Cardano Updates

blake-hash and node-hid fail to compile on Darwin because the current
build deletes all prebuilt .node files then re-runs install scripts,
which invoke node-gyp against node-addon-api napi.h — rejected by Apple
Clang 15+ as a non-constant in-class initializer.

Both packages bundle N-API prebuilt binaries in their npm tarballs (ABI-
stable, no Electron-version-specific recompilation needed). Preserve
their prebuilds/ directories from the blanket deletion and skip their
install scripts. usb is handled the same way (universal fat binary).

On aarch64-darwin, blake-hash ships no arm64 prebuilt so node-gyp-build
falls back to compilation. Patch node-addon-api napi.h to use
'static inline const' (C++17), deferring the initializer to program
startup and removing the constant-expression requirement.

Supersedes the ineffective CXXFLAGS/npm_config_cxxflags approach: those
env vars are not read by node-gyp on this build setup.

The electron binary in relocatableElectron has an absolute Nix store path
embedded as its ELF interpreter (PT_INTERP) via patchelf --set-interpreter.
This works for nix run (symlinks into the store), but after the self-extracting
installer copies the bundle to ~/.daedalus/<cluster>/, that store path no longer
exists, causing the kernel to return ENOENT: "cannot execute: required file not
found".

Fix: bundle a statically-linked patchelf (pkgsStatic, doCheck=false to skip the
musl test-suite shared-object build failure) in the archive as .patchelf-static.
The installer script re-patches electron's PT_INTERP to the installed ld-linux
path immediately after extraction, then removes the helper binary.

The three chmod +w calls are required because Nix store permissions (555 dirs,
444 files) are preserved in the tar archive:
  - libexec/               for rm of .patchelf-static
  - lib/electron/          for patchelf's rename(tmpfile, electron)
  - lib/electron/electron  for patchelf's O_RDWR open

Apple Clang 15+ rejects static_cast<enum>(-1) in constant expressions
(Wenum-constexpr-conversion), causing blake-hash and node-hid to fail
in the Darwin node_modules build. NIX_CFLAGS_COMPILE doesn't reach
node-gyp since it invokes the compiler directly, bypassing the Nix CC
wrapper. Set CXXFLAGS and npm_config_cxxflags before the install scripts
loop — both are read directly by node-gyp.

- jest.config.js: add legacyDecorator and useDefineForClassFields=false to
  @swc/jest transform so MobX 5 decorators work correctly with SWC 1.10+
- storybook/main.ts: same SWC decorator fix, plus add dgram:false fallback
  for @trezor/transport which imports the Node.js dgram UDP module
- hardware-wallets.types.ts: move import after type declarations to top to
  fix ESLint import/first error

Skip the electron-chromedriver binary download during node_modules install
(mirrors the existing Linux skip: v12 package downloads v12 chromedriver,
mismatching our electron v41; the binary is provided via darwinSpecificCaches).

Also fix SHASUMS256.txt, electron zip, and chromedriver zip hashes for
both x64 and arm64, derived from the official Electron 41.3.0 release.

Update electronShaSums, electronChromedriverShaSums (SHASUMS256.txt),
electron zip, and chromedriver zip hashes for both x64 and arm64.
Hashes derived from the official Electron 41.3.0 SHASUMS256.txt.

usb uses node-gyp-build (searches usb/build/Release/*.node), node-hid uses
pkg-prebuilds (searches node-hid/build/Release/HID.node), and usb-detection
uses bindings (patched to search DAEDALUS_INSTALL_DIRECTORY). Previously all
three were copied to the install root from build/Debug, which only worked for
bindings-based modules and used unoptimised debug builds.

