Add better processing behavior and tests (#134)

* feat(block-status): track header → BLOCK_PROCESSED → BUMP-built per block

Adds a `block_processing` table populated by three writers — chaintracks
header subscription, the merkle-service callback handler, and the
bump-builder consumer — so we can answer "which blocks reached which
milestone?" without scanning transactions or compound BUMPs.

- Models: `BlockProcessingStatus` with active/orphaned status and
  pointer-time milestones so JSON cleanly distinguishes "not yet" from zero.
- Store: 6 new methods (Upsert/MarkProcessed/MarkBUMPBuilt/MarkOrphaned/
  Get/List) implemented across Postgres (column-level ON CONFLICT),
  Pebble (inverted-uint64 height index for descending scans), and
  Aerospike (per-bin Operate to avoid clobbering concurrent writers).
  Drops dead `setProcessedBlocks` helpers in Aerospike along the way.
- Writers: chaintracks tip + reorg subscription in api-server,
  `MarkBlockProcessed` in `handleBlockProcessed` before Kafka publish
  (log-and-continue on store error), `MarkBlockBUMPBuilt` in bump-builder
  after `InsertBUMP`.
- API: `GET /api/v1/blocks/processing-status` (paginated, descending
  height) and `GET /api/v1/blocks/processing-status/:blockHash`.
- Tests: 8 Pebble + 7 Postgres backend tests + 7 api-server handler
  tests + 2 bump-builder integration tests; existing test mocks extended
  to satisfy the larger interface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(app): hoist Bootstrap and BuildServices out of cmd/arcade

`buildServices` and the dependency wiring around it lived as private
helpers inside `cmd/arcade/main.go`, which meant test harnesses that
want to boot arcade in-process either had to launch the binary or
duplicate every kafka/store/teranode/merkle-client setup line.

Moves both into a new top-level `app` package with two entry points:
`app.Bootstrap(ctx, cfg, logger)` returns a `*Deps` plus a cleanup
func (closing publisher → teranode client → store → producer in
reverse order), and `app.BuildServices(deps)` returns the slice of
services to run for the configured mode. `cmd/arcade/main.go`
becomes a thin supervisor that calls the two and handles signals.

No behavior change. The full default test suite passes; this lands
ahead of the e2e harness which will reuse the same boot path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(e2e): add container layer for arcade ↔ merkle-service smoke tests

Lays the foundation for a reusable end-to-end test harness that boots
real backing services and runs against `ghcr.io/bsv-blockchain/
merkle-service:latest` instead of mocks.

- Adds testcontainers-go (postgres + redpanda modules) to go.mod.
- New `tests/e2e/harness` package, gated behind the `e2e` build tag
  so the default `go test ./...` run is unaffected.
- `harness.New(t, ...Option)` brings up Postgres, Redpanda, and the
  merkle-service container on a shared user-defined bridge network.
  merkle-service is wired with `STORE_BACKEND=sql` (Postgres),
  `KAFKA_BROKERS` (Redpanda alias), `BLOB_STORE_URL=memory:`, and
  the SSRF/private-IP guards relaxed so callbacks back to
  `host.docker.internal` succeed. Wait strategy accepts both 200
  (healthy) and 503 (degraded — peer count zero before libp2p host
  attaches) on `/health`.
- Container teardown handles partial-start failures and runs via
  `t.Cleanup`. Helpers expose Postgres DSN / Kafka broker addresses
  and a `WaitForMerkleLogLine` poll that reads container stdout —
  used by later steps to assert deterministic events without poking
  at internal state.
- `TestContainers_BootAndTearDown` skips when no container runtime
  is reachable (so devs without docker/podman aren't blocked) and
  otherwise takes ~16s warm to boot the stack and verify /health.

Verified against rootless podman with
`DOCKER_HOST=unix:///run/user/$(id -u)/podman/podman.sock`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(e2e): in-process libp2p host as bootstrap peer for merkle-service

The smoke test needs to drive synthetic SubtreeMessage / BlockMessage
announcements that merkle-service consumes via libp2p. Adds a
`LibP2PHost` that wraps go-p2p-message-bus and:

- Listens on a random TCP port and advertises
  `/dns4/host.docker.internal/tcp/<port>` so the merkle-service
  container can dial back via the host gateway.
- Subscribes to the regtest block + subtree topics so gossipsub
  forms mesh links with merkle-service (publish-only peers don't get
  picked up by the mesh). A 250ms grace after Subscribe avoids a
  msgbus close-of-closed race when tests tear down quickly.
- Exposes `BootstrapMultiaddr()` for feeding to merkle-service via
  `P2P_BOOTSTRAP_PEERS`, and `PublishBlock` / `PublishSubtree` that
  JSON-encode `teranode.BlockMessage` / `teranode.SubtreeMessage` and
  send on the right pubsub topic.

