Cardano Updates

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

A cluster of fixes that together let the v2 dev shell evaluate, build,
and reuse prebuilt slices for cardano-wallet on aarch64-darwin.  Most
fixes are independent in spirit but interact at the slice level — they
are bundled here to keep the cardano-wallet shell green in a single
commit.

- Sublib reachability env var (`HASKELLNIX_EXTRA_SUBLIB_SEEDS`)
  threaded through both the solver-side and install-plan cabal-install
  patches.  Slices that target a sublib (or transitively depend on
  one) seed the patched reachability walk from `pkgLibDepClosure` so
  unrelated sublibs (e.g. `lib:testlib`'s deps) stay pruned.

- Source-repository-package handling in slices.  Each
  `pkg-src.type = "source-repo"` package gets a per-slice minimal git
  repo (`git init -b minimal && git add . && git commit`) wrapped
  around `${src}` and emitted as a `source-repository-package` block
  in the slice's `cabal.project` — the same shape
  `lib/call-cabal-project-to-nix.nix` produces at project level — so
  cabal hashes the same source bytes plan-nix saw and the slice's
  UnitId matches.  Build-tools (`alex`, `happy`, `hsc2hs`, ...)
  composed via `transitiveBuildToolSlices` so consumers find them in
  the cabal-store instead of rebuilding.

- Plan-nix flag honouring for source-repo packages.  Module-level
  flag overrides (e.g. cardano-wallet's `flags.release = true`) don't
  reach cabal at plan time, so plan-nix records cabal-file defaults.
  `flagBlockFor` now reads from plan-json for source-repo pkgs so the
  slice's `pkgHashFlagAssignment` matches plan-nix.

- Custom-build packages skip the UnitId check.  Plan-nix carries a
  single shared `id` per Custom-build package; cabal-install splits
  them into per-component UnitIds that can never match.  Detected via
  missing `component-name` on the plan entry.

- `propagatedBuildInputs` for `depSlices` (was `buildInputs`) so
  pkg-config deps and other propagated inputs chain transitively
  via stdenv.  Splice handles the cross-compilation case for normal
  nixpkgs deps; slice $outs themselves don't auto-swap but cardano-
  wallet's native shell doesn't trip that.

- `cp -rL` for local-package tarballs to inline out-of-bounds
  symlinks like cardano-wallet's `lib/wallet/specifications ->
  ../../specifications` that cabal-install 3.16+ rejects as
  [Cabal-7125] "Unsafe link target in tar archive".

- `$out/store` cleanup at end of installPhase.  When the expected
  UnitId is known, keep only `<uid>/`, `package.db/<uid>.conf` and
  `lib/libHS<uid>-*` — `rm -rf $ghcDir` drops everything else
  (including the lndir-composed dep symlink tree, which on a deep
  graph was 10k+ entries that fixupPhase + NAR serialisation walked
  for nothing).  Falls back to `find -type l -delete` when the UnitId
  isn't known (source-repo or `style: "local"`).  Cache files
  (`package.cache{,.lock}`) dropped from every slice — stale on
  arrival downstream and a major source of "Keeping existing link"
  spam at lndir time.

- `find -type d` instead of `ls -d */` for the unitdirs-before
  snapshot.  bash expands `*/` into args including OS-prefix
  unit-ids (`-clsss-1.8.0.1-...`), and `ls` interprets the leading
  `-` as flags.  Same root cause as the earlier `grep -qx --` fix.

- v2 shell: walk through local packages transitively, collecting
  external deps at every step.  Local packages are excluded from the
  composed cabal-store so cabal compiles them on demand from the
  user's tree; their (transitive) external deps go in.  Build-tool
  exes that resolve to local packages are similarly excluded.

- v2 shell: `pkgs.gitMinimal` on PATH so `git --version` works
  inside the shell.  On Darwin the apple-sdk overlay sets
  `DEVELOPER_DIR` to the SDK path (no tools), so `/usr/bin/git`'s
  xcrun shim fails with "tool 'git' not found"; nix-managed git
  bypasses the shim.

- Slice cabal: `--jobs=$NIX_BUILD_CORES` (capped at 4, mirrors v1)
  on the `cabal v2-build` invocation, which passes through to
  `Setup build -jN` for ghc per-module parallelism.  Build-phase
  flag, so it stays out of `pkgHashConfigureOptions` and UnitIds
  remain stable.

PR #135 (commit fd0543a / merged as e49d4ab on main) tightened
asteria-game's eventually_alive.sh + finally_alive.sh budgets and
dropped the AlwaysOrUnreachable cold-start emit. The fix lives in
source but the compose files in both cardano_node_master and
cardano_node_adversary still pin asteria-game:f7ce4a2 — the
pre-fix tag — so publish-images saw the existing tag in registry,
skipped the rebuild, and the buggy image is what every dispatch
and cron run still pulls.

Bumping both pins to asteria-game:e49d4ab (the merge SHA on main
that contains the fix). publish-images will resolve the new tag,
build from source at e49d4ab, and push. Master cron + adversary
dispatches will pick the new image up on next run.

Production impact: of the last three master cron runs, two failed
on the same flake we diagnosed in PR #135 (eventually_alive.sh and
finally_alive.sh tripping the composer's per-command timeout). This
bump clears the cause.

* Add missing changelog entries.
* Revert missing cddl section in shelley changelog.
* Convert positional args to record syntax in Examples.

Also,
* Needed some examples re-exported from conway, they seemed to have been
updated, and led to updates to the goldens.

JSON goldens should only need to test encoding, and moreover we have to
ensure that all ledger state query result types are able to be encoded:
and so the test harnesses collapse back to a single one.

Some ToJSON instances were found to be orphans in downstream packages
because ledger didn't have those instances.

* DefaultVote: from cardano-cli/src/Cardano/CLI/Orphan.hs
* StakeSnapshot, StakeSnapshots: from
cardano-api/src/Cardano/Api/Internal/Orphans/Serialisation.hs
* QueryPoolStateResult: written fresh — no prior ToJSON found across
cardano-api, cardano-cli, ouroboros-consensus, or cardano-db-sync,
including via intermediate wrapper types. Implemented here via
KeyValuePairs to match other query result types.

We run the tests to add JSON goldens for queryPoolState,
queryStakePoolDefaultVote, and queryStakeSnapshots, which the new
instances unblock.

Note: this bundles three logical changes (instance absorption, harness
collapse, 3 new goldens).

Also export exampleVrfVerKeyHash from Shelley.Examples.