From 441e188220751076b6dca2d56156ee5988517452 Mon Sep 17 00:00:00 2001 From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com> Date: Sun, 28 Jun 2026 21:41:14 -0400 Subject: [PATCH] feat(nix): package the gates as a reproducible flake (buildNpmPackage, runtime-bundled bins) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A third consumption model alongside vendoring + npm: a nix flake exposing every ck-* gate/generator as a hermetic, pinned CLI — fitting the bounded-systems nix-everything ecosystem (tezcatl-flake et al.) and the kit's reproducibility ethos. The win beyond consistency: each bin bundles the runtime it shells out to, so it is self-contained (the way tezcatl-flake bundles WebKit): • ck-html-validator-gate carries a JRE (vnu is a Java jar) • ck-vuln-gate carries npm (for `npm audit`) — verified each runs with NO java/node on $PATH. The other gates are pure Node + their bundled node_modules. (ck-axe-gate still needs a browser via $AXE_RUNNER.) nix run github:bounded-systems/conformance-kit#ck-axe-gate -- dist flake.nix (buildNpmPackage, npmDepsHash pinned, dontNpmBuild) + flake.lock; README documents the third model. Co-Authored-By: Claude Opus 4.8 (1M context) --- README.md | 9 ++++++- flake.lock | 61 ++++++++++++++++++++++++++++++++++++++++++ flake.nix | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 147 insertions(+), 1 deletion(-) create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/README.md b/README.md index c241777..1d6ad8b 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ clock); fail-closed (`exit 1`) on any violation. ## Install / vendor -Two consumption models: +Three consumption models: 1. **Vendor (recommended, matches the existing `vendor/integrity/` pattern).** Copy the kit at a pinned commit into `vendor/conformance-kit/`, write a hash-pin 
@@ -38,6 +38,13 @@ Two consumption models: tool was generalized from. 2. **npm dep.** `npm i @bounded-systems/conformance-kit` and use the `ck-*` bins (see `package.json`) or `import` the library modules. +3. **Nix flake (reproducible, runtime-bundled).** `nix run + github:bounded-systems/conformance-kit#ck-axe-gate -- dist`, or add the flake to + a `home-manager` / `nix profile`. Each `ck-*` bin is a hermetic, pinned closure; + the gates that shell out get their runtime bundled in — `ck-html-validator-gate` + carries a JRE for vnu, `ck-vuln-gate` carries npm — so no JRE/Node on `$PATH` is + needed. (`ck-axe-gate` still needs a browser the consumer supplies via + `$AXE_RUNNER`: `tezcatl` or Playwright.) Runtime deps are declared in `package.json` (only the gates that need them pull them: `linkedom`/`@mozilla/readability` for structure-audit; `jsonld`/`n3`/ diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..2d3322f --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1782467914, + "narHash": "sha256-pGvFkM8N0xEkIIXDe5YYfbEAvHrk4IxBrjB/x8OomhE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e73de5be04e0eff4190a1432b946d469c794e7b4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..e83071e --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,78 @@
+{
+ description = "@bounded-systems/conformance-kit — fail-closed web-conformance gates + generators as reproducible CLIs";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, flake-utils }:
+ flake-utils.lib.eachDefaultSystem (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ version = "0.2.0";
+
+ # Every ck-* bin the package.json declares (kept in sync with "bin").
+ bins = [
+ "ck-axe-gate"
+ "ck-vuln-gate"
+ "ck-html-validator-gate"
+ "ck-baseline-gate"
+ "ck-seo-gate"
+ "ck-shacl-runner"
+ "ck-readability-gate"
+ "ck-commonmark-runner"
+ "ck-gen-sbom"
+ "ck-check-sbom"
+ "ck-gen-sitemanifest"
+ "ck-gen-provenance"
+ "ck-verify-site"
+ "ck-http-probe"
+ "ck-structure-audit"
+ "ck-gen-cid"
+ "ck-gen-identity"
+ "ck-gen-snapshots"
+ ];
+
+ kit = pkgs.buildNpmPackage {
+ pname = "conformance-kit";
+ inherit version;
+ src = ./.;
+ npmDepsHash = "sha256-eqr1kqr3to34/tE5dYVMU6LPsp63XhnI+L4TGtd/Fyk=";
+ dontNpmBuild = true; # the kit has no build step (pure .mjs)
+
+ nativeBuildInputs = [ pkgs.makeWrapper ];
+ # Bundle the runtimes the gates shell out to, so each bin is self-contained
+ # (the way tezcatl-flake bundles WebKit):
+ # • vnu → a JRE (the Nu HTML Checker is a Java jar)
+ # • npm → nodejs, for `ck-vuln-gate`'s `npm audit`
+ # The other gates are pure Node + their bundled node_modules. (axe needs a
+ # browser the consumer supplies via $AXE_RUNNER: tezcatl / Playwright.)
+ postInstall = ''
+ wrapProgram $out/bin/ck-html-validator-gate \
+ --prefix PATH : ${pkgs.lib.makeBinPath [ pkgs.jre ]}
+ wrapProgram $out/bin/ck-vuln-gate \
+ --prefix PATH : ${pkgs.lib.makeBinPath [ pkgs.nodejs ]}
+ '';
+
+ meta = with pkgs.lib; {
+ description = "Site-agnostic web-conformance toolkit: fail-closed gates + provenance generators, as reproducible CLIs.";
+ homepage = "https://github.com/bounded-systems/conformance-kit";
+ license = licenses.mit;
+ mainProgram = "ck-vuln-gate";
+ };
+ };
+ in
+ {
+ packages.default = kit;
+ packages.conformance-kit = kit;
+
+ # `nix run github:bounded-systems/conformance-kit#ck-axe-gate -- dist`
+ apps = nixpkgs.lib.genAttrs bins (name: {
+ type = "app";
+ program = "${kit}/bin/${name}";
+ }) // {
+ default = { type = "app"; program = "${kit}/bin/ck-vuln-gate"; };
+ };
+ });
+}
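Review bot: The hand-written `bins` list and `version = "0.2.0"` in the `let` block duplicate what `package.json` already declares, and the `kept in sync with "bin"` comment turns that into a manual obligation: a bin added to `package.json` silently gets no `apps` entry, and one removed leaves a `nix run` app whose `program` points at a path `buildNpmPackage` no longer installs. Both can be derived at evaluation time instead, e.g. `pkgJson = builtins.fromJSON (builtins.readFile ./package.json);`, `version = pkgJson.version;`, `bins = builtins.attrNames pkgJson.bin;` (this assumes `bin` is an object, which the README's plural "`ck-*` bins" suggests — confirm against the file). The `--prefix PATH` wrappers are the right shape for the hermeticity claim in the commit message, since the bundled `jre`/`nodejs` take precedence over whatever the consumer has on `$PATH`; a one-line comment above the `ck-vuln-gate` wrapper, such as `# npm audit presumably needs registry access at run time; never call it from a sandboxed build phase`, would stop someone from later adding a checkPhase that invokes it.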