Add warning for non-JSON-object exportReferencesGraph

Correct `build-dir` error in manual, link relevant settings

.coderabbit.yaml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
 # Disable CodeRabbit auto-review to prevent verbose comments on PRs.
 # When enabled: false, CodeRabbit won't attempt reviews and won't post
 # "Review skipped" or other automated comments.
@@ -12,3 +13,6 @@ reviews:
   tools:
     github-checks:
       enabled: false
+chat:
+  art: false
+  auto_reply: false

.github/workflows/backport.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           app-id: ${{ vars.CI_APP_ID }}
           private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           # required to find all branches

.github/workflows/ci.yml

@@ -24,7 +24,7 @@ jobs:
   eval:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - uses: ./.github/actions/install-nix-action
@@ -40,7 +40,7 @@ jobs:
     name: pre-commit checks
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: ./.github/actions/install-nix-action
         with:
           dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
@@ -87,7 +87,7 @@ jobs:
     runs-on: ${{ matrix.runs-on }}
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - uses: ./.github/actions/install-nix-action
@@ -125,13 +125,13 @@ jobs:
         cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
       if: ${{ matrix.instrumented }}
     - name: Upload coverage reports
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: coverage-reports
         path: coverage-reports/
       if: ${{ matrix.instrumented }}
     - name: Upload installer tarball
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: installer-${{matrix.os}}
         path: out/*
@@ -162,9 +162,9 @@ jobs:
     name: installer test ${{ matrix.scenario }}
     runs-on: ${{ matrix.runs-on }}
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Download installer tarball
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@v6
       with:
         name: installer-${{matrix.os}}
         path: out
@@ -174,7 +174,7 @@ jobs:
         echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
         TARBALL_PATH="$(find "$GITHUB_WORKSPACE/out" -name 'nix*.tar.xz' -print | head -n 1)"
         echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
-    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
+    - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # v31.8.4
       if: ${{ !matrix.experimental-installer }}
       with:
         install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
@@ -227,7 +227,7 @@ jobs:
       github.ref_name == 'master'
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - uses: ./.github/actions/install-nix-action
@@ -276,14 +276,14 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout nix
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Checkout flake-regressions
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: NixOS/flake-regressions
           path: flake-regressions
       - name: Checkout flake-regressions-data
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: NixOS/flake-regressions-data
           path: flake-regressions/tests
@@ -303,7 +303,7 @@ jobs:
       github.event_name == 'push' &&
       github.ref_name == 'master'
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - uses: ./.github/actions/install-nix-action

CONTRIBUTING.md

@@ -94,6 +94,8 @@ The underlying source files are located in [`doc/manual/source`](./doc/manual/so
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
 For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).
 
+You're encouraged to add line breaks at semantic boundaries, per [sembr](https://sembr.org).
+
 ## Getting help
 
 Whenever you're stuck or do not know how to proceed, you can always ask for help.

ci/gha/tests/default.nix

@@ -107,12 +107,29 @@ rec {
         };
   };
 
+  disable =
+    let
+      inherit (pkgs.stdenv) hostPlatform;
+    in
+    args@{
+      pkgName,
+      testName,
+      test,
+    }:
+    lib.any (b: b) [
+      # FIXME: Nix manual is impure and does not produce all settings on darwin
+      (hostPlatform.isDarwin && pkgName == "nix-manual" && testName == "linkcheck")
+    ];
+
   componentTests =
     (lib.concatMapAttrs (
       pkgName: pkg:
-      lib.concatMapAttrs (testName: test: {
-        "${componentTestsPrefix}${pkgName}-${testName}" = test;
-      }) (pkg.tests or { })
+      lib.concatMapAttrs (
+        testName: test:
+        lib.optionalAttrs (!disable { inherit pkgName testName test; }) {
+          "${componentTestsPrefix}${pkgName}-${testName}" = test;
+        }
+      ) (pkg.tests or { })
     ) nixComponentsInstrumented)
     // lib.optionalAttrs (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) {
       "${componentTestsPrefix}nix-functional-tests" = nixComponentsInstrumented.nix-functional-tests;

doc/manual/anchors.jq

@@ -3,7 +3,7 @@
 
 
 def transform_anchors_html:
-    . | gsub($empty_anchor_regex; "<a name=\"" + .anchor + "\"></a>")
+    . | gsub($empty_anchor_regex; "<a id=\"" + .anchor + "\"></a>")
       | gsub($anchor_regex; "<a href=\"#" + .anchor + "\" id=\"" + .anchor + "\">" + .text + "</a>");
 
 
@@ -24,8 +24,15 @@ def map_contents_recursively(transformer):
 def process_command:
     .[0] as $context |
     .[1] as $body |
-    $body + {
-        sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
-    };
+    # mdbook 0.5.x uses 'items' instead of 'sections'
+    if $body.items then
+        $body + {
+            items: $body.items | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+        }
+    else
+        $body + {
+            sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+        }
+    end;
 
 process_command

doc/manual/book.toml.in

@@ -7,6 +7,7 @@ additional-css = ["custom.css"]
 additional-js = ["redirects.js"]
 edit-url-template = "https://github.com/NixOS/nix/tree/master/doc/manual/{path}"
 git-repository-url = "https://github.com/NixOS/nix"
+mathjax-support = true
 
 # Handles replacing @docroot@ with a path to ./source relative to that markdown file,
 # {{#include handlebars}}, and the @generated@ syntax used within these. it mostly
@@ -23,12 +24,3 @@ renderers = ["html"]
 command = "jq --from-file ./anchors.jq"
 
 [output.markdown]
-
-[output.linkcheck]
-# no Internet during the build (in the sandbox)
-follow-web-links = false
-
-# mdbook-linkcheck does not understand [foo]{#bar} style links, resulting in
-# excessive "Potential incomplete link" warnings. No other kind of warning was
-# produced at the time of writing.
-warning-policy = "ignore"

doc/manual/expand-includes.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+"""
+Standalone markdown preprocessor for manpage generation.
+
+Expands {{#include}} directives and handles @docroot@ references
+without requiring mdbook.
+"""
+
+from pathlib import Path
+import sys
+import argparse
+import re
+
+
+def expand_includes(
+    content: str,
+    current_file: Path,
+    source_root: Path,
+    generated_root: Path | None,
+    visited: set[Path] | None = None,
+) -> str:
+    """
+    Recursively expand {{#include path}} directives.
+
+    Args:
+        content: Markdown content to process
+        current_file: Path to the current file (for resolving relative includes)
+        source_root: Root of the source directory
+        generated_root: Root of generated files (for @generated@/ includes)
+        visited: Set of already-visited files (for cycle detection)
+    """
+    if visited is None:
+        visited = set()
+
+    # Track current file to detect cycles
+    visited.add(current_file.resolve())
+
+    lines = []
+    include_pattern = re.compile(r'^\s*\{\{#include\s+(.+?)\}\}\s*$')
+
+    for line in content.splitlines(keepends=True):
+        match = include_pattern.match(line)
+        if not match:
+            lines.append(line)
+            continue
+
+        # Found an include directive
+        include_path_str = match.group(1).strip()
+
+        # Resolve the include path
+        if include_path_str.startswith("@generated@/"):
+            # Generated file
+            if generated_root is None:
+                raise ValueError(
+                    f"Cannot resolve @generated@ path '{include_path_str}' "
+                    f"without --generated-root"
+                )
+            include_path = generated_root / include_path_str[12:]
+        else:
+            # Relative to current file
+            include_path = (current_file.parent / include_path_str).resolve()
+
+        # Check for cycles
+        if include_path.resolve() in visited:
+            raise RuntimeError(
+                f"Include cycle detected: {include_path} is already being processed"
+            )
+
+        # Check that file exists
+        if not include_path.exists():
+            raise FileNotFoundError(
+                f"Include file not found: {include_path_str}\n"
+                f"  Resolved to: {include_path}\n"
+                f"  From: {current_file}"
+            )
+
+        # Recursively expand the included file
+        included_content = include_path.read_text()
+        expanded = expand_includes(
+            included_content,
+            include_path,
+            source_root,
+            generated_root,
+            visited.copy(),  # Copy visited set for this branch
+        )
+        lines.append(expanded)
+        # Add newline if the included content doesn't end with one
+        if not expanded.endswith('\n'):
+            lines.append('\n')
+
+    return ''.join(lines)
+
+
+def resolve_docroot(content: str, current_file: Path, source_root: Path, docroot_url: str) -> str:
+    """
+    Replace @docroot@ with nix.dev URL and convert .md to .html.
+
+    For manpages, absolute URLs are more useful than relative paths since
+    manpages are viewed standalone. lowdown will display these as proper
+    references in the manpage output.
+    """
+    # Replace @docroot@ with the base URL
+    content = content.replace("@docroot@", docroot_url)
+
+    # Convert .md extensions to .html for web links
+    # Use lookahead to ensure that .md occurs before a fragment or a possible URL end.
+    content = re.sub(
+        r'(https://nix\.dev/[^)\s]*?)\.md(?=[#)\s]|$)',
+        r'\1.html',
+        content
+    )
+
+    return content
+
+
+def resolve_at_escapes(content: str) -> str:
+    """Replace @_at_ with @"""
+    return content.replace("@_at_", "@")
+
+
+def process_file(
+    input_file: Path,
+    source_root: Path,
+    generated_root: Path | None,
+    docroot_url: str,
+) -> str:
+    """Process a single markdown file."""
+    content = input_file.read_text()
+
+    # Expand includes
+    content = expand_includes(content, input_file, source_root, generated_root)
+
+    # Resolve @docroot@ references
+    content = resolve_docroot(content, input_file, source_root, docroot_url)
+
+    # Resolve @_at_ escapes
+    content = resolve_at_escapes(content)
+
+    return content
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Expand markdown includes for manpage generation",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  # Expand a manpage source file
+  %(prog)s \\
+    --source-root doc/manual/source \\
+    --generated-root build/doc/manual/source \\
+    doc/manual/source/command-ref/nix-store/query.md
+
+  # Pipe to lowdown for manpage generation
+  %(prog)s -s doc/manual/source -g build/doc/manual/source \\
+    doc/manual/source/command-ref/nix-env.md | \\
+    lowdown -sT man -M section=1 -o nix-env.1
+        """,
+    )
+    parser.add_argument(
+        "input_file",
+        type=Path,
+        help="Input markdown file to process",
+    )
+    parser.add_argument(
+        "-s", "--source-root",
+        type=Path,
+        required=True,
+        help="Root directory of markdown sources",
+    )
+    parser.add_argument(
+        "-g", "--generated-root",
+        type=Path,
+        help="Root directory of generated files (for @generated@/ includes)",
+    )
+    parser.add_argument(
+        "-o", "--output",
+        type=Path,
+        help="Output file (default: stdout)",
+    )
+    parser.add_argument(
+        "-u", "--doc-url",
+        type=str,
+        default="https://nix.dev/manual/nix/latest",
+        help="Base URL for documentation links (default: https://nix.dev/manual/nix/latest)",
+    )
+
+    args = parser.parse_args()
+
+    # Validate paths
+    if not args.input_file.exists():
+        print(f"Error: Input file not found: {args.input_file}", file=sys.stderr)
+        return 1
+
+    if not args.source_root.is_dir():
+        print(f"Error: Source root is not a directory: {args.source_root}", file=sys.stderr)
+        return 1
+
+    if args.generated_root and not args.generated_root.is_dir():
+        print(f"Error: Generated root is not a directory: {args.generated_root}", file=sys.stderr)
+        return 1
+
+    try:
+        # Process the file
+        output = process_file(args.input_file, args.source_root, args.generated_root, args.doc_url)
+
+        # Write output
+        if args.output:
+            args.output.write_text(output)
+        else:
+            print(output, end='')
+
+        return 0
+
+    except Exception as e:
+        print(f"Error processing {args.input_file}: {e}", file=sys.stderr)
+        import traceback
+        traceback.print_exc(file=sys.stderr)
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

doc/manual/generate-redirects.py

@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+"""Generate redirects.js from template and JSON data."""
+
+import sys
+
+template_path, json_path, output_path = sys.argv[1:]
+
+with open(json_path) as f:
+    json_content = f.read().rstrip()
+
+with open(template_path) as f:
+    template = f.read()
+
+with open(output_path, 'w') as f:
+    f.write(template.replace('@REDIRECTS_JSON@', json_content))

doc/manual/generate-store-types.nix

@@ -24,9 +24,9 @@ let
     in
     concatStringsSep "\n" (map showEntry storesList);
 
-  "index.md" =
-    replaceStrings [ "@store-types@" ] [ index ]
-      (readFile ./source/store/types/index.md.in);
+  "index.md" = replaceStrings [ "@store-types@" ] [ index ] (
+    readFile ./source/store/types/index.md.in
+  );
 
   tableOfContents =
     let

doc/manual/meson.build

@@ -5,11 +5,29 @@ project(
   license : 'LGPL-2.1-or-later',
 )
 
+# Compute documentation URL based on version and release type
+version = meson.project_version()
+official_release = get_option('official-release')
+
+if official_release
+  # For official releases, use versioned URL (dropping patch version)
+  version_parts = version.split('.')
+  major_minor = '@0@.@1@'.format(version_parts[0], version_parts[1])
+  doc_url = 'https://nix.dev/manual/nix/@0@'.format(major_minor)
+else
+  # For development builds, use /latest
+  doc_url = 'https://nix.dev/manual/nix/latest'
+endif
+
 nix = find_program('nix', native : true)
 
-mdbook = find_program('mdbook', native : true)
 bash = find_program('bash', native : true)
-rsync = find_program('rsync', required : true, native : true)
+
+# HTML manual dependencies (conditional)
+if get_option('html-manual')
+  mdbook = find_program('mdbook', native : true)
+  rsync = find_program('rsync', required : true, native : true)
+endif
 
 pymod = import('python')
 python = pymod.find_installation('python3')
@@ -57,6 +75,24 @@ generate_manual_deps = files(
   'generate-deps.py',
 )
 
+# Generate redirects.js from template and JSON data
+redirects_js = custom_target(
+  'redirects.js',
+  command : [
+    python,
+    '@INPUT0@',
+    '@INPUT1@',
+    '@INPUT2@',
+    '@OUTPUT@',
+  ],
+  input : [
+    'generate-redirects.py',
+    'redirects.js.in',
+    'redirects.json',
+  ],
+  output : 'redirects.js',
+)
+
 # Generates types
 subdir('source/store')
 # Generates builtins.md and builtin-constants.md.
@@ -77,64 +113,71 @@ else
   nix_input = []
 endif
 
-manual = custom_target(
-  'manual',
-  command : [
-    bash,
-    '-euo',
-    'pipefail',
-    '-c',
-    '''
-        @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
-        @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
-        sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
-        @4@ -r -L --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
-        (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
-        rm -rf @2@/manual
-        mv @2@/html @2@/manual
-        find @2@/manual -iname meson.build -delete
-    '''.format(
-      python.full_path(),
-      mdbook.full_path(),
-      meson.current_build_dir(),
-      meson.project_version(),
-      rsync.full_path(),
-    ),
-  ],
-  input : [
-    generate_manual_deps,
-    'substitute.py',
-    'book.toml.in',
-    'anchors.jq',
-    'custom.css',
-    nix3_cli_files,
-    experimental_features_shortlist_md,
-    experimental_feature_descriptions_md,
-    types_dir,
-    conf_file_md,
-    builtins_md,
-    rl_next_generated,
-    summary_rl_next,
-    json_schema_generated_files,
-    nix_input,
-  ],
-  output : [
+# HTML manual build (conditional)
+if get_option('html-manual')
+  manual = custom_target(
     'manual',
-    'markdown',
-  ],
-  depfile : 'manual.d',
-  env : {
-    'RUST_LOG' : 'info',
-    'MDBOOK_SUBSTITUTE_SEARCH' : meson.current_build_dir() / 'source',
-  },
-)
-manual_html = manual[0]
-manual_md = manual[1]
+    command : [
+      bash,
+      '-euo',
+      'pipefail',
+      '-c',
+      '''
+          @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
+          @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
+          sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
+          @4@ -r -L --exclude='*.drv' --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
+          (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
+          rm -rf @2@/manual
+          mv @2@/html @2@/manual
+          # Remove Mathjax 2.7, because we will actually use MathJax 3.x
+          find @2@/manual | grep .html | xargs sed -i -e '/2.7.1.MathJax.js/d'
+          find @2@/manual -iname meson.build -delete
+      '''.format(
+        python.full_path(),
+        mdbook.full_path(),
+        meson.current_build_dir(),
+        meson.project_version(),
+        rsync.full_path(),
+      ),
+    ],
+    input : [
+      generate_manual_deps,
+      'substitute.py',
+      'book.toml.in',
+      'anchors.jq',
+      'custom.css',
+      redirects_js,
+      nix3_cli_files,
+      experimental_features_shortlist_md,
+      experimental_feature_descriptions_md,
+      types_dir,
+      conf_file_md,
+      builtins_md,
+      rl_next_generated,
+      summary_rl_next,
+      json_schema_generated_files,
+      nix_input,
+    ],
+    output : [
+      'manual',
+      'markdown',
+    ],
+    depfile : 'manual.d',
+    build_by_default : true,
+    env : {
+      'RUST_LOG' : 'info',
+      'MDBOOK_SUBSTITUTE_SEARCH' : meson.current_build_dir() / 'source',
+    },
+  )
+  manual_html = manual[0]
+  manual_md = manual[1]
 
-install_subdir(
-  manual_html.full_path(),
-  install_dir : get_option('datadir') / 'doc/nix',
-)
+  install_subdir(
+    manual_html.full_path(),
+    install_dir : get_option('datadir') / 'doc/nix',
+  )
+endif
 
 nix_nested_manpages = [
   [
@@ -180,6 +223,7 @@ nix_nested_manpages = [
   ],
 ]
 
+# Manpage generation (standalone, no mdbook dependency)
 foreach command : nix_nested_manpages
   foreach page : command[1]
     title = command[0] + ' --' + page
@@ -187,15 +231,19 @@ foreach command : nix_nested_manpages
     custom_target(
       command : [
         bash,
-        files('./render-manpage.sh'),
+        '@INPUT0@',
         '--out-no-smarty',
         title,
         section,
-        '@INPUT0@/command-ref' / command[0] / (page + '.md'),
+        meson.current_source_dir() / 'source',
+        meson.current_build_dir() / 'source',
+        doc_url,
+        meson.current_source_dir() / 'source/command-ref' / command[0] / (page + '.md'),
         '@OUTPUT0@',
       ],
       input : [
-        manual_md,
+        files('./render-manpage.sh'),
+        files('./expand-includes.py'),
         nix_input,
       ],
       output : command[0] + '-' + page + '.1',
@@ -304,14 +352,21 @@ foreach page : nix3_manpages
     command : [
       bash,
       '@INPUT0@',
+      # Note: no --out-no-smarty flag (original behavior)
       page,
       section,
-      '@INPUT1@/command-ref/new-cli/@0@.md'.format(page),
+      meson.current_source_dir() / 'source',
+      meson.current_build_dir() / 'source',
+      doc_url,
+      meson.current_build_dir() / 'source/command-ref/new-cli/@0@.md'.format(
+        page,
+      ),
       '@OUTPUT@',
     ],
     input : [
       files('./render-manpage.sh'),
-      manual_md,
+      files('./expand-includes.py'),
+      nix3_cli_files,
       nix_input,
     ],
     output : page + '.1',
@@ -331,7 +386,12 @@ nix_manpages = [
   [ 'nix-channel', 1 ],
   [ 'nix-hash', 1 ],
   [ 'nix-copy-closure', 1 ],
-  [ 'nix.conf', 5, conf_file_md.full_path() ],
+  [
+    'nix.conf',
+    5,
+    conf_file_md.full_path(),
+    [ conf_file_md, experimental_features_shortlist_md ],
+  ],
   [ 'nix-daemon', 8 ],
   [ 'nix-profiles', 5, 'files/profiles.md' ],
 ]
@@ -343,19 +403,24 @@ foreach entry : nix_manpages
   # Therefore we use an optional third element of this array to override the name pattern
   md_file = entry.get(2, title + '.md')
   section = entry[1].to_string()
-  md_file_resolved = join_paths('@INPUT1@/command-ref/', md_file)
+  input_file = meson.current_source_dir() / 'source/command-ref' / md_file
+
   custom_target(
     command : [
       bash,
       '@INPUT0@',
+      # Note: no --out-no-smarty flag (original behavior)
       title,
       section,
-      md_file_resolved,
+      meson.current_source_dir() / 'source',
+      meson.current_build_dir() / 'source',
+      doc_url,
+      input_file,
       '@OUTPUT@',
     ],
     input : [
       files('./render-manpage.sh'),
-      manual_md,
+      files('./expand-includes.py'),
       entry.get(3, []),
       nix_input,
     ],

doc/manual/meson.options

@@ -0,0 +1,13 @@
+option(
+  'official-release',
+  type : 'boolean',
+  value : true,
+  description : 'Whether this is an official release build (affects documentation URLs)',
+)
+
+option(
+  'html-manual',
+  type : 'boolean',
+  value : true,
+  description : 'Whether to build the HTML manual (requires mdbook)',
+)

doc/manual/package.nix

@@ -1,12 +1,13 @@
 {
   lib,
+  callPackage,
   mkMesonDerivation,
+  runCommand,
 
   meson,
   ninja,
   lowdown-unsandboxed,
   mdbook,
-  mdbook-linkcheck,
   jq,
   python3,
   rsync,
@@ -18,6 +19,14 @@
   # Configuration Options
 
   version,
+  /**
+    Whether to build the HTML manual.
+    When false, only manpages are built, avoiding the mdbook dependency.
+  */
+  buildHtmlManual ? true,
+
+  # `tests` attribute
+  testers,
 }:
 
 let
@@ -34,12 +43,17 @@ mkMesonDerivation (finalAttrs: {
       (fileset.unions [
         ../../.version
         # For example JSON
+        ../../src/libutil-tests/data/memory-source-accessor
         ../../src/libutil-tests/data/hash
         ../../src/libstore-tests/data/content-address
         ../../src/libstore-tests/data/store-path
+        ../../src/libstore-tests/data/realisation
+        ../../src/libstore-tests/data/derivation
         ../../src/libstore-tests/data/derived-path
         ../../src/libstore-tests/data/path-info
         ../../src/libstore-tests/data/nar-info
+        ../../src/libstore-tests/data/build-result
+        ../../src/libstore-tests/data/dummy-store
         # Too many different types of files to filter for now
         ../../doc/manual
         ./.
@@ -48,45 +62,92 @@ mkMesonDerivation (finalAttrs: {
       ../../doc/manual/package.nix;
 
   # TODO the man pages should probably be separate
-  outputs = [
-    "out"
-    "man"
+  outputs =
+    if buildHtmlManual then
+      [
+        "out"
+        "man"
+      ]
+    else
+      [ "out" ]; # Only one output when HTML manual is disabled; use "out" for manpages
+
+  # When HTML manual is disabled, install manpages to "out" instead of "man"
+  mesonFlags = [
+    (lib.mesonBool "official-release" officialRelease)
+    (lib.mesonBool "html-manual" buildHtmlManual)
+  ]
+  ++ lib.optionals (!buildHtmlManual) [
+    "--mandir=${placeholder "out"}/share/man"
   ];
 
-  # Hack for sake of the dev shell
-  passthru.externalNativeBuildInputs = [
+  nativeBuildInputs = [
+    nix-cli
     meson
     ninja
     (lib.getBin lowdown-unsandboxed)
-    mdbook
-    mdbook-linkcheck
     jq
     python3
+  ]
+  ++ lib.optionals buildHtmlManual [
+    mdbook
     rsync
     json-schema-for-humans
-    changelog-d
   ]
-  ++ lib.optionals (!officialRelease) [
+  ++ lib.optionals (!officialRelease && buildHtmlManual) [
     # When not an official release, we likely have changelog entries that have
     # yet to be rendered.
     # When released, these are rendered into a committed file to save a dependency.
     changelog-d
   ];
 
-  nativeBuildInputs = finalAttrs.passthru.externalNativeBuildInputs ++ [
-    nix-cli
-  ];
-
   preConfigure = ''
     chmod u+w ./.version
     echo ${finalAttrs.version} > ./.version
   '';
 
-  postInstall = ''
+  postInstall = lib.optionalString buildHtmlManual ''
     mkdir -p ''$out/nix-support
     echo "doc manual ''$out/share/doc/nix/manual" >> ''$out/nix-support/hydra-build-products
   '';
 
