Cardano Updates

(cherry picked from commit a874da18c15e97766e0006c97f4025a6119da2b1)

In fetch-installers, verify the -unsigned companion's hash against
Hydra's expected value before skipping re-download; this confirms the
companion is the genuine unsigned original and the main file is the
signed installer.

In drt sign, compare the SHA-256 of the main file against its -unsigned
companion before concluding it is already signed. On Windows, signing
renames the original before the remote nix run, so a failed signing
attempt leaves the companion on disk; if fetch-installers then
re-downloads a fresh unsigned copy both files are byte-identical and
signing must be retried rather than skipped.

Upgrade cardano-node from 10.6.2 to 10.7.1 and configure the V2LSM
ledger backend to reduce memory usage by storing UTxO data on disk
rather than in-heap. Also updates the cardano-playground config pin
and switches the config path to environments-pre/.

chore(nix): use mithril flake for windows client instead of fetching tarball

Mithril now exposes a cross-compiled Windows build directly at
packages.x86_64-linux.mithril-client-cli-windows, so the previous
workaround of downloading a pre-built tarball from GitHub releases is
no longer needed.

The mithril input remains pinned to a patched branch
(sl/fix-darwin-mithril-cli) which restores Darwin builds accidentally
dropped in the latest upstream release.

fix: update mithril to fix nix builds for mac

fix: update mithril to fix rustc version mismatch on darwin

Points mithril input at sl/fix-mismatch-rust-versions branch which
ensures all craneLib instances use the rust-overlay toolchain (1.94)
rather than falling back to nixpkgs rustc (1.91), fixing Darwin builds
that fail with [email protected] requiring rustc 1.93+.

fix(nix): remove erroneous space in WIN_SIGN_HOST bash default substitution

\${WIN_SIGN_HOST: -HSM} with a space causes bash to parse -HSM as a
substring-from-end offset, treating HSM as a variable. With set -u this
throws "HSM: unbound variable". The correct syntax for a default-value
substitution is \${WIN_SIGN_HOST:-HSM} (no space).

test: mock _convertSnapshot in tests that call startBootstrap

_convertSnapshot was added to startBootstrap after these tests were
written. Without a mock it falls through to _runCommand → buildMithrilEnv
which fetches genesis/ancillary keys from raw.githubusercontent.com,
causing EAI_AGAIN failures in network-isolated environments.

feat: use snapshot-converter binary for UTxO-HD LSM snapshot conversion

Replace the mithril-client subcommand invocation with the standalone
snapshot-converter binary from cardano-node for converting downloaded
in-memory snapshots to LSM format.

- Add snapshot-converter to daedalus-bridge (all platforms) and expose
  daedalus-bridge in perSystem/packages for all target systems
- Thread snapshot-converter through common.nix and cardano-bridge.nix;
  include it in the aarch64-darwin codesign loop and the NSIS installer
- Add runBinary() to mithrilCommandRunner for running non-mithril
  binaries with plain process.env (no mithril env vars or origin tag)
- Rewrite _convertSnapshot to find the most recent ledger slot, build
  the LSM output paths, and invoke snapshot-converter directly
- Update tests accordingly

fix(darwin): bundle .so files into binary-lib subdirs alongside .dylib

moveDylibsToSubdir was only handling *.dylib, causing liblmdb.so
(introduced by cardano-node's UTxO-HD LSM support) to be left in
Contents/MacOS/ root while its install name was already patched to
@executable_path/cardano-node-lib/liblmdb.so, resulting in a dyld
load failure at runtime.

fix(mithril): correct snapshot-converter args and finalizing diagnostics

Fix snapshot-converter invocation to properly replace the in-memory ledger
snapshot with an LSM one: move the in-memory snapshot out of ledger/ to a
temp location, then run converter with --input-mem pointing to the temp path
and --output-lsm-snapshot as a full path back into ledger/<slot>, so
cardano-node finds an LSM-format snapshot at the expected location.

Also fix --output-lsm-database (was pointing into a non-existent tmp/snapshots
subdir, now uses dbDirectory/lsm) and --config (was constructing a path that
doesn't exist, now uses launcherConfig.nodeConfig.network.configFile).

