nix-native ios cross compile

.envrc

@@ -1,2 +1,2 @@
-watch_file nix/shells/local.nix
-use flake .
+# watch_file nix/shells/local.nix
+use flake .#rust

.github/actions/setup-ios-xcode/action.yml

@@ -0,0 +1,41 @@
+name: Setup iOS Xcode
+description: >
+  Materialize the pinned Xcode at its /nix/store path via xmtp-cache-apple
+  (Apple's license forbids serving Xcode from a binary cache). Single source
+  of truth for the Xcode version and store path used by the iOS workflows —
+  keep in sync with xcodeVer in nix/ios-packages.nix.
+
+runs:
+  using: composite
+  steps:
+    # The local bundle is only needed for the cold-cache bootstrap import;
+    # warm runs restore a NAR and never touch it. A runner with no local
+    # Xcode still works warm — and on a cold cache it fails in the
+    # bootstrap step with a clear missing-bundle cause (nothing can
+    # conjure Xcode there anyway).
+    - name: Resolve Xcode bundle path
+      id: xcode-path
+      shell: bash
+      run: |
+        p=""
+        for c in /Applications/Xcode_26.3*.app /Applications/Xcode-26.3*.app /Applications/Xcode.app; do
+          [ -d "$c" ] || continue
+          v=$(defaults read "$c/Contents/version" CFBundleShortVersionString 2>/dev/null || true)
+          case "$v" in 26.3|26.3.*) p="$c"; break ;; esac
+        done
+        if [ -z "$p" ]; then
+          echo "::warning::No local Xcode 26.3 bundle found; OK on a warm cache, the cold-cache bootstrap will fail."
+          p=/Applications/Xcode_26.3.app
+        fi
+        echo "path=$p" >> "$GITHUB_OUTPUT"
+    - uses: xmtplabs/xmtp-cache-apple@v1.0.3
+      with:
+        xcode-path: ${{ steps.xcode-path.outputs.path }}
+        # requireFile fixed-output path: moves only if the pinned sha256 for
+        # xcode_26_3 changes, never with nixpkgs/flake.lock bumps.
+        xcode-nix-path: /nix/store/x9hdz5mfp44i9b05sswp271jdv68r8vx-Xcode.app
+    # Point non-nix tool invocations (raw xcodebuild/swift steps) at the
+    # pinned Xcode too; nix builds get this via the xcode-tools setup hook.
+    - name: Export DEVELOPER_DIR
+      shell: bash
+      run: echo "DEVELOPER_DIR=/nix/store/x9hdz5mfp44i9b05sswp271jdv68r8vx-Xcode.app/Contents/Developer" >> "$GITHUB_ENV"

.github/workflows/lint-ios.yml

@@ -13,6 +13,7 @@ jobs:
         with:
           github-token: ${{ github.token }}
           cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - uses: ./.github/actions/setup-ios-xcode
       - uses: taiki-e/install-action@just
       - name: Lint iOS SDK
         run: just ios lint

.github/workflows/release-ios.yml

@@ -48,6 +48,7 @@ jobs:
         with:
           github-token: ${{ github.token }}
           cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - uses: ./.github/actions/setup-ios-xcode
       - name: Compute version
         id: version
         run: |
@@ -76,7 +77,7 @@ jobs:
           echo "base-version=$BASE" >> "$GITHUB_OUTPUT"
           echo "Computed version: $VERSION"
       - name: Build xcframeworks
-        run: nix build .#ios-xcframeworks --out-link build/ios
+        run: nix build .#ios-release --out-link build/ios
 
       - name: Package and checksum
         id: checksum

.github/workflows/test-ios.yml

@@ -52,9 +52,7 @@ jobs:
           github-token: ${{ github.token }}
           cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
           with-warpbuild-cache: "false"
-      - uses: maxim-lobanov/setup-xcode@v1
-        with:
-          xcode-version: "26"
+      - uses: ./.github/actions/setup-ios-xcode
       - uses: taiki-e/install-action@just
       - name: Build and test
         env:

.gitignore

@@ -209,3 +209,4 @@ docs/plans
 # Claude Code
 .claude/scheduled_tasks.lock
 /target-linux-amd64
+nixpkgs

bindings/wasm/package.json

@@ -66,7 +66,7 @@
     "@vitest/browser-playwright": "^4.0.8",
     "@xmtp/content-type-remote-attachment": "^2.0.3",
     "binaryen": "^125.0.0",
-    "playwright": "=1.58",
+    "playwright": "=1.59.1",
     "prettier": "^3.7.4",
     "prettier-plugin-packagejson": "^3.0.0",
     "tsx": "^4.20.6",

bindings/wasm/yarn.lock

@@ -1095,7 +1095,7 @@ __metadata:
     "@vitest/browser-playwright": "npm:^4.0.8"
     "@xmtp/content-type-remote-attachment": "npm:^2.0.3"
     binaryen: "npm:^125.0.0"
-    playwright: "npm:=1.58"
+    playwright: "npm:=1.59.1"
     prettier: "npm:^3.7.4"
     prettier-plugin-packagejson: "npm:^3.0.0"
     tsx: "npm:^4.20.6"
@@ -2068,27 +2068,27 @@ __metadata:
   languageName: node
   linkType: hard
 
