fix(nix): enable sandboxed builds with bun2nix (#199)

* fix(nix): enable sandboxed builds with bun2nix

The Nix package was broken on Linux because `bun install` requires
network access, which is blocked by Nix sandboxing (enabled by default
on Linux).

This switches to bun2nix for dependency management:
- Add bun2nix flake input to pre-fetch all npm dependencies
- Generate bun.nix lockfile for reproducible dependency resolution
- Copy bun cache to writable location during build to avoid EACCES
  errors from bunx writing to the read-only Nix store
- Add nanoid as an explicit dependency (was imported directly but only
  available as a transitive dep, which breaks with isolated linker)
- Update CI workflow to perform a full sandboxed build
- Add bun2nix to devShell for easy lockfile regeneration

Closes #197

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(nix): create writable workdir for database access

The app uses process.cwd()/data for the database path, but when running
from the Nix store the cwd is read-only. Create a writable working
directory with symlinks to app files and a real data directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
ARUNAVO RAY
2026-02-27 12:43:37 +05:30
committed by GitHub
parent d0efa200d9
commit 5aa0f3260d
6 changed files with 3969 additions and 90 deletions
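The second commit message above describes the workaround for an app that resolves its database under `process.cwd()/data` while its files live in the read-only Nix store: start it from a writable working directory that holds symlinks to the app files plus a real `data` directory. The POSIX shell functions below are an added example of that layout, not the project's own wrapper; the directory names (`app`, `work`, the `data` entry) and the `demo` fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a writable working directory for an app whose files
# live in a read-only location (the Nix store in the commit above).
#
# make_workdir APP_DIR WORK_DIR
#   - creates WORK_DIR (assumed to be per-user, e.g. under $XDG_STATE_HOME)
#   - symlinks every top-level entry of APP_DIR into WORK_DIR, except "data"
#   - creates a real, owner-only WORK_DIR/data for the database
# The app is then launched with WORK_DIR as its cwd, so nothing ever
# tries to write inside APP_DIR.
make_workdir() {
  app_dir=$1
  work_dir=$2
  mkdir -p "$work_dir"
  for entry in "$app_dir"/* "$app_dir"/.[!.]*; do
    # unmatched globs stay literal; skip them
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    name=${entry##*/}
    # a "data" directory shipped in the store must not shadow the real one
    [ "$name" = data ] && continue
    # -n: do not follow an existing symlinked dir; -f: refresh stale links
    ln -sfn "$entry" "$work_dir/$name"
  done
  mkdir -p "$work_dir/data"
  # the database lives here: keep it private to the owning user
  chmod 700 "$work_dir/data"
}

# check_workdir APP_DIR WORK_DIR
# Returns 0 when every non-data entry is a symlink into APP_DIR and
# "data" is a real, writable directory (i.e. the store is never written).
check_workdir() {
  app_dir=$1
  work_dir=$2
  for entry in "$work_dir"/*; do
    name=${entry##*/}
    if [ "$name" = data ]; then
      [ -d "$entry" ] && [ ! -L "$entry" ] || return 1
    else
      [ -L "$entry" ] || return 1
      case "$(readlink "$entry")" in
        "$app_dir"/*) ;;
        *) return 1 ;;
      esac
    fi
  done
  [ -w "$work_dir/data" ] || return 1
  return 0
}

# demo: constructed stand-in for a store path (made read-only), including a
# stray "data" directory that must not be linked. Returns 0 on success.
demo() {
  tmp=$(mktemp -d)
  app="$tmp/app"
  work="$tmp/work"
  mkdir -p "$app/node_modules" "$app/dist" "$app/data"
  echo '{}' > "$app/package.json"
  chmod -R a-w "$app"
  make_workdir "$app" "$work"
  check_workdir "$app" "$work"
  rc=$?
  chmod -R u+w "$app"
  rm -rf "$tmp"
  return $rc
}
```

In a Nix wrapper the same logic runs before `exec`ing the real binary, with `APP_DIR` set to the store path of the package output. Keeping `data` out of the symlink loop matters: if the package output happens to contain a `data` directory, linking it would point the app's database path back into the read-only store and reintroduce the original failure.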


@@ -33,13 +33,5 @@ jobs:
- name: Show flake info
run: nix flake show
- name: Evaluate package
run: |
# Evaluate the derivation without building (validates the Nix expression)
nix eval .#packages.$(nix eval --impure --expr 'builtins.currentSystem').default.name
echo "Flake evaluation successful"
# Note: Full build requires network access for bun install.
# Nix sandboxed builds block network access.
# To build locally: nix build --option sandbox false
# Or use: nix develop && bun install && bun run build
- name: Build package
run: nix build --print-build-logs
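Review bot: the replacement step at the end of the hunk, `run: nix build --print-build-logs`, only delivers the "full sandboxed build" the commit message promises if the runner's nix.conf has sandboxing on; that is the Linux default, but a self-hosted runner or a customised installer profile can disable it and the job would still pass while the network-dependent `bun install` path (the failure the removed comments describe) regresses unnoticed. Suggest stating the intent in the workflow itself, e.g. `run: nix build --print-build-logs --option sandbox true`, so a sandbox-breaking change fails here rather than on users' machines. Dropping the separate `nix eval` step is fine, since the build evaluates the same derivation.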