libutil-tests: Add tests for makeFSSourceAccessor

Should be pretty self-explanatory. We didn't really have unit tests
for the filesystem source accessor. Now we do and this will be immensely
useful for implementing a unix-only smarter accessor that doesn't suffer
from TOCTOU on symlinks.

.version

@@ -1 +1 @@
-2.33.0
+2.34.0

doc/manual/rl-next/channels-subdomain.md

@@ -1,9 +0,0 @@
----
-synopsis: Channel URLs migrated to channels.nixos.org subdomain
-prs: [14518]
-issues: [14517]
----
-
-Channel URLs have been updated from `https://nixos.org/channels/` to `https://channels.nixos.org/` throughout Nix.
-
-The subdomain provides better reliability with IPv6 support and improved CDN distribution. The old domain apex (`nixos.org/channels/`) currently redirects to the new location but may be deprecated in the future.

doc/manual/rl-next/json-format-changes.md

@@ -1,88 +0,0 @@
----
-synopsis: "JSON format changes for store path info and derivations"
-prs: []
-issues: []
----
-
-JSON formats for store path info and derivations have been updated with new versions and structured fields.
-
-## Store Path Info JSON
-
-`nix path-info --json` now requires a `--json-format` flag to specify the output format version.
-Using `--json` without `--json-format` is deprecated and will become an error in a future release.
-For now, it defaults to version 1 with a warning, for a smoother migration.
-
-### Version 1 (`--json-format 1`)
-
-This is the legacy format, preserved for backwards compatibility:
-
-- String-based hash values (e.g., `"narHash": "sha256:FePFYIlM..."`)
-- String-based content addresses (e.g., `"ca": "fixed:r:sha256:1abc..."`)
-- Full store paths for map keys and references (e.g., `"/nix/store/abc...-foo"`)
-- Now includes `"storeDir"` field at the top level
-
-### Version 2 (`--json-format 2`)
-
-The new structured format follows the [JSON guidelines](@docroot@/development/json-guideline.md) with the following changes:
-
-- **Nested structure with top-level metadata**:
-
-  The output is now wrapped in an object with `version`, `storeDir`, and `info` fields:
-
-  ```json
-  {
-    "version": 2,
-    "storeDir": "/nix/store",
-    "info": { ... }
-  }
-  ```
-
-  The map from store bath base names to store object info is nested under the `info` field.
-
-- **Store path base names instead of full paths**:
-
-  Map keys and references use store path base names (e.g., `"abc...-foo"`) instead of full absolute store paths.
-  Combined with `storeDir`, the full path can be reconstructed.
-
-- **Structured `ca` field**:
-
-  Content address is now a structured JSON object instead of a string:
-
-  - Old: `"ca": "fixed:r:sha256:1abc..."`
-  - New: `"ca": {"method": "nar", "hash": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}`
-  - Still `null` values for input-addressed store objects
-
-  The `hash` field uses the [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) format like other hashes.
-
-Nix currently only produces, and doesn't consume this format.
-
-Additionally the following field is added to both formats.
-(The `version` tracks breaking changes, and adding fields to outputted JSON is not a breaking change.)
-
-- **`version` field**:
-
-  All store path info JSON now includes `"version": <1|2>`.
-
-- **`storeDir` field**:
-
-  Top-level `"storeDir"` field contains the store directory path (e.g., `"/nix/store"`).
-
-## Derivation JSON (Version 4)
-
-The derivation JSON format has been updated from version 3 to version 4:
-
-- **Restructured inputs**:
-
-  Inputs are now nested under an `inputs` object:
-
-  - Old: `"inputSrcs": [...], "inputDrvs": {...}`
-  - New: `"inputs": {"srcs": [...], "drvs": {...}}`
-
-- **Consistent content addresses**:
-
-  Fixed content-addressed outputs now use structured JSON format.
-  This is the same format as `ca` in store path info (after the new version).
-
-Version 3 and earlier formats are *not* accepted when reading.
-
-**Affected command**: `nix derivation`, namely its `show` and `add` sub-commands.

doc/manual/rl-next/libcurl-pausing.md

@@ -1,12 +0,0 @@
----
-synopsis: Fix "download buffer is full; consider increasing the 'download-buffer-size' setting" warning
-prs: [14614]
-issues: [11728]
----
-
-The underlying issue that led to [#11728](https://github.com/NixOS/nix/issues/11728) has been resolved by utilizing
-[libcurl write pausing functionality](https://curl.se/libcurl/c/curl_easy_pause.html) to control backpressure when unpacking to slow destinations like the git-backed tarball cache. The default value of `download-buffer-size` is now 1 MiB and it's no longer recommended to increase it, since the root cause has been fixed.
-
-This is expected to improve download performance on fast connections, since previously a single slow download consumer would stall the thread and prevent any other transfers from progressing.
-
-Many thanks go out to the [Lix project](https://lix.systems/) for the [implementation](https://git.lix.systems/lix-project/lix/commit/4ae6fb5a8f0d456b8d2ba2aaca3712b4e49057fc) that served as inspiration for this change and for triaging libcurl [issues with pausing](https://github.com/curl/curl/issues/19334).

doc/manual/rl-next/repl-interrupt.md

@@ -1,8 +0,0 @@
----
-synopsis: Interrupting REPL commands works more than once
-issues: [13481]
----
-
-Previously, this only worked once per REPL session; further attempts would be ignored.
-This issue is now fixed, so REPL commands such as `:b` or `:p` can be canceled consistently.
-This is a cherry-pick of the change from the [Lix project](https://gerrit.lix.systems/c/lix/+/1097).

doc/manual/rl-next/s3-curl-implementation.md

@@ -1,40 +0,0 @@
----
-synopsis: "Improved S3 binary cache support via HTTP"
-prs: [13752, 13823, 14026, 14120, 14131, 14135, 14144, 14170, 14190, 14198, 14206, 14209, 14222, 14223, 14330, 14333, 14335, 14336, 14337, 14350, 14356, 14357, 14374, 14375, 14376, 14377, 14391, 14393, 14420, 14421]
-issues: [13084, 12671, 11748, 12403]
----
-
-S3 binary cache operations now happen via HTTP, leveraging `libcurl`'s native
-AWS SigV4 authentication instead of the AWS C++ SDK, providing significant
-improvements:
-
-- **Reduced memory usage**: Eliminates memory buffering issues that caused
-  segfaults with large files
-- **Fixed upload reliability**: Resolves AWS SDK chunking errors
-  (`InvalidChunkSizeError`)
-- **Lighter dependencies**: Uses lightweight `aws-crt-cpp` instead of full
-  `aws-cpp-sdk`, reducing build complexity
-
-The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential
-management.
-
-All existing S3 URL formats and parameters remain supported, however the store
-settings for configuring multipart uploads have changed:
-
-- **`multipart-upload`** (default: `false`): Enable multipart uploads for large
-  files. When enabled, files exceeding the multipart threshold will be uploaded
-  in multiple parts.
-
-- **`multipart-threshold`** (default: `100 MiB`): Minimum file size for using
-  multipart uploads. Files smaller than this will use regular PUT requests.
-  Only takes effect when `multipart-upload` is enabled.
-
-- **`multipart-chunk-size`** (default: `5 MiB`): Size of each part in multipart
-  uploads. Must be at least 5 MiB (AWS S3 requirement). Larger chunk sizes
-  reduce the number of requests but use more memory.
-
-- **`buffer-size`**: Has been replaced by `multipart-chunk-size` and is now an alias to it.
-
-Note that this change also means Nix now supports S3 binary cache stores even
-if built without `aws-crt-cpp`, but only for public buckets which do not
-require authentication.

doc/manual/rl-next/s3-object-versioning.md

@@ -1,14 +0,0 @@
----
-synopsis: "S3 URLs now support object versioning via versionId parameter"
-prs: [14274]
-issues: [13955]
----
-
-S3 URLs now support a `versionId` query parameter to fetch specific versions
-of objects from S3 buckets with versioning enabled. This allows pinning to
-exact object versions for reproducibility and protection against unexpected
-changes:
-
-```
-s3://bucket/key?region=us-east-1&versionId=abc123def456
-```

doc/manual/rl-next/s3-storage-class.md

@@ -1,21 +0,0 @@
----
-synopsis: "S3 binary cache stores now support storage class configuration"
-prs: [14464]
-issues: [7015]
----
-
-S3 binary cache stores now support configuring the storage class for uploaded objects via the `storage-class` parameter. This allows users to optimize costs by selecting appropriate storage tiers based on access patterns.
-
-Example usage:
-
-```bash
-# Use Glacier storage for long-term archival
-nix copy --to 's3://my-bucket?storage-class=GLACIER' /nix/store/...
-
-# Use Intelligent Tiering for automatic cost optimization
-nix copy --to 's3://my-bucket?storage-class=INTELLIGENT_TIERING' /nix/store/...
-```
-
-The storage class applies to both regular uploads and multipart uploads. When not specified, objects use the bucket's default storage class.
-
-See the [S3 storage classes documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html) for available storage classes and their characteristics.

doc/manual/source/SUMMARY.md.in

@@ -151,6 +151,7 @@
   - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
+  - [Release 2.33 (2025-12-09)](release-notes/rl-2.33.md)
   - [Release 2.32 (2025-10-06)](release-notes/rl-2.32.md)
   - [Release 2.31 (2025-08-21)](release-notes/rl-2.31.md)
   - [Release 2.30 (2025-07-07)](release-notes/rl-2.30.md)

doc/manual/source/development/debugging.md

@@ -6,14 +6,7 @@ Additionally, see [Testing Nix](./testing.md) for further instructions on how to
 
 ## Building Nix with Debug Symbols
 
-In the development shell, set the `mesonBuildType` environment variable to `debug` before configuring the build:
-
-```console
-[nix-shell]$ export mesonBuildType=debugoptimized
-```
-
-Then, proceed to build Nix as described in [Building Nix](./building.md).
-This will build Nix with debug symbols, which are essential for effective debugging.
+In the development shell, `mesonBuildType` is set automatically to `debugoptimized`. This builds Nix with debug symbols, which are essential for effective debugging.
 
 It is also possible to build without optimization for faster build:
 

