Cardano Updates

Signed-off-by: Akhil Repala <[email protected]>

Bumps [github.com/blinklabs-io/plutigo](https://github.com/blinklabs-io/plutigo) from 0.1.13 to 0.1.14.
- [Release notes](https://github.com/blinklabs-io/plutigo/releases)
- [Changelog](https://github.com/blinklabs-io/plutigo/blob/main/RELEASE_NOTES.md)
- [Commits](https://github.com/blinklabs-io/plutigo/compare/v0.1.13...v0.1.14)

---
updated-dependencies:
- dependency-name: github.com/blinklabs-io/plutigo
  dependency-version: 0.1.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Chris Gianelloni <[email protected]>

  withCRSLookup only checked txOutReferenceScript (script hash) but not
  txOutAddress. An attacker could create a UTxO at any address, attach the
  legitimate CRS script as a reference, and provide malicious G2 identity
  elements as datum — bypassing the KZG membership check and fanning out
  arbitrary outputs after the contestation deadline.

  Fix: add addressCredential (txOutAddress resolved) == ScriptCredential
  expectedHash check. Since expectedHash is already compiled into the head
  validator, no new parameters are needed. Move CRS UTxO publishing to the
  CRS script address (which already always-fails) so the on-chain check is
  self-consistent. Update the test generator to match.

  Add WrongAddressCRS mutation tests to FinalPartialFanout, PartialFanout,
  and FanOut (the full fanout path had no CRS mutation coverage at all).

Signed-off-by: Sasha Bogicevic <[email protected]>

  Merge the two-callback interface (mkTx + fitsCheck) into one
  (Int -> m (Maybe tx)) where Nothing means doesn't fit and Just tx
  means fits. This enforces at the type level that construction and
  checking always happen together.

  Also rename mkTxM to buildTx in findFittingFanoutTx's where bindings.

Signed-off-by: Sasha Bogicevic <[email protected]>

  The accumulator-based headIsFinalizedWith used txInfoOutputs directly,
  which includes the wallet's change output appended by coverFee. Since
  that output is not in the accumulator, the KZG membership proof failed
  for every real on-chain fanout.

  Restore numberOfFanoutOutputs :: Integer to the Fanout redeemer (as in
  the original hash-based validator) so the validator slices txInfoOutputs
  to only the distributed UTxOs before running the pairing check and value
  conservation. Also update the FanOut.hs head output to carry the UTxO
  value so mustConserveValue passes, and add a unit test that appends a
  trailing wallet change output and asserts the transaction still
  evaluates — this would have caught the regression at the contract test
  level rather than requiring a devnet E2E run.

Signed-off-by: Sasha Bogicevic <[email protected]>

Also reduce a diff in the test code

Signed-off-by: Sasha Bogicevic <[email protected]>

  Remove utxoHash/alphaUTxOHash/omegaUTxOHash from ClosedDatum, all
  Close/Contest redeemers, and the snapshot signing tuple. The BLS
  accumulator already commits to the full UTxO set (utxo ∪ alpha ∪
  omega), making the three separate SHA256 hashes redundant.

  Full fanout now verifies outputs via a KZG membership proof (same as
  partial fanout) rather than hash comparison. The Fanout redeemer gains
  proof and crsRef fields; the three output-count fields are dropped.

  Snapshot signing shrinks from a 7-tuple to a 4-tuple
  (headId, version, snapshotNumber, accumulatorHash).

Signed-off-by: Sasha Bogicevic <[email protected]>

  Four mutation tests expected error codes that no longer match the
  validator's check ordering or error code assignments:

  - IncrementDifferentClaimRedeemer: H44 (DepositInputNotFound) is not
    referenced anywhere in the on-chain validator; H43 (DepositNotSpent)
    is the actual check that fires when the increment TxOutRef is absent
    from tx inputs.

