Cardano Updates

Use the hydra-github-bridge SSE endpoint for real-time build status
detection instead of polling the GitHub API. Reduces wait time from
minutes (poll interval) to seconds (event-driven).

Tested end-to-end in PR #241 — all validation jobs passed.

Use the hydra-github-bridge SSE endpoint for real-time build status
detection instead of polling the GitHub API. Reduces wait time from
minutes (poll interval) to seconds (event-driven).

Tested end-to-end in PR #241 — all validation jobs passed.

Cloudflare now bypasses cache for /status/* paths, enabling real-time
SSE event delivery.

SSE through Cloudflare buffers events. Now the script polls the
bridge's one-shot endpoint every 120s as a safety net alongside
the SSE stream.

When Hydra resolves builds from cache, it creates only aggregate
"required" check-runs but not individual per-build check-runs.
This causes the GHA upload workflow to discover zero -env closures
and skip all container uploads.

Add a fallback path: when no Hydra check-runs ending in "-env"
are found, evaluate the store paths directly from the flake using
nix eval with extra/discover-env.nix. This ensures containers are
always uploaded regardless of Hydra's check-run behavior.

Also install Nix and checkout the repo in the Discover step to
support the fallback evaluation.

Move the iog-libs.nix sync comment from inside the shell heredoc
(where it breaks line continuation and triggers SC2215) to a Nix
comment above the writeShellApplicationWithRuntime block.

Extract the duplicated IOG dependency lists from dynamic.nix,
static.nix, cross-js.nix, and cross-windows.nix into a single
iog-libs.nix file. This eliminates manual synchronization when
adding new libraries (e.g., lmdb was previously missing from
cross-compilation targets) and provides a canonical source of
truth for IOG-specific dependencies.

The centralized file categorizes dependencies into:
- crypto: libblst, libsodium-vrf, secp256k1 (all shell types)
- data: lmdb (dynamic/static only)
- tools: cbor-diag, cddl, gh, icu, jq, yq-go (dynamic/static)
- cross-tools: cbor-diag, cddl (cross-compilation targets)

Each consumer imports iog-libs.nix and transforms as needed
(e.g., static.nix passes static=true to resolve static-* variants).

Addresses #56

ouroboros-consensus depends on cardano-lmdb which requires the lmdb
system library (pkg-config: lmdb>=0.9 && <0.10). Since UTxO-HD was
integrated in Cardano Node 10.4.1, lmdb is required for all Cardano
development.

Adds lmdb to dynamic shells and static-lmdb (static-only build via
Makefile ILIBS patching, matching nixpkgs isStatic pattern) to static
shells. The wrapped-cabal in static.nix gets the corresponding -L flag
so GHC finds the static library.

Closes #218
Supersedes #221

ouroboros-consensus depends on cardano-lmdb which requires the lmdb
system library (pkg-config: lmdb>=0.9 && <0.10). Since UTxO-HD was
integrated in Cardano Node 10.4.1, lmdb is required for all Cardano
development.

Adds lmdb to dynamic shells and static-lmdb (static-only build via
Makefile ILIBS patching, matching nixpkgs isStatic pattern) to static
shells. The wrapped-cabal in static.nix gets the corresponding -L flag
so GHC finds the static library.

Closes #218
Supersedes #221

GNU config.sub normalises to "aarch64-apple-darwin" while Apple's
LLVM toolchain (and nix cc-wrapper's @defaultTarget@) uses
"arm64-apple-darwin". Older GHC versions pass --target=aarch64-apple-darwin
which triggers a noisy warning from the cc-wrapper's
add-clang-cc-cflags-before hook on every compiler invocation.

The warning is harmless — clang handles both triples identically — but
it pollutes stderr and causes thousands of GHC testsuite failures due
to unexpected compiler output.

Set NIX_CC_WRAPPER_SUPPRESS_TARGET_WARNING=1 in the env script before
sourcing stdenv/setup to suppress this warning.