+  passthru = lib.optionalAttrs buildHtmlManual {
+    /**
+      The root of the HTML manual.
+      E.g. "${nix-manual.site}/index.html" exists.
+    */
+
+    site = finalAttrs.finalPackage + "/share/doc/nix/manual";
+
+    tests =
+      let
+        redirect-targets = callPackage ./redirect-targets-html.nix { };
+      in
+      {
+        # https://nixos.org/manual/nixpkgs/stable/index.html#tester-lycheeLinkCheck
+        linkcheck = testers.lycheeLinkCheck {
+          site =
+            let
+              plain = finalAttrs.finalPackage.site;
+            in
+            runCommand "nix-manual-with-redirect-targets" { } ''
+              cp -r ${plain} $out
+              chmod -R u+w $out
+              cp ${redirect-targets}/redirect-targets.html $out/redirect-targets.html
+            '';
+          extraConfig = {
+            exclude = [
+              # Exclude auto-generated JSON schema documentation which has
+              # auto-generated fragment IDs that don't match the link references
+              ".*/protocols/json/.*\\.html"
+              # Exclude undocumented builtins
+              ".*/language/builtins\\.html#builtins-addErrorContext"
+              ".*/language/builtins\\.html#builtins-appendContext"
+            ];
+          };
+        };
+      };
+  };
+
   meta = {
     platforms = lib.platforms.all;
   };

doc/manual/redirect-targets-html.nix

@@ -0,0 +1,62 @@
+# Generates redirect-targets.html containing all redirect targets for link checking.
+# Used by: doc/manual/package.nix (passthru.tests.linkcheck)
+
+{
+  stdenv,
+  lib,
+  jq,
+}:
+
+stdenv.mkDerivation {
+  name = "redirect-targets-html";
+
+  src = lib.fileset.toSource {
+    root = ./.;
+    fileset = ./redirects.json;
+  };
+
+  nativeBuildInputs = [ jq ];
+
+  installPhase = ''
+    mkdir -p $out
+
+    {
+      echo '<!DOCTYPE html>'
+      echo '<html><head><title>Nix Manual Redirect Targets</title></head><body>'
+      echo '<h1>Redirect Targets to Check</h1>'
+      echo '<p>This document contains all redirect targets from the Nix manual.</p>'
+
+      echo '<h2>Client-side redirects (from redirects.json)</h2>'
+      echo '<ul>'
+
+      # Extract all redirects with their source pages to properly resolve relative paths
+      jq -r 'to_entries[] | .key as $page | .value | to_entries[] | "\($page)\t\(.value)"' \
+        redirects.json | while IFS=$'\t' read -r page target; do
+
+        page_dir=$(dirname "$page")
+
+        # Handle fragment-only targets (e.g., #primitives)
+        if [[ "$target" == \#* ]]; then
+          # Fragment is on the same page
+          resolved="$page$target"
+          echo "<li><a href=\"$resolved\">$resolved</a> (fragment on $page)</li>"
+          continue
+        fi
+
+        # Resolve relative path based on the source page location
+        resolved="$page_dir/$target"
+
+        echo "<li><a href=\"$resolved\">$resolved</a> (from $page)</li>"
+      done
+
+      echo '</ul>'
+      echo '</body></html>'
+    } > $out/redirect-targets.html
+
+    echo "Generated redirect targets document with $(grep -c '<li>' $out/redirect-targets.html) links"
+  '';
+
+  meta = {
+    description = "HTML document listing all Nix manual redirect targets for link checking";
+  };
+}

doc/manual/redirects.js

@@ -1,460 +0,0 @@
-// redirect rules for URL fragments (client-side) to prevent link rot.
-// this must be done on the client side, as web servers do not see the fragment part of the URL.
-// it will only work with JavaScript enabled in the browser, but this is the best we can do here.
-// see source/_redirects for path redirects (server-side)
-
-// redirects are declared as follows:
-// each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
-//
-//     IMPORTANT: it must specify the full path with file name and suffix
-//
-// each entry is itself a set of key-value pairs, where
-// - keys are anchors on the matched path.
-// - values are redirection targets relative to the current path.
-
-const redirects = {
- "index.html": {
-    "part-advanced-topics": "advanced-topics/index.html",
-    "chap-tuning-cores-and-jobs": "advanced-topics/cores-vs-jobs.html",
-    "chap-diff-hook": "advanced-topics/diff-hook.html",
-    "check-dirs-are-unregistered": "advanced-topics/diff-hook.html#check-dirs-are-unregistered",
-    "chap-distributed-builds": "command-ref/conf-file.html#conf-builders",
-    "chap-post-build-hook": "advanced-topics/post-build-hook.html",
-    "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
-    "chap-writing-nix-expressions": "language/index.html",
-    "part-command-ref": "command-ref/index.html",
-    "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
-    "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
-    "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
-    "conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
-    "conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",
-    "conf-binary-cache-public-keys": "command-ref/conf-file.html#conf-binary-cache-public-keys",
-    "conf-binary-caches": "command-ref/conf-file.html#conf-binary-caches",
-    "conf-build-compress-log": "command-ref/conf-file.html#conf-build-compress-log",
-    "conf-build-cores": "command-ref/conf-file.html#conf-build-cores",
-    "conf-build-extra-chroot-dirs": "command-ref/conf-file.html#conf-build-extra-chroot-dirs",
-    "conf-build-extra-sandbox-paths": "command-ref/conf-file.html#conf-build-extra-sandbox-paths",
-    "conf-build-fallback": "command-ref/conf-file.html#conf-build-fallback",
-    "conf-build-max-jobs": "command-ref/conf-file.html#conf-build-max-jobs",
-    "conf-build-max-log-size": "command-ref/conf-file.html#conf-build-max-log-size",
-    "conf-build-max-silent-time": "command-ref/conf-file.html#conf-build-max-silent-time",
-    "conf-build-timeout": "command-ref/conf-file.html#conf-build-timeout",
-    "conf-build-use-chroot": "command-ref/conf-file.html#conf-build-use-chroot",
-    "conf-build-use-sandbox": "command-ref/conf-file.html#conf-build-use-sandbox",
-    "conf-build-use-substitutes": "command-ref/conf-file.html#conf-build-use-substitutes",
-    "conf-build-users-group": "command-ref/conf-file.html#conf-build-users-group",
-    "conf-builders": "command-ref/conf-file.html#conf-builders",
-    "conf-builders-use-substitutes": "command-ref/conf-file.html#conf-builders-use-substitutes",
-    "conf-compress-build-log": "command-ref/conf-file.html#conf-compress-build-log",
-    "conf-connect-timeout": "command-ref/conf-file.html#conf-connect-timeout",
-    "conf-cores": "command-ref/conf-file.html#conf-cores",
-    "conf-diff-hook": "command-ref/conf-file.html#conf-diff-hook",
-    "conf-env-keep-derivations": "command-ref/conf-file.html#conf-env-keep-derivations",
-    "conf-extra-binary-caches": "command-ref/conf-file.html#conf-extra-binary-caches",
-    "conf-extra-platforms": "command-ref/conf-file.html#conf-extra-platforms",
-    "conf-extra-sandbox-paths": "command-ref/conf-file.html#conf-extra-sandbox-paths",
-    "conf-extra-substituters": "command-ref/conf-file.html#conf-extra-substituters",
-    "conf-fallback": "command-ref/conf-file.html#conf-fallback",
-    "conf-fsync-metadata": "command-ref/conf-file.html#conf-fsync-metadata",
-    "conf-gc-keep-derivations": "command-ref/conf-file.html#conf-gc-keep-derivations",
-    "conf-gc-keep-outputs": "command-ref/conf-file.html#conf-gc-keep-outputs",
-    "conf-hashed-mirrors": "command-ref/conf-file.html#conf-hashed-mirrors",
-    "conf-http-connections": "command-ref/conf-file.html#conf-http-connections",
-    "conf-keep-build-log": "command-ref/conf-file.html#conf-keep-build-log",
-    "conf-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
-    "conf-keep-env-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
-    "conf-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
-    "conf-max-build-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
-    "conf-max-free": "command-ref/conf-file.html#conf-max-free",
-    "conf-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
-    "conf-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
-    "conf-min-free": "command-ref/conf-file.html#conf-min-free",
-    "conf-narinfo-cache-negative-ttl": "command-ref/conf-file.html#conf-narinfo-cache-negative-ttl",
-    "conf-narinfo-cache-positive-ttl": "command-ref/conf-file.html#conf-narinfo-cache-positive-ttl",
-    "conf-netrc-file": "command-ref/conf-file.html#conf-netrc-file",
-    "conf-plugin-files": "command-ref/conf-file.html#conf-plugin-files",
-    "conf-post-build-hook": "command-ref/conf-file.html#conf-post-build-hook",
-    "conf-pre-build-hook": "command-ref/conf-file.html#conf-pre-build-hook",
-    "conf-require-sigs": "command-ref/conf-file.html#conf-require-sigs",
-    "conf-restrict-eval": "command-ref/conf-file.html#conf-restrict-eval",
-    "conf-run-diff-hook": "command-ref/conf-file.html#conf-run-diff-hook",
-    "conf-sandbox": "command-ref/conf-file.html#conf-sandbox",
-    "conf-sandbox-dev-shm-size": "command-ref/conf-file.html#conf-sandbox-dev-shm-size",
-    "conf-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
-    "conf-secret-key-files": "command-ref/conf-file.html#conf-secret-key-files",
-    "conf-show-trace": "command-ref/conf-file.html#conf-show-trace",
-    "conf-stalled-download-timeout": "command-ref/conf-file.html#conf-stalled-download-timeout",
-    "conf-substitute": "command-ref/conf-file.html#conf-substitute",
-    "conf-substituters": "command-ref/conf-file.html#conf-substituters",
-    "conf-system": "command-ref/conf-file.html#conf-system",
-    "conf-system-features": "command-ref/conf-file.html#conf-system-features",
-    "conf-tarball-ttl": "command-ref/conf-file.html#conf-tarball-ttl",
-    "conf-timeout": "command-ref/conf-file.html#conf-timeout",
-    "conf-trace-function-calls": "command-ref/conf-file.html#conf-trace-function-calls",
-    "conf-trusted-binary-caches": "command-ref/conf-file.html#conf-trusted-binary-caches",
-    "conf-trusted-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
-    "conf-trusted-substituters": "command-ref/conf-file.html#conf-trusted-substituters",
-    "conf-trusted-users": "command-ref/conf-file.html#conf-trusted-users",
-    "extra-sandbox-paths": "command-ref/conf-file.html#extra-sandbox-paths",
-    "sec-conf-file": "command-ref/conf-file.html",
-    "env-NIX_PATH": "command-ref/env-common.html#env-NIX_PATH",
-    "env-common": "command-ref/env-common.html",
-    "envar-remote": "command-ref/env-common.html#env-NIX_REMOTE",
-    "sec-common-env": "command-ref/env-common.html",
-    "ch-files": "command-ref/files.html",
-    "ch-main-commands": "command-ref/main-commands.html",
-    "opt-out-link": "command-ref/nix-build.html#opt-out-link",
-    "sec-nix-build": "command-ref/nix-build.html",
-    "sec-nix-channel": "command-ref/nix-channel.html",
-    "sec-nix-collect-garbage": "command-ref/nix-collect-garbage.html",
-    "sec-nix-copy-closure": "command-ref/nix-copy-closure.html",
-    "sec-nix-daemon": "command-ref/nix-daemon.html",
-    "refsec-nix-env-install-examples": "command-ref/nix-env.html#examples",
-    "rsec-nix-env-install": "command-ref/nix-env.html#operation---install",
-    "rsec-nix-env-set": "command-ref/nix-env.html#operation---set",
-    "rsec-nix-env-set-flag": "command-ref/nix-env.html#operation---set-flag",
-    "rsec-nix-env-upgrade": "command-ref/nix-env.html#operation---upgrade",
-    "sec-nix-env": "command-ref/nix-env.html",
-    "ssec-version-comparisons": "command-ref/nix-env.html#versions",
-    "sec-nix-hash": "command-ref/nix-hash.html",
-    "sec-nix-instantiate": "command-ref/nix-instantiate.html",
-    "sec-nix-prefetch-url": "command-ref/nix-prefetch-url.html",
-    "sec-nix-shell": "command-ref/nix-shell.html",
-    "ssec-nix-shell-shebang": "command-ref/nix-shell.html#use-as-a--interpreter",
-    "nixref-queries": "command-ref/nix-store.html#queries",
-    "opt-add-root": "command-ref/nix-store.html#opt-add-root",
-    "refsec-nix-store-dump": "command-ref/nix-store.html#operation---dump",
-    "refsec-nix-store-export": "command-ref/nix-store.html#operation---export",
-    "refsec-nix-store-import": "command-ref/nix-store.html#operation---import",
-    "refsec-nix-store-query": "command-ref/nix-store.html#operation---query",
-    "refsec-nix-store-verify": "command-ref/nix-store.html#operation---verify",
-    "rsec-nix-store-gc": "command-ref/nix-store.html#operation---gc",
-    "rsec-nix-store-generate-binary-cache-key": "command-ref/nix-store.html#operation---generate-binary-cache-key",
-    "rsec-nix-store-realise": "command-ref/nix-store.html#operation---realise",
-    "rsec-nix-store-serve": "command-ref/nix-store.html#operation---serve",
-    "sec-nix-store": "command-ref/nix-store.html",
-    "opt-I": "command-ref/opt-common.html#opt-I",
-    "opt-attr": "command-ref/opt-common.html#opt-attr",
-    "opt-common": "command-ref/opt-common.html",
-    "opt-cores": "command-ref/opt-common.html#opt-cores",
-    "opt-log-format": "command-ref/opt-common.html#opt-log-format",
-    "opt-max-jobs": "command-ref/opt-common.html#opt-max-jobs",
-    "opt-max-silent-time": "command-ref/opt-common.html#opt-max-silent-time",
-    "opt-timeout": "command-ref/opt-common.html#opt-timeout",
-    "sec-common-options": "command-ref/opt-common.html",
-    "ch-utilities": "command-ref/utilities.html",
-    "chap-hacking": "development/building.html",
-    "adv-attr-allowSubstitutes": "language/advanced-attributes.html#adv-attr-allowSubstitutes",
-    "adv-attr-allowedReferences": "language/advanced-attributes.html#adv-attr-allowedReferences",
-    "adv-attr-allowedRequisites": "language/advanced-attributes.html#adv-attr-allowedRequisites",
-    "adv-attr-disallowedReferences": "language/advanced-attributes.html#adv-attr-disallowedReferences",
-    "adv-attr-disallowedRequisites": "language/advanced-attributes.html#adv-attr-disallowedRequisites",
-    "adv-attr-exportReferencesGraph": "language/advanced-attributes.html#adv-attr-exportReferencesGraph",
-    "adv-attr-impureEnvVars": "language/advanced-attributes.html#adv-attr-impureEnvVars",
-    "adv-attr-outputHash": "language/advanced-attributes.html#adv-attr-outputHash",
-    "adv-attr-outputHashAlgo": "language/advanced-attributes.html#adv-attr-outputHashAlgo",
-    "adv-attr-outputHashMode": "language/advanced-attributes.html#adv-attr-outputHashMode",
-    "adv-attr-passAsFile": "language/advanced-attributes.html#adv-attr-passAsFile",
-    "adv-attr-preferLocalBuild": "language/advanced-attributes.html#adv-attr-preferLocalBuild",
-    "fixed-output-drvs": "language/advanced-attributes.html#adv-attr-outputHash",
-    "sec-advanced-attributes": "language/advanced-attributes.html",
-    "builtin-abort": "language/builtins.html#builtins-abort",
-    "builtin-add": "language/builtins.html#builtins-add",
-    "builtin-all": "language/builtins.html#builtins-all",
-    "builtin-any": "language/builtins.html#builtins-any",
-    "builtin-attrNames": "language/builtins.html#builtins-attrNames",
-    "builtin-attrValues": "language/builtins.html#builtins-attrValues",
-    "builtin-baseNameOf": "language/builtins.html#builtins-baseNameOf",
-    "builtin-bitAnd": "language/builtins.html#builtins-bitAnd",
-    "builtin-bitOr": "language/builtins.html#builtins-bitOr",
-    "builtin-bitXor": "language/builtins.html#builtins-bitXor",
-    "builtin-builtins": "language/builtins.html#builtins-builtins",
-    "builtin-compareVersions": "language/builtins.html#builtins-compareVersions",
-    "builtin-concatLists": "language/builtins.html#builtins-concatLists",
-    "builtin-concatStringsSep": "language/builtins.html#builtins-concatStringsSep",
-    "builtin-currentSystem": "language/builtins.html#builtins-currentSystem",
-    "builtin-deepSeq": "language/builtins.html#builtins-deepSeq",
-    "builtin-derivation": "language/builtins.html#builtins-derivation",
-    "builtin-dirOf": "language/builtins.html#builtins-dirOf",
-    "builtin-div": "language/builtins.html#builtins-div",
-    "builtin-elem": "language/builtins.html#builtins-elem",
-    "builtin-elemAt": "language/builtins.html#builtins-elemAt",
-    "builtin-fetchGit": "language/builtins.html#builtins-fetchGit",
-    "builtin-fetchTarball": "language/builtins.html#builtins-fetchTarball",
-    "builtin-fetchurl": "language/builtins.html#builtins-fetchurl",
-    "builtin-filterSource": "language/builtins.html#builtins-filterSource",
-    "builtin-foldl-prime": "language/builtins.html#builtins-foldl-prime",
-    "builtin-fromJSON": "language/builtins.html#builtins-fromJSON",
-    "builtin-functionArgs": "language/builtins.html#builtins-functionArgs",
-    "builtin-genList": "language/builtins.html#builtins-genList",
-    "builtin-getAttr": "language/builtins.html#builtins-getAttr",
-    "builtin-getEnv": "language/builtins.html#builtins-getEnv",
-    "builtin-hasAttr": "language/builtins.html#builtins-hasAttr",
-    "builtin-hashFile": "language/builtins.html#builtins-hashFile",
-    "builtin-hashString": "language/builtins.html#builtins-hashString",
-    "builtin-head": "language/builtins.html#builtins-head",
-    "builtin-import": "language/builtins.html#builtins-import",
-    "builtin-intersectAttrs": "language/builtins.html#builtins-intersectAttrs",
-    "builtin-isAttrs": "language/builtins.html#builtins-isAttrs",
-    "builtin-isBool": "language/builtins.html#builtins-isBool",
-    "builtin-isFloat": "language/builtins.html#builtins-isFloat",
-    "builtin-isFunction": "language/builtins.html#builtins-isFunction",
-    "builtin-isInt": "language/builtins.html#builtins-isInt",
-    "builtin-isList": "language/builtins.html#builtins-isList",
-    "builtin-isNull": "language/builtins.html#builtins-isNull",
-    "builtin-isString": "language/builtins.html#builtins-isString",
-    "builtin-length": "language/builtins.html#builtins-length",
-    "builtin-lessThan": "language/builtins.html#builtins-lessThan",
-    "builtin-listToAttrs": "language/builtins.html#builtins-listToAttrs",
-    "builtin-map": "language/builtins.html#builtins-map",
-    "builtin-match": "language/builtins.html#builtins-match",
-    "builtin-mul": "language/builtins.html#builtins-mul",
-    "builtin-parseDrvName": "language/builtins.html#builtins-parseDrvName",
-    "builtin-path": "language/builtins.html#builtins-path",
-    "builtin-pathExists": "language/builtins.html#builtins-pathExists",
-    "builtin-placeholder": "language/builtins.html#builtins-placeholder",
-    "builtin-readDir": "language/builtins.html#builtins-readDir",
-    "builtin-readFile": "language/builtins.html#builtins-readFile",
-    "builtin-removeAttrs": "language/builtins.html#builtins-removeAttrs",
-    "builtin-replaceStrings": "language/builtins.html#builtins-replaceStrings",
-    "builtin-seq": "language/builtins.html#builtins-seq",
-    "builtin-sort": "language/builtins.html#builtins-sort",
-    "builtin-split": "language/builtins.html#builtins-split",
-    "builtin-splitVersion": "language/builtins.html#builtins-splitVersion",
-    "builtin-stringLength": "language/builtins.html#builtins-stringLength",
-    "builtin-sub": "language/builtins.html#builtins-sub",
-    "builtin-substring": "language/builtins.html#builtins-substring",
-    "builtin-tail": "language/builtins.html#builtins-tail",
-    "builtin-throw": "language/builtins.html#builtins-throw",
-    "builtin-toFile": "language/builtins.html#builtins-toFile",
-    "builtin-toJSON": "language/builtins.html#builtins-toJSON",
-    "builtin-toPath": "language/builtins.html#builtins-toPath",
-    "builtin-toString": "language/builtins.html#builtins-toString",
-    "builtin-toXML": "language/builtins.html#builtins-toXML",
-    "builtin-trace": "language/builtins.html#builtins-trace",
-    "builtin-tryEval": "language/builtins.html#builtins-tryEval",
-    "builtin-typeOf": "language/builtins.html#builtins-typeOf",
-    "ssec-builtins": "language/builtins.html",
-    "attr-system": "language/derivations.html#attr-system",
-    "ssec-derivation": "language/derivations.html",
-    "ch-expression-language": "language/index.html",
-    "sec-constructs": "language/syntax.html",
-    "sect-let-language": "language/syntax.html#let-expressions",
-    "ss-functions": "language/syntax.html#functions",
-    "sec-language-operators": "language/operators.html",
-    "table-operators": "language/operators.html",
-    "ssec-values": "language/types.html",
-    "gloss-closure": "glossary.html#gloss-closure",
-    "gloss-derivation": "glossary.html#gloss-derivation",
-    "gloss-deriver": "glossary.html#gloss-deriver",
-    "gloss-nar": "glossary.html#gloss-nar",
-    "gloss-output-path": "glossary.html#gloss-output-path",
-    "gloss-profile": "glossary.html#gloss-profile",
-    "gloss-reachable": "glossary.html#gloss-reachable",
-    "gloss-reference": "glossary.html#gloss-reference",
-    "gloss-substitute": "glossary.html#gloss-substitute",
-    "gloss-user-env": "glossary.html#gloss-user-env",
-    "gloss-validity": "glossary.html#gloss-validity",
-    "part-glossary": "glossary.html",
-    "sec-building-source": "installation/building-source.html",
-    "ch-env-variables": "installation/env-variables.html",
-    "sec-installer-proxy-settings": "installation/env-variables.html#proxy-environment-variables",
-    "sec-nix-ssl-cert-file": "installation/env-variables.html#nix_ssl_cert_file",
-    "sec-nix-ssl-cert-file-with-nix-daemon-and-macos": "installation/env-variables.html#nix_ssl_cert_file-with-macos-and-the-nix-daemon",
-    "chap-installation": "installation/index.html",
-    "ch-installing-binary": "installation/installing-binary.html",
-    "sect-macos-installation": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-change-store-prefix": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-encrypted-volume": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-recommended-notes": "installation/installing-binary.html#macos-installation",
-    "sect-macos-installation-symlink": "installation/installing-binary.html#macos-installation",
-    "sect-multi-user-installation": "installation/installing-binary.html#multi-user-installation",
-    "sect-nix-install-binary-tarball": "installation/installing-binary.html#installing-from-a-binary-tarball",
-    "sect-nix-install-pinned-version-url": "installation/installing-binary.html#installing-a-pinned-nix-version-from-a-url",
-    "sect-single-user-installation": "installation/installing-binary.html#single-user-installation",
-    "ch-installing-source": "installation/installing-source.html",
-    "ssec-multi-user": "installation/multi-user.html",
-    "ch-nix-security": "installation/nix-security.html",
-    "sec-obtaining-source": "installation/obtaining-source.html",
-    "sec-prerequisites-source": "installation/prerequisites-source.html",
-    "sec-single-user": "installation/single-user.html",
-    "ch-supported-platforms": "installation/supported-platforms.html",
-    "ch-upgrading-nix": "installation/upgrading.html",
-    "ch-about-nix": "introduction.html",
-    "chap-introduction": "introduction.html",
-    "ch-basic-package-mgmt": "package-management/basic-package-mgmt.html",
-    "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
-    "sec-channels": "command-ref/nix-channel.html",
-    "ssec-copy-closure": "command-ref/nix-copy-closure.html",
-    "sec-garbage-collection": "package-management/garbage-collection.html",
-    "ssec-gc-roots": "package-management/garbage-collector-roots.html",
-    "chap-package-management": "package-management/index.html",
-    "sec-profiles": "package-management/profiles.html",
-    "ssec-s3-substituter": "store/types/s3-substituter.html",
-    "ssec-s3-substituter-anonymous-reads": "store/types/s3-substituter.html#anonymous-reads-to-your-s3-compatible-binary-cache",
-    "ssec-s3-substituter-authenticated-reads": "store/types/s3-substituter.html#authenticated-reads-to-your-s3-binary-cache",
-    "ssec-s3-substituter-authenticated-writes": "store/types/s3-substituter.html#authenticated-writes-to-your-s3-compatible-binary-cache",
-    "sec-sharing-packages": "package-management/sharing-packages.html",
-    "ssec-ssh-substituter": "package-management/ssh-substituter.html",
-    "chap-quick-start": "quick-start.html",
-    "sec-relnotes": "release-notes/index.html",
-    "ch-relnotes-0.10.1": "release-notes/rl-0.10.1.html",
-    "ch-relnotes-0.10": "release-notes/rl-0.10.html",
-    "ssec-relnotes-0.11": "release-notes/rl-0.11.html",
-    "ssec-relnotes-0.12": "release-notes/rl-0.12.html",
-    "ssec-relnotes-0.13": "release-notes/rl-0.13.html",
-    "ssec-relnotes-0.14": "release-notes/rl-0.14.html",
-    "ssec-relnotes-0.15": "release-notes/rl-0.15.html",
-    "ssec-relnotes-0.16": "release-notes/rl-0.16.html",
-    "ch-relnotes-0.5": "release-notes/rl-0.5.html",
-    "ch-relnotes-0.6": "release-notes/rl-0.6.html",
-    "ch-relnotes-0.7": "release-notes/rl-0.7.html",
-    "ch-relnotes-0.8.1": "release-notes/rl-0.8.1.html",
-    "ch-relnotes-0.8": "release-notes/rl-0.8.html",
-    "ch-relnotes-0.9.1": "release-notes/rl-0.9.1.html",
-    "ch-relnotes-0.9.2": "release-notes/rl-0.9.2.html",
-    "ch-relnotes-0.9": "release-notes/rl-0.9.html",
-    "ssec-relnotes-1.0": "release-notes/rl-1.0.html",
-    "ssec-relnotes-1.1": "release-notes/rl-1.1.html",
-    "ssec-relnotes-1.10": "release-notes/rl-1.10.html",
-    "ssec-relnotes-1.11.10": "release-notes/rl-1.11.10.html",
-    "ssec-relnotes-1.11": "release-notes/rl-1.11.html",
-    "ssec-relnotes-1.2": "release-notes/rl-1.2.html",
-    "ssec-relnotes-1.3": "release-notes/rl-1.3.html",
-    "ssec-relnotes-1.4": "release-notes/rl-1.4.html",
-    "ssec-relnotes-1.5.1": "release-notes/rl-1.5.1.html",
-    "ssec-relnotes-1.5.2": "release-notes/rl-1.5.2.html",
-    "ssec-relnotes-1.5": "release-notes/rl-1.5.html",
-    "ssec-relnotes-1.6.1": "release-notes/rl-1.6.1.html",
-    "ssec-relnotes-1.6.0": "release-notes/rl-1.6.html",
-    "ssec-relnotes-1.7": "release-notes/rl-1.7.html",
-    "ssec-relnotes-1.8": "release-notes/rl-1.8.html",
-    "ssec-relnotes-1.9": "release-notes/rl-1.9.html",
-    "ssec-relnotes-2.0": "release-notes/rl-2.0.html",
-    "ssec-relnotes-2.1": "release-notes/rl-2.1.html",
-    "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
-    "ssec-relnotes-2.3": "release-notes/rl-2.3.html",
-  },
-  "language/types.html": {
-    "simple-values": "#primitives",
-    "lists": "#list",
-    "strings": "#string",
-    "attribute-sets": "#attribute-set",
-    "type-number": "#type-int",
-  },
-  "language/syntax.html": {
-    "scoping-rules": "scoping.html",
-    "string-literal": "string-literals.html",
-  },
-  "language/derivations.md": {
-    "builder-execution": "store/drv/building.md#builder-execution",
-  },
-  "installation/installing-binary.html": {
-    "linux": "uninstall.html#linux",
-    "macos": "uninstall.html#macos",
-    "uninstalling": "uninstall.html",
-  },
-  "development/building.html": {
-    "nix-with-flakes": "#building-nix-with-flakes",
-    "classic-nix": "#building-nix",
-    "running-tests": "testing.html#running-tests",
-    "unit-tests": "testing.html#unit-tests",
-    "functional-tests": "testing.html#functional-tests",
-    "debugging-failing-functional-tests": "testing.html#debugging-failing-functional-tests",
-    "integration-tests": "testing.html#integration-tests",
-    "installer-tests": "testing.html#installer-tests",
-    "one-time-setup": "testing.html#one-time-setup",
-    "using-the-ci-generated-installer-for-manual-testing": "testing.html#using-the-ci-generated-installer-for-manual-testing",
-    "characterization-testing": "testing.html#characterisation-testing-unit",
-    "add-a-release-note": "contributing.html#add-a-release-note",
-    "add-an-entry": "contributing.html#add-an-entry",
-    "build-process": "contributing.html#build-process",
-    "reverting": "contributing.html#reverting",
-    "branches": "contributing.html#branches",
-  },
-  "glossary.html": {
-    "gloss-local-store": "store/types/local-store.html",
-    "package-attribute-set": "#package",
-    "gloss-chroot-store": "store/types/local-store.html",
-    "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation",
-  },
-};
-
-// the following code matches the current page's URL against the set of redirects.
-//
-// it is written to minimize the latency between page load and redirect.
-// therefore we avoid function calls, copying data, and unnecessary loops.
-// IMPORTANT: we use stateful array operations and their order matters!
-//
-// matching URLs is more involved than it should be:
-//
-// 1. `document.location.pathname` can have an arbitrary prefix.
-//
-// 2. `path_to_root` is set by mdBook. it consists only of `../`s and
-//    determines the depth of `<path>` relative to the prefix:
-//
-//          `document.location.pathname`
-//        |------------------------------|
-//        /<prefix>/<path>/[<file>[.html]][#<anchor>]
-//                  |----|
-//              `path_to_root` has same number of path segments
-//
-//    source: https://phaiax.github.io/mdBook/format/theme/index-hbs.html#data
-//
-// 3. the following paths are equivalent:
-//
-//        /foo/bar/
-//        /foo/bar/index.html
-//        /foo/bar/index
-//
-//  4. the following paths are also equivalent:
-//
-//        /foo/bar/baz
-//        /foo/bar/baz.html
-//
-
-let segments = document.location.pathname.split('/');
-
-let file = segments.pop();
-
-// normalize file name
-if (file === '') { file = "index.html"; }
-else if (!file.endsWith('.html')) { file = file + '.html'; }
-
-segments.push(file);
-
-// use `path_to_root` to discern prefix from path.
-const depth = path_to_root.split('/').length;
-
-// remove segments containing prefix. the following works because
-// 1. the original `document.location.pathname` is absolute,
-//    hence first element of `segments` is always empty.
-// 2. last element of splitting `path_to_root` is also always empty.
-// 3. last element of `segments` is the file name.
-//
-// visual example:
-//
-//     '/foo/bar/baz.html'.split('/') -> [ '', 'foo', 'bar', 'baz.html' ]
-//          '../'.split('/')          -> [ '..', '' ]
-//
-// the following operations will then result in
-//
-//     path = 'bar/baz.html'
-//
-segments.splice(0, segments.length - depth);
-const path = segments.join('/');
-
-// anchor starts with the hash character (`#`),
-// but our redirect declarations don't, so we strip it.
-// example:
-//     document.location.hash -> '#foo'
-//     document.location.hash.substring(1) -> 'foo'
-const anchor = document.location.hash.substring(1);
-
-const redirect = redirects[path];
-if (redirect) {
-  const target = redirect[anchor];
-  if (target) {
-    document.location.href = target;
-  }
-}

