dev: devenv deprecation

removed devenv in favor for plain nix, implemented using flake-parts

nix/checks.nix

@@ -0,0 +1,82 @@
+# Flake checks: version gates, clippy, tests, formatting, VM smoke.
+{
+  ortVersion,
+  ...
+}:
+{
+  perSystem =
+    {
+      pkgs,
+      lib,
+      minneCtx,
+      ...
+    }:
+    let
+      inherit (minneCtx)
+        craneLib
+        rustToolchain
+        commonArgs
+        minne-pkg
+        minneVersion
+        vmSmokeTest
+        src
+        ;
+    in
+    {
+      checks = {
+        ortVersion = pkgs.runCommand "ort-version-check" { } ''
+          if [ "${pkgs.onnxruntime.version}" != "${ortVersion}" ]; then
+            echo "pkgs.onnxruntime.version is ${pkgs.onnxruntime.version}, but flake pins ${ortVersion}" >&2
+            echo "Update ortVersion in flake.nix or wait for nixpkgs to catch up." >&2
+            exit 1
+          fi
+          touch $out
+        '';
+
+        rustToolchain =
+          pkgs.runCommand "rust-toolchain-check"
+            {
+              nativeBuildInputs = [ rustToolchain.toolchain ];
+            }
+            ''
+              expected="${rustToolchain.rustVersion}"
+              actual="$(${rustToolchain.toolchain}/bin/rustc --version | awk '{print $2}')"
+              if [ "$actual" != "$expected" ]; then
+                echo "rustc version mismatch: expected $expected, got $actual" >&2
+                echo "Update rust-toolchain.toml and rebuild the fenix toolchain." >&2
+                exit 1
+              fi
+              touch $out
+            '';
+
+        minne-clippy = craneLib.cargoClippy (
+          commonArgs
+          // {
+            cargoArtifacts = minne-pkg;
+            pname = "minne";
+            cargoClippyExtraArgs = "--all-targets -- --deny warnings";
+          }
+        );
+
+        minne-test = craneLib.cargoTest (
+          commonArgs
+          // {
+            cargoArtifacts = minne-pkg;
+            pname = "minne";
+            buildInputs = commonArgs.buildInputs ++ [ pkgs.cacert ];
+            SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-certificates.crt";
+            cargoTestExtraArgs = "--lib --bins";
+          }
+        );
+
+        minne-fmt = craneLib.cargoFmt {
+          pname = "minne-fmt";
+          version = minneVersion;
+          src = craneLib.cleanCargoSource src;
+        };
+      }
+      // lib.optionalAttrs (vmSmokeTest != null) {
+        minne-vm-smoke = vmSmokeTest;
+      };
+    };
+}

nix/context.nix

@@ -0,0 +1,33 @@
+# Evaluates shared build context once per system for downstream flake-parts modules.
+{
+  inputs,
+  ortVersion,
+  toolchainFile,
+  ...
+}:
+{
+  perSystem =
+    { system, ... }:
+    let
+      pkgs = import inputs.nixpkgs {
+        inherit system;
+        config = {
+          allowUnfree = true;
+          permittedInsecurePackages = [ "minio-2025-10-15T17-29-55Z" ];
+        };
+      };
+    in
+    {
+      _module.args.pkgs = pkgs;
+      _module.args.minneCtx = import ./minne-lib.nix {
+        inherit
+          inputs
+          pkgs
+          system
+          ortVersion
+          toolchainFile
+          ;
+        src = inputs.self;
+      };
+    };
+}

