fix(setup): retry verifier-jar download on transient 5xx (Otto-285) #484

Merged: AceHack merged 1 commit into main from fix/install-script-retry-on-transient-502 on Apr 25, 2026
@AceHack AceHack commented Apr 25, 2026

Summary

tools/setup/common/verifiers.sh calls curl -fsSL to download tla2tools.jar and alloy.jar without retries. GitHub's release-asset CDN occasionally returns 502 / 5xx errors during install, killing CI on every job that uses the install script (which is most of them).

Most recent observed: 2026-04-25 ~13:52 UTC, hit:

Both PRs had zero code changes related to the failures — pure environmental flake.

The fix

Per Otto-285 (don't use DST/determinism to avoid edge-case handling — when we can't control real-world chaos, react to it algorithmically), the curl call now retries:

  • `--retry 5` attempts
  • `--retry-delay 2` (initial; exponential-backs to 2/4/8/16/32 s)
  • `--retry-all-errors` (so 4xx/5xx retry too — curl's default only retries connect/dns/408/429)

`-fsSL` semantics preserved: if all 5 attempts hit the same transient, the final exit still fails. We don't silently swallow persistent CDN outages.

Aaron's framing

"the right fix is making install robust to network blips ... that is the right answer we can't control that part of the real world environment we have to react to it, good call"

Test plan

  • `bash -n tools/setup/common/verifiers.sh` syntax OK
  • CI runs (this PR exercises the install script via every job that runs setup)
  • Future CI flake counts on transient 5xx should drop measurably

Doesn't fix

The mise:elan curl on PR #482 is in mise's plugin code, not ours. Filing a separate BACKLOG row to investigate whether mise has a similar retry config or whether we need to mirror these assets.

🤖 Generated with Claude Code

GitHub's release-asset CDN occasionally returns 502 / 5xx
errors. Most recent observed: 2026-04-25 ~13:52 UTC, hit
PR #481 (CodeQL csharp install) + PR #482 (markdownlint
install via mise:elan). Both PRs were unrelated to the
network — pure environmental flake.

Per Otto-285 (don't use determinism to avoid edge-case
handling — when we can't control real-world chaos, react to
it algorithmically), the install script's curl call now
includes:

- `--retry 5` attempts
- `--retry-delay 2` (initial; curl exponential-backs to
  2/4/8/16/32 s)
- `--retry-all-errors` (so 4xx/5xx errors retry too —
  curl's default only retries connect / dns / 408 / 429 /
  5xx-with-Retry-After header)

`-fsSL` semantics preserved — if all 5 attempts hit the
same transient, the final exit code still fails, so we
don't silently swallow persistent CDN outages.

Aaron 2026-04-25 affirmation: "that is the right answer we
can't control that part of the real world environment we
have to react to it, good call."

Verified: `bash -n` syntax check passes.

Composes with Otto-285 (DST is not edge-case avoidance) +
Otto-281 (fix determinism not the comment) + Otto-264 (rule
of balance — every CI flake we hit gets a counterweight
fix).
Copilot AI review requested due to automatic review settings April 25, 2026 14:08
@AceHack AceHack enabled auto-merge (squash) April 25, 2026 14:08
@AceHack AceHack merged commit 2e5579e into main Apr 25, 2026
16 checks passed
@AceHack AceHack deleted the fix/install-script-retry-on-transient-502 branch April 25, 2026 14:10

Copilot AI left a comment

Pull request overview

This PR hardens the tools/setup/ bootstrap path by making verifier JAR downloads resilient to transient GitHub release-asset CDN failures (5xx), reducing CI/install flakiness while preserving failure-on-persistent-outage behavior.

Changes:

  • Add curl retry flags (--retry, --retry-delay, --retry-all-errors) when downloading verifier JARs.
  • Add inline rationale comments explaining the transient-failure motivation and retry behavior.

Comment on lines +47 to +52
# ~13:52 UTC, hit PR #481 CodeQL csharp + PR #482 markdownlint
# CI runs). Per Otto-285 (don't use determinism to avoid
# edge-case handling — handle the network-non-determinism
# algorithmically), curl handles the retry: `--retry 5` attempts,
# exponential backoff (2/4/8/16/32 s default), `--retry-all-errors`
# so 4xx/5xx server errors retry too (curl's default only retries
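
Review bot: The last line of this comment calls 4xx responses "server errors" and presents retrying them as the goal; 4xx are client errors, and with `--retry-all-errors` a permanent failure such as a 404 on a renamed release asset is retried the full count before the script finally fails. Suggest rewording to say that errors curl does not classify as transient are retried too, and stating that permanent 4xx failures will also be retried, so a reader of the install log knows why a hard failure takes several attempts to surface.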

Copilot AI Apr 25, 2026

P1: This comment block’s cross-reference looks incorrect: it says “PR #482 markdownlint”, but in this repo PR #482 is a different change (HLL fuzz test). Consider removing the PR-number references (they’ll drift) or updating them to the correct incident/PR IDs so the rationale stays accurate.

Suggested change
# ~13:52 UTC, hit PR #481 CodeQL csharp + PR #482 markdownlint
# CI runs). Per Otto-285 (don't use determinism to avoid
# edge-case handling — handle the network-non-determinism
# algorithmically), curl handles the retry: `--retry 5` attempts,
# exponential backoff (2/4/8/16/32 s default), `--retry-all-errors`
# so 4xx/5xx server errors retry too (curl's default only retries
# ~13:52 UTC during CI runs). Per Otto-285 (don't use
# determinism to avoid edge-case handling — handle the
# network-non-determinism algorithmically), curl handles the
# retry: `--retry 5` attempts, exponential backoff
# (2/4/8/16/32 s default), `--retry-all-errors` so 4xx/5xx
# server errors retry too (curl's default only retries

Copilot uses AI. Check for mistakes.
Comment on lines +50 to +52
# algorithmically), curl handles the retry: `--retry 5` attempts,
# exponential backoff (2/4/8/16/32 s default), `--retry-all-errors`
# so 4xx/5xx server errors retry too (curl's default only retries
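
Review bot: The first line of this comment describes `--retry 5` as "attempts", but curl's `--retry` value counts retries made after the initial transfer, so the download can run up to six times. Suggest writing "up to 5 retries" so the comment matches what an operator will see in the install log.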

Copilot AI Apr 25, 2026

P1: The comment claims “exponential backoff (2/4/8/16/32 s default)”, but the command uses --retry-delay 2, which makes the delay behavior differ from curl’s default backoff (and may be a constant delay depending on curl version). Please align the comment with the actual retry behavior, or adjust the curl flags to match what the comment promises.

Copilot uses AI. Check for mistakes.
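
The retry policy discussed in this PR, written as an explicit loop so the backoff schedule and the set of retryable statuses are visible in the script instead of implied by curl flags. This is an added example, not the project's `verifiers.sh`; `fetch_with_backoff`, `FETCH_CMD`, `SLEEP_CMD` and `BACKOFF_LOG` are hypothetical names, and the waits follow the 2/4/8/16/32 s schedule the PR text describes.

```bash
#!/usr/bin/env bash
# Added example, not the project's verifiers.sh. FETCH_CMD, SLEEP_CMD and
# BACKOFF_LOG are hypothetical hooks so the loop can be exercised offline.

# HTTP statuses that curl's plain --retry treats as transient.
is_transient_status() {
  case "$1" in
    408|429|500|502|503|504) return 0 ;;
    *) return 1 ;;
  esac
}

# Default fetcher: body goes to $2, the HTTP status is printed.
# curl prints 000 when no HTTP response arrived (DNS, connect, timeout).
curl_fetch() {
  curl -sSL -o "$2" -w '%{http_code}' "$1" || true
}

# fetch_with_backoff URL OUT [MAX_RETRIES] [FIRST_DELAY_SECONDS]
# Returns 0 on 2xx, 1 on a permanent error (not retried),
# 2 when every retry hit a transient error.
fetch_with_backoff() {
  local url="$1" out="$2" retries="${3:-5}" delay="${4:-2}"
  local used=0 status
  BACKOFF_LOG=""
  while :; do
    status=$("${FETCH_CMD:-curl_fetch}" "$url" "$out.part")
    case "$status" in
      2??) mv "$out.part" "$out"; return 0 ;;
    esac
    rm -f "$out.part"   # never leave an error page where the JAR belongs
    if [ "$status" != "000" ] && ! is_transient_status "$status"; then
      echo "permanent failure: HTTP $status for $url" >&2
      return 1
    fi
    if [ "$used" -ge "$retries" ]; then
      echo "still failing after $retries retries (last: $status)" >&2
      return 2
    fi
    BACKOFF_LOG="$BACKOFF_LOG$delay "
    "${SLEEP_CMD:-sleep}" "$delay"
    delay=$((delay * 2))
    used=$((used + 1))
  done
}
```

A 404 returns immediately with status 1, while a run of 502s waits 2, 4, 8, 16 and 32 seconds before returning 2, so a persistent outage still fails the install.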