doc/manual/redirects.js.in

@@ -0,0 +1,94 @@
+// redirect rules for URL fragments (client-side) to prevent link rot.
+// this must be done on the client side, as web servers do not see the fragment part of the URL.
+// it will only work with JavaScript enabled in the browser, but this is the best we can do here.
+// see source/_redirects for path redirects (server-side)
+
+// redirects are declared as follows:
+// each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
+//
+//     IMPORTANT: it must specify the full path with file name and suffix
+//
+// each entry is itself a set of key-value pairs, where
+// - keys are anchors on the matched path.
+// - values are redirection targets relative to the current path.
+
+const redirects = @REDIRECTS_JSON@;
+
+// the following code matches the current page's URL against the set of redirects.
+//
+// it is written to minimize the latency between page load and redirect.
+// therefore we avoid function calls, copying data, and unnecessary loops.
+// IMPORTANT: we use stateful array operations and their order matters!
+//
+// matching URLs is more involved than it should be:
+//
+// 1. `document.location.pathname` can have an arbitrary prefix.
+//
+// 2. `path_to_root` is set by mdBook. it consists only of `../`s and
+//    determines the depth of `<path>` relative to the prefix:
+//
+//          `document.location.pathname`
+//        |------------------------------|
+//        /<prefix>/<path>/[<file>[.html]][#<anchor>]
+//                  |----|
+//              `path_to_root` has same number of path segments
+//
+//    source: https://phaiax.github.io/mdBook/format/theme/index-hbs.html#data
+//
+// 3. the following paths are equivalent:
+//
+//        /foo/bar/
+//        /foo/bar/index.html
+//        /foo/bar/index
+//
+//  4. the following paths are also equivalent:
+//
+//        /foo/bar/baz
+//        /foo/bar/baz.html
+//
+
+let segments = document.location.pathname.split('/');
+
+let file = segments.pop();
+
+// normalize file name
+if (file === '') { file = "index.html"; }
+else if (!file.endsWith('.html')) { file = file + '.html'; }
+
+segments.push(file);
+
+// use `path_to_root` to discern prefix from path.
+const depth = path_to_root.split('/').length;
+
+// remove segments containing prefix. the following works because
+// 1. the original `document.location.pathname` is absolute,
+//    hence first element of `segments` is always empty.
+// 2. last element of splitting `path_to_root` is also always empty.
+// 3. last element of `segments` is the file name.
+//
+// visual example:
+//
+//     '/foo/bar/baz.html'.split('/') -> [ '', 'foo', 'bar', 'baz.html' ]
+//          '../'.split('/')          -> [ '..', '' ]
+//
+// the following operations will then result in
+//
+//     path = 'bar/baz.html'
+//
+segments.splice(0, segments.length - depth);
+const path = segments.join('/');
+
+// anchor starts with the hash character (`#`),
+// but our redirect declarations don't, so we strip it.
+// example:
+//     document.location.hash -> '#foo'
+//     document.location.hash.substring(1) -> 'foo'
+const anchor = document.location.hash.substring(1);
+
+const redirect = redirects[path];
+if (redirect) {
+  const target = redirect[anchor];
+  if (target) {
+    document.location.href = target;
+  }
+}

doc/manual/redirects.json

@@ -0,0 +1,372 @@
+{
+    "index.html": {
+        "part-advanced-topics": "advanced-topics/index.html",
+        "chap-tuning-cores-and-jobs": "advanced-topics/cores-vs-jobs.html",
+        "chap-diff-hook": "advanced-topics/diff-hook.html",
+        "check-dirs-are-unregistered": "advanced-topics/diff-hook.html#check-dirs-are-unregistered",
+        "chap-distributed-builds": "command-ref/conf-file.html#conf-builders",
+        "chap-post-build-hook": "advanced-topics/post-build-hook.html",
+        "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
+        "chap-writing-nix-expressions": "language/index.html",
+        "part-command-ref": "command-ref/index.html",
+        "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
+        "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
+        "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
+        "conf-allowed-users": "command-ref/conf-file.html#conf-allowed-users",
+        "conf-auto-optimise-store": "command-ref/conf-file.html#conf-auto-optimise-store",
+        "conf-binary-cache-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
+        "conf-binary-caches": "command-ref/conf-file.html#conf-substituters",
+        "conf-build-compress-log": "command-ref/conf-file.html#conf-compress-build-log",
+        "conf-build-cores": "command-ref/conf-file.html#conf-cores",
+        "conf-build-extra-chroot-dirs": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-build-extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-build-fallback": "command-ref/conf-file.html#conf-fallback",
+        "conf-build-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
+        "conf-build-max-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
+        "conf-build-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
+        "conf-build-timeout": "command-ref/conf-file.html#conf-timeout",
+        "conf-build-use-chroot": "command-ref/conf-file.html#conf-sandbox",
+        "conf-build-use-sandbox": "command-ref/conf-file.html#conf-sandbox",
+        "conf-build-use-substitutes": "command-ref/conf-file.html#conf-substitute",
+        "conf-build-users-group": "command-ref/conf-file.html#conf-build-users-group",
+        "conf-builders": "command-ref/conf-file.html#conf-builders",
+        "conf-builders-use-substitutes": "command-ref/conf-file.html#conf-builders-use-substitutes",
+        "conf-compress-build-log": "command-ref/conf-file.html#conf-compress-build-log",
+        "conf-connect-timeout": "command-ref/conf-file.html#conf-connect-timeout",
+        "conf-cores": "command-ref/conf-file.html#conf-cores",
+        "conf-diff-hook": "command-ref/conf-file.html#conf-diff-hook",
+        "conf-env-keep-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
+        "conf-extra-binary-caches": "command-ref/conf-file.html#conf-substituters",
+        "conf-extra-platforms": "command-ref/conf-file.html#conf-extra-platforms",
+        "conf-extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-extra-substituters": "command-ref/conf-file.html#conf-substituters",
+        "conf-fallback": "command-ref/conf-file.html#conf-fallback",
+        "conf-fsync-metadata": "command-ref/conf-file.html#conf-fsync-metadata",
+        "conf-gc-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
+        "conf-gc-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
+        "conf-hashed-mirrors": "command-ref/conf-file.html#conf-hashed-mirrors",
+        "conf-http-connections": "command-ref/conf-file.html#conf-http-connections",
+        "conf-keep-build-log": "command-ref/conf-file.html#conf-keep-build-log",
+        "conf-keep-derivations": "command-ref/conf-file.html#conf-keep-derivations",
+        "conf-keep-env-derivations": "command-ref/conf-file.html#conf-keep-env-derivations",
+        "conf-keep-outputs": "command-ref/conf-file.html#conf-keep-outputs",
+        "conf-max-build-log-size": "command-ref/conf-file.html#conf-max-build-log-size",
+        "conf-max-free": "command-ref/conf-file.html#conf-max-free",
+        "conf-max-jobs": "command-ref/conf-file.html#conf-max-jobs",
+        "conf-max-silent-time": "command-ref/conf-file.html#conf-max-silent-time",
+        "conf-min-free": "command-ref/conf-file.html#conf-min-free",
+        "conf-narinfo-cache-negative-ttl": "command-ref/conf-file.html#conf-narinfo-cache-negative-ttl",
+        "conf-narinfo-cache-positive-ttl": "command-ref/conf-file.html#conf-narinfo-cache-positive-ttl",
+        "conf-netrc-file": "command-ref/conf-file.html#conf-netrc-file",
+        "conf-plugin-files": "command-ref/conf-file.html#conf-plugin-files",
+        "conf-post-build-hook": "command-ref/conf-file.html#conf-post-build-hook",
+        "conf-pre-build-hook": "command-ref/conf-file.html#conf-pre-build-hook",
+        "conf-require-sigs": "command-ref/conf-file.html#conf-require-sigs",
+        "conf-restrict-eval": "command-ref/conf-file.html#conf-restrict-eval",
+        "conf-run-diff-hook": "command-ref/conf-file.html#conf-run-diff-hook",
+        "conf-sandbox": "command-ref/conf-file.html#conf-sandbox",
+        "conf-sandbox-dev-shm-size": "command-ref/conf-file.html#conf-sandbox-dev-shm-size",
+        "conf-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "conf-secret-key-files": "command-ref/conf-file.html#conf-secret-key-files",
+        "conf-show-trace": "command-ref/conf-file.html#conf-show-trace",
+        "conf-stalled-download-timeout": "command-ref/conf-file.html#conf-stalled-download-timeout",
+        "conf-substitute": "command-ref/conf-file.html#conf-substitute",
+        "conf-substituters": "command-ref/conf-file.html#conf-substituters",
+        "conf-system": "command-ref/conf-file.html#conf-system",
+        "conf-system-features": "command-ref/conf-file.html#conf-system-features",
+        "conf-tarball-ttl": "command-ref/conf-file.html#conf-tarball-ttl",
+        "conf-timeout": "command-ref/conf-file.html#conf-timeout",
+        "conf-trace-function-calls": "command-ref/conf-file.html#conf-trace-function-calls",
+        "conf-trusted-binary-caches": "command-ref/conf-file.html#conf-trusted-substituters",
+        "conf-trusted-public-keys": "command-ref/conf-file.html#conf-trusted-public-keys",
+        "conf-trusted-substituters": "command-ref/conf-file.html#conf-trusted-substituters",
+        "conf-trusted-users": "command-ref/conf-file.html#conf-trusted-users",
+        "extra-sandbox-paths": "command-ref/conf-file.html#conf-sandbox-paths",
+        "sec-conf-file": "command-ref/conf-file.html",
+        "env-NIX_PATH": "command-ref/env-common.html#env-NIX_PATH",
+        "env-common": "command-ref/env-common.html",
+        "envar-remote": "command-ref/env-common.html#env-NIX_REMOTE",
+        "sec-common-env": "command-ref/env-common.html",
+        "ch-files": "command-ref/files.html",
+        "ch-main-commands": "command-ref/main-commands.html",
+        "opt-out-link": "command-ref/nix-build.html#opt-out-link",
+        "sec-nix-build": "command-ref/nix-build.html",
+        "sec-nix-channel": "command-ref/nix-channel.html",
+        "sec-nix-collect-garbage": "command-ref/nix-collect-garbage.html",
+        "sec-nix-copy-closure": "command-ref/nix-copy-closure.html",
+        "sec-nix-daemon": "command-ref/nix-daemon.html",
+        "refsec-nix-env-install-examples": "command-ref/nix-env/install.html#examples",
+        "rsec-nix-env-install": "command-ref/nix-env/install.html",
+        "rsec-nix-env-set": "command-ref/nix-env/set.html",
+        "rsec-nix-env-set-flag": "command-ref/nix-env/set-flag.html",
+        "rsec-nix-env-upgrade": "command-ref/nix-env/upgrade.html",
+        "sec-nix-env": "command-ref/nix-env.html",
+        "ssec-version-comparisons": "command-ref/nix-env.html#selectors",
+        "sec-nix-hash": "command-ref/nix-hash.html",
+        "sec-nix-instantiate": "command-ref/nix-instantiate.html",
+        "sec-nix-prefetch-url": "command-ref/nix-prefetch-url.html",
+        "sec-nix-shell": "command-ref/nix-shell.html",
+        "ssec-nix-shell-shebang": "command-ref/nix-shell.html#use-as-a--interpreter",
+        "nixref-queries": "command-ref/nix-store/query.html#queries",
+        "opt-add-root": "command-ref/nix-store/query.html#opt-add-root",
+        "refsec-nix-store-dump": "command-ref/nix-store/dump.html",
+        "refsec-nix-store-export": "command-ref/nix-store/export.html",
+        "refsec-nix-store-import": "command-ref/nix-store/import.html",
+        "refsec-nix-store-query": "command-ref/nix-store/query.html",
+        "refsec-nix-store-verify": "command-ref/nix-store/verify.html",
+        "rsec-nix-store-gc": "command-ref/nix-store/gc.html",
+        "rsec-nix-store-generate-binary-cache-key": "command-ref/nix-store/generate-binary-cache-key.html",
+        "rsec-nix-store-realise": "command-ref/nix-store/realise.html",
+        "rsec-nix-store-serve": "command-ref/nix-store/serve.html",
+        "sec-nix-store": "command-ref/nix-store.html",
+        "opt-I": "command-ref/opt-common.html#opt-I",
+        "opt-attr": "command-ref/opt-common.html#opt-attr",
+        "opt-common": "command-ref/opt-common.html",
+        "opt-cores": "command-ref/opt-common.html#opt-cores",
+        "opt-log-format": "command-ref/opt-common.html#opt-log-format",
+        "opt-max-jobs": "command-ref/opt-common.html#opt-max-jobs",
+        "opt-max-silent-time": "command-ref/opt-common.html#opt-max-silent-time",
+        "opt-timeout": "command-ref/opt-common.html#opt-timeout",
+        "sec-common-options": "command-ref/opt-common.html",
+        "ch-utilities": "command-ref/utilities.html",
+        "chap-hacking": "development/building.html",
+        "adv-attr-allowSubstitutes": "language/advanced-attributes.html#adv-attr-allowSubstitutes",
+        "adv-attr-allowedReferences": "language/advanced-attributes.html#adv-attr-allowedReferences",
+        "adv-attr-allowedRequisites": "language/advanced-attributes.html#adv-attr-allowedRequisites",
+        "adv-attr-disallowedReferences": "language/advanced-attributes.html#adv-attr-disallowedReferences",
+        "adv-attr-disallowedRequisites": "language/advanced-attributes.html#adv-attr-disallowedRequisites",
+        "adv-attr-exportReferencesGraph": "language/advanced-attributes.html#adv-attr-exportReferencesGraph",
+        "adv-attr-impureEnvVars": "language/advanced-attributes.html#adv-attr-impureEnvVars",
+        "adv-attr-outputHash": "language/advanced-attributes.html#adv-attr-outputHash",
+        "adv-attr-outputHashAlgo": "language/advanced-attributes.html#adv-attr-outputHashAlgo",
+        "adv-attr-outputHashMode": "language/advanced-attributes.html#adv-attr-outputHashMode",
+        "adv-attr-passAsFile": "language/advanced-attributes.html#adv-attr-passAsFile",
+        "adv-attr-preferLocalBuild": "language/advanced-attributes.html#adv-attr-preferLocalBuild",
+        "fixed-output-drvs": "language/advanced-attributes.html#adv-attr-outputHash",
+        "sec-advanced-attributes": "language/advanced-attributes.html",
+        "builtin-abort": "language/builtins.html#builtins-abort",
+        "builtin-add": "language/builtins.html#builtins-add",
+        "builtin-all": "language/builtins.html#builtins-all",
+        "builtin-any": "language/builtins.html#builtins-any",
+        "builtin-attrNames": "language/builtins.html#builtins-attrNames",
+        "builtin-attrValues": "language/builtins.html#builtins-attrValues",
+        "builtin-baseNameOf": "language/builtins.html#builtins-baseNameOf",
+        "builtin-bitAnd": "language/builtins.html#builtins-bitAnd",
+        "builtin-bitOr": "language/builtins.html#builtins-bitOr",
+        "builtin-bitXor": "language/builtins.html#builtins-bitXor",
+        "builtin-builtins": "language/builtins.html#builtins-builtins",
+        "builtin-compareVersions": "language/builtins.html#builtins-compareVersions",
+        "builtin-concatLists": "language/builtins.html#builtins-concatLists",
+        "builtin-concatStringsSep": "language/builtins.html#builtins-concatStringsSep",
+        "builtin-currentSystem": "language/builtins.html#builtins-currentSystem",
+        "builtin-deepSeq": "language/builtins.html#builtins-deepSeq",
+        "builtin-derivation": "language/builtins.html#builtins-derivation",
+        "builtin-dirOf": "language/builtins.html#builtins-dirOf",
+        "builtin-div": "language/builtins.html#builtins-div",
+        "builtin-elem": "language/builtins.html#builtins-elem",
+        "builtin-elemAt": "language/builtins.html#builtins-elemAt",
+        "builtin-fetchGit": "language/builtins.html#builtins-fetchGit",
+        "builtin-fetchTarball": "language/builtins.html#builtins-fetchTarball",
+        "builtin-fetchurl": "language/builtins.html#builtins-fetchurl",
+        "builtin-filterSource": "language/builtins.html#builtins-filterSource",
+        "builtin-foldl-prime": "language/builtins.html#builtins-foldl'",
+        "builtin-fromJSON": "language/builtins.html#builtins-fromJSON",
+        "builtin-functionArgs": "language/builtins.html#builtins-functionArgs",
+        "builtin-genList": "language/builtins.html#builtins-genList",
+        "builtin-getAttr": "language/builtins.html#builtins-getAttr",
+        "builtin-getEnv": "language/builtins.html#builtins-getEnv",
+        "builtin-hasAttr": "language/builtins.html#builtins-hasAttr",
+        "builtin-hashFile": "language/builtins.html#builtins-hashFile",
+        "builtin-hashString": "language/builtins.html#builtins-hashString",
+        "builtin-head": "language/builtins.html#builtins-head",
+        "builtin-import": "language/builtins.html#builtins-import",
+        "builtin-intersectAttrs": "language/builtins.html#builtins-intersectAttrs",
+        "builtin-isAttrs": "language/builtins.html#builtins-isAttrs",
+        "builtin-isBool": "language/builtins.html#builtins-isBool",
+        "builtin-isFloat": "language/builtins.html#builtins-isFloat",
+        "builtin-isFunction": "language/builtins.html#builtins-isFunction",
+        "builtin-isInt": "language/builtins.html#builtins-isInt",
+        "builtin-isList": "language/builtins.html#builtins-isList",
+        "builtin-isNull": "language/builtins.html#builtins-isNull",
+        "builtin-isString": "language/builtins.html#builtins-isString",
+        "builtin-length": "language/builtins.html#builtins-length",
+        "builtin-lessThan": "language/builtins.html#builtins-lessThan",
+        "builtin-listToAttrs": "language/builtins.html#builtins-listToAttrs",
+        "builtin-map": "language/builtins.html#builtins-map",
+        "builtin-match": "language/builtins.html#builtins-match",
+        "builtin-mul": "language/builtins.html#builtins-mul",
+        "builtin-parseDrvName": "language/builtins.html#builtins-parseDrvName",
+        "builtin-path": "language/builtins.html#builtins-path",
+        "builtin-pathExists": "language/builtins.html#builtins-pathExists",
+        "builtin-placeholder": "language/builtins.html#builtins-placeholder",
+        "builtin-readDir": "language/builtins.html#builtins-readDir",
+        "builtin-readFile": "language/builtins.html#builtins-readFile",
+        "builtin-removeAttrs": "language/builtins.html#builtins-removeAttrs",
+        "builtin-replaceStrings": "language/builtins.html#builtins-replaceStrings",
+        "builtin-seq": "language/builtins.html#builtins-seq",
+        "builtin-sort": "language/builtins.html#builtins-sort",
+        "builtin-split": "language/builtins.html#builtins-split",
+        "builtin-splitVersion": "language/builtins.html#builtins-splitVersion",
+        "builtin-stringLength": "language/builtins.html#builtins-stringLength",
+        "builtin-sub": "language/builtins.html#builtins-sub",
+        "builtin-substring": "language/builtins.html#builtins-substring",
+        "builtin-tail": "language/builtins.html#builtins-tail",
+        "builtin-throw": "language/builtins.html#builtins-throw",
+        "builtin-toFile": "language/builtins.html#builtins-toFile",
+        "builtin-toJSON": "language/builtins.html#builtins-toJSON",
+        "builtin-toPath": "language/builtins.html#builtins-toPath",
+        "builtin-toString": "language/builtins.html#builtins-toString",
+        "builtin-toXML": "language/builtins.html#builtins-toXML",
+        "builtin-trace": "language/builtins.html#builtins-trace",
+        "builtin-tryEval": "language/builtins.html#builtins-tryEval",
+        "builtin-typeOf": "language/builtins.html#builtins-typeOf",
+        "ssec-builtins": "language/builtins.html",
+        "attr-system": "language/derivations.html#attr-system",
+        "ssec-derivation": "language/derivations.html",
+        "ch-expression-language": "language/index.html",
+        "sec-constructs": "language/syntax.html",
+        "sect-let-language": "language/syntax.html#let-expressions",
+        "ss-functions": "language/syntax.html#functions",
+        "sec-language-operators": "language/operators.html",
+        "table-operators": "language/operators.html",
+        "ssec-values": "language/types.html",
+        "gloss-closure": "glossary.html#gloss-closure",
+        "gloss-derivation": "glossary.html#gloss-derivation",
+        "gloss-deriver": "glossary.html#gloss-deriver",
+        "gloss-nar": "glossary.html#gloss-nar",
+        "gloss-output-path": "glossary.html#gloss-output-path",
+        "gloss-profile": "glossary.html#gloss-profile",
+        "gloss-reachable": "glossary.html#gloss-reachable",
+        "gloss-reference": "glossary.html#gloss-reference",
+        "gloss-substitute": "glossary.html#gloss-substitute",
+        "gloss-user-env": "glossary.html#gloss-user-env",
+        "gloss-validity": "glossary.html#gloss-validity",
+        "part-glossary": "glossary.html",
+        "sec-building-source": "installation/building-source.html",
+        "ch-env-variables": "installation/env-variables.html",
+        "sec-installer-proxy-settings": "installation/env-variables.html#proxy-environment-variables",
+        "sec-nix-ssl-cert-file": "installation/env-variables.html#nix_ssl_cert_file",
+        "sec-nix-ssl-cert-file-with-nix-daemon-and-macos": "installation/env-variables.html#nix_ssl_cert_file",
+        "chap-installation": "installation/index.html",
+        "ch-installing-binary": "installation/installing-binary.html",
+        "sect-macos-installation": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-change-store-prefix": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-encrypted-volume": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-recommended-notes": "installation/installing-binary.html#macos-installation",
+        "sect-macos-installation-symlink": "installation/installing-binary.html#macos-installation",
+        "sect-multi-user-installation": "installation/installing-binary.html#multi-user-installation",
+        "sect-nix-install-binary-tarball": "installation/installing-binary.html#installing-from-a-binary-tarball",
+        "sect-nix-install-pinned-version-url":
+            "installation/installing-binary.html#installing-a-pinned-nix-version-from-a-url",
+        "sect-single-user-installation": "installation/installing-binary.html#single-user-installation",
+        "ch-installing-source": "installation/installing-source.html",
+        "ssec-multi-user": "installation/multi-user.html",
+        "ch-nix-security": "installation/nix-security.html",
+        "sec-obtaining-source": "installation/obtaining-source.html",
+        "sec-prerequisites-source": "installation/prerequisites-source.html",
+        "sec-single-user": "installation/single-user.html",
+        "ch-supported-platforms": "installation/supported-platforms.html",
+        "ch-upgrading-nix": "installation/upgrading.html",
+        "ch-about-nix": "introduction.html",
+        "chap-introduction": "introduction.html",
+        "ch-basic-package-mgmt": "package-management/index.html",
+        "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
+        "sec-channels": "command-ref/nix-channel.html",
+        "ssec-copy-closure": "command-ref/nix-copy-closure.html",
+        "sec-garbage-collection": "package-management/garbage-collection.html",
+        "ssec-gc-roots": "package-management/garbage-collector-roots.html",
+        "chap-package-management": "package-management/index.html",
+        "sec-profiles": "package-management/profiles.html",
+        "ssec-s3-substituter": "store/types/s3-binary-cache-store.html",
+        "ssec-s3-substituter-anonymous-reads":
+            "store/types/s3-binary-cache-store.html#anonymous-reads-to-your-s3-compatible-binary-cache",
+        "ssec-s3-substituter-authenticated-reads":
+            "store/types/s3-binary-cache-store.html#authenticated-reads-to-your-s3-binary-cache",
+        "ssec-s3-substituter-authenticated-writes":
+            "store/types/s3-binary-cache-store.html#authenticated-writes-to-your-s3-compatible-binary-cache",
+        "sec-sharing-packages": "package-management/sharing-packages.html",
+        "ssec-ssh-substituter": "package-management/ssh-substituter.html",
+        "chap-quick-start": "quick-start.html",
+        "sec-relnotes": "release-notes/index.html",
+        "ch-relnotes-0.10.1": "release-notes/rl-0.10.1.html",
+        "ch-relnotes-0.10": "release-notes/rl-0.10.html",
+        "ssec-relnotes-0.11": "release-notes/rl-0.11.html",
+        "ssec-relnotes-0.12": "release-notes/rl-0.12.html",
+        "ssec-relnotes-0.13": "release-notes/rl-0.13.html",
+        "ssec-relnotes-0.14": "release-notes/rl-0.14.html",
+        "ssec-relnotes-0.15": "release-notes/rl-0.15.html",
+        "ssec-relnotes-0.16": "release-notes/rl-0.16.html",
+        "ch-relnotes-0.5": "release-notes/rl-0.5.html",
+        "ch-relnotes-0.6": "release-notes/rl-0.6.html",
+        "ch-relnotes-0.7": "release-notes/rl-0.7.html",
+        "ch-relnotes-0.8.1": "release-notes/rl-0.8.1.html",
+        "ch-relnotes-0.8": "release-notes/rl-0.8.html",
+        "ch-relnotes-0.9.1": "release-notes/rl-0.9.1.html",
+        "ch-relnotes-0.9.2": "release-notes/rl-0.9.2.html",
+        "ch-relnotes-0.9": "release-notes/rl-0.9.html",
+        "ssec-relnotes-1.0": "release-notes/rl-1.0.html",
+        "ssec-relnotes-1.1": "release-notes/rl-1.1.html",
+        "ssec-relnotes-1.10": "release-notes/rl-1.10.html",
+        "ssec-relnotes-1.11.10": "release-notes/rl-1.11.10.html",
+        "ssec-relnotes-1.11": "release-notes/rl-1.11.html",
+        "ssec-relnotes-1.2": "release-notes/rl-1.2.html",
+        "ssec-relnotes-1.3": "release-notes/rl-1.3.html",
+        "ssec-relnotes-1.4": "release-notes/rl-1.4.html",
+        "ssec-relnotes-1.5.1": "release-notes/rl-1.5.html",
+        "ssec-relnotes-1.5.2": "release-notes/rl-1.5.2.html",
+        "ssec-relnotes-1.5": "release-notes/rl-1.5.html",
+        "ssec-relnotes-1.6.1": "release-notes/rl-1.6.1.html",
+        "ssec-relnotes-1.6.0": "release-notes/rl-1.6.html",
+        "ssec-relnotes-1.7": "release-notes/rl-1.7.html",
+        "ssec-relnotes-1.8": "release-notes/rl-1.8.html",
+        "ssec-relnotes-1.9": "release-notes/rl-1.9.html",
+        "ssec-relnotes-2.0": "release-notes/rl-2.0.html",
+        "ssec-relnotes-2.1": "release-notes/rl-2.1.html",
+        "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
+        "ssec-relnotes-2.3": "release-notes/rl-2.3.html"
+    },
+    "language/types.html": {
+        "simple-values": "#primitives",
+        "lists": "#type-list",
+        "strings": "#type-string",
+        "attribute-sets": "#type-attrs",
+        "type-number": "#type-int"
+    },
+    "language/syntax.html": {
+        "scoping-rules": "scope.html",
+        "string-literal": "string-literals.html"
+    },
+    "language/derivations.html": {
+        "builder-execution": "../store/building.html#builder-execution"
+    },
+    "installation/installing-binary.html": {
+        "linux": "uninstall.html#linux",
+        "macos": "uninstall.html#macos",
+        "uninstalling": "uninstall.html"
+    },
+    "development/building.html": {
+        "nix-with-flakes": "#building-nix-with-flakes",
+        "classic-nix": "#building-nix",
+        "running-tests": "testing.html#running-tests",
+        "unit-tests": "testing.html#unit-tests",
+        "functional-tests": "testing.html#functional-tests",
+        "debugging-failing-functional-tests": "testing.html#debugging-failing-functional-tests",
+        "integration-tests": "testing.html#integration-tests",
+        "installer-tests": "testing.html#installer-tests",
+        "one-time-setup": "testing.html#one-time-setup",
+        "using-the-ci-generated-installer-for-manual-testing":
+            "testing.html#using-the-ci-generated-installer-for-manual-testing",
+        "characterization-testing": "testing.html#characterisation-testing-unit",
+        "add-a-release-note": "contributing.html#add-a-release-note",
+        "add-an-entry": "contributing.html#add-an-entry",
+        "build-process": "contributing.html#build-process",
+        "reverting": "contributing.html#reverting",
+        "branches": "contributing.html#branches"
+    },
+    "glossary.html": {
+        "gloss-local-store": "store/types/local-store.html",
+        "package-attribute-set": "#package",
+        "gloss-chroot-store": "store/types/local-store.html",
+        "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation"
+    }
+}