nix/dev-shell.nix

@@ -0,0 +1,172 @@
+# Local development shell, git hooks, and process-compose runner.
+{ inputs, ... }:
+{
+  perSystem =
+    {
+      pkgs,
+      lib,
+      system,
+      minneCtx,
+      ...
+    }:
+    let
+      inherit (minneCtx) rustToolchain surrealdbPkg devGraphicsLibs;
+
+      ortDylib =
+        if pkgs.stdenv.isDarwin then
+          "${pkgs.onnxruntime}/lib/libonnxruntime.dylib"
+        else
+          "${pkgs.onnxruntime}/lib/libonnxruntime.so";
+
+      processComposeFile = pkgs.writeText "minne-process-compose.yaml" ''
+        version: "0.5"
+
+        environment:
+          - MINIO_ROOT_USER=minioadmin
+          - MINIO_ROOT_PASSWORD=minioadmin
+          - MINIO_REGION=us-east-1
+
+        processes:
+          surreal_db:
+            command: |
+              mkdir -p database
+              exec ${surrealdbPkg}/bin/surreal start \
+                --bind 127.0.0.1:8000 \
+                --log info \
+                --user root_user \
+                --pass root_password \
+                rocksdb:database/database.db
+            availability:
+              restart: on_failure
+
+          tailwind:
+            command: ${pkgs.tailwindcss_4}/bin/tailwindcss --cwd html-router -i app.css -o assets/style.css --watch=always
+            availability:
+              restart: on_failure
+
+          minio:
+            command: |
+              mkdir -p .data/minio
+              exec ${pkgs.minio}/bin/minio server .data/minio \
+                --address 127.0.0.1:19000 \
+                --console-address 127.0.0.1:19001
+            availability:
+              restart: on_failure
+
+          minio_setup:
+            command: |
+              for _ in $(seq 1 30); do
+                if ${pkgs.minio-client}/bin/mc alias set local http://127.0.0.1:19000 minioadmin minioadmin 2>/dev/null; then
+                  ${pkgs.minio-client}/bin/mc mb local/minne-tests --ignore-existing
+                  exit 0
+                fi
+                sleep 1
+              done
+              echo "minio did not become ready" >&2
+              exit 1
+            depends_on:
+              minio:
+                condition: process_started
+      '';
+
+      processComposeRunner = pkgs.writeShellScriptBin "minne-dev-up" ''
+        set -euo pipefail
+        root="''${MINNE_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}"
+        cd "$root"
+        exec ${pkgs.process-compose}/bin/process-compose up -f ${processComposeFile} "$@"
+      '';
+
+      moldFlags = if pkgs.stdenv.isLinux then "-C link-arg=-fuse-ld=mold" else "";
+
+      preCommitCheck = inputs.git-hooks.lib.${system}.run {
+        src = inputs.self;
+        hooks = {
+          rustfmt.enable = true;
+          clippy = {
+            enable = true;
+            settings.allFeatures = true;
+          };
+          nixfmt.enable = true;
+        };
+        tools = {
+          cargo = rustToolchain.toolchain;
+          clippy = rustToolchain.toolchain;
+          rustfmt = rustToolchain.toolchain;
+          nixfmt = pkgs.nixfmt;
+        };
+      };
+
+      installGitHooks = ''
+        legacy="$(git rev-parse --git-path hooks/pre-commit.legacy 2>/dev/null || true)"
+        if [ -n "$legacy" ] && [ -f "$legacy" ]; then
+          rm -f "$legacy"
+        fi
+        # prek migration can leave core.hooksPath set; pre-commit refuses to install then.
+        hooks_path="$(git config --local --get core.hooksPath 2>/dev/null || true)"
+        if [ -n "$hooks_path" ]; then
+          git config --local --unset-all core.hooksPath
+        fi
+      '';
+
+      devPackages = [
+        rustToolchain.toolchain
+        surrealdbPkg
+        processComposeRunner
+        pkgs.process-compose
+        pkgs.minio
+        pkgs.minio-client
+        pkgs.openssl
+        pkgs.nodejs
+        pkgs.watchman
+        pkgs.vscode-langservers-extracted
+        pkgs.cargo-xwin
+        pkgs.clang
+        pkgs.onnxruntime
+        pkgs.cargo-watch
+        pkgs.tailwindcss_4
+        pkgs.python3
+        pkgs.fontconfig
+        pkgs.fontconfig.dev
+        pkgs.libGL
+        pkgs.libGLU
+        pkgs.libclang
+        pkgs.mold
+        pkgs.nixfmt
+      ];
+
+      devEnv = {
+        NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
+        LIBCLANG_PATH = "${pkgs.libclang.lib}/lib";
+        LD_LIBRARY_PATH = lib.makeLibraryPath devGraphicsLibs;
+        ORT_DYLIB_PATH = ortDylib;
+        S3_ENDPOINT = "http://127.0.0.1:19000";
+        S3_BUCKET = "minne-tests";
+        MINNE_TEST_S3_ENDPOINT = "http://127.0.0.1:19000";
+        MINNE_TEST_S3_BUCKET = "minne-tests";
+        RUSTFLAGS = moldFlags;
+        MINNE_ROOT = "${inputs.self}";
+      };
+    in
+    {
+      packages.process-compose-runner = processComposeRunner;
+
+      apps.dev = {
+        type = "app";
+        program = "${processComposeRunner}/bin/minne-dev-up";
+        meta.description = "Start local dev services (SurrealDB, MinIO, Tailwind)";
+      };
+
+      devShells.default = pkgs.mkShell {
+        packages = devPackages;
+        env = devEnv;
+        shellHook = ''
+          ${preCommitCheck.shellHook}
+          ${installGitHooks}
+          echo "Minne dev shell (fenix ${rustToolchain.rustVersion})"
+          echo "  nix run .#dev          # or: minne-dev-up"
+          echo "  cargo test --workspace"
+          echo "  nix flake check"
+        '';
+      };
+    };
+}