`TestLibP2PHost_MerkleServicePeersWithHost` brings up the harness
host plus the full container stack and asserts merkle-service logs
`[CONNECTED] Topic peer <harness-peer-id>` within 90s. Using the
container log line as the peering signal — rather than
`msgbus.GetPeers()` — because msgbus's peerTracker only counts peers
we've received messages from, which stays empty when merkle-service
is silent.

Round-trip peering verified end-to-end against rootless podman in
~5s warm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(e2e): in-process datahub fake + synthetic block/subtree builder

The smoke test needs to feed arcade and merkle-service the same block +
subtree binaries that they would normally pull from a teranode datahub.
Adds two pieces:

- `harness.Datahub` is an httptest.Server bound on 0.0.0.0:auto-port
  exposing GET /block/<hash> and GET /subtree/<hash>. Tests Stage*
  payloads keyed by hash; the merkle-service container reaches the
  server via the host.docker.internal URL.
- `txbuilder.go` mints synthetic transactions (using LockTime to vary
  txids), packs them into the concatenated-32-byte-hash subtree binary
  merkle-service expects, and constructs full model.Block.Bytes()
  payloads via teranode's `model` package. Bitcoin merkle-tree helpers
  (SubtreeRoot, MerkleRootFromCoinbaseAndSubtree) compose a header-
  valid layout for callers that need ValidateCompoundRoot to pass
  downstream.

`TestDatahub_StageAndServe` round-trips a synthetic block through
arcade's `bump.FetchBlockDataForBUMP`, which exercises the same
parseBlockBinary path the bump-builder runs. This verifies our format
is wire-compatible with both arcade (unchanged) and merkle-service
(model.NewBlockFromBytes uses identical byte layout).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(e2e): in-process arcade runtime + poll helpers

The harness now boots arcade via the same `app.Bootstrap` →
`app.BuildServices` path the production binary uses, with config
overridden in-memory:

- regtest network (chaintracks auto-disabled)
- pebble store on a t.TempDir()
- in-process memory kafka broker
- merkle_service.url = merkle-service container's host-mapped URL
- callback_url = host.docker.internal so the container can reach back
- datahub_urls seeded with the harness datahub fake
- p2p bootstrap_peers = harness libp2p multiaddr (datahub_discovery off)
- callback.allow_private_ips = true (RFC1918 loopback by definition)

`StartArcade(t, opts)` returns an ArcadeRuntime exposing the bound
port, host-side base URL, and merkle-service-reachable host URL. All
services start in goroutines bound to the test context; t.Cleanup
cancels and waits with a 15s bound.

`poll.go` adds the helpers later steps lean on:
- BroadcastTx: POST /tx with raw bytes; returns server-side txid.
- GetTxStatus / WaitForMined: poll /tx/:txid until every supplied
  txid reaches MINED with a non-empty merklePath, or fail with the
  first stuck txid's last-observed status.

`TestArcadeRuntime_BootsAndServesHealth` brings up the full stack —
containers + libp2p + datahub + arcade — and asserts /health returns
200 with the harness datahub URL listed as healthy. Verified against
rootless podman in ~5s warm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(e2e): smoke test verifies tx → arcade → merkle-service /watch

The first cross-service smoke scenario. It boots the full harness
(Postgres + Redpanda + merkle-service container, plus in-process
libp2p host, datahub fake, and arcade), submits a single transaction
to arcade via POST /tx, and asserts the txid lands in
merkle-service's registration store via GET /api/lookup/<txid>.

That walks every piece of wiring this PR adds:

- arcade's tx-validator parses + structurally validates the tx
- propagation calls merkleClient.Register over HTTP
- merkle-service inside its container reaches Postgres and persists
  the (txid, callbackUrl, callbackToken) entry

Adds harness.BuildValidatableTxs which produces the minimum-valid
transactions arcade's structural validator accepts (1 input + 1
output + non-data scripts + LockTime-driven txid uniqueness).
TxBuilder unit tests confirm the validator path on these synthetic
txs without any container involvement.

