Merge bitcoin/bitcoin#34366: test: switch order of error code and message check

0aba464ce7 test: switch order of error code and message check (rkrux)

Pull request description:

  I feel it'd be easier to debug intermittent test failures if the error message is present in the logs instead of error code. So, switching order of error code and message in the `try_rpc` function to aid error debugging.

  Should help in debugging #34354 IMO. It's an intermittent failure on Windows that I can't reproduce and it's more difficult to figure out what could have gone wrong only by seeing the error code like below in the CI logs. Given that the functional tests pass, I don't see a harm in checking for error message first and throwing it in case of a mismatch.

  ```python
  AssertionError: Unexpected JSONRPC error code -1
  ```

  <!--
  *** Please remove the following help text before submitting: ***

  Pull requests without a rationale and clear improvement may be closed
  immediately.

  GUI-related pull requests should be opened against
  https://github.com/bitcoin-core/gui
  first. See CONTRIBUTING.md
  -->

  <!--
  Please provide clear motivation for your patch and explain how it improves
  Bitcoin Core user experience or Bitcoin Core developer experience
  significantly:

  * Any test improvements or new tests that improve coverage are always welcome.
  * All other changes should have accompanying unit tests (see `src/test/`) or
    functional tests (see `test/`). Contributors should note which tests cover
    modified code. If no tests exist for a region of modified code, new tests
    should accompany the change.
  * Bug fixes are most welcome when they come with steps to reproduce or an
    explanation of the potential issue as well as reasoning for the way the bug
    was fixed.
  * Features are welcome, but might be rejected due to design or scope issues.
    If a feature is based on a lot of dependencies, contributors should first
    consider building the system outside of Bitcoin Core, if possible.
  * Refactoring changes are only accepted if they are required for a feature or
    bug fix or otherwise improve developer experience significantly. For example,
    most "code style" refactoring changes require a thorough explanation why they
    are useful, what downsides they have and why they *significantly* improve
    developer experience or avoid serious programming bugs. Note that code style
    is often a subjective matter. Unless they are explicitly mentioned to be
    preferred in the [developer notes](/doc/developer-notes.md), stylistic code
    changes are usually rejected.
  -->

  <!--
  Bitcoin Core has a thorough review process and even the most trivial change
  needs to pass a lot of eyes and requires non-zero or even substantial time
  effort to review. There is a huge lack of active reviewers on the project, so
  patches often sit for a long time.
  -->

ACKs for top commit:
  maflcko:
    lgtm ACK 0aba464ce7
  polespinasa:
    lgtm ACK 0aba464ce7
  fjahr:
    utACK 0aba464ce7
  brunoerg:
    code review ACK 0aba464ce7
  sedited:
    ACK 0aba464ce7

Tree-SHA512: b09ba4b5d13a2c93a4a28a5c1b06af44a91295974236bb8326b74a988878c431e9ce0e19ec14bb98ac2b002da877abaa7da6a9851424453bcb494c0317b57227

.github/ISSUE_TEMPLATE/bug.yml

@@ -78,7 +78,7 @@ body:
     id: os
     attributes:
       label: Operating system and version
-      placeholder: e.g. "MacOS Ventura 13.2" or "Ubuntu 22.04 LTS"
+      placeholder: e.g. "MacOS 26.0" or "Ubuntu 26.04 LTS"
     validations:
       required: true
   - type: textarea
@@ -90,4 +90,3 @@ body:
         e.g. OS/CPU and disk type, network connectivity
     validations:
       required: false
-

.github/actions/clear-files/action.yml

@@ -0,0 +1,12 @@
+name: 'Clear unnecessary files'
+description: 'Clear out unnecessary files to make space on the VM'
+runs:
+  using: 'composite'
+  steps:
+    - name: Clear unnecessary files
+      shell: bash
+      env:
+        DEBIAN_FRONTEND: noninteractive
+      run: |
+        set +o errexit
+        sudo bash -c '(ionice -c 3 nice -n 19 rm -rf /usr/share/dotnet/ /usr/local/graalvm/ /usr/local/.ghcup/ /usr/local/share/powershell /usr/local/share/chromium /usr/local/lib/android /usr/local/lib/node_modules)&'

.github/actions/configure-docker/action.yml

@@ -1,12 +1,19 @@
 name: 'Configure Docker'
 description: 'Set up Docker build driver and configure build cache args'
 inputs:
-  use-cirrus:
-    description: 'Use cirrus cache'
+  cache-provider:
+    description: 'gha or cirrus cache provider'
     required: true
 runs:
   using: 'composite'
   steps:
+    - name: Check inputs
+      shell: python
+      run: |
+        # We expect only gha or cirrus as inputs to cache-provider
+        if "${{ inputs.cache-provider }}" not in ("gha", "cirrus"):
+          print("::warning title=Unknown input to configure docker action::Provided value was ${{ inputs.cache-provider }}")
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
       with:
@@ -19,8 +26,12 @@ runs:
       uses: actions/github-script@v6
       with:
         script: |
-          core.exportVariable('ACTIONS_CACHE_URL', process.env['ACTIONS_CACHE_URL'])
-          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env['ACTIONS_RUNTIME_TOKEN'])
+          Object.keys(process.env).forEach(function (key) {
+            if (key.startsWith('ACTIONS_')) {
+              core.info(`Exporting ${key}`);
+              core.exportVariable(key, process.env[key]);
+            }
+          });
 
     - name: Construct docker build cache args
       shell: bash
@@ -32,7 +43,7 @@ runs:
         # which are set automatically when running on GitHub infra: https://docs.docker.com/build/cache/backends/gha/#synopsis
 
         # Use cirrus cache host
-        if [[ ${{ inputs.use-cirrus }} == 'true' ]]; then
+        if [[ ${{ inputs.cache-provider }} == 'cirrus' ]]; then
           url_args="url=${CIRRUS_CACHE_HOST},url_v2=${CIRRUS_CACHE_HOST}"
         else
           url_args=""
@@ -41,8 +52,8 @@ runs:
         # Always optimistically --cache‑from in case a cache blob exists
         args=(--cache-from "type=gha${url_args:+,${url_args}},scope=${CONTAINER_NAME}")
 
-        # If this is a push to the default branch, also add --cache‑to to save the cache
-        if [[ ${{ github.event_name }} == "push" && ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]]; then
+        # Only add --cache-to when using the Cirrus cache provider and pushing to the default branch.
+        if [[ ${{ inputs.cache-provider }} == 'cirrus' && ${{ github.event_name }} == "push" && ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]]; then
           args+=(--cache-to "type=gha${url_args:+,${url_args}},mode=max,ignore-error=true,scope=${CONTAINER_NAME}")
         fi
 

.github/actions/configure-environment/action.yml

@@ -17,7 +17,7 @@ runs:
     - name: Set cache hashes
       shell: bash
       run: |
-        echo "DEPENDS_HASH=$(git ls-tree HEAD depends "ci/test/$FILE_ENV" | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
+        echo "DEPENDS_HASH=$(git ls-tree HEAD depends "$FILE_ENV" | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
         echo "PREVIOUS_RELEASES_HASH=$(git ls-tree HEAD test/get_previous_releases.py | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
 
     - name: Get container name

.github/ci-lint-exec.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+# Copyright (c) The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or https://opensource.org/license/mit.
+
+import os
+import shlex
+import subprocess
+import sys
+import time
+
+
+def run(cmd, **kwargs):
+    print("+ " + shlex.join(cmd), flush=True)
+    kwargs.setdefault("check", True)
+    try:
+        return subprocess.run(cmd, **kwargs)
+    except Exception as e:
+        sys.exit(e)
+
+
+def main():
+    CONTAINER_NAME = os.environ["CONTAINER_NAME"]
+
+    build_cmd = [
+        "docker", "buildx", "build",
+        f"--tag={CONTAINER_NAME}",
+        *shlex.split(os.getenv("DOCKER_BUILD_CACHE_ARG", "")),
+        "--file=./ci/lint_imagefile",
+        "."
+    ]
+
+    if run(build_cmd, check=False).returncode != 0:
+        print("Retry building image tag after failure")
+        time.sleep(3)
+        run(build_cmd)
+
+    extra_env = []
+    if os.environ["GITHUB_EVENT_NAME"] == "pull_request":
+        extra_env = ["--env", "LINT_CI_IS_PR=1"]
+    if os.environ["GITHUB_EVENT_NAME"] != "pull_request" and os.environ["GITHUB_REPOSITORY"] == "bitcoin/bitcoin":
+        extra_env = ["--env", "LINT_CI_SANITY_CHECK_COMMIT_SIG=1"]
+
+    run([
+        "docker",
+        "run",
+        "--rm",
+        *extra_env,
+        f"--volume={os.getcwd()}:/bitcoin",
+        CONTAINER_NAME,
+    ])
+
+
+if __name__ == "__main__":
+    main()

.github/ci-test-each-commit-exec.py

@@ -21,11 +21,12 @@ def main():
     run(["git", "log", "-1"])
 
     num_procs = int(run(["nproc"], stdout=subprocess.PIPE).stdout)
+    build_dir = "ci_build"
 
     run([
         "cmake",
         "-B",
-        "build",
+        build_dir,
         "-Werror=dev",
         # Use clang++, because it is a bit faster and uses less memory than g++
         "-DCMAKE_C_COMPILER=clang",
@@ -37,26 +38,23 @@ def main():
         "-DAPPEND_CFLAGS='-O3 -g2'",
         "-DCMAKE_BUILD_TYPE=Debug",
         "-DWERROR=ON",
-        "-DWITH_ZMQ=ON",
-        "-DBUILD_GUI=ON",
-        "-DBUILD_BENCH=ON",
-        "-DBUILD_FUZZ_BINARY=ON",
-        "-DWITH_USDT=ON",
+        "--preset=dev-mode",
+        # Tolerate unused member functions in intermediate commits in a pull request
         "-DCMAKE_CXX_FLAGS=-Wno-error=unused-member-function",
     ])
-    run(["cmake", "--build", "build", "-j", str(num_procs)])
+    run(["cmake", "--build", build_dir, "-j", str(num_procs)])
     run([
         "ctest",
         "--output-on-failure",
         "--stop-on-failure",
         "--test-dir",
-        "build",
+        build_dir,
         "-j",
         str(num_procs),
     ])
     run([
         sys.executable,
-        "./build/test/functional/test_runner.py",
+        f"./{build_dir}/test/functional/test_runner.py",
         "-j",
         str(num_procs * 2),
         "--combinedlogslen=99999999",

.github/workflows/ci.yml

@@ -30,32 +30,43 @@ defaults:
 
 jobs:
   runners:
-    name: 'determine runners'
+    name: '[meta] determine runners'
     runs-on: ubuntu-latest
     outputs:
-      use-cirrus-runners: ${{ steps.runners.outputs.use-cirrus-runners }}
+      provider: ${{ steps.runners.outputs.provider }}
     steps:
+      - &ANNOTATION_PR_NUMBER
+        name: Annotate with pull request number
+        # This annotation is machine-readable and can be used to assign a check
+        # run to its corresponding pull request. Running in all check runs is
+        # required, because check re-runs discard the annotations of other
+        # tasks in the test suite.
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo "::notice title=debug_pull_request_number_str::${{ github.event.number }}"
+          fi
       - id: runners
         run: |
           if [[ "${REPO_USE_CIRRUS_RUNNERS}" == "${{ github.repository }}" ]]; then
-            echo "use-cirrus-runners=true" >> "$GITHUB_OUTPUT"
+            echo "provider=cirrus" >> "$GITHUB_OUTPUT"
             echo "::notice title=Runner Selection::Using Cirrus Runners"
           else
-            echo "use-cirrus-runners=false" >> "$GITHUB_OUTPUT"
+            echo "provider=gha" >> "$GITHUB_OUTPUT"
             echo "::notice title=Runner Selection::Using GitHub-hosted runners"
           fi
 
   test-each-commit:
-    name: 'test each commit'
+    name: 'test max 6 ancestor commits'
     runs-on: ubuntu-24.04
     if: github.event_name == 'pull_request' && github.event.pull_request.commits != 1
     timeout-minutes: 360  # Use maximum time, see https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes. Assuming a worst case time of 1 hour per commit, this leads to a --max-count=6 below.
     env:
-      MAX_COUNT: 6
+      MAX_COUNT: 6  # Keep in sync with name above
     steps:
       - name: Determine fetch depth
         run: echo "FETCH_DEPTH=$((${{ github.event.pull_request.commits }} + 2))" >> "$GITHUB_ENV"
-      - uses: actions/checkout@v5
+      - *ANNOTATION_PR_NUMBER
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: ${{ env.FETCH_DEPTH }}
@@ -105,7 +116,7 @@ jobs:
     name: ${{ matrix.job-name }}
     # Use any image to support the xcode-select below, but hardcode version to avoid silent upgrades (and breaks).
     # See: https://github.com/actions/runner-images#available-images.
-    runs-on: macos-14
+    runs-on: macos-15
 
     # When a contributor maintains a fork of the repo, any pull request they make
     # to their own fork, or to the main repository, will trigger two CI runs:
@@ -123,30 +134,32 @@ jobs:
         include:
           - job-type: standard
             file-env: './ci/test/00_setup_env_mac_native.sh'
-            job-name: 'macOS 14 native, arm64, no depends, sqlite only, gui'
+            job-name: 'macOS native'
           - job-type: fuzz
             file-env: './ci/test/00_setup_env_mac_native_fuzz.sh'
-            job-name: 'macOS 14 native, arm64, fuzz'
+            job-name: 'macOS native, fuzz'
 
     env:
       DANGER_RUN_CI_ON_HOST: 1
-      BASE_ROOT_DIR: ${{ github.workspace }}
+      BASE_ROOT_DIR: ${{ github.workspace }}/repo_archive
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - &CHECKOUT
         name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           # Ensure the latest merged pull request state is used, even on re-runs.
           ref: &CHECKOUT_REF_TMPL ${{ github.event_name == 'pull_request' && github.ref || '' }}
 
       - name: Clang version
         run: |
-          # Use the earliest Xcode supported by the version of macOS denoted in
+          # Use the latest Xcode supported by the version of macOS denoted in
           # doc/release-notes-empty-template.md and providing at least the
           # minimum clang version denoted in doc/dependencies.md.
-          # See: https://developer.apple.com/documentation/xcode-release-notes/xcode-15-release-notes
-          sudo xcode-select --switch /Applications/Xcode_15.0.app
+          # See: https://developer.apple.com/documentation/xcode-release-notes/xcode-16_2-release-notes
+          sudo xcode-select --switch /Applications/Xcode_16.2.app
           clang --version
 
       - name: Install Homebrew packages
@@ -157,11 +170,6 @@ jobs:
           brew install --quiet python@3 || brew link --overwrite python@3
           brew install --quiet coreutils ninja pkgconf gnu-getopt ccache boost libevent zeromq qt@6 qrencode capnp
 
-      - name: Install Python packages
-        run: |
-          git clone -b v2.1.0 https://github.com/capnproto/pycapnp
-          pip3 install ./pycapnp -C force-bundled-libcapnp=True --break-system-packages
-
       - name: Set Ccache directory
         run: echo "CCACHE_DIR=${RUNNER_TEMP}/ccache_dir" >> "$GITHUB_ENV"
 
@@ -173,14 +181,22 @@ jobs:
           key: ${{ github.job }}-${{ matrix.job-type }}-ccache-${{ github.run_id }}
           restore-keys: ${{ github.job }}-${{ matrix.job-type }}-ccache-
 
+      - name: Create git archive
+        run: |
+          git log -1
+          git archive --format=tar --prefix=repo_archive/ --output=repo.tar HEAD
+          tar -xf repo.tar
+
       - name: CI script
-        run: ./ci/test_run_all.sh
+        run: |
+          cd repo_archive
+          ./ci/test_run_all.sh
         env:
           FILE_ENV: ${{ matrix.file-env }}
 
       - name: Save Ccache cache
         uses: actions/cache/save@v4
-        if: github.event_name != 'pull_request' && steps.ccache-cache.outputs.cache-hit != 'true'
+        if: github.event_name != 'pull_request' && github.ref_name == github.event.repository.default_branch && steps.ccache-cache.outputs.cache-hit != 'true'
         with:
           path: ${{ env.CCACHE_DIR }}
           # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache
@@ -202,20 +218,27 @@ jobs:
         job-type: [standard, fuzz]
         include:
           - job-type: standard
-            generate-options: '-DBUILD_GUI=ON -DWITH_ZMQ=ON -DBUILD_BENCH=ON -DWERROR=ON'
+            generate-options: '-DBUILD_BENCH=ON -DBUILD_KERNEL_LIB=ON -DBUILD_UTIL_CHAINSTATE=ON -DWERROR=ON'
             job-name: 'Windows native, VS 2022'
           - job-type: fuzz
-            generate-options: '-DVCPKG_MANIFEST_NO_DEFAULT_FEATURES=ON -DVCPKG_MANIFEST_FEATURES="wallet" -DBUILD_GUI=OFF -DBUILD_FOR_FUZZING=ON -DWERROR=ON'
+            generate-options: '-DVCPKG_MANIFEST_NO_DEFAULT_FEATURES=ON -DVCPKG_MANIFEST_FEATURES="wallet" -DBUILD_GUI=OFF -DWITH_ZMQ=OFF -DBUILD_FOR_FUZZING=ON -DWERROR=ON'
             job-name: 'Windows native, fuzz, VS 2022'
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - *CHECKOUT
 
-      - name: Configure Developer Command Prompt for Microsoft Visual C++
-        # Using microsoft/setup-msbuild is not enough.
-        uses: ilammy/msvc-dev-cmd@v1
-        with:
-          arch: x64
+      - &SET_UP_VS
+        name: Set up VS Developer Prompt
+        shell: pwsh -Command "$PSVersionTable; $PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'Stop'; & '{0}'"
+        run: |
+          $vswherePath = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
+          $installationPath = & $vswherePath -latest -property installationPath
+          & "${env:COMSPEC}" /s /c "`"$installationPath\Common7\Tools\vsdevcmd.bat`" -arch=x64 -no_logo && set" | foreach-object {
+            $name, $value = $_ -split '=', 2
+            echo "$name=$value" >> $env:GITHUB_ENV
+          }
 
       - name: Get tool information
         shell: pwsh
@@ -235,7 +258,7 @@ jobs:
           sed -i '1s/^/set(ENV{CMAKE_POLICY_VERSION_MINIMUM} 3.5)\n/' "${VCPKG_INSTALLATION_ROOT}/scripts/ports.cmake"
 
       - name: vcpkg tools cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: C:/vcpkg/downloads/tools
           key: ${{ github.job }}-vcpkg-tools
@@ -253,7 +276,7 @@ jobs:
 
       - name: Save vcpkg binary cache
         uses: actions/cache/save@v4
-        if: github.event_name != 'pull_request' && steps.vcpkg-binary-cache.outputs.cache-hit != 'true' && matrix.job-type == 'standard'
+        if: github.event_name != 'pull_request' && github.ref_name == github.event.repository.default_branch && steps.vcpkg-binary-cache.outputs.cache-hit != 'true' && matrix.job-type == 'standard'
         with:
           path: ~/AppData/Local/vcpkg/archives
           key: ${{ github.job }}-vcpkg-binary-${{ hashFiles('cmake_version', 'msbuild_version', 'toolset_version', 'vcpkg.json') }}
@@ -263,20 +286,30 @@ jobs:
         run: |
           cmake --build . -j $NUMBER_OF_PROCESSORS --config Release
 
-      - name: Get bitcoind manifest
+      - name: Check executable manifests
         if: matrix.job-type == 'standard'
         working-directory: build
+        shell: pwsh -Command "$PSVersionTable; $PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'Stop'; & '{0}'"
         run: |
-          mt.exe -nologo -inputresource:bin/Release/bitcoind.exe -out:bitcoind.manifest
-          cat bitcoind.manifest
-          echo
-          mt.exe -nologo -inputresource:bin/Release/bitcoind.exe -validate_manifest
+          mt.exe -nologo -inputresource:bin\Release\bitcoind.exe -out:bitcoind.manifest
+          Get-Content bitcoind.manifest
+
+          Get-ChildItem -Filter "bin\Release\*.exe" | ForEach-Object {
+            $exeName = $_.Name
+
+            # Skip as they currently do not have manifests
+            if ($exeName -eq "fuzz.exe" -or $exeName -eq "bench_bitcoin.exe" -or $exeName -eq "test_bitcoin-qt.exe" -or $exeName -eq "test_kernel.exe" -or $exeName -eq "bitcoin-chainstate.exe") {
+              Write-Host "Skipping $exeName (no manifest present)"
+              return
+            }
+
+            Write-Host "Checking $exeName"
+            & mt.exe -nologo -inputresource:$_.FullName -validate_manifest
+          }
 
       - name: Run test suite
         if: matrix.job-type == 'standard'
         working-directory: build
-        env:
-          QT_PLUGIN_PATH: '${{ github.workspace }}\build\vcpkg_installed\x64-windows\Qt6\plugins'
         run: |
           ctest --output-on-failure --stop-on-failure -j $NUMBER_OF_PROCESSORS -C Release
 
@@ -287,11 +320,15 @@ jobs:
           BITCOIN_BIN: '${{ github.workspace }}\build\bin\Release\bitcoin.exe'
           BITCOIND: '${{ github.workspace }}\build\bin\Release\bitcoind.exe'
           BITCOINCLI: '${{ github.workspace }}\build\bin\Release\bitcoin-cli.exe'
+          BITCOIN_BENCH: '${{ github.workspace }}\build\bin\Release\bench_bitcoin.exe'
           BITCOINTX: '${{ github.workspace }}\build\bin\Release\bitcoin-tx.exe'
           BITCOINUTIL: '${{ github.workspace }}\build\bin\Release\bitcoin-util.exe'
           BITCOINWALLET: '${{ github.workspace }}\build\bin\Release\bitcoin-wallet.exe'
+          BITCOINCHAINSTATE: '${{ github.workspace }}\build\bin\Release\bitcoin-chainstate.exe'
           TEST_RUNNER_EXTRA: ${{ github.event_name != 'pull_request' && '--extended' || '' }}
-        run: py -3 test/functional/test_runner.py --jobs $NUMBER_OF_PROCESSORS --ci --quiet --tmpdirprefix="${RUNNER_TEMP}" --combinedlogslen=99999999 --timeout-factor=${TEST_RUNNER_TIMEOUT_FACTOR} ${TEST_RUNNER_EXTRA}
+        run: |
+          py -3 -m pip install pyzmq
+          py -3 test/functional/test_runner.py --jobs $NUMBER_OF_PROCESSORS --quiet --tmpdirprefix="${RUNNER_TEMP}" --combinedlogslen=99999999 --timeout-factor=${TEST_RUNNER_TIMEOUT_FACTOR} ${TEST_RUNNER_EXTRA}
 
       - name: Clone corpora
         if: matrix.job-type == 'fuzz'
@@ -309,18 +346,49 @@ jobs:
         run: |
           py -3 test/fuzz/test_runner.py --par $NUMBER_OF_PROCESSORS --loglevel DEBUG "${RUNNER_TEMP}/qa-assets/fuzz_corpora"
 
+  record-frozen-commit:
+    # Record frozen commit, so that the native tests on cross-builds can run on
+    # the exact same commit id of the build.
+    name: '[meta] record frozen commit'
+    runs-on: ubuntu-latest
+    outputs:
+      commit: ${{ steps.record-commit.outputs.commit }}
+    steps:
+      - *ANNOTATION_PR_NUMBER
+      - *CHECKOUT
+      - name: Record commit
+        id: record-commit
+        run: echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
   windows-cross:
-    name: 'Linux->Windows cross, no tests'
-    needs: runners
-    runs-on: ${{ needs.runners.outputs.use-cirrus-runners == 'true' && 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm' || 'ubuntu-24.04' }}
+    name: 'Windows-cross to x86_64, ${{ matrix.crt }}'
+    needs: [runners, record-frozen-commit]
+    runs-on: ${{ needs.runners.outputs.provider == 'cirrus' && 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm' || 'ubuntu-24.04' }}
     if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
 
+    strategy:
+      fail-fast: false
+      matrix:
+        crt: [msvcrt, ucrt]
+        include:
+          - crt: msvcrt
+            file-env: './ci/test/00_setup_env_win64_msvcrt.sh'
+            artifact-name: 'x86_64-w64-mingw32-executables'
+          - crt: ucrt
+            file-env: './ci/test/00_setup_env_win64.sh'
+            artifact-name: 'x86_64-w64-mingw32ucrt-executables'
+
     env:
-      FILE_ENV: './ci/test/00_setup_env_win64.sh'
+      FILE_ENV: ${{ matrix.file-env }}
       DANGER_CI_ON_HOST_FOLDERS: 1
 
     steps:
-      - *CHECKOUT
+      - *ANNOTATION_PR_NUMBER
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.record-frozen-commit.outputs.commit }}
 
       - name: Configure environment
         uses: ./.github/actions/configure-environment
@@ -332,7 +400,7 @@ jobs:
       - name: Configure Docker
         uses: ./.github/actions/configure-docker
         with:
-          use-cirrus: ${{ needs.runners.outputs.use-cirrus-runners }}
+          cache-provider: ${{ needs.runners.outputs.provider }}
 
       - name: CI script
         run: ./ci/test_run_all.sh
@@ -341,52 +409,76 @@ jobs:
         uses: ./.github/actions/save-caches
 
       - name: Upload built executables
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
-          name: x86_64-w64-mingw32-executables-${{ github.run_id }}
+          name: ${{ matrix.artifact-name }}-${{ github.run_id }}
           path: |
+            ${{ env.BASE_BUILD_DIR }}/bin/*.dll
             ${{ env.BASE_BUILD_DIR }}/bin/*.exe
             ${{ env.BASE_BUILD_DIR }}/src/secp256k1/bin/*.exe
             ${{ env.BASE_BUILD_DIR }}/src/univalue/*.exe
             ${{ env.BASE_BUILD_DIR }}/test/config.ini
 
   windows-native-test:
-    name: 'Windows, test cross-built'
+    name: 'Windows, ${{ matrix.crt }}, test cross-built'
     runs-on: windows-2022
-    needs: windows-cross
+    needs: [windows-cross, record-frozen-commit]
+
+    strategy:
+      fail-fast: false
+      matrix:
+        crt: [msvcrt, ucrt]
+        include:
+          - crt: msvcrt
+            artifact-name: 'x86_64-w64-mingw32-executables'
+          - crt: ucrt
+            artifact-name: 'x86_64-w64-mingw32ucrt-executables'
 
     env:
       PYTHONUTF8: 1
       TEST_RUNNER_TIMEOUT_FACTOR: 40
 
     steps:
-      - *CHECKOUT
+      - *ANNOTATION_PR_NUMBER
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.record-frozen-commit.outputs.commit }}
 
       - name: Download built executables
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
-          name: x86_64-w64-mingw32-executables-${{ github.run_id }}
+          name: ${{ matrix.artifact-name }}-${{ github.run_id }}
 
       - name: Run bitcoind.exe
         run: ./bin/bitcoind.exe -version
 
-      - name: Find mt.exe tool
-        shell: pwsh
-        run: |
-          $sdk_dir = (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows Kits\Installed Roots' -Name KitsRoot10).KitsRoot10
-          $sdk_latest = (Get-ChildItem "$sdk_dir\bin" -Directory | Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } | Sort-Object Name -Descending | Select-Object -First 1).Name
-          "MT_EXE=${sdk_dir}bin\${sdk_latest}\x64\mt.exe" >> $env:GITHUB_ENV
+      - *SET_UP_VS
 
-      - name: Get bitcoind manifest
-        shell: pwsh
+      - name: Check executable manifests
+        shell: pwsh -Command "$PSVersionTable; $PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'Stop'; & '{0}'"
         run: |
-          & $env:MT_EXE -nologo -inputresource:bin\bitcoind.exe -out:bitcoind.manifest
+          mt.exe -nologo -inputresource:bin\bitcoind.exe -out:bitcoind.manifest
           Get-Content bitcoind.manifest
-          & $env:MT_EXE -nologo -inputresource:bin\bitcoind.exe -validate_manifest
+
+          Get-ChildItem -Filter "bin\*.exe" | ForEach-Object {
+            $exeName = $_.Name
+
+            # Skip as they currently do not have manifests
+            if ($exeName -eq "fuzz.exe" -or $exeName -eq "bench_bitcoin.exe" -or $exeName -eq "test_kernel.exe") {
+              Write-Host "Skipping $exeName (no manifest present)"
+              return
+            }
+
+            Write-Host "Checking $exeName"
+            & mt.exe -nologo -inputresource:$_.FullName -validate_manifest
+          }
 
       - name: Run unit tests
         # Can't use ctest here like other jobs as we don't have a CMake build tree.
         run: |
+          ./bin/test_bitcoin-qt.exe
           ./bin/test_bitcoin.exe -l test_suite  # Intentionally run sequentially here, to catch test case failures caused by dirty global state from prior test cases.
           ./src/secp256k1/bin/exhaustive_tests.exe
           ./src/secp256k1/bin/noverify_tests.exe
@@ -394,9 +486,6 @@ jobs:
           ./src/univalue/object.exe
           ./src/univalue/unitester.exe
 
-      - name: Run benchmarks
-        run: ./bin/bench_bitcoin.exe -sanity-check
-
       - name: Adjust paths in test/config.ini
         shell: pwsh
         run: |
@@ -408,21 +497,27 @@ jobs:
           echo "PREVIOUS_RELEASES_DIR=${{ runner.temp }}/previous_releases" >> "$GITHUB_ENV"
 