doc/manual/source/release-notes/rl-2.33.md

@@ -0,0 +1,281 @@
+# Release 2.33.0 (2025-12-09)
+
+## New features
+
+- New command `nix registry resolve` [#14595](https://github.com/NixOS/nix/pull/14595)
+
+  This command looks up a flake registry input name and returns the flakeref it resolves to.
+
+  For example, looking up Nixpkgs:
+
+  ```
+  $ nix registry resolve nixpkgs
+  github:NixOS/nixpkgs/nixpkgs-unstable
+  ```
+
+  Upstreamed from [Determinate Nix 3.14.0](https://github.com/DeterminateSystems/nix-src/pull/273).
+
+- `nix flake clone` supports all input types [#14581](https://github.com/NixOS/nix/pull/14581)
+
+  `nix flake clone` now supports arbitrary input types. In particular, this allows you to clone tarball flakes, such as flakes on FlakeHub.
+
+  Upstreamed from [Determinate Nix 3.12.0](https://github.com/DeterminateSystems/nix-src/pull/229).
+
+## Performance improvements
+
+- Git fetcher computes `revCount`s using multiple threads [#14462](https://github.com/NixOS/nix/pull/14462)
+
+  When using Git repositories with a long history, calculating the `revCount` attribute can take a long time. Nix now computes `revCount` using multiple threads, making it much faster (e.g. 9.1s to 3.7s for Nixpkgs).
+
+  Note that if you don't need `revCount`, you can disable it altogether by setting the flake input attribute `shallow = true`.
+
+  Upstreamed from [Determinate Nix 3.12.2](https://github.com/DeterminateSystems/nix-src/pull/245).
+
+- `builtins.stringLength` now runs in constant time [#14442](https://github.com/NixOS/nix/pull/14442)
+
+  The internal representation of strings has been replaced with a size-prefixed Pascal style string. Previously Nix stored strings as a NUL-terminated array of bytes, necessitating a linear scan to calculate the length.
+
+- Uploads to `http://` and `https://` binary cache stores now run in constant memory [#14390](https://github.com/NixOS/nix/pull/14390)
+
+  Nix used to buffer the whole compressed NAR contents in memory. It now reads it in a streaming fashion.
+
+- Channel URLs migrated to channels.nixos.org subdomain [#14517](https://github.com/NixOS/nix/issues/14517) [#14518](https://github.com/NixOS/nix/pull/14518)
+
+  Channel URLs have been updated from `https://nixos.org/channels/` to `https://channels.nixos.org/` throughout Nix. This subdomain provides better reliability with IPv6 support and improved CDN distribution. The old domain apex (`nixos.org/channels/`) currently redirects to the new location but may be deprecated in the future.
+
+- Fix `download buffer is full; consider increasing the 'download-buffer-size' setting` warning [#11728](https://github.com/NixOS/nix/issues/11728) [#14614](https://github.com/NixOS/nix/pull/14614)
+
+  The underlying issue that led to [#11728](https://github.com/NixOS/nix/issues/11728) has been resolved by utilizing
+  [libcurl write pausing functionality](https://curl.se/libcurl/c/curl_easy_pause.html) to control backpressure when unpacking to slow destinations like the git-backed tarball cache. The default value of `download-buffer-size` is now 1 MiB and it's no longer recommended to increase it, since the root cause has been fixed.
+
+  This is expected to improve download performance on fast connections, since previously a single slow download consumer would stall the thread and prevent any other transfers from progressing.
+
+  Many thanks go out to the [Lix project](https://lix.systems/) for the [implementation](https://git.lix.systems/lix-project/lix/commit/4ae6fb5a8f0d456b8d2ba2aaca3712b4e49057fc) that served as inspiration for this change and for triaging libcurl [issues with pausing](https://github.com/curl/curl/issues/19334).
+
+- Significantly improve tarball unpacking performance [#14689](https://github.com/NixOS/nix/pull/14689) [#14696](https://github.com/NixOS/nix/pull/14696) [#10683](https://github.com/NixOS/nix/issues/10683) [#11098](https://github.com/NixOS/nix/issues/11098)
+
+  Nix uses a content-addressed cache backed by libgit2 for deduplicating files fetched via `fetchTarball` and `github`, `tarball` flake inputs. Its usage has been significantly optimised to reduce the amount of I/O operations that are performed. For a typical nixpkgs source tarball this results in 200 times fewer system calls on Linux. In combination with libcurl pausing this alleviates performance regressions stemming from the tarball cache.
+
+- Already valid derivations are no longer copied to the store [#14219](https://github.com/NixOS/nix/pull/14219)
+
+  This results in a modest speedup when using the Nix daemon.
+
+- `nix nar ls` and `nix nar cat` are significantly faster and no longer buffer the whole NAR in memory [#14273](https://github.com/NixOS/nix/pull/14273) [#14732](https://github.com/NixOS/nix/pull/14732)
+
+## S3 improvements
+
+- Improved S3 binary cache support via HTTP [#11748](https://github.com/NixOS/nix/issues/11748) [#12403](https://github.com/NixOS/nix/issues/12403) [#12671](https://github.com/NixOS/nix/issues/12671) [#13084](https://github.com/NixOS/nix/issues/13084) [#13752](https://github.com/NixOS/nix/pull/13752) [#13823](https://github.com/NixOS/nix/pull/13823) [#14026](https://github.com/NixOS/nix/pull/14026) [#14120](https://github.com/NixOS/nix/pull/14120) [#14131](https://github.com/NixOS/nix/pull/14131) [#14135](https://github.com/NixOS/nix/pull/14135) [#14144](https://github.com/NixOS/nix/pull/14144) [#14170](https://github.com/NixOS/nix/pull/14170) [#14190](https://github.com/NixOS/nix/pull/14190) [#14198](https://github.com/NixOS/nix/pull/14198) [#14206](https://github.com/NixOS/nix/pull/14206) [#14209](https://github.com/NixOS/nix/pull/14209) [#14222](https://github.com/NixOS/nix/pull/14222) [#14223](https://github.com/NixOS/nix/pull/14223) [#14330](https://github.com/NixOS/nix/pull/14330) [#14333](https://github.com/NixOS/nix/pull/14333) [#14335](https://github.com/NixOS/nix/pull/14335) [#14336](https://github.com/NixOS/nix/pull/14336) [#14337](https://github.com/NixOS/nix/pull/14337) [#14350](https://github.com/NixOS/nix/pull/14350) [#14356](https://github.com/NixOS/nix/pull/14356) [#14357](https://github.com/NixOS/nix/pull/14357) [#14374](https://github.com/NixOS/nix/pull/14374) [#14375](https://github.com/NixOS/nix/pull/14375) [#14376](https://github.com/NixOS/nix/pull/14376) [#14377](https://github.com/NixOS/nix/pull/14377) [#14391](https://github.com/NixOS/nix/pull/14391) [#14393](https://github.com/NixOS/nix/pull/14393) [#14420](https://github.com/NixOS/nix/pull/14420) [#14421](https://github.com/NixOS/nix/pull/14421)
+
+  S3 binary cache operations now happen via HTTP, leveraging `libcurl`'s native AWS SigV4 authentication instead of the AWS C++ SDK, providing significant improvements:
+
+  - **Reduced memory usage**: Eliminates memory buffering issues that caused segfaults with large files
+  - **Fixed upload reliability**: Resolves AWS SDK chunking errors (`InvalidChunkSizeError`)
+  - **Lighter dependencies**: Uses lightweight `aws-crt-cpp` instead of full `aws-cpp-sdk`, reducing build complexity
+
+  The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential management.
+
+  All existing S3 URL formats and parameters remain supported, however the store settings for configuring multipart uploads have changed:
+
+  - **`multipart-upload`** (default: `false`): Enable multipart uploads for large files. When enabled, files exceeding the multipart threshold will be uploaded in multiple parts.
+
+  - **`multipart-threshold`** (default: `100 MiB`): Minimum file size for using multipart uploads. Files smaller than this will use regular PUT requests. Only takes effect when `multipart-upload` is enabled.
+
+  - **`multipart-chunk-size`** (default: `5 MiB`): Size of each part in multipart uploads. Must be at least 5 MiB (AWS S3 requirement). Larger chunk sizes reduce the number of requests but use more memory.
+
+  - **`buffer-size`**: Has been replaced by `multipart-chunk-size` and is now an alias to it.
+
+  Note that this change also means Nix now supports S3 binary cache stores even if built without `aws-crt-cpp`, but only for public buckets which do not require authentication.
+
+- S3 URLs now support object versioning via `versionId` parameter [#13955](https://github.com/NixOS/nix/issues/13955) [#14274](https://github.com/NixOS/nix/pull/14274)
+
+  S3 URLs now support a `versionId` query parameter to fetch specific versions
+  of objects from S3 buckets with versioning enabled. This allows pinning to
+  exact object versions for reproducibility and protection against unexpected
+  changes:
+
+  ```
+  s3://bucket/key?region=us-east-1&versionId=abc123def456
+  ```
+
+- S3 binary cache stores now support storage class configuration [#7015](https://github.com/NixOS/nix/issues/7015) [#14464](https://github.com/NixOS/nix/pull/14464)
+
+  S3 binary cache stores now support configuring the storage class for uploaded objects via the `storage-class` parameter. This allows users to optimize costs by selecting appropriate storage tiers based on access patterns.
+
+  Example usage:
+
+  ```bash
+  # Use Glacier storage for long-term archival
+  nix copy --to 's3://my-bucket?storage-class=GLACIER' /nix/store/...
+
+  # Use Intelligent Tiering for automatic cost optimization
+  nix copy --to 's3://my-bucket?storage-class=INTELLIGENT_TIERING' /nix/store/...
+  ```
+
+  The storage class applies to both regular uploads and multipart uploads. When not specified, objects use the bucket's default storage class.
+
+  See the [S3 storage classes documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html) for available storage classes and their characteristics.
+
+
+## Store path info JSON format changes
+
+The JSON format emitted by `nix path-info --json` has been updated to a new version with improved structure.
+
+To maintain compatibility, `nix path-info --json` now requires a `--json-format` flag to specify the output format version.
+Using `--json` without `--json-format` is deprecated and will become an error in a future release.
+For now, it defaults to version 1 with a warning, for a smoother migration.
+
+### Version 1 (`--json-format 1`)
+
+This is the legacy format, preserved for backwards compatibility:
+
+- String-based hash values (e.g., `"narHash": "sha256:FePFYIlM..."`)
+- String-based content addresses (e.g., `"ca": "fixed:r:sha256:1abc..."`)
+- Full store paths for map keys and references (e.g., `"/nix/store/abc...-foo"`)
+- Now includes `"storeDir"` field at the top level
+
+### Version 2 (`--json-format 2`)
+
+The new structured format follows the [JSON guidelines](@docroot@/development/json-guideline.md) with the following changes:
+
+- **Nested structure with top-level metadata**:
+
+  The output is now wrapped in an object with `version`, `storeDir`, and `info` fields:
+
+  ```json
+  {
+    "version": 2,
+    "storeDir": "/nix/store",
+    "info": { ... }
+  }
+  ```
+
+  The map from store path base names to store object info is nested under the `info` field.
+
+- **Store path base names instead of full paths**:
+
+  Map keys and references use store path base names (e.g., `"abc...-foo"`) instead of full absolute store paths.
+  Combined with `storeDir`, the full path can be reconstructed.
+
+- **Structured `ca` field**:
+
+  Content address is now a structured JSON object instead of a string:
+
+  - Old: `"ca": "fixed:r:sha256:1abc..."`
+  - New: `"ca": {"method": "nar", "hash": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}`
+  - Still `null` values for input-addressed store objects
+
+  The `hash` field uses the [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) format like other hashes.
+
+Additionally the following fields are added to both formats:
+
+  - **`version` field**:
+
+    All store path info JSON now includes `"version": <1|2>`. The `version` tracks breaking changes, and adding fields to outputted JSON is not a breaking change.
+
+  - **`storeDir` field**:
+
+    Top-level `"storeDir"` field contains the store directory path (e.g., `"/nix/store"`).
+
+## Derivation JSON format changes
+
+The derivation JSON format has been updated from version 3 to version 4:
+
+- **Nested structure with top-level metadata**:
+
+  The output of `nix derivation show` is now wrapped in an object with `version` and `derivations` fields:
+
+  ```json
+  {
+    "version": 4,
+    "derivations": { ... }
+  }
+  ```
+
+  The map from derivation paths to derivation info is nested under the `derivations` field.
+
+  This matches the structure used for `nix path-info --json --json-format 2`, and likewise brings this command into compliance with the JSON guidelines.
+
+- **Restructured inputs**:
+
+  Inputs are now nested under an `inputs` object:
+
+  - Old: `"inputSrcs": [...], "inputDrvs": {...}`
+  - New: `"inputs": {"srcs": [...], "drvs": {...}}`
+
+- **Consistent content addresses**:
+
+  Fixed content-addressed outputs now use structured JSON format.
+  This is the same format as `ca` in store path info (after the new version).
+
+Version 3 and earlier formats are *not* accepted when reading.
+
+**Affected command**: `nix derivation`, namely its `show` and `add` sub-commands.
+
+## Miscellaneous changes
+
+- Git fetcher: Restore progress indication [#14487](https://github.com/NixOS/nix/pull/14487)
+
+  Nix used to feel "stuck" while it was cloning large repositories. Nix now shows Git's native progress indicator while fetching.
+
+  Upstreamed from [Determinate Nix 3.13.0](https://github.com/DeterminateSystems/nix-src/pull/250).
+
+- Interrupting REPL commands works more than once [#13481](https://github.com/NixOS/nix/issues/13481)
+
+  Previously, this only worked once per REPL session; further attempts would be ignored.
+  This issue is now fixed, so REPL commands such as `:b` or `:p` can be canceled consistently.
+  This is a cherry-pick of the change from the [Lix project](https://gerrit.lix.systems/c/lix/+/1097).
+
+- NAR unpacking code has been rewritten to make use of dirfd-based `openat` and `openat2` system calls when available [#14597](https://github.com/NixOS/nix/pull/14597)
+
+- Dynamic size unit rendering [#14423](https://github.com/NixOS/nix/pull/14423) [#14364](https://github.com/NixOS/nix/pull/14364)
+
+  Various commands and the progress bar now use dynamically determined size units instead
+  of always using `MiB`. For example, the progress bar now reports download status like:
+
+  ```
+  [1/196/197 copied (773.7 MiB/2.1 GiB), 172.4/421.5 MiB DL]
+  ```
+
+  Instead of:
+
+  ```
+  [1/196/197 copied (773.7/2147.3 MiB), 172.4/421.5 MiB DL]
+  ```
+
+## Contributors
+
+This release was made possible by the following 33 contributors:
+
+- Adam Dinwoodie [**(@me-and)**](https://github.com/me-and)
+- jonhermansen [**(@jonhermansen)**](https://github.com/jonhermansen)
+- Arnout Engelen [**(@raboof)**](https://github.com/raboof)
+- Jean-François Roche [**(@jfroche)**](https://github.com/jfroche)
+- tomberek [**(@tomberek)**](https://github.com/tomberek)
+- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
+- Marcel [**(@MarcelCoding)**](https://github.com/MarcelCoding)
+- David McFarland [**(@corngood)**](https://github.com/corngood)
+- Soumyadip Sarkar [**(@neuralsorcerer)**](https://github.com/neuralsorcerer)
+- Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
+- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
+- Tristan Ross [**(@RossComputerGuy)**](https://github.com/RossComputerGuy)
+- Alex Auvolat [**(@Alexis211)**](https://github.com/Alexis211)
+- edef [**(@edef1c)**](https://github.com/edef1c)
+- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
+- Vinayak Goyal [**(@vinayakankugoyal)**](https://github.com/vinayakankugoyal)
+- Graham Dennis [**(@GrahamDennis)**](https://github.com/GrahamDennis)
+- Aspen Smith [**(@glittershark)**](https://github.com/glittershark)
+- Jens Petersen [**(@juhp)**](https://github.com/juhp)
+- Bernardo Meurer [**(@lovesegfault)**](https://github.com/lovesegfault)
+- Peter Bynum [**(@pkpbynum)**](https://github.com/pkpbynum)
+- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
+- Alex Decious [**(@adeci)**](https://github.com/adeci)
+- Matthieu Coudron [**(@teto)**](https://github.com/teto)
+- Domen Kožar [**(@domenkozar)**](https://github.com/domenkozar)
+- Taeer Bar-Yam [**(@Radvendii)**](https://github.com/Radvendii)
+- Seth Flynn [**(@getchoo)**](https://github.com/getchoo)
+- Robert Hensing [**(@roberth)**](https://github.com/roberth)
+- Vladimir Panteleev [**(@CyberShadow)**](https://github.com/CyberShadow)
+- bryango [**(@bryango)**](https://github.com/bryango)
+- Henry [**(@cootshk)**](https://github.com/cootshk)
+- Martin Joerg [**(@mjoerg)**](https://github.com/mjoerg)
+- Farid Zakaria [**(@fzakaria)**](https://github.com/fzakaria)

maintainers/data/release-credits-email-to-handle.json

@@ -224,5 +224,25 @@
     "42688647+netadr@users.noreply.github.com": "netadr",
     "matej.urbas@gmail.com": "urbas",
     "ethanalexevans@gmail.com": "ethanavatar",
-    "greg.marti@gmail.com": "gmarti"
+    "greg.marti@gmail.com": "gmarti",
+    "arnout@bzzt.net": "raboof",
+    "vinayakankugoyal@gmail.com": "vinayakankugoyal",
+    "Radvendii@users.noreply.github.com": "Radvendii",
+    "jon@jh86.org": "jonhermansen",
+    "edef@edef.eu": "edef1c",
+    "pkpbynum@gmail.com": "pkpbynum",
+    "886074+teto@users.noreply.github.com": "teto",
+    "alex@adnab.me": "Alexis211",
+    "root@gws.fyi": "glittershark",
+    "me@m4rc3l.de": "MarcelCoding",
+    "taeer.bar-yam@bevuta.com": "Radvendii",
+    "martin.joerg@gmail.com": "mjoerg",
+    "git@cy.md": "CyberShadow",
+    "cootshk@duck.com": "cootshk",
+    "adam@dinwoodie.org": "me-and",
+    "domen@cachix.org": "domenkozar",
+    "alex.decious@gmail.com": "adeci",
+    "soumya.papanvk18@gmail.com": "neuralsorcerer",
+    "gdennis@anduril.com": null,
+    "graham.dennis@gmail.com": "GrahamDennis"
 }

maintainers/data/release-credits-handle-to-name.json

@@ -196,5 +196,21 @@
     "gmarti": "Gr\u00e9gory Marti",
     "lovesegfault": "Bernardo Meurer",
     "EphraimSiegfried": "Ephraim Siegfried",
-    "hgl": "Glen Huang"
+    "hgl": "Glen Huang",
+    "mjoerg": "Martin Joerg",
+    "Alexis211": "Alex Auvolat",
+    "domenkozar": "Domen Ko\u017ear",
+    "edef1c": "edef",
+    "cootshk": "Henry",
+    "raboof": "Arnout Engelen",
+    "pkpbynum": "Peter Bynum",
+    "glittershark": "Aspen Smith",
+    "MarcelCoding": "Marcel",
+    "teto": "Matthieu Coudron",
+    "jonhermansen": null,
+    "neuralsorcerer": "Soumyadip Sarkar",
+    "adeci": "Alex Decious",
+    "vinayakankugoyal": "Vinayak Goyal",
+    "me-and": "Adam Dinwoodie",
+    "GrahamDennis": "Graham Dennis"
 }

packaging/dev-shell.nix

@@ -258,10 +258,13 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
 
     # We use this shell with the local checkout, not unpackPhase.
     src = null;
+
     # Workaround https://sourceware.org/pipermail/gdb-patches/2025-October/221398.html
     # Remove when gdb fix is rolled out everywhere.
     separateDebugInfo = false;
 
+    mesonBuildType = "debugoptimized";
+
     env = {
       # For `make format`, to work without installing pre-commit
       _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"

src/libfetchers-tests/git-utils.cc

@@ -48,7 +48,7 @@ public:
 
     ref<GitRepo> openRepo()
     {
-        return GitRepo::openRepo(tmpDir, true, false);
+        return GitRepo::openRepo(tmpDir, {.create = true});
     }
 
     std::string getRepoName() const

src/libfetchers/git-utils.cc

@@ -203,16 +203,19 @@ static git_packbuilder_progress PACKBUILDER_PROGRESS_CHECK_INTERRUPT = &packBuil
 