Round-trips cleanly against rootless podman in ~5s warm. Full MINED
status (which requires merkle-tree-valid block construction so
arcade's ValidateCompoundRoot accepts the compound BUMP) is the
next step — tracked as a gap in tests/e2e/MERKLE_SERVICE_GAPS.md
in a follow-up commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(e2e): wire smoke suite as required PR gate, document harness

Adds .github/workflows/e2e-smoke.yml — pre-pulls the merkle-service
image so registry latency stays out of the test's wait budgets,
disables Ryuk (flaky on rootless container runtimes), and runs the
full e2e suite under the e2e build tag with a 20-min hard timeout.
Triggers on every PR and push to main; configured to be the required
gate via repo branch-protection settings.

tests/e2e/README.md documents the local-run recipe for both Docker
and rootless podman (DOCKER_HOST socket override), the file layout,
and how to add a new scenario.

tests/e2e/MERKLE_SERVICE_GAPS.md captures six friction points the
harness work surfaced — backend-import drift, mandatory external
Kafka, private-IP guard defaults, health-endpoint signal aliasing,
no deterministic block-replay, and missing private-network docs —
each with a suggested fix and a note about how the harness works
around it today. Worth filing upstream against /git/merkle-service.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix linting

* Lint and test fixes

* docs(e2e): document rootless podman + pasta networking limitation

The harness now reaches the host from inside containers via the
docker bridge gateway IP (auto-discovered) with host.docker.internal
as a fallback. README updates to reflect the new flow:

- Document the gateway-IP-first announce strategy and the
  host.docker.internal fallback.
- Call out the rootless-podman + pasta limitation: when pasta runs
  with --no-map-gw (the security-conscious default on recent
  Fedora/Ubuntu), the host is not reachable from inside containers
  via either the gateway IP or host.docker.internal. Tests that
  require merkle-service to dial back into the harness will time
  out under this configuration. CI uses Docker so the required PR
  gate is unaffected.
- Add a one-liner reachability check developers can run before
  trying the libp2p-peering tests locally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Run go mod tidy

* Potential fix for pull request finding 'CodeQL / Incorrect conversion between integer types'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: 3 people

.github/workflows/build.yml

@@ -58,8 +58,7 @@ jobs:
     name: Verify GoFortress gates passed
     runs-on: ubuntu-latest
     if: >-
-      github.event_name != 'workflow_run' ||
-      (github.event.workflow_run.conclusion == 'success' &&
+      github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' &&
        github.event.workflow_run.event == 'push')
     steps:
       - name: Confirm upstream gates

.github/workflows/e2e-smoke.yml

@@ -0,0 +1,55 @@
+name: e2e-smoke
+
+# ------------------------------------------------------------------------------------
+#  arcade ↔ merkle-service end-to-end smoke
+# ------------------------------------------------------------------------------------
+# Boots Postgres, Redpanda, and ghcr.io/bsv-blockchain/merkle-service:latest via
+# testcontainers-go alongside an in-process arcade instance, then drives a
+# representative tx-flow scenario through both services.
+#
+# Required PR gate: every PR must show a green run before merging. The job
+# pre-pulls the merkle-service image so cold-start latency doesn't surface as
+# flaky timeouts on the wait strategies in tests/e2e/harness.
+# ------------------------------------------------------------------------------------
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: e2e-smoke-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  smoke:
+    name: smoke
+    runs-on: ubuntu-24.04
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      # Pre-pulling pins image-fetch time outside the test's wait strategies so
+      # the harness's own timeouts only have to cover container startup, not
+      # registry pulls. ghcr.io is unauthenticated for public images.
+      - name: Pre-pull merkle-service image
+        run: docker pull ghcr.io/bsv-blockchain/merkle-service:latest
+
+      - name: Run e2e smoke tests
+        env:
+          # testcontainers-go honors DOCKER_HOST when set; on the GitHub
+          # ubuntu runner the docker socket lives at the default path so we
+          # leave it unset.
+          TESTCONTAINERS_RYUK_DISABLED: "true"
+        run: go test -tags=e2e -timeout=20m -v ./tests/e2e/...