       - name: Get previous releases
-        working-directory: test
-        run: ./get_previous_releases.py --target-dir $PREVIOUS_RELEASES_DIR
+        run: ./test/get_previous_releases.py --target-dir $PREVIOUS_RELEASES_DIR
 
       - name: Run functional tests
         env:
-          # TODO: Fix the excluded test and re-enable it.
-          # feature_unsupported_utxo_db.py fails on windows because of emojis in the test data directory
-          EXCLUDE: '--exclude wallet_multiwallet.py,feature_unsupported_utxo_db.py'
           TEST_RUNNER_EXTRA: ${{ github.event_name != 'pull_request' && '--extended' || '' }}
-        run: py -3 test/functional/test_runner.py --jobs $NUMBER_OF_PROCESSORS --ci --quiet --tmpdirprefix="$RUNNER_TEMP" --combinedlogslen=99999999 --timeout-factor=$TEST_RUNNER_TIMEOUT_FACTOR $EXCLUDE $TEST_RUNNER_EXTRA
+        run: |
+          py -3 -m pip install pyzmq
+          py -3 test/functional/test_runner.py --jobs $NUMBER_OF_PROCESSORS --quiet --tmpdirprefix="$RUNNER_TEMP" --combinedlogslen=99999999 --timeout-factor=$TEST_RUNNER_TIMEOUT_FACTOR $TEST_RUNNER_EXTRA \
+            `# feature_unsupported_utxo_db.py fails on Windows because of emojis in the test data directory.` \
+            --exclude feature_unsupported_utxo_db.py \
+            `# See https://github.com/bitcoin/bitcoin/issues/31409.` \
+            --exclude wallet_multiwallet.py
+          # Run feature_unsupported_utxo_db sequentially in ASCII-only tmp dir,
+          # because it is excluded above due to lack of UTF-8 support in the
+          # ancient release.
+          py -3 test/functional/feature_unsupported_utxo_db.py --previous-releases --tmpdir="${RUNNER_TEMP}/test_feature_unsupported_utxo_db"
 
   ci-matrix:
     name: ${{ matrix.name }}
     needs: runners
-    runs-on: ${{ needs.runners.outputs.use-cirrus-runners == 'true' && matrix.cirrus-runner || matrix.fallback-runner }}
+    runs-on: ${{ needs.runners.outputs.provider == 'cirrus' && matrix.cirrus-runner || matrix.fallback-runner }}
     if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
     timeout-minutes: ${{ matrix.timeout-minutes }}
 
@@ -434,53 +529,72 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - name: '32 bit ARM, unit tests, no functional tests'
+          - name: 'iwyu'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_iwyu.sh'
+
+          - name: '32 bit ARM'
             cirrus-runner: 'ubuntu-24.04-arm' # Cirrus' Arm runners are Apple (with virtual Linux aarch64), which doesn't support 32-bit mode
             fallback-runner: 'ubuntu-24.04-arm'
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_arm.sh'
+            provider: 'gha'
 
-          - name: 'ASan + LSan + UBSan + integer, no depends, USDT'
+          - name: 'ASan + LSan + UBSan + integer'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md' # has to match container in ci/test/00_setup_env_native_asan.sh for tracing tools
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_native_asan.sh'
 
-          - name: 'macOS-cross, gui, no tests'
+          - name: 'macOS-cross to arm64'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_mac_cross.sh'
 
-          - name: 'No wallet, libbitcoinkernel'
+          - name: 'macOS-cross to x86_64'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
-            file-env: './ci/test/00_setup_env_native_nowallet_libbitcoinkernel.sh'
+            file-env: './ci/test/00_setup_env_mac_cross_intel.sh'
 
-          - name: 'no IPC, i686, DEBUG'
+          - name: 'No wallet'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_nowallet.sh'
+
+          - name: 'i686, no IPC'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_i686_no_ipc.sh'
 
-          - name: 'fuzzer,address,undefined,integer, no depends'
+          - name: 'fuzzer,address,undefined,integer'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-lg'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 240
             file-env: './ci/test/00_setup_env_native_fuzz.sh'
 
-          - name: 'previous releases, depends DEBUG'
+          - name: 'Valgrind, fuzz'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 240
+            file-env: './ci/test/00_setup_env_native_fuzz_with_valgrind.sh'
+
+          - name: 'previous releases'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_native_previous_releases.sh'
 
-          - name: 'CentOS, depends, gui'
-            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-lg'
+          - name: 'Alpine (musl)'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
-            file-env: './ci/test/00_setup_env_native_centos.sh'
+            file-env: './ci/test/00_setup_env_native_alpine_musl.sh'
 
           - name: 'tidy'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
@@ -488,19 +602,27 @@ jobs:
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_native_tidy.sh'
 
-          - name: 'TSan, depends, no gui'
+          - name: 'TSan'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_native_tsan.sh'
 
-          - name: 'MSan, depends'
+          - name: 'MSan, fuzz'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 150
+            file-env: './ci/test/00_setup_env_native_fuzz_with_msan.sh'
+
+          - name: 'MSan'
             cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-lg'
             fallback-runner: 'ubuntu-24.04'
             timeout-minutes: 120
             file-env: './ci/test/00_setup_env_native_msan.sh'
 
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - *CHECKOUT
 
       - name: Configure environment
@@ -513,7 +635,11 @@ jobs:
       - name: Configure Docker
         uses: ./.github/actions/configure-docker
         with:
-          use-cirrus: ${{ needs.runners.outputs.use-cirrus-runners }}
+          cache-provider: ${{ matrix.provider || needs.runners.outputs.provider }}
+
+      - name: Clear unnecessary files
+        if: ${{ needs.runners.outputs.provider == 'gha' && true || false }} # Only needed on GHA runners
+        uses: ./.github/actions/clear-files
 
       - name: Enable bpfcc script
         if: ${{ env.CONTAINER_NAME == 'ci_native_asan' }}
@@ -522,7 +648,7 @@ jobs:
         run: sed -i "s|\${INSTALL_BCC_TRACING_TOOLS}|true|g" ./ci/test/00_setup_env_native_asan.sh
 
       - name: Set mmap_rnd_bits
-        if: ${{ env.CONTAINER_NAME == 'ci_native_tsan' || env.CONTAINER_NAME == 'ci_native_msan' }}
+        if: ${{ env.CONTAINER_NAME == 'ci_native_tsan' || env.CONTAINER_NAME == 'ci_native_msan' || env.CONTAINER_NAME == 'ci_native_fuzz_msan' }}
         # Prevents crashes due to high ASLR entropy
         run: sudo sysctl -w vm.mmap_rnd_bits=28
 
@@ -535,14 +661,16 @@ jobs:
   lint:
     name: 'lint'
     needs: runners
-    runs-on: ${{ needs.runners.outputs.use-cirrus-runners == 'true' && 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-xs' || 'ubuntu-24.04' }}
+    runs-on: ${{ needs.runners.outputs.provider == 'cirrus' && 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-xs' || 'ubuntu-24.04' }}
     if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
     timeout-minutes: 20
     env:
       CONTAINER_NAME: "bitcoin-linter"
     steps:
+      - *ANNOTATION_PR_NUMBER
+
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: *CHECKOUT_REF_TMPL
           fetch-depth: 0
@@ -550,14 +678,7 @@ jobs:
       - name: Configure Docker
         uses: ./.github/actions/configure-docker
         with:
-          use-cirrus: ${{ needs.runners.outputs.use-cirrus-runners }}
+          cache-provider: ${{ needs.runners.outputs.provider }}
 
       - name: CI script
-        run: |
-          set -o xtrace
-          docker buildx build -t "$CONTAINER_NAME" $DOCKER_BUILD_CACHE_ARG --file "./ci/lint_imagefile" .
-          CIRRUS_PR_FLAG=""
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            CIRRUS_PR_FLAG="-e CIRRUS_PR=1"
-          fi
-          docker run --rm $CIRRUS_PR_FLAG -v "$(pwd)":/bitcoin "$CONTAINER_NAME"
+        run: python .github/ci-lint-exec.py

.gitignore

@@ -12,6 +12,7 @@
 
 # Only ignore unexpected patches
 *.patch
+!ci/test/*.patch
 !contrib/guix/patches/*.patch
 !depends/patches/**/*.patch
 

CMakeLists.txt

@@ -32,7 +32,7 @@ set(CLIENT_VERSION_MINOR 99)
 set(CLIENT_VERSION_BUILD 0)
 set(CLIENT_VERSION_RC 0)
 set(CLIENT_VERSION_IS_RELEASE "false")
-set(COPYRIGHT_YEAR "2025")
+set(COPYRIGHT_YEAR "2026")
 
 # During the enabling of the CXX and CXXOBJ languages, we modify
 # CMake's compiler/linker invocation strings by appending the content
@@ -105,6 +105,7 @@ option(BUILD_UTIL "Build bitcoin-util executable." ${BUILD_TESTS})
 
 option(BUILD_UTIL_CHAINSTATE "Build experimental bitcoin-chainstate executable." OFF)
 option(BUILD_KERNEL_LIB "Build experimental bitcoinkernel library." ${BUILD_UTIL_CHAINSTATE})
+cmake_dependent_option(BUILD_KERNEL_TEST "Build tests for the experimental bitcoinkernel library." ON "BUILD_KERNEL_LIB" OFF)
 
 option(ENABLE_WALLET "Enable wallet." ON)
 if(ENABLE_WALLET)
@@ -210,6 +211,7 @@ if(BUILD_FOR_FUZZING)
   set(BUILD_UTIL OFF)
   set(BUILD_UTIL_CHAINSTATE OFF)
   set(BUILD_KERNEL_LIB OFF)
+  set(BUILD_KERNEL_TEST OFF)
   set(BUILD_WALLET_TOOL OFF)
   set(BUILD_GUI OFF)
   set(ENABLE_EXTERNAL_SIGNER OFF)
@@ -461,6 +463,8 @@ else()
   try_append_cxx_flags("-Wself-assign" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wbidi-chars=any" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wundef" TARGET warn_interface SKIP_LINK)
+  try_append_cxx_flags("-Wleading-whitespace=spaces" TARGET warn_interface SKIP_LINK)
+  try_append_cxx_flags("-Wtrailing-whitespace=any" TARGET warn_interface SKIP_LINK)
 
   # Some compilers (gcc) ignore unknown -Wno-* options, but warn about all
   # unknown options if any other warning is produced. Test the -Wfoo case, and
@@ -491,8 +495,8 @@ try_append_cxx_flags("-fmacro-prefix-map=A=B" TARGET core_interface SKIP_LINK
   IF_CHECK_PASSED "-fmacro-prefix-map=${PROJECT_SOURCE_DIR}/src=."
 )
 
-# Currently all versions of gcc are subject to a class of bugs, see the
-# gccbug_90348 test case (only reproduces on GCC 11 and earlier) and
+# GCC versions 13.2 (and earlier) are subject to a class of bugs, see
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90348 and the meta bug
 # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111843. To work around that, set
 # -fstack-reuse=none for all gcc builds. (Only gcc understands this flag).
 try_append_cxx_flags("-fstack-reuse=none" TARGET core_interface)
@@ -619,19 +623,6 @@ if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.29)
   set(CMAKE_SKIP_TEST_ALL_DEPENDENCY FALSE)
 endif()
 
-# TODO: The `CMAKE_SKIP_BUILD_RPATH` variable setting can be deleted
-#       in the future after reordering Guix script commands to
-#       perform binary checks after the installation step.
-# Relevant discussions:
-# - https://github.com/hebasto/bitcoin/pull/236#issuecomment-2183120953
-# - https://github.com/bitcoin/bitcoin/pull/30312#issuecomment-2191235833
-# NetBSD always requires runtime paths to be set for executables.
-if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD")
-  set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
-else()
-  set(CMAKE_SKIP_BUILD_RPATH TRUE)
-  set(CMAKE_SKIP_INSTALL_RPATH TRUE)
-endif()
 add_subdirectory(test)
 add_subdirectory(doc)
 
@@ -639,7 +630,6 @@ add_subdirectory(src)
 
 include(Maintenance)
 setup_split_debug_script()
-add_maintenance_targets()
 add_windows_deploy_target()
 add_macos_deploy_target()
 
@@ -668,6 +658,7 @@ message("  bitcoin-util ........................ ${BUILD_UTIL}")
 message("  bitcoin-wallet ...................... ${BUILD_WALLET_TOOL}")
 message("  bitcoin-chainstate (experimental) ... ${BUILD_UTIL_CHAINSTATE}")
 message("  libbitcoinkernel (experimental) ..... ${BUILD_KERNEL_LIB}")
+message("  kernel-test (experimental) .......... ${BUILD_KERNEL_TEST}")
 message("Optional features:")
 message("  wallet support ...................... ${ENABLE_WALLET}")
 message("  external signer ..................... ${ENABLE_EXTERNAL_SIGNER}")

CMakePresets.json

@@ -14,7 +14,8 @@
       "toolchainFile": "$env{VCPKG_ROOT}\\scripts\\buildsystems\\vcpkg.cmake",
       "cacheVariables": {
         "VCPKG_TARGET_TRIPLET": "x64-windows",
-        "BUILD_GUI": "ON"
+        "BUILD_GUI": "ON",
+        "WITH_ZMQ": "ON"
       }
     },
     {
@@ -30,7 +31,8 @@
       "toolchainFile": "$env{VCPKG_ROOT}\\scripts\\buildsystems\\vcpkg.cmake",
       "cacheVariables": {
         "VCPKG_TARGET_TRIPLET": "x64-windows-static",
-        "BUILD_GUI": "ON"
+        "BUILD_GUI": "ON",
+        "WITH_ZMQ": "ON"
       }
     },
     {

COPYING

@@ -1,7 +1,7 @@
 The MIT License (MIT)
 
-Copyright (c) 2009-2025 The Bitcoin Core developers
-Copyright (c) 2009-2025 Bitcoin Developers
+Copyright (c) 2009-2026 The Bitcoin Core developers
+Copyright (c) 2009-2026 Bitcoin Developers
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

ci/README.md

@@ -20,11 +20,30 @@ requires `bash`, `docker`, and `python3` to be installed. To run on different ar
 sudo apt install bash docker.io python3 qemu-user-static
 ```
 
-It is recommended to run the ci system in a clean env. To run the test stage
-with a specific configuration,
+For some sanitizer builds, the kernel's address-space layout randomization
+(ASLR) entropy can cause sanitizer shadow memory mappings to fail. When running
+the CI locally you may need to reduce that entropy by running:
 
 ```
-env -i HOME="$HOME" PATH="$PATH" USER="$USER" bash -c 'FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh'
+sudo sysctl -w vm.mmap_rnd_bits=28
+```
+
+To run a test that requires emulating a CPU architecture different from the
+host, we may rely on the container environment recognizing foreign executables
+and automatically running them using `qemu`. The following sets us up to do so
+(also works for `podman`):
+
+```
+docker run --rm --privileged docker.io/multiarch/qemu-user-static --reset -p yes
+```
+
+It is recommended to run the CI system in a clean environment. The `env -i`
+command below ensures that *only* specified environment variables are propagated
+into the local CI.
+To run the test stage with a specific configuration:
+
+```
+env -i HOME="$HOME" PATH="$PATH" USER="$USER" FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh
 ```
 
 ## Configurations
@@ -43,7 +62,7 @@ It is also possible to force a specific configuration without modifying the
 file. For example,
 