nix/minne-lib.nix

@@ -0,0 +1,373 @@
+# Shared build context for packages, checks, and the dev shell.
+{
+  inputs,
+  pkgs,
+  system,
+  src,
+  ortVersion,
+  toolchainFile,
+}:
+let
+  lib = pkgs.lib;
+  inherit (inputs) crane fenix;
+
+  surrealdbPkg =
+    if system == "x86_64-linux" then pkgs.callPackage ./surrealdb-binary.nix { } else pkgs.surrealdb;
+
+  rustToolchain = import ./rust-toolchain.nix {
+    inherit fenix system toolchainFile;
+  };
+
+  craneLib = rustToolchain.mkCraneLib pkgs (crane.mkLib pkgs);
+
+  libExt = if pkgs.stdenv.isDarwin then "dylib" else "so";
+
+  linuxRuntimeLibs = with pkgs; [
+    libglvnd
+    stdenv.cc.cc.lib
+    zlib
+    fontconfig.lib
+    freetype
+    openssl.out
+    onnxruntime
+  ];
+
+  devGraphicsLibs = with pkgs; [
+    wayland
+    libxkbcommon
+    pipewire
+    libglvnd
+  ];
+
+  wrapLinuxBinary = libExt: ''
+    wrapProgram $out/bin/main \
+      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath linuxRuntimeLibs} \
+      --set ORT_DYLIB_PATH ${pkgs.onnxruntime}/lib/libonnxruntime.${libExt}
+    for b in worker server; do
+      if [ -x "$out/bin/$b" ]; then
+        wrapProgram $out/bin/$b \
+          --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath linuxRuntimeLibs} \
+          --set ORT_DYLIB_PATH ${pkgs.onnxruntime}/lib/libonnxruntime.${libExt}
+      fi
+    done
+  '';
+
+  minneVersion = "1.0.5";
+  mozjsRelease = "mozjs-sys-v140.10.1-0";
+
+  mozjsTarget =
+    {
+      "x86_64-linux" = "x86_64-unknown-linux-gnu";
+      "aarch64-linux" = "aarch64-unknown-linux-gnu";
+      "aarch64-darwin" = "aarch64-apple-darwin";
+      "x86_64-darwin" = "x86_64-apple-darwin";
+    }
+    .${system} or (throw "mozjs prebuilt archive not configured for system ${system}");
+
+  mozjsHashes = {
+    "x86_64-unknown-linux-gnu" = "sha256-e5kW8HTg6Hrd3sGgU9bqFNTTf7wJCChFOwKE3xyYT4Q=";
+    "aarch64-unknown-linux-gnu" = "sha256-VXrcktvjSH+14tO9Kzx+n9f/9ZQGAzfEsniiT+xKT6Q=";
+    "aarch64-apple-darwin" = "sha256-T3y73nVic6R60keUpmVRFe110Eh7AcE/VwZQWXRU9A0=";
+    "x86_64-apple-darwin" = "sha256-4v6f6c1OwYdg1FKnFfdLEsrRdyghcxup4gF7ioTZzm4=";
+  };
+
+  mozjsArchive = pkgs.fetchurl {
+    url = "https://github.com/servo/mozjs/releases/download/${mozjsRelease}/libmozjs-${mozjsTarget}.tar.gz";
+    hash = mozjsHashes.${mozjsTarget} or (throw "missing mozjs hash for ${mozjsTarget}");
+  };
+
+  commonArgs = {
+    version = minneVersion;
+    src = lib.cleanSourceWith {
+      inherit src;
+      filter =
+        path: type:
+        craneLib.filterCargoSources path type
+        || lib.any (x: lib.hasPrefix (toString x) (toString path)) [
+          (toString src + "/Cargo.lock")
+          (toString src + "/common/db")
+          (toString src + "/html-router/templates")
+          (toString src + "/html-router/assets")
+        ];
+    };
+    strictDeps = true;
+
+    buildInputs = [
+      pkgs.openssl
+      pkgs.libglvnd
+      pkgs.onnxruntime
+      pkgs.fontconfig
+      pkgs.libclang.lib
+    ];
+
+    nativeBuildInputs = [
+      pkgs.pkg-config
+      pkgs.rustfmt
+      pkgs.makeWrapper
+      pkgs.python3
+      pkgs.llvmPackages.llvm
+      pkgs.rustPlatform.bindgenHook
+      pkgs.stdenv.cc.cc.lib
+    ];
+
+    MOZJS_ARCHIVE = "${mozjsArchive}";
+    env.LD_LIBRARY_PATH = lib.makeLibraryPath linuxRuntimeLibs;
+  };
+
+  cargoArtifacts = craneLib.buildDepsOnly (
+    commonArgs
+    // {
+      pname = "minne";
+      cargoExtraArgs = "--workspace";
+      doCheck = false;
+    }
+  );
+
+  minne-pkg =
+    if pkgs.onnxruntime.version == ortVersion then
+      craneLib.buildPackage (
+        commonArgs
+        // {
+          pname = "minne";
+          version = minneVersion;
+          inherit cargoArtifacts;
+          doCheck = false;
+          doInstallCargoArtifacts = true;