app/app.go

@@ -0,0 +1,209 @@
+// Package app builds and wires the shared dependencies arcade's services
+// need (kafka broker + producer, store, teranode client, merkle-service
+// client, events publisher, validator) and turns them into a slice of
+// runnable services. cmd/arcade/main.go is a thin wrapper that loads
+// config, calls Bootstrap, then BuildServices, and supervises the lifecycle.
+//
+// Splitting this out of cmd/arcade lets the e2e test harness reuse the same
+// boot path without invoking the binary or duplicating wiring.
+package app
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"go.uber.org/zap"
+
+	"github.com/bsv-blockchain/arcade/config"
+	"github.com/bsv-blockchain/arcade/events"
+	"github.com/bsv-blockchain/arcade/kafka"
+	"github.com/bsv-blockchain/arcade/merkleservice"
+	"github.com/bsv-blockchain/arcade/services"
+	"github.com/bsv-blockchain/arcade/services/api_server"
+	"github.com/bsv-blockchain/arcade/services/bump_builder"
+	"github.com/bsv-blockchain/arcade/services/p2p_client"
+	"github.com/bsv-blockchain/arcade/services/propagation"
+	"github.com/bsv-blockchain/arcade/services/tx_validator"
+	"github.com/bsv-blockchain/arcade/services/webhook"
+	"github.com/bsv-blockchain/arcade/store"
+	storefactory "github.com/bsv-blockchain/arcade/store/factory"
+	"github.com/bsv-blockchain/arcade/teranode"
+	"github.com/bsv-blockchain/arcade/validator"
+)
+
+// Deps is the set of process-wide dependencies arcade's services share.
+// Bootstrap returns one of these fully wired; BuildServices consumes it.
+type Deps struct {
+	Cfg            *config.Config
+	Logger         *zap.Logger
+	Broker         kafka.Broker
+	Producer       *kafka.Producer
+	Publisher      events.Publisher
+	Store          store.Store
+	Leaser         store.Leaser
+	TxTracker      *store.TxTracker
+	TeranodeClient *teranode.Client
+	MerkleClient   *merkleservice.Client // nil when MerkleService.URL is unset
+	Validator      *validator.Validator
+}
+
+// Bootstrap creates every shared dependency the services rely on, in the
+// order they need to be created. The returned cleanup func closes them in
+// reverse order. teranodeClient.Start is wired to ctx, so its background
+// probes terminate when ctx is canceled.
+func Bootstrap(ctx context.Context, cfg *config.Config, logger *zap.Logger) (*Deps, func(), error) {
+	logger.Info(
+		"starting arcade",
+		zap.String("mode", cfg.Mode),
+		zap.String("kafka_backend", cfg.Kafka.Backend),
+		zap.String("store_backend", cfg.Store.Backend),
+	)
+
+	broker, err := kafka.NewBroker(cfg.Kafka)
+	if err != nil {
+		return nil, nil, fmt.Errorf("creating kafka broker: %w", err)
+	}
+	producer := kafka.NewProducer(broker)
+
+	if cfg.Kafka.MinPartitions > 1 {
+		if pErr := kafka.CheckPartitions(broker, []string{kafka.TopicTransaction, kafka.TopicPropagation}, cfg.Kafka.MinPartitions, logger); pErr != nil {
+			_ = producer.Close()
+			return nil, nil, fmt.Errorf("kafka partition check: %w", pErr)
+		}
+	}
+
+	st, leaser, err := storefactory.New(cfg) //nolint:contextcheck // factory signature predates ctx; the Postgres backend honors ctx via its own internal pool dial, others (Pebble, Aerospike) connect synchronously
+	if err != nil {
+		_ = producer.Close()
+		return nil, nil, fmt.Errorf("creating store: %w", err)
+	}
+	if err := st.EnsureIndexes(); err != nil {
+		_ = st.Close()
+		_ = producer.Close()
+		return nil, nil, fmt.Errorf("ensuring store indexes: %w", err)
+	}
+
+	txTracker := store.NewTxTracker()
+
+	teranodeClient := teranode.NewClient(cfg.DatahubURLs, cfg.Teranode.AuthToken, teranode.HealthConfig{
+		FailureThreshold:    cfg.Propagation.EndpointHealth.FailureThreshold,
+		ProbeInterval:       time.Duration(cfg.Propagation.EndpointHealth.ProbeIntervalMs) * time.Millisecond,
+		ProbeTimeout:        time.Duration(cfg.Propagation.EndpointHealth.ProbeTimeoutMs) * time.Millisecond,
+		MinHealthyEndpoints: cfg.Propagation.EndpointHealth.MinHealthyEndpoints,
