feat: genesis ceremony client types and /v0/node-id endpoint (#40)

## Summary

- Add four genesis ceremony task builder types (`GenerateIdentityTask`,
`GenerateGentxTask`, `UploadGenesisArtifactsTask`,
`AssembleAndUploadGenesisTask`) implementing the `TaskBuilder` interface
for controller-side plan construction
- Add `GET /v0/node-id` server endpoint that derives the Tendermint node
ID from `node_key.json` using CometBFT-compatible
`SHA256(ed25519_pubkey)[:20]`
- Add `GetNodeID()` client method for the controller to collect node IDs
during peer assembly
- Refactor `SidecarClient` to store `baseURL` and `doer` for direct HTTP
calls outside the OpenAPI-generated client

These are the seictl-side prerequisites for the network deployment
genesis ceremony feature in sei-k8s-controller. Task handlers (the
actual `generate-identity`, `generate-gentx`, etc. implementations) will
follow in a subsequent PR.

## Design decisions

- **`AccountBalance` is a single string** (e.g.
`"1000000usei,1000000uusdc"`), not a list of address+amount pairs. Each
node discovers its own address during identity generation -- no
cross-node coordination needed between the identity and gentx steps.
- **`/v0/node-id` is outside the OpenAPI spec** since it is a simple
read from disk, not a task. The client uses a direct HTTP call rather
than the generated client.
- **Node ID derivation** matches CometBFT exactly:
`hex(SHA256(ed25519_pubkey)[:20])`, reading the 32-byte public key from
the last half of the 64-byte Ed25519 private key in `node_key.json`.

## Test plan

- [x] All existing server tests pass (updated `NewServer` calls to
include `homeDir`)
- [x] All existing client tests pass
- [x] `go build ./...` clean
- [ ] Validate task builder `ToTaskRequest()` output matches expected
wire format

Author: bdchatham

serve.go

@@ -63,7 +63,7 @@ var serveCmd = cli.Command{
 
 		go runSchedulerTicker(ctx, eng)
 
-		srv := server.NewServer(":"+port, eng)
+		srv := server.NewServer(":"+port, eng, homeDir)
 		if err := srv.ListenAndServe(ctx); err != nil && !errors.Is(err, context.Canceled) {
 			return fmt.Errorf("server error: %w", err)
 		}

sidecar/client/client.go

@@ -3,8 +3,10 @@ package client
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"time"
 
@@ -19,7 +21,9 @@ var ErrNotFound = errors.New("sidecar: task not found")
 // SidecarClient wraps the generated ClientWithResponses with a simpler,
 // error-oriented API.
 type SidecarClient struct {
-	inner *ClientWithResponses
+	inner   *ClientWithResponses
+	baseURL string
+	doer    HttpRequestDoer
 }
 
 // Option configures optional SidecarClient parameters.
@@ -47,18 +51,16 @@ func NewSidecarClient(baseURL string, opts ...Option) (*SidecarClient, error) {
 		fn(&o)
 	}
 
-	var clientOpts []ClientOption
-	if o.httpClient != nil {
-		clientOpts = append(clientOpts, WithHTTPClient(o.httpClient))
-	} else {
-		clientOpts = append(clientOpts, WithHTTPClient(&http.Client{Timeout: o.timeout}))
+	httpClient := o.httpClient
+	if httpClient == nil {
+		httpClient = &http.Client{Timeout: o.timeout}
 	}
 
-	inner, err := NewClientWithResponses(baseURL, clientOpts...)
+	inner, err := NewClientWithResponses(baseURL, WithHTTPClient(httpClient))
 	if err != nil {
 		return nil, err
 	}
-	return &SidecarClient{inner: inner}, nil
+	return &SidecarClient{inner: inner, baseURL: baseURL, doer: httpClient}, nil
 }
 
 // NewSidecarClientFromPodDNS builds a client targeting the sidecar via
@@ -198,6 +200,41 @@ func (c *SidecarClient) Healthz(ctx context.Context) (bool, error) {
 	}
 }
 
