Mithaq Branch Teller · MBT
Enterprise Branch Teller Platform
Core-agnostic, cloud-native branch teller solution built for UAE banking. Multi-entity China-Wall isolation, OPA policy enforcement, and dual-control lifecycle operations — engineered with a fully AI-driven development pipeline.
2026-06-13 · master@ecf80daf
System Modules
9 live modules
Tech Stack
Next.js · .NET 9 · PostgreSQL
AI Dev Pipeline
Claude + Antigravity
API Reference
100 endpoints · 14 groups
Release History
v0.9.31 · 41 releases
Feature Matrix
66 shipped · 2 partial
Architecture Principles
Ten binding design decisions that all features in this platform are built around.
China-Wall Isolation
Every query, parameter, and audit log scoped by Entity + BranchId. Phase 1 enforces logical row-level isolation; Phase 2 adds per-entity physical databases.
CBS-Agnostic ESB Layer
All transactional operations decoupled from the Core Banking System via ESB adapter. Swap the mock for any real CBS integration without touching the teller API.
Zero Carryover
Drawer close is hard-blocked if any currency balance ≠ 0. All cash must return to vault before the business day ends — no physical cash crosses business days.
F6 Decimal Precision
Monetary amounts stored as numeric(19,6). CurrencyMath.Truncate before every write. String-encoded at JSON boundary via DecimalStringConverter — no IEEE 754 drift.
Dual-Control Lifecycle Ops
Vault and drawer ops require two distinct authorized officers. Initiator role is recorded on the approval record; self-approval always blocked at the service layer.
Role Hierarchy & ABAC
Six-tier rank: Teller < Supervisor < HeadTeller < BranchManager < EntityAdmin < BankAdmin. TellerPrincipal helpers enforce every access decision.
OPA Policy Enforcement
External OPA sidecar gates all POST /transactions/*, /vault/*, /branch/*. Hard-deny when OPA is unreachable. Cash limits data-driven per entity + currency.
Business Day Gate
Financial transactions require BusinessDayStatus.Active. Vault/drawer/proof-in ops require IsOpenAsync. Requests when the session is Closed return 409 Conflict.
State Hierarchy
Branch → Session → Vault → Drawer. Each level must open before the next. Roll-up close enforced at each level — no branch close with open drawers or vault.
Immutable Audit Trail
All lifecycle events write to audit.BranchAuditLogs indexed by Entity, BranchId, Timestamp. Audit logs are entity-scoped — never cross-visible between entities.
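The hard-deny rule under OPA Policy Enforcement, sketched as an added C# example; it is not code from the MBT code base. It queries OPA's Data API and allows only an explicit boolean true. The policy path `teller/allow`, the 500 ms budget and the `OpaGate` class name are assumptions, and the response bodies in the demo loop are constructed.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Constructed OPA response bodies: only an explicit boolean true allows.
foreach (var body in new[] { "{\"result\":true}", "{\"result\":false}", "{}", "{\"result\":\"true\"}" })
{
    using var doc = JsonDocument.Parse(body);
    Console.WriteLine($"{body} -> allowed={OpaGate.Decide(doc.RootElement)}");
}

public sealed class OpaGate
{
    // Hypothetical policy path; the HttpClient's BaseAddress is assumed to point at the sidecar.
    private const string PolicyPath = "v1/data/teller/allow";
    private static readonly string[] GatedPrefixes = { "/transactions/", "/vault/", "/branch/" };
    private readonly HttpClient _http;

    public OpaGate(HttpClient http) => _http = http;

    // The page gates POST requests under these three prefixes.
    public static bool IsGated(string method, string path) =>
        method == "POST" && Array.Exists(GatedPrefixes, p => path.StartsWith(p, StringComparison.Ordinal));

    // An undefined rule comes back as 200 with no "result" key; treat it as deny.
    public static bool Decide(JsonElement root) =>
        root.ValueKind == JsonValueKind.Object
        && root.TryGetProperty("result", out var r)
        && r.ValueKind == JsonValueKind.True;

    public async Task<bool> IsAllowedAsync(object input, CancellationToken ct = default)
    {
        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
        cts.CancelAfter(TimeSpan.FromMilliseconds(500)); // assumed time budget
        try
        {
            using var resp = await _http.PostAsJsonAsync(PolicyPath, new { input }, cts.Token);
            if (!resp.IsSuccessStatusCode) return false; // OPA error: deny
            await using var stream = await resp.Content.ReadAsStreamAsync(cts.Token);
            using var doc = await JsonDocument.ParseAsync(stream, cancellationToken: cts.Token);
            return Decide(doc.RootElement);
        }
        catch (Exception e) when (e is HttpRequestException or OperationCanceledException or JsonException)
        {
            return false; // unreachable, timed out or malformed: deny
        }
    }
}
```

The `{}` case is the one most often missed: OPA answers 200 with no `result` key when the queried rule is undefined, so a gate that checks only the HTTP status would allow the request.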