Cardano Updates

cardano ping implemented with ouroboros-network

KnownPeers.setCurrentTime and EstablishedPeers.setCurrentTime run on
every governor loop iteration. Add a fast path to KnownPeers for the
common case where nothing is scheduled or the earliest scheduled time
is still in the future; previously it always ran the general path,
rebuilding the record and (with +asserts) checking the invariant.

In EstablishedPeers use findMin instead of minView in the existing
fast-path guard: an O(1) peek that avoids allocating the deletion of
the minimum. The fast path now also covers the empty-queue case, which
previously fell through to the general path.

Signed-off-by: cryptodj413 <[email protected]>

Replace raw `Var () name.x` / `LamAbs () name.x` with the var.x / lam.x handles
for consistency with the other transform specs. These modules keep their raw
constructors for the non-variable parts (mkIterApp, Force, Builtin, Constr).

The bare-Name handle does not allocate fresh names; it derives a deterministic
Unique from the hint text, so `name.x` reads more accurately than `fresh.x`
(addresses review feedback). Rename the goldenVs* test-name params to testName
to avoid shadowing the imported handle.

Turn var and lam into OverloadedRecordDot handles (var.x :: T, lam.x :: T -> T)
so occurrences and binders read as var.x / lam.x instead of var fresh.x. Bare
names (predicate args, free-var lists, raw-constructor modules) still come from
the fresh handle. Drop the now-redundant brackets and $ that hlint flagged.

- Added build arguments for Blockfrost API keys in docker-compose files to ensure consistent client bundle paths.
- Updated Dockerfile to handle Blockfrost API keys as environment variables for production builds.
- Modified CI workflow to allow insecure cookies for wallet sessions during testing.
- Refactored wallet handling in various components to use the new useMeshWallet hook, ensuring compatibility with the latest wallet API.
- Enhanced error handling in wallet session management to prevent issues with unconnected wallets.

Signed-off-by: Sasha Bogicevic <[email protected]>

Signed-off-by: Sasha Bogicevic <[email protected]>

    A malicious participant could set an arbitrary headAdaOverhead in the
    output ClosedDatum at close time. Since mustPreserveHeadAdaOverhead in
    checkContest locks this value permanently after Close, a wrong value
    makes fanout impossible and freezes all head funds.

    Fix: store headAdaOverhead in OpenDatum at init time (where it equals
    worstCaseMinLovelace, the pre-funded overhead with no L2 UTxOs) and
    verify it is unchanged in checkClose, checkIncrement, and checkDecrement.
    The invariant headAdaOverhead = headLovelace - utxoLovelace holds across
    the head lifetime because Increment and Decrement both change headLovelace
    and utxoLovelace by the same deposit/decommit amount.

    Also fix worstCaseClosedDatum used to compute the pre-funded ADA at
    initTx: variable-size integer fields (version, snapshotNumber,
    contestationDeadline, headAdaOverhead) previously used small constants
    (0 or 2 trillion) that produce 1-9 CBOR bytes less than the true
    maximum. Using maxBound @Word64 for all of them ensures the datum size
    estimate is a genuine upper bound, preventing potential ledger min-UTxO
    rejections on close for long-running or high-throughput heads.

Signed-off-by: Sasha Bogicevic <[email protected]>

  When a DecrementTx was applied on-chain before the head was closed
  (snapshotVersion != openVersion), partialFanout passed fullUTxO to
  buildAndVerifyAccumulator. But the closed datum's accumulatorCommitment
  was built from utxoForProof (snapshot UTxO including the decommit set),
  so the check always failed with StaleChainState, leaving the head stuck.

  Separate the accumulator proof input from the distribution set by adding
  a proofUTxO parameter to partialFanout and findFittingFanoutTx. The
  FanoutTx call site now passes utxoForProof as proofUTxO so it matches
  what the closed datum was committed to, while fullUTxO (the actual
  distribution set) is used unchanged for fanout outputs.

Signed-off-by: Sasha Bogicevic <[email protected]>

  When snapshotVersion < version (an IncrementTx confirmed on L1 after the
  last snapshot), computeFullFanoutUTxO includes utxoToCommit in the full
  fanout set. After a PartialFanoutTx distributes all other outputs, a
  FinalPartialFanoutTx must distribute the pending deposit UTxO alone.

  Adds genClosedStateWithPendingCommit to the testlib and a property test
  that verifies finalPartialFanout succeeds in this scenario — guarding
  against the StaleChainState failure observed in practice when the
  in-memory deposit UTxO accumulator element diverges from the on-chain
  commitment.

Signed-off-by: Sasha Bogicevic <[email protected]>

  genStOpen inflates the head UTxO by u0Value but leaves headAdaOverhead
  in the open datum unchanged. genCloseTx now adjusts the head UTxO value
  to headAdaOverhead + confirmedUTxOValue + decommitValue before building
  the close tx, so closeTx computes the correct headAdaOverhead' for the
  closed datum (fixes H65).

  forAllClose was discarding the adjusted UTxO returned by genCloseTx and
  recomputing it from the original inflated OpenState, causing the
  evaluator to see a different input value than what the tx was built
  against (fixes H4/HeadValueIsNotPreserved).

Signed-off-by: Sasha Bogicevic <[email protected]>

  genStOpen inflates the head UTxO by u0Value but genCloseTx was not
  adjusting it before calling unsafeClose. With mustPreserveHeadValue
  now using strict equality (instead of geq), the head value must be
  exactly headAdaOverhead + confirmedUTxO + decommit at close time,
  or the Plutus script fires H65. Adjust the UTxO in genCloseTx the
  same way genClosedStateForFanout and genFanoutTx already do.

Signed-off-by: Sasha Bogicevic <[email protected]>

Signed-off-by: Yurii Shynbuiev <[email protected]>

Signed-off-by: Yurii Shynbuiev <[email protected]>

Signed-off-by: Eric Torreborre <[email protected]>