feat: add hybx omnl stack and gas pmm tooling

services/token-aggregation/scripts/encode-omnl-mirror-payload.mjs

@@ -0,0 +1,20 @@
+#!/usr/bin/env node
+/**
+ * Encode OMNLMirrorReceiver CCIP data field (v2 with merkleRoot).
+ * Usage: node encode-omnl-mirror-payload.mjs <version> <lineId0x> <R> <validUntil> <evidence0x> <merkleRoot0x>
+ */
+import { AbiCoder } from 'ethers';
+
+const [, , v, lineId, R, validUntil, evHash, merkleRoot] = process.argv;
+if (!merkleRoot) {
+  console.error(
+    'Usage: node encode-omnl-mirror-payload.mjs <version> <lineId0x> <R> <validUntil> <evidence0x> <merkleRoot0x>'
+  );
+  process.exit(1);
+}
+const coder = AbiCoder.defaultAbiCoder();
+const data = coder.encode(
+  ['uint256', 'bytes32', 'uint256', 'uint256', 'bytes32', 'bytes32'],
+  [BigInt(v), lineId, BigInt(R), BigInt(validUntil), evHash, merkleRoot]
+);
+process.stdout.write(data + '\n');

services/token-aggregation/scripts/omnl-attestation-payload.mjs

@@ -0,0 +1,22 @@
+#!/usr/bin/env node
+/**
+ * Preview digest for off-chain attestation signing (fiat / XAU custodian flow).
+ * Uses keccak256(abi.encode(lineId, R, nonce, validUntil, evidenceKind)) — align with ops before HSM.
+ * Usage: node omnl-attestation-payload.mjs <lineId0x> <R> <nonce> <validUntil> <evidenceKind>
+ */
+import { keccak256, AbiCoder } from 'ethers';
+
+const [, , lineId, R, nonce, validUntil, evidenceKind] = process.argv;
+if (!evidenceKind) {
+  console.error(
+    'Usage: omnl-attestation-payload.mjs <lineId0x> <R> <nonce> <validUntil> <evidenceKind>'
+  );
+  process.exit(1);
+}
+const coder = AbiCoder.defaultAbiCoder();
+const encoded = coder.encode(
+  ['bytes32', 'uint256', 'uint256', 'uint256', 'string'],
+  [lineId, BigInt(R), BigInt(nonce), BigInt(validUntil), evidenceKind]
+);
+const digest = keccak256(encoded);
+process.stdout.write(JSON.stringify({ digest, encoded }, null, 2) + '\n');

services/token-aggregation/scripts/omnl-reconcile-report.mjs

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+/**
+ * Canonical reconciliation hash: IPSAS registry + journal matrix JSON (minor units / narratives unchanged).
+ * Exit 0 always; stdout JSON with sha256 for audit trail anchoring.
+ * Env: OMNL_IPSAS_GL_REGISTRY, OMNL_JOURNAL_MATRIX_PATH (optional overrides).
+ */
+import { readFileSync } from 'fs';
+import { createHash } from 'crypto';
+import { resolve } from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = fileURLToPath(new URL('.', import.meta.url));
+const regPath =
+  process.env.OMNL_IPSAS_GL_REGISTRY ||
+  resolve(__dirname, '../../../config/omnl-ipsas-gl-registry.json');
+const matrixPath =
+  process.env.OMNL_JOURNAL_MATRIX_PATH ||
+  resolve(__dirname, '../../../config/omnl-journal-matrix.json');
+
+const reg = readFileSync(regPath, 'utf8');
+const matrix = readFileSync(matrixPath, 'utf8');
+const canonical = JSON.stringify({
+  registry: JSON.parse(reg),
+  matrix: JSON.parse(matrix),
+});
+const sha256 = createHash('sha256').update(canonical).digest('hex');
+const out = {
+  ok: true,
+  sha256,
+  registryPath: regPath,
+  matrixPath: matrixPath,
+  generatedAt: new Date().toISOString(),
+};
+process.stdout.write(JSON.stringify(out, null, 2) + '\n');

services/token-aggregation/scripts/omnl-reconcile-stub.mjs

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+/**
+ * Back-compat entry: delegates to IPSAS + journal-matrix anchor (`omnl-reconcile-report.mjs`).
+ * For custodian/bank ↔ on-chain Merkle workflows, extend that script or add a separate job; do not fork the anchor format without updating ops runbooks.
+ */
+import { spawnSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const dir = dirname(fileURLToPath(import.meta.url));
+const report = join(dir, 'omnl-reconcile-report.mjs');
+const r = spawnSync(process.execPath, [report], { stdio: 'inherit' });
+process.exit(r.status ?? 1);

services/token-aggregation/scripts/omnl-ttl-monitor.mjs

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+/**
+ * Exit 1 if reporting is not compliant (policy + freshness + ops) or RPC error.
+ * Env: RPC, OMNL_COMPLIANCE_CORE_*, OMNL_MONITOR_LINE_ID, OMNL_MONITOR_CHAIN_ID
+ */
+import { Contract, JsonRpcProvider } from 'ethers';
+
+const ABI = [
+  'function getCompliance(bytes32 lineId) view returns (uint256 s0, uint256 s1, uint256 r, uint256 validUntil, bytes32 evidenceHash, bytes32 merkleRoot, uint256 minR, uint256 maxS1, bool m0Ok, bool m1Ok, bool attestationStale, bool policyOk, bool operational, bool reportingCompliant)',
+];
+
+async function main() {
+  const chainId = parseInt(process.env.OMNL_MONITOR_CHAIN_ID || '138', 10);
+  const lineId = process.env.OMNL_MONITOR_LINE_ID;
+  const addr =
+    chainId === 138
+      ? process.env.OMNL_COMPLIANCE_CORE_138
+      : chainId === 651940
+        ? process.env.OMNL_COMPLIANCE_CORE_651940
+        : process.env[`OMNL_COMPLIANCE_CORE_${chainId}`];
+  const rpc =
+    chainId === 138
+      ? process.env.RPC_URL_138 || process.env.RPC_URL
+      : process.env.CHAIN_651940_RPC_URL || 'https://mainnet-rpc.alltra.global';
+
+  if (!lineId || !addr || !rpc) {
+    console.error('Set OMNL_MONITOR_LINE_ID, OMNL_COMPLIANCE_CORE_*, and RPC for chain');
+    process.exit(2);
+  }
+
+  const provider = new JsonRpcProvider(rpc, chainId);
+  const c = new Contract(addr, ABI, provider);
+  const r = await c.getCompliance(lineId);
+  const ok = r.reportingCompliant;
+  console.log(
+    JSON.stringify({
+      chainId,
+      reportingCompliant: ok,
+      policyOk: r.policyOk,
+      attestationStale: r.attestationStale,
+      operational: r.operational,
+      validUntil: r.validUntil.toString(),
+    })
+  );
+  if (!ok) process.exit(1);
+}
+
+main().catch((e) => {
+  console.error(e);
+  process.exit(2);
+});