 ```
-env -i HOME="$HOME" PATH="$PATH" USER="$USER" bash -c 'MAKEJOBS="-j1" FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh'
+env -i HOME="$HOME" PATH="$PATH" USER="$USER" MAKEJOBS="-j1" FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh
 ```
 
 The files starting with `0n` (`n` greater than 0) are the scripts that are run

ci/lint/01_install.sh

@@ -18,7 +18,8 @@ ${CI_RETRY_EXE} apt-get update
 # - curl/xz-utils (to install shellcheck)
 # - git (used in many lint scripts)
 # - gpg (used by verify-commits)
-${CI_RETRY_EXE} apt-get install -y cargo curl xz-utils git gpg
+# - moreutils (used by scripted-diff)
+${CI_RETRY_EXE} apt-get install -y cargo curl xz-utils git gpg moreutils
 
 PYTHON_PATH="/python_build"
 if [ ! -d "${PYTHON_PATH}/bin" ]; then
@@ -39,12 +40,11 @@ command -v python3
 python3 --version
 
 ${CI_RETRY_EXE} pip3 install \
-  codespell==2.4.1 \
   lief==0.16.6 \
-  mypy==1.4.1 \
-  pyzmq==25.1.0 \
-  ruff==0.5.5 \
-  vulture==2.6
+  mypy==1.18.2 \
+  pyzmq==27.1.0 \
+  ruff==0.13.2 \
+  vulture==2.14
 
 SHELLCHECK_VERSION=v0.11.0
 curl -sL "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | \

ci/lint/06_script.sh

@@ -6,19 +6,19 @@
 
 export LC_ALL=C
 
-set -ex
+set -o errexit -o pipefail -o xtrace
 
-if [ -n "$CIRRUS_PR" ]; then
+if [ -n "${LINT_CI_IS_PR}" ]; then
   export COMMIT_RANGE="HEAD~..HEAD"
   if [ "$(git rev-list -1 HEAD)" != "$(git rev-list -1 --merges HEAD)" ]; then
-    echo "Error: The top commit must be a merge commit, usually the remote 'pull/${PR_NUMBER}/merge' branch."
+    echo "Error: The top commit must be a merge commit, usually the remote 'pull/<PR_NUMBER>/merge' branch."
     false
   fi
 fi
 
 RUST_BACKTRACE=1 cargo run --manifest-path "./test/lint/test_runner/Cargo.toml"
 
-if [ "$CIRRUS_REPO_FULL_NAME" = "bitcoin/bitcoin" ] && [ "$CIRRUS_PR" = "" ] ; then
+if [ "${LINT_CI_SANITY_CHECK_COMMIT_SIG}" = "1" ] ; then
     # Sanity check only the last few commits to get notified of missing sigs,
     # missing keys, or expired keys. Usually there is only one new merge commit
     # per push on the master branch and a few commits on release branches, so

ci/test/00_setup_env.sh

@@ -6,7 +6,7 @@
 
 export LC_ALL=C.UTF-8
 
-set -ex
+set -o errexit -o pipefail -o xtrace
 
 # The source root dir, usually from git, usually read-only.
 # The ci system copies this folder.
@@ -22,9 +22,6 @@ export DEPENDS_DIR=${DEPENDS_DIR:-$BASE_ROOT_DIR/depends}
 # A folder for the ci system to put temporary files (build result, datadirs for tests, ...)
 # This folder only exists on the ci guest.
 export BASE_SCRATCH_DIR=${BASE_SCRATCH_DIR:-$BASE_ROOT_DIR/ci/scratch}
-# A folder for the ci system to put executables.
-# This folder only exists on the ci guest.
-export BINS_SCRATCH_DIR="${BASE_SCRATCH_DIR}/bins/"
 
 echo "Setting specific values in env"
 if [ -n "${FILE_ENV}" ]; then
@@ -36,8 +33,6 @@ fi
 echo "Fallback to default values in env (if not yet set)"
 # The number of parallel jobs to pass down to make and test_runner.py
 export MAKEJOBS=${MAKEJOBS:--j$(if command -v nproc > /dev/null 2>&1; then nproc; else sysctl -n hw.logicalcpu; fi)}
-# Whether to prefer BusyBox over GNU utilities
-export USE_BUSY_BOX=${USE_BUSY_BOX:-false}
 
 export RUN_UNIT_TESTS=${RUN_UNIT_TESTS:-true}
 export RUN_FUNCTIONAL_TESTS=${RUN_FUNCTIONAL_TESTS:-true}
@@ -64,7 +59,7 @@ export BASE_OUTDIR=${BASE_OUTDIR:-$BASE_SCRATCH_DIR/out}
 # The folder for previous release binaries.
 # This folder exists only on the ci guest, and on the ci host as a volume.
 export PREVIOUS_RELEASES_DIR=${PREVIOUS_RELEASES_DIR:-$BASE_ROOT_DIR/prev_releases}
-export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkgconf curl ca-certificates ccache python3 rsync git procps bison e2fsprogs cmake ninja-build}
+export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkgconf curl ca-certificates ccache python3-dev rsync git procps bison e2fsprogs cmake ninja-build}
 export GOAL=${GOAL:-install}
 export DIR_QA_ASSETS=${DIR_QA_ASSETS:-${BASE_SCRATCH_DIR}/qa-assets}
 export CI_RETRY_EXE=${CI_RETRY_EXE:-"retry --"}

ci/test/00_setup_env_arm.sh

@@ -8,15 +8,16 @@ export LC_ALL=C.UTF-8
 
 export HOST=arm-linux-gnueabihf
 export DPKG_ADD_ARCH="armhf"
-export PACKAGES="python3-zmq g++-arm-linux-gnueabihf busybox libc6:armhf libstdc++6:armhf libfontconfig1:armhf libxcb1:armhf"
+export PACKAGES="python3-zmq g++-arm-linux-gnueabihf libc6:armhf libstdc++6:armhf libfontconfig1:armhf libxcb1:armhf"
 export CONTAINER_NAME=ci_arm_linux
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"  # Check that https://packages.ubuntu.com/noble/g++-arm-linux-gnueabihf (version 13.x, similar to guix) can cross-compile
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # Check that https://packages.debian.org/trixie/g++-arm-linux-gnueabihf (version 14.x, similar to guix) can cross-compile
 export CI_IMAGE_PLATFORM="linux/arm64"
-export USE_BUSY_BOX=true
-export RUN_UNIT_TESTS=true
-export RUN_FUNCTIONAL_TESTS=false
 export GOAL="install"
 export CI_LIMIT_STACK_SIZE=1
 # -Wno-psabi is to disable ABI warnings: "note: parameter passing for argument of type ... changed in GCC 7.1"
 # This could be removed once the ABI change warning does not show up by default
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON -DCMAKE_CXX_FLAGS='-Wno-psabi -Wno-error=maybe-uninitialized'"
+export BITCOIN_CONFIG=" \
+  --preset=dev-mode \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_CXX_FLAGS='-Wno-psabi -Wno-error=maybe-uninitialized' \
+"

ci/test/00_setup_env_i686_no_ipc.sh

@@ -8,13 +8,16 @@ export LC_ALL=C.UTF-8
 
 export HOST=i686-pc-linux-gnu
 export CONTAINER_NAME=ci_i686_no_multiprocess
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CI_IMAGE_PLATFORM="linux/amd64"
 export PACKAGES="llvm clang g++-multilib"
 export DEP_OPTS="DEBUG=1 NO_IPC=1"
 export GOAL="install"
+export CI_LIMIT_STACK_SIZE=1
 export TEST_RUNNER_EXTRA="--v2transport --usecli"
 export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DENABLE_IPC=OFF \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_COMPILER='clang;-m32' \
  -DCMAKE_CXX_COMPILER='clang++;-m32' \

ci/test/00_setup_env_mac_cross.sh

@@ -9,12 +9,16 @@ export LC_ALL=C.UTF-8
 export SDK_URL=${SDK_URL:-https://bitcoincore.org/depends-sources/sdks}
 
 export CONTAINER_NAME=ci_macos_cross
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
-export HOST=x86_64-apple-darwin
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie" # Check that https://packages.debian.org/trixie/clang (version 19, similar to guix) can cross-compile
+export HOST=arm64-apple-darwin
 export PACKAGES="clang lld llvm zip"
 export XCODE_VERSION=15.0
 export XCODE_BUILD_ID=15A240d
 export RUN_UNIT_TESTS=false
 export RUN_FUNCTIONAL_TESTS=false
 export GOAL="deploy"
-export BITCOIN_CONFIG="-DBUILD_GUI=ON -DREDUCE_EXPORTS=ON"
+export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DWITH_USDT=OFF \
+ -DREDUCE_EXPORTS=ON \
+"

ci/test/00_setup_env_mac_cross_intel.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export SDK_URL=${SDK_URL:-https://bitcoincore.org/depends-sources/sdks}
+
+export CONTAINER_NAME=ci_macos_cross_intel
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie" # Check that https://packages.debian.org/trixie/clang (version 19, similar to guix) can cross-compile
+export HOST=x86_64-apple-darwin
+export PACKAGES="clang lld llvm zip"
+export XCODE_VERSION=15.0
+export XCODE_BUILD_ID=15A240d
+export RUN_UNIT_TESTS=false
+export RUN_FUNCTIONAL_TESTS=false
+export GOAL="deploy"
+export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DWITH_USDT=OFF \
+ -DREDUCE_EXPORTS=ON \
+"

ci/test/00_setup_env_mac_native.sh

@@ -6,14 +6,17 @@
 
 export LC_ALL=C.UTF-8
 
-# Homebrew's python@3.12 is marked as externally managed (PEP 668).
-# Therefore, `--break-system-packages` is needed.
 export CONTAINER_NAME="ci_mac_native"  # macos does not use a container, but the env var is needed for logging
-export PIP_PACKAGES="--break-system-packages zmq"
+export PIP_PACKAGES="--break-system-packages pycapnp zmq"
 export GOAL="install deploy"
 export CMAKE_GENERATOR="Ninja"
-export BITCOIN_CONFIG="-DBUILD_GUI=ON -DWITH_ZMQ=ON -DREDUCE_EXPORTS=ON -DCMAKE_EXE_LINKER_FLAGS='-Wl,-stack_size -Wl,0x80000'"
 export CI_OS_NAME="macos"
 export NO_DEPENDS=1
 export OSX_SDK=""
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DWITH_USDT=OFF \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_EXE_LINKER_FLAGS='-Wl,-stack_size -Wl,0x80000' \
+"
 export BITCOIN_CMD="bitcoin -m" # Used in functional tests

ci/test/00_setup_env_mac_native_fuzz.sh

@@ -8,7 +8,7 @@ export LC_ALL=C.UTF-8
 
 export CONTAINER_NAME="ci_mac_native_fuzz"  # macos does not use a container, but the env var is needed for logging
 export CMAKE_GENERATOR="Ninja"
-export BITCOIN_CONFIG="-DBUILD_FOR_FUZZING=ON -DCMAKE_EXE_LINKER_FLAGS='-Wl,-stack_size -Wl,0x80000'"
+export BITCOIN_CONFIG="-DBUILD_FOR_FUZZING=ON -DCMAKE_EXE_LINKER_FLAGS='-Wl,-stack_size -Wl,0x80000' -DAPPEND_CPPFLAGS='-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG'"
 export CI_OS_NAME="macos"
 export NO_DEPENDS=1
 export OSX_SDK=""

ci/test/00_setup_env_native_alpine_musl.sh

@@ -6,15 +6,14 @@
 
 export LC_ALL=C.UTF-8
 
-export CONTAINER_NAME=ci_native_centos
-export CI_IMAGE_NAME_TAG="quay.io/centos/centos:stream10"
-export CI_BASE_PACKAGES="gcc-c++ glibc-devel libstdc++-devel ccache make ninja-build git python3 python3-pip which patch xz procps-ng rsync coreutils bison e2fsprogs cmake dash"
-export PIP_PACKAGES="pyzmq pycapnp"
+export CONTAINER_NAME=ci_native_alpine_musl
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/alpine:3.22"
+export CI_BASE_PACKAGES="build-base musl-dev pkgconf curl ccache make ninja git python3-dev py3-pip which patch xz procps rsync util-linux bison e2fsprogs cmake dash linux-headers"
+export PIP_PACKAGES="--break-system-packages pyzmq pycapnp"
 export DEP_OPTS="DEBUG=1"
 export GOAL="install"
 export BITCOIN_CONFIG="\
- -DWITH_ZMQ=ON \
- -DBUILD_GUI=ON \
+ --preset=dev-mode \
  -DREDUCE_EXPORTS=ON \
  -DCMAKE_BUILD_TYPE=Debug \
 "

ci/test/00_setup_env_native_asan.sh

@@ -20,18 +20,19 @@ fi
 
 export CONTAINER_NAME=ci_native_asan
 export APT_LLVM_V="21"
-export PACKAGES="systemtap-sdt-dev clang-${APT_LLVM_V} llvm-${APT_LLVM_V} libclang-rt-${APT_LLVM_V}-dev python3-zmq qt6-base-dev qt6-tools-dev qt6-l10n-tools libevent-dev libboost-dev libzmq3-dev libqrencode-dev libsqlite3-dev ${BPFCC_PACKAGE} libcapnp-dev capnproto python3-pip"
+export PACKAGES="systemtap-sdt-dev clang-${APT_LLVM_V} llvm-${APT_LLVM_V} libclang-rt-${APT_LLVM_V}-dev mold python3-zmq qt6-base-dev qt6-tools-dev qt6-l10n-tools libevent-dev libboost-dev libzmq3-dev libqrencode-dev libsqlite3-dev ${BPFCC_PACKAGE} libcapnp-dev capnproto python3-pip"
 export PIP_PACKAGES="--break-system-packages pycapnp"
 export NO_DEPENDS=1
 export GOAL="install"
 export CI_LIMIT_STACK_SIZE=1
 export BITCOIN_CONFIG="\
- -DWITH_USDT=ON -DWITH_ZMQ=ON -DBUILD_GUI=ON \
+ --preset=dev-mode \
  -DSANITIZERS=address,float-divide-by-zero,integer,undefined \
  -DCMAKE_C_COMPILER=clang \
  -DCMAKE_CXX_COMPILER=clang++ \
  -DCMAKE_C_FLAGS='-ftrivial-auto-var-init=pattern' \
  -DCMAKE_CXX_FLAGS='-ftrivial-auto-var-init=pattern' \
+ -DCMAKE_EXE_LINKER_FLAGS='-fuse-ld=mold' \
  -DAPPEND_CXXFLAGS='-std=c++23' \
  -DAPPEND_CPPFLAGS='-DARENA_DEBUG -DDEBUG_LOCKORDER' \
 "

ci/test/00_setup_env_native_fuzz_with_msan.sh

@@ -7,12 +7,15 @@
 export LC_ALL=C.UTF-8
 
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export APT_LLVM_V="21"
 LIBCXX_DIR="/cxx_build/"
 export MSAN_FLAGS="-fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O1 -fno-optimize-sibling-calls"
-LIBCXX_FLAGS="-nostdinc++ -nostdlib++ -isystem ${LIBCXX_DIR}include/c++/v1 -L${LIBCXX_DIR}lib -Wl,-rpath,${LIBCXX_DIR}lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument"
+# -lstdc++ to resolve link issues due to upstream packaging
+LIBCXX_FLAGS="-nostdinc++ -nostdlib++ -isystem ${LIBCXX_DIR}include/c++/v1 -L${LIBCXX_DIR}lib -Wl,-rpath,${LIBCXX_DIR}lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument -lstdc++"
 export MSAN_AND_LIBCXX_FLAGS="${MSAN_FLAGS} ${LIBCXX_FLAGS}"
 
 export CONTAINER_NAME="ci_native_fuzz_msan"
+export PACKAGES="clang-${APT_LLVM_V} llvm-${APT_LLVM_V} llvm-${APT_LLVM_V}-dev libclang-${APT_LLVM_V}-dev libclang-rt-${APT_LLVM_V}-dev"
 export DEP_OPTS="DEBUG=1 NO_QT=1 CC=clang CXX=clang++ CFLAGS='${MSAN_FLAGS}' CXXFLAGS='${MSAN_AND_LIBCXX_FLAGS}'"
 export GOAL="all"
 # Setting CMAKE_{C,CXX}_FLAGS_DEBUG flags to an empty string ensures that the flags set in MSAN_FLAGS remain unaltered.
@@ -22,7 +25,7 @@ export BITCOIN_CONFIG="\
  -DCMAKE_C_FLAGS_DEBUG='' \
  -DCMAKE_CXX_FLAGS_DEBUG='' \
  -DBUILD_FOR_FUZZING=ON \
- -DSANITIZERS=fuzzer,memory \
+ -DSANITIZERS=memory \
  -DAPPEND_CPPFLAGS='-DBOOST_MULTI_INDEX_ENABLE_SAFE_MODE -U_FORTIFY_SOURCE' \
 "
 export USE_INSTRUMENTED_LIBCPP="MemoryWithOrigins"

ci/test/00_setup_env_native_fuzz_with_valgrind.sh

@@ -6,7 +6,7 @@
 
 export LC_ALL=C.UTF-8
 
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CONTAINER_NAME=ci_native_fuzz_valgrind
 export PACKAGES="libevent-dev libboost-dev libsqlite3-dev valgrind libcapnp-dev capnproto"
 export NO_DEPENDS=1

ci/test/00_setup_env_native_iwyu.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # To build codegen, CMake must be 3.31 or newer.
+export CONTAINER_NAME=ci_native_iwyu
+export TIDY_LLVM_V="21"
+export APT_LLVM_V="${TIDY_LLVM_V}"
+export PACKAGES="clang-${TIDY_LLVM_V} clang-format-${TIDY_LLVM_V} libclang-${TIDY_LLVM_V}-dev llvm-${TIDY_LLVM_V}-dev jq libevent-dev libboost-dev libzmq3-dev systemtap-sdt-dev qt6-base-dev qt6-tools-dev qt6-l10n-tools libqrencode-dev libsqlite3-dev libcapnp-dev capnproto"
+export NO_DEPENDS=1
+export RUN_UNIT_TESTS=false
+export RUN_FUNCTIONAL_TESTS=false
+export RUN_FUZZ_TESTS=false
+export RUN_CHECK_DEPS=false
+export RUN_IWYU=true
+export GOAL="codegen"
+export BITCOIN_CONFIG="\
+ --preset dev-mode -DBUILD_GUI=OFF \
+ -DCMAKE_C_COMPILER=clang-${TIDY_LLVM_V} \
+ -DCMAKE_CXX_COMPILER=clang++-${TIDY_LLVM_V} \
+"

ci/test/00_setup_env_native_msan.sh

@@ -22,6 +22,8 @@ export CI_LIMIT_STACK_SIZE=1
 # Setting CMAKE_{C,CXX}_FLAGS_DEBUG flags to an empty string ensures that the flags set in MSAN_FLAGS remain unaltered.
 # _FORTIFY_SOURCE is not compatible with MSAN.
 export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DBUILD_GUI=OFF \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_FLAGS_DEBUG='' \
  -DCMAKE_CXX_FLAGS_DEBUG='' \

ci/test/00_setup_env_native_nowallet.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export CONTAINER_NAME=ci_native_nowallet
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+# Use minimum supported python3.10 (or best-effort 3.12) and clang-17, see doc/dependencies.md
+export PACKAGES="python3-zmq python3-pip clang-17 llvm-17 libc++abi-17-dev libc++-17-dev"
+export PIP_PACKAGES="--break-system-packages pycapnp"
+export DEP_OPTS="NO_WALLET=1 CC=clang-17 CXX='clang++-17 -stdlib=libc++'"
+export GOAL="install"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DREDUCE_EXPORTS=ON \
+  -DENABLE_WALLET=OFF \
+"

ci/test/00_setup_env_native_nowallet_libbitcoinkernel.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2019-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-
-export CONTAINER_NAME=ci_native_nowallet_libbitcoinkernel
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:bookworm"
-# Use minimum supported python3.10 (or best-effort 3.11) and clang-16, see doc/dependencies.md
-export PACKAGES="python3-zmq python3-pip clang-16 llvm-16 libc++abi-16-dev libc++-16-dev"
-export PIP_PACKAGES="--break-system-packages pycapnp"
-export DEP_OPTS="NO_WALLET=1 CC=clang-16 CXX='clang++-16 -stdlib=libc++'"
-export GOAL="install"
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON -DBUILD_UTIL_CHAINSTATE=ON -DBUILD_KERNEL_LIB=ON -DBUILD_SHARED_LIBS=ON"

ci/test/00_setup_env_native_previous_releases.sh

@@ -8,15 +8,16 @@ export LC_ALL=C.UTF-8
 
 export CONTAINER_NAME=ci_native_previous_releases
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:22.04"
-# Use minimum supported python3.10 and gcc-11, see doc/dependencies.md
-export PACKAGES="gcc-11 g++-11 python3-zmq"
-export DEP_OPTS="CC=gcc-11 CXX=g++-11"
+# Use minimum supported python3.10 and gcc-12, see doc/dependencies.md
+export PACKAGES="gcc-12 g++-12 python3-zmq"
+export DEP_OPTS="CC=gcc-12 CXX=g++-12"
 export TEST_RUNNER_EXTRA="--previous-releases --coverage --extended --exclude feature_dbcrash"  # Run extended tests so that coverage does not fail, but exclude the very slow dbcrash
 export GOAL="install"
 export CI_LIMIT_STACK_SIZE=1
 export DOWNLOAD_PREVIOUS_RELEASES="true"
 export BITCOIN_CONFIG="\
- -DWITH_ZMQ=ON -DBUILD_GUI=ON -DREDUCE_EXPORTS=ON \
+ --preset=dev-mode \
+ -DREDUCE_EXPORTS=ON \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_FLAGS='-funsigned-char' \
  -DCMAKE_C_FLAGS_DEBUG='-g2 -O2' \

ci/test/00_setup_env_native_tidy.sh

@@ -8,7 +8,7 @@ export LC_ALL=C.UTF-8
 
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
 export CONTAINER_NAME=ci_native_tidy
-export TIDY_LLVM_V="20"
+export TIDY_LLVM_V="21"
 export APT_LLVM_V="${TIDY_LLVM_V}"
 export PACKAGES="clang-${TIDY_LLVM_V} libclang-${TIDY_LLVM_V}-dev llvm-${TIDY_LLVM_V}-dev libomp-${TIDY_LLVM_V}-dev clang-tidy-${TIDY_LLVM_V} jq libevent-dev libboost-dev libzmq3-dev systemtap-sdt-dev qt6-base-dev qt6-tools-dev qt6-l10n-tools libqrencode-dev libsqlite3-dev libcapnp-dev capnproto"
 export NO_DEPENDS=1
@@ -19,7 +19,7 @@ export RUN_CHECK_DEPS=true
 export RUN_TIDY=true
 export GOAL="install"
 export BITCOIN_CONFIG="\
- -DWITH_ZMQ=ON -DBUILD_GUI=ON -DBUILD_BENCH=ON -DWITH_USDT=ON \
+ --preset dev-mode \
  -DCMAKE_C_COMPILER=clang-${TIDY_LLVM_V} \
  -DCMAKE_CXX_COMPILER=clang++-${TIDY_LLVM_V} \
  -DCMAKE_C_FLAGS_RELWITHDEBINFO='-O0 -g0' \

ci/test/00_setup_env_native_tsan.sh

@@ -16,6 +16,10 @@ export PIP_PACKAGES="--break-system-packages pycapnp"
 export DEP_OPTS="CC=clang CXX=clang++ CXXFLAGS='${LIBCXX_FLAGS}' NO_QT=1"
 export GOAL="install"
 export CI_LIMIT_STACK_SIZE=1
-export BITCOIN_CONFIG="-DWITH_ZMQ=ON -DSANITIZERS=thread \
--DAPPEND_CPPFLAGS='-DARENA_DEBUG -DDEBUG_LOCKCONTENTION -D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES'"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DBUILD_GUI=OFF \
+  -DSANITIZERS=thread \
+  -DAPPEND_CPPFLAGS='-DARENA_DEBUG -DDEBUG_LOCKCONTENTION -D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES' \
+"
 export USE_INSTRUMENTED_LIBCPP="Thread"

ci/test/00_setup_env_native_valgrind.sh

@@ -6,16 +6,18 @@
 
 export LC_ALL=C.UTF-8
 
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CONTAINER_NAME=ci_native_valgrind
 export PACKAGES="valgrind python3-zmq libevent-dev libboost-dev libzmq3-dev libsqlite3-dev libcapnp-dev capnproto python3-pip"
 export PIP_PACKAGES="--break-system-packages pycapnp"
 export USE_VALGRIND=1
 export NO_DEPENDS=1
 # bind tests excluded for now, see https://github.com/bitcoin/bitcoin/issues/17765#issuecomment-602068547
-export TEST_RUNNER_EXTRA="--exclude rpc_bind,feature_bind_extra"
+export TEST_RUNNER_EXTRA="--exclude rpc_bind --exclude feature_bind_extra"
 export GOAL="install"
 # TODO enable GUI
 export BITCOIN_CONFIG="\
- -DWITH_ZMQ=ON -DBUILD_GUI=OFF \
+  --preset=dev-mode \
+ -DBUILD_GUI=OFF \
+ -DWITH_USDT=OFF \
 "

ci/test/00_setup_env_s390x.sh

@@ -9,9 +9,13 @@ export LC_ALL=C.UTF-8
 export HOST=s390x-linux-gnu
 export PACKAGES="python3-zmq"
 export CONTAINER_NAME=ci_s390x
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CI_IMAGE_PLATFORM="linux/s390x"
-export TEST_RUNNER_EXTRA="--exclude rpc_bind,feature_bind_extra"  # Excluded for now, see https://github.com/bitcoin/bitcoin/issues/17765#issuecomment-602068547
+# bind tests excluded for now, see https://github.com/bitcoin/bitcoin/issues/17765#issuecomment-602068547
+export TEST_RUNNER_EXTRA="--exclude rpc_bind --exclude feature_bind_extra"
 export RUN_FUNCTIONAL_TESTS=true
 export GOAL="install"
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DREDUCE_EXPORTS=ON \
+"

ci/test/00_setup_env_win64.sh

@@ -1,18 +1,22 @@
 #!/usr/bin/env bash
 #
-# Copyright (c) 2019-present The Bitcoin Core developers
+# Copyright (c) 2025-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 export LC_ALL=C.UTF-8
 
 export CONTAINER_NAME=ci_win64
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"  # Check that https://packages.ubuntu.com/noble/g++-mingw-w64-x86-64-posix (version 13.x, similar to guix) can cross-compile
-export CI_IMAGE_PLATFORM="linux/amd64"
-export HOST=x86_64-w64-mingw32
-export PACKAGES="g++-mingw-w64-x86-64-posix nsis"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # Check that https://packages.debian.org/trixie/g++-mingw-w64-ucrt64 can cross-compile
+export HOST=x86_64-w64-mingw32ucrt
+export PACKAGES="g++-mingw-w64-ucrt64 nsis"
 export RUN_UNIT_TESTS=false
 export RUN_FUNCTIONAL_TESTS=false
 export GOAL="deploy"
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON -DBUILD_GUI_TESTS=OFF \
--DCMAKE_CXX_FLAGS='-Wno-error=maybe-uninitialized'"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DENABLE_IPC=OFF \
+  -DWITH_USDT=OFF \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_CXX_FLAGS='-Wno-error=maybe-uninitialized' \
+"

ci/test/00_setup_env_win64_msvcrt.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export CONTAINER_NAME=ci_win64_msvcrt
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # Check that https://packages.debian.org/trixie/g++-mingw-w64-x86-64-posix (version 14.x, similar to guix) can cross-compile
+export HOST=x86_64-w64-mingw32
+export PACKAGES="g++-mingw-w64-x86-64-posix nsis"
+export RUN_UNIT_TESTS=false
+export RUN_FUNCTIONAL_TESTS=false
+export GOAL="deploy"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DENABLE_IPC=OFF \
+  -DWITH_USDT=OFF \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_CXX_FLAGS='-Wno-error=maybe-uninitialized' \
+"

ci/test/01_base_install.sh

@@ -32,16 +32,17 @@ if [ -n "${APT_LLVM_V}" ]; then
   )
 fi
 
-if [[ $CI_IMAGE_NAME_TAG == *centos* ]]; then
-  bash -c "dnf -y install epel-release"
-  # The ninja-build package is available in the CRB repository.
-  bash -c "dnf -y --allowerasing --enablerepo crb install $CI_BASE_PACKAGES $PACKAGES"
+if [[ $CI_IMAGE_NAME_TAG == *alpine* ]]; then
+  ${CI_RETRY_EXE} apk update
+  # shellcheck disable=SC2086
+  ${CI_RETRY_EXE} apk add --no-cache $CI_BASE_PACKAGES $PACKAGES
 elif [ "$CI_OS_NAME" != "macos" ]; then
   if [[ -n "${APPEND_APT_SOURCES_LIST}" ]]; then
     echo "${APPEND_APT_SOURCES_LIST}" >> /etc/apt/sources.list
   fi
   ${CI_RETRY_EXE} apt-get update
-  ${CI_RETRY_EXE} bash -c "apt-get install --no-install-recommends --no-upgrade -y $PACKAGES $CI_BASE_PACKAGES"
+  # shellcheck disable=SC2086
+  ${CI_RETRY_EXE} apt-get install --no-install-recommends --no-upgrade -y $PACKAGES $CI_BASE_PACKAGES
 fi
 
 if [ -n "${APT_LLVM_V}" ]; then
@@ -56,25 +57,7 @@ if [ -n "$PIP_PACKAGES" ]; then
 fi
 
 if [[ -n "${USE_INSTRUMENTED_LIBCPP}" ]]; then
-  if [ -n "${APT_LLVM_V}" ]; then
-    ${CI_RETRY_EXE} git clone --depth=1 https://github.com/llvm/llvm-project -b "llvmorg-$( clang --version | sed --silent 's@.*clang version \([0-9.]*\).*@\1@p' )" /llvm-project
-  else
-    ${CI_RETRY_EXE} git clone --depth=1 https://github.com/llvm/llvm-project -b "llvmorg-21.1.0" /llvm-project
-
-    cmake -G Ninja -B /clang_build/ \
-      -DLLVM_ENABLE_PROJECTS="clang" \
-      -DCMAKE_BUILD_TYPE=Release \
-      -DLLVM_TARGETS_TO_BUILD=Native \
-      -DLLVM_ENABLE_RUNTIMES="compiler-rt;libcxx;libcxxabi;libunwind" \
-      -S /llvm-project/llvm
-
-    ninja -C /clang_build/ "$MAKEJOBS"
-    ninja -C /clang_build/ install-runtimes
-
-    update-alternatives --install /usr/bin/clang++ clang++ /clang_build/bin/clang++ 100
-    update-alternatives --install /usr/bin/clang clang /clang_build/bin/clang 100
-    update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer /clang_build/bin/llvm-symbolizer 100
-  fi
+  ${CI_RETRY_EXE} git clone --depth=1 https://github.com/llvm/llvm-project -b "llvmorg-21.1.5" /llvm-project
 
   cmake -G Ninja -B /cxx_build/ \
     -DLLVM_ENABLE_RUNTIMES="libcxx;libcxxabi;libunwind" \
@@ -96,8 +79,9 @@ if [[ -n "${USE_INSTRUMENTED_LIBCPP}" ]]; then
   rm -rf /llvm-project
 fi
 
-if [[ "${RUN_TIDY}" == "true" ]]; then
+if [[ "${RUN_IWYU}" == true ]]; then
   ${CI_RETRY_EXE} git clone --depth=1 https://github.com/include-what-you-use/include-what-you-use -b clang_"${TIDY_LLVM_V}" /include-what-you-use
+  (cd /include-what-you-use && patch -p1 < /ci_container_base/ci/test/01_iwyu.patch)
   cmake -B /iwyu-build/ -G 'Unix Makefiles' -DCMAKE_PREFIX_PATH=/usr/lib/llvm-"${TIDY_LLVM_V}" -S /include-what-you-use
   make -C /iwyu-build/ install "$MAKEJOBS"
 fi
@@ -107,7 +91,7 @@ mkdir -p "${DEPENDS_DIR}/SDKs" "${DEPENDS_DIR}/sdk-sources"
 OSX_SDK_BASENAME="Xcode-${XCODE_VERSION}-${XCODE_BUILD_ID}-extracted-SDK-with-libcxx-headers"
 
 if [ -n "$XCODE_VERSION" ] && [ ! -d "${DEPENDS_DIR}/SDKs/${OSX_SDK_BASENAME}" ]; then
-  OSX_SDK_FILENAME="${OSX_SDK_BASENAME}.tar.gz"
+  OSX_SDK_FILENAME="${OSX_SDK_BASENAME}.tar"
   OSX_SDK_PATH="${DEPENDS_DIR}/sdk-sources/${OSX_SDK_FILENAME}"
   if [ ! -f "$OSX_SDK_PATH" ]; then
     ${CI_RETRY_EXE} curl --location --fail "${SDK_URL}/${OSX_SDK_FILENAME}" -o "$OSX_SDK_PATH"

ci/test/01_iwyu.patch

@@ -0,0 +1,600 @@
+Prefer angled brackets over quotes for include directives.
+See: https://en.cppreference.com/w/cpp/preprocessor/include.html.
+
+--- a/iwyu_path_util.cc
++++ b/iwyu_path_util.cc
+@@ -211,7 +211,7 @@ bool IsQuotedInclude(const string& s) {
+ }
+
+ string AddQuotes(string include_name, bool angled) {
+-  if (angled) {
++  if (true) {
+       return "<" + include_name + ">";
+   }
+   return "\"" + include_name + "\"";
+
+
+Prefer C++ headers over C counterparts.
+See: https://github.com/include-what-you-use/include-what-you-use/blob/clang_21/iwyu_include_picker.cc#L587-L629.
+
+--- a/iwyu_include_picker.cc
++++ b/iwyu_include_picker.cc
+@@ -100,20 +100,20 @@ const IncludeMapEntry libc_symbol_map[] = {
+   // equal.  The visibility on the symbol-name is ignored; by convention
+   // we always set it to kPrivate.
+   { "_POSIX_VDISABLE", kPrivate, "<unistd.h>", kPublic },
+-  { "abort", kPrivate, "<stdlib.h>", kPublic },
++  { "abort", kPrivate, "<stdlib.h>", kPrivate },
+   { "aiocb", kPrivate, "<aio.h>", kPublic },
+   { "blkcnt_t", kPrivate, "<sys/types.h>", kPublic },
+   { "blksize_t", kPrivate, "<sys/types.h>", kPublic },
+   { "cc_t", kPrivate, "<termios.h>", kPublic },
+-  { "clock_t", kPrivate, "<time.h>", kPublic },
++  { "clock_t", kPrivate, "<time.h>", kPrivate },
+   { "clock_t", kPrivate, "<sys/types.h>", kPublic },
+   { "clockid_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "ctermid", kPrivate, "<stdio.h>", kPublic },
++  { "ctermid", kPrivate, "<stdio.h>", kPrivate },
+   { "daddr_t", kPrivate, "<sys/types.h>", kPublic },
+   { "dev_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "div_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "double_t", kPrivate, "<math.h>", kPublic },
+-  { "error_t", kPrivate, "<errno.h>", kPublic },
++  { "div_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "double_t", kPrivate, "<math.h>", kPrivate },
++  { "error_t", kPrivate, "<errno.h>", kPrivate },
+   { "error_t", kPrivate, "<argp.h>", kPublic },
+   { "error_t", kPrivate, "<argz.h>", kPublic },
+   { "FD_CLR", kPrivate, "<sys/select.h>", kPublic },
+@@ -122,10 +122,10 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "fd_set", kPrivate, "<sys/select.h>", kPublic },
+   { "FD_SETSIZE", kPrivate, "<sys/select.h>", kPublic },
+   { "FD_ZERO", kPrivate, "<sys/select.h>", kPublic },
+-  { "fenv_t", kPrivate, "<fenv.h>", kPublic },
+-  { "fexcept_t", kPrivate, "<fenv.h>", kPublic },
+-  { "FILE", kPrivate, "<stdio.h>", kPublic },
+-  { "float_t", kPrivate, "<math.h>", kPublic },
++  { "fenv_t", kPrivate, "<fenv.h>", kPrivate },
++  { "fexcept_t", kPrivate, "<fenv.h>", kPrivate },
++  { "FILE", kPrivate, "<stdio.h>", kPrivate },
++  { "float_t", kPrivate, "<math.h>", kPrivate },
+   { "fsblkcnt_t", kPrivate, "<sys/types.h>", kPublic },
+   { "fsfilcnt_t", kPrivate, "<sys/types.h>", kPublic },
+   { "getopt", kPrivate, "<unistd.h>", kPublic },
+@@ -135,31 +135,31 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "in_addr_t", kPrivate, "<netinet/in.h>", kPublic },
+   { "in_port_t", kPrivate, "<netinet/in.h>", kPublic },
+   { "id_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "imaxdiv_t", kPrivate, "<inttypes.h>", kPublic },
+-  { "intmax_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uintmax_t", kPrivate, "<stdint.h>", kPublic },
++  { "imaxdiv_t", kPrivate, "<inttypes.h>", kPrivate },
++  { "intmax_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uintmax_t", kPrivate, "<stdint.h>", kPrivate },
+   { "ino64_t", kPrivate, "<sys/types.h>", kPublic },
+   { "ino_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "int8_t", kPrivate, "<stdint.h>", kPublic },
+-  { "int16_t", kPrivate, "<stdint.h>", kPublic },
+-  { "int32_t", kPrivate, "<stdint.h>", kPublic },
+-  { "int64_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint8_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint16_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint32_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint64_t", kPrivate, "<stdint.h>", kPublic },
+-  { "intptr_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uintptr_t", kPrivate, "<stdint.h>", kPublic },
++  { "int8_t", kPrivate, "<stdint.h>", kPrivate },
++  { "int16_t", kPrivate, "<stdint.h>", kPrivate },
++  { "int32_t", kPrivate, "<stdint.h>", kPrivate },
++  { "int64_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint8_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint16_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint32_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint64_t", kPrivate, "<stdint.h>", kPrivate },
++  { "intptr_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uintptr_t", kPrivate, "<stdint.h>", kPrivate },
+   { "iovec", kPrivate, "<sys/uio.h>", kPublic },
+-  { "itimerspec", kPrivate, "<time.h>", kPublic },
++  { "itimerspec", kPrivate, "<time.h>", kPrivate },
+   { "key_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "L_ctermid", kPrivate, "<stdio.h>", kPublic },
+-  { "lconv", kPrivate, "<locale.h>", kPublic },
+-  { "ldiv_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "lldiv_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "locale_t", kPrivate, "<locale.h>", kPublic },
+-  { "max_align_t", kPrivate, "<stddef.h>", kPublic },
+-  { "mbstate_t", kPrivate, "<wchar.h>", kPublic },
++  { "L_ctermid", kPrivate, "<stdio.h>", kPrivate },
++  { "lconv", kPrivate, "<locale.h>", kPrivate },
++  { "ldiv_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "lldiv_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "locale_t", kPrivate, "<locale.h>", kPrivate },
++  { "max_align_t", kPrivate, "<stddef.h>", kPrivate },
++  { "mbstate_t", kPrivate, "<wchar.h>", kPrivate },
+   { "mcontext_t", kPrivate, "<ucontext.h>", kPublic },
+   { "mode_t", kPrivate, "<sys/types.h>", kPublic },
+   { "nl_item", kPrivate, "<nl_types.h>", kPublic },
+@@ -175,8 +175,8 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "optind", kPrivate, "<unistd.h>", kPublic },
+   { "optopt", kPrivate, "<unistd.h>", kPublic },
+   { "pid_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "posix_memalign", kPrivate, "<stdlib.h>", kPublic },
+-  { "printf", kPrivate, "<stdio.h>", kPublic },
++  { "posix_memalign", kPrivate, "<stdlib.h>", kPrivate },
++  { "printf", kPrivate, "<stdio.h>", kPrivate },
+   { "pthread_attr_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_cond_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_condattr_t", kPrivate, "<pthread.h>", kPublic },
+@@ -187,7 +187,7 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "pthread_rwlock_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_rwlockattr_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_t", kPrivate, "<pthread.h>", kPublic },
+-  { "ptrdiff_t", kPrivate, "<stddef.h>", kPublic },
++  { "ptrdiff_t", kPrivate, "<stddef.h>", kPrivate },
+   { "regex_t", kPrivate, "<regex.h>", kPublic },
+   { "regmatch_t", kPrivate, "<regex.h>", kPublic },
+   { "regoff_t", kPrivate, "<regex.h>", kPublic },
+@@ -218,51 +218,51 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "SCHED_FIFO", kPrivate, "<sched.h>", kPublic },
+   { "SCHED_OTHER", kPrivate, "<sched.h>", kPublic },
+   { "SCHED_RR", kPrivate, "<sched.h>", kPublic },
+-  { "SEEK_CUR", kPrivate, "<stdio.h>", kPublic },
+-  { "SEEK_END", kPrivate, "<stdio.h>", kPublic },
+-  { "SEEK_SET", kPrivate, "<stdio.h>", kPublic },
+-  { "sig_atomic_t", kPrivate, "<signal.h>", kPublic },
+-  { "sigevent", kPrivate, "<signal.h>", kPublic },
+-  { "siginfo_t", kPrivate, "<signal.h>", kPublic },
+-  { "sigset_t", kPrivate, "<signal.h>", kPublic },
+-  { "sigval", kPrivate, "<signal.h>", kPublic },
++  { "SEEK_CUR", kPrivate, "<stdio.h>", kPrivate },
++  { "SEEK_END", kPrivate, "<stdio.h>", kPrivate },
++  { "SEEK_SET", kPrivate, "<stdio.h>", kPrivate },
++  { "sig_atomic_t", kPrivate, "<signal.h>", kPrivate },
++  { "sigevent", kPrivate, "<signal.h>", kPrivate },
++  { "siginfo_t", kPrivate, "<signal.h>", kPrivate },
++  { "sigset_t", kPrivate, "<signal.h>", kPrivate },
++  { "sigval", kPrivate, "<signal.h>", kPrivate },
+   { "sockaddr", kPrivate, "<sys/socket.h>", kPublic },
+   { "socklen_t", kPrivate, "<sys/socket.h>", kPublic },
+   { "ssize_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "stack_t", kPrivate, "<signal.h>", kPublic },
++  { "stack_t", kPrivate, "<signal.h>", kPrivate },
+   { "stat", kPrivate, "<sys/stat.h>", kPublic },
+   { "suseconds_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "time_t", kPrivate, "<time.h>", kPublic },
++  { "time_t", kPrivate, "<time.h>", kPrivate },
+   { "time_t", kPrivate, "<sys/types.h>", kPublic },
+   { "timer_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "timespec", kPrivate, "<time.h>", kPublic },
++  { "timespec", kPrivate, "<time.h>", kPrivate },
+   { "timeval", kPrivate, "<sys/time.h>", kPublic },
+-  { "tm", kPrivate, "<time.h>", kPublic },
++  { "tm", kPrivate, "<time.h>", kPrivate },
+   { "u_char", kPrivate, "<sys/types.h>", kPublic },
+   { "ucontext_t", kPrivate, "<ucontext.h>", kPublic },
+   { "uid_t", kPrivate, "<sys/types.h>", kPublic },
+   { "useconds_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "wchar_t", kPrivate, "<stddef.h>", kPublic },
+-  { "wctrans_t", kPrivate, "<wctype.h>", kPublic },
+-  { "wctype_t", kPrivate, "<wctype.h>", kPublic },
++  { "wchar_t", kPrivate, "<stddef.h>", kPrivate },
++  { "wctrans_t", kPrivate, "<wctype.h>", kPrivate },
++  { "wctype_t", kPrivate, "<wctype.h>", kPrivate },
+   { "winsize", kPrivate, "<termios.h>", kPublic },
+-  { "wint_t", kPrivate, "<wchar.h>", kPublic },
++  { "wint_t", kPrivate, "<wchar.h>", kPrivate },
+   // It is unspecified if the cname headers provide ::size_t.
+   // <locale.h> is the one header which defines NULL but not size_t.
+-  { "size_t", kPrivate, "<stddef.h>", kPublic },  // 'canonical' location for size_t
+-  { "size_t", kPrivate, "<signal.h>", kPublic },
+-  { "size_t", kPrivate, "<stdio.h>", kPublic },
+-  { "size_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "size_t", kPrivate, "<string.h>", kPublic },
+-  { "size_t", kPrivate, "<time.h>", kPublic },
+-  { "size_t", kPrivate, "<uchar.h>", kPublic },
+-  { "size_t", kPrivate, "<wchar.h>", kPublic },
++  { "size_t", kPrivate, "<stddef.h>", kPrivate },  // 'canonical' location for size_t
++  { "size_t", kPrivate, "<signal.h>", kPrivate },
++  { "size_t", kPrivate, "<stdio.h>", kPrivate },
++  { "size_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "size_t", kPrivate, "<string.h>", kPrivate },
++  { "size_t", kPrivate, "<time.h>", kPrivate },
++  { "size_t", kPrivate, "<uchar.h>", kPrivate },
++  { "size_t", kPrivate, "<wchar.h>", kPrivate },
+   // Macros that can be defined in more than one file, don't have the
+   // same __foo_defined guard that other types do, so the grep above
+   // doesn't discover them.  Until I figure out a better way, I just
+   // add them in by hand as I discover them.
+-  { "EOF", kPrivate, "<stdio.h>", kPublic },
+-  { "FILE", kPrivate, "<stdio.h>", kPublic },
++  { "EOF", kPrivate, "<stdio.h>", kPrivate },
++  { "FILE", kPrivate, "<stdio.h>", kPrivate },
+   { "IBSHIFT", kPrivate, "<asm/termbits.h>", kPublic },
+   { "MAP_POPULATE", kPrivate, "<sys/mman.h>", kPublic },
+   { "MAP_POPULATE", kPrivate, "<linux/mman.h>", kPublic },
+@@ -270,22 +270,22 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "MAP_STACK", kPrivate, "<linux/mman.h>", kPublic },
+   { "MAXHOSTNAMELEN", kPrivate, "<sys/param.h>", kPublic },
+   { "MAXHOSTNAMELEN", kPrivate, "<protocols/timed.h>", kPublic },
+-  { "SIGABRT", kPrivate, "<signal.h>", kPublic },
+-  { "SIGCHLD", kPrivate, "<signal.h>", kPublic },
+-  { "va_arg", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_copy", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_end", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_list", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_start", kPrivate, "<stdarg.h>", kPublic },
+-  { "WEOF", kPrivate, "<wchar.h>", kPublic },
++  { "SIGABRT", kPrivate, "<signal.h>", kPrivate },
++  { "SIGCHLD", kPrivate, "<signal.h>", kPrivate },
++  { "va_arg", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_copy", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_end", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_list", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_start", kPrivate, "<stdarg.h>", kPrivate },
++  { "WEOF", kPrivate, "<wchar.h>", kPrivate },
+   // These are symbols that could be defined in either stdlib.h or
+   // malloc.h, but we always want the stdlib location.
+-  { "malloc", kPrivate, "<stdlib.h>", kPublic },
+-  { "calloc", kPrivate, "<stdlib.h>", kPublic },
+-  { "realloc", kPrivate, "<stdlib.h>", kPublic },
+-  { "free", kPrivate, "<stdlib.h>", kPublic },
++  { "malloc", kPrivate, "<stdlib.h>", kPrivate },
++  { "calloc", kPrivate, "<stdlib.h>", kPrivate },
++  { "realloc", kPrivate, "<stdlib.h>", kPrivate },
++  { "free", kPrivate, "<stdlib.h>", kPrivate },
+   // Entries for NULL
+-  { "NULL", kPrivate, "<stddef.h>", kPublic },  // 'canonical' location for NULL
++  { "NULL", kPrivate, "<stddef.h>", kPrivate },  // 'canonical' location for NULL
+   { "NULL", kPrivate, "<clocale>", kPublic },
+   { "NULL", kPrivate, "<cstddef>", kPublic },
+   { "NULL", kPrivate, "<cstdio>", kPublic },
+@@ -293,13 +293,13 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "NULL", kPrivate, "<cstring>", kPublic },
+   { "NULL", kPrivate, "<ctime>", kPublic },
+   { "NULL", kPrivate, "<cwchar>", kPublic },
+-  { "NULL", kPrivate, "<locale.h>", kPublic },
+-  { "NULL", kPrivate, "<stdio.h>", kPublic },
+-  { "NULL", kPrivate, "<stdlib.h>", kPublic },
+-  { "NULL", kPrivate, "<string.h>", kPublic },
+-  { "NULL", kPrivate, "<time.h>", kPublic },
+-  { "NULL", kPrivate, "<wchar.h>", kPublic },
+-  { "offsetof", kPrivate, "<stddef.h>", kPublic },
++  { "NULL", kPrivate, "<locale.h>", kPrivate },
++  { "NULL", kPrivate, "<stdio.h>", kPrivate },
++  { "NULL", kPrivate, "<stdlib.h>", kPrivate },
++  { "NULL", kPrivate, "<string.h>", kPrivate },
++  { "NULL", kPrivate, "<time.h>", kPrivate },
++  { "NULL", kPrivate, "<wchar.h>", kPrivate },
++  { "offsetof", kPrivate, "<stddef.h>", kPrivate },
+ };
+ 
+ // Common kludges for C++ standard libraries
+@@ -355,7 +355,7 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/a.out.h>", kPrivate, "<a.out.h>", kPublic },
+   { "<bits/auxv.h>", kPrivate, "<sys/auxv.h>", kPublic },
+   { "<bits/byteswap.h>", kPrivate, "<byteswap.h>", kPublic },
+-  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPublic },
++  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPrivate },
+   { "<bits/confname.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/dirent.h>", kPrivate, "<dirent.h>", kPublic },
+   { "<bits/dlfcn.h>", kPrivate, "<dlfcn.h>", kPublic },
+@@ -363,18 +363,18 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/endian.h>", kPrivate, "<endian.h>", kPublic },
+   { "<bits/environments.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/epoll.h>", kPrivate, "<sys/epoll.h>", kPublic },
+-  { "<bits/errno.h>", kPrivate, "<errno.h>", kPublic },
++  { "<bits/errno.h>", kPrivate, "<errno.h>", kPrivate },
+   { "<bits/error.h>", kPrivate, "<error.h>", kPublic },
+   { "<bits/eventfd.h>", kPrivate, "<sys/eventfd.h>", kPublic },
+   { "<bits/fcntl.h>", kPrivate, "<fcntl.h>", kPublic },
+   { "<bits/fcntl2.h>", kPrivate, "<fcntl.h>", kPublic },
+-  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPublic },
+-  { "<bits/fenvinline.h>", kPrivate, "<fenv.h>", kPublic },
+-  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPrivate },
++  { "<bits/fenvinline.h>", kPrivate, "<fenv.h>", kPrivate },
++  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/hwcap.h>", kPrivate, "<sys/auxv.h>", kPublic },
+-  { "<bits/inf.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/inf.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/inotify.h>", kPrivate, "<sys/inotify.h>", kPublic },
+   { "<bits/ioctl-types.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<bits/ioctls.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+@@ -382,24 +382,24 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/ipctypes.h>", kPrivate, "<sys/ipc.h>", kPublic },
+   { "<bits/libio-ldbl.h>", kPrivate, "<libio.h>", kPublic },
+   { "<bits/link.h>", kPrivate, "<link.h>", kPublic },
+-  { "<bits/locale.h>", kPrivate, "<locale.h>", kPublic },
+-  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathcalls.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/locale.h>", kPrivate, "<locale.h>", kPrivate },
++  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathcalls.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/mman.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/mman-shared.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/monetary-ldbl.h>", kPrivate, "<monetary.h>", kPublic },
+   { "<bits/mqueue.h>", kPrivate, "<mqueue.h>", kPublic },
+   { "<bits/mqueue2.h>", kPrivate, "<mqueue.h>", kPublic },
+   { "<bits/msq.h>", kPrivate, "<sys/msg.h>", kPublic },
+-  { "<bits/nan.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/nan.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/netdb.h>", kPrivate, "<netdb.h>", kPublic },
+   { "<bits/param.h>", kPrivate, "<sys/param.h>", kPublic },
+   { "<bits/poll.h>", kPrivate, "<sys/poll.h>", kPrivate },
+   { "<bits/poll2.h>", kPrivate, "<sys/poll.h>", kPrivate },
+-  { "<bits/posix1_lim.h>", kPrivate, "<limits.h>", kPublic },
+-  { "<bits/posix2_lim.h>", kPrivate, "<limits.h>", kPublic },
++  { "<bits/posix1_lim.h>", kPrivate, "<limits.h>", kPrivate },
++  { "<bits/posix2_lim.h>", kPrivate, "<limits.h>", kPrivate },
+   { "<bits/posix_opt.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/printf-ldbl.h>", kPrivate, "<printf.h>", kPublic },
+   { "<bits/pthreadtypes.h>", kPrivate, "<pthread.h>", kPublic },
+@@ -409,17 +409,17 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/select2.h>", kPrivate, "<sys/select.h>", kPublic },
+   { "<bits/sem.h>", kPrivate, "<sys/sem.h>", kPublic },
+   { "<bits/semaphore.h>", kPrivate, "<semaphore.h>", kPublic },
+-  { "<bits/setjmp.h>", kPrivate, "<setjmp.h>", kPublic },
+-  { "<bits/setjmp2.h>", kPrivate, "<setjmp.h>", kPublic },
++  { "<bits/setjmp.h>", kPrivate, "<setjmp.h>", kPrivate },
++  { "<bits/setjmp2.h>", kPrivate, "<setjmp.h>", kPrivate },
+   { "<bits/shm.h>", kPrivate, "<sys/shm.h>", kPublic },
+-  { "<bits/sigaction.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/siginfo.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/signum.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/signum-arch.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigset.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigstack.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigthread.h>", kPrivate, "<signal.h>", kPublic },
++  { "<bits/sigaction.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/siginfo.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/signum.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/signum-arch.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigset.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigstack.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigthread.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<bits/sockaddr.h>", kPrivate, "<sys/un.h>", kPublic },
