Cardano Updates

The Dockerfile ran `nix-build` twice — once for the `result` symlink and
again with `--no-out-link` just to resolve the path for a second symlink.
Build once with `-o result` and run from `result/bin/...` directly.

Add a `.dockerignore` so `COPY . /app` no longer pulls `.git`,
`node_modules`, `dist`, `result` and coverage into the image layer
(smaller context, fewer cache busts). The in-image `nix-build` already
filters these via `lib.cleanSource`, but the COPY layer carried them.

Note: this is the manual/fallback build path; the image actually
published by CI is the Nix `dockerTools` image (see flake.nix), which is
addressed separately in this PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Switch the published image from `dockerTools.buildImage` to
`dockerTools.buildLayeredImage`. `buildImage` packs the entire runtime
closure into a single ~382 MiB layer, so every release re-pushes and
every pull re-fetches the whole image even when only a few node_modules
store paths changed. `buildLayeredImage` splits the closure into many
content-addressed layers, enabling cross-version dedup — a patch release
then transfers only the changed layers instead of the full closure.

Same image contents (node + pm2 + app dist + node_modules + configs);
all consumers (`nix build .#dockerImage`, `nix flake check`) are
unaffected. Also declare `ExposedPorts = 3000/tcp` so the image carries
the port metadata the Dockerfile already documented.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

(no label)

chore: update deps and prepare 6.6.1 release

Security-focused dependency upgrades:

- @fastify/http-proxy 11.5.0 (pulls @fastify/reply-from 12.6.2)
- vitest / @vitest/coverage-v8 4.1.9
- @blockfrost/blockfrost-utils 3.0.0 (drops pm2, removing the
  transitive vm2 package from the tree entirely)
- additional yarn-audit-flagged bumps: fastify 5.8.5, axios 1.18.0,
  @sentry/node 10.58.0, @blockfrost/blockfrost-js 6.1.1, ajv 8.20.0,
  path-to-regexp 8.4.2

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

- Update wallet notification settings to utilize connected wallet address for managing notifications.
- Improve email verification flow with enhanced error handling and user feedback.
- Introduce new utility functions for address normalization and authorization checks.
- Refactor notification API to support signer address in queries and mutations.
- Update environment configuration for notification link base URL.

chore: release 3.0.0

@types/node should match the oldest supported Node line (engines >=20.19),
not the newest. v25 types describe APIs absent on Node 20, which would
type-check but be undefined at runtime. Pin to ^20.19.43.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Node 18 is below the new >=20.19 engines floor (and ESLint 10 / Vite 8
won't run on it). Also modernize the workflow actions and fix the Yarn 4
install flag.

- build.yml: matrix 18.x/20.x -> 20.x/22.x/24.x; checkout@v2 -> v4,
  setup-node@v1 -> v4
- release.yaml: node 18 -> 20; checkout/setup-node -> v4;
  yarn install --frozen-lockfile -> --immutable (Yarn 4 syntax)

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Upgrade all dependencies to their latest versions, including majors.

Runtime:
- @emurgo/cardano-serialization-lib-nodejs 11 -> 15 (migrate PlutusMap.get
  which now returns PlutusMapValues)
- cbor 9 -> 10, yaml 2.3 -> 2.9

Dev toolchain:
- ESLint 8 -> 10 (migrate .eslintrc.js -> flat eslint.config.mjs)
- TypeScript 5 -> 6, Vitest 0.32 -> 4, Prettier 2 -> 3, Fastify 4 -> 5
- Yarn 4.5 -> 4.17 (4.5 TS compat patch can't apply to TS 6 under PnP)
- drop unused eslint-plugin-import

Other:
- raise minimum Node.js to 20.19 (ESLint 10 / Vite 8 floor)
- tsconfig: target/lib ES2022, add rootDir + ignoreDeprecations
- fix NodeJS.Timer -> NodeJS.Timeout for @types/node 25
- remove unused pm2Metrics (never exported)

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Mark peras as unsupported. The machinery is interesting though and we
should also make it negotiate leios support like this?

The unit tests are not needed anymore

TODO: Fix cabal.project to not have local paths

On aarch64-darwin, executables built by haskell.nix could ship an invalid
ad-hoc code signature, causing macOS to kill them at startup with SIGKILL
("Code Signature Invalid" / "Invalid Page") before any code runs. It is
intermittent: the same derivation builds a valid binary on one run and an
invalid one on the next, so it slips through CI and lands in the binary cache
(see haskell.nix#2018).

Root cause is a write->sign page-cache coherence race, not an ld64 or sigtool
bug. ld64 ad-hoc signs the executable during linking; for large Mach-Os the
bytes hashed for the signature can differ from what is finally on disk, so the
kernel rejects the signature at load time. The same applies to any signer run
inside the build. macOS `sync` is asynchronous and does not settle it; a real
flush to stable storage (F_FULLFSYNC) does.

Fix: add autoSignDarwinBinariesHook to the component and v2 cabal-slice
builders, with signingUtils patched so sign() F_FULLFSYNCs (+ F_NOCACHE drops
the stale mapping) the binary before reading it for signing. It then hashes
exactly the bytes that land on disk, producing a signature the kernel accepts.

The concrete buildPackages.darwin derivations are overridden directly rather
than via an overlay: `darwin` is a spliced package set, so overlay `//`
additions do not survive splicing, and overrideScope rebuilds far too much.

Verified on cardano-ledger's cardano-ledger-shelley:test:tests (a ~170 MB
binary that reproduced reliably): 6/6 invalid before, 6/6 valid after via the
v1 component builder, and 4/4 valid via the v2 cabal-slice builder
(builderVersion = 2, full 556-derivation tree). Confirmed the hook re-signs
and the binary runs in both.