GHC's test suite requires `perl` (e.g. the testsuite driver and various
test scripts). Like `which`, `perl` is not part of stdenv's initialPath
and was only reachable via the host system before the hermetic PATH
change. Add it explicitly to all four shell definitions.

GHC's test suite requires `perl` (e.g. the testsuite driver and various
test scripts). Like `which`, `perl` is not part of stdenv's initialPath
and was only reachable via the host system before the hermetic PATH
change. Add it explicitly to all four shell definitions.

GHC's Makefile unconditionally calls `tput bold` and `tput sgr0`
(lines 217-218) which fail with "No value for $TERM and no -T
specified" when TERM is unset. This happens in CI runners and
containers where no terminal is attached.

Set TERM to "dumb" as a fallback after sourcing setup.sh so ncurses
tools like tput degrade gracefully instead of erroring.

writeTextFile sets `buildCommand` in the derivation, which causes
stdenv's genericBuild to skip the entire phase system — installPhase,
postInstall, fixupPhase — none of them execute. The previous commit
used postInstall which was silently ignored, leaving the wrapper
output without nix-support/propagated-native-build-inputs.

Append the file creation directly to buildCommand, which is the only
code path the builder actually runs.

writeShellApplication uses writeTextFile internally, which does NOT
run stdenv.mkDerivation's fixupPhase. Setting propagatedNativeBuildInputs
via overrideAttrs only adds the attribute to the derivation but never
materializes the $out/nix-support/propagated-native-build-inputs file
that setup.sh's findInputs actually reads at runtime.

Without this file, curl was invisible to the shell environment despite
being set as a propagated dep — the wrapper script itself had curl on
its internal PATH, but other programs (like GHC's stage0 cabal) could
not find it.

Fix: explicitly create the nix-support file in postInstall.

The switch from nix-print-dev-env to devShellTools (a354771) broke
runtimeInputs visibility in -env container scripts. writeShellApplication
embeds runtimeInputs in the wrapper's own PATH, but $stdenv/setup (which
the -env scripts source) only walks buildInputs/nativeBuildInputs — not
the internal PATH of wrappers within those inputs.

The previous fix (76d6b37) added curl explicitly to buildInputs, but
this is fragile: any future runtimeInputs change requires a parallel
edit in the shell's input lists.

Instead, use propagatedNativeBuildInputs on the wrapper derivation.
When $stdenv/setup processes wrapped-cabal from nativeBuildInputs, it
transitively follows propagatedNativeBuildInputs and adds curl (and
cabal-install) to PATH for the whole environment. This is the standard
Nix mechanism for transitive dependency propagation.

Applies to all four shell definitions: dynamic, static, cross-js,
cross-windows. Removes the explicit curl additions from 76d6b37.

* Update workflow step name for prefix-less check-runs

The hydra-github-bridge no longer prefixes check-run names with
"ci/hydra-build:" for zw3rk CI. Update the step name to match.
The JQ filters and wait-for-hydra action (check: required) now
work correctly with the bare job names.

* Update head.hackage FOD hash

The head.hackage index is a rolling target — upstream published new
packages, invalidating the previous hash.

  specified: sha256-nFFut7+8NzUps+4MsmnAo2bLp1EE2Dx4eWqTeZ2aYqI=
  got:       sha256-P0hOiQyh54Y5Pyl9rjpEE5Er/u83aeXIKBygzniRZtk=

* Add curl to shell buildInputs for HTTPS transport

The wrapped-cabal writeShellApplication includes curl as a
runtimeInput, but that only puts curl on PATH when the wrapper
script itself runs. In the -env container scripts (which source
$stdenv/setup to construct PATH from buildInputs/nativeBuildInputs),
curl is NOT on PATH for other programs.

This breaks GHC CI builds: GHC's Makefile bootstraps its own
stage0 cabal (debug build, no native TLS) which then needs curl
on PATH to download packages from Hackage over HTTPS. Without
curl available, it fails with Cabal-7113.

Fix: add curl directly to buildInputs/nativeBuildInputs in
dynamic.nix, static.nix, and cross-js.nix so it's always
available on PATH regardless of how the environment is sourced.