+
+          postInstall =
+            lib.optionalString pkgs.stdenv.isLinux (wrapLinuxBinary libExt)
+            + lib.optionalString pkgs.stdenv.isDarwin ''
+              for b in main worker server; do
+                if [ -x "$out/bin/$b" ]; then
+                  wrapProgram $out/bin/$b \
+                    --set ORT_DYLIB_PATH ${pkgs.onnxruntime}/lib/libonnxruntime.${libExt}
+                fi
+              done
+            '';
+        }
+      )
+    else
+      throw "pkgs.onnxruntime.version (${pkgs.onnxruntime.version}) must match ortVersion (${ortVersion})";
+
+  targetTriple = pkgs.stdenv.hostPlatform.config;
+
+  releaseCommonArgs = {
+    inherit minneVersion targetTriple;
+    bzip2 = pkgs.bzip2.out;
+    brotli = pkgs.brotli.lib;
+    srcRoot = src;
+  };
+
+  minne-release =
+    if pkgs.stdenv.isLinux then
+      pkgs.callPackage ./minne-release.nix (
+        releaseCommonArgs
+        // {
+          platform = "linux";
+          inherit minne-pkg;
+        }
+      )
+    else if pkgs.stdenv.isDarwin then
+      pkgs.callPackage ./minne-release.nix (
+        releaseCommonArgs
+        // {
+          platform = "darwin";
+          inherit minne-pkg;
+        }
+      )
+    else
+      null;
+
+  windowsTarget = rustToolchain.windowsTarget;
+
+  mozjsArchiveWindows = pkgs.fetchurl {
+    url = "https://github.com/servo/mozjs/releases/download/${mozjsRelease}/libmozjs-${windowsTarget}.tar.gz";
+    hash = "sha256-nEX55a4vZJGxlDMCea9TEee60HiNe/yQzXtUqMlaM3c=";
+  };
+
+  ortArchiveWindows = pkgs.fetchurl {
+    url = "https://github.com/microsoft/onnxruntime/releases/download/v${ortVersion}/onnxruntime-win-x64-${ortVersion}.zip";
+    hash = "sha256-CzjfmvIYNOQec9YC2Q21ywbb0cphiUi48dZtYHrJ880=";
+  };
+
+  windowsCross = pkgs.callPackage ./windows-cross.nix { };
+
+  inherit (windowsCross) clangClWrapper xwinCargoCache;
+
+  msvcShim = pkgs.symlinkJoin {
+    name = "minne-msvc-shim";
+    paths = [
+      (pkgs.writeShellScriptBin "cl.exe" ''
+        exec ${clangClWrapper} "$@"
+      '')
+      (pkgs.writeShellScriptBin "ml64.exe" ''
+        exec ${pkgs.llvmPackages.llvm}/bin/llvm-ml64 "$@"
+      '')
+    ];
+  };
+
+  xwinSetup = pkgs.writeShellScript "minne-xwin-setup" ''
+    set -eo pipefail
+
+    cache=${xwinCargoCache}
+    crt="$cache/xwin/crt"
+    sdk="$cache/xwin/sdk"
+
+    export PATH="${msvcShim}/bin:${pkgs.llvmPackages.clang-unwrapped}/bin:${pkgs.llvmPackages.lld}/bin:${pkgs.llvmPackages.llvm}/bin:$PATH"
+    export LD_LIBRARY_PATH="${pkgs.stdenv.cc.cc.lib}/lib''${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+
+    export AR_x86_64_pc_windows_msvc=${pkgs.llvmPackages.llvm}/bin/llvm-lib
+    export BINDGEN_EXTRA_CLANG_ARGS_x86_64_pc_windows_msvc="-I$crt/include -I$sdk/include/ucrt -I$sdk/include/um -I$sdk/include/shared -I$sdk/include/winrt"
+    export CARGO_TARGET_X86_64_PC_WINDOWS_MSVC_LINKER=${pkgs.llvmPackages.lld}/bin/lld-link
+    export CARGO_TARGET_X86_64_PC_WINDOWS_MSVC_RUSTFLAGS="-C linker-flavor=lld-link -Lnative=$crt/lib/x86_64 -Lnative=$sdk/lib/um/x86_64 -Lnative=$sdk/lib/ucrt/x86_64"
+    export CC_x86_64_pc_windows_msvc=cl.exe
+    export CXX_x86_64_pc_windows_msvc=cl.exe
+    export REAL_CLANG_CL=${pkgs.llvmPackages.clang-unwrapped}/bin/clang-cl
+    export REAL_LLD_LINK=${pkgs.llvmPackages.lld}/bin/lld-link
+
+    _imsvc="--target=x86_64-pc-windows-msvc -Wno-unused-command-line-argument -fuse-ld=lld-link /imsvc $crt/include /imsvc $sdk/include/ucrt /imsvc $sdk/include/um /imsvc $sdk/include/shared /imsvc $sdk/include/winrt"
+    export CFLAGS_x86_64_pc_windows_msvc="$_imsvc"
+    export CXXFLAGS_x86_64_pc_windows_msvc="$_imsvc /EHsc"
+    export CL_FLAGS="--target=x86_64-pc-windows-msvc -Wno-unused-command-line-argument -fuse-ld=lld-link /imsvc $crt/include /imsvc $sdk/include/ucrt /imsvc $sdk/include/um /imsvc $sdk/include/shared /imsvc $sdk/include/winrt"
