Cardano Updates

Two related changes to `modules/cabal-project.nix`:

**1. `cabalProjectLocal` / `cabalProjectFreeze` no longer auto-load
from disk.**  The options were typed `nullOr lines` with
`readIfExists`-based defaults that did IFD lookups for
`cabal.project.local` / `cabal.project.freeze` in the project
source.  Internal projects (hadrian, ghc-extra-projects) explicitly
set them to `null` just to suppress those reads, and the nullability
also prevented `mkBefore` directives from merging cleanly.

Switch the types to plain `lines` (default `""`) — projects that
relied on the implicit `readFile` behaviour now do it explicitly:

    cabalProjectLocal = builtins.readFile ./cabal.project.local;

Internal callers that set `null` for IFD-avoidance lose the
explicit assignments — the new default is already IFD-free.

**2. Platform-conditional defaults are now injected into every
cabal project's `cabalProjectLocal`.**  Four `mkIf` blocks added:

  * **musl host** — `package * \n executable-static: True`.
    comp-builder adds `--ghc-option=-optl=-static` at build time;
    surfacing the toggle here makes plan-to-nix record
    `--enable-executable-static`.  Build artefacts are unchanged.
  * **x86_64-darwin host** — `package * \n library-for-ghci: True`.
    Mirrors what comp-builder passes for `!ghcjs && !wasm && !android`
    (always true on darwin).
  * **android host** —
    `package * \n ghc-options: -optl-static -optl-ldl` (plus
    `-optl-no-pie` on aarch32).  Mirrors `lib/check.nix`'s
    test-exe `setupBuildFlags` re-wrap.
  * **wasm GHC ≥ 9.12** — `package * \n shared: True`.  Wasm's RTS
    linker only loads `.so` files; `--disable-shared` (cabal's
    default given the real compiler's reported capabilities) would
    force a `.a`-only install that TH-eval can't load.

All four sit at `mkBefore` priority so a project's own
`cabalProjectLocal` overrides them.

Cache impact: plan-nix hashes change for affected platforms.
Internal GHC builds verified byte-identical (drvPath
`na9chax1gj2n6jx3d6v86v6fdah9r9fd-ghc-9.14.1.drv` matches master).

Changelog entry added describing both changes.

Pulled out of #2504 (`hkm/builder-v2`).

also adapt networking tests to stricter default reconnect policy

Signed-off-by: Roland Kuhn <[email protected]>

Surface the static-linking / library-for-ghci / shared-libs flags
that comp-builder and `lib/check.nix` already apply at the
artefact level into the plan-to-nix step, so plan-nix's recorded
configure-args and UnitIds match what cabal v2-build would compute
against the real compiler.

Four mkIfs added to `modules/cabal-project.nix`:

* **musl host** — `package * \n executable-static: True`.
  comp-builder adds `--ghc-option=-optl=-static` at build time;
  surfacing the toggle here makes plan-to-nix record
  `--enable-executable-static`.  Build artefacts are unchanged.
* **x86_64-darwin host** — `package * \n library-for-ghci: True`.
  Mirrors what comp-builder passes for `!ghcjs && !wasm && !android`
  (always true on darwin).
* **android host** —
  `package * \n ghc-options: -optl-static -optl-ldl` (plus
  `-optl-no-pie` on aarch32).  Mirrors `lib/check.nix`'s test-exe
  setupBuildFlags re-wrap.
* **wasm GHC ≥ 9.12** — `package * \n shared: True`.  Wasm's RTS
  linker only loads `.so` files; `--disable-shared` (cabal's
  default given the real compiler's reported capabilities) would
  force a `.a`-only install that TH-eval can't load.

All four directives sit at `mkBefore` priority so a project's own
`cabalProjectLocal` overrides them.

Cache impact: plan-nix hashes change for affected platforms.

Changelog entry added in `changelog.md` describing the cache-bust
and the opt-out path.

Pulled out of #2504 (`hkm/builder-v2`).