- Use electron-packager's electronZipDir to bypass @electron/get cache/network entirely
- Fix electron-headers extraction (flat tarball layout in Electron 41)
- Switch Wine Windows version to win10 (Node.js 20+ requires it)
- Use Node.js 20.20.2 for native module rebuilds (Node.js 24 OOMs under Wine 8.0)
- Run @electron/rebuild via node.exe directly instead of npm.cmd (avoids Wine hang)
- Update findVisualStudio stub for node-gyp 12.x async API
- Fix ESM-incompatible require("fs") call in @electron/rebuild patch
- Fix return→exit in shell script (can't return outside a function)
- Add mkdir -p for scoped package parent dirs in installPhase
- Fix NSIS LoadLanguage → LoadLanguageFile for makensis 3.10+
- Update electron zip and node.lib hashes for Electron 41.3.0

Remove the daedalus-installer Haskell executable (which required a GHC
version removed from nixpkgs-25.11) and generate the two NSIS scripts
(daedalus.nsi, uninstaller.nsi) directly as Nix writeText derivations.
All inputs are known at eval time so no build-time Haskell tool is needed.

- Remove darwin.apple_sdk.frameworks.{CoreServices,AppKit} and
  darwin.libobjc from buildInputs in any-darwin.nix and devshells.nix;
  darwin.apple_sdk (aliased to apple_sdk_11_0) was removed as a legacy
  compatibility stub — the default Darwin stdenv SDK provides all
  frameworks automatically
- Update ghc8107 → ghc810 in installers/default.nix; ghc8107 was
  removed from nixpkgs-25.11 (closest available: ghc810)

Update Electron to 41.3.0 and adapt all affected layers:

Nix packaging:
- Rebuild electron headers derivation for 41.3.0
- Update patchelf/rpath/interpreter handling for new binary layout
- Expand runtime-nodejs-deps.json to include transitive closure (~445 packages)
- Add ELECTRON_SKIP_BINARY_DOWNLOAD=1 to prevent install script fetching
- Migrate nixpkgsJs compat shim to nixpkgs-25.11 nodejs_22; drop glibc-electron-loader.patch

JS dependencies (yarn.lock / package.json):
- @ledgerhq/hw-transport-node-hid 6.33.0, @trezor/connect 9.7.2
- @cardano-foundation/ledgerjs-hw-app-cardano 7.1.4
- @electron/rebuild 4.0.4, @swc/core 1.10.18, webpack 5.106.2
- node-hid 3.3.0, node-forge 1.4.0, moment 2.30.1, ws 8.18.2, axios 1.7.7

Renderer / MobX compatibility (SWC 1.10):
- Set legacyDecorator: true and useDefineForClassFields: false in swc-loader
  options so MobX 5 prototype setters intercept observable class field
  initialisation (SWC 1.3+ changed decorator defaults)
- Relax MobX enforceActions to 'observed' (was 'always'); 'always' blocked
  constructor initialisation routed through setters outside any action

Main process / Electron 41 API fixes:
- safeExitWithCode: app.exit() → process.exit() — app.exit() triggers
  Chromium teardown that causes SIGABRT when renderer is still alive
- CardanoNode._handleCardanoNodeExit: return early when state is STOPPING
  or STOPPED so stop() exclusively owns the shutdown sequence; prevents a
  double broadcastStateChange(STOPPED) IPC call that crashes Chromium
- mainErrorHandler: 'gpu-process-crashed' → 'child-process-gone' (Electron 23+)
- windows/main: 'crashed' → 'render-process-gone' (Electron 23+); remove
  event parameter from 'closed' handler (listener takes no arguments)
- webpack.config (dev): exit webpack watcher when Electron closes cleanly
- package.json dev script: --kill-others --success first so concurrently
  stops all processes when Electron exits

TypeScript fixes (updated @trezor/connect 9.x API):
- Define BridgeInfo/UdevInfo locally (removed from public exports)
- Add required appName field to Trezor manifest
- type: 'warning' as const for dialog MessageBoxOptions
- Cast devicePath to DeviceUniquePath branded type
- Make node-hid-incompatible Device fields optional in local types
- Remove non-existent onLearnMoreClick prop from StakingRewards story

Skip the electron-chromedriver binary download during node_modules install
(mirrors the existing Linux skip: v12 package downloads v12 chromedriver,
mismatching our electron v41; the binary is provided via darwinSpecificCaches).

