Add two-way network split playbook

[parithosh]

Summary

• Adds playbooks/dev/two-way-network-split.yaml — a Kurtosis devnet playbook that uses the disruptoor HTTP API to partition the network into two halves, verifies finality stalls for splitObservationEpochs, clears the split, then verifies finality recovers within recoveryEpochs.
• Updates .hack/devnet/run.sh to pass --privileged to kurtosis run when disruptoor is present in the args file (disruptoor requires it).
• Regenerates playbooks/_index.yaml to include the new playbook.

Test plan

• Launch a 4-node ethereum-package devnet with disruptoor enabled and run the playbook via make devnet-run
• Confirm split partitions are observed via GET /v1/state while the playbook runs
• Confirm finality stalls during the split and recovers within recoveryEpochs after clearing

🤖 Generated with Claude Code

[qu0b-reviewer]

🤖 qu0b-reviewer

Now I have enough context. Let me write the review.

Summary

The PR adds a new two-way-network-split playbook that uses the disruptoor HTTP API to partition a devnet into two halves and verify finality behavior, plus a small related change to the devnet launch script to pass --privileged when disruptoor is enabled.

Issues

• 🔴 blocker playbooks/dev/two-way-network-split.yaml:21 — slotsPerEpoch: 32 is hardcoded. Every other playbook that needs slot/epoch math fetches it dynamically from tasks.get_specs.outputs.specs.SLOTS_PER_EPOCH. Hardcoding 32 will silently produce wrong slot targets on any network with a different slot count (e.g., fast slots, testnets with custom configs). The two minSlotNumber configVars at lines 112 and 144 both depend on this value.

• 🟡 concern playbooks/dev/two-way-network-split.yaml:18 — disruptoorUrl has no http:// prefix in the default but the shell command does jq -r . on it and uses it directly in curl, so it's fine — but the config default "http://disruptoor:7700" is redundant since the shell strips the JSON string wrapper anyway. Minor, but inconsistent with other string config defaults that are plain values.

Suggestions

• playbooks/dev/two-way-network-split.yaml — Add a get_consensus_specs task (with ID get_specs) before the slot-range tasks so the full spec is available; this is the established pattern across the repo and future-proofs the playbook if other spec-dependent logic is added.
• playbooks/dev/two-way-network-split.yaml:107 — The verification curl ... | jq -e '.partitions | length == 1' succeeds quietly because the >/dev/null discards it; since set -euo pipefail is in effect, a non-empty jq result (0 exit) still passes. Consider adding || { echo "partition not created"; exit 1; } after the PUT curl for explicit failure signaling.
• .hack/devnet/run.sh:25 — The grep pattern ^[[:space:]]*-[[:space:]]*disruptoor uses a YAML-unquoted literal - disruptoor; if the args file uses _disruptoor, a different key pattern, or any YAML formatting (e.g. disruptoor: with nested keys), this check silently misses the need for --privileged. A comment in this section noting this limitation would help future editors know what the pattern is and isn't matching.

---

_{Reviewed @ d4d7cdf5
"The bug is always in the last place you look — because you stop looking after you find it."}