* Add `useLocalGhcLib` project option

Surface what `modules/configuration-nix.nix` used to do
unconditionally as an opt-in `useLocalGhcLib` flag, so the
`packages.ghc.src` override only fires when a project actually
constrains the `ghc` package (e.g. `ghc-lib-reinstallable`).

Four pieces:

* `modules/project-common.nix`: add the `useLocalGhcLib` option
  (default `false`).
* `modules/configuration-nix.nix`: drop the unconditional
  `packages.ghc.src` / `packages.ghc.package-description-override`
  overrides — they're moved into the per-project wiring below.
* `modules/stack-project.nix`: under `useLocalGhcLib`, re-apply
  the `packages.ghc.src` post-plan override.  Stack-to-nix can't
  use the cabal-project route, so this keeps the existing
  behaviour for stack users who flip the flag.
* `modules/cabal-project.nix`: under `useLocalGhcLib`, inject a
  `source-repository-package` block into `cabalProjectLocal`
  pointing at the configured-src + generated GHC tree, and add an
  `inputMap` entry so haskell.nix doesn't try to fetch the URL.
  Cabal then hashes the wrapped repo's content into
  `pkg-src-sha256` and installs `lib:ghc` like any other
  reinstallable dep.

Projects that need the previous always-on behaviour now set
`useLocalGhcLib = true` on the project module; everyone else gets
a smaller plan-nix and avoids the unconditional `configured-src`
materialisation.

Pulled out of #2504 (`hkm/builder-v2`).

* ghc-lib-reinstallable test + changelog: set useLocalGhcLib = true

Flips the new opt-in flag in both test variants and adds a
changelog entry telling users to do the same when they constrain
`lib:ghc`.

Updates cabal.project to point at the three rebased Leios forks that
ship with this cardano-node 11.0.1 build:

  - ouroboros-consensus  @  IntersectMBO/ouroboros-consensus
    branch leios-prototype-remake-3.0.1.0
    Single squashed Leios commit on top of release-3.0.1.0
    (mempool + diffusion + chain inclusion + voting + demo).
  - ouroboros-network    @  IntersectMBO/ouroboros-network
    branch leios-prototype-remake-1.1.0.0
    Three Leios commits on top of ouroboros-network-1.1.0.0
    (BearerBytes, Reception arrival-time, drop unused imports)
    + a trace-dispatcher version bump for compat with cardano-node 11.0.1.
  - cardano-ledger       @  IntersectMBO/cardano-ledger
    branch leios-prototype-remake
    Adds 'Maybe LeiosCert' on the Dijkstra block body
    (Dijkstra-only, mirrors 'Maybe PerasCert').

Also drops the 'dmq-node' extra-package (its latest CHaP release
requires ouroboros-network:framework-tracing, a sublib name that
the remade network fork doesn't carry).

Vendors a one-line 'ekg-forward' source patch (left untouched here)
to match the network's pre-bump 'ConnectToArgs' shape.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Both had been on the leios-prototype and and need to be re-exposed after
resetting to a recent cardano-node version.

Only the rest-in-mempool execution units metric was not easily
applicable. That part of the code will change anyways though.

The consensus Leios chunks added four fields to the consensus tracer
records that cardano-node assembles in 'Cardano.Tracing.Tracers' (old
style) and 'Cardano.Node.Tracing.Tracers' (new style):

  - Consensus.Tracers'      gained 'leiosKernelTracer' and 'leiosPeerTracer'
  - NodeToNode.Tracers'     gained 'tLeiosNotifyTracer' and 'tLeiosFetchTracer'

This commit populates those fields in both 'mkTracers' code paths so
the record-construction sites are total. All four are wired to
'nullTracer' for now; the corresponding 'Transformable' / 'MetaTrace'
instances and EKG metrics are left as TODO. The new-style tracing
system will accordingly emit a 'TracerConsistencyWarnings' for the
four Leios namespaces declared in the config.yaml — that surfaces the
gap explicitly rather than silently dropping the configuration.

