Cardano Updates

feat(governance): proposal cards + DB-cached live vote tallies + current-vote UX

Redesign the proposals list into cards (replacing the desktop table) and surface
the "current voting state" two ways, per the requested mockup:

1. Live Yes/No/Abstain tally bar per proposal.
   - Blockfrost exposes no aggregate and no voting power, so the tally is counted
     by distinct voter (each voter's latest vote) from the proposal votes feed,
     labeled "by votes" — not stake-weighted.
   - Cached in the DB (new ProposalTally model) via a read-through tRPC router
     (governance.getProposalTallies / refreshProposalTally). The list reads the
     cache; refreshes are driven by user activity (on load when stale/missing,
     and on expand). A 10-min TTL guards both client and server so redundant
     activity doesn't re-hit Blockfrost.

2. The wallet's own vote as a "Voted Yes/No/Abstain" pill next to the type chip.

Also refines VoteButton: the segmented control no longer pre-selects Abstain
(it starts unselected and adopts the on-chain vote when known), the primary
button is disabled until a choice is made and its label reflects intent
(Vote / Change to / Re-submit, + Proxy), and vote()/voteProxy() guard against an
empty selection.

Backend: ProposalTally model + migration; governanceRouter registered in root.

NOTE: requires `prisma migrate deploy` (creates "ProposalTally") before the
tally router works in production.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Surface the ready-to-run configs under examples/ in the v2 docs. Adds a
new Examples section with a how-to-run intro (run from the example dir),
a companion-files/setup guide, categorized index tables linking each
example to GitHub with a Setup column, and three inlined end-to-end
recipes. Cross-linked from the introduction page.

Excludes examples/pool_metadata (references the removed Deno filter) and
examples/_deprecated.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Replace the single oura submodule (pinned to v3) with three submodules,
one per version, so each version's docs can track an independent
upstream branch without one branch needing to bundle the others.

- oura-v1 and oura-v2 track main (where docs/v1 and docs/v2 currently
  live); can be repointed to lts/v1 once it carries a docs/v1 source.
- oura-v3 tracks v3.
- src/content/docs/oura/{v1,v2,v3} now symlink into their respective
  submodule's docs/vN/ folder.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Signed-off-by: KtorZ <[email protected]>

Signed-off-by: KtorZ <[email protected]>

All three findings verified against the implementation:

- sql_db: `record` is `null` on reset events (hbs_data renders the reset
  template with record=None -> null), not omitted.
- zeromq: clarify that events without a record (resets) are skipped and
  not published (zeromq.rs returns early when record.is_none()).
- docker: reword the tags intro; only `sha-*` is per-build, while
  `latest`/`stable`/semver tags are gated by branch/tag triggers.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The top-level [finalize] block is not wired to the runtime (ConfigRoot.finalize /
Context.finalize is deserialized but never consumed). The WorkStats filter is the
only working finalization mechanism, so document it as such. Follow-up to remove the
dead config tracked in #938.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Flake lock file updates:

