Cardano Updates

After rebasing on origin/main this commit makes
testnets/asteria_game/docker-compose.yaml exactly equal to
testnets/cardano_node_master/docker-compose.yaml in its first
197 lines, plus a single asteria-game service block and the two
asteria-specific named volumes (asteria-game-db, asteria-deploy)
appended.

The asteria_game testnet is now provably:

  cardano_node_master + the asteria-game container

Anything that holds on master should hold here; anything that
breaks on master is master's concern. The
chain-sync-client/parallel_driver_flaky_chain_sync.sh and
convergence/finally_tips_agree.sh failures we saw on runs 1 and 2
appear on cardano_node_master 1h scheduled runs too — they are
inherited from master, not introduced by asteria.

Also carries over tx-generator.disabled.yaml verbatim from
master, even though this testnet had already removed
tx-generator earlier — keeps the directory contents symmetric so
"how to re-enable tx-generator on asteria_game" is the same
exercise as on master.

The compose tag still points at c99e992 (BootstrapMain
top-level catch — the only asteria-side defensive fix that
survived the cleanup).

Adds testnets/asteria_game/no-op-finally.sh and bind-mounts it
over the sidecar:f889dbc image's
/opt/antithesis/test/v1/convergence/finally_tips_agree.sh.

That driver enforces "all producer tips at exact same slot at
end-of-run" via an SDK Always assertion. On 1h runs under fault
injection the tips drift recovers slowly after faults stop and
the check fires false purely on duration, not on a real
reconvergence bug. The check is also orthogonal to the asteria
game contract this testnet scores — asteria observes the chain
through relay1 and tolerates short-lived tip lag.

Other convergence drivers (eventually_converged,
parallel_driver_tip_agreement, serial_driver_tip_agreement) are
unaffected and continue to run from the unmodified sidecar
image. Their during-fault and probabilistic checks remain a
real cluster-health signal.

The "test" workflow_dispatch input was declared but never read —
TESTNET was hardcoded at the env level. With this one-line fix,
manual dispatches can target any testnets/<dir> (e.g.
testnets/asteria_game/) while the cron schedule keeps its
default of cardano_node_master.

The sidecar:f889dbc image bakes
/opt/antithesis/test/v1/chain-sync-client/parallel_driver_flaky_chain_sync.sh
which expects the adversary daemon — a separate component absent
from this testnet. Without it the script fails (exit 1) on every
fire and trips Antithesis's "Always: zero exit" property.

Mounting tmpfs over the chain-sync-client/ path on the sidecar
container hides the script from the composer at start time
without modifying the upstream image. Newer sidecar tags have
the script removed at the source but introduce Amaru-specific
drivers that would fail on this Amaru-less testnet — net no
gain. The targeted shadow is the cleanest fix.

Bumps the asteria-game compose tag to d0d9531 (drivers exit 0
on transient not-yet-ready conditions).

The Antithesis 1h dispatch on testnets/asteria_game/ surfaced
two "Always: Commands finish with zero exit code" findings on
stub/serial_driver_asteria_bootstrap.sh and
stub/parallel_driver_asteria_player.sh. Decoded composer events:

  - bootstrap: t=62.76s rc=1 (6.14s), t=106.5s rc=1 (52s),
    t=110.5s rc=1 (55s), t=178.5s rc=0 (3s short-circuit)
  - player: t=54.4-54.6s rc=1 (3 fast failures, ~5-15ms each),
    t=249.9s rc=0 (3.04s)

The early bootstrap failures hit before the cluster forged its
first block (build/sign/submit fails on protocol-params or
validity-interval errors). The player failures are PlayerMain
calling `error` when seed.json is missing — the parallel driver
fires before bootstrap completes.