+   { "<bits/socket.h>", kPrivate, "<sys/socket.h>", kPublic },
+   { "<bits/socket2.h>", kPrivate, "<sys/socket.h>", kPublic },
+@@ -429,22 +429,22 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/statfs.h>", kPrivate, "<sys/statfs.h>", kPublic },
+   { "<bits/statvfs.h>", kPrivate, "<sys/statvfs.h>", kPublic },
+   { "<bits/statx-generic.h>", kPrivate, "<sys/stat.h>", kPublic },
+-  { "<bits/stdio-ldbl.h>", kPrivate, "<stdio.h>", kPublic },
++  { "<bits/stdio-ldbl.h>", kPrivate, "<stdio.h>", kPrivate },
+   { "<bits/stdio-lock.h>", kPrivate, "<libio.h>", kPublic },
+-  { "<bits/stdio.h>", kPrivate, "<stdio.h>", kPublic },
+-  { "<bits/stdio2.h>", kPrivate, "<stdio.h>", kPublic },
+-  { "<bits/stdio_lim.h>", kPrivate, "<stdio.h>", kPublic },
+-  { "<bits/stdlib-bsearch.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/stdlib-ldbl.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/stdlib.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/string.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string2.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string3.h>", kPrivate, "<string.h>", kPublic },
++  { "<bits/stdio.h>", kPrivate, "<stdio.h>", kPrivate },
++  { "<bits/stdio2.h>", kPrivate, "<stdio.h>", kPrivate },
++  { "<bits/stdio_lim.h>", kPrivate, "<stdio.h>", kPrivate },
++  { "<bits/stdlib-bsearch.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/stdlib-ldbl.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/stdlib.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/string.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string2.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string3.h>", kPrivate, "<string.h>", kPrivate },
+   { "<bits/stropts.h>", kPrivate, "<stropts.h>", kPublic },
+   { "<bits/struct_stat.h>", kPrivate, "<sys/stat.h>", kPublic },
+   { "<bits/struct_stat.h>", kPrivate, "<ftw.h>", kPublic },
+-  { "<bits/sys_errlist.h>", kPrivate, "<stdio.h>", kPublic },
++  { "<bits/sys_errlist.h>", kPrivate, "<stdio.h>", kPrivate },
+   { "<bits/syscall.h>", kPrivate, "<sys/syscall.h>", kPublic },
+   { "<bits/sysctl.h>", kPrivate, "<sys/sysctl.h>", kPublic },
+   { "<bits/syslog-ldbl.h>", kPrivate, "<sys/syslog.h>", kPrivate },
+@@ -459,12 +459,12 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/termios-struct.h>", kPrivate, "<termios.h>", kPublic },
+   { "<bits/termios-tcflow.h>", kPrivate, "<termios.h>", kPublic },
+   { "<bits/termios.h>", kPrivate, "<termios.h>", kPublic },
+-  { "<bits/time.h>", kPrivate, "<time.h>", kPublic },
++  { "<bits/time.h>", kPrivate, "<time.h>", kPrivate },
+   { "<bits/time.h>", kPrivate, "<sys/time.h>", kPublic },
+   { "<bits/timerfd.h>", kPrivate, "<sys/timerfd.h>", kPublic },
+   { "<bits/timex.h>", kPrivate, "<sys/timex.h>", kPublic },
+   { "<bits/types.h>", kPrivate, "<sys/types.h>", kPublic },
+-  { "<bits/types/siginfo_t.h>", kPrivate, "<signal.h>", kPublic },
++  { "<bits/types/siginfo_t.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<bits/types/siginfo_t.h>", kPrivate, "<sys/wait.h>", kPublic },
+   { "<bits/uio.h>", kPrivate, "<sys/uio.h>", kPublic },
+   { "<bits/unistd.h>", kPrivate, "<unistd.h>", kPublic },
+@@ -474,11 +474,11 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/utsname.h>", kPrivate, "<sys/utsname.h>", kPublic },
+   { "<bits/waitflags.h>", kPrivate, "<sys/wait.h>", kPublic },
+   { "<bits/waitstatus.h>", kPrivate, "<sys/wait.h>", kPublic },
+-  { "<bits/wchar-ldbl.h>", kPrivate, "<wchar.h>", kPublic },
+-  { "<bits/wchar.h>", kPrivate, "<wchar.h>", kPublic },
+-  { "<bits/wchar2.h>", kPrivate, "<wchar.h>", kPublic },
+-  { "<bits/wordsize.h>", kPrivate, "<limits.h>", kPublic },
+-  { "<bits/xopen_lim.h>", kPrivate, "<limits.h>", kPublic },
++  { "<bits/wchar-ldbl.h>", kPrivate, "<wchar.h>", kPrivate },
++  { "<bits/wchar.h>", kPrivate, "<wchar.h>", kPrivate },
++  { "<bits/wchar2.h>", kPrivate, "<wchar.h>", kPrivate },
++  { "<bits/wordsize.h>", kPrivate, "<limits.h>", kPrivate },
++  { "<bits/xopen_lim.h>", kPrivate, "<limits.h>", kPrivate },
+   { "<bits/xtitypes.h>", kPrivate, "<stropts.h>", kPublic },
+   // Sometimes libc tells you what mapping to do via an '#error':
+   // # error "Never use <bits/dlfcn.h> directly; include <dlfcn.h> instead."
+@@ -488,7 +488,7 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/a.out.h>", kPrivate, "<a.out.h>", kPublic },
+   { "<bits/byteswap-16.h>", kPrivate, "<byteswap.h>", kPublic },
+   { "<bits/byteswap.h>", kPrivate, "<byteswap.h>", kPublic },
+-  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPublic },
++  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPrivate },
+   { "<bits/confname.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/dirent.h>", kPrivate, "<dirent.h>", kPublic },
+   { "<bits/dlfcn.h>", kPrivate, "<dlfcn.h>", kPublic },
+@@ -498,38 +498,38 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/eventfd.h>", kPrivate, "<sys/eventfd.h>", kPublic },
+   { "<bits/fcntl-linux.h>", kPrivate, "<fcntl.h>", kPublic },
+   { "<bits/fcntl.h>", kPrivate, "<fcntl.h>", kPublic },
+-  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPublic },
+-  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPrivate },
++  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/in.h>", kPrivate, "<netinet/in.h>", kPublic },
+-  { "<bits/inf.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/inf.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/inotify.h>", kPrivate, "<sys/inotify.h>", kPublic },
+   { "<bits/ioctl-types.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<bits/ioctls.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<bits/ipc.h>", kPrivate, "<sys/ipc.h>", kPublic },
+   { "<bits/ipctypes.h>", kPrivate, "<sys/ipc.h>", kPublic },
+-  { "<bits/locale.h>", kPrivate, "<locale.h>", kPublic },
+-  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/locale.h>", kPrivate, "<locale.h>", kPrivate },
++  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/mman-linux.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/mman.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/mqueue.h>", kPrivate, "<mqueue.h>", kPublic },
+   { "<bits/msq.h>", kPrivate, "<sys/msg.h>", kPublic },
+-  { "<bits/nan.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/nan.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/param.h>", kPrivate, "<sys/param.h>", kPublic },
+   { "<bits/poll.h>", kPrivate, "<sys/poll.h>", kPrivate },
+   { "<bits/predefs.h>", kPrivate, "<features.h>", kPublic },
+   { "<bits/resource.h>", kPrivate, "<sys/resource.h>", kPublic },
+   { "<bits/select.h>", kPrivate, "<sys/select.h>", kPublic },
+   { "<bits/semaphore.h>", kPrivate, "<semaphore.h>", kPublic },
+-  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPublic },
++  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<bits/signalfd.h>", kPrivate, "<sys/signalfd.h>", kPublic },
+-  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/string.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string2.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string3.h>", kPrivate, "<string.h>", kPublic },
++  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/string.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string2.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string3.h>", kPrivate, "<string.h>", kPrivate },
+   { "<bits/timerfd.h>", kPrivate, "<sys/timerfd.h>", kPublic },
+   { "<bits/typesizes.h>", kPrivate, "<sys/types.h>", kPublic },
+   // Top-level #includes that just forward to another file:
+@@ -541,13 +541,13 @@ const IncludeMapEntry libc_include_map[] = {
+   // on the POSIX.1-2024 list, I just choose the top-level one.
+   { "<sys/aio.h>", kPrivate, "<aio.h>", kPublic },
+   { "<sys/dirent.h>", kPrivate, "<dirent.h>", kPublic },
+-  { "<sys/errno.h>", kPrivate, "<errno.h>", kPublic },
++  { "<sys/errno.h>", kPrivate, "<errno.h>", kPrivate },
+   { "<sys/fcntl.h>", kPrivate, "<fcntl.h>", kPublic },
+   { "<sys/poll.h>", kPrivate, "<poll.h>", kPublic },
+   { "<sys/semaphore.h>", kPrivate, "<semaphore.h>", kPublic },
+-  { "<sys/signal.h>", kPrivate, "<signal.h>", kPublic },
++  { "<sys/signal.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<sys/spawn.h>", kPrivate, "<spawn.h>", kPublic },
+-  { "<sys/stdio.h>", kPrivate, "<stdio.h>", kPublic },
++  { "<sys/stdio.h>", kPrivate, "<stdio.h>", kPrivate },
+   { "<sys/syslog.h>", kPrivate, "<syslog.h>", kPublic },
+   { "<sys/termios.h>", kPrivate, "<termios.h>", kPublic },
+   { "<sys/unistd.h>", kPrivate, "<unistd.h>", kPublic },
+@@ -567,21 +567,21 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<asm/unistd_64.h>", kPrivate, "<asm/unistd.h>", kPrivate },
+   // I don't know what grep would have found these.  I found them
+   // via user report.
+-  { "<asm/errno.h>", kPrivate, "<errno.h>", kPublic },
+-  { "<asm/errno-base.h>", kPrivate, "<errno.h>", kPublic },
++  { "<asm/errno.h>", kPrivate, "<errno.h>", kPrivate },
++  { "<asm/errno-base.h>", kPrivate, "<errno.h>", kPrivate },
+   { "<asm/ptrace-abi.h>", kPrivate, "<asm/ptrace.h>", kPublic },
+   { "<asm/unistd.h>", kPrivate, "<sys/syscall.h>", kPublic },
+-  { "<linux/limits.h>", kPrivate, "<limits.h>", kPublic },   // PATH_MAX
++  { "<linux/limits.h>", kPrivate, "<limits.h>", kPrivate },   // PATH_MAX
+   { "<linux/prctl.h>", kPrivate, "<sys/prctl.h>", kPublic },
+   { "<sys/ucontext.h>", kPrivate, "<ucontext.h>", kPublic },
+   // System headers available on AIX, BSD, Solaris and other Unix systems
+   { "<sys/dtrace.h>", kPrivate, "<dtrace.h>", kPublic },
+   { "<sys/paths.h>", kPrivate, "<paths.h>", kPublic },
+-  { "<sys/syslimits.h>", kPrivate, "<limits.h>", kPublic },
++  { "<sys/syslimits.h>", kPrivate, "<limits.h>", kPrivate },
+   { "<sys/ttycom.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<sys/ustat.h>", kPrivate, "<ustat.h>", kPublic },
+   // Exports guaranteed by the C standard
+-  { "<stdint.h>", kPublic, "<inttypes.h>", kPublic },
++  { "<stdint.h>", kPrivate, "<inttypes.h>", kPrivate },
+ };
+ 
+ const IncludeMapEntry stdlib_c_include_map[] = {
+@@ -600,32 +600,32 @@ const IncludeMapEntry stdlib_c_include_map[] = {
+   // https://github.com/cplusplus/draft/blob/c+%2B20/source/lib-intro.tex
+   //
+   // $ curl -s -N https://raw.githubusercontent.com/cplusplus/draft/c%2B%2B20/source/lib-intro.tex | sed -n '/begin{multicolfloattable}.*{headers.cpp.c}/,/end{multicolfloattable}/p' | grep tcode | perl -nle 'm/tcode{<c(.*)>}/ && print qq@  { "<$1.h>", kPublic, "<c$1>", kPublic },@' | sort
+-  { "<assert.h>", kPublic, "<cassert>", kPublic },
+-  { "<complex.h>", kPublic, "<ccomplex>", kPublic },
+-  { "<ctype.h>", kPublic, "<cctype>", kPublic },
+-  { "<errno.h>", kPublic, "<cerrno>", kPublic },
+-  { "<fenv.h>", kPublic, "<cfenv>", kPublic },
+-  { "<float.h>", kPublic, "<cfloat>", kPublic },
+-  { "<inttypes.h>", kPublic, "<cinttypes>", kPublic },
+-  { "<iso646.h>", kPublic, "<ciso646>", kPublic },
+-  { "<limits.h>", kPublic, "<climits>", kPublic },
+-  { "<locale.h>", kPublic, "<clocale>", kPublic },
+-  { "<math.h>", kPublic, "<cmath>", kPublic },
+-  { "<setjmp.h>", kPublic, "<csetjmp>", kPublic },
+-  { "<signal.h>", kPublic, "<csignal>", kPublic },
+-  { "<stdalign.h>", kPublic, "<cstdalign>", kPublic },
+-  { "<stdarg.h>", kPublic, "<cstdarg>", kPublic },
+-  { "<stdbool.h>", kPublic, "<cstdbool>", kPublic },
+-  { "<stddef.h>", kPublic, "<cstddef>", kPublic },
+-  { "<stdint.h>", kPublic, "<cstdint>", kPublic },
+-  { "<stdio.h>", kPublic, "<cstdio>", kPublic },
+-  { "<stdlib.h>", kPublic, "<cstdlib>", kPublic },
+-  { "<string.h>", kPublic, "<cstring>", kPublic },
+-  { "<tgmath.h>", kPublic, "<ctgmath>", kPublic },
+-  { "<time.h>", kPublic, "<ctime>", kPublic },
+-  { "<uchar.h>", kPublic, "<cuchar>", kPublic },
+-  { "<wchar.h>", kPublic, "<cwchar>", kPublic },
+-  { "<wctype.h>", kPublic, "<cwctype>", kPublic },
++  { "<assert.h>", kPrivate, "<cassert>", kPublic },
++  { "<complex.h>", kPrivate, "<ccomplex>", kPublic },
++  { "<ctype.h>", kPrivate, "<cctype>", kPublic },
++  { "<errno.h>", kPrivate, "<cerrno>", kPublic },
++  { "<fenv.h>", kPrivate, "<cfenv>", kPublic },
++  { "<float.h>", kPrivate, "<cfloat>", kPublic },
++  { "<inttypes.h>", kPrivate, "<cinttypes>", kPublic },
++  { "<iso646.h>", kPrivate, "<ciso646>", kPublic },
++  { "<limits.h>", kPrivate, "<climits>", kPublic },
++  { "<locale.h>", kPrivate, "<clocale>", kPublic },
++  { "<math.h>", kPrivate, "<cmath>", kPublic },
++  { "<setjmp.h>", kPrivate, "<csetjmp>", kPublic },
++  { "<signal.h>", kPrivate, "<csignal>", kPublic },
++  { "<stdalign.h>", kPrivate, "<cstdalign>", kPublic },
++  { "<stdarg.h>", kPrivate, "<cstdarg>", kPublic },
++  { "<stdbool.h>", kPrivate, "<cstdbool>", kPublic },
++  { "<stddef.h>", kPrivate, "<cstddef>", kPublic },
++  { "<stdint.h>", kPrivate, "<cstdint>", kPublic },
++  { "<stdio.h>", kPrivate, "<cstdio>", kPublic },
++  { "<stdlib.h>", kPrivate, "<cstdlib>", kPublic },
++  { "<string.h>", kPrivate, "<cstring>", kPublic },
++  { "<tgmath.h>", kPrivate, "<ctgmath>", kPublic },
++  { "<time.h>", kPrivate, "<ctime>", kPublic },
++  { "<uchar.h>", kPrivate, "<cuchar>", kPublic },
++  { "<wchar.h>", kPrivate, "<cwchar>", kPublic },
++  { "<wctype.h>", kPrivate, "<cwctype>", kPublic },
+ };
+ 
+ const char* stdlib_cpp_public_headers[] = {

ci/test/02_run_container.py

@@ -3,16 +3,19 @@
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or https://opensource.org/license/mit/.
 
+from pathlib import Path
 import os
 import shlex
 import subprocess
 import sys
+import time
 
 
 def run(cmd, **kwargs):
     print("+ " + shlex.join(cmd), flush=True)
+    kwargs.setdefault("check", True)
     try:
-        return subprocess.run(cmd, check=True, **kwargs)
+        return subprocess.run(cmd, **kwargs)
     except Exception as e:
         sys.exit(e)
 
@@ -23,7 +26,6 @@ def main():
         ["bash", "-c", "grep export ./ci/test/00_setup_env*.sh"],
         stdout=subprocess.PIPE,
         text=True,
-        encoding="utf8",
     ).stdout.splitlines()
     settings = set(l.split("=")[0].split("export ")[1] for l in settings)
     # Add "hidden" settings, which are never exported, manually. Otherwise,
@@ -36,16 +38,154 @@ def main():
     # Append $USER to /tmp/env to support multi-user systems and $CONTAINER_NAME
     # to allow support starting multiple runs simultaneously by the same user.
     env_file = "/tmp/env-{u}-{c}".format(
-        u=os.getenv("USER"),
-        c=os.getenv("CONTAINER_NAME"),
+        u=os.environ["USER"],
+        c=os.environ["CONTAINER_NAME"],
     )
-    with open(env_file, "w", encoding="utf8") as file:
+    with open(env_file, "w") as file:
         for k, v in os.environ.items():
             if k in settings:
                 file.write(f"{k}={v}\n")
     run(["cat", env_file])
 
-    run(["./ci/test/02_run_container.sh"])  # run the remainder
+    if os.getenv("DANGER_RUN_CI_ON_HOST"):
+        print("Running on host system without docker wrapper")
+        print("Create missing folders")
+        for create_dir in [
+                os.environ["CCACHE_DIR"],
+                os.environ["PREVIOUS_RELEASES_DIR"],
+        ]:
+            Path(create_dir).mkdir(parents=True, exist_ok=True)
+
+        # Modify PATH to prepend the retry script, needed for CI_RETRY_EXE
+        os.environ["PATH"] = f"{os.environ['BASE_ROOT_DIR']}/ci/retry:{os.environ['PATH']}"
+        # GNU getopt is required for the CI_RETRY_EXE script
+        if os.getenv("CI_OS_NAME") == "macos":
+            prefix = run(
+                ["brew", "--prefix", "gnu-getopt"],
+                stdout=subprocess.PIPE,
+                text=True,
+            ).stdout.strip()
+            os.environ["IN_GETOPT_BIN"] = f"{prefix}/bin/getopt"
+    else:
+        CI_IMAGE_LABEL = "bitcoin-ci-test"
+
+        # Use buildx unconditionally
+        # Using buildx is required to properly load the correct driver, for use with registry caching. Neither build, nor BUILDKIT=1 currently do this properly
+        cmd_build = ["docker", "buildx", "build"]
+        cmd_build += [
+            f"--file={os.environ['BASE_READ_ONLY_DIR']}/ci/test_imagefile",
+            f"--build-arg=CI_IMAGE_NAME_TAG={os.environ['CI_IMAGE_NAME_TAG']}",
+            f"--build-arg=FILE_ENV={os.environ['FILE_ENV']}",
+            f"--build-arg=BASE_ROOT_DIR={os.environ['BASE_ROOT_DIR']}",
+            f"--platform={os.environ['CI_IMAGE_PLATFORM']}",
+            f"--label={CI_IMAGE_LABEL}",
+            f"--tag={os.environ['CONTAINER_NAME']}",
+        ]
+        cmd_build += shlex.split(os.getenv("DOCKER_BUILD_CACHE_ARG", ""))
+        cmd_build += [os.environ["BASE_READ_ONLY_DIR"]]
+
+        print(f"Building {os.environ['CONTAINER_NAME']} image tag to run in")
+        if run(cmd_build, check=False).returncode != 0:
+            print(f"Retry building {os.environ['CONTAINER_NAME']} image tag after failure")
+            time.sleep(3)
+            run(cmd_build)
+
+        for suffix in ["ccache", "depends", "depends_sources", "previous_releases"]:
+            run(["docker", "volume", "create", f"{os.environ['CONTAINER_NAME']}_{suffix}"], check=False)
+
+        CI_CCACHE_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_ccache,dst={os.environ['CCACHE_DIR']}"
+        CI_DEPENDS_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_depends,dst={os.environ['DEPENDS_DIR']}/built"
+        CI_DEPENDS_SOURCES_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_depends_sources,dst={os.environ['DEPENDS_DIR']}/sources"
+        CI_PREVIOUS_RELEASES_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_previous_releases,dst={os.environ['PREVIOUS_RELEASES_DIR']}"
+        CI_BUILD_MOUNT = []
+
+        if os.getenv("DANGER_CI_ON_HOST_FOLDERS"):
+            # ensure the directories exist
+            for create_dir in [
+                    os.environ["CCACHE_DIR"],
+                    f"{os.environ['DEPENDS_DIR']}/built",
+                    f"{os.environ['DEPENDS_DIR']}/sources",
+                    os.environ["PREVIOUS_RELEASES_DIR"],
+                    os.environ["BASE_BUILD_DIR"],  # Unset by default, must be defined externally
+            ]:
+                Path(create_dir).mkdir(parents=True, exist_ok=True)
+
+            CI_CCACHE_MOUNT = f"type=bind,src={os.environ['CCACHE_DIR']},dst={os.environ['CCACHE_DIR']}"
+            CI_DEPENDS_MOUNT = f"type=bind,src={os.environ['DEPENDS_DIR']}/built,dst={os.environ['DEPENDS_DIR']}/built"
+            CI_DEPENDS_SOURCES_MOUNT = f"type=bind,src={os.environ['DEPENDS_DIR']}/sources,dst={os.environ['DEPENDS_DIR']}/sources"
+            CI_PREVIOUS_RELEASES_MOUNT = f"type=bind,src={os.environ['PREVIOUS_RELEASES_DIR']},dst={os.environ['PREVIOUS_RELEASES_DIR']}"
+            CI_BUILD_MOUNT = [f"--mount=type=bind,src={os.environ['BASE_BUILD_DIR']},dst={os.environ['BASE_BUILD_DIR']}"]
+
+        if os.getenv("DANGER_CI_ON_HOST_CCACHE_FOLDER"):
+            if not os.path.isdir(os.environ["CCACHE_DIR"]):
+                print(f"Error: Directory '{os.environ['CCACHE_DIR']}' must be created in advance.")
+                sys.exit(1)
+            CI_CCACHE_MOUNT = f"type=bind,src={os.environ['CCACHE_DIR']},dst={os.environ['CCACHE_DIR']}"
+
+        run(["docker", "network", "create", "--ipv6", "--subnet", "1111:1111::/112", "ci-ip6net"], check=False)
+
+        if os.getenv("RESTART_CI_DOCKER_BEFORE_RUN"):
+            print("Restart docker before run to stop and clear all containers started with --rm")
+            run(["podman", "container", "rm", "--force", "--all"])  # Similar to "systemctl restart docker"
+
+            # Still prune everything in case the filtered pruning doesn't work, or if labels were not set
+            # on a previous run. Belt and suspenders approach, should be fine to remove in the future.
+            # Prune images used by --external containers (e.g. build containers) when
+            # using podman.
+            print("Prune all dangling images")
+            run(["podman", "image", "prune", "--force", "--external"])
+
+        print(f"Prune all dangling {CI_IMAGE_LABEL} images")
+        # When detecting podman-docker, `--external` should be added.
+        run(["docker", "image", "prune", "--force", "--filter", f"label={CI_IMAGE_LABEL}"])
+
+        cmd_run = ["docker", "run", "--rm", "--interactive", "--detach", "--tty"]
+        cmd_run += [
+            "--cap-add=LINUX_IMMUTABLE",
+            *shlex.split(os.getenv("CI_CONTAINER_CAP", "")),
+            f"--mount=type=bind,src={os.environ['BASE_READ_ONLY_DIR']},dst={os.environ['BASE_READ_ONLY_DIR']},readonly",
+            f"--mount={CI_CCACHE_MOUNT}",
+            f"--mount={CI_DEPENDS_MOUNT}",
+            f"--mount={CI_DEPENDS_SOURCES_MOUNT}",
+            f"--mount={CI_PREVIOUS_RELEASES_MOUNT}",
+            *CI_BUILD_MOUNT,
+            f"--env-file={env_file}",
+            f"--name={os.environ['CONTAINER_NAME']}",
+            "--network=ci-ip6net",
+            f"--platform={os.environ['CI_IMAGE_PLATFORM']}",
+            os.environ["CONTAINER_NAME"],
+        ]
+
+        container_id = run(
+            cmd_run,
+            stdout=subprocess.PIPE,
+            text=True,
+        ).stdout.strip()
+
+    def ci_exec(cmd_inner, **kwargs):
+        if os.getenv("DANGER_RUN_CI_ON_HOST"):
+            prefix = []
+        else:
+            prefix = ["docker", "exec", container_id]
+
+        return run([*prefix, *cmd_inner], **kwargs)
+
+    # Normalize all folders to BASE_ROOT_DIR
+    ci_exec([
+        "rsync",
+        "--recursive",
+        "--perms",
+        "--stats",
+        "--human-readable",
+        f"{os.environ['BASE_READ_ONLY_DIR']}/",
+        f"{os.environ['BASE_ROOT_DIR']}",
+    ])
+    ci_exec([f"{os.environ['BASE_ROOT_DIR']}/ci/test/01_base_install.sh"])
+    ci_exec([f"{os.environ['BASE_ROOT_DIR']}/ci/test/03_test_script.sh"])
+
+    if not os.getenv("DANGER_RUN_CI_ON_HOST"):
+        print("Stop and remove CI container by ID")
+        run(["docker", "container", "kill", container_id])
 
 
 if __name__ == "__main__":

ci/test/02_run_container.sh

@@ -1,131 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2018-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-export CI_IMAGE_LABEL="bitcoin-ci-test"
-
-set -o errexit -o pipefail -o xtrace
-
-if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
-  # Env vars during the build can not be changed. For example, a modified
-  # $MAKEJOBS is ignored in the build process. Use --cpuset-cpus as an
-  # approximation to respect $MAKEJOBS somewhat, if cpuset is available.
-  MAYBE_CPUSET=""
-  if [ "$HAVE_CGROUP_CPUSET" ]; then
-    MAYBE_CPUSET="--cpuset-cpus=$( python3 -c "import random;P=$( nproc );M=min(P,int('$MAKEJOBS'.lstrip('-j')));print(','.join(map(str,sorted(random.sample(range(P),M)))))" )"
-  fi
-  echo "Creating $CI_IMAGE_NAME_TAG container to run in"
-
-  # Use buildx unconditionally
-  # Using buildx is required to properly load the correct driver, for use with registry caching. Neither build, nor BUILDKIT=1 currently do this properly
-  # shellcheck disable=SC2086
-  docker buildx build \
-      --file "${BASE_READ_ONLY_DIR}/ci/test_imagefile" \
-      --build-arg "CI_IMAGE_NAME_TAG=${CI_IMAGE_NAME_TAG}" \
-      --build-arg "FILE_ENV=${FILE_ENV}" \
-      --build-arg "BASE_ROOT_DIR=${BASE_ROOT_DIR}" \
-      $MAYBE_CPUSET \
-      --platform="${CI_IMAGE_PLATFORM}" \
-      --label="${CI_IMAGE_LABEL}" \
-      --tag="${CONTAINER_NAME}" \
-      $DOCKER_BUILD_CACHE_ARG \
-      "${BASE_READ_ONLY_DIR}"
-
-  docker volume create "${CONTAINER_NAME}_ccache" || true
-  docker volume create "${CONTAINER_NAME}_depends" || true
-  docker volume create "${CONTAINER_NAME}_depends_sources" || true
-  docker volume create "${CONTAINER_NAME}_previous_releases" || true
-
-  CI_CCACHE_MOUNT="type=volume,src=${CONTAINER_NAME}_ccache,dst=$CCACHE_DIR"
-  CI_DEPENDS_MOUNT="type=volume,src=${CONTAINER_NAME}_depends,dst=$DEPENDS_DIR/built"
-  CI_DEPENDS_SOURCES_MOUNT="type=volume,src=${CONTAINER_NAME}_depends_sources,dst=$DEPENDS_DIR/sources"
-  CI_PREVIOUS_RELEASES_MOUNT="type=volume,src=${CONTAINER_NAME}_previous_releases,dst=$PREVIOUS_RELEASES_DIR"
-  CI_BUILD_MOUNT=""
-
-  if [ "$DANGER_CI_ON_HOST_FOLDERS" ]; then
-    # ensure the directories exist
-    mkdir -p "${CCACHE_DIR}"
-    mkdir -p "${DEPENDS_DIR}/built"
-    mkdir -p "${DEPENDS_DIR}/sources"
-    mkdir -p "${PREVIOUS_RELEASES_DIR}"
-    mkdir -p "${BASE_BUILD_DIR}"  # Unset by default, must be defined externally
-
-    CI_CCACHE_MOUNT="type=bind,src=${CCACHE_DIR},dst=$CCACHE_DIR"
-    CI_DEPENDS_MOUNT="type=bind,src=${DEPENDS_DIR}/built,dst=$DEPENDS_DIR/built"
-    CI_DEPENDS_SOURCES_MOUNT="type=bind,src=${DEPENDS_DIR}/sources,dst=$DEPENDS_DIR/sources"
-    CI_PREVIOUS_RELEASES_MOUNT="type=bind,src=${PREVIOUS_RELEASES_DIR},dst=$PREVIOUS_RELEASES_DIR"
-    CI_BUILD_MOUNT="--mount type=bind,src=${BASE_BUILD_DIR},dst=${BASE_BUILD_DIR}"
-  fi
-
-  if [ "$DANGER_CI_ON_HOST_CCACHE_FOLDER" ]; then
-    if [ ! -d "${CCACHE_DIR}" ]; then
-      echo "Error: Directory '${CCACHE_DIR}' must be created in advance."
-      exit 1
-    fi
-    CI_CCACHE_MOUNT="type=bind,src=${CCACHE_DIR},dst=${CCACHE_DIR}"
-  fi
-
-  docker network create --ipv6 --subnet 1111:1111::/112 ci-ip6net || true
-
-  if [ -n "${RESTART_CI_DOCKER_BEFORE_RUN}" ] ; then
-    echo "Restart docker before run to stop and clear all containers started with --rm"
-    podman container rm --force --all  # Similar to "systemctl restart docker"
-
-    # Still prune everything in case the filtered pruning doesn't work, or if labels were not set
-    # on a previous run. Belt and suspenders approach, should be fine to remove in the future.
-    # Prune images used by --external containers (e.g. build containers) when
-    # using podman.
-    echo "Prune all dangling images"
-    podman image prune --force --external
-  fi
-  echo "Prune all dangling $CI_IMAGE_LABEL images"
-  # When detecting podman-docker, `--external` should be added.
-  docker image prune --force --filter "label=$CI_IMAGE_LABEL"
-
-  # shellcheck disable=SC2086
-  CI_CONTAINER_ID=$(docker run --cap-add LINUX_IMMUTABLE $CI_CONTAINER_CAP --rm --interactive --detach --tty \
-                  --mount "type=bind,src=$BASE_READ_ONLY_DIR,dst=$BASE_READ_ONLY_DIR,readonly" \
-                  --mount "${CI_CCACHE_MOUNT}" \
-                  --mount "${CI_DEPENDS_MOUNT}" \
-                  --mount "${CI_DEPENDS_SOURCES_MOUNT}" \
-                  --mount "${CI_PREVIOUS_RELEASES_MOUNT}" \
-                  ${CI_BUILD_MOUNT} \
-                  --env-file /tmp/env-$USER-$CONTAINER_NAME \
-                  --name "$CONTAINER_NAME" \
-                  --network ci-ip6net \
-                  --platform="${CI_IMAGE_PLATFORM}" \
-                  "$CONTAINER_NAME")
-  export CI_CONTAINER_ID
-  export CI_EXEC_CMD_PREFIX="docker exec ${CI_CONTAINER_ID}"
-else
-  echo "Running on host system without docker wrapper"
-  echo "Create missing folders"
-  mkdir -p "${CCACHE_DIR}"
-  mkdir -p "${PREVIOUS_RELEASES_DIR}"
-fi
-
-if [ "$CI_OS_NAME" == "macos" ]; then
-  IN_GETOPT_BIN="$(brew --prefix gnu-getopt)/bin/getopt"
-  export IN_GETOPT_BIN
-fi
-
-CI_EXEC () {
-  $CI_EXEC_CMD_PREFIX bash -c "export PATH=\"/path_with space:${BINS_SCRATCH_DIR}:${BASE_ROOT_DIR}/ci/retry:\$PATH\" && cd \"${BASE_ROOT_DIR}\" && $*"
-}
-export -f CI_EXEC
-
-# Normalize all folders to BASE_ROOT_DIR
-CI_EXEC rsync --recursive --perms --stats --human-readable "${BASE_READ_ONLY_DIR}/" "${BASE_ROOT_DIR}" || echo "Nothing to copy from ${BASE_READ_ONLY_DIR}/"
-CI_EXEC "${BASE_ROOT_DIR}/ci/test/01_base_install.sh"
-
-CI_EXEC mkdir -p "${BINS_SCRATCH_DIR}"
-
-CI_EXEC "${BASE_ROOT_DIR}/ci/test/03_test_script.sh"
-
-if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
-  echo "Stop and remove CI container by ID"
-  docker container kill "${CI_CONTAINER_ID}"
-fi

ci/test/03_test_script.sh

@@ -8,6 +8,9 @@ export LC_ALL=C.UTF-8
 
 set -ex
 
+cd "${BASE_ROOT_DIR}"
+
+export PATH="/path_with space:${PATH}"
 export ASAN_OPTIONS="detect_leaks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1"
 export LSAN_OPTIONS="suppressions=${BASE_ROOT_DIR}/test/sanitizer_suppressions/lsan"
 export TSAN_OPTIONS="suppressions=${BASE_ROOT_DIR}/test/sanitizer_suppressions/tsan:halt_on_error=1:second_deadlock_stack=1"
@@ -41,7 +44,10 @@ echo "=== BEGIN env ==="
 env
 echo "=== END env ==="
 
-(
+# Don't apply patches in the iwyu job, because it relies on the `git diff`
+# command to detect IWYU errors. It is safe to skip this patch in the iwyu job
+# because it doesn't run a UB detector.
+if [[ "${RUN_IWYU}" != true ]]; then
   # compact->outputs[i].file_size is uninitialized memory, so reading it is UB.
   # The statistic bytes_written is only used for logging, which is disabled in
   # CI, so as a temporary minimal fix to work around UB and CI failures, leave
@@ -62,7 +68,7 @@ echo "=== END env ==="
    mutex_.Lock();
    stats_[compact->compaction->level() + 1].Add(stats);
 EOF
-)
+fi
 
 if [ "$RUN_FUZZ_TESTS" = "true" ]; then
   export DIR_FUZZ_IN=${DIR_QA_ASSETS}/fuzz_corpora/
@@ -82,15 +88,6 @@ elif [ "$RUN_UNIT_TESTS" = "true" ]; then
   fi
 fi
 
-if [ "$USE_BUSY_BOX" = "true" ]; then
-  echo "Setup to use BusyBox utils"
-  # tar excluded for now because it requires passing in the exact archive type in ./depends (fixed in later BusyBox version)
-  # ar excluded for now because it does not recognize the -q option in ./depends (unknown if fixed)
-  for util in $(busybox --list | grep -v "^ar$" | grep -v "^tar$" ); do ln -s "$(command -v busybox)" "${BINS_SCRATCH_DIR}/$util"; done
-  # Print BusyBox version
-  patch --help
-fi
-
 # Make sure default datadir does not exist and is never read by creating a dummy file
 if [ "$CI_OS_NAME" == "macos" ]; then
   echo > "${HOME}/Library/Application Support/Bitcoin"
@@ -99,8 +96,8 @@ else
 fi
 
 if [ -z "$NO_DEPENDS" ]; then
-  if [[ $CI_IMAGE_NAME_TAG == *centos* ]]; then
-    SHELL_OPTS="CONFIG_SHELL=/bin/dash"
+  if [[ $CI_IMAGE_NAME_TAG == *alpine* ]]; then
+    SHELL_OPTS="CONFIG_SHELL=/usr/bin/dash"
   else
     SHELL_OPTS="CONFIG_SHELL="
   fi
@@ -126,22 +123,27 @@ BASE_BUILD_DIR=${BASE_BUILD_DIR:-$BASE_SCRATCH_DIR/build-$HOST}
 
 BITCOIN_CONFIG_ALL="$BITCOIN_CONFIG_ALL -DCMAKE_INSTALL_PREFIX=$BASE_OUTDIR -Werror=dev"
 
-if [[ "${RUN_TIDY}" == "true" ]]; then
+if [[ "${RUN_IWYU}" == true || "${RUN_TIDY}" == true ]]; then
   BITCOIN_CONFIG_ALL="$BITCOIN_CONFIG_ALL -DCMAKE_EXPORT_COMPILE_COMMANDS=ON"
 fi
 
-bash -c "cmake -S $BASE_ROOT_DIR -B ${BASE_BUILD_DIR} $BITCOIN_CONFIG_ALL $BITCOIN_CONFIG" || (
+eval "CMAKE_ARGS=($BITCOIN_CONFIG_ALL $BITCOIN_CONFIG)"
+cmake -S "$BASE_ROOT_DIR" -B "$BASE_BUILD_DIR" "${CMAKE_ARGS[@]}" || (
   cd "${BASE_BUILD_DIR}"
   # shellcheck disable=SC2046
   cat $(cmake -P "${BASE_ROOT_DIR}/ci/test/GetCMakeLogFiles.cmake")
   false
 )
 
+if [[ "${GOAL}" != all && "${GOAL}" != codegen ]]; then
+  GOAL="all ${GOAL}"
+fi
+
 # shellcheck disable=SC2086
-cmake --build "${BASE_BUILD_DIR}" "$MAKEJOBS" --target all $GOAL || (
+cmake --build "${BASE_BUILD_DIR}" "$MAKEJOBS" --target $GOAL || (
   echo "Build failure. Verbose build follows."
   # shellcheck disable=SC2086
-  cmake --build "${BASE_BUILD_DIR}" -j1 --target all $GOAL --verbose
+  cmake --build "${BASE_BUILD_DIR}" -j1 --target $GOAL --verbose
   false
 )
 
@@ -182,7 +184,7 @@ if [ "$RUN_FUNCTIONAL_TESTS" = "true" ]; then
   eval "TEST_RUNNER_EXTRA=($TEST_RUNNER_EXTRA)"
   LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" \
   "${BASE_BUILD_DIR}/test/functional/test_runner.py" \
-    --ci "${MAKEJOBS}" \
+    "${MAKEJOBS}" \
     --tmpdirprefix "${BASE_SCRATCH_DIR}/test_runner/" \
     --ansi \
     --combinedlogslen=99999999 \
@@ -209,15 +211,34 @@ if [ "${RUN_TIDY}" = "true" ]; then
     echo "^^^ ⚠️ Failure generated from clang-tidy"
     false
   fi
+fi
+
+if [[ "${RUN_IWYU}" == true ]]; then
+  # TODO: Consider enforcing IWYU across the entire codebase.
+  FILES_WITH_ENFORCED_IWYU="/src/((crypto|index|kernel)/.*\\.cpp|node/blockstorage.cpp|node/utxo_snapshot.cpp|core_io.cpp|signet.cpp)"
+  jq --arg patterns "$FILES_WITH_ENFORCED_IWYU" 'map(select(.file | test($patterns)))' "${BASE_BUILD_DIR}/compile_commands.json" > "${BASE_BUILD_DIR}/compile_commands_iwyu_errors.json"
+  jq --arg patterns "$FILES_WITH_ENFORCED_IWYU" 'map(select(.file | test($patterns) | not))' "${BASE_BUILD_DIR}/compile_commands.json" > "${BASE_BUILD_DIR}/compile_commands_iwyu_warnings.json"
 
   cd "${BASE_ROOT_DIR}"
-  python3 "/include-what-you-use/iwyu_tool.py" \
-           -p "${BASE_BUILD_DIR}" "${MAKEJOBS}" \
-           -- -Xiwyu --cxx17ns -Xiwyu --mapping_file="${BASE_ROOT_DIR}/contrib/devtools/iwyu/bitcoin.core.imp" \
-           -Xiwyu --max_line_length=160 \
-           2>&1 | tee /tmp/iwyu_ci.out
-  cd "${BASE_ROOT_DIR}/src"
-  python3 "/include-what-you-use/fix_includes.py" --nosafe_headers < /tmp/iwyu_ci.out
+
+  run_iwyu() {
+    mv "${BASE_BUILD_DIR}/$1" "${BASE_BUILD_DIR}/compile_commands.json"
+    python3 "/include-what-you-use/iwyu_tool.py" \
+             -p "${BASE_BUILD_DIR}" "${MAKEJOBS}" \
+             -- -Xiwyu --cxx17ns -Xiwyu --mapping_file="${BASE_ROOT_DIR}/contrib/devtools/iwyu/bitcoin.core.imp" \
+             -Xiwyu --max_line_length=160 \
+             2>&1 | tee /tmp/iwyu_ci.out
+    python3 "/include-what-you-use/fix_includes.py" --nosafe_headers < /tmp/iwyu_ci.out
+    git diff -U0 | ./contrib/devtools/clang-format-diff.py -binary="clang-format-${TIDY_LLVM_V}" -p1 -i -v
+  }
+
+  run_iwyu "compile_commands_iwyu_errors.json"
+  if ! ( git --no-pager diff --exit-code ); then
+    echo "^^^ ⚠️ Failure generated from IWYU"
+    false
+  fi
+
+  run_iwyu "compile_commands_iwyu_warnings.json"
   git --no-pager diff
 fi
 

ci/test_imagefile

@@ -14,7 +14,11 @@ ENV FILE_ENV=${FILE_ENV}
 ARG BASE_ROOT_DIR
 ENV BASE_ROOT_DIR=${BASE_ROOT_DIR}
 
+# Make retry available in PATH, needed for CI_RETRY_EXE
 COPY ./ci/retry/retry /usr/bin/retry
-COPY ./ci/test/00_setup_env.sh ./${FILE_ENV} ./ci/test/01_base_install.sh /ci_container_base/ci/test/
+COPY ./ci/test/00_setup_env.sh ./${FILE_ENV} ./ci/test/01_base_install.sh ./ci/test/01_iwyu.patch /ci_container_base/ci/test/
+
+# Bash is required, so install it when missing
+RUN sh -c "bash -c 'true' || ( apk update && apk add --no-cache bash )"
 
 RUN ["bash", "-c", "cd /ci_container_base/ && set -o errexit && source ./ci/test/00_setup_env.sh && ./ci/test/01_base_install.sh"]

cmake/libmultiprocess.cmake

@@ -1,4 +1,4 @@
-# Copyright (c) 2025 The Bitcoin Core developers
+# Copyright (c) 2025-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or https://opensource.org/license/mit/.
 
@@ -27,7 +27,7 @@ function(add_libmultiprocess subdir)
   mark_as_advanced(CapnProto_kj-tls_IMPORTED_LOCATION)
   if(BUILD_TESTS)
     # Add tests to "all" target so ctest can run them
-    set_target_properties(mptests PROPERTIES EXCLUDE_FROM_ALL OFF)
+    set_target_properties(mptest PROPERTIES EXCLUDE_FROM_ALL OFF)
   endif()
   # Exclude examples from compilation database, because the examples are not
   # built by default, and they contain generated c++ code. Without this

cmake/module/AddBoostIfNeeded.cmake

@@ -29,7 +29,7 @@ function(add_boost_if_needed)
     endif()
   endif()
 
-  find_package(Boost 1.73.0 REQUIRED CONFIG)
+  find_package(Boost 1.74.0 REQUIRED CONFIG)
   mark_as_advanced(Boost_INCLUDE_DIR boost_headers_DIR)
   # Workaround for a bug in NetBSD pkgsrc.
   # See: https://github.com/NetBSD/pkgsrc/issues/167.

cmake/module/FindUSDT.cmake

@@ -36,6 +36,10 @@ if(USDT_INCLUDE_DIR)
   include(CheckCXXSourceCompiles)
   set(CMAKE_REQUIRED_INCLUDES ${USDT_INCLUDE_DIR})
   check_cxx_source_compiles("
+    #if defined(__arm__)
+    #  define STAP_SDT_ARG_CONSTRAINT g
+    #endif
+
     // Setting SDT_USE_VARIADIC lets systemtap (sys/sdt.h) know that we want to use
     // the optional variadic macros to define tracepoints.
     #define SDT_USE_VARIADIC 1

cmake/module/Maintenance.cmake

@@ -18,30 +18,6 @@ function(setup_split_debug_script)
   endif()
 endfunction()
 
-function(add_maintenance_targets)
-  if(NOT TARGET Python3::Interpreter)
-    return()
-  endif()
-
-  foreach(target IN ITEMS bitcoin bitcoind bitcoin-node bitcoin-qt bitcoin-gui bitcoin-cli bitcoin-tx bitcoin-util bitcoin-wallet test_bitcoin bench_bitcoin)
-    if(TARGET ${target})
-      list(APPEND executables $<TARGET_FILE:${target}>)
-    endif()
-  endforeach()
-
-  add_custom_target(check-symbols
-    COMMAND ${CMAKE_COMMAND} -E echo "Running symbol and dynamic library checks..."
-    COMMAND Python3::Interpreter ${PROJECT_SOURCE_DIR}/contrib/guix/symbol-check.py ${executables}
-    VERBATIM
-  )
-
-  add_custom_target(check-security
-    COMMAND ${CMAKE_COMMAND} -E echo "Checking binary security..."
-    COMMAND Python3::Interpreter ${PROJECT_SOURCE_DIR}/contrib/guix/security-check.py ${executables}
-    VERBATIM
-  )
-endfunction()
-
 function(add_windows_deploy_target)
   if(MINGW AND TARGET bitcoin AND TARGET bitcoin-qt AND TARGET bitcoind AND TARGET bitcoin-cli AND TARGET bitcoin-tx AND TARGET bitcoin-wallet AND TARGET bitcoin-util AND TARGET test_bitcoin)
     find_program(MAKENSIS_EXECUTABLE makensis)
@@ -96,24 +72,24 @@ function(add_macos_deploy_target)
       VERBATIM
     )
 
-    string(REPLACE " " "-" osx_volname ${CLIENT_NAME})
+    set(macos_zip "bitcoin-macos-app")
     if(CMAKE_HOST_APPLE)
       add_custom_command(
-        OUTPUT ${PROJECT_BINARY_DIR}/${osx_volname}.zip
-        COMMAND Python3::Interpreter ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} ${osx_volname} -translations-dir=${QT_TRANSLATIONS_DIR} -zip
+        OUTPUT ${PROJECT_BINARY_DIR}/${macos_zip}.zip
+        COMMAND Python3::Interpreter ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} -translations-dir=${QT_TRANSLATIONS_DIR} -zip=${macos_zip}
         DEPENDS ${PROJECT_BINARY_DIR}/${macos_app}/Contents/MacOS/Bitcoin-Qt
         VERBATIM
       )
       add_custom_target(deploydir
-        DEPENDS ${PROJECT_BINARY_DIR}/${osx_volname}.zip
+        DEPENDS ${PROJECT_BINARY_DIR}/${macos_zip}.zip
       )
       add_custom_target(deploy
-        DEPENDS ${PROJECT_BINARY_DIR}/${osx_volname}.zip
+        DEPENDS ${PROJECT_BINARY_DIR}/${macos_zip}.zip
       )
     else()
       add_custom_command(
         OUTPUT ${PROJECT_BINARY_DIR}/dist/${macos_app}/Contents/MacOS/Bitcoin-Qt
-        COMMAND ${CMAKE_COMMAND} -E env OBJDUMP=${CMAKE_OBJDUMP} $<TARGET_FILE:Python3::Interpreter> ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} ${osx_volname} -translations-dir=${QT_TRANSLATIONS_DIR}
+        COMMAND ${CMAKE_COMMAND} -E env OBJDUMP=${CMAKE_OBJDUMP} $<TARGET_FILE:Python3::Interpreter> ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} -translations-dir=${QT_TRANSLATIONS_DIR}
         DEPENDS ${PROJECT_BINARY_DIR}/${macos_app}/Contents/MacOS/Bitcoin-Qt
         VERBATIM
       )
@@ -128,13 +104,13 @@ function(add_macos_deploy_target)
         )
       else()
         add_custom_command(
-          OUTPUT ${PROJECT_BINARY_DIR}/dist/${osx_volname}.zip
+          OUTPUT ${PROJECT_BINARY_DIR}/dist/${macos_zip}.zip
           WORKING_DIRECTORY dist
-          COMMAND ${PROJECT_SOURCE_DIR}/cmake/script/macos_zip.sh ${ZIP_EXECUTABLE} ${osx_volname}.zip
+          COMMAND ${PROJECT_SOURCE_DIR}/cmake/script/macos_zip.sh ${ZIP_EXECUTABLE} ${macos_zip}.zip
           VERBATIM
         )
         add_custom_target(deploy
-          DEPENDS ${PROJECT_BINARY_DIR}/dist/${osx_volname}.zip
+          DEPENDS ${PROJECT_BINARY_DIR}/dist/${macos_zip}.zip
         )
       endif()
     endif()

cmake/secp256k1.cmake

@@ -2,6 +2,8 @@
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or https://opensource.org/license/mit/.
 
+enable_language(C)
+
 function(add_secp256k1 subdir)
   message("")
   message("Configuring secp256k1 subtree...")
@@ -30,7 +32,6 @@ function(add_secp256k1 subdir)
   string(STRIP "${SECP256K1_APPEND_LDFLAGS} ${APPEND_LDFLAGS}" SECP256K1_APPEND_LDFLAGS)
   set(SECP256K1_APPEND_LDFLAGS ${SECP256K1_APPEND_LDFLAGS} CACHE STRING "" FORCE)
   # We want to build libsecp256k1 with the most tested RelWithDebInfo configuration.
-  enable_language(C)
   foreach(config IN LISTS CMAKE_BUILD_TYPE CMAKE_CONFIGURATION_TYPES)
     if(config STREQUAL "")
       continue()

cmake/windows-app.manifest.in

@@ -1,10 +1,15 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
   <assemblyIdentity
       type="win32"
       name="org.bitcoincore.${target}"
       version="${CLIENT_VERSION_MAJOR}.${CLIENT_VERSION_MINOR}.${CLIENT_VERSION_BUILD}.0"
   />
+  <asmv3:application>
+    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2019/WindowsSettings">
+      <activeCodePage>UTF-8</activeCodePage>
+    </asmv3:windowsSettings>
+  </asmv3:application>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
     <security>
       <requestedPrivileges>

contrib/asmap/asmap-tool.py

@@ -131,6 +131,8 @@ def main():
     if args.subcommand is None:
         parser.print_help()
     elif args.subcommand == "encode":
+        if args.outfile.isatty():
+            sys.exit("Not much use in writing binary to a TTY. Please specify an output file or pipe output to another process.")
         state = load_file(args.infile)
         save_binary(args.outfile, state, fill=args.fill)
     elif args.subcommand == "decode":
@@ -140,15 +142,19 @@ def main():
         state1 = load_file(args.infile1)
         state2 = load_file(args.infile2)
         ipv4_changed = 0
+        ipv4_entries_changed = 0
         ipv6_changed = 0
+        ipv6_entries_changed = 0
         for prefix, old_asn, new_asn in state1.diff(state2):
             if args.ignore_unassigned and old_asn == 0:
                 continue
             net = asmap.prefix_to_net(prefix)
             if isinstance(net, ipaddress.IPv4Network):
-                ipv4_changed += 1 << (32 - net.prefixlen)
+                ipv4_changed += net.num_addresses
+                ipv4_entries_changed += 1
             elif isinstance(net, ipaddress.IPv6Network):
-                ipv6_changed += 1 << (128 - net.prefixlen)
+                ipv6_changed += net.num_addresses
+                ipv6_entries_changed += 1
             if new_asn == 0:
                 print(f"# {net} was AS{old_asn}")
             elif old_asn == 0:
@@ -159,8 +165,9 @@ def main():
         ipv6_change_str = "" if ipv6_changed == 0 else f" (2^{math.log2(ipv6_changed):.2f})"
 
         print(
-            f"# {ipv4_changed}{ipv4_change_str} IPv4 addresses changed; "
-            f"{ipv6_changed}{ipv6_change_str} IPv6 addresses changed"
+f"""# Summary
+IPv4: {ipv4_entries_changed} entries with {ipv4_changed}{ipv4_change_str} addresses changed
+IPv6: {ipv6_entries_changed} entries with {ipv6_changed}{ipv6_change_str} addresses changed"""
         )
     elif args.subcommand == "diff_addrs":
         state1 = load_file(args.infile1)

contrib/completions/bash/bitcoin-cli.bash

@@ -1,5 +1,5 @@
 # bash programmable completion for bitcoin-cli(1)
-# Copyright (c) 2012-2022 The Bitcoin Core developers
+# Copyright (c) 2012-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/completions/bash/bitcoin-tx.bash

@@ -1,5 +1,5 @@
 # bash programmable completion for bitcoin-tx(1)
-# Copyright (c) 2016-2022 The Bitcoin Core developers
+# Copyright (c) 2016-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/completions/bash/bitcoind.bash

@@ -1,5 +1,5 @@
 # bash programmable completion for bitcoind(1) and bitcoin-qt(1)
-# Copyright (c) 2012-2022 The Bitcoin Core developers
+# Copyright (c) 2012-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/debian/copyright

@@ -5,7 +5,7 @@ Upstream-Contact: Satoshi Nakamoto <satoshin@gmx.com>
 Source: https://github.com/bitcoin/bitcoin
 
 Files: *
-Copyright: 2009-2025, Bitcoin Core Developers
+Copyright: 2009-2026, Bitcoin Core Developers
 License: Expat
 Comment: The Bitcoin Core Developers encompasses all contributors to the
          project, listed in the release notes or the git log.

contrib/devtools/README.md

@@ -61,65 +61,6 @@ the script should be called from the git root folder as follows.
 git diff -U0 HEAD~1.. | ./contrib/devtools/clang-format-diff.py -p1 -i -v
 ```
 
