libutil: Remove really dead code for git hashing

It's not being excersised by anything and already contains bugs (like the fact that copyRecursive only handles the first entry in a directory). Evidently, it can just be removed and was never used by anything.
Merge pull request #14600 from edef1c/push-tvmtozyqsmno
2025-11-20 22:13:58 +03:00 · 2025-11-20 07:36:10 +00:00 · 2025-11-20 03:50:26 +00:00 · 2025-11-20 01:50:10 +00:00 · 2025-11-20 04:01:38 +03:00 · 2025-11-20 04:01:37 +03:00
49 changed files with 1107 additions and 503 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -174,7 +174,7 @@ jobs:
        echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
        TARBALL_PATH="$(find "$GITHUB_WORKSPACE/out" -name 'nix*.tar.xz' -print | head -n 1)"
        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
-    - uses: cachix/install-nix-action@7ec16f2c061ab07b235a7245e06ed46fe9a1cab6 # v31.8.3
+    - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # v31.8.4
      if: ${{ !matrix.experimental-installer }}
      with:
        install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
--- a/doc/manual/source/command-ref/nix-build.md
+++ b/doc/manual/source/command-ref/nix-build.md
@@ -36,7 +36,7 @@ to a temporary location. The tarball must include a single top-level
 directory containing at least a file named `default.nix`.

 `nix-build` is essentially a wrapper around
-[`nix-instantiate`](nix-instantiate.md) (to translate a high-level Nix
+[`nix-instantiate`](./nix-instantiate.md) (to translate a high-level Nix
 expression to a low-level [store derivation]) and [`nix-store
 --realise`](@docroot@/command-ref/nix-store/realise.md) (to build the store
 derivation).
@@ -52,8 +52,8 @@ derivation).
 # Options

 All options not listed here are passed to
-[`nix-store --realise`](nix-store/realise.md),
-except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](nix-instantiate.md).
+[`nix-store --realise`](./nix-store/realise.md),
+except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](./nix-instantiate.md).

 - <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>

--- a/doc/manual/source/command-ref/nix-instantiate.md
+++ b/doc/manual/source/command-ref/nix-instantiate.md
@@ -32,7 +32,7 @@ standard input.

 - `--add-root` *path*

-  See the [corresponding option](nix-store.md) in `nix-store`.
+  See the [corresponding option](./nix-store.md) in `nix-store`.

 - `--parse`

--- a/packaging/dev-shell.nix
+++ b/packaging/dev-shell.nix
@@ -130,15 +130,19 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
    havePerl = stdenv.buildPlatform == stdenv.hostPlatform && stdenv.hostPlatform.isUnix;
    ignoreCrossFile = flags: builtins.filter (flag: !(lib.strings.hasInfix "cross-file" flag)) flags;

+    availableComponents = lib.filterAttrs (
+      k: v: lib.meta.availableOn pkgs.hostPlatform v
+    ) allComponents;
+
    activeComponents = buildInputsClosureCond isInternal (
-      lib.attrValues (finalAttrs.passthru.config.getComponents allComponents)
+      lib.attrValues (finalAttrs.passthru.config.getComponents availableComponents)
    );

    allComponents = lib.filterAttrs (k: v: lib.isDerivation v) pkgs.nixComponents2;
    internalDrvs = byDrvPath (
      # Drop the attr names (not present in buildInputs anyway)
-      lib.attrValues allComponents
-      ++ lib.concatMap (c: lib.attrValues c.tests or { }) (lib.attrValues allComponents)
+      lib.attrValues availableComponents
+      ++ lib.concatMap (c: lib.attrValues c.tests or { }) (lib.attrValues availableComponents)
    );

    isInternal =
@@ -187,19 +191,19 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
        );

      small =
-        (finalAttrs.finalPackage.withActiveComponents (c: {
-          inherit (c)
-            nix-cli
-            nix-util-tests
-            nix-store-tests
-            nix-expr-tests
-            nix-fetchers-tests
-            nix-flake-tests
-            nix-functional-tests
-            # Currently required
-            nix-perl-bindings
-            ;
-        })).overrideAttrs
+        (finalAttrs.finalPackage.withActiveComponents (
+          c:
+          lib.intersectAttrs (lib.genAttrs [
+            "nix-cli"
+            "nix-util-tests"
+            "nix-store-tests"
+            "nix-expr-tests"
+            "nix-fetchers-tests"
+            "nix-flake-tests"
+            "nix-functional-tests"
+            "nix-perl-bindings"
+          ] (_: null)) c
+        )).overrideAttrs
          (o: {
            mesonFlags = o.mesonFlags ++ [
              # TODO: infer from activeComponents or vice versa
--- a/src/kaitai-struct-checks/package.nix
+++ b/src/kaitai-struct-checks/package.nix
@@ -65,6 +65,6 @@ mkMesonDerivation (finalAttrs: {
  '';

  meta = {
-    platforms = lib.platforms.all;
+    platforms = lib.platforms.unix;
  };
 })
--- a/src/libcmd/common-eval-args.cc
+++ b/src/libcmd/common-eval-args.cc
@@ -132,7 +132,7 @@ MixEvalArgs::MixEvalArgs()
            fetchers::Attrs extraAttrs;
            if (to.subdir != "")
                extraAttrs["dir"] = to.subdir;
-            fetchers::overrideRegistry(fetchSettings, from.input, to.input, extraAttrs);
+            fetchers::overrideRegistry(from.input, to.input, extraAttrs);
        }},
        .completer = {[&](AddCompletions & completions, size_t, std::string_view prefix) {
            completeFlakeRef(completions, openStore(), prefix);
--- a/src/libcmd/installables.cc
+++ b/src/libcmd/installables.cc
@@ -185,7 +185,6 @@ MixFlakeOptions::MixFlakeOptions()
                    }

                    overrideRegistry(
-                        fetchSettings,
                        fetchers::Input::fromAttrs(fetchSettings, {{"type", "indirect"}, {"id", inputName}}),
                        input3->lockedRef.input,
                        extraAttrs);
--- a/src/libfetchers/include/nix/fetchers/registry.hh
+++ b/src/libfetchers/include/nix/fetchers/registry.hh
@@ -13,8 +13,6 @@ namespace nix::fetchers {

 struct Registry
 {
-    const Settings & settings;
-
    enum RegistryType {
        Flag = 0,
        User = 1,
@@ -34,9 +32,8 @@ struct Registry

    std::vector<Entry> entries;

-    Registry(const Settings & settings, RegistryType type)
-        : settings{settings}
-        , type{type}
+    Registry(RegistryType type)
+        : type{type}
    {
    }

@@ -59,7 +56,7 @@ Path getUserRegistryPath();

 Registries getRegistries(const Settings & settings, Store & store);

-void overrideRegistry(const Settings & settings, const Input & from, const Input & to, const Attrs & extraAttrs);
+void overrideRegistry(const Input & from, const Input & to, const Attrs & extraAttrs);

 enum class UseRegistries : int {
    No,
--- a/src/libfetchers/registry.cc
+++ b/src/libfetchers/registry.cc
@@ -14,10 +14,10 @@ std::shared_ptr<Registry> Registry::read(const Settings & settings, const Source
 {
    debug("reading registry '%s'", path);

-    auto registry = std::make_shared<Registry>(settings, type);
+    auto registry = std::make_shared<Registry>(type);

    if (!path.pathExists())
-        return std::make_shared<Registry>(settings, type);
+        return std::make_shared<Registry>(type);

    try {

@@ -125,15 +125,15 @@ std::shared_ptr<Registry> getCustomRegistry(const Settings & settings, const Pat
    return customRegistry;
 }

-std::shared_ptr<Registry> getFlagRegistry(const Settings & settings)
+std::shared_ptr<Registry> getFlagRegistry()
 {
-    static auto flagRegistry = std::make_shared<Registry>(settings, Registry::Flag);
+    static auto flagRegistry = std::make_shared<Registry>(Registry::Flag);
    return flagRegistry;
 }

-void overrideRegistry(const Settings & settings, const Input & from, const Input & to, const Attrs & extraAttrs)
+void overrideRegistry(const Input & from, const Input & to, const Attrs & extraAttrs)
 {
-    getFlagRegistry(settings)->add(from, to, extraAttrs);
+    getFlagRegistry()->add(from, to, extraAttrs);
 }

 static std::shared_ptr<Registry> getGlobalRegistry(const Settings & settings, Store & store)
@@ -141,7 +141,7 @@ static std::shared_ptr<Registry> getGlobalRegistry(const Settings & settings, St
    static auto reg = [&]() {
        auto path = settings.flakeRegistry.get();
        if (path == "") {
-            return std::make_shared<Registry>(settings, Registry::Global); // empty registry
+            return std::make_shared<Registry>(Registry::Global); // empty registry
        }

        return Registry::read(
@@ -165,7 +165,7 @@ static std::shared_ptr<Registry> getGlobalRegistry(const Settings & settings, St
 Registries getRegistries(const Settings & settings, Store & store)
 {
    Registries registries;
-    registries.push_back(getFlagRegistry(settings));
+    registries.push_back(getFlagRegistry());
    registries.push_back(getUserRegistry(settings));
    registries.push_back(getSystemRegistry(settings));
    registries.push_back(getGlobalRegistry(settings, store));
--- a/src/libstore-tests/data/derivation/ca/all_set.json
+++ b/src/libstore-tests/data/derivation/ca/all_set.json
@@ -4,10 +4,13 @@
  "allowSubstitutes": false,
  "exportReferencesGraph": {
    "refs1": [
-      "/164j69y6zir9z0339n8pjigg3rckinlr77bxsavzizdaaljb7nh9"
+      {
+        "drvPath": "j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv",
+        "output": "out"
+      }
    ],
    "refs2": [
-      "/nix/store/qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv"
+      "qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv"
    ]
  },
  "impureEnvVars": [
@@ -20,18 +23,36 @@
  "outputChecks": {
    "forAllOutputs": {
      "allowedReferences": [
-        "/164j69y6zir9z0339n8pjigg3rckinlr77bxsavzizdaaljb7nh9"
+        {
+          "drvPath": "j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv",
+          "output": "out"
+        }
      ],
      "allowedRequisites": [
-        "/0nr45p69vn6izw9446wsh9bng9nndhvn19kpsm4n96a5mycw0s4z",
-        "bin"
+        {
+          "drvPath": "self",
+          "output": "bin"
+        },
+        {
+          "drvPath": "j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv",
+          "output": "dev"
+        }
      ],
      "disallowedReferences": [
-        "/0nyw57wm2iicnm9rglvjmbci3ikmcp823czdqdzdcgsnnwqps71g",
-        "dev"
+        {
+          "drvPath": "self",
+          "output": "dev"
+        },
+        {
+          "drvPath": "qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv",
+          "output": "out"
+        }
      ],
      "disallowedRequisites": [
-        "/07f301yqyz8c6wf6bbbavb2q39j4n8kmcly1s09xadyhgy6x2wr8"
+        {
+          "drvPath": "qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv",
+          "output": "dev"
+        }
      ],
      "ignoreSelfRefs": true,
      "maxClosureSize": null,
--- a/src/libstore-tests/data/derivation/ca/structuredAttrs_all_set.json
+++ b/src/libstore-tests/data/derivation/ca/structuredAttrs_all_set.json
@@ -4,10 +4,13 @@
  "allowSubstitutes": false,
  "exportReferencesGraph": {
    "refs1": [
-      "/164j69y6zir9z0339n8pjigg3rckinlr77bxsavzizdaaljb7nh9"
+      {
+        "drvPath": "j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv",
+        "output": "out"
+      }
    ],
    "refs2": [
-      "/nix/store/qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv"
+      "qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv"
    ]
  },
  "impureEnvVars": [
@@ -23,11 +26,20 @@
        "allowedReferences": null,
        "allowedRequisites": null,
        "disallowedReferences": [
-          "/0nyw57wm2iicnm9rglvjmbci3ikmcp823czdqdzdcgsnnwqps71g",
-          "dev"
+          {
+            "drvPath": "self",
+            "output": "dev"
+          },
+          {
+            "drvPath": "qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv",
+            "output": "out"
+          }
        ],
        "disallowedRequisites": [
-          "/07f301yqyz8c6wf6bbbavb2q39j4n8kmcly1s09xadyhgy6x2wr8"
+          {
+            "drvPath": "qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv",
+            "output": "dev"
+          }
        ],
        "ignoreSelfRefs": false,
        "maxClosureSize": null,
@@ -44,11 +56,20 @@
      },
      "out": {
        "allowedReferences": [
-          "/164j69y6zir9z0339n8pjigg3rckinlr77bxsavzizdaaljb7nh9"
+          {
+            "drvPath": "j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv",
+            "output": "out"
+          }
        ],
        "allowedRequisites": [
-          "/0nr45p69vn6izw9446wsh9bng9nndhvn19kpsm4n96a5mycw0s4z",
-          "bin"
+          {
+            "drvPath": "self",
+            "output": "bin"
+          },
+          {
+            "drvPath": "j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv",
+            "output": "dev"
+          }
        ],
        "disallowedReferences": [],
        "disallowedRequisites": [],
--- a/src/libstore-tests/data/derivation/ia/all_set.json
+++ b/src/libstore-tests/data/derivation/ia/all_set.json
@@ -4,10 +4,10 @@
  "allowSubstitutes": false,
  "exportReferencesGraph": {
    "refs1": [
-      "/nix/store/p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
+      "p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
    ],
    "refs2": [
-      "/nix/store/vj2i49jm2868j2fmqvxm70vlzmzvgv14-bar.drv"
+      "vj2i49jm2868j2fmqvxm70vlzmzvgv14-bar.drv"
    ]
  },
  "impureEnvVars": [
@@ -20,18 +20,24 @@
  "outputChecks": {
    "forAllOutputs": {
      "allowedReferences": [
-        "/nix/store/p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
+        "p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
      ],
      "allowedRequisites": [
-        "/nix/store/z0rjzy29v9k5qa4nqpykrbzirj7sd43v-foo-dev",
-        "bin"
+        {
+          "drvPath": "self",
+          "output": "bin"
+        },
+        "z0rjzy29v9k5qa4nqpykrbzirj7sd43v-foo-dev"
      ],
      "disallowedReferences": [
-        "/nix/store/r5cff30838majxk5mp3ip2diffi8vpaj-bar",
-        "dev"
+        {
+          "drvPath": "self",
+          "output": "dev"
+        },
+        "r5cff30838majxk5mp3ip2diffi8vpaj-bar"
      ],
      "disallowedRequisites": [
-        "/nix/store/9b61w26b4avv870dw0ymb6rw4r1hzpws-bar-dev"
+        "9b61w26b4avv870dw0ymb6rw4r1hzpws-bar-dev"
      ],
      "ignoreSelfRefs": true,
      "maxClosureSize": null,
--- a/src/libstore-tests/data/derivation/ia/structuredAttrs_all_set.json
+++ b/src/libstore-tests/data/derivation/ia/structuredAttrs_all_set.json
@@ -4,10 +4,10 @@
  "allowSubstitutes": false,
  "exportReferencesGraph": {
    "refs1": [
-      "/nix/store/p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
+      "p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
    ],
    "refs2": [
-      "/nix/store/vj2i49jm2868j2fmqvxm70vlzmzvgv14-bar.drv"
+      "vj2i49jm2868j2fmqvxm70vlzmzvgv14-bar.drv"
    ]
  },
  "impureEnvVars": [
@@ -23,11 +23,14 @@
        "allowedReferences": null,
        "allowedRequisites": null,
        "disallowedReferences": [
-          "/nix/store/r5cff30838majxk5mp3ip2diffi8vpaj-bar",
-          "dev"
+          {
+            "drvPath": "self",
+            "output": "dev"
+          },
+          "r5cff30838majxk5mp3ip2diffi8vpaj-bar"
        ],
        "disallowedRequisites": [
-          "/nix/store/9b61w26b4avv870dw0ymb6rw4r1hzpws-bar-dev"
+          "9b61w26b4avv870dw0ymb6rw4r1hzpws-bar-dev"
        ],
        "ignoreSelfRefs": false,
        "maxClosureSize": null,
@@ -44,11 +47,14 @@
      },
      "out": {
        "allowedReferences": [
-          "/nix/store/p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
+          "p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"
        ],
        "allowedRequisites": [
-          "/nix/store/z0rjzy29v9k5qa4nqpykrbzirj7sd43v-foo-dev",
-          "bin"
+          {
+            "drvPath": "self",
+            "output": "bin"
+          },
+          "z0rjzy29v9k5qa4nqpykrbzirj7sd43v-foo-dev"
        ],
        "disallowedReferences": [],
        "disallowedRequisites": [],
--- a/src/libstore-tests/derivation-advanced-attrs.cc
+++ b/src/libstore-tests/derivation-advanced-attrs.cc
@@ -3,7 +3,7 @@

