Cardano Updates

Flake lock file updates:

• Updated input 'haskellNix':
    'github:input-output-hk/haskell.nix/cc939d0' (2026-02-23)
  → 'github:input-output-hk/haskell.nix/7f5a9ef' (2026-02-28)
• Removed input 'haskellNix/cabal-32'
• Updated input 'haskellNix/hackage':
    'github:input-output-hk/hackage.nix/06f38c7' (2026-02-23)
  → 'github:input-output-hk/hackage.nix/93f0f7e' (2026-02-28)
• Updated input 'haskellNix/hackage-for-stackage':
    'github:input-output-hk/hackage.nix/2d5bbb1' (2026-02-23)
  → 'github:input-output-hk/hackage.nix/a240f6b' (2026-02-28)
• Updated input 'haskellNix/stackage':
    'github:input-output-hk/stackage.nix/862226e' (2026-02-23)
  → 'github:input-output-hk/stackage.nix/d3613b6' (2026-02-28)
• Updated input 'iohk-nix':
    'github:input-output-hk/iohk-nix/a704b93' (2025-11-12)
  → 'github:input-output-hk/iohk-nix/0ce7cc2' (2026-02-02)

When Hydra resolves builds from cache, it creates only aggregate
"required" check-runs but not individual per-build check-runs.
This causes the GHA upload workflow to discover zero -env closures
and skip all container uploads.

Add a fallback path: when no Hydra check-runs ending in "-env"
are found, evaluate the store paths directly from the flake using
nix eval with extra/discover-env.nix. This ensures containers are
always uploaded regardless of Hydra's check-run behavior.

Also install Nix and checkout the repo in the Discover step to
support the fallback evaluation.

The wait-for-hydra SSE mode now uses read -t 60 for periodic timeout
checks and re-checks the one-shot endpoint when the SSE stream ends.

* Centralize IOG library lists in iog-libs.nix

Extract the duplicated IOG dependency lists from dynamic.nix,
static.nix, cross-js.nix, and cross-windows.nix into a single
iog-libs.nix file. This eliminates manual synchronization when
adding new libraries (e.g., lmdb was previously missing from
cross-compilation targets) and provides a canonical source of
truth for IOG-specific dependencies.

The centralized file categorizes dependencies into:
- crypto: libblst, libsodium-vrf, secp256k1 (all shell types)
- data: lmdb (dynamic/static only)
- tools: cbor-diag, cddl, gh, icu, jq, yq-go (dynamic/static)
- cross-tools: cbor-diag, cddl (cross-compilation targets)

Each consumer imports iog-libs.nix and transforms as needed
(e.g., static.nix passes static=true to resolve static-* variants).

Addresses #56

* Fix ShellCheck SC2215 in wrapped-cabal script

Move the iog-libs.nix sync comment from inside the shell heredoc
(where it breaks line continuation and triggers SC2215) to a Nix
comment above the writeShellApplicationWithRuntime block.

The wait-for-hydra/sse-support branch now has the pipe subshell fix
(process substitution instead of pipe) so SSE exit codes propagate
correctly.

Switch pr-validate workflow to use the SSE-enabled wait-for-hydra
action branch. This connects to ci.zw3rk.com's SSE endpoint for
instant build status updates instead of polling the GitHub API.

Test PR — do not merge.

Move the iog-libs.nix sync comment from inside the shell heredoc
(where it breaks line continuation and triggers SC2215) to a Nix
comment above the writeShellApplicationWithRuntime block.

Extract the duplicated IOG dependency lists from dynamic.nix,
static.nix, cross-js.nix, and cross-windows.nix into a single
iog-libs.nix file. This eliminates manual synchronization when
adding new libraries (e.g., lmdb was previously missing from
cross-compilation targets) and provides a canonical source of
truth for IOG-specific dependencies.

The centralized file categorizes dependencies into:
- crypto: libblst, libsodium-vrf, secp256k1 (all shell types)
- data: lmdb (dynamic/static only)
- tools: cbor-diag, cddl, gh, icu, jq, yq-go (dynamic/static)
- cross-tools: cbor-diag, cddl (cross-compilation targets)

Each consumer imports iog-libs.nix and transforms as needed
(e.g., static.nix passes static=true to resolve static-* variants).

Addresses #56

Replace outdated GHC 8.10 references with current compilers (ghc96,
ghc98, ghc910, ghc912). Update the flavor table to include lmdb in
-iog descriptions. Note that Windows cross-compilation is currently
disabled pending nixpkgs-2511 crossThreadsStdenv fix. Update Docker
image list to match available compilers.

Fixes #114

Replace outdated GHC 8.10 references with current compilers (ghc96,
ghc98, ghc910, ghc912). Update the flavor table to include lmdb in
-iog descriptions. Note that Windows cross-compilation is currently
disabled pending nixpkgs-2511 crossThreadsStdenv fix. Update Docker
image list to match available compilers.