+
+    export CMAKE_GENERATOR=Ninja
+    export CMAKE_SYSTEM_NAME=Windows
+    export CMAKE_TOOLCHAIN_FILE_x86_64_pc_windows_msvc="$cache/cmake/clang-cl/x86_64-pc-windows-msvc-toolchain.cmake"
+
+    export LIB="$crt/lib/x86_64;$sdk/lib/um/x86_64;$sdk/lib/ucrt/x86_64"
+    export RCFLAGS="-I$crt/include -I$sdk/include/ucrt -I$sdk/include/um -I$sdk/include/shared -I$sdk/include/winrt"
+    export TARGET_AR=${pkgs.llvmPackages.llvm}/bin/llvm-lib
+    export TARGET_CC=${pkgs.llvmPackages.clang-unwrapped}/bin/clang-cl
+    export TARGET_CXX=${pkgs.llvmPackages.clang-unwrapped}/bin/clang-cl
+    export WINEDEBUG=-all
+  '';
+
+  windowsCommonArgs = commonArgs // {
+    MOZJS_ARCHIVE = "${mozjsArchiveWindows}";
+    CARGO_BUILD_TARGET = windowsTarget;
+    doIncludeCrossToolchainEnv = false;
+    env.CARGO_PROFILE = "dist";
+    buildInputs = [
+      pkgs.openssl
+      pkgs.fontconfig
+      pkgs.libclang.lib
+    ];
+    nativeBuildInputs = commonArgs.nativeBuildInputs ++ [
+      pkgs.llvmPackages.llvm
+      pkgs.llvmPackages.clang-unwrapped
+      pkgs.llvmPackages.lld
+      pkgs.stdenv.cc.cc.lib
+    ];
+  };
+
+  windowsCargoArtifacts =
+    if system == "x86_64-linux" then
+      craneLib.buildDepsOnly (
+        windowsCommonArgs
+        // {
+          pname = "minne";
+          cargoExtraArgs = "--workspace";
+          doCheck = false;
+          preBuild = "source ${xwinSetup}";
+        }
+      )
+    else
+      null;
+
+  minne-pkg-windows =
+    if system == "x86_64-linux" then
+      craneLib.buildPackage (
+        windowsCommonArgs
+        // {
+          pname = "minne-windows";
+          version = minneVersion;
+          cargoArtifacts = windowsCargoArtifacts;
+          cargoExtraArgs = "--target ${windowsTarget} -p main --bin main --bin server --bin worker";
+          doCheck = false;
+          doInstallCargoArtifacts = false;
+          preBuild = "source ${xwinSetup}";
+          installPhaseCommand = ''
+            mkdir -p "$out/bin"
+            for b in main server worker; do
+              install -m 755 "target/${windowsTarget}/dist/$b.exe" "$out/bin/$b.exe"
+            done
+          '';
+        }
+      )
+    else
+      null;
+
+  minne-release-windows =
+    if system == "x86_64-linux" then
+      pkgs.callPackage ./minne-release.nix (
+        releaseCommonArgs
+        // {
+          platform = "windows";
+          inherit minne-pkg-windows ortArchiveWindows;
+          targetTriple = windowsTarget;
+        }
+      )
+    else
+      null;
+
+  dockerImage = pkgs.dockerTools.buildLayeredImage {
+    name = "minne";
+    tag = minneVersion;
+    created = "now";
+
+    contents = [
+      minne-pkg
+      pkgs.cacert
+      pkgs.bashInteractive
+      pkgs.libglvnd
+      pkgs.fontconfig.lib
+      pkgs.freetype
+      pkgs.stdenv.cc.cc.lib
+    ];
+
+    maxLayers = 25;
+
+    config = {
+      Cmd = [ "${minne-pkg}/bin/main" ];
+      Env = [
+        "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-certificates.crt"
+        "ORT_DYLIB_PATH=${pkgs.onnxruntime}/lib/libonnxruntime.${libExt}"
+      ];
+      ExposedPorts = {
+        "3000/tcp" = { };
+      };
+      User = "appuser";
+    };
+  };
+
+  vmSmokeTest =
+    if system == "x86_64-linux" then
+      pkgs.callPackage ./vm-smoke-test.nix {
+        inherit minne-pkg;
+        surrealdb = surrealdbPkg;
+      }
+    else
+      null;
+in
+{
+  inherit
+    src
+    ortVersion
+    lib
+    libExt
+    craneLib
+    rustToolchain
+    surrealdbPkg
+    linuxRuntimeLibs
+    devGraphicsLibs
+    commonArgs
+    minneVersion
+    minne-pkg
+    minne-pkg-windows
+    minne-release
+    minne-release-windows
+    dockerImage
+    vmSmokeTest
+    xwinCargoCache
+    ;
+}