 } // extern "C"
 
-static void initRepoAtomically(std::filesystem::path & path, bool bare)
+static void initRepoAtomically(std::filesystem::path & path, GitRepo::Options options)
 {
     if (pathExists(path.string()))
         return;
 
+    if (!options.create)
+        throw Error("Git repository %s does not exist.", path);
+
     std::filesystem::path tmpDir = createTempDir(path.parent_path());
     AutoDelete delTmpDir(tmpDir, true);
     Repository tmpRepo;
 
-    if (git_repository_init(Setter(tmpRepo), tmpDir.string().c_str(), bare))
+    if (git_repository_init(Setter(tmpRepo), tmpDir.string().c_str(), options.bare))
         throw Error("creating Git repository %s: %s", path, git_error_last()->message);
     try {
         std::filesystem::rename(tmpDir, path);
@@ -234,7 +237,7 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
     /** Location of the repository on disk. */
     std::filesystem::path path;
 
-    bool bare;
+    Options options;
 
     /**
      * libgit2 repository. Note that new objects are not written to disk,
@@ -255,18 +258,18 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
      */
     git_odb_backend * packBackend = nullptr;
 
-    GitRepoImpl(std::filesystem::path _path, bool create, bool bare, bool packfilesOnly = false)
+    GitRepoImpl(std::filesystem::path _path, Options _options)
         : path(std::move(_path))
-        , bare(bare)
+        , options(_options)
     {
         initLibGit2();
 
-        initRepoAtomically(path, bare);
+        initRepoAtomically(path, options);
         if (git_repository_open(Setter(repo), path.string().c_str()))
             throw Error("opening Git repository %s: %s", path, git_error_last()->message);
 
         ObjectDb odb;
-        if (packfilesOnly) {
+        if (options.packfilesOnly) {
             /* Create a fresh object database because by default the repo also
                loose object backends. We are not using any of those for the
                tarball cache, but libgit2 still does a bunch of unnecessary
@@ -295,7 +298,7 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
         if (git_odb_add_backend(odb.get(), mempackBackend, 999))
             throw Error("adding mempack backend to Git object database: %s", git_error_last()->message);
 
-        if (packfilesOnly) {
+        if (options.packfilesOnly) {
             if (git_repository_set_odb(repo.get(), odb.get()))
                 throw Error("setting Git object database: %s", git_error_last()->message);
         }
@@ -366,7 +369,7 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
     {
         // TODO: as an optimization, it would be nice to include `this` in the pool.
         return Pool<GitRepoImpl>(std::numeric_limits<size_t>::max(), [this]() -> ref<GitRepoImpl> {
-            return make_ref<GitRepoImpl>(path, false, bare);
+            return make_ref<GitRepoImpl>(path, options);
         });
     }
 
@@ -712,9 +715,9 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
     }
 };
 
-ref<GitRepo> GitRepo::openRepo(const std::filesystem::path & path, bool create, bool bare, bool packfilesOnly)
+ref<GitRepo> GitRepo::openRepo(const std::filesystem::path & path, GitRepo::Options options)
 {
-    return make_ref<GitRepoImpl>(path, create, bare, packfilesOnly);
+    return make_ref<GitRepoImpl>(path, options);
 }
 
 /**
@@ -1427,8 +1430,12 @@ namespace fetchers {
 
 ref<GitRepo> Settings::getTarballCache() const
 {
-    static auto repoDir = std::filesystem::path(getCacheDir()) / "tarball-cache";
-    return GitRepo::openRepo(repoDir, /*create=*/true, /*bare=*/true, /*packfilesOnly=*/true);
+    /* v1: Had either only loose objects or thin packfiles referring to loose objects
+     * v2: Must have only packfiles with no loose objects. Should get repacked periodically
+     * for optimal packfiles.
+     */
+    static auto repoDir = std::filesystem::path(getCacheDir()) / "tarball-cache-v2";
+    return GitRepo::openRepo(repoDir, {.create = true, .bare = true, .packfilesOnly = true});
 }
 
 } // namespace fetchers
@@ -1442,7 +1449,7 @@ GitRepo::WorkdirInfo GitRepo::getCachedWorkdirInfo(const std::filesystem::path &
         if (i != cache->end())
             return i->second;
     }
-    auto workdirInfo = GitRepo::openRepo(path)->getWorkdirInfo();
+    auto workdirInfo = GitRepo::openRepo(path, {})->getWorkdirInfo();
     _cache.lock()->emplace(path, workdirInfo);
     return workdirInfo;
 }

src/libfetchers/git.cc

@@ -637,11 +637,6 @@ struct GitInputScheme : InputScheme
                     url);
             }
 
-            // If we don't check here for the path existence, then we can give libgit2 any directory
-            // and it will initialize them as git directories.
-            if (!pathExists(path)) {
-                throw Error("The path '%s' does not exist.", path);
-            }
             repoInfo.location = std::filesystem::absolute(path);
         } else {
             if (url.scheme == "file")
@@ -703,7 +698,7 @@ struct GitInputScheme : InputScheme
         if (auto res = cache->lookup(key))
             return getIntAttr(*res, "lastModified");
 
-        auto lastModified = GitRepo::openRepo(repoDir)->getLastModified(rev);
+        auto lastModified = GitRepo::openRepo(repoDir, {})->getLastModified(rev);
 
         cache->upsert(key, {{"lastModified", lastModified}});
 
@@ -726,7 +721,7 @@ struct GitInputScheme : InputScheme
         Activity act(
             *logger, lvlChatty, actUnknown, fmt("getting Git revision count of '%s'", repoInfo.locationToArg()));
 
-        auto revCount = GitRepo::openRepo(repoDir)->getRevCount(rev);
+        auto revCount = GitRepo::openRepo(repoDir, {})->getRevCount(rev);
 
         cache->upsert(key, Attrs{{"revCount", revCount}});
 
@@ -737,7 +732,7 @@ struct GitInputScheme : InputScheme
     {
         auto head = std::visit(
             overloaded{
-                [&](const std::filesystem::path & path) { return GitRepo::openRepo(path)->getWorkdirRef(); },
+                [&](const std::filesystem::path & path) { return GitRepo::openRepo(path, {})->getWorkdirRef(); },
                 [&](const ParsedURL & url) { return readHeadCached(url.to_string(), shallow); }},
             repoInfo.location);
         if (!head) {
@@ -795,7 +790,7 @@ struct GitInputScheme : InputScheme
         if (auto repoPath = repoInfo.getPath()) {
             repoDir = *repoPath;
             if (!input.getRev())
-                input.attrs.insert_or_assign("rev", GitRepo::openRepo(repoDir)->resolveRef(ref).gitRev());
+                input.attrs.insert_or_assign("rev", GitRepo::openRepo(repoDir, {})->resolveRef(ref).gitRev());
         } else {
             auto repoUrl = std::get<ParsedURL>(repoInfo.location);
             std::filesystem::path cacheDir = getCachePath(repoUrl.to_string(), shallow);
@@ -805,7 +800,7 @@ struct GitInputScheme : InputScheme
             std::filesystem::create_directories(cacheDir.parent_path());
             PathLocks cacheDirLock({cacheDir.string()});
 
-            auto repo = GitRepo::openRepo(cacheDir, true, true);
+            auto repo = GitRepo::openRepo(cacheDir, {.create = true, .bare = true});
 
             // We need to set the origin so resolving submodule URLs works
             repo->setRemote("origin", repoUrl.to_string());
@@ -876,7 +871,7 @@ struct GitInputScheme : InputScheme
             // the remainder
         }
 
-        auto repo = GitRepo::openRepo(repoDir);
+        auto repo = GitRepo::openRepo(repoDir, {});
 
         auto isShallow = repo->isShallow();
 
@@ -963,7 +958,7 @@ struct GitInputScheme : InputScheme
             for (auto & submodule : repoInfo.workdirInfo.submodules)
                 repoInfo.workdirInfo.files.insert(submodule.path);
 
-        auto repo = GitRepo::openRepo(repoPath, false, false);
+        auto repo = GitRepo::openRepo(repoPath, {});
 
         auto exportIgnore = getExportIgnoreAttr(input);
 
@@ -1003,7 +998,7 @@ struct GitInputScheme : InputScheme
         }
 
         if (!repoInfo.workdirInfo.isDirty) {
-            auto repo = GitRepo::openRepo(repoPath);
+            auto repo = GitRepo::openRepo(repoPath, {});
 
             if (auto ref = repo->getWorkdirRef())
                 input.attrs.insert_or_assign("ref", *ref);

src/libfetchers/include/nix/fetchers/git-utils.hh

@@ -32,8 +32,14 @@ struct GitRepo
 {
     virtual ~GitRepo() {}
 
-    static ref<GitRepo>
-    openRepo(const std::filesystem::path & path, bool create = false, bool bare = false, bool packfilesOnly = false);
+    struct Options
+    {
+        bool create = false;
+        bool bare = false;
+        bool packfilesOnly = false;
+    };
+
+    static ref<GitRepo> openRepo(const std::filesystem::path & path, Options options);
 
     virtual uint64_t getRevCount(const Hash & rev) = 0;
 

src/libstore-tests/derivation-parser-bench.cc

@@ -2,7 +2,7 @@
 #include "nix/store/derivations.hh"
 #include "nix/store/store-api.hh"
 #include "nix/util/experimental-features.hh"
-#include "nix/util/environment-variables.hh"
+#include "nix/util/tests/test-data.hh"
 #include "nix/store/store-open.hh"
 #include <fstream>
 #include <sstream>
@@ -50,11 +50,7 @@ static void BM_UnparseRealDerivationFile(benchmark::State & state, const std::st
 }
 
 // Register benchmarks for actual test derivation files if they exist
-BENCHMARK_CAPTURE(
-    BM_ParseRealDerivationFile, hello, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/hello.drv");
-BENCHMARK_CAPTURE(
-    BM_ParseRealDerivationFile, firefox, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/firefox.drv");
-BENCHMARK_CAPTURE(
-    BM_UnparseRealDerivationFile, hello, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/hello.drv");
-BENCHMARK_CAPTURE(
-    BM_UnparseRealDerivationFile, firefox, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/firefox.drv");
+BENCHMARK_CAPTURE(BM_ParseRealDerivationFile, hello, (getUnitTestData() / "derivation/hello.drv").string());
+BENCHMARK_CAPTURE(BM_ParseRealDerivationFile, firefox, (getUnitTestData() / "derivation/firefox.drv").string());
+BENCHMARK_CAPTURE(BM_UnparseRealDerivationFile, hello, (getUnitTestData() / "derivation/hello.drv").string());
+BENCHMARK_CAPTURE(BM_UnparseRealDerivationFile, firefox, (getUnitTestData() / "derivation/firefox.drv").string());

src/libstore-tests/nix_api_store.cc

@@ -8,6 +8,7 @@
 #include "nix/store/tests/nix_api_store.hh"
 #include "nix/store/globals.hh"
 #include "nix/util/tests/string_callback.hh"
+#include "nix/util/tests/test-data.hh"
 #include "nix/util/url.hh"
 
 #include "store-tests-config.hh"
@@ -302,7 +303,7 @@ public:
 
         store = open_local_store();
 
-        std::filesystem::path unitTestData{getenv("_NIX_TEST_UNIT_DATA")};
+        std::filesystem::path unitTestData = nix::getUnitTestData();
         std::ifstream t{unitTestData / "derivation/ca/self-contained.json"};
         std::stringstream buffer;
         buffer << t.rdbuf();
@@ -357,7 +358,7 @@ TEST_F(nix_api_store_test_base, build_from_json)
 
     auto * store = open_local_store();
 
-    std::filesystem::path unitTestData{getenv("_NIX_TEST_UNIT_DATA")};
+    std::filesystem::path unitTestData = nix::getUnitTestData();
 
     std::ifstream t{unitTestData / "derivation/ca/self-contained.json"};
     std::stringstream buffer;
@@ -404,7 +405,7 @@ TEST_F(nix_api_store_test_base, nix_store_realise_invalid_system)
 
     auto * store = open_local_store();
 
-    std::filesystem::path unitTestData{getenv("_NIX_TEST_UNIT_DATA")};
+    std::filesystem::path unitTestData = nix::getUnitTestData();
     std::ifstream t{unitTestData / "derivation/ca/self-contained.json"};
     std::stringstream buffer;
     buffer << t.rdbuf();
@@ -449,7 +450,7 @@ TEST_F(nix_api_store_test_base, nix_store_realise_builder_fails)
 
     auto * store = open_local_store();
 
-    std::filesystem::path unitTestData{getenv("_NIX_TEST_UNIT_DATA")};
+    std::filesystem::path unitTestData = nix::getUnitTestData();
     std::ifstream t{unitTestData / "derivation/ca/self-contained.json"};
     std::stringstream buffer;
     buffer << t.rdbuf();
@@ -494,7 +495,7 @@ TEST_F(nix_api_store_test_base, nix_store_realise_builder_no_output)
 
     auto * store = open_local_store();
 
-    std::filesystem::path unitTestData{getenv("_NIX_TEST_UNIT_DATA")};
+    std::filesystem::path unitTestData = nix::getUnitTestData();
     std::ifstream t{unitTestData / "derivation/ca/self-contained.json"};
     std::stringstream buffer;
     buffer << t.rdbuf();
@@ -870,7 +871,7 @@ TEST_F(NixApiStoreTestWithRealisedPath, nix_store_get_fs_closure_error_propagati
  */
 static std::string load_json_from_test_data(const char * filename)
 {
-    std::filesystem::path unitTestData{getenv("_NIX_TEST_UNIT_DATA")};
+    std::filesystem::path unitTestData = nix::getUnitTestData();
     std::ifstream t{unitTestData / filename};
     std::stringstream buffer;
     buffer << t.rdbuf();

src/libstore/aws-creds.cc

@@ -4,15 +4,15 @@
 
 #  include <aws/crt/Types.h>
 #  include "nix/store/s3-url.hh"
-#  include "nix/util/finally.hh"
 #  include "nix/util/logging.hh"
-#  include "nix/util/url.hh"
-#  include "nix/util/util.hh"
 
 #  include <aws/crt/Api.h>
 #  include <aws/crt/auth/Credentials.h>
 #  include <aws/crt/io/Bootstrap.h>
 
+// C library headers for SSO provider support
+#  include <aws/auth/credentials.h>
+
 #  include <boost/unordered/concurrent_flat_map.hpp>
 
