OPS.md](03-deployment/URA_MANIFEST_WRITER_OPS.md), [GRU_REGISTRY_WIRING_CHECKLIST.md](runbooks/GRU_REGISTRY_WIRING_CHECKLIST.md), `pnpm ura:*`, Phoenix URA routes, [`config/universal-resource-activation/`](../config/universal-resource-activation/); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) |
+| **04-configuration** | [04-configuration/README.md](04-configuration/README.md), [04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Multi-jurisdiction compliance (matrices, charter, playbook):** [04-configuration/compliance-matrices/README.md](04-configuration/compliance-matrices/README.md), [04-configuration/jurisdictions/JURISDICTION_CATALOG.md](04-configuration/jurisdictions/JURISDICTION_CATALOG.md), [`config/jurisdictions/catalog.v1.json`](../config/jurisdictions/catalog.v1.json), [dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md](dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md); **Universal resource activation (SKR, server funds, infra):** [04-configuration/universal-resource-activation/README.md](04-configuration/universal-resource-activation/README.md), [UNIVERSAL_RESOURCE_WIRING.md](04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md), [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md), [URA_OPERATIONAL_READINESS_CHECKLIST.md](04-configuration/universal-resource-activation/URA_OPERATIONAL_READINESS_CHECKLIST.md), [technical-specs/README.md](04-configuration/universal-resource-activation/technical-specs/README.md) (normative TS-* for remaining implementation), [URA_MANIFEST_WRITER_OPS.md](03-deployment/URA_MANIFEST_WRITER_OPS.md), [GRU_REGISTRY_WIRING_CHECKLIST.md](runbooks/GRU_REGISTRY_WIRING_CHECKLIST.md), `pnpm ura:ops-readiness` / `pnpm ura:*`, Phoenix URA routes, [`config/universal-resource-activation/`](../config/universal-resource-activation/); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) |
 | **Phoenix / Sankofa deploy handoff** | [04-configuration/PHOENIX_SANKOFA_OPERATOR_HANDOFF.md](04-configuration/PHOENIX_SANKOFA_OPERATOR_HANDOFF.md) — live CTs, env locations, secret split, rotate/reload/verify commands |
 | **06-besu** | [06-besu/MASTER_INDEX.md](06-besu/MASTER_INDEX.md) |
 | **Testnet (2138)** | [testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md](testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md), [testnet/TESTNET_DEPLOYMENT.md](testnet/TESTNET_DEPLOYMENT.md) |
--- a/package.json
+++ b/package.json
@@ -36,6 +36,10 @@
    "ura:profile-hash": "node scripts/ura/policy-profiles-content-hash.mjs",
    "ura:keccak": "node scripts/ura/keccak-resource-ids.mjs",
    "ura:smoke": "bash scripts/verify/smoke-universal-resource-activation.sh",
+    "ura:ops-readiness": "bash scripts/verify/ura-ops-readiness.sh",
+    "ura:ops-readiness:full": "URA_READINESS_FORGE=1 URA_READINESS_CONFIG=1 bash scripts/verify/ura-ops-readiness.sh",
+    "ura:production-ready": "bash scripts/verify/ura-production-readiness.sh",
+    "ura:production-ready:connectivity": "URA_PRODUCTION_MODE=connectivity bash scripts/verify/ura-production-readiness.sh",
    "mission-control:dev": "pnpm --filter mission-control dev",
    "mission-control:build": "pnpm --filter mission-control build",
    "mission-control:start": "pnpm --filter mission-control start",
--- a/scripts/validate/validate-omnl-ledger-mapping.mjs
+++ b/scripts/validate/validate-omnl-ledger-mapping.mjs
@@ -20,7 +20,8 @@ const schemaPath = path.join(
  'config/universal-resource-activation/integration/omnl-ledger-mapping.v1.schema.json'
 );

-const file = path.resolve(projectRoot, process.argv[2] || defaultPath);
+const fileArg = process.argv.slice(2).filter((a) => a !== '--')[0];
+const file = path.resolve(projectRoot, fileArg || defaultPath);

 if (!existsSync(file)) {
  console.error(`[validate-ledger-mapping] Missing ${file}`);
--- a/scripts/verify/ura-ops-readiness.sh
+++ b/scripts/verify/ura-ops-readiness.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# URA — repo-level readiness: manifest, profiles, mapping schema, merge, non-strict closure, optional forge test.
+# Does not substitute staging/prod E2E or live Fineract/sidecar (see URA_OPERATIONAL_READINESS_CHECKLIST.md).