nix/minne-release.nix

@@ -2,7 +2,14 @@
 {
   lib,
   stdenv,
-  platform ? (if stdenv.isLinux then "linux" else if stdenv.isDarwin then "darwin" else "windows"),
+  platform ? (
+    if stdenv.isLinux then
+      "linux"
+    else if stdenv.isDarwin then
+      "darwin"
+    else
+      "windows"
+  ),
   patchelf ? null,
   xz,
   unzip ? null,
@@ -28,7 +35,11 @@
 }:
 let
   archiveName = "main-${targetTriple}";
-  binaries = ["main" "server" "worker"];
+  binaries = [
+    "main"
+    "server"
+    "worker"
+  ];
 
   copyBinary = ''
     if [ -f "${minne-pkg}/bin/.$b-wrapped" ]; then
@@ -48,10 +59,7 @@ let
   mkLinux =
     let
       isAarch64 = lib.hasSuffix "aarch64-unknown-linux-gnu" targetTriple;
-      dynamicLinker =
-        if isAarch64
-        then "ld-linux-aarch64.so.1"
-        else "ld-linux-x86-64.so.2";
+      dynamicLinker = if isAarch64 then "ld-linux-aarch64.so.1" else "ld-linux-x86-64.so.2";
 
       copySharedLibs = pkg: ''
         if [ -d "${pkg}/lib" ]; then
@@ -63,7 +71,10 @@ let
       pname = "main";
       version = minneVersion;
 