Add stdinInput support to runBinary and diagnostic logger.info calls around
each async step in the finalizing phase to pinpoint any future hangs.

fix(windows): bundle libsnappy.dll with installer

cardano-node.exe now links against libsnappy (used by the LSM storage
backend), but the DLL was not listed in the NSIS installer manifest.

fix(nix): bundle snapshot-converter into macOS app

Add snapshot-converter to mkBundle and copy it into Contents/MacOS alongside mithril-client. libsnappy and other dylibs are picked up automatically by mkBundle's otool-L-based discovery.

fix(nix): bundle libmcfgthread-2.dll for cardano-wallet on Windows

cardano-wallet was built against libmcfgthread-2.dll (MCF thread runtime v2)
but only v1 was bundled, causing STATUS_ACCESS_VIOLATION on startup.

fix(nix): copy checkpoints.json into macOS app bundle

fix(nix): copy genesis-dijkstra.json into macOS app bundle

fix(mithril): skip node start when bootstrap is in progress on disk check

The 10-minute disk space check fires during mithril sync with chain data
already present (partial download). The chain-present path was missing a
guard for in-progress mithril statuses, causing it to call cardanoNode.start()
on an incomplete chain. This exhausted the 5-retry budget, leaving the FSM
in unrecoverable state just before mithril finished. Uses the existing
isMithrilBootstrapBlockingNodeStart helper to break early.

test(mithril): verify disk check does not start node during active bootstrap

(cherry picked from commit a874da18c15e97766e0006c97f4025a6119da2b1)

In fetch-installers, verify the -unsigned companion's hash against
Hydra's expected value before skipping re-download; this confirms the
companion is the genuine unsigned original and the main file is the
signed installer.

In drt sign, compare the SHA-256 of the main file against its -unsigned
companion before concluding it is already signed. On Windows, signing
renames the original before the remote nix run, so a failed signing
attempt leaves the companion on disk; if fetch-installers then
re-downloads a fresh unsigned copy both files are byte-identical and
signing must be retried rather than skipped.

Upgrade cardano-node from 10.6.2 to 10.7.1 and configure the V2LSM
ledger backend to reduce memory usage by storing UTxO data on disk
rather than in-heap. Also updates the cardano-playground config pin
and switches the config path to environments-pre/.

chore(nix): use mithril flake for windows client instead of fetching tarball

Mithril now exposes a cross-compiled Windows build directly at
packages.x86_64-linux.mithril-client-cli-windows, so the previous
workaround of downloading a pre-built tarball from GitHub releases is
no longer needed.

The mithril input remains pinned to a patched branch
(sl/fix-darwin-mithril-cli) which restores Darwin builds accidentally
dropped in the latest upstream release.

fix: update mithril to fix nix builds for mac

fix: update mithril to fix rustc version mismatch on darwin

Points mithril input at sl/fix-mismatch-rust-versions branch which
ensures all craneLib instances use the rust-overlay toolchain (1.94)
rather than falling back to nixpkgs rustc (1.91), fixing Darwin builds
that fail with [email protected] requiring rustc 1.93+.

fix(nix): remove erroneous space in WIN_SIGN_HOST bash default substitution

\${WIN_SIGN_HOST: -HSM} with a space causes bash to parse -HSM as a
substring-from-end offset, treating HSM as a variable. With set -u this
throws "HSM: unbound variable". The correct syntax for a default-value
substitution is \${WIN_SIGN_HOST:-HSM} (no space).

test: mock _convertSnapshot in tests that call startBootstrap

_convertSnapshot was added to startBootstrap after these tests were
written. Without a mock it falls through to _runCommand → buildMithrilEnv
which fetches genesis/ancillary keys from raw.githubusercontent.com,
causing EAI_AGAIN failures in network-isolated environments.

feat: use snapshot-converter binary for UTxO-HD LSM snapshot conversion

Replace the mithril-client subcommand invocation with the standalone
snapshot-converter binary from cardano-node for converting downloaded
in-memory snapshots to LSM format.

- Add snapshot-converter to daedalus-bridge (all platforms) and expose
  daedalus-bridge in perSystem/packages for all target systems
- Thread snapshot-converter through common.nix and cardano-bridge.nix;
  include it in the aarch64-darwin codesign loop and the NSIS installer
- Add runBinary() to mithrilCommandRunner for running non-mithril
  binaries with plain process.env (no mithril env vars or origin tag)
- Rewrite _convertSnapshot to find the most recent ledger slot, build
  the LSM output paths, and invoke snapshot-converter directly
- Update tests accordingly

fix(darwin): bundle .so files into binary-lib subdirs alongside .dylib

moveDylibsToSubdir was only handling *.dylib, causing liblmdb.so
(introduced by cardano-node's UTxO-HD LSM support) to be left in
Contents/MacOS/ root while its install name was already patched to
@executable_path/cardano-node-lib/liblmdb.so, resulting in a dyld
load failure at runtime.