Fixes #114

If GITHUB_ACTIONS is not defined the check "$GITHUB_ACTIONS" = "true"
might fail. The CODESPACES variable is always set to "true" in GitHub
Codespaces so we can use the same mechanism there.

GNU config.sub normalises to "aarch64-apple-darwin" while Apple's
LLVM toolchain (and nix cc-wrapper's @defaultTarget@) uses
"arm64-apple-darwin". Older GHC versions pass --target=aarch64-apple-darwin
which triggers a noisy warning from the cc-wrapper's
add-clang-cc-cflags-before hook on every compiler invocation.

The warning is harmless — clang handles both triples identically — but
it pollutes stderr and causes thousands of GHC testsuite failures due
to unexpected compiler output.

Set NIX_CC_WRAPPER_SUPPRESS_TARGET_WARNING=1 in the env script before
sourcing stdenv/setup to suppress this warning.

GHC's Makefile unconditionally calls `tput bold` and `tput sgr0`
(lines 217-218) which fail with "No value for $TERM and no -T
specified" when TERM is unset. This happens in CI runners and
containers where no terminal is attached.

Set TERM to "dumb" as a fallback after sourcing setup.sh so ncurses
tools like tput degrade gracefully instead of erroring.

GHC's test suite requires `perl` (e.g. the testsuite driver and various
test scripts). Like `which`, `perl` is not part of stdenv's initialPath
and was only reachable via the host system before the hermetic PATH
change. Add it explicitly to all four shell definitions.

GHC's build system (mk/boilerplate.mk:182) uses `which` to locate ghc.
After commit a354771 switched from recursive-nix `nix print-dev-env` to
`devShellTools.unstructuredDerivationInputEnv`, `which` was no longer
transitively included. This caused CI failures:

  make[1]: which: No such file or directory
  ../mk/boilerplate.mk:182: *** Cannot find ghc: .  Stop.

Add pkgs.which explicitly to nativeBuildInputs/buildInputs in all four
shell definitions (dynamic, static, cross-js, cross-windows).

GHC's build system (mk/boilerplate.mk:182) uses `which` to locate ghc.
After commit a354771 switched from recursive-nix `nix print-dev-env` to
`devShellTools.unstructuredDerivationInputEnv`, `which` was no longer
transitively included. This caused CI failures:

  make[1]: which: No such file or directory
  ../mk/boilerplate.mk:182: *** Cannot find ghc: .  Stop.

Add pkgs.which explicitly to nativeBuildInputs/buildInputs in all four
shell definitions (dynamic, static, cross-js, cross-windows).

curl does NOT check SSL_CERT_FILE — it only checks CURL_CA_BUNDLE and
its built-in CA bundle path. The nixpkgs-built curl has /no-cert-file.crt
as its built-in path (a sentinel when cacert is absent at build time).

The cacert setup-hook (from PR #232) sets SSL_CERT_FILE but not
CURL_CA_BUNDLE, so curl still fails in containers with:
  curl: (77) error adding trust anchors from file: /no-cert-file.crt

Set both CURL_CA_BUNDLE (for curl) and SSL_CERT_FILE (for OpenSSL-based
tools) directly in mkShell to ensure CA certificates are found regardless
of whether the cacert setup-hook has run.

curl does NOT check SSL_CERT_FILE — it only checks CURL_CA_BUNDLE and
its built-in CA bundle path. The nixpkgs-built curl has /no-cert-file.crt
as its built-in path (a sentinel when cacert is absent at build time).

The cacert setup-hook (from PR #232) sets SSL_CERT_FILE but not
CURL_CA_BUNDLE, so curl still fails in containers with:
  curl: (77) error adding trust anchors from file: /no-cert-file.crt

Set both CURL_CA_BUNDLE (for curl) and SSL_CERT_FILE (for OpenSSL-based
tools) directly in mkShell to ensure CA certificates are found regardless
of whether the cacert setup-hook has run.

curl requires CA certificates to validate HTTPS connections. In the
-env containers (rootless, no system CA store), OpenSSL falls back to
/no-cert-file.crt when cacert is not in the dependency closure. Adding
pkgs.cacert to runtimeInputs propagates it through nix-support/, and
its setup-hook sets SSL_CERT_FILE, NIX_SSL_CERT_FILE, and
SYSTEM_CERTIFICATE_PATH — enabling curl to verify HTTPS certificates
in the container environment.

