Cardano Updates

Signed-off-by: cryptodj413 <[email protected]>

ChainSel must not select a chain that includes a CertRB whose certified
EB closure is not locally available; otherwise 'resolveLeiosBlock'
crashes when the block-add path tries to recover the closure.

Wire-up:
- 'CDB' carries 'cdbLeiosDbHandle :: LeiosDbHandle m' so ChainSel can
  read the closure cache on the block-add hot path without threading
  the snapshot through every caller.
- 'chainSelectionForBlock' reads 'readCompletedClosures' on each
  iteration; the read is O(1) (TVar) so this is cheap.
- New 'ignorePendingCertRBs' wrapper around 'lookupBlockInfo'.  Mirrors
  the existing 'ignoreInvalid' wrapper.  Both lookup paths
  ('lookupBlockInfo'' and 'succsOf'') filter against the same set.

Filter body itself is a stub:
'computeCertRBsWithPendingEbClosures' returns 'Set.empty'.  The real
implementation walks the VolatileDB forward from the immutable tip and,
for each header satisfying 'headerIsCertRB', extracts the certified
'EbHash' from the parent's 'headerEbAnnouncement' and checks it against
'readCompletedClosures'.  Lands in the next step of the late-join
workstream.

'Node.hs' / 'Test/ThreadNet/Network.hs' pass the handle to
'openChainDB'; no more 'LeiosOutstanding' MVar lifting.

Bumps [@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit) from 2.55.0 to 2.60.1.
- [Release notes](https://github.com/sveltejs/kit/releases)
- [Changelog](https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md)
- [Commits](https://github.com/sveltejs/kit/commits/@sveltejs/[email protected]/packages/kit)

---
updated-dependencies:
- dependency-name: "@sveltejs/kit"
  dependency-version: 2.60.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

Add 'readCompletedClosures :: m (Set EbHash)' to 'LeiosDbHandle'.  The
handle owns a TVar; ChainSel will read it on the block-add hot path
(O(1) 'readTVarIO').

Seed at construction:
- SQLite: 'SELECT ebHashBytes FROM ebs WHERE missingTxCount IS NOT
  NULL AND missingTxCount <= 0'.  Covers both "just completed" (0)
  and "completed and notified" (-1); both states mean the closure is
  in the DB.  Run on a short-lived connection that also guarantees
  schema initialisation before any 'open'-ed connection later.
- In-memory: derive from 'imTxs' / 'imEbBodies' via the same
  predicate the insert paths use.

Update inside the existing insert paths:
- Both SQLite insert paths share a 'findAndMarkCompletedEbs' helper
  inside the BEGIN and a 'notifyAndCacheCompleted' helper after
  COMMIT.  The notify+cache step pushes the just-transitioned
  closures into the cache.
- In-memory insert paths do the same update inside their STM
  transaction, so the state mutation and the cache update are
  atomic.

'LeiosDemoLogic.msgLeiosBlock' now also emits
'TraceLeiosBlockTxsAcquired' for closures completed by a body
insert (not just tx inserts), matching the symmetry the cache update
exposes.

Cache is unbounded for now; future work caps it to a k-window with
DB query on miss.  See 'readCompletedClosures' TODO and the
late-join plan.

ChainSel needs two header-level queries to identify CertRBs whose
certified EB closure is not locally available: 'headerIsCertRB' on
the candidate header, and 'headerEbAnnouncement' on its parent.

Add both methods to 'ResolveLeiosBlock' without defaults: a silent
'False' / 'Nothing' default would let a future block-type author
forget to override, and ChainSel would silently degrade to "never
filter a CertRB" without a compile error.  Every instance now
defines all three methods.

The Praos Shelley instance reads 'hbIsCertRB' / 'hbMayEbAnnouncement'
off the body.  Cardano dispatches to Conway for both methods.  Every
other instance (Byron, mock, test, single-era HFC wrappers) spells
out the "never a CertRB" stance explicitly.

Add 'hbIsCertRB' to 'HeaderBody' (and mirror on 'HeaderView') for the
CIP-0164 header bit signalling that this RB certifies a
previously-announced EB.  Thread the bit through 'mkHeader' (Praos
and TPraos; the latter ignores it) and the Shelley forge path.

Encode canonically: every header is len=12 carrying
@(Bool, Maybe EbAnnouncement)@.  Decode still accepts len=10
(pre-Leios) and len=11 (announcement-only) for back-compat with
existing on-disk data; new encodings never produce those shapes.
Two valid encodings for the same logical header would have made
hashing / signature over the encoded form non-canonical.

Per-header cost: one byte for the Bool plus one for the
Maybe-Nothing tag when no announcement is present.

Parameterise runThreadNet over NodeJoinPlan and add a new property
that starts node 3 at a random slot while nodes 0-2 run from slot 0.
Demonstrates the crash in 'resolveLeiosBlock' when a late-joining
node encounters a CertRB referencing an EB it never received.

The fix lives later in the workstream; this commit just makes the
gap visible.

The crate gated `serde` behind the `json` feature, but used
`serde::{Serialize, Deserialize}` unconditionally across the era
models, so building with `default-features = false` failed to
compile. Since `pallas-codec` and `pallas-crypto` already depend on
serde unconditionally, gating it here gave no real benefit anyway.

The `json` feature now gates only `serde_json`. A CI job checks
pallas-primitives in isolation, since a workspace-wide
`--no-default-features` build unifies the feature back on.

Fixes #740

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

chore(gateway): include manifests in release image