Add Nix flake for reproducible development and build environment #144

@avrabe

Motivation

A qualified safety-critical toolchain requires reproducible builds — the same inputs must produce the same outputs on any machine, at any time. ISO 26262 requires traceability from requirements to the deployed artifact. DO-178C requires configuration management that can reproduce any released build.

Ferrocene — the qualified Rust compiler — built custom build orchestration for exactly this reason. For the PulseEngine pipeline, we use Bazel for hermetic builds and Nix for hermetic toolchain provisioning.

Currently, only rules_rocq_rust uses Nix (flake.nix) for toolchain management. Extending this across the pipeline ensures that every developer, CI runner, and qualification environment uses identical toolchain versions.

Scope

  • Add flake.nix providing a development shell with all required toolchain dependencies
  • Pin toolchain versions (Rust, Bazel, any tool-specific dependencies)
  • Integrate with the existing Bazel build so that nix develop provides everything needed for bazel build //...
  • Add flake.lock to version control

Context

This is part of a broader effort to make the entire PulseEngine pipeline — meld, loom, synth, kiln, sigil — reproducible end-to-end. See the blog series on hermetic builds (upcoming) for the full picture.

Related: rules_rocq_rust already has a working flake.nix that can serve as a reference implementation.
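
One way to enforce the "pin toolchain versions" and "add flake.lock to version control" items in CI, as an added example (not code from this issue or from the PulseEngine repositories): a check that every input in `flake.lock` carries an exact revision and a content hash. It assumes lock file format version 7; the input names and the sample lock are constructed.

```python
import json

# Constructed sample flake.lock (lock format version 7). Input names, the
# all-zero rev and the hash strings are placeholders, not real pins.
SAMPLE_LOCK = json.dumps({
    "version": 7,
    "root": "root",
    "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "toolchain": "toolchain",
                            "local-tools": "local-tools"}},
        "nixpkgs": {  # fully pinned: commit plus content hash
            "original": {"type": "github", "owner": "NixOS", "repo": "nixpkgs"},
            "locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                       "rev": "0" * 40, "narHash": "sha256-PLACEHOLDER"},
        },
        "toolchain": {  # constructed defect: commit missing from the lock
            "original": {"type": "github", "owner": "example", "repo": "toolchain"},
            "locked": {"type": "github", "owner": "example", "repo": "toolchain",
                       "narHash": "sha256-PLACEHOLDER"},
        },
        "local-tools": {  # constructed defect: exists only on one machine
            "original": {"type": "path", "path": "/home/dev/tools"},
            "locked": {"type": "path", "path": "/home/dev/tools",
                       "narHash": "sha256-PLACEHOLDER"},
        },
    },
})

# Fetcher types whose lock entry should name an exact revision.
REV_TYPES = {"github", "gitlab", "sourcehut", "git", "hg"}

def audit_lock(text):
    """Return sorted (input, problem) pairs for inputs that are not fully pinned."""
    lock = json.loads(text)
    findings = []
    for name, node in lock["nodes"].items():
        if name == lock["root"]:
            continue  # the root node only lists inputs; it has no lock of its own
        locked = node.get("locked") or {}
        if "narHash" not in locked:
            findings.append((name, "no narHash"))
        if locked.get("type") in REV_TYPES and "rev" not in locked:
            findings.append((name, "no rev"))
        if locked.get("type") == "path" and str(locked.get("path", "")).startswith("/"):
            findings.append((name, "absolute local path"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {problem}")
```

A CI job can fail the build when `audit_lock` returns any finding for the committed `flake.lock`.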

Labels: enhancement