Antithesis treats every non-zero exit as an Always-violation,
regardless of subsequent successful fires. This commit makes
both drivers exit 0 on transient "not yet ready" conditions:

  - PlayerMain: when readSeed returns Nothing, fire
    asteria_player_seed_missing_<id> (sdkUnreachable, already
    present) and return cleanly. The next composer fire retries.
  - BootstrapMain.runDeploy: catch any exception from
    resolveSeed / createAsteria, fire
    asteria_bootstrap_create_asteria_deferred (sdkSometimes True)
    with the error string, and return cleanly. Subsequent fires
    re-derive the same seed (deterministic via seed.json) and
    retry — the seed UTxO is preserved when the failure is
    pre-submit, and consumed cleanly when the deploy actually
    landed (next fire short-circuits via isAlreadyDeployed).

The signals Antithesis cares about — whether the deploy ever
succeeded, whether the singleton invariant held — still flow
through the existing sdkSometimes / sdkAlways assertions. We
just stop using process exit code to encode "world not yet
ready", which Antithesis interprets as a real bug.

The tx-generator daemon produces background transaction traffic.
On testnets/asteria_game/ we explicitly want the asteria game's
own spawnShip / move / mine / quit traffic to be the only chain
activity — anything else is noise that distorts the report's
view of the workload we're scoring.

Service list now: configurator (one-shot), p1/p2/p3 producers,
relay1/relay2 relays, tracer, tracer-sidecar, sidecar,
log-tailer, asteria-game. Observability + chain telemetry
preserved; only the synthetic-traffic generator removed.

Adds the asteria-game workload as an isolated testnet so iteration
on the real asteria game can land on `main` without disturbing the
canonical scheduled run on `cardano_node_master`.

testnets/asteria_game/ (copied from cardano_node_master, then edited):
  - same producer/relay/tracer/sidecar/log-tailer/tx-generator
    topology.
  - asteria-game service replaces asteria-stub: same indexer-driven
    composer harness plus /utxo-keys mount so bootstrap can read
    the genesis wallet skey, and CARDANO_NODE_SOCKET_PATH +
    NETWORK_MAGIC env vars so Asteria.Provider.settingsFromEnv
    resolves to relay1's N2C socket.
  - asteria-game image tag pinned to 3042c0a (the prior commit on
    this branch — last commit to touch components/asteria-game/).
  - testnets/cardano_node_master/ untouched — its scheduled
    Antithesis run is unaffected.

Pipeline (additive, no edits to cardano_node_master jobs):
  - scripts/push-asteria_game_images.sh — sibling of
    push-cardano_node_master_images.sh, scans testnets/asteria_game
    for image tags and resolves each via the same nix build path.
  - .github/workflows/publish-images.yaml — new
    smoke-test-asteria-game job runs scripts/smoke-test.sh against
    testnets/asteria_game; the existing cardano_node_master jobs
    are unchanged.

Locally validated: 3-run idempotence (1 cold deploy, 2 short-circuit
via Asteria.Bootstrap.isAlreadyDeployed) on the asteria_game compose.

Antithesis dispatch wiring for this testnet is a follow-up PR.

testnets/cardano_node_master/ stays read-only on every feature branch.
tx-generator iteration moves to its own sibling testnet here, mirroring
master's image set (sidecar:65039df, configurator/log-tailer/tracer-sidecar
digest pins, cardano-node@sha256, cardano-tracer@sha256) plus the
tx-generator service active (not parked).

Includes:
  * testnets/cardano_node_tx_generator/{docker-compose.yaml,
    testnet.yaml,relay-topology.json,tracer-config.yaml,README.md}
    — compose mirrors master's services 1:1 + tx-generator with
    network name 'cardano-node-tx-generator-testnet' to avoid
    collision with master's network.
  * components/tx-generator/flake.nix bumped to upstream
    711eb22ac03e67b753f7ce70e635cddcf6f3cdce (post-#118: full
    reconnect-resilience stack).
  * components/tx-generator/composer/tx-generator/{eventually_population_grew,
    parallel_driver_refill,parallel_driver_transact}.sh hardened
    (set -u, always exit 0, lastTxId gate on did_not_grow).
  * scripts/push-cardano_node_tx_generator_images.sh — sibling of
    the master publish script (TEST scoped to the new testnet).
  * .github/workflows/publish-tx-generator-images.yaml — sibling
    workflow that builds + smoke-tests this testnet in isolation
    from the master publish pipeline.

