Cardano Updates

The real reference cycle is dev↔out (not dev↔lib as previously thought):
- dev references out via .pc -L flags
- out references dev via baked-in paths in binaries

Building on hydra (standard Nix, ext4) confirmed:
  "cycle detected in references of output 'dev' from output 'out'"

On darwin builders (Determinate Nix, APFS), this manifests as orphaned
store paths instead of a clean error: outputs exist on disk but daemon
fails to register them in the Nix DB.

Fix: strip dev references from BOTH out and lib outputs in postFixup,
since neither needs dev at runtime. Also remove .la files which embed
dev paths.

The build failure is NOT a reference cycle — it's the Determinate Nix
daemon's orphaned store path bug on macOS (APFS). Outputs exist on disk
but fail to register in the Nix DB (.lock files present, nix path-info
says "not valid"). Confirmed on darwin-8: all 5 postgresql outputs are
orphaned despite sync-before-registering=true being deployed.

Keep the remove-references-to fix (strips dev ref from libecpg.so) as
a precaution against actual cycles, but the primary failure mode is the
daemon registration bug.

The changed postFixup produces a new drv hash, avoiding the FailedPaths
cache on hydra without manual DB cleanup.

This reverts commit bbb7fa77388af0b8353c73ec07230403a5bbcb52.

The postgresql musl cross-build fails with:
  error: cycle detected in build of '...-postgresql-musl-17.7.drv'
  in the references of output 'dev' from output 'lib'

The lib output (shared libraries) contains baked-in references to
the dev output path, while dev naturally references lib. The
remove-references-to approach didn't resolve it (references may be
in ELF sections or .rodata that survive stripping).

Instead, merge dev into out by removing "dev" from outputs. When
"dev" is absent from outputs, $dev defaults to $out, so headers and
pkgconfig files end up in $out. Downstream packages using
postgresql.dev get postgresql.out (default output for missing output
names). This eliminates the cycle entirely.

Need to understand why remove-references-to isn't preventing the
dev↔lib reference cycle. Adding verbose output to show:
- Which files exist in the lib output
- Which files reference the dev hash before/after stripping

ngtcp2 CMakeLists.txt doesn't have an ENABLE_EXAMPLES option.
The correct flag to disable building examples is ENABLE_LIB_ONLY,
which is what nixpkgs itself uses for static/FreeBSD builds.

The postgresql multi-output build for musl cross-compilation fails with:
  error: cycle detected in build of '...-postgresql-aarch64-unknown-linux-musl-17.7.drv'
  in the references of output 'dev' from output 'lib'

The lib output picks up references to dev through .la files (libtool
archives with baked-in -I/-L paths) and possibly .pc files. Since dev
already references lib (for -L flags in pkgconfig), this creates a cycle.

Fix by adding postFixup that:
1. Deletes .la files from lib (unnecessary for runtime, embed dev paths)
2. Strips remaining dev references from lib via remove-references-to

Multi-output derivations on macOS (APFS) fail to register in the Nix
DB — build completes but outputs remain orphaned. sync-before-registering
= true did not fix this. Merging all outputs into "out" avoids the
multi-output registration path. Consumers only need lib/ and pg_config.

The gcc14 override caused a full x86_64-linux toolchain rebuild,
including glibc. The rebuilt glibc fails on Determinate Nix's Linux
VM (darwin builders) with "undefined symbol: __libc_start_main",
breaking 178+ x86_64-linux Haskell builds — far worse than the 32
Windows cross-builds the override was meant to fix.

The fixincludes issue needs a narrower solution that doesn't
invalidate all x86_64-linux derivation hashes.

Using !isDarwin would also rebuild gcc14 for Windows (mingw32) targets
unnecessarily. The fixincludes /usr/include issue only affects Linux
builders, so scope to isLinux to avoid touching darwin and windows
gcc14 derivations.

