SAAKSHA Mandi v0.1.0 · MSP procurement appliance

SAAKSHA Mandi · MSP procurement-point appliance

Every lot.
Every truck.
Every payment, every audit.

A procurement-centre appliance for NAFED, FCI and CCI mandis. It reads every truck plate at the gate, grades the grain against the official FAQ circular in visible-spectrum CV, signs each lot into a BSA Section 63-aligned Ed25519 audit chain, and emits the DBT trigger artefact to PFMS — collapsing truck ID, quality assay and payment into one sub-five-minute lane workflow. Co-deploys with SAAKSHA Rail at NAFED sites.

Reference implementation / pilot-ready. Production grain-CV models and live PFMS and Aadhaar connectors land with the first NAFED pilot; the PFMS and Aadhaar adapters ship today as deterministic stubs. Available in early access — contact us to scope a pilot.

287 · Software tests: Pipeline / integration — not a grain-accuracy measure
10 · MSP commodities: Wheat · paddy · maize · mustard · gram · 3 pulses · jute · cotton
<30 min · DBT trigger latency (target): Online steady state: grading acceptance → PFMS push artefact
≥7d · Offline operation (target): Local grading; DBT queue flushes on reconnect
BSA §63 · Evidence chain: Ed25519 + SHA-256, dual-signed; aligned to the §63 certificate form
CAG · Audit export: Plain-JSON bundle, no SAAKSHA tooling to verify
8 · Operator roles: Clerk → supervisor → state → vigilance → CAG

01 — Who it's for

The cooperative buyer, not the state APMC tender.

The bottleneck at every MSP procurement centre is the manual grain assay; the pain is structural — 6-to-14-day payment delay, inter-centre grade inconsistency, and zero artefact that survives a dispute three years later. SAAKSHA Mandi attaches to the cooperative procurement buyer, sold per centre under NAFED's own Direct Purchase rules. We do not enter the state APMC tender motion.

— Buyer · 01 · NAFED MD office

Joint Secretary, NAFED HQ

Reviews parliamentary questions on MSP payment latency every week. Wants a CAG-defensible audit-chain artefact and a measurable DBT compression. Signs off centre-level procurements.

— Buyer · 02 · State coordinator

State procurement coordinator

A NAFED-state coordinator on deputation to a state marketing federation, running several hundred centres. The wedge enters here — they sign per-centre commitments under cooperative Direct Purchase rules. Needs a vernacular operator UI and a one-week install.

— Buyer · 03 · FCI procurement state

FCI Senior General Manager

Oversees several hundred wheat centres in a state under the CAG-2024 audit shadow. A second-wave buyer; engages only after a lead state produces a CAG-friendly artefact across one season, and will likely require a formal tender — we prepare the response in advance.

— Subject · 04 · Farmer + CAG

The farmer + the auditor

A smallholder selling soybean at MSP wants a 48-hour payment and a Hindi receipt they can dispute. An ICAS auditor on deputation to CAG audits the cycle and verifies every grading event offline against the public key.

02 — How a lot moves

Truck in. Graded, signed, triggered, paid.

The appliance sits next to the existing weighbridge. A gate camera reads the truck plate, the grading clerk places a sample tray under the rig, the FAQ grader returns a verdict against the circular, a supervisor accepts, and the DBT trigger artefact is composed for PFMS. Every step writes an Ed25519-signed, hash-linked audit entry. The appliance never auto-executes the payment.

Step · 01

For gate chain-of-custody

Read the plate.

PlateKit India Pro reads the HSRP / multi-line truck plate at gate-in. The read is cross-checked against NAFED's pre-published procurement record — unknown plate, unknown farmer, commodity mismatch, quantity exceeded, or unregistered centre all raise closed-enum flags.

truck_anpr.manifest_match · NAFEDManifestMatcher

Step · 02

For sub-five-second assay

Grade against the circular.

Visible-spectrum CV estimates moisture, foreign matter, broken grain, weeviled grain and lustre. The composite grader reads thresholds straight from the FAQ spec — never an operator-tunable value — and returns FAQ, UNDER_FAQ or REJECTED. Target: high agreement with accredited human graders, validated per commodity against our internal lot test set before any centre goes live; every UNDER_FAQ and REJECTED is two-operator-gated, so a borderline call is never one grader's read (design goal, not yet independently measured).

grain_quality.faq_grade · FAQGrader.grade(...)

Step · 03

For a record that survives a dispute

Sign the lot.

Acceptance writes a hash-linked audit entry signed with the centre's per-tenant Ed25519 key, then issues a one-page FAQ grading certificate carrying the plate, every percentage, the rate and the DBT amount.

cert.grading_cert · GradingCertBuilder.build(...)

Step · 04

For a much faster payment (target)

Trigger DBT — never auto-execute.

The appliance composes a DBTPaymentEvent (account hash, lot, amount in INR, audit hash) and pushes it to PFMS. Final approval rests with PSU staff in the PFMS console. We generate the trigger and observe the callback state — we never move money. The sub-30-minute latency is the online steady state; during an offline window grading continues locally and DBT triggers queue, then flush to PFMS on reconnect.

cert.dbt_trigger · DBTTriggerBuilder.trigger(...)

Step · 05

For a farmer who reads Hindi, not English

Print the receipt.

A 9-language farmer display and thermal receipt show grade, rate, quantity and DBT estimate with an Aadhaar-OTP confirmation. Aadhaar is never stored — only a one-way SHA-256 fingerprint. No farmer face is ever captured.

ui.farmer_display · FarmerRecord (aadhaar_hash)

Step · 06

For a call with financial consequence

Two operators on every reject.

A grade override, a DBT-amount override, a vigilance flag, a cert issuance, a key rotation — each needs a second, distinct operator to concur. Both signatures land in the chain. A reject can never be one grader's call.

workflows.two_operator · TwoOperatorService

03 — FAQ commodity packs

Ten commodities. The circular is the ground truth.

Each commodity ships as a closed FAQ spec — MSP per quintal, per-category under-FAQ and hard-reject thresholds, the under-FAQ rate multiplier, and the exact circular reference it matches. The grader reads these and only these; it is advisory until the circular is updated by the QCI-accredited process. We never silently re-define a Government of India acceptance standard. The rupee figures below are illustrative, anchored to RMS / KMS 2024-25; specs ship as updatable FAQ packs tied to the live circular, so each season's notification replaces them.

Wheat Paddy Maize Mustard Gram Masur Moong Urad Jute Cotton
# Wheat FAQ spec — thresholds match the circular exactly; NOT configurable.
# Circular reference: CACP Wheat FAQ RMS 2024-25 (illustrative; MSP revised each season).
WHEAT_FAQ_SPEC = CommodityFAQSpec(
    commodity=Commodity.WHEAT,
    msp_inr_per_quintal=Decimal("2425"),
    thresholds=FAQThresholds(
        moisture_pct_max=12.0,        # under-FAQ above this
        foreign_matter_pct_max=0.75,
        broken_grain_pct_max=6.0,
        weeviled_grain_pct_max=4.0,
        lustre_score_min=0.55,
        moisture_pct_reject=18.0,        # hard REJECTED above this
        foreign_matter_pct_reject=1.5,
        broken_grain_pct_reject=12.0,
        weeviled_grain_pct_reject=8.0,
    ),
    under_faq_rate_multiplier=Decimal("0.95"),   # under-FAQ paid at 95%
    circular_reference="CACP Wheat FAQ RMS 2024-25",
)

→ grade verdict is FAQ (full MSP), UNDER_FAQ (reduced rate, threshold_failures listed) or REJECTED (no payment) · failure reasons are a fixed vocabulary (moisture_too_high, foreign_matter_too_high, …), never free text.
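
The grading rule this section describes, as an added example (not SAAKSHA Mandi's own FAQGrader): the wheat thresholds above drive a three-way verdict with a fixed failure vocabulary. `grade_wheat`, `Verdict`, the reason names beyond the two quoted on the page, and the fail-closed handling of unusable reads are assumptions.

```python
import math
from dataclasses import dataclass
from decimal import Decimal

# Wheat limits copied from the spec above: (under-FAQ above, REJECTED above).
WHEAT_LIMITS = {
    "moisture": (12.0, 18.0),
    "foreign_matter": (0.75, 1.5),
    "broken_grain": (6.0, 12.0),
    "weeviled_grain": (4.0, 8.0),
}
LUSTRE_SCORE_MIN = 0.55
MSP_INR_PER_QUINTAL = Decimal("2425")
UNDER_FAQ_RATE_MULTIPLIER = Decimal("0.95")


@dataclass(frozen=True)
class Verdict:  # hypothetical result type, not the project's
    grade: str                  # "FAQ", "UNDER_FAQ" or "REJECTED"
    threshold_failures: tuple   # closed-vocabulary reasons, never free text
    rate_inr_per_quintal: Decimal


def grade_wheat(reads: dict) -> Verdict:
    """reads maps each category to a measured percent, plus "lustre" to a score."""
    for key in (*WHEAT_LIMITS, "lustre"):
        value = reads.get(key)
        # Fail closed: NaN compares False against every limit and would pass as FAQ.
        if not isinstance(value, (int, float)) or not math.isfinite(value) or value < 0:
            raise ValueError(f"unusable read for {key}: {value!r}")
    failures, rejected = [], False
    for category, (under_above, reject_above) in WHEAT_LIMITS.items():
        if reads[category] > under_above:   # a read exactly at the limit still passes
            failures.append(f"{category}_too_high")
        rejected = rejected or reads[category] > reject_above
    if reads["lustre"] < LUSTRE_SCORE_MIN:  # the spec gives lustre no hard-reject limit
        failures.append("lustre_too_low")
    if rejected:
        return Verdict("REJECTED", tuple(failures), Decimal("0"))
    if failures:
        rate = MSP_INR_PER_QUINTAL * UNDER_FAQ_RATE_MULTIPLIER
        return Verdict("UNDER_FAQ", tuple(failures), rate)
    return Verdict("FAQ", (), MSP_INR_PER_QUINTAL)
```
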

04 — The procurement-lot record

One lot. One signed artefact trail.

A MandiEvent ties the truck-ANPR read, the grain-quality read, the FAQ assessment and the audit entry to one farmer and one lot. The DBT trigger and the grading certificate hang off it. Money quantities are Decimal INR with paisa precision and Indian lakh/crore digit grouping. The full FastAPI surface is served by saaksha_mandi.web.app.

MandiEvent TruckANPRRead GrainQualityRead FAQGradeAssessment GradingCertBundle DBTPaymentEvent AuditChainEntry CAGAuditPack
# DBT trigger artefact (C-02). Status starts at trigger_generated;
# PFMS callbacks move it forward. SAAKSHA Mandi NEVER auto-pays.
# amount_inr is computed server-side from quintals × MSP.
# After pushed_to_pfms, approved_in_pfms / paid_by_pfms follow.
{
  "dbt_id":        "3f2a…-…-…",
  "tenant_id":     "NAFED-MP",
  "event_id":      "BHO-2026-05-24-0042",
  "farmer_payment_account_hash": "<sha-256, never the account number>",
  "amount_inr":     "<qty × notified MSP>",
  "triggered_ts":   "2026-05-24T07:41:18Z",
  "push_status":    "pushed_to_pfms",
  "pfms_reference": "PFMS-…"
}

# Walk the whole chain end-to-end; non-zero exit means tamper.
saaksha-mandi verify-chain \
  --db /var/lib/saaksha-mandi/bhopal-01.db \
  --tenant-id NAFED-MP \
  --public-key-hex 9bd69d3bab0a0794063b139dacac050d23a8a76a1b753879b708eef4c9051170

# A CAG pack is plain JSON — verifiable with the public key alone.
# Verify: SHA-256(manifest.json) == manifest_hash, and
# Ed25519 verify(signer_public_key, manifest.json, signature).
{
  "schema": "saaksha_mandi.cag_audit_pack.v1",
  "tenant_id": "NAFED-MP",
  "event_count": 217,
  "entries": [{ "event_id": "…", "seq": 3281,
               "prev_entry_hash_hex": "…", "event_payload_hash_hex": "…",
               "signer_key_fingerprint_hex": "…", "signature_hex": "…" }]
}

Tenant isolation is enforced per query — an operator in one tenant cannot read another's data (NAFED-MP, FCI-Punjab and the IDs above are illustrative sample tenants). Every audit entry carries prev_entry_hash, event_payload_hash, signer_key_fingerprint and a 64-byte Ed25519 signature; an append-only schema rejects any UPDATE or DELETE.
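
How an auditor can walk the hash links described above, as an added example that is not the project's verify-chain code. The canonical-JSON entry hash, the all-zero genesis anchor, `verify_links`, `build_chain` and the sample events are assumptions or constructed data; the signer fingerprint and the Ed25519 signature check on each entry are left out of this example.

```python
import hashlib
import json

GENESIS_HEX = "00" * 32  # assumed anchor for the very first entry


def entry_hash_hex(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry (assumed encoding)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_links(entries: list, payloads: dict, anchor_hex: str = GENESIS_HEX) -> list:
    """Walk the chain in order and return findings; an empty list means intact."""
    findings, prev_hash, prev_seq = [], anchor_hex, None
    for entry in entries:
        seq = entry["seq"]
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append(f"seq gap before {seq}")
        if entry["prev_entry_hash_hex"] != prev_hash:
            findings.append(f"broken link at seq {seq}")
        payload = payloads.get(entry["event_id"])  # source event bytes, if held
        if payload is not None and hashlib.sha256(payload).hexdigest() != entry["event_payload_hash_hex"]:
            findings.append(f"payload mismatch at seq {seq}")
        prev_hash, prev_seq = entry_hash_hex(entry), seq
    return findings


def build_chain(events: list, first_seq: int = 1) -> list:
    """Constructed sample data: link (event_id, payload bytes) pairs into entries."""
    chain, prev_hash = [], GENESIS_HEX
    for offset, (event_id, payload) in enumerate(events):
        entry = {
            "event_id": event_id,
            "seq": first_seq + offset,
            "prev_entry_hash_hex": prev_hash,
            "event_payload_hash_hex": hashlib.sha256(payload).hexdigest(),
        }
        chain.append(entry)
        prev_hash = entry_hash_hex(entry)
    return chain


# Constructed events, not real procurement records.
SAMPLE_EVENTS = [("EV-1", b'{"grade":"FAQ"}'), ("EV-2", b'{"grade":"UNDER_FAQ"}'),
                 ("EV-3", b'{"grade":"REJECTED"}')]
```

In this example a date-window export that starts mid-chain is checked by passing the hash of the entry just before the window as `anchor_hex`; without that anchor the first link of the window cannot be confirmed.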

05 — DBT · CAG · BSA Section 63

The record CAG audits keep asking for.

CAG audits of food-procurement operations have repeatedly flagged the absence of machine-readable, lot-level, tamper-evident grading records. SAAKSHA Mandi is built specifically to produce that kind of record. Three compliance surfaces — the DBT trigger artefact, the CAG export bundle, and the BSA Section 63-aligned evidence certificate — are real code today with deterministic stub adapters; production PFMS and PSU integrations plug behind the same Protocols, and land with the first pilot.

01 · DBT trigger

vs the 6-to-14-day paper-to-payment cycle

Sub-30-minute trigger — PFMS-bound, never auto-paid.

On acceptance, a DBTPaymentEvent is composed and pushed to PFMS within the lane. The closed DBTPushStatus lifecycle (trigger_generated → pushed_to_pfms → approved_in_pfms → paid_by_pfms) observes PFMS state; PSU staff approve the payment. We never move money — that is the line that keeps the appliance defensible.

cert.dbt_trigger · DBTPushStatus

02 · CAG export

vs aggregate weight records + complaint registers

CAG-audit-friendly bundle — verifiable with public key alone.

A date-window export emits a plain-JSON manifest plus a plain-text grade summary and per-event chain-entry hashes. An auditor verifies it with the public-key fingerprint and SHA-256 alone — no SAAKSHA-specific tooling. Issuance is two-operator-gated and itself logged into the chain.

cert.cag_audit_pack · CAGAuditPackBuilder

03 · BSA §63

vs an unsigned web form a grader can edit later

Dual-signed evidence certificate.

BSA Section 63 prescribes a certificate signed by both the person-in-charge and an expert, stating the hash value and the algorithm. The bundle is structured to meet that form: it carries the per-tenant signature plus an operator counter-signature over the signed JSON, with the algorithm fixed at ed25519+sha256 — a tamper-evident evidence bundle engineered to satisfy the §63 technical requirements (hash, algorithm, chain of custody, device identity, operator). No agriculture-procurement precedent exists yet. Admissibility in any proceeding is determined by the court.

cert.bsa_cert · BSACertBuilder

04 · federation

vs covert cross-PSU record sharing

Three-gate cross-PSU handoff.

A NAFED → FCI or CCI → NAFED grading-record handoff passes three gates: a hashed warrant artefact, distinct source and target PSU tenants (consent), and at least two distinct operators on each side. Any failed gate names itself. The grant and any revoke are hash-linked into the chain.

federation.gateway · FederationGateway

DPDP Act 2023: farmer and truck-driver data processed solely for the procurement workflow, on-prem at the centre or in the in-India cloud control plane (Mumbai + Bangalore), never cross-border. No farmer-face recognition, no audio, no continuous video. Aadhaar and bank account are stored only as one-way SHA-256 fingerprints — never the number itself.

06 — Multi-role console

Eight roles. One closed permission matrix.

Six operational consoles below, plus two admin / audit roles (CLOUD_ADMIN and READ_ONLY_AUDITOR) — eight roles in one closed permission matrix. Every console is a server-rendered FastAPI + Jinja view on the IcyCastle design system — no SPA build. The matrix is closed-set: adding a capability means editing the enum and the matrix, not flipping a runtime flag. The clerk kiosk is Hindi-first with 88px touch targets; the CAG dashboard is read-only with drill-down to the source signed event.

/clerk · MANDI_CLERK

Grading kiosk.

Hindi-first kiosk for the procurement clerk. Submit a sample, see the live FAQ verdict against the circular, issue the grading cert. View grading console, submit grading, view farmer display.

/farmer + /appeal · FARMER

Farmer display + appeal.

9-language kiosk showing grade and DBT estimate with Aadhaar-OTP confirmation, plus a farmer-side workflow to appeal a grading decision into the chain (SUBMITTED → UNDER_REVIEW → UPHELD / DISMISSED).

/supervisor · CENTRE_SUPERVISOR

Two-operator approvals.

Pending two-operator approvals queue, exceptions, and daily KPIs (events today, FAQ pass / under-FAQ / rejected, DBT triggered in INR). Initiate and concur on overrides; push DBT; read the audit chain.

/state-officer · NAFED_STATE_OFFICER

Multi-mandi rollup.

Variance heatmap across centres — flags any centre whose reject rate exceeds the state mean plus two sigma. Issues the BSA cert and grants federation gates. The rollup view for a coordinator's several hundred centres.

/vigilance · VIGILANCE_OFFICER

Forensic + appeal review.

Audit-trail forensic timeline and the farmer-appeal review queue. Open and close vigilance cases (closed-vocabulary findings), concur on two-operator gates, read the chain end-to-end.

/cag + /tenant-admin · CAG_AUDITOR · TENANT_ADMIN

CAG dashboard + admin.

Read-only aggregate KPIs with per-entry Ed25519 verify and drill-down to source; generate the CAG pack. Tenant admin handles operator enrolment, key rotation and the permission-matrix viewer.

Operator auth is badge-bound: FIDO2 for clerks, Aadhaar OTP or a Class-3 DSC for supervisors, vigilance and state officers. The audit chain references the badge ID only — the badge-to-name mapping never appears in any centre or state view, and is exposed solely through the CAG-mode export. Two further roles, CLOUD_ADMIN and READ_ONLY_AUDITOR, round out the eight.

07 — How to engage

Get started. One appliance, one centre at a time.

A retrofit that drops in beside the existing weighbridge: the appliance includes the edge accelerator, the RGB + NIR sample-tray rig, the gate camera and the receipt printer, and reuses the centre's existing weighbridge. Deployed per centre under NAFED's own cooperative Direct Purchase rules — never escalating to the GFR Rule 161(iv) Global Tender Enquiry threshold. We never sell a proprietary lab-grade assay instrument — grading runs on commodity visible / IR cameras. Available in early access; reach out to scope a NAFED pilot.

Edge appliance: IP54 fanless x86 with a Hailo M.2 accelerator, or an NDAA-clean Jetson Orin Nano variant. Sample-tray rig (RGB + NIR, cross-polarised LED ring), IP66 PoE gate camera, industrial tablet, thermal printer with Indian-script rendering. Cellular failover, 2-hour UPS hold, ≥7-day offline tolerance.

08 — Start

Compress the payment cycle.
Survive the next CAG audit.

One appliance per centre, sold under NAFED's own cooperative rules. Truck ANPR, FAQ grain CV, a BSA Section 63-aligned audit chain and a DBT trigger artefact — a reference implementation, pilot-ready. Request early access to scope a NAFED pilot.