 #include "nix/util/experimental-features.hh"
 #include "nix/store/derivations.hh"
-#include "nix/store/derivations.hh"
+#include "nix/store/derived-path.hh"
 #include "nix/store/derivation-options.hh"
 #include "nix/store/parsed-derivations.hh"
 #include "nix/util/types.hh"
@@ -17,7 +17,7 @@ namespace nix {
 using namespace nlohmann;

 class DerivationAdvancedAttrsTest : public JsonCharacterizationTest<Derivation>,
-                                    public JsonCharacterizationTest<DerivationOptions>,
+                                    public JsonCharacterizationTest<DerivationOptions<SingleDerivedPath>>,
                                    public LibStoreTest
 {
 protected:
@@ -42,7 +42,8 @@ public:
    {
        this->readTest(fileName, [&](auto encoded) {
            auto got = parseDerivation(*this->store, std::move(encoded), "foo", this->mockXpSettings);
-            DerivationOptions options = DerivationOptions::fromStructuredAttrs(got.env, got.structuredAttrs);
+            auto options = derivationOptionsFromStructuredAttrs(
+                *this->store, got.inputDrvs, got.env, get(got.structuredAttrs), true, this->mockXpSettings);
            EXPECT_EQ(options.getRequiredSystemFeatures(got), expectedFeatures);
        });
    }
@@ -51,11 +52,14 @@ public:
     * Helper function to test DerivationOptions parsing and comparison
     */
    void testDerivationOptions(
-        const std::string & fileName, const DerivationOptions & expected, const StringSet & expectedSystemFeatures)
+        const std::string & fileName,
+        const DerivationOptions<SingleDerivedPath> & expected,
+        const StringSet & expectedSystemFeatures)
    {
        this->readTest(fileName, [&](auto encoded) {
            auto got = parseDerivation(*this->store, std::move(encoded), "foo", this->mockXpSettings);
-            DerivationOptions options = DerivationOptions::fromStructuredAttrs(got.env, got.structuredAttrs);
+            auto options = derivationOptionsFromStructuredAttrs(
+                *this->store, got.inputDrvs, got.env, get(got.structuredAttrs), true, this->mockXpSettings);

            EXPECT_EQ(options, expected);
            EXPECT_EQ(options.getRequiredSystemFeatures(got), expectedSystemFeatures);
@@ -131,22 +135,38 @@ TEST_ATERM_JSON(advancedAttributes_structuredAttrs_defaults, "advanced-attribute
 * Since these are both repeated and sensative opaque values, it makes
 * sense to give them names in this file.
 */
-static std::string pathFoo = "/nix/store/p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo",
-                   pathFooDev = "/nix/store/z0rjzy29v9k5qa4nqpykrbzirj7sd43v-foo-dev",
-                   pathBar = "/nix/store/r5cff30838majxk5mp3ip2diffi8vpaj-bar",
-                   pathBarDev = "/nix/store/9b61w26b4avv870dw0ymb6rw4r1hzpws-bar-dev",
-                   pathBarDrvIA = "/nix/store/vj2i49jm2868j2fmqvxm70vlzmzvgv14-bar.drv",
-                   pathBarDrvCA = "/nix/store/qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv",
-                   placeholderFoo = "/164j69y6zir9z0339n8pjigg3rckinlr77bxsavzizdaaljb7nh9",
-                   placeholderFooDev = "/0nr45p69vn6izw9446wsh9bng9nndhvn19kpsm4n96a5mycw0s4z",
-                   placeholderBar = "/0nyw57wm2iicnm9rglvjmbci3ikmcp823czdqdzdcgsnnwqps71g",
-                   placeholderBarDev = "/07f301yqyz8c6wf6bbbavb2q39j4n8kmcly1s09xadyhgy6x2wr8";
+static SingleDerivedPath
+    pathFoo = SingleDerivedPath::Opaque{StorePath{"p0hax2lzvjpfc2gwkk62xdglz0fcqfzn-foo"}},
+    pathFooDev = SingleDerivedPath::Opaque{StorePath{"z0rjzy29v9k5qa4nqpykrbzirj7sd43v-foo-dev"}},
+    pathBar = SingleDerivedPath::Opaque{StorePath{"r5cff30838majxk5mp3ip2diffi8vpaj-bar"}},
+    pathBarDev = SingleDerivedPath::Opaque{StorePath{"9b61w26b4avv870dw0ymb6rw4r1hzpws-bar-dev"}},
+    pathBarDrvIA = SingleDerivedPath::Opaque{StorePath{"vj2i49jm2868j2fmqvxm70vlzmzvgv14-bar.drv"}},
+    pathBarDrvCA = SingleDerivedPath::Opaque{StorePath{"qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv"}},
+    placeholderFoo =
+        SingleDerivedPath::Built{
+            .drvPath = makeConstantStorePathRef(StorePath{"j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv"}),
+            .output = "out",
+        },
+    placeholderFooDev =
+        SingleDerivedPath::Built{
+            .drvPath = makeConstantStorePathRef(StorePath{"j56sf12rxpcv5swr14vsjn5cwm6bj03h-foo.drv"}),
+            .output = "dev",
+        },
+    placeholderBar =
+        SingleDerivedPath::Built{
+            .drvPath = makeConstantStorePathRef(StorePath{"qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv"}),
+            .output = "out",
+        },
+    placeholderBarDev = SingleDerivedPath::Built{
+        .drvPath = makeConstantStorePathRef(StorePath{"qnml92yh97a6fbrs2m5qg5cqlc8vni58-bar.drv"}),
+        .output = "dev",
+    };

-using ExportReferencesMap = decltype(DerivationOptions::exportReferencesGraph);
+using ExportReferencesMap = decltype(DerivationOptions<SingleDerivedPath>::exportReferencesGraph);

-static const DerivationOptions advancedAttributes_defaults = {
+static const DerivationOptions<SingleDerivedPath> advancedAttributes_defaults = {
    .outputChecks =
-        DerivationOptions::OutputChecks{
+        DerivationOptions<SingleDerivedPath>::OutputChecks{
            .ignoreSelfRefs = true,
        },
    .unsafeDiscardReferences = {},
@@ -167,7 +187,8 @@ TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes_defaults)
    this->readTest("advanced-attributes-defaults.drv", [&](auto encoded) {
        auto got = parseDerivation(*this->store, std::move(encoded), "foo", this->mockXpSettings);

-        DerivationOptions options = DerivationOptions::fromStructuredAttrs(got.env, got.structuredAttrs);
+        auto options = derivationOptionsFromStructuredAttrs(
+            *this->store, got.inputDrvs, got.env, get(got.structuredAttrs), true, this->mockXpSettings);

        EXPECT_TRUE(!got.structuredAttrs);

@@ -192,9 +213,9 @@ TEST_F(CaDerivationAdvancedAttrsTest, advancedAttributes_defaults)

 TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes)
 {
-    DerivationOptions expected = {
+    DerivationOptions<SingleDerivedPath> expected = {
        .outputChecks =
-            DerivationOptions::OutputChecks{
+            DerivationOptions<SingleDerivedPath>::OutputChecks{
                .ignoreSelfRefs = true,
            },
        .unsafeDiscardReferences = {},
@@ -212,12 +233,13 @@ TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes)
    this->readTest("advanced-attributes.drv", [&](auto encoded) {
        auto got = parseDerivation(*this->store, std::move(encoded), "foo", this->mockXpSettings);

-        DerivationOptions options = DerivationOptions::fromStructuredAttrs(got.env, got.structuredAttrs);
+        auto options = derivationOptionsFromStructuredAttrs(
+            *this->store, got.inputDrvs, got.env, get(got.structuredAttrs), true, this->mockXpSettings);

        EXPECT_TRUE(!got.structuredAttrs);

        // Reset fields that vary between test cases to enable whole-object comparison
-        options.outputChecks = DerivationOptions::OutputChecks{.ignoreSelfRefs = true};
+        options.outputChecks = DerivationOptions<SingleDerivedPath>::OutputChecks{.ignoreSelfRefs = true};
        options.exportReferencesGraph = {};

        EXPECT_EQ(options, expected);
@@ -227,14 +249,14 @@ TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes)
    });
 };

-DerivationOptions advancedAttributes_ia = {
+DerivationOptions<SingleDerivedPath> advancedAttributes_ia = {
    .outputChecks =
-        DerivationOptions::OutputChecks{
+        DerivationOptions<SingleDerivedPath>::OutputChecks{
            .ignoreSelfRefs = true,
-            .allowedReferences = StringSet{pathFoo},
-            .disallowedReferences = StringSet{pathBar, "dev"},
-            .allowedRequisites = StringSet{pathFooDev, "bin"},
-            .disallowedRequisites = StringSet{pathBarDev},
+            .allowedReferences = std::set<DrvRef<SingleDerivedPath>>{pathFoo},
+            .disallowedReferences = std::set<DrvRef<SingleDerivedPath>>{pathBar, OutputName{"dev"}},
+            .allowedRequisites = std::set<DrvRef<SingleDerivedPath>>{pathFooDev, OutputName{"bin"}},
+            .disallowedRequisites = std::set<DrvRef<SingleDerivedPath>>{pathBarDev},
        },
    .unsafeDiscardReferences = {},
    .passAsFile = {},
@@ -257,14 +279,14 @@ TEST_F(DerivationAdvancedAttrsTest, advancedAttributes_ia)
    testDerivationOptions("advanced-attributes.drv", advancedAttributes_ia, {"rainbow", "uid-range"});
 };

-DerivationOptions advancedAttributes_ca = {
+DerivationOptions<SingleDerivedPath> advancedAttributes_ca = {
    .outputChecks =
-        DerivationOptions::OutputChecks{
+        DerivationOptions<SingleDerivedPath>::OutputChecks{
            .ignoreSelfRefs = true,
-            .allowedReferences = StringSet{placeholderFoo},
-            .disallowedReferences = StringSet{placeholderBar, "dev"},
-            .allowedRequisites = StringSet{placeholderFooDev, "bin"},
-            .disallowedRequisites = StringSet{placeholderBarDev},
+            .allowedReferences = std::set<DrvRef<SingleDerivedPath>>{placeholderFoo},
+            .disallowedReferences = std::set<DrvRef<SingleDerivedPath>>{placeholderBar, OutputName{"dev"}},
+            .allowedRequisites = std::set<DrvRef<SingleDerivedPath>>{placeholderFooDev, OutputName{"bin"}},
+            .disallowedRequisites = std::set<DrvRef<SingleDerivedPath>>{placeholderBarDev},
        },
    .unsafeDiscardReferences = {},
    .passAsFile = {},
@@ -287,8 +309,8 @@ TEST_F(CaDerivationAdvancedAttrsTest, advancedAttributes)
    testDerivationOptions("advanced-attributes.drv", advancedAttributes_ca, {"rainbow", "uid-range", "ca-derivations"});
 };

-DerivationOptions advancedAttributes_structuredAttrs_defaults = {
-    .outputChecks = std::map<std::string, DerivationOptions::OutputChecks>{},
+DerivationOptions<SingleDerivedPath> advancedAttributes_structuredAttrs_defaults = {
+    .outputChecks = std::map<std::string, DerivationOptions<SingleDerivedPath>::OutputChecks>{},
    .unsafeDiscardReferences = {},
    .passAsFile = {},
    .exportReferencesGraph = {},
@@ -307,7 +329,8 @@ TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes_structuredAttrs_d
    this->readTest("advanced-attributes-structured-attrs-defaults.drv", [&](auto encoded) {
        auto got = parseDerivation(*this->store, std::move(encoded), "foo", this->mockXpSettings);

-        DerivationOptions options = DerivationOptions::fromStructuredAttrs(got.env, got.structuredAttrs);
+        auto options = derivationOptionsFromStructuredAttrs(
+            *this->store, got.inputDrvs, got.env, get(got.structuredAttrs), true, this->mockXpSettings);

        EXPECT_TRUE(got.structuredAttrs);

@@ -332,11 +355,11 @@ TEST_F(CaDerivationAdvancedAttrsTest, advancedAttributes_structuredAttrs_default

 TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes_structuredAttrs)
 {
-    DerivationOptions expected = {
+    DerivationOptions<SingleDerivedPath> expected = {
        .outputChecks =
-            std::map<std::string, DerivationOptions::OutputChecks>{
+            std::map<std::string, DerivationOptions<SingleDerivedPath>::OutputChecks>{
                {"dev",
-                 DerivationOptions::OutputChecks{
+                 DerivationOptions<SingleDerivedPath>::OutputChecks{
                     .maxSize = 789,
                     .maxClosureSize = 5909,
                 }},
@@ -357,7 +380,8 @@ TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes_structuredAttrs)
    this->readTest("advanced-attributes-structured-attrs.drv", [&](auto encoded) {
        auto got = parseDerivation(*this->store, std::move(encoded), "foo", this->mockXpSettings);

-        DerivationOptions options = DerivationOptions::fromStructuredAttrs(got.env, got.structuredAttrs);
+        auto options = derivationOptionsFromStructuredAttrs(
+            *this->store, got.inputDrvs, got.env, get(got.structuredAttrs), true, this->mockXpSettings);

        EXPECT_TRUE(got.structuredAttrs);

@@ -365,7 +389,8 @@ TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes_structuredAttrs)
        {
            // Delete all keys but "dev" in options.outputChecks
            auto * outputChecksMapP =
-                std::get_if<std::map<std::string, DerivationOptions::OutputChecks>>(&options.outputChecks);
+                std::get_if<std::map<std::string, DerivationOptions<SingleDerivedPath>::OutputChecks>>(
+                    &options.outputChecks);
            ASSERT_TRUE(outputChecksMapP);
            auto & outputChecksMap = *outputChecksMapP;
            auto devEntry = outputChecksMap.find("dev");
@@ -385,21 +410,21 @@ TYPED_TEST(DerivationAdvancedAttrsBothTest, advancedAttributes_structuredAttrs)
    });
 };

-DerivationOptions advancedAttributes_structuredAttrs_ia = {
+DerivationOptions<SingleDerivedPath> advancedAttributes_structuredAttrs_ia = {
    .outputChecks =
-        std::map<std::string, DerivationOptions::OutputChecks>{
+        std::map<std::string, DerivationOptions<SingleDerivedPath>::OutputChecks>{
            {"out",
-             DerivationOptions::OutputChecks{
-                 .allowedReferences = StringSet{pathFoo},
-                 .allowedRequisites = StringSet{pathFooDev, "bin"},
+             DerivationOptions<SingleDerivedPath>::OutputChecks{
+                 .allowedReferences = std::set<DrvRef<SingleDerivedPath>>{pathFoo},
+                 .allowedRequisites = std::set<DrvRef<SingleDerivedPath>>{pathFooDev, OutputName{"bin"}},
             }},
            {"bin",
-             DerivationOptions::OutputChecks{
-                 .disallowedReferences = StringSet{pathBar, "dev"},
-                 .disallowedRequisites = StringSet{pathBarDev},
+             DerivationOptions<SingleDerivedPath>::OutputChecks{
+                 .disallowedReferences = std::set<DrvRef<SingleDerivedPath>>{pathBar, OutputName{"dev"}},
+                 .disallowedRequisites = std::set<DrvRef<SingleDerivedPath>>{pathBarDev},
             }},
            {"dev",
-             DerivationOptions::OutputChecks{
+             DerivationOptions<SingleDerivedPath>::OutputChecks{
                 .maxSize = 789,
                 .maxClosureSize = 5909,
             }},
@@ -427,21 +452,21 @@ TEST_F(DerivationAdvancedAttrsTest, advancedAttributes_structuredAttrs)
        "advanced-attributes-structured-attrs.drv", advancedAttributes_structuredAttrs_ia, {"rainbow", "uid-range"});
 };

