feat(5288): script-witness support in Transaction.Ledger (#5291)
## Resolves
- #5288 — script-witness support in `Transaction.Ledger`.
- Parent: #5243 (transaction-layer cardano-api removal).
- Blocks: #5285.
## Status
Ready for review.
Implementation commit: `3cb6e7ae9bd954a47a23bcadd4f40cb11e0fa541`.
Finalization commit: `309f58bb9ff589135cd85a558e937d96c07965d5`.
CI warning fix: `8c717bf2a8a6139381533fa0772516c6934a5d2d`.
## Delivered Scope
`Cardano.Wallet.Shelley.Transaction.Ledger` now accepts the
script-witness surface currently consumed by legacy `mkUnsignedTx`:
- `swNativeInputs :: Map TxIn (Script KeyHash)` — native spending
witnesses.
- `swStakingScript :: Maybe (Script KeyHash)` — staking-credential
script for withdrawals and certificates.
- `swMintingSources :: Map AssetId ScriptSource` — local mint scripts
and reference-input mint policies.
- `swReferenceScript :: Maybe (Script KeyHash)` — output-attached
reference script.
The default `noScriptWitnesses` preserves the existing production call
sites in `mkTransaction` and `constructUnsignedTxLedger`. `mkUnsignedTx`
and `mkUnsignedTransaction` are intentionally unchanged; their migration
remains #5285.
The new builder mirrors the legacy body/witness shape, including
reference-input minting and the legacy one-witness-per-token-policy
merge for local mint scripts.
## Tests
Added `Cardano.Wallet.Shelley.TransactionLedgerSpec` coverage for:
- six enumerated Conway parity scenarios: native input script, staking
script, local mint, reference-input mint, output reference script, and
mixed witnesses,
- `prop_buildLedgerTx_matches_mkUnsignedTx_on_script_witnesses` with 100
QuickCheck cases,
- body-CBOR equality and `witsTxL . scriptTxWitsL` equality between
legacy and ledger-native builders.
## Local Verification
Fresh local gate at implementation HEAD
`3cb6e7ae9bd954a47a23bcadd4f40cb11e0fa541` before the final `gate.sh`
removal commit:
```text
./gate.sh
Cardano.Wallet.Shelley.TransactionLedger: 27 examples, 0 failures
prop_buildLedgerTx_matches_mkUnsignedTx_on_script_witnesses: OK, passed 100 tests
HLint: No hints
exit 0
```
The exact earlier failing property seed was also rerun before the full
gate:
```text
--seed 1404754578
1 example, 0 failures
OK, passed 100 tests
```
CI-warning repair at `8c717bf2a8a6139381533fa0772516c6934a5d2d` was
verified locally with the same Nix surfaces as the failed GitHub job:
```text
git diff --check
exit 0
nix build --quiet .#unit-cardano-wallet-unit
exit 0
nix build --quiet .#cardano-wallet .#cardano-node .#cardano-cli .#local-cluster .#integration-exe .#test-local-cluster-exe .#unit-cardano-wallet-unit .#unit-cardano-numeric .#unit-cardano-wallet-primitive .#unit-cardano-wallet-secrets .#unit-cardano-wallet-test-utils .#unit-cardano-wallet-launcher .#unit-cardano-wallet-network-layer .#unit-cardano-wallet-application-tls .#unit-cardano-wallet-blackbox-benchmarks .#unit-delta-chain .#unit-delta-store .#unit-delta-table .#unit-delta-types .#unit-std-gen-seed .#unit-wai-middleware-logging .#unit-benchmark-history .#wallet-key-export .#wallet-key-export-test
exit 0
```
Finalization audit at `309f58bb9ff589135cd85a558e937d96c07965d5`:
```text
OK: every commit passes the message gate; tasks.md is complete.
git show --check HEAD: clean
```
No files under `lib/integration/**` are touched by this branch.
## Non-goals
- No migration of `mkUnsignedTransaction` itself (#5285).
- No new Dijkstra-era behaviour (#5209).
- No changes under `lib/integration/**`.
- No removal of the `cardano-api` build-dep (#5290).
- No changes to transaction signing (#5289).
## Live-boundary Check
The live-boundary diagnostic returns "none" for this slice: the parity
proof compares CBOR bytes of two pure builders over hand-rolled
selections; no node/database/API boundary is in the picture (see
`plan.md` "Live-boundary check").
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4&s=80)
