Cardano Updates

The dynamic discovery via builtins.attrNames config.checks bakes all
check names into the script at eval time.  When downstream repos
consume the pre-push package from cardano-parts' output, the baked
names include perSystem-only checks (e.g. cardano-committee-monitor-
fixture) that don't exist in the consumer's flake, causing the hook
to fail.

Hardcode the two checks the hook should always run — lint and treefmt —
so the fixture check remains a CI/flake-check concern only.

Adds the StrongDM Terraform provider (https://github.com/strongdm/terraform-provider-sdm) to the opentofu.withPlugins list so consumer flakes that use cardano-parts' ops dev shell can declare `sdm_resource` / `sdm_role` / etc. without the runtime hitting registry.opentofu.org on every `tofu init`.

Same pattern as the existing entries (loafoe/ssh, grafana/grafana, etc.) — the provider gets vendored into libexec/terraform-providers at build time, so it works in network-restricted runner environments (self-hosted runners, sandboxed nix shells, etc.).

Concrete use case: shieldedtech/midnight-performance#123 ports the StrongDM resource pattern from shielded-iac-modules/app/midnight into perfnet's terranix-driven tofu config. CI fails on the self-hosted beast runner because the wrapped opentofu only has aws/null/local/tls/etc. and the registry is unreachable for new providers.

* Move the profile readme contents from the top level general readme to the profile
* Match the profile behavior to others: auto-enable with reasonable defaults
  assuming the other co-dependencies are also imported.

nixosModule: add profile-cardano-committee-monitor for constitutional-committee state alerting

Node `11.0.1`, Dbsync `13.7.0.5`, Faucet `11.0`, CVE mitigations

Adds the centrally-rendered alert rules that consume the cardano_cc_*
series published by profile-cardano-committee-monitor, plus a README
section covering enablement, prerequisites, threshold tuning, and the
collector-cadence/staleness coupling.

Alert rules (auto-discovered via parseDir on grafana/alerts):
  - cardano_cc_term_expiring (warning, 30d default)
  - cardano_cc_term_expiring_urgent (page, 7d default)
  - cardano_cc_hot_key_unauthorized / _resigned (page)
  - cardano_cc_member_expired (page)
  - cardano_cc_member_unrecognized (page)
  - cardano_cc_to_be_expired_next_epoch (page, authoritative ledger signal)
  - cardano_cc_no_members (page)
  - cardano_cc_metrics_stale (page, 5400s, paired with hourly cadence)
  - cardano_cc_collector_absent (page)

warnDays / pageDays are constants in the alert file (per-environment
tuning via duplicated rules with environment=~"..." selectors). The
file is part of the project template, so downstream repos own it after
template init.

New profile profile-cardano-committee-monitor publishes per-member
constitutional-committee state to a prometheus textfile-collector .prom
file on an hourly systemd timer. The alloy node-exporter picks the file
up via the textfileCollectorDirectory wiring added in the previous
commit.

Metrics (all carry environment=<env>):
  - cardano_cc_member_epochs_until_expiration  (per cold_credential)
  - cardano_cc_member_seconds_until_expiration (per cold_credential)
  - cardano_cc_member_hot_cred_status          (info-gauge with status label)
  - cardano_cc_member_state                    (info-gauge with state label)
  - cardano_cc_member_next_epoch_change        (info-gauge with change label)
  - cardano_cc_current_epoch
  - cardano_cc_member_count
  - cardano_cc_seconds_per_epoch

The collector script lives in flakeModules/lib/ as a callPackage-able
writeShellApplication so the production unit and the fixture check share
the exact same text; the check swaps cardano-cli for a JSON-fixture shim
and diffs the output against a golden .prom file.

Module asserts on services.alloy.textfileCollectorDirectory != null and
services.cardano-node.shareNodeSocket = true. The cardano-node socket is
read via a SupplementaryGroups=[cardano-node node-textfile] hardened
DynamicUser=true oneshot; output is atomically published via mv on the
same filesystem. Cadence is hourly + RandomizedDelaySec=600s; the
matching staleness threshold lives in the alerts file added in the next
commit.

Wires in via flake-parts auto-discovery (recursiveImports); no
flake.nix or flakeModules/lib.nix changes needed.

Adds two opt-in options consumed by sibling profiles that publish metrics via prometheus textfile collector.

services.alloy.textfileCollectorDirectory (nullOr str, default null):
  - When non-null: enables the node-exporter "textfile" collector,
    emits the textfile { directory = ... } HCL block, creates a
    node-textfile group, and tmpfiles-rules the directory mode 2775
    (setgid so multiple publishers can share it).
  - When null: behaviour is identical to before.

services.alloy.extraPrometheusRelabelNodeKeepRegex (listOf str, default []):
  - Additional alternation arms appended to prometheusRelabelNodeKeepRegex.
    Lets sibling profiles whitelist their textfile metric series without
    a recursive mkForce on the base option.

Also extends the base prometheusRelabelNodeKeepRegex default with
node_textfile_(mtime_seconds|scrape_error) so textfile-collector
self-metrics are scrapeable (un-breaks NodeTextFileCollectorScrapeError
in templates/.../alerts/node-exporter.nix-import and enables a future
metrics-stale alert keyed on node_textfile_mtime_seconds).