Add BLS support

[palas]

DO NOT MERGE

Changelog

- description: |
    Add support BLS key generation and addition to stake pool registration certificates
  type:
    - feature
    - breaking

Context

This PR aims to address input-output-hk/ouroboros-leios#776.
It builds on top of IntersectMBO/cardano-api#1135 and a bunch of SRPs so far, which need to be eliminated as new releases for dependencies are made. Also, current implementation is based on a provisional and rough patch over cardano-ledger, which needs to be remade: https://github.com/IntersectMBO/cardano-ledger/tree/add-bls

How to trust this PR

The implementation is simple, but it may get complicated because as of this prototype we are modifying the CDDL retroactively, and that is probably a bad idea.

Checklist

• Commit sequence broadly makes sense and commits have useful messages
• New tests are added if needed and existing tests are updated. See Running tests for more details
• Self-reviewed the diff

[Copilot]

Pull request overview

Adds BLS operational key support to cardano-cli and threads the optional BLS verification key through stake pool registration certificate generation, updating ledger/API integrations and regenerating relevant golden fixtures.

Changes:

• Add node key-gen-BLS / node key-hash-BLS commands (and era-qualified variants) plus golden help outputs.
• Extend stake pool registration certificate CLI to accept optional --bls-verification-key{,-file} and include it in produced certificates (updates CBOR goldens).
• Update ledger/API integration points and dependency set (newer crypto/wrapper/ping, shift away from consensus deps; query peer snapshot decoding changes).

Reviewed changes

Copilot reviewed 57 out of 58 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
flake.nix	Updates dev-shell packages to match dependency/tooling changes.
cardano-cli/test/cardano-cli-golden/files/input/genesis.alonzo.spec.json	Regenerates/reshapes Alonzo genesis JSON used by golden tests.
cardano-cli/test/cardano-cli-golden/files/input/conway/txbody	Updates expected Conway txbody CBOR golden.
cardano-cli/test/cardano-cli-golden/files/golden/shelley/reg-certificate.json	Updates expected pool registration certificate CBOR (BLS-related shape).
cardano-cli/test/cardano-cli-golden/files/golden/shelley/reg-certificate-extended.json	Updates expected extended pool registration certificate CBOR (BLS-related shape).
cardano-cli/test/cardano-cli-golden/files/golden/help/node_key-hash-BLS.cli	Adds golden help output for node key-hash-BLS.
cardano-cli/test/cardano-cli-golden/files/golden/help/node_key-gen-BLS.cli	Adds golden help output for node key-gen-BLS.
cardano-cli/test/cardano-cli-golden/files/golden/help/node.cli	Updates node command help to include BLS subcommands.
cardano-cli/test/cardano-cli-golden/files/golden/help/latest_stake-pool_registration-certificate.cli	Adds optional BLS key flags to latest stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help/latest_node_key-hash-BLS.cli	Adds golden help output for latest node key-hash-BLS.
cardano-cli/test/cardano-cli-golden/files/golden/help/latest_node_key-gen-BLS.cli	Adds golden help output for latest node key-gen-BLS.
cardano-cli/test/cardano-cli-golden/files/golden/help/latest_node.cli	Updates latest node help to include BLS subcommands.
cardano-cli/test/cardano-cli-golden/files/golden/help/conway_stake-pool_registration-certificate.cli	Adds optional BLS key flags to Conway stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help/conway_node_key-hash-BLS.cli	Adds golden help output for conway node key-hash-BLS.
cardano-cli/test/cardano-cli-golden/files/golden/help/conway_node_key-gen-BLS.cli	Adds golden help output for conway node key-gen-BLS.
cardano-cli/test/cardano-cli-golden/files/golden/help/conway_node.cli	Updates conway node help to include BLS subcommands.
cardano-cli/test/cardano-cli-golden/files/golden/help/compatible_shelley_stake-pool_registration-certificate.cli	Adds optional BLS key flags to compatible shelley stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help/compatible_mary_stake-pool_registration-certificate.cli	Adds optional BLS key flags to compatible mary stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help/compatible_conway_stake-pool_registration-certificate.cli	Adds optional BLS key flags to compatible conway stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help/compatible_babbage_stake-pool_registration-certificate.cli	Adds optional BLS key flags to compatible babbage stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help/compatible_alonzo_stake-pool_registration-certificate.cli	Adds optional BLS key flags to compatible alonzo stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help/compatible_allegra_stake-pool_registration-certificate.cli	Adds optional BLS key flags to compatible allegra stake-pool registration help.
cardano-cli/test/cardano-cli-golden/files/golden/help.cli	Regenerates top-level CLI help golden including new BLS commands/options.
cardano-cli/test/cardano-cli-golden/files/golden/conway/transaction/assemble_out	Updates expected Conway assembled tx CBOR golden.
cardano-cli/test/cardano-cli-golden/Test/Golden/Legacy/Genesis/Create.hs	Adjusts golden test to read cost models from Alonzo extra config.
cardano-cli/test/cardano-cli-golden/Test/Golden/CreateTestnetData.hs	Updates staking pool relay accessor to new ledger naming.
cardano-cli/src/Cardano/CLI/Type/Common.hs	Updates pool-state construction to match updated ledger mkStakePoolState signature.
cardano-cli/src/Cardano/CLI/Read.hs	Updates bootstrap witness signature for new ledger TxBody level type.
cardano-cli/src/Cardano/CLI/EraIndependent/Node/Run.hs	Implements BLS key-gen and key-hash commands.
cardano-cli/src/Cardano/CLI/EraIndependent/Node/Option.hs	Wires new BLS node subcommands into CLI parsing.
cardano-cli/src/Cardano/CLI/EraIndependent/Node/Command.hs	Adds new node command constructors and argument types for BLS operations.
cardano-cli/src/Cardano/CLI/EraIndependent/Key/Run.hs	Prevents BLS keys from being treated as extended/non-extended where unsupported.
cardano-cli/src/Cardano/CLI/EraBased/Transaction/Run.hs	Adapts submit result handling and fee parameter accessors for updated APIs.
cardano-cli/src/Cardano/CLI/EraBased/StakePool/Run.hs	Threads optional BLS verification key into stake pool registration certificate creation.
cardano-cli/src/Cardano/CLI/EraBased/StakePool/Option.hs	Adds optional BLS flags to stake-pool registration certificate command parser.
cardano-cli/src/Cardano/CLI/EraBased/StakePool/Command.hs	Extends stake-pool registration command args with optional BLS key.
cardano-cli/src/Cardano/CLI/EraBased/Script/Withdrawal/Read.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/EraBased/Script/Vote/Read.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/EraBased/Script/Spend/Read.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/EraBased/Script/Proposal/Read.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/EraBased/Script/Mint/Read.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/EraBased/Script/Certificate/Read.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/EraBased/Query/Run.hs	Switches ledger peer snapshot decoding path and updates account credential accessors.
cardano-cli/src/Cardano/CLI/EraBased/Governance/Actions/Option.hs	Updates protocol parameter conversions for new ledger compact types and numeric types.
cardano-cli/src/Cardano/CLI/EraBased/Genesis/Run.hs	Updates genesis stake pool parameter types/fields for new ledger structures incl. BLS field.
cardano-cli/src/Cardano/CLI/EraBased/Genesis/CreateTestnetData/Run.hs	Updates testnet genesis pool parameter types/fields incl. BLS field.
cardano-cli/src/Cardano/CLI/EraBased/Common/Option.hs	Adds common CLI parsers for BLS verification key input (value/file).
cardano-cli/src/Cardano/CLI/Compatible/Transaction/ScriptWitness.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/Compatible/Transaction/Run.hs	Resolves name conflicts by hiding AnyPlutusScript.
cardano-cli/src/Cardano/CLI/Compatible/Transaction/Option.hs	Removes Dijkstra-specific datum parsing branch (align with updated era set).
cardano-cli/src/Cardano/CLI/Compatible/StakePool/Run.hs	Threads optional BLS verification key into compatible stake pool registration certificate creation.
cardano-cli/src/Cardano/CLI/Compatible/StakePool/Option.hs	Adds optional BLS flags to compatible stake-pool registration certificate command parser.
cardano-cli/src/Cardano/CLI/Compatible/StakePool/Command.hs	Extends compatible stake-pool registration command args with optional BLS key.
cardano-cli/src/Cardano/CLI/Compatible/Json/Friendly.hs	Updates ledger Tx types and compact coin handling in friendly JSON rendering.
cardano-cli/src/Cardano/CLI/Byron/Tx.hs	Adapts submit result handling to updated submit API result constructors.
cardano-cli/cardano-cli.cabal	Updates dependencies to newer crypto/ping and adjusts ouroboros dependencies.
cabal.project	Updates index-state, adds SRP stanzas and an allow-newer exception for random bounds.

