Cardano Updates

The PeerCommand dispatch loop was duplicated nearly verbatim between
peer_task.rs and duplex_task.rs. Extract into command_dispatch.rs so
adding a new command variant requires a single edit instead of two.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

BlockBody::header() extracts the WrappedHeader directly from block body
CBOR, reusing shared try_extract_header() logic with point(). Coordinator
now falls back to body.header() when pending_headers misses, and skips
chain store insertion if neither produces a header. Post-remediation
review: added Resolution subsections for all three residual observations,
stripped trailing whitespace.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

- Test count 258/280 → 291 in README, CLAUDE.md, implementation-plan
- README scheduler label: strict priority → PriorityWfq (actual default)
- CLAUDE.md: document SubmitTransaction broadcast in coordinator
- Risk register: consistent "Fixed" status (#8 was "Resolved", #9 "Mitigated")

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

TxSubmission protocol was implemented but only wired on the server side.
Client connections never negotiated it, so outbound peers couldn't push
transactions. Register in client_protocol_configs, add spawn_txsubmission,
wire into peer_task/duplex_task/coordinator with broadcast semantics.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

CIP-0164 specifies that a server should disconnect if the client
requests an EB or its transactions that the server does not have.
Replace unwrap_or_default() with explicit Option matching — None
now breaks the server loop, triggering disconnect.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Add OS-level TCP keepalive (idle=60s, interval=15s) to complement
protocol-level KeepAlive. Fix unused import/variable warnings in tests.
Update risk register: #7 commit hash, #8 resolved.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Replace hardcoded StrictPriority with PriorityWfq as the default mux
scheduler. Protocols are assigned to Priority class (absolute priority,
round-robin) or Default class (message-based weighted fair queuing).
Praos protocols get Priority; Leios and PeerSharing get Default(1).
This prevents starvation of lower-priority protocols while maintaining
absolute Praos priority.

- Split scheduler.rs into scheduler/ module: PriorityWfq (new default),
  StrictPriority (hardwired tiers), RoundRobin (testing)
- Replace ProtocolConfig.priority: u8 with traffic_class: TrafficClass
- Add AnyScheduler dispatch enum and SchedulerType for runtime selection
- CLI --scheduler (round-robin|strict-priority|priority-wfq) and
  --protocol-priority <id>,<P|weight> shared across serve/follow/multi-follow
- Thread scheduler_type and traffic_class_overrides through CoordinatorConfig
  and per-peer task configs
- Mark risk register #7 as fixed

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

The mux egress loop previously used yield_now() in a polling loop to
wait for protocol data, causing CPU churn. Replace with a shared
tokio::sync::Notify per Mux instance: ChannelSend signals notify_one()
after queuing data, and the egress loop blocks on notified() instead
of spinning. A 100ms timeout handles closed-channel cleanup.

Risk register item #6 marked fixed.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Item #4 commit hash updated to 3683da78e.
Item #5 (fail-open Leios dedup) accepted: fail-open is the correct
safety valve; real mitigation is per-peer rate limiting in future work.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Replace weak peer selection (any peer with block_no > 0) with per-peer
chain fragment tracking. Each peer's fragment records the exact set of
points announced via ChainSync, enabling the coordinator to verify a
peer provably has a requested block before routing a fetch to it.

- ChainFragment module (multi_peer/chain_fragment.rs) with Vec+HashSet,
  rollback truncation, and per-point removal on successful fetch
- WrappedHeader::point() derives header points via shared header_hash()
  helper (Blake2b-256), fixing pending_headers keying bug that used
  tip.point instead of the announced header's actual point
- PeerEvent::IntersectionFound surfaces intersection from find_intersection
- PeerEvent::BlockFetchFailed / NetworkEvent::BlockFetchFailed surface
  NoBlocks responses with full range (from, to) to the application
- Risk register item #4 marked fixed
- Future work: BlockFetch pipelining, multi-block range fetching

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Separate concerns that were mixed in the peer/ module:
- multi_peer/ — coordinator, NetworkEvent/NetworkCommand, app interface
- store/ — ChainStore, LeiosStore (shared cross-peer state)
- peer/ — per-connection tasks, server handlers, PeerEvent/PeerCommand

Layering: multi_peer → peer → protocols; both multi_peer and peer → store.
No circular dependencies.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Item #4 (weak peer selection) deferred to coordinator refactor.
Item #3 commit hash updated to 8ddb06048.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Remove point from PeerEvent::BlockFetched — the block body contains
the header, so point derivation belongs at the coordinator level.

Add BlockBody::point() which extracts the header from the block,
parses it for slot via HeaderInfo, and computes Blake2b-256 of the
header CBOR for the block hash. Coordinator now derives correct
points for each streamed block, fixing multi-block range fetches.

- Add blake2b_simd dependency (pure Rust)
- Add BlockBody::point() with tests
- Remove point field from PeerEvent::BlockFetched
- Coordinator derives point via body.point()
- Update risk register items #2 (commit hash) and #3 (Fixed)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

- Set peer_sharing=1 in all paths (PeerSharing protocol is always registered)
- Set initiator_only_diffusion_mode=true for InitiatorOnly connections,
  false for Duplex (was incorrectly false everywhere)
- negotiate() now takes server VersionData and correctly ORs diffusion
  modes from both sides per spec (was only using client's value)
- Add negotiate_diffusion_mode_or test
- Update risk register items #1 (commit hash) and #2 (Fixed)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Protocol::size_limit() was defined on all 8 protocols but never checked.
Now enforced at the demuxer (one hop from TCP socket) via shared
IngressLimit atomic that Runner updates on every state transition.
This lets TCP backpressure naturally constrain senders of oversized data.

- Add IngressLimit shared type (Arc<AtomicUsize>) to channel.rs
- Demuxer reads dynamic limit on every segment dispatch
- Runner sets ingress limit in new(), send(), and recv()
- Remove redundant codec max_buffer (was hardcoded 2.5MB, blocked
  valid 16MB LeiosFetch messages)
- Make Protocol::size_limit() a required trait method (no default);
  zero return = fail closed (reject all data)
- Update risk register item #1 to Fixed

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Prompts:

1. Take a deep dive into this Cardano networking library and critique it for
structure, adherence to the specs and security in the face of adversarial
peers.  It's in branch prc/net-rs
{repo link}

2. Turn this into a risk register in markdown with sections for each item
that needs attention, with a title, description, more details if you have it,
the current status, which will be open, and the severity of the risk.

Leios protocol messages now encode slot+hash as a nested [slot, hash]
CBOR sub-array via the existing Point type, matching the Praos Point
encoding convention and the Haskell prototype's LeiosPoint format.

Previously slot and hash were flat sibling fields in the CBOR encoding
(e.g. [2, slot, hash]); now they use Point (e.g. [2, [slot, hash]]).
This was identified during a desk check against the ouroboros-consensus
leios-prototype branch (commit 881e2c6).

Changes:
- LeiosNotify: MsgLeiosBlockOffer/MsgLeiosBlockTxsOffer use Point
- LeiosFetch: MsgLeiosBlockRequest/MsgLeiosBlockTxsRequest use Point
- All peer types (PeerEvent, PeerCommand, NetworkEvent, NetworkCommand)
  use Point instead of separate slot+hash fields
- LeiosStore, server handlers, peer tasks, coordinator updated
- 258 tests pass, clippy clean

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>