Cardano Updates

Upgrade cardano-node from 10.6.2 to 10.7.1 and configure the V2LSM
ledger backend to reduce memory usage by storing UTxO data on disk
rather than in-heap. Also updates the cardano-playground config pin
and switches the config path to environments-pre/.

Replace hardcoded newsfeed.daedalus.io and newsfeed.daedaluswallet.io
with NEWS_URL / NEWS_HASH_URL webpack EnvironmentPlugin variables so
installers can be built pointing at a test server. Supports both http://
and https:// schemes; hostname, protocol, and port are parsed from the
full URL and forwarded to externalRequest.

Adds the drt (Daedalus Release Tool) Rust CLI, replacing the old
proposal-ui Haskell tool.

Commands:
  drt fetch-installers  — download unsigned installers from a Hydra eval
  drt sign              — GPG + macOS/Windows code signing via SSH hosts
  drt release           — hash, sign, upload to S3, push version JSON
  drt serve             — local HTTP mirror for end-to-end tester workflows
                          (generates newsfeed + verification files on the fly)

Nix:
  - Add crane + fenix flake inputs for Rust builds
  - Add perSystem/release-cli.nix (drt package + devShell + checks)
  - Add ops/ direnv environment for signing credentials

Add and require CI checks

shell.openPath() returns a Promise<string> where a non-empty string
indicates failure. The previous code treated it as a boolean and
always resolved immediately.

style: prettier formatting for open-local-directory.ts

- codesign.sh: quote $XML_PATH and ${TS} (SC2086)
- darwin-no-x-compile.sh: explicitly assign system from environment (SC2154)
- rebuild-native-modules.sh: replace unicode curly quotes with ASCII (SC1112)
- devshells.nix: add shellcheck to devshell buildInputs

Formatting is now enforced by treefmt in Nix CI. The pre-commit and
pre-push hooks are no longer needed.

Replaces verify_pr.yml with Nix-native checks: lint (ESLint), compile
(tsc --noEmit), stylelint, i18n, storybook build, jest, shellcheck, and
treefmt. All run on x86_64-linux, reusing the installer's node_modules
derivation to avoid a redundant yarn install.

chore(ci): remove verify_pr.yml GitHub Actions workflow

Replaced by Nix checks in hydraJobs.required.

chore(ci): remove netlify.toml

Storybook build is now covered by the Nix checks in hydraJobs.required.
Netlify deploy previews were not being used.

chore(ci): make only checks required, not installers or devshells

Installers and devshells remain in hydraJobs for Hydra to build but
are no longer blocking PR merges.

chore(ci): add nonrequired aggregate for installers and devshells

- sign: add --skip-upload (reuse already-uploaded file on signing host),
  --skip-darwin, --skip-darwin-legacy, --skip-windows flags for targeted
  re-testing without re-running successful platforms
- sign: fix macOS keychain unlock — source signing.sh, unlock-keychain,
  add to search list before productsign; use local vars in do_sign so
  declare -f serialises correctly for sudo subprocess
- sign: cd /tmp and rm stale signed output as root before sudo to avoid
  Permission denied on leftover files from previous runs
- fetch: write meta.json instead of plain version file; captures gitrev,
  nar_hash, env, and eval_url from the Hydra eval's flake field
- installers: add Meta struct; InstallerDir.load() tries meta.json first,
  falls back to plain version file for backwards compatibility
- ops devshell: add serve step (step 3) between sign and release

productsign fails with errSecInteractionNotAllowed when the signing
keychain is locked, and can't find the identity if the keychain isn't
in the user's search list.

Fix: source signing.sh (which exports $KEYCHAIN), unlock the keychain,
and prepend it to the keychain search list before calling productsign.

Adds `drt` (Daedalus Release Tool), a Rust CLI that replaces the
legacy Haskell `proposal-ui` for release operations.

Commands:
  drt fetch-installers  download unsigned installers from a Hydra eval
  drt sign              code-sign (macOS/Windows via SSH) + GPG-sign
  drt release           hash, GPG-sign, upload to S3, push version JSON
  drt serve             local HTTP mirror for end-to-end tester workflows

Key details:
- Hash algorithm: CBOR-wrapped Blake2b-256 matching Haskell installerHash
- macOS signing: SSH to OSX_SIGN_HOST, productsign with buildkite-agent
  credentials; mirrors sudo-to-buildkite-agent-default logic from nix
- Windows signing: pipe .exe directly through ssh WIN_SIGN_HOST (HSM,
  ProxyJump via deployer in ~/.ssh/config)
- S3 upload: hash-keyed object + filename copy, public-read ACL
- Nix: crane + fenix build; devShells.ops (drt + gpg only, no Yarn);
  devShells.release-cli (full Rust toolchain for development)
- ops/.envrc: loads .envrc.local for OSX_SIGN_HOST/WIN_SIGN_HOST/GPG_USER

Also fixes macOS installer signing: uncomment security unlock-keychain
call in makeSignedInstaller so productsign can access the signing
keychain without errSecInteractionNotAllowed in non-interactive sessions.

Replaced by Nix checks in hydraJobs.required.

@ts-ignore is position-sensitive and breaks when prettier reformats
multi-line expressions. Cast execute() to Promise<T> instead.

Prettier split the await onto its own line, leaving the @ts-ignore
suppressing the const line instead of the await (TS1320).

- codesign.sh: quote $XML_PATH and ${TS} (SC2086)
- darwin-no-x-compile.sh: explicitly assign system from environment (SC2154)
- rebuild-native-modules.sh: replace unicode curly quotes with ASCII (SC1112)
- devshells.nix: add shellcheck to devshell buildInputs

Formatting is now enforced by treefmt in Nix CI. The pre-commit and
pre-push hooks are no longer needed.

Replaces verify_pr.yml with Nix-native checks: lint (ESLint), compile
(tsc --noEmit), stylelint, i18n, storybook build, jest, shellcheck, and
treefmt. All run on x86_64-linux, reusing the installer's node_modules
derivation to avoid a redundant yarn install.

Mithril snapshot UX polish for initial release

- codesign.sh: quote $XML_PATH and ${TS} (SC2086)
- darwin-no-x-compile.sh: explicitly assign system from environment (SC2154)
- rebuild-native-modules.sh: replace unicode curly quotes with ASCII (SC1112)
- devshells.nix: add shellcheck to devshell buildInputs