 #  include <chrono>
@@ -30,6 +30,46 @@ AwsAuthError::AwsAuthError(int errorCode)
 
 namespace {
 
+/**
+ * Helper function to wrap a C credentials provider in the C++ interface.
+ * This replicates the static s_CreateWrappedProvider from aws-crt-cpp.
+ */
+static std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> createWrappedProvider(
+    aws_credentials_provider * rawProvider, Aws::Crt::Allocator * allocator = Aws::Crt::ApiAllocator())
+{
+    if (rawProvider == nullptr) {
+        return nullptr;
+    }
+
+    auto provider = Aws::Crt::MakeShared<Aws::Crt::Auth::CredentialsProvider>(allocator, rawProvider, allocator);
+    return std::static_pointer_cast<Aws::Crt::Auth::ICredentialsProvider>(provider);
+}
+
+/**
+ * Create an SSO credentials provider using the C library directly.
+ * The C++ wrapper doesn't expose SSO, so we call the C library and wrap the result.
+ * Returns nullptr if SSO provider creation fails (e.g., profile doesn't have SSO config).
+ */
+static std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> createSSOProvider(
+    const std::string & profileName,
+    Aws::Crt::Io::ClientBootstrap * bootstrap,
+    Aws::Crt::Io::TlsContext * tlsContext,
+    Aws::Crt::Allocator * allocator = Aws::Crt::ApiAllocator())
+{
+    aws_credentials_provider_sso_options options;
+    AWS_ZERO_STRUCT(options);
+
+    options.bootstrap = bootstrap->GetUnderlyingHandle();
+    options.tls_ctx = tlsContext ? tlsContext->GetUnderlyingHandle() : nullptr;
+    if (!profileName.empty()) {
+        options.profile_name_override = aws_byte_cursor_from_c_str(profileName.c_str());
+    }
+
+    // Create the SSO provider - will return nullptr if SSO isn't configured for this profile
+    // createWrappedProvider handles nullptr gracefully
+    return createWrappedProvider(aws_credentials_provider_new_sso(allocator, &options), allocator);
+}
+
 static AwsCredentials getCredentialsFromProvider(std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider)
 {
     if (!provider || !provider->IsValid()) {
@@ -91,6 +131,22 @@ public:
             logLevel = Aws::Crt::LogLevel::Warn;
         }
         apiHandle.InitializeLogging(logLevel, stderr);
+
+        // Create a shared TLS context for SSO (required for HTTPS connections)
+        auto allocator = Aws::Crt::ApiAllocator();
+        auto tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient(allocator);
+        tlsContext =
+            std::make_shared<Aws::Crt::Io::TlsContext>(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT, allocator);
+        if (!tlsContext || !*tlsContext) {
+            warn("failed to create TLS context for AWS SSO; SSO authentication will be unavailable");
+            tlsContext = nullptr;
+        }
+
+        // Get bootstrap (lives as long as apiHandle)
+        bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+        if (!bootstrap) {
+            throw AwsAuthError("failed to create AWS client bootstrap");
+        }
     }
 
     AwsCredentials getCredentialsRaw(const std::string & profile);
@@ -111,6 +167,8 @@ public:
 
 private:
     Aws::Crt::ApiHandle apiHandle;
+    std::shared_ptr<Aws::Crt::Io::TlsContext> tlsContext;
+    Aws::Crt::Io::ClientBootstrap * bootstrap;
     boost::concurrent_flat_map<std::string, std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider>>
         credentialProviderCache;
 };
@@ -118,23 +176,58 @@ private:
 std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider>
 AwsCredentialProviderImpl::createProviderForProfile(const std::string & profile)
 {
-    debug(
-        "[pid=%d] creating new AWS credential provider for profile '%s'",
-        getpid(),
-        profile.empty() ? "(default)" : profile.c_str());
+    // profileDisplayName is only used for debug logging - SDK uses its default profile
+    // when ProfileNameOverride is not set
+    const char * profileDisplayName = profile.empty() ? "(default)" : profile.c_str();
 
-    if (profile.empty()) {
-        Aws::Crt::Auth::CredentialsProviderChainDefaultConfig config;
-        config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
-        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChainDefault(config);
+    debug("[pid=%d] creating new AWS credential provider for profile '%s'", getpid(), profileDisplayName);
+
+    // Build a custom credential chain: Environment → SSO → Profile → IMDS
+    // This works for both default and named profiles, ensuring consistent behavior
+    // including SSO support and proper TLS context for STS-based role assumption.
+    Aws::Crt::Auth::CredentialsProviderChainConfig chainConfig;
+    auto allocator = Aws::Crt::ApiAllocator();
+
+    auto addProviderToChain = [&](std::string_view name, auto createProvider) {
+        if (auto provider = createProvider()) {
+            chainConfig.Providers.push_back(provider);
+            debug("Added AWS %s Credential Provider to chain for profile '%s'", name, profileDisplayName);
+        } else {
+            debug("Skipped AWS %s Credential Provider for profile '%s'", name, profileDisplayName);
+        }
+    };
+
+    // 1. Environment variables (highest priority)
+    addProviderToChain("Environment", [&]() {
+        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderEnvironment(allocator);
+    });
+
+    // 2. SSO provider (try it, will fail gracefully if not configured)
+    if (tlsContext) {
+        addProviderToChain("SSO", [&]() { return createSSOProvider(profile, bootstrap, tlsContext.get(), allocator); });
+    } else {
+        debug("Skipped AWS SSO Credential Provider for profile '%s': TLS context unavailable", profileDisplayName);
     }
 
-    Aws::Crt::Auth::CredentialsProviderProfileConfig config;
-    config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
-    // This is safe because the underlying C library will copy this string
-    // c.f. https://github.com/awslabs/aws-c-auth/blob/main/source/credentials_provider_profile.c#L220
-    config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
-    return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(config);
+    // 3. Profile provider (for static credentials and role_arn/source_profile with STS)
+    addProviderToChain("Profile", [&]() {
+        Aws::Crt::Auth::CredentialsProviderProfileConfig profileConfig;
+        profileConfig.Bootstrap = bootstrap;
+        profileConfig.TlsContext = tlsContext.get();
+        if (!profile.empty()) {
+            profileConfig.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
+        }
+        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(profileConfig, allocator);
+    });
+
+    // 4. IMDS provider (for EC2 instances, lowest priority)
+    addProviderToChain("IMDS", [&]() {
+        Aws::Crt::Auth::CredentialsProviderImdsConfig imdsConfig;
+        imdsConfig.Bootstrap = bootstrap;
+        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderImds(imdsConfig, allocator);
+    });
+
+    return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChain(chainConfig, allocator);
 }
 
 AwsCredentials AwsCredentialProviderImpl::getCredentialsRaw(const std::string & profile)

src/libstore/build/derivation-building-goal.cc

@@ -71,14 +71,6 @@ void DerivationBuildingGoal::killChild()
 #endif
 }
 
-void DerivationBuildingGoal::timedOut(Error && ex)
-{
-    killChild();
-    // We're not inside a coroutine, hence we can't use co_return here.
-    // Thus we ignore the return value.
-    [[maybe_unused]] Done _ = doneFailure({BuildResult::Failure::TimedOut, std::move(ex)});
-}
-
 std::string showKnownOutputs(const StoreDirConfig & store, const Derivation & drv)
 {
     std::string msg;
@@ -443,7 +435,20 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
     if (useHook) {
         buildResult.startTime = time(0); // inexact
         started();
-        co_await Suspend{};
+
+        while (true) {
+            auto event = co_await WaitForChildEvent{};
+            if (auto * output = std::get_if<ChildOutput>(&event)) {
+                co_await processChildOutput(output->fd, output->data);
+            } else if (std::get_if<ChildEOF>(&event)) {
+                if (!currentLogLine.empty())
+                    flushLine();
+                break;
+            } else if (auto * timeout = std::get_if<TimedOut>(&event)) {
+                killChild();
+                co_return doneFailure(std::move(*timeout));
+            }
+        }
 
 #ifndef _WIN32
         assert(hook);
@@ -664,7 +669,20 @@ Goal::Co DerivationBuildingGoal::tryToBuild()
     worker.childStarted(shared_from_this(), {builderOut}, true, true);
 
     started();
-    co_await Suspend{};
+
+    while (true) {
+        auto event = co_await WaitForChildEvent{};
+        if (auto * output = std::get_if<ChildOutput>(&event)) {
+            co_await processChildOutput(output->fd, output->data);
+        } else if (std::get_if<ChildEOF>(&event)) {
+            if (!currentLogLine.empty())
+                flushLine();
+            break;
+        } else if (auto * timeout = std::get_if<TimedOut>(&event)) {
+            killChild();
+            co_return doneFailure(std::move(*timeout));
+        }
+    }
 
     trace("build done");
 
@@ -997,7 +1015,7 @@ bool DerivationBuildingGoal::isReadDesc(Descriptor fd)
 #endif
 }
 
-void DerivationBuildingGoal::handleChildOutput(Descriptor fd, std::string_view data)
+Goal::Co DerivationBuildingGoal::processChildOutput(Descriptor fd, std::string_view data)
 {
     // local & `ssh://`-builds are dealt with here.
     auto isWrittenToLog = isReadDesc(fd);
@@ -1005,14 +1023,11 @@ void DerivationBuildingGoal::handleChildOutput(Descriptor fd, std::string_view d
         logSize += data.size();
         if (settings.maxLogSize && logSize > settings.maxLogSize) {
             killChild();
-            // We're not inside a coroutine, hence we can't use co_return here.
-            // Thus we ignore the return value.
-            [[maybe_unused]] Done _ = doneFailure(BuildError(
+            co_return doneFailure(BuildError(
                 BuildResult::Failure::LogLimitExceeded,
                 "%s killed after writing more than %d bytes of log output",
                 getName(),
                 settings.maxLogSize));
-            return;
         }
 
         for (auto c : data)
@@ -1065,13 +1080,7 @@ void DerivationBuildingGoal::handleChildOutput(Descriptor fd, std::string_view d
                 currentHookLine += c;
     }
 #endif
-}
-
-void DerivationBuildingGoal::handleEOF(Descriptor fd)
-{
-    if (!currentLogLine.empty())
-        flushLine();
-    worker.wakeUp(shared_from_this());
+    co_return Return{};
 }
 
 void DerivationBuildingGoal::flushLine()

src/libstore/build/drv-output-substitution-goal.cc

@@ -66,7 +66,16 @@ Goal::Co DrvOutputSubstitutionGoal::init()
             true,
             false);
 
-        co_await Suspend{};
+        while (true) {
+            auto event = co_await WaitForChildEvent{};
+            if (std::get_if<ChildOutput>(&event)) {
+                // Doesn't process child output
+            } else if (std::get_if<ChildEOF>(&event)) {
+                break;
+            } else if (std::get_if<TimedOut>(&event)) {
+                unreachable();
+            }
+        }
 
         worker.childTerminated(this);
 
@@ -149,9 +158,4 @@ std::string DrvOutputSubstitutionGoal::key()
     return "a$" + std::string(id.to_string());
 }
 
-void DrvOutputSubstitutionGoal::handleEOF(Descriptor fd)
-{
-    worker.wakeUp(shared_from_this());
-}
-
 } // namespace nix

src/libstore/build/goal.cc

@@ -4,8 +4,58 @@
 
 namespace nix {
 
+TimedOut::TimedOut(time_t maxDuration)
+    : BuildError(BuildResult::Failure::TimedOut, "timed out after %1% seconds", maxDuration)
+    , maxDuration(maxDuration)
+{
+}
+
 using Co = nix::Goal::Co;
 using promise_type = nix::Goal::promise_type;
+using ChildEvents = decltype(promise_type::childEvents);
+
+void ChildEvents::pushChildEvent(ChildOutput event)
+{
+    if (childTimeout)
+        return; // Already timed out, ignore
+    childOutputs.push(std::move(event));
+}
+
+void ChildEvents::pushChildEvent(ChildEOF event)
+{
+    if (childTimeout)
+        return; // Already timed out, ignore
+    assert(!childEOF);
+    childEOF = std::move(event);
+}
+
+void ChildEvents::pushChildEvent(TimedOut event)
+{
+    // Timeout is immediate - flush pending events
+    childOutputs = {};
+    childEOF.reset();
+    childTimeout = std::move(event);
+}
+
+bool ChildEvents::hasChildEvent() const
+{
+    return !childOutputs.empty() || childEOF || childTimeout;
+}
+
+Goal::ChildEvent ChildEvents::popChildEvent()
+{
+    if (!childOutputs.empty()) {
+        auto event = std::move(childOutputs.front());
+        childOutputs.pop();
+        return event;
+    }
+    if (childEOF)
+        return *std::exchange(childEOF, std::nullopt);
+    if (childTimeout)
+        return *std::exchange(childTimeout, std::nullopt);
+    unreachable();
+}
+
 using handle_type = nix::Goal::handle_type;
 using Suspend = nix::Goal::Suspend;
 
@@ -206,6 +256,27 @@ void Goal::work()
     assert(top_co || exitCode != ecBusy);
 }
 
+void Goal::handleChildOutput(Descriptor fd, std::string_view data)
+{
+    assert(top_co);
+    top_co->handle.promise().childEvents.pushChildEvent(ChildOutput{fd, std::string{data}});
+    worker.wakeUp(shared_from_this());
+}
+
+void Goal::handleEOF(Descriptor fd)
+{
+    assert(top_co);
+    top_co->handle.promise().childEvents.pushChildEvent(ChildEOF{fd});
+    worker.wakeUp(shared_from_this());
+}
+
+void Goal::timedOut(TimedOut && ex)
+{
+    assert(top_co);
+    top_co->handle.promise().childEvents.pushChildEvent(std::move(ex));
+    worker.wakeUp(shared_from_this());
+}
+
 Goal::Co Goal::yield()
 {
     worker.wakeUp(shared_from_this());

src/libstore/build/substitution-goal.cc

@@ -258,7 +258,16 @@ Goal::Co PathSubstitutionGoal::tryToRun(
         true,
         false);
 
-    co_await Suspend{};
+    while (true) {
+        auto event = co_await WaitForChildEvent{};
+        if (std::get_if<ChildOutput>(&event)) {
+            // Substitution doesn't process child output
+        } else if (std::get_if<ChildEOF>(&event)) {
+            break;
+        } else if (std::get_if<TimedOut>(&event)) {
+            unreachable(); // Substitution doesn't use timeouts
+        }
+    }
 
     trace("substitute finished");
 
@@ -310,11 +319,6 @@ Goal::Co PathSubstitutionGoal::tryToRun(
     co_return doneSuccess(BuildResult::Success::Substituted);
 }
 
-void PathSubstitutionGoal::handleEOF(Descriptor fd)
-{
-    worker.wakeUp(shared_from_this());
-}
-
 void PathSubstitutionGoal::cleanup()
 {
     try {

src/libstore/build/worker.cc

@@ -479,14 +479,13 @@ void Worker::waitForInput()
 
         if (goal->exitCode == Goal::ecBusy && 0 != settings.maxSilentTime && j->respectTimeouts
             && after - j->lastOutput >= std::chrono::seconds(settings.maxSilentTime)) {
-            goal->timedOut(
-                Error("%1% timed out after %2% seconds of silence", goal->getName(), settings.maxSilentTime));
+            goal->timedOut(TimedOut(settings.maxSilentTime));
         }
 
         else if (
             goal->exitCode == Goal::ecBusy && 0 != settings.buildTimeout && j->respectTimeouts
             && after - j->timeStarted >= std::chrono::seconds(settings.buildTimeout)) {
-            goal->timedOut(Error("%1% timed out after %2% seconds", goal->getName(), settings.buildTimeout));
+            goal->timedOut(TimedOut(settings.buildTimeout));
         }
     }
 

src/libstore/derivation-options.cc

@@ -341,12 +341,8 @@ DerivationOptions<SingleDerivedPath> derivationOptionsFromStructuredAttrs(
 
                 if (parsed) {
                     auto * e = optionalValueAt(parsed->structuredAttrs, "exportReferencesGraph");
-                    if (!e)
+                    if (!e || !e->is_object())
                         return ret;
-                    if (!e->is_object()) {
-                        warn("'exportReferencesGraph' in structured attrs is not a JSON object, ignoring");
-                        return ret;
-                    }
                     for (auto & [key, storePathsJson] : getObject(*e)) {
                         StringSet ss;
                         flatten(storePathsJson, ss);

src/libstore/derivations.cc

@@ -1489,8 +1489,6 @@ adl_serializer<DerivationOutput>::from_json(const json & _json, const Experiment
     }
 }
 