-      nativeBuildInputs = [patchelf xz];
+      nativeBuildInputs = [
+        patchelf
+        xz
+      ];
 
       dontUnpack = true;
       dontStrip = true;
@@ -138,7 +149,7 @@ let
       pname = "main";
       version = minneVersion;
 
-      nativeBuildInputs = [xz];
+      nativeBuildInputs = [ xz ];
 
       dontUnpack = true;
       dontStrip = true;
@@ -202,7 +213,10 @@ let
     pname = "main";
     version = minneVersion;
 
-    nativeBuildInputs = [unzip zip];
+    nativeBuildInputs = [
+      unzip
+      zip
+    ];
 
     dontUnpack = true;
     dontStrip = true;
@@ -243,7 +257,11 @@ let
     };
   };
 in
-if platform == "linux" then mkLinux
-else if platform == "darwin" then mkDarwin
-else if platform == "windows" then mkWindows
-else throw "minne-release: unknown platform ${platform}"
+if platform == "linux" then
+  mkLinux
+else if platform == "darwin" then
+  mkDarwin
+else if platform == "windows" then
+  mkWindows
+else
+  throw "minne-release: unknown platform ${platform}"

nix/package.nix

@@ -0,0 +1,57 @@
+# Crane packages, release archives, and flake apps.
+{ ... }:
+{
+  perSystem =
+    {
+      pkgs,
+      lib,
+      minneCtx,
+      ...
+    }:
+    let
+      inherit (minneCtx)
+        minne-pkg
+        minne-pkg-windows
+        minne-release
+        minne-release-windows
+        dockerImage
+        xwinCargoCache
+        ;
+    in
+    {
+      packages = {
+        inherit minne-pkg dockerImage;
+        default = minne-pkg;
+      }
+      // lib.optionalAttrs (minne-release != null) {
+        minne-release = minne-release;
+      }
+      // lib.optionalAttrs (minne-release-windows != null) {
+        inherit xwinCargoCache;
+        minne-release-windows = minne-release-windows;
+      };
+
+      apps = {
+        main = {
+          type = "app";
+          program = "${minne-pkg}/bin/main";
+          meta.description = "Minne main server — API, web UI, and background worker";
+        };
+        worker = {
+          type = "app";
+          program = "${minne-pkg}/bin/worker";
+          meta.description = "Minne standalone background worker (ingestion, indexing, maintenance)";
+        };
+        server = {
+          type = "app";
+          program = "${minne-pkg}/bin/server";
+          meta.description = "Minne API-only server (no background worker)";
+        };
+        default = {
+          type = "app";
+          program = "${minne-pkg}/bin/main";
+          meta.description = "Minne main server — API, web UI, and background worker";
+        };
+      };
+    };
+}

nix/rust-toolchain.nix

@@ -0,0 +1,23 @@
+# Shared Rust toolchain for dev shell, crane builds, and cross-compilation.
+{
+  fenix,
+  system,
+  toolchainFile,
+  # Manifest hash for https://static.rust-lang.org/dist/channel-rust-<version>.toml
+  manifestSha256 ? "sha256-SDu4snEWjuZU475PERvu+iO50Mi39KVjqCeJeNvpguU=",
+}:
+let
+  fenixPkgs = fenix.packages.${system};
+  toolchain = fenixPkgs.fromToolchainFile {
+    file = toolchainFile;
+    sha256 = manifestSha256;
+  };
+  parsed = builtins.fromTOML (builtins.readFile toolchainFile);
+  rustVersion = parsed.toolchain.channel;
+  windowsTarget = "x86_64-pc-windows-msvc";
+in
+{
+  inherit rustVersion toolchain windowsTarget;
+
+  mkCraneLib = pkgs: craneLib: craneLib.overrideToolchain (_: toolchain);
+}

