Cardano Updates

Extract two helpers in LeiosLateJoinState so the production node boot and
the threadnet harness set up late-join the same way and cannot drift.

setLateJoinHooks sets the three late-join ChainDbArgs fields (the
ignore-set plus the seed and register hooks). forkLateJoinWorkers forks
the three background loops (trigger worker, AcquiredEbTxs subscriber, GC
pruner) on the node registry after the ChainDB is open.

Node.hs runWith now builds the LeiosKernel late-join state and routes
through both helpers; it did not wire late-join before. Network.hs
replaces its inline ChainDbArgs field-setting and loop forking with the
same two calls.

This tackles a weird corner case in a test run, checkout the commit
before this one and run `ChainDB q-s-m.sequential` with
`--quickcheck-replay="(SMGen 15718721082101496336
1793087168948606521,99)"` to observe it.

In short, in the tests we don't copy blocks when we snapshot (which we
do on production, see TODO(geo2a) in ChainDB.StateMachine). Normally we
would be guarded by the fact that the snapshot would have a higher slot
than the immutable db tip but when the tip is exactly at an EBB this is
not the case and we reach the exception case.

With this fix, we instead discard the snapshot in this extremely rare
situation.

# Description

Please include a meaningful description of the PR and link the relevant
issues
this PR might resolve.

Also note that:

- New code should be properly tested (even if it does not add new
features).
- The fix for a regression should include a test that reproduces said
regression.

# WARNING

To update your feature branch if it's stale, please rebase it manually
on top of `main`. Don't update your feature branch by merging `main`
into it. Your pull request will not pass CI if you do.

This tackles a weird corner case in a test run, checkout the commit before this
one and run `ChainDB q-s-m.sequential` with `--quickcheck-replay="(SMGen
15718721082101496336 1793087168948606521,99)"` to observe it.

In short, in the tests we don't copy blocks when we snapshot (which we do on
production, see TODO(geo2a) in ChainDB.StateMachine). Normally we would be
guarded by the fact that the snapshot would have a higher slot than the
immutable db tip but when the tip is exactly at an EBB this is not the case and
we reach the exception case.

With this fix, we instead discard the snapshot in this extremely rare situation.

With `yarn upgrade --latest`

The bound was too tight and sometimes we could not fulfill the contract that the
Dynamo was honest. The cause for re-download is now noted and in case the dynamo
is adversarial we allow for some more re-downloads.

The bound was too tight and sometimes we could not fulfill the contract that the
Dynamo was honest. The cause for re-download is now noted and in case the dynamo
is adversarial we allow for some more re-downloads.

We can finally drop the mocked certificates by accessing the aggregated
certificates from the LeiosVoteState

The chain selection semantics should be correct now. For a CertRB we do
check the cert and only reapply, while a TxsRB gets fully validated.

Separated cert validation from ResolveLeiosBlock and exploring the
proper semantics for block validation.

This also implements the certificate verification itself (unit tested).

Refs https://github.com/input-output-hk/ouroboros-leios/issues/790.

Builds on the initial Leios voting prototype (#1963) by adding committee
selection and real signature creation/validation, replacing the
placeholder voting from #1963. This is also built on the Leios prototype
remake (still in flight as #2041).

- **Committee selection (per EB) from the stake distribution.** A
`HasLeiosVoting` decides whether (and as which `VoterId`) the local node
votes on an EB, derived from the Shelley `PoolDistr`. For now, this only
runs in the latest era and uses a basic selection scheme.
- **Real BLS signatures.** Switched from placeholder/fake signing to
actual BLS signatures, using a more recent `cardano-crypto-class` (now
available after the remake #2041)
- **Voting key material.** BLS keys are still derived, but from the cold
verification key hash (pool id) instead. This allows us to skip the key
registration, but is obviously still unsafe.
- **Tests.** `LeiosVoteState` unit tests cover the new validation API;
ThreadNet expectations remain green.

TODO

- [x] ThreadNet property tests pass (votes diffuse and are validated)
- [x] `LeiosVoteState` unit tests pass
- [x] Integrate golden `LeiosVote` test into existing machinery