-static unsigned constexpr expectedJsonVersionDerivation = 4;
-
 void adl_serializer<Derivation>::to_json(json & res, const Derivation & d)
 {
     res = nlohmann::json::object();

src/libstore/filetransfer.cc

@@ -41,9 +41,27 @@ FileTransferSettings fileTransferSettings;
 
 static GlobalConfig::Register rFileTransferSettings(&fileTransferSettings);
 
+namespace {
+
+using curlSList = std::unique_ptr<::curl_slist, decltype([](::curl_slist * list) { ::curl_slist_free_all(list); })>;
+using curlMulti = std::unique_ptr<::CURLM, decltype([](::CURLM * multi) { ::curl_multi_cleanup(multi); })>;
+
+struct curlMultiError : Error
+{
+    ::CURLMcode code;
+
+    curlMultiError(::CURLMcode code)
+        : Error{"unexpected curl multi error: %s", ::curl_multi_strerror(code)}
+    {
+        assert(code != CURLM_OK);
+    }
+};
+
+} // namespace
+
 struct curlFileTransfer : public FileTransfer
 {
-    CURLM * curlm = 0;
+    curlMulti curlm;
 
     std::random_device rd;
     std::mt19937 mt19937;
@@ -69,7 +87,7 @@ struct curlFileTransfer : public FileTransfer
            has been reached. */
         std::chrono::steady_clock::time_point embargo;
 
-        struct curl_slist * requestHeaders = 0;
+        curlSList requestHeaders;
 
         std::string encoding;
 
@@ -92,6 +110,15 @@ struct curlFileTransfer : public FileTransfer
             return httpStatus;
         }
 
+        void appendHeaders(const std::string & header)
+        {
+            curlSList tmpSList = curlSList(::curl_slist_append(requestHeaders.get(), requireCString(header)));
+            if (!tmpSList)
+                throw std::bad_alloc();
+            requestHeaders.release();
+            requestHeaders = std::move(tmpSList);
+        }
+
         TransferItem(
             curlFileTransfer & fileTransfer,
             const FileTransferRequest & request,
@@ -131,13 +158,13 @@ struct curlFileTransfer : public FileTransfer
         {
             result.urls.push_back(request.uri.to_string());
 
-            requestHeaders = curl_slist_append(requestHeaders, "Accept-Encoding: zstd, br, gzip, deflate, bzip2, xz");
+            appendHeaders("Accept-Encoding: zstd, br, gzip, deflate, bzip2, xz");
             if (!request.expectedETag.empty())
-                requestHeaders = curl_slist_append(requestHeaders, ("If-None-Match: " + request.expectedETag).c_str());
+                appendHeaders("If-None-Match: " + request.expectedETag);
             if (!request.mimeType.empty())
-                requestHeaders = curl_slist_append(requestHeaders, ("Content-Type: " + request.mimeType).c_str());
+                appendHeaders("Content-Type: " + request.mimeType);
             for (auto it = request.headers.begin(); it != request.headers.end(); ++it) {
-                requestHeaders = curl_slist_append(requestHeaders, fmt("%s: %s", it->first, it->second).c_str());
+                appendHeaders(fmt("%s: %s", it->first, it->second));
             }
         }
 
@@ -145,11 +172,9 @@ struct curlFileTransfer : public FileTransfer
         {
             if (req) {
                 if (active)
-                    curl_multi_remove_handle(fileTransfer.curlm, req);
+                    curl_multi_remove_handle(fileTransfer.curlm.get(), req);
                 curl_easy_cleanup(req);
             }
-            if (requestHeaders)
-                curl_slist_free_all(requestHeaders);
             try {
                 if (!done)
                     fail(FileTransferError(
@@ -348,7 +373,7 @@ struct curlFileTransfer : public FileTransfer
             return ((TransferItem *) userp)->readCallback(buffer, size, nitems);
         }
 
-#if !defined(_WIN32) && LIBCURL_VERSION_NUM >= 0x071000
+#if !defined(_WIN32)
         static int cloexec_callback(void *, curl_socket_t curlfd, curlsocktype purpose)
         {
             unix::closeOnExec(curlfd);
@@ -411,15 +436,11 @@ struct curlFileTransfer : public FileTransfer
                 ("curl/" LIBCURL_VERSION " Nix/" + nixVersion
                  + (fileTransferSettings.userAgentSuffix != "" ? " " + fileTransferSettings.userAgentSuffix.get() : ""))
                     .c_str());
-#if LIBCURL_VERSION_NUM >= 0x072b00
             curl_easy_setopt(req, CURLOPT_PIPEWAIT, 1);
-#endif
-#if LIBCURL_VERSION_NUM >= 0x072f00
             if (fileTransferSettings.enableHttp2)
                 curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2TLS);
             else
                 curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
-#endif
             curl_easy_setopt(req, CURLOPT_WRITEFUNCTION, TransferItem::writeCallbackWrapper);
             curl_easy_setopt(req, CURLOPT_WRITEDATA, this);
             curl_easy_setopt(req, CURLOPT_HEADERFUNCTION, TransferItem::headerCallbackWrapper);
@@ -429,7 +450,7 @@ struct curlFileTransfer : public FileTransfer
             curl_easy_setopt(req, CURLOPT_XFERINFODATA, this);
             curl_easy_setopt(req, CURLOPT_NOPROGRESS, 0);
 
-            curl_easy_setopt(req, CURLOPT_HTTPHEADER, requestHeaders);
+            curl_easy_setopt(req, CURLOPT_HTTPHEADER, requestHeaders.get());
 
             if (settings.downloadSpeed.get() > 0)
                 curl_easy_setopt(req, CURLOPT_MAX_RECV_SPEED_LARGE, (curl_off_t) (settings.downloadSpeed.get() * 1024));
@@ -459,10 +480,9 @@ struct curlFileTransfer : public FileTransfer
             if (settings.caFile != "")
                 curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.get().c_str());
 
-#if !defined(_WIN32) && LIBCURL_VERSION_NUM >= 0x071000
+#if !defined(_WIN32)
             curl_easy_setopt(req, CURLOPT_SOCKOPTFUNCTION, cloexec_callback);
 #endif
-
             curl_easy_setopt(req, CURLOPT_CONNECTTIMEOUT, fileTransferSettings.connectTimeout.get());
 
             curl_easy_setopt(req, CURLOPT_LOW_SPEED_LIMIT, 1L);
@@ -694,13 +714,6 @@ struct curlFileTransfer : public FileTransfer
 
     Sync<State> state_;
 
-#ifndef _WIN32 // TODO need graceful async exit support on Windows?
-    /* We can't use a std::condition_variable to wake up the curl
-       thread, because it only monitors file descriptors. So use a
-       pipe instead. */
-    Pipe wakeupPipe;
-#endif
-
     std::thread workerThread;
 
     curlFileTransfer()
@@ -709,43 +722,35 @@ struct curlFileTransfer : public FileTransfer
         static std::once_flag globalInit;
         std::call_once(globalInit, curl_global_init, CURL_GLOBAL_ALL);
 
-        curlm = curl_multi_init();
+        curlm = curlMulti(curl_multi_init());
 
-#if LIBCURL_VERSION_NUM >= 0x072b00 // Multiplex requires >= 7.43.0
-        curl_multi_setopt(curlm, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
-#endif
-#if LIBCURL_VERSION_NUM >= 0x071e00 // Max connections requires >= 7.30.0
-        curl_multi_setopt(curlm, CURLMOPT_MAX_TOTAL_CONNECTIONS, fileTransferSettings.httpConnections.get());
-#endif
-
-#ifndef _WIN32 // TODO need graceful async exit support on Windows?
-        wakeupPipe.create();
-        fcntl(wakeupPipe.readSide.get(), F_SETFL, O_NONBLOCK);
-#endif
+        curl_multi_setopt(curlm.get(), CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
+        curl_multi_setopt(curlm.get(), CURLMOPT_MAX_TOTAL_CONNECTIONS, fileTransferSettings.httpConnections.get());
 
         workerThread = std::thread([&]() { workerThreadEntry(); });
     }
 
     ~curlFileTransfer()
     {
-        stopWorkerThread();
-
+        try {
+            stopWorkerThread();
+        } catch (...) {
+            ignoreExceptionInDestructor();
+        }
         workerThread.join();
-
-        if (curlm)
-            curl_multi_cleanup(curlm);
     }
 
     void stopWorkerThread()
     {
         /* Signal the worker thread to exit. */
-        {
-            auto state(state_.lock());
-            state->quit();
-        }
-#ifndef _WIN32 // TODO need graceful async exit support on Windows?
-        writeFull(wakeupPipe.writeSide.get(), " ", false);
-#endif
+        state_.lock()->quit();
+        wakeupMulti();
+    }
+
+    void wakeupMulti()
+    {
+        if (auto ec = ::curl_multi_wakeup(curlm.get()))
+            throw curlMultiError(ec);
     }
 
     void workerThreadMain()
@@ -775,32 +780,25 @@ struct curlFileTransfer : public FileTransfer
 
             /* Let curl do its thing. */
             int running;
-            CURLMcode mc = curl_multi_perform(curlm, &running);
+            CURLMcode mc = curl_multi_perform(curlm.get(), &running);
             if (mc != CURLM_OK)
                 throw nix::Error("unexpected error from curl_multi_perform(): %s", curl_multi_strerror(mc));
 
             /* Set the promises of any finished requests. */
             CURLMsg * msg;
             int left;
-            while ((msg = curl_multi_info_read(curlm, &left))) {
+            while ((msg = curl_multi_info_read(curlm.get(), &left))) {
                 if (msg->msg == CURLMSG_DONE) {
                     auto i = items.find(msg->easy_handle);
                     assert(i != items.end());
                     i->second->finish(msg->data.result);
-                    curl_multi_remove_handle(curlm, i->second->req);
+                    curl_multi_remove_handle(curlm.get(), i->second->req);
                     i->second->active = false;
                     items.erase(i);
                 }
             }
 
             /* Wait for activity, including wakeup events. */
-            int numfds = 0;
-            struct curl_waitfd extraFDs[1];
-#ifndef _WIN32 // TODO need graceful async exit support on Windows?
-            extraFDs[0].fd = wakeupPipe.readSide.get();
-            extraFDs[0].events = CURL_WAIT_POLLIN;
-            extraFDs[0].revents = 0;
-#endif
             long maxSleepTimeMs = items.empty() ? 10000 : 100;
             auto sleepTimeMs = nextWakeup != std::chrono::steady_clock::time_point()
                                    ? std::max(
@@ -809,23 +807,14 @@ struct curlFileTransfer : public FileTransfer
                                              nextWakeup - std::chrono::steady_clock::now())
                                              .count())
                                    : maxSleepTimeMs;
-            vomit("download thread waiting for %d ms", sleepTimeMs);
-            mc = curl_multi_wait(curlm, extraFDs, 1, sleepTimeMs, &numfds);
+
+            int numfds = 0;
+            mc = curl_multi_poll(curlm.get(), nullptr, 0, sleepTimeMs, &numfds);
             if (mc != CURLM_OK)
-                throw nix::Error("unexpected error from curl_multi_wait(): %s", curl_multi_strerror(mc));
+                throw curlMultiError(mc);
 
             nextWakeup = std::chrono::steady_clock::time_point();
 
-            /* Add new curl requests from the incoming requests queue,
-               except for requests that are embargoed (waiting for a
-               retry timeout to expire). */
-            if (extraFDs[0].revents & CURL_WAIT_POLLIN) {
-                char buf[1024];
-                auto res = read(extraFDs[0].fd, buf, sizeof(buf));
-                if (res == -1 && errno != EINTR)
-                    throw SysError("reading curl wakeup socket");
-            }
-
             std::vector<std::shared_ptr<TransferItem>> incoming;
             auto now = std::chrono::steady_clock::now();
 
@@ -848,7 +837,7 @@ struct curlFileTransfer : public FileTransfer
             for (auto & item : incoming) {
                 debug("starting %s of %s", item->request.noun(), item->request.uri);
                 item->init();
-                curl_multi_add_handle(curlm, item->req);
+                curl_multi_add_handle(curlm.get(), item->req);
                 item->active = true;
                 items[item->req] = item;
             }
@@ -899,10 +888,8 @@ struct curlFileTransfer : public FileTransfer
                 throw nix::Error("cannot enqueue download request because the download thread is shutting down");
             state->incoming.push(item);
         }
-#ifndef _WIN32 // TODO need graceful async exit support on Windows?
-        writeFull(wakeupPipe.writeSide.get(), " ");
-#endif
 
+        wakeupMulti();
         return ItemHandle(static_cast<Item &>(*item));
     }
 
@@ -922,9 +909,7 @@ struct curlFileTransfer : public FileTransfer
     {
         auto state(state_.lock());
         state->unpause.push_back(std::move(item));
-#ifndef _WIN32 // TODO need graceful async exit support on Windows?
-        writeFull(wakeupPipe.writeSide.get(), " ");
-#endif
+        wakeupMulti();
     }
 
     void unpauseTransfer(ItemHandle handle) override

src/libstore/include/nix/store/build/derivation-builder.hh

@@ -79,7 +79,7 @@ struct DerivationBuilderParams
      */
     const StorePathSet & inputPaths;
 
-    const std::map<std::string, InitialOutput> & initialOutputs;
+    const std::map<std::string, InitialOutput> initialOutputs;
 
     const BuildMode & buildMode;
 

src/libstore/include/nix/store/build/derivation-building-goal.hh

@@ -100,8 +100,6 @@ private:
 
     std::map<ActivityId, Activity> builderActivities;
 
-    void timedOut(Error && ex) override;
-
     std::string key() override;
 
     /**
@@ -129,10 +127,10 @@ private:
     bool isReadDesc(Descriptor fd);
 
     /**
-     * Callback used by the worker to write to the log.
+     * Process output from a child process.
      */
-    void handleChildOutput(Descriptor fd, std::string_view data) override;
-    void handleEOF(Descriptor fd) override;
+    Co processChildOutput(Descriptor fd, std::string_view data);
+
     void flushLine();
 
     /**

src/libstore/include/nix/store/build/derivation-goal.hh

@@ -52,11 +52,6 @@ struct DerivationGoal : public Goal
         bool storeDerivation);
     ~DerivationGoal() = default;
 
-    void timedOut(Error && ex) override
-    {
-        unreachable();
-    };
-
     std::string key() override;
 
