Cardano Updates

Addresses PR review: instead of throwing when --unrestricted is used on a
device/app that can't honor it, fall back to the auto-inferred signing mode
and log a warning. This keeps callers device-agnostic - a script can always
pass --unrestricted without first branching on device kind or app version.

- Add downgradeUnsupportedUnrestricted helper (crypto-providers/util.ts).
- Trezor and Keystone: warn + ignore instead of erroring.
- Ledger: check compatibility.supportsUnrestrictedTransaction from
  getVersion(); on app v7 and older, warn + fall back.
- Remove the now-unused Trezor/Keystone "not supported" errors.
- Reword the --unrestricted help (code + README): "Ledger app v8 or newer";
  "ignored (with a warning)" on Trezor/Keystone/older apps.
- Unit tests for the fallback helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Per review: instead of picking UNRESTRICTED and then undoing it per-provider,
decide up front whether unrestricted is actually applicable, so the signing
mode is never UNRESTRICTED on a device/app that can't honor it.

- Add supportsUnrestrictedTxSigning() to the CryptoProvider interface
  (Ledger: compatibility.supportsUnrestrictedTransaction from getVersion;
  Trezor/Keystone: false).
- commandExecutor consults it before determineSigningMode and, if
  --unrestricted was requested but unsupported, warns and ignores it. So
  validateWitnessing already sees the effective mode.
- Remove the per-provider downgrade and the downgradeUnsupportedUnrestricted
  helper (and its now-redundant tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Unit tests for the new unrestricted signing mode (no device needed):
- command parser sets unrestricted: true when --unrestricted is passed
- determineSigningMode returns UNRESTRICTED_TRANSACTION when requested and
  takes precedence over auto-inference (even over a pool registration tx),
  and is unaffected when the flag is absent/false
- validateWitnessing accepts an ordinary tx in unrestricted mode and rejects
  a tx carrying a pool registration certificate

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

The ledgerjs/transport bump pulled @ledgerhq/devices up to 8.x.
@ledgerhq/hw-transport-node-hid-noevents loads it via the exports-map
subpath `require("@ledgerhq/devices/hid-framing")`, which resolves to
lib/hid-framing.js. pkg's static analysis does not follow that exports
subpath into the snapshot, so the packaged binary failed at startup with
"Cannot find module .../@ledgerhq/devices/lib/hid-framing.js" (CI test-bin).

Add the devices lib to pkg.scripts so it is compiled into the snapshot.
Verified by packaging the macOS arm64 binary and running --help: it now
starts cleanly with no missing-module error.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Add --unrestricted to the `transaction witness` command reference in the
README: Ledger app v8 + expert mode, relaxed client-side checks, no pool
registration certificate, unsupported on Trezor/Keystone.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Expose the new unrestricted transaction signing mode (Ledger app v8 with
expert mode) via a `--unrestricted` flag on `transaction witness`.

- SigningMode.UNRESTRICTED_TRANSACTION enum value + mapping to the ledgerjs
  TransactionSigningMode in the Ledger provider.
- determineSigningMode takes precedence for unrestricted when requested; it
  is never auto-inferred (per the lib's contract).
- Trezor and Keystone reject it explicitly (Ledger-v8-only).
- Expert mode is enabled by ledgerjs itself before signing, so no extra
  device plumbing is needed here.

Security-relevant relaxations (please review): unrestricted mode is a
superset of ordinary allowances, so device-owned address params and
key-hash credentials are permitted (areAddressParamsAllowed / allowKeyHash),
and witnessing validation only enforces the one invariant the Ledger app
keeps - no pool registration certificate. The device shows every element
for the expert user to review.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Pull in @cardano-foundation/ledgerjs-hw-app-cardano 8.0.0-rc.2 (Ledger
app v8: unrestricted signing mode, combined certificates). Sourced from
the vacuumlabs GitHub pre-release tarball since 8.x is not yet on npm;
repoint to the npm version once published.

The 8.x lib requires @ledgerhq/hw-transport ^6.31.2, which adds tracing
methods to Transport. Bump hw-transport and the node-hid-noevents /
node-speculos impl packages so the whole tree dedupes to a single
hw-transport (6.35.2) and the Ledger(transport) type matches. No hw-cli
source changes were needed; build, lint and unit tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Per review: instead of picking UNRESTRICTED and then undoing it per-provider,
decide up front whether unrestricted is actually applicable, so the signing
mode is never UNRESTRICTED on a device/app that can't honor it.