-DerivationOptions advancedAttributes_structuredAttrs_ca = {
+DerivationOptions<SingleDerivedPath> advancedAttributes_structuredAttrs_ca = {
    .outputChecks =
-        std::map<std::string, DerivationOptions::OutputChecks>{
+        std::map<std::string, DerivationOptions<SingleDerivedPath>::OutputChecks>{
            {"out",
-             DerivationOptions::OutputChecks{
-                 .allowedReferences = StringSet{placeholderFoo},
-                 .allowedRequisites = StringSet{placeholderFooDev, "bin"},
+             DerivationOptions<SingleDerivedPath>::OutputChecks{
+                 .allowedReferences = std::set<DrvRef<SingleDerivedPath>>{placeholderFoo},
+                 .allowedRequisites = std::set<DrvRef<SingleDerivedPath>>{placeholderFooDev, OutputName{"bin"}},
             }},
            {"bin",
-             DerivationOptions::OutputChecks{
-                 .disallowedReferences = StringSet{placeholderBar, "dev"},
-                 .disallowedRequisites = StringSet{placeholderBarDev},
+             DerivationOptions<SingleDerivedPath>::OutputChecks{
+                 .disallowedReferences = std::set<DrvRef<SingleDerivedPath>>{placeholderBar, OutputName{"dev"}},
+                 .disallowedRequisites = std::set<DrvRef<SingleDerivedPath>>{placeholderBarDev},
             }},
            {"dev",
-             DerivationOptions::OutputChecks{
+             DerivationOptions<SingleDerivedPath>::OutputChecks{
                 .maxSize = 789,
                 .maxClosureSize = 5909,
             }},
@@ -471,14 +496,16 @@ TEST_F(CaDerivationAdvancedAttrsTest, advancedAttributes_structuredAttrs)
        {"rainbow", "uid-range", "ca-derivations"});
 };

-#define TEST_JSON_OPTIONS(FIXUTURE, VAR, VAR2)                                                             \
-    TEST_F(FIXUTURE, DerivationOptions_##VAR##_from_json)                                                  \
-    {                                                                                                      \
-        this->JsonCharacterizationTest<DerivationOptions>::readJsonTest(#VAR, advancedAttributes_##VAR2);  \
-    }                                                                                                      \
-    TEST_F(FIXUTURE, DerivationOptions_##VAR##_to_json)                                                    \
-    {                                                                                                      \
-        this->JsonCharacterizationTest<DerivationOptions>::writeJsonTest(#VAR, advancedAttributes_##VAR2); \
+#define TEST_JSON_OPTIONS(FIXUTURE, VAR, VAR2)                                               \
+    TEST_F(FIXUTURE, DerivationOptions_##VAR##_from_json)                                    \
+    {                                                                                        \
+        this->JsonCharacterizationTest<DerivationOptions<SingleDerivedPath>>::readJsonTest(  \
+            #VAR, advancedAttributes_##VAR2);                                                \
+    }                                                                                        \
+    TEST_F(FIXUTURE, DerivationOptions_##VAR##_to_json)                                      \
+    {                                                                                        \
+        this->JsonCharacterizationTest<DerivationOptions<SingleDerivedPath>>::writeJsonTest( \
+            #VAR, advancedAttributes_##VAR2);                                                \
    }

 TEST_JSON_OPTIONS(DerivationAdvancedAttrsTest, defaults, defaults)
--- a/src/libstore/build/derivation-building-goal.cc
+++ b/src/libstore/build/derivation-building-goal.cc
@@ -32,14 +32,6 @@ DerivationBuildingGoal::DerivationBuildingGoal(
    , drv{std::make_unique<Derivation>(drv)}
    , buildMode(buildMode)
 {
-    try {
-        drvOptions =
-            std::make_unique<DerivationOptions>(DerivationOptions::fromStructuredAttrs(drv.env, drv.structuredAttrs));
-    } catch (Error & e) {
-        e.addTrace({}, "while parsing derivation '%s'", worker.store.printStorePath(drvPath));
-        throw;
-    }
-
    name = fmt("building derivation '%s'", worker.store.printStorePath(drvPath));
    trace("created");

@@ -206,6 +198,38 @@ Goal::Co DerivationBuildingGoal::gaveUpOnSubstitution(bool storeDerivation)

 Goal::Co DerivationBuildingGoal::tryToBuild()
 {
+    auto drvOptions = [&] {
+        DerivationOptions<SingleDerivedPath> temp;
+        try {
+            temp =
+                derivationOptionsFromStructuredAttrs(worker.store, drv->inputDrvs, drv->env, get(drv->structuredAttrs));
+        } catch (Error & e) {
+            e.addTrace({}, "while parsing derivation '%s'", worker.store.printStorePath(drvPath));
+            throw;
+        }
+
+        auto res = tryResolve(
+            temp,
+            [&](ref<const SingleDerivedPath> drvPath, const std::string & outputName) -> std::optional<StorePath> {
+                try {
+                    return resolveDerivedPath(
+                        worker.store, SingleDerivedPath::Built{drvPath, outputName}, &worker.evalStore);
+                } catch (Error &) {
+                    return std::nullopt;
+                }
+            });
+
+        /* The derivation must have all of its inputs gotten this point,
+           so the resolution will surely succeed.
+
+           (Actually, we shouldn't even enter this goal until we have a
+           resolved derivation, or derivation with only input addressed
+           transitive inputs, so this should be a no-opt anyways.)
+         */
+        assert(res);
+        return *res;
+    }();
+
    std::map<std::string, InitialOutput> initialOutputs;

    /* Recheck at this point. In particular, whereas before we were
@@ -344,13 +368,13 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
        /* Don't do a remote build if the derivation has the attribute
           `preferLocalBuild' set.  Also, check and repair modes are only
           supported for local builds. */
-        bool buildLocally = (buildMode != bmNormal || drvOptions->willBuildLocally(worker.store, *drv))
+        bool buildLocally = (buildMode != bmNormal || drvOptions.willBuildLocally(worker.store, *drv))
                            && settings.maxBuildJobs.get() != 0;

        if (buildLocally) {
            useHook = false;
        } else {
-            switch (tryBuildHook(initialOutputs)) {
+            switch (tryBuildHook(initialOutputs, drvOptions)) {
            case rpAccept:
                /* Yes, it has started doing so.  Wait until we get
                   EOF from the hook. */
@@ -379,7 +403,7 @@ Goal::Co DerivationBuildingGoal::tryToBuild()

                externalBuilder = settings.findExternalDerivationBuilderIfSupported(*drv);

-                if (!externalBuilder && !drvOptions->canBuildLocally(worker.store, *drv)) {
+                if (!externalBuilder && !drvOptions.canBuildLocally(worker.store, *drv)) {
                    auto msg =
                        fmt("Cannot build '%s'.\n"
                            "Reason: " ANSI_RED "required system or feature not available" ANSI_NORMAL
@@ -388,7 +412,7 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
                            "Current system: '%s' with features {%s}",
                            Magenta(worker.store.printStorePath(drvPath)),
                            Magenta(drv->platform),
-                            concatStringsSep(", ", drvOptions->getRequiredSystemFeatures(*drv)),
+                            concatStringsSep(", ", drvOptions.getRequiredSystemFeatures(*drv)),
                            Magenta(settings.thisSystem),
                            concatStringsSep<StringSet>(", ", worker.store.Store::config.systemFeatures));

@@ -586,7 +610,7 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
            }

            try {
-                desugaredEnv = DesugaredEnv::create(worker.store, *drv, *drvOptions, inputPaths);
+                desugaredEnv = DesugaredEnv::create(worker.store, *drv, drvOptions, inputPaths);
            } catch (BuildError & e) {
                outputLocks.unlock();
                worker.permanentFailure = true;
@@ -597,7 +621,7 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
                .drvPath = drvPath,
                .buildResult = buildResult,
                .drv = *drv,
-                .drvOptions = *drvOptions,
+                .drvOptions = drvOptions,
                .inputPaths = inputPaths,
                .initialOutputs = initialOutputs,
                .buildMode = buildMode,
@@ -803,7 +827,8 @@ BuildError DerivationBuildingGoal::fixupBuilderFailureErrorMessage(BuilderFailur
    return BuildError{e.status, msg};
 }

-HookReply DerivationBuildingGoal::tryBuildHook(const std::map<std::string, InitialOutput> & initialOutputs)
+HookReply DerivationBuildingGoal::tryBuildHook(
+    const std::map<std::string, InitialOutput> & initialOutputs, const DerivationOptions<StorePath> & drvOptions)
 {
 #ifdef _WIN32 // TODO enable build hook on Windows
    return rpDecline;
@@ -820,7 +845,7 @@ HookReply DerivationBuildingGoal::tryBuildHook(const std::map<std::string, Initi

        /* Send the request to the hook. */
        worker.hook->sink << "try" << (worker.getNrLocalBuilds() < settings.maxBuildJobs ? 1 : 0) << drv->platform
-                          << worker.store.printStorePath(drvPath) << drvOptions->getRequiredSystemFeatures(*drv);
+                          << worker.store.printStorePath(drvPath) << drvOptions.getRequiredSystemFeatures(*drv);
        worker.hook->sink.flush();

        /* Read the first line of input, which should be a word indicating
--- a/src/libstore/build/derivation-check.cc
+++ b/src/libstore/build/derivation-check.cc
@@ -11,7 +11,7 @@ void checkOutputs(
    Store & store,
    const StorePath & drvPath,
    const decltype(Derivation::outputs) & drvOutputs,
-    const decltype(DerivationOptions::outputChecks) & outputChecks,
+    const decltype(DerivationOptions<StorePath>::outputChecks) & outputChecks,
    const std::map<std::string, ValidPathInfo> & outputs)
 {
    std::map<Path, const ValidPathInfo &> outputsByPath;
@@ -85,7 +85,7 @@ void checkOutputs(
            return std::make_pair(std::move(pathsDone), closureSize);
        };

-        auto applyChecks = [&](const DerivationOptions::OutputChecks & checks) {
+        auto applyChecks = [&](const DerivationOptions<StorePath>::OutputChecks & checks) {
            if (checks.maxSize && info.narSize > *checks.maxSize)
                throw BuildError(
                    BuildResult::Failure::OutputRejected,
@@ -105,28 +105,33 @@ void checkOutputs(
                        *checks.maxClosureSize);
            }

-            auto checkRefs = [&](const StringSet & value, bool allowed, bool recursive) {
+            auto checkRefs = [&](const std::set<DrvRef<StorePath>> & value, bool allowed, bool recursive) {
                /* Parse a list of reference specifiers.  Each element must
                   either be a store path, or the symbolic name of the output
                   of the derivation (such as `out'). */
                StorePathSet spec;
                for (auto & i : value) {
-                    if (store.isStorePath(i))
-                        spec.insert(store.parseStorePath(i));
-                    else if (auto output = get(outputs, i))
-                        spec.insert(output->path);
-                    else {
-                        std::string outputsListing =
-                            concatMapStringsSep(", ", outputs, [](auto & o) { return o.first; });
-                        throw BuildError(
-                            BuildResult::Failure::OutputRejected,
-                            "derivation '%s' output check for '%s' contains an illegal reference specifier '%s',"
-                            " expected store path or output name (one of [%s])",
-                            store.printStorePath(drvPath),
-                            outputName,
-                            i,
-                            outputsListing);
-                    }
+                    std::visit(
+                        overloaded{
+                            [&](const StorePath & path) { spec.insert(path); },
+                            [&](const OutputName & refOutputName) {
+                                if (auto output = get(outputs, refOutputName))
+                                    spec.insert(output->path);
+                                else {
+                                    std::string outputsListing =
+                                        concatMapStringsSep(", ", outputs, [](auto & o) { return o.first; });
+                                    throw BuildError(
+                                        BuildResult::Failure::OutputRejected,
+                                        "derivation '%s' output check for '%s' contains output name '%s',"
+                                        " but this is not a valid output of this derivation."
+                                        " (Valid outputs are [%s].)",
+                                        store.printStorePath(drvPath),
+                                        outputName,
+                                        refOutputName,
+                                        outputsListing);
+                                }
+                            }},
+                        i);
                }

                auto used = recursive ? getClosure(info.path).first : info.references;
@@ -180,8 +185,8 @@ void checkOutputs(

        std::visit(
            overloaded{
-                [&](const DerivationOptions::OutputChecks & checks) { applyChecks(checks); },
-                [&](const std::map<std::string, DerivationOptions::OutputChecks> & checksPerOutput) {
+                [&](const DerivationOptions<StorePath>::OutputChecks & checks) { applyChecks(checks); },
+                [&](const std::map<std::string, DerivationOptions<StorePath>::OutputChecks> & checksPerOutput) {
                    if (auto outputChecks = get(checksPerOutput, outputName))

                        applyChecks(*outputChecks);
--- a/src/libstore/build/derivation-check.hh
+++ b/src/libstore/build/derivation-check.hh
@@ -21,7 +21,7 @@ void checkOutputs(
    Store & store,
    const StorePath & drvPath,
    const decltype(Derivation::outputs) & drvOutputs,
-    const decltype(DerivationOptions::outputChecks) & drvOptions,
+    const decltype(DerivationOptions<StorePath>::outputChecks) & drvOptions,
    const std::map<std::string, ValidPathInfo> & outputs);

 } // namespace nix
--- a/src/libstore/build/derivation-env-desugar.cc
+++ b/src/libstore/build/derivation-env-desugar.cc
@@ -18,7 +18,10 @@ std::string & DesugaredEnv::atFileEnvPair(std::string_view name, std::string fil
 }

 DesugaredEnv DesugaredEnv::create(
-    Store & store, const Derivation & drv, const DerivationOptions & drvOptions, const StorePathSet & inputPaths)
+    Store & store,
+    const Derivation & drv,
+    const DerivationOptions<StorePath> & drvOptions,
+    const StorePathSet & inputPaths)
 {
    DesugaredEnv res;

@@ -46,7 +49,7 @@ DesugaredEnv DesugaredEnv::create(
        }

        /* Handle exportReferencesGraph(), if set. */
-        for (auto & [fileName, storePaths] : drvOptions.getParsedExportReferencesGraph(store)) {
+        for (auto & [fileName, storePaths] : drvOptions.exportReferencesGraph) {
            /* Write closure info to <fileName>. */
            res.extraFiles.insert_or_assign(
                fileName, store.makeValidityRegistration(store.exportReferences(storePaths, inputPaths), false, false));
--- a/src/libstore/build/derivation-goal.cc
+++ b/src/libstore/build/derivation-goal.cc
@@ -64,9 +64,10 @@ Goal::Co DerivationGoal::haveDerivation(bool storeDerivation)
 {
    trace("have derivation");

-    auto drvOptions = [&]() -> DerivationOptions {
+    auto drvOptions = [&]() -> DerivationOptions<SingleDerivedPath> {
        try {
-            return DerivationOptions::fromStructuredAttrs(drv->env, drv->structuredAttrs);
+            return derivationOptionsFromStructuredAttrs(
+                worker.store, drv->inputDrvs, drv->env, get(drv->structuredAttrs));
        } catch (Error & e) {
            e.addTrace({}, "while parsing derivation '%s'", worker.store.printStorePath(drvPath));
            throw;
--- a/src/libstore/derivation-options.cc
+++ b/src/libstore/derivation-options.cc
@@ -2,15 +2,18 @@
 #include "nix/util/json-utils.hh"
 #include "nix/store/parsed-derivations.hh"
 #include "nix/store/derivations.hh"
+#include "nix/store/derived-path.hh"
 #include "nix/store/store-api.hh"
 #include "nix/util/types.hh"
 #include "nix/util/util.hh"
 #include "nix/store/globals.hh"
+#include "nix/util/variant-wrapper.hh"

 #include <optional>
 #include <string>
 #include <variant>
 #include <regex>
+#include <ranges>

 namespace nix {

@@ -90,14 +93,38 @@ getStringSetAttr(const StringMap & env, const StructuredAttrs * parsed, const st
    return ss ? (std::optional{StringSet{ss->begin(), ss->end()}}) : (std::optional<StringSet>{});
 }