Comments suppressed due to low confidence (1)

cardano-cli/src/Cardano/CLI/EraIndependent/Node/Run.hs:1

• runNodeKeyGenBLSCmd is implemented in this module and wired into runNodeCmds, but it is not exported while the analogous KES/VRF key-gen runners are. For consistency and ease of reuse (e.g., from tests or other runners), export runNodeKeyGenBLSCmd alongside the other key-gen functions.

{-# LANGUAGE DataKinds #-}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Bech32 branch writes the signing key with writeTextFile, while the text-envelope branch uses writeLazyByteStringFileWithOwnerPermissions for the signing key. If writeTextFile does not restrict permissions, this can create world-readable secret key files. Use an owner-permissions writer for the Bech32 signing key as well (and keep the verification key as-is).

Suggested change

	. writeTextFile skeyFile
	$ serialiseToBech32 skey
	fromEitherIOCli @(FileError ())
	. writeTextFile vkeyFile
	$ serialiseToBech32 vkey
	)
	. writeLazyByteStringFileWithOwnerPermissions skeyFile
	$ Data.Text.Lazy.Encoding.encodeUtf8
	(Data.Text.Lazy.fromStrict (serialiseToBech32 skey))
	fromEitherIOCli @(FileError ())
	. writeTextFile vkeyFile
	$ serialiseToBech32 vkey

[Copilot]

Using fromJust . toCompact can crash at runtime if toCompact returns Nothing (e.g., out-of-range values). Prefer handling the failure explicitly (e.g., reject the CLI input with a parser error / domain error) instead of partial functions. This is especially important for protocol parameter updates where users may provide arbitrary large numbers.

[Copilot]

Using fromJust . toCompact can crash at runtime if toCompact returns Nothing (e.g., out-of-range values). Prefer handling the failure explicitly (e.g., reject the CLI input with a parser error / domain error) instead of partial functions. This is especially important for protocol parameter updates where users may provide arbitrary large numbers.

[Copilot]

The code imports Ouroboros.Network.PeerSelection.LedgerPeers.Type (see Cardano/CLI/EraBased/Query/Run.hs), but the cabal dependency was changed to ouroboros-network:api. Please verify that this module is actually exposed by the api sublibrary; if not, the build will fail and the dependency should be on the main ouroboros-network library (or whichever component exposes PeerSelection.LedgerPeers.*).

Suggested change

	ouroboros-network:api,
	ouroboros-network,