-copyright\_header.py
-====================
-
-Provides utilities for managing copyright headers of `The Bitcoin Core
-developers` in repository source files. It has three subcommands:
-
-```
-$ ./copyright_header.py report <base_directory> [verbose]
-$ ./copyright_header.py update <base_directory>
-$ ./copyright_header.py insert <file>
-```
-Running these subcommands without arguments displays a usage string.
-
-copyright\_header.py report \<base\_directory\> [verbose]
----------------------------------------------------------
-
-Produces a report of all copyright header notices found inside the source files
-of a repository. Useful to quickly visualize the state of the headers.
-Specifying `verbose` will list the full filenames of files of each category.
-
-copyright\_header.py update \<base\_directory\> [verbose]
----------------------------------------------------------
-Updates all the copyright headers of `The Bitcoin Core developers` which were
-changed in a year more recent than is listed. For example:
-```
-// Copyright (c) <firstYear>-<lastYear> The Bitcoin Core developers
-```
-will be updated to:
-```
-// Copyright (c) <firstYear>-<lastModifiedYear> The Bitcoin Core developers
-```
-where `<lastModifiedYear>` is obtained from the `git log` history.
-
-This subcommand also handles copyright headers that have only a single year. In
-those cases:
-```
-// Copyright (c) <year> The Bitcoin Core developers
-```
-will be updated to:
-```
-// Copyright (c) <year>-<lastModifiedYear> The Bitcoin Core developers
-```
-where the update is appropriate.
-
-copyright\_header.py insert \<file\>
-------------------------------------
-Inserts a copyright header for `The Bitcoin Core developers` at the top of the
-file in either Python or C++ style as determined by the file extension. If the
-file is a Python file and it has  `#!` starting the first line, the header is
-inserted in the line below it.
-
-The copyright dates will be set to be `<year_introduced>-<current_year>` where
-`<year_introduced>` is according to the `git log` history. If
-`<year_introduced>` is equal to `<current_year>`, it will be set as a single
-year rather than two hyphenated years.
-
-If the file already has a copyright for `The Bitcoin Core developers`, the
-script will exit.
-
 gen-manpages.py
 ===============
 