     JobCategory jobCategory() const override

src/libstore/include/nix/store/build/derivation-resolution-goal.hh

@@ -43,8 +43,6 @@ struct DerivationResolutionGoal : public Goal
      */
     std::unique_ptr<std::pair<StorePath, BasicDerivation>> resolvedDrv;
 
-    void timedOut(Error && ex) override {}
-
 private:
 
     /**

src/libstore/include/nix/store/build/derivation-trampoline-goal.hh

@@ -109,8 +109,6 @@ struct DerivationTrampolineGoal : public Goal
 
     virtual ~DerivationTrampolineGoal();
 
-    void timedOut(Error && ex) override {}
-
     std::string key() override;
 
     JobCategory jobCategory() const override

src/libstore/include/nix/store/build/drv-output-substitution-goal.hh

@@ -33,15 +33,8 @@ public:
 
     Co init();
 
-    void timedOut(Error && ex) override
-    {
-        unreachable();
-    };
-
     std::string key() override;
 
-    void handleEOF(Descriptor fd) override;
-
     JobCategory jobCategory() const override
     {
         return JobCategory::Substitution;

src/libstore/include/nix/store/build/goal.hh

@@ -5,9 +5,18 @@
 #include "nix/store/build-result.hh"
 
 #include <coroutine>
+#include <queue>
+#include <variant>
 
 namespace nix {
 
+struct TimedOut : BuildError
+{
+    time_t maxDuration;
+
+    TimedOut(time_t maxDuration);
+};
+
 /**
  * Forward definition.
  */
@@ -138,6 +147,29 @@ public:
         friend Goal;
     };
 
+    /**
+     * Event types for child process communication, delivered via coroutines.
+     */
+    struct ChildOutput
+    {
+        Descriptor fd;
+        std::string data;
+    };
+
+    struct ChildEOF
+    {
+        Descriptor fd;
+    };
+
+    using ChildEvent = std::variant<ChildOutput, ChildEOF, TimedOut>;
+
+    /**
+     * Tag type for `co_await`-ing child events.
+     * Returns a `ChildEvent` when resumed.
+     */
+    struct WaitForChildEvent
+    {};
+
     // forward declaration of promise_type, see below
     struct promise_type;
 
@@ -276,6 +308,28 @@ public:
          */
         bool alive = true;
 
+        class
+        {
+            /**
+             * Structured queue of child events:
+             * - outputs: stream of data from child
+             * - eof: optional end-of-stream marker
+             * - timeout: optional timeout that flushes/overrides other events
+             */
+            std::queue<ChildOutput> childOutputs;
+            std::optional<ChildEOF> childEOF;
+            std::optional<TimedOut> childTimeout;
+
+        public:
+
+            void pushChildEvent(ChildOutput event);
+            void pushChildEvent(ChildEOF event);
+            void pushChildEvent(TimedOut event);
+            bool hasChildEvent() const;
+            ChildEvent popChildEvent();
+
+        } childEvents;
+
         /**
          * The awaiter used by @ref final_suspend.
          */
@@ -369,13 +423,66 @@ public:
             return static_cast<Co &&>(co);
         }
 
+        /**
+         * Awaiter for @ref Suspend. Always suspends, but asserts
+         * there are no pending child events (those should be
+         * consumed first via @ref WaitForChildEvent).
+         */
+        struct SuspendAwaiter
+        {
+            promise_type & promise;
+
+            bool await_ready()
+            {
+                assert(!promise.childEvents.hasChildEvent());
+                return false;
+            }
+
+            void await_suspend(handle_type) {}
+
+            void await_resume() {}
+        };
+
         /**
          * Allows awaiting a @ref Suspend.
          * Always suspends.
          */
-        std::suspend_always await_transform(Suspend)
+        SuspendAwaiter await_transform(Suspend)
         {
-            return {};
+            return SuspendAwaiter{*this};
+        };
+
+        /**
+         * Awaiter for child events. Suspends and returns the
+         * pending child event when resumed.
+         */
+        struct ChildEventAwaiter
+        {
+            handle_type handle;
+
+            bool await_ready()
+            {
+                return handle && handle.promise().childEvents.hasChildEvent();
+            }
+
+            void await_suspend(handle_type h)
+            {
+                handle = h;
+            }
+
+            ChildEvent await_resume()
+            {
+                assert(handle);
+                return handle.promise().childEvents.popChildEvent();
+            }
+        };
+
+        /**
+         * Allows awaiting child events (output, EOF, timeout).
+         */
+        ChildEventAwaiter await_transform(WaitForChildEvent)
+        {
+            return ChildEventAwaiter{handle_type::from_promise(*this)};
         };
     };
 
@@ -432,15 +539,23 @@ public:
 
     void work();
 
-    virtual void handleChildOutput(Descriptor fd, std::string_view data)
-    {
-        unreachable();
-    }
+    /**
+     * Called by the worker when data is received from a child process.
+     * Stores the event and resumes the coroutine.
+     */
+    void handleChildOutput(Descriptor fd, std::string_view data);
 
-    virtual void handleEOF(Descriptor fd)
-    {
-        unreachable();
-    }
+    /**
+     * Called by the worker when EOF is received from a child process.
+     * Stores the event and resumes the coroutine.
+     */
+    void handleEOF(Descriptor fd);
+
+    /**
+     * Called by the worker when a build times out.
+     * Stores the event and resumes the coroutine.
+     */
+    void timedOut(TimedOut && ex);
 
     void trace(std::string_view s);
 
@@ -449,13 +564,6 @@ public:
         return name;
     }
 
-    /**
-     * Callback in case of a timeout.  It should wake up its waiters,
-     * get rid of any running child processes that are being monitored
-     * by the worker (important!), etc.
-     */
-    virtual void timedOut(Error && ex) = 0;
-
     /**
      * Used for comparisons. The order matters a bit for scheduling. We
      * want:

src/libstore/include/nix/store/build/substitution-goal.hh

@@ -53,11 +53,6 @@ public:
         std::optional<ContentAddress> ca = std::nullopt);
     ~PathSubstitutionGoal();
 
-    void timedOut(Error && ex) override
-    {
-        unreachable();
-    };
-
     std::string key() override
     {
         return "a$" + std::string(storePath.name()) + "$" + worker.store.printStorePath(storePath);
@@ -72,12 +67,6 @@ public:
         StorePath subPath, nix::ref<Store> sub, std::shared_ptr<const ValidPathInfo> info, bool & substituterFailed);
     Co finished();
 
-    /**
-     * Callback used by the worker to write to the log.
-     */
-    void handleChildOutput(Descriptor fd, std::string_view data) override {};
-    void handleEOF(Descriptor fd) override;
-
     /* Called by destructor, can't be overridden */
     void cleanup() override final;
 

src/libstore/include/nix/store/derivations.hh

@@ -586,6 +586,12 @@ void writeDerivation(Sink & out, const StoreDirConfig & store, const BasicDeriva
  */
 std::string hashPlaceholder(const OutputNameView outputName);
 
+/**
+ * The expected JSON version for derivation serialization.
+ * Used by `nix derivation show` and `nix derivation add`.
+ */
+constexpr unsigned expectedJsonVersionDerivation = 4;
+
 } // namespace nix
 
 JSON_IMPL_WITH_XP_FEATURES(nix::DerivationOutput)

src/libstore/include/nix/store/globals.hh

@@ -1143,7 +1143,7 @@ public:
 
     Setting<std::string> netrcFile{
         this,
-        fmt("%s/%s", nixConfDir, "netrc"),
+        (nixConfDir / "netrc").string(),
         "netrc-file",
         R"(
           If set to an absolute path to a `netrc` file, Nix uses the HTTP

src/libstore/meson.build

@@ -39,28 +39,32 @@ deps_public_maybe_subproject = [
 ]
 subdir('nix-meson-build-support/subprojects')
 
-run_command(
-  'ln',
-  '-s',
-  meson.project_build_root() / '__nothing_link_target',
-  meson.project_build_root() / '__nothing_symlink',
-  # native doesn't allow dangling symlinks, which the tests require
-  env : {'MSYS' : 'winsymlinks:lnk'},
-  check : true,
-)
-can_link_symlink = run_command(
-  'ln',
-  meson.project_build_root() / '__nothing_symlink',
-  meson.project_build_root() / '__nothing_hardlink',
-  check : false,
-).returncode() == 0
-run_command(
-  'rm',
-  '-f',
-  meson.project_build_root() / '__nothing_symlink',
-  meson.project_build_root() / '__nothing_hardlink',
-  check : true,
-)
+can_link_symlink = false
+native_ln = find_program('ln', required : false, native : true)
+if native_ln.found()
+  run_command(
+    native_ln,
+    '-s',
+    meson.project_build_root() / '__nothing_link_target',
+    meson.project_build_root() / '__nothing_symlink',
+    # native doesn't allow dangling symlinks, which the tests require
+    env : {'MSYS' : 'winsymlinks:lnk'},
+    check : true,
+  )
+  can_link_symlink = run_command(
+    native_ln,
+    meson.project_build_root() / '__nothing_symlink',
+    meson.project_build_root() / '__nothing_hardlink',
+    check : false,
+  ).returncode() == 0
+  run_command(
+    'rm',
+    '-f',
+    meson.project_build_root() / '__nothing_symlink',
+    meson.project_build_root() / '__nothing_hardlink',
+    check : true,
+  )
+endif
 summary('can hardlink to symlink', can_link_symlink, bool_yn : true)
 configdata_priv.set('CAN_LINK_SYMLINK', can_link_symlink.to_int())
 
@@ -160,6 +164,8 @@ if s3_aws_auth.enabled()
   deps_other += aws_crt_cpp
   aws_c_common = cxx.find_library('aws-c-common', required : true)
   deps_other += aws_c_common
+  aws_c_auth = cxx.find_library('aws-c-auth', required : true)
+  deps_other += aws_c_auth
 endif
 
 configdata_pub.set('NIX_WITH_AWS_AUTH', s3_aws_auth.enabled().to_int())

src/libutil-test-support/include/nix/util/tests/characterization.hh

@@ -4,20 +4,11 @@
 #include <gtest/gtest.h>
 
 #include "nix/util/types.hh"
-#include "nix/util/environment-variables.hh"
 #include "nix/util/file-system.hh"
+#include "nix/util/tests/test-data.hh"
 
 namespace nix {
 
-/**
- * The path to the unit test data directory. See the contributing guide
- * in the manual for further details.
- */
-static inline std::filesystem::path getUnitTestData()
-{
-    return getEnv("_NIX_TEST_UNIT_DATA").value();
-}
-
 /**
  * Whether we should update "golden masters" instead of running tests
  * against them. See the contributing guide in the manual for further

src/libutil-test-support/include/nix/util/tests/meson.build

@@ -10,4 +10,5 @@ headers = files(
   'json-characterization.hh',
   'nix_api_util.hh',
   'string_callback.hh',
+  'test-data.hh',
 )

src/libutil-test-support/include/nix/util/tests/test-data.hh

@@ -0,0 +1,24 @@
+#pragma once
+///@file
+
+#include <filesystem>
+#include "nix/util/environment-variables.hh"
+#include "nix/util/error.hh"
+
+namespace nix {
+
+/**
+ * The path to the unit test data directory. See the contributing guide
+ * in the manual for further details.
+ */
+static inline std::filesystem::path getUnitTestData()
+{
+    auto data = getEnv("_NIX_TEST_UNIT_DATA");
+    if (!data)
+        throw Error(
+            "_NIX_TEST_UNIT_DATA environment variable is not set. "
+            "Recommendation: use meson, example: 'meson test -C build --gdb'");
+    return std::filesystem::path(*data);
+}
+
+} // namespace nix

src/libutil-tests/meson.build

@@ -33,6 +33,9 @@ deps_private += rapidcheck
 gtest = dependency('gtest', main : true)
 deps_private += gtest
 
+gmock = dependency('gmock')
+deps_private += gmock
+
 configdata = configuration_data()
 configdata.set_quoted('PACKAGE_VERSION', meson.project_version())
 
@@ -72,6 +75,7 @@ sources = files(
   'position.cc',
   'processes.cc',
   'sort.cc',
+  'source-accessor.cc',
   'spawn.cc',
   'strings.cc',
   'suggestions.cc',

src/libutil-tests/source-accessor.cc

@@ -0,0 +1,138 @@
+#include "nix/util/fs-sink.hh"
+#include "nix/util/file-system.hh"
+#include "nix/util/processes.hh"
+
+#include <gtest/gtest.h>
+#include <gmock/gmock.h>
+#include <rapidcheck/gtest.h>
+
+namespace nix {
+
+MATCHER_P2(HasContents, path, expected, "")
+{
+    auto stat = arg->maybeLstat(path);
+    if (!stat) {
+        *result_listener << arg->showPath(path) << " does not exist";
+        return false;
+    }
+    if (stat->type != SourceAccessor::tRegular) {
+        *result_listener << arg->showPath(path) << " is not a regular file";
+        return false;
+    }
+    auto actual = arg->readFile(path);
+    if (actual != expected) {
+        *result_listener << arg->showPath(path) << " has contents " << ::testing::PrintToString(actual);
+        return false;
+    }
+    return true;
+}
+
+MATCHER_P2(HasSymlink, path, target, "")
+{
+    auto stat = arg->maybeLstat(path);
+    if (!stat) {
+        *result_listener << arg->showPath(path) << " does not exist";
+        return false;
+    }
+    if (stat->type != SourceAccessor::tSymlink) {
+        *result_listener << arg->showPath(path) << " is not a symlink";
+        return false;
+    }
+    auto actual = arg->readLink(path);
+    if (actual != target) {
+        *result_listener << arg->showPath(path) << " points to " << ::testing::PrintToString(actual);
+        return false;
+    }
+    return true;
+}
+
+MATCHER_P2(HasDirectory, path, dirents, "")
+{
+    auto stat = arg->maybeLstat(path);
+    if (!stat) {
+        *result_listener << arg->showPath(path) << " does not exist";
+        return false;
+    }
+    if (stat->type != SourceAccessor::tDirectory) {
+        *result_listener << arg->showPath(path) << " is not a directory";
+        return false;
+    }
+    auto actual = arg->readDirectory(path);
+    std::set<std::string> actualKeys, expectedKeys(dirents.begin(), dirents.end());
+    for (auto & [k, _] : actual)
+        actualKeys.insert(k);
+    if (actualKeys != expectedKeys) {
+        *result_listener << arg->showPath(path) << " has entries " << ::testing::PrintToString(actualKeys);
+        return false;
+    }
+    return true;
+}
+
+class FSSourceAccessorTest : public ::testing::Test
+{
+protected:
+    std::filesystem::path tmpDir;
+    std::unique_ptr<nix::AutoDelete> delTmpDir;
+
+    void SetUp() override
+    {
+        tmpDir = nix::createTempDir();
+        delTmpDir = std::make_unique<nix::AutoDelete>(tmpDir, true);
+    }
+
+    void TearDown() override
+    {
+        delTmpDir.release();
+    }
+};
+
+TEST_F(FSSourceAccessorTest, works)
+{
+    {
+        RestoreSink sink(false);
+        sink.dstPath = tmpDir;
+        sink.dirFd = openDirectory(tmpDir);
+        sink.createDirectory(CanonPath("subdir"));
+        sink.createRegularFile(CanonPath("file1"), [](CreateRegularFileSink & crf) { crf("content1"); });
+        sink.createRegularFile(CanonPath("subdir/file2"), [](CreateRegularFileSink & crf) { crf("content2"); });
+        sink.createSymlink(CanonPath("rootlink"), "target");
+        sink.createDirectory(CanonPath("a"));
+        sink.createSymlink(CanonPath("a/dirlink"), "../subdir");
+    }
+
+    EXPECT_THAT(makeFSSourceAccessor(tmpDir / "file1"), HasContents(CanonPath::root, "content1"));
+    EXPECT_THAT(makeFSSourceAccessor(tmpDir / "rootlink"), HasSymlink(CanonPath::root, "target"));
+    EXPECT_THAT(
+        makeFSSourceAccessor(tmpDir),
+        HasDirectory(CanonPath::root, std::set<std::string>{"file1", "subdir", "rootlink", "a"}));
+    EXPECT_THAT(makeFSSourceAccessor(tmpDir / "subdir"), HasDirectory(CanonPath::root, std::set<std::string>{"file2"}));
+
+    {
+        auto accessor = makeFSSourceAccessor(tmpDir);
+        EXPECT_THAT(accessor, HasContents(CanonPath("file1"), "content1"));
+        EXPECT_THAT(accessor, HasContents(CanonPath("subdir/file2"), "content2"));
+
+        EXPECT_TRUE(accessor->pathExists(CanonPath("file1")));
+        EXPECT_FALSE(accessor->pathExists(CanonPath("nonexistent")));
+
+        EXPECT_THROW(accessor->readFile(CanonPath("a/dirlink/file2")), SymlinkNotAllowed);
+        EXPECT_THROW(accessor->maybeLstat(CanonPath("a/dirlink/file2")), SymlinkNotAllowed);
+        EXPECT_THROW(accessor->readDirectory(CanonPath("a/dirlink")), SymlinkNotAllowed);
+        EXPECT_THROW(accessor->pathExists(CanonPath("a/dirlink/file2")), SymlinkNotAllowed);
+    }
+
+    {
+        auto accessor = makeFSSourceAccessor(tmpDir / "nonexistent");
+        EXPECT_FALSE(accessor->maybeLstat(CanonPath::root));
+        EXPECT_THROW(accessor->readFile(CanonPath::root), SystemError);
+    }
+
+    {
+        auto accessor = makeFSSourceAccessor(tmpDir, true);
+        EXPECT_EQ(accessor->getLastModified(), 0);
+        accessor->maybeLstat(CanonPath("file1"));
+        EXPECT_GT(accessor->getLastModified(), 0);
+    }
+}
+
+} // namespace nix

