Cardano Updates

The "test" workflow_dispatch input was declared but never read —
TESTNET was hardcoded at the env level. With this one-line fix,
manual dispatches can target any testnets/<dir> (e.g.
testnets/asteria_game/) while the cron schedule keeps its
default of cardano_node_master.

Closes the always-true admin_mint placeholder PR #67 ships. The
bootstrap's "no double-mint on container restart" contract was
previously enforced only by the off-chain isAlreadyDeployed
check; this commit puts the contract on chain.

Aiken side (components/asteria-game/aiken/validators/admin_mint.ak):
  - validator admin_mint(seed: OutputReference) succeeds iff the
    tx consumes the seed AND the bundle minted under this policy
    is exactly [(asteriaAdmin, 1)]. Seed consumption is permanent
    on Cardano UTxO, so admin_mint can fire at most once across
    all chain history.
  - aiken/plutus.json regenerated; admin_mint now declares one
    parameter "seed". All 91 existing tests pass.
  - apply-params.sh / plutus-applied.json no longer in the build
    path — Haskell applies the seed at runtime.

Haskell side:
  - new Asteria.Validators.applyScripts: takes a seed TxIn and
    returns AppliedScripts { adminMint, pellet, asteria,
    spacetime } with both Plutus scripts and ledger-side hashes.
    Built on plutus-ledger-api's uncheckedDeserialiseUPLC +
    UntypedPlutusCore.applyProgram + serialiseUPLC. Hash
    dependencies are threaded in declaration order
    (admin_mint → pellet → asteria → spacetime).
  - new Asteria.Deploy module: read/write
    /asteria-deploy/seed.json. Bootstrap is the only writer;
    player + invariant are readers. ASTERIA_DEPLOY_DIR env var
    overrides the path.
  - BootstrapMain: reads seed.json on startup. If present,
    re-derives the same scripts (deterministic). If absent,
    picks a fresh wallet UTxO via pickWalletUtxo, writes the
    seed to disk BEFORE submitting the deploy tx (durable order
    so a crash leaves either no file or a consistent file).
    isAlreadyDeployed simplified to "any UTxO at the per-deploy
    asteria addr" — under the one-shot policy at most one such
    UTxO can ever exist.
  - PlayerMain + InvariantMain: read seed.json, applyScripts,
    use AppliedScripts.as{Asteria,Spacetime,Pellet,AdminMint}
    {Script,Hash} in place of former top-level constants. If
    seed file missing, emit asteria_*_seed_missing_<id>
    sdkUnreachable and exit cleanly (correct: bootstrap hasn't
    run yet on this cluster).

Compose:
  - new asteria-deploy named volume mounted at /asteria-deploy
    on the asteria-game container.

Locally validated end-to-end on testnets/asteria_game/:
  - pre-bootstrap: asteria_invariant_seed_missing_admin_singleton
    fires (correct)
  - bootstrap cold: asteria_bootstrap_seed_picked +
    asteria_bootstrap_seed_persisted + asteria_bootstrap_asteria_created
    (asteria addr is now per-seed: 77a02b8e... instead of the
    previous hardcoded 0824601a...)
  - container restart: asteria_bootstrap_seed_reused +
    asteria_bootstrap_already_deployed short-circuit
  - spawn: asteria_player_ship_spawned_1 succeeds with the
    seed-derived validators
  - consistency: ship_counter=1, ship_token_count=1, hit=true
  - admin_singleton: count=1, hit=true (post-bootstrap and
    post-spawn)

Findings root cause from run https://github.com/cardano-foundation/cardano-node-antithesis/actions/runs/25224228713
report: the failing
"Always: Commands finish with zero exit code →
chain-sync-client/parallel_driver_flaky_chain_sync.sh"
property was tripped by the SIDECAR container, not the adversary
container.

The Antithesis composer walks every container's
/opt/antithesis/test/v1/ for scripts and dispatches anything it
finds. The adversary container's parallel_driver dispatches and
returns the daemon's structured response; that's the intended
path. But the sidecar container, pinned at sidecar:f889dbc, is
from BEFORE PR #99 removed components/sidecar/composer/chain-sync-client/.
That stale image still ships the script that requires
CHAINPOINT_FILEPATH (which we no longer set on the sidecar
service) — and it just `adversary "$@"`s with no SDK assertions,
so it failed immediately:

  chain-sync-client/parallel_driver_flaky_chain_sync.sh sidecar.example
  Error: CHAINPOINT_FILEPATH environment variable is not set

Bumping the pin to a9e7743 (current branch tip, which exists on
origin) forces publish-images to rebuild the sidecar image from
this commit's components/sidecar/composer/ tree — which has only
`convergence/`, no `chain-sync-client/`. Once published, the
sidecar container in this testnet won't dispatch any chain-sync
script, and the only `parallel_driver_flaky_chain_sync.sh` in
play comes from the adversary container as intended.

cardano_node_master is unchanged (its sidecar pin stays at
:f889dbc per the master-readonly rule). When the time comes to
fix master, that's a separate explicit PR.

Main parks tx-generator (43bf739/8c45f76/d78c7b1 in
cardano-node-antithesis) so the cron run on main targets
a tx-generator-free reference cluster. But Antithesis
launches the cluster from compose AS-IS; passing
'-f tx-generator.disabled.yaml' isn't an option through
moog's launcher. So a 1h workflow_dispatch on this
branch needs the service un-parked HERE — otherwise the
Antithesis cluster has no daemon and the run is a no-op
for our verification.

Image points at the tag we pre-pushed earlier
(tx-generator:8c53529, digest sha256:3c13a0f3...).

