05 — Roadmap¶
Phase 1 — PM Core B1–B10¶
Goal: Replace blnkfinance with TigerBeetle. P2P transfers and PromptPay withdrawals working end-to-end.
| Block | Name | Key Deliverables | Status |
|---|---|---|---|
| B1 | Infrastructure | Fastify scaffold · Docker Compose · pm schema · service_key · CI | ✅ Done |
| B2 | Ledger Module | TigerBeetle SDK · tb_account_map · deterministic ID gen · account verifier |
✅ Done |
| B3 | Intent API + Router | POST /intents · payment_route · StepRegistry · INTERNAL_P2P channel |
✅ Done |
| B4 | Rule Engine | CEL fee evaluation · PRE/POST timing · fee_rule table · dry-run endpoint |
✅ Done |
| B5 | Saga Orchestrator | CREATED→VALIDATED→AUTHORIZED→SETTLED · PRE+POST fee splits · linked TB batches | ✅ Done |
| B6 | Outbox + Settlement | OutboxWorker · tx_history · account_balance · intent_event · startup reconciler | ✅ Done |
| B6.1 | Display Name Fields | fromName / toName / comment · requiresMonitoring flag |
✅ Done |
| B7 | IPPS Integration | PromptPay Tag 29+30 · query→confirm · StatusPoller · psp_tx_map | 🟡 In progress |
| B9 | Limits Engine | Daily/monthly caps · Redis cache · per-user enforcement | ✅ Done |
| B10 | Auth Center Bridge | Serverpod→PM integration · nginx auth_request · blnk removal | ⬜ Pending B7 |
Phase 1 unlocks: Full wallet functionality for end users — P2P transfers and PromptPay withdrawals with real-time confirmation.
Phase 2A — Merchant & Mini-Apps B11–B12¶
Goal: Enable third-party merchants to charge and credit user wallets through the mini-app ecosystem.
| Block | Name | Key Deliverables |
|---|---|---|
| B11 | Merchant Onboarding | Admin Panel: create merchant (Serverpod user + miniapp + PM service_key + TB accounts) · deactivation · secret rotation |
| B12 | Mini-Apps Integration | MINIAPP_CHARGE + MINIAPP_CREDIT operation types · merchant permission enforcement · Admin Panel catalog |
Merchant model: A merchant is a service_key in PM — same HMAC authentication as Auth Center. Permissions JSON limits what operation types and which merchant account the key can access. No special code paths.
Phase 2A unlocks: Revenue from merchant transaction fees. Mini-apps can offer paid services billed directly to the user's wallet.
Phase 2B — External PSP via Redis Streams B8, B13–B14¶
Goal: Decouple PM from PSP adapters via Redis Streams, enabling independent scaling and adding more PSP support.
| Block | Name | Key Deliverables |
|---|---|---|
| B8 | Redis Streams Core | Consumer groups · DLQ (max 3 retries) · MAXLEN ~ 10,000 · lag check before dispatch · XAUTOCLAIM stalled messages |
| B13 | IPPS PPXC Adapter | Migrate IPPS channel to Redis Streams · webhook receiver · Tag 29 + Tag 30 |
| B14 | QP Adapter | СБП Top-Up · status polling |
Why Redis Streams for adapters?
| Direct HTTP (current B7) | Redis Streams (Phase 2B) |
|---|---|
| PM blocks on PSP call | PM dispatches and moves on |
| PSP timeout = PM timeout | PSP slowness isolated to adapter |
| One PM instance per PSP | Adapter instances scale independently |
| PM crash = lost job | Stream persists job until ACK |
DLQ behaviour:
- jobs.dlq (adapter never processed) → safe to void TB pending → intent FAILED
- results.dlq (PM could not process PSP response) → ops alert + manual review (PSP may have settled)
Phase 2B unlocks: QP (СБП) Top-Up. PSP adapter independent scaling. Groundwork for any future PSP integration.
Phase 2C — Advanced B15–B17¶
Goal: Multi-currency, full reconciliation service, and webhook infrastructure.
| Block | Name | Key Deliverables |
|---|---|---|
| B15 | Currency Exchange | THB/USD multi-ledger · liquidity accounts · cross-ledger linked transfers |
| B16 | Reconciliation Service | TB ↔ PostgreSQL diff · pm.reconciliation_alert · scheduled reports · settlement verifier |
| B17 | Webhooks | IPPS refund notifications · HMAC signature verification · IP whitelist |
B16 — Reconciliation Service closes the open questions from B6:
- Detects SETTLED intents where TB transfers have mismatched amounts
- Detects SETTLED intents where TB transfers are missing entirely
- Handles the 7 historical intents affected by the TB amount=0 bug (pre-fix)
- Provides daily/weekly financial reports for ops and compliance
Phase 2C unlocks: USD wallets, automatic financial auditing, refund webhooks for merchant integrations.
Timeline Summary¶
Phase 1 B1–B6.1 ████████████████████ Done
B7 ████░░░░░░░░░░░░░░░░ In progress
B9–B10 ░░░░░░░░░░░░░░░░░░░░ Pending B7
Phase 2A B11–B12 ░░░░░░░░░░░░░░░░░░░░ After B10
Phase 2B B8,13,14 ░░░░░░░░░░░░░░░░░░░░ After B10
Phase 2C B15–B17 ░░░░░░░░░░░░░░░░░░░░ After Phase 2A/2B
What Was Removed¶
As part of this migration, the following components were deprecated:
| Removed | Replaced by |
|---|---|
blnkfinance service |
TigerBeetle (owned, auditable) |
blnkfinance-service adapter |
Direct TigerBeetle Node.js SDK in PM |
public.wallet table |
pm.tb_account_map (deterministic IDs) |
| Payment logic in Serverpod | PM POST /intents |
| 11 Dart payment service files | PM Node.js services |
| Serverpod payment models (intent, fee_rule, etc.) | pm schema (Drizzle) |
Net result: Auth Center is now a pure auth/identity service. PM is a pure payment service. The two can be deployed, scaled, and updated independently.