The gcc14 override with --disable-fixincludes was applied globally,
including aarch64-darwin where gfortran fails to bootstrap against
Apple SDK 14.4 (__FLT_EVAL_METHOD__ error in math.h). This caused
the Hydra evaluator to get stuck in an infinite retry loop for 12+
hours trying to build gfortran on darwin builders during IFD.

Scope the override to !isDarwin using optionalAttrs. The fixincludes
issue only affects Linux builders (Determinate Nix VM lacks /usr/include).

568/643 succeeded (88.3%). Remaining 75 failures are from 3 root
causes: GCC fixincludes (32 windows), Determinate Nix orphaned store
paths (32 static-iog-full), hadrian stale cache (8 ghc910-static).
Confirmed the orphaned store path bug is reproducible across all
darwin builders and affects multiple multi-output packages.

Previous postgresql-musl builds completed successfully on darwin builders
but outputs were not registered in the Nix DB (Determinate Nix bug).
The queue runner cached these as failures and persists the cache even
after DB cleanup and log deletion. Adding a harmless preBuild step to
change the drv hash, forcing completely fresh builds now that orphaned
store paths have been cleaned on all builders.

postgresql/generic.nix sets disallowedReferences = [ stdenv'.cc ] which
scans all outputs for references to the C compiler after build phases
complete. For musl cross-compilation, .pc files or .la files may retain
references to the cross-compiler toolchain path, causing the check to
fail silently — all build phases complete successfully with no error in
the log, but the build is recorded as failed.

This explains why postgresql-musl builds consistently "succeed" (all
phases including fixup and stripping complete) but are recorded as
failures on every builder, even with 400+ GB free disk space.

The postgresql musl cross-build completes all phases successfully
(buildPhase, installPhase, fixupPhase) but the outputs get garbage
collected by the builder's min-free auto-GC before they can be
transferred back to the hydra machine. The massive -debug output
(hundreds of debug symlinks) makes the nix-copy transfer too slow.

Disable separateDebugInfo to eliminate the -debug output entirely,
reducing transfer size and avoiding the GC race.

Both x86_64-musl (16 attempts on darwin-7) and aarch64-musl (6
attempts on darwin-6) exhibited this pattern: build log shows all
phases completing but outputs are absent from both builder and
hydra stores.

The previous approach (overriding llvmPackages_20 to use GCC stdenv)
eliminated the LLVM dependency but left GCC LTO active with GNU ld.
GCC LTO + GNU ld produces broken link output for postgresql (undefined
references in .ltrans objects to appendStringInfoString etc.).

The nixpkgs stdenv switch to LLVM bintools exists specifically to
provide ld.lld for GCC LTO. Rather than trying to make GCC LTO work
without LLVM, just disable LTO entirely via hardeningDisable.

tzdata: The real issue is stdenv's `chmod +x $sourceRoot` after
unpackPhase (not makeSourcesWritable). When sourceRoot=".", this
fails on Determinate Nix macOS sandbox. Fix: extract into a
subdirectory so sourceRoot != ".".

libev: Move -lws2_32 from LDFLAGS to LIBS — libtool strips library
flags from LDFLAGS during the link step, so Winsock2 symbols were
never passed to the linker.

nghttp3: Use ENABLE_LIB_ONLY=ON instead of ENABLE_EXAMPLES=OFF —
nghttp3's CMakeLists.txt derives ENABLE_EXAMPLES from ENABLE_LIB_ONLY
(there is no separate ENABLE_EXAMPLES option).

pkgsCross.musl64 doesn't set isStatic=true, so perlSupport defaults
to true. But musl-cross perl is built without shared libperl, causing:
  configure: error: cannot build PL/Perl because libperl is not a shared library

libev: Add -lws2_32 alongside -no-undefined — libev uses Winsock2
functions (WSASend, WSARecv, ioctlsocket, socket, bind, etc.) that
live in ws2_32.dll and must be explicitly linked on Windows.

nghttp3: Disable examples — the qpack example programs include
<arpa/inet.h> which doesn't exist on Windows. The library itself
(libnghttp3.dll) builds successfully.