chore: bump version to 1.20.0-beta.1
Co-Authored-By: Claude Fable 5 <[email protected]>
Review feedback from refi93 on PR #209. Co-Authored-By: Claude Fable 5 <[email protected]>
The flag becomes a permission instead of a request: determineSigningMode picks the mode the tx shape and signing files point at, and falls back to unrestricted mode only when that mode cannot sign the tx. The canSignWith*Mode predicates mirror the per-signing-mode rejection rules of ledgerjs parsing/transaction.ts clause by clause, which is verifiable rule by rule — unlike the previous approach of enumerating tx shapes that require unrestricted mode, which missed combinations (script credentials without multisig files, path-resolvable credentials with multisig files, reference inputs without collateral). commandExecutor asserts the permission: signing in unrestricted mode without --allow-unrestricted-mode or on a device that does not support it (CryptoProvider.supportsUnrestrictedTransaction, named after the ledgerjs compatibility field) is refused with a clear error. Pool registration txs never fall back to unrestricted mode (it rejects pool registration certs, too); they keep their POOL_REGISTRATION_* mode so per-mode validation reports the violated rule precisely. Co-Authored-By: Claude Fable 5 <[email protected]>
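The permission-instead-of-request flow this commit message describes, as an added TypeScript sketch that is not hw-cli or ledgerjs code. `TxShape`, `inferMode`, `resolveMode` and the three rule bodies are simplified assumptions; only the name `determineSigningMode`, the `--allow-unrestricted-mode` flag and the device-support check come from the message.

```typescript
// Added sketch. Tx fields and rule bodies are simplified assumptions,
// not the ledgerjs per-mode rules and not hw-cli source.
type Restricted = "ORDINARY" | "MULTISIG" | "PLUTUS";
type Mode = Restricted | "POOL_REGISTRATION" | "UNRESTRICTED";

interface TxShape {               // hypothetical summary of a parsed tx
  poolRegistration: boolean;
  scriptCredentials: boolean;     // credentials given as script hashes
  pathCredentials: boolean;       // credentials resolvable to device paths
  collateral: boolean;
  referenceInputs: boolean;
  multisigFiles: boolean;         // signing files are multisig paths
}

// One predicate per restricted mode, each a list of rejection clauses.
const canSignWith: Record<Restricted, (tx: TxShape) => boolean> = {
  ORDINARY: (tx) => !tx.scriptCredentials && !tx.collateral && !tx.referenceInputs,
  MULTISIG: (tx) => !tx.pathCredentials && !tx.collateral && !tx.referenceInputs,
  PLUTUS: () => true,             // simplified: accepts every shape here
};

// The mode the tx shape and signing files point at.
function inferMode(tx: TxShape): Restricted | "POOL_REGISTRATION" {
  if (tx.poolRegistration) return "POOL_REGISTRATION";
  if (tx.collateral) return "PLUTUS";
  return tx.multisigFiles ? "MULTISIG" : "ORDINARY";
}

// Fall back to unrestricted only when the inferred mode cannot sign the tx.
function determineSigningMode(tx: TxShape): Mode {
  const inferred = inferMode(tx);
  if (inferred === "POOL_REGISTRATION") return inferred; // never falls back
  return canSignWith[inferred](tx) ? inferred : "UNRESTRICTED";
}

// The flag is a permission: it is checked after the mode is chosen,
// it never chooses the mode itself.
function resolveMode(tx: TxShape, allowUnrestricted: boolean, deviceSupports: boolean): Mode {
  const mode = determineSigningMode(tx);
  if (mode !== "UNRESTRICTED") return mode;
  if (!allowUnrestricted) throw new Error("tx needs unrestricted mode: pass --allow-unrestricted-mode");
  if (!deviceSupports) throw new Error("device does not support unrestricted mode");
  return mode;
}

// Constructed sample: a plain tx with path credentials only.
const plainTx: TxShape = { poolRegistration: false, scriptCredentials: false,
  pathCredentials: true, collateral: false, referenceInputs: false, multisigFiles: false };
```

Passing the flag for `plainTx` still yields `ORDINARY`, which is the point of treating it as a permission.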
The ledgerjs per-mode rules constrain only the cold credential of committee certs; the hot credential is the cert's subject, not its authorizer, and its form is unconstrained in every signing mode. hw-cli still refused to send it as a bare key hash outside ordinary mode, so a multisig committee hot authorization whose hot key is not on the device failed with a missing-signing-file error. Predates this branch. Co-Authored-By: Claude Fable 5 <[email protected]>
Unit tests for the new unrestricted signing mode (no device needed):
- command parser sets unrestricted: true when --unrestricted is passed
- determineSigningMode returns UNRESTRICTED_TRANSACTION when requested and takes precedence over auto-inference (even over a pool registration tx), and is unaffected when the flag is absent/false
- validateWitnessing accepts an ordinary tx in unrestricted mode and rejects a tx carrying a pool registration certificate
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
develop already uses 3.1.0-only exports (CostModels, PLUTUS_LANGUAGES, CostModelLanguageName) without having bumped the lockfile, which breaks CI; re-resolve within the existing ^3.0.2 range. Co-Authored-By: Claude Fable 5 <[email protected]>
Add --unrestricted to the `transaction witness` command reference in the README: Ledger app v8 + expert mode, relaxed client-side checks, no pool registration certificate, unsupported on Trezor/Keystone. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
The ledgerjs/transport bump pulled @ledgerhq/devices up to 8.x.
@ledgerhq/hw-transport-node-hid-noevents loads it via the exports-map
subpath `require("@ledgerhq/devices/hid-framing")`, which resolves to
lib/hid-framing.js. pkg's static analysis does not follow that exports
subpath into the snapshot, so the packaged binary failed at startup with
"Cannot find module .../@ledgerhq/devices/lib/hid-framing.js" (CI test-bin).
Add the devices lib to pkg.scripts so it is compiled into the snapshot.
Verified by packaging the macOS arm64 binary and running --help: it now
starts cleanly with no missing-module error.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Expose the new unrestricted transaction signing mode (Ledger app v8 with expert mode) via a `--unrestricted` flag on `transaction witness`.
- SigningMode.UNRESTRICTED_TRANSACTION enum value + mapping to the ledgerjs TransactionSigningMode in the Ledger provider.
- determineSigningMode takes precedence for unrestricted when requested; it is never auto-inferred (per the lib's contract).
- Trezor and Keystone reject it explicitly (Ledger-v8-only).
- Expert mode is enabled by ledgerjs itself before signing, so no extra device plumbing is needed here.
Security-relevant relaxations (please review): unrestricted mode is a superset of ordinary allowances, so device-owned address params and key-hash credentials are permitted (areAddressParamsAllowed / allowKeyHash), and witnessing validation only enforces the one invariant the Ledger app keeps - no pool registration certificate. The device shows every element for the expert user to review.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Pull in @cardano-foundation/ledgerjs-hw-app-cardano 8.0.0-beta from npm (Ledger app v8: unrestricted signing mode, combined certificates). The 8.x lib requires @ledgerhq/hw-transport ^6.31.2, which adds tracing methods to Transport. Bump hw-transport and the node-hid-noevents / node-speculos impl packages so the whole tree dedupes to a single hw-transport (6.35.2) and the Ledger(transport) type matches. No hw-cli source changes were needed; build, lint and unit tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> Co-Authored-By: Claude Fable 5 <[email protected]>