doc/manual/render-manpage.sh

@@ -1,25 +1,55 @@
 #!/usr/bin/env bash
+#
+# Standalone manpage renderer that doesn't require mdbook.
+# Uses expand-includes.py to preprocess markdown, then lowdown to generate manpages.
 
 set -euo pipefail
 
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
 lowdown_args=
 
+# Optional --out-no-smarty flag for compatibility with nix_nested_manpages
 if [ "$1" = --out-no-smarty ]; then
     lowdown_args=--out-no-smarty
     shift
 fi
 
-[ "$#" = 4 ] || {
-    echo "wrong number of args passed" >&2
+[ "$#" = 7 ] || {
+    cat >&2 <<EOF
+Usage: $0 [--out-no-smarty] <title> <section> <source-root> <generated-root> <doc-url> <infile> <outfile>
+
+Arguments:
+  title           - Manpage title (e.g., "nix-env --install")
+  section         - Manpage section number (1, 5, 8, etc.)
+  source-root     - Root directory of markdown sources
+  generated-root  - Root directory of generated markdown files
+  doc-url         - Base URL for documentation links
+  infile          - Input markdown file (relative to build directory)
+  outfile         - Output manpage file
+
+Examples:
+  $0 "nix-store --query" 1 doc/manual/source build/doc/manual/source \\
+     https://nix.dev/manual/nix/latest \\
+     build/doc/manual/source/command-ref/nix-store/query.md nix-store-query.1
+EOF
     exit 1
 }
 
 title="$1"
 section="$2"
-infile="$3"
-outfile="$4"
+source_root="$3"
+generated_root="$4"
+doc_url="$5"
+infile="$6"
+outfile="$7"
 
+# Expand includes and pipe to lowdown
 (
     printf "Title: %s\n\n" "$title"
-    cat "$infile"
+    python3 "$script_dir/expand-includes.py" \
+        --source-root "$source_root" \
+        --generated-root "$generated_root" \
+        --doc-url "$doc_url" \
+        "$infile"
 ) | lowdown -sT man --nroff-nolinks $lowdown_args -M section="$section" -o "$outfile"

doc/manual/rl-next/channels-subdomain.md

@@ -0,0 +1,9 @@
+---
+synopsis: Channel URLs migrated to channels.nixos.org subdomain
+prs: [14518]
+issues: [14517]
+---
+
+Channel URLs have been updated from `https://nixos.org/channels/` to `https://channels.nixos.org/` throughout Nix.
+
+The subdomain provides better reliability with IPv6 support and improved CDN distribution. The old domain apex (`nixos.org/channels/`) currently redirects to the new location but may be deprecated in the future.

doc/manual/rl-next/json-format-changes.md

@@ -0,0 +1,88 @@
+---
+synopsis: "JSON format changes for store path info and derivations"
+prs: []
+issues: []
+---
+
+JSON formats for store path info and derivations have been updated with new versions and structured fields.
+
+## Store Path Info JSON
+
+`nix path-info --json` now requires a `--json-format` flag to specify the output format version.
+Using `--json` without `--json-format` is deprecated and will become an error in a future release.
+For now, it defaults to version 1 with a warning, for a smoother migration.
+
+### Version 1 (`--json-format 1`)
+
+This is the legacy format, preserved for backwards compatibility:
+
+- String-based hash values (e.g., `"narHash": "sha256:FePFYIlM..."`)
+- String-based content addresses (e.g., `"ca": "fixed:r:sha256:1abc..."`)
+- Full store paths for map keys and references (e.g., `"/nix/store/abc...-foo"`)
+- Now includes `"storeDir"` field at the top level
+
+### Version 2 (`--json-format 2`)
+
+The new structured format follows the [JSON guidelines](@docroot@/development/json-guideline.md) with the following changes:
+
+- **Nested structure with top-level metadata**:
+
+  The output is now wrapped in an object with `version`, `storeDir`, and `info` fields:
+
+  ```json
+  {
+    "version": 2,
+    "storeDir": "/nix/store",
+    "info": { ... }
+  }
+  ```
+
+  The map from store bath base names to store object info is nested under the `info` field.
+
+- **Store path base names instead of full paths**:
+
+  Map keys and references use store path base names (e.g., `"abc...-foo"`) instead of full absolute store paths.
+  Combined with `storeDir`, the full path can be reconstructed.
+
+- **Structured `ca` field**:
+
+  Content address is now a structured JSON object instead of a string:
+
+  - Old: `"ca": "fixed:r:sha256:1abc..."`
+  - New: `"ca": {"method": "nar", "hash": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}`
+  - Still `null` values for input-addressed store objects
+
+  The `hash` field uses the [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) format like other hashes.
+
+Nix currently only produces, and doesn't consume this format.
+
+Additionally the following field is added to both formats.
+(The `version` tracks breaking changes, and adding fields to outputted JSON is not a breaking change.)
+
+- **`version` field**:
+
+  All store path info JSON now includes `"version": <1|2>`.
+
+- **`storeDir` field**:
+
+  Top-level `"storeDir"` field contains the store directory path (e.g., `"/nix/store"`).
+
+## Derivation JSON (Version 4)
+
+The derivation JSON format has been updated from version 3 to version 4:
+
+- **Restructured inputs**:
+
+  Inputs are now nested under an `inputs` object:
+
+  - Old: `"inputSrcs": [...], "inputDrvs": {...}`
+  - New: `"inputs": {"srcs": [...], "drvs": {...}}`
+
+- **Consistent content addresses**:
+
+  Fixed content-addressed outputs now use structured JSON format.
+  This is the same format as `ca` in store path info (after the new version).
+
+Version 3 and earlier formats are *not* accepted when reading.
+
+**Affected command**: `nix derivation`, namely its `show` and `add` sub-commands.

doc/manual/rl-next/libcurl-pausing.md

@@ -0,0 +1,12 @@
+---
+synopsis: Fix "download buffer is full; consider increasing the 'download-buffer-size' setting" warning
+prs: [14614]
+issues: [11728]
+---
+
+The underlying issue that led to [#11728](https://github.com/NixOS/nix/issues/11728) has been resolved by utilizing
+[libcurl write pausing functionality](https://curl.se/libcurl/c/curl_easy_pause.html) to control backpressure when unpacking to slow destinations like the git-backed tarball cache. The default value of `download-buffer-size` is now 1 MiB and it's no longer recommended to increase it, since the root cause has been fixed.
+
+This is expected to improve download performance on fast connections, since previously a single slow download consumer would stall the thread and prevent any other transfers from progressing.
+
+Many thanks go out to the [Lix project](https://lix.systems/) for the [implementation](https://git.lix.systems/lix-project/lix/commit/4ae6fb5a8f0d456b8d2ba2aaca3712b4e49057fc) that served as inspiration for this change and for triaging libcurl [issues with pausing](https://github.com/curl/curl/issues/19334).

doc/manual/rl-next/repl-interrupt.md

@@ -0,0 +1,8 @@
+---
+synopsis: Interrupting REPL commands works more than once
+issues: [13481]
+---
+
+Previously, this only worked once per REPL session; further attempts would be ignored.
+This issue is now fixed, so REPL commands such as `:b` or `:p` can be canceled consistently.
+This is a cherry-pick of the change from the [Lix project](https://gerrit.lix.systems/c/lix/+/1097).

doc/manual/rl-next/s3-curl-implementation.md

@@ -1,6 +1,6 @@
 ---
 synopsis: "Improved S3 binary cache support via HTTP"
-prs: [13823, 14026, 14120, 14131, 14135, 14144, 14170, 14190, 14198, 14206, 14209, 14222, 14223, 13752]
+prs: [13752, 13823, 14026, 14120, 14131, 14135, 14144, 14170, 14190, 14198, 14206, 14209, 14222, 14223, 14330, 14333, 14335, 14336, 14337, 14350, 14356, 14357, 14374, 14375, 14376, 14377, 14391, 14393, 14420, 14421]
 issues: [13084, 12671, 11748, 12403]
 ---
 
@@ -18,9 +18,23 @@ improvements:
 The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential
 management.
 
-All existing S3 URL formats and parameters remain supported, with the notable
-exception of multi-part uploads, which are no longer supported.
+All existing S3 URL formats and parameters remain supported, however the store
+settings for configuring multipart uploads have changed:
+
+- **`multipart-upload`** (default: `false`): Enable multipart uploads for large
+  files. When enabled, files exceeding the multipart threshold will be uploaded
+  in multiple parts.
+
+- **`multipart-threshold`** (default: `100 MiB`): Minimum file size for using
+  multipart uploads. Files smaller than this will use regular PUT requests.
+  Only takes effect when `multipart-upload` is enabled.
+
+- **`multipart-chunk-size`** (default: `5 MiB`): Size of each part in multipart
+  uploads. Must be at least 5 MiB (AWS S3 requirement). Larger chunk sizes
+  reduce the number of requests but use more memory.
+
+- **`buffer-size`**: Has been replaced by `multipart-chunk-size` and is now an alias to it.
 
 Note that this change also means Nix now supports S3 binary cache stores even
-if build without `aws-crt-cpp`, but only for public buckets which do not
-require auth.
+if built without `aws-crt-cpp`, but only for public buckets which do not
+require authentication.

doc/manual/rl-next/s3-storage-class.md

@@ -0,0 +1,21 @@
+---
+synopsis: "S3 binary cache stores now support storage class configuration"
+prs: [14464]
+issues: [7015]
+---
+
+S3 binary cache stores now support configuring the storage class for uploaded objects via the `storage-class` parameter. This allows users to optimize costs by selecting appropriate storage tiers based on access patterns.
+
+Example usage:
+
+```bash
+# Use Glacier storage for long-term archival
+nix copy --to 's3://my-bucket?storage-class=GLACIER' /nix/store/...
+
+# Use Intelligent Tiering for automatic cost optimization
+nix copy --to 's3://my-bucket?storage-class=INTELLIGENT_TIERING' /nix/store/...
+```
+
+The storage class applies to both regular uploads and multipart uploads. When not specified, objects use the bucket's default storage class.
+
+See the [S3 storage classes documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html) for available storage classes and their characteristics.

doc/manual/source/SUMMARY.md.in

@@ -26,9 +26,13 @@
     - [Derivation Outputs and Types of Derivations](store/derivation/outputs/index.md)
       - [Content-addressing derivation outputs](store/derivation/outputs/content-address.md)
       - [Input-addressing derivation outputs](store/derivation/outputs/input-address.md)
+  - [Build Trace](store/build-trace.md)
+  - [Derivation Resolution](store/resolution.md)
   - [Building](store/building.md)
+  - [Secrets](store/secrets.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
+  - [Appendix: Math notation](store/math-notation.md)
 - [Nix Language](language/index.md)
   - [Data Types](language/types.md)
     - [String context](language/string-context.md)
@@ -117,15 +121,20 @@
 - [Architecture and Design](architecture/architecture.md)
 - [Formats and Protocols](protocols/index.md)
   - [JSON Formats](protocols/json/index.md)
+    - [File System Object](protocols/json/file-system-object.md)
     - [Hash](protocols/json/hash.md)
     - [Content Address](protocols/json/content-address.md)
     - [Store Path](protocols/json/store-path.md)
     - [Store Object Info](protocols/json/store-object-info.md)
-    - [Derivation](protocols/json/derivation.md)
+    - [Derivation](protocols/json/derivation/index.md)
+      - [Derivation Options](protocols/json/derivation/options.md)
     - [Deriving Path](protocols/json/deriving-path.md)
+    - [Build Trace Entry](protocols/json/build-trace-entry.md)
+    - [Build Result](protocols/json/build-result.md)
+    - [Store](protocols/json/store.md)
   - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
   - [Store Path Specification](protocols/store-path.md)
-  - [Nix Archive (NAR) Format](protocols/nix-archive.md)
+  - [Nix Archive (NAR) Format](protocols/nix-archive/index.md)
   - [Derivation "ATerm" file format](protocols/derivation-aterm.md)
 - [C API](c-api.md)
 - [Glossary](glossary.md)

doc/manual/source/command-ref/nix-build.md

@@ -36,7 +36,7 @@ to a temporary location. The tarball must include a single top-level
 directory containing at least a file named `default.nix`.
 
 `nix-build` is essentially a wrapper around
-[`nix-instantiate`](nix-instantiate.md) (to translate a high-level Nix
+[`nix-instantiate`](./nix-instantiate.md) (to translate a high-level Nix
 expression to a low-level [store derivation]) and [`nix-store
 --realise`](@docroot@/command-ref/nix-store/realise.md) (to build the store
 derivation).
@@ -52,8 +52,8 @@ derivation).
 # Options
 
 All options not listed here are passed to
-[`nix-store --realise`](nix-store/realise.md),
-except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](nix-instantiate.md).
+[`nix-store --realise`](./nix-store/realise.md),
+except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](./nix-instantiate.md).
 
 - <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>
 

doc/manual/source/command-ref/nix-channel.md

@@ -11,10 +11,10 @@
 Channels are a mechanism for referencing remote Nix expressions and conveniently retrieving their latest version.
 
 The moving parts of channels are:
-- The official channels listed at <https://nixos.org/channels>
+- The official channels listed at <https://channels.nixos.org>
 - The user-specific list of [subscribed channels](#subscribed-channels)
 - The [downloaded channel contents](#channels)
-- The [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path), set with the [`-I` option](#opt-i) or the [`NIX_PATH` environment variable](#env-NIX_PATH)
+- The [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path), set with the [`-I` option](#opt-I) or the [`NIX_PATH` environment variable](#env-NIX_PATH)
 
 > **Note**
 >
@@ -88,9 +88,9 @@ This command has the following operations:
 Subscribe to the Nixpkgs channel and run `hello` from the GNU Hello package:
 
 ```console
-$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+$ nix-channel --add https://channels.nixos.org/nixpkgs-unstable
 $ nix-channel --list
-nixpkgs https://nixos.org/channels/nixpkgs
+nixpkgs https://channels.nixos.org/nixpkgs
 $ nix-channel --update
 $ nix-shell -p hello --run hello
 hello

doc/manual/source/command-ref/nix-env/upgrade.md

@@ -22,7 +22,7 @@ left untouched; this is not an error. It is also not an error if an
 element of *args* matches no installed derivations.
 
 For a description of how *args* is mapped to a set of store paths, see
-[`--install`](#operation---install). If *args* describes multiple
+[`--install`](./install.md). If *args* describes multiple
 store paths with the same symbolic name, only the one with the highest
 version is installed.
 

doc/manual/source/command-ref/nix-hash.md

@@ -34,7 +34,7 @@ md5sum`.
   Print the cryptographic hash of the contents of each regular file *path*.
   That is, instead of computing
   the hash of the [Nix Archive (NAR)](@docroot@/store/file-system-object/content-address.md#serial-nix-archive) of *path*,
-  just [directly hash]((@docroot@/store/file-system-object/content-address.md#serial-flat) *path* as is.
+  just [directly hash](@docroot@/store/file-system-object/content-address.md#serial-flat) *path* as is.
   This requires *path* to resolve to a regular file rather than directory.
   The result is identical to that produced by the GNU commands
   `md5sum` and `sha1sum`.

doc/manual/source/command-ref/nix-instantiate.md

@@ -32,7 +32,7 @@ standard input.
 
 - `--add-root` *path*
 
-  See the [corresponding option](nix-store.md) in `nix-store`.
+  See the [corresponding option](./nix-store.md) in `nix-store`.
 
 - `--parse`
 

doc/manual/source/command-ref/nix-shell.md

@@ -19,7 +19,7 @@
 
 This man page describes the command `nix-shell`, which is distinct from `nix
 shell`. For documentation on the latter, run `nix shell --help` or see `man
-nix3-shell`.
+nix3-env-shell`.
 
 # Description
 

doc/manual/source/development/building.md

@@ -66,7 +66,7 @@ You can also build Nix for one of the [supported platforms](#platforms).
 This section assumes you are using Nix with the [`flakes`] and [`nix-command`] experimental features enabled.
 
 [`flakes`]: @docroot@/development/experimental-features.md#xp-feature-flakes
-[`nix-command`]: @docroot@/development/experimental-features.md#xp-nix-command
+[`nix-command`]: @docroot@/development/experimental-features.md#xp-feature-nix-command
 
 To build all dependencies and start a shell in which all environment variables are set up so that those dependencies can be found:
 
@@ -256,7 +256,7 @@ You can use any of the other supported environments in place of `nix-cli-ccacheS
 ## Editor integration
 
 The `clangd` LSP server is installed by default on the `clang`-based `devShell`s.
-See [supported compilation environments](#compilation-environments) and instructions how to set up a shell [with flakes](#nix-with-flakes) or in [classic Nix](#classic-nix).
+See [supported compilation environments](#compilation-environments) and instructions how to set up a shell [with flakes](#building-nix-with-flakes) or in [classic Nix](#building-nix).
 
 To use the LSP with your editor, you will want a `compile_commands.json` file telling `clangd` how we are compiling the code.
 Meson's configure always produces this inside the build directory.

doc/manual/source/development/debugging.md

@@ -15,7 +15,7 @@ In the development shell, set the `mesonBuildType` environment variable to `debu
 Then, proceed to build Nix as described in [Building Nix](./building.md).
 This will build Nix with debug symbols, which are essential for effective debugging.
 
-It is also possible to build without debugging for faster build:
+It is also possible to build without optimization for faster build:
 
 ```console
 [nix-shell]$ NIX_HARDENING_ENABLE=$(printLines $NIX_HARDENING_ENABLE | grep -v fortify)

doc/manual/source/development/testing.md

@@ -119,7 +119,7 @@ This will:
 
 3. Stop the program when the test fails, allowing the user to then issue arbitrary commands to GDB.
 
-### Characterisation testing { #characaterisation-testing-unit }
+### Characterisation testing { #characterisation-testing-unit }
 
 See [functional characterisation testing](#characterisation-testing-functional) for a broader discussion of characterisation testing.
 
@@ -137,6 +137,12 @@ $ _NIX_TEST_ACCEPT=1 meson test nix-store-tests -v
 will regenerate the "golden master" expected result for the `libnixstore` characterisation tests.
 The characterisation tests will mark themselves "skipped" since they regenerated the expected result instead of actually testing anything.
 
+### JSON Schema testing
+
+In `doc/manual/source/protocols/json/` we have a number of manual pages generated from [JSON Schema](https://json-schema.org/).
+That JSON schema is tested against the JSON file test data used in [characterisation tests](#characterisation-testing-unit ) for JSON (de)serialization, in `src/json-schema-checks`.
+Between the JSON (de)serialization testing, and this testing of the same data against the schema, we make sure that the manual, the implementation, and a machine-readable schema are are all in sync.
+
 ### Unit test support libraries
 
 There are headers and code which are not just used to test the library in question, but also downstream libraries.

doc/manual/source/glossary.md

@@ -208,7 +208,7 @@
 
 - [impure derivation]{#gloss-impure-derivation}
 
-  [An experimental feature](#@docroot@/development/experimental-features.md#xp-feature-impure-derivations) that allows derivations to be explicitly marked as impure,
+  [An experimental feature](@docroot@/development/experimental-features.md#xp-feature-impure-derivations) that allows derivations to be explicitly marked as impure,
   so that they are always rebuilt, and their outputs not reused by subsequent calls to realise them.
 
 - [Nix database]{#gloss-nix-database}
@@ -279,7 +279,7 @@
 
   See [References](@docroot@/store/store-object.md#references) for details.
 
-- [referrer]{#gloss-reference}
+- [referrer]{#gloss-referrer}
 
   A reversed edge from one [store object] to another.
 
@@ -367,8 +367,8 @@
 
   Nix represents files as [file system objects][file system object], and how they belong together is encoded as [references][reference] between [store objects][store object] that contain these file system objects.
 
-  The [Nix language] allows denoting packages in terms of [attribute sets](@docroot@/language/types.md#attribute-set) containing:
-  - attributes that refer to the files of a package, typically in the form of [derivation outputs](#output),
+  The [Nix language] allows denoting packages in terms of [attribute sets](@docroot@/language/types.md#type-attrs) containing:
+  - attributes that refer to the files of a package, typically in the form of [derivation outputs](#gloss-output),
   - attributes with metadata, such as information about how the package is supposed to be used.
 
   The exact shape of these attribute sets is up to convention.
@@ -383,7 +383,7 @@
 
   [string]: ./language/types.md#type-string
   [path]: ./language/types.md#type-path
-  [attribute name]: ./language/types.md#attribute-set
+  [attribute name]: ./language/types.md#type-attrs
 
 - [base directory]{#gloss-base-directory}
 

doc/manual/source/language/advanced-attributes.md

@@ -333,7 +333,7 @@ Here is more information on the `output*` attributes, and what values they may b
 
     `outputHashAlgo` can only be `null` when `outputHash` follows the SRI format, because in that case the choice of hash algorithm is determined by `outputHash`.
 
-  - [`outputHash`]{#adv-attr-outputHashAlgo}; [`outputHash`]{#adv-attr-outputHashMode}
+  - [`outputHash`]{#adv-attr-outputHash}
 
     This will specify the output hash of the single output of a [fixed-output derivation].
 

doc/manual/source/language/builtins-prefix.md

@@ -23,7 +23,7 @@ Some built-ins are also exposed directly in the global scope:
 - [`null`](#builtins-null)
 - [`placeholder`](#builtins-placeholder)
 - [`removeAttrs`](#builtins-removeAttrs)
-- `scopedImport`
+- [`scopedImport`](#builtins-scopedImport)
 - [`throw`](#builtins-throw)
 - [`toString`](#builtins-toString)
 - [`true`](#builtins-true)

doc/manual/source/language/derivations.md

@@ -16,7 +16,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 - [`name`]{#attr-name} ([String](@docroot@/language/types.md#type-string))
 
   A symbolic name for the derivation.
-  See [derivation outputs](@docroot@/store/derivation/index.md#outputs) for what this is affects.
+  See [derivation outputs](@docroot@/store/derivation/outputs/index.md#outputs) for what this is affects.
 