+#
+# Usage (repo root):
+#   bash scripts/verify/ura-ops-readiness.sh
+#   URA_READINESS_MAP=config/universal-resource-activation/integration/omnl-ledger-mapping.v1.json \
+#     bash scripts/verify/ura-ops-readiness.sh
+#   URA_READINESS_FORGE=1 bash scripts/verify/ura-ops-readiness.sh   # also runs PolicyProfileRegistry unit test in smom-dbis-138
+#   URA_READINESS_CONFIG=1 bash scripts/verify/ura-ops-readiness.sh  # also runs validate-config-files.sh
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$ROOT"
+
+log() { echo "[ura-ops-readiness] $*"; }
+log_err() { echo "[ura-ops-readiness] ERROR: $*" >&2; }
+
+if ! command -v pnpm &>/dev/null; then
+  log_err "pnpm not found"
+  exit 1
+fi
+
+log "1/7 pnpm ura:validate"
+pnpm ura:validate
+log "2/7 pnpm ura:validate-profiles"
+pnpm ura:validate-profiles
+MAP_FILE="${URA_READINESS_MAP:-$ROOT/config/universal-resource-activation/integration/omnl-ledger-mapping.v1.example.json}"
+if [[ -f "$MAP_FILE" ]]; then
+  log "3/7 validate-omnl-ledger-mapping.mjs $MAP_FILE"
+  node "$ROOT/scripts/validate/validate-omnl-ledger-mapping.mjs" "$MAP_FILE"
+else
+  log "3/7 skip (mapping file not found: $MAP_FILE)"
+fi
+log "4/7 pnpm ura:validate-closure (warn mode)"
+pnpm ura:validate-closure || true
+log "5/7 pnpm ura:merge-manifest"
+pnpm ura:merge-manifest
+
+if [[ "${URA_READINESS_FORGE:-}" == "1" ]]; then
+  if [[ -d "$ROOT/smom-dbis-138" && -f "$ROOT/smom-dbis-138/scripts/forge/scope.sh" ]]; then
+    log "6/7 FORGE_SCOPE=universal-resource forge test (PolicyProfileRegistry)"
+    (cd "$ROOT/smom-dbis-138" && FORGE_SCOPE=universal-resource bash scripts/forge/scope.sh test --match-contract PolicyProfileRegistryTest) || {
+      log_err "Forge test failed"
+      exit 1
+    }
+  else
+    log "6/7 skip (smom-dbis-138 or scope.sh not present)"
+  fi
+else
+  log "6/7 skip forge (set URA_READINESS_FORGE=1 to run PolicyProfileRegistryTest)"
+fi
+
+if [[ "${URA_READINESS_CONFIG:-}" == "1" ]]; then
+  log "7/7 validate-config-files.sh"
+  bash "$ROOT/scripts/validation/validate-config-files.sh"
+else
+  log "7/7 skip validate-config-files (set URA_READINESS_CONFIG=1 for full project config gate)"
+fi
+
+log "OK: repo URA gates passed (see docs/.../URA_OPERATIONAL_READINESS_CHECKLIST.md for runtime steps)."
+exit 0
--- a/scripts/verify/ura-production-readiness.sh
+++ b/scripts/verify/ura-production-readiness.sh
@@ -0,0 +1,148 @@
+#!/usr/bin/env bash
+# URA production readiness verifier.
+# Enforces strict manifest closure and live endpoint checks.
+#
+# Modes (URA_PRODUCTION_MODE):
+#   strict         — default: repo gates + strict closure + HTTP smoke + sidecar 200. Use after URA_PILOT_CLOSURE_RUNBOOK.
+#   connectivity   — repo gates + HTTP + sidecar 200; skips strict closure (staging / pilot manifest still open).
+#
+# Optional env file:
+#   URA_PRODUCTION_ENV_FILE — path to a file with export KEY=value lines; sourced before checks.