@@ -137,7 +78,7 @@ BUILDDIR=$PWD/my-build-dir contrib/devtools/gen-manpages.py
 headerssync-params.py
 =====================
 
-A script to generate optimal parameters for the headerssync module (src/headerssync.cpp). It takes no command-line
+A script to generate optimal parameters for the headerssync module (stored in src/kernel/chainparams.cpp). It takes no command-line
 options, as all its configuration is set at the top of the file. It runs many times faster inside PyPy. Invocation:
 
 ```bash

contrib/devtools/circular-dependencies.py

@@ -1,16 +1,11 @@
 #!/usr/bin/env python3
-# Copyright (c) 2018-2020 The Bitcoin Core developers
+# Copyright (c) 2018-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 import sys
 import re
 
-MAPPING = {
-    'core_read.cpp': 'core_io.cpp',
-    'core_write.cpp': 'core_io.cpp',
-}
-
 # Directories with header-based modules, where the assumption that .cpp files
 # define functions and variables declared in corresponding .h files is
 # incorrect.
@@ -19,8 +14,6 @@ HEADER_MODULE_PATHS = [
 ]
 
 def module_name(path):
-    if path in MAPPING:
-        path = MAPPING[path]
     if any(path.startswith(dirpath) for dirpath in HEADER_MODULE_PATHS):
         return path
     if path.endswith(".h"):
@@ -49,7 +42,7 @@ for arg in sys.argv[1:]:
 # TODO: implement support for multiple include directories
 for arg in sorted(files.keys()):
     module = files[arg]
-    with open(arg, 'r', encoding="utf8") as f:
+    with open(arg, 'r') as f:
         for line in f:
             match = RE.match(line)
             if match:

contrib/devtools/clang-format-diff.py

@@ -169,7 +169,7 @@ def main():
             sys.exit(p.returncode)
 
         if not args.i:
-            with open(filename, encoding="utf8") as f:
+            with open(filename) as f:
                 code = f.readlines()
             formatted_code = StringIO(stdout).readlines()
             diff = difflib.unified_diff(

contrib/devtools/copyright_header.py

@@ -1,601 +0,0 @@
-#!/usr/bin/env python3
-# Copyright (c) 2016-2022 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-import re
-import fnmatch
-import sys
-import subprocess
-import datetime
-import os
-
-################################################################################
-# file filtering
-################################################################################
-
-EXCLUDE = [
-    # auto generated:
-    'src/qt/bitcoinstrings.cpp',
-    'src/chainparamsseeds.h',
-    # other external copyrights:
-    'src/test/fuzz/FuzzedDataProvider.h',
-    'src/tinyformat.h',
-    'src/bench/nanobench.h',
-    # python init:
-    '*__init__.py',
-]
-EXCLUDE_COMPILED = re.compile('|'.join([fnmatch.translate(m) for m in EXCLUDE]))
-
-EXCLUDE_DIRS = [
-    # git subtrees
-    "src/crypto/ctaes/",
-    "src/leveldb/",
-    "src/minisketch",
-    "src/secp256k1/",
-    "src/crc32c/",
-]
-
-INCLUDE = ['*.h', '*.cpp', '*.cc', '*.c', '*.mm', '*.py', '*.sh', '*.bash-completion']
-INCLUDE_COMPILED = re.compile('|'.join([fnmatch.translate(m) for m in INCLUDE]))
-
-def applies_to_file(filename):
-    for excluded_dir in EXCLUDE_DIRS:
-        if filename.startswith(excluded_dir):
-            return False
-    return ((EXCLUDE_COMPILED.match(filename) is None) and
-            (INCLUDE_COMPILED.match(filename) is not None))
-
-################################################################################
-# obtain list of files in repo according to INCLUDE and EXCLUDE
-################################################################################
-
-GIT_LS_CMD = 'git ls-files --full-name'.split(' ')
-GIT_TOPLEVEL_CMD = 'git rev-parse --show-toplevel'.split(' ')
-
-def call_git_ls(base_directory):
-    out = subprocess.check_output([*GIT_LS_CMD, base_directory])
-    return [f for f in out.decode("utf-8").split('\n') if f != '']
-
-def call_git_toplevel():
-    "Returns the absolute path to the project root"
-    return subprocess.check_output(GIT_TOPLEVEL_CMD).strip().decode("utf-8")
-
-def get_filenames_to_examine(base_directory):
-    "Returns an array of absolute paths to any project files in the base_directory that pass the include/exclude filters"
-    root = call_git_toplevel()
-    filenames = call_git_ls(base_directory)
-    return sorted([os.path.join(root, filename) for filename in filenames if
-                   applies_to_file(filename)])
-
-################################################################################
-# define and compile regexes for the patterns we are looking for
-################################################################################
-
-
-COPYRIGHT_WITH_C = r'Copyright \(c\)'
-COPYRIGHT_WITHOUT_C = 'Copyright'
-ANY_COPYRIGHT_STYLE = '(%s|%s)' % (COPYRIGHT_WITH_C, COPYRIGHT_WITHOUT_C)
-
-YEAR = "20[0-9][0-9]"
-YEAR_RANGE = '(%s)(-%s)?' % (YEAR, YEAR)
-YEAR_LIST = '(%s)(, %s)+' % (YEAR, YEAR)
-ANY_YEAR_STYLE = '(%s|%s)' % (YEAR_RANGE, YEAR_LIST)
-ANY_COPYRIGHT_STYLE_OR_YEAR_STYLE = ("%s %s" % (ANY_COPYRIGHT_STYLE,
-                                                ANY_YEAR_STYLE))
-
-ANY_COPYRIGHT_COMPILED = re.compile(ANY_COPYRIGHT_STYLE_OR_YEAR_STYLE)
-
-def compile_copyright_regex(copyright_style, year_style, name):
-    return re.compile(r'%s %s,? %s( +\*)?\n' % (copyright_style, year_style, name))
-
-EXPECTED_HOLDER_NAMES = [
-    r"Satoshi Nakamoto",
-    r"The Bitcoin Core developers",
-    r"BitPay Inc\.",
-    r"Pieter Wuille",
-    r"Wladimir J\. van der Laan",
-    r"Jeff Garzik",
-    r"Jan-Klaas Kollhof",
-    r"ArtForz -- public domain half-a-node",
-    r"Intel Corporation ?",
-    r"The Zcash developers",
-    r"Jeremy Rubin",
-]
-
-DOMINANT_STYLE_COMPILED = {}
-YEAR_LIST_STYLE_COMPILED = {}
-WITHOUT_C_STYLE_COMPILED = {}
-
-for holder_name in EXPECTED_HOLDER_NAMES:
-    DOMINANT_STYLE_COMPILED[holder_name] = (
-        compile_copyright_regex(COPYRIGHT_WITH_C, YEAR_RANGE, holder_name))
-    YEAR_LIST_STYLE_COMPILED[holder_name] = (
-        compile_copyright_regex(COPYRIGHT_WITH_C, YEAR_LIST, holder_name))
-    WITHOUT_C_STYLE_COMPILED[holder_name] = (
-        compile_copyright_regex(COPYRIGHT_WITHOUT_C, ANY_YEAR_STYLE,
-                                holder_name))
-
-################################################################################
-# search file contents for copyright message of particular category
-################################################################################
-
-def get_count_of_copyrights_of_any_style_any_holder(contents):
-    return len(ANY_COPYRIGHT_COMPILED.findall(contents))
-
-def file_has_dominant_style_copyright_for_holder(contents, holder_name):
-    match = DOMINANT_STYLE_COMPILED[holder_name].search(contents)
-    return match is not None
-
-def file_has_year_list_style_copyright_for_holder(contents, holder_name):
-    match = YEAR_LIST_STYLE_COMPILED[holder_name].search(contents)
-    return match is not None
-
-def file_has_without_c_style_copyright_for_holder(contents, holder_name):
-    match = WITHOUT_C_STYLE_COMPILED[holder_name].search(contents)
-    return match is not None
-
-################################################################################
-# get file info
-################################################################################
-
-def read_file(filename):
-    return open(filename, 'r', encoding="utf8").read()
-
-def gather_file_info(filename):
-    info = {}
-    info['filename'] = filename
-    c = read_file(filename)
-    info['contents'] = c
-
-    info['all_copyrights'] = get_count_of_copyrights_of_any_style_any_holder(c)
-
-    info['classified_copyrights'] = 0
-    info['dominant_style'] = {}
-    info['year_list_style'] = {}
-    info['without_c_style'] = {}
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        has_dominant_style = (
-            file_has_dominant_style_copyright_for_holder(c, holder_name))
-        has_year_list_style = (
-            file_has_year_list_style_copyright_for_holder(c, holder_name))
-        has_without_c_style = (
-            file_has_without_c_style_copyright_for_holder(c, holder_name))
-        info['dominant_style'][holder_name] = has_dominant_style
-        info['year_list_style'][holder_name] = has_year_list_style
-        info['without_c_style'][holder_name] = has_without_c_style
-        if has_dominant_style or has_year_list_style or has_without_c_style:
-            info['classified_copyrights'] = info['classified_copyrights'] + 1
-    return info
-
-################################################################################
-# report execution
-################################################################################
-
-SEPARATOR = '-'.join(['' for _ in range(80)])
-
-def print_filenames(filenames, verbose):
-    if not verbose:
-        return
-    for filename in filenames:
-        print("\t%s" % filename)
-
-def print_report(file_infos, verbose):
-    print(SEPARATOR)
-    examined = [i['filename'] for i in file_infos]
-    print("%d files examined according to INCLUDE and EXCLUDE fnmatch rules" %
-          len(examined))
-    print_filenames(examined, verbose)
-
-    print(SEPARATOR)
-    print('')
-    zero_copyrights = [i['filename'] for i in file_infos if
-                       i['all_copyrights'] == 0]
-    print("%4d with zero copyrights" % len(zero_copyrights))
-    print_filenames(zero_copyrights, verbose)
-    one_copyright = [i['filename'] for i in file_infos if
-                     i['all_copyrights'] == 1]
-    print("%4d with one copyright" % len(one_copyright))
-    print_filenames(one_copyright, verbose)
-    two_copyrights = [i['filename'] for i in file_infos if
-                      i['all_copyrights'] == 2]
-    print("%4d with two copyrights" % len(two_copyrights))
-    print_filenames(two_copyrights, verbose)
-    three_copyrights = [i['filename'] for i in file_infos if
-                        i['all_copyrights'] == 3]
-    print("%4d with three copyrights" % len(three_copyrights))
-    print_filenames(three_copyrights, verbose)
-    four_or_more_copyrights = [i['filename'] for i in file_infos if
-                               i['all_copyrights'] >= 4]
-    print("%4d with four or more copyrights" % len(four_or_more_copyrights))
-    print_filenames(four_or_more_copyrights, verbose)
-    print('')
-    print(SEPARATOR)
-    print('Copyrights with dominant style:\ne.g. "Copyright (c)" and '
-          '"<year>" or "<startYear>-<endYear>":\n')
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        dominant_style = [i['filename'] for i in file_infos if
-                          i['dominant_style'][holder_name]]
-        if len(dominant_style) > 0:
-            print("%4d with '%s'" % (len(dominant_style),
-                                     holder_name.replace('\n', '\\n')))
-            print_filenames(dominant_style, verbose)
-    print('')
-    print(SEPARATOR)
-    print('Copyrights with year list style:\ne.g. "Copyright (c)" and '
-          '"<year1>, <year2>, ...":\n')
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        year_list_style = [i['filename'] for i in file_infos if
-                           i['year_list_style'][holder_name]]
-        if len(year_list_style) > 0:
-            print("%4d with '%s'" % (len(year_list_style),
-                                     holder_name.replace('\n', '\\n')))
-            print_filenames(year_list_style, verbose)
-    print('')
-    print(SEPARATOR)
-    print('Copyrights with no "(c)" style:\ne.g. "Copyright" and "<year>" or '
-          '"<startYear>-<endYear>":\n')
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        without_c_style = [i['filename'] for i in file_infos if
-                           i['without_c_style'][holder_name]]
-        if len(without_c_style) > 0:
-            print("%4d with '%s'" % (len(without_c_style),
-                                     holder_name.replace('\n', '\\n')))
-            print_filenames(without_c_style, verbose)
-
-    print('')
-    print(SEPARATOR)
-
-    unclassified_copyrights = [i['filename'] for i in file_infos if
-                               i['classified_copyrights'] < i['all_copyrights']]
-    print("%d with unexpected copyright holder names" %
-          len(unclassified_copyrights))
-    print_filenames(unclassified_copyrights, verbose)
-    print(SEPARATOR)
-
-def exec_report(base_directory, verbose):
-    filenames = get_filenames_to_examine(base_directory)
-    file_infos = [gather_file_info(f) for f in filenames]
-    print_report(file_infos, verbose)
-
-################################################################################
-# report cmd
-################################################################################
-
-REPORT_USAGE = """
-Produces a report of all copyright header notices found inside the source files
-of a repository.
-
-Usage:
-    $ ./copyright_header.py report <base_directory> [verbose]
-
-Arguments:
-    <base_directory> - The base directory of a bitcoin source code repository.
-    [verbose] - Includes a list of every file of each subcategory in the report.
-"""
-
-def report_cmd(argv):
-    if len(argv) == 2:
-        sys.exit(REPORT_USAGE)
-
-    base_directory = argv[2]
-    if not os.path.exists(base_directory):
-        sys.exit("*** bad <base_directory>: %s" % base_directory)
-
-    if len(argv) == 3:
-        verbose = False
-    elif argv[3] == 'verbose':
-        verbose = True
-    else:
-        sys.exit("*** unknown argument: %s" % argv[2])
-
-    exec_report(base_directory, verbose)
-
-################################################################################
-# query git for year of last change
-################################################################################
-
-GIT_LOG_CMD = "git log --pretty=format:%%ai %s"
-
-def call_git_log(filename):
-    out = subprocess.check_output((GIT_LOG_CMD % filename).split(' '))
-    return out.decode("utf-8").split('\n')
-
-def get_git_change_years(filename):
-    git_log_lines = call_git_log(filename)
-    if len(git_log_lines) == 0:
-        return [datetime.date.today().year]
-    # timestamp is in ISO 8601 format. e.g. "2016-09-05 14:25:32 -0600"
-    return [line.split(' ')[0].split('-')[0] for line in git_log_lines]
-
-def get_most_recent_git_change_year(filename):
-    return max(get_git_change_years(filename))
-
-################################################################################
-# read and write to file
-################################################################################
-
-def read_file_lines(filename):
-    with open(filename, 'r', encoding="utf8") as f:
-        file_lines = f.readlines()
-    return file_lines
-
-def write_file_lines(filename, file_lines):
-    with open(filename, 'w', encoding="utf8") as f:
-        f.write(''.join(file_lines))
-
-################################################################################
-# update header years execution
-################################################################################
-
-COPYRIGHT = r'Copyright \(c\)'
-YEAR = "20[0-9][0-9]"
-YEAR_RANGE = '(%s)(-%s)?' % (YEAR, YEAR)
-HOLDER = 'The Bitcoin Core developers'
-UPDATEABLE_LINE_COMPILED = re.compile(' '.join([COPYRIGHT, YEAR_RANGE, HOLDER]))
-
-def get_updatable_copyright_line(file_lines):
-    index = 0
-    for line in file_lines:
-        if UPDATEABLE_LINE_COMPILED.search(line) is not None:
-            return index, line
-        index = index + 1
-    return None, None
-
-def parse_year_range(year_range):
-    year_split = year_range.split('-')
-    start_year = year_split[0]
-    if len(year_split) == 1:
-        return start_year, start_year
-    return start_year, year_split[1]
-
-def year_range_to_str(start_year, end_year):
-    if start_year == end_year:
-        return start_year
-    return "%s-%s" % (start_year, end_year)
-
-def create_updated_copyright_line(line, last_git_change_year):
-    copyright_splitter = 'Copyright (c) '
-    copyright_split = line.split(copyright_splitter)
-    # Preserve characters on line that are ahead of the start of the copyright
-    # notice - they are part of the comment block and vary from file-to-file.
-    before_copyright = copyright_split[0]
-    after_copyright = copyright_split[1]
-
-    space_split = after_copyright.split(' ')
-    year_range = space_split[0]
-    start_year, end_year = parse_year_range(year_range)
-    if end_year >= last_git_change_year:
-        return line
-    return (before_copyright + copyright_splitter +
-            year_range_to_str(start_year, last_git_change_year) + ' ' +
-            ' '.join(space_split[1:]))
-
-def update_updatable_copyright(filename):
-    file_lines = read_file_lines(filename)
-    index, line = get_updatable_copyright_line(file_lines)
-    if not line:
-        print_file_action_message(filename, "No updatable copyright.")
-        return
-    last_git_change_year = get_most_recent_git_change_year(filename)
-    new_line = create_updated_copyright_line(line, last_git_change_year)
-    if line == new_line:
-        print_file_action_message(filename, "Copyright up-to-date.")
-        return
-    file_lines[index] = new_line
-    write_file_lines(filename, file_lines)
-    print_file_action_message(filename,
-                              "Copyright updated! -> %s" % last_git_change_year)
-
-def exec_update_header_year(base_directory):
-    for filename in get_filenames_to_examine(base_directory):
-        update_updatable_copyright(filename)
-
-################################################################################
-# update cmd
-################################################################################
-
-UPDATE_USAGE = """
-Updates all the copyright headers of "The Bitcoin Core developers" which were
-changed in a year more recent than is listed. For example:
-
-// Copyright (c) <firstYear>-<lastYear> The Bitcoin Core developers
-
-will be updated to:
-
-// Copyright (c) <firstYear>-<lastModifiedYear> The Bitcoin Core developers
-
-where <lastModifiedYear> is obtained from the 'git log' history.
-
-This subcommand also handles copyright headers that have only a single year. In those cases:
-
-// Copyright (c) <year> The Bitcoin Core developers
-
-will be updated to:
-
-// Copyright (c) <year>-<lastModifiedYear> The Bitcoin Core developers
-
-where the update is appropriate.
-
-Usage:
-    $ ./copyright_header.py update <base_directory>
-
-Arguments:
-    <base_directory> - The base directory of a bitcoin source code repository.
-"""
-
-def print_file_action_message(filename, action):
-    print("%-52s %s" % (filename, action))
-
-def update_cmd(argv):
-    if len(argv) != 3:
-        sys.exit(UPDATE_USAGE)
-
-    base_directory = argv[2]
-    if not os.path.exists(base_directory):
-        sys.exit("*** bad base_directory: %s" % base_directory)
-    exec_update_header_year(base_directory)
-
-################################################################################
-# inserted copyright header format
-################################################################################
-
-def get_header_lines(header, start_year, end_year):
-    lines = header.split('\n')[1:-1]
-    lines[0] = lines[0] % year_range_to_str(start_year, end_year)
-    return [line + '\n' for line in lines]
-
-CPP_HEADER = '''
-// Copyright (c) %s The Bitcoin Core developers
-// Distributed under the MIT software license, see the accompanying
-// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-'''
-
-def get_cpp_header_lines_to_insert(start_year, end_year):
-    return reversed(get_header_lines(CPP_HEADER, start_year, end_year))
-
-SCRIPT_HEADER = '''
-# Copyright (c) %s The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-'''
-
-def get_script_header_lines_to_insert(start_year, end_year):
-    return reversed(get_header_lines(SCRIPT_HEADER, start_year, end_year))
-
-################################################################################
-# query git for year of last change
-################################################################################
-
-def get_git_change_year_range(filename):
-    years = get_git_change_years(filename)
-    return min(years), max(years)
-
-################################################################################
-# check for existing core copyright
-################################################################################
-
-def file_already_has_core_copyright(file_lines):
-    index, _ = get_updatable_copyright_line(file_lines)
-    return index is not None
-
-################################################################################
-# insert header execution
-################################################################################
-
-def file_has_hashbang(file_lines):
-    if len(file_lines) < 1:
-        return False
-    if len(file_lines[0]) <= 2:
-        return False
-    return file_lines[0][:2] == '#!'
-
-def insert_script_header(filename, file_lines, start_year, end_year):
-    if file_has_hashbang(file_lines):
-        insert_idx = 1
-    else:
-        insert_idx = 0
-    header_lines = get_script_header_lines_to_insert(start_year, end_year)
-    for line in header_lines:
-        file_lines.insert(insert_idx, line)
-    write_file_lines(filename, file_lines)
-
-def insert_cpp_header(filename, file_lines, start_year, end_year):
-    file_lines.insert(0, '\n')
-    header_lines = get_cpp_header_lines_to_insert(start_year, end_year)
-    for line in header_lines:
-        file_lines.insert(0, line)
-    write_file_lines(filename, file_lines)
-
-def exec_insert_header(filename, style):
-    file_lines = read_file_lines(filename)
-    if file_already_has_core_copyright(file_lines):
-        sys.exit('*** %s already has a copyright by The Bitcoin Core developers'
-                 % (filename))
-    start_year, end_year = get_git_change_year_range(filename)
-    if style in ['python', 'shell']:
-        insert_script_header(filename, file_lines, start_year, end_year)
-    else:
-        insert_cpp_header(filename, file_lines, start_year, end_year)
-
-################################################################################
-# insert cmd
-################################################################################
-
-INSERT_USAGE = """
-Inserts a copyright header for "The Bitcoin Core developers" at the top of the
-file in either Python or C++ style as determined by the file extension. If the
-file is a Python file and it has a '#!' starting the first line, the header is
-inserted in the line below it.
-
-The copyright dates will be set to be:
-
-"<year_introduced>-<current_year>"
-
-where <year_introduced> is according to the 'git log' history. If
-<year_introduced> is equal to <current_year>, the date will be set to be:
-
-"<current_year>"
-
-If the file already has a copyright for "The Bitcoin Core developers", the
-script will exit.
-
-Usage:
-    $ ./copyright_header.py insert <file>
-
-Arguments:
-    <file> - A source file in the bitcoin repository.
-"""
-
-def insert_cmd(argv):
-    if len(argv) != 3:
-        sys.exit(INSERT_USAGE)
-
-    filename = argv[2]
-    if not os.path.isfile(filename):
-        sys.exit("*** bad filename: %s" % filename)
-    _, extension = os.path.splitext(filename)
-    if extension not in ['.h', '.cpp', '.cc', '.c', '.py', '.sh']:
-        sys.exit("*** cannot insert for file extension %s" % extension)
-
-    if extension == '.py':
-        style = 'python'
-    elif extension == '.sh':
-        style = 'shell'
-    else:
-        style = 'cpp'
-    exec_insert_header(filename, style)
-
-################################################################################
-# UI
-################################################################################
-
-USAGE = """
-copyright_header.py - utilities for managing copyright headers of 'The Bitcoin
-Core developers' in repository source files.
-
-Usage:
-    $ ./copyright_header <subcommand>
-
-Subcommands:
-    report
-    update
-    insert
-
-To see subcommand usage, run them without arguments.
-"""
-
-SUBCOMMANDS = ['report', 'update', 'insert']
-
-if __name__ == "__main__":
-    if len(sys.argv) == 1:
-        sys.exit(USAGE)
-    subcommand = sys.argv[1]
-    if subcommand not in SUBCOMMANDS:
-        sys.exit(USAGE)
-    if subcommand == 'report':
-        report_cmd(sys.argv)
-    elif subcommand == 'update':
-        update_cmd(sys.argv)
-    elif subcommand == 'insert':
-        insert_cmd(sys.argv)

contrib/devtools/deterministic-fuzz-coverage/src/main.rs

@@ -36,7 +36,7 @@ fn sanity_check(corpora_dir: &Path, fuzz_exe: &Path) -> AppResult {
         let output = Command::new(tool).arg("--help").output();
         match output {
             Ok(output) if output.status.success() => {}
-            _ => Err(exit_help(&format!("The tool {} is not installed", tool)))?,
+            _ => Err(exit_help(&format!("The tool {tool} is not installed")))?,
         }
     }
     if !corpora_dir.is_dir() {
@@ -274,7 +274,7 @@ fn main() -> ExitCode {
     match app() {
         Ok(()) => ExitCode::SUCCESS,
         Err(err) => {
-            eprintln!("⚠️\n{}", err);
+            eprintln!("⚠️\n{err}");
             ExitCode::FAILURE
         }
     }

contrib/devtools/deterministic-unittest-coverage/src/main.rs

@@ -32,7 +32,7 @@ fn sanity_check(test_exe: &Path) -> AppResult {
         let output = Command::new(tool).arg("--help").output();
         match output {
             Ok(output) if output.status.success() => {}
-            _ => Err(exit_help(&format!("The tool {} is not installed", tool)))?,
+            _ => Err(exit_help(&format!("The tool {tool} is not installed")))?,
         }
     }
     if !test_exe.exists() {
@@ -142,7 +142,7 @@ fn main() -> ExitCode {
     match app() {
         Ok(()) => ExitCode::SUCCESS,
         Err(err) => {
-            eprintln!("⚠️\n{}", err);
+            eprintln!("⚠️\n{err}");
             ExitCode::FAILURE
         }
     }

contrib/devtools/gen-bitcoin-conf.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) 2021 The Bitcoin Core developers
+# Copyright (c) 2021-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/devtools/gen-manpages.py

@@ -1,14 +1,16 @@
 #!/usr/bin/env python3
-# Copyright (c) 2022 The Bitcoin Core developers
+# Copyright (c) 2022-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 import os
+import re
 import subprocess
 import sys
 import tempfile
 import argparse
 
 BINARIES = [
+'bin/bitcoin',
 'bin/bitcoind',
 'bin/bitcoin-cli',
 'bin/bitcoin-tx',
@@ -58,10 +60,11 @@ for relpath in BINARIES:
             print(f'{abspath} not found or not an executable', file=sys.stderr)
             sys.exit(1)
     # take first line (which must contain version)
-    verstr = r.stdout.splitlines()[0]
-    # last word of line is the actual version e.g. v22.99.0-5c6b3d5b3508
-    verstr = verstr.split()[-1]
-    assert verstr.startswith('v')
+    output = r.stdout.splitlines()[0]
+    # find the version e.g. v30.99.0-ce771726f3e7
+    search = re.search(r"v[0-9]\S+", output)
+    assert search
+    verstr = search.group(0)
     # remaining lines are copyright
     copyright = r.stdout.split('\n')[1:]
     assert copyright[0].startswith('Copyright (C)')

contrib/devtools/headerssync-params.py

@@ -5,8 +5,8 @@
 
 """Script to find the optimal parameters for the headerssync module through simulation."""
 
-from math import log, exp, sqrt
 from datetime import datetime, timedelta
+from math import log, exp, sqrt
 import random
 
 # Parameters:
@@ -337,15 +337,15 @@ def analyze(when):
     attack_volume = NET_HEADER_SIZE * MINCHAINWORK_HEADERS
     # And report them.
     print()
-    print("Optimal configuration:")
+    print(f"Given current min chainwork headers of {MINCHAINWORK_HEADERS}, the optimal parameters for low")
+    print(f"memory usage on mainchain for release until {TIME:%Y-%m-%d} is:")
     print()
-    print("//! Store one header commitment per HEADER_COMMITMENT_PERIOD blocks.")
-    print(f"constexpr size_t HEADER_COMMITMENT_PERIOD{{{period}}};")
-    print()
-    print("//! Only feed headers to validation once this many headers on top have been")
-    print("//! received and validated against commitments.")
-    print(f"constexpr size_t REDOWNLOAD_BUFFER_SIZE{{{bufsize}}};"
+    print(f"        // Generated by headerssync-params.py on {datetime.today():%Y-%m-%d}.")
+    print( "        m_headers_sync_params = HeadersSyncParams{")
+    print(f"            .commitment_period = {period},")
+    print(f"            .redownload_buffer_size = {bufsize},"
           f" // {bufsize}/{period} = ~{bufsize/period:.1f} commitments")
+    print( "        };")
     print()
     print("Properties:")
     print(f"- Per-peer memory for mainchain sync: {mem_mainchain / 8192:.3f} KiB")

contrib/devtools/iwyu/bitcoin.core.imp

@@ -1,3 +1,20 @@
-# Nothing for now.
 [
+  # Compiler intrinsics.
+  # See: https://github.com/include-what-you-use/include-what-you-use/issues/1764.
+  { "include": [ "<emmintrin.h>", "private", "<immintrin.h>", "public" ] },
+  { "include": [ "<smmintrin.h>", "private", "<immintrin.h>", "public" ] },
+  { "include": [ "<tmmintrin.h>", "private", "<immintrin.h>", "public" ] },
+
+  # libc symbols.
+  { "symbol": ["AT_HWCAP", "private", "<sys/auxv.h>", "public"] },
+  { "symbol": ["AT_HWCAP2", "private", "<sys/auxv.h>", "public"] },
+
+  # Fixed in https://github.com/include-what-you-use/include-what-you-use/pull/1706.
+  { "symbol": ["SEEK_CUR", "private", "<cstdio>", "public"] },
+  { "symbol": ["SEEK_END", "private", "<cstdio>", "public"] },
+  { "symbol": ["SEEK_SET", "private", "<cstdio>", "public"] },
+
+  # IWYU bug.
+  # See: https://github.com/include-what-you-use/include-what-you-use/issues/1863.
+  { "symbol": ["std::vector", "private", "<vector>", "public"] },
 ]

contrib/devtools/utils.py

@@ -1,21 +0,0 @@
-#!/usr/bin/env python3
-# Copyright (c) 2021 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-'''
-Common utility functions
-'''
-import shutil
-import sys
-import os
-
-
-def determine_wellknown_cmd(envvar, progname) -> list[str]:
-    maybe_env = os.getenv(envvar)
-    maybe_which = shutil.which(progname)
-    if maybe_env:
-        return maybe_env.split(' ')  # Well-known vars are often meant to be word-split
-    elif maybe_which:
-        return [ maybe_which ]
-    else:
-        sys.exit(f"{progname} not found")

contrib/filter-lcov.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2017-2020 The Bitcoin Core developers
+# Copyright (c) 2017-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
@@ -16,8 +16,8 @@ pattern = args.pattern
 outfile = args.outfile
 
 in_remove = False
-with open(tracefile, 'r', encoding="utf8") as f:
-    with open(outfile, 'w', encoding="utf8") as wf:
+with open(tracefile, 'r') as f:
+    with open(outfile, 'w') as wf:
         for line in f:
             for p in pattern:
                 if line.startswith("SF:") and p in line:

contrib/guix/INSTALL.md

@@ -64,14 +64,12 @@ Please refer to fanquake's instructions
 
 ## Option 4: Using a distribution-maintained package
 
-Note that this section is based on the distro packaging situation at the time of
-writing (July 2021). Guix is expected to be more widely packaged over time. For
-an up-to-date view on Guix's package status/version across distros, please see:
-https://repology.org/project/guix/versions
+For an up-to-date view on Guix's package status/version across
+distros, please see: https://repology.org/project/guix/versions
 
 ### Debian / Ubuntu
 
-Guix is available as a distribution package in [Debian
+Guix is available as a distribution package in various versions of [Debian
 ](https://packages.debian.org/search?keywords=guix) and [Ubuntu
 ](https://packages.ubuntu.com/search?keywords=guix).
 

contrib/guix/README.md

@@ -37,7 +37,7 @@ You can then either point to the SDK using the `SDK_PATH` environment variable:
 
