feat: Add ingest check for non-zero node account balance

[ibankov]

Description:

• Add validation during ingest to ensure that a node must have a balance greater than zero before submitting a transaction to the network.
• Skip this validation when the transaction is submitted using a system account.
• Add a cryptoTransfer from the treasury to fund nodes in HAPI test networks to prevent existing tests from failing.

Related issue(s):

Fixes #
#21377
Notes for reviewer:

Checklist

• Documented (Code comments, README, etc.)
• Tested (unit, integration, etc.)

[lfdt-bot]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@             Coverage Diff              @@
##               main   #21707      +/-   ##
============================================
- Coverage     71.84%   71.83%   -0.02%     
+ Complexity    24570    24568       -2     
============================================
  Files          2673     2673              
  Lines        103932   103948      +16     
  Branches      10868    10872       +4     
============================================
- Hits          74670    74666       -4     
- Misses        25223    25245      +22     
+ Partials       4039     4037       -2     

Files with missing lines	Coverage Δ	Complexity Δ
...edera/node/app/workflows/ingest/IngestChecker.java	83.33% <100.00%> (+1.24%)	49.00 <6.00> (+6.00)
.../app/workflows/prehandle/PreHandleContextImpl.java	72.18% <ø> (ø)	48.00 <0.00> (ø)
...ra/node/app/workflows/query/QueryWorkflowImpl.java	88.46% <100.00%> (+0.08%)	17.00 <0.00> (ø)

... and 19 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -0.02% (target: -1.00%)	✅ 100.00%

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (5fd761d)	103837	78664	75.76%
Head commit (906b10d)	103853 (+16)	78658 (-6)	75.74% (-0.02%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#21707)	16	16	100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[akdev]

I don't like that we are hard coding the number of the system accounts like this. It should have its own dynamic property. I see that contract service is using it as 750 in ProcessorModule instead of 1000! Lets do the following:

• Confirm what the right value is.
• File and issue to make the range of system accounts a dynamic property and scrub the codebase to make that it is used everywhere. Making it a dynamic property will be useful in the case of spheres.

[akdev]

Scratch that. There is a dynamic property already. LedgerConfig.numSystemAccounts we should use it instead. I will file a bug against contract service.

[ibankov]

LedgerConfig.numSystemAccounts default value is 100, we should probably use numReservedSystemEntities in the same class which is 750

[jsync-swirlds]

There are a lot of accounts and other entities below numReservedSystemEntities that should not be able to bypass this check. Even in the System Accounts (at least on Hedera) there are 20-30 Node accounts that probably shouldn't have this privilege.

Checking below numSystemAccounts is OK, but we might be better off checking if the account is a privileged account specifically (I believe those are, for Hedera, 2 and 42-60, they'll vary for other Hiero networks, the exact value is, or perhaps should be, defined in api-permissions.properties).

[ibankov]

I switched it to use AccountsConfig.isSuperUser() so only the treasury and system admin accounts are privileged for that. This should be fine as this is mostly for funding accounts after genesis which will be done by the treasury because its the only account with balance.

[Neeharika-Sompalli]

Since we already know which accounts are privileged for each transaction type in PrivilegesVerifier, we can re-use that and call PrivilegesVerifier.hasPrivileges here. If its privileged account, we can by pass that check?

[ibankov]

Switched to using Authorizer

[Neeharika-Sompalli]

Makes sense to me. Thanks @ibankov