Cardano Updates

[EC Api] - Beyond MVG project: April 2026 progress report – first draft State of Governance report

Pulls in master's current shared-image versions:
- sidecar:1ff6913       (post legacy-probe delete, #119)
- tracer-sidecar:5271661 (fork-tree probe build)
- configurator + log-tailer + tracer + cardano-node digests already match
- tx-generator from master is intentionally not added — adversary
  testnet runs nodes only

The adversary container itself stays pinned to its own SHA
(adversary:b75cfe3) since master has no adversary equivalent.

Layer 3 of #123 (perturbation metric emit from finally_tips_agree.sh)
is dropped: that script was deleted on main by #119, the cluster-wide
"did the cluster fork" oracle now lives in tracer-sidecar's fork-tree
probe. Re-implementing the perturbation metric on top of that surface
is a follow-up.

Adds Adversary.SDK with Reachable / Sometimes assertion emitters that
write to \$ANTITHESIS_OUTPUT_DIR/sdk.jsonl (default /tmp/sdk.jsonl).
Wires two assertions into app/Main.hs:

  - reachable("adversary_chain_sync_started", {target_host, point, limit})
    fires once per invocation before connectToNode. Antithesis report
    will show, segmented by target_host, "the adversary fired against
    pN at least once". A host that never gets attacked is visible as
    a missing Reachable hit.

  - sometimes(true|false, "adversary_chain_sync_completed",
              {target_host, tip|reason})
    fires once per invocation on completion. true on clean exit,
    false on connect/protocol failure. Sometimes-true vs Sometimes-
    false buckets quantify how often the adversary actually completed
    a full --limit sync vs being cut short by chaos.

Layer 1 of three for issue #123.

origin/main bumped both:
  sidecar:65039df       -> sidecar:1ff6913
  tracer-sidecar@sha256:8474... -> tracer-sidecar:5271661

Keep asteria_game on the same images master is using.

Removes:
  - components/sidecar/composer/convergence/eventually_converged.sh
  - components/sidecar/composer/convergence/finally_tips_agree.sh
  - components/sidecar/composer/convergence/serial_driver_tip_agreement.sh
  - components/sidecar/composer/convergence/helper_{sdk,tip_probe}_lib.sh
  - eventually-converged + flaky-chain-sync wrappers from
    sidecar's docker-image.nix (their target scripts are gone)

These were the strict-tip-equality probes flagged in #84 and #119:
they compare hashes at instant T and false-positive on healthy mid-
propagation state. The cluster-wide invariant they were trying to
express is now enforced by tracer-sidecar's fork-tree probe (the
'cluster fork depth < k' AlwaysOrUnreachable assertion plus the
'cluster fork observed' Sometimes coverage check, both passing on
the verification run for this branch).

scripts/smoke-test.sh: drop the eventually_converged.sh exec; the
cardano-cli tip ping above already proves each producer is alive
and serving the chain.

Closes #119 (gates #84 / #81 closure).

Adds cluster-wide fork-depth probe to the Spec:

- Extends State with forkTree, forkObserved, forkExceededK
- updateForkTree rule: parses AddedToCurrentChain /
  SwitchedToAFork into Tip records, feeds them to ForkTree
  (recordExtension / setTip), and updates the two derived
  flags
- Sometimes assertion 'cluster fork observed' fires once
  cluster fork depth has been > 0 — proves fault injection
  drives the fork path
- AlwaysOrUnreachable assertion 'cluster fork depth < k'
  fires false the moment depth crosses k = 432

Golden output regenerated to include the two new
declarations.

Phase 1 of #119 (in-memory probe). Persistence (#119 step 4)
and master compose mount (step 5) follow.

Adds a SwitchedToAFork constructor to LogMessageData. Previously
these events fell through to OtherLogMessageData. Required for the
ForkTree probe (#119) to track per-host current-tip transitions
that bypass sequential extension.

Tests still green; golden output unchanged because no existing
rule matches SwitchedToAFork.

Pins the tracer-sidecar tag to commit 5271661 (this branch
HEAD pre-bump) so the publish-images workflow rebuilds the
image with the new ForkTree probe + multi-version field
parser. Required for the 1h Antithesis verification run on
this branch.

OverloadedStrings in ForkTree.hs and DeriveAnyClass in LogMessage.hs are no longer needed.

cardano-node 10.7+ ships two breaking changes to the
ChainDB.AddBlockEvent JSON payload that silently dropped
events from any node running a newer version:

  - 'newTipSelectView' renamed to 'newSuffixSelectView'
    (and 'oldTipSelectView' to 'oldSuffixSelectView')
  - inside that view, 'chainLength' renamed to 'blockNo' and
    'kind' changed from 'PraosChainSelectView' to
    'PraosTiebreakerView' (with an extra 'weightBoost' field)

The master testnet pins three different cardano-node images
spanning both schemas.  Before this fix, only the older p1
image was decoded; p2 and p3's events failed FromJSON and
were silently skipped, leaving tracer-sidecar with a
single-host view of the cluster.

Both old and new field names are now accepted (case
fallthrough on .:?).  No semantic change for older nodes.

This was already the right fix on its own merits, and is a
strict prerequisite for the #119 fork-tree probe (which
needs at least two hosts to ever report a non-zero cluster
fork depth).

ForkTreeState tracks per-host current tips and a global
parent map. Edges are recorded on AddedToCurrentChain
(producer's own extension always captures the true parent);
SwitchedToAFork only updates the host's tip without
recording an edge.

clusterForkDepth = max(tip.chainLength) - commonAncestor.chainLength,
where commonAncestor walks each host's ancestry back (capped
at maxDepth) and intersects to find the deepest shared block.

8 hspec unit tests cover: empty state, sequential extension,
agreement, 1-block fork, root-only common ancestor, deep 5-block
divergence, setTip without edge, depth-cap truncation.

Part of #119 — pure algebra commit; wiring + persistence in
follow-up commits on this branch.

Signed-off-by: Eric Torreborre <[email protected]>

- Drop unused waitForError import (was triggering -Wall unused-import).
- Rename local errorPath shadow → errorFilePath in 3 invalid-UUID test
  cases (the local binding is a String-derived path; the imported helper
  takes a UUID, so they cannot be unified — just unshadow).
- Remove stale "(5 second timeout)" comments; the timeout is now driven
  by defaultWaitMs and the comments would mislead future debugging.
- Reword waitForFile haddock: the doesFileExist probe runs *after*
  watcher registration, not before, to cover events that fired before
  we were listening.

This patch ensures that when a node starts syncing from scratch
in bootstrap peers mode that it has only up to 2 active connections
to bootstrap relays.

Co-authored-by: Copilot Autofix powered by AI <[email protected]>

Apple Clang 15+ rejects static_cast<enum>(-1) in constant expressions
(Wenum-constexpr-conversion), causing blake-hash and node-hid to fail
in the Darwin node_modules build. NIX_CFLAGS_COMPILE doesn't reach
node-gyp since it invokes the compiler directly, bypassing the Nix CC
wrapper. Set CXXFLAGS and npm_config_cxxflags before the install scripts
loop — both are read directly by node-gyp.