   [store path]: @docroot@/store/store-path.md
 

doc/manual/source/language/evaluation.md

@@ -74,4 +74,48 @@ in f { x = throw "error"; y = throw "error"; }
 => "ok"
 ```
 
+## Evaluation order
+
+The order in which expressions are evaluated is generally unspecified, because it does not affect successful evaluation outcomes.
+This allows more freedom for the evaluator to evolve and to evaluate efficiently.
+
+Data dependencies naturally impose some ordering constraints: a value cannot be used before it is computed.
+Beyond these constraints, the evaluator is free to choose any order.
+
+The order in which side effects such as [`builtins.trace`](@docroot@/language/builtins.md#builtins-trace) output occurs is not defined, but may be expected to follow data dependencies. <!-- we may want to be more specific about this. -->
+
+In a lazy language, evaluation order is often opposite to expectations from strict languages.
+For example, in `let wrap = x: { wrapped = x; }; in wrap (1 + 2)`, the function body produces a result (`{ wrapped = ...; }`) *before* evaluating `x`.
+
+## Infinite recursion and stack overflow
+
+During evaluation, two types of errors can occur when expressions reference themselves or call functions too deeply:
+
+### Infinite recursion
+
+This error occurs when a value depends on itself through a cycle, making it impossible to compute.
+
+```nix
+let x = x; in x
+=> error: infinite recursion encountered
+```
+
+Infinite recursion happens at the value level when evaluating an expression requires evaluating the same expression again.
+
+Despite the name, infinite recursion is cheap to compute and does not involve a stack overflow.
+The cycle is finite and fairly easy to detect.
+
+### Stack overflow
+
+This error occurs when the call depth exceeds the maximum allowed limit.
+
+```nix
+let f = x: f (x + 1);
+in f 0
+=> error: stack overflow; max-call-depth exceeded
+```
+
+Stack overflow happens when too many function calls are nested without returning.
+The maximum call depth is controlled by the [`max-call-depth` setting](@docroot@/command-ref/conf-file.md#conf-max-call-depth).
+
 [C API]: @docroot@/c-api.md

doc/manual/source/language/identifiers.md

@@ -16,7 +16,7 @@ An *identifier* is an [ASCII](https://en.wikipedia.org/wiki/ASCII) character seq
 
 # Names
 
-A *name* can be written as an [identifier](#identifier) or a [string literal](./string-literals.md).
+A *name* can be written as an [identifier](#identifiers) or a [string literal](./string-literals.md).
 
 > **Syntax**
 >

doc/manual/source/language/index.md

@@ -137,7 +137,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Booleans](@docroot@/language/types.md#type-boolean)
+   [Booleans](@docroot@/language/types.md#type-bool)
 
   </td>
  </tr>
@@ -245,7 +245,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   An [attribute set](@docroot@/language/types.md#attribute-set) with attributes named `x` and `y`
+   An [attribute set](@docroot@/language/types.md#type-attrs) with attributes named `x` and `y`
 
   </td>
  </tr>
@@ -285,7 +285,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Lists](@docroot@/language/types.md#list) with three elements.
+   [Lists](@docroot@/language/types.md#type-list) with three elements.
 
   </td>
  </tr>
@@ -369,7 +369,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Attribute selection](@docroot@/language/types.md#attribute-set) (evaluates to `1`)
+   [Attribute selection](@docroot@/language/types.md#type-attrs) (evaluates to `1`)
 
   </td>
  </tr>
@@ -381,7 +381,7 @@ This is an incomplete overview of language features, by example.
   </td>
   <td>
 
-   [Attribute selection](@docroot@/language/types.md#attribute-set) with default (evaluates to `3`)
+   [Attribute selection](@docroot@/language/types.md#type-attrs) with default (evaluates to `3`)
 
   </td>
  </tr>

doc/manual/source/language/operators.md

@@ -23,8 +23,8 @@
 | [Greater than or equal to][Comparison] | *expr* `>=` *expr*                         | none          | 10         |
 | [Equality]                             | *expr* `==` *expr*                         | none          | 11         |
 | Inequality                             | *expr* `!=` *expr*                         | none          | 11         |
-| Logical conjunction (`AND`)            | *bool* `&&` *bool*                         | left          | 12         |
-| Logical disjunction (`OR`)             | *bool* <code>\|\|</code> *bool*            | left          | 13         |
+| [Logical conjunction] (`AND`)          | *bool* `&&` *bool*                         | left          | [12](#precedence-and-disjunctive-normal-form)         |
+| [Logical disjunction] (`OR`)           | *bool* <code>\|\|</code> *bool*            | left          | [13](#precedence-and-disjunctive-normal-form)         |
 | [Logical implication]                  | *bool* `->` *bool*                         | right         | 14         |
 | [Pipe operator] (experimental)         | *expr* `\|>` *func*                        | left          | 15         |
 | [Pipe operator] (experimental)         | *func* `<\|` *expr*                        | right         | 15         |
@@ -162,6 +162,9 @@ Update [attribute set] *attrset1* with names and values from *attrset2*.
 The returned attribute set will have all of the attributes in *attrset1* and *attrset2*.
 If an attribute name is present in both, the attribute value from the latter is taken.
 
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in both *attrset1* and *attrset2*.
+That means that both arguments are evaluated to [weak head normal form](@docroot@/language/evaluation.md#values), so the attribute sets themselves are evaluated, but their attribute values are not evaluated.
+
 [Update]: #update
 
 ## Comparison
@@ -185,18 +188,95 @@ All comparison operators are implemented in terms of `<`, and the following equi
 
 ## Equality
 
-- [Attribute sets][attribute set] and [lists][list] are compared recursively, and therefore are fully evaluated.
-- Comparison of [functions][function] always returns `false`.
+- [Attribute sets][attribute set] are compared first by attribute names and then by items until a difference is found.
+- [Lists][list] are compared first by length and then by items until a difference is found.
+- Comparison of distinct [functions][function] returns `false`, but identical functions may be subject to [value identity optimization](#value-identity-optimization).
 - Numbers are type-compatible, see [arithmetic] operators.
 - Floating point numbers only differ up to a limited precision.
 
+The `==` operator is [strict](@docroot@/language/evaluation.md#strictness) in both arguments; when comparing composite types ([attribute sets][attribute set] and [lists][list]), it is partially strict in their contained values: they are evaluated until a difference is found. <!-- this is woefully underspecified, affecting which expressions evaluate correctly; not just "ordering" or error messages. -->
+
+### Value identity optimization
+
+Nix performs equality comparisons of nested values by pointer equality or more abstractly, _identity_.
+Nix semantics ideally do not assign a unique identity to values as they are created, but equality is an exception to this rule.
+The disputable benefit of this is that it is more efficient, and it allows cyclical structures to be compared, e.g. `let x = { x = x; }; in x == x` evaluates to `true`.
+However, as a consequence, it makes a function equal to itself when the comparison is made in a list or attribute set, in contradiction to a simple direct comparison.
+
 [function]: ./syntax.md#functions
 
 [Equality]: #equality
 
+## Logical conjunction
+
+> **Syntax**
+>
+> *bool1* `&&` *bool2*
+
+Logical AND. Equivalent to `if` *bool1* `then` *bool2* `else false`.
+
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in *bool1*, but only evaluates *bool2* if *bool1* is `true`.
+
+> **Example**
+>
+> ```nix
+> true && false
+> => false
+>
+> false && throw "never evaluated"
+> => false
+> ```
+
+[Logical conjunction]: #logical-conjunction
+
+## Logical disjunction
+
+> **Syntax**
+>
+> *bool1* `||` *bool2*
+
+Logical OR. Equivalent to `if` *bool1* `then true` `else` *bool2*.
+
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in *bool1*, but only evaluates *bool2* if *bool1* is `false`.
+
+> **Example**
+>
+> ```nix
+> true || false
+> => true
+>
+> true || throw "never evaluated"
+> => true
+> ```
+
+[Logical disjunction]: #logical-disjunction
+
+### Precedence and disjunctive normal form
+
+The precedence of `&&` and `||` aligns with disjunctive normal form.
+Without parentheses, an expression describes multiple "permissible situations" (connected by `||`), where each situation consists of multiple simultaneous conditions (connected by `&&`).
+
+For example, `A || B && C || D && E` is parsed as `A || (B && C) || (D && E)`, describing three permissible situations: A holds, or both B and C hold, or both D and E hold.
+
 ## Logical implication
 
-Equivalent to `!`*b1* `||` *b2*  (or `if` *b1* `then` *b2* `else true`)
+> **Syntax**
+>
+> *bool1* `->` *bool2*
+
+Logical implication. Equivalent to `!`*bool1* `||` *bool2* (or `if` *bool1* `then` *bool2* `else true`).
+
+This operator is [strict](@docroot@/language/evaluation.md#strictness) in *bool1*, but only evaluates *bool2* if *bool1* is `true`.
+
+> **Example**
+>
+> ```nix
+> true -> false
+> => false
+>
+> false -> throw "never evaluated"
+> => true
+> ```
 
 [Logical implication]: #logical-implication
 

doc/manual/source/language/string-context.md

@@ -111,7 +111,7 @@ It creates an [attribute set] representing the string context, which can be insp
 
 [`builtins.hasContext`]: ./builtins.md#builtins-hasContext
 [`builtins.getContext`]: ./builtins.md#builtins-getContext
-[attribute set]: ./types.md#attribute-set
+[attribute set]: ./types.md#type-attrs
 
 ## Clearing string contexts
 

doc/manual/source/language/string-interpolation.md

@@ -6,7 +6,7 @@ Such a construct is called *interpolated string*, and the expression inside is a
 
 [string]: ./types.md#type-string
 [path]: ./types.md#type-path
-[attribute set]: ./types.md#attribute-set
+[attribute set]: ./types.md#type-attrs
 
 > **Syntax**
 >

doc/manual/source/language/syntax.md

@@ -51,7 +51,7 @@ See [String literals](string-literals.md).
 
   Path literals can also include [string interpolation], besides being [interpolated into other expressions].
 
-  [interpolated into other expressions]: ./string-interpolation.md#interpolated-expressions
+  [interpolated into other expressions]: ./string-interpolation.md#interpolated-expression
 
   At least one slash (`/`) must appear *before* any interpolated expression for the result to be recognized as a path.
 
@@ -235,7 +235,7 @@ of object-oriented programming, for example.
 
 ## Recursive sets
 
-Recursive sets are like normal [attribute sets](./types.md#attribute-set), but the attributes can refer to each other.
+Recursive sets are like normal [attribute sets](./types.md#type-attrs), but the attributes can refer to each other.
 
 > *rec-attrset* = `rec {` [ *name* `=` *expr* `;` `]`... `}`
 
@@ -287,7 +287,7 @@ This evaluates to `"foobar"`.
 
 ## Inheriting attributes
 
-When defining an [attribute set](./types.md#attribute-set) or in a [let-expression](#let-expressions) it is often convenient to copy variables from the surrounding lexical scope (e.g., when you want to propagate attributes).
+When defining an [attribute set](./types.md#type-attrs) or in a [let-expression](#let-expressions) it is often convenient to copy variables from the surrounding lexical scope (e.g., when you want to propagate attributes).
 This can be shortened using the `inherit` keyword.
 
 Example:

doc/manual/source/protocols/derivation-aterm.md

@@ -1,6 +1,8 @@
 # Derivation "ATerm" file format
 
-For historical reasons, [store derivations][store derivation] are stored on-disk in [ATerm](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html) format.
+For historical reasons, [store derivations][store derivation] are stored on-disk in "Annotated Term" (ATerm) format
+([guide](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html),
+[paper](https://doi.org/10.1002/(SICI)1097-024X(200003)30:3%3C259::AID-SPE298%3E3.0.CO;2-Y)).
 
 ## The ATerm format used
 

doc/manual/source/protocols/json/build-result.md

@@ -0,0 +1,21 @@
+{{#include build-result-v1-fixed.md}}
+
+## Examples
+
+### Successful build
+
+```json
+{{#include schema/build-result-v1/success.json}}
+```
+
+### Failed build (output rejected)
+
+```json
+{{#include schema/build-result-v1/output-rejected.json}}
+```
+
+### Failed build (non-deterministic)
+
+```json
+{{#include schema/build-result-v1/not-deterministic.json}}
+```

doc/manual/source/protocols/json/build-trace-entry.md

@@ -0,0 +1,27 @@
+{{#include build-trace-entry-v1-fixed.md}}
+
+## Examples
+
+### Simple build trace entry
+
+```json
+{{#include schema/build-trace-entry-v1/simple.json}}
+```
+
+### Build trace entry with dependencies
+
+```json
+{{#include schema/build-trace-entry-v1/with-dependent-realisations.json}}
+```
+
+### Build trace entry with signature
+
+```json
+{{#include schema/build-trace-entry-v1/with-signature.json}}
+```
+
+<!--
+## Raw Schema
+
+[JSON Schema for Build Trace Entry v1](schema/build-trace-entry-v1.json)
+-->

doc/manual/source/protocols/json/derivation.md

@@ -1,7 +0,0 @@
-{{#include derivation-v3-fixed.md}}
-
-<!-- need to convert YAML to JSON first
-## Raw Schema
-
-[JSON Schema for Derivation v3](schema/derivation-v3.json)
--->

doc/manual/source/protocols/json/derivation/index.md

@@ -0,0 +1,7 @@
+{{#include ../derivation-v4-fixed.md}}
+
+<!-- need to convert YAML to JSON first
+## Raw Schema
+
+[JSON Schema for Derivation v4](schema/derivation-v4.json)
+-->

doc/manual/source/protocols/json/derivation/options.md

@@ -0,0 +1,49 @@
+{{#include ../derivation-options-v1-fixed.md}}
+
+## Examples
+
+### Input-addressed derivations
+
+#### Default options
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/defaults.json}}
+```
+
+#### All options set
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/all_set.json}}
+```
+
+#### Default options (structured attributes)
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/structuredAttrs_defaults.json}}
+```
+
+#### All options set (structured attributes)
+
+```json
+{{#include ../schema/derivation-options-v1/ia/derivation-options/structuredAttrs_all_set.json}}
+```
+
+### Content-addressed derivations
+
+#### All options set
+
+```json
+{{#include ../schema/derivation-options-v1/ca/derivation-options/all_set.json}}
+```
+
+#### All options set (structured attributes)
+
+```json
+{{#include ../schema/derivation-options-v1/ca/derivation-options/structuredAttrs_all_set.json}}
+```
+
+<!-- need to convert YAML to JSON first
+## Raw Schema
+
+[JSON Schema for Derivation Options v1](schema/derivation-options-v1.json)
+-->

doc/manual/source/protocols/json/file-system-object.md

@@ -0,0 +1,21 @@
+{{#include file-system-object-v1-fixed.md}}
+
+## Examples
+
+### Simple
+
+```json
+{{#include schema/file-system-object-v1/simple.json}}
+```
+
+### Complex
+
+```json
+{{#include schema/file-system-object-v1/complex.json}}
+```
+
+<!-- need to convert YAML to JSON first
+## Raw Schema
+
+[JSON Schema for File System Object v1](schema/file-system-object-v1.json)
+-->

doc/manual/source/protocols/json/fixup-json-schema-generated-doc.sed

@@ -11,7 +11,8 @@ s/\\`/`/g
 #
 # As we have more such relative links, more replacements of this nature
 # should appear below.
-s^\(./hash-v1.yaml\)\?#/$defs/algorithm^[JSON format for `Hash`](./hash.html#algorithm)^g
-s^\(./hash-v1.yaml\)^[JSON format for `Hash`](./hash.html)^g
-s^\(./content-address-v1.yaml\)\?#/$defs/method^[JSON format for `ContentAddress`](./content-address.html#method)^g
-s^\(./content-address-v1.yaml\)^[JSON format for `ContentAddress`](./content-address.html)^g
+s^#/\$defs/\(regular\|symlink\|directory\)^In this schema^g
+s^\(./hash-v1.yaml\)\?#/$defs/algorithm^[JSON format for `Hash`](@docroot@/protocols/json/hash.html#algorithm)^g
+s^\(./hash-v1.yaml\)^[JSON format for `Hash`](@docroot@/protocols/json/hash.html)^g
+s^\(./content-address-v1.yaml\)\?#/$defs/method^[JSON format for `ContentAddress`](@docroot@/protocols/json/content-address.html#method)^g
+s^\(./content-address-v1.yaml\)^[JSON format for `ContentAddress`](@docroot@/protocols/json/content-address.html)^g

doc/manual/source/protocols/json/hash.md

@@ -2,28 +2,16 @@
 
 ## Examples
 
-### SHA-256 with Base64 encoding
+### SHA-256
 
 ```json
-{{#include schema/hash-v1/sha256-base64.json}}
+{{#include schema/hash-v1/sha256.json}}
 ```
 
-### SHA-256 with Base16 (hexadecimal) encoding
+### BLAKE3
 
