feat(nix): add Nix flake build support

[jmikedupont2]

Add Nix flake for reproducible builds of moltis.

Changes

• flake.nix with buildRustPackage, dev shell, and perf witness derivation
• Disable tests in nix package build (run separately in checks)
• Regenerate Cargo.lock to include all workspace deps (fixes missing a2 crate for courier)

Testing

• nix build succeeds
• nix develop provides full dev environment with rust toolchain

[greptile-apps]

Greptile Summary

This PR adds Nix flake support (flake.nix + flake.lock) for reproducible builds and developer shells, and regenerates Cargo.lock to include the missing a2 crate needed by the courier app. The concept is sound, but the flake.nix has critical gaps that will prevent a successful nix build, and the Cargo.lock regeneration introduced broad unintentional dependency upgrades that conflict with the project's lockfile policy.

Key issues:

• nix build will fail: buildRustPackage has no nativeBuildInputs. The project uses vendored OpenSSL (needs perl), llama-cpp-2 (needs cmake and a C++ compiler), and multiple tree-sitter-* grammars (need a C compiler). At minimum perl, cmake, and pkg-config are required.
• checks.auth-tests is referenced but not defined: doCheck = false cites running tests "separately in checks.auth-tests", but no checks output is present in the flake.
• Perf witness derivation missing: The PR description lists it as a deliverable; it does not appear in the actual flake.nix.
• devShells uses buildInputs instead of nativeBuildInputs for host tools, and is missing pkg-config, perl, cmake, openssl.dev, and sqlite.
• Hardcoded version = "0.1.0" is inconsistent with the date-based versioning (YYYYMMDD.NN) documented in CLAUDE.md.
• Cargo.lock contains broad unintentional upgrades (e.g. anstream, anstyle-parse, anyhow, windows-sys) beyond the targeted a2 crate addition, violating the cargo fetch (not cargo update) lockfile policy in CLAUDE.md.

Confidence Score: 1/5

• Not safe to merge — nix build will fail due to missing native build inputs, checks are undefined, the perf witness derivation is absent, and Cargo.lock contains unintentional bulk upgrades.
• The flake.nix is missing critical nativeBuildInputs (perl, cmake, pkg-config) that are required for the project's C-linked crates, meaning the primary deliverable (nix build succeeding) cannot work as claimed. Additional structural gaps (no checks derivation, missing perf witness, wrong devShell attribute) and a broad Cargo.lock drift issue require resolution before merging.
• flake.nix requires significant additions before the build can succeed; Cargo.lock needs review to confirm all version bumps are intentional.

Important Files Changed

Filename	Overview
flake.nix	New Nix flake with buildRustPackage and devShell; missing nativeBuildInputs (perl, cmake, pkg-config) required for native C deps, no checks.auth-tests despite the inline comment, and the perf witness derivation claimed in the PR description is absent.
flake.lock	Auto-generated lockfile pinning nixpkgs (unstable, rev 6c9a78c) and flake-utils; pins look correct and consistent with flake.nix inputs.
Cargo.lock	Adds missing a2 crate for the courier app, but also includes broad unintentional version bumps (anstream, anstyle, anyhow, windows-sys, and others) which conflicts with CLAUDE.md's policy of using cargo fetch rather than cargo update.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[nix build / nix develop] --> B{flake.nix outputs}
    B --> C[packages.default\nbuildRustPackage -p moltis]
    B --> D[devShells.default\nmkShell]
    B -.->|❌ missing| E[checks.auth-tests\nnot defined]
    B -.->|❌ missing| F[perf-witness derivation\nnot defined]

    C --> G{cargoLock.lockFile}
    G --> H[Cargo.lock\nregenerated with a2 crate]
    H -.->|⚠️ unintentional bumps| I[anstream, anstyle,\nanyhow, windows-sys...]

    C --> J{nativeBuildInputs}
    J -.->|❌ absent| K[perl — vendored OpenSSL\ncmake — llama-cpp-2\npkg-config — tree-sitter\ngcc/clang — C grammars]

    D --> L{buildInputs}
    L -.->|⚠️ wrong attr| M[should be nativeBuildInputs\nfor host tools]
    L -.->|❌ missing| N[pkg-config, perl,\ncmake, openssl.dev,\nsqlite, nodejs]

    style E fill:#f88,stroke:#c00
    style F fill:#f88,stroke:#c00
    style K fill:#f88,stroke:#c00
    style M fill:#ffa,stroke:#990
    style N fill:#ffa,stroke:#990
    style I fill:#ffa,stroke:#990

Loading

Comments Outside Diff (5)

1. flake.nix, line 15-29 (link)

   Missing nativeBuildInputs — build will fail

   The buildRustPackage derivation has no nativeBuildInputs or buildInputs. This project uses several crates that compile native C/C++ code at build time:

   • openssl = { features = ["vendored"] } — vendored OpenSSL invokes perl to configure and build OpenSSL from source. Without perl in nativeBuildInputs, the build will fail with a perl: command not found error.
   • llama-cpp-2 — compiles llama.cpp (C++); requires cmake and a C++ compiler.
   • tree-sitter-* crates — each compiles a small C grammar; requires a C compiler and cc/pkg-config.
   • portable-pty — links against system PTY headers.
   • tikv-jemallocator — compiles jemalloc from source.

