Add subcommand 'nix provenance show' #340

Merged
edolstra merged 1 commit into main from provenance-show
Feb 10, 2026

@edolstra (Collaborator) commented Feb 9, 2026

Motivation

This adds a subcommand nix provenance show that displays the provenance record of a store path in a human-readable form, e.g.

```
# nix provenance show /run/current-system
/nix/store/k145bdxhdb89i4fkvgdisdz1yh2wiymm-nixos-system-machine-25.05.20251210.d2b1213
← copied from cache.flakehub.com
← built from derivation /nix/store/w3p3xkminq61hs00kihd34w1dglpj5s9-nixos-system-machine-25.05.20251210.d2b1213.drv (output out)
← instantiated from flake output nixosConfigurations.machine.config.system.build.toplevel
← from file /machine/flake.nix
← from tree github:my-org/my-repo/6b03eb949597fe96d536e956a2c14da9901dbd21
```

Context

Summary by CodeRabbit

  • New Features

    • Added nix provenance show to print the provenance chain for store paths; now recognizes and displays more provenance kinds (build, flake, subpath, tree, etc.) and nested provenance links.
  • Documentation

    • Added user documentation for the provenance show feature with examples and JSON output notes.
  • Tests

    • Added a functional test exercising nix provenance show output for flake-based store paths.

@coderabbitai bot commented Feb 9, 2026

Walkthrough

Registers JSON deserializers for several provenance types, adds a TreeProvenance constructor, implements a new provenance CLI with provenance show, wires in the new translation unit to the build, adds docs for the feature, and adds a functional test to validate provenance output.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Type registration & deserialization**: `src/libfetchers/provenance.cc`, `src/libflake/provenance.cc`, `src/libstore/provenance.cc`, `src/libutil/provenance.cc` | Adds global `Provenance::Register` instances for "tree", "flake", "build", and "subpath" types that parse JSON (including optional nested "next") and construct the corresponding Provenance objects. |
| **TreeProvenance constructor**: `src/libfetchers/include/nix/fetchers/provenance.hh` | Adds a public constructor `TreeProvenance(ref<nlohmann::json> attrs)` that initializes the attrs member via move. |
| **CLI: provenance commands**: `src/nix/provenance.cc` | Introduces provenance multi-command and provenance show subcommand; walks provenance chains, dispatches by provenance subtype (Copied, Built, Flake, Tree, Subpath) for formatted output, and falls back to JSON for unknown types. |
| **Build list update**: `src/nix/meson.build` | Adds provenance.cc to the nix_sources list so the new CLI code is built. |
| **Docs & tests**: `src/nix/provenance-show.md`, `tests/functional/flakes/provenance.sh` | Adds documentation for provenance show (examples and notes) and a functional test that asserts expected provenance output for a built flake path. |
| **Small includes**: `src/libflake/provenance.cc`, `src/libfetchers/provenance.cc` | Adds `nix/util/json-utils.hh` includes to aid JSON parsing in new registration lambdas. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User as User/CLI
    participant Cmd as CmdProvenanceShow
    participant Store as Store
    participant Reg as ProvenanceRegistry
    participant Display as Formatter

    User->>Cmd: nix provenance show <store-path>
    Cmd->>Store: request provenance JSON for path
    Store->>Reg: Provenance::from_json(provenance JSON)
    Reg->>Reg: match "type" and call registered parser (may call from_json recursively for "next")
    Reg-->>Store: std::shared_ptr<const Provenance>
    Store-->>Cmd: provenance object
    Cmd->>Display: displayProvenanceChain(provenance)
    Display->>Display: dynamic cast to Copied/Build/Flake/Tree/Subpath
    Display-->>User: formatted provenance chain (or JSON fallback)
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • Provenance #321: Overlapping provenance subsystem work (TreeProvenance constructor and provenance type registrations).

Suggested reviewers

  • cole-h
  • grahamc

Poem

🐰 I nibble traces, stitch each hop and leaf,
From flakes to builds — a breadcrumb motif.
Paths unfurl, a hop, a fetched bouquet,
I hop, I show — the provenance ballet! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately summarizes the main change: adding a new subcommand 'nix provenance show'. The title directly corresponds to the primary feature implementation evident across all modified files. |

No actionable comments were generated in the recent review. 🎉
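
The chain walk the walkthrough describes (dispatch on "type", follow the optional nested "next", fall back to raw JSON for an unknown type), sketched in Python as an added example; it is not code from this pull request. Only "type", "next" and the tree/flake/build/subpath type names come from the page; the "copied" type string, every other field name and the hop limit are assumptions made for illustration.

```python
import json

MAX_HOPS = 64  # added bound: records can arrive from a remote cache

# Constructed sample record. Field names other than "type" and "next" are
# hypothetical stand-ins, as is the "copied" type string.
SAMPLE = json.loads("""
{"type": "copied", "from": "cache.example.org",
 "next": {"type": "build", "drv": "/nix/store/HASH-demo.drv", "output": "out",
  "next": {"type": "flake", "flakeOutput": "packages.x86_64-linux.default",
   "next": {"type": "subpath", "subpath": "/flake.nix",
    "next": {"type": "tree", "attrs": {"url": "github:example-org/demo/REV"}}}}}}
""")

# One formatter per known type, mirroring the output shown in the description.
RENDERERS = {
    "copied":  lambda p: f"copied from {p['from']}",
    "build":   lambda p: f"built from derivation {p['drv']} (output {p['output']})",
    "flake":   lambda p: f"instantiated from flake output {p['flakeOutput']}",
    "subpath": lambda p: f"from file {p['subpath']}",
    "tree":    lambda p: f"from tree {p['attrs']['url']}",
}

def render_chain(record):
    """Return one display line per link, following "next" until it is absent."""
    lines = []
    while record is not None:
        if not isinstance(record, dict):
            raise ValueError("provenance link is not a JSON object")
        if len(lines) >= MAX_HOPS:
            raise ValueError("provenance chain exceeds MAX_HOPS")
        try:
            text = RENDERERS[record["type"]](record)
        except (KeyError, TypeError):
            # Unknown type or missing/odd fields: show the raw link as JSON.
            rest = {k: v for k, v in record.items() if k != "next"}
            text = json.dumps(rest, sort_keys=True)
        lines.append("← " + text)
        record = record.get("next")
    return lines

if __name__ == "__main__":
    print("\n".join(render_chain(SAMPLE)))
```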


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@src/nix/provenance-show.md`:
- Around line 17-28: Add a brief note to the provenance docs indicating that the
command is behind the experimental feature gate named "provenance" so users know
it may be disabled by default; update the section that introduces "nix
provenance" (the heading and the opening paragraphs describing what it shows) to
include a single sentence like "This command is experimental and requires
enabling the 'provenance' feature flag" and, if present, link to the global
experimental features/configuration instructions for enabling it.

In `@tests/functional/flakes/provenance.sh`:
- Around line 123-125: Replace the hard-coded /tmp/x write and duplicate `nix
provenance show "$outPath"` invocation by capturing the command output once
(e.g., assign the result of `nix provenance show "$outPath"` to a variable) and
use that variable in the subsequent comparison block; remove the `> /tmp/x`
write and the second command call so the script uses the single captured value
for the `[[ ... = $(cat <<EOF` check.

github-actions bot commented Feb 9, 2026

@github-actions github-actions bot temporarily deployed to pull request February 9, 2026 23:22 Inactive
@github-actions github-actions bot temporarily deployed to pull request February 9, 2026 23:51 Inactive
if (info->provenance)
displayProvenance(*store, storePath, info->provenance);
else
logger->cout(ANSI_RED " (no provenance information available)" ANSI_NORMAL);
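
Review bot: the else branch reports a missing provenance record only through a red message on logger->cout, and nothing in it signals the condition to the caller, so a script checking several store paths has to parse display text to find the ones without a record. If show is meant to stay informational, state in provenance-show.md that a path without provenance is not an error here, and, unless the path is already printed before this if, include storePath in the message so each line of output can be matched to its path.
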
Member

I think we should probably exit with an error in this case; wdyt?

Collaborator Author

Not sure, a path having no provenance is in itself not an error. For a nix provenance verify command it should be, but it's probably fine here.

@cole-h (Member) left a comment

LGTM after my last comment

@edolstra edolstra added this pull request to the merge queue Feb 10, 2026
Merged via the queue into main with commit cd0c020 Feb 10, 2026
28 checks passed
@edolstra edolstra deleted the provenance-show branch February 10, 2026 18:47