build(nix): add per-crate crane workspace builds

.gitignore

@@ -224,3 +224,6 @@ rfc.md
 
 # Markdown/mermaid lint tooling deps
 scripts/lint-mermaid/node_modules/
+
+# Nix
+result*

crates/openshell-bootstrap/Cargo.toml

@@ -9,6 +9,10 @@ license.workspace = true
 repository.workspace = true
 rust-version.workspace = true
 
+[lib]
+name = "openshell_bootstrap"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 bollard = "0.20"

crates/openshell-core/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_core"
+path = "src/lib.rs"
+
 [dependencies]
 prost = { workspace = true }
 prost-types = { workspace = true }

crates/openshell-core/build.rs

@@ -12,8 +12,12 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // builds where .git is absent, this silently does nothing and the binary
     // falls back to CARGO_PKG_VERSION (which is already sed-patched by the
     // build pipeline).
-    println!("cargo:rerun-if-changed=../../.git/HEAD");
-    println!("cargo:rerun-if-changed=../../.git/refs/tags");
+    if Path::new("../../.git/HEAD").exists() {
+        println!("cargo:rerun-if-changed=../../.git/HEAD");
+    }
+    if Path::new("../../.git/refs/tags").exists() {
+        println!("cargo:rerun-if-changed=../../.git/refs/tags");
+    }
 
     if let Some(version) = git_version() {
         println!("cargo:rustc-env=OPENSHELL_GIT_VERSION={version}");
@@ -22,15 +26,16 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     // --- Protobuf compilation ---
     // Re-run when anything under proto/ changes (including newly added .proto files).
     println!("cargo:rerun-if-changed={PROTO_REL}");
-    // Use bundled protoc from protobuf-src.  The system protoc (from apt-get)
-    // does not bundle the well-known type includes (google/protobuf/struct.proto
-    // etc.), so we must use protobuf-src which ships both the binary and the
-    // include tree.
-    // SAFETY: This is run at build time in a single-threaded build script context.
-    // No other threads are reading environment variables concurrently.
-    #[allow(unsafe_code)]
-    unsafe {
-        env::set_var("PROTOC", protobuf_src::protoc());
+    if env::var_os("PROTOC").is_none() && !path_has_protoc() {
+        // Keep non-Nix builds working without requiring users to install protoc.
+        // Nix builds provide protoc explicitly, so they do not rely on this
+        // vendored fallback.
+        // SAFETY: This is run at build time in a single-threaded build script context.
+        // No other threads are reading environment variables concurrently.
+        #[allow(unsafe_code)]
+        unsafe {
+            env::set_var("PROTOC", protobuf_src::protoc());
+        }
     }
 
     let manifest_dir = PathBuf::from(env::var("CARGO_MANIFEST_DIR")?);
@@ -72,6 +77,16 @@ fn collect_proto_files(dir: &Path, out: &mut Vec<PathBuf>) -> std::io::Result<()
     Ok(())
 }
 
+fn path_has_protoc() -> bool {
+    let Some(path) = env::var_os("PATH") else {
+        return false;
+    };
+
+    env::split_paths(&path)
+        .map(|dir| dir.join(format!("protoc{}", env::consts::EXE_SUFFIX)))
+        .any(|candidate| candidate.is_file())
+}
+
 /// Derive a version string from `git describe --tags`.
 ///
 /// Implements the "guess-next-dev" convention used by the release pipeline

crates/openshell-driver-docker/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_driver_docker"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 

crates/openshell-driver-kubernetes/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_driver_kubernetes"
+path = "src/lib.rs"
+
 [[bin]]
 name = "openshell-driver-kubernetes"
 path = "src/main.rs"

crates/openshell-driver-podman/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_driver_podman"
+path = "src/lib.rs"
+
 [[bin]]
 name = "openshell-driver-podman"
 path = "src/main.rs"

crates/openshell-ocsf/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_ocsf"
+path = "src/lib.rs"
+
 [dependencies]
 chrono = { version = "0.4", features = ["serde"] }
 serde = { workspace = true }

crates/openshell-policy/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_policy"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 serde = { workspace = true }

crates/openshell-prover/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_prover"
+path = "src/lib.rs"
+
 [features]
 bundled-z3 = ["z3/bundled"]
 

crates/openshell-providers/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_providers"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 serde = { workspace = true }

crates/openshell-router/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_router"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 bytes = { workspace = true }

crates/openshell-server-macros/Cargo.toml

@@ -10,6 +10,8 @@ license.workspace = true
 repository.workspace = true
 
 [lib]
+name = "openshell_server_macros"
+path = "src/lib.rs"
 proc-macro = true
 
 [dependencies]

crates/openshell-tui/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_tui"
+path = "src/lib.rs"
+
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 openshell-bootstrap = { path = "../openshell-bootstrap" }

crates/openshell-vfio/Cargo.toml

@@ -10,6 +10,10 @@ rust-version.workspace = true
 license.workspace = true
 repository.workspace = true
 
+[lib]
+name = "openshell_vfio"
+path = "src/lib.rs"
+
 [dependencies]
 serde = { workspace = true }
 serde_json = { workspace = true }

flake.nix

@@ -11,6 +11,7 @@
       url = "github:oxalica/rust-overlay";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    crane.url = "github:ipetkov/crane";
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -22,6 +23,7 @@
       flake-utils,
       nixpkgs,
       rust-overlay,
+      crane,
       treefmt-nix,
       ...
     }:
@@ -32,18 +34,55 @@
           inherit system;
           overlays = [ (import rust-overlay) ];
         };
+        lib = pkgs.lib;
         rustToolchain = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+
+        craneLib = (crane.mkLib pkgs).overrideToolchain (_: rustToolchain);
+
+        crateSpecs = import ./nix/crate.nix {
+          inherit pkgs;
+          root = ./.;
+        };
+
+        # Crate-by-crate crane helpers (workspace graph, minimal per-crate
+        # source, buildWorkspaceCrate). See nix/workspace.nix.
+        workspace = import ./nix/workspace.nix {
+          inherit lib pkgs craneLib;
+          root = ./.;
+          inherit crateSpecs;
+        };
+        inherit (workspace) buildWorkspaceCrate;
+
+        workspaceCrates = lib.mapAttrs (_: buildWorkspaceCrate) crateSpecs;
+        crates = {
+          openshell = workspaceCrates.openshell-cli.package;
+          openshell-gateway = workspaceCrates.openshell-server.package;
+          openshell-sandbox = workspaceCrates.openshell-sandbox.package;
+          openshell-driver-vm = workspaceCrates.openshell-driver-vm.package;
+          openshell-driver-kubernetes = workspaceCrates.openshell-driver-kubernetes.package;
+          openshell-driver-podman = workspaceCrates.openshell-driver-podman.package;
+        };
+
         treefmtEval = treefmt-nix.lib.evalModule pkgs {
           projectRootFile = "flake.nix";
           programs.nixfmt.enable = true;
         };
       in
       {
+        packages = crates // {
+          default = pkgs.symlinkJoin {
+            name = "openshell-0.0.0";
+            paths = lib.attrValues crates;
+          };
+        };
+
         devShells.default = pkgs.mkShell {
           packages = with pkgs; [
             rustToolchain
             # Required to find packages
             pkg-config
+            # Required for protobuf code generation.
+            protobuf
             # Required for bindgen generation.
             llvmPackages.libclang
             # system dependency for openshell-prover