-"playwright-core@npm:1.58.2":
-  version: 1.58.2
-  resolution: "playwright-core@npm:1.58.2"
+"playwright-core@npm:1.59.1":
+  version: 1.59.1
+  resolution: "playwright-core@npm:1.59.1"
   bin:
     playwright-core: cli.js
-  checksum: 10/8a98fcf122167e8703d525db2252de0e3da4ab9110ab6ea9951247e52d846310eb25ea2c805e1b7ccb54b4010c44e5adc3a76aae6da02f34324ccc3e76683bb1
+  checksum: 10/d27857a6701587c2a9bfa26fed9a5d8c617a392299b99b187f2ddc198d012a1e296449806bc907220debea938152677e8b4d91d304ed00645f762f778de3abec
   languageName: node
   linkType: hard
 
-"playwright@npm:=1.58":
-  version: 1.58.2
-  resolution: "playwright@npm:1.58.2"
+"playwright@npm:=1.59.1":
+  version: 1.59.1
+  resolution: "playwright@npm:1.59.1"
   dependencies:
     fsevents: "npm:2.3.2"
-    playwright-core: "npm:1.58.2"
+    playwright-core: "npm:1.59.1"
   dependenciesMeta:
     fsevents:
       optional: true
   bin:
     playwright: cli.js
-  checksum: 10/d89d6c8a32388911b9aff9ee0f1a90076219f15c804f2b287db048b9e9cde182aea3131fac1959051d25189ed4218ec4272b137c83cd7f9cd24781cbc77edd86
+  checksum: 10/17b2df42effa362adc6aa3192b625bd80f26b91a0c253a2375ac89ace68407b746dd87b4081629c50c58c3cb031c5b837a32fef43a3c98c60ea504e0b001e5fa
   languageName: node
   linkType: hard
 

flake.nix

 packages = { 
 packages = { 
@@ -7,6 +7,8 @@
   };
 
   inputs = {
+    # Cross pkgsets apply the upstream iOS branch as a patch
+    # on top — see nixpkgs-patched in nix/lib/default.nix.
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     fenix = {
       url = "github:nix-community/fenix";
@@ -17,7 +19,10 @@
     flake-parts = {
       url = "github:hercules-ci/flake-parts";
     };
-    foundry.url = "github:shazow/foundry.nix/stable";
+    foundry = {
+      url = "github:shazow/foundry.nix/stable";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     crane = {
       url = "github:ipetkov/crane";
     };
@@ -46,6 +51,7 @@
         ./nix/node-packages.nix
         ./nix/android-packages.nix
         ./nix/apps.nix
+        ./nix/ios-packages.nix
       ];
       perSystem =
         {
@@ -83,36 +89,6 @@
               ;
             wasm-bindings = (pkgs.callPackage ./nix/package/wasm.nix { }).bin;
             wasm-bindings-test = (pkgs.callPackage ./nix/package/wasm.nix { test = true; }).bin;
-          }
-          // lib.optionalAttrs pkgs.stdenv.isDarwin {
-            # stdenvNoCC is passed to callPackage (for the aggregate derivation).
-            # This avoids Nix's apple-sdk and cc-wrapper,
-            # which inject -mmacos-version-min flags that
-            # conflict with iOS cross-compilation. The builds are impure (__noChroot)
-            # and use the system Xcode SDK directly via ios-env.nix paths.
-            ios-libs =
-              (pkgs.callPackage ./nix/package/ios.nix {
-                stdenv = pkgs.stdenvNoCC;
-              }).aggregate;
-            # iOS bindings - simulator + host macOS only (fast dev/CI builds)
-            ios-libs-fast =
-              (
-                (pkgs.callPackage ./nix/package/ios.nix {
-                  stdenv = pkgs.stdenvNoCC;
-                }).mkIos
-                [
-                  "aarch64-apple-darwin"
-                  "aarch64-apple-ios-sim"
-                ]
-              ).aggregate;
-            ios-xcframeworks =
-              (pkgs.callPackage ./nix/package/ios.nix {
-                stdenv = pkgs.stdenvNoCC;
-              }).release;
-            ios-xcframeworks-fast =
-              (pkgs.callPackage ./nix/package/ios.nix {
-                stdenv = pkgs.stdenvNoCC;
-              }).devFast;
           };
         };
     };