flake.nix
{
  description = "cairn — content-addressed witnessed agent work. Stones stacked to mark I was here.";

  # Both inputs follow moving refs: the nixos-unstable branch of nixpkgs and
  # the default branch of flake-utils.
  # NOTE(review): the exact revisions are presumably pinned by a flake.lock
  # that is not shown here. Confirm it is committed and review lock updates,
  # since a bump changes every tool placed in both shells below.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  # Produces the same two dev shells for every system in flake-utils'
  # default system list.
  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        # BEAM toolchain: Erlang 27, with rebar3 taken from the matching
        # erlang_27 package set.
        beamPkgs = pkgs.beam.packages.erlang_27;
        erlang = pkgs.erlang_27;
        gleam = pkgs.gleam;
        rebar3 = beamPkgs.rebar3;
      in {
        # Development shell: all tools needed to build and run cairn
        # (Gleam/Erlang, the Rust toolchain, pkg-config, git, openssh, just).
        devShells.default = pkgs.mkShell {
          buildInputs = [
            gleam
            erlang
            rebar3
            pkgs.rustc pkgs.cargo pkgs.clippy pkgs.rustfmt
            pkgs.pkg-config
            pkgs.git
            pkgs.openssh # ssh-keygen for agent key derivation
            pkgs.just
          ];
          # Sets a UTF-8 locale for the shell session.
          shellHook = ''
            export LANG=en_US.UTF-8
          '';
        };

        # Agent shell: the environment an agent session is started in.
        # Usage: nix develop .#agent --command gleam run --module cairn/daemon
        #
        # Intent: the agent has no direct git write access. cairn (the host
        # process) controls what enters the project's git history; the agent
        # reads history through cairn's MCP tools and never writes .git.
        #
        # NOTE(review): this shell does not enforce that intent by itself.
        # mkShell only selects which packages are on PATH; nothing in this
        # file restricts filesystem or network access, and pkgs.git below is
        # the same package the default shell gets. The read-only and
        # no-network guarantees have to come from whatever launches the
        # session (presumably cairn's host process or an OS-level sandbox;
        # confirm) and should be verified there, not assumed from this shell.
        #
        # Compared with the default shell, this one leaves out the Rust
        # toolchain, pkg-config and just.
        devShells.agent = pkgs.mkShell {
          buildInputs = [
            gleam
            erlang
            rebar3
            pkgs.git # intended for read-only git operations (clone, log, blame, show); the package itself is not restricted to them
            # NOTE(review): openssh provides the ssh client as well as
            # ssh-keygen. Its purpose in the agent shell is not stated here;
            # confirm it is required, given the no-network intent.
            pkgs.openssh
          ];
          # The only command in this hook is the LANG export. The remaining
          # lines are shell comments that describe the intended policy; the
          # hook configures no sandbox and no network restriction.
          shellHook = ''
            export LANG=en_US.UTF-8
            # Agent sessions are sandboxed: no network by default.
            # git push / git send-email are available only to cairn (the host).
          '';
        };
      });
}