improve nix cache action & add binaries to cache

[insipx]

this adds the xdbg and xmtp_cli binaries to https://app.cachix.org/cache/xmtp#pins. building the binaries off main (with nix build .#xdbg) will download the already-built artifact rather than rebuild

adds a description to every crate

still need to verify they work (and fixes the broken fh cache on main that's been there for a while) but my nix flake update is broken b/c of github outage

[claude]

Claude finished @insipx's task —— View job

---

PR Review - January 28, 2026 at 23:47 UTC

Review Checklist:

• Read and analyze workflow changes
• Review Nix flake configuration
• Check Cargo.toml changes
• Provide comprehensive feedback

---

Summary

This PR improves the Nix caching infrastructure and adds CLI binaries (xdbg, xmtp_cli) to Cachix. The changes are generally well-implemented, with previous review comments addressed. I've identified a few areas requiring attention:

Critical Issues

1. Package name mismatch in rust.nix (nix/rust.nix:69)

The flake exposes packages.default = self'.packages.xdbg; but the crate is named xmtp_debug (not xdbg). The binary name is xdbg but the package name needs to match the crate name.

Impact: nix build will fail to find the package.

Fix: Either use packages.xmtp_debug or ensure the package is aliased correctly.

2. Docker image reference mismatch (flake.nix:72)

The entrypoint references self'.packages.musl-mls_validation_service but the crate is named mls_validation_service (with underscore). Need to verify this package exists.

Impact: Docker image build may fail or reference wrong package.

Quality & Best Practices

3. Inconsistent workflow patterns (.github/workflows/check-ios-android-bindings.yml)

• iOS check job uses nix-community/cache-nix-action@v6 without Cachix
• Android check job uses both cachix/cachix-action@v16 AND nix-community/cache-nix-action@v6

Recommendation: Standardize caching strategy across jobs. Either use Cachix for both (recommended for CI consistency) or document why they differ.

4. Cargo caching may be redundant (all workflows)

You're caching ~/.cargo/ and target/ directories with cache-nix-action, but these are ephemeral in CI and Nix manages its own build cache. This may not provide value and could increase cache storage costs.

Recommendation: Measure cache hit rates and consider removing if not beneficial.

Minor Issues

5. Missing description consistency (Cargo.toml files)

While most crates now have descriptions, the root Cargo.toml workspace doesn't have a description field. This is fine but worth noting for completeness.

6. Line 24 in workflows: nix build --version

This is actually correct (runs nix with the build --version subcommand to verify Nix installation). Previous review comment was addressed correctly - this is not an issue.

Security & Performance

• ✅ No security concerns identified
• ✅ Proper use of secrets (CACHIX_AUTH_TOKEN)
• ✅ Appropriate caching strategy for Nix builds
• ✅ Docker image properly references musl-built binary (good for size/portability)

Test Coverage

• ✅ No new test coverage needed (infrastructure changes)
• ✅ Existing CI tests will validate the changes
• ⚠️ Recommend manually testing nix build .#xdbg and nix build .#xmtp_cli before merge

Recommendations

1. Fix package name mismatch in rust.nix:69 (critical)
2. Verify Docker entrypoint package reference (critical)
3. Standardize caching strategy across workflows (quality)
4. Test binary builds manually: nix build .#xdbg, nix build .#xmtp_cli, nix build .#musl-mls_validation_service (validation)

---

[macroscopeapp]

Replace CI Nix installer with nixbuild/nix-quick-install-action@v34 and cache Cargo builds and Nix binaries across iOS, Android, WebAssembly, and Omnix workflows

CI switches to nixbuild/nix-quick-install-action@v34, adds Cargo/Nix caching, introduces a Nix-built Docker image for mls_validation_service, and refactors flake/rust modules to expose a musl binary and broaden filesets.

📍Where to Start

Start with the workflow changes in .github/workflows/fh-cache.yml, then review flake refactors in flake.nix and Rust wiring in nix/rust.nix.

---

Macroscope summarized ced673b.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.91%. Comparing base (fb6adfb) to head (ced673b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3020      +/-   ##
==========================================
- Coverage   74.01%   73.91%   -0.10%     
==========================================
  Files         447      447              
  Lines       54990    54990              
==========================================
- Hits        40701    40648      -53     
- Misses      14289    14342      +53     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[macroscopeapp]

🟡 Medium

The pattern [!wasm]* is a character class negation, meaning "not any single character in {w,a,s,m}". Since mobile starts with m, it won't match. Consider using a different approach to exclude only wasm, such as explicitly listing bindings/mobile and bindings/node.

Suggested change

	"bindings/[!wasm]*",
	"bindings/mobile",
	"bindings/node",

🚀 Want me to fix this? Reply ex: "fix it for me".