Adds the corresponding selectors to 'TraceSelection' / 'PartialTraceSelection'
and their JSON parsing:

  - traceLeiosKernel          / Consensus.LeiosKernel
  - traceLeiosPeer            / Consensus.LeiosPeer
  - traceLeiosNotifyProtocol  / LeiosNotify.Remote
  - traceLeiosFetchProtocol   / LeiosFetch.Remote

Also drops the duplicate 'LogFormatting (Simple/Stateful.TraceSendRecv)'
and 'MetaTrace (Simple/Stateful.TraceSendRecv)' instances that the
upstream leios-prototype branch carried in
'Cardano/Node/Tracing/Tracers/NodeToClient.hs' — they are now provided
by 'ouroboros-network:framework-tracing' and would collide if redefined
here.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Introduces 'Cardano.Node.Configuration.Leios.LeiosDbConfig' with two
constructors:

  - LeiosDbInMemory          (matches 'LeiosDbConnection's in-memory backend)
  - LeiosDbSQLite !FilePath  (SQLite backend, file relative to node CWD)

Wired through 'PartialNodeConfiguration' / 'NodeConfiguration' as
'ncLeiosDbConfig' with JSON parsing ('"LeiosDbConfig":{"Backend":...,
"Filepath":...}') and a default of 'LeiosDbSQLite "leios.db"'.

At node startup ('Cardano.Node.Run.handleSimpleNode'), the configured
backend is materialised into a 'LeiosDbHandle' (via 'newLeiosDBInMemory'
/ 'newLeiosDBSQLite') and passed into 'RunNodeArgs' through a new
'rnLeiosDb :: Maybe (LeiosDbHandle m)' field, which consensus's
'runWith' threads into the Leios kernel's shared connection.
'Nothing' falls back to the in-memory default.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

The consensus Leios chunks extended 'NTN.Codecs' with two extra type
parameters ('bLN' / 'bLF', for LeiosNotify and LeiosFetch), and the
network-side BearerBytes/Reception work changed 'runPeerWithLimits' to
return 'Maybe (Reception bytes)' (instead of 'Maybe bytes') and made
'byteLimitsKeepAlive' parameter-less.

Update 'tx-generator' to compile against the rebased stack:

  - Pull in 'ouroboros-network:framework-tracing' as a sublib dependency.
  - Extend the local 'myCodecs' type to 9 'ByteString' parameters (was 7).
  - Update 'kaClient' return type to 'IO ((), Maybe (Mux.Reception ByteString))'.
  - Drop the size-function argument from 'byteLimitsKeepAlive'.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Mempend a small OuroborosBundle with leiosNotify/leiosFetch on the Hot
temperature onto the existing five-protocol bundle in initiator and
initiatorAndResponder.  Define the matching ingress-queue limits from the
demo's LeiosFetchStaticEnv.  This matches the upstream leios-prototype
pattern - the change is contained to consensus and leaves the network
NodeToNodeProtocols record untouched.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.15.2.
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ljharb/qs/compare/v6.14.0...v6.15.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Upstream cleanup, not Leios-specific: eight unused-import warnings that
upstream's own ghc-options promote to errors via 'nix/ouroboros-network.nix'
('-Werror' on forAllProjectPackages). They've been present at the
'main-peras-5202-merged' SHA that cardano-node and ouroboros-consensus
master both consume; surface when downstream haskell.nix builds also
inherit `-Werror`.