+// GetNodeID queries the sidecar's /v0/node-id endpoint and returns the
+// Tendermint node ID (hex-encoded). This is a direct HTTP call rather than
+// using the generated client, since /v0/node-id is outside the OpenAPI spec.
+func (c *SidecarClient) GetNodeID(ctx context.Context) (string, error) {
+	url := c.baseURL + "/v0/node-id"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", fmt.Errorf("building node-id request: %w", err)
+	}
+	resp, err := c.doer.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("querying node-id: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("reading node-id response: %w", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("node-id returned %d: %s", resp.StatusCode, bytes.TrimSpace(body))
+	}
+
+	var result struct {
+		NodeID string `json:"nodeId"`
+	}
+	if err := json.Unmarshal(body, &result); err != nil {
+		return "", fmt.Errorf("parsing node-id response: %w", err)
+	}
+	if result.NodeID == "" {
+		return "", fmt.Errorf("node-id response missing nodeId field")
+	}
+	return result.NodeID, nil
+}
+
 // ---------------------------------------------------------------------------
 // Typed submit methods -- primary public API for task submission.
 // Each validates the typed struct and delegates to SubmitTask.

sidecar/client/client_test.go

@@ -473,3 +473,51 @@ func TestConfigPatchTask_Validate_OK(t *testing.T) {
 		t.Fatalf("Validate() error = %v", err)
 	}
 }
+
+func TestGetNodeID_OK(t *testing.T) {
+	want := "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
+	c := newTestClient(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/v0/node-id" || r.Method != http.MethodGet {
+			t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(map[string]string{"nodeId": want})
+	}))
+
+	got, err := c.GetNodeID(context.Background())
+	if err != nil {
+		t.Fatalf("GetNodeID() error = %v", err)
+	}
+	if got != want {
+		t.Errorf("GetNodeID() = %q, want %q", got, want)
+	}
+}
+
+func TestGetNodeID_ServerError(t *testing.T) {
+	c := newTestClient(t, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		http.Error(w, "not ready", http.StatusInternalServerError)
+	}))
+
+	_, err := c.GetNodeID(context.Background())
+	if err == nil {
+		t.Fatal("expected error for 500 response")
+	}
+	if !strings.Contains(err.Error(), "500") {
+		t.Errorf("error = %v, expected to contain '500'", err)
+	}
+}
+
+func TestGetNodeID_EmptyNodeID(t *testing.T) {
+	c := newTestClient(t, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(map[string]string{"nodeId": ""})
+	}))
+
+	_, err := c.GetNodeID(context.Background())
+	if err == nil {
+		t.Fatal("expected error for empty nodeId")
+	}
+	if !strings.Contains(err.Error(), "missing nodeId") {
+		t.Errorf("error = %v, expected to contain 'missing nodeId'", err)
+	}
+}

sidecar/client/tasks.go

@@ -31,6 +31,11 @@ const (
 	TaskTypeSnapshotUpload     = string(engine.TaskSnapshotUpload)
 	TaskTypeResultExport       = string(engine.TaskResultExport)
 	TaskTypeAwaitCondition     = string(engine.TaskAwaitCondition)
+
+	TaskTypeGenerateIdentity       = "generate-identity"
+	TaskTypeGenerateGentx          = "generate-gentx"
+	TaskTypeUploadGenesisArtifacts = "upload-genesis-artifacts"
+	TaskTypeAssembleGenesis        = "assemble-and-upload-genesis"
 )
 
 // Known condition and action values for AwaitConditionTask.
@@ -523,6 +528,149 @@ func ResultExportTaskFromParams(params map[string]interface{}) ResultExportTask
 	}
 }
 