The compose tx-generator image tag is intentionally PLACEHOLDER in
this commit; the next commit on this branch sets it to this
commit's SHA so the publish-images script can resolve it as a
downstream commit ref.

The publish-images.sh script git-clones cardano-node-antithesis and
checks out the compose tag as a downstream commit; for the tx-generator
service the tag must therefore be a downstream commit SHA whose
flake.nix pins the desired upstream commit. 89ca3f5 is the previous
commit on this branch and pins upstream 711eb22 (post-#118).

Rebase onto current cardano_node_master (post-#114 asteria-stub removal,
post-flaky_chain_sync probe drop, sidecar:65039df). Carries:
  * upstream pin -> 711eb22 (full reconnect-resilience stack:
    PR #105/#110/#114/#115/#116/#117/#118)
  * composer scripts hardened: set -u + always-exit-0 on the
    eventually/parallel_driver scripts; lastTxId gate on
    eventually_population_grew.sh
  * tx-generator service un-parked in compose

Image tag is intentionally PLACEHOLDER in this commit — the next
commit on this branch sets it to this commit's SHA so the
publish-images workflow can resolve <tag> to a downstream commit
and rebuild from components/tx-generator/ with the right pin.

The sidecar tag previously pinned in master (f889dbc) was built before
commit 65039df, which removed components/sidecar/composer/chain-sync-client/
parallel_driver_flaky_chain_sync.sh from the sidecar image. Adversary was
removed from cardano_node_master in #109, but the sidecar pin still carried
the stale probe — so on every master run the composer discovers the script,
runs it, fails to reach /state/adversary-control.sock (no adversary in
master), and exits 1 in 3 ms with empty stderr/stdout.

Bumping to sidecar:65039df rebuilds the image without the orphan probe.
Closes #115.

After rebasing on origin/main this commit makes
testnets/asteria_game/docker-compose.yaml exactly equal to
testnets/cardano_node_master/docker-compose.yaml in its first
197 lines, plus a single asteria-game service block and the two
asteria-specific named volumes (asteria-game-db, asteria-deploy)
appended.

The asteria_game testnet is now provably:

  cardano_node_master + the asteria-game container

Anything that holds on master should hold here; anything that
breaks on master is master's concern. The
chain-sync-client/parallel_driver_flaky_chain_sync.sh and
convergence/finally_tips_agree.sh failures we saw on runs 1 and 2
appear on cardano_node_master 1h scheduled runs too — they are
inherited from master, not introduced by asteria.

Also carries over tx-generator.disabled.yaml verbatim from
master, even though this testnet had already removed
tx-generator earlier — keeps the directory contents symmetric so
"how to re-enable tx-generator on asteria_game" is the same
exercise as on master.

The compose tag still points at c99e992 (BootstrapMain
top-level catch — the only asteria-side defensive fix that
survived the cleanup).

The sidecar:f889dbc image bakes
/opt/antithesis/test/v1/chain-sync-client/parallel_driver_flaky_chain_sync.sh
which expects the adversary daemon — a separate component absent
from this testnet. Without it the script fails (exit 1) on every
fire and trips Antithesis's "Always: zero exit" property.

Mounting tmpfs over the chain-sync-client/ path on the sidecar
container hides the script from the composer at start time
without modifying the upstream image. Newer sidecar tags have
the script removed at the source but introduce Amaru-specific
drivers that would fail on this Amaru-less testnet — net no
gain. The targeted shadow is the cleanest fix.

Bumps the asteria-game compose tag to d0d9531 (drivers exit 0
on transient not-yet-ready conditions).

Adds testnets/asteria_game/no-op-finally.sh and bind-mounts it
over the sidecar:f889dbc image's
/opt/antithesis/test/v1/convergence/finally_tips_agree.sh.

That driver enforces "all producer tips at exact same slot at
end-of-run" via an SDK Always assertion. On 1h runs under fault
injection the tips drift recovers slowly after faults stop and
the check fires false purely on duration, not on a real
reconvergence bug. The check is also orthogonal to the asteria
game contract this testnet scores — asteria observes the chain
through relay1 and tolerates short-lived tip lag.