Fixes: curl: (77) error adding trust anchors from file: /no-cert-file.crt

curl requires CA certificates to validate HTTPS connections. In the
-env containers (rootless, no system CA store), OpenSSL falls back to
/no-cert-file.crt when cacert is not in the dependency closure. Adding
pkgs.cacert to runtimeInputs propagates it through nix-support/, and
its setup-hook sets SSL_CERT_FILE, NIX_SSL_CERT_FILE, and
SYSTEM_CERTIFICATE_PATH — enabling curl to verify HTTPS certificates
in the container environment.

Fixes: curl: (77) error adding trust anchors from file: /no-cert-file.crt

* Fix: write nix-support/propagated-native-build-inputs file

writeShellApplication uses writeTextFile internally, which does NOT
run stdenv.mkDerivation's fixupPhase. Setting propagatedNativeBuildInputs
via overrideAttrs only adds the attribute to the derivation but never
materializes the $out/nix-support/propagated-native-build-inputs file
that setup.sh's findInputs actually reads at runtime.

Without this file, curl was invisible to the shell environment despite
being set as a propagated dep — the wrapper script itself had curl on
its internal PATH, but other programs (like GHC's stage0 cabal) could
not find it.

Fix: explicitly create the nix-support file in postInstall.

* Fix: use buildCommand instead of postInstall for nix-support file

writeTextFile sets `buildCommand` in the derivation, which causes
stdenv's genericBuild to skip the entire phase system — installPhase,
postInstall, fixupPhase — none of them execute. The previous commit
used postInstall which was silently ignored, leaving the wrapper
output without nix-support/propagated-native-build-inputs.

Append the file creation directly to buildCommand, which is the only
code path the builder actually runs.

writeTextFile sets `buildCommand` in the derivation, which causes
stdenv's genericBuild to skip the entire phase system — installPhase,
postInstall, fixupPhase — none of them execute. The previous commit
used postInstall which was silently ignored, leaving the wrapper
output without nix-support/propagated-native-build-inputs.

Append the file creation directly to buildCommand, which is the only
code path the builder actually runs.

writeShellApplication uses writeTextFile internally, which does NOT
run stdenv.mkDerivation's fixupPhase. Setting propagatedNativeBuildInputs
via overrideAttrs only adds the attribute to the derivation but never
materializes the $out/nix-support/propagated-native-build-inputs file
that setup.sh's findInputs actually reads at runtime.

Without this file, curl was invisible to the shell environment despite
being set as a propagated dep — the wrapper script itself had curl on
its internal PATH, but other programs (like GHC's stage0 cabal) could
not find it.

Fix: explicitly create the nix-support file in postInstall.

* Propagate writeShellApplication runtimeInputs via propagatedNativeBuildInputs

The switch from nix-print-dev-env to devShellTools (a354771) broke
runtimeInputs visibility in -env container scripts. writeShellApplication
embeds runtimeInputs in the wrapper's own PATH, but $stdenv/setup (which
the -env scripts source) only walks buildInputs/nativeBuildInputs — not
the internal PATH of wrappers within those inputs.

The previous fix (76d6b37) added curl explicitly to buildInputs, but
this is fragile: any future runtimeInputs change requires a parallel
edit in the shell's input lists.

Instead, use propagatedNativeBuildInputs on the wrapper derivation.
When $stdenv/setup processes wrapped-cabal from nativeBuildInputs, it
transitively follows propagatedNativeBuildInputs and adds curl (and
cabal-install) to PATH for the whole environment. This is the standard
Nix mechanism for transitive dependency propagation.

Applies to all four shell definitions: dynamic, static, cross-js,
cross-windows. Removes the explicit curl additions from 76d6b37.

* Extract writeShellApplicationWithRuntime helper to writers.nix

Refactor the inline .overrideAttrs pattern (used to propagate
writeShellApplication's runtimeInputs via propagatedNativeBuildInputs)
into a shared helper function with extensive documentation explaining
why this is needed.

The core issue: devx generates -env container scripts using devShellTools,
which reconstructs the environment via $stdenv/setup's findInputs.
findInputs walks propagatedNativeBuildInputs metadata files but does NOT
look inside writeShellApplication wrapper scripts. Without propagation,
runtimeInputs (e.g. curl for HTTPS hackage transport) are invisible to
the container environment.

See writers.nix for the full architectural explanation.

Refactor the inline .overrideAttrs pattern (used to propagate
writeShellApplication's runtimeInputs via propagatedNativeBuildInputs)
into a shared helper function with extensive documentation explaining
why this is needed.

The core issue: devx generates -env container scripts using devShellTools,
which reconstructs the environment via $stdenv/setup's findInputs.
findInputs walks propagatedNativeBuildInputs metadata files but does NOT
look inside writeShellApplication wrapper scripts. Without propagation,
runtimeInputs (e.g. curl for HTTPS hackage transport) are invisible to
the container environment.

See writers.nix for the full architectural explanation.