+// GenerateIdentityTask creates validator identity (keys, node ID).
+type GenerateIdentityTask struct {
+	ChainID string
+	Moniker string
+}
+
+func (t GenerateIdentityTask) TaskType() string { return TaskTypeGenerateIdentity }
+
+func (t GenerateIdentityTask) Validate() error {
+	if t.ChainID == "" {
+		return fmt.Errorf("generate-identity: missing required field ChainID")
+	}
+	if t.Moniker == "" {
+		return fmt.Errorf("generate-identity: missing required field Moniker")
+	}
+	return nil
+}
+
+func (t GenerateIdentityTask) ToTaskRequest() TaskRequest {
+	p := map[string]interface{}{
+		"chainId": t.ChainID,
+		"moniker": t.Moniker,
+	}
+	return TaskRequest{Type: t.TaskType(), Params: &p}
+}
+
+// GenerateGentxTask creates a gentx for the validator. The handler discovers
+// the node's own account address from the keys generated during identity
+// creation and funds it with AccountBalance before generating the gentx.
+type GenerateGentxTask struct {
+	ChainID        string
+	StakingAmount  string
+	AccountBalance string
+	GenesisParams  string
+}
+
+func (t GenerateGentxTask) TaskType() string { return TaskTypeGenerateGentx }
+
+func (t GenerateGentxTask) Validate() error {
+	if t.ChainID == "" {
+		return fmt.Errorf("generate-gentx: missing required field ChainID")
+	}
+	if t.StakingAmount == "" {
+		return fmt.Errorf("generate-gentx: missing required field StakingAmount")
+	}
+	if t.AccountBalance == "" {
+		return fmt.Errorf("generate-gentx: missing required field AccountBalance")
+	}
+	return nil
+}
+
+func (t GenerateGentxTask) ToTaskRequest() TaskRequest {
+	p := map[string]interface{}{
+		"chainId":        t.ChainID,
+		"stakingAmount":  t.StakingAmount,
+		"accountBalance": t.AccountBalance,
+	}
+	if t.GenesisParams != "" {
+		p["genesisParams"] = t.GenesisParams
+	}
+	return TaskRequest{Type: t.TaskType(), Params: &p}
+}
+
+// UploadGenesisArtifactsTask uploads identity.json and gentx.json to S3.
+type UploadGenesisArtifactsTask struct {
+	S3Bucket string
+	S3Prefix string
+	S3Region string
+	NodeName string
+}
+
+func (t UploadGenesisArtifactsTask) TaskType() string { return TaskTypeUploadGenesisArtifacts }
+
+func (t UploadGenesisArtifactsTask) Validate() error {
+	if t.S3Bucket == "" {
+		return fmt.Errorf("upload-genesis-artifacts: missing required field S3Bucket")
+	}
+	if t.S3Region == "" {
+		return fmt.Errorf("upload-genesis-artifacts: missing required field S3Region")
+	}
+	if t.NodeName == "" {
+		return fmt.Errorf("upload-genesis-artifacts: missing required field NodeName")
+	}
+	return nil
+}
+
+func (t UploadGenesisArtifactsTask) ToTaskRequest() TaskRequest {
+	p := map[string]interface{}{
+		"s3Bucket": t.S3Bucket,
+		"s3Prefix": t.S3Prefix,
+		"s3Region": t.S3Region,
+		"nodeName": t.NodeName,
+	}
+	return TaskRequest{Type: t.TaskType(), Params: &p}
+}
+
+// GenesisNodeParam is the wire format for nodes[] in assemble-and-upload-genesis.
+type GenesisNodeParam struct {
+	Name string `json:"name"`
+}
+
+// AssembleAndUploadGenesisTask collects per-node artifacts and produces final genesis.json.
+type AssembleAndUploadGenesisTask struct {
+	S3Bucket string
+	S3Prefix string
+	S3Region string
+	ChainID  string
+	Nodes    []GenesisNodeParam
+}
+
+func (t AssembleAndUploadGenesisTask) TaskType() string { return TaskTypeAssembleGenesis }
+
+func (t AssembleAndUploadGenesisTask) Validate() error {
+	if t.S3Bucket == "" {
+		return fmt.Errorf("assemble-and-upload-genesis: missing required field S3Bucket")
+	}
+	if t.S3Region == "" {
+		return fmt.Errorf("assemble-and-upload-genesis: missing required field S3Region")
+	}
+	if t.ChainID == "" {
+		return fmt.Errorf("assemble-and-upload-genesis: missing required field ChainID")
+	}
+	if len(t.Nodes) == 0 {
+		return fmt.Errorf("assemble-and-upload-genesis: at least one node is required")
+	}
+	return nil
+}
+
+func (t AssembleAndUploadGenesisTask) ToTaskRequest() TaskRequest {
+	nodes := make([]interface{}, len(t.Nodes))
+	for i, n := range t.Nodes {
+		nodes[i] = map[string]interface{}{"name": n.Name}
+	}
+	p := map[string]interface{}{
+		"s3Bucket": t.S3Bucket,
+		"s3Prefix": t.S3Prefix,
+		"s3Region": t.S3Region,
+		"chainId":  t.ChainID,
+		"nodes":    nodes,
+	}
+	return TaskRequest{Type: t.TaskType(), Params: &p}
+}
+
 // AwaitConditionTask blocks until a condition is met, then optionally
 // executes a post-condition action. Currently supports the "height"
 // condition and the "SIGTERM_SEID" action.