Cardano Updates

* feat(leios): pipeline timing and stage management

Add a PipelineManager that orchestrates the CIP-0164 Linear Leios
pipeline on top of the existing vote/certificate machinery. It tracks
endorser blocks through produce/diffuse/vote/certify/eligible stages
under provisional, off-chain timing windows, detects slot-level EB
equivocation, flushes in-flight state at epoch boundaries and rollbacks,
and exposes the producer- and inclusion-facing seams the forge loop will
consume.

Scope is framework + hook only:

- The pipeline is decoupled from VoteManager; both observe endorser
  blocks independently and share only the leios.eb_quorum event. The
  certificate is captured verbatim, never rebuilt.
- EB equivocation keys on slot (the endorser block carries no producer
  identity yet) and excludes all candidates for a slot from inclusion;
  this complements VoteManager's (slot, voter_id) vote equivocation.
- Stage 3 tracks and exposes certified EBs eligible for ranking-block
  inclusion via EligibleCertifiedEbs/MarkEmbedded, but the actual RB
  embedding is left stubbed pending the ranking-block CDDL.
- Timing windows live in one provisional PipelineTiming struct,
  overridable via WithLeiosPipelineTiming, rather than as protocol
  parameters while CIP-0164 is unstable.

Window decisions are slot-driven via SlotProvider.CurrentOrTipSlot (the
SlotClock is private to LedgerState), and epoch/rollback flushing runs
off the EventBus, mirroring VoteManager. The manager is wired into the
ouroboros component via a new LeiosPipelineHandler interface, notified
from storeLeiosEndorserBlock after the vote handler, and started/stopped
around VoteManager in node wiring (LIFO) since it consumes its output.
All state is in-memory; DATABASE.md is unaffected. ARCHITECTURE.md
documents the new component and event flow.

Signed-off-by: Chris Guiney <[email protected]>

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

* fix(leios): reject out-of-window endorser block observations

A peer controls the slot on an endorser block it offers, which flows
through storeLeiosEndorserBlock into PipelineManager.ObserveEndorserBlock.
Because MayProduceEndorserBlock treats any existing instance for a slot as
"already produced," a peer could pre-seed far-future slots and deny the
legitimate local producer when those slots open.

Bound the observation acceptance window: ignore observations for slots more
than observeFutureToleranceSlots (60) ahead of the current/tip slot, or
already older than InstanceTTLSlots. The future tolerance matches the vote
manager's slotWindowFutureTolerance so the two Leios components admit
endorser blocks over the same window, while still allowing clock-skew and
diffusion slack for honest near-present blocks. The quorum path is
unaffected: it is fed by the locally windowed vote manager, not raw peer
input.

Found by cubic and CodeRabbit on the pull request.

Signed-off-by: Chris Guiney <[email protected]>
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

* fix(leios): count EB equivocation per slot and couple observe window to vote tolerance

Two follow-ups from review of the pipeline timing change:

- markEquivocationLocked incremented ebEquivocationTotal (and logged)
  once per EB added beyond the first, so a slot with N distinct EBs
  counted N-1 times despite the metric documenting "number of slots with
  equivocating endorser blocks". Track a per-instance equivocated flag so
  the counter and warn log fire exactly once per equivocating slot; every
  EB is still flagged for inclusion exclusion. Adds a regression test.

- Define observeFutureToleranceSlots as the vote manager's
  slotWindowFutureTolerance instead of a duplicated literal 60, so the two
  Leios components admit endorser blocks over the same future window and
  cannot drift apart.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Signed-off-by: Chris Guiney <[email protected]>

* feat(leios): enforce pipeline timing windows and unify the vote window

The pipeline framework tracked stages but most of PipelineTiming drove no
behavior: stageFor ran only on the certified path, handleEbQuorum honored
any certificate regardless of timing, and the pipeline's VoteWindowSlots
had no relationship to VoteManager's vote-acceptance window.

- Enforce the certification deadline: a certificate arriving at or past
  CertifyByDeadlineSlots is rejected (counted under certs_rejected_total),
  leaving the EB tracked but never certified, so it cannot become eligible.
- Surface the uncertified stages: updateGaugesLocked now derives a per-EB
  stage gauge via stageFor with each EB's real certified flag (exercising
  the uncertified branch in production), plus a read-only StageOf seam.
- Unify the vote window: VoteManager's vote-acceptance past bound is now
  the pipeline's VoteWindowSlots, passed through VoteManagerConfig and
  sourced from the same leiosPipelineTiming() the pipeline uses, so the two
  components admit votes over the same window and cannot drift. Replaces the
  standalone slotWindowPastTolerance.
- Remove the inert StageLengthSlots field.

ARCHITECTURE.md updated; DATABASE.md unaffected (in-memory, metrics only).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Signed-off-by: Chris Guiney <[email protected]>

---------

Signed-off-by: Chris Guiney <[email protected]>
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>

This reverts commit 07d0522bbf8ba5a2d3a419405cee7573832cc98b.

Signed-off-by: hade <[email protected]>