+#
+# Required:
+#   - pnpm, curl, jq
+#   - PHOENIX_BASE_URL
+#   - SERVER_FUNDS_SIDECAR_URL
+#   - POLICY_PROFILE_REGISTRY_ADDRESS
+#
+# Optional:
+#   - GRU_REQUIRED=1 + GRU_M00_DIAMOND_ADDRESS (if GRU M00 is in scope)
+#   - REQUIRE_CUSTODY=1 + CUSTODY_E2E_EVIDENCE_FILE (if custody lane is in scope)
+#   - LEDGER_E2E_EVIDENCE_FILE / SETTLEMENT_E2E_EVIDENCE_FILE / COUNSEL_SIGNOFF_FILE
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$ROOT"
+
+if [[ -n "${URA_PRODUCTION_ENV_FILE:-}" && -f "${URA_PRODUCTION_ENV_FILE}" ]]; then
+  set -a
+  # shellcheck source=/dev/null
+  source "${URA_PRODUCTION_ENV_FILE}"
+  set +a
+fi
+
+log() { echo "[ura-prod-ready] $*"; }
+log_err() { echo "[ura-prod-ready] ERROR: $*" >&2; }
+
+require_cmd() {
+  if ! command -v "$1" &>/dev/null; then
+    log_err "Missing command: $1"
+    exit 1
+  fi
+}
+
+require_env() {
+  local key="$1"
+  if [[ -z "${!key:-}" ]]; then
+    log_err "Missing required env var: $key"
+    exit 1
+  fi
+}
+
+require_file() {
+  local p="$1"
+  if [[ -z "$p" || ! -f "$p" ]]; then
+    log_err "Missing required evidence file: $p"
+    exit 1
+  fi
+}
+
+validate_address() {
+  local label="$1"
+  local value="$2"
+  if [[ ! "$value" =~ ^0x[a-fA-F0-9]{40}$ ]]; then
+    log_err "$label must be a 20-byte hex EVM address, got: $value"
+    exit 1
+  fi
+}
+
+require_cmd pnpm
+require_cmd curl
+require_cmd jq
+
+require_env PHOENIX_BASE_URL
+require_env SERVER_FUNDS_SIDECAR_URL
+require_env POLICY_PROFILE_REGISTRY_ADDRESS
+validate_address "POLICY_PROFILE_REGISTRY_ADDRESS" "$POLICY_PROFILE_REGISTRY_ADDRESS"
+
+if [[ "${GRU_REQUIRED:-0}" == "1" ]]; then
+  require_env GRU_M00_DIAMOND_ADDRESS
+  validate_address "GRU_M00_DIAMOND_ADDRESS" "$GRU_M00_DIAMOND_ADDRESS"
+fi
+
+if [[ -n "${LEDGER_E2E_EVIDENCE_FILE:-}" ]]; then
+  require_file "$LEDGER_E2E_EVIDENCE_FILE"
+fi
+if [[ -n "${SETTLEMENT_E2E_EVIDENCE_FILE:-}" ]]; then
+  require_file "$SETTLEMENT_E2E_EVIDENCE_FILE"
+fi
+if [[ "${REQUIRE_CUSTODY:-0}" == "1" ]]; then
+  require_env CUSTODY_E2E_EVIDENCE_FILE
+  require_file "$CUSTODY_E2E_EVIDENCE_FILE"
+fi
+if [[ -n "${COUNSEL_SIGNOFF_FILE:-}" ]]; then
+  require_file "$COUNSEL_SIGNOFF_FILE"
+fi
+
+BASE="${PHOENIX_BASE_URL%/}"
+MODE="${URA_PRODUCTION_MODE:-strict}"
+if [[ "$MODE" != "strict" && "$MODE" != "connectivity" ]]; then
+  log_err "URA_PRODUCTION_MODE must be 'strict' or 'connectivity', got: $MODE"
+  exit 1
+fi
+
+if [[ "$MODE" == "connectivity" ]]; then
+  log "Mode: connectivity (strict manifest closure is skipped — not a full production sign-off)"
+else
+  log "Mode: strict (manifest must pass ura:validate-closure:strict; close pilots per URA_PILOT_CLOSURE_RUNBOOK first)"
+fi
+
+log "1/? Running full repo gates"
+pnpm ura:ops-readiness:full
+
+if [[ "$MODE" == "strict" ]]; then
+  log "2/? Enforcing strict closure (no placeholders/TBD/open reconciliation)"
+  pnpm ura:validate-closure:strict
+else
+  log "2/? Skipping strict closure (use URA_PRODUCTION_MODE=strict for production go-live)"
+  pnpm ura:validate-closure || true
+fi
+
+log "3/? Phoenix smoke over HTTP (PHOENIX_BASE_URL=$BASE)"
+PHOENIX_BASE_URL="$BASE" pnpm ura:smoke --http
+
+log "4/? Requiring sidecar probe HTTP 200"
+probe_url="${BASE}/api/v1/universal-resource-activation/server-funds-sidecar-probe"
+probe_body="$(mktemp)"
+trap 'rm -f "$probe_body"' EXIT
+probe_code="$(curl -sS -o "$probe_body" -w '%{http_code}' --connect-timeout 5 --max-time 20 "$probe_url" || true)"
+if [[ "$probe_code" != "200" ]]; then
+  log_err "Expected sidecar probe HTTP 200 at $probe_url, got $probe_code"
+  if [[ -s "$probe_body" ]]; then
+    log_err "Probe body: $(head -c 500 "$probe_body")"
+  fi
+  exit 1
+fi
+if ! jq -e 'type == "object"' "$probe_body" &>/dev/null; then
+  log_err "Probe response is not a JSON object"
+  exit 1
+fi
+
+log "5/? URA $MODE gate PASSED"
+log "Registry: $POLICY_PROFILE_REGISTRY_ADDRESS"
+if [[ -n "${GRU_M00_DIAMOND_ADDRESS:-}" ]]; then
+  log "GRU diamond: $GRU_M00_DIAMOND_ADDRESS"
+fi
+
+exit 0