feat(omnl): HYBX-BATCH-001 package, rail scripts, regulatory docs, CI

- Add OMNL/CBK Indonesia submission and audit binder docs, manifests, attestations
- Add scripts/omnl transaction-package pipeline, LEI/PvP helpers, jq/lib fixtures
- Update entity master data, MASTER_INDEX, TODOS, dbis-rail docs and rulebook
- Add proof_package/regulatory skeleton and transaction package zip + snapshot JSON
- validate-omnl-rail workflow, forge-verification-proxy tweak, .gitignore hygiene
- Bump smom-dbis-138 (cronos verify docs/scripts) and explorer-monorepo (SPA + env report)

Made-with: Cursor

proof_package/regulatory/.gitignore

@@ -0,0 +1,2 @@
+# Signed production attestation (may contain names / internal refs) — keep local or in vault
+INSTITUTIONAL_PACKAGE_SCORE_ATTESTATION_4_995.json

proof_package/regulatory/README.md

@@ -0,0 +1,17 @@
+# Regulatory attestation (4.995)
+
+Canonical attestation (OMNL officer names, scores): **`docs/04-configuration/mifos-omnl-central-bank/INSTITUTIONAL_PACKAGE_SCORE_ATTESTATION_4_995.json`**.
+
+The zip build copies **`proof_package/regulatory/INSTITUTIONAL_PACKAGE_SCORE_ATTESTATION_4_995.json`** when present; otherwise it uses the **docs** path above.
+
+**SUBREG PDF hashes:** When counsel memo and audit report PDFs exist locally, run:
+
+`COUNSEL_PDF=/path/to/memo.pdf AUDIT_PDF=/path/to/audit.pdf bash scripts/omnl/patch-attestation-subreg-pdf-hashes.sh`
+
+(then `bash scripts/omnl/build-transaction-package-zip.sh`).
+
+Override path: `PACKAGE_4995_ATTESTATION_JSON=/path/to/file.json` when running `build-transaction-package-zip.sh`.
+
+**Do not commit** production attestation with real names if policy forbids; use vault or CI secret store.
+
+This folder’s **`.gitignore`** ignores `INSTITUTIONAL_PACKAGE_SCORE_ATTESTATION_4_995.json` so a local signed file is not pushed by mistake; remove from `.gitignore` if your policy requires versioning attestations.