feat(logseq-cli): build the OCaml/Melange CLI front-end via opam-nix

[Bad3r]

Summary

Tracks upstream Logseq's CLI rewrite. Since logseq/logseq dbd220c95d, the CLI front-end lives under cli/, compiles OCaml 5.4 through Melange, and bundles with Vite. This PR builds that front-end inside Nix with opam-nix, keeps the spawned db-worker-node as a shadow-cljs release, and updates the desktop nightly workflow so desktop tarballs stage the same OCaml CLI runtime.

Commit stack

1. feat(flake): add opam-nix inputs for OCaml CLI
   Pins opam-nix and opam-repository so the flake can resolve cli/logseq-cli.opam with OCaml 5.4.0.
2. feat(logseq-cli): build OCaml CLI with opam-nix
   Reworks the Nix CLI package around dune build @bundle, the cli/ pnpm workspace, the root pnpm runtime closure, the db-worker Clojure deps, the new manifest hash, the update script, the wrapper, and the ported OAuth callback patch.
3. ci(build-desktop): compile OCaml CLI in nightly build
   Mirrors upstream's OCaml CLI release step in the reusable desktop build workflow and verifies the staged runtime files.
4. test(logseq-cli): match OCaml doctor output
   Updates the CLI smoke check to assert the OCaml doctor status table while keeping the db-worker spawn probe.
5. test(desktop): require staged runtime JS assets
   Derives required ASAR /js/* runtime entries from prepare-desktop-runtime-js.mjs instead of accepting the obsolete root-entry layout.
6. docs(logseq-cli): document OCaml CLI packaging
   Updates README.md and AGENTS.md for the OCaml/Melange CLI, cliBundlePnpmDepsHash, the desktop release step, and opam-nix IFD during evaluation.

What changed

• Adds opam-nix and a pinned opam-repository input for the OCaml CLI closure. modules/_packages/logseq-cli/opam-deps.nix resolves OCaml 5.4.0, dune, melange*, and humanize, and links Melange's stdlib to the path that melc -where resolves under opam-nix.
• Adds the cliBundlePnpmDepsHash manifest field plus modules/_packages/logseq-cli/cli-pnpm-deps.nix for the separate cli/ pnpm workspace (vite and transit-js). The manifest producer, validator, manifest data, and package scope were updated together.
• Reworks modules/_packages/logseq-cli/build.nix to mirror upstream's release flow: install root pnpm dependencies offline, install the cli/ pnpm store offline, run dune build @bundle, stage static/logseq-cli.js, build and bundle the shadow-cljs db-worker-node, and run prepare-cli-package.mjs.
• Keeps runtime native dependencies explicit. The build compiles keytar.node, prunes build-only node-gyp intermediates, preserves the Linux libsecret RPATH, and puts sqlite3 on PATH for the cli/ pnpm store extraction.
• Wraps the CLI so it works from any current directory by setting LOGSEQ_DB_WORKER_NODE_SCRIPT to the packaged worker and prepending the bundled Node.js to PATH before executing dist/logseq.js.
• Ports the OAuth callback patch to the OCaml platform implementation. The patch keeps the registered localhost redirect URI, binds explicit 127.0.0.1 and ::1 loopback listeners, and flushes the HTTP callback response before settling the login task.
• Updates .github/workflows/build-desktop.yml to install the OCaml and cli/ pnpm dependencies, run opam exec -- pnpm cli:release, and verify the staged desktop runtime files (static/js/logseq-cli.js, static/js/db-worker-node.js, and the bundled Logseq CLI skill).
• Tightens checks around the new runtime layout. logseq-runtime-assets derives required ASAR /js/* entries from prepare-desktop-runtime-js.mjs; the CLI help check matches the OCaml doctor's status table and boots the db-worker via a graph create/list probe.
• Updates repository documentation for the OCaml/Melange CLI build and the additional manifest hash.

Validation

History cleanup validation on the rewritten head:

• git diff --exit-code backup/feat-ocaml-cli-pre-cleanup-20260618T082948Z..HEAD
• nix fmt -- --ci
• Commit message scan for non-ASCII dash characters in origin/main..HEAD
• Commit message line-length scan for lines over 120 characters in origin/main..HEAD

The rewritten branch preserves the same final file tree as the pre-cleanup head. Earlier local validation recorded for that same tree:

• nix build .#logseq-cli
• nix build .#checks.x86_64-linux.logseq-runtime-assets
• nix build .#checks.x86_64-linux.logseq-cli-help
• nix build .#checks.x86_64-linux.logseq-cli-graph-query
• nix build .#checks.x86_64-linux.logseq-cli-login-callback
• git apply --check and patch -p1 --dry-run for patches/logseq-cli-auth-bind-loopback-address-families.patch against logseqRev 1d1ca70d13368dafdd1f4181d5a6d0dc3946e577
• actionlint .github/workflows/build-desktop.yml
• nix-instantiate --parse, nixfmt --check, and deadnix --fail on changed Nix files, plus nix fmt

GitHub checks rerun on the force-pushed head ce0d01426ff428bdc3c93c0d57b1b2f417ec1ce8.

