Cardano Updates

* Add ToJSON/FromJSON as superclass constraints to EraScript
* Add ToJSON/FromJSON instances for MultiSig, Timelock and DijkstraNativeScript
* Add structured JSON serialisation for native scripts across all eras (Shelley, Allegra, Dijkstra)
* Add ToJSON/FromJSON instances for AlonzoScript with structured JSON format
* Rename kindObject (returning Value) to kindObjectValue; add new kindObject returning Aeson.Object
* Fix shelleyBasedEraNativeScriptToJSON and sizedNativeScriptGens to accept a child continuation to correctly handle nested scripts across eras
* Add round-trip JSON property tests for NativeScript and Script to the shared era spec

Snarks certificates are significantly slower to run than concatenation
certificates, this lighter scenario will be useful to still keep an e2e
test without taking hours to run.

* implemented a new `MinimalScenario` to validate artifact production
  and signing under minimal configurations
* integrated `MinimalScenario` into the `scenario` module

The latest moog release dropped the moog-*-linux64.tar.gz asset; the
portable Linux binary is now the statically-linked
moog-*-x86_64-linux-musl.tar.gz. Replace the get-latest-release +
release-downloader actions with a gh release download that picks the
right asset, fixing the failing Install moog step.

Replace the local build: directives with the published image digests so
the testnet is pullable by Antithesis.

The vote driver now RNG-selects among --yes, --no and --abstain (was
yes/no). Validated live: on-chain votes show Abstain, VoteNo and VoteYes
across DRep/SPO/CC voters.

The create and vote parallel drivers coordinate through two append-only
logs in the (fault-excluded, hence durable) gov-data volume:
- created.log: txid+ix per action, appended only after on-chain confirm
- rejected.log: txid per action a vote was rejected on
The vote driver works the set difference (created minus rejected); an
action stays votable until a vote on it is rejected (e.g. on expiry).

The vote driver hands every choice to the Antithesis RNG: which action,
which voter (a random DRep/SPO/CC member), and yes/no. Each invocation
casts one voter's single vote, so the hypervisor explores the
(action, voter, decision) space.

Validated live: random voters cast mixed yes/no votes recorded on-chain
across multiple actions.

Previous detection had two problems: it only checked required_signers
without collateral, and that check was wrong — required_signers is
actually allowed in ORDINARY/MULTISIG by the v8 lib (only POOL_REGISTRATION
modes forbid it). Replace with detection that mirrors the lib's per-mode
rejection rules in parsing/transaction.ts:

- Pool registration combined with any other cert (POOL_REGISTRATION_*
  requires a sole pool reg cert; lib AUTO throws CANNOT_DETERMINE).
- Pool registration alongside Plutus signals (mutual exclusion).
- Any cert/withdrawal/voter credential that resolves to a bare KEY_HASH
  (no matching signing file). ORDINARY needs KEY_PATH, MULTISIG needs
  SCRIPT_HASH; nothing else accepts KEY_HASH outside PLUTUS (only
  auto-inferred via collateral or other Plutus signals).
- Mixed KEY_PATH + SCRIPT_HASH signals (lib AUTO can't decide ORDINARY
  vs MULTISIG, throws CANNOT_DETERMINE).
- Pool retirement in a multisig-shape tx (MULTISIG rejects pool retirement).

A new collectCertCredentials helper enumerates the credential fields a
non-unrestricted mode actually validates per cert (stakeCredential,
dRepCredential, coldCredential — but not the hotCredential on
AUTHORIZE_COMMITTEE_HOT, which the lib doesn't constrain per mode).

Known gap: device-owned outputs in a multisig-shape tx (MULTISIG forbids
device-owned outputs). Detecting this needs change-output path → address
resolution and is deferred; the lib catches it with a clear per-rule
error if hit.

Tests rewritten to use the new auto-detect triggers (pool reg + extra
cert; key-hash credential with no matching signing file), constructed by
mutating decoded bodies to avoid hand-crafted CBOR.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Bumps [github.com/blinklabs-io/gouroboros](https://github.com/blinklabs-io/gouroboros) from 0.153.1 to 0.180.0.
- [Release notes](https://github.com/blinklabs-io/gouroboros/releases)
- [Changelog](https://github.com/blinklabs-io/gouroboros/blob/main/RELEASE_NOTES.md)
- [Commits](https://github.com/blinklabs-io/gouroboros/compare/v0.153.1...v0.180.0)

---
updated-dependencies:
- dependency-name: github.com/blinklabs-io/gouroboros
  dependency-version: 0.180.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/go-playground/validator/v10](https://github.com/go-playground/validator) from 10.30.1 to 10.30.3.
- [Release notes](https://github.com/go-playground/validator/releases)
- [Commits](https://github.com/go-playground/validator/compare/v10.30.1...v10.30.3)

---
updated-dependencies:
- dependency-name: github.com/go-playground/validator/v10
  dependency-version: 10.30.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Jenita <[email protected]>
Co-authored-by: Jenita <[email protected]>

Validated against a local 2-producer + 1-relay Conway testnet: pool-only
liveness, cardonnay genesis with committee seeded, setup (5 CC authorized
+ 5 DReps registered + stake delegated), create InfoAction, and DRep+SPO+CC
voting all recorded on-chain.

gov-configurator:
- run cardonnay via a shim that patches os.getlogin (fails with no tty)
- socket path directly in state-cluster0 so STATE_CLUSTER matches
- idempotent generation; generate once per volume via a .generated marker

gov-cli bash drivers:
- build_sign_submit uses transaction build-raw (no anchor download, which
  transaction build mandates and cannot skip) with explicit deposits and a
  calculated fee
- read faucet UTxO via --output-text, not jq: jq 1.6 corrupts lovelace
  amounts above 2^53, breaking value conservation by 1
- normalise 'transaction txid' JSON ({"txhash":...}) to bare hex
- create-info takes --testnet, hash anchor-data is top-level, drep-state
  needs --all-dreps

Add fallible 'Certificate::try_compute_hash' and route the certificate
verification and aggregator hash-migration paths through it, so a
serialization error surfaces instead of panicking. 'compute_hash' stays
infallible for construction-time use.

- golden-handles.txt: 25 commonly-known mainnet handles (cardano, hosky,
  minswap, bigpey, charles, ... incl. enterprise-address eth/satoshi/crypto),
  all verified present on mainnet. Names only — handles are transferable NFTs,
  so addresses are asserted by shape + round-trip, not pinned (drift-proof).
- run-golden-handles.sh: forward lookup (well-formed addr1.../stake1...) +
  reverse-by-payment-address round-trip for each golden handle.
- run-rest-spotchecks.sh: fix stdin/heredoc collision (data now passed via
  argv, not a pipe that the heredoc program shadowed) and switch the DB sampler
  to JSON output so arbitrary UTF-8 handle names parse safely; skip empty names.
- SKILL.md: document the golden step and files.

Validated live against the in-progress mainnet sync: golden 25/25, sample 10/10.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Remove the comment block above isDraftPullRequest() in
slack-message-broker.yml and the ref-validation comment in
haddock-site.yml.

Remove duplicate Block Forging.
Added cardano-node CPU load panel.
Added GC time panel.