fix(mithril): correct snapshot-converter args and finalizing diagnostics

Fix snapshot-converter invocation to properly replace the in-memory ledger
snapshot with an LSM one: move the in-memory snapshot out of ledger/ to a
temp location, then run converter with --input-mem pointing to the temp path
and --output-lsm-snapshot as a full path back into ledger/<slot>, so
cardano-node finds an LSM-format snapshot at the expected location.

Also fix --output-lsm-database (was pointing into a non-existent tmp/snapshots
subdir, now uses dbDirectory/lsm) and --config (was constructing a path that
doesn't exist, now uses launcherConfig.nodeConfig.network.configFile).

Add stdinInput support to runBinary and diagnostic logger.info calls around
each async step in the finalizing phase to pinpoint any future hangs.

fix(windows): bundle libsnappy.dll with installer

cardano-node.exe now links against libsnappy (used by the LSM storage
backend), but the DLL was not listed in the NSIS installer manifest.

fix(nix): bundle snapshot-converter into macOS app

Add snapshot-converter to mkBundle and copy it into Contents/MacOS alongside mithril-client. libsnappy and other dylibs are picked up automatically by mkBundle's otool-L-based discovery.

fix(nix): bundle libmcfgthread-2.dll for cardano-wallet on Windows

cardano-wallet was built against libmcfgthread-2.dll (MCF thread runtime v2)
but only v1 was bundled, causing STATUS_ACCESS_VIOLATION on startup.

fix(nix): copy checkpoints.json into macOS app bundle

fix(nix): copy genesis-dijkstra.json into macOS app bundle

(cherry picked from commit a874da18c15e97766e0006c97f4025a6119da2b1)

cardano-wallet was built against libmcfgthread-2.dll (MCF thread runtime v2)
but only v1 was bundled, causing STATUS_ACCESS_VIOLATION on startup.

(cherry picked from commit a874da18c15e97766e0006c97f4025a6119da2b1)

Replace the mithril-client subcommand invocation with the standalone
snapshot-converter binary from cardano-node for converting downloaded
in-memory snapshots to LSM format.

- Add snapshot-converter to daedalus-bridge (all platforms) and expose
  daedalus-bridge in perSystem/packages for all target systems
- Thread snapshot-converter through common.nix and cardano-bridge.nix;
  include it in the aarch64-darwin codesign loop and the NSIS installer
- Add runBinary() to mithrilCommandRunner for running non-mithril
  binaries with plain process.env (no mithril env vars or origin tag)
- Rewrite _convertSnapshot to find the most recent ledger slot, build
  the LSM output paths, and invoke snapshot-converter directly
- Update tests accordingly

fix(darwin): bundle .so files into binary-lib subdirs alongside .dylib

moveDylibsToSubdir was only handling *.dylib, causing liblmdb.so
(introduced by cardano-node's UTxO-HD LSM support) to be left in
Contents/MacOS/ root while its install name was already patched to
@executable_path/cardano-node-lib/liblmdb.so, resulting in a dyld
load failure at runtime.

fix(mithril): correct snapshot-converter args and finalizing diagnostics

Fix snapshot-converter invocation to properly replace the in-memory ledger
snapshot with an LSM one: move the in-memory snapshot out of ledger/ to a
temp location, then run converter with --input-mem pointing to the temp path
and --output-lsm-snapshot as a full path back into ledger/<slot>, so
cardano-node finds an LSM-format snapshot at the expected location.

Also fix --output-lsm-database (was pointing into a non-existent tmp/snapshots
subdir, now uses dbDirectory/lsm) and --config (was constructing a path that
doesn't exist, now uses launcherConfig.nodeConfig.network.configFile).

Add stdinInput support to runBinary and diagnostic logger.info calls around
each async step in the finalizing phase to pinpoint any future hangs.

fix(windows): bundle libsnappy.dll with installer

cardano-node.exe now links against libsnappy (used by the LSM storage
backend), but the DLL was not listed in the NSIS installer manifest.

fix(nix): bundle snapshot-converter into macOS app

Add snapshot-converter to mkBundle and copy it into Contents/MacOS alongside mithril-client. libsnappy and other dylibs are picked up automatically by mkBundle's otool-L-based discovery.

