
Attest build environment configuration (Bazel version, Nix hash, toolchain versions) #49

@avrabe

Description


Motivation

sigil currently attests pipeline transformation steps (meld → loom → synth). For full qualification traceability, the attestation chain should also capture the build environment:

  • Bazel version and configuration
  • Nix flake lock hash (when available)
  • Toolchain versions (rustc, wasm-tools, etc.)
  • Host platform and OS version

Ferrocene's Safety Manual includes build monitoring constraints (RUSTC_CSTR_0030) requiring verification that "proper versions of the tools have been used with the appropriate options." Automating this through sigil attestation is stronger than procedural controls.

Scope

  • Capture build environment metadata as part of attestation
  • Include Bazel invocation details (version, config, platform)
  • Include Nix flake lock hash when builds use Nix-provisioned toolchains
  • Include toolchain version strings (rustc --version, wasm-tools --version, etc.)
  • Embed environment attestation in SLSA provenance format
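The scope items above, carried through as an added example in Python (illustration only, not sigil's code or its attestation format): it captures tool version strings, hashes flake.lock, places the result in an in-toto Statement with an SLSA v1 provenance predicate, and then performs the verify-side comparison against a qualified toolchain list that automates the "proper versions of the tools" check. Assumptions, all specific to this example: the tool set in `TOOL_COMMANDS`, the use of Bazel's `Build label:` line, the placement of toolchain and host data under `internalParameters` and of the flake.lock digest under `resolvedDependencies` (one reasonable placement in the SLSA v1 predicate, not a prescribed one), the placeholder `buildType` and builder URIs, and the constructed sample tool output and version numbers.

```python
"""Added example (not sigil's code): capture build-environment metadata,
embed it in an SLSA v1 provenance statement, and check the attested
toolchain against the versions qualified for the build."""
import hashlib
import json
import platform
import re
import shutil
import subprocess

# Assumed tool set; the first output line (or Bazel's "Build label:") is attested.
TOOL_COMMANDS = {
    "bazel": ["bazel", "version"],
    "rustc": ["rustc", "--version"],
    "wasm-tools": ["wasm-tools", "--version"],
}


def run_version_command(argv):
    """Default runner: run the tool and return stdout, or None if it is not on PATH."""
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def parse_version(tool, output):
    """Reduce raw version output to one 'name version' string (None if tool missing)."""
    if not output:
        return None
    if tool == "bazel":
        m = re.search(r"^Build label:\s*(\S+)", output, re.MULTILINE)
        if m:
            return f"bazel {m.group(1)}"
    return output.strip().splitlines()[0]


def capture_tool_versions(runner=run_version_command, commands=TOOL_COMMANDS):
    """Map each tool to its attested version string (None when not found)."""
    return {tool: parse_version(tool, runner(argv)) for tool, argv in commands.items()}


def flake_lock_digest(lock_bytes):
    """Hex SHA-256 of the flake.lock bytes, pinning the Nix-provisioned toolchain."""
    return hashlib.sha256(lock_bytes).hexdigest()


def build_provenance(subject_name, subject_sha256, tool_versions,
                     flake_lock_sha256=None, host=None):
    """Assemble an in-toto Statement carrying an SLSA v1 provenance predicate.
    Where toolchain/host data and the flake.lock digest live inside the
    predicate is an assumption of this example, not a SLSA requirement."""
    if host is None:
        host = {"system": platform.system(), "release": platform.release(),
                "machine": platform.machine()}
    resolved = []
    if flake_lock_sha256:
        resolved.append({"name": "flake.lock", "digest": {"sha256": flake_lock_sha256}})
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/sigil-build/v1",  # placeholder URI
                "externalParameters": {},
                # Tools that were not found are left out of the attestation; the
                # verifier below treats absence as a failure, never as acceptance.
                "internalParameters": {
                    "toolchain": {t: v for t, v in tool_versions.items() if v},
                    "host": host,
                },
                "resolvedDependencies": resolved,
            },
            "runDetails": {"builder": {"id": "https://example.invalid/sigil"}},  # placeholder
        },
    }


def check_toolchain(statement, qualified):
    """Return the tools whose attested version differs from the qualified one;
    a tool missing from the attestation counts as a mismatch."""
    attested = statement["predicate"]["buildDefinition"]["internalParameters"]["toolchain"]
    return sorted(t for t, v in qualified.items() if attested.get(t) != v)


# Constructed sample tool output and qualified versions, so the example runs
# offline without any of the tools installed.
SAMPLE_OUTPUTS = {
    "bazel": "Bazelisk version: v1.19.0\nBuild label: 7.1.1\nBuild time: (constructed)\n",
    "rustc": "rustc 1.79.0 (129f3b996 2024-06-10)\n",
    "wasm-tools": "wasm-tools 1.201.0\n",
}
QUALIFIED = {"rustc": "rustc 1.79.0 (129f3b996 2024-06-10)",
             "wasm-tools": "wasm-tools 1.201.0"}

if __name__ == "__main__":
    versions = capture_tool_versions(runner=lambda argv: SAMPLE_OUTPUTS.get(argv[0]))
    stmt = build_provenance("synth.wasm", "ab" * 32, versions,
                            flake_lock_sha256=flake_lock_digest(b'{"version": 7}\n'))
    print(json.dumps(stmt, indent=2, sort_keys=True))
    print("mismatches:", check_toolchain(stmt, QUALIFIED))
```

In a real pipeline the runner would be the default `run_version_command` and the statement would be signed (for instance as a DSSE envelope) alongside the existing step attestations; the point of `check_toolchain` is that the verifier, not a procedural checklist, rejects a build whose attested `rustc` or `wasm-tools` is absent or differs from the qualified version.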

Labels: enhancement (New feature or request)