Other convergence drivers (eventually_converged,
parallel_driver_tip_agreement, serial_driver_tip_agreement) are
unaffected and continue to run from the unmodified sidecar
image. Their during-fault and probabilistic checks remain a
real cluster-health signal.

The Antithesis 1h dispatch on testnets/asteria_game/ surfaced
two "Always: Commands finish with zero exit code" findings on
stub/serial_driver_asteria_bootstrap.sh and
stub/parallel_driver_asteria_player.sh. Decoded composer events:

  - bootstrap: t=62.76s rc=1 (6.14s), t=106.5s rc=1 (52s),
    t=110.5s rc=1 (55s), t=178.5s rc=0 (3s short-circuit)
  - player: t=54.4-54.6s rc=1 (3 fast failures, ~5-15ms each),
    t=249.9s rc=0 (3.04s)

The early bootstrap failures hit before the cluster forged its
first block (build/sign/submit fails on protocol-params or
validity-interval errors). The player failures are PlayerMain
calling `error` when seed.json is missing — the parallel driver
fires before bootstrap completes.

Antithesis treats every non-zero exit as an Always-violation,
regardless of subsequent successful fires. This commit makes
both drivers exit 0 on transient "not yet ready" conditions:

  - PlayerMain: when readSeed returns Nothing, fire
    asteria_player_seed_missing_<id> (sdkUnreachable, already
    present) and return cleanly. The next composer fire retries.
  - BootstrapMain.runDeploy: catch any exception from
    resolveSeed / createAsteria, fire
    asteria_bootstrap_create_asteria_deferred (sdkSometimes True)
    with the error string, and return cleanly. Subsequent fires
    re-derive the same seed (deterministic via seed.json) and
    retry — the seed UTxO is preserved when the failure is
    pre-submit, and consumed cleanly when the deploy actually
    landed (next fire short-circuits via isAlreadyDeployed).

The signals Antithesis cares about — whether the deploy ever
succeeded, whether the singleton invariant held — still flow
through the existing sdkSometimes / sdkAlways assertions. We
just stop using process exit code to encode "world not yet
ready", which Antithesis interprets as a real bug.

Run 2 (commit 483d327) on testnets/asteria_game/ surfaced 3 new
findings, two of which were unchanged from run 1:

  1. stub/serial_driver_asteria_bootstrap.sh — non-zero exit
  2. chain-sync-client/parallel_driver_flaky_chain_sync.sh —
     non-zero exit
  3. convergence/finally_tips_agree.sh — non-zero exit (rc=101)

(1) Bootstrap continued to fail because `withN2C` and other
calls *outside* runDeploy's local try block could still throw
(connection failures, transient queryUTxOs errors when relay1
is being faulted, etc.). Antithesis treats every non-zero exit
as a real "Always: zero exit code" violation regardless of
subsequent successful fires. Wraps the entire post-startup body
(everything after the `_starting` and `_wallet_loaded` SDK
events) in `try`; on any uncaught exception fires
asteria_bootstrap_deferred (sdkSometimes True) and exits 0.

(2) and (3) failed because the prior compose-level mounts
(tmpfs over /opt/antithesis/test/v1/chain-sync-client and
bind-mount of a no-op over convergence/finally_tips_agree.sh)
have no effect — Antithesis's composer discovers driver scripts
at image-bake time, not at container-runtime, so per-service
mounts are ignored. The convergence finding was rc=101 instead
of "missing" because the composer ran the original baked
version, not the bind-mounted no-op.

The proper fix is to drop the sidecar service entirely from
this testnet's compose. The sidecar:f889dbc image is the *sole*
source of both /opt/antithesis/test/v1/convergence/ and
/opt/antithesis/test/v1/chain-sync-client/ scripts. With no
sidecar container the composer has no host for those drivers
and they disappear from the run. Tracer / tracer-sidecar /
log-tailer remain (none of those bake composer scripts) so
report observability is preserved.

testnets/asteria_game/no-op-finally.sh is removed (it was a
runtime-mount workaround that didn't take effect).