build(nix): add per-crate crane workspace builds

.gitignore

@@ -224,3 +224,6 @@ rfc.md
 
 # Markdown/mermaid lint tooling deps
 scripts/lint-mermaid/node_modules/
+
+# Nix
+result*

crates/openshell-bootstrap/Cargo.toml

@@ -9,6 +9,10 @@ license.workspace = true
 repository.workspace = true
 rust-version.workspace = true
 
+[lib]
+name = "openshell_bootstrap"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 bollard = "0.20"

crates/openshell-core/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_core"
+path = "src/lib.rs"
+
 [dependencies]
 prost = { workspace = true }
 prost-types = { workspace = true }

crates/openshell-core/build.rs

@@ -12,8 +12,12 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // builds where .git is absent, this silently does nothing and the binary
     // falls back to CARGO_PKG_VERSION (which is already sed-patched by the
     // build pipeline).
-    println!("cargo:rerun-if-changed=../../.git/HEAD");
-    println!("cargo:rerun-if-changed=../../.git/refs/tags");
+    if Path::new("../../.git/HEAD").exists() {
+        println!("cargo:rerun-if-changed=../../.git/HEAD");
+    }
+    if Path::new("../../.git/refs/tags").exists() {
+        println!("cargo:rerun-if-changed=../../.git/refs/tags");
+    }
 
     if let Some(version) = git_version() {
         println!("cargo:rustc-env=OPENSHELL_GIT_VERSION={version}");

crates/openshell-driver-docker/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_driver_docker"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 

crates/openshell-driver-kubernetes/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_driver_kubernetes"
+path = "src/lib.rs"
+
 [[bin]]
 name = "openshell-driver-kubernetes"
 path = "src/main.rs"

crates/openshell-driver-podman/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_driver_podman"
+path = "src/lib.rs"
+
 [[bin]]
 name = "openshell-driver-podman"
 path = "src/main.rs"

crates/openshell-ocsf/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_ocsf"
+path = "src/lib.rs"
+
 [dependencies]
 chrono = { version = "0.4", features = ["serde"] }
 serde = { workspace = true }

crates/openshell-policy/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_policy"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 serde = { workspace = true }

crates/openshell-prover/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_prover"
+path = "src/lib.rs"
+
 [features]
 bundled-z3 = ["z3/bundled"]
 

crates/openshell-providers/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_providers"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 serde = { workspace = true }

crates/openshell-router/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_router"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 bytes = { workspace = true }

crates/openshell-server-macros/Cargo.toml

@@ -10,6 +10,8 @@ license.workspace = true
 repository.workspace = true
 
 [lib]
+name = "openshell_server_macros"
+path = "src/lib.rs"
 proc-macro = true
 
 [dependencies]

crates/openshell-tui/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_tui"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 openshell-bootstrap = { path = "../openshell-bootstrap" }

crates/openshell-vfio/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_vfio"
+path = "src/lib.rs"
+
 [dependencies]
 serde = { workspace = true }
 serde_json = { workspace = true }

flake.nix

@@ -11,6 +11,7 @@
       url = "github:oxalica/rust-overlay";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    crane.url = "github:ipetkov/crane";
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -22,6 +23,7 @@
       flake-utils,
       nixpkgs,
       rust-overlay,
+      crane,
       treefmt-nix,
       ...
     }:
@@ -32,13 +34,38 @@
           inherit system;
           overlays = [ (import rust-overlay) ];
         };
+        lib = pkgs.lib;
         rustToolchain = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+
+        craneLib = (crane.mkLib pkgs).overrideToolchain (_: rustToolchain);
+
+        # Crate-by-crate crane helpers (workspace graph, minimal per-crate
+        # source, buildWorkspaceCrate). See nix/workspace.nix.
+        workspace = import ./nix/workspace.nix {
+          inherit lib pkgs craneLib;
+          root = ./.;
+        };
+        inherit (workspace) buildWorkspaceCrate;
+
+        crateSpecs = import ./nix/crate.nix {
+          inherit pkgs;
+          root = ./.;
+        };
+        crates = lib.mapAttrs (_: buildWorkspaceCrate) crateSpecs;
+
         treefmtEval = treefmt-nix.lib.evalModule pkgs {
           projectRootFile = "flake.nix";
           programs.nixfmt.enable = true;
         };
       in
       {
+        packages = crates // {
+          default = pkgs.symlinkJoin {
+            name = "openshell-0.0.0";
+            paths = lib.attrValues crates;
+          };
+        };
+
         devShells.default = pkgs.mkShell {
           packages = with pkgs; [
             rustToolchain

nix/crate.nix

@@ -0,0 +1,61 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+{
+  pkgs,
+  root,
+}:
+let
+  # z3 (found via pkg-config) and libclang (for z3-sys bindgen) are only needed
+  # by crates whose closure contains openshell-prover.
+  withZ3 = {
+    nativeBuildInputs = [ pkgs.pkg-config ];
+    buildInputs = [ pkgs.z3 ];
+    env.LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib";
+  };
+in
+{
+  # Each crate declares the compile-time assets its build needs: its own plus
+  # those of its workspace deps (proto/ arrives via openshell-core, providers/
+  # via openshell-providers, registry/ via openshell-prover).
+  openshell-cli = withZ3 // {
+    dir = "openshell-cli";
+    assets = [
+      (root + "/proto")
+      (root + "/providers")
+      (root + "/crates/openshell-prover/registry")
+    ];
+  };
+  openshell-server = withZ3 // {
+    dir = "openshell-server";
+    assets = [
+      (root + "/proto")
+      (root + "/providers")
+      (root + "/crates/openshell-prover/registry")
+      (root + "/crates/openshell-server/migrations")
+    ];
+  };
+  openshell-sandbox = {
+    dir = "openshell-sandbox";
+    assets = [
+      (root + "/proto")
+      (root + "/crates/openshell-sandbox/data")
+      (root + "/crates/openshell-sandbox/src/skills")
+    ];
+  };
+  openshell-driver-vm = {
+    dir = "openshell-driver-vm";
+    assets = [
+      (root + "/proto")
+      (root + "/crates/openshell-driver-vm/scripts")
+    ];
+  };
+  openshell-driver-kubernetes = {
+    dir = "openshell-driver-kubernetes";
+    assets = [ (root + "/proto") ];
+  };
+  openshell-driver-podman = {
+    dir = "openshell-driver-podman";
+    assets = [ (root + "/proto") ];
+  };
+}