[M7] buildCppPackage: hermetic single-derivation, sandbox-safe
Resolve dep store paths and synthesize vendor.toml at outer eval time. Add tests/e2e/buildCppPackage smoke fixture with a run.sh. Update CHANGELOG.md with the M7 changes.
57
CHANGELOG.md
@@ -341,3 +341,60 @@ All notable changes to cargoxx will be documented in this file.
window. `tests/linkdb_overlay.cpp` covers 7 cases (insert/persist,
override-curated, version-range gating, components rejection,
move semantics).
- M7 generated flake.nix moves to `build/flake.nix`. The project root
belongs to the user — any hand-written `flake.nix` there is never
overwritten by cargoxx. `cargoxx build` always invokes `nix develop`
against `path:./build`.
- M7 lockfile pins top-level `nixpkgs_rev` and `flake_utils_rev`. The
generated flake's `inputs.nixpkgs.url` / `inputs.flake-utils.url` now
use the pinned revs (falling back to the branch tips during the
transitional first build before the lock is written). Per-package
schema gains the full recipe (`find_package`, `targets`,
`pkg_config_module`, `brute_force_libs`, `brute_force_includes`,
`linkdb_source`) so the lockfile is a complete dependency-pinning
artifact and `cmd_build`'s `recipe_from_lock` can short-circuit the
linkdb entirely. `tests/lockfile_round_trip.cpp` extended.
- M7 `codegen::VendorIndex` + `parse_vendor_toml` — new pure parser
(`src/codegen/vendor.cpp`) returns a struct of
`nixpkgs_store_path`, `flake_utils_store_path`, and a per-dep
`nixpkgs_attr → store_path` map. `GenerateInputs` gains an optional
`vendor` field; when set, `emit_inputs_block` emits `path:` inputs
and drops the per-dep `github:` pins.
- M7 new helpers in `cargoxx.resolver`:
`realize_path_at_rev(rev, attr)` realizes
`github:NixOS/nixpkgs/<rev>#<attr>` to a `/nix/store/...` path
(used by `cmd_vendor`); `realize_flake_source(flake_ref)` returns
the source store path via `nix flake prefetch --json` (used to pin
`nixpkgs` and `flake-utils` for offline mode).
- M7 `cargoxx vendor [--output <path>]` — new CLI verb. Reads
`Cargoxx.lock`, realizes each locked dep at its pinned
`(nixpkgs_rev, nixpkgs_attr)` into `/nix/store`, and writes
`vendor.toml` (schema = 1) recording the resolved store paths for
every dep plus the `nixpkgs` and `flake-utils` flake sources. The
output is the input to `cargoxx build --offline`.
- M7 `cargoxx build --offline [--vendor <path>]` — skips every network
probe (Conan/vcpkg fuzzy, devbox, nixpkgs_git, linkdb auto-resolve),
reads `vendor.toml` (default `./vendor.toml`), and emits
`build/flake.nix` with literal `path:/nix/store/...` inputs for
`nixpkgs`, `flake-utils`, and every dep. Offline mode also runs cmake
directly (no outer `nix develop` wrapper) since all paths are already
realized in the local store.
- M7 `cargoxx.lib.buildCppPackage` — hermetic, sandbox-safe nix builder
for downstream flakes. Mirrors `rustPlatform.buildRustPackage`'s
ergonomics: a consumer flake passes `src` and gets a derivation. Reads
`Cargoxx.lock` at outer eval time, resolves each dep's
`(nixpkgs_rev, nixpkgs_attr)` via `builtins.getFlake` into concrete
`/nix/store/...` paths, and synthesizes a `vendor.toml` via
`pkgs.writeText` — no network or nested `nix` invocations inside any
build phase. The single derivation runs `cargoxx build --release
--offline --vendor <store-path>/vendor.toml`, which emits a hermetic
`build/flake.nix` with literal `path:/nix/store/...` inputs and drives
cmake directly. Works under the host's default sandbox (sandbox=true,
non-trusted user, no `__noChroot`, no daemon escape). New e2e fixture
at `tests/e2e/buildCppPackage/` with a `run.sh` smoke test that
scaffolds the fixture in a tmp dir and runs `nix build .#default`
end-to-end. Live verified: `Hello from world!` from a binary built
entirely inside the standard nix sandbox.
- Fix: `-Wparentheses` warning in `looks_like_missing_attribute`
(`src/resolver/nixpkgs_probe.cpp:34`) — explicitly parenthesize the
`&&` clause inside `||`.
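Review bot: the `cargoxx.lib.buildCppPackage` bullet claims the derivation "Works under the host's default sandbox (sandbox=true, ...)", but the `run.sh` smoke test it describes only runs `nix build .#default`, which inherits whatever `sandbox` value the host daemon is configured with, so the hermeticity claim rests on the one-off "Live verified" run rather than on the fixture. Have `run.sh` force the setting, e.g. `nix build --option sandbox true .#default`, so that a later change that reintroduces a network fetch or a nested `nix` call inside a build phase fails the e2e test on every host, not only on one whose daemon already sandboxes by default; the changelog line should then say the fixture enforces `sandbox=true` rather than that it was observed once. Related, the lockfile bullet's "falling back to the branch tips during the transitional first build before the lock is written" means the very first `cargoxx build` is not pinned at all; worth stating explicitly in the entry that the first build is non-reproducible until `Cargoxx.lock` exists, since the rest of the section advertises the lock as "a complete dependency-pinning artifact".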