Cardano Updates

Optimize codegen to be two linear passes

The pipeline framework tracked stages but most of PipelineTiming drove no
behavior: stageFor ran only on the certified path, handleEbQuorum honored
any certificate regardless of timing, and the pipeline's VoteWindowSlots
had no relationship to VoteManager's vote-acceptance window.

- Enforce the certification deadline: a certificate arriving at or past
  CertifyByDeadlineSlots is rejected (counted under certs_rejected_total),
  leaving the EB tracked but never certified, so it cannot become eligible.
- Surface the uncertified stages: updateGaugesLocked now derives a per-EB
  stage gauge via stageFor with each EB's real certified flag (exercising
  the uncertified branch in production), plus a read-only StageOf seam.
- Unify the vote window: VoteManager's vote-acceptance past bound is now
  the pipeline's VoteWindowSlots, passed through VoteManagerConfig and
  sourced from the same leiosPipelineTiming() the pipeline uses, so the two
  components admit votes over the same window and cannot drift. Replaces the
  standalone slotWindowPastTolerance.
- Remove the inert StageLengthSlots field.

ARCHITECTURE.md updated; DATABASE.md unaffected (in-memory, metrics only).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Signed-off-by: Chris Guiney <[email protected]>

Two follow-ups from review of the pipeline timing change:

- markEquivocationLocked incremented ebEquivocationTotal (and logged)
  once per EB added beyond the first, so a slot with N distinct EBs
  counted N-1 times despite the metric documenting "number of slots with
  equivocating endorser blocks". Track a per-instance equivocated flag so
  the counter and warn log fire exactly once per equivocating slot; every
  EB is still flagged for inclusion exclusion. Adds a regression test.

- Define observeFutureToleranceSlots as the vote manager's
  slotWindowFutureTolerance instead of a duplicated literal 60, so the two
  Leios components admit endorser blocks over the same future window and
  cannot drift apart.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Signed-off-by: Chris Guiney <[email protected]>

A peer controls the slot on an endorser block it offers, which flows
through storeLeiosEndorserBlock into PipelineManager.ObserveEndorserBlock.
Because MayProduceEndorserBlock treats any existing instance for a slot as
"already produced," a peer could pre-seed far-future slots and deny the
legitimate local producer when those slots open.

Bound the observation acceptance window: ignore observations for slots more
than observeFutureToleranceSlots (60) ahead of the current/tip slot, or
already older than InstanceTTLSlots. The future tolerance matches the vote
manager's slotWindowFutureTolerance so the two Leios components admit
endorser blocks over the same window, while still allowing clock-skew and
diffusion slack for honest near-present blocks. The quorum path is
unaffected: it is fed by the locally windowed vote manager, not raw peer
input.

Found by cubic and CodeRabbit on the pull request.

Signed-off-by: Chris Guiney <[email protected]>
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Add a PipelineManager that orchestrates the CIP-0164 Linear Leios
pipeline on top of the existing vote/certificate machinery. It tracks
endorser blocks through produce/diffuse/vote/certify/eligible stages
under provisional, off-chain timing windows, detects slot-level EB
equivocation, flushes in-flight state at epoch boundaries and rollbacks,
and exposes the producer- and inclusion-facing seams the forge loop will
consume.

Scope is framework + hook only:

- The pipeline is decoupled from VoteManager; both observe endorser
  blocks independently and share only the leios.eb_quorum event. The
  certificate is captured verbatim, never rebuilt.
- EB equivocation keys on slot (the endorser block carries no producer
  identity yet) and excludes all candidates for a slot from inclusion;
  this complements VoteManager's (slot, voter_id) vote equivocation.
- Stage 3 tracks and exposes certified EBs eligible for ranking-block
  inclusion via EligibleCertifiedEbs/MarkEmbedded, but the actual RB
  embedding is left stubbed pending the ranking-block CDDL.
- Timing windows live in one provisional PipelineTiming struct,
  overridable via WithLeiosPipelineTiming, rather than as protocol
  parameters while CIP-0164 is unstable.

Window decisions are slot-driven via SlotProvider.CurrentOrTipSlot (the
SlotClock is private to LedgerState), and epoch/rollback flushing runs
off the EventBus, mirroring VoteManager. The manager is wired into the
ouroboros component via a new LeiosPipelineHandler interface, notified
from storeLeiosEndorserBlock after the vote handler, and started/stopped
around VoteManager in node wiring (LIFO) since it consumes its output.
All state is in-memory; DATABASE.md is unaffected. ARCHITECTURE.md
documents the new component and event flow.

Signed-off-by: Chris Guiney <[email protected]>

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

These three Rust workspaces now live in their own repository,
cardano-scaling/leios-tools, extracted with full git history. Replace
each directory's contents with a short README pointing at the new home,
and remove the now-orphaned build/CI that referenced the deleted source:

- .github/workflows/sim-rs.yaml — built sim-rs (moved).
- .github/workflows/conformance-linear.yaml — built sim-rs and ran the
  linear conformance check against sim-rs/parameters (moved).
- .github/workflows/net-node-docker.yaml — built the net-node docker
  image from net-rs/ + shared-rs/ (moved; docker CI lives in leios-tools).
- Dockerfile — drop the Rust build stage (rs-builder) and the `rs`
  target image that compiled sim-cli from sim-rs/. The Haskell `hs`
  image is unchanged.

Stale prose/comment references remain in .dockerignore,
topology-viewer/scripts/build-viewer-data.py, and a couple of config
comments; left untouched here as they don't break the build.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

ci: enable using the binary cache within test VM's

sim-rs/, net-rs/ and shared-rs/ now live in their own repository at
cardano-scaling/leios-tools. Update the remaining monorepo docs that
linked into sim-rs as a local path so they point at the new home:

- Markdown links → https://github.com/cardano-scaling/leios-tools/tree/main/sim-rs
  (and /blob/main/... for specific files).
- Embedded architecture diagrams → raw.githubusercontent.com/.../main/sim-rs/docs/...

Docs that live under net-rs/, sim-rs/ and shared-rs/ are left out — they
travel with their own repo. Prose mentions, git tags, output filenames,
docker image names, and shell-command relative paths are intentionally
left untouched (a URL can't be a symlink target or local build output).
Logbook.md is a historical journal and is left as-is.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>

Signed-off-by: Akhil Repala <[email protected]>