feat(nix): package the gates as a reproducible flake (runtime-bundled bins)

README.md

@@ -26,7 +26,7 @@ clock); fail-closed (`exit 1`) on any violation.
 
 ## Install / vendor
 
-Two consumption models:
+Three consumption models:
 
 1. **Vendor (recommended, matches the existing `vendor/integrity/` pattern).** Copy
    the kit at a pinned commit into `vendor/conformance-kit/`, write a hash-pin
@@ -38,6 +38,13 @@ Two consumption models:
    tool was generalized from.
 2. **npm dep.** `npm i @bounded-systems/conformance-kit` and use the `ck-*` bins
    (see `package.json`) or `import` the library modules.
+3. **Nix flake (reproducible, runtime-bundled).** `nix run
+   github:bounded-systems/conformance-kit#ck-axe-gate -- dist`, or add the flake to
+   a `home-manager` / `nix profile`. Each `ck-*` bin is a hermetic, pinned closure;
+   the gates that shell out get their runtime bundled in — `ck-html-validator-gate`
+   carries a JRE for vnu, `ck-vuln-gate` carries npm — so no JRE/Node on `$PATH` is
+   needed. (`ck-axe-gate` still needs a browser the consumer supplies via
+   `$AXE_RUNNER`: `tezcatl` or Playwright.)
 
 Runtime deps are declared in `package.json` (only the gates that need them pull
 them: `linkedom`/`@mozilla/readability` for structure-audit; `jsonld`/`n3`/

flake.nix

@@ -0,0 +1,78 @@
+{
+  description = "@bounded-systems/conformance-kit — fail-closed web-conformance gates + generators as reproducible CLIs";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        version = "0.2.0";
+
+        # Every ck-* bin the package.json declares (kept in sync with "bin").
+        bins = [
+          "ck-axe-gate"
+          "ck-vuln-gate"
+          "ck-html-validator-gate"
+          "ck-baseline-gate"
+          "ck-seo-gate"
+          "ck-shacl-runner"
+          "ck-readability-gate"
+          "ck-commonmark-runner"
+          "ck-gen-sbom"
+          "ck-check-sbom"
+          "ck-gen-sitemanifest"
+          "ck-gen-provenance"
+          "ck-verify-site"
+          "ck-http-probe"
+          "ck-structure-audit"
+          "ck-gen-cid"
+          "ck-gen-identity"
+          "ck-gen-snapshots"
+        ];
+
+        kit = pkgs.buildNpmPackage {
+          pname = "conformance-kit";
+          inherit version;
+          src = ./.;
+          npmDepsHash = "sha256-eqr1kqr3to34/tE5dYVMU6LPsp63XhnI+L4TGtd/Fyk=";
+          dontNpmBuild = true; # the kit has no build step (pure .mjs)
+
+          nativeBuildInputs = [ pkgs.makeWrapper ];
+          # Bundle the runtimes the gates shell out to, so each bin is self-contained
+          # (the way tezcatl-flake bundles WebKit):
+          #   • vnu  → a JRE (the Nu HTML Checker is a Java jar)
+          #   • npm  → nodejs, for `ck-vuln-gate`'s `npm audit`
+          # The other gates are pure Node + their bundled node_modules. (axe needs a
+          # browser the consumer supplies via $AXE_RUNNER: tezcatl / Playwright.)
+          postInstall = ''
+            wrapProgram $out/bin/ck-html-validator-gate \
+              --prefix PATH : ${pkgs.lib.makeBinPath [ pkgs.jre ]}
+            wrapProgram $out/bin/ck-vuln-gate \
+              --prefix PATH : ${pkgs.lib.makeBinPath [ pkgs.nodejs ]}
+          '';
+
+          meta = with pkgs.lib; {
+            description = "Site-agnostic web-conformance toolkit: fail-closed gates + provenance generators, as reproducible CLIs.";
+            homepage = "https://github.com/bounded-systems/conformance-kit";
+            license = licenses.mit;
+            mainProgram = "ck-vuln-gate";
+          };
+        };
+      in
+      {
+        packages.default = kit;
+        packages.conformance-kit = kit;
+
+        # `nix run github:bounded-systems/conformance-kit#ck-axe-gate -- dist`
+        apps = nixpkgs.lib.genAttrs bins (name: {
+          type = "app";
+          program = "${kit}/bin/${name}";
+        }) // {
+          default = { type = "app"; program = "${kit}/bin/ck-vuln-gate"; };
+        };
+      });
+}