Affected files (one unused qualified import each):
- framework/lib/Ouroboros/Network/Protocol/Handshake/Codec.hs (BL)
- framework/tests-lib/.../ConnectionManager/Experiments.hs (LBS)
- framework/io-tests/.../Driver.hs (List)
- framework/io-tests/.../Socket.hs (IntMap)
- tests/lib/.../TxSubmission/AppV1.hs (BSL)
- tests/lib/.../TxSubmission/AppV2.hs (BSL)
- protocols/tests-lib/.../KeepAlive/Test.hs (BL)
- protocols/tests-lib/.../PeerSharing/Test.hs (BL)

Verified with 'cabal clean && cabal build all --ghc-options=-Werror' →
exit 0.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Wrap `Channel m a` recv values in a new `Reception a = MkReception
!(IntMap Time) !a`, recording per-chunk arrival times.  In the mux
demuxer the chunk's arrival time is paired with its starting byte
offset; codec/driver layers either strip the time map (the codec sees
only bytes) or propagate it through `wrapMiniProtocolTrailing` at the
mini-protocol callback boundary.  Tests/demos/benches use `IntMap.empty`
when synthesising trailing.

This is the network half of the November Leios demo's arrival-time
plumbing; consumers (e.g. Praos block-arrival tracing on the consensus
side) will be wired up separately.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

The validateField method in PresentationVerify passes the filter.pattern
from the presentation definition directly to new RegExp() without any
safety checks. An attacker can craft a presentation request with a regex
pattern that causes catastrophic backtracking (e.g. (a|aa)+b), blocking
the JavaScript event loop indefinitely.

This is an unauthenticated attack vector since the presentation definition
originates from an external verifier.

Add a safeRegex utility that:
- Validates the pattern is a non-empty string
- Enforces a maximum pattern length of 256 characters
- Verifies the pattern compiles as a valid regex
- Detects and rejects patterns with nested quantifiers (ReDoS vectors)
- Detects and rejects patterns with alternation inside quantified groups

Fixes #646

Signed-off-by: A-Chronicle <[email protected]>

The validateField method in PresentationVerify passes the filter.pattern
from the presentation definition directly to new RegExp() without any
safety checks. An attacker can craft a presentation request with a regex
pattern that causes catastrophic backtracking (e.g. (a|aa)+b), blocking
the JavaScript event loop indefinitely.

This is an unauthenticated attack vector since the presentation definition
originates from an external verifier.

Add a safeRegex utility that:
- Validates the pattern is a non-empty string
- Enforces a maximum pattern length of 256 characters
- Verifies the pattern compiles as a valid regex
- Detects and rejects patterns with nested quantifiers (ReDoS vectors)
- Detects and rejects patterns with alternation inside quantified groups

Fixes #646

Signed-off-by: A-Chronicle <[email protected]>

Flips the new opt-in flag in both test variants and adds a
changelog entry telling users to do the same when they constrain
`lib:ghc`.

Surface what `modules/configuration-nix.nix` used to do
unconditionally as an opt-in `useLocalGhcLib` flag, so the
`packages.ghc.src` override only fires when a project actually
constrains the `ghc` package (e.g. `ghc-lib-reinstallable`).

Four pieces:

* `modules/project-common.nix`: add the `useLocalGhcLib` option
  (default `false`).
* `modules/configuration-nix.nix`: drop the unconditional
  `packages.ghc.src` / `packages.ghc.package-description-override`
  overrides — they're moved into the per-project wiring below.
* `modules/stack-project.nix`: under `useLocalGhcLib`, re-apply
  the `packages.ghc.src` post-plan override.  Stack-to-nix can't
  use the cabal-project route, so this keeps the existing
  behaviour for stack users who flip the flag.
* `modules/cabal-project.nix`: under `useLocalGhcLib`, inject a
  `source-repository-package` block into `cabalProjectLocal`
  pointing at the configured-src + generated GHC tree, and add an
  `inputMap` entry so haskell.nix doesn't try to fetch the URL.
  Cabal then hashes the wrapped repo's content into
  `pkg-src-sha256` and installs `lib:ghc` like any other
  reinstallable dep.

Projects that need the previous always-on behaviour now set
`useLocalGhcLib = true` on the project module; everyone else gets
a smaller plan-nix and avoids the unconditional `configured-src`
materialisation.

Pulled out of #2504 (`hkm/builder-v2`).