-using OutputChecks = DerivationOptions::OutputChecks;
+template<typename Inputs>
+using OutputChecks = DerivationOptions<Inputs>::OutputChecks;

-using OutputChecksVariant = std::variant<OutputChecks, std::map<std::string, OutputChecks>>;
+template<typename Inputs>
+using OutputChecksVariant = std::variant<OutputChecks<Inputs>, std::map<std::string, OutputChecks<Inputs>>>;

-DerivationOptions DerivationOptions::fromStructuredAttrs(
-    const StringMap & env, const std::optional<StructuredAttrs> & parsed, bool shouldWarn)
+DerivationOptions<StorePath> derivationOptionsFromStructuredAttrs(
+    const StoreDirConfig & store,
+    const StringMap & env,
+    const StructuredAttrs * parsed,
+    bool shouldWarn,
+    const ExperimentalFeatureSettings & mockXpSettings)
 {
-    return fromStructuredAttrs(env, parsed ? &*parsed : nullptr);
+    /* Use the SingleDerivedPath version with empty inputDrvs, then
+       resolve. */
+    DerivedPathMap<StringSet> emptyInputDrvs{};
+    auto singleDerivedPathOptions =
+        derivationOptionsFromStructuredAttrs(store, emptyInputDrvs, env, parsed, shouldWarn, mockXpSettings);
+
+    /* "Resolve" all SingleDerivedPath inputs to StorePath. */
+    auto resolved = tryResolve(
+        singleDerivedPathOptions,
+        [&](ref<const SingleDerivedPath> drvPath, const std::string & outputName) -> std::optional<StorePath> {
+            // there should be nothing to resolve
+            assert(false);
+        });
+
+    /* Since we should never need to call the call back, there should be
+       no way it fails. */
+    assert(resolved);
+
+    return *resolved;
 }

 static void flatten(const nlohmann::json & value, StringSet & res)
@@ -111,10 +138,63 @@ static void flatten(const nlohmann::json & value, StringSet & res)
        throw Error("'exportReferencesGraph' value is not an array or a string");
 }

-DerivationOptions
-DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAttrs * parsed, bool shouldWarn)
+DerivationOptions<SingleDerivedPath> derivationOptionsFromStructuredAttrs(
+    const StoreDirConfig & store,
+    const DerivedPathMap<StringSet> & inputDrvs,
+    const StringMap & env,
+    const StructuredAttrs * parsed,
+    bool shouldWarn,
+    const ExperimentalFeatureSettings & mockXpSettings)
 {
-    DerivationOptions defaults = {};
+    DerivationOptions<SingleDerivedPath> defaults = {};
+
+    std::map<std::string, SingleDerivedPath::Built> placeholders;
+    if (mockXpSettings.isEnabled(Xp::CaDerivations)) {
+        /* Initialize placeholder map from inputDrvs */
+        auto initPlaceholders = [&](this const auto & initPlaceholders,
+                                    ref<const SingleDerivedPath> basePath,
+                                    const DerivedPathMap<StringSet>::ChildNode & node) -> void {
+            for (const auto & outputName : node.value) {
+                auto built = SingleDerivedPath::Built{
+                    .drvPath = basePath,
+                    .output = outputName,
+                };
+                placeholders.insert_or_assign(
+                    DownstreamPlaceholder::fromSingleDerivedPathBuilt(built, mockXpSettings).render(),
+                    std::move(built));
+            }
+
+            for (const auto & [outputName, childNode] : node.childMap) {
+                initPlaceholders(
+                    make_ref<const SingleDerivedPath>(SingleDerivedPath::Built{
+                        .drvPath = basePath,
+                        .output = outputName,
+                    }),
+                    childNode);
+            }
+        };
+
+        for (const auto & [drvPath, outputs] : inputDrvs.map) {
+            auto basePath = make_ref<const SingleDerivedPath>(SingleDerivedPath::Opaque{drvPath});
+            initPlaceholders(basePath, outputs);
+        }
+    }
+
+    auto parseSingleDerivedPath = [&](const std::string & pathS) -> SingleDerivedPath {
+        if (auto it = placeholders.find(pathS); it != placeholders.end())
+            return it->second;
+        else
+            return SingleDerivedPath::Opaque{store.toStorePath(pathS).first};
+    };
+
+    auto parseRef = [&](const std::string & pathS) -> DrvRef<SingleDerivedPath> {
+        if (auto it = placeholders.find(pathS); it != placeholders.end())
+            return it->second;
+        if (store.isStorePath(pathS))
+            return SingleDerivedPath::Opaque{store.toStorePath(pathS).first};
+        else
+            return pathS;
+    };

    if (shouldWarn && parsed) {
        auto & structuredAttrs = parsed->structuredAttrs;
@@ -146,14 +226,14 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt
    }

    return {
-        .outputChecks = [&]() -> OutputChecksVariant {
+        .outputChecks = [&]() -> OutputChecksVariant<SingleDerivedPath> {
            if (parsed) {
                auto & structuredAttrs = parsed->structuredAttrs;

-                std::map<std::string, OutputChecks> res;
+                std::map<std::string, OutputChecks<SingleDerivedPath>> res;
                if (auto * outputChecks = get(structuredAttrs, "outputChecks")) {
                    for (auto & [outputName, output_] : getObject(*outputChecks)) {
-                        OutputChecks checks;
+                        OutputChecks<SingleDerivedPath> checks;

                        auto & output = getObject(output_);

@@ -163,13 +243,14 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt
                        if (auto maxClosureSize = get(output, "maxClosureSize"))
                            checks.maxClosureSize = maxClosureSize->get<uint64_t>();

-                        auto get_ = [&output = output](const std::string & name) -> std::optional<StringSet> {
+                        auto get_ =
+                            [&](const std::string & name) -> std::optional<std::set<DrvRef<SingleDerivedPath>>> {
                            if (auto i = get(output, name)) {
-                                StringSet res;
+                                std::set<DrvRef<SingleDerivedPath>> res;
                                for (auto j = i->begin(); j != i->end(); ++j) {
                                    if (!j->is_string())
                                        throw Error("attribute '%s' must be a list of strings", name);
-                                    res.insert(j->get<std::string>());
+                                    res.insert(parseRef(j->get<std::string>()));
                                }
                                return res;
                            }
@@ -178,7 +259,7 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt

                        res.insert_or_assign(
                            outputName,
-                            OutputChecks{
+                            OutputChecks<SingleDerivedPath>{
                                .maxSize = [&]() -> std::optional<uint64_t> {
                                    if (auto maxSize = get(output, "maxSize"))
                                        return maxSize->get<uint64_t>();
@@ -192,21 +273,32 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt
                                        return std::nullopt;
                                }(),
                                .allowedReferences = get_("allowedReferences"),
-                                .disallowedReferences = get_("disallowedReferences").value_or(StringSet{}),
+                                .disallowedReferences =
+                                    get_("disallowedReferences").value_or(std::set<DrvRef<SingleDerivedPath>>{}),
                                .allowedRequisites = get_("allowedRequisites"),
-                                .disallowedRequisites = get_("disallowedRequisites").value_or(StringSet{}),
+                                .disallowedRequisites =
+                                    get_("disallowedRequisites").value_or(std::set<DrvRef<SingleDerivedPath>>{}),
                            });
                    }
                }
                return res;
            } else {
-                return OutputChecks{
+                auto parseRefSet = [&](const std::optional<StringSet> optionalStringSet)
+                    -> std::optional<std::set<DrvRef<SingleDerivedPath>>> {
+                    if (!optionalStringSet)
+                        return std::nullopt;
+                    auto range = *optionalStringSet | std::views::transform(parseRef);
+                    return std::set<DrvRef<SingleDerivedPath>>(range.begin(), range.end());
+                };
+                return OutputChecks<SingleDerivedPath>{
                    // legacy non-structured-attributes case
                    .ignoreSelfRefs = true,
-                    .allowedReferences = getStringSetAttr(env, parsed, "allowedReferences"),
-                    .disallowedReferences = getStringSetAttr(env, parsed, "disallowedReferences").value_or(StringSet{}),
-                    .allowedRequisites = getStringSetAttr(env, parsed, "allowedRequisites"),
-                    .disallowedRequisites = getStringSetAttr(env, parsed, "disallowedRequisites").value_or(StringSet{}),
+                    .allowedReferences = parseRefSet(getStringSetAttr(env, parsed, "allowedReferences")),
+                    .disallowedReferences = parseRefSet(getStringSetAttr(env, parsed, "disallowedReferences"))
+                                                .value_or(std::set<DrvRef<SingleDerivedPath>>{}),
+                    .allowedRequisites = parseRefSet(getStringSetAttr(env, parsed, "allowedRequisites")),
+                    .disallowedRequisites = parseRefSet(getStringSetAttr(env, parsed, "disallowedRequisites"))
+                                                .value_or(std::set<DrvRef<SingleDerivedPath>>{}),
                };
            }
        }(),
@@ -245,16 +337,19 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt
            }(),
        .exportReferencesGraph =
            [&] {
-                std::map<std::string, StringSet> ret;
+                std::map<std::string, std::set<SingleDerivedPath>> ret;

                if (parsed) {
                    auto * e = optionalValueAt(parsed->structuredAttrs, "exportReferencesGraph");
                    if (!e || !e->is_object())
                        return ret;
-                    for (auto & [key, value] : getObject(*e)) {
+                    for (auto & [key, storePathsJson] : getObject(*e)) {
                        StringSet ss;
-                        flatten(value, ss);
-                        ret.insert_or_assign(key, std::move(ss));
+                        flatten(storePathsJson, ss);
+                        std::set<SingleDerivedPath> storePaths;
+                        for (auto & s : ss)
+                            storePaths.insert(parseSingleDerivedPath(s));
+                        ret.insert_or_assign(key, std::move(storePaths));
                    }
                } else {
                    auto s = getOr(env, "exportReferencesGraph", "");
@@ -268,7 +363,7 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt
                            throw Error("invalid file name '%s' in 'exportReferencesGraph'", fileName);

                        auto & storePathS = *i++;
-                        ret.insert_or_assign(std::move(fileName), StringSet{storePathS});
+                        ret.insert_or_assign(std::move(fileName), std::set{parseSingleDerivedPath(storePathS)});
                    }
                }
                return ret;
@@ -286,28 +381,8 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt
    };
 }

-std::map<std::string, StorePathSet>
-DerivationOptions::getParsedExportReferencesGraph(const StoreDirConfig & store) const
-{
-    std::map<std::string, StorePathSet> res;
-
-    for (auto & [fileName, ss] : exportReferencesGraph) {
-        StorePathSet storePaths;
-        for (auto & storePathS : ss) {
-            if (!store.isInStore(storePathS))
-                throw BuildError(
-                    BuildResult::Failure::InputRejected,
-                    "'exportReferencesGraph' contains a non-store path '%1%'",
-                    storePathS);
-            storePaths.insert(store.toStorePath(storePathS).first);
-        }
-        res.insert_or_assign(fileName, storePaths);
-    }
-
-    return res;
-}
-
-StringSet DerivationOptions::getRequiredSystemFeatures(const BasicDerivation & drv) const
+template<typename Input>
+StringSet DerivationOptions<Input>::getRequiredSystemFeatures(const BasicDerivation & drv) const
 {
    // FIXME: cache this?
    StringSet res;
@@ -318,7 +393,8 @@ StringSet DerivationOptions::getRequiredSystemFeatures(const BasicDerivation & d
    return res;
 }

-bool DerivationOptions::canBuildLocally(Store & localStore, const BasicDerivation & drv) const
+template<typename Input>
+bool DerivationOptions<Input>::canBuildLocally(Store & localStore, const BasicDerivation & drv) const
 {
    if (drv.platform != settings.thisSystem.get() && !settings.extraPlatforms.get().count(drv.platform)
        && !drv.isBuiltin())
@@ -334,42 +410,194 @@ bool DerivationOptions::canBuildLocally(Store & localStore, const BasicDerivatio
    return true;
 }

-bool DerivationOptions::willBuildLocally(Store & localStore, const BasicDerivation & drv) const
+template<typename Input>
+bool DerivationOptions<Input>::willBuildLocally(Store & localStore, const BasicDerivation & drv) const
 {
    return preferLocalBuild && canBuildLocally(localStore, drv);
 }

-bool DerivationOptions::substitutesAllowed() const
+template<typename Input>
+bool DerivationOptions<Input>::substitutesAllowed() const
 {
    return settings.alwaysAllowSubstitutes ? true : allowSubstitutes;
 }

-bool DerivationOptions::useUidRange(const BasicDerivation & drv) const
+template<typename Input>
+bool DerivationOptions<Input>::useUidRange(const BasicDerivation & drv) const
 {
    return getRequiredSystemFeatures(drv).count("uid-range");
 }