• Updated input 'CHaP':
    'github:input-output-hk/cardano-haskell-packages/bc93f1caabfdc4d38c5b44e6eea8f5b8f535775a?narHash=sha256-3YDsDhjAcm5QatdluTKuQ9WeDdwrxZMnKH587pVyv9o%3D' (2026-06-02)
  → 'github:input-output-hk/cardano-haskell-packages/0aa7afd943dbcf2dc51fe652c982da281f8cb621?narHash=sha256-lipiKNOJ/NIGO/pcwQT030%2BsSgbTkP3N0w/ck5jBJlw%3D' (2026-06-10)
• Updated input 'haskell-nix':
    'github:input-output-hk/haskell.nix/08b27295bfecb9e057eda635f676733b461bec64?narHash=sha256-ujViTkgO8rGoTRLSZxgWnPkciw%2BTGzBIVsL81KcRjz4%3D' (2026-06-07)
  → 'github:input-output-hk/haskell.nix/6c5002f0ff6c9ace7912f631037062b34217dfc4?narHash=sha256-qao/Z/C9VkPfReFAPMZdFJYfHT9wnXTAlU6sBDdLtss%3D' (2026-06-14)
• Updated input 'haskell-nix/hackage':
    'github:input-output-hk/hackage.nix/986511a754b71eeab27e5c61843b01f8f7d0bdd7?narHash=sha256-Vm3brZrmc%2BzcJCndzr0nmQZ%2BpskgbnZcOVxVIzfe/zo%3D' (2026-06-07)
  → 'github:input-output-hk/hackage.nix/47bf40dc8656dde45659f2cacf5a57b1316f6904?narHash=sha256-cvS8/no4kVkNQhtmCRnAWLCn1C%2B5VvCvwMDyvE3QtJ4%3D' (2026-06-14)
• Updated input 'haskell-nix/hackage-for-stackage':
    'github:input-output-hk/hackage.nix/4b4a5d5c7fe95e6e2e857e19a9380edd599eba08?narHash=sha256-Mqw%2Bw/IkQCKQ%2BoOUJdNccAPsZz/AJR6WlDrotVr%2B%2Bxc%3D' (2026-06-07)
  → 'github:input-output-hk/hackage.nix/caf95ada373db6002b152de311e10654a97b3ba7?narHash=sha256-bbFORKtmhvknFvPpSBwuDFQUW3j/vqgLjMe4X8xjDpY%3D' (2026-06-14)
• Updated input 'haskell-nix/stackage':
    'github:input-output-hk/stackage.nix/4c667204ecf3973b72a3f482572864fffcdabb25?narHash=sha256-Le3RUWp3CrAdH%2BXgXCBvxGqmosCgC9I/yQPhpC2PFdA%3D' (2026-06-07)
  → 'github:input-output-hk/stackage.nix/196744650c154c553c925bcbc5033b5b9548e248?narHash=sha256-mQs4Xo%2Bj9RzlcRHyb3KqVFK6RBAc6t7esSMAtMOLsB4%3D' (2026-06-14)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ca14f513f38c08235d72944890596a4ddbbe76f0?narHash=sha256-qS0lSxHzqqq%2B7wuIC85QgqlAt76H4bBjxv63gOEziC4%3D' (2026-06-07)
  → 'github:NixOS/nixpkgs/86ab56c5680e27f7536d666f11620122f81b87a6?narHash=sha256-gMSeTjmluyNTrPehc77NR7oyTaG43GX9cAo2E8%2B9ig8%3D' (2026-06-14)

The docker install reference only mentioned `latest` plus a single
pre-release versioned example. The Docker CI workflow
(.github/workflows/docker.yml) actually publishes: latest (main tip),
stable (newest release), v{major}, v{major}.{minor}, v{version}, and
sha-{commit}.

- add a table covering every published tag and when it updates
- clarify that `latest` tracks `main`, not the latest release
- use the v2.1.0 release (not a pre-release) as the pin example

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

fix(db): cap pg pool + stop retrying pool saturation (Supabase EMAXCONNSESSION)

Audit of docs/v2 against src/ surfaced several config-breaking
inaccuracies, missing components, and stale field lists. All claims
verified directly against the config structs/enums (serde `tag = "type"`,
no `rename_all`, so type tags must match variant names verbatim).