nix/surrealdb-binary.nix

@@ -0,0 +1,41 @@
+# Pinned SurrealDB release binary (avoids building nixpkgs surrealdb from source).
+{
+  lib,
+  stdenv,
+  fetchurl,
+  autoPatchelfHook,
+  openssl,
+  rocksdb,
+}:
+stdenv.mkDerivation {
+  pname = "surrealdb";
+  version = "2.6.5";
+
+  src = fetchurl {
+    url = "https://github.com/surrealdb/surrealdb/releases/download/v2.6.5/surreal-v2.6.5.linux-amd64.tgz";
+    hash = "sha256-kp1z9GxPtZ8jeBDm/m2lTBdWBk8+2NfR9qlw6P3zj7A=";
+  };
+
+  nativeBuildInputs = [ autoPatchelfHook ];
+  buildInputs = [
+    openssl
+    rocksdb
+    stdenv.cc.cc.lib
+  ];
+
+  sourceRoot = ".";
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm755 surreal $out/bin/surreal
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "SurrealDB prebuilt binary pinned for local dev and VM smoke tests";
+    homepage = "https://surrealdb.com/";
+    license = lib.licenses.bsl11;
+    platforms = [ "x86_64-linux" ];
+    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+  };
+}

nix/vm-smoke-test.nix

@@ -0,0 +1,72 @@
+# NixOS VM smoke test for the packaged Minne server.
+{
+  lib,
+  pkgs,
+  minne-pkg,
+  surrealdb,
+}:
+pkgs.testers.nixosTest {
+  name = "minne-smoke";
+
+  nodes.machine = {
+    virtualisation.memorySize = 4096;
+
+    systemd.services.surrealdb = {
+      description = "SurrealDB for Minne smoke test";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      preStart = "mkdir -p /var/lib/surrealdb";
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${surrealdb}/bin/surreal start --bind 127.0.0.1:8000 --user root_user --pass root_password rocksdb:/var/lib/surrealdb/db";
+      };
+    };
+
+    systemd.services.minne = {
+      description = "Minne server smoke test";
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "surrealdb.service"
+        "network.target"
+      ];
+      requires = [ "surrealdb.service" ];
+      preStart = ''
+        for i in $(seq 1 60); do
+          if ${pkgs.netcat}/bin/nc -z 127.0.0.1 8000; then
+            exit 0
+          fi
+          sleep 1
+        done
+        echo "surrealdb did not become ready on port 8000" >&2
+        exit 1
+      '';
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${minne-pkg}/bin/main";
+        Environment = [
+          "SURREALDB_ADDRESS=ws://127.0.0.1:8000"
+          "SURREALDB_USERNAME=root_user"
+          "SURREALDB_PASSWORD=root_password"
+          "SURREALDB_NAMESPACE=test"
+          "SURREALDB_DATABASE=test"
+          "OPENAI_API_KEY=test-key"
+          "HTTP_PORT=3000"
+          "STORAGE=local"
+          "DATA_DIR=/var/lib/minne"
+          "EMBEDDING_BACKEND=hashed"
+          "RUST_LOG=info"
+          "INDEX_REBUILD_INTERVAL_SECS=0"
+        ];
+        StateDirectory = "minne";
+      };
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("surrealdb.service")
+    machine.wait_for_unit("minne.service")
+    machine.wait_for_open_port(3000)
+    machine.succeed("curl -sf http://127.0.0.1:3000/api/v1/live")
+    machine.succeed("curl -sf http://127.0.0.1:3000/api/v1/ready")
+  '';
+}

nix/windows-cross.nix

@@ -6,7 +6,8 @@
   cacert,
   writeText,
   writeShellScript,
-}: let
+}:
+let
   cmakeOverride = writeText "override.cmake" ''
     # macOS paths usually start with /Users/*. Unfortunately, clang-cl interprets
     # paths starting with /U as macro undefines, so we need to put a -- before the
@@ -109,14 +110,18 @@
 
     exec "$real_clang_cl" "$@"
   '';
-in {
+in
+{
   inherit clangClWrapper;
 
   xwinCargoCache = stdenv.mkDerivation {
     pname = "cargo-xwin-cache";
     version = "17.2";
 
-    nativeBuildInputs = [xwin cacert];
+    nativeBuildInputs = [
+      xwin
+      cacert
+    ];
 
     preferLocalBuild = true;
     allowSubstitutes = false;