Cardano Updates

Signed-off-by: cryptodj413 <[email protected]>

ChainSel must not select a chain that includes a CertRB whose certified
EB closure is not locally available; otherwise 'resolveLeiosBlock'
crashes when the block-add path tries to recover the closure.

Wire-up:
- 'CDB' carries 'cdbLeiosDbHandle :: LeiosDbHandle m' so ChainSel can
  read the closure cache on the block-add hot path without threading
  the snapshot through every caller.
- 'chainSelectionForBlock' reads 'readCompletedClosures' on each
  iteration; the read is O(1) (TVar) so this is cheap.
- New 'ignorePendingCertRBs' wrapper around 'lookupBlockInfo'.  Mirrors
  the existing 'ignoreInvalid' wrapper.  Both lookup paths
  ('lookupBlockInfo'' and 'succsOf'') filter against the same set.

Filter body itself is a stub:
'computeCertRBsWithPendingEbClosures' returns 'Set.empty'.  The real
implementation walks the VolatileDB forward from the immutable tip and,
for each header satisfying 'headerIsCertRB', extracts the certified
'EbHash' from the parent's 'headerEbAnnouncement' and checks it against
'readCompletedClosures'.  Lands in the next step of the late-join
workstream.

'Node.hs' / 'Test/ThreadNet/Network.hs' pass the handle to
'openChainDB'; no more 'LeiosOutstanding' MVar lifting.

Add 'readCompletedClosures :: m (Set EbHash)' to 'LeiosDbHandle'.  The
handle owns a TVar; ChainSel will read it on the block-add hot path
(O(1) 'readTVarIO').

Seed at construction:
- SQLite: 'SELECT ebHashBytes FROM ebs WHERE missingTxCount IS NOT
  NULL AND missingTxCount <= 0'.  Covers both "just completed" (0)
  and "completed and notified" (-1); both states mean the closure is
  in the DB.  Run on a short-lived connection that also guarantees
  schema initialisation before any 'open'-ed connection later.
- In-memory: derive from 'imTxs' / 'imEbBodies' via the same
  predicate the insert paths use.

Update inside the existing insert paths:
- Both SQLite insert paths share a 'findAndMarkCompletedEbs' helper
  inside the BEGIN and a 'notifyAndCacheCompleted' helper after
  COMMIT.  The notify+cache step pushes the just-transitioned
  closures into the cache.
- In-memory insert paths do the same update inside their STM
  transaction, so the state mutation and the cache update are
  atomic.

'LeiosDemoLogic.msgLeiosBlock' now also emits
'TraceLeiosBlockTxsAcquired' for closures completed by a body
insert (not just tx inserts), matching the symmetry the cache update
exposes.

Cache is unbounded for now; future work caps it to a k-window with
DB query on miss.  See 'readCompletedClosures' TODO and the
late-join plan.

ChainSel needs two header-level queries to identify CertRBs whose
certified EB closure is not locally available: 'headerIsCertRB' on
the candidate header, and 'headerEbAnnouncement' on its parent.

Add both methods to 'ResolveLeiosBlock' without defaults: a silent
'False' / 'Nothing' default would let a future block-type author
forget to override, and ChainSel would silently degrade to "never
filter a CertRB" without a compile error.  Every instance now
defines all three methods.

The Praos Shelley instance reads 'hbIsCertRB' / 'hbMayEbAnnouncement'
off the body.  Cardano dispatches to Conway for both methods.  Every
other instance (Byron, mock, test, single-era HFC wrappers) spells
out the "never a CertRB" stance explicitly.

Add 'hbIsCertRB' to 'HeaderBody' (and mirror on 'HeaderView') for the
CIP-0164 header bit signalling that this RB certifies a
previously-announced EB.  Thread the bit through 'mkHeader' (Praos
and TPraos; the latter ignores it) and the Shelley forge path.

Encode canonically: every header is len=12 carrying
@(Bool, Maybe EbAnnouncement)@.  Decode still accepts len=10
(pre-Leios) and len=11 (announcement-only) for back-compat with
existing on-disk data; new encodings never produce those shapes.
Two valid encodings for the same logical header would have made
hashing / signature over the encoded form non-canonical.

Per-header cost: one byte for the Bool plus one for the
Maybe-Nothing tag when no announcement is present.

Parameterise runThreadNet over NodeJoinPlan and add a new property
that starts node 3 at a random slot while nodes 0-2 run from slot 0.
Demonstrates the crash in 'resolveLeiosBlock' when a late-joining
node encounters a CertRB referencing an EB it never received.

The fix lives later in the workstream; this commit just makes the
gap visible.

The crate gated `serde` behind the `json` feature, but used
`serde::{Serialize, Deserialize}` unconditionally across the era
models, so building with `default-features = false` failed to
compile. Since `pallas-codec` and `pallas-crypto` already depend on
serde unconditionally, gating it here gave no real benefit anyway.

The `json` feature now gates only `serde_json`. A CI job checks
pallas-primitives in isolation, since a workspace-wide
`--no-default-features` build unifies the feature back on.

Fixes #740

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>

chore(gateway): include manifests in release image

* `epochInfoRange`
* `startStep`
* `pulseStep`
* `completeStep`
* `lift`

Lets researchers install (and stop) a per-node behaviour spec at
runtime on a subset of nodes, instead of fixing it at cluster
startup, so they can observe the network's reaction to misbehaviour
without losing chain state to a restart.

net-node remembers the BehaviourSpec it materialised at startup and
gains a behaviour_reset stdin path that walks the handle back to it;
net-cluster gains a per-child targeted send_config_update_to and
three /api/attack routes (GET / POST / POST stop) driven by the
existing BehaviourSelection enum, with the main-loop arm resetting
any prior set before applying a new one and clearing the active
attack across restarts.  The new AttackPanel and orange-explosion
toolbar icon let the UI install/stop attacks; attacking nodes are
tinted dark red in the topology graph (bgColor only, leaving border
flashes intact) and surfaced in the node inspector.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

  This allows to properly encapsulate those fields which MUST NOT be accessed directly inadvertently. Given that it is very easy to so (and effectively hard to keep track of), moving them in a separate module encapsulated as private field in a struct gives us the strong compiler guarantees needed. Defining Deref and DerefMut also makes it transparent to use from the parent module; yet preserves the encapsulation we need.

  Note that this made apparent an inconsistency in terms of protocol parameters and governance activity between validation and block application. This is now properly handled.

Signed-off-by: KtorZ <[email protected]>

Signed-off-by: Chris Gianelloni <[email protected]>

 shared-consensus: extract 'pure' consensus core, adopt in sim-rs and net-rs, add UI display of EB announcement & certification, fix state leak and O(N) CPU growth issues in net-node.