src/libutil/archive.cc

@@ -103,7 +103,8 @@ void SourceAccessor::dumpPath(const CanonPath & path, Sink & sink, PathFilter &
 
 time_t dumpPathAndGetMtime(const Path & path, Sink & sink, PathFilter & filter)
 {
-    auto path2 = PosixSourceAccessor::createAtRoot(path, /*trackLastModified=*/true);
+    SourcePath path2 = {
+        makeFSSourceAccessor(std::filesystem::path{}, /*trackLastModified=*/true), CanonPath(absPath(path))};
     path2.dumpPath(sink, filter);
     return path2.accessor->getLastModified().value();
 }

src/libutil/include/nix/util/file-descriptor.hh

@@ -2,7 +2,6 @@
 ///@file
 
 #include "nix/util/canon-path.hh"
-#include "nix/util/types.hh"
 #include "nix/util/error.hh"
 
 #ifdef _WIN32
@@ -236,18 +235,6 @@ std::wstring handleToFileName(Descriptor handle);
 #ifndef _WIN32
 namespace unix {
 
-struct SymlinkNotAllowed : public Error
-{
-    CanonPath path;
-
-    SymlinkNotAllowed(CanonPath path)
-        /* Can't provide better error message, since the parent directory is only known to the caller. */
-        : Error("relative path '%s' points to a symlink, which is not allowed", path.rel())
-        , path(std::move(path))
-    {
-    }
-};
-
 /**
  * Safe(r) function to open \param path file relative to \param dirFd, while
  * disallowing escaping from a directory and resolving any symlinks in the

src/libutil/include/nix/util/posix-source-accessor.hh

@@ -43,36 +43,6 @@ public:
 
     std::optional<std::filesystem::path> getPhysicalPath(const CanonPath & path) override;
 
-    /**
-     * Create a `PosixSourceAccessor` and `SourcePath` corresponding to
-     * some native path.
-     *
-     * @param Whether the accessor should return a non-null getLastModified.
-     * When true the accessor must be used only by a single thread.
-     *
-     * The `PosixSourceAccessor` is rooted as far up the tree as
-     * possible, (e.g. on Windows it could scoped to a drive like
-     * `C:\`). This allows more `..` parent accessing to work.
-     *
-     * @note When `path` is trusted user input, canonicalize it using
-     * `std::filesystem::canonical`, `makeParentCanonical`, `std::filesystem::weakly_canonical`, etc,
-     * as appropriate for the use case. At least weak canonicalization is
-     * required for the `SourcePath` to do anything useful at the location it
-     * points to.
-     *
-     * @note A canonicalizing behavior is not built in `createAtRoot` so that
-     * callers do not accidentally introduce symlink-related security vulnerabilities.
-     * Furthermore, `createAtRoot` does not know whether the file pointed to by
-     * `path` should be resolved if it is itself a symlink. In other words,
-     * `createAtRoot` can not decide between aforementioned `canonical`, `makeParentCanonical`, etc. for its callers.
-     *
-     * See
-     * [`std::filesystem::path::root_path`](https://en.cppreference.com/w/cpp/filesystem/path/root_path)
-     * and
-     * [`std::filesystem::path::relative_path`](https://en.cppreference.com/w/cpp/filesystem/path/relative_path).
-     */
-    static SourcePath createAtRoot(const std::filesystem::path & path, bool trackLastModified = false);
-
     std::optional<std::time_t> getLastModified() override
     {
         return trackLastModified ? std::optional{mtime} : std::nullopt;

src/libutil/include/nix/util/source-accessor.hh

@@ -222,6 +222,24 @@ ref<SourceAccessor> makeEmptySourceAccessor();
  */
 MakeError(RestrictedPathError, Error);
 
+struct SymlinkNotAllowed : public Error
+{
+    CanonPath path;
+
+    SymlinkNotAllowed(CanonPath path)
+        : Error("relative path '%s' points to a symlink, which is not allowed", path.rel())
+        , path(std::move(path))
+    {
+    }
+
+    template<typename... Args>
+    SymlinkNotAllowed(CanonPath path, const std::string & fs, Args &&... args)
+        : Error(fs, std::forward<Args>(args)...)
+        , path(std::move(path))
+    {
+    }
+};
+
 /**
  * Return an accessor for the root filesystem.
  */
@@ -233,7 +251,7 @@ ref<SourceAccessor> getFSSourceAccessor();
  * elements, and that absolute symlinks are resolved relative to
  * `root`.
  */
-ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root);
+ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root, bool trackLastModified = false);
 
 /**
  * Construct an accessor that presents a "union" view of a vector of

src/libutil/posix-source-accessor.cc

@@ -1,7 +1,5 @@
 #include "nix/util/posix-source-accessor.hh"
-#include "nix/util/source-path.hh"
 #include "nix/util/signals.hh"
-#include "nix/util/sync.hh"
 
 #include <boost/unordered/concurrent_flat_map.hpp>
 
@@ -20,15 +18,6 @@ PosixSourceAccessor::PosixSourceAccessor()
 {
 }
 
-SourcePath PosixSourceAccessor::createAtRoot(const std::filesystem::path & path, bool trackLastModified)
-{
-    std::filesystem::path path2 = absPath(path);
-    return {
-        make_ref<PosixSourceAccessor>(path2.root_path(), trackLastModified),
-        CanonPath{path2.relative_path().string()},
-    };
-}
-
 std::filesystem::path PosixSourceAccessor::makeAbsPath(const CanonPath & path)
 {
     return root.empty()    ? (std::filesystem::path{path.abs()})
@@ -208,7 +197,7 @@ void PosixSourceAccessor::assertNoSymlinks(CanonPath path)
     while (!path.isRoot()) {
         auto st = cachedLstat(path);
         if (st && S_ISLNK(st->st_mode))
-            throw Error("path '%s' is a symlink", showPath(path));
+            throw SymlinkNotAllowed(path, "path '%s' is a symlink", showPath(path));
         path.pop();
     }
 }
@@ -219,8 +208,8 @@ ref<SourceAccessor> getFSSourceAccessor()
     return rootFS;
 }
 
-ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root)
+ref<SourceAccessor> makeFSSourceAccessor(std::filesystem::path root, bool trackLastModified)
 {
-    return make_ref<PosixSourceAccessor>(std::move(root));
+    return make_ref<PosixSourceAccessor>(std::move(root), trackLastModified);
 }
 } // namespace nix

src/libutil/tarfile.cc

@@ -136,7 +136,7 @@ static void extract_archive(TarArchive & archive, const std::filesystem::path &
         if (!name)
             throw Error("cannot get archive member name: %s", archive_error_string(archive.archive));
         if (r == ARCHIVE_WARN)
-            warn(archive_error_string(archive.archive));
+            warn("getting archive member '%1%': %2%", name, archive_error_string(archive.archive));
         else
             archive.check(r);
 
@@ -193,7 +193,7 @@ time_t unpackTarfileToSink(TarArchive & archive, ExtendedFileSystemObjectSink &
             throw Error("cannot get archive member name: %s", archive_error_string(archive.archive));
         auto cpath = CanonPath{path};
         if (r == ARCHIVE_WARN)
-            warn(archive_error_string(archive.archive));
+            warn("getting archive member '%1%': %2%", path, archive_error_string(archive.archive));
         else
             archive.check(r);
 

src/libutil/unix/file-descriptor.cc

@@ -3,6 +3,7 @@
 #include "nix/util/signals.hh"
 #include "nix/util/finally.hh"
 #include "nix/util/serialise.hh"
+#include "nix/util/source-accessor.hh"
 
 #include <fcntl.h>
 #include <unistd.h>
@@ -301,10 +302,10 @@ openFileEnsureBeneathNoSymlinksIterative(Descriptor dirFd, const CanonPath & pat
             if (errno == ENOTDIR) /* Path component might be a symlink. */ {
                 struct ::stat st;
                 if (::fstatat(getParentFd(), component.c_str(), &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISLNK(st.st_mode))
-                    throw unix::SymlinkNotAllowed(path2);
+                    throw SymlinkNotAllowed(path2);
                 errno = ENOTDIR; /* Restore the errno. */
             } else if (errno == ELOOP) {
-                throw unix::SymlinkNotAllowed(path2);
+                throw SymlinkNotAllowed(path2);
             }
 
             return INVALID_DESCRIPTOR;
@@ -315,7 +316,7 @@ openFileEnsureBeneathNoSymlinksIterative(Descriptor dirFd, const CanonPath & pat
 
     auto res = ::openat(getParentFd(), std::string(path.baseName().value()).c_str(), flags | O_NOFOLLOW, mode);
     if (res < 0 && errno == ELOOP)
-        throw unix::SymlinkNotAllowed(path);
+        throw SymlinkNotAllowed(path);
     return res;
 }
 
@@ -328,7 +329,7 @@ Descriptor unix::openFileEnsureBeneathNoSymlinks(Descriptor dirFd, const CanonPa
         dirFd, path.rel_c_str(), flags, static_cast<uint64_t>(mode), RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS);
     if (maybeFd) {
         if (*maybeFd < 0 && errno == ELOOP)
-            throw unix::SymlinkNotAllowed(path);
+            throw SymlinkNotAllowed(path);
         return *maybeFd;
     }
 #endif

src/nix/add-to-store.cc

@@ -38,7 +38,7 @@ struct CmdAddToStore : MixDryRun, StoreCommand
         if (!namePart)
             namePart = baseNameOf(path);
 
-        auto sourcePath = PosixSourceAccessor::createAtRoot(makeParentCanonical(path));
+        SourcePath sourcePath = makeFSSourceAccessor(makeParentCanonical(path));
 
         auto storePath = dryRun ? store->computeStorePath(*namePart, sourcePath, caMethod, hashAlgo, {}).first
                                 : store->addToStoreSlow(*namePart, sourcePath, caMethod, hashAlgo, {}).path;

src/nix/derivation-show.cc

@@ -60,7 +60,11 @@ struct CmdShowDerivation : InstallablesCommand, MixPrintJSON
 
             jsonRoot[drvPath.to_string()] = store->readDerivation(drvPath);
         }
-        printJSON(jsonRoot);
+        printJSON(
+            nlohmann::json{
+                {"version", expectedJsonVersionDerivation},
+                {"derivations", std::move(jsonRoot)},
+            });
     }
 };
 

src/nix/hash.cc

@@ -85,9 +85,7 @@ struct CmdHashBase : Command
                     return std::make_unique<HashSink>(hashAlgo);
             };
 
-            auto makeSourcePath = [&]() -> SourcePath {
-                return PosixSourceAccessor::createAtRoot(makeParentCanonical(path));
-            };
+            auto makeSourcePath = [&]() -> SourcePath { return makeFSSourceAccessor(makeParentCanonical(path)); };
 
