Cardano Updates

This is hardening, not recovery. PR #1016 made a pool whose snapshot lags the
current epoch surface at RUPD instead of panicking obscurely. This adds two
fail-loud guards so the same class of corruption is caught earlier and a
half-finished boundary can't silently double-apply. It does NOT implement true
shard resume, and it does NOT repair an already-lagging pool — those remain
open (see #1018 and the restored "TODO: implement true shard resume" notes).

Piece A — guard the silent-corruption hole. `MintedBlocksInc::apply`
accumulates the block count into the pool's positional `live` snapshot slot,
which only holds this epoch's blocks when the snapshot is aligned. A lagging
pool would silently fold later-epoch blocks into a mislabeled slot, corrupting
the `blocks_minted` reward input. `apply` now asserts the snapshot is aligned
to the block's epoch, failing at the origin (block processing) rather than as a
downstream RUPD failure. It sits in the infallible delta-apply layer alongside
its existing invariant `expect`s, so it is a descriptive panic. The block epoch
rides on a transient `#[serde(skip)]` field; WAL-stored deltas are only ever
undone (never re-applied), so the WAL format is unchanged.

Piece B — guard ESTART finalize. `commit_finalize` now asserts every shard
committed and the epoch has not advanced before rotating pools / advancing the
epoch, returning BrokenInvariant::EpochBoundaryIncomplete otherwise — a
defensive assertion that turns a would-be silent double-rotation into a loud
error. It guards the finalize step only; it does NOT make the per-shard
`AccountTransition` replay idempotent.

Error codes + troubleshooting. The two errors are codified (LEDGER-001 pool
snapshot lagging, LEDGER-002 epoch boundary incomplete) with concise messages;
the explanatory prose and operator guidance live in a new
docs/content/operations/troubleshooting.mdx page.

Out of scope: making boundary resume idempotent (the real fix, tracked in
#1018), and rebuilding an already-corrupted pool snapshot window from the
archive. A node that already persisted a lag keeps failing loud with LEDGER-001
and needs a re-bootstrap.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The info banner sat inside the genesis() function body, so it fired once per `wb genesis <op>` dispatch

Signed-off-by: Akhil Repala <[email protected]>

These expose some combinators which allow for summarising rolling
statistics across a long stream in constant memory.

These modules expose sliding windows backed by an approximate t-digest
measure, which permit efficient computations of quantiles in bounded memory.

These modules keep samples within a configured duration of the newest
sample's timestamp. These variants abstract over the timestamp type
via the 'TimeLike' class, which have two implementations defined:

- `UTCTime` / `NominalDiffTime` (wall-clock, from `time`)
- `Time` / `DiffTime` (monotonic, from `io-classes:si-timers`)

Monotonic is preferred when sliding-window correctness must not be
perturbed by NTP corrections or wall-clock jumps; wall-clock fits
data that already carries `UTCTime` timestamps.

These modules provide a fingertree-backed sliding window with fixed
element count. The fingertree backend caches a user-supplied monoidal measure
`v` which updates incrementally as elements are added and evicted, which
allows for constant time lookup of its value regardless of window
size.

The Window.Count module exposes a public API, and the private internal
implementation is exposed by the Internal.Count module without any
guarantees that it stays compatible between any releases.

The Measures module exposes some common and practical prebuilt
measures.

This is hardening, not recovery. PR #1016 made a pool whose snapshot lags the
current epoch surface at RUPD instead of panicking obscurely. This adds two
fail-loud guards so the same class of corruption is caught earlier and a
half-finished boundary can't silently double-apply. It does NOT implement true
shard resume, and it does NOT repair an already-lagging pool — those remain
open (see #1018 and the restored "TODO: implement true shard resume" notes).

Piece A — guard the silent-corruption hole. `MintedBlocksInc::apply`
accumulates the block count into the pool's positional `live` snapshot slot,
which only holds this epoch's blocks when the snapshot is aligned. A lagging
pool would silently fold later-epoch blocks into a mislabeled slot, corrupting
the `blocks_minted` reward input. `apply` now asserts the snapshot is aligned
to the block's epoch, failing at the origin (block processing) rather than as a
downstream RUPD failure. It sits in the infallible delta-apply layer alongside
its existing invariant `expect`s, so it is a descriptive panic. The block epoch
rides on a transient `#[serde(skip)]` field; WAL-stored deltas are only ever
undone (never re-applied), so the WAL format is unchanged.