Also fix SHASUMS256.txt, electron zip, and chromedriver zip hashes for
both x64 and arm64, derived from the official Electron 41.3.0 release.

Update electronShaSums, electronChromedriverShaSums (SHASUMS256.txt),
electron zip, and chromedriver zip hashes for both x64 and arm64.
Hashes derived from the official Electron 41.3.0 SHASUMS256.txt.

usb uses node-gyp-build (searches usb/build/Release/*.node), node-hid uses
pkg-prebuilds (searches node-hid/build/Release/HID.node), and usb-detection
uses bindings (patched to search DAEDALUS_INSTALL_DIRECTORY). Previously all
three were copied to the install root from build/Debug, which only worked for
bindings-based modules and used unoptimised debug builds.

- Use electron-packager's electronZipDir to bypass @electron/get cache/network entirely
- Fix electron-headers extraction (flat tarball layout in Electron 41)
- Switch Wine Windows version to win10 (Node.js 20+ requires it)
- Use Node.js 20.20.2 for native module rebuilds (Node.js 24 OOMs under Wine 8.0)
- Run @electron/rebuild via node.exe directly instead of npm.cmd (avoids Wine hang)
- Update findVisualStudio stub for node-gyp 12.x async API
- Fix ESM-incompatible require("fs") call in @electron/rebuild patch
- Fix return→exit in shell script (can't return outside a function)
- Add mkdir -p for scoped package parent dirs in installPhase
- Fix NSIS LoadLanguage → LoadLanguageFile for makensis 3.10+
- Update electron zip and node.lib hashes for Electron 41.3.0

- Use electron-packager's electronZipDir to bypass @electron/get cache/network entirely
- Fix electron-headers extraction (flat tarball layout in Electron 41)
- Switch Wine Windows version to win10 (Node.js 20+ requires it)
- Use Node.js 20.20.2 for native module rebuilds (Node.js 24 OOMs under Wine 8.0)
- Run @electron/rebuild via node.exe directly instead of npm.cmd (avoids Wine hang)
- Update findVisualStudio stub for node-gyp 12.x async API
- Fix ESM-incompatible require("fs") call in @electron/rebuild patch
- Fix return→exit in shell script (can't return outside a function)
- Add mkdir -p for scoped package parent dirs in installPhase
- Fix NSIS LoadLanguage → LoadLanguageFile for makensis 3.10+
- Update electron zip and node.lib hashes for Electron 41.3.0

Remove the daedalus-installer Haskell executable (which required a GHC
version removed from nixpkgs-25.11) and generate the two NSIS scripts
(daedalus.nsi, uninstaller.nsi) directly as Nix writeText derivations.
All inputs are known at eval time so no build-time Haskell tool is needed.

- Remove darwin.apple_sdk.frameworks.{CoreServices,AppKit} and
  darwin.libobjc from buildInputs in any-darwin.nix and devshells.nix;
  darwin.apple_sdk (aliased to apple_sdk_11_0) was removed as a legacy
  compatibility stub — the default Darwin stdenv SDK provides all
  frameworks automatically
- Update ghc8107 → ghc810 in installers/default.nix; ghc8107 was
  removed from nixpkgs-25.11 (closest available: ghc810)

feat(release-cli): add drt newsfeed subcommands

Update Electron to 41.3.0 and adapt all affected layers:

Nix packaging:
- Rebuild electron headers derivation for 41.3.0
- Update patchelf/rpath/interpreter handling for new binary layout
- Expand runtime-nodejs-deps.json to include transitive closure (~445 packages)
- Add ELECTRON_SKIP_BINARY_DOWNLOAD=1 to prevent install script fetching
- Migrate nixpkgsJs compat shim to nixpkgs-25.11 nodejs_22; drop glibc-electron-loader.patch