  - DropDecommitOutput and ChangeDecrementedValue: signatures cover
    (headId, version, snapshotNumber, accumulatorHash), not output values,
    so removing or changing a decommit output fails mustDecreaseValue
    (H4) before any signature check (H12) can run.

  - ContestFromDifferentHead: replacePolicyIdWith mutates token values
    but not the datum's headId field, so mustBeSignedByParticipant fires
    H5 before the signature check reaches H37.

Signed-off-by: Sasha Bogicevic <[email protected]>

  When a UTxO is settled on-chain via Increment or Decrement before Close,
  its scalar remains in the snapshot's KZG accumulator but its value has
  already left (or entered) the head. Fanning out only the remaining UTxOs
  produces a subset membership proof, but the old on-chain check required
  isG1Generator(proof) — only true when the subset equals the full
  accumulator. This caused H39 FanoutUTxOHashMismatch for any CloseUsed
  scenario.

  Fix (two inseparable halves):

  1. Remove `&& isG1Generator proof` from headIsFinalizedWith and
     checkFinalPartialFanout. Fanout and final-partial-fanout now accept
     any valid subset membership proof.

  2. Replace the `geq` conservation check with strict equality using a new
     `headAdaOverhead :: Integer` field in ClosedDatum and
     FanoutProgressDatum. This field holds the fixed lovelace overhead in
     the head UTxO not attributable to any L2 UTxO (the min-UTxO cost set
     at CollectCom). It closes the security hole that geq would leave: a
     valid subset proof + >= would let an attacker leave value unaccounted.

  Off-chain: fanoutTx receives a separate utxoForProof argument (the full
  snapshot UTxO set including pre-settled ones) to rebuild the accumulator
  matching the ClosedDatum commitment, while the fanned-out outputs cover
  only the UTxOs whose values are still in the head. closeTx computes
  headAdaOverhead as lovelace(headInputValue) - lovelace(UTxOs currently
  in head), with case analysis on incrementalAction × (version ==
  openVersion). contestTx propagates it unchanged; partialFanoutTx threads
  it through FanoutProgressDatum.

  checkContest preserves headAdaOverhead so it cannot be altered after the
  initial Close. checkPartialFanout also preserves it across intermediate
  steps.

Signed-off-by: Sasha Bogicevic <[email protected]>

  genFanoutTx generated a snapshot with utxoToCommit/utxoToDecommit but
  called unsafeFanout with mempty mempty — the BLS proof was built for a
  different accumulator than the one committed in the closed head datum,
  so every evaluateTx call failed script validation and the FanOut table
  produced no rows.

  Fix: pass utxoToCommit and utxoToDecommit through to unsafeFanout, and
  inflate the head output value by the total fanout value (same pattern as
  computePartialFanOutNominalCost) so mustConserveValue passes.

Signed-off-by: Sasha Bogicevic <[email protected]>

  Remove UTxO fields from ToCommit and ToDecommit constructors of
  IncrementalAction — the UTxO was already ignored at every callsite.
  Update setIncrementalActionMaybe and pattern matches in Close.hs and
  Contest.hs accordingly.

  Extract repeated BLS12-381 generator check into isG1Generator helper in
  Head.hs, and add a comment explaining why mustConserveValue uses geq
  rather than == (min-UTxO overhead on the head output).

Signed-off-by: Sasha Bogicevic <[email protected]>

  Replace the hardcoded numToDistribute = totalUTxO - 1 in the partial
  fanout benchmarks with a binary search that finds the largest chunk
  actually fitting within both the tx size and execution budget, mirroring
  findFittingFanoutTx in the real node. The Remaining column in the output
  table now carries meaningful information instead of always showing 1.

  Also add ContestationDeadlineOutsideTimeHorizon to the PostTxError
  oneOf in api.yaml, which was defined in Chain.hs but missing from the
  schema, causing ServerOutputSpec to fail.

Signed-off-by: Sasha Bogicevic <[email protected]>