(cherry picked from commit a874da18c15e97766e0006c97f4025a6119da2b1)

Fix snapshot-converter invocation to properly replace the in-memory ledger
snapshot with an LSM one: move the in-memory snapshot out of ledger/ to a
temp location, then run converter with --input-mem pointing to the temp path
and --output-lsm-snapshot as a full path back into ledger/<slot>, so
cardano-node finds an LSM-format snapshot at the expected location.

Also fix --output-lsm-database (was pointing into a non-existent tmp/snapshots
subdir, now uses dbDirectory/lsm) and --config (was constructing a path that
doesn't exist, now uses launcherConfig.nodeConfig.network.configFile).

Add stdinInput support to runBinary and diagnostic logger.info calls around
each async step in the finalizing phase to pinpoint any future hangs.

moveDylibsToSubdir was only handling *.dylib, causing liblmdb.so
(introduced by cardano-node's UTxO-HD LSM support) to be left in
Contents/MacOS/ root while its install name was already patched to
@executable_path/cardano-node-lib/liblmdb.so, resulting in a dyld
load failure at runtime.

(cherry picked from commit a874da18c15e97766e0006c97f4025a6119da2b1)

Replace the mithril-client subcommand invocation with the standalone
snapshot-converter binary from cardano-node for converting downloaded
in-memory snapshots to LSM format.

- Add snapshot-converter to daedalus-bridge (all platforms) and expose
  daedalus-bridge in perSystem/packages for all target systems
- Thread snapshot-converter through common.nix and cardano-bridge.nix;
  include it in the aarch64-darwin codesign loop and the NSIS installer
- Add runBinary() to mithrilCommandRunner for running non-mithril
  binaries with plain process.env (no mithril env vars or origin tag)
- Rewrite _convertSnapshot to find the most recent ledger slot, build
  the LSM output paths, and invoke snapshot-converter directly
- Update tests accordingly

In fetch-installers, verify the -unsigned companion's hash against
Hydra's expected value before skipping re-download; this confirms the
companion is the genuine unsigned original and the main file is the
signed installer.

In drt sign, compare the SHA-256 of the main file against its -unsigned
companion before concluding it is already signed. On Windows, signing
renames the original before the remote nix run, so a failed signing
attempt leaves the companion on disk; if fetch-installers then
re-downloads a fresh unsigned copy both files are byte-identical and
signing must be retried rather than skipped.

(cherry picked from commit a874da18c15e97766e0006c97f4025a6119da2b1)

_convertSnapshot was added to startBootstrap after these tests were
written. Without a mock it falls through to _runCommand → buildMithrilEnv
which fetches genesis/ancillary keys from raw.githubusercontent.com,
causing EAI_AGAIN failures in network-isolated environments.

\${WIN_SIGN_HOST: -HSM} with a space causes bash to parse -HSM as a
substring-from-end offset, treating HSM as a variable. With set -u this
throws "HSM: unbound variable". The correct syntax for a default-value
substitution is \${WIN_SIGN_HOST:-HSM} (no space).

(cherry picked from commit 6a0b73f94349630e3bf0da3a3b60894eb00d95fc)

\${WIN_SIGN_HOST: -HSM} with a space causes bash to parse -HSM as a
substring-from-end offset, treating HSM as a variable. With set -u this
throws "HSM: unbound variable". The correct syntax for a default-value
substitution is \${WIN_SIGN_HOST:-HSM} (no space).

Points mithril input at sl/fix-mismatch-rust-versions branch which
ensures all craneLib instances use the rust-overlay toolchain (1.94)
rather than falling back to nixpkgs rustc (1.91), fixing Darwin builds
that fail with [email protected] requiring rustc 1.93+.

Previously hardcoded to Mainnet only, which broke when preview gained a
checkpoints file. Using NonFatal mirrors the existing pattern for
genesis-conway.json: include if present, silently skip if absent.

(cherry picked from commit a6a9ff2a2b6a494a415d72fcb6601d55d8ab4bce)

The echo line used Unicode typographic quotes around the installer path,
causing drt sign to fail to parse the 'Final installer:' line. Drop the
quotes entirely and update the Rust parser to strip only the prefix.

Also replace other curly quotes and ellipsis in the signing echo with
ASCII equivalents while here.

(cherry picked from commit 1beb91b8146146c0a76b2300534383b4cc818a7a)