             Hash h{HashAlgorithm::SHA256}; // throwaway def to appease C++
             switch (mode) {

src/nix/nix-build/nix-build.cc

@@ -613,6 +613,8 @@ static void main_nix_build(int argc, char ** argv)
            environment variables and shell functions.  Also don't
            lose the current $PATH directories. */
         auto rcfile = (tmpDir.path() / "rc").string();
+        auto tz = getEnv("TZ");
+        auto tzExport = tz ? "export TZ=" + escapeShellArgAlways(*tz) + "; " : "";
         std::string rc = fmt(
                 (R"(_nix_shell_clean_tmpdir() { command rm -rf %1%; };)"s
                   "trap _nix_shell_clean_tmpdir EXIT; "
@@ -646,7 +648,7 @@ static void main_nix_build(int argc, char ** argv)
                 (pure ? "" : "PATH=$PATH:$p; unset p; "),
                 escapeShellArgAlways(dirOf(*shell)),
                 escapeShellArgAlways(*shell),
-                (getenv("TZ") ? (std::string("export TZ=") + escapeShellArgAlways(getenv("TZ")) + "; ") : ""),
+                tzExport,
                 envCommand);
         vomit("Sourcing nix-shell with file %s and contents:\n%s", rcfile, rc);
         writeFile(rcfile, rc);

src/nix/nix-store/nix-store.cc

@@ -191,7 +191,7 @@ static void opAdd(Strings opFlags, Strings opArgs)
         throw UsageError("unknown flag");
 
     for (auto & i : opArgs) {
-        auto sourcePath = PosixSourceAccessor::createAtRoot(makeParentCanonical(i));
+        SourcePath sourcePath = makeFSSourceAccessor(makeParentCanonical(i));
         cout << fmt("%s\n", store->printStorePath(store->addToStore(std::string(baseNameOf(i)), sourcePath)));
     }
 }
@@ -215,7 +215,7 @@ static void opAddFixed(Strings opFlags, Strings opArgs)
     opArgs.pop_front();
 
     for (auto & i : opArgs) {
-        auto sourcePath = PosixSourceAccessor::createAtRoot(makeParentCanonical(i));
+        SourcePath sourcePath = makeFSSourceAccessor(makeParentCanonical(i));
         std::cout << fmt(
             "%s\n", store->printStorePath(store->addToStoreSlow(baseNameOf(i), sourcePath, method, hashAlgo).path));
     }

src/perl/lib/Nix/Store.xs

@@ -256,7 +256,7 @@ hashPath(char * algo, int base32, char * path)
     PPCODE:
         try {
             Hash h = hashPath(
-                PosixSourceAccessor::createAtRoot(path),
+                SourcePath{getFSSourceAccessor(), CanonPath(absPath(Path(path)))},
                 FileIngestionMethod::NixArchive, parseHashAlgo(algo)).first;
             auto s = h.to_string(base32 ? HashFormat::Nix32 : HashFormat::Base16, false);
             XPUSHs(sv_2mortal(newSVpv(s.c_str(), 0)));
@@ -336,7 +336,7 @@ StoreWrapper::addToStore(char * srcPath, int recursive, char * algo)
             auto method = recursive ? ContentAddressMethod::Raw::NixArchive : ContentAddressMethod::Raw::Flat;
             auto path = THIS->store->addToStore(
                 std::string(baseNameOf(srcPath)),
-                PosixSourceAccessor::createAtRoot(srcPath),
+                SourcePath{getFSSourceAccessor(), CanonPath(absPath(Path(srcPath)))},
                 method, parseHashAlgo(algo));
             XPUSHs(sv_2mortal(newSVpv(THIS->store->printStorePath(path).c_str(), 0)));
         } catch (Error & e) {

tests/functional/ca/derivation-json.sh

@@ -6,7 +6,7 @@ export NIX_TESTS_CA_BY_DEFAULT=1
 
 drvPath=$(nix-instantiate ../simple.nix)
 
-nix derivation show "$drvPath" | jq .[] > "$TEST_HOME"/simple.json
+nix derivation show "$drvPath" | jq '.derivations[]' > "$TEST_HOME"/simple.json
 
 drvPath2=$(nix derivation add < "$TEST_HOME"/simple.json)
 
@@ -27,5 +27,5 @@ drvPath4=$(nix derivation add < "$TEST_HOME"/foo.json)
 [[ -e "$drvPath3" ]]
 
 # The modified derivation read back as JSON matches
-nix derivation show "$drvPath3" | jq .[] > "$TEST_HOME"/foo-read.json
+nix derivation show "$drvPath3" | jq '.derivations[]' > "$TEST_HOME"/foo-read.json
 diff "$TEST_HOME"/foo.json "$TEST_HOME"/foo-read.json

tests/functional/derivation-json.sh

@@ -4,7 +4,7 @@ source common.sh
 
 drvPath=$(nix-instantiate simple.nix)
 
-nix derivation show "$drvPath" | jq '.[]' > "$TEST_HOME/simple.json"
+nix derivation show "$drvPath" | jq '.derivations[]' > "$TEST_HOME/simple.json"
 
 # Round tripping to JSON works
 drvPath2=$(nix derivation add < "$TEST_HOME/simple.json")

tests/functional/dyn-drv/recursive-mod-json.nix

@@ -18,7 +18,7 @@ mkDerivation rec {
     PATH=${builtins.getEnv "EXTRA_PATH"}:$PATH
 
     # JSON of pre-existing drv
-    nix derivation show $drv | jq .[] > drv0.json
+    nix derivation show $drv | jq '.derivations[]' > drv0.json
 
     # Fix name
     jq < drv0.json '.name = "${innerName}"' > drv1.json

tests/functional/impure-derivations.sh

@@ -16,7 +16,7 @@ printf 0 > "$TEST_ROOT"/counter
 
 # `nix derivation add` with impure derivations work
 drvPath=$(nix-instantiate ./impure-derivations.nix -A impure)
-nix derivation show "$drvPath" | jq .[] > "$TEST_HOME"/impure-drv.json
+nix derivation show "$drvPath" | jq '.derivations[]' > "$TEST_HOME"/impure-drv.json
 drvPath2=$(nix derivation add < "$TEST_HOME"/impure-drv.json)
 [[ "$drvPath" = "$drvPath2" ]]
 
@@ -50,8 +50,8 @@ path4=$(nix build -L --no-link --json --file ./impure-derivations.nix impureOnIm
 (! nix build -L --no-link --json --file ./impure-derivations.nix inputAddressed 2>&1) | grep 'depends on impure derivation'
 
 drvPath=$(nix eval --json --file ./impure-derivations.nix impure.drvPath | jq -r .)
-[[ $(nix derivation show "$drvPath" | jq ".[\"$(basename "$drvPath")\"].outputs.out.impure") = true ]]
-[[ $(nix derivation show "$drvPath" | jq ".[\"$(basename "$drvPath")\"].outputs.stuff.impure") = true ]]
+[[ $(nix derivation show "$drvPath" | jq ".derivations[\"$(basename "$drvPath")\"].outputs.out.impure") = true ]]
+[[ $(nix derivation show "$drvPath" | jq ".derivations[\"$(basename "$drvPath")\"].outputs.stuff.impure") = true ]]
 
 # Fixed-output derivations *can* depend on impure derivations.
 path5=$(nix build -L --no-link --json --file ./impure-derivations.nix contentAddressed | jq -r .[].outputs.out)

tests/functional/shell.nix

@@ -106,14 +106,16 @@ let
 
     foo = runCommand "foo" { } ''
       mkdir -p $out/bin
-      echo 'echo ${fooContents}' > $out/bin/foo
+      echo '#!${shell}' > $out/bin/foo
+      echo 'echo ${fooContents}' >> $out/bin/foo
       chmod a+rx $out/bin/foo
       ln -s ${shell} $out/bin/bash
     '';
 
     bar = runCommand "bar" { } ''
       mkdir -p $out/bin
-      echo 'echo bar' > $out/bin/bar
+      echo '#!${shell}' > $out/bin/bar
+      echo 'echo bar' >> $out/bin/bar
       chmod a+rx $out/bin/bar
     '';
 
@@ -126,7 +128,8 @@ let
     # ruby "interpreter" that outputs "$@"
     ruby = runCommand "ruby" { } ''
       mkdir -p $out/bin
-      echo 'printf %s "$*"' > $out/bin/ruby
+      echo '#!${shell}' > $out/bin/ruby
+      echo 'printf %s "$*"' >> $out/bin/ruby
       chmod a+rx $out/bin/ruby
     '';
 

tests/functional/structured-attrs.sh

@@ -49,4 +49,4 @@ expectStderr 0 nix-instantiate --expr "$hackyExpr" --eval --strict | grepQuiet "
 
 # Check it works with the expected structured attrs
 hacky=$(nix-instantiate --expr "$hackyExpr")
-nix derivation show "$hacky" | jq --exit-status '."'"$(basename "$hacky")"'".structuredAttrs | . == {"a": 1}'
+nix derivation show "$hacky" | jq --exit-status '.derivations."'"$(basename "$hacky")"'".structuredAttrs | . == {"a": 1}'

tests/nixos/s3-binary-cache-store.nix

@@ -147,7 +147,7 @@ in
               else:
                   machine.fail(f"nix path-info {pkg}")
 
-      def setup_s3(populate_bucket=[], public=False, versioned=False):
+      def setup_s3(populate_bucket=[], public=False, versioned=False, profiles=None):
           """
           Decorator that creates/destroys a unique bucket for each test.
           Optionally pre-populates bucket with specified packages.
@@ -157,9 +157,22 @@ in
               populate_bucket: List of packages to upload before test runs
               public: If True, make the bucket publicly accessible
               versioned: If True, enable versioning on the bucket before populating
+              profiles: Dict of AWS profiles to create, e.g.:
+                  {"valid": {"access_key": "...", "secret_key": "..."},
+                   "invalid": {"access_key": "WRONG", "secret_key": "WRONG"}}
+                  Profiles are created on the client machine at /root/.aws/credentials
           """
           def decorator(test_func):
               def wrapper():
+                  # Restart nix-daemon on both machines to clear the credential provider cache.
+                  # The AwsCredentialProviderImpl singleton persists in the daemon process,
+                  # and its cache can cause credentials from previous tests to be reused.
+                  # We reset-failed first to avoid systemd's start rate limiting.
+                  server.succeed("systemctl reset-failed nix-daemon.service nix-daemon.socket")
+                  server.succeed("systemctl restart nix-daemon")
+                  client.succeed("systemctl reset-failed nix-daemon.service nix-daemon.socket")
+                  client.succeed("systemctl restart nix-daemon")
+
                   bucket = str(uuid.uuid4())
                   server.succeed(f"mc mb minio/{bucket}")
                   try:
@@ -167,6 +180,15 @@ in
                           server.succeed(f"mc anonymous set download minio/{bucket}")
                       if versioned:
                           server.succeed(f"mc version enable minio/{bucket}")
+                      if profiles:
+                          # Build credentials file content
+                          creds_content = ""
+                          for name, creds in profiles.items():
+                              creds_content += f"[{name}]\n"
+                              creds_content += f"aws_access_key_id = {creds['access_key']}\n"
+                              creds_content += f"aws_secret_access_key = {creds['secret_key']}\n\n"
+                          client.succeed("mkdir -p /root/.aws")
+                          client.succeed(f"cat > /root/.aws/credentials << 'AWSCREDS'\n{creds_content}AWSCREDS")
                       if populate_bucket:
                           store_url = make_s3_url(bucket)
                           for pkg in populate_bucket:
@@ -174,6 +196,9 @@ in
                       test_func(bucket)
                   finally:
                       server.succeed(f"mc rb --force minio/{bucket}")
+                      # Clean up AWS profiles if created
+                      if profiles:
+                          client.succeed("rm -rf /root/.aws")
                       # Clean up client store - only delete if path exists
                       for pkg in PKGS.values():
                           client.succeed(f"[ ! -e {pkg} ] || nix store delete --ignore-liveness {pkg}")
@@ -764,6 +789,108 @@ in
 
           print("  ✓ Compressed log uploaded with multipart")
 
+      @setup_s3(
+          populate_bucket=[PKGS['A']],
+          profiles={
+              "valid": {"access_key": ACCESS_KEY, "secret_key": SECRET_KEY},
+              "invalid": {"access_key": "INVALIDKEY", "secret_key": "INVALIDSECRET"},
+          }
+      )
+      def test_profile_credentials(bucket):
+          """Test that profile-based credentials work without environment variables"""
+          print("\n=== Testing Profile-Based Credentials ===")
+
+          store_url = make_s3_url(bucket, profile="valid")
+
+          # Verify store info works with profile credentials (no env vars)
+          client.succeed(f"HOME=/root nix store info --store '{store_url}' >&2")
+          print("  ✓ nix store info works with profile credentials")
+
+          # Verify we can copy from the store using profile
+          verify_packages_in_store(client, PKGS['A'], should_exist=False)
+          client.succeed(f"HOME=/root nix copy --no-check-sigs --from '{store_url}' {PKGS['A']}")
+          verify_packages_in_store(client, PKGS['A'])
+          print("  ✓ nix copy works with profile credentials")
+
+          # Clean up the package we just copied so we can test invalid profile
+          client.succeed(f"nix store delete --ignore-liveness {PKGS['A']}")
+          verify_packages_in_store(client, PKGS['A'], should_exist=False)
+
+          # Verify invalid profile fails when trying to copy
+          invalid_url = make_s3_url(bucket, profile="invalid")
+          client.fail(f"HOME=/root nix copy --no-check-sigs --from '{invalid_url}' {PKGS['A']} 2>&1")
+          print("  ✓ Invalid profile credentials correctly rejected")
+
+      @setup_s3(
+          populate_bucket=[PKGS['A']],
+          profiles={
+              "wrong": {"access_key": "WRONGKEY", "secret_key": "WRONGSECRET"},
+          }
+      )
+      def test_env_vars_precedence(bucket):
+          """Test that environment variables take precedence over profile credentials"""
+          print("\n=== Testing Environment Variables Precedence ===")
+
+          # Use profile with wrong credentials, but provide correct creds via env vars
+          store_url = make_s3_url(bucket, profile="wrong")
+
+          # Ensure package is not in client store
+          verify_packages_in_store(client, PKGS['A'], should_exist=False)
+
+          # This should succeed because env vars (correct) override profile (wrong)
+          output = client.succeed(
+              f"HOME=/root {ENV_WITH_CREDS} nix copy --no-check-sigs --debug --from '{store_url}' {PKGS['A']} 2>&1"
+          )
+          print("  ✓ nix copy succeeded with env vars overriding wrong profile")
+
+          # Verify the credential chain shows Environment provider was added
+          if "Added AWS Environment Credential Provider" not in output:
+              print("Debug output:")
+              print(output)
+              raise Exception("Expected Environment provider to be added to chain")
+          print("  ✓ Environment provider added to credential chain")
+
+          # Clean up the package so we can test again without env vars
+          client.succeed(f"nix store delete --ignore-liveness {PKGS['A']}")
+          verify_packages_in_store(client, PKGS['A'], should_exist=False)
+
+          # Without env vars, same URL should fail (proving profile creds are actually wrong)
+          client.fail(f"HOME=/root nix copy --no-check-sigs --from '{store_url}' {PKGS['A']} 2>&1")
+          print("  ✓ Without env vars, wrong profile credentials correctly fail")
+
+      @setup_s3(
+          populate_bucket=[PKGS['A']],
+          profiles={
+              "testprofile": {"access_key": ACCESS_KEY, "secret_key": SECRET_KEY},
+          }
+      )
+      def test_credential_provider_chain(bucket):
+          """Test that debug logging shows which providers are added to the chain"""
+          print("\n=== Testing Credential Provider Chain Logging ===")
+
+          store_url = make_s3_url(bucket, profile="testprofile")
+
+          output = client.succeed(
+              f"HOME=/root nix store info --debug --store '{store_url}' 2>&1"
+          )
+
+          # For a named profile, we expect to see these providers in the chain
+          expected_providers = ["Environment", "Profile", "IMDS"]
+          for provider in expected_providers:
+              msg = f"Added AWS {provider} Credential Provider to chain for profile 'testprofile'"
+              if msg not in output:
+                  print("Debug output:")
+                  print(output)
+                  raise Exception(f"Expected to find: {msg}")
+              print(f"  ✓ {provider} provider added to chain")
+
+          # SSO should be skipped (no SSO config for this profile)
+          if "Skipped AWS SSO Credential Provider for profile 'testprofile'" not in output:
+              print("Debug output:")
+              print(output)
+              raise Exception("Expected SSO provider to be skipped")
+          print("  ✓ SSO provider correctly skipped (not configured)")
+
       # ============================================================================
       # Main Test Execution
       # ============================================================================
@@ -797,6 +924,9 @@ in
       test_multipart_upload_basic()
       test_multipart_threshold()
       test_multipart_with_log_compression()
+      test_profile_credentials()
+      test_env_vars_precedence()
+      test_credential_provider_chain()
 
       print("\n" + "="*80)
       print("✓ All S3 Binary Cache Store Tests Passed!")