[M7] buildCppPackage: hermetic single-derivation, sandbox-safe

Resolve dep store paths and synthesize vendor.toml at outer eval time.
Add tests/e2e/buildCppPackage smoke fixture with a run.sh
Update CHANGELOG.md with the M7 changes.
2026-05-16 01:13:38 +00:00
parent 85417f317c
commit 1f63984b60
7 changed files with 183 additions and 25 deletions


@@ -341,3 +341,60 @@ All notable changes to cargoxx will be documented in this file.
window. `tests/linkdb_overlay.cpp` covers 7 cases (insert/persist,
override-curated, version-range gating, components rejection,
move semantics).
- M7 generated flake.nix moves to `build/flake.nix`. The project root
belongs to the user — any hand-written `flake.nix` there is never
overwritten by cargoxx. `cargoxx build` always invokes `nix develop`
against `path:./build`.
- M7 lockfile pins top-level `nixpkgs_rev` and `flake_utils_rev`. The
generated flake's `inputs.nixpkgs.url` / `inputs.flake-utils.url` now
use the pinned revs (falling back to the branch tips during the
transitional first build before the lock is written). Per-package
schema gains the full recipe (`find_package`, `targets`,
`pkg_config_module`, `brute_force_libs`, `brute_force_includes`,
`linkdb_source`) so the lockfile is a complete dependency-pinning
artifact and `cmd_build`'s `recipe_from_lock` can short-circuit the
linkdb entirely. `tests/lockfile_round_trip.cpp` extended.
- M7 `codegen::VendorIndex` + `parse_vendor_toml` — new pure parser
(`src/codegen/vendor.cpp`) returns a struct of
`nixpkgs_store_path`, `flake_utils_store_path`, and a per-dep
`nixpkgs_attr → store_path` map. `GenerateInputs` gains an optional
`vendor` field; when set, `emit_inputs_block` emits `path:` inputs
and drops the per-dep `github:` pins.
- M7 new helpers in `cargoxx.resolver`:
`realize_path_at_rev(rev, attr)` realizes
`github:NixOS/nixpkgs/<rev>#<attr>` to a `/nix/store/...` path
(used by `cmd_vendor`); `realize_flake_source(flake_ref)` returns
the source store path via `nix flake prefetch --json` (used to pin
`nixpkgs` and `flake-utils` for offline mode).
- M7 `cargoxx vendor [--output <path>]` — new CLI verb. Reads
`Cargoxx.lock`, realizes each locked dep at its pinned
`(nixpkgs_rev, nixpkgs_attr)` into `/nix/store`, and writes
`vendor.toml` (schema = 1) recording the resolved store paths for
every dep plus the `nixpkgs` and `flake-utils` flake sources. The
output is the input to `cargoxx build --offline`.
- M7 `cargoxx build --offline [--vendor <path>]` — skips every network
probe (Conan/vcpkg fuzzy, devbox, nixpkgs_git, linkdb auto-resolve),
reads `vendor.toml` (default `./vendor.toml`), and emits
`build/flake.nix` with literal `path:/nix/store/...` inputs for
`nixpkgs`, `flake-utils`, and every dep. Offline mode also runs cmake
directly (no outer `nix develop` wrapper) since all paths are already
realized in the local store.
- M7 `cargoxx.lib.buildCppPackage` — hermetic, sandbox-safe nix builder
for downstream flakes. Mirrors `rustPlatform.buildRustPackage`'s
ergonomics: a consumer flake passes `src` and gets a derivation. Reads
`Cargoxx.lock` at outer eval time, resolves each dep's
`(nixpkgs_rev, nixpkgs_attr)` via `builtins.getFlake` into concrete
`/nix/store/...` paths, and synthesizes a `vendor.toml` via
`pkgs.writeText` — no network or nested `nix` invocations inside any
build phase. The single derivation runs `cargoxx build --release
--offline --vendor <store-path>/vendor.toml`, which emits a hermetic
`build/flake.nix` with literal `path:/nix/store/...` inputs and drives
cmake directly. Works under the host's default sandbox (sandbox=true,
non-trusted user, no `__noChroot`, no daemon escape). New e2e fixture
at `tests/e2e/buildCppPackage/` with a `run.sh` smoke test that
scaffolds the fixture in a tmp dir and runs `nix build .#default`
end-to-end. Live verified: `Hello from world!` from a binary built
entirely inside the standard nix sandbox.
- Fix: `-Wparentheses` warning in `looks_like_missing_attribute`
(`src/resolver/nixpkgs_probe.cpp:34`) — explicitly parenthesize the
`&&` clause inside `||`.
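Review bot: the `buildCppPackage` entry (the bullet beginning "M7 `cargoxx.lib.buildCppPackage`") should state that the outer-eval `builtins.getFlake` resolution only works under pure evaluation when `nixpkgs_rev` in `Cargoxx.lock` is a full commit hash, since `builtins.getFlake` rejects unlocked references in pure mode; the lockfile bullet above says the generated flake falls back to branch tips "during the transitional first build before the lock is written", so a consumer flake pointed at a project in that state would fail to evaluate rather than build hermetically. Suggest adding a sentence such as "Requires a written `Cargoxx.lock` with fully pinned `nixpkgs_rev` values; the branch-tip fallback is not usable from `buildCppPackage`." Minor: the `-Wparentheses` fix bullet cites `src/resolver/nixpkgs_probe.cpp:34`; a line number in a CHANGELOG goes stale on the next edit, so the function name alone is the better reference.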