Cardano Updates

Signed-off-by: Chris Gianelloni <[email protected]>

chore: point hermes submodule at master branch + bump

test(packages): add shared package behavior suites

fix: correct security contact email

ci(cardano): add transaction budget gates

The consensus Leios chunks extended 'NTN.Codecs' with two extra type
parameters ('bLN' / 'bLF', for LeiosNotify and LeiosFetch), and the
network-side BearerBytes/Reception work changed 'runPeerWithLimits' to
return 'Maybe (Reception bytes)' (instead of 'Maybe bytes') and made
'byteLimitsKeepAlive' parameter-less.

Update 'tx-generator' to compile against the rebased stack:

  - Pull in 'ouroboros-network:framework-tracing' as a sublib dependency.
  - Extend the local 'myCodecs' type to 9 'ByteString' parameters (was 7).
  - Update 'kaClient' return type to 'IO ((), Maybe (Mux.Reception ByteString))'.
  - Drop the size-function argument from 'byteLimitsKeepAlive'.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Introduces 'Cardano.Node.Configuration.Leios.LeiosDbConfig' with two
constructors:

  - LeiosDbInMemory          (matches 'LeiosDbConnection's in-memory backend)
  - LeiosDbSQLite !FilePath  (SQLite backend, file relative to node CWD)

Wired through 'PartialNodeConfiguration' / 'NodeConfiguration' as
'ncLeiosDbConfig' with JSON parsing ('"LeiosDbConfig":{"Backend":...,
"Filepath":...}') and a default of 'LeiosDbSQLite "leios.db"'.

At node startup ('Cardano.Node.Run.handleSimpleNode'), the configured
backend is materialised into a 'LeiosDbHandle' (via 'newLeiosDBInMemory'
/ 'newLeiosDBSQLite') and passed into 'RunNodeArgs' through a new
'rnLeiosDb :: Maybe (LeiosDbHandle m)' field, which consensus's
'runWith' threads into the Leios kernel's shared connection.
'Nothing' falls back to the in-memory default.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

The consensus Leios chunks added four fields to the consensus tracer
records that cardano-node assembles in 'Cardano.Tracing.Tracers' (old
style) and 'Cardano.Node.Tracing.Tracers' (new style):

  - Consensus.Tracers'      gained 'leiosKernelTracer' and 'leiosPeerTracer'
  - NodeToNode.Tracers'     gained 'tLeiosNotifyTracer' and 'tLeiosFetchTracer'

This commit populates those fields in both 'mkTracers' code paths so
the record-construction sites are total. All four are wired to
'nullTracer' for now; the corresponding 'Transformable' / 'MetaTrace'
instances and EKG metrics are left as TODO. The new-style tracing
system will accordingly emit a 'TracerConsistencyWarnings' for the
four Leios namespaces declared in the config.yaml — that surfaces the
gap explicitly rather than silently dropping the configuration.

Adds the corresponding selectors to 'TraceSelection' / 'PartialTraceSelection'
and their JSON parsing:

  - traceLeiosKernel          / Consensus.LeiosKernel
  - traceLeiosPeer            / Consensus.LeiosPeer
  - traceLeiosNotifyProtocol  / LeiosNotify.Remote
  - traceLeiosFetchProtocol   / LeiosFetch.Remote

Also drops the duplicate 'LogFormatting (Simple/Stateful.TraceSendRecv)'
and 'MetaTrace (Simple/Stateful.TraceSendRecv)' instances that the
upstream leios-prototype branch carried in
'Cardano/Node/Tracing/Tracers/NodeToClient.hs' — they are now provided
by 'ouroboros-network:framework-tracing' and would collide if redefined
here.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Updates cabal.project to point at the three rebased Leios forks that
ship with this cardano-node 11.0.1 build:

  - ouroboros-consensus  @  IntersectMBO/ouroboros-consensus
    branch leios-prototype-remake-3.0.1.0
    Single squashed Leios commit on top of release-3.0.1.0
    (mempool + diffusion + chain inclusion + voting + demo).
  - ouroboros-network    @  IntersectMBO/ouroboros-network
    branch leios-prototype-remake-1.1.0.0
    Three Leios commits on top of ouroboros-network-1.1.0.0
    (BearerBytes, Reception arrival-time, drop unused imports)
    + a trace-dispatcher version bump for compat with cardano-node 11.0.1.
  - cardano-ledger       @  IntersectMBO/cardano-ledger
    branch leios-prototype-remake
    Adds 'Maybe LeiosCert' on the Dijkstra block body
    (Dijkstra-only, mirrors 'Maybe PerasCert').

Also drops the 'dmq-node' extra-package (its latest CHaP release
requires ouroboros-network:framework-tracing, a sublib name that
the remade network fork doesn't carry).

Vendors a one-line 'ekg-forward' source patch (left untouched here)
to match the network's pre-bump 'ConnectToArgs' shape.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

The serializer currently hashes Plutus cost models from a hardcoded
default (DEFAULT_V[123]_COST_MODEL_LIST), regardless of the protocol
parameters passed in. This produces an incorrect scriptIntegrityHash
on any network whose cost model differs from those defaults.

Concrete impact: mainnet still uses the default (297 V3 entries), but
preprod and preview have expanded V3 to 350 entries ahead of the
upcoming PV11 hard fork. Today any Plutus V3 mint submitted to
preprod/preview fails with PPViewHashesDontMatch. Once PV11 is enacted,
mainnet will be affected too.

This change makes the CardanoSDKSerializer prefer cost models supplied
through Protocol.costModels (typically derived from the provider's
fetchProtocolParameters response) and fall back to the hardcoded
defaults when not supplied. Backwards compatible — existing callers
that pass a Protocol without costModels keep current behavior.

Changes:
- Add optional CostModels type and Protocol.costModels field
- castProtocol passes the costModels object through
- CardanoSDKSerializerCore reads cost models from protocolParams when
  available, falls back to DEFAULT_V[123]_COST_MODEL_LIST otherwise
- Tests for castProtocol covering presence/absence of costModels