PR #121 (issue #91) added TestHandleCallback_UnknownTxid_NoPhantomRow
without the bearer header that PR #112 (issue #76) made mandatory on
the callback endpoint, so the test was failing on every PR rebased
onto main. Use the existing authedCallbackRequest helper.

PR #121 (issue #91) added TestHandleCallback_UnknownTxid_NoPhantomRow
without the bearer header that PR #112 (issue #76) made mandatory on
the callback endpoint, so the test was failing on every PR rebased
onto main. Use the existing authedCallbackRequest helper.

* fix(api_server): cap callback request body size (#77)

handleCallback binds JSON without limiting body size, allowing a
malicious or malfunctioning peer to exhaust memory with oversized
payloads (especially STUMP blobs). Bodies are now wrapped in
http.MaxBytesReader; oversize requests return 413. The limit is
configurable via Callback.MaxBodyBytes (default 16 MiB). Closes F-019.

* test(api_server): authenticate the unknown-txid callback test

PR #121 (issue #91) added TestHandleCallback_UnknownTxid_NoPhantomRow
without the bearer header that PR #112 (issue #76) made mandatory on
the callback endpoint, so the test was failing on every PR rebased
onto main. Use the existing authedCallbackRequest helper.

…#87) (#123)

* fix(bump_builder): preserve block height when publishing mined status (#87)

The mined-status update path was dropping blockHeight between
InsertBUMP and SetMinedByTxIDs (or the subsequent publish), so
downstream consumers received MINED statuses with a zero or unset
height. Block height is now threaded through the whole call chain
and asserted in tests. Closes F-029.

* test(api_server): authenticate the unknown-txid callback test

PR #121 (issue #91) added TestHandleCallback_UnknownTxid_NoPhantomRow
without the bearer header that PR #112 (issue #76) made mandatory on
the callback endpoint, so the test was failing on every PR rebased
onto main. Use the existing authedCallbackRequest helper.

…tration (#131)

Arcade's /api/v1/merkle-service/callback requires bearer-token auth via
cfg.CallbackToken (PR #112 / F-018), but the /watch registration to
merkle-service didn't tell merkle-service what token to send back.
Result: merkle-service calls arcade with no Authorization header and
gets 401.

Register/RegisterBatch now accept a callback-token argument and emit
it in the watchRequest JSON. The propagator passes cfg.CallbackToken
through. Empty tokens omit the field so older deployments without a
configured token continue to work as today (with the same 401 they
already get from the inbound check, which is the correct fail-closed
behaviour).

Pairs with merkle-service PR <leave-placeholder> which makes the
receiving end actually store and forward the token on outbound
delivery. Both PRs must merge before authenticated callbacks work.

merkle-service #112 shipped a POST /reprocess endpoint that re-drives a
block through STUMP + BLOCK_PROCESSED delivery for a single requesting
arcade — the operator-facing recovery hatch when arcade missed the
original BLOCK_PROCESSED event. The new smoke scenario proves the
recovery path lands a valid compound BUMP at arcade:

  1. arcade registers 10 watched txids via /watch
  2. NO libp2p BlockMessage is ever published, so merkle-service
     never processes the block live (simulates "arcade missed the
     BLOCK_PROCESSED event")
  3. test sanity-checks none of the txs reached MINED
  4. test calls POST /reprocess with the block hash + arcade's
     callback URL + token
  5. merkle-service probes its DATAHUB_FALLBACK_URLS, finds the
     harness datahub, runs the full block-processing pipeline
     with override callback URL/token + BypassDedup=true so
     subtree-worker emits STUMPs filtered to arcade and a single
     BLOCK_PROCESSED scoped to arcade's callback
  6. arcade's bump-builder builds the compound BUMP, marks all 10
     txs MINED, and each merklePath ComputeRoot()s back to the
     block's real header merkle root

Harness additions:

- harness.New() learns a WithReprocessReady() option. When set, it
  pre-picks a free TCP port, builds the datahub URL on the network
  gateway IP, and threads it into the merkle-service container's
  DATAHUB_FALLBACK_URLS env var BEFORE the container starts. The
  Datahub listener binds on that pre-reserved port after the
  container is up. h.Datahub is the resulting pre-registered datahub.

- harness.NewDatahubOnPort(t, opts, port) — datahub constructor
  that accepts an explicit port. port=0 keeps the auto-pick
  behavior NewDatahubWith/NewDatahub already had.

- harness.TriggerReprocess(ctx, merkleHostURL, blockHash, callbackURL,
  callbackToken) — POSTs to merkle-service /reprocess, parses the
  202 body into ReprocessResponse{Status, BlockHash, DataHubURL}.
  Returns the parsed response so callers can assert which datahub
  URL got picked up.

No new fixtures — the test reuses the existing single-subtree
mainnet block fixture from the round-trip test.

Like the other end-to-end tests, this one requires container ↔ host
networking that works on Docker but not on rootless podman with
pasta's --no-map-gw default. The /reprocess call fails locally with
"no DataHub could serve the requested block" — documented in
tests/e2e/README.md. CI on GitHub Actions uses Docker so the test
runs the full path there.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>