When this PR merges, tx-generator becomes active on
master again. If we want to keep main tx-generator-free,
the merge should be staged with a follow-up commit that
re-parks it after Antithesis verification.

PR #114 merged to upstream main (commit
67935ff9c8dadbbdd8ec1b92a14e1f5e9e5d1f80). Repoint per
the *Pins main only* rule — PR #98 can now merge to
downstream main without a feature-branch pin.

narHash unchanged from the pre-merge feature-branch SHA;
image content (tx-generator:8c53529) is byte-identical
to what was already pre-pushed to GHCR.

In `conwayGovTransition`, we remove the condition on
`hardforkConwayBootstrapPhase` for checking `ZeroTreasuryWithdrawals`.

We then replayed the preview, preprod and mainnet public chains with
this change which guarentees there were no empty treasury withdrawals
pre-Conway era.

Signed-off-by: Doc Holiday <[email protected]>

Signed-off-by: Doc Holiday <[email protected]>

Signed-off-by: Doc Holiday <[email protected]>

Signed-off-by: Doc Holiday <[email protected]>

Passive observer — tails cardano-tracer's per-node JSON logs to its
own stdout so Antithesis Logs Explorer indexes them under
source=log-tailer. Read-only on the tracer volume; does not
generate any workload of its own.

Removed earlier when stripping workload services for adversary
isolation, but log-tailer isn't a perturbator — it's a diagnostic
sidecar. Adding it back lets us query node-level events via Logs
Explorer when triaging adversary effects.

The tx-generator daemon produces background transaction traffic.
On testnets/asteria_game/ we explicitly want the asteria game's
own spawnShip / move / mine / quit traffic to be the only chain
activity — anything else is noise that distorts the report's
view of the workload we're scoring.

Service list now: configurator (one-shot), p1/p2/p3 producers,
relay1/relay2 relays, tracer, tracer-sidecar, sidecar,
log-tailer, asteria-game. Observability + chain telemetry
preserved; only the synthetic-traffic generator removed.

Expand upon transaction examples by adding missing fields.

Picks up the upstream PR #114 pin + composer always-exit-0
fixes. Tag points at the locally-built image we just
pushed to GHCR (digest sha256:...).

Activated via:
  docker compose -f testnets/cardano_node_master/docker-compose.yaml \
                 -f testnets/cardano_node_master/tx-generator.disabled.yaml up

Three composer-side fixes folded into one commit, against
findings from prior Antithesis runs (most recent:
https://cardano.antithesis.com/report/tilehuSggX4cnuy5qyXfwpqI/2ZUJSYUipLqm3Dlbo9R3rjrS7i7dYJ_mc8FwikFqYLg.html).

1. (https://github.com/cardano-foundation/cardano-node-antithesis/issues/105)
   Switch tx_generator_*_not_applicable from
   'sdk_sometimes false' to 'sdk_reachable'. Antithesis
   grades a Sometimes assertion as PASSING when ≥1 sample
   has condition=true; we always emit condition=false for
   not-applicable, so that type can never satisfy.
   Reachability is the right shape — accumulates samples
   without a pass/fail grade.

2. (https://github.com/cardano-foundation/cardano-node-antithesis/issues/106)
   Replace 'set -euo pipefail' with 'set -u'. Always exit
   0; encode tick state purely via SDK assertions
   (asteria-stub convention: parallel_driver_heartbeat.sh
   in components/asteria-stub/composer/stub/).
   Antithesis's built-in 'Always: Commands finish with
   zero exit code' property has no opt-out; any non-zero
   exit fails it. The previous 'exit 1 on not-applicable'
   pattern would have worked if the property could be
   suppressed but it can't.

3. Wrap nc in '|| true', check for empty RSP, and on
   empty emit a tx_generator_*_daemon_unreachable
   reachability event then exit 0. Fixes the case where
   the composer fires a driver before the daemon's control
   socket is bound during early boot — without this, the
   'set -e' (now removed) would kill the script before any
   exit-0 path runs, and even with 'set -u' alone, the
   subsequent jq parse on empty input emits stderr noise.

4. eventually_population_grew.sh: distinguish "daemon
   unreachable" from "daemon says populationSize=0". Fire
   did_not_grow only when the snapshot RSP is non-empty
   AND parses as JSON. Otherwise emit
   tx_generator_eventually_daemon_unreachable
   reachability + exit 0.

5. parallel_driver_refill.sh: include 'index-not-ready' in
   the not-applicable case set. After
   cardano-node-clients#110 (freshness gate) and #114
   (pre-submit chain-tip probe), the refill arm returns
   IndexNotReady during the post-reconnect stale window;
   the composer should treat this as a documented
   not-applicable, not unknown-failure.

The submit-rejected paths keep their sdk_unreachable
(strict) framing — the daemon-side fixes (#105/#110/#114)
are expected to drive these to zero. The next 1h
Antithesis dispatch on this branch verifies the full stack.

Picks up the pre-submit chain-tip UTxO probe — the
second-line defense for duplicate-submit-after-reconnect
that PR #110's freshness gate alone couldn't cover
(https://github.com/lambdasistemi/cardano-node-clients/pull/114
closes lambdasistemi/cardano-node-clients#111).

Stacks the full reconnect-resilience suite from upstream:
  * #105 — N2C reconnect supervisor + BlockedIndefinitelyOnSTM catch
  * #110 — post-reconnect indexer freshness gate (rsIndexFresh)
  * #114 — pre-submit chain-tip UTxO probe (this bump)

Will be re-pinned to the upstream main merge SHA before
this PR merges, per *Pins main only*.

This reverts commit 80aaa6e37ba42b49172e1acbbb4ce2a2f7387573.