by danhudlow 824 days ago
What I desperately want is the generation of a lock file so that environment installs are cryptographically guaranteed to be repeatable byte-for-byte. I recognize that this means either checksums for every platform supported, but I’ve been startled that none of the options I’ve found seem to have the capacity for this.
1 comments

I think you're looking for Nix flakes proper! This is one of the promises!

Given so, this means many tools based on Nix provide this too, though it's not as easily surfaced.

Unfortunately, neither Nix flakes nor tools based on Nix that don’t “easily surface” this feature provide the security guarantees I’m seeking, since security guarantees are a function of cryptographic proofs and abstractions that are comprehensible to an end user.