The head.hackage index is a rolling target — upstream published new
packages, invalidating the previous hash.

  specified: sha256-nFFut7+8NzUps+4MsmnAo2bLp1EE2Dx4eWqTeZ2aYqI=
  got:       sha256-P0hOiQyh54Y5Pyl9rjpEE5Er/u83aeXIKBygzniRZtk=

The hydra-github-bridge no longer prefixes check-run names with
"ci/hydra-build:" for zw3rk CI. Update the step name to match.
The JQ filters and wait-for-hydra action (check: required) now
work correctly with the bare job names.

The head.hackage index is a rolling target — upstream published new
packages, invalidating the previous hash.

  specified: sha256-nFFut7+8NzUps+4MsmnAo2bLp1EE2Dx4eWqTeZ2aYqI=
  got:       sha256-P0hOiQyh54Y5Pyl9rjpEE5Er/u83aeXIKBygzniRZtk=

The hydra-github-bridge no longer prefixes check-run names with
"ci/hydra-build:" for zw3rk CI. Update the step name to match.
The JQ filters and wait-for-hydra action (check: required) now
work correctly with the bare job names.

* Drop cabal-experimental input, use regular cabal for all shells

The cabal-experimental input (stable-haskell/cabal cross-compile branch)
was used for withGHCTooling shells. The pinned version (Apr 2025) has
hackage-security bounds incompatible with GHC 9.10+/9.12+ (ghc-prim
>= 0.12), causing IFD plan resolution failures. The newer version
(Aug 2025) fixes that but regresses shared library handling, breaking
downstream CI.

Simplify by using the regular cabal input for all shell variants.

* Update haskell.nix to fix head.hackage FOD hash mismatch

The head.hackage upstream content changed after Feb 21, making the
fixed-output derivation hash stale. With the cached outputs GC'd,
all JS backend IFD evaluations fail with hash mismatch, blocking
the entire Hydra eval (no jobsetevals entry produced).

Update haskell.nix from 7e7550c (Dec 9 2025) to cc939d0 (Feb 23 2026)
which includes the daily "Update Hackage and Stackage" with the
current head.hackage hash.

* Update head.hackage FOD hash and haskell.nix input

The head.hackage upstream content changed (upstream index grew),
making the fixed-output derivation hash in tool-map.nix stale.
With the cached outputs GC'd from hydra builders, all JS backend
IFD evaluations fail with hash mismatch, blocking the entire
Hydra eval (no jobsetevals produced).

Update the head.hackage sha256 from
  sha256-AO/vHIMSIBwjbp5GY561SmnPr5qTTyBt9ruy8D3lKZI=
to
  sha256-nFFut7+8NzUps+4MsmnAo2bLp1EE2Dx4eWqTeZ2aYqI=

Also update haskell.nix from 7e7550c (Dec 2025) to cc939d0
(Feb 23 2026) to pick up latest Hackage/Stackage indexes.

The head.hackage upstream content changed (upstream index grew),
making the fixed-output derivation hash in tool-map.nix stale.
With the cached outputs GC'd from hydra builders, all JS backend
IFD evaluations fail with hash mismatch, blocking the entire
Hydra eval (no jobsetevals produced).

Update the head.hackage sha256 from
  sha256-AO/vHIMSIBwjbp5GY561SmnPr5qTTyBt9ruy8D3lKZI=
to
  sha256-nFFut7+8NzUps+4MsmnAo2bLp1EE2Dx4eWqTeZ2aYqI=

Also update haskell.nix from 7e7550c (Dec 2025) to cc939d0
(Feb 23 2026) to pick up latest Hackage/Stackage indexes.

The head.hackage upstream content changed after Feb 21, making the
fixed-output derivation hash stale. With the cached outputs GC'd,
all JS backend IFD evaluations fail with hash mismatch, blocking
the entire Hydra eval (no jobsetevals entry produced).

Update haskell.nix from 7e7550c (Dec 9 2025) to cc939d0 (Feb 23 2026)
which includes the daily "Update Hackage and Stackage" with the
current head.hackage hash.