Config-breaking fixes:
- webhook: type "Webhook" -> "WebHook"; drop nonexistent error_policy
- elasticsearch: type "Elastic" -> "ElasticSearch"
- gcp_cloudfunction: authorization (string) -> authentication (bool)
- pipeline_metrics: drop nonexistent `endpoint` field
- stateful_cursor: Memory is the default; File default path is
  ./cursor.json; document max_breadcrumbs/flush_interval and Redis backend

Newly documented components:
- sinks: SqlDb, Zeromq
- filters: IntoJson, WorkStats

Backfilled fields:
- kafka: ack_timeout_secs, paritioning
- redis sink: correct default (oura-sink), add stream_max_length
- terminal: adahandle_policy
- finalize: max_block_quantity

Data dictionary:
- document the v2-native pipeline data model (ChainEvent envelope and
  Record variants) alongside the legacy v1 event catalogue

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

chore: release 1.0.0-rc.2

deps: override npm to ^11 to clear bundled brace-expansion ReDoS

The last open Dependabot alert (brace-expansion <=2.0.1, GHSA-v6h2-p8h4-qcjw,
ReDoS) was a copy bundled inside [email protected], which @cardano-sdk/crypto pulls in
via `npm@^9.3.0`. That npm dependency is spurious — @cardano-sdk/crypto declares
it but never imports it in its compiled code — so it only drags in npm's vendored
dependency tree (including the vulnerable brace-expansion and the noise behind
`npm audit`'s large count).

A `brace-expansion` override can't fix this: npm overrides don't reach into a
bundled package's vendored node_modules, and a blanket brace-expansion override
instead downgrades the legitimate [email protected] that glob@11 / minimatch@10
require (named `expand` export), breaking glob.

Override `npm` to ^11 instead (resolves to 11.17.0), whose bundle ships the
patched [email protected]. Net effect:
- zero vulnerable brace-expansion instances remain in the tree
- glob / minimatch still resolve and brace-expand correctly
- safe because @cardano-sdk/crypto never executes npm

The lockfile was regenerated with npm 10.9.3 (matching CI's node:22-slim, not the
local npm 11) via `npm install --package-lock-only`, so it stays in sync for the
`npm ci` CI runs — npm 11 drops @auth/core's optional @simplewebauthn entries that
npm 10 keeps, which made `npm ci` fail. Churn is limited to the npm subtree.

The other 14 Dependabot alerts were already remediated in the committed lockfile
(next@16, [email protected], [email protected], ip/tar-fs absent, etc.) and dismissed.

Verified: `npm ci` (npm 10.9.3) succeeds; tsc --noEmit clean; next build --webpack succeeds.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Removes [esbuild](https://github.com/evanw/esbuild). It's no longer used after updating ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). These dependencies need to be updated together.


Removes `esbuild`

Updates `@vitejs/plugin-react` from 5.1.4 to 5.2.0
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/[email protected]/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/[email protected]/packages/plugin-react)

Updates `vite` from 7.3.2 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version:
  dependency-type: indirect
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 5.2.0
  dependency-type: direct:development
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

Reliable IPFS, rationale drafting/caching, and ballot CSV

Flake lock file updates:

• Updated input 'advisory-db':
    'github:rustsec/advisory-db/eaf48e7' (2026-05-29)
  → 'github:rustsec/advisory-db/09735e1' (2026-06-13)
• Updated input 'blockfrost-tests':
    'github:blockfrost/blockfrost-tests/e1f3b72' (2026-06-03)
  → 'github:blockfrost/blockfrost-tests/2a9b647' (2026-06-08)
• Updated input 'crane':
    'github:ipetkov/crane/0532eb1' (2026-05-30)
  → 'github:ipetkov/crane/59a82a1' (2026-06-04)
• Updated input 'fenix':
    'github:nix-community/fenix/2118601' (2026-05-30)
  → 'github:nix-community/fenix/aad7d8b' (2026-06-13)
• Updated input 'fenix/rust-analyzer-src':
    'github:rust-lang/rust-analyzer/5ebf65c' (2026-05-29)
  → 'github:rust-lang/rust-analyzer/3f92cd1' (2026-06-12)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/25f5383' (2026-05-26)
  → 'github:nixos/nixpkgs/e820eb4' (2026-06-08)
• Updated input 'treefmt-nix':
    'github:numtide/treefmt-nix/790751f' (2026-04-08)
  → 'github:numtide/treefmt-nix/db94781' (2026-05-31)