- Add supportsUnrestrictedTxSigning() to the CryptoProvider interface
  (Ledger: compatibility.supportsUnrestrictedTransaction from getVersion;
  Trezor/Keystone: false).
- commandExecutor consults it before determineSigningMode and, if
  --unrestricted was requested but unsupported, warns and ignores it. So
  validateWitnessing already sees the effective mode.
- Remove the per-provider downgrade and the downgradeUnsupportedUnrestricted
  helper (and its now-redundant tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Addresses PR review: instead of throwing when --unrestricted is used on a
device/app that can't honor it, fall back to the auto-inferred signing mode
and log a warning. This keeps callers device-agnostic - a script can always
pass --unrestricted without first branching on device kind or app version.

- Add downgradeUnsupportedUnrestricted helper (crypto-providers/util.ts).
- Trezor and Keystone: warn + ignore instead of erroring.
- Ledger: check compatibility.supportsUnrestrictedTransaction from
  getVersion(); on app v7 and older, warn + fall back.
- Remove the now-unused Trezor/Keystone "not supported" errors.
- Reword the --unrestricted help (code + README): "Ledger app v8 or newer";
  "ignored (with a warning)" on Trezor/Keystone/older apps.
- Unit tests for the fallback helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Add --unrestricted to the `transaction witness` command reference in the
README: Ledger app v8 + expert mode, relaxed client-side checks, no pool
registration certificate, unsupported on Trezor/Keystone.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

The ledgerjs/transport bump pulled @ledgerhq/devices up to 8.x.
@ledgerhq/hw-transport-node-hid-noevents loads it via the exports-map
subpath `require("@ledgerhq/devices/hid-framing")`, which resolves to
lib/hid-framing.js. pkg's static analysis does not follow that exports
subpath into the snapshot, so the packaged binary failed at startup with
"Cannot find module .../@ledgerhq/devices/lib/hid-framing.js" (CI test-bin).

Add the devices lib to pkg.scripts so it is compiled into the snapshot.
Verified by packaging the macOS arm64 binary and running --help: it now
starts cleanly with no missing-module error.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Unit tests for the new unrestricted signing mode (no device needed):
- command parser sets unrestricted: true when --unrestricted is passed
- determineSigningMode returns UNRESTRICTED_TRANSACTION when requested and
  takes precedence over auto-inference (even over a pool registration tx),
  and is unaffected when the flag is absent/false
- validateWitnessing accepts an ordinary tx in unrestricted mode and rejects
  a tx carrying a pool registration certificate

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Expose the new unrestricted transaction signing mode (Ledger app v8 with
expert mode) via a `--unrestricted` flag on `transaction witness`.

- SigningMode.UNRESTRICTED_TRANSACTION enum value + mapping to the ledgerjs
  TransactionSigningMode in the Ledger provider.
- determineSigningMode takes precedence for unrestricted when requested; it
  is never auto-inferred (per the lib's contract).
- Trezor and Keystone reject it explicitly (Ledger-v8-only).
- Expert mode is enabled by ledgerjs itself before signing, so no extra
  device plumbing is needed here.

Security-relevant relaxations (please review): unrestricted mode is a
superset of ordinary allowances, so device-owned address params and
key-hash credentials are permitted (areAddressParamsAllowed / allowKeyHash),
and witnessing validation only enforces the one invariant the Ledger app
keeps - no pool registration certificate. The device shows every element
for the expert user to review.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Pull in @cardano-foundation/ledgerjs-hw-app-cardano 8.0.0-rc.2 (Ledger
app v8: unrestricted signing mode, combined certificates). Sourced from
the vacuumlabs GitHub pre-release tarball since 8.x is not yet on npm;
repoint to the npm version once published.

The 8.x lib requires @ledgerhq/hw-transport ^6.31.2, which adds tracing
methods to Transport. Bump hw-transport and the node-hid-noevents /
node-speculos impl packages so the whole tree dedupes to a single
hw-transport (6.35.2) and the Ledger(transport) type matches. No hw-cli
source changes were needed; build, lint and unit tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Why: engines.node is >=22.0.0, but @types/node was still on ^20,
so APIs added in Node 22 were not reflected in the type definitions.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Fresh yarn install resolved eslint ^9.35.0 to v9, which requires flat config (eslint.config.js) by default. Instead of migrating the entire config, use ESLINT_USE_FLAT_CONFIG=false to keep the existing .eslintrc.js.
  Also disable two new rules from the updated @typescript-eslint plugin that would require source code changes:
  - no-require-imports: new rule that flags require() calls
  - no-unused-vars caughtErrors: now flags unused catch variables

Lodash 4.17.23 had known prototype pollution and code injection
advisories (GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh). Uuid 10
was deprecated upstream. Drop @types/uuid since uuid 11+ ships
its own types and the stub was pulling uuid@14 transitively.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>