JS dependencies (yarn.lock / package.json):
- @ledgerhq/hw-transport-node-hid 6.33.0, @trezor/connect 9.7.2
- @cardano-foundation/ledgerjs-hw-app-cardano 7.1.4
- @electron/rebuild 4.0.4, @swc/core 1.10.18, webpack 5.106.2
- node-hid 3.3.0, node-forge 1.4.0, moment 2.30.1, ws 8.18.2, axios 1.7.7

Renderer / MobX compatibility (SWC 1.10):
- Set legacyDecorator: true and useDefineForClassFields: false in swc-loader
  options so MobX 5 prototype setters intercept observable class field
  initialisation (SWC 1.3+ changed decorator defaults)
- Relax MobX enforceActions to 'observed' (was 'always'); 'always' blocked
  constructor initialisation routed through setters outside any action

Main process / Electron 41 API fixes:
- safeExitWithCode: app.exit() → process.exit() — app.exit() triggers
  Chromium teardown that causes SIGABRT when renderer is still alive
- CardanoNode._handleCardanoNodeExit: return early when state is STOPPING
  or STOPPED so stop() exclusively owns the shutdown sequence; prevents a
  double broadcastStateChange(STOPPED) IPC call that crashes Chromium
- mainErrorHandler: 'gpu-process-crashed' → 'child-process-gone' (Electron 23+)
- windows/main: 'crashed' → 'render-process-gone' (Electron 23+); remove
  event parameter from 'closed' handler (listener takes no arguments)
- webpack.config (dev): exit webpack watcher when Electron closes cleanly
- package.json dev script: --kill-others --success first so concurrently
  stops all processes when Electron exits

TypeScript fixes (updated @trezor/connect 9.x API):
- Define BridgeInfo/UdevInfo locally (removed from public exports)
- Add required appName field to Trezor manifest
- type: 'warning' as const for dialog MessageBoxOptions
- Cast devicePath to DeviceUniquePath branded type
- Make node-hid-incompatible Device fields optional in local types
- Remove non-existent onLearnMoreClick prop from StakingRewards story

Adds three subcommands under `drt newsfeed`:

- `release` — fetches installer metadata from a URL, builds a
  software-update + announcement pair with pre-filled hashes/URLs and
  localised text, opens \$EDITOR for review, then writes the newsfeed
  JSON and verification file.  Release notes URL defaults to the GitHub
  release tag derived from the fetched version.
- `publish` — uploads the current newsfeed JSON and verification file
  to an S3 bucket for end-to-end testing (--dry-run supported).
- `message` — adds a standalone announcement item with a configurable
  version target.

Common repo/env args (--env, --newsfeed-repo, --verification-repo) are
shared via a flattened NewsfeedRepoArgs struct and read from NEWSFEED_*
environment variables.

Adds three subcommands under `drt newsfeed`:

- `release` — fetches installer metadata from a URL, builds a
  software-update + announcement pair with pre-filled hashes/URLs and
  localised text, opens \$EDITOR for review, then writes the newsfeed
  JSON and verification file.  Release notes URL defaults to the GitHub
  release tag derived from the fetched version.
- `publish` — uploads the current newsfeed JSON and verification file
  to an S3 bucket for end-to-end testing (--dry-run supported).
- `message` — adds a standalone announcement item with a configurable
  version target.

Common repo/env args (--env, --newsfeed-repo, --verification-repo) are
shared via a flattened NewsfeedRepoArgs struct and read from NEWSFEED_*
environment variables.

Adds three subcommands under `drt newsfeed`:

- `release` — fetches installer metadata from a URL, builds a
  software-update + announcement pair with pre-filled hashes/URLs and
  localised text, opens \$EDITOR for review, then writes the newsfeed
  JSON and verification file.  Release notes URL defaults to the GitHub
  release tag derived from the fetched version.
- `publish` — uploads the current newsfeed JSON and verification file
  to an S3 bucket for end-to-end testing (--dry-run supported).
- `message` — adds a standalone announcement item with a configurable
  version target.

Common repo/env args (--env, --newsfeed-repo, --verification-repo) are
shared via a flattened NewsfeedRepoArgs struct and read from NEWSFEED_*
environment variables.