 ```json
-{{#include schema/hash-v1/sha256-base16.json}}
-```
-
-### SHA-256 with Nix32 encoding
-
-```json
-{{#include schema/hash-v1/sha256-nix32.json}}
-```
-
-### BLAKE3 with Base64 encoding
-
-```json
-{{#include schema/hash-v1/blake3-base64.json}}
+{{#include schema/hash-v1/blake3.json}}
 ```
 
 <!-- need to convert YAML to JSON first

doc/manual/source/protocols/json/meson.build

@@ -9,12 +9,17 @@ json_schema_for_humans = find_program('generate-schema-doc', required : false)
 json_schema_config = files('json-schema-for-humans-config.yaml')
 
 schemas = [
+  'file-system-object-v1',
   'hash-v1',
   'content-address-v1',
   'store-path-v1',
-  'store-object-info-v1',
-  'derivation-v3',
+  'store-object-info-v2',
+  'derivation-v4',
+  'derivation-options-v1',
   'deriving-path-v1',
+  'build-trace-entry-v1',
+  'build-result-v1',
+  'store-v1',
 ]
 
 schema_files = files()
@@ -30,27 +35,27 @@ endforeach
 
 json_schema_generated_files = []
 
-# Generate markdown documentation from JSON schema
-# Note: output must be just a filename, not a path
-gen_file = custom_target(
-  schema_name + '-schema-docs.tmp',
-  command : [
-    json_schema_for_humans,
-    '--config-file',
-    json_schema_config,
-    meson.current_source_dir() / 'schema',
-    meson.current_build_dir(),
-  ],
-  input : schema_files + [
-    json_schema_config,
-  ],
-  output : schema_outputs,
-  capture : false,
-  build_by_default : true,
-)
-
-idx = 0
 if json_schema_for_humans.found()
+  # Generate markdown documentation from JSON schema
+  # Note: output must be just a filename, not a path
+  gen_file = custom_target(
+    schema_name + '-schema-docs.tmp',
+    command : [
+      json_schema_for_humans,
+      '--config-file',
+      json_schema_config,
+      meson.current_source_dir() / 'schema',
+      meson.current_build_dir(),
+    ],
+    input : schema_files + [
+      json_schema_config,
+    ],
+    output : schema_outputs,
+    capture : false,
+    build_by_default : true,
+  )
+
+  idx = 0
   foreach schema_name : schemas
     #schema_file = 'schema' / schema_name + '.yaml'
 

doc/manual/source/protocols/json/schema/build-result-v1

@@ -0,0 +1 @@
+../../../../../../src/libstore-tests/data/build-result

doc/manual/source/protocols/json/schema/build-result-v1.yaml

@@ -0,0 +1,136 @@
+"$schema": "http://json-schema.org/draft-04/schema"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/build-result-v1.json"
+title: Build Result
+description: |
+  This schema describes the JSON representation of Nix's `BuildResult` type, which represents the result of building a derivation or substituting store paths.
+
+  Build results can represent either successful builds (with built outputs) or various types of failures.
+
+oneOf:
+  - "$ref": "#/$defs/success"
+  - "$ref": "#/$defs/failure"
+type: object
+required:
+  - success
+  - status
+properties:
+  timesBuilt:
+    type: integer
+    minimum: 0
+    title: Times built
+    description: |
+      How many times this build was performed.
+
+  startTime:
+    type: integer
+    minimum: 0
+    title: Start time
+    description: |
+      The start time of the build (or one of the rounds, if it was repeated), as a Unix timestamp.
+
+  stopTime:
+    type: integer
+    minimum: 0
+    title: Stop time
+    description: |
+      The stop time of the build (or one of the rounds, if it was repeated), as a Unix timestamp.
+
+  cpuUser:
+    type: integer
+    minimum: 0
+    title: User CPU time
+    description: |
+      User CPU time the build took, in microseconds.
+
+  cpuSystem:
+    type: integer
+    minimum: 0
+    title: System CPU time
+    description: |
+      System CPU time the build took, in microseconds.
+
+"$defs":
+  success:
+    type: object
+    title: Successful Build Result
+    description: |
+      Represents a successful build with built outputs.
+    required:
+      - success
+      - status
+      - builtOutputs
+    properties:
+      success:
+        const: true
+        title: Success indicator
+        description: |
+          Always true for successful build results.
+
+      status:
+        type: string
+        title: Success status
+        description: |
+          Status string for successful builds.
+        enum:
+          - "Built"
+          - "Substituted"
+          - "AlreadyValid"
+          - "ResolvesToAlreadyValid"
+
+      builtOutputs:
+        type: object
+        title: Built outputs
+        description: |
+          A mapping from output names to their build trace entries.
+        additionalProperties:
+          "$ref": "build-trace-entry-v1.yaml"
+
+  failure:
+    type: object
+    title: Failed Build Result
+    description: |
+      Represents a failed build with error information.
+    required:
+      - success
+      - status
+      - errorMsg
+    properties:
+      success:
+        const: false
+        title: Success indicator
+        description: |
+          Always false for failed build results.
+
+      status:
+        type: string
+        title: Failure status
+        description: |
+          Status string for failed builds.
+        enum:
+          - "PermanentFailure"
+          - "InputRejected"
+          - "OutputRejected"
+          - "TransientFailure"
+          - "CachedFailure"
+          - "TimedOut"
+          - "MiscFailure"
+          - "DependencyFailed"
+          - "LogLimitExceeded"
+          - "NotDeterministic"
+          - "NoSubstituters"
+          - "HashMismatch"
+
+      errorMsg:
+        type: string
+        title: Error message
+        description: |
+          Information about the error if the build failed.
+
+      isNonDeterministic:
+        type: boolean
+        title: Non-deterministic flag
+        description: |
+          If timesBuilt > 1, whether some builds did not produce the same result.
+
+          Note that 'isNonDeterministic = false' does not mean the build is deterministic,
+          just that we don't have evidence of non-determinism.

doc/manual/source/protocols/json/schema/build-trace-entry-v1

@@ -0,0 +1 @@
+../../../../../../src/libstore-tests/data/realisation

doc/manual/source/protocols/json/schema/build-trace-entry-v1.yaml

@@ -0,0 +1,100 @@
+"$schema": "http://json-schema.org/draft-04/schema"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/build-trace-entry-v1.json"
+title: Build Trace Entry
+description: |
+  A record of a successful build outcome for a specific derivation output.
+
+  This schema describes the JSON representation of a [build trace entry](@docroot@/store/build-trace.md).
+
+  > **Warning**
+  >
+  > This JSON format is currently
+  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-ca-derivations)
+  > and subject to change.
+required:
+  - id
+  - outPath
+  - dependentRealisations
+  - signatures
+allOf:
+  - "$ref": "#/$defs/key"
+  - "$ref": "#/$defs/value"
+properties:
+  id: {}
+  outPath: {}
+  dependentRealisations: {}
+  signatures: {}
+additionalProperties: false
+
+"$defs":
+  key:
+    title: Build Trace Key
+    description: |
+      A [build trace entry](@docroot@/store/build-trace.md) is a key-value pair.
+      This is the "key" part, refering to a derivation and output.
+    type: object
+    required:
+      - id
+    properties:
+      id:
+        type: string
+        title: Derivation Output ID
+        pattern: "^sha256:[0-9a-f]{64}![a-zA-Z_][a-zA-Z0-9_-]*$"
+        description: |
+          Unique identifier for the derivation output that was built.
+
+          Format: `{hash-quotient-drv}!{output-name}`
+
+          - **hash-quotient-drv**: SHA-256 [hash of the quotient derivation](@docroot@/store/derivation/outputs/input-address.md#hash-quotient-drv).
+            Begins with `sha256:`.
+
+          - **output-name**: Name of the specific output (e.g., "out", "dev", "doc")
+
+          Example: `"sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad!foo"`
+
+  value:
+    title: Build Trace Value
+    description: |
+      A [build trace entry](@docroot@/store/build-trace.md) is a key-value pair.
+      This is the "value" part, describing an output.
+    type: object
+    required:
+      - outPath
+      - dependentRealisations
+      - signatures
+    properties:
+      outPath:
+        "$ref": "store-path-v1.yaml"
+        title: Output Store Path
+        description: |
+          The path to the store object that resulted from building this derivation for the given output name.
+
+      dependentRealisations:
+        type: object
+        title: Underlying Base Build Trace
+        description: |
+          This is for [*derived*](@docroot@/store/build-trace.md#derived) build trace entries to ensure coherence.
+
+          Keys are derivation output IDs (same format as the main `id` field).
+          Values are the store paths that those dependencies resolved to.
+
+          As described in the linked section on derived build trace traces, derived build trace entries must be kept in addition and not instead of the underlying base build entries.
+          This is the set of base build trace entries that this derived build trace is derived from.
+          (The set is also a map since this miniature base build trace must be coherent, mapping each key to a single value.)
+
+        patternProperties:
+          "^sha256:[0-9a-f]{64}![a-zA-Z_][a-zA-Z0-9_-]*$":
+            "$ref": "store-path-v1.yaml"
+            title: Dependent Store Path
+            description: Store path that this dependency resolved to during the build
+        additionalProperties: false
+
+      signatures:
+        type: array
+        title: Build Signatures
+        description: |
+          A set of cryptographic signatures attesting to the authenticity of this build trace entry.
+        items:
+          type: string
+          title: Signature
+          description: A single cryptographic signature

doc/manual/source/protocols/json/schema/derivation-options-v1

@@ -0,0 +1 @@
+../../../../../../src/libstore-tests/data/derivation

doc/manual/source/protocols/json/schema/derivation-options-v1.yaml

@@ -0,0 +1,242 @@
+"$schema": "http://json-schema.org/draft-04/schema"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/derivation-options-v1.json"
+title: Derivation Options
+description: |
+  JSON representation of Nix's `DerivationOptions` type.
+
+  This schema describes various build-time options and constraints that can be specified for a derivation.
+
+  > **Warning**
+  >
+  > This JSON format is currently
+  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
+  > and subject to change.
+
+type: object
+required:
+  - outputChecks
+  - unsafeDiscardReferences
+  - passAsFile
+  - exportReferencesGraph
+  - additionalSandboxProfile
+  - noChroot
+  - impureHostDeps
+  - impureEnvVars
+  - allowLocalNetworking
+  - requiredSystemFeatures
+  - preferLocalBuild
+  - allowSubstitutes
+properties:
+  outputChecks:
+    type: object
+    title: Output Check
+    description: |
+      Constraints on what the derivation's outputs can and cannot reference.
+      Can either apply to all outputs or be specified per output.
+    oneOf:
+      - title: Output Checks For All Outputs
+        description: |
+          Output checks that apply to all outputs of the derivation.
+        required:
+          - forAllOutputs
+        properties:
+          forAllOutputs:
+            "$ref": "#/$defs/outputCheckSpec"
+        additionalProperties: false
+
+      - title: Output Checks Per Output
+        description: |
+          Output checks specified individually for each output.
+        required:
+          - perOutput
+        properties:
+          perOutput:
+            type: object
+            additionalProperties:
+              "$ref": "#/$defs/outputCheckSpec"
+        additionalProperties: false
+
+  unsafeDiscardReferences:
+    type: object
+    title: Unsafe Discard References
+    description: |
+      A map specifying which references should be unsafely discarded from each output.
+      This is generally not recommended and requires special permissions.
+    additionalProperties:
+      type: array
+      items:
+        type: string
+
+  passAsFile:
+    type: array
+    title: Pass As File
+    description: |
+      List of environment variable names whose values should be passed as files rather than directly.
+    items:
+      type: string
+
+  exportReferencesGraph:
+    type: object
+    title: Export References Graph
+    description: |
+      Specify paths whose references graph should be exported to files.
+    additionalProperties:
+      type: array
+      items:
+        "$ref": "deriving-path-v1.yaml"
+
+  additionalSandboxProfile:
+    type: string
+    title: Additional Sandbox Profile
+    description: |
+      Additional sandbox profile directives (macOS specific).
+
+  noChroot:
+    type: boolean
+    title: No Chroot
+    description: |
+      Whether to disable the build sandbox, if allowed.
+
+  impureHostDeps:
+    type: array
+    title: Impure Host Dependencies
+    description: |
+      List of host paths that the build can access.
+    items:
+      type: string
+
+  impureEnvVars:
+    type: array
+    title: Impure Environment Variables
+    description: |
+      List of environment variable names that should be passed through to the build from the calling environment.
+    items:
+      type: string
+
+  allowLocalNetworking:
+    type: boolean
+    title: Allow Local Networking
+    description: |
+      Whether the build should have access to local network (macOS specific).
+
+  requiredSystemFeatures:
+    type: array
+    title: Required System Features
+    description: |
+      List of system features required to build this derivation (e.g., "kvm", "nixos-test").
+    items:
+      type: string
+
+  preferLocalBuild:
+    type: boolean
+    title: Prefer Local Build
+    description: |
+      Whether this derivation should preferably be built locally rather than its outputs substituted.
+
+  allowSubstitutes:
+    type: boolean
+    title: Allow Substitutes
+    description: |
+      Whether substituting from other stores should be allowed for this derivation's outputs.
+
+additionalProperties: false
+
+$defs:
+
+  outputCheckSpec:
+    type: object
+    title: Output Check Specification
+    description: |
+      Constraints on what a specific output can reference.
+    required:
+      - ignoreSelfRefs
+      - maxSize
+      - maxClosureSize
+      - allowedReferences
+      - allowedRequisites
+      - disallowedReferences
+      - disallowedRequisites
+    properties:
+      ignoreSelfRefs:
+        type: boolean
+        title: Ignore Self References
+        description: |
+          Whether references from this output to itself should be ignored when checking references.
+
+      maxSize:
+        type: ["integer", "null"]
+        title: Maximum Size
+        description: |
+          Maximum allowed size of this output in bytes, or null for no limit.
+        minimum: 0
+
+      maxClosureSize:
+        type: ["integer", "null"]
+        title: Maximum Closure Size
+        description: |
+          Maximum allowed size of this output's closure in bytes, or null for no limit.
+        minimum: 0
+
+      allowedReferences:
+        oneOf:
+          - type: array
+            items:
+              "$ref": "#/$defs/drvRef"
+          - type: "null"
+        title: Allowed References
+        description: |
+          If set, the output can only reference paths in this list.
+          If null, no restrictions apply.
+
+      allowedRequisites:
+        oneOf:
+          - type: array
+            items:
+              "$ref": "#/$defs/drvRef"
+          - type: "null"
+        title: Allowed Requisites
+        description: |
+          If set, the output's closure can only contain paths in this list.
+          If null, no restrictions apply.
+
+      disallowedReferences:
+        type: array
+        title: Disallowed References
+        description: |
+          The output must not reference any paths in this list.
+        items:
+          "$ref": "#/$defs/drvRef"
+
+      disallowedRequisites:
+        type: array
+        title: Disallowed Requisites
+        description: |
+          The output's closure must not contain any paths in this list.
+        items:
+          "$ref": "#/$defs/drvRef"
+    additionalProperties: false
+
+  drvRef:
+    # TODO fix bug in checker, should be `oneOf`
+    anyOf:
+      - type: object
+        title: Current derivation Output Reference
+        description: |
+          A reference to a specific output of the current derivation.
+        required:
+          - drvPath
+          - output
+        properties:
+          drvPath:
+            type: string
+            const: "self"
+            title: This derivation
+            description: |
+              Won't be confused for a deriving path
+          output:
+            type: string
+            title: Output Name
+            description: |
+              The name of the output being referenced.
+        additionalProperties: false
+      - "$ref": "deriving-path-v1.yaml"

doc/manual/source/protocols/json/schema/derivation-v3.yaml

@@ -1,203 +0,0 @@
-"$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/derivation-v3.json"
-title: Derivation
-description: |
-  Experimental JSON representation of a Nix derivation (version 3).
-
-  This schema describes the JSON representation of Nix's `Derivation` type.
-
-  > **Warning**
-  >
-  > This JSON format is currently
-  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
-  > and subject to change.
-
-type: object
-required:
-  - name
-  - version
-  - outputs
-  - inputSrcs
-  - inputDrvs
-  - system
-  - builder
-  - args
-  - env
-properties:
-  name:
-    type: string
-    title: Derivation name
-    description: |
-      The name of the derivation.
-      Used when calculating store paths for the derivation’s outputs.
-
-  version:
-    const: 3
-    title: Format version (must be 3)
-    description: |
-      Must be `3`.
-      This is a guard that allows us to continue evolving this format.
-      The choice of `3` is fairly arbitrary, but corresponds to this informal version:
-
-      - Version 0: A-Term format
-
-      - Version 1: Original JSON format, with ugly `"r:sha256"` inherited from A-Term format.
-
-      - Version 2: Separate `method` and `hashAlgo` fields in output specs
-
-      - Version 3: Drop store dir from store paths, just include base name.
-
-      Note that while this format is experimental, the maintenance of versions is best-effort, and not promised to identify every change.
-
-  outputs:
-    type: object
-    title: Output specifications
-    description: |
-     Information about the output paths of the derivation.
-     This is a JSON object with one member per output, where the key is the output name and the value is a JSON object as described.
-
-      > **Example**
-      >
-      > ```json
-      > "outputs": {
-      >   "out": {
-      >     "method": "nar",
-      >     "hashAlgo": "sha256",
-      >     "hash": "6fc80dcc62179dbc12fc0b5881275898f93444833d21b89dfe5f7fbcbb1d0d62"
-      >   }
-      > }
-      > ```
-    additionalProperties:
-      "$ref": "#/$defs/output"
-
-  inputSrcs:
-    type: array
-    title: Input source paths
-    description: |
-      List of store paths on which this derivation depends.
-
-      > **Example**
-      >
-      > ```json
-      > "inputSrcs": [
-      >   "47y241wqdhac3jm5l7nv0x4975mb1975-separate-debug-info.sh",
-      >   "56d0w71pjj9bdr363ym3wj1zkwyqq97j-fix-pop-var-context-error.patch"
-      > ]
-      > ```
-    items:
-      $ref: "store-path-v1.yaml"
-
-  inputDrvs:
-    type: object
-    title: Input derivations
-    description: |
-      Mapping of derivation paths to lists of output names they provide.
-
-      > **Example**
-      >
-      > ```json
-      > "inputDrvs": {
-      >   "6lkh5yi7nlb7l6dr8fljlli5zfd9hq58-curl-7.73.0.drv": ["dev"],
-      >   "fn3kgnfzl5dzym26j8g907gq3kbm8bfh-unzip-6.0.drv": ["out"]
-      > }
-      > ```
-      >
-      > specifies that this derivation depends on the `dev` output of `curl`, and the `out` output of `unzip`.
-    patternProperties:
-      "^[0123456789abcdfghijklmnpqrsvwxyz]{32}-.+\\.drv$":
-        title: Store Path
-        description: |
-          A store path to a derivation, mapped to the outputs of that derivation.
-        oneOf:
-        - "$ref": "#/$defs/outputNames"
-        - "$ref": "#/$defs/dynamicOutputs"
-    additionalProperties: false
-
-  system:
-    type: string
-    title: Build system type
-    description: |
-      The system type on which this derivation is to be built
-      (e.g. `x86_64-linux`).
-
-  builder:
-    type: string
-    title: Build program path
-    description: |
-      Absolute path of the program used to perform the build.
-      Typically this is the `bash` shell
-      (e.g. `/nix/store/r3j288vpmczbl500w6zz89gyfa4nr0b1-bash-4.4-p23/bin/bash`).
-
-  args:
-    type: array
-    title: Builder arguments
-    description: |
-      Command-line arguments passed to the `builder`.
-    items:
-      type: string
-
-  env:
-    type: object
-    title: Environment variables
-    description: |
-      Environment variables passed to the `builder`.
-    additionalProperties:
-      type: string
-
-  structuredAttrs:
-    title: Structured attributes
-    description: |
-      [Structured Attributes](@docroot@/store/derivation/index.md#structured-attrs), only defined if the derivation contains them.
-      Structured attributes are JSON, and thus embedded as-is.
-    type: object
-    additionalProperties: true
-
-"$defs":
-  output:
-    type: object
-    properties:
-      path:
-        $ref: "store-path-v1.yaml"
-        title: Output path
-        description: |
-          The output path, if known in advance.
-
-      method:
-        "$ref": "./content-address-v1.yaml#/$defs/method"
-        description: |
-          For an output which will be [content addressed](@docroot@/store/derivation/outputs/content-address.md), a string representing the [method](@docroot@/store/store-object/content-address.md) of content addressing that is chosen.
-          See the linked original definition for further details.
-      hashAlgo:
-        title: Hash algorithm
-        "$ref": "./hash-v1.yaml#/$defs/algorithm"
-
-      hash:
-        type: string
-        title: Expected hash value
-        description: |
-          For fixed-output derivations, the expected content hash in base-16.
-
-  outputName:
-    type: string
-    title: Output name
-    description: Name of the derivation output to depend on
-
-  outputNames:
-    type: array
-    title: Output Names
-    description: Set of names of derivation outputs to depend on
-    items:
-      "$ref": "#/$defs/outputName"
-
-  dynamicOutputs:
-    type: object
-    title: Dynamic Outputs
-    description: |
-      **Experimental feature**: [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations)
-
-      This recursive data type allows for depending on outputs of outputs.
-    properties:
-      outputs:
-        "$ref": "#/$defs/outputNames"
-      dynamicOutputs:
-          "$ref": "#/$defs/dynamicOutputs"

doc/manual/source/protocols/json/schema/derivation-v4.yaml

@@ -0,0 +1,299 @@
+"$schema": "http://json-schema.org/draft-04/schema"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/derivation-v4.json"
+title: Derivation
+description: |
+  Experimental JSON representation of a Nix derivation (version 4).
+
+  This schema describes the JSON representation of Nix's `Derivation` type.
+
+  > **Warning**
+  >
+  > This JSON format is currently
+  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
+  > and subject to change.
+
+type: object
+required:
+  - name
+  - version
+  - outputs
+  - inputs
+  - system
+  - builder
+  - args
+  - env
+properties:
+  name:
+    type: string
+    title: Derivation name
+    description: |
+      The name of the derivation.
+      Used when calculating store paths for the derivation’s outputs.
+
+  version:
+    const: 4
+    title: Format version (must be 4)
+    description: |
+      Must be `4`.
+      This is a guard that allows us to continue evolving this format.
+      The choice of `3` is fairly arbitrary, but corresponds to this informal version:
+
+      - Version 0: ATerm format
+
+      - Version 1: Original JSON format, with ugly `"r:sha256"` inherited from ATerm format.
+
+      - Version 2: Separate `method` and `hashAlgo` fields in output specs
+
+      - Version 3: Drop store dir from store paths, just include base name.
+
+      - Version 4: Two cleanups, batched together to lesson churn:
+
+        - Reorganize inputs into nested structure (`inputs.srcs` and `inputs.drvs`)
+
+        - Use canonical content address JSON format for floating content addressed derivation outputs.
+
+      Note that while this format is experimental, the maintenance of versions is best-effort, and not promised to identify every change.
+
+  outputs:
+    type: object
+    title: Output specifications
+    description: |
+     Information about the output paths of the derivation.
+     This is a JSON object with one member per output, where the key is the output name and the value is a JSON object as described.
+
+      > **Example**
+      >
+      > ```json
+      > "outputs": {
+      >   "out": {
+      >     "method": "nar",
+      >     "hashAlgo": "sha256",
+      >     "hash": "6fc80dcc62179dbc12fc0b5881275898f93444833d21b89dfe5f7fbcbb1d0d62"
+      >   }
+      > }
+      > ```
+    additionalProperties:
+      "$ref": "#/$defs/output/overall"
+
+  inputs:
+    type: object
+    title: Derivation inputs
+    description: |
+      Input dependencies for the derivation, organized into source paths and derivation dependencies.
+    required:
+      - srcs
+      - drvs
+    properties:
+      srcs:
+        type: array
+        title: Input source paths
+        description: |
+          List of store paths on which this derivation depends.
+
+          > **Example**
+          >
+          > ```json
+          > "srcs": [
+          >   "47y241wqdhac3jm5l7nv0x4975mb1975-separate-debug-info.sh",
+          >   "56d0w71pjj9bdr363ym3wj1zkwyqq97j-fix-pop-var-context-error.patch"
+          > ]
+          > ```
+        items:
+          $ref: "store-path-v1.yaml"
+      drvs:
+        type: object
+        title: Input derivations
+        description: |
+          Mapping of derivation paths to lists of output names they provide.
+
+          > **Example**
+          >
+          > ```json
+          > "drvs": {
+          >   "6lkh5yi7nlb7l6dr8fljlli5zfd9hq58-curl-7.73.0.drv": ["dev"],
+          >   "fn3kgnfzl5dzym26j8g907gq3kbm8bfh-unzip-6.0.drv": ["out"]
+          > }
+          > ```
+          >
+          > specifies that this derivation depends on the `dev` output of `curl`, and the `out` output of `unzip`.
+        patternProperties:
+          "^[0123456789abcdfghijklmnpqrsvwxyz]{32}-.+\\.drv$":
+            title: Store Path
+            description: |
+              A store path to a derivation, mapped to the outputs of that derivation.
+            oneOf:
+            - "$ref": "#/$defs/outputNames"
+            - "$ref": "#/$defs/dynamicOutputs"
+        additionalProperties: false
+    additionalProperties: false
+
+  system:
+    type: string
+    title: Build system type
+    description: |
+      The system type on which this derivation is to be built
+      (e.g. `x86_64-linux`).
+
+  builder:
+    type: string
+    title: Build program path
+    description: |
+      Absolute path of the program used to perform the build.
+      Typically this is the `bash` shell
+      (e.g. `/nix/store/r3j288vpmczbl500w6zz89gyfa4nr0b1-bash-4.4-p23/bin/bash`).
+
+  args:
+    type: array
+    title: Builder arguments
+    description: |
+      Command-line arguments passed to the `builder`.
+    items:
+      type: string
+
+  env:
+    type: object
+    title: Environment variables
+    description: |
+      Environment variables passed to the `builder`.
+    additionalProperties:
+      type: string
+
+  structuredAttrs:
+    title: Structured attributes
+    description: |
+      [Structured Attributes](@docroot@/store/derivation/index.md#structured-attrs), only defined if the derivation contains them.
+      Structured attributes are JSON, and thus embedded as-is.
+    type: object
+    additionalProperties: true
+
+"$defs":
+  output:
+    overall:
+      title: Derivation Output
+      description: |
+        A single output of a derivation, with different variants for different output types.
+      oneOf:
+        - "$ref": "#/$defs/output/inputAddressed"
+        - "$ref": "#/$defs/output/caFixed"
+        - "$ref": "#/$defs/output/caFloating"
+        - "$ref": "#/$defs/output/deferred"
+        - "$ref": "#/$defs/output/impure"
+
+    inputAddressed:
+      title: Input-Addressed Output
+      description: |
+        The traditional non-fixed-output derivation type.
+        The output path is determined from the derivation itself.
+
+        See [Input-addressing derivation outputs](@docroot@/store/derivation/outputs/input-address.md) for more details.
+      type: object
+      required:
+        - path
+      properties:
+        path:
+          $ref: "store-path-v1.yaml"
+          title: Output path
+          description: |
+            The output path determined from the derivation itself.
+      additionalProperties: false
+
+    caFixed:
+      title: Fixed Content-Addressed Output
+      description: |
+        The output is content-addressed, and the content-address is fixed in advance.
+
+        See [Fixed-output content-addressing](@docroot@/store/derivation/outputs/content-address.md#fixed) for more details.
+      "$ref": "./content-address-v1.yaml"
+      required:
+        - method
+        - hash
+      properties:
+        method:
+          description: |
+            Method of content addressing used for this output.
+        hash:
+          title: Expected hash value
+          description: |
+            The expected content hash.
+      additionalProperties: false
+
+    caFloating:
+      title: Floating Content-Addressed Output
+      description: |
+        Floating-output derivations, whose outputs are content
+        addressed, but not fixed, and so the output paths are dynamically calculated from
+        whatever the output ends up being.
+
+        See [Floating Content-Addressing](@docroot@/store/derivation/outputs/content-address.md#floating) for more details.
+      type: object
+      required:
+        - method
+        - hashAlgo
+      properties:
+        method:
+          "$ref": "./content-address-v1.yaml#/$defs/method"
+          description: |
+            Method of content addressing used for this output.
+        hashAlgo:
+          title: Hash algorithm
+          "$ref": "./hash-v1.yaml#/$defs/algorithm"
+          description: |
+            What hash algorithm to use for the given method of content-addressing.
+      additionalProperties: false
+
+    deferred:
+      title: Deferred Output
+      description: |
+        Input-addressed output which depends on a (CA) derivation whose outputs (and thus their content-address
+        are not yet known.
+      type: object
+      properties: {}
+      additionalProperties: false
+
+    impure:
+      title: Impure Output
+      description: |
+        Impure output which is just like a floating content-addressed output, but this derivation runs without sandboxing.
+        As such, we don't record it in the build trace, under the assumption that if we need it again, we should rebuild it, as it might produce something different.
+      required:
+        - impure
+        - method
+        - hashAlgo
+      properties:
+        impure:
+          const: true
+        method:
+          "$ref": "./content-address-v1.yaml#/$defs/method"
+          description: |
+            How the file system objects will be serialized for hashing.
+        hashAlgo:
+          title: Hash algorithm
+          "$ref": "./hash-v1.yaml#/$defs/algorithm"
+          description: |
+            How the serialization will be hashed.
+      additionalProperties: false
+
+  outputName:
+    type: string
+    title: Output name
+    description: Name of the derivation output to depend on
+
+  outputNames:
+    type: array
+    title: Output Names
+    description: Set of names of derivation outputs to depend on
+    items:
+      "$ref": "#/$defs/outputName"
+
+  dynamicOutputs:
+    type: object
+    title: Dynamic Outputs
+    description: |
+      **Experimental feature**: [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations)
+
+      This recursive data type allows for depending on outputs of outputs.
+    properties:
+      outputs:
+        "$ref": "#/$defs/outputNames"
+      dynamicOutputs:
+          "$ref": "#/$defs/dynamicOutputs"

doc/manual/source/protocols/json/schema/file-system-object-v1

@@ -0,0 +1 @@
+../../../../../../src/libutil-tests/data/memory-source-accessor

doc/manual/source/protocols/json/schema/file-system-object-v1.yaml

@@ -0,0 +1,71 @@
+"$schema": http://json-schema.org/draft-04/schema#
+"$id": https://nix.dev/manual/nix/latest/protocols/json/schema/file-system-object-v1.json
+title: File System Object
+description: |
+  This schema describes the JSON representation of Nix's [File System Object](@docroot@/store/file-system-object.md).
+
+  The schema is recursive because file system objects contain other file system objects.
+type: object
+required: ["type"]
+properties:
+  type:
+    type: string
+    enum: ["regular", "symlink", "directory"]
+
+# Enforce conditional structure based on `type`
+anyOf:
+  - $ref: "#/$defs/regular"
+    required: ["type", "contents"]
+
+  - $ref: "#/$defs/directory"
+    required: ["type", "entries"]
+
+  - $ref: "#/$defs/symlink"
+    required: ["type", "target"]
+
+"$defs":
+  regular:
+    title: Regular File
+    description: |
+      See [Regular File](@docroot@/store/file-system-object.md#regular) in the manual for details.
+    required: ["contents"]
+    properties:
+      type:
+        const: "regular"
+      contents:
+        type: string
+        description: File contents
+      executable:
+        type: boolean
+        description: Whether the file is executable.
+        default: false
+    additionalProperties: false
+
+  directory:
+    title: Directory
+    description: |
+      See [Directory](@docroot@/store/file-system-object.md#directory) in the manual for details.
+    required: ["entries"]
+    properties:
+      type:
+        const: "directory"
+      entries:
+        type: object
+        description: |
+          Map of names to nested file system objects (for type=directory)
+        additionalProperties:
+          $ref: "#"
+    additionalProperties: false
+
+  symlink:
+    title: Symbolic Link
+    description: |
+      See [Symbolic Link](@docroot@/store/file-system-object.md#symlink) in the manual for details.
+    required: ["target"]
+    properties:
+      type:
+        const: "symlink"
+      target:
+        type: string
+        description: Target path of the symlink.
+    additionalProperties: false

doc/manual/source/protocols/json/schema/hash-v1.yaml

@@ -4,40 +4,13 @@ title: Hash
 description: |
   A cryptographic hash value used throughout Nix for content addressing and integrity verification.
 
-  This schema describes the JSON representation of Nix's `Hash` type.
-type: object
-properties:
-  algorithm:
-    "$ref": "#/$defs/algorithm"
-  format:
-    type: string
-    enum:
-    - base64
-    - nix32
-    - base16
-    - sri
-    title: Hash format
-    description: |
-      The encoding format of the hash value.
+  This schema describes the JSON representation of Nix's `Hash` type as an [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) string.
+type: string
+pattern: "^(blake3|md5|sha1|sha256|sha512)-[A-Za-z0-9+/]+=*$"
+examples:
+- "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="
+- "sha512-IEqPxt2oLwoM7XvrjgikFlfBbvRosiioJ5vjMacDwzWW/RXBOxsH+aodO+pXeJygMa2Fx6cd1wNU7GMSOMo0RQ=="
 
-      - `base64` uses standard Base64 encoding [RFC 4648, section 4](https://datatracker.ietf.org/doc/html/rfc4648#section-4)
-      - `nix32` is Nix-specific base-32 encoding
-      - `base16` is lowercase hexadecimal
-      - `sri` is the [Subresource Integrity format](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).
-  hash:
-    type: string
-    title: Hash
-    description: |
-      The encoded hash value, itself.
-
-      It is specified in the format specified by the `format` field.
-      It must be the right length for the hash algorithm specified in the `algorithm` field, also.
-      The hash value does not include any algorithm prefix.
-required:
-- algorithm
-- format
-- hash
-additionalProperties: false
 "$defs":
   algorithm:
     type: string
@@ -51,4 +24,4 @@ additionalProperties: false
     description: |
       The hash algorithm used to compute the hash value.
 
-      `blake3` is currently experimental and requires the [`blake-hashing`](@docroot@/development/experimental-features.md#xp-feature-blake-hashing) experimental feature.
+      `blake3` is currently experimental and requires the [`blake-hashing`](@docroot@/development/experimental-features.md#xp-feature-blake3-hashes) experimental feature.

doc/manual/source/protocols/json/schema/nar-info-v1

@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/nar-info

doc/manual/source/protocols/json/schema/nar-info-v2

@@ -0,0 +1 @@
+../../../../../../src/libstore-tests/data/nar-info/json-2

doc/manual/source/protocols/json/schema/store-object-info-v1

@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/path-info

doc/manual/source/protocols/json/schema/store-object-info-v2

@@ -0,0 +1 @@
+../../../../../../src/libstore-tests/data/path-info/json-2

doc/manual/source/protocols/json/schema/store-object-info-v2.yaml

@@ -1,6 +1,6 @@
-"$schema": "http://json-schema.org/draft-07/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/store-object-info-v1.json"
-title: Store Object Info
+"$schema": "http://json-schema.org/draft-04/schema"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/store-object-info-v2.json"
+title: Store Object Info v2
 description: |
   Information about a [store object](@docroot@/store/store-object.md).
 
@@ -41,13 +41,30 @@ $defs:
       This is the minimal set of fields that describe what a store object contains.
     type: object
     required:
+      - version
       - narHash
       - narSize
       - references
       - ca
+      - storeDir
     properties:
+      version:
+        type: integer
+        const: 2
+        title: Format version (must be 2)
+        description: |
+          Must be `2`.
+          This is a guard that allows us to continue evolving this format.
+          Here is the rough version history:
+
+          - Version 0: `.narinfo` line-oriented format
+
+          - Version 1: Original JSON format, with ugly `"r:sha256"` inherited from `.narinfo` format.
+
+          - Version 2: Use structured JSON type for `ca`
+
       path:
-        type: string
+        "$ref": "./store-path-v1.yaml"
         title: Store Path
         description: |
           [Store path](@docroot@/store/store-path.md) to the given store object.
@@ -55,7 +72,7 @@ $defs:
           Note: This field may not be present in all contexts, such as when the path is used as the key and the the store object info the value in map.
 
       narHash:
-        type: string
+        "$ref": "./hash-v1.yaml"
         title: NAR Hash
         description: |
           Hash of the [file system object](@docroot@/store/file-system-object.md) part of the store object when serialized as a [Nix Archive](@docroot@/store/file-system-object/content-address.md#serial-nix-archive).
@@ -73,15 +90,24 @@ $defs:
         description: |
           An array of [store paths](@docroot@/store/store-path.md), possibly including this one.
         items:
-          type: string
+          "$ref": "./store-path-v1.yaml"
 
       ca:
-        type: ["string", "null"]
+        oneOf:
+          - type: "null"
+            const: null
+          - "$ref": "./content-address-v1.yaml"
         title: Content Address
         description: |
           If the store object is [content-addressed](@docroot@/store/store-object/content-address.md),
           this is the content address of this store object's file system object, used to compute its store path.
           Otherwise (i.e. if it is [input-addressed](@docroot@/glossary.md#gloss-input-addressed-store-object)), this is `null`.
+
+      storeDir:
+        type: string
+        title: Store Directory
+        description: |
+          The [store directory](@docroot@/store/store-path.md#store-directory) this store object belongs to (e.g. `/nix/store`).
     additionalProperties: false
 
   impure:
@@ -91,23 +117,29 @@ $defs:
       In other words, the same store object in different stores could have different values for these impure fields.
     type: object
     required:
+      - version
       - narHash
       - narSize
       - references
       - ca
+      - storeDir
       # impure
       - deriver
       - registrationTime
       - ultimate
       - signatures
     properties:
+      version: { $ref: "#/$defs/base/properties/version" }
       path: { $ref: "#/$defs/base/properties/path" }
       narHash: { $ref: "#/$defs/base/properties/narHash" }
       narSize: { $ref: "#/$defs/base/properties/narSize" }
       references: { $ref: "#/$defs/base/properties/references" }
       ca: { $ref: "#/$defs/base/properties/ca" }
+      storeDir: { $ref: "#/$defs/base/properties/storeDir" }
       deriver:
-        type: ["string", "null"]
+        oneOf:
+          - "$ref": "./store-path-v1.yaml"
+          - type: "null"
         title: Deriver
         description: |
           If known, the path to the [store derivation](@docroot@/glossary.md#gloss-store-derivation) from which this store object was produced.
@@ -164,10 +196,12 @@ $defs:
       This download information, being specific to how the store object happens to be stored and transferred, is also considered to be non-intrinsic / impure.
     type: object
     required:
+      - version
       - narHash
       - narSize
       - references
       - ca
+      - storeDir
       # impure
       - deriver
       - registrationTime
@@ -179,11 +213,13 @@ $defs:
       - downloadHash
       - downloadSize
     properties:
+      version: { $ref: "#/$defs/base/properties/version" }
       path: { $ref: "#/$defs/base/properties/path" }
       narHash: { $ref: "#/$defs/base/properties/narHash" }
       narSize: { $ref: "#/$defs/base/properties/narSize" }
       references: { $ref: "#/$defs/base/properties/references" }
       ca: { $ref: "#/$defs/base/properties/ca" }
+      storeDir: { $ref: "#/$defs/base/properties/storeDir" }
       deriver: { $ref: "#/$defs/impure/properties/deriver" }
       registrationTime: { $ref: "#/$defs/impure/properties/registrationTime" }
       ultimate: { $ref: "#/$defs/impure/properties/ultimate" }
@@ -206,7 +242,7 @@ $defs:
           > This is an impure "`.narinfo`" field that may not be included in certain contexts.
 
       downloadHash:
-        type: string
+        "$ref": "./hash-v1.yaml"
         title: Download Hash
         description: |
           A digest for the compressed archive itself, as opposed to the data contained within.

doc/manual/source/protocols/json/schema/store-v1

@@ -0,0 +1 @@
+../../../../../../src/libstore-tests/data/dummy-store

doc/manual/source/protocols/json/schema/store-v1.yaml

@@ -0,0 +1,90 @@
+"$schema": "http://json-schema.org/draft-04/schema"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/store-v1.json"
+title: Store
+description: |
+  Experimental JSON representation of a Nix [Store](@docroot@/store/index.md).
+
+  This schema describes the JSON serialization of a Nix store.
+  We use it for (de)serializing in-memory "dummy stores" used for testing, but in principle the data represented in this schema could live in any type of store.
+
+  > **Warning**
+  >
+  > This JSON format is currently
+  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
+  > and subject to change.
+
+type: object
+required:
+  - config
+  - contents
+  - derivations
+  - buildTrace
+properties:
+  config:
+    "$ref": "#/$defs/storeConfig"
+
+  contents:
+    type: object
+    title: Store Objects
+    description: |
+      Map of [store path](@docroot@/store/store-path.md) base names to [store objects](@docroot@/store/store-object.md).
+    patternProperties:
+      "^[0123456789abcdfghijklmnpqrsvwxyz]{32}-.+$":
+        type: object
+        title: Store Object
+        required:
+          - info
+          - contents
+        properties:
+          info:
+            "$ref": "./store-object-info-v2.yaml#/$defs/impure"
+            title: Store Object Info
+            description: |
+              Metadata about the [store object](@docroot@/store/store-object.md) including hash, size, references, etc.
+          contents:
+            "$ref": "./file-system-object-v1.yaml"
+            title: File System Object Contents
+            description: |
+              The actual [file system object](@docroot@/store/file-system-object.md) contents of this store path.
+        additionalProperties: false
+    additionalProperties: false
+
+  derivations:
+    type: object
+    title: Derivations
+    description: |
+      Map of [store path](@docroot@/store/store-path.md) base names (always ending in `.drv`) to [derivations](@docroot@/store/derivation/index.md).
+    patternProperties:
+      "^[0123456789abcdfghijklmnpqrsvwxyz]{32}-.+\\.drv$":
+        "$ref": "./derivation-v4.yaml"
+    additionalProperties: false
+
+  buildTrace:
+    type: object
+    title: Build Trace
+    description: |
+      Map of output hashes (base64 SHA256) to maps of output names to realisations.
+      Records which outputs have been built and their realisations.
+      See [Build Trace](@docroot@/store/build-trace.md) for more details.
+    patternProperties:
+      "^[A-Za-z0-9+/]{43}=$":
+        type: object
+        additionalProperties:
+          "$ref": "./build-trace-entry-v1.yaml#/$defs/value"
+    additionalProperties: false
+
+"$defs":
+  storeConfig:
+    title: Store Configuration
+    description: |
+      Configuration for the store, including the store directory path.
+    type: object
+    required:
+      - store
+    properties:
+      store:
+        type: string
+        title: Store Directory
+        description: |
+          The store directory path (e.g., `/nix/store`).
+    additionalProperties: false

doc/manual/source/protocols/json/store-object-info.md

@@ -1,45 +1,45 @@
-{{#include store-object-info-v1-fixed.md}}
+{{#include store-object-info-v2-fixed.md}}
 
 ## Examples
 
 ### Minimal store object (content-addressed)
 
