diff --git a/AGENTS.md b/AGENTS.md
index 02277bdd..8d07c5e3 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -12,7 +12,8 @@ Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus, |------|-----------| | Doc index | `docs/MASTER_INDEX.md` | | Canonical ecosystem master plan | `docs/02-architecture/DBIS_ECOSYSTEM_TECHNICAL_MASTER_PLAN.md` — umbrella root; subordinate roots: `dbis_chain_138_technical_master_plan.md`, `docs/03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md`, `docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md` | -| Universal resource activation (manifest, CI, Phoenix) | `docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md`, `config/universal-resource-activation/manifest.json`, `node scripts/validate/validate-universal-resource-activation.mjs`, `bash scripts/verify/smoke-universal-resource-activation.sh` (add `--http` or `PHOENIX_BASE_URL=…` for live API), `GET` `/api/v1/universal-resource-activation/manifest` on `phoenix-deploy-api` | +| Universal resource activation (manifest, CI, Phoenix) | `UNIVERSAL_RESOURCE_WIRING.md`, `URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md`, `URA_OPERATIONAL_READINESS_CHECKLIST.md` (under `docs/04-configuration/universal-resource-activation/`); `config/universal-resource-activation/{manifest.json,policy-profiles.json,integration/}`; `pnpm ura:ops-readiness` / `ura:ops-readiness:full`, `ura:production-ready` / `ura:production-ready:connectivity`, `ura:validate`, `ura:validate-profiles`, `ura:merge-manifest`, `ura:validate-ledger-mapping`, `ura:writer:ledger`, `ura:writer:settlement`, `ura:profile-hash`, `ura:validate-closure`, `ura:keccak`, `ura:smoke`; `URA_STRICT_CLOSURE` / Gitea `vars.URA_STRICT_CLOSURE`; `smom-dbis-138/contracts/universal-resource/PolicyProfileRegistry.sol` (scoped forge test); Phoenix `PUBLIC_V1_NO_PARTNER_KEY_PATHS` | +| Multi-jurisdiction compliance (matrices, onboarding) | `docs/04-configuration/compliance-matrices/README.md`, `INSTITUTION_ONBOARDING_CHARTER.md`, 
`INSTITUTION_ONBOARDING_PLAYBOOK.md`, `docs/04-configuration/jurisdictions/JURISDICTION_CATALOG.md`, `config/jurisdictions/catalog.v1.json`, `docs/dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md`, `docs/03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md` | | cXAUC/cXAUT unit | 1 full token = 1 troy oz Au — `docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md` (section 5.1) | | PMM mesh 6s tick | `smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh` — `docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation) | | VMID / IP / FQDN | `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md` | diff --git a/config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md b/config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md index 0037b8aa..1fd7839c 100644 --- a/config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md +++ b/config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md @@ -32,5 +32,6 @@ ## Related +- [technical-specs/README.md](../../docs/04-configuration/universal-resource-activation/technical-specs/README.md) — normative **TS-*** specs for remaining operator work - [`UNIVERSAL_RESOURCE_WIRING.md`](../../docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md) - [`scripts/validate/validate-ura-policy-profiles.mjs`](../../scripts/validate/validate-ura-policy-profiles.mjs) diff --git a/config/universal-resource-activation/ura-production-ready.env.example b/config/universal-resource-activation/ura-production-ready.env.example new file mode 100644 index 00000000..f6b3cf8e --- /dev/null +++ b/config/universal-resource-activation/ura-production-ready.env.example 
@@ -0,0 +1,20 @@ +# Copy to a path outside VCS (or set inline) and: +# export URA_PRODUCTION_ENV_FILE=/path/to/ura-production-ready.env +# pnpm ura:production-ready +# # or (staging: skips manifest strict closure; does NOT claim production evidence closure) +# URA_PRODUCTION_MODE=connectivity pnpm ura:production-ready +# +# shellcheck disable=SC2034 + +export PHOENIX_BASE_URL="https://phoenix.example.invalid" +export SERVER_FUNDS_SIDECAR_URL="https://server-funds-sidecar.example.invalid" +export POLICY_PROFILE_REGISTRY_ADDRESS="0x0000000000000000000000000000000000000000" + +# export GRU_REQUIRED=1 +# export GRU_M00_DIAMOND_ADDRESS="0x0000000000000000000000000000000000000000" + +# export LEDGER_E2E_EVIDENCE_FILE="/path/to/ledger-ticket.md" +# export SETTLEMENT_E2E_EVIDENCE_FILE="/path/to/settlement-ticket.md" +# export REQUIRE_CUSTODY=1 +# export CUSTODY_E2E_EVIDENCE_FILE="/path/to/custody-ticket.md" +# export COUNSEL_SIGNOFF_FILE="/path/to/counsel-signoff.pdf" diff --git a/docs/03-deployment/URA_MANIFEST_WRITER_OPS.md b/docs/03-deployment/URA_MANIFEST_WRITER_OPS.md index 90383e53..26496414 100644 --- a/docs/03-deployment/URA_MANIFEST_WRITER_OPS.md +++ b/docs/03-deployment/URA_MANIFEST_WRITER_OPS.md @@ -60,4 +60,5 @@ When automation goes live, archive: ## Related +- [TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md](../04-configuration/universal-resource-activation/technical-specs/TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md) — normative ledger/sidecar → manifest requirements - [`URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md`](../04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md) diff --git a/docs/04-configuration/universal-resource-activation/README.md b/docs/04-configuration/universal-resource-activation/README.md index d789e85f..4345abd4 100644 --- a/docs/04-configuration/universal-resource-activation/README.md +++ b/docs/04-configuration/universal-resource-activation/README.md 
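Review bot: The header comment does not tell the operator that this file is executed rather than parsed: the readiness checklist describes `URA_PRODUCTION_ENV_FILE` as a file that is sourced, so whoever can write the copied file can run commands as the operator on the target host. I would add to the header `# Sourced as shell by the readiness script: keep the copy writable only by the operator and replace every placeholder below.` The three uncommented exports also ship working-looking placeholders (`*.example.invalid` hosts and the all-zero address); the consuming script is outside this view, so whether it rejects them is unconfirmed, and a line such as `# Placeholders: the all-zero address and *.example.invalid hosts must not reach a strict run.` would make the expectation explicit.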
@@ -16,6 +16,8 @@ | [UNIVERSAL_RESOURCE_EVIDENCE_PACKAGE.md](UNIVERSAL_RESOURCE_EVIDENCE_PACKAGE.md) | Shared evidence and reconciliation package | | [UNIVERSAL_RESOURCE_PILOT_PLAN.md](UNIVERSAL_RESOURCE_PILOT_PLAN.md) | First three pilots (SKR, server funds, infra) | | [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) | Replace manifest placeholders; close pilots and evidence | +| [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) | Phased checklist from preconditions to production acceptance; run `pnpm ura:ops-readiness` (fast) or `pnpm ura:ops-readiness:full` (adds forge + full config gate) in-repo for validation | +| [technical-specs/README.md](technical-specs/README.md) | **TS-*** normative specs for remaining automation (OMNL/sidecar, settlement indexer, SKR ETL, GRU program, compliance sign-off) | | [policy-profiles.json (registry)](../../config/universal-resource-activation/policy-profiles.json) | Machine-readable profiles + GRU governance level | | [POLICY_PROFILES_REGISTRY.md](../../config/universal-resource-activation/POLICY_PROFILES_REGISTRY.md) | Doc control / sign-off table per profile version | | [MANIFEST_AUTOMATION_DESIGN.md](../../config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md) | Future manifest merge/CI design (not implemented) | 
@@ -25,7 +27,7 @@ | [URAWiring / ops](UNIVERSAL_RESOURCE_WIRING.md) | **Manifest, CI validation, Phoenix `GET` route, env overrides** | | [manifest.json (live store)](../../../config/universal-resource-activation/manifest.json) | In-repo `resources[]` and `evidencePackages[]` | -**Validate:** `pnpm ura:validate` · `pnpm ura:validate-profiles` · **merge fragments:** `pnpm ura:merge-manifest` · **ledger mapping:** `pnpm ura:validate-ledger-mapping` · **writers:** `pnpm ura:writer:ledger` / `pnpm ura:writer:settlement` · **profile hash (on-chain anchor):** `pnpm ura:profile-hash` · **closure gate:** `pnpm ura:validate-closure` / `pnpm ura:validate-closure:strict` · **smoke:** `pnpm ura:smoke` (add `--http` for Phoenix: manifest + policy-profiles + sidecar-probe) · **on-chain id hashes:** `pnpm ura:keccak` — [wiring §2.1](UNIVERSAL_RESOURCE_WIRING.md#21-testing-checklist) · **full automation tracker:** [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md) +**Validate:** `pnpm ura:ops-readiness` / `pnpm ura:ops-readiness:full` (aggregate repo gate) · `pnpm ura:production-ready` / `pnpm ura:production-ready:connectivity` (target host: strict vs staging) · `pnpm ura:validate` · `pnpm ura:validate-profiles` · **merge fragments:** `pnpm ura:merge-manifest` · **ledger mapping:** `pnpm ura:validate-ledger-mapping` · **writers:** `pnpm ura:writer:ledger` / `pnpm ura:writer:settlement` · **profile hash (on-chain anchor):** `pnpm ura:profile-hash` · **closure gate:** `pnpm ura:validate-closure` / `pnpm ura:validate-closure:strict` · **smoke:** `pnpm ura:smoke` (add `--http` for Phoenix: manifest + policy-profiles + sidecar-probe) · **on-chain id hashes:** `pnpm ura:keccak` — [wiring §2.1](UNIVERSAL_RESOURCE_WIRING.md#21-testing-checklist) · **full automation tracker:** [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md) ## Upstream anchors 
diff --git a/docs/04-configuration/universal-resource-activation/SKR_CUSTODY_AUTOMATION_NOTES.md b/docs/04-configuration/universal-resource-activation/SKR_CUSTODY_AUTOMATION_NOTES.md index 719966ff..79d772b2 100644 --- a/docs/04-configuration/universal-resource-activation/SKR_CUSTODY_AUTOMATION_NOTES.md +++ b/docs/04-configuration/universal-resource-activation/SKR_CUSTODY_AUTOMATION_NOTES.md @@ -23,5 +23,6 @@ Obligations live in the per-jurisdiction matrix (e.g. [ID-INDONESIA/banking_v1.m ## Related +- [TS-SKR-CUSTODY-ETL-MANIFEST-V1.md](technical-specs/TS-SKR-CUSTODY-ETL-MANIFEST-V1.md) — normative custody ETL requirements - [`URA_PILOT_CLOSURE_RUNBOOK.md`](URA_PILOT_CLOSURE_RUNBOOK.md) §2 - [`URA_MANIFEST_WRITER_OPS.md`](../../03-deployment/URA_MANIFEST_WRITER_OPS.md) diff --git a/docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md b/docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md index 22fc64f7..8d955109 100644 --- a/docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md +++ b/docs/04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md 
@@ -31,6 +31,8 @@ node scripts/validate/validate-universal-resource-activation.mjs | 2. Full config gate (includes step 1) | `bash scripts/validation/validate-config-files.sh` | Any required project config check fails | | 3. CI-style aggregate | `bash scripts/verify/run-all-validation.sh --skip-genesis` | Any step in the wrapper fails | | 4. URA smoke (schema + optional HTTP) | `bash scripts/verify/smoke-universal-resource-activation.sh` | Step 1 fails. With `--http` (or `PHOENIX_BASE_URL=…`), checks `GET …/manifest` (200 + `.schemaVersion`), `GET …/policy-profiles` (200 + `.profiles` array), and `GET …/server-funds-sidecar-probe` (**200** = sidecar or probe ok JSON; **503** + `configured: false` = URL unset, OK for dev; **502** = URL set but sidecar unreachable) | +| 4a. URA repo ops gate (aggregate validate / profiles / mapping / closure / merge) | `pnpm ura:ops-readiness` (optional `URA_READINESS_FORGE=1`, `URA_READINESS_CONFIG=1`, `URA_READINESS_MAP=…`) | Non-zero if a gate fails. **Environment and E2E** steps: [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) | +| 4d. Production gate (target host) | `pnpm ura:production-ready` (strict) or `pnpm ura:production-ready:connectivity` (skips strict closure) | Env template: `config/universal-resource-activation/ura-production-ready.env.example`. **Strict** requires a closed manifest per [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md). | | 4b. On-chain / GRU hash (optional) | `node scripts/ura/keccak-resource-ids.mjs` | Prints `keccak256(utf8(resourceId))` per row (requires root `ethers`); does not block CI | | 4c. Server-funds sidecar probe (optional) | `curl` `GET /api/v1/universal-resource-activation/server-funds-sidecar-probe` on Phoenix | `503` + `configured:false` until `SERVER_FUNDS_SIDECAR_URL` is set; `200` when a health path returns 2xx | | 5. 
OpenAPI / Swagger | Open `http://:/api-docs` on `phoenix-deploy-api` and confirm URA paths (see [`phoenix-deploy-api/openapi.yaml`](../../../phoenix-deploy-api/openapi.yaml)) | N/A (manual) | @@ -68,6 +70,7 @@ When Gitea deploy syncs the `d-bis/proxmox` archive, the `config/` tree (includi ## Related - [README.md](README.md) — document map +- [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) — phased operator checklist; **local** gate: `pnpm ura:ops-readiness` - [technical-specs/README.md](technical-specs/README.md) — normative TS-* specs for OMNL/sidecar, settlement indexer, SKR ETL, GRU program, compliance sign-off - [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) — close pilots / replace placeholders - [../compliance-matrices/README.md](../compliance-matrices/README.md) — jurisdiction matrices and onboarding charter/playbook diff --git a/docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md b/docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md index 02e459aa..6594d74d 100644 --- a/docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md +++ b/docs/04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md 
@@ -7,6 +7,8 @@ **Normative technical specs (remaining implementation):** [technical-specs/README.md](technical-specs/README.md) — RFC 2119 requirements, interfaces, acceptance tests for pending workstreams. +**Operational gate (all phases, operator vs repo):** [URA_OPERATIONAL_READINESS_CHECKLIST.md](URA_OPERATIONAL_READINESS_CHECKLIST.md) — **local repo check:** `pnpm ura:ops-readiness` ([UNIVERSAL_RESOURCE_WIRING.md](UNIVERSAL_RESOURCE_WIRING.md#21-testing-checklist) §2.1). + | ID | Task | Status | Artifact / next step | |----|------|--------|----------------------| | ura-auto-01 | OMNL/Fineract APIs → `accountingRef` | **Done (repo)** | [`URA_MANIFEST_WRITER_OPS.md`](../../03-deployment/URA_MANIFEST_WRITER_OPS.md) §2; mapping schema | @@ -41,6 +43,7 @@ ## Quick commands ```bash +pnpm ura:ops-readiness pnpm ura:validate-ledger-mapping pnpm ura:writer:ledger -- --mapping config/universal-resource-activation/integration/omnl-ledger-mapping.v1.example.json --ledger config/universal-resource-activation/integration/examples/ledger-snapshot.example.json pnpm ura:writer:settlement -- --evidence-package-id ura:pilot:evidence-register-bootstrap --message-id 0x1 --tx-hash 0x2 --chain-id 138 @@ -50,5 +53,6 @@ cd smom-dbis-138 && FORGE_SCOPE=universal-resource bash scripts/forge/scope.sh t ## Related +- [`URA_OPERATIONAL_READINESS_CHECKLIST.md`](URA_OPERATIONAL_READINESS_CHECKLIST.md) — end-to-end operational + acceptance steps - [`MANIFEST_AUTOMATION_DESIGN.md`](../../../config/universal-resource-activation/MANIFEST_AUTOMATION_DESIGN.md) - [`URA_PILOT_CLOSURE_RUNBOOK.md`](URA_PILOT_CLOSURE_RUNBOOK.md) diff --git a/docs/04-configuration/universal-resource-activation/URA_OPERATIONAL_READINESS_CHECKLIST.md b/docs/04-configuration/universal-resource-activation/URA_OPERATIONAL_READINESS_CHECKLIST.md new file mode 100644 index 00000000..d18faae0 --- /dev/null +++ b/docs/04-configuration/universal-resource-activation/URA_OPERATIONAL_READINESS_CHECKLIST.md 
@@ -0,0 +1,94 @@ +# URA / RTGS / GRU — operational readiness checklist + +**Last updated:** 2026-04-25 +**Purpose:** **Executable** steps from empty/staging to **fully operational, tested** production, aligned with [technical-specs/README.md](technical-specs/README.md). Check boxes as you complete each step in the target environment. + +**Local repo gate (no live services):** `pnpm ura:ops-readiness` — see [UNIVERSAL_RESOURCE_WIRING.md](UNIVERSAL_RESOURCE_WIRING.md). + +--- + +## Phase 0 — Preconditions + +- [ ] **0.1** Record GRC → M00 strategy (ADR) if GRU M00 is in program scope — [TS-GRU-M00-IMPLEMENTATION-PROGRAM-V1.md](technical-specs/TS-GRU-M00-IMPLEMENTATION-PROGRAM-V1.md) §2 +- [ ] **0.2** Staging/prod: OMNL/Fineract, server-funds-sidecar, chain RPC, Phoenix, writer host available; secrets in vault +- [ ] **0.3** Create `config/universal-resource-activation/integration/omnl-ledger-mapping.v1.json` from the example; fill `accountingRefField` with **real** export field names; `pnpm ura:validate-ledger-mapping -- config/.../omnl-ledger-mapping.v1.json` +- [ ] **0.4** Add indexer/settlement and (if used) custody **binding** config (secure repo or vault path) for `evidencePackageId` / resources +- [ ] **0.5** CI **without** `URA_STRICT_CLOSURE=1` until [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) is actually executed and placeholders are gone + +--- + +## Phase 1 — OMNL + server-funds-sidecar → manifest + +- [ ] **1.1** **Correlation:** every prod draw/hold/release has a **correlation id** and path to a **posted** `accountingRef` — [TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md](technical-specs/TS-OMNL-SIDECAR-MANIFEST-SYNC-V1.md) §5.1 +- [ ] **1.2** **Ledger snapshot:** batch or API produces JSON for `pnpm ura:writer:ledger` +- [ ] **1.3** **Writer pipeline** automated: snapshot → `merge-manifest-fragments` → `pnpm ura:validate` + `pnpm ura:validate-profiles` +- [ ] **1.4** **Publish** path live (git PR, secured sync, or internal API) — 
[URA_MANIFEST_WRITER_OPS.md](../../03-deployment/URA_MANIFEST_WRITER_OPS.md) §4 +- [ ] **1.5** **Phoenix:** `SERVER_FUNDS_SIDECAR_URL` set; **sidecar-probe** returns **200** when sidecar healthy +- [ ] **1.6** **Metrics/alerts** per TS-OMNL §6 (success/fail, lag, DLQ) +- [ ] **1.7** **Staging E2E** for ledger path: TS-OMNL §7 — real or realistic journal → merge → validate → `pnpm ura:smoke --http` + +--- + +## Phase 2 — Settlement / chain → manifest + +- [ ] **2.1** **Addresses/events** documented for Chain 138 (and other chains in scope) — [DBIS_RAIL_SETTLEMENT_EVENT_SOURCES.md](../../dbis-rail/DBIS_RAIL_SETTLEMENT_EVENT_SOURCES.md) +- [ ] **2.2** **Indexer** service: `eth_getLogs` / WebSocket / subgraph with **N** confirmations — [TS-SETTLEMENT-INDEXER-MANIFEST-V1.md](technical-specs/TS-SETTLEMENT-INDEXER-MANIFEST-V1.md) §6 +- [ ] **2.3** `pnpm ura:writer:settlement` (or equivalent) into merge + validate + publish (same as Phase 1) +- [ ] **2.4** **Binding** map: route/pool → `evidencePackageId` (fail closed) +- [ ] **2.5** **Idempotency** key: `(chainId, block, logIndex)` (or defined equivalent) +- [ ] **2.6** **Reorg** alerting; no silent delete of manifest rows (TS-SETTLEMENT §6) +- [ ] **2.7** **Staging E2E** for settlement path: TS-SETTLEMENT §10 + +- [ ] **2.8** *(optional)* On-chain **hash anchoring** if required — TS-SETTLEMENT §8 + +--- + +## Phase 3 — SKR / custody (if in scope) + +- [ ] **3.1** Custody **ETL** authenticated; fingerprints + `evidenceRefs` / `custodyOrSourceEvidence` per [TS-SKR-CUSTODY-ETL-MANIFEST-V1.md](technical-specs/TS-SKR-CUSTODY-ETL-MANIFEST-V1.md) +- [ ] **3.2** **Staging E2E** for SKR path + +--- + +## Phase 4 — `PolicyProfileRegistry` (on-chain anchor) + +- [ ] **4.1** `pnpm ura:profile-hash ` for each production profile; record hashes +- [ ] **4.2** **Deploy** `smom-dbis-138/.../PolicyProfileRegistry` + `publishProfile` (roles secured) — [GRU_REGISTRY_WIRING_CHECKLIST.md](../../../runbooks/GRU_REGISTRY_WIRING_CHECKLIST.md) §6 
+- [ ] **4.3** **Record** address in [CONTRACT_ADDRESSES_REFERENCE.md](../../11-references/CONTRACT_ADDRESSES_REFERENCE.md) (or successor) + +--- + +## Phase 5 — Full GRU M00 spine (if in scope; large program) + +- [ ] **5.1** GRUStorage + governance bitmask signed off; storage collision analysis if GRC migration — [TS-GRU](technical-specs/TS-GRU-M00-IMPLEMENTATION-PROGRAM-V1.md) +- [ ] **5.2** **Facets** delivered and tested: PolicyRouter, gates, StandardsRegistry, GovernanceLevel, asset/token path +- [ ] **5.3** **Testnet** deploy; [GRU_M00_DIAMOND_DEPLOYMENT_RUNBOOK.md](../../../runbooks/GRU_M00_DIAMOND_DEPLOYMENT_RUNBOOK.md) §6 green +- [ ] **5.4** **Mainnet/138** (or target) deploy; addresses in inventory; `resourceId` / `assetId` mapping doc updated +- [ ] **5.5** **Multisig**, timelock, **pause** drill, rollback runbook tested + +--- + +## Phase 6 — Compliance, strict CI, DR + +- [ ] **6.1** **Sign-off** pack for automation per [TS-COMPLIANCE-AUTOMATION-SIGNOFF-V1.md](technical-specs/TS-COMPLIANCE-AUTOMATION-SIGNOFF-V1.md) +- [ ] **6.2** [URA_PILOT_CLOSURE_RUNBOOK.md](URA_PILOT_CLOSURE_RUNBOOK.md) complete: no pilot placeholders; `reconciliationStatus` as policy requires +- [ ] **6.3** Enable `pnpm ura:validate-closure:strict` in pipeline; set `URA_STRICT_CLOSURE=1` / Gitea `vars.URA_STRICT_CLOSURE=1` +- [ ] **6.4** **DR/rollback** drill: [URA_MANIFEST_WRITER_OPS.md](../../03-deployment/URA_MANIFEST_WRITER_OPS.md) §8 + +--- + +## Final acceptance (production “done”) + +- [ ] **F.1** In-repo: `pnpm ura:ops-readiness:full` (validates URA + **PolicyProfileRegistry** forge + full `validate-config-files.sh`) and, per your release policy, `bash scripts/verify/run-all-validation.sh` (or equivalent) **green** on the release branch +- [ ] **F.1a** On target host: set env (see `config/universal-resource-activation/ura-production-ready.env.example`; optional `URA_PRODUCTION_ENV_FILE=…` to source it). 
**Strict go-live:** `pnpm ura:production-ready` (`URA_PRODUCTION_MODE=strict`, default). **Staging / pilots still open:** `pnpm ura:production-ready:connectivity` only. +- [ ] **F.2** `pnpm ura:smoke --http` to Phoenix: manifest + policy-profiles + **sidecar-probe 200** in prod +- [ ] **F.3** Evidence: staging + prod test tickets for **ledger**, **settlement**, and (if used) **custody** closed +- [ ] **F.4** On-chain: PolicyProfileRegistry (if used) + GRU M00 (if used) addresses and upgrade path documented +- [ ] **F.5** Ops: on-call runbook + monitoring dashboards live + +--- + +## Related + +- [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md) +- [UNIVERSAL_RESOURCE_WIRING.md](UNIVERSAL_RESOURCE_WIRING.md) §2.1 diff --git a/docs/04-configuration/universal-resource-activation/technical-specs/README.md b/docs/04-configuration/universal-resource-activation/technical-specs/README.md index dee52145..2105e7b7 100644 --- a/docs/04-configuration/universal-resource-activation/technical-specs/README.md +++ b/docs/04-configuration/universal-resource-activation/technical-specs/README.md @@ -20,4 +20,5 @@ ## Related -- [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](../URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md) +- [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](../URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md) +- [URA_OPERATIONAL_READINESS_CHECKLIST.md](../URA_OPERATIONAL_READINESS_CHECKLIST.md) (phased operator checklist; in-repo gate: `pnpm ura:ops-readiness`) diff --git a/docs/MASTER_INDEX.md b/docs/MASTER_INDEX.md index 01494c09..69a1788d 100644 --- a/docs/MASTER_INDEX.md +++ b/docs/MASTER_INDEX.md 
@@ -103,7 +103,7 @@ | **00-meta** (tasks, next steps, phases) | [00-meta/NEXT_STEPS_INDEX.md](00-meta/NEXT_STEPS_INDEX.md), [00-meta/PHASES_AND_TASKS_MASTER.md](00-meta/PHASES_AND_TASKS_MASTER.md) | | **02-architecture** | [02-architecture/](02-architecture/) — **canonical ecosystem root:** [02-architecture/DBIS_ECOSYSTEM_TECHNICAL_MASTER_PLAN.md](02-architecture/DBIS_ECOSYSTEM_TECHNICAL_MASTER_PLAN.md); **Chain 138 infrastructure and runtime sub-plan:** [dbis_chain_138_technical_master_plan.md](../dbis_chain_138_technical_master_plan.md); **institutional settlement execution tracker:** [03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md](03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md); **policy / activation control-plane tracker:** [04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md); **machine-readable workstreams:** [`../config/dbis-ecosystem-master-plan-tracker.json`](../config/dbis-ecosystem-master-plan-tracker.json); **client / division terminology:** [02-architecture/CLIENT_DIVISION_TERMINOLOGY.md](02-architecture/CLIENT_DIVISION_TERMINOLOGY.md); **Public sector + Phoenix catalog baseline:** [02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md](02-architecture/PUBLIC_SECTOR_TENANCY_MARKETPLACE_AND_DEPLOYMENT_BASELINE.md); **non-goals (incl. 
catalog vs marketing §9):** [02-architecture/NON_GOALS.md](02-architecture/NON_GOALS.md); [02-architecture/DBIS_NODE_ROLE_MATRIX.md](02-architecture/DBIS_NODE_ROLE_MATRIX.md), [02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md](02-architecture/DBIS_PHASE2_PROXMOX_SOVEREIGNIZATION_ROADMAP.md) | | **03-deployment** | [03-deployment/OPERATIONAL_RUNBOOKS.md](03-deployment/OPERATIONAL_RUNBOOKS.md), [03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md](03-deployment/DEPLOYMENT_ORDER_OF_OPERATIONS.md), **Public sector live checklist:** [03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md](03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md), **Proxmox VE ops template:** [03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md](03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md) · [`config/proxmox-operational-template.json`](config/proxmox-operational-template.json); **DBIS Phase 1–3:** [03-deployment/PHASE1_DISCOVERY_RUNBOOK.md](03-deployment/PHASE1_DISCOVERY_RUNBOOK.md), [03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md](03-deployment/DBIS_PHASE3_E2E_PRODUCTION_SIMULATION_RUNBOOK.md), [03-deployment/CALIPER_CHAIN138_PERF_HOOK.md](03-deployment/CALIPER_CHAIN138_PERF_HOOK.md), [03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md](03-deployment/DBIS_HYPERLEDGER_RUNTIME_STATUS.md), [03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md](03-deployment/DBIS_PHASES_1_TO_3_PRODUCTION_GATE.md), **RTGS canonical production checklist and institutional-finance layers:** [03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md](03-deployment/DBIS_RTGS_E2E_REQUIREMENTS_MATRIX.md), [03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md](03-deployment/DBIS_RTGS_MASTER_PLAN_IMPLEMENTATION_TRACKER.md), [03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md](03-deployment/DBIS_RTGS_FX_TRANSACTION_CATALOG.md), [03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_DEPOSITORY_AND_CUSTODY_OPERATING_MODEL.md), 
[03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md](03-deployment/DBIS_RTGS_FX_AND_LIQUIDITY_OPERATING_MODEL.md), [03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_CONTROL_PLANE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_LATER_PHASE_SIDECARS_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md](03-deployment/DBIS_OMNL_INDONESIA_BNI_E2E_INTEGRATION_BLUEPRINT.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md](03-deployment/DBIS_RTGS_FIRST_SLICE_ARCHITECTURE.md), [03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md](03-deployment/DBIS_RTGS_FIRST_SLICE_DEPLOYMENT_CHECKLIST.md), [03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md](03-deployment/DBIS_HYBX_SIDECAR_BOUNDARY_MATRIX.md), [03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md](03-deployment/DBIS_MOJALOOP_INTEGRATION_STATUS.md), [03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md](03-deployment/DBIS_HYPERLEDGER_IDENTITY_STACK_DECISION.md) | -| **04-configuration** | [04-configuration/README.md](04-configuration/README.md), [04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Multi-jurisdiction compliance (matrices, charter, playbook):** [04-configuration/compliance-matrices/README.md](04-configuration/compliance-matrices/README.md), [04-configuration/jurisdictions/JURISDICTION_CATALOG.md](04-configuration/jurisdictions/JURISDICTION_CATALOG.md), [`config/jurisdictions/catalog.v1.json`](../config/jurisdictions/catalog.v1.json), [dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md](dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md); **Universal resource activation (SKR, server funds, infra):** [04-configuration/universal-resource-activation/README.md](04-configuration/universal-resource-activation/README.md), 
[UNIVERSAL_RESOURCE_WIRING.md](04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md), [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md), [technical-specs/README.md](04-configuration/universal-resource-activation/technical-specs/README.md) (normative TS-* for remaining implementation), [URA_MANIFEST_WRITER_OPS.md](03-deployment/URA_MANIFEST_WRITER_OPS.md), [GRU_REGISTRY_WIRING_CHECKLIST.md](runbooks/GRU_REGISTRY_WIRING_CHECKLIST.md), `pnpm ura:*`, Phoenix URA routes, [`config/universal-resource-activation/`](../config/universal-resource-activation/); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) | +| **04-configuration** | [04-configuration/README.md](04-configuration/README.md), [04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md](04-configuration/ADDITIONAL_PATHS_AND_EXTENSIONS.md) (paths, registry, token-mapping, LiFi/Jumper); **Multi-jurisdiction compliance (matrices, charter, playbook):** [04-configuration/compliance-matrices/README.md](04-configuration/compliance-matrices/README.md), [04-configuration/jurisdictions/JURISDICTION_CATALOG.md](04-configuration/jurisdictions/JURISDICTION_CATALOG.md), [`config/jurisdictions/catalog.v1.json`](../config/jurisdictions/catalog.v1.json), 
[dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md](dbis-rail/DBIS_RAIL_JURISDICTION_TRACEABILITY.md); **Universal resource activation (SKR, server funds, infra):** [04-configuration/universal-resource-activation/README.md](04-configuration/universal-resource-activation/README.md), [UNIVERSAL_RESOURCE_WIRING.md](04-configuration/universal-resource-activation/UNIVERSAL_RESOURCE_WIRING.md), [URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md](04-configuration/universal-resource-activation/URA_MANIFEST_AUTOMATION_IMPLEMENTATION_TRACKER.md), [URA_OPERATIONAL_READINESS_CHECKLIST.md](04-configuration/universal-resource-activation/URA_OPERATIONAL_READINESS_CHECKLIST.md), [technical-specs/README.md](04-configuration/universal-resource-activation/technical-specs/README.md) (normative TS-* for remaining implementation), [URA_MANIFEST_WRITER_OPS.md](03-deployment/URA_MANIFEST_WRITER_OPS.md), [GRU_REGISTRY_WIRING_CHECKLIST.md](runbooks/GRU_REGISTRY_WIRING_CHECKLIST.md), `pnpm ura:ops-readiness` / `pnpm ura:*`, Phoenix URA routes, [`config/universal-resource-activation/`](../config/universal-resource-activation/); **Chain 138 wallets:** [04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN138_WALLET_CONFIG_VALIDATION.md); **Chain 2138 testnet wallets:** [04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md](04-configuration/CHAIN2138_WALLET_CONFIG_VALIDATION.md); **OMNL Indonesia / HYBX-BATCH-001:** [04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md](04-configuration/mifos-omnl-central-bank/HYBX_BATCH_001_OPERATOR_CHECKLIST.md), [04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md](04-configuration/mifos-omnl-central-bank/INDONESIA_PACKAGE_4_995_EVIDENCE_STANDARD.md) | | **Phoenix / Sankofa deploy handoff** | [04-configuration/PHOENIX_SANKOFA_OPERATOR_HANDOFF.md](04-configuration/PHOENIX_SANKOFA_OPERATOR_HANDOFF.md) — live CTs, env locations, secret split, rotate/reload/verify commands | | 
**06-besu** | [06-besu/MASTER_INDEX.md](06-besu/MASTER_INDEX.md) | | **Testnet (2138)** | [testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md](testnet/DEFI_ORACLE_META_TESTNET_2138_RUNBOOK.md), [testnet/TESTNET_DEPLOYMENT.md](testnet/TESTNET_DEPLOYMENT.md) | diff --git a/package.json b/package.json index 1bd3c938..fe8c31b6 100644 --- a/package.json +++ b/package.json @@ -36,6 +36,10 @@ "ura:profile-hash": "node scripts/ura/policy-profiles-content-hash.mjs", "ura:keccak": "node scripts/ura/keccak-resource-ids.mjs", "ura:smoke": "bash scripts/verify/smoke-universal-resource-activation.sh", + "ura:ops-readiness": "bash scripts/verify/ura-ops-readiness.sh", + "ura:ops-readiness:full": "URA_READINESS_FORGE=1 URA_READINESS_CONFIG=1 bash scripts/verify/ura-ops-readiness.sh", + "ura:production-ready": "bash scripts/verify/ura-production-readiness.sh", + "ura:production-ready:connectivity": "URA_PRODUCTION_MODE=connectivity bash scripts/verify/ura-production-readiness.sh", "mission-control:dev": "pnpm --filter mission-control dev", "mission-control:build": "pnpm --filter mission-control build", "mission-control:start": "pnpm --filter mission-control start", diff --git a/scripts/validate/validate-omnl-ledger-mapping.mjs b/scripts/validate/validate-omnl-ledger-mapping.mjs index c33de083..a358bc6b 100644 --- a/scripts/validate/validate-omnl-ledger-mapping.mjs +++ b/scripts/validate/validate-omnl-ledger-mapping.mjs @@ -20,7 +20,8 @@ const schemaPath = path.join( 'config/universal-resource-activation/integration/omnl-ledger-mapping.v1.schema.json' ); -const file = path.resolve(projectRoot, process.argv[2] || defaultPath); +const fileArg = process.argv.slice(2).filter((a) => a !== '--')[0]; +const file = path.resolve(projectRoot, fileArg || defaultPath); if (!existsSync(file)) { console.error(`[validate-ledger-mapping] Missing ${file}`); diff --git a/scripts/verify/ura-ops-readiness.sh b/scripts/verify/ura-ops-readiness.sh new file mode 100755 index 00000000..2e4950dd --- /dev/null 
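Review bot: The new `fileArg` line in `validate-omnl-ledger-mapping.mjs` drops `--` without saying why, and it treats any other leading argument as the mapping path, including an option-like one. The checklist invokes the validator as `pnpm ura:validate-ledger-mapping -- config/.../omnl-ledger-mapping.v1.json`, so the filter presumably exists because the separator reaches `process.argv`; I would record that above the line as `// "--" may be forwarded by pnpm (pnpm ura:validate-ledger-mapping -- <file>); skip it so the first real argument is the mapping path`. If a mistyped flag should not be validated as a file, `.filter((a) => !a.startsWith('-'))` would make the script fall back to `defaultPath` instead of reporting a missing file named after the flag. This is top-level script code and the rest of the validator lies outside the hunk.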
+++ b/scripts/verify/ura-ops-readiness.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# URA — repo-level readiness: manifest, profiles, mapping schema, merge, non-strict closure, optional forge test.
+# Does not substitute staging/prod E2E or live Fineract/sidecar (see URA_OPERATIONAL_READINESS_CHECKLIST.md).
+#
+# Usage (repo root):
+# bash scripts/verify/ura-ops-readiness.sh
+# URA_READINESS_MAP=config/universal-resource-activation/integration/omnl-ledger-mapping.v1.json \
+# bash scripts/verify/ura-ops-readiness.sh
+# URA_READINESS_FORGE=1 bash scripts/verify/ura-ops-readiness.sh # also runs PolicyProfileRegistry unit test in smom-dbis-138
+# URA_READINESS_CONFIG=1 bash scripts/verify/ura-ops-readiness.sh # also runs validate-config-files.sh
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$ROOT"
+
+log() { echo "[ura-ops-readiness] $*"; }
+log_err() { echo "[ura-ops-readiness] ERROR: $*" >&2; }
+
+if ! command -v pnpm &>/dev/null; then
+ log_err "pnpm not found"
+ exit 1
+fi
+
+log "1/7 pnpm ura:validate"
+pnpm ura:validate
+log "2/7 pnpm ura:validate-profiles"
+pnpm ura:validate-profiles
+MAP_FILE="${URA_READINESS_MAP:-$ROOT/config/universal-resource-activation/integration/omnl-ledger-mapping.v1.example.json}"
+if [[ -f "$MAP_FILE" ]]; then
+ log "3/7 validate-omnl-ledger-mapping.mjs $MAP_FILE"
+ node "$ROOT/scripts/validate/validate-omnl-ledger-mapping.mjs" "$MAP_FILE"
+else
+ log "3/7 skip (mapping file not found: $MAP_FILE)"
+fi
+log "4/7 pnpm ura:validate-closure (warn mode)"
+pnpm ura:validate-closure || true
+log "5/7 pnpm ura:merge-manifest"
+pnpm ura:merge-manifest
+
+if [[ "${URA_READINESS_FORGE:-}" == "1" ]]; then
+ if [[ -d "$ROOT/smom-dbis-138" && -f "$ROOT/smom-dbis-138/scripts/forge/scope.sh" ]]; then
+ log "6/7 FORGE_SCOPE=universal-resource forge test (PolicyProfileRegistry)"
+ (cd "$ROOT/smom-dbis-138" && FORGE_SCOPE=universal-resource bash scripts/forge/scope.sh test --match-contract PolicyProfileRegistryTest) || {
+ log_err "Forge test failed"
+ exit 1
+ }
+ else
+ log "6/7 skip (smom-dbis-138 or scope.sh not present)"
+ fi
+else
+ log "6/7 skip forge (set URA_READINESS_FORGE=1 to run PolicyProfileRegistryTest)"
+fi
+
+if [[ "${URA_READINESS_CONFIG:-}" == "1" ]]; then
+ log "7/7 validate-config-files.sh"
+ bash "$ROOT/scripts/validation/validate-config-files.sh"
+else
+ log "7/7 skip validate-config-files (set URA_READINESS_CONFIG=1 for full project config gate)"
+fi
+
+log "OK: repo URA gates passed (see docs/.../URA_OPERATIONAL_READINESS_CHECKLIST.md for runtime steps)."
+exit 0
diff --git a/scripts/verify/ura-production-readiness.sh b/scripts/verify/ura-production-readiness.sh
new file mode 100755
index 00000000..19ea500b
--- /dev/null
+++ b/scripts/verify/ura-production-readiness.sh
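Review bot: A `URA_READINESS_MAP` that names a file which does not exist is handled like no override at all: step 3 logs a skip and the run still ends with "OK: repo URA gates passed". An explicit override should fail closed, by adding `elif [[ -n "${URA_READINESS_MAP:-}" ]]; then log_err "URA_READINESS_MAP not found: $MAP_FILE"; exit 1` before the existing `else`. Step 4's `pnpm ura:validate-closure || true` likewise hides a validator that crashed as well as one that reported open items. Replacing it with `pnpm ura:validate-closure || log "4/7 closure check exited $? (warn mode)"` keeps warn mode but leaves the status in the log.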
@@ -0,0 +1,148 @@
+#!/usr/bin/env bash
+# URA production readiness verifier.
+# Enforces strict manifest closure and live endpoint checks.
+#
+# Modes (URA_PRODUCTION_MODE):
+# strict — default: repo gates + strict closure + HTTP smoke + sidecar 200. Use after URA_PILOT_CLOSURE_RUNBOOK.
+# connectivity — repo gates + HTTP + sidecar 200; skips strict closure (staging / pilot manifest still open).
+#
+# Optional env file:
+# URA_PRODUCTION_ENV_FILE — path to a file with export KEY=value lines; sourced before checks.
+#
+# Required:
+# - pnpm, curl, jq
+# - PHOENIX_BASE_URL
+# - SERVER_FUNDS_SIDECAR_URL
+# - POLICY_PROFILE_REGISTRY_ADDRESS
+#
+# Optional:
+# - GRU_REQUIRED=1 + GRU_M00_DIAMOND_ADDRESS (if GRU M00 is in scope)
+# - REQUIRE_CUSTODY=1 + CUSTODY_E2E_EVIDENCE_FILE (if custody lane is in scope)
+# - LEDGER_E2E_EVIDENCE_FILE / SETTLEMENT_E2E_EVIDENCE_FILE / COUNSEL_SIGNOFF_FILE
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+cd "$ROOT"
+
+if [[ -n "${URA_PRODUCTION_ENV_FILE:-}" && -f "${URA_PRODUCTION_ENV_FILE}" ]]; then
+ set -a
+ # shellcheck source=/dev/null
+ source "${URA_PRODUCTION_ENV_FILE}"
+ set +a
+fi
+
+log() { echo "[ura-prod-ready] $*"; }
+log_err() { echo "[ura-prod-ready] ERROR: $*" >&2; }
+
+require_cmd() {
+ if ! command -v "$1" &>/dev/null; then
+ log_err "Missing command: $1"
+ exit 1
+ fi
+}
+
+require_env() {
+ local key="$1"
+ if [[ -z "${!key:-}" ]]; then
+ log_err "Missing required env var: $key"
+ exit 1
+ fi
+}
+
+require_file() {
+ local p="$1"
+ if [[ -z "$p" || ! -f "$p" ]]; then
+ log_err "Missing required evidence file: $p"
+ exit 1
+ fi
+}
+
+validate_address() {
+ local label="$1"
+ local value="$2"
+ if [[ ! "$value" =~ ^0x[a-fA-F0-9]{40}$ ]]; then
+ log_err "$label must be a 20-byte hex EVM address, got: $value"
+ exit 1
+ fi
+}
+
+require_cmd pnpm
+require_cmd curl
+require_cmd jq
+
+require_env PHOENIX_BASE_URL
+require_env SERVER_FUNDS_SIDECAR_URL
+require_env POLICY_PROFILE_REGISTRY_ADDRESS
+validate_address "POLICY_PROFILE_REGISTRY_ADDRESS" "$POLICY_PROFILE_REGISTRY_ADDRESS"
+
+if [[ "${GRU_REQUIRED:-0}" == "1" ]]; then
+ require_env GRU_M00_DIAMOND_ADDRESS
+ validate_address "GRU_M00_DIAMOND_ADDRESS" "$GRU_M00_DIAMOND_ADDRESS"
+fi
+
+if [[ -n "${LEDGER_E2E_EVIDENCE_FILE:-}" ]]; then
+ require_file "$LEDGER_E2E_EVIDENCE_FILE"
+fi
+if [[ -n "${SETTLEMENT_E2E_EVIDENCE_FILE:-}" ]]; then
+ require_file "$SETTLEMENT_E2E_EVIDENCE_FILE"
+fi
+if [[ "${REQUIRE_CUSTODY:-0}" == "1" ]]; then
+ require_env CUSTODY_E2E_EVIDENCE_FILE
+ require_file "$CUSTODY_E2E_EVIDENCE_FILE"
+fi
+if [[ -n "${COUNSEL_SIGNOFF_FILE:-}" ]]; then
+ require_file "$COUNSEL_SIGNOFF_FILE"
+fi
+
+BASE="${PHOENIX_BASE_URL%/}"
+MODE="${URA_PRODUCTION_MODE:-strict}"
+if [[ "$MODE" != "strict" && "$MODE" != "connectivity" ]]; then
+ log_err "URA_PRODUCTION_MODE must be 'strict' or 'connectivity', got: $MODE"
+ exit 1
+fi
+
+if [[ "$MODE" == "connectivity" ]]; then
+ log "Mode: connectivity (strict manifest closure is skipped — not a full production sign-off)"
+else
+ log "Mode: strict (manifest must pass ura:validate-closure:strict; close pilots per URA_PILOT_CLOSURE_RUNBOOK first)"
+fi
+
+log "1/? Running full repo gates"
+pnpm ura:ops-readiness:full
+
+if [[ "$MODE" == "strict" ]]; then
+ log "2/? Enforcing strict closure (no placeholders/TBD/open reconciliation)"
+ pnpm ura:validate-closure:strict
+else
+ log "2/? Skipping strict closure (use URA_PRODUCTION_MODE=strict for production go-live)"
+ pnpm ura:validate-closure || true
+fi
+
+log "3/? Phoenix smoke over HTTP (PHOENIX_BASE_URL=$BASE)"
+PHOENIX_BASE_URL="$BASE" pnpm ura:smoke --http
+
+log "4/? Requiring sidecar probe HTTP 200"
+probe_url="${BASE}/api/v1/universal-resource-activation/server-funds-sidecar-probe"
+probe_body="$(mktemp)"
+trap 'rm -f "$probe_body"' EXIT
+probe_code="$(curl -sS -o "$probe_body" -w '%{http_code}' --connect-timeout 5 --max-time 20 "$probe_url" || true)"
+if [[ "$probe_code" != "200" ]]; then
+ log_err "Expected sidecar probe HTTP 200 at $probe_url, got $probe_code"
+ if [[ -s "$probe_body" ]]; then
+ log_err "Probe body: $(head -c 500 "$probe_body")"
+ fi
+ exit 1
+fi
+if ! jq -e 'type == "object"' "$probe_body" &>/dev/null; then
+ log_err "Probe response is not a JSON object"
+ exit 1
+fi
+
+log "5/? URA $MODE gate PASSED"
+log "Registry: $POLICY_PROFILE_REGISTRY_ADDRESS"
+if [[ -n "${GRU_M00_DIAMOND_ADDRESS:-}" ]]; then
+ log "GRU diamond: $GRU_M00_DIAMOND_ADDRESS"
+fi
+
+exit 0
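Review bot: When `URA_PRODUCTION_ENV_FILE` is set but the file is missing, the combined `-n … && -f …` test near the top skips the `source` without a message, so the gate runs against whatever values are already exported and can still print PASSED. To fail closed, test `-n` alone and add `[[ -f "$URA_PRODUCTION_ENV_FILE" ]] || { echo "[ura-prod-ready] ERROR: env file not found: $URA_PRODUCTION_ENV_FILE" >&2; exit 1; }` before `set -a`; plain `echo` is needed because `log_err` is defined further down. Since the file is executed as shell, the header comment should also say it must be operator-owned and not writable by others. `SERVER_FUNDS_SIDECAR_URL` is required but never read afterwards, because the probe goes to `${BASE}/api/v1/universal-resource-activation/server-funds-sidecar-probe`; either document it as a presence check only or take it off the required list. `validate_address` also accepts the all-zero address, which `[[ "$value" =~ ^0x0{40}$ ]]` followed by the same `log_err`/`exit 1` would reject.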