 ```sh
 # Extract the SDK tarball to /path/to/parent/dir/of/extracted/SDK/Xcode-<foo>-<bar>-extracted-SDK-with-libcxx-headers
-tar -C /path/to/parent/dir/of/extracted/SDK -xaf /path/to/Xcode-<foo>-<bar>-extracted-SDK-with-libcxx-headers.tar.gz
+tar -C /path/to/parent/dir/of/extracted/SDK -xaf /path/to/Xcode-<foo>-<bar>-extracted-SDK-with-libcxx-headers.tar
 
 # Indicate where to locate the SDK tarball
 export SDK_PATH=/path/to/parent/dir/of/extracted/SDK

contrib/guix/libexec/build.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) 2019-2022 The Bitcoin Core developers
+# Copyright (c) 2019-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 export LC_ALL=C
@@ -206,7 +206,7 @@ mkdir -p "$OUTDIR"
 ###########################
 
 # CONFIGFLAGS
-CONFIGFLAGS="-DREDUCE_EXPORTS=ON -DBUILD_BENCH=OFF -DBUILD_GUI_TESTS=OFF -DBUILD_FUZZ_BINARY=OFF"
+CONFIGFLAGS="-DREDUCE_EXPORTS=ON -DBUILD_BENCH=OFF -DBUILD_GUI_TESTS=OFF -DBUILD_FUZZ_BINARY=OFF -DCMAKE_SKIP_RPATH=TRUE"
 
 # CFLAGS
 HOST_CFLAGS="-O2 -g"
@@ -225,10 +225,15 @@ esac
 
 # LDFLAGS
 case "$HOST" in
-    *linux*)  HOST_LDFLAGS="-Wl,--as-needed -Wl,--dynamic-linker=$glibc_dynamic_linker -static-libstdc++ -Wl,-O2" ;;
+    *linux*)  HOST_LDFLAGS="-Wl,--as-needed -Wl,--dynamic-linker=$glibc_dynamic_linker -Wl,-O2" ;;
     *mingw*)  HOST_LDFLAGS="-Wl,--no-insert-timestamp" ;;
 esac
 
+# EXE FLAGS
+case "$HOST" in
+    *linux*)  CMAKE_EXE_LINKER_FLAGS="-DCMAKE_EXE_LINKER_FLAGS=${HOST_LDFLAGS} -static-libstdc++ -static-libgcc" ;;
+esac
+
 mkdir -p "$DISTSRC"
 (
     cd "$DISTSRC"
@@ -243,16 +248,12 @@ mkdir -p "$DISTSRC"
           --toolchain "${BASEPREFIX}/${HOST}/toolchain.cmake" \
           -DWITH_CCACHE=OFF \
           -Werror=dev \
-          ${CONFIGFLAGS}
+          ${CONFIGFLAGS} \
+          "${CMAKE_EXE_LINKER_FLAGS}"
 
     # Build Bitcoin Core
     cmake --build build -j "$JOBS" ${V:+--verbose}
 
-    # Perform basic security checks on a series of executables.
-    cmake --build build -j 1 --target check-security ${V:+--verbose}
-    # Check that executables only contain allowed version symbols.
-    cmake --build build -j 1 --target check-symbols ${V:+--verbose}
-
     mkdir -p "$OUTDIR"
 
     # Make the os-specific installers
@@ -282,6 +283,13 @@ mkdir -p "$DISTSRC"
             ;;
     esac
 
+    # Perform basic security checks on installed executables.
+    echo "Checking binary security on installed executables..."
+    python3 "${DISTSRC}/contrib/guix/security-check.py" "${INSTALLPATH}/bin/"* "${INSTALLPATH}/libexec/"*
+    # Check that executables only contain allowed version symbols.
+    echo "Running symbol and dynamic library checks on installed executables..."
+    python3 "${DISTSRC}/contrib/guix/symbol-check.py" "${INSTALLPATH}/bin/"* "${INSTALLPATH}/libexec/"*
+
     (
         cd installed
 
@@ -369,7 +377,7 @@ mkdir -p "$DISTSRC"
             ;;
         *darwin*)
             cmake --build build --target deploy ${V:+--verbose}
-            mv build/dist/Bitcoin-Core.zip "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.zip"
+            mv build/dist/bitcoin-macos-app.zip "${OUTDIR}/${DISTNAME}-${HOST}-unsigned.zip"
             mkdir -p "unsigned-app-${HOST}"
             cp  --target-directory="unsigned-app-${HOST}" \
                 contrib/macdeploy/detached-sig-create.sh

contrib/guix/libexec/codesign.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) 2021-2022 The Bitcoin Core developers
+# Copyright (c) 2021-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 export LC_ALL=C

contrib/guix/libexec/prelude.bash

@@ -71,7 +71,7 @@ fi
 time-machine() {
     # shellcheck disable=SC2086
     guix time-machine --url=https://codeberg.org/guix/guix.git \
-                      --commit=53396a22afc04536ddf75d8f82ad2eafa5082725 \
+                      --commit=5cb84f2013c5b1e48a7d0e617032266f1e6059e2 \
                       --cores="$JOBS" \
                       --keep-failed \
                       --fallback \

contrib/guix/manifest.scm

@@ -2,6 +2,7 @@
              ((gnu packages bash) #:select (bash-minimal))
              (gnu packages bison)
              ((gnu packages certs) #:select (nss-certs))
+             ((gnu packages check) #:select (libfaketime))
              ((gnu packages cmake) #:select (cmake-minimal))
              (gnu packages commencement)
              (gnu packages compression)
@@ -18,7 +19,7 @@
              ((gnu packages python-build) #:select (python-poetry-core))
              ((gnu packages python-crypto) #:select (python-asn1crypto))
              ((gnu packages python-science) #:select (python-scikit-build-core))
-             ((gnu packages python-xyz) #:select (python-pydantic-2 python-pydantic-core))
+             ((gnu packages python-xyz) #:select (python-pydantic-2))
              ((gnu packages tls) #:select (openssl))
              ((gnu packages version-control) #:select (git-minimal))
              (guix build-system cmake)
@@ -93,16 +94,26 @@ chain for " target " development."))
       (home-page (package-home-page xgcc))
       (license (package-license xgcc)))))
 
-(define base-gcc gcc-13) ;; 13.3.0
+(define base-gcc
+  (package
+    (inherit gcc-14) ;; 14.2.0
+    (version "14.3.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/gcc/gcc-"
+                                  version "/gcc-" version ".tar.xz"))
+              (sha256
+               (base32
+                "0fna78ly417g69fdm4i5f3ms96g8xzzjza8gwp41lqr5fqlpgp70"))))))
 
 (define base-linux-kernel-headers linux-libre-headers-6.1)
 
 (define* (make-bitcoin-cross-toolchain target
                                        #:key
-                                       (base-gcc-for-libc linux-base-gcc)
+                                       (base-gcc-for-libc (gcc-libgcc-patches linux-base-gcc))
                                        (base-kernel-headers base-linux-kernel-headers)
                                        (base-libc glibc-2.31)
-                                       (base-gcc linux-base-gcc))
+                                       (base-gcc (gcc-libgcc-patches linux-base-gcc)))
   "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
   (make-cross-toolchain target
@@ -111,9 +122,9 @@ desirable for building Bitcoin Core release binaries."
                         base-libc
                         base-gcc))
 
-(define (gcc-mingw-patches gcc)
+(define (gcc-libgcc-patches gcc)
   (package-with-extra-patches gcc
-    (search-our-patches "gcc-remap-guix-store.patch")))
+    (search-our-patches "gcc-remap-guix-store.patch" "gcc-ssa-generation.patch")))
 
 (define (binutils-mingw-patches binutils)
   (package-with-extra-patches binutils
@@ -128,10 +139,10 @@ desirable for building Bitcoin Core release binaries."
   (let* ((xbinutils (binutils-mingw-patches (cross-binutils target)))
          (machine (substring target 0 (string-index target #\-)))
          (pthreads-xlibc (winpthreads-patches (make-mingw-w64 machine
-                                         #:xgcc (cross-gcc target #:xgcc (gcc-mingw-patches base-gcc))
+                                         #:xgcc (cross-gcc target #:xgcc (gcc-libgcc-patches base-gcc))
                                          #:with-winpthreads? #t)))
          (pthreads-xgcc (cross-gcc target
-                                    #:xgcc (gcc-mingw-patches mingw-w64-base-gcc)
+                                    #:xgcc (gcc-libgcc-patches mingw-w64-base-gcc)
                                     #:xbinutils xbinutils
                                     #:libc pthreads-xlibc)))
     ;; Define a meta-package that propagates the resulting XBINUTILS, XLIBC, and
@@ -175,7 +186,6 @@ chain for " target " development."))
     (native-inputs (list cmake-minimal
                          ninja
                          python-scikit-build-core
-                         python-pydantic-core
                          python-pydantic-2))
     (arguments
      (list
@@ -209,7 +219,17 @@ and abstract ELF, PE and MachO formats.")
                (base32
                 "1j47vwq4caxfv0xw68kw5yh00qcpbd56d7rq6c483ma3y7s96yyz"))))
     (build-system cmake-build-system)
-    (inputs (list openssl))
+    (arguments
+     (list
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'check
+            (lambda* (#:key tests? #:allow-other-keys)
+              (if tests?
+                  (invoke "faketime" "-f" "@2025-01-01 00:00:00" ;; Tests fail after 2025.
+                          "ctest" "--output-on-failure" "--no-tests=error")
+                  (format #t "test suite not run~%")))))))
+    (inputs (list libfaketime openssl))
     (home-page "https://github.com/mtrojnar/osslsigncode")
     (synopsis "Authenticode signing and timestamping tool")
     (description "osslsigncode is a small tool that implements part of the
@@ -422,7 +442,9 @@ inspecting signatures in Mach-O binaries.")
             ;; https://gcc.gnu.org/install/configure.html
             (list "--enable-threads=posix",
                   "--enable-default-ssp=yes",
+                  "--enable-host-bind-now=yes",
                   "--disable-gcov",
+                  "--disable-libgomp",
                   building-on)))))))
 
 (define-public linux-base-gcc
@@ -436,9 +458,14 @@ inspecting signatures in Mach-O binaries.")
             (list "--enable-initfini-array=yes",
                   "--enable-default-ssp=yes",
                   "--enable-default-pie=yes",
+                  "--enable-host-bind-now=yes",
                   "--enable-standard-branch-protection=yes",
                   "--enable-cet=yes",
+                  "--enable-gprofng=no",
                   "--disable-gcov",
+                  "--disable-libgomp",
+                  "--disable-libquadmath",
+                  "--disable-libsanitizer",
                   building-on)))
         ((#:phases phases)
           `(modify-phases ,phases
@@ -455,7 +482,7 @@ inspecting signatures in Mach-O binaries.")
 (define-public glibc-2.31
   (let ((commit "7b27c450c34563a28e634cccb399cd415e71ebfe"))
   (package
-    (inherit glibc) ;; 2.35
+    (inherit glibc) ;; 2.39
     (version "2.31")
     (source (origin
               (method git-fetch)
@@ -466,7 +493,8 @@ inspecting signatures in Mach-O binaries.")
               (sha256
                (base32
                 "017qdpr5id7ddb4lpkzj2li1abvw916m3fc6n7nw28z4h5qbv2n0"))
-              (patches (search-our-patches "glibc-guix-prefix.patch"))))
+              (patches (search-our-patches "glibc-guix-prefix.patch"
+                                           "glibc-riscv-jumptarget.patch"))))
     (arguments
       (substitute-keyword-arguments (package-arguments glibc)
         ((#:configure-flags flags)
@@ -543,7 +571,7 @@ inspecting signatures in Mach-O binaries.")
         gzip
         xz
         ;; Build tools
-        gcc-toolchain-13
+        gcc-toolchain-14
         cmake-minimal
         gnu-make
         ninja
@@ -563,12 +591,12 @@ inspecting signatures in Mach-O binaries.")
           ((string-contains target "-linux-")
            (list bison
                  pkg-config
-                 (list gcc-toolchain-13 "static")
+                 (list gcc-toolchain-14 "static")
                  (make-bitcoin-cross-toolchain target)))
           ((string-contains target "darwin")
-           (list clang-toolchain-18
-                 lld-18
-                 (make-lld-wrapper lld-18 #:lld-as-ld? #t)
+           (list clang-toolchain-19
+                 lld-19
+                 (make-lld-wrapper lld-19 #:lld-as-ld? #t)
                  python-signapple
                  zip))
           (else '())))))

contrib/guix/patches/gcc-remap-guix-store.patch

@@ -1,4 +1,4 @@
-Without ffile-prefix-map, the debug symbols will contain paths for the
+Without -ffile-prefix-map, the debug symbols will contain paths for the
 guix store which will include the hashes of each package. However, the
 hash for the same package will differ when on different architectures.
 In order to be reproducible regardless of the architecture used to build
@@ -6,7 +6,7 @@ the package, map all guix store prefixes to something fixed, e.g. /usr.
 
 --- a/libgcc/Makefile.in
 +++ b/libgcc/Makefile.in
-@@ -854,7 +854,7 @@ endif
+@@ -857,7 +857,7 @@ endif
  # libgcc_eh.a, only LIB2ADDEH matters.  If we do, only LIB2ADDEHSTATIC and
  # LIB2ADDEHSHARED matter.  (Usually all three are identical.)
  
@@ -15,6 +15,15 @@ the package, map all guix store prefixes to something fixed, e.g. /usr.
  
  ifeq ($(enable_shared),yes)
  
+@@ -880,7 +880,7 @@ endif
+ # Build LIBUNWIND. Use -fno-exceptions so that the unwind library does
+ # not generate calls to __gcc_personality_v0.
+ 
+-c_flags := -fno-exceptions
++c_flags := -fno-exceptions $(shell find /gnu/store -maxdepth 1 -mindepth 1 -type d -exec echo -n " -ffile-prefix-map={}=/usr" \;)
+ 
+ libunwind-objects += $(addsuffix $(objext),$(basename $(notdir $(LIBUNWIND))))
+ 
 -- 
 2.37.0
 

contrib/guix/patches/gcc-ssa-generation.patch

@@ -0,0 +1,49 @@
+commit b46614ebfc57ccca8a050668ad0e8ba5968c5943
+Author: Jakub Jelinek <jakub@redhat.com>
+Date:   Tue Jan 6 08:36:20 2026 +0100
+
+    tree-object-size: Deterministic SSA generation [PR123351]
+    
+    The order of evaluation of function arguments is unspecified in C++.
+    The function object_sizes_set_temp called object_sizes_set with two
+    calls to make_ssa_name() as arguments.  Since make_ssa_name() has the
+    side effect of incrementing the global SSA version counter, different
+    architectures of the same compiler evaluated these calls in different
+    orders.
+    
+    This resulted in non-deterministic SSA version numbering between
+    x86_64 and aarch64 hosts during cross-compilation, leading to
+    divergent object files.
+    
+    Sequencing the calls into separate statements ensures deterministic
+    evaluation order.
+
+    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123351
+    https://gcc.gnu.org/pipermail/gcc-patches/2026-January/704817.html
+    
+    2026-01-06  Jakub Jelinek  <jakub@redhat.com>
+                Marco Falke  <falke.marco@gmail.com>
+    
+            PR tree-optimization/123351
+            * tree-object-size.cc (object_sizes_set_temp): Separate calls to
+            make_ssa_name to ensure deterministic execution order.
+
+diff --git a/gcc/tree-object-size.cc b/gcc/tree-object-size.cc
+index 018fbc30cbb..24e7d710371 100644
+--- a/gcc/tree-object-size.cc
++++ b/gcc/tree-object-size.cc
+@@ -319,9 +319,11 @@ object_sizes_set_temp (struct object_size_info *osi, unsigned varno)
+   tree val = object_sizes_get (osi, varno);
+ 
+   if (size_initval_p (val, osi->object_size_type))
+-    object_sizes_set (osi, varno,
+-		      make_ssa_name (sizetype),
+-		      make_ssa_name (sizetype));
++    {
++      val = make_ssa_name (sizetype);
++      tree wholeval = make_ssa_name (sizetype);
++      object_sizes_set (osi, varno, val, wholeval);
++    }
+ }
+ 
+ /* Initialize OFFSET_LIMIT variable.  */

contrib/guix/patches/glibc-riscv-jumptarget.patch

@@ -0,0 +1,57 @@
+commit 68389203832ab39dd0dbaabbc4059e7fff51c29b
+Author: Fangrui Song <maskray@google.com>
+Date:   Thu Oct 28 11:39:49 2021 -0700
+
+    riscv: Fix incorrect jal with HIDDEN_JUMPTARGET
+    
+    A non-local STV_DEFAULT defined symbol is by default preemptible in a
+    shared object. j/jal cannot target a preemptible symbol. On other
+    architectures, such a jump instruction either causes PLT [BZ #18822], or
+    if short-ranged, sometimes rejected by the linker (but not by GNU ld's
+    riscv port [ld PR/28509]).
+    
+    Use HIDDEN_JUMPTARGET to target a non-preemptible symbol instead.
+    
+    With this patch, ld.so and libc.so can be linked with LLD if source
+    files are compiled/assembled with -mno-relax/-Wa,-mno-relax.
+    
+    Acked-by: Palmer Dabbelt <palmer@dabbelt.com>
+    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+Can be dropped when we are using glibc 2.35 or later.
+
+diff --git a/sysdeps/riscv/setjmp.S b/sysdeps/riscv/setjmp.S
+index 0b92016b31..bec7ff80f4 100644
+--- a/sysdeps/riscv/setjmp.S
++++ b/sysdeps/riscv/setjmp.S
+@@ -21,7 +21,7 @@
+ 
+ ENTRY (_setjmp)
+   li	a1, 0
+-  j	__sigsetjmp
++  j	HIDDEN_JUMPTARGET (__sigsetjmp)
+ END (_setjmp)
+ ENTRY (setjmp)
+   li	a1, 1
+diff --git a/sysdeps/unix/sysv/linux/riscv/setcontext.S b/sysdeps/unix/sysv/linux/riscv/setcontext.S
+index 9510518750..e44a68aad4 100644
+--- a/sysdeps/unix/sysv/linux/riscv/setcontext.S
++++ b/sysdeps/unix/sysv/linux/riscv/setcontext.S
+@@ -95,6 +95,7 @@ LEAF (__setcontext)
+ 99:	j	__syscall_error
+ 
+ END (__setcontext)
++libc_hidden_def (__setcontext)
+ weak_alias (__setcontext, setcontext)
+ 
+ LEAF (__start_context)
+@@ -108,7 +109,7 @@ LEAF (__start_context)
+ 	/* Invoke subsequent context if present, else exit(0).  */
+ 	mv	a0, s2
+ 	beqz	s2, 1f
+-	jal	__setcontext
+-1:	j	exit
++	jal	HIDDEN_JUMPTARGET (__setcontext)
++1:	j	HIDDEN_JUMPTARGET (exit)
+ 
+ END (__start_context)

contrib/guix/security-check.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2015-2022 The Bitcoin Core developers
+# Copyright (c) 2015-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''

contrib/guix/symbol-check.py

@@ -16,38 +16,37 @@ import lief
 
 # Debian 11 (Bullseye) EOL: 2026. https://wiki.debian.org/LTS
 #
-# - libgcc version 10.2.1 (https://packages.debian.org/bullseye/libgcc-s1)
 # - libc version 2.31 (https://packages.debian.org/source/bullseye/glibc)
 #
 # Ubuntu 20.04 (Focal) EOL: 2030. https://wiki.ubuntu.com/ReleaseTeam
 #
-# - libgcc version 10.5.0 (https://packages.ubuntu.com/focal/libgcc1)
 # - libc version 2.31 (https://packages.ubuntu.com/focal/libc6)
 #
 # CentOS Stream 9 EOL: 2027. https://www.centos.org/cl-vs-cs/#end-of-life
 #
-# - libgcc version 12.2.1 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
 # - libc version 2.34 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
 #
-# See https://gcc.gnu.org/onlinedocs/libstdc++/manual/abi.html for more info.
+# bitcoin-qt
+#
+# Ubuntu 22.04 is currently the baseline for ELF_ALLOWED_LIBRARIES:
+#
+# libfontconfig version 2.13.1 (https://packages.ubuntu.com/jammy/libfontconfig1)
+#
+# libfreetype version 2.11.1 (https://packages.ubuntu.com/jammy/libfreetype6)
 