+std::optional<DerivationOptions<StorePath>> tryResolve(
+    const DerivationOptions<SingleDerivedPath> & drvOptions,
+    std::function<std::optional<StorePath>(ref<const SingleDerivedPath> drvPath, const std::string & outputName)>
+        queryResolutionChain)
+{
+    auto tryResolvePath = [&](const SingleDerivedPath & input) -> std::optional<StorePath> {
+        return std::visit(
+            overloaded{
+                [](const SingleDerivedPath::Opaque & p) -> std::optional<StorePath> { return p.path; },
+                [&](const SingleDerivedPath::Built & p) -> std::optional<StorePath> {
+                    return queryResolutionChain(p.drvPath, p.output);
+                }},
+            input.raw());
+    };
+
+    auto tryResolveRef = [&](const DrvRef<SingleDerivedPath> & ref) -> std::optional<DrvRef<StorePath>> {
+        return std::visit(
+            overloaded{
+                [](const OutputName & outputName) -> std::optional<DrvRef<StorePath>> { return outputName; },
+                [&](const SingleDerivedPath & input) -> std::optional<DrvRef<StorePath>> {
+                    return tryResolvePath(input);
+                }},
+            ref);
+    };
+
+    auto tryResolveRefSet =
+        [&](const std::set<DrvRef<SingleDerivedPath>> & refSet) -> std::optional<std::set<DrvRef<StorePath>>> {
+        std::set<DrvRef<StorePath>> resolvedSet;
+        for (const auto & ref : refSet) {
+            auto resolvedRef = tryResolveRef(ref);
+            if (!resolvedRef)
+                return std::nullopt;
+            resolvedSet.insert(*resolvedRef);
+        }
+        return resolvedSet;
+    };
+
+    // Helper function to try resolving OutputChecks using functional style
+    auto tryResolveOutputChecks = [&](const DerivationOptions<SingleDerivedPath>::OutputChecks & checks)
+        -> std::optional<DerivationOptions<StorePath>::OutputChecks> {
+        std::optional<std::set<DrvRef<StorePath>>> resolvedAllowedReferences;
+        if (checks.allowedReferences) {
+            resolvedAllowedReferences = tryResolveRefSet(*checks.allowedReferences);
+            if (!resolvedAllowedReferences)
+                return std::nullopt;
+        }
+
+        std::optional<std::set<DrvRef<StorePath>>> resolvedAllowedRequisites;
+        if (checks.allowedRequisites) {
+            resolvedAllowedRequisites = tryResolveRefSet(*checks.allowedRequisites);
+            if (!resolvedAllowedRequisites)
+                return std::nullopt;
+        }
+
+        auto resolvedDisallowedReferences = tryResolveRefSet(checks.disallowedReferences);
+        if (!resolvedDisallowedReferences)
+            return std::nullopt;
+
+        auto resolvedDisallowedRequisites = tryResolveRefSet(checks.disallowedRequisites);
+        if (!resolvedDisallowedRequisites)
+            return std::nullopt;
+
+        return DerivationOptions<StorePath>::OutputChecks{
+            .ignoreSelfRefs = checks.ignoreSelfRefs,
+            .maxSize = checks.maxSize,
+            .maxClosureSize = checks.maxClosureSize,
+            .allowedReferences = resolvedAllowedReferences,
+            .disallowedReferences = *resolvedDisallowedReferences,
+            .allowedRequisites = resolvedAllowedRequisites,
+            .disallowedRequisites = *resolvedDisallowedRequisites,
+        };
+    };
+
+    // Helper function to resolve exportReferencesGraph using functional style
+    auto tryResolveExportReferencesGraph = [&](const std::map<std::string, std::set<SingleDerivedPath>> & exportGraph)
+        -> std::optional<std::map<std::string, std::set<StorePath>>> {
+        std::map<std::string, std::set<StorePath>> resolved;
+        for (const auto & [name, inputPaths] : exportGraph) {
+            std::set<StorePath> resolvedPaths;
+            for (const auto & inputPath : inputPaths) {
+                auto resolvedPath = tryResolvePath(inputPath);
+                if (!resolvedPath)
+                    return std::nullopt;
+                resolvedPaths.insert(*resolvedPath);
+            }
+            resolved.emplace(name, std::move(resolvedPaths));
+        }
+        return resolved;
+    };
+
+    // Resolve outputChecks using functional style with std::visit
+    auto resolvedOutputChecks = std::visit(
+        overloaded{
+            [&](const DerivationOptions<SingleDerivedPath>::OutputChecks & checks)
+                -> std::optional<std::variant<
+                    DerivationOptions<StorePath>::OutputChecks,
+                    std::map<std::string, DerivationOptions<StorePath>::OutputChecks>>> {
+                auto resolved = tryResolveOutputChecks(checks);
+                if (!resolved)
+                    return std::nullopt;
+                return std::variant<
+                    DerivationOptions<StorePath>::OutputChecks,
+                    std::map<std::string, DerivationOptions<StorePath>::OutputChecks>>(*resolved);
+            },
+            [&](const std::map<std::string, DerivationOptions<SingleDerivedPath>::OutputChecks> & checksMap)
+                -> std::optional<std::variant<
+                    DerivationOptions<StorePath>::OutputChecks,
+                    std::map<std::string, DerivationOptions<StorePath>::OutputChecks>>> {
+                std::map<std::string, DerivationOptions<StorePath>::OutputChecks> resolvedMap;
+                for (const auto & [outputName, checks] : checksMap) {
+                    auto resolved = tryResolveOutputChecks(checks);
+                    if (!resolved)
+                        return std::nullopt;
+                    resolvedMap.emplace(outputName, *resolved);
+                }
+                return std::variant<
+                    DerivationOptions<StorePath>::OutputChecks,
+                    std::map<std::string, DerivationOptions<StorePath>::OutputChecks>>(resolvedMap);
+            }},
+        drvOptions.outputChecks);
+
+    if (!resolvedOutputChecks)
+        return std::nullopt;
+
+    // Resolve exportReferencesGraph
+    auto resolvedExportGraph = tryResolveExportReferencesGraph(drvOptions.exportReferencesGraph);
+    if (!resolvedExportGraph)
+        return std::nullopt;
+
+    // Return resolved DerivationOptions using designated initializers
+    return DerivationOptions<StorePath>{
+        .outputChecks = *resolvedOutputChecks,
+        .unsafeDiscardReferences = drvOptions.unsafeDiscardReferences,
+        .passAsFile = drvOptions.passAsFile,
+        .exportReferencesGraph = *resolvedExportGraph,
+        .additionalSandboxProfile = drvOptions.additionalSandboxProfile,
+        .noChroot = drvOptions.noChroot,
+        .impureHostDeps = drvOptions.impureHostDeps,
+        .impureEnvVars = drvOptions.impureEnvVars,
+        .allowLocalNetworking = drvOptions.allowLocalNetworking,
+        .requiredSystemFeatures = drvOptions.requiredSystemFeatures,
+        .preferLocalBuild = drvOptions.preferLocalBuild,
+        .allowSubstitutes = drvOptions.allowSubstitutes,
+    };
+}
+
+template struct DerivationOptions<StorePath>;
+template struct DerivationOptions<SingleDerivedPath>;
+
 } // namespace nix

 namespace nlohmann {

 using namespace nix;

-DerivationOptions adl_serializer<DerivationOptions>::from_json(const json & json_)
+DerivationOptions<SingleDerivedPath> adl_serializer<DerivationOptions<SingleDerivedPath>>::from_json(const json & json_)
 {
    auto & json = getObject(json_);

    return {
-        .outputChecks = [&]() -> OutputChecksVariant {
+        .outputChecks = [&]() -> OutputChecksVariant<SingleDerivedPath> {
            auto outputChecks = getObject(valueAt(json, "outputChecks"));

            auto forAllOutputsOpt = optionalValueAt(outputChecks, "forAllOutputs");
            auto perOutputOpt = optionalValueAt(outputChecks, "perOutput");

            if (forAllOutputsOpt && !perOutputOpt) {
-                return static_cast<OutputChecks>(*forAllOutputsOpt);
+                return static_cast<OutputChecks<SingleDerivedPath>>(*forAllOutputsOpt);
            } else if (perOutputOpt && !forAllOutputsOpt) {
-                return static_cast<std::map<std::string, OutputChecks>>(*perOutputOpt);
+                return static_cast<std::map<std::string, OutputChecks<SingleDerivedPath>>>(*perOutputOpt);
            } else {
                throw Error("Exactly one of 'perOutput' or 'forAllOutputs' is required");
            }
@@ -377,7 +605,7 @@ DerivationOptions adl_serializer<DerivationOptions>::from_json(const json & json

        .unsafeDiscardReferences = valueAt(json, "unsafeDiscardReferences"),
        .passAsFile = getStringSet(valueAt(json, "passAsFile")),
-        .exportReferencesGraph = getMap<StringSet>(getObject(valueAt(json, "exportReferencesGraph")), getStringSet),
+        .exportReferencesGraph = valueAt(json, "exportReferencesGraph"),

        .additionalSandboxProfile = getString(valueAt(json, "additionalSandboxProfile")),
        .noChroot = getBoolean(valueAt(json, "noChroot")),
@@ -391,16 +619,17 @@ DerivationOptions adl_serializer<DerivationOptions>::from_json(const json & json
    };
 }

-void adl_serializer<DerivationOptions>::to_json(json & json, const DerivationOptions & o)
+void adl_serializer<DerivationOptions<SingleDerivedPath>>::to_json(
+    json & json, const DerivationOptions<SingleDerivedPath> & o)
 {
    json["outputChecks"] = std::visit(
        overloaded{
-            [&](const OutputChecks & checks) {
+            [&](const OutputChecks<SingleDerivedPath> & checks) {
                nlohmann::json outputChecks;
                outputChecks["forAllOutputs"] = checks;
                return outputChecks;
            },
-            [&](const std::map<std::string, OutputChecks> & checksPerOutput) {
+            [&](const std::map<std::string, OutputChecks<SingleDerivedPath>> & checksPerOutput) {
                nlohmann::json outputChecks;
                outputChecks["perOutput"] = checksPerOutput;
                return outputChecks;
@@ -423,7 +652,7 @@ void adl_serializer<DerivationOptions>::to_json(json & json, const DerivationOpt
    json["allowSubstitutes"] = o.allowSubstitutes;
 }

-DerivationOptions::OutputChecks adl_serializer<DerivationOptions::OutputChecks>::from_json(const json & json_)
+OutputChecks<SingleDerivedPath> adl_serializer<OutputChecks<SingleDerivedPath>>::from_json(const json & json_)
 {
    auto & json = getObject(json_);

@@ -431,14 +660,16 @@ DerivationOptions::OutputChecks adl_serializer<DerivationOptions::OutputChecks>:
        .ignoreSelfRefs = getBoolean(valueAt(json, "ignoreSelfRefs")),
        .maxSize = ptrToOwned<uint64_t>(getNullable(valueAt(json, "maxSize"))),
        .maxClosureSize = ptrToOwned<uint64_t>(getNullable(valueAt(json, "maxClosureSize"))),
-        .allowedReferences = ptrToOwned<StringSet>(getNullable(valueAt(json, "allowedReferences"))),
-        .disallowedReferences = getStringSet(valueAt(json, "disallowedReferences")),
-        .allowedRequisites = ptrToOwned<StringSet>(getNullable(valueAt(json, "allowedRequisites"))),
-        .disallowedRequisites = getStringSet(valueAt(json, "disallowedRequisites")),
+        .allowedReferences =
+            ptrToOwned<std::set<DrvRef<SingleDerivedPath>>>(getNullable(valueAt(json, "allowedReferences"))),
+        .disallowedReferences = valueAt(json, "disallowedReferences"),
+        .allowedRequisites =
+            ptrToOwned<std::set<DrvRef<SingleDerivedPath>>>(getNullable(valueAt(json, "allowedRequisites"))),
+        .disallowedRequisites = valueAt(json, "disallowedRequisites"),
    };
 }

-void adl_serializer<DerivationOptions::OutputChecks>::to_json(json & json, const DerivationOptions::OutputChecks & c)
+void adl_serializer<OutputChecks<SingleDerivedPath>>::to_json(json & json, const OutputChecks<SingleDerivedPath> & c)
 {
    json["ignoreSelfRefs"] = c.ignoreSelfRefs;
    json["maxSize"] = c.maxSize;
--- a/src/libstore/derivations.cc
+++ b/src/libstore/derivations.cc
@@ -13,6 +13,7 @@
 #include <boost/container/small_vector.hpp>
 #include <boost/unordered/concurrent_flat_map.hpp>
 #include <nlohmann/json.hpp>
+#include <optional>

 namespace nix {

@@ -791,71 +792,63 @@ std::string outputPathName(std::string_view drvName, OutputNameView outputName)

 DerivationType BasicDerivation::type() const
 {
-    std::set<std::string_view> inputAddressedOutputs, fixedCAOutputs, floatingCAOutputs, deferredIAOutputs,
-        impureOutputs;
    std::optional<HashAlgorithm> floatingHashAlgo;
+    std::optional<DerivationType> ty;
+
+    auto decide = [&](DerivationType newTy) {
+        if (!ty)
+            ty = newTy;
+        else if (ty.value() != newTy)
+            throw Error("can't mix derivation output types");
+        else if (ty.value() == DerivationType::ContentAddressed{.sandboxed = false, .fixed = true})
+            // FIXME: Experimental feature?
+            throw Error("only one fixed output is allowed for now");
+    };

    for (auto & i : outputs) {
        std::visit(
            overloaded{
-                [&](const DerivationOutput::InputAddressed &) { inputAddressedOutputs.insert(i.first); },
-                [&](const DerivationOutput::CAFixed &) { fixedCAOutputs.insert(i.first); },
-                [&](const DerivationOutput::CAFloating & dof) {
-                    floatingCAOutputs.insert(i.first);
-                    if (!floatingHashAlgo) {
-                        floatingHashAlgo = dof.hashAlgo;
-                    } else {
-                        if (*floatingHashAlgo != dof.hashAlgo)
-                            throw Error("all floating outputs must use the same hash algorithm");
-                    }
+                [&](const DerivationOutput::InputAddressed &) {
+                    decide(
+                        DerivationType::InputAddressed{
+                            .deferred = false,
+                        });
                },
-                [&](const DerivationOutput::Deferred &) { deferredIAOutputs.insert(i.first); },
-                [&](const DerivationOutput::Impure &) { impureOutputs.insert(i.first); },
+                [&](const DerivationOutput::CAFixed &) {
+                    decide(
+                        DerivationType::ContentAddressed{
+                            .sandboxed = false,
+                            .fixed = true,
+                        });
+                    if (i.first != "out"sv)
+                        throw Error("single fixed output must be named \"out\"");
+                },
+                [&](const DerivationOutput::CAFloating & dof) {
+                    decide(
+                        DerivationType::ContentAddressed{
+                            .sandboxed = true,
+                            .fixed = false,
+                        });
+                    if (!floatingHashAlgo)
+                        floatingHashAlgo = dof.hashAlgo;
+                    else if (*floatingHashAlgo != dof.hashAlgo)
+                        throw Error("all floating outputs must use the same hash algorithm");
+                },
+                [&](const DerivationOutput::Deferred &) {
+                    decide(
+                        DerivationType::InputAddressed{
+                            .deferred = true,
+                        });
+                },
+                [&](const DerivationOutput::Impure &) { decide(DerivationType::Impure{}); },
            },
            i.second.raw);
    }

-    if (inputAddressedOutputs.empty() && fixedCAOutputs.empty() && floatingCAOutputs.empty()
-        && deferredIAOutputs.empty() && impureOutputs.empty())
+    if (!ty)
        throw Error("must have at least one output");

-    if (!inputAddressedOutputs.empty() && fixedCAOutputs.empty() && floatingCAOutputs.empty()
-        && deferredIAOutputs.empty() && impureOutputs.empty())
-        return DerivationType::InputAddressed{
-            .deferred = false,
-        };
-
-    if (inputAddressedOutputs.empty() && !fixedCAOutputs.empty() && floatingCAOutputs.empty()
-        && deferredIAOutputs.empty() && impureOutputs.empty()) {
-        if (fixedCAOutputs.size() > 1)
-            // FIXME: Experimental feature?
-            throw Error("only one fixed output is allowed for now");
-        if (*fixedCAOutputs.begin() != "out"sv)
-            throw Error("single fixed output must be named \"out\"");
-        return DerivationType::ContentAddressed{
-            .sandboxed = false,
-            .fixed = true,
-        };
-    }
-
-    if (inputAddressedOutputs.empty() && fixedCAOutputs.empty() && !floatingCAOutputs.empty()
-        && deferredIAOutputs.empty() && impureOutputs.empty())
-        return DerivationType::ContentAddressed{
-            .sandboxed = true,
-            .fixed = false,
-        };
-
-    if (inputAddressedOutputs.empty() && fixedCAOutputs.empty() && floatingCAOutputs.empty()
-        && !deferredIAOutputs.empty() && impureOutputs.empty())
-        return DerivationType::InputAddressed{
-            .deferred = true,
-        };
-
-    if (inputAddressedOutputs.empty() && fixedCAOutputs.empty() && floatingCAOutputs.empty()
-        && deferredIAOutputs.empty() && !impureOutputs.empty())
-        return DerivationType::Impure{};
-
-    throw Error("can't mix derivation output types");
+    return ty.value();
 }

 DrvHashes drvHashes;
--- a/src/libstore/downstream-placeholder.cc
+++ b/src/libstore/downstream-placeholder.cc
@@ -1,5 +1,6 @@
 #include "nix/store/downstream-placeholder.hh"
 #include "nix/store/derivations.hh"
+#include "nix/util/json-utils.hh"

 namespace nix {

@@ -49,3 +50,45 @@ DownstreamPlaceholder DownstreamPlaceholder::fromSingleDerivedPathBuilt(
 }

 } // namespace nix
+
+namespace nlohmann {
+
+using namespace nix;
+
+template<typename Item>
+DrvRef<Item> adl_serializer<DrvRef<Item>>::from_json(const json & json)
+{
+    // OutputName case: { "drvPath": "self", "output": <output> }
+    if (json.type() == nlohmann::json::value_t::object) {
+        auto & obj = getObject(json);
+        if (auto * drvPath_ = get(obj, "drvPath")) {
+            auto & drvPath = *drvPath_;
+            if (drvPath.type() == nlohmann::json::value_t::string && getString(drvPath) == "self") {
+                return getString(valueAt(obj, "output"));
+            }
+        }
+    }
+
+    // Input case
+    return adl_serializer<Item>::from_json(json);
+}
+
+template<typename Item>
+void adl_serializer<DrvRef<Item>>::to_json(json & json, const DrvRef<Item> & ref)
+{
+    std::visit(
+        overloaded{
+            [&](const OutputName & outputName) {
+                json = nlohmann::json::object();
+                json["drvPath"] = "self";
+                json["output"] = outputName;
+            },
+            [&](const Item & item) { json = item; },
+        },
+        ref);
+}
+
+template struct adl_serializer<nix::DrvRef<StorePath>>;
+template struct adl_serializer<nix::DrvRef<SingleDerivedPath>>;
+
+} // namespace nlohmann
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@@ -151,15 +151,23 @@ struct curlFileTransfer : public FileTransfer
            }
        }