Review notes

• This PR touches both flake.lock and .github/workflows/build-desktop.yml. The required status(security-review-approved) label is already applied.
• opam-nix introduces IFD for the CLI dependency closure. CLI evaluation and builds can compile the OCaml 5.4.0 toolchain per system if those paths are not already cached.
• opam-nix vendors additional nixpkgs pins through locked inputs (nixpkgs-llvm17, nixpkgs-python38, and nixpkgs-python39), so audit-flake-inputs remains the gate for unsupported or unexpected input drift.

[claude]

Claude finished @Bad3r's task in 5m 23s —— View job

---

Review

No issues found.

The prior review threads (gemini, codex, claude) cover the substantive concerns this diff raises:

• sqlite/zstd plumbed through package.nix -> build.nix -> nativeBuildInputs (commit d536d5d)
• Fail-loud handling of unresolved const refs in the runtime-assets spread branch (commit 5ba55ed)
• logseqRev vs published assets invariants — maintainer decision documented, rationale captured

Spot checks against the working tree:

• modules/_checks/runtime-assets.nix:100-105 raises SystemExit on a non-optional spread whose const cannot be resolved
• modules/_packages/logseq-cli/build.nix:70-73 declares sqlite and zstd explicitly so the manual cli/ store extraction is self-sufficient
• modules/_packages/logseq-cli/wrapper.nix prepends ${logseqNodejs}/bin while preserving the caller's $PATH, and pins LOGSEQ_DB_WORKER_NODE_SCRIPT only when unset
• patches/logseq-cli-auth-bind-loopback-address-families.patch accounting (pending/bound) tracks symmetrically across the EAFNOSUPPORT/EADDRNOTAVAIL paths, listen-success paths, and the synchronous-throw path
• scripts/update-nightly.sh writes the new cliBundlePnpmDepsHash placeholder and resolves it via the FOD-failure parser; matches lib/loadManifest.nix

[gemini-code-assist]

Code Review

This pull request migrates the Logseq CLI build from ClojureScript to OCaml compiled via Melange and bundled with Vite. It integrates opam-nix to resolve OCaml dependencies, introduces a separate pnpm workspace for the CLI bundle, and updates the loopback address binding patch to target the new OCaml implementation. The review feedback recommends explicitly adding and forwarding sqlite and zstd as build inputs to ensure that sqlite3 and tar --zstd are available in the sandboxed build environment.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5ead90d34e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Bad3r]

/gemini review

[Bad3r]

@codex review

[gemini-code-assist]

Code Review

This pull request migrates the Logseq CLI build from ClojureScript (shadow-cljs) to OCaml compiled via Melange and bundled with Vite, aligning with upstream changes. It introduces opam-nix to resolve the OCaml/Melange dependency closure, adds a new cliBundlePnpmDepsHash field to the manifest to handle the separate cli/ pnpm workspace, and updates the build process, wrapper script, and checks accordingly. Additionally, the loopback binding patch is rewritten to target the new OCaml implementation in cli_platform.ml. There are no review comments, so no further feedback is provided.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 919f1bae87

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Bad3r]

Review feedback resolved

Implemented

• sqlite/zstd build inputs (gemini + claude): plumbed sqlite and zstd package.nix -> build.nix and added to nativeBuildInputs (d536d5d). The cli/ workspace store is unpacked in buildPhase with bare tar --zstd and sqlite3. Verified against the nixpkgs hook with a standalone probe (nativeBuildInputs = [ pnpmConfigHook ]): the hook already propagates zstd onto PATH but not the sqlite3 CLI, so sqlite3 (build.nix:175) was the real missing binary. Both are declared explicitly so the manual extraction is self-sufficient rather than relying on the hook's propagation.

Not changed (rationale)

• logseqRev bump (codex + claude): keeping logseqRev = 1d1ca70d rather than adding a cliRev field. The CLI source must lead the published desktop assets (80aeb07d has no OCaml cli/); nightlies always build desktop + CLI from the same HEAD, so a cliRev field would never diverge from logseqRev outside a manual transition like this one; and the icon / cliVersion / release-notes effects are cosmetic or one-time and self-heal at the next nightly that publishes assets at/after this rev. Full detail in the inline threads.

Validation: nix-instantiate --parse, nixfmt --check, deadnix, statix, and the pre-commit hook run all pass on the changed modules. The full nix build .#logseq-cli is left to CI (it triggers the opam-nix IFD).

[Bad3r]

Review feedback resolved

Accepted and implemented:

• The two duplicate modules/_checks/runtime-assets.nix findings were valid and in scope. Commit 5ba55ed now fails loudly when a non-optional copyPairs repoRoot spread references a string const that the parser cannot resolve.
• The error names the unresolved identifier and tells maintainers to update the runtime-assets parser instead of silently shrinking required_runtime_names.

Rejected:

• None. No remaining fetched feedback was rejected as invalid or out of scope in this pass.

Reliability impact:

• The ASAR drift guard now preserves fail-closed behavior when upstream changes scripts/prepare-desktop-runtime-js.mjs. An unsupported upstream declaration shape becomes an actionable check failure instead of a false green runtime-assets check.

Validation:

• nixfmt modules/_checks/runtime-assets.nix
• nix-instantiate --parse modules/_checks/runtime-assets.nix >/dev/null
• nix build .#checks.x86_64-linux.logseq-runtime-assets