+		RefreshInterval:     time.Duration(cfg.Propagation.EndpointHealth.RefreshIntervalMs) * time.Millisecond,
+		Source:              endpointSource{st: st, network: cfg.Network},
+		Logger:              logger,
+	})
+
+	// Seed the registry with statically configured URLs so a freshly started
+	// pod (especially mode=p2p-client) always sees them via the same discovery
+	// path. The upsert is idempotent and refreshes LastSeen on every restart,
+	// so this also works as a heartbeat for the operator-defined seed list.
+	if len(cfg.DatahubURLs) > 0 {
+		seedCtx, seedCancel := context.WithTimeout(ctx, 5*time.Second)
+		for _, url := range cfg.DatahubURLs {
+			if err := st.UpsertDatahubEndpoint(seedCtx, store.DatahubEndpoint{
+				URL:      url,
+				Network:  cfg.Network,
+				Source:   store.DatahubEndpointSourceConfigured,
+				LastSeen: time.Now(),
+			}); err != nil {
+				logger.Warn(
+					"failed to seed configured datahub url",
+					zap.String("url", url),
+					zap.Error(err),
+				)
+			}
+		}
+		seedCancel()
+	}
+
+	var merkleClient *merkleservice.Client
+	if cfg.MerkleService.URL != "" {
+		merkleClient = merkleservice.NewClient(cfg.MerkleService.URL, cfg.MerkleService.AuthToken, 0)
+		merkleClient.SetLogger(logger.Named("merkle-client"))
+	}
+
+	txVal := validator.NewValidator(nil, nil)
+
+	publisher := events.NewKafkaPublisher(producer, logger, cfg.Events.SubscriberBuffer)
+
+	teranodeClient.Start(ctx)
+
+	deps := &Deps{
+		Cfg:            cfg,
+		Logger:         logger,
+		Broker:         broker,
+		Producer:       producer,
+		Publisher:      publisher,
+		Store:          st,
+		Leaser:         leaser,
+		TxTracker:      txTracker,
+		TeranodeClient: teranodeClient,
+		MerkleClient:   merkleClient,
+		Validator:      txVal,
+	}
+
+	cleanup := func() {
+		_ = publisher.Close()
+		teranodeClient.Close()
+		_ = st.Close()
+		_ = producer.Close()
+	}
+	return deps, cleanup, nil
+}
+
+// BuildServices returns the services that should run for the configured mode.
+// Each service's lifetime is tied to the ctx passed to its Start method by
+// the caller — the supervisor in cmd/arcade or the test harness.
+func BuildServices(d *Deps) []services.Service {
+	cfg := d.Cfg
+	var svcs []services.Service
+
+	shouldRun := func(name string) bool {
+		return cfg.Mode == "all" || cfg.Mode == name
+	}
+
+	if shouldRun("api-server") {
+		svcs = append(svcs, api_server.New(cfg, d.Logger, d.Producer, d.Publisher, d.Store, d.TxTracker, d.TeranodeClient))
+	}
+	if shouldRun("bump-builder") {
+		svcs = append(svcs, bump_builder.New(cfg, d.Logger, d.Producer, d.Publisher, d.Store, d.TeranodeClient))
+	}
+	if shouldRun("tx-validator") {
+		svcs = append(svcs, tx_validator.New(cfg, d.Logger, d.Producer, d.Publisher, d.Store, d.TxTracker, d.Validator))
+	}
+	if shouldRun("propagation") {
+		svcs = append(svcs, propagation.New(cfg, d.Logger, d.Producer, d.Publisher, d.Store, d.Leaser, d.TeranodeClient, d.MerkleClient))
+	}
+	if shouldRun("api-server") || shouldRun("webhook") {
+		svcs = append(svcs, webhook.New(cfg.Webhook, cfg.Callback, d.Logger, d.Publisher, d.Store))
+	}
+	if shouldRun("propagation") || shouldRun("p2p-client") {
+		svcs = append(svcs, p2p_client.New(cfg, d.Logger, d.Producer, d.TeranodeClient, d.Store))
+	}
+
+	return svcs
+}
+
+// endpointSource adapts store.Store to teranode.EndpointSource by extracting
+// just the URL list. network scopes the listing to the configured Bitcoin
+// network so a store shared across pods (or reused after a network change)
+// never replays peers from a different network.
+type endpointSource struct {
+	st      store.Store
+	network string
+}
+
+func (a endpointSource) ListEndpointURLs(ctx context.Context) ([]string, error) {
+	eps, err := a.st.ListDatahubEndpoints(ctx, a.network)
+	if err != nil {
+		return nil, err
+	}
+	out := make([]string, 0, len(eps))
+	for _, ep := range eps {
+		out = append(out, ep.URL)
+	}
+	return out, nil
+}