Please confirm you have done the following:

• I have searched existing issues and pull
  requests (including closed ones) to ensure this isn't a duplicate
• I have read CONTRIBUTING.md

If this is a feature or change that was previously closed/rejected:

• I have explained in the description below why this should be reconsidered
• I have gathered community feedback (link to discussion below)

Human Written Description

The Nix build (nix build .#handy) keeps breaking because the fixed-output derivation
hash for bun dependencies has to be manually updated every time bun.lock changes.
The same problem exists for cargo git dependency hashes. This makes maintaining the Nix
package tedious and results in frequent hash-update PRs.

This PR eliminates all manual hash management by switching to bun2nix (per-package
fetchurl expressions) for bun deps and allowBuiltinFetchGit for cargo git deps.
A postinstall hook auto-regenerates the Nix files whenever bun.lock changes, so
non-Nix developers won't accidentally break the Nix build.

Normally, when you update TS dependencies with bun add ... or
bun update ..., Nix dependency files are auto-updated via the postinstall hook.
A developer just needs to commit the updated files, same as with Cargo.lock.

If bun.lock is updated manually (without bun), the CI job nix build check will catch it
and show a red status with an error message explaining that you should run
bun scripts/check-nix-deps.ts to update Nix dependencies.

I believe this should eliminate 99% of problems with Nix dependencies.
After this PR, manual fixes are only expected when ferrous-opencc is updated
(it requires a special patch currently), or if you decide to publish the app in
nixpkgs (which prohibits allowBuiltinFetchGit — but for standalone flake packages
it's fine). In all other cases, Nix dependencies should be updated automatically
via the hook or by running the script in the same PR where the bun dependency changed,
without requiring a separate manual PR.

Note: The nix build check CI job is currently set to continue-on-error: false,
meaning it will block PRs with outdated Nix files. The fix is always straightforward
(just run bun install or bun scripts/check-nix-deps.ts), but if you'd prefer
this check to be non-blocking, simply change it to continue-on-error: true in
.github/workflows/nix-check.yml.

Note 2: The CI job now performs a full nix build .#handy in addition to dependency sync
and flake evaluation, to catch runtime build errors. This takes ~27 min on a cold cache.
In the future, this could potentially be reduced to ~5 min by adding
Cachix (requires an account and setup; the estimate is based on
the assumption that only changed derivations would be rebuilt, similar to how rust-cache
works for cargo in the rust-tests job).

@cjpais For this PR, you can choose:

• Keep the full build — if ~27 min CI time is acceptable for the extra reliability
• Remove the build step — I can drop the Build handy step, keeping only the dependency
  sync check + flake evaluation (~30s), which still catches most issues

Related Issues/Discussions

Supersedes the manual hash update approach from #948.

Community Feedback

This is a fix for a recurring maintenance burden that has required multiple PRs just to update hashes. It doesn't add any new features.

Testing

• nix eval .#packages.x86_64-linux.handy.drvPath — flake evaluation passes
• nix build .#handy — full build succeeds
• Verified bun install triggers postinstall hook and regenerates .nix/bun.nix when bun.lock changes
• Verified no regeneration occurs when bun.lock is unchanged (~2ms check)

Screenshots/Videos (if applicable)

N/A

AI Assistance

• AI was used (please describe below)

If AI was used:

• Tools used: Claude Code (Claude Opus)
• How extensively: wrote the implementation code (flake.nix rewrite, check-nix-deps.ts script, CI workflow).