Cardano Updates

Make `cardano_node_adversary` the dress rehearsal for the future
master testnet — the state master will reach when the adversary
container is promoted into it.

Adversary's compose now equals master's compose verbatim plus the
adversary service stanza (slotted between sidecar and
tracer-sidecar). Concrete additions:

- tx-generator service + asteria-game service (both newly active
  in master via ecf7910).
- Restored container_name labels, original config-comment
  annotations, and the default network's `name:` so the diff
  master → adversary is exactly +adversary-block.
- New volumes asteria-game-db + asteria-deploy needed by
  asteria-game.

The tracer-sidecar pin stays on the post-#129 build (8dbf509) so
adversary keeps the Layer 3 fork-depth checklist; master will pick
it up when adversary is promoted in a follow-up.

Smoke-tested locally: 3 producers responding, adversary driver
hits p1 cleanly, tx-generator drove 5/5 transacts, asteria
indexer observed refill UTxO.

Make `cardano_node_adversary` the dress rehearsal for the future
master testnet — the state master will reach when the adversary
container is promoted into it.

Adversary's compose now equals master's compose verbatim plus the
adversary service stanza (slotted between sidecar and
tracer-sidecar). Concrete additions:

- tx-generator service + asteria-game service (both newly active
  in master via ecf7910).
- Restored container_name labels, original config-comment
  annotations, and the default network's `name:` so the diff
  master → adversary is exactly +adversary-block.
- New volumes asteria-game-db + asteria-deploy needed by
  asteria-game.

The tracer-sidecar pin stays on the post-#129 build (8dbf509) so
adversary keeps the Layer 3 fork-depth checklist; master will pick
it up when adversary is promoted in a follow-up.

Smoke-tested locally: 3 producers responding, adversary driver
hits p1 cleanly, tx-generator drove 5/5 transacts, asteria
indexer observed refill UTxO.

Rework custom validators to work with generic rules

New Huddle example `tagRangeExample`: `foo<a> = #6.1280(a) / #6.1400(a)`
used at `[foo<uint>, foo<nint>]`, with a custom generator that picks any
tag in `1280..1400` (biased toward the edges via `frequency`) and a
custom validator accepting the same range. Both delegate to the bound
generic type via `generateFromGRef` / `validateFromGRef`.

Wired into the `Generated value validates` round-trip suite, plus a
separate property that classifies tag samples to surface edge
coverage (33% edge / 67% middle).

Custom generators and validators attached to a generic Huddle rule can
now look up the type bound to a generic parameter at the enclosing
rule. Add `generateFromGRef` and `validateFromGRef` helpers, plus
`validateFromName`. Custom closures attached to generic rules are
wrapped at monomorphization time to install the active local bindings
into `geLocal`/`veLocal` on `GenEnv`/`ValidateEnv`, which a new
`lookupGRef` method on `MonadCddl` consults.

`runCBORValidator` now takes a `CTreeRoot ValidatorPhase` directly.
`GRef` moves to `Codec.CBOR.Cuddle.CDDL` so lower-level modules can
use it; `Huddle` re-exports it without the constructor.

JWT.verify did not validate the nbf (not before) claim, so JWTs with
nbf in the future were incorrectly considered valid. This is a
security issue per RFC 7519 Section 4.1.5.

Added an explicit nbf check after JWT decode: if nbf is present and
the current time is before it, verify() returns false. JWTs without
an nbf claim keep the previous behavior (no nbf enforced).

This is a sister fix to #489/#550 (which addressed the exp claim).

Adding the nbf check exposed pre-existing bugs in JWT/SDJWT creation
paths that emitted nbf as milliseconds (Date.now()) instead of
seconds (NumericDate per RFC 7519). Without correction these tokens
would be rejected by the new check, breaking
createPresentationForRequestProof and credential issuance. Three
creation sites are corrected to seconds:

  - src/plugins/internal/dif/PresentationRequest.ts (VP nbf)
  - src/plugins/internal/didcomm/tasks/HandleRequestCredential.ts
    (JWT and SDJWT credential nbf)

The hardcoded VP JWT in tests/plugins/dif/PresentationVerify.test.ts
and the credential fixture in tests/fixtures/credentials/jwt.ts
contained nbf in milliseconds and have been regenerated with valid
(seconds) timestamps. Inline currentDate.getTime() test data has
been corrected to Math.floor(.../1000).

Note: iat and exp in the same creation paths are also emitted as
milliseconds; this does not block the new nbf check (exp in ms is
interpreted as far future and passes) but violates RFC 7519. Filed
separately.

Closes #551

Signed-off-by: Seydi Charyyev <[email protected]>

Add the conter thread to the test cases.
Add meta tests for AppV2 generators/shrinkers

New Huddle example `tagRangeExample`: `foo<a> = #6.1280(a) / #6.1400(a)`
used at `[foo<uint>, foo<nint>]`, with a custom generator that picks any
tag in `1280..1400` (biased toward the edges via `frequency`) and a
custom validator accepting the same range. Both delegate to the bound
generic type via `generateFromGRef` / `validateFromGRef`.

Wired into the `Generated value validates` round-trip suite, plus a
separate property that classifies tag samples to surface edge
coverage (~38% edge / ~62% middle).

Custom generators and validators attached to a generic Huddle rule can
now look up the type bound to a generic parameter at the enclosing
rule. Add `generateFromGRef` and `validateFromGRef` helpers, plus
`validateFromName`. Custom closures attached to generic rules are
wrapped at monomorphization time to install the active local bindings
into `geLocal`/`veLocal` on `GenEnv`/`ValidateEnv`, which a new
`lookupGRef` method on `MonadCddl` consults.

`runCBORValidator` now takes a `CTreeRoot ValidatorPhase` directly.
`GRef` moves to `Codec.CBOR.Cuddle.CDDL` so lower-level modules can
use it; `Huddle` re-exports it without the constructor.