feat(pkg,nix): migrate 14 leaf tools to nix; drop 6 unused packages

Migrated to Home-Manager (nix/common.nix):

  duf, gdu, nmap, procs, yazi, difftastic, direnv (was duplicated),
  git-absorb, samply, strace, t-rec, act, pandoc, gdb, lldb

  lldb stays nix-only (no longer in base.txt) — per user policy, only
  ever used to debug own builds, so glibc/kernel ABI skew vs the
  pacman-built system isn't a concern. Same logic could extend to
  valgrind, but valgrind has tighter glibc compat needs; perf links
  against kernel ABI and must match the running kernel. Both stay
  pacman.

  uv was already in nix; removed pacman duplicate.

Kept on pacman (cannot migrate without breaking system builds, per
nix/common.nix policy that bans compilers/linkers/build systems on
PATH):

  ccache, clang, cmake, lld, mold, ninja, npm, rustup, sccache,
  podman-compose, podman-docker (system runtime integration),
  perf, valgrind (kernel/glibc-coupled), unzip (transitive via base),
  doxygen (huge nixpkgs closure not worth it).

Dropped entirely (unused):

  android-tools, go, gpg-tui, luarocks (was for Mason-managed nvim
  plugin deps; Mason is gone), bash-completion (zsh-only setup),
  pandoc-bin (replaced by nix pandoc).

  jdk21-openjdk kept — still needed for the groovy/jenkins toolchain
  paths in nvim.

Rewrote the --- dev --- section comment to explain the policy.

1 files changed, 12 insertions, 33 deletions

diff --git a/meta/base.txt b/meta/base.txt
index 6ea9439..19407f5 100644
--- a/meta/base.txt
+++ b/meta/base.txt
@@ -1,23 +1,19 @@
 # --- core ---
-# Note: the leaf-CLI tooling (ripgrep, fd, bat, glow, fzf, lsd, jq, yq-go,
-# zoxide, just, sd, choose, dog, curlie, hyperfine, htop, fastfetch, tldr,
-# rsync, mergiraf, delta, tree-sitter, neovim, zellij, gh, pass + pass-otp,
-# openssh, git, gnupg, wget, zsh + plugins + zsh-completions, basedpyright,
-# rust-analyzer, etc.) is provisioned via Home-Manager from nix/common.nix
-# and lives under ~/.nix-profile/bin (first in PATH). Anything pacman drops
-# that's still needed (curl, git, openssh, gnupg) comes back transitively
-# via base/base-devel/desktop deps.
+# Leaf CLI / editor / multiplexer / git stack / json+yaml / system viewers /
+# net / debug+trace / docs / secrets — all provisioned via Home-Manager
+# from nix/common.nix and live under ~/.nix-profile/bin (first in PATH).
+# What stays on pacman in this section is the pieces tightly coupled to
+# the distro (man-db/man-pages files), the system runtime (sudo-rs,
+# base/base-devel), and things needed pre-bootstrap or by other system
+# packages transitively.
 acpid
 arch-audit
 base
 base-devel
-bash-completion
 chezmoi
 cpupower
 dashbinsh
-duf
 fwupd
-gdu
 iwd
 kernel-modules-hook
 linux-firmware
@@ -27,7 +23,6 @@ man-db
 man-pages
 nfs-utils
 nftables
-nmap
 ocl-icd
 overdue
 pacman-cleanup-hook
@@ -36,7 +31,6 @@ paru
 pbzip2
 pigz
 pkgstats
-procs
 qrencode
 rebuild-detector
 reflector
@@ -46,9 +40,7 @@ sudo-rs
 systemd-resolvconf
 tlp
 torsocks
-unzip
 wireguard-tools
-yazi
 zram-generator
 
 # --- bluetooth ---
@@ -66,21 +58,15 @@ ell
 # direnv's source_url with a content hash, so no extra package needed.) ---
 nix
 
-# --- dev ---
-android-tools
+# --- dev (compiler / linker / build-system / language toolchains — these
+# MUST stay on pacman: nix/common.nix is forbidden from shipping them
+# because nix-store paths on PATH would shadow the system ones and
+# silently link projects against nixpkgs glibc instead of the system
+# sysroot. See policy comment at the top of nix/common.nix.) ---
 ccache
 clang
 cmake
-difftastic
-direnv
-doxygen
-gdb
-git-absorb
-go
-jdk21-openjdk
 lld
-lldb
-luarocks
 mold
 ninja
 npm
@@ -88,11 +74,7 @@ perf
 podman-compose
 podman-docker
 rustup
-samply
 sccache
-strace
-t-rec
-uv
 valgrind
 
 # --- sound ---
@@ -224,8 +206,6 @@ streamlink
 yt-dlp
 
 # --- desktop extras ---
-gpg-tui
-pandoc-bin
 syncthing
 udisks2
 
@@ -249,4 +229,3 @@ tesseract-data-por
 # WHISPER_MODEL in the script's environment to use a different ggml model.
 whisper.cpp-vulkan
 whisper.cpp-model-base
-act