 MAX_VERSIONS = {
-'GCC':       (7,0,0),
 'GLIBC': {
     lief.ELF.ARCH.X86_64: (2,31),
     lief.ELF.ARCH.ARM:    (2,31),
     lief.ELF.ARCH.AARCH64:(2,31),
     lief.ELF.ARCH.PPC64:  (2,31),
     lief.ELF.ARCH.RISCV:  (2,31),
-},
-'LIBATOMIC': (1,0),
-'V':         (0,5,0),  # xkb (bitcoin-qt only)
+    }
 }
 
 # Ignore symbols that are exported as part of every executable
 IGNORE_EXPORTS = {
-'environ', '_environ', '__environ', '_fini', '_init', 'stdin',
-'stdout', 'stderr',
+'stdin', 'stdout', 'stderr',
 }
 
 # Expected linker-loader names can be found here:
@@ -93,11 +92,9 @@ ELF_ABIS: dict[lief.ELF.ARCH, dict[lief.Header.ENDIANNESS, list[int]]] = {
 # Allowed NEEDED libraries
 ELF_ALLOWED_LIBRARIES = {
 # bitcoind and bitcoin-qt
-'libgcc_s.so.1', # GCC base support
 'libc.so.6', # C library
 'libpthread.so.0', # threading
 'libm.so.6', # math library
-'libatomic.so.1',
 'ld-linux-x86-64.so.2', # 64-bit dynamic linker
 'ld-linux.so.2', # 32-bit dynamic linker
 'ld-linux-aarch64.so.1', # 64-bit ARM dynamic linker
@@ -106,24 +103,9 @@ ELF_ALLOWED_LIBRARIES = {
 'ld64.so.2', # POWER64 ABIv2 dynamic linker
 'ld-linux-riscv64-lp64d.so.1', # 64-bit RISC-V dynamic linker
 # bitcoin-qt only
-'libxcb.so.1', # part of X11
-'libxkbcommon.so.0', # keyboard keymapping
-'libxkbcommon-x11.so.0', # keyboard keymapping
 'libfontconfig.so.1', # font support
 'libfreetype.so.6', # font parsing
 'libdl.so.2', # programming interface to dynamic linker
-'libxcb-cursor.so.0',
-'libxcb-icccm.so.4',
-'libxcb-image.so.0',
-'libxcb-shm.so.0',
-'libxcb-keysyms.so.1',
-'libxcb-randr.so.0',
-'libxcb-render-util.so.0',
-'libxcb-render.so.0',
-'libxcb-shape.so.0',
-'libxcb-sync.so.1',
-'libxcb-xfixes.so.0',
-'libxcb-xkb.so.1',
 }
 
 MACHO_ALLOWED_LIBRARIES = {
@@ -190,7 +172,7 @@ PE_ALLOWED_LIBRARIES = {
 def check_version(max_versions, version, arch) -> bool:
     (lib, _, ver) = version.rpartition('_')
     ver = tuple([int(x) for x in ver.split('.')])
-    if not lib in max_versions:
+    if lib not in max_versions:
         return False
     if isinstance(max_versions[lib], tuple):
         return ver <= max_versions[lib]
@@ -249,7 +231,7 @@ def check_MACHO_libraries(binary) -> bool:
     return ok
 
 def check_MACHO_min_os(binary) -> bool:
-    if binary.build_version.minos == [13,0,0]:
+    if binary.build_version.minos == [14,0,0]:
         return True
     return False
 
@@ -259,7 +241,7 @@ def check_MACHO_sdk(binary) -> bool:
     return False
 
 def check_MACHO_lld(binary) -> bool:
-    if binary.build_version.tools[0].version == [18, 1, 8]:
+    if binary.build_version.tools[0].version == [19, 1, 4]:
         return True
     return False
 

contrib/linearize/linearize-data.py

@@ -2,7 +2,7 @@
 #
 # linearize-data.py: Construct a linear, no-fork version of the chain.
 #
-# Copyright (c) 2013-2022 The Bitcoin Core developers
+# Copyright (c) 2013-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 #
@@ -34,7 +34,7 @@ def get_blk_dt(blk_hdr):
 # When getting the list of block hashes, undo any byte reversals.
 def get_block_hashes(settings):
     blkindex = []
-    with open(settings['hashlist'], "r", encoding="utf8") as f:
+    with open(settings['hashlist'], "r") as f:
         for line in f:
             line = line.rstrip()
             if settings['rev_hash_bytes'] == 'true':
@@ -229,7 +229,7 @@ class BlockDataCopier:
             inExtent = BlockExtent(self.inFn, self.inF.tell(), inhdr, blk_hdr, inLen)
 
             self.hash_str = calc_hash_str(blk_hdr)
-            if not self.hash_str in blkmap:
+            if self.hash_str not in blkmap:
                 # Because blocks can be written to files out-of-order as of 0.10, the script
                 # may encounter blocks it doesn't know about. Treat as debug output.
                 if settings['debug_output'] == 'true':
@@ -267,7 +267,7 @@ if __name__ == '__main__':
         print("Usage: linearize-data.py CONFIG-FILE")
         sys.exit(1)
 
-    with open(sys.argv[1], encoding="utf8") as f:
+    with open(sys.argv[1]) as f:
         for line in f:
             # skip comment lines
             m = re.search(r'^\s*#', line)
@@ -320,7 +320,7 @@ if __name__ == '__main__':
     blkmap = mkblockmap(blkindex)
 
     # Block hash map won't be byte-reversed. Neither should the genesis hash.
-    if not settings['genesis'] in blkmap:
+    if settings['genesis'] not in blkmap:
         print("Genesis block not found in hashlist")
     else:
         BlockDataCopier(settings, blkindex, blkmap).run()

contrib/linearize/linearize-hashes.py

@@ -2,7 +2,7 @@
 #
 # linearize-hashes.py:  List blocks in a linear, no-fork version of the chain.
 #
-# Copyright (c) 2013-2022 The Bitcoin Core developers
+# Copyright (c) 2013-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 #
@@ -87,7 +87,7 @@ def get_block_hashes(settings, max_blocks_per_call=10000):
 
 def get_rpc_cookie():
     # Open the cookie file
-    with open(os.path.join(os.path.expanduser(settings['datadir']), '.cookie'), 'r', encoding="ascii") as f:
+    with open(os.path.join(os.path.expanduser(settings['datadir']), '.cookie'), 'r') as f:
         combined = f.readline()
         combined_split = combined.split(":")
         settings['rpcuser'] = combined_split[0]
@@ -98,7 +98,7 @@ if __name__ == '__main__':
         print("Usage: linearize-hashes.py CONFIG-FILE")
         sys.exit(1)
 
-    with open(sys.argv[1], encoding="utf8") as f:
+    with open(sys.argv[1]) as f:
         for line in f:
             # skip comment lines
             m = re.search(r'^\s*#', line)

contrib/macdeploy/README.md

@@ -44,15 +44,15 @@ xip -x Xcode_15.xip
 
 ### Step 2: Generating the SDK tarball from `Xcode.app`
 
-To generate the SDK, run the script [`gen-sdk`](./gen-sdk) with the
+To generate the SDK, run the script [`gen-sdk.py`](./gen-sdk.py) with the
 path to `Xcode.app` (extracted in the previous stage) as the first argument.
 
 ```bash
-./contrib/macdeploy/gen-sdk '/path/to/Xcode.app'
+./contrib/macdeploy/gen-sdk.py '/path/to/Xcode.app'
 ```
 
-The generated archive should be: `Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers.tar.gz`.
-The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c282aa6892f55d`.
+The generated archive should be: `Xcode-15.0-15A240d-extracted-SDK-with-libcxx-headers.tar`.
+The `sha256sum` should be `95b00dc41fa090747dc0a7907a5031a2fcb2d7f95c9584ba6bccdb99b6e3d498`.
 
 ## Deterministic macOS App Notes
 

contrib/macdeploy/detached-sig-create.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2014-2022 The Bitcoin Core developers
+# Copyright (c) 2014-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/macdeploy/gen-sdk.py

@@ -2,9 +2,7 @@
 import argparse
 import plistlib
 import pathlib
-import sys
 import tarfile
-import gzip
 import os
 import contextlib
 
@@ -22,12 +20,12 @@ def run():
     parser = argparse.ArgumentParser(
         description=__doc__, formatter_class=argparse.RawTextHelpFormatter)
 
-    parser.add_argument('xcode_app', metavar='XCODEAPP', nargs=1)
-    parser.add_argument("-o", metavar='OUTSDKTGZ', nargs=1, dest='out_sdktgz', required=False)
+    parser.add_argument('xcode_app', metavar='XCODEAPP', type=pathlib.Path)
+    parser.add_argument("-o", metavar='OUTSDKTAR', dest='out_sdkt', type=pathlib.Path, required=False)
 
     args = parser.parse_args()
 
-    xcode_app = pathlib.Path(args.xcode_app[0]).resolve()
+    xcode_app = args.xcode_app.resolve()
     assert xcode_app.is_dir(), "The supplied Xcode.app path '{}' either does not exist or is not a directory".format(xcode_app)
 
     xcode_app_plist = xcode_app.joinpath("Contents/version.plist")
@@ -47,11 +45,7 @@ def run():
 
     out_name = "Xcode-{xcode_version}-{xcode_build_id}-extracted-SDK-with-libcxx-headers".format(xcode_version=xcode_version, xcode_build_id=xcode_build_id)
 
-    if args.out_sdktgz:
-        out_sdktgz_path = pathlib.Path(args.out_sdktgz_path)
-    else:
-        # Construct our own out_sdktgz if not specified on the command line
-        out_sdktgz_path = pathlib.Path("./{}.tar.gz".format(out_name))
+    out_sdkt_path = args.out_sdkt or pathlib.Path("./{}.tar".format(out_name))
 
     def tarfp_add_with_base_change(tarfp, dir_to_add, alt_base_dir):
         """Add all files in dir_to_add to tarfp, but prepend alt_base_dir to the files'
@@ -68,6 +62,8 @@ def run():
 
         """
         def change_tarinfo_base(tarinfo):
+            if tarinfo.name and tarinfo.name.endswith((".swiftmodule", ".modulemap")):
+                return None
             if tarinfo.name and tarinfo.name.startswith("./"):
                 tarinfo.name = str(pathlib.Path(alt_base_dir, tarinfo.name))
             if tarinfo.linkname and tarinfo.linkname.startswith("./"):
@@ -81,16 +77,17 @@ def run():
             return tarinfo
         with cd(dir_to_add):
             # recursion already adds entries in sorted order
-            tarfp.add(".", recursive=True, filter=change_tarinfo_base)
+            tarfp.add("./usr/include", recursive=True, filter=change_tarinfo_base)
+            tarfp.add("./usr/lib", recursive=True, filter=change_tarinfo_base)
+            tarfp.add("./System/Library/Frameworks", recursive=True, filter=change_tarinfo_base)
 
-    print("Creating output .tar.gz file...")
-    with out_sdktgz_path.open("wb") as fp:
-        with gzip.GzipFile(fileobj=fp, mode='wb', compresslevel=9, mtime=0) as gzf:
-            with tarfile.open(mode="w", fileobj=gzf, format=tarfile.GNU_FORMAT) as tarfp:
-                print("Adding MacOSX SDK {} files...".format(sdk_version))
-                tarfp_add_with_base_change(tarfp, sdk_dir, out_name)
-    print("Done! Find the resulting gzipped tarball at:")
-    print(out_sdktgz_path.resolve())
+    print("Creating output .tar file...")
+    with out_sdkt_path.open("wb") as fp:
+        with tarfile.open(mode="w", fileobj=fp, format=tarfile.PAX_FORMAT) as tarfp:
+            print("Adding MacOSX SDK {} files...".format(sdk_version))
+            tarfp_add_with_base_change(tarfp, sdk_dir, out_name)
+    print("Done! Find the resulting tarball at:")
+    print(out_sdkt_path.resolve())
 
 if __name__ == '__main__':
     run()

contrib/macdeploy/macdeployqtplus

@@ -390,12 +390,11 @@ Note, that the "dist" folder will be deleted before deploying on each run.
 Optionally, Qt translation files (.qm) can be added to the bundle.""")
 
 ap.add_argument("app_bundle", nargs=1, metavar="app-bundle", help="application bundle to be deployed")
-ap.add_argument("appname", nargs=1, metavar="appname", help="name of the app being deployed")
 ap.add_argument("-verbose", nargs="?", const=True, help="Output additional debugging information")
 ap.add_argument("-no-plugins", dest="plugins", action="store_false", default=True, help="skip plugin deployment")
 ap.add_argument("-no-strip", dest="strip", action="store_false", default=True, help="don't run 'strip' on the binaries")
 ap.add_argument("-translations-dir", nargs=1, metavar="path", default=None, help="Path to Qt's translations. Base translations will automatically be added to the bundle's resources.")
-ap.add_argument("-zip", nargs="?", const="", metavar="zip", help="create a .zip containing the app bundle")
+ap.add_argument("-zip", nargs=1, metavar="zip", help="create a .zip containing the app bundle")
 
 config = ap.parse_args()
 
@@ -404,7 +403,6 @@ verbose = config.verbose
 # ------------------------------------------------
 
 app_bundle = config.app_bundle[0]
-appname = config.appname[0]
 
 if not os.path.exists(app_bundle):
     sys.stderr.write(f"Error: Could not find app bundle \"{app_bundle}\"\n")
@@ -416,10 +414,6 @@ if os.path.exists("dist"):
     print("+ Removing existing dist folder +")
     shutil.rmtree("dist")
 
-if os.path.exists(appname + ".zip"):
-    print("+ Removing existing .zip +")
-    os.unlink(appname + ".zip")
-
 # ------------------------------------------------
 
 target = os.path.join("dist", "Bitcoin-Qt.app")
@@ -466,18 +460,18 @@ if config.translations_dir:
         sys.stderr.write(f"Error: Could not find translation dir \"{config.translations_dir[0]}\"\n")
         sys.exit(1)
 
-print("+ Adding Qt translations +")
+    print("+ Adding Qt translations +")
 
-translations = Path(config.translations_dir[0])
+    translations = Path(config.translations_dir[0])
 
-regex = re.compile('qt_[a-z]*(.qm|_[A-Z]*.qm)')
+    regex = re.compile('qt_[a-z]*(.qm|_[A-Z]*.qm)')
 
-lang_files = [x for x in translations.iterdir() if regex.match(x.name)]
+    lang_files = [x for x in translations.iterdir() if regex.match(x.name)]
 
-for file in lang_files:
-    if verbose:
-        print(file.as_posix(), "->", os.path.join(applicationBundle.resourcesPath, file.name))
-    shutil.copy2(file.as_posix(), os.path.join(applicationBundle.resourcesPath, file.name))
+    for file in lang_files:
+        if verbose:
+            print(file.as_posix(), "->", os.path.join(applicationBundle.resourcesPath, file.name))
+        shutil.copy2(file.as_posix(), os.path.join(applicationBundle.resourcesPath, file.name))
 
 # ------------------------------------------------
 
@@ -499,7 +493,13 @@ if platform.system() == "Darwin":
 # ------------------------------------------------
 
 if config.zip is not None:
-    shutil.make_archive('{}'.format(appname), format='zip', root_dir='dist', base_dir='Bitcoin-Qt.app')
+    name = config.zip[0]
+
+    if os.path.exists(name + ".zip"):
+        print("+ Removing existing .zip +")
+        os.unlink(name + ".zip")
+
+    shutil.make_archive('{}'.format(name), format='zip', root_dir='dist', base_dir='Bitcoin-Qt.app')
 
 # ------------------------------------------------
 

contrib/message-capture/message-capture-parser.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2020-2022 The Bitcoin Core developers
+# Copyright (c) 2020-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 """Parse message capture binary files.  To be used in conjunction with -capturemessages."""
@@ -205,7 +205,7 @@ def main():
 
     jsonrep = json.dumps(messages)
     if output:
-        with open(str(output), 'w+', encoding="utf8") as f_out:
+        with open(str(output), 'w+') as f_out:
             f_out.write(jsonrep)
     else:
         print(jsonrep)

contrib/qos/tc.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (c) 2017-2021 The Bitcoin Core developers
+# Copyright (c) 2017-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/seeds/README.md

@@ -10,14 +10,13 @@ to addrman with).
 
 Update `MIN_BLOCKS` in  `makeseeds.py` and the `-m`/`--minblocks` arguments below, as needed.
 
-The seeds compiled into the release are created from sipa's, achow101's and luke-jr's
+The seeds compiled into the release are created from sipa's and achow101's
 DNS seed, virtu's crawler, and asmap community AS map data. Run the following commands
 from the `/contrib/seeds` directory:
 
 ```
 curl https://bitcoin.sipa.be/seeds.txt.gz | gzip -dc > seeds_main.txt
 curl https://21.ninja/seeds.txt.gz | gzip -dc >> seeds_main.txt
-curl https://luke.dashjr.org/programs/bitcoin/files/charts/seeds.txt >> seeds_main.txt
 curl https://mainnet.achownodes.xyz/seeds.txt.gz | gzip -dc >> seeds_main.txt
 curl https://signet.achownodes.xyz/seeds.txt.gz | gzip -dc > seeds_signet.txt
 curl https://testnet.achownodes.xyz/seeds.txt.gz | gzip -dc > seeds_test.txt

contrib/seeds/generate-seeds.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2014-2021 The Bitcoin Core developers
+# Copyright (c) 2014-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''
@@ -160,6 +160,9 @@ def main():
         sys.exit(1)
     g = sys.stdout
     indir = sys.argv[1]
+    g.write('// Copyright (c) The Bitcoin Core developers\n')
+    g.write('// Distributed under the MIT software license, see the accompanying\n')
+    g.write('// file COPYING or https://opensource.org/license/mit.\n\n')
     g.write('#ifndef BITCOIN_CHAINPARAMSSEEDS_H\n')
     g.write('#define BITCOIN_CHAINPARAMSSEEDS_H\n')
     g.write('/**\n')
@@ -168,16 +171,16 @@ def main():
     g.write(' *\n')
     g.write(' * Each line contains a BIP155 serialized (networkID, addr, port) tuple.\n')
     g.write(' */\n')
-    with open(os.path.join(indir,'nodes_main.txt'), 'r', encoding="utf8") as f:
+    with open(os.path.join(indir,'nodes_main.txt'), 'r') as f:
         process_nodes(g, f, 'chainparams_seed_main')
     g.write('\n')
-    with open(os.path.join(indir,'nodes_signet.txt'), 'r', encoding="utf8") as f:
+    with open(os.path.join(indir,'nodes_signet.txt'), 'r') as f:
         process_nodes(g, f, 'chainparams_seed_signet')
     g.write('\n')
-    with open(os.path.join(indir,'nodes_test.txt'), 'r', encoding="utf8") as f:
+    with open(os.path.join(indir,'nodes_test.txt'), 'r') as f:
         process_nodes(g, f, 'chainparams_seed_test')
     g.write('\n')
-    with open(os.path.join(indir,'nodes_testnet4.txt'), 'r', encoding="utf8") as f:
+    with open(os.path.join(indir,'nodes_testnet4.txt'), 'r') as f:
         process_nodes(g, f, 'chainparams_seed_testnet4')
     g.write('#endif // BITCOIN_CHAINPARAMSSEEDS_H\n')
 

contrib/seeds/makeseeds.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2013-2022 The Bitcoin Core developers
+# Copyright (c) 2013-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 #
@@ -211,7 +211,7 @@ def main():
     print('Done.', file=sys.stderr)
 
     print('Loading and parsing DNS seeds…', end='', file=sys.stderr, flush=True)
-    with open(args.seeds, 'r', encoding='utf8') as f:
+    with open(args.seeds, 'r') as f:
         lines = f.readlines()
     ips = [parseline(line) for line in lines]
     random.shuffle(ips)

contrib/signet/getcoins.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2020-2022 The Bitcoin Core developers
+# Copyright (c) 2020-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/signet/miner

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2020 The Bitcoin Core developers
+# Copyright (c) 2020-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/testgen/gen_key_io_test_vectors.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2012-2022 The Bitcoin Core developers
+# Copyright (c) 2012-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 '''

contrib/tracing/log_raw_p2p_msgs.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2021 The Bitcoin Core developers
+# Copyright (c) 2021-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/tracing/log_utxocache_flush.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2021-2022 The Bitcoin Core developers
+# Copyright (c) 2021-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/tracing/mempool_monitor.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2022 The Bitcoin Core developers
+# Copyright (c) 2022-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/tracing/p2p_monitor.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2021 The Bitcoin Core developers
+# Copyright (c) 2021-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/verify-binaries/verify.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2020-2021 The Bitcoin Core developers
+# Copyright (c) 2020-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 """Script for verifying Bitcoin Core release binaries.
@@ -39,8 +39,6 @@ import sys
 import shutil
 import tempfile
 import textwrap
-import urllib.request
-import urllib.error
 import enum
 from hashlib import sha256
 from pathlib import PurePath, Path
@@ -116,18 +114,6 @@ def download_with_wget(remote_file, local_file):
     return result.returncode == 0, result.stdout.decode().rstrip()
 
 
-def download_lines_with_urllib(url) -> tuple[bool, list[str]]:
-    """Get (success, text lines of a file) over HTTP."""
-    try:
-        return (True, [
-            line.strip().decode() for line in urllib.request.urlopen(url).readlines()])
-    except urllib.error.HTTPError as e:
-        log.warning(f"HTTP request to {url} failed (HTTPError): {e}")
-    except Exception as e:
-        log.warning(f"HTTP request to {url} failed ({e})")
-    return (False, [])
-
-
 def verify_with_gpg(
     filename,
     signature_filename,
@@ -148,11 +134,6 @@ def verify_with_gpg(
     return result.returncode, gpg_data
 
 
-def remove_files(filenames):
-    for filename in filenames:
-        os.remove(filename)
-
-
 class SigData:
     """GPG signature data as parsed from GPG stdout."""
     def __init__(self):
@@ -246,8 +227,8 @@ def files_are_equal(filename1, filename2):
     eq = contents1 == contents2
 
     if not eq:
-        with open(filename1, 'r', encoding='utf-8') as f1, \
-                open(filename2, 'r', encoding='utf-8') as f2:
+        with open(filename1, 'r') as f1, \
+                open(filename2, 'r') as f2:
             f1lines = f1.readlines()
             f2lines = f2.readlines()
 
@@ -426,7 +407,7 @@ def verify_shasums_signature(
 def parse_sums_file(sums_file_path: str, filename_filter: list[str]) -> list[list[str]]:
     # extract hashes/filenames of binaries to verify from hash file;
     # each line has the following format: "<hash> <binary_filename>"
-    with open(sums_file_path, 'r', encoding='utf8') as hash_file:
+    with open(sums_file_path, 'r') as hash_file:
         return [line.split()[:2] for line in hash_file if len(filename_filter) == 0 or any(f in line for f in filename_filter)]
 
 

contrib/verify-commits/gpg.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2014-2019 The Bitcoin Core developers
+# Copyright (c) 2014-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/verify-commits/pre-push-hook.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) 2014-2021 The Bitcoin Core developers
+# Copyright (c) 2014-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/verify-commits/trusted-keys

@@ -3,3 +3,4 @@ D1DBF2C4B96F2DEBF4C16654410108112E7EA81F
 152812300785C96444D3334D17565732E08E5E41
 6B002C6EA3F91B1B0DF0C9BC8F617F1200A6D25C
 4D1B3D5ECBA1A7E05371EEBE46800E30FC748A66
+A8FC55F3B04BA3146F3492E79303B33A305224CB

contrib/verify-commits/verify-commits.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2018-2022 The Bitcoin Core developers
+# Copyright (c) 2018-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 """Verify commits against a trusted keys list."""
@@ -7,6 +7,7 @@ import argparse
 import hashlib
 import logging
 import os
+from pathlib import Path
 import subprocess
 import sys
 import time
@@ -80,20 +81,14 @@ def main():
     args = parser.parse_args()
 
     # get directory of this program and read data files
-    dirname = os.path.dirname(os.path.abspath(__file__))
-    print("Using verify-commits data from " + dirname)
-    with open(dirname + "/trusted-git-root", "r", encoding="utf8") as f:
-        verified_root = f.read().splitlines()[0]
-    with open(dirname + "/trusted-sha512-root-commit", "r", encoding="utf8") as f:
-        verified_sha512_root = f.read().splitlines()[0]
-    with open(dirname + "/allow-revsig-commits", "r", encoding="utf8") as f:
-        revsig_allowed = f.read().splitlines()
-    with open(dirname + "/allow-unclean-merge-commits", "r", encoding="utf8") as f:
-        unclean_merge_allowed = f.read().splitlines()
-    with open(dirname + "/allow-incorrect-sha512-commits", "r", encoding="utf8") as f:
-        incorrect_sha512_allowed = f.read().splitlines()
-    with open(dirname + "/trusted-keys", "r", encoding="utf8") as f:
-        trusted_keys = f.read().splitlines()
+    dirname = Path(__file__).absolute().parent
+    print(f"Using verify-commits data from {dirname}")
+    verified_root = (dirname / "trusted-git-root").read_text().splitlines()[0]
+    verified_sha512_root = (dirname / "trusted-sha512-root-commit").read_text().splitlines()[0]
+    revsig_allowed = (dirname / "allow-revsig-commits").read_text().splitlines()
+    unclean_merge_allowed = (dirname / "allow-unclean-merge-commits").read_text().splitlines()
+    incorrect_sha512_allowed = (dirname / "allow-incorrect-sha512-commits").read_text().splitlines()
+    trusted_keys = (dirname / "trusted-keys").read_text().splitlines()
 
     # Set commit and variables
     current_commit = args.commit
@@ -140,8 +135,8 @@ def main():
 
         # Check that the commit (and parents) was signed with a trusted key
         valid_sig = False
-        verify_res = subprocess.run([GIT, '-c', 'gpg.program={}/gpg.sh'.format(dirname), 'verify-commit', "--raw", current_commit], capture_output=True)
-        for line in verify_res.stderr.decode().splitlines():
+        verify_res = subprocess.run([GIT, '-c', 'gpg.program={}/gpg.sh'.format(dirname), 'verify-commit', "--raw", current_commit], text=True, capture_output=True)
+        for line in verify_res.stderr.splitlines():
             if line.startswith("[GNUPG:] VALIDSIG "):
                 key = line.split(" ")[-1]
                 valid_sig = key in trusted_keys
@@ -152,7 +147,7 @@ def main():
             if prev_commit != "":
                 print("No parent of {} was signed with a trusted key!".format(prev_commit), file=sys.stderr)
                 print("Parents are:", file=sys.stderr)
-                parents = subprocess.check_output([GIT, 'show', '-s', '--format=format:%P', prev_commit]).decode('utf8').splitlines()[0].split(' ')
+                parents = subprocess.check_output([GIT, 'show', '-s', '--format=format:%P', prev_commit], text=True).splitlines()[0].split(' ')
                 for parent in parents:
                     subprocess.call([GIT, 'show', '-s', parent], stdout=sys.stderr)
             else:
@@ -162,29 +157,29 @@ def main():
         # Check the Tree-SHA512
         if (verify_tree or prev_commit == "") and current_commit not in incorrect_sha512_allowed:
             tree_hash = tree_sha512sum(current_commit)
-            if ("Tree-SHA512: {}".format(tree_hash)) not in subprocess.check_output([GIT, 'show', '-s', '--format=format:%B', current_commit]).decode('utf8').splitlines():
+            if ("Tree-SHA512: {}".format(tree_hash)) not in subprocess.check_output([GIT, 'show', '-s', '--format=format:%B', current_commit], text=True).splitlines():
                 print("Tree-SHA512 did not match for commit " + current_commit, file=sys.stderr)
                 sys.exit(1)
 
         # Merge commits should only have two parents
-        parents = subprocess.check_output([GIT, 'show', '-s', '--format=format:%P', current_commit]).decode('utf8').splitlines()[0].split(' ')
+        parents = subprocess.check_output([GIT, 'show', '-s', '--format=format:%P', current_commit], text=True).splitlines()[0].split(' ')
         if len(parents) > 2:
             print("Commit {} is an octopus merge".format(current_commit), file=sys.stderr)
             sys.exit(1)
 
         # Check that the merge commit is clean
-        commit_time = int(subprocess.check_output([GIT, 'show', '-s', '--format=format:%ct', current_commit]).decode('utf8').splitlines()[0])
+        commit_time = int(subprocess.check_output([GIT, 'show', '-s', '--format=format:%ct', current_commit], text=True).splitlines()[0])
         check_merge = commit_time > time.time() - args.clean_merge * 24 * 60 * 60  # Only check commits in clean_merge days
         allow_unclean = current_commit in unclean_merge_allowed
         if len(parents) == 2 and check_merge and not allow_unclean:
-            current_tree = subprocess.check_output([GIT, 'show', '--format=%T', current_commit]).decode('utf8').splitlines()[0]
+            current_tree = subprocess.check_output([GIT, 'show', '--format=%T', current_commit], text=True).splitlines()[0]
 
             # This merge-tree functionality requires git >= 2.38. The
             # --write-tree option was added in order to opt-in to the new
             # behavior. Older versions of git will not recognize the option and
             # will instead exit with code 128.
             try:
-                recreated_tree = subprocess.check_output([GIT, "merge-tree", "--write-tree", parents[0], parents[1]]).decode('utf8').splitlines()[0]
+                recreated_tree = subprocess.check_output([GIT, "merge-tree", "--write-tree", parents[0], parents[1]], text=True).splitlines()[0]
             except subprocess.CalledProcessError as e:
                 if e.returncode == 128:
                     print("git v2.38+ is required for this functionality.", file=sys.stderr)

contrib/windeploy/detached-sig-create.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright (c) 2014-2021 The Bitcoin Core developers
+# Copyright (c) 2014-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.