diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ba9c41f..235a49e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -38,7 +38,7 @@ jobs:
       - name: Run Lint
         run: nix develop --command pnpm run lint
 
-  build-and-test:
+  build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -47,8 +47,17 @@ jobs:
       - name: Setup Nix
         uses: ./.github/actions/setup-nix
 
-      - name: Run Build
-        run: nix develop --command pnpm run build
+      - name: Build package
+        run: nix build --print-build-logs
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Setup Nix
+        uses: ./.github/actions/setup-nix
 
       - name: Run Tests
         run: nix develop --command pnpm test
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 802525c..34f51ae 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -41,12 +41,12 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
           node-version: lts/*
 
-      - name: 📦 Pack package
-        run: nix develop --command pnpm pack
+      - name: 📦 Build package
+        run: nix build --print-build-logs
 
       - name: 🚀 Publish package
         shell: bash
         run: |
-          PACKAGE_TGZ=$(ls *.tgz | head -n 1)
+          PACKAGE_TGZ=$(ls result/*.tgz | head -n 1)
           echo "Publishing package: $PACKAGE_TGZ"
           npm publish "$PACKAGE_TGZ" --access public
diff --git a/.gitignore b/.gitignore
index ca35cce..5d06827 100644
--- a/.gitignore
+++ b/.gitignore
@@ -181,3 +181,4 @@ dist
 .direnv
 !.envrc
 
+result
diff --git a/flake.nix b/flake.nix
index e953f20..b77eca4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,8 +16,49 @@
       ];
 
       perSystem =
-        { pkgs, ... }:
+        { pkgs, system, ... }:
         {
+          packages.default =
+            let
+              packageJson = builtins.fromJSON (builtins.readFile ./package.json);
+              pnpmDepsHash = {
+                x86_64-linux = "sha256-PrCGXf5r03gfsoGJAzew592Al1G5dx6xa/qFxazuqUo=";
+                aarch64-linux = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+                aarch64-darwin = "sha256-GDY7RZUl6A0d3l8Rz6X1sHQfwHgM2GKpcJ65yAKOmrg=";
+              };
+            in
+            pkgs.stdenv.mkDerivation (finalAttrs: {
+              pname = "stackone-ai";
+              version = packageJson.version;
+
+              src = ./.;
+
+              nativeBuildInputs = with pkgs; [
+                nodejs_24
+                pnpm_10
+                pnpm_10.configHook
+              ];
+
+              pnpmDeps = pkgs.pnpm_10.fetchDeps {
+                inherit (finalAttrs) pname version src;
+                hash = pnpmDepsHash.${system};
+                fetcherVersion = 1;
+              };
+
+              buildPhase = ''
+                runHook preBuild
+                pnpm run build
+                runHook postBuild
+              '';
+
+              installPhase = ''
+                runHook preInstall
+                mkdir -p $out
+                pnpm pack --pack-destination $out
+                runHook postInstall
+              '';
+            });
+
           devShells.default = pkgs.mkShell {
             buildInputs = with pkgs; [
               # runtime
diff --git a/lefthook.yaml b/lefthook.yaml
index 21bf81b..699d848 100644
--- a/lefthook.yaml
+++ b/lefthook.yaml
@@ -13,6 +13,10 @@ pre-commit:
       glob: '*.nix'
       run: nix develop --command nixfmt {staged_files}
       stage_fixed: true
+    - name: update-pnpm-hash
+      glob: 'pnpm-lock.yaml'
+      run: ./scripts/update-pnpm-hash.sh
+      stage_fixed: true
 
 pre-push:
   jobs:
diff --git a/package.json b/package.json
index 478f334..e4f0b9c 100644
--- a/package.json
+++ b/package.json
@@ -45,7 +45,6 @@
 		"lint:oxfmt": "oxfmt --no-error-on-unmatched-pattern --check .",
 		"lint:oxlint": "oxlint --max-warnings=0 --type-aware --type-check",
 		"lint:knip": "knip",
-		"preinstall": "npx only-allow pnpm",
 		"prepack": "npm pkg delete scripts.preinstall && pnpm run build",
 		"test": "vitest",
 		"coverage": "vitest run --coverage"
diff --git a/scripts/update-pnpm-hash.sh b/scripts/update-pnpm-hash.sh
new file mode 100755
index 0000000..d6e005b
--- /dev/null
+++ b/scripts/update-pnpm-hash.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Update pnpm deps hash in flake.nix for the current system
+# This script runs nix build to get the correct hash and updates flake.nix
+
+FLAKE_FILE="flake.nix"
+
+# Check if flake.nix exists
+if [[ ! -f "$FLAKE_FILE" ]]; then
+  echo "Error: $FLAKE_FILE not found"
+  exit 1
+fi
+
+# Detect current system
+SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem')
+echo "Current system: $SYSTEM"
+
+# Run nix build and capture the output
+echo "Calculating pnpm deps hash..."
+OUTPUT=$(nix build --no-link 2>&1 || true)
+
+# Check if there's a hash mismatch
+if echo "$OUTPUT" | grep -q "hash mismatch"; then
+  # Extract the new hash
+  NEW_HASH=$(echo "$OUTPUT" | grep "got:" | sed 's/.*got:[[:space:]]*//' | tr -d '[:space:]')
+
+  if [[ -z "$NEW_HASH" ]]; then
+    echo "Error: Could not extract new hash"
+    exit 1
+  fi
+
+  echo "New hash for $SYSTEM: $NEW_HASH"
+
+  # Update the hash for current system in flake.nix
+  sed -i.bak "s|${SYSTEM} = \"sha256-[^\"]*\"|${SYSTEM} = \"${NEW_HASH}\"|" "$FLAKE_FILE"
+  rm -f "${FLAKE_FILE}.bak"
+
+  echo "Updated $FLAKE_FILE with new hash for $SYSTEM"
+else
+  echo "Hash is up to date for $SYSTEM"
+fi