# Operational compliance (OMNL)
## Webhooks

- Configure `OMNL_WEBHOOK_URLS` (comma-separated HTTPS endpoints).
- Set `OMNL_WEBHOOK_SECRET`. Each POST body is UTF-8 JSON; `X-OMNL-Signature` = `sha256=` + hex(HMAC-SHA256(secret, rawBody)), computed over the same bytes as the request body. Use `verifyOmnlWebhookSignature()` from `omnl-webhooks.ts` or reimplement with the same algorithm. Timing-safe compare the full header value.
- Payloads include `deliveryId` (e.g. `138-12345-2`) for idempotent processing at the receiver.
- Prefer allowlists and TLS 1.2+ only; rotate secrets on break-glass.
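The receiver side of the scheme above, as an added example rather than the project's `omnl-webhooks.ts`: the signature is recomputed over the raw request bytes (never over re-serialised JSON), compared timing-safely against the full header value, and only then is `deliveryId` used to drop replays. The names `signOmnlBody`, `verifyOmnlSignature` and `OmnlWebhookReceiver`, the in-memory `seen` set and the sample body are assumptions for this illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not the project's omnl-webhooks.ts): reimplements the documented
// scheme. The function and class names below are hypothetical.

/** Builds the X-OMNL-Signature value: "sha256=" + hex(HMAC-SHA256(secret, rawBody)). */
function signOmnlBody(secret: string, rawBody: Buffer): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

/** Timing-safe comparison of the full header value against the expected signature. */
function verifyOmnlSignature(secret: string, rawBody: Buffer, header: string | undefined): boolean {
  if (typeof header !== "string") return false;
  const expected = Buffer.from(signOmnlBody(secret, rawBody), "utf8");
  const received = Buffer.from(header, "utf8");
  // timingSafeEqual throws on length mismatch; a mismatched length can never be valid anyway.
  return expected.length === received.length && timingSafeEqual(expected, received);
}

type DeliveryOutcome = "rejected" | "duplicate" | "processed";

/** Receiver that verifies the raw body first and then deduplicates on deliveryId. */
class OmnlWebhookReceiver {
  private readonly secret: string;
  // Assumption: in-memory set for the demo; a real receiver persists seen deliveryIds.
  private readonly seen = new Set<string>();

  constructor(secret: string) {
    this.secret = secret;
  }

  handle(rawBody: Buffer, signatureHeader: string | undefined): DeliveryOutcome {
    // Verify before parsing: the MAC covers the exact bytes received.
    if (!verifyOmnlSignature(this.secret, rawBody, signatureHeader)) return "rejected";
    const payload = JSON.parse(rawBody.toString("utf8")) as { deliveryId?: unknown };
    if (typeof payload.deliveryId !== "string") return "rejected";
    if (this.seen.has(payload.deliveryId)) return "duplicate";
    this.seen.add(payload.deliveryId);
    // ...process the event here; a redelivery of the same deliveryId is now a no-op...
    return "processed";
  }
}

// Constructed sample delivery (not captured from a real system).
const SAMPLE_SECRET = "constructed-demo-secret";
const SAMPLE_BODY = Buffer.from(
  JSON.stringify({ deliveryId: "138-12345-2", event: "reserve.commit", lineId: "LINE-A" }),
  "utf8",
);
const SAMPLE_SIGNATURE = signOmnlBody(SAMPLE_SECRET, SAMPLE_BODY);
```

Keep the raw body buffer from the HTTP layer (for example, read it before any JSON body parser runs); a signature computed over `JSON.stringify(JSON.parse(body))` will fail whenever key order or whitespace differs from what the sender emitted.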
## API hardening

- `OMNL_API_KEY`: when set, `GET /api/v1/omnl/ipsas/fineract-compare` and `.../compliance-context/:lineId` require `Authorization: Bearer <key>` or `?access_token=<key>`.
- `OMNL_DASHBOARD_TOKEN`: when set, `GET /omnl/dashboard` requires the same token via `?access_token=` or the header `X-OMNL-Dashboard-Token`. For Fineract compare in the embedded page, open `/omnl/dashboard?access_token=<OMNL_API_KEY>` so the script can call protected routes.
- OMNL rate limit: `OMNL_RATE_LIMIT_MAX` / `OMNL_RATE_LIMIT_WINDOW_MS` (default 30/min per IP on `/api/v1/omnl/*`, in addition to the global API limiter).
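The two controls above, bearer/query-token authorization on the protected routes and the per-IP limiter, written framework-free as an added example (not the project's middleware). The request shape `OmnlRequest`, the names `authorizeOmnlApi` and `OmnlRateLimiter`, the fixed-window algorithm, and the assumption that the `compliance-context` route lives under `/api/v1/omnl/` like the compare route are all illustration choices, not facts from the page.

```typescript
import { timingSafeEqual } from "node:crypto";

// Added example (not the project's code). Request shape and names are hypothetical.
interface OmnlRequest {
  method: string;
  path: string;
  ip: string;
  headers: Record<string, string | undefined>; // header names lower-cased
  query: Record<string, string | undefined>;
}

/** Constant-time token comparison; a length mismatch is simply a mismatch. */
function tokenMatches(presented: string | undefined, expected: string): boolean {
  if (typeof presented !== "string") return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

/** Accepts either "Authorization: Bearer <key>" or "?access_token=<key>". */
function presentedApiKey(req: OmnlRequest): string | undefined {
  const auth = req.headers["authorization"];
  if (auth !== undefined && auth.startsWith("Bearer ")) return auth.slice("Bearer ".length);
  return req.query["access_token"];
}

// Routes named on the page; the compliance-context prefix is an assumption.
const PROTECTED_ROUTES = [
  /^\/api\/v1\/omnl\/ipsas\/fineract-compare$/,
  /^\/api\/v1\/omnl\/compliance-context\/[^/]+$/,
];

/** Returns the HTTP status to respond with: 200 to continue, 401 to reject. */
function authorizeOmnlApi(req: OmnlRequest, apiKey: string | undefined): number {
  if (apiKey === undefined || apiKey === "") return 200; // OMNL_API_KEY unset: no check applied
  if (!PROTECTED_ROUTES.some((re) => re.test(req.path))) return 200;
  return tokenMatches(presentedApiKey(req), apiKey) ? 200 : 401;
}

/** Fixed-window per-IP limiter sized from OMNL_RATE_LIMIT_MAX / OMNL_RATE_LIMIT_WINDOW_MS. */
class OmnlRateLimiter {
  private readonly max: number;
  private readonly windowMs: number;
  private readonly windows = new Map<string, { start: number; count: number }>();

  constructor(max = 30, windowMs = 60_000) {
    this.max = max;
    this.windowMs = windowMs;
  }

  /** True if the request may proceed; `now` is injectable for tests. */
  allow(ip: string, now: number = Date.now()): boolean {
    const w = this.windows.get(ip);
    if (w === undefined || now - w.start >= this.windowMs) {
      this.windows.set(ip, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= this.max;
  }
}
```

When the limiter sits behind a proxy, derive `ip` from the trusted proxy's forwarded header, not the raw socket address, or every client collapses into one bucket.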
## Logs and retention

- Reserve commit and compliance events are emitted to application logs; align retention with your policy (often 90 days minimum for financial audit support).
- Config anchor (IPSAS / journal matrix): after registry/matrix JSON changes, run `bash scripts/hybx-omnl/omnl-reconcile-artifact.sh`. This hashes off-chain config files only, not custodian bank balances vs on-chain `R`. Use a separate control for bank ↔ on-chain reconciliation if required by your auditor.
- Automate anchors via cron or GitHub Actions; see `OMNL_RECONCILE_CRON_AND_CI.md`.
## Poller state

- `OMNL_POLLER_STATE_PATH`: optional path for a JSON file storing the last processed block per chain (default: `.omnl-poller-state.json` in cwd). Survives restarts to avoid re-querying large ranges; webhook consumers should still treat `deliveryId` as idempotent.
## Recommended alerts (operational)

Wire your log/metrics stack to alert on:

- Webhook POST failures (warn logs from `omnl-webhooks.ts`).
- `reportingCompliant === false` or `attestationStale` from compliance APIs for critical `lineId`s.
- `mirror-status` / `inSync === false` when both reserve stores are configured.
- Repeated `401` on OMNL routes (possible credential scanning).
## Break-glass

- Document who can pause `OMNLCircuitBreaker` and rotate coordinator keys; store procedures outside this repo per org policy.
## Data minimization

- Webhook payloads avoid full PII; line IDs and hashes only unless contractually required.