 ```json
-{{#include schema/store-object-info-v1/pure.json}}
+{{#include schema/store-object-info-v2/pure.json}}
 ```
 
 ### Store object with impure fields
 
 ```json
-{{#include schema/store-object-info-v1/impure.json}}
+{{#include schema/store-object-info-v2/impure.json}}
 ```
 
 ### Minimal store object (empty)
 
 ```json
-{{#include schema/store-object-info-v1/empty_pure.json}}
+{{#include schema/store-object-info-v2/empty_pure.json}}
 ```
 
 ### Store object with all impure fields
 
 ```json
-{{#include schema/store-object-info-v1/empty_impure.json}}
+{{#include schema/store-object-info-v2/empty_impure.json}}
 ```
 
 ### NAR info (minimal)
 
 ```json
-{{#include schema/nar-info-v1/pure.json}}
+{{#include schema/nar-info-v2/pure.json}}
 ```
 
 ### NAR info (with binary cache fields)
 
 ```json
-{{#include schema/nar-info-v1/impure.json}}
+{{#include schema/nar-info-v2/impure.json}}
 ```
 
 <!-- need to convert YAML to JSON first
 ## Raw Schema
 
-[JSON Schema for Store Object Info v1](schema/store-object-info-v1.json)
+[JSON Schema for Store Object Info v1](schema/store-object-info-v2.json)
 -->

doc/manual/source/protocols/json/store.md

@@ -0,0 +1,21 @@
+{{#include store-v1-fixed.md}}
+
+## Examples
+
+### Empty store
+
+```json
+{{#include schema/store-v1/empty.json}}
+```
+
+### Store with one file
+
+```json
+{{#include schema/store-v1/one-flat-file.json}}
+```
+
+### Store with one derivation
+
+```json
+{{#include schema/store-v1/one-derivation.json}}
+```

doc/manual/source/protocols/nix-archive/index.md

@@ -4,7 +4,7 @@ This is the complete specification of the [Nix Archive] format.
 The Nix Archive format closely follows the abstract specification of a [file system object] tree,
 because it is designed to serialize exactly that data structure.
 
-[Nix Archive]: @docroot@/store/file-system-object/content-address.md#nix-archive
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive
 [file system object]: @docroot@/store/file-system-object.md
 
 The format of this specification is close to [Extended Backus–Naur form](https://en.wikipedia.org/wiki/Extended_Backus%E2%80%93Naur_form), with the exception of the `str(..)` function / parameterized rule, which length-prefixes and pads strings.
@@ -24,7 +24,7 @@ nar-obj-inner
   | str("type"), str("directory") directory
   ;
 
-regular = [ str("executable") ], str("contents"), str(contents);
+regular = [ str("executable"), str("") ], str("contents"), str(contents);
 
 symlink = str("target"), str(target);
 
@@ -41,3 +41,15 @@ The `str` function / parameterized rule is defined as follows:
 - `int(n)` = the 64-bit little endian representation of the number `n`
 
 - `pad(s)` = the byte sequence `s`, padded with 0s to a multiple of 8 byte
+
+## Kaitai Struct Specification
+
+The Nix Archive (NAR) format is also formally described using [Kaitai Struct](https://kaitai.io/), an Interface Description Language (IDL) for defining binary data structures.
+
+> Kaitai Struct provides a language-agnostic, machine-readable specification that can be compiled into parsers for various programming languages (e.g., C++, Python, Java, Rust).
+
+```yaml
+{{#include nar.ksy}}
+```
+
+The source of the spec can be found [here](https://github.com/nixos/nix/blob/master/src/nix-manual/source/protocols/nix-archive/nar.ksy). Contributions and improvements to the spec are welcomed.

doc/manual/source/protocols/nix-archive/nar.ksy

@@ -0,0 +1,169 @@
+meta:
+  id: nix_nar
+  title: Nix Archive (NAR)
+  file-extension: nar
+  endian: le
+doc: |
+    Nix Archive (NAR) format. A simple, reproducible binary archive
+    format used by the Nix package manager to serialize file system objects.
+doc-ref: 'https://nixos.org/manual/nix/stable/command-ref/nix-store.html#nar-format'
+
+seq:
+  - id: magic
+    type: padded_str
+    doc: "Magic string, must be 'nix-archive-1'."
+    valid:
+      expr: _.body == 'nix-archive-1'
+  - id: root_node
+    type: node
+    doc: "The root of the archive, which is always a single node."
+
+types:
+  padded_str:
+    doc: |
+      A string, prefixed with its length (u8le) and
+      padded with null bytes to the next 8-byte boundary.
+    seq:
+      - id: len_str
+        type: u8
+      - id: body
+        type: str
+        size: len_str
+        encoding: 'ASCII'
+      - id: padding
+        size: (8 - (len_str % 8)) % 8
+
+  node:
+    doc: "A single filesystem node (file, directory, or symlink)."
+    seq:
+      - id: open_paren
+        type: padded_str
+        doc: "Must be '(', a token starting the node definition."
+        valid:
+          expr: _.body == '('
+      - id: type_key
+        type: padded_str
+        doc: "Must be 'type'."
+        valid:
+          expr: _.body == 'type'
+      - id: type_val
+        type: padded_str
+        doc: "The type of the node: 'regular', 'directory', or 'symlink'."
+      - id: body
+        type:
+          switch-on: type_val.body
+          cases:
+            "'directory'": type_directory
+            "'regular'": type_regular
+            "'symlink'": type_symlink
+      - id: close_paren
+        type: padded_str
+        valid:
+          expr: _.body == ')'
+        if: "type_val.body != 'directory'"
+        doc: "Must be ')', a token ending the node definition."
+
+  type_directory:
+    doc: "A directory node, containing a list of entries. Entries must be ordered by their names."
+    seq:
+      - id: entries
+        type: dir_entry
+        repeat: until
+        repeat-until: _.kind.body == ')'
+    types:
+      dir_entry:
+        doc: "A single entry within a directory, or a terminator."
+        seq:
+          - id: kind
+            type: padded_str
+            valid:
+              expr: _.body == 'entry' or _.body == ')'
+            doc: "Must be 'entry' (for a child node) or '' (for terminator)."
+          - id: open_paren
+            type: padded_str
+            valid:
+              expr: _.body == '('
+            if: 'kind.body == "entry"'
+          - id: name_key
+            type: padded_str
+            valid:
+              expr: _.body == 'name'
+            if: 'kind.body == "entry"'
+          - id: name
+            type: padded_str
+            if: 'kind.body == "entry"'
+          - id: node_key
+            type: padded_str
+            valid:
+              expr: _.body == 'node'
+            if: 'kind.body == "entry"'
+          - id: node
+            type: node
+            if: 'kind.body == "entry"'
+            doc: "The child node, present only if kind is 'entry'."
+          - id: close_paren
+            type: padded_str
+            valid:
+              expr: _.body == ')'
+            if: 'kind.body == "entry"'
+        instances:
+          is_terminator:
+            value: kind.body == ')'
+
+  type_regular:
+    doc: "A regular file node."
+    seq:
+      # Read attributes (like 'executable') until we hit 'contents'
+      - id: attributes
+        type: reg_attribute
+        repeat: until
+        repeat-until: _.key.body == "contents"
+      # After the 'contents' token, read the file data
+      - id: file_data
+        type: file_content
+    instances:
+      is_executable:
+        value: 'attributes[0].key.body == "executable"'
+        doc: "True if the file has the 'executable' attribute."
+    types:
+      reg_attribute:
+        doc: "An attribute of the file, e.g., 'executable' or 'contents'."
+        seq:
+          - id: key
+            type: padded_str
+            doc: "Attribute key, e.g., 'executable' or 'contents'."
+            valid:
+              expr: _.body == 'executable' or _.body == 'contents'
+          - id: value
+            type: padded_str
+            if: 'key.body == "executable"'
+            valid:
+              expr: _.body == ''
+            doc: "Must be '' if key is 'executable'."
+      file_content:
+        doc: "The raw data of the file, prefixed by length."
+        seq:
+          - id: len_contents
+            type: u8
+          # # This relies on the property of instances that they are lazily evaluated and cached.
+          - size: 0
+            if: nar_offset < 0
+          - id: contents
+            size: len_contents
+          - id: padding
+            size: (8 - (len_contents % 8)) % 8
+        instances:
+          nar_offset:
+            value: _io.pos
+
+  type_symlink:
+    doc: "A symbolic link node."
+    seq:
+      - id: target_key
+        type: padded_str
+        doc: "Must be 'target'."
+        valid:
+          expr: _.body == 'target'
+      - id: target_val
+        type: padded_str
+        doc: "The destination path of the symlink."

doc/manual/source/release-notes/rl-2.0.md

@@ -358,7 +358,7 @@ This release has the following new features:
     they are needed for evaluation.
 
   - You can now use `channel:` as a short-hand for
-    <https://nixos.org/channels//nixexprs.tar.xz>. For example,
+    <https://nixos.org/channels//nixexprs.tar.xz> [now <https://channels.nixos.org//nixexprs.tar.xz>]. For example,
     `nix-build channel:nixos-15.09 -A hello` will build the GNU Hello
     package from the `nixos-15.09` channel. In the future, this may
     use Git to fetch updates more efficiently.

doc/manual/source/release-notes/rl-2.18.md

@@ -13,7 +13,7 @@
 
 - The `discard-references` feature has been stabilized.
   This means that the
-  [unsafeDiscardReferences](@docroot@/development/experimental-features.md#xp-feature-discard-references)
+  [unsafeDiscardReferences](@docroot@/language/advanced-attributes.md#adv-attr-unsafeDiscardReferences)
   attribute is no longer guarded by an experimental flag and can be used
   freely.
 

doc/manual/source/release-notes/rl-2.19.md

@@ -17,8 +17,8 @@
 
 - `nix-shell` shebang lines now support single-quoted arguments.
 
-- `builtins.fetchTree` is now its own experimental feature, [`fetch-tree`](@docroot@/development/experimental-features.md#xp-fetch-tree).
-  This allows stabilising it independently of the rest of what is encompassed by [`flakes`](@docroot@/development/experimental-features.md#xp-fetch-tree).
+- `builtins.fetchTree` is now its own experimental feature, [`fetch-tree`](@docroot@/development/experimental-features.md#xp-feature-fetch-tree).
+  This allows stabilising it independently of the rest of what is encompassed by [`flakes`](@docroot@/development/experimental-features.md#xp-feature-flakes).
 
 - The interface for creating and updating lock files has been overhauled:
 

doc/manual/source/release-notes/rl-2.23.md

@@ -14,7 +14,7 @@
 
 - Modify `nix derivation {add,show}` JSON format [#9866](https://github.com/NixOS/nix/issues/9866) [#10722](https://github.com/NixOS/nix/pull/10722)
 
-  The JSON format for derivations has been slightly revised to better conform to our [JSON guidelines](@docroot@/development/cli-guideline.md#returning-future-proof-json).
+  The JSON format for derivations has been slightly revised to better conform to our [JSON guidelines](@docroot@/development/json-guideline.md).
   In particular, the hash algorithm and content addressing method of content-addressed derivation outputs are now separated into two fields `hashAlgo` and `method`,
   rather than one field with an arcane `:`-separated format.
 

doc/manual/source/release-notes/rl-2.24.md

@@ -93,7 +93,7 @@
 
 - Support unit prefixes in configuration settings [#10668](https://github.com/NixOS/nix/pull/10668)
 
-  Configuration settings in Nix now support unit prefixes, allowing for more intuitive and readable configurations. For example, you can now specify [`--min-free 1G`](@docroot@/command-ref/opt-common.md#opt-min-free) to set the minimum free space to 1 gigabyte.
+  Configuration settings in Nix now support unit prefixes, allowing for more intuitive and readable configurations. For example, you can now specify [`--min-free 1G`](@docroot@/command-ref/conf-file.md#conf-min-free) to set the minimum free space to 1 gigabyte.
 
   This enhancement was extracted from [#7851](https://github.com/NixOS/nix/pull/7851) and is also useful for PR [#10661](https://github.com/NixOS/nix/pull/10661).
 

doc/manual/source/release-notes/rl-2.26.md

@@ -112,7 +112,7 @@ This release was made possible by the following 45 contributors:
 - Connor Baker [**(@ConnorBaker)**](https://github.com/ConnorBaker)
 - Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
 - Jack Wilsdon [**(@jackwilsdon)**](https://github.com/jackwilsdon)
-- ‮rekcäH nitraM‮ [**(@dwt)**](https://github.com/dwt)
+- Martin Häcker [**(@dwt)**](https://github.com/dwt)
 - Martin Fischer [**(@not-my-profile)**](https://github.com/not-my-profile)
 - John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
 - Graham Christensen [**(@grahamc)**](https://github.com/grahamc)

doc/manual/source/release-notes/rl-2.32.md

@@ -12,7 +12,7 @@
 
   We ultimately want to rectify this issue with all JSON formats to the extent allowed by our stability promises. To start with, we are changing the JSON format for derivations because the `nix derivation` commands are — in addition to being formally unstable — less widely used than other unstable commands.
 
-  See the documentation on the [JSON format for derivations](@docroot@/protocols/json/derivation.md) for further details.
+  See the documentation on the [JSON format for derivations](@docroot@/protocols/json/derivation/index.md) for further details.
 
 - C API: `nix_get_attr_name_byidx`, `nix_get_attr_byidx` take a `nix_value *` instead of `const nix_value *` [#13987](https://github.com/NixOS/nix/pull/13987)
 

doc/manual/source/store/build-trace.md

@@ -0,0 +1,53 @@
+# Build Trace
+
+> **Warning**
+>
+> This entire concept is currently
+> [**experimental**](@docroot@/development/experimental-features.md#xp-feature-ca-derivations)
+> and subject to change.
+
+The *build trace* is a [memoization table](https://en.wikipedia.org/wiki/Memoization) for builds.
+It maps the inputs of builds to the outputs of builds.
+Concretely, that means it maps [derivations][derivation] to maps of [output] names to [store objects][store object].
+
+In general the derivations used as a key should be [*resolved*](./resolution.md).
+A build trace with all-resolved-derivation keys is also called a *base build trace* for extra clarity.
+If all the resolved inputs of a derivation are content-addressed, that means the inputs will be fully determined, leaving no ambiguity for what build was performed.
+(Input-addressed inputs however are still ambiguous. They too should be locked down, but this is left as future work.)
+
+Accordingly, to look up an unresolved derivation, one must first resolve it to get a resolved derivation.
+Resolving itself involves looking up entries in the build trace, so this is a mutually recursive process that will end up inspecting possibly many entries.
+
+Except for the issue with input-addressed paths called out above, base build traces are trivially *coherent* -- incoherence is not possible.
+That means that the claims that each key-value base build try entry makes are independent, and no mapping invalidates another mapping.
+
+Whether the mappings are *true*, i.e. the faithful recording of actual builds performed, is another matter.
+Coherence is about the multiple claims of the build trace being mutually consistent, not about whether the claims are individually true or false.
+
+In general, there is no way to audit a build trace entry except for by performing the build again from scratch.
+And even in that case, a different result doesn't mean the original entry was a "lie", because the derivation being built may be non-deterministic.
+As such, the decision of whether to trust a counterparty's build trace is a fundamentally subject policy choice.
+Build trace entries are typically *signed* in order to enable arbitrary public-key-based trust polices.
+
+## Derived build traces {#derived}
+
+Implementations that wish to memoize the above may also keep additional *derived* build trace entries that do map unresolved derivations.
+But if they do so, they *must* also keep the underlying base entries with resolved derivation keys around.
+Firstly, this ensures that the derived entries are merely cache, which could be recomputed from scratch.
+Secondly, this ensures the coherence of the derived build trace.
+
+Unlike with base build traces, incoherence with derived build traces is possible.
+The key ingredient is that derivation resolution is only deterministic with respect to a fixed base build trace.
+Without fixing the base build trace, it inherits the subjectivity of base build traces themselves.
+
+Concretely, suppose there are three derivations \\(a\\), \\(b\\), and \\(c\\).
+Let \\(a\\) be a resolved derivation, but let \\(b\\) and \\(c\\) be unresolved and both take as an input an output of \\(a\\).
+Now suppose that derived entries are made for \\(b\\) and \\(c\\) based on two different entries of \\(a\\).
+(This could happen if \\(a\\) is non-deterministic, \\(a\\) and \\(b\\) are built in one store, \\(a\\) and \\(c\\) are built in another store, and then a third store substitutes from both of the first two stores.)
+
+If trusting the derived build trace entries for \\(b\\) and \\(c\\) requires that each's underlying entry for \\(a\\) be also trusted, the two different mappings for \\(a\\) will be caught.
+However, if \\(b\\) and \\(c\\)'s entries can be combined in isolation, there will be nothing to catch the contradiction in their hidden assumptions about \\(a\\)'s output.
+
+[derivation]: ./derivation/index.md
+[output]: ./derivation/outputs/index.md
+[store object]: @docroot@/store/store-object.md

doc/manual/source/store/building.md

@@ -8,14 +8,15 @@
 
 - Once this is done, the derivation is *normalized*, replacing each input deriving path with its store path, which we now know from realising the input.
 
-## Builder Execution
+## Builder Execution {#builder-execution}
 
 The [`builder`](./derivation/index.md#builder) is executed as follows:
 
-- A temporary directory is created under the directory specified by
-  `TMPDIR` (default `/tmp`) where the build will take place. The
+- A temporary directory is created where the build will take place. The
   current directory is changed to this directory.
 
+  See the per-store [`build-dir`](@docroot@/store/types/local-store.md#store-local-store-build-dir) setting for more information.
+
 - The environment is cleared and set to the derivation attributes, as
   specified above.
 

doc/manual/source/store/derivation/index.md

@@ -102,7 +102,7 @@ But rather than somehow scanning all the other fields for inputs, Nix requires t
 
 ### System {#system}
 
-The system type on which the [`builder`](#attr-builder) executable is meant to be run.
+The system type on which the [`builder`](#builder) executable is meant to be run.
 
 A necessary condition for Nix to schedule a given derivation on some [Nix instance] is for the "system" of that derivation to match that instance's [`system` configuration option] or [`extra-platforms` configuration option].
 
@@ -192,7 +192,7 @@ There are two formats, documented separately:
 
 - The legacy ["ATerm" format](@docroot@/protocols/derivation-aterm.md)
 
-- The experimental, currently under development and changing [JSON format](@docroot@/protocols/json/derivation.md)
+- The experimental, currently under development and changing [JSON format](@docroot@/protocols/json/derivation/index.md)
 
 Every derivation has a canonical choice of encoding used to serialize it to a store object.
 This ensures that there is a canonical [store path] used to refer to the derivation, as described in [Referencing derivations](#derivation-path).
@@ -245,7 +245,7 @@ If those other derivations *also* abide by this common case (and likewise for tr
   >                                                           note the ".drv"
   > ```
 
-## Extending the model to be higher-order
+## Extending the model to be higher-order {#dynamic}
 
 **Experimental feature**: [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations)
 

doc/manual/source/store/derivation/outputs/content-address.md

@@ -167,10 +167,10 @@ It is only in the potential for that check to fail that they are different.
 >
 > In a future world where floating content-addressing is also stable, we in principle no longer need separate [fixed](#fixed) content-addressing.
 > Instead, we could always use floating content-addressing, and separately assert the precise value content address of a given store object to be used as an input (of another derivation).
-> A stand-alone assertion object of this sort is not yet implemented, but its possible creation is tracked in [Issue #11955](https://github.com/NixOS/nix/issues/11955).
+> A stand-alone assertion object of this sort is not yet implemented, but its possible creation is tracked in [issue #11955](https://github.com/NixOS/nix/issues/11955).
 >
 > In the current version of Nix, fixed outputs which fail their hash check are still registered as valid store objects, just not registered as outputs of the derivation which produced them.
-> This is an optimization that means if the wrong output hash is specified in a derivation, and then the derivation is recreated with the right output hash, derivation does not need to be rebuilt --- avoiding downloading potentially large amounts of data twice.
+> This is an optimization that means if the wrong output hash is specified in a derivation, and then the derivation is recreated with the right output hash, derivation does not need to be rebuilt — avoiding downloading potentially large amounts of data twice.
 > This optimisation prefigures the design above:
 > If the output hash assertion was removed outside the derivation itself, Nix could additionally not only register that outputted store object like today, but could also make note that derivation did in fact successfully download some data.
 For example, for the "fetch URL" example above, making such a note is tantamount to recording what data is available at the time of download at the given URL.

doc/manual/source/store/derivation/outputs/index.md

@@ -43,7 +43,7 @@ In particular, the specification decides:
 
 - if the content is content-addressed, how is it content addressed
 
-- if the content is content-addressed, [what is its content address](./content-address.md#fixed-content-addressing) (and thus what is its [store path])
+- if the content is content-addressed, [what is its content address](./content-address.md#fixed) (and thus what is its [store path])
 
 ## Types of derivations
 

doc/manual/source/store/derivation/outputs/input-address.md

@@ -6,26 +6,221 @@
 That is to say, an input-addressed output's store path is a function not of the output itself, but of the derivation that produced it.
 Even if two store paths have the same contents, if they are produced in different ways, and one is input-addressed, then they will have different store paths, and thus guaranteed to not be the same store object.
 
-<!---
+## Modulo content addressed derivation outputs {#hash-quotient-drv}
 
-### Modulo fixed-output derivations
+A naive implementation of an output hash computation for input-addressed outputs would be to hash the derivation hash and output together.
+This clearly has the uniqueness properties we want for input-addressed outputs, but suffers from an inefficiency.
+Specifically, new builds would be required whenever a change is made to a fixed-output derivation, despite having provably no differences in the inputs to the new derivation compared to what it used to be.
+Concretely, this would cause a "mass rebuild" whenever any fetching detail changes, including mirror lists, certificate authority certificates, etc.
 
-**TODO hash derivation modulo.**
+To solve this problem, we compute output hashes differently, so that certain output hashes become identical.
+We call this concept quotient hashing, in reference to quotient types or sets.
 
-So how do we compute the hash part of the output path of a derivation?
-This is done by the function `hashDrv`, shown in Figure 5.10.
-It distinguishes between two cases.
-If the derivation is a fixed-output derivation, then it computes a hash over just the `outputHash` attributes.
+So how do we compute the hash part of the output paths of an input-addressed derivation?
+This is done by the function `hashQuotientDerivation`, shown below.
 
-If the derivation is not a fixed-output derivation, we replace each element in the derivation’s inputDrvs with the result of a call to `hashDrv` for that element.
-(The derivation at each store path in `inputDrvs` is converted from its on-disk ATerm representation back to a `StoreDrv` by the function `parseDrv`.) In essence, `hashDrv` partitions store derivations into equivalence classes, and for hashing purpose it replaces each store path in a derivation graph with its equivalence class.
+First, a word on inputs.
+`hashQuotientDerivation` is only defined on derivations whose [inputs](@docroot@/store/derivation/index.md#inputs) take the first-order form:
+```typescript
+type ConstantPath = {
+  path: StorePath;
+};
 
-The recursion in Figure 5.10 is inefficient:
-it will call itself once for each path by which a subderivation can be reached, i.e., `O(V k)` times for a derivation graph with `V` derivations and with out-degree of at most `k`.
-In the actual implementation, memoisation is used to reduce this to `O(V + E)` complexity for a graph with E edges.
+type FirstOrderOutputPath = {
+  drvPath: StorePath;
+  output: OutputName;
+};
 
--->
+type FirstOrderDerivingPath = ConstantPath | FirstOrderOutputPath;
 
+type Inputs = Set<FirstOrderDerivingPath>;
+```
+
+For the algorithm below, we adopt a derivation where the two types of (first order) derived paths are partitioned into two sets, as follows:
+```typescript
+type Derivation = {
+  // inputs: Set<FirstOrderDerivingPath>; // replaced
+  inputSrcs: Set<ConstantPath>; // new instead
+  inputDrvOutputs: Set<FirstOrderOutputPath>; // new instead
+  // ...other fields...
+};
+```
+