-        void failEx(std::exception_ptr ex)
+        void failEx(std::exception_ptr ex) noexcept
        {
            assert(!done);
            done = true;
+            try {
+                std::rethrow_exception(ex);
+            } catch (nix::Error & e) {
+                /* Add more context to the error message. */
+                e.addTrace({}, "during %s of '%s'", Uncolored(request.verb()), request.uri.to_string());
+            } catch (...) {
+                /* Can't add more context to the error. */
+            }
            callback.rethrow(ex);
        }

        template<class T>
-        void fail(T && e)
+        void fail(T && e) noexcept
        {
            failEx(std::make_exception_ptr(std::forward<T>(e)));
        }
@@ -168,32 +176,30 @@ struct curlFileTransfer : public FileTransfer
        std::shared_ptr<FinishSink> decompressionSink;
        std::optional<StringSink> errorSink;

-        std::exception_ptr writeException;
+        std::exception_ptr callbackException;

-        size_t writeCallback(void * contents, size_t size, size_t nmemb)
-        {
-            try {
-                size_t realSize = size * nmemb;
-                result.bodySize += realSize;
+        size_t writeCallback(void * contents, size_t size, size_t nmemb) noexcept
+        try {
+            size_t realSize = size * nmemb;
+            result.bodySize += realSize;

-                if (!decompressionSink) {
-                    decompressionSink = makeDecompressionSink(encoding, finalSink);
-                    if (!successfulStatuses.count(getHTTPStatus())) {
-                        // In this case we want to construct a TeeSink, to keep
-                        // the response around (which we figure won't be big
-                        // like an actual download should be) to improve error
-                        // messages.
-                        errorSink = StringSink{};
-                    }
+            if (!decompressionSink) {
+                decompressionSink = makeDecompressionSink(encoding, finalSink);
+                if (!successfulStatuses.count(getHTTPStatus())) {
+                    // In this case we want to construct a TeeSink, to keep
+                    // the response around (which we figure won't be big
+                    // like an actual download should be) to improve error
+                    // messages.
+                    errorSink = StringSink{};
                }
-
-                (*decompressionSink)({(char *) contents, realSize});
-
-                return realSize;
-            } catch (...) {
-                writeException = std::current_exception();
-                return 0;
            }
+
+            (*decompressionSink)({(char *) contents, realSize});
+
+            return realSize;
+        } catch (...) {
+            callbackException = std::current_exception();
+            return 0;
        }

        static size_t writeCallbackWrapper(void * contents, size_t size, size_t nmemb, void * userp)
@@ -209,8 +215,8 @@ struct curlFileTransfer : public FileTransfer
                result.urls.push_back(effectiveUriCStr);
        }

-        size_t headerCallback(void * contents, size_t size, size_t nmemb)
-        {
+        size_t headerCallback(void * contents, size_t size, size_t nmemb) noexcept
+        try {
            size_t realSize = size * nmemb;
            std::string line((char *) contents, realSize);
            printMsg(lvlVomit, "got header for '%s': %s", request.uri, trim(line));
@@ -263,6 +269,15 @@ struct curlFileTransfer : public FileTransfer
                }
            }
            return realSize;
+        } catch (...) {
+#if LIBCURL_VERSION_NUM >= 0x075700
+            /* https://curl.se/libcurl/c/CURLOPT_HEADERFUNCTION.html:
+               You can also abort the transfer by returning CURL_WRITEFUNC_ERROR. */
+            callbackException = std::current_exception();
+            return CURL_WRITEFUNC_ERROR;
+#else
+            return realSize;
+#endif
        }

        static size_t headerCallbackWrapper(void * contents, size_t size, size_t nmemb, void * userp)
@@ -270,14 +285,17 @@ struct curlFileTransfer : public FileTransfer
            return ((TransferItem *) userp)->headerCallback(contents, size, nmemb);
        }

-        int progressCallback(curl_off_t dltotal, curl_off_t dlnow)
-        {
-            try {
-                act.progress(dlnow, dltotal);
-            } catch (nix::Interrupted &) {
-                assert(getInterrupted());
-            }
+        int progressCallback(curl_off_t dltotal, curl_off_t dlnow) noexcept
+        try {
+            act.progress(dlnow, dltotal);
            return getInterrupted();
+        } catch (nix::Interrupted &) {
+            assert(getInterrupted());
+            return 1;
+        } catch (...) {
+            /* Something unexpected has happened like logger throwing an exception. */
+            callbackException = std::current_exception();
+            return 1;
        }

        static int progressCallbackWrapper(
@@ -288,11 +306,14 @@ struct curlFileTransfer : public FileTransfer
            return item.progressCallback(isUpload ? ultotal : dltotal, isUpload ? ulnow : dlnow);
        }

-        static int debugCallback(CURL * handle, curl_infotype type, char * data, size_t size, void * userptr)
-        {
+        static int debugCallback(CURL * handle, curl_infotype type, char * data, size_t size, void * userptr) noexcept
+        try {
            if (type == CURLINFO_TEXT)
                vomit("curl: %s", chomp(std::string(data, size)));
            return 0;
+        } catch (...) {
+            /* Swallow the exception. Nothing left to do. */
+            return 0;
        }

        size_t readCallback(char * buffer, size_t size, size_t nitems) noexcept
@@ -302,6 +323,7 @@ struct curlFileTransfer : public FileTransfer
        } catch (EndOfFile &) {
            return 0;
        } catch (...) {
+            callbackException = std::current_exception();
            return CURL_READFUNC_ABORT;
        }

@@ -333,6 +355,7 @@ struct curlFileTransfer : public FileTransfer
            }
            return CURL_SEEKFUNC_OK;
        } catch (...) {
+            callbackException = std::current_exception();
            return CURL_SEEKFUNC_FAIL;
        }

@@ -476,7 +499,7 @@ struct curlFileTransfer : public FileTransfer
                try {
                    decompressionSink->finish();
                } catch (...) {
-                    writeException = std::current_exception();
+                    callbackException = std::current_exception();
                }
            }

@@ -485,8 +508,8 @@ struct curlFileTransfer : public FileTransfer
                httpStatus = 304;
            }

-            if (writeException)
-                failEx(writeException);
+            if (callbackException)
+                failEx(callbackException);

            else if (code == CURLE_OK && successfulStatuses.count(httpStatus)) {
                result.cached = httpStatus == 304;
--- a/src/libstore/include/nix/store/build/derivation-builder.hh
+++ b/src/libstore/include/nix/store/build/derivation-builder.hh
@@ -69,7 +69,7 @@ struct DerivationBuilderParams
     *
     * @todo this should be part of `Derivation`.
     */
-    const DerivationOptions & drvOptions;
+    const DerivationOptions<StorePath> & drvOptions;

    // The remainder is state held during the build.

--- a/src/libstore/include/nix/store/build/derivation-building-goal.hh
+++ b/src/libstore/include/nix/store/build/derivation-building-goal.hh
@@ -52,8 +52,6 @@ private:
     */
    std::unique_ptr<Derivation> drv;

-    std::unique_ptr<DerivationOptions> drvOptions;
-
    /**
     * The remainder is state held during the build.
     */
@@ -115,7 +113,8 @@ private:
    /**
     * Is the build hook willing to perform the build?
     */
-    HookReply tryBuildHook(const std::map<std::string, InitialOutput> & initialOutputs);
+    HookReply tryBuildHook(
+        const std::map<std::string, InitialOutput> & initialOutputs, const DerivationOptions<StorePath> & drvOptions);

    /**
     * Open a log file and a pipe to it.
--- a/src/libstore/include/nix/store/build/derivation-env-desugar.hh
+++ b/src/libstore/include/nix/store/build/derivation-env-desugar.hh
@@ -8,6 +8,7 @@ namespace nix {

 class Store;
 struct Derivation;
+template<typename Input>
 struct DerivationOptions;

 /**
@@ -77,7 +78,10 @@ struct DesugaredEnv
     * just part of `Derivation`.
     */
    static DesugaredEnv create(
-        Store & store, const Derivation & drv, const DerivationOptions & drvOptions, const StorePathSet & inputPaths);
+        Store & store,
+        const Derivation & drv,
+        const DerivationOptions<StorePath> & drvOptions,
+        const StorePathSet & inputPaths);
 };

 } // namespace nix
--- a/src/libstore/include/nix/store/derivation-options.hh
+++ b/src/libstore/include/nix/store/derivation-options.hh
@@ -8,7 +8,8 @@

 #include "nix/util/types.hh"
 #include "nix/util/json-impls.hh"
-#include "nix/store/path.hh"
+#include "nix/store/store-dir-config.hh"
+#include "nix/store/downstream-placeholder.hh"

 namespace nix {

@@ -17,6 +18,9 @@ struct StoreDirConfig;
 struct BasicDerivation;
 struct StructuredAttrs;

+template<typename V>
+struct DerivedPathMap;
+
 /**
 * This represents all the special options on a `Derivation`.
 *
@@ -34,6 +38,7 @@ struct StructuredAttrs;
 * separately. That would be nice to separate concerns, and not make any
 * environment variable names magical.
 */
+template<typename Input>
 struct DerivationOptions
 {
    struct OutputChecks
@@ -41,13 +46,15 @@ struct DerivationOptions
        bool ignoreSelfRefs = false;
        std::optional<uint64_t> maxSize, maxClosureSize;

+        using DrvRef = nix::DrvRef<Input>;
+
        /**
         * env: allowedReferences
         *
         * A value of `nullopt` indicates that the check is skipped.
         * This means that all references are allowed.
         */
-        std::optional<StringSet> allowedReferences;
+        std::optional<std::set<DrvRef>> allowedReferences;

        /**
         * env: disallowedReferences
@@ -55,21 +62,21 @@ struct DerivationOptions
         * No needed for `std::optional`, because skipping the check is
         * the same as disallowing the references.
         */
-        StringSet disallowedReferences;
+        std::set<DrvRef> disallowedReferences;

        /**
         * env: allowedRequisites
         *
         * See `allowedReferences`
         */
-        std::optional<StringSet> allowedRequisites;
+        std::optional<std::set<DrvRef>> allowedRequisites;

        /**
         * env: disallowedRequisites
         *
         * See `disallowedReferences`
         */
-        StringSet disallowedRequisites;
+        std::set<DrvRef> disallowedRequisites;

        bool operator==(const OutputChecks &) const = default;
    };
@@ -116,23 +123,7 @@ struct DerivationOptions
     * attributes give to the builder. The set of paths in the original JSON
     * is replaced with a list of `PathInfo` in JSON format.
     */
-    std::map<std::string, StringSet> exportReferencesGraph;
-
-    /**
-     * Once a derivations is resolved, the strings in in
-     * `exportReferencesGraph` should all be store paths (with possible
-     * suffix paths, but those are discarded).
-     *
-     * @return The parsed path set for for each key in the map.
-     *
-     * @todo Ideally, `exportReferencesGraph` would just store
-     * `StorePath`s for this, but we can't just do that, because for CA
-     * derivations they is actually in general `DerivedPath`s (via
-     * placeholder strings) until the derivation is resolved and exact
-     * inputs store paths are known. We can use better types for that
-     * too, but that is a longer project.
-     */
-    std::map<std::string, StorePathSet> getParsedExportReferencesGraph(const StoreDirConfig & store) const;
+    std::map<std::string, std::set<Input>> exportReferencesGraph;

    /**
     * env: __sandboxProfile
@@ -185,18 +176,6 @@ struct DerivationOptions

    bool operator==(const DerivationOptions &) const = default;

-    /**
-     * Parse this information from its legacy encoding as part of the
-     * environment. This should not be used with nice greenfield formats
-     * (e.g. JSON) but is necessary for supporting old formats (e.g.
-     * ATerm).
-     */
-    static DerivationOptions
-    fromStructuredAttrs(const StringMap & env, const StructuredAttrs * parsed, bool shouldWarn = true);
-
-    static DerivationOptions
-    fromStructuredAttrs(const StringMap & env, const std::optional<StructuredAttrs> & parsed, bool shouldWarn = true);
-
    /**
     * @param drv Must be the same derivation we parsed this from. In
     * the future we'll flip things around so a `BasicDerivation` has
@@ -222,7 +201,49 @@ struct DerivationOptions
    bool useUidRange(const BasicDerivation & drv) const;
 };

+extern template struct DerivationOptions<StorePath>;
+extern template struct DerivationOptions<SingleDerivedPath>;
+
+struct DerivationOutput;
+
+/**
+ * Parse this information from its legacy encoding as part of the
+ * environment. This should not be used with nice greenfield formats
+ * (e.g. JSON) but is necessary for supporting old formats (e.g.
+ * ATerm).
+ */
+DerivationOptions<SingleDerivedPath> derivationOptionsFromStructuredAttrs(
+    const StoreDirConfig & store,
+    const DerivedPathMap<StringSet> & inputDrvs,
+    const StringMap & env,
+    const StructuredAttrs * parsed,
+    bool shouldWarn = true,
+    const ExperimentalFeatureSettings & mockXpSettings = experimentalFeatureSettings);
+
+DerivationOptions<StorePath> derivationOptionsFromStructuredAttrs(
+    const StoreDirConfig & store,
+    const StringMap & env,
+    const StructuredAttrs * parsed,
+    bool shouldWarn = true,
+    const ExperimentalFeatureSettings & mockXpSettings = experimentalFeatureSettings);
+
+/**
+ * This is the counterpart of `Derivation::tryResolve`. In particular,
+ * it takes the same sort of callback, which is used to reolve
+ * non-constant deriving paths.
+ *
+ * We need this function when resolving a derivation, and we will use
+ * this as part of that if/when `Derivation` includes
+ * `DerivationOptions`
+ */
+std::optional<DerivationOptions<StorePath>> tryResolve(
+    const DerivationOptions<SingleDerivedPath> & drvOptions,
+    std::function<std::optional<StorePath>(ref<const SingleDerivedPath> drvPath, const std::string & outputName)>
+        queryResolutionChain);
+
 }; // namespace nix

-JSON_IMPL(DerivationOptions);
-JSON_IMPL(DerivationOptions::OutputChecks)
+JSON_IMPL(nix::DerivationOptions<nix::StorePath>);
+JSON_IMPL(nix::DerivationOptions<nix::SingleDerivedPath>);
+JSON_IMPL(nix::DerivationOptions<nix::StorePath>::OutputChecks)
+JSON_IMPL(nix::DerivationOptions<nix::SingleDerivedPath>::OutputChecks)
--- a/src/libstore/include/nix/store/downstream-placeholder.hh
+++ b/src/libstore/include/nix/store/downstream-placeholder.hh
@@ -2,11 +2,23 @@
 ///@file

 #include "nix/util/hash.hh"
+#include "nix/util/json-impls.hh"
 #include "nix/store/path.hh"
 #include "nix/store/derived-path.hh"

 namespace nix {

+/**
+ * A reference is either to a to-be-registered output (by name),
+ * or to an already-registered store object (by `Input`).
+ *
+ * `Ref<SingleDerivedPath` is a representation of something that can be
+ * turned into a placeholder. (Regular own-output placeholder in the
+ * first case, `DownstreamPlaceholder` in the second case.)
+ */
+template<typename Input>
+using DrvRef = std::variant<OutputName, Input>;
+
 /**
 * Downstream Placeholders are opaque and almost certainly unique values
 * used to allow derivations to refer to store objects which are yet to
@@ -92,3 +104,17 @@ public:
 };

 } // namespace nix
+
+namespace nlohmann {
+
+template<typename Item>
+struct adl_serializer<nix::DrvRef<Item>>
+{
+    static nix::DrvRef<Item> from_json(const json & json);
+    static void to_json(json & json, const nix::DrvRef<Item> & t);
+};
+
+extern template struct adl_serializer<nix::DrvRef<nix::StorePath>>;
+extern template struct adl_serializer<nix::DrvRef<nix::SingleDerivedPath>>;
+
+} // namespace nlohmann
--- a/src/libstore/include/nix/store/parsed-derivations.hh
+++ b/src/libstore/include/nix/store/parsed-derivations.hh
@@ -9,6 +9,7 @@
 namespace nix {

 class Store;
+template<typename Input>
 struct DerivationOptions;
 struct DerivationOutput;