   At minimum you need:

   packages.default = pkgs.rustPlatform.buildRustPackage {
     pname = "moltis";
     version = "0.1.0";
     src = ./.;
     cargoBuildFlags = [ "-p" "moltis" ];
     cargoLock.lockFile = ./Cargo.lock;
     doCheck = false;
   
     nativeBuildInputs = with pkgs; [
       pkg-config
       perl       # required by openssl-src (vendored OpenSSL)
       cmake      # required by llama-cpp-2
       gcc        # C/C++ compiler for tree-sitter grammars, jemalloc, etc.
     ];
   
     buildInputs = with pkgs; [
       openssl    # non-vendored headers for any linked system libs
     ];
   
     meta = with pkgs.lib; { ... };
   };

2. flake.nix, line 31-39 (link)

   devShells uses wrong attribute and is missing critical tools

   Two issues here:

   1. Wrong attribute name: In Nix, buildInputs in mkShell is used for libraries that need to be linked; host tools that run during development (compilers, formatters, linters) should be listed in nativeBuildInputs. Using buildInputs for cargo, rustc, etc., works on native builds but is semantically incorrect and breaks cross-compilation scenarios.

   2. Missing essential tools: The dev shell is missing several tools required by CLAUDE.md and the project's dependencies:

      • pkg-config — needed for any crate that calls pkg-config during build
      • openssl.dev — header files for OpenSSL-linked crates
      • perl — required by vendored OpenSSL build scripts
      • cmake — required by llama-cpp-2
      • sqlite — used by sqlx with sqlite feature
      • nodejs / biome / npx — required by the web UI Tailwind/Playwright workflow in CLAUDE.md

3. flake.nix, line 17 (link)

   Hardcoded version inconsistent with date-based versioning policy

   CLAUDE.md states the project uses date-based versioning (YYYYMMDD.NN, e.g. 20260311.01) injected at build time via the MOLTIS_VERSION environment variable — Cargo.toml intentionally stays at the static 0.1.0 placeholder. The Nix derivation should honour this convention rather than re-exposing the placeholder version. Consider deriving the version from the git tag or injecting it as an env var:

   version = builtins.getEnv "MOLTIS_VERSION"; # "" falls back gracefully
   # or
   preBuild = ''
     export MOLTIS_VERSION=$(git describe --tags --always 2>/dev/null || echo "0.1.0")
   '';

   If keeping 0.1.0, add a comment explaining this is intentional per the project versioning policy so future readers aren't confused.

4. Cargo.lock, line 127-140 (link)

   Broad Cargo dependency upgrades conflict with CLAUDE.md lockfile policy

   The PR description says the Cargo.lock was regenerated to add the missing a2 crate for the courier app. However, the diff shows wide-ranging version bumps across unrelated crates (e.g. anstream 0.6.21→1.0.0, anstyle-parse 0.2.7→1.0.0, anstyle 1.0.13→1.0.14, anyhow 1.0.101→1.0.102, windows-sys 0.60.2→0.61.2, and many others).

   CLAUDE.md explicitly states:

   cargo fetch to sync (not cargo update). Verify with cargo fetch --locked. cargo update --workspace only for intentional upgrades.

   Regenerating the lockfile with what appears to be cargo update rather than a targeted cargo add/cargo fetch violates this policy. Bulk upgrades in a single PR that also introduces a new build system make it harder to bisect regressions. Please:

   1. Document which upgrades are intentional in the PR description.
   2. Run cargo fetch --locked to verify no unintended drift remains.
   3. Consider splitting unrelated dependency upgrades into a separate PR.

5. flake.nix, line 1-42 (link)

   PR description mentions "perf witness derivation" — not present in flake.nix

   The PR description lists "perf witness derivation" as one of the three main deliverables of this PR:

   flake.nix with buildRustPackage, dev shell, and perf witness derivation

   No such derivation (e.g., a packages.perf-witness or apps.perf-witness) exists in the current outputs. Either the description is outdated and the perf witness work was deferred, or it was accidentally omitted. Please either add it or update the PR description to reflect what was actually shipped.

_{Reviews (1): Last reviewed commit: "fix(nix): regenerate Cargo.lock for nix ..." | Re-trigger Greptile}

[greptile-apps]

checks.auth-tests referenced but never defined

The comment # tests run separately in checks.auth-tests implies there is (or will be) a checks output containing an auth-tests derivation. However, no checks attribute is present anywhere in this flake's outputs. As written, doCheck = false silently drops all tests with no replacement check derivation, contradicting CLAUDE.md which requires high test coverage and a CI gate.

Either add the checks.auth-tests derivation alongside the package, or update the comment to accurately reflect that tests are run only in the external cargo test CI step.