+In the [currently-experimental][xp-feature-dynamic-derivations] higher-order case where outputs of outputs are allowed as [deriving paths][deriving-path] and thus derivation inputs, derivations using that generalization are not valid arguments to this function.
+Those derivations must be (partially) [resolved](@docroot@/store/resolution.md) enough first, to the point where no such higher-order inputs remain.
+Then, and only then, can input addresses be assigned.
+
+```
+function hashQuotientDerivation(drv) -> Hash:
+    assert(drv.outputs are input-addressed)
+    drv′ ← drv with {
+        inputDrvOutputs = ⋃(
+            assert(drvPath is store path)
+            case hashOutputsOrQuotientDerivation(readDrv(drvPath)) of
+                drvHash : Hash →
+                    (drvHash.toBase16(), output)
+                outputHashes : Map[String, Hash] →
+                    (outputHashes[output].toBase16(), "out")
+            | (drvPath, output) ∈ drv.inputDrvOutputs
+        )
+    }
+    return hashSHA256(printDrv(drv′))
+
+function hashOutputsOrQuotientDerivation(drv) -> Map[String, Hash] | Hash:
+    if drv.outputs are content-addressed:
+        return {
+            outputName ↦ hashSHA256(
+                "fixed:out:" + ca.printMethodAlgo() +
+                ":" + ca.hash.toBase16() +
+                ":" + ca.makeFixedOutputPath(drv.name, outputName))
+            | (outputName ↦ output) ∈ drv.outputs
+            , ca = output.contentAddress // or get from build trace if floating
+        }
+    else: // drv.outputs are input-addressed
+        return hashQuotientDerivation(drv)
+```
+
+### `hashQuotientDerivation`
+
+We replace each element in the derivation's `inputDrvOutputs` using data from a call to `hashOutputsOrQuotientDerivation` on the `drvPath` of that element.
+When `hashOutputsOrQuotientDerivation` returns a single drv hash (because the input derivation in question is input-addressing), we simply swap out the `drvPath` for that hash, and keep the same output name.
+When `hashOutputsOrQuotientDerivation` returns a map of content addresses per-output, we look up the output in question, and pair it with the output name `out`.
+
+The resulting pseudo-derivation (with hashes instead of store paths in `inputDrvs`) is then printed (in the ["ATerm" format](@docroot@/protocols/derivation-aterm.md)) and hashed, and this becomes the hash of the "quotient derivation".
+
+When calculating output hashes, `hashQuotientDerivation` is called on an almost-complete input-addressing derivation, which is just missing its input-addressed outputs paths.
+The derivation hash is then used to calculate output paths for each output.
+<!-- TODO describe how this is done. -->
+Those output paths can then be substituted into the almost-complete input-addressed derivation to complete it.
+
+> **Note**
+>
+> There may be an unintentional deviation from specification currently implemented in the `(outputHashes[output].toBase16(), "out")` case.
+> This is not fatal because the deviation would only apply for content-addressing derivations with more than one output, and that only occurs in the floating case, which is [experimental][xp-feature-ca-derivations].
+> Once this bug is fixed, this note will be removed.
+
+### `hashOutputsOrQuotientDerivation`
+
+How does `hashOutputsOrQuotientDerivation` in turn work?
+It consists of two main cases, based on whether the outputs of the derivation are to be input-addressed or content-addressed.
+
+#### Input-addressed outputs case
+
+In the input-addressed case, it just calls `hashQuotientDerivation`, and returns that derivation hash.
+This makes `hashQuotientDerivation` and `hashOutputsOrQuotientDerivation` mutually-recursive.
+
+> **Note**
+>
+> In this case, `hashQuotientDerivation` is being called on a *complete* input-addressing derivation that already has its output paths calculated.
+> The `inputDrvs` substitution takes place anyways.
+
+#### Content-addressed outputs case
+
+If the outputs are [content-addressed](./content-address.md), then it computes a hash for each output derived from the content-address of that output.
+
+> **Note**
+>
+> In the [fixed](./content-address.md#fixed) content-addressing case, the outputs' content addresses are statically specified in advance, so this always just works.
+> (The fixed case is what the pseudo-code shows.)
+>
+> In the [floating](./content-address.md#floating) case, the content addresses are not specified in advance.
+> This is what the "or get from [build trace](@docroot@/store/build-trace.md) if floating" comment refers to.
+> In this case, the algorithm is *stuck* until the input in question is built, and we know what the actual contents of the output in question is.
+>
+> That is OK however, because there is no problem with delaying the assigning of input addresses (which, remember, is what `hashQuotientDerivation` is ultimately for) until all inputs are known.
+
+### Performance
+
+The recursion in the algorithm is potentially inefficient:
+it could call itself once for each path by which a subderivation can be reached, i.e., `O(V^k)` times for a derivation graph with `V` derivations and with out-degree of at most `k`.
+In the actual implementation, [memoisation](https://en.wikipedia.org/wiki/Memoization) is used to reduce this cost to be proportional to the total number of `inputDrvOutputs` encountered.
+
+### Semantic properties
+
+*See [this chapter's appendix](@docroot@/store/math-notation.md) on grammar and metavariable conventions.*
+
+In essence, `hashQuotientDerivation` partitions input-addressing derivations into equivalence classes: every derivation in that equivalence class is mapped to the same derivation hash.
+We can characterize this equivalence relation directly, by working bottom up.
+
+We start by defining an equivalence relation on first-order output deriving paths that refer content-addressed derivation outputs. Two such paths are equivalent if they refer to the same store object:
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$d\_1$ is content-addressing}
+\\AxiomC{$d\_2$ is content-addressing}
+\\AxiomC{$
+  {}^\*(\text{path}(d\_1), o\_1)
+  \=
+  {}^\*(\text{path}(d\_2), o\_2)
+$}
+\\TrinaryInfC{$(\text{path}(d\_1), o\_1) \\,\\sim_{\\mathrm{CA}}\\, (d\_2, o\_2)$}
+\\end{prooftree}
+\\]
+
+where \\({}^*(s, o)\\) denotes the store object that the output deriving path refers to.
+
+We will also need the following construction to lift any equivalence relation on \\(X\\) to an equivalence relation on (finite) sets of \\(X\\) (in short, \\(\\mathcal{P}(X)\\)):
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$\\forall a \\in A. \\exists b \\in B. a \\,\\sim\_X\\, b$}
+\\AxiomC{$\\forall b \\in B. \\exists a \\in A. b \\,\\sim\_X\\, a$}
+\\BinaryInfC{$A \\,\\sim_{\\mathcal{P}(X)}\\, B$}
+\\end{prooftree}
+\\]
+
+Now we can define the equivalence relation \\(\\sim_\\mathrm{IA}\\) on input-addressed derivation outputs. Two input-addressed outputs are equivalent if their derivations are equivalent (via the yet-to-be-defined \\(\\sim_{\\mathrm{IADrv}}\\) relation) and their output names are the same:
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$d\_1$ is input-addressing}
+\\AxiomC{$d\_2$ is input-addressing}
+\\AxiomC{$d\_1 \\,\\sim_{\\mathrm{IADrv}}\\, d\_2$}
+\\AxiomC{$o\_1 = o\_2$}
+\\QuaternaryInfC{$(\text{path}(d\_1), o\_1) \\,\\sim_{\\mathrm{IA}}\\, (\text{path}(d\_2), o\_2)$}
+\\end{prooftree}
+\\]
+
+And now we can define \\(\\sim_{\\mathrm{IADrv}}\\).
+Two input-addressed derivations are equivalent if their content-addressed inputs are equivalent, their input-addressed inputs are also equivalent, and they are otherwise equal:
+
+<!-- cheating a bit with the semantics to get a good layout that fits on the page -->
+
+\\[
+\\begin{prooftree}
+\\alwaysNoLine
+\\AxiomC{$
+  \\mathrm{caInputs}(d\_1)
+  \\,\\sim_{\\mathcal{P}(\\mathrm{CA})}\\,
+  \\mathrm{caInputs}(d\_2)
+$}
+\\AxiomC{$
+  \\mathrm{iaInputs}(d\_1)
+  \\,\\sim_{\\mathcal{P}(\\mathrm{IA})}\\,
+  \\mathrm{iaInputs}(d\_2)
+$}
+\\BinaryInfC{$
+  d\_1\left[\\mathrm{inputDrvOutputs} := \\{\\}\right]
+  \=
+  d\_2\left[\\mathrm{inputDrvOutputs} := \\{\\}\right]
+$}
+\\alwaysSingleLine
+\\UnaryInfC{$d\_1 \\,\\sim_{\\mathrm{IADrv}}\\, d\_2$}
+\\end{prooftree}
+\\]
+
+where \\(\\mathrm{caInputs}(d)\\) returns the content-addressed inputs of \\(d\\) and \\(\\mathrm{iaInputs}(d)\\) returns the input-addressed inputs.
+
+> **Note**
+>
+> An astute reader might notice that that nowhere does `inputSrcs` enter into these definitions.
+> That means that replacing an input derivation with its outputs directly added to `inputSrcs` always results in a derivation in a different equivalence class, despite the resulting input closure (as would be mounted in the store at build time) being the same.
+> [Issue #9259](https://github.com/NixOS/nix/issues/9259) is about creating a coarser equivalence relation to address this.
+>
+> \\(\\sim_\mathrm{Drv}\\) from [derivation resolution](@docroot@/store/resolution.md) is such an equivalence relation.
+> It is coarser than this one: any two derivations which are "'hash quotient derivation'-equivalent" (\\(\\sim_\mathrm{IADrv}\\)) are also "resolution-equivalent" (\\(\\sim_\mathrm{Drv}\\)).
+> It also relates derivations whose `inputDrvOutputs` have been rewritten into `inputSrcs`.
+
+[deriving-path]: @docroot@/store/derivation/index.md#deriving-path
+[xp-feature-dynamic-derivations]: @docroot@/development/experimental-features.md#xp-feature-dynamic-derivations
 [xp-feature-ca-derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
-[xp-feature-git-hashing]: @docroot@/development/experimental-features.md#xp-feature-git-hashing
-[xp-feature-impure-derivations]: @docroot@/development/experimental-features.md#xp-feature-impure-derivations

doc/manual/source/store/file-system-object.md

@@ -3,19 +3,23 @@
 Nix uses a simplified model of the file system, which consists of file system objects.
 Every file system object is one of the following:
 
- - File
+ - [**Regular File**]{#regular}
 
    - A possibly empty sequence of bytes for contents
    - A single boolean representing the [executable](https://en.m.wikipedia.org/wiki/File-system_permissions#Permissions) permission
 
- - Directory
+ - [**Directory**]{#directory}
 
    Mapping of names to child file system objects
 
- - [Symbolic link](https://en.m.wikipedia.org/wiki/Symbolic_link)
+ - [**Symbolic link**]{#symlink}
 
-   An arbitrary string.
-   Nix does not assign any semantics to symbolic links.
+   An arbitrary string, known as the *target* of the symlink.
+
+   In general, Nix does not assign any semantics to symbolic links.
+   Certain operations however, may make additional assumptions and attempt to use the target to find another file system object.
+
+   > See [the Wikpedia article on symbolic links](https://en.m.wikipedia.org/wiki/Symbolic_link) for background information if you are unfamiliar with this Unix concept.
 
 File system objects and their children form a tree.
 A bare file or symlink can be a root file system object.

doc/manual/source/store/file-system-object/content-address.md

@@ -46,7 +46,7 @@ be many different serialisations.
 For these reasons, Nix has its very own archive format—the Nix Archive (NAR) format,
 which is carefully designed to avoid the problems described above.
 
-The exact specification of the Nix Archive format is in [specified here](../../protocols/nix-archive.md).
+The exact specification of the Nix Archive format is in [specified here](../../protocols/nix-archive/index.md).
 
 ## Content addressing File System Objects beyond a single serialisation pass
 

doc/manual/source/store/math-notation.md

@@ -0,0 +1,16 @@
+# Appendix: Math notation
+
+A few times in this manual, formal "proof trees" are used for [natural deduction](https://en.wikipedia.org/wiki/Natural_deduction)-style definition of various [relations](https://en.wikipedia.org/wiki/Relation_(mathematics)).
+
+The following grammar and assignment of metavariables to syntactic categories is used in these sections.
+
+\\begin{align}
+s, t &\in \text{store-path} \\\\
+o &\in \text{output-name} \\\\
+i, p &\in \text{deriving-path} \\\\
+d &\in \text{derivation}
+\\end{align}
+
+\\begin{align}
+\text{deriving-path} \quad p &::= s \mid (p, o)
+\\end{align}

doc/manual/source/store/resolution.md

@@ -0,0 +1,219 @@
+# Derivation Resolution
+
+*See [this chapter's appendix](@docroot@/store/math-notation.md) on grammar and metavariable conventions.*
+
+To *resolve* a derivation is to replace its [inputs] with the simplest inputs — plain store paths — that denote the same store objects.
+
+Derivations that only have store paths as inputs are likewise called *resolved derivations*.
+(They are called that whether they are in fact the output of derivation resolution, or just made that way without non-store-path inputs to begin with.)
+
+## Input Content Equivalence of Derivations
+
+[Deriving paths][deriving-path] intentionally make it possible to refer to the same [store object] in multiple ways.
+This is a consequence of content-addressing, since different derivations can produce the same outputs, and the same data can also be manually added to the store.
+This is also a consequence even of input-addressing, as an output can be referred to by derivation and output name, or directly by its [computed](./derivation/outputs/input-address.md) store path.
+Since dereferencing deriving paths is thus not injective, it induces an equivalence relation on deriving paths.
+
+Let's call this equivalence relation \\(\\sim\\), where \\(p_1 \\sim p_2\\) means that deriving paths \\(p_1\\) and \\(p_2\\) refer to the same store object.
+
+**Content Equivalence**: Two deriving paths are equivalent if they refer to the same store object:
+
+\\[
+\\begin{prooftree}
+\\AxiomC{${}^*p_1 = {}^*p_2$}
+\\UnaryInfC{$p_1 \\,\\sim_\\mathrm{DP}\\, p_2$}
+\\end{prooftree}
+\\]
+
+where \\({}^\*p\\) denotes the store object that deriving path \\(p\\) refers to.
+
+This also induces an equivalence relation on sets of deriving paths:
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$\\{ {}^*p | p \\in P_1 \\} = \\{ {}^*p | p \\in P_2 \\}$}
+\\UnaryInfC{$P_1 \\,\\sim_{\\mathcal{P}(\\mathrm{DP})}\\, P_2$}
+\\end{prooftree}
+\\]
+
+**Input Content Equivalence**: This, in turn, induces an equivalence relation on derivations: two derivations are equivalent if their inputs are equivalent, and they are otherwise equal:
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$\\mathrm{inputs}(d_1) \\,\\sim_{\\mathcal{P}(\\mathrm{DP})}\\, \\mathrm{inputs}(d_2)$}
+\\AxiomC{$
+  d\_1\left[\\mathrm{inputs} := \\{\\}\right]
+  \=
+  d\_2\left[\\mathrm{inputs} := \\{\\}\right]
+$}
+\\BinaryInfC{$d_1 \\,\\sim_\\mathrm{Drv}\\, d_2$}
+\\end{prooftree}
+\\]
+
+Derivation resolution always maps derivations to input-content-equivalent derivations.
+
+## Resolution relation
+
+Dereferencing a derived path — \\({}^\*p\\) above — was just introduced as a black box.
+But actually it is a multi-step process of looking up build results in the [build trace] that itself depends on resolving the lookup keys.
+Resolution is thus a recursive multi-step process that is worth diagramming formally.
+
+We can do this with a small-step binary transition relation; let's call it \\(\rightsquigarrow\\).
+We can then conclude dereferenced equality like this:
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$p\_1 \\rightsquigarrow^* p$}
+\\AxiomC{$p\_2 \\rightsquigarrow^* p$}
+\\BinaryInfC{${}^*p\_1 = {}^*p\_2$}
+\\end{prooftree}
+\\]
+
+I.e. by showing that both original items resolve (over 0 or more small steps, hence the \\({}^*\\)) to the same exact item.
+
+With this motivation, let's now formalize a [small-step](https://en.wikipedia.org/wiki/Operational_semantics#Small-step_semantics) system of reduction rules for resolution.
+
+### Formal rules
+
+### \\(\text{resolved}\\) unary relation
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$s \in \text{store-path}$}
+\\UnaryInfC{$s$ resolved}
+\\end{prooftree}
+\\]
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$\forall i \in \mathrm{inputs}(d). i \text{ resolved}$}
+\\UnaryInfC{$d$ resolved}
+\\end{prooftree}
+\\]
+
+### \\(\rightsquigarrow\\) binary relation
+
+> **Remark**
+>
+> Actually, to be completely formal we would need to keep track of the build trace we are choosing to resolve against.
+>
+> We could do that by making \\(\rightsquigarrow\\) a ternary relation, which would pass the build trace to itself until it finally uses it in that one rule.
+> This would add clutter more than insight, so we didn't bother to write it.
+>
+> There are other options too, like saying the whole reduction rule system is parameterized on the build trace, essentially [currying](https://en.wikipedia.org/wiki/Currying) the ternary \\(\rightsquigarrow\\) into a function from build traces to the binary relation written above.
+
+#### Core build trace lookup rule
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$s \in \text{store-path}$}
+\\AxiomC{${}^*s \in \text{derivation}$}
+\\AxiomC{${}^*s$ resolved}
+\\AxiomC{$\mathrm{build\text{-}trace}[s][o] = t$}
+\\QuaternaryInfC{$(s, o) \rightsquigarrow t$}
+\\RightLabel{\\scriptsize output path resolution}
+\\end{prooftree}
+\\]
+
+#### Inductive rules
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$i \\rightsquigarrow i'$}
+\\AxiomC{$i \\in \\mathrm{inputs}(d)$}
+\\BinaryInfC{$d \\rightsquigarrow d[i \\mapsto i']$}
+\\end{prooftree}
+\\]
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$d \\rightsquigarrow d'$}
+\\UnaryInfC{$(\\mathrm{path}(d), o) \\rightsquigarrow (\\mathrm{path}(d'), o)$}
+\\end{prooftree}
+\\]
+
+\\[
+\\begin{prooftree}
+\\AxiomC{$p \\rightsquigarrow p'$}
+\\UnaryInfC{$(p, o) \\rightsquigarrow (p', o)$}
+\\end{prooftree}
+\\]
+
+### Properties
+
+Like all well-behaved evaluation relations, partial resolution is [*confluent*](https://en.wikipedia.org/wiki/Confluence_(abstract_rewriting)).
+Also, if we take the symmetric closure of \\(\\rightsquigarrow^\*\\), we end up with the equivalence relations of the previous section.
+Resolution respects content equivalence for deriving paths, and input content equivalence for derivations.
+
+> **Remark**
+>
+> We chose to define from scratch an "resolved" unary relation explicitly above.
+> But it can also be defined as the normal forms of the \\(\\rightsquigarrow^\*\\) relation:
+>
+> \\[ a \text{ resolved} \Leftrightarrow \forall b. b \rightsquigarrow^* a \Rightarrow b = a\\]
+>
+> In prose, resolved terms are terms which \\(\\rightsquigarrow^\*\\) only relates on the left side to the same term on the right side; they are the terms which can be resolved no further.
+
+## Partial versus Complete Resolution
+
+Similar to evaluation, we can also speak of *partial* versus *complete* derivation resolution.
+Partial derivation resolution is what we've actually formalized above with \\(\\rightsquigarrow^\*\\).
+Complete resolution is resolution ending in a resolved term (deriving path or derivation).
+(Which is a normal form of the relation, per the remark above.)
+
+With partial resolution, a derivation is related to equivalent derivations with the same or simpler inputs, but not all those inputs will be plain store paths.
+This is useful when the input refers to a floating content addressed output we have not yet built — we don't know what (content-address) store path will used for that derivation, so we are "stuck" trying to resolve the deriving path in question.
+(In the above formalization, this happens when the build trace is missing the keys we wish to look up in it.)
+
+Complete resolution is a *functional* relation, i.e. values on the left are uniquely related with values on the right.
+It is not however, a *total* relation (in general, assuming arbitrary build traces).
+This is discussed in the next section.
+
+## Termination
+
+For static derivations graphs, complete resolution is indeed total, because it always terminates for all inputs.
+(A relation that is both total and functional is a function.)
+
+For [dynamic][xp-feature-dynamic-derivations] derivation graphs, however, this is not the case — resolution is not guaranteed to terminate.
+The issue isn't rewriting deriving paths themselves:
+a single rewrite to normalize an output deriving path to a constant one always exists, and always proceeds in one step.
+The issue is that dynamic derivations (i.e. those that are filled-in the graph by a previous resolution) may have more transitive dependencies than the original derivation.
+
+> **Example**
+>
+> Suppose we have this deriving path
+> ```json
+> {
+>   "drvPath": {
+>     "drvPath": "...-foo.drv",
+>     "output": "bar.drv"
+>   },
+>   "output": "baz"
+> }
+> ```
+> and derivation `foo` is already resolved.
+> When we resolve deriving path we'll end up with something like.
+> ```json
+> {
+>   "drvPath": "...-foo-bar.drv",
+>   "output": "baz"
+> }
+> ```
+> So far is just an atomic single rewrite, with no termination issues.
+> But the derivation `foo-bar` may have its *own* dynamic derivation inputs.
+> Resolution must resolve that derivation first before the above deriving path can finally be normalized to a plain `...-foo-bar-baz` store path.
+
+The important thing to notice is that while "build trace" *keys* must be resolved.
+The *value* those keys are mapped to have no such constraints.
+An arbitrary store object has no notion of being resolved or not.
+But, an arbitrary store object can be read back as a derivation (as will in fact be done in case for dynamic derivations / nested output deriving paths).
+And those derivations need *not* be resolved.
+
+It is those dynamic non-resolved derivations which are the source of non-termination.
+By the same token, they are also the reason why dynamic derivations offer greater expressive power.
+
+[store object]: @docroot@/store/store-object.md
+[inputs]: @docroot@/store/derivation/index.md#inputs
+[build trace]: @docroot@/store/build-trace.md
+[deriving-path]: @docroot@/store/derivation/index.md#deriving-path
+[xp-feature-dynamic-derivations]: @docroot@/development/experimental-features.md#xp-feature-dynamic-derivations

doc/manual/source/store/secrets.md

@@ -0,0 +1,20 @@
+# Secrets
+
+The store is readable to all users on the system. For this reason, it
+is generally discouraged to allow secrets to make it into the store.
+
+Even on a single-user system, separate system users isolate services
+from each other and having secrets that all local users can read
+weakens that isolation. When using external store caches the secrets
+may end up there, and on multi-user systems the secrets will be
+available to all those users.
+
+Organize your derivations so that secrets are read from the filesystem
+(with appropriate access controls) at run time. Place the secrets on
+the filesystem manually or use a scheme that includes the secret in
+the store in encrypted form, and decrypts it adding the relevant
+access control on system activation.
+Several such schemes for NixOS can in the
+[comparison of secret managing schemes] on the wiki.
+
+[comparison of secret managing schemes]: https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes

doc/manual/source/store/store-object/content-address.md

@@ -1,7 +1,7 @@
 # Content-Addressing Store Objects
 
 Just [like][fso-ca] [File System Objects][File System Object],
-[Store Objects][Store Object] can also be [content-addressed](@docroot@/glossary.md#gloss-content-addressed),
+[Store Objects][Store Object] can also be [content-addressed](@docroot@/glossary.md#gloss-content-address),
 unless they are [input-addressed](@docroot@/glossary.md#gloss-input-addressed-store-object).
 
 For store objects, the content address we produce will take the form of a [Store Path] rather than regular hash.
@@ -107,7 +107,7 @@ References (to other store objects and self-references alike) are supported so l
 >
 > This method is part of the [`git-hashing`][xp-feature-git-hashing] experimental feature.
 
-This uses the corresponding [Git](../file-system-object/content-address.md#serial-git) method of file system object content addressing.
+This uses the corresponding [Git](../file-system-object/content-address.md#git) method of file system object content addressing.
 
 References are not supported.
 

doc/manual/source/store/store-path.md

@@ -6,7 +6,7 @@
 >
 > A rendered store path
 
-Nix implements references to [store objects](./index.md#store-object) as *store paths*.
+Nix implements references to [store objects](./store-object.md) as *store paths*.
 
 Think of a store path as an [opaque], [unique identifier]:
 The only way to obtain store path is by adding or building store objects.

doc/manual/substitute.py

@@ -41,6 +41,10 @@ def recursive_replace(data: dict[str, t.Any], book_root: Path, search_path: Path
             return data | dict(
                 sections = [recursive_replace(section, book_root, search_path) for section in sections],
             )
+        case {'items': items}:
+            return data | dict(
+                items = [recursive_replace(item, book_root, search_path) for item in items],
+            )
         case {'Chapter': chapter}:
             path_to_chapter = Path(chapter['path'])
             chapter_content = chapter['content']

doc/manual/theme/head.hbs

@@ -0,0 +1,15 @@
+<script>
+MathJax = {
+  loader: {load: ['[tex]/bussproofs']},
+  tex: {
+    packages: {'[+]': ['bussproofs']},
+    // Doesn't seem to work in mathjax 3
+    //formatError: function(jax, error) {
+    //  console.log(`TeX error in "${jax.latex}": ${error.message}`);
+    //  return jax.formatError(error);
+    //}
+  }
+};
+</script>
+<!-- Load a newer versino of MathJax than mdbook does by default, and which in particular has working relative paths for the "bussproofs" extension. -->
+<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/3.0.1/es5/tex-mml-chtml.js"></script>

docker.nix

@@ -10,7 +10,7 @@
   tag ? "latest",
   bundleNixpkgs ? true,
   channelName ? "nixpkgs",
-  channelURL ? "https://nixos.org/channels/nixpkgs-unstable",
+  channelURL ? "https://channels.nixos.org/nixpkgs-unstable",
   extraPkgs ? [ ],
   maxLayers ? 70,
   nixConf ? { },