Piece B — guard ESTART finalize. `commit_finalize` now asserts every shard
committed and the epoch has not advanced before rotating pools / advancing the
epoch, returning BrokenInvariant::EpochBoundaryIncomplete otherwise — a
defensive assertion that turns a would-be silent double-rotation into a loud
error. It guards the finalize step only; it does NOT make the per-shard
`AccountTransition` replay idempotent.

Error codes + troubleshooting. The two errors are codified (LEDGER-001 pool
snapshot lagging, LEDGER-002 epoch boundary incomplete) with concise messages;
the explanatory prose and operator guidance live in a new
docs/content/operations/troubleshooting.mdx page.

Out of scope: making boundary resume idempotent (the real fix, tracked in
#1018), and rebuilding an already-corrupted pool snapshot window from the
archive. A node that already persisted a lag keeps failing loud with LEDGER-001
and needs a re-bootstrap.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Bumps the npm_and_yarn group with 1 update in the / directory: [markdown-it](https://github.com/markdown-it/markdown-it).


Updates `markdown-it` from 14.1.1 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](https://github.com/markdown-it/markdown-it/compare/14.1.1...14.2.0)

---
updated-dependencies:
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>

Adds an endpoint listing the UTXOs that hold a given script as a
reference script (CIP-33). These outputs can be used as reference
inputs (CIP-31) to execute the script without including its bytes.
A script may be held by multiple UTXOs, potentially at different
addresses, so the endpoint is paginated.

Response shape mirrors /addresses/{address}/utxos, omitting the
deprecated tx_index field (consistent with tx_content_utxo).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Lists the UTXOs that hold a given script as a reference script (CIP-33),
so a script hash can be resolved directly to its deployment UTXOs for use
as reference inputs (CIP-31) — without knowing/enumerating the holding
address.

- paged route GET /scripts/:script_hash/utxos
- query uses consumed_by_tx_id IS NULL for spentness
- response mirrors /addresses/:address/utxos, minus the deprecated tx_index
- requires @blockfrost/openapi 0.1.90

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

PR #1016 made a pool whose snapshot lags the current epoch surface loudly at
RUPD instead of panicking. This adds the recovery/prevention half so the lag
can neither be introduced silently nor double-applied on restart.

Piece A — guard the silent-corruption hole. `MintedBlocksInc::apply` accumulates
the block count into the pool's `live` snapshot slot, which only holds this
epoch's blocks when the snapshot is aligned. A lagging pool would silently fold
later-epoch blocks into a mislabeled slot, corrupting the `blocks_minted` reward
input. `apply` now asserts the snapshot is aligned to the block's epoch before
accumulating, failing loud and identifying (naming pool + epochs) at the origin
— block processing — rather than as a downstream RUPD failure. This sits in the
infallible delta-apply layer alongside its existing invariant `expect`s, so it
is a descriptive panic, not a propagating error. The block epoch travels on a
transient `#[serde(skip)]` field on MintedBlocksInc; WAL-stored deltas are only
ever undone (never re-applied), so the default it decodes to off the WAL is
never read — the WAL format is unchanged.

Piece B — make ESTART finalize run exactly once. Per-shard resume already skips
committed shards via `start_shard` (each shard commits atomically and advances
`estart_progress.committed` in the same write), and EWRAP finalize short-
circuits via `is_complete()`. ESTART finalize had no such guard — it was safe
only because the cursor advances in the same atomic commit as `EpochTransition`.
`commit_finalize` now asserts every shard committed and the epoch has not
advanced, returning BrokenInvariant::EpochBoundaryIncomplete (enriched with
epoch/committed/total) otherwise, converting a would-be silent double-rotation
into a loud, identifying error. Resume diagnostics updated to describe the
now-enforced mechanism (dropped the two "TODO: implement true shard resume"
notes).

Out of scope (deferred): rebuilding an already-corrupted pool snapshot window
from the archive for nodes that persisted a lag before this fix — they keep
failing loud with PoolSnapshotLagging and require a re-bootstrap.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>