@@ -47,7 +48,7 @@ struct StructuredAttrs

    nlohmann::json::object_t prepareStructuredAttrs(
        Store & store,
-        const DerivationOptions & drvOptions,
+        const DerivationOptions<StorePath> & drvOptions,
        const StorePathSet & inputPaths,
        const DerivationOutputs & outputs) const;

--- a/src/libstore/misc.cc
+++ b/src/libstore/misc.cc
@@ -225,11 +225,12 @@ MissingPaths Store::queryMissing(const std::vector<DerivedPath> & targets)
                        return;

                    auto drv = make_ref<Derivation>(derivationFromPath(drvPath));
-                    DerivationOptions drvOptions;
+                    DerivationOptions<SingleDerivedPath> drvOptions;
                    try {
                        // FIXME: this is a lot of work just to get the value
                        // of `allowSubstitutes`.
-                        drvOptions = DerivationOptions::fromStructuredAttrs(drv->env, drv->structuredAttrs);
+                        drvOptions = derivationOptionsFromStructuredAttrs(
+                            *this, drv->inputDrvs, drv->env, get(drv->structuredAttrs));
                    } catch (Error & e) {
                        e.addTrace({}, "while parsing derivation '%s'", printStorePath(drvPath));
                        throw;
--- a/src/libstore/parsed-derivations.cc
+++ b/src/libstore/parsed-derivations.cc
@@ -100,7 +100,7 @@ static nlohmann::json pathInfoToJSON(Store & store, const StorePathSet & storePa

 nlohmann::json::object_t StructuredAttrs::prepareStructuredAttrs(
    Store & store,
-    const DerivationOptions & drvOptions,
+    const DerivationOptions<StorePath> & drvOptions,
    const StorePathSet & inputPaths,
    const DerivationOutputs & outputs) const
 {
@@ -114,8 +114,8 @@ nlohmann::json::object_t StructuredAttrs::prepareStructuredAttrs(
    json["outputs"] = std::move(outputsJson);

    /* Handle exportReferencesGraph. */
-    for (auto & [key, storePaths] : drvOptions.getParsedExportReferencesGraph(store)) {
-        json[key] = pathInfoToJSON(store, store.exportReferences(storePaths, storePaths));
+    for (auto & [key, storePaths] : drvOptions.exportReferencesGraph) {
+        json[key] = pathInfoToJSON(store, store.exportReferences(storePaths, inputPaths));
    }

    return json;
--- a/src/libutil-c/nix_api_util.cc
+++ b/src/libutil-c/nix_api_util.cc
@@ -36,7 +36,7 @@ nix_err nix_context_error(nix_c_context * context)
        const char * demangled = abi::__cxa_demangle(typeid(e).name(), 0, 0, &status);
        if (demangled) {
            context->name = demangled;
-            // todo: free(demangled);
+            free((void *) demangled);
        } else {
            context->name = typeid(e).name();
        }
--- a/src/libutil/archive.cc
+++ b/src/libutil/archive.cc
@@ -200,54 +200,54 @@ static void parse(FileSystemObjectSink & sink, Source & source, const CanonPath
    }

    else if (type == "directory") {
-        sink.createDirectory(path);
+        sink.createDirectory(path, [&](FileSystemObjectSink & dirSink, const CanonPath & relDirPath) {
+            std::map<Path, int, CaseInsensitiveCompare> names;

-        std::map<Path, int, CaseInsensitiveCompare> names;
+            std::string prevName;

-        std::string prevName;
+            while (1) {
+                auto tag = getString();

-        while (1) {
-            auto tag = getString();
+                if (tag == ")")
+                    break;

-            if (tag == ")")
-                break;
+                if (tag != "entry")
+                    throw badArchive("expected tag 'entry' or ')', got '%s'", tag);

-            if (tag != "entry")
-                throw badArchive("expected tag 'entry' or ')', got '%s'", tag);
+                expectTag("(");

-            expectTag("(");
+                expectTag("name");

-            expectTag("name");
+                auto name = getString();
+                if (name.empty() || name == "." || name == ".." || name.find('/') != std::string::npos
+                    || name.find((char) 0) != std::string::npos)
+                    throw badArchive("NAR contains invalid file name '%1%'", name);
+                if (name <= prevName)
+                    throw badArchive("NAR directory is not sorted");
+                prevName = name;
+                if (archiveSettings.useCaseHack) {
+                    auto i = names.find(name);
+                    if (i != names.end()) {
+                        debug("case collision between '%1%' and '%2%'", i->first, name);
+                        name += caseHackSuffix;
+                        name += std::to_string(++i->second);
+                        auto j = names.find(name);
+                        if (j != names.end())
+                            throw badArchive(
+                                "NAR contains file name '%s' that collides with case-hacked file name '%s'",
+                                prevName,
+                                j->first);
+                    } else
+                        names[name] = 0;
+                }

-            auto name = getString();
-            if (name.empty() || name == "." || name == ".." || name.find('/') != std::string::npos
-                || name.find((char) 0) != std::string::npos)
-                throw badArchive("NAR contains invalid file name '%1%'", name);
-            if (name <= prevName)
-                throw badArchive("NAR directory is not sorted");
-            prevName = name;
-            if (archiveSettings.useCaseHack) {
-                auto i = names.find(name);
-                if (i != names.end()) {
-                    debug("case collision between '%1%' and '%2%'", i->first, name);
-                    name += caseHackSuffix;
-                    name += std::to_string(++i->second);
-                    auto j = names.find(name);
-                    if (j != names.end())
-                        throw badArchive(
-                            "NAR contains file name '%s' that collides with case-hacked file name '%s'",
-                            prevName,
-                            j->first);
-                } else
-                    names[name] = 0;
+                expectTag("node");
+
+                parse(dirSink, source, relDirPath / name);
+
+                expectTag(")");
            }
-
-            expectTag("node");
-
-            parse(sink, source, path / name);
-
-            expectTag(")");
-        }
+        });
    }

    else if (type == "symlink") {
--- a/src/libutil/fs-sink.cc
+++ b/src/libutil/fs-sink.cc
@@ -14,44 +14,6 @@

 namespace nix {

-void copyRecursive(SourceAccessor & accessor, const CanonPath & from, FileSystemObjectSink & sink, const CanonPath & to)
-{
-    auto stat = accessor.lstat(from);
-
-    switch (stat.type) {
-    case SourceAccessor::tSymlink: {
-        sink.createSymlink(to, accessor.readLink(from));
-        break;
-    }
-
-    case SourceAccessor::tRegular: {
-        sink.createRegularFile(to, [&](CreateRegularFileSink & crf) {
-            if (stat.isExecutable)
-                crf.isExecutable();
-            accessor.readFile(from, crf, [&](uint64_t size) { crf.preallocateContents(size); });
-        });
-        break;
-    }
-
-    case SourceAccessor::tDirectory: {
-        sink.createDirectory(to);
-        for (auto & [name, _] : accessor.readDirectory(from)) {
-            copyRecursive(accessor, from / name, sink, to / name);
-            break;
-        }
-        break;
-    }
-
-    case SourceAccessor::tChar:
-    case SourceAccessor::tBlock:
-    case SourceAccessor::tSocket:
-    case SourceAccessor::tFifo:
-    case SourceAccessor::tUnknown:
-    default:
-        throw Error("file '%1%' has an unsupported type of %2%", from, stat.typeString());
-    }
-}
-
 struct RestoreSinkSettings : Config
 {
    Setting<bool> preallocateContents{
@@ -70,11 +32,60 @@ static std::filesystem::path append(const std::filesystem::path & src, const Can
    return dst;
 }

+#ifndef _WIN32
+void RestoreSink::createDirectory(const CanonPath & path, DirectoryCreatedCallback callback)
+{
+    if (path.isRoot()) {
+        createDirectory(path);
+        callback(*this, path);
+        return;
+    }
+
+    createDirectory(path);
+    assert(dirFd); // If that's not true the above call must have thrown an exception.
+
+    RestoreSink dirSink{startFsync};
+    dirSink.dstPath = append(dstPath, path);
+    dirSink.dirFd = ::openat(dirFd.get(), path.rel_c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+
+    if (!dirSink.dirFd)
+        throw SysError("opening directory '%s'", dirSink.dstPath.string());
+
+    callback(dirSink, CanonPath::root);
+}
+#endif
+
 void RestoreSink::createDirectory(const CanonPath & path)
 {
    auto p = append(dstPath, path);
+
+#ifndef _WIN32
+    if (dirFd) {
+        if (path.isRoot())
+            /* Trying to create a directory that we already have a file descriptor for. */
+            throw Error("path '%s' already exists", p.string());
+
+        if (::mkdirat(dirFd.get(), path.rel_c_str(), 0777) == -1)
+            throw SysError("creating directory '%s'", p.string());
+
+        return;
+    }
+#endif
+
    if (!std::filesystem::create_directory(p))
        throw Error("path '%s' already exists", p.string());
+
+#ifndef _WIN32
+    if (path.isRoot()) {
+        assert(!dirFd); // Handled above
+
+        /* Open directory for further *at operations relative to the sink root
+           directory. */
+        dirFd = open(p.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+        if (!dirFd)
+            throw SysError("creating directory '%1%'", p.string());
+    }
+#endif
 };

 struct RestoreRegularFile : CreateRegularFileSink
@@ -114,7 +125,14 @@ void RestoreSink::createRegularFile(const CanonPath & path, std::function<void(C
            FILE_ATTRIBUTE_NORMAL,
            NULL)
 #else
-        open(p.c_str(), O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, 0666)
+        [&]() {
+            /* O_EXCL together with O_CREAT ensures symbolic links in the last
+              component are not followed. */
+            constexpr int flags = O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC;
+            if (!dirFd)
+                return ::open(p.c_str(), flags, 0666);
+            return ::openat(dirFd.get(), path.rel_c_str(), flags, 0666);
+        }();
 #endif
        ;
    if (!crf.fd)
@@ -161,6 +179,13 @@ void RestoreRegularFile::operator()(std::string_view data)
 void RestoreSink::createSymlink(const CanonPath & path, const std::string & target)
 {
    auto p = append(dstPath, path);
+#ifndef _WIN32
+    if (dirFd) {
+        if (::symlinkat(requireCString(target), dirFd.get(), path.rel_c_str()) == -1)
+            throw SysError("creating symlink from '%1%' -> '%2%'", p.string(), target);
+        return;
+    }
+#endif
    nix::createSymlink(target, p.string());
 }

--- a/src/libutil/git.cc
+++ b/src/libutil/git.cc
@@ -217,29 +217,6 @@ std::optional<Mode> convertMode(SourceAccessor::Type type)
    }
 }

-void restore(FileSystemObjectSink & sink, Source & source, HashAlgorithm hashAlgo, std::function<RestoreHook> hook)
-{
-    parse(sink, CanonPath::root, source, BlobMode::Regular, hashAlgo, [&](CanonPath name, TreeEntry entry) {
-        auto [accessor, from] = hook(entry.hash);
-        auto stat = accessor->lstat(from);
-        auto gotOpt = convertMode(stat.type);
-        if (!gotOpt)
-            throw Error(
-                "file '%s' (git hash %s) has an unsupported type",
-                from,
-                entry.hash.to_string(HashFormat::Base16, false));
-        auto & got = *gotOpt;
-        if (got != entry.mode)
-            throw Error(
-                "git mode of file '%s' (git hash %s) is %o but expected %o",
-                from,
-                entry.hash.to_string(HashFormat::Base16, false),
-                (RawMode) got,
-                (RawMode) entry.mode);
-        copyRecursive(*accessor, from, sink, name);
-    });
-}
-
 void dumpBlobPrefix(uint64_t size, Sink & sink, const ExperimentalFeatureSettings & xpSettings)
 {
    xpSettings.require(Xp::GitHashing);
--- a/src/libutil/include/nix/util/fs-sink.hh
+++ b/src/libutil/include/nix/util/fs-sink.hh
@@ -36,6 +36,23 @@ struct FileSystemObjectSink

    virtual void createDirectory(const CanonPath & path) = 0;

+    using DirectoryCreatedCallback = std::function<void(FileSystemObjectSink & dirSink, const CanonPath & dirRelPath)>;
+
+    /**
+     * Create a directory and invoke a callback with a pair of sink + CanonPath
+     * of the created subdirectory relative to dirSink.
+     *
+     * @note This allows for UNIX RestoreSink implementations to implement
+     * *at-style accessors that always keep an open file descriptor for the
+     * freshly created directory. Use this when it's important to disallow any
+     * intermediate path components from being symlinks.
+     */
+    virtual void createDirectory(const CanonPath & path, DirectoryCreatedCallback callback)
+    {
+        createDirectory(path);
+        callback(*this, path);
+    }
+
    /**
     * This function in general is no re-entrant. Only one file can be
     * written at a time.
@@ -82,6 +99,18 @@ struct NullFileSystemObjectSink : FileSystemObjectSink
 struct RestoreSink : FileSystemObjectSink
 {
    std::filesystem::path dstPath;
+#ifndef _WIN32
+    /**
+     * File descriptor for the directory located at dstPath. Used for *at
+     * operations relative to this file descriptor. This sink must *never*
+     * follow intermediate symlinks (starting from dstPath) in case a file
+     * collision is encountered for various reasons like case-insensitivity or
+     * other types on normalization. using appropriate *at system calls and traversing
+     * only one path component at a time ensures that writing is race-free and is
+     * is not susceptible to symlink replacement.
+     */
+    AutoCloseFD dirFd;
+#endif
    bool startFsync = false;

    explicit RestoreSink(bool startFsync)
@@ -91,6 +120,10 @@ struct RestoreSink : FileSystemObjectSink

    void createDirectory(const CanonPath & path) override;

+#ifndef _WIN32
+    void createDirectory(const CanonPath & path, DirectoryCreatedCallback callback) override;
+#endif
+
    void createRegularFile(const CanonPath & path, std::function<void(CreateRegularFileSink &)>) override;

    void createSymlink(const CanonPath & path, const std::string & target) override;
--- a/src/libutil/include/nix/util/git.hh
+++ b/src/libutil/include/nix/util/git.hh
@@ -136,13 +136,6 @@ std::optional<Mode> convertMode(SourceAccessor::Type type);
 */
 using RestoreHook = SourcePath(Hash);

-/**
- * Wrapper around `parse` and `RestoreSink`
- *
- * @param hashAlgo must be `HashAlgo::SHA1` or `HashAlgo::SHA256` for now.
- */
-void restore(FileSystemObjectSink & sink, Source & source, HashAlgorithm hashAlgo, std::function<RestoreHook> hook);
-
 /**
 * Dumps a single file to a sink
 *
--- a/src/libutil/include/nix/util/strings.hh
+++ b/src/libutil/include/nix/util/strings.hh
@@ -166,4 +166,10 @@ public:
    }
 };

+/**
+ * Check that the string does not contain any NUL bytes and return c_str().
+ * @throws Error if str contains '\0' bytes.
+ */
+const char * requireCString(const std::string & str);
+
 } // namespace nix
--- a/src/libutil/include/nix/util/util.hh
+++ b/src/libutil/include/nix/util/util.hh
@@ -242,6 +242,28 @@ std::string stripIndentation(std::string_view s);
 */
 std::pair<std::string_view, std::string_view> getLine(std::string_view s);

+/**
+ * Get a pointer to the contents of a `std::optional` if it is set, or a
+ * null pointer otherise.
+ *
+ * Const version.
+ */
+template<class T>
+const T * get(const std::optional<T> & opt)
+{
+    return opt ? &*opt : nullptr;
+}
+
+/**
+ * Non-const counterpart of `const T * get(const std::optional<T>)`.
+ * Takes a mutable reference, but returns a mutable pointer.
+ */
+template<class T>
+T * get(std::optional<T> & opt)
+{
+    return opt ? &*opt : nullptr;
+}
+
 /**
 * Get a value for the specified key from an associate container.
 */
--- a/src/libutil/strings.cc
+++ b/src/libutil/strings.cc
@@ -5,6 +5,7 @@
 #include "nix/util/strings-inline.hh"
 #include "nix/util/os-string.hh"
 #include "nix/util/error.hh"
+#include "nix/util/util.hh"

 namespace nix {

@@ -152,4 +153,14 @@ std::string optionalBracket(std::string_view prefix, std::string_view content, s
    return result;
 }

