feat(network): header-carried tree-aux roots in header sync

[evan-forbes]

Motivation

Carry the per-height Sapling/Orchard commitment roots (tree_aux) inside the
header-sync Headers message instead of fetching them over a separate stream,
and remove the old separate stream now that it's redundant. A VCT
fast-syncing node receives provisional roots alongside the headers it already
requests, persists them ahead of body commit, and skips the note-commitment
frontier rebuild when the roots verify.

Scoped to that feature; targets PR #189 (perf-note-commit-tree).

What's in scope

• Wire/protocol (zakura/header_sync/*, handler.rs): Headers carries an
  optional all-or-nothing tree_aux_roots vector parallel to headers;
  GetHeaders gains want_tree_aux_roots; header-sync stream version bump;
  byte-budget accounting, root validation, new error variants.
• State persistence/serving (zebra-state/*): a new
  zakura_header_commitment_roots_by_height CF persists provisional header-ahead
  roots; CommitHeaderRange accepts tree_aux_roots; BlockRoots serving
  appends provisional header-ahead roots after committed roots;
  PeerSource/VctState read provisional roots from the DB.
• Driver wiring (header_sync_driver.rs, start.rs): serve roots for
  finalized ranges, route received roots into CommitHeaderRange.
• Observability (trace.rs): want_tree_aux_roots/tree_aux_roots_len on
  header-sync rows, tree_aux_roots_len on commit-state rows, and
  state.vct.fast_path.{hit,miss} counters.
• Old-stream removal (final commit): delete the zakura/tree_aux client/server
  module, its stream kind + capability registration, the tree_aux_driver
  (serving port + fetch loop), and the state-side TreeAuxRootsWriter /
  PeerSourceWriter / PeerSourceHandle / peer-root refetch signal. PeerSource
  stays as the DB-backed reader. A missing/rejected root now waits for header sync
  to deliver a replacement via the in-place commit retry (or, on an archive node,
  recomputes from the per-height trees) — no separate-stream refetch.

Commits

1. refactor!: move aux tree to the headersync message — wire + state + wiring
   (de-bundled; see below).
2. test(network): align header-sync tests with non-finalized tree-aux-root rejection
3. feat(network): trace header-carried tree-aux roots and vct fast-path hits
4. fix(zebrad): serve the aligned tree-aux root prefix when roots lag headers
5. refactor!: remove the separate tree_aux fetch stream

De-bundling note

The source commit for (1) also contained unrelated block-sync work (sequencer
round-robin fairness, clear_submitted_applies_through, apply-limit tuning, etc.).
All of that was excluded here — block_sync/ is byte-identical to the #189 base.

Bug fixed (commit 4)

tree_aux_roots_for_served_header_range returned an empty vec whenever the
available roots didn't cover every requested header height. Since served
headers normally run ahead of roots, that meant no roots were ever served over
the header path — silently disabling the feature. Fixed to return the aligned
prefix.

Known caveats (draft)

• Header-sync stream version jumps 2 → 4 on this base (no v3 in between).

Test evidence

• cargo fmt --all -- --check, cargo check, cargo clippy --all-targets — clean
  (only pre-existing valar-base warnings: tx_v6 cfg in zebra-chain,
  clone_on_copy in zebra-rpc).
• cargo test -p zebra-network --lib zakura::* — 537 passed.
• cargo test -p zebrad --lib zakura_header_sync_driver_tests — 35 passed.
• cargo test -p zebra-state --lib --features proptest-impl finalized_state — 174
  passed, 2 pre-existing failures unrelated to this PR (a stale
  column_family_names snapshot from the valar fast_sync_metadata→vct_sync_metadata
  rename + the new CF, and vct_frozen_frontier_survives_reopen).
• Full workspace suite not run (draft).

AI disclosure

Used Claude Code to extract/de-bundle the source commits onto the #189 base,
remove the old tree_aux stream, resolve conflicts, and author the prefix bug fix.

[p0mvn]

There are 2 cases when we expect these to be false:

1. Syncing in non-checkpoint mode
2. Beyond the last checkpoint.

I'd rather always require this for initial simplicity of the design and to avoid having conditions that are error-prone. I think that this is easy to misuse

We could track the optimization via a Linear task

[p0mvn]

I also noticed that we are requesting these in non-checkpoint mode, which is redundant

[p0mvn]

Do we want to downgrade this before the final release?

[p0mvn]

Might be worth having traces/metrics here

[p0mvn]

This still has a bug I explained yesterday in DM:

#259

I will rebase that PR after merging this

[p0mvn]

I am a bit worried about the number of these silent Vec::new() conditions.

It is very likely that some nodes are not serving roots because of something silly, but we cannot see it due to the lack of observability/error propagation

[p0mvn]

LGTM.

Let's start updating documentation (e.g., docs/design/verified-commitment-trees.md) and add comments to critical areas.

I committed low-risk nits and doc/comment updates directly to not block cycles on this

[p0mvn]

Having problems with GitHub failing to merge. Looking into

[p0mvn]

Okay, it got merged into perf-note-commit-tree. I think there is a GitHub bug