+const char * requireCString(const std::string & s)
+{
+    if (std::memchr(s.data(), '\0', s.size())) [[unlikely]] {
+        using namespace std::string_view_literals;
+        auto str = replaceStrings(s, "\0"sv, "␀"sv);
+        throw Error("string '%s' with null (\\0) bytes used where it's not allowed", str);
+    }
+    return s.c_str();
+}
+
 } // namespace nix
--- a/src/libutil/url.cc
+++ b/src/libutil/url.cc
@@ -327,8 +327,11 @@ Path renderUrlPathEnsureLegal(const std::vector<std::string> & urlPath)
        /* This is only really valid for UNIX. Windows has more restrictions. */
        if (comp.contains('/'))
            throw BadURL("URL path component '%s' contains '/', which is not allowed in file names", comp);
-        if (comp.contains(char(0)))
-            throw BadURL("URL path component '%s' contains NUL byte which is not allowed", comp);
+        if (comp.contains(char(0))) {
+            using namespace std::string_view_literals;
+            auto str = replaceStrings(comp, "\0"sv, "␀"sv);
+            throw BadURL("URL path component '%s' contains NUL byte which is not allowed", str);
+        }
    }

    return concatStringsSep("/", urlPath);
--- a/src/nix/nix-build/nix-build.cc
+++ b/src/nix/nix-build/nix-build.cc
@@ -554,9 +554,9 @@ static void main_nix_build(int argc, char ** argv)
        env["NIX_STORE"] = store->storeDir;
        env["NIX_BUILD_CORES"] = fmt("%d", settings.buildCores ? settings.buildCores : settings.getDefaultCores());

-        DerivationOptions drvOptions;
+        DerivationOptions<StorePath> drvOptions;
        try {
-            drvOptions = DerivationOptions::fromStructuredAttrs(drv.env, drv.structuredAttrs);
+            drvOptions = derivationOptionsFromStructuredAttrs(*store, drv.env, get(drv.structuredAttrs));
        } catch (Error & e) {
            e.addTrace({}, "while parsing derivation '%s'", store->printStorePath(packageInfo.requireDrvPath()));
            throw;
--- a/src/nix/profile-diff-closures.md
+++ b/src/nix/profile-diff-closures.md
@@ -23,6 +23,6 @@ R""(

 This command shows the difference between the closures of subsequent
 versions of a profile. See [`nix store
-diff-closures`](nix3-store-diff-closures.md) for details.
+diff-closures`](./nix3-store-diff-closures.md) for details.

 )""
--- a/src/nix/registry-resolve.md
+++ b/src/nix/registry-resolve.md
@@ -0,0 +1,28 @@
+R""(
+
+# Examples
+
+* Resolve the `nixpkgs` and `blender-bin` flakerefs:
+
+  ```console
+  # nix registry resolve nixpkgs blender-bin
+  github:NixOS/nixpkgs/nixpkgs-unstable
+  github:edolstra/nix-warez?dir=blender
+  ```
+
+* Resolve an indirect flakeref with a branch override:
+
+  ```console
+  # nix registry resolve nixpkgs/25.05
+  github:NixOS/nixpkgs/25.05
+  ```
+
+# Description
+
+This command resolves indirect flakerefs (e.g. `nixpkgs`) to direct flakerefs (e.g. `github:NixOS/nixpkgs`) using the flake registries. It looks up each provided flakeref in all available registries (flag, user, system, and global) and returns the resolved direct flakeref on a separate line on standard output. It does not fetch any flakes.
+
+The resolution process may apply multiple redirections if necessary until a direct flakeref is found. If an indirect flakeref cannot be found in any registry, an error will be thrown.
+
+See the [`nix registry` manual page](./nix3-registry.md) for more details on the registry.
+
+)""
--- a/src/nix/registry.cc
+++ b/src/nix/registry.cc
@@ -202,6 +202,40 @@ struct CmdRegistryPin : RegistryCommand, EvalCommand
    }
 };

+struct CmdRegistryResolve : StoreCommand
+{
+    std::vector<std::string> urls;
+
+    std::string description() override
+    {
+        return "resolve flake references using the registry";
+    }
+
+    std::string doc() override
+    {
+        return
+#include "registry-resolve.md"
+            ;
+    }
+
+    CmdRegistryResolve()
+    {
+        expectArgs({
+            .label = "flake-refs",
+            .handler = {&urls},
+        });
+    }
+
+    void run(nix::ref<nix::Store> store) override
+    {
+        for (auto & url : urls) {
+            auto ref = parseFlakeRef(fetchSettings, url);
+            auto resolved = ref.resolve(fetchSettings, *store);
+            logger->cout("%s", resolved.to_string());
+        }
+    }
+};
+
 struct CmdRegistry : NixMultiCommand
 {
    CmdRegistry()
@@ -212,6 +246,7 @@ struct CmdRegistry : NixMultiCommand
                  {"add", []() { return make_ref<CmdRegistryAdd>(); }},
                  {"remove", []() { return make_ref<CmdRegistryRemove>(); }},
                  {"pin", []() { return make_ref<CmdRegistryPin>(); }},
+                  {"resolve", []() { return make_ref<CmdRegistryResolve>(); }},
              })
    {
    }
--- a/src/perl/package.nix
+++ b/src/perl/package.nix
@@ -74,5 +74,9 @@ perl.pkgs.toPerlModule (
    ];

    strictDeps = false;
+
+    meta = {
+      platforms = lib.platforms.unix;
+    };
  })
 )
--- a/tests/functional/check-refs.sh
+++ b/tests/functional/check-refs.sh
@@ -64,5 +64,13 @@ fi
 if isDaemonNewer "2.28pre20241225"; then
    # test12 should fail (syntactically invalid).
    expectStderr 1 nix-build -vvv -o "$RESULT" check-refs.nix -A test12 >"$TEST_ROOT/test12.stderr"
-    grepQuiet -F "output check for 'lib' contains an illegal reference specifier 'dev', expected store path or output name (one of [lib, out])" < "$TEST_ROOT/test12.stderr"
+    if isDaemonNewer "2.33pre20251110"; then
+        grepQuiet -F \
+            "output check for 'lib' contains output name 'dev', but this is not a valid output of this derivation. (Valid outputs are [lib, out].)" \
+            < "$TEST_ROOT/test12.stderr"
+    else
+        grepQuiet -F \
+            "output check for 'lib' contains an illegal reference specifier 'dev', expected store path or output name (one of [lib, out])" \
+            < "$TEST_ROOT/test12.stderr"
+    fi
 fi
--- a/tests/functional/flakes/flakes.sh
+++ b/tests/functional/flakes/flakes.sh
@@ -252,15 +252,17 @@ nix flake lock "$flake3Dir"
 nix flake update --flake "$flake3Dir" --override-flake flake2 nixpkgs
 [[ -n $(git -C "$flake3Dir" diff master || echo failed) ]]

-# Testing the nix CLI
+# Test `nix registry` commands.
 nix registry add flake1 flake3
 [[ $(nix registry list | wc -l) == 5 ]]
+[[ $(nix registry resolve flake1) = "git+file://$percentEncodedFlake3Dir" ]]
 nix registry pin flake1
 [[ $(nix registry list | wc -l) == 5 ]]
 nix registry pin flake1 flake3
 [[ $(nix registry list | wc -l) == 5 ]]
 nix registry remove flake1
 [[ $(nix registry list | wc -l) == 4 ]]
+[[ $(nix registry resolve flake1) = "git+file://$flake1Dir" ]]

 # Test 'nix registry list' with a disabled global registry.
 nix registry add user-flake1 git+file://"$flake1Dir"
--- a/tests/functional/nars.sh
+++ b/tests/functional/nars.sh
@@ -114,7 +114,7 @@ if (( unicodeTestCode == 1 )); then
    # If the command failed (MacOS or ZFS + normalization), checks that it failed
    # with the expected "already exists" error, and that this is the same
    # behavior as `touch`
-    echo "$unicodeTestOut" | grepQuiet "path '.*/out/â' already exists"
+    echo "$unicodeTestOut" | grepQuiet "creating directory '.*/out/â': File exists"

    (( touchFilesCount == 1 ))
 elif (( unicodeTestCode == 0 )); then
Author	SHA1	Message	Date
Sergei Zimmerman	2e8ce8e21f	libutil: Remove really dead code for git hashing It's not being excersised by anything and already contains bugs (like the fact that copyRecursive only handles the first entry in a directory). Evidently, it can just be removed and was never used by anything.	2025-11-20 22:13:58 +03:00
John Ericson	5caebab63a	Merge pull request #14600 from edef1c/push-tvmtozyqsmno Simplify `Derivation::type()`	2025-11-20 07:36:10 +00:00
edef	19d83d2605	Simplify Derivation::type() We don't use the various set<string_view>s that we construct, and all we really care about is ensuring that all outputs are of a single, consistent type.	2025-11-20 03:50:26 +00:00
Sergei Zimmerman	70b9fbd76c	Merge pull request #14597 from NixOS/restore-sink-openat libutil: Make RestoreSink use *at system calls on UNIX	2025-11-20 01:50:10 +00:00
Sergei Zimmerman	40b25153b8	libutil: Implement second overload of createDirectory for RestoreSink Now the intermediate symlink following issue should be completely plugged.	2025-11-20 04:01:38 +03:00
Sergei Zimmerman	09755e696a	libutil: Add callback-based FileSystemObjectSink::createDirectory	2025-11-20 04:01:37 +03:00
Sergei Zimmerman	fa380e0991	libutil: Make RestoreSink use *at system calls on UNIX This is necessary to ban symlink following. It can be considered a defense in depth against issues similar to CVE-2024-45593. By slightly changing the API in a follow-up commit we will be able to mitigate the symlink following issue for good.	2025-11-20 04:01:36 +03:00
John Ericson	f7de5b326a	Merge pull request #14506 from obsidiansystems/derivation-options-parse-paths Parse deriving paths in `DerivationOptions`	2025-11-19 21:41:15 +00:00
Sergei Zimmerman	533cced249	libutil: Add requireCString, make renderUrlPathEnsureLegal error on NUL bytes better Same utility as in lix's change I3caf476e59dcb7899ac5a3d83dfa3fb7ceaaabf0. Co-authored-by: eldritch horrors <pennae@lix.systems>	2025-11-20 00:31:10 +03:00
Eelco Dolstra	8b167ea89b	Merge pull request #14567 from pkpbynum/pb/fix-c-api-ctx-err-leak C Util API: Fix leak of demangled error name	2025-11-19 20:49:54 +00:00
John Ericson	76bd600302	Parse deriving paths in `DerivationOptions` This is an example of "Parse, don't validate" principle [1]. Before, we had a number of `StringSet`s in `DerivationOptions` that were not actually allowed to be arbitrary sets of strings. Instead, each set member had to be one of: - a store path - a CA "downstream placeholder" - an output name Only later, in the code that checks outputs, would these strings be further parsed to match these cases. (Actually, only 2 by that point, because the placeholders must be rewritten away by then.) Now, we fully parse everything up front, and have an "honest" data type that reflects these invariants: - store paths are parsed, stored as (opaque) deriving paths - CA "downstream placeholders" are rewritten to the output deriving paths they denote - output names are the only arbitrary strings left Since the first two cases both become deriving paths, that leaves us with a `std::variant<SingleDerivedPath, String>` data type, which we use in our sets instead. Getting rid of placeholders is especially nice because we are replacing them with something much more internally-structured / transparent. [1]: https://lexi-lambda.github.io/blog/2019/11/05/parse-don-t-validate/ Co-authored-by: Sergei Zimmerman <sergei@zimmerman.foo> Co-authored-by: Eelco Dolstra <edolstra@gmail.com>	2025-11-19 15:48:10 -05:00
Eelco Dolstra	b975f719b1	Merge pull request #14595 from NixOS/registry-resolve Add `nix registry resolve` command	2025-11-19 20:37:21 +00:00
Eelco Dolstra	063cdb5508	Add `nix registry resolve` command	2025-11-19 20:55:42 +01:00
Eelco Dolstra	72dbd43882	Merge pull request #14594 from NixOS/registry-drop-settings Registry: Drop settings field	2025-11-19 16:05:33 +00:00
Eelco Dolstra	fb989bd93f	Merge pull request #14585 from NixOS/dependabot/github_actions/cachix/install-nix-action-31.8.4 build(deps): bump cachix/install-nix-action from 31.8.3 to 31.8.4	2025-11-19 12:20:50 +00:00
Eelco Dolstra	b309826a48	Merge pull request #14593 from juhp/patch-3 docs: fixup a few relative links to use ./ prefix for consistency	2025-11-19 12:20:22 +00:00
Eelco Dolstra	bed0570629	Registry: Drop settings field It's not used anywhere.	2025-11-19 11:52:15 +01:00
Jens Petersen	ef6dbe76dc	docs: fixup some rellinks to use ./ prefix for consistency "./" prefix is already used almost everywhere	2025-11-19 15:50:43 +08:00
John Ericson	dfac44cdfb	Merge pull request #14591 from NixOS/filetransfer-error-handling libstore/filetransfer: Improve error handling	2025-11-19 01:38:17 +00:00
Sergei Zimmerman	36f4e290d0	libstore/filetransfer: Add more context to error message Now the error message looks something like: error: … during upload of 'file:///tmp/storeabc/4yxrw9flcvca7f3fs7c5igl2ica39zaw.narinfo' error: blah blah Also makes fail and failEx themselves noexcept, since all the operations they do are noexcept and we don't want exceptions escaping from them.	2025-11-19 02:30:33 +03:00
Sergei Zimmerman	bd0b338e15	libstore/filetransfer: Swallow exceptions in debugCallback	2025-11-19 02:24:38 +03:00
Sergei Zimmerman	b3dfe37aea	libstore/filetransfer: Handle exceptions in progressCallback	2025-11-19 02:24:37 +03:00
Sergei Zimmerman	87d3c3ba1a	libstore/filetransfer: Handle exceptions in headerCallback Callbacks must never throw exceptions on the curl thread!	2025-11-19 02:24:35 +03:00
Sergei Zimmerman	1e42e55fb4	libstore/filetransfer: Set callbackException on exceptions in read/seek callbacks This would provide better error messages if seeking/reading ever fails.	2025-11-19 02:24:34 +03:00
Sergei Zimmerman	e704b8eeed	libstore/filetransfer: Rename writeException -> callbackException	2025-11-19 02:24:33 +03:00
Sergei Zimmerman	6d65f8eea2	libstore: Slightly deindent writeCallback by wrapping it in try/catch The indentation level of the code is already high enough. We can just wrap the whole function in a try/catch and mark it noexcept. Partially cherry-picked from https://gerrit.lix.systems/c/lix/+/2133 Co-authored-by: eldritch horrors <pennae@lix.systems>	2025-11-19 02:23:12 +03:00
John Ericson	f4989b118b	Merge pull request #14590 from NixOS/fix-win-shell packaging: Unbork win shells with unavailable dependencies	2025-11-18 22:19:16 +00:00
Sergei Zimmerman	2de742155a	packaging: Unbork win shells with unavailable dependencies Makes the cross-x86_64-w64-mingw32 devshell slightly less broken. It still needs a bit of massaging to function, but that's much less cumbersome now that the generic machinery with genericClosure that evaluates drvPath doesn't barf on unavailable packages.	2025-11-19 00:43:28 +03:00
dependabot[bot]	ae4ed24257	build(deps): bump cachix/install-nix-action from 31.8.3 to 31.8.4 Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 31.8.3 to 31.8.4. - [Release notes](https://github.com/cachix/install-nix-action/releases) - [Changelog](https://github.com/cachix/install-nix-action/blob/master/RELEASE.md) - [Commits](`7ec16f2c06...0b0e072294`) --- updated-dependencies: - dependency-name: cachix/install-nix-action dependency-version: 31.8.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2025-11-17 22:01:06 +00:00
Peter Bynum	70e56a41ce	fmt	2025-11-15 08:34:16 -08:00
Peter Bynum	a235b454cc	Free alloc of demangled error name	2025-11-14 07:51:11 -08:00