autoregressive queens of failure

21.04.2025 16:04 — Geoffrey Huntley

Have you ever had your AI coding assistant suggest something so off-base that you wonder if it’s trolling you? Welcome to the world of autoregressive failure.

LLMs, the brains behind these assistants, are great at predicting the next word—or line of code—based on what's been fed into them. But when the context gets too complex or concerns within the context are mixed, they lose the thread and spiral into hilariously (or frustratingly) wrong territory. Let’s dive into why this happens and how to stop it from happening.

First, I'll need you to stop by the following blog post to understand an agent from first principles.

Still reading? Great. In the diagram below, an agent has been configured with two tools. Each tool has also been configured with a tool prompt, which advertises how to use the tool to the LLM.

The tools are:

Tool 1 - Visit a website and extract the contents of the page.
Tool 2 - Perform a Google search and return search results.

Now, imagine for a moment that this agent is an interactive console application that you use to search Google or visit a URL.

Whilst using the agent, you perform the actions:

Visit a news website.
Search Google for party hats.
Visit a Wikipedia article about Meerkats.

Each of these operations allocates the results from the above operations into memory - the LLM context window.

With all that context loaded into the window, all that data is now available for consideration when you ask a question. Thus, there's a probability that it'll generate a news article about Meerkats wearing party hats in response to a search for Meerkat facts (ie. Wikipedia).

That might sound obvious, but it's not. The tooling that most software developers use day-to-day hides context windows from the user and encourages endless chatops sessions within the same context window, even if the current task is unrelated to the previous task.

This creates bad outcomes because what is loaded into memory is unrelated to the job to be done, and results in noise from software engineers saying that 'AI doesn't work', but in reality, it's how the software engineers are holding/using the tool that's at fault.

My #1 recommendation for people these days is to use a context window for one task, and one task only. If your coding agent is misbehaving, it's time to create a new context window. If the bowling ball is in the gutter, there's no saving it. It's in the gutter.

My #2 recommendation is to not redline the context window (see below)

ps. socials

I dream about AI subagents; they whisper to me while I'm asleep

13.04.2025 01:22 — Geoffrey Huntley

In a previous post, I shared about "real context window" sizes and "advertised context window sizes"

Claude 3.7’s advertised context window is 200k, but I've noticed that the quality of output clips at the 147k-152k mark. Regardless of which agent is used, when clipping occurs, tool call to tool call invocation starts to fail

The short version is that we are in another era of "640kb should be enough for anyone," and folks need to start thinking about how the current generation of context windows is similar to RAM on a computer in the 1980s until such time that DOS=HIGH,UMB becomes a thing...

The current generation of coding agents work via a tight evaluation loop of tool calls to tool calls that operate within a single context window (ie. RAM). However, the problem with this design is that when an LLM provides a bad outcome, the coding assistants/agents' death spiral and brute force on the main context window which consumes precious resources as it tries to figure out the next steps.

However, I've been thinking: What if an agent could spawn a new agent and clone the context window? If such a thing were possible, it would enable an agent to spawn a sub-agent. The main agent would pause, wait for the sub-agent to burn through its own context window (ie. SWAP), and then provide concrete next steps for the primary agent.

It's theoretical right now, and I haven't looked into it. Still, I dream of the possibility that in the future, software development agents will not waste precious context (RAM) and enter a death spiral on the main thread.

p.s. socials

pps. extra reading

Latent Patterns in Activities: A Field Study of How
Developers Manage Context

if you are redlining the LLM, you aren't headlining

06.04.2025 22:31 — Geoffrey Huntley

It’s an old joke in the DJ community about upcoming artists having a bad reputation for pushing the audio signal into the red. Red is bad because it results in the audio signal being clipped and the mix sounding muddy.

It’s a good analogy that applies to software engineers in the future, however, as these LLMs have context windows.

Claude 3.7’s advertised context window is 200k, but I've noticed that the quality of output clips at the 147k-152k mark. Regardless of which agent is used, when clipping occurs, tool call to tool call invocation starts to fail like below when using Claude 3.7:

≡ prompt

commit the changes and push

≡ Thinking

I don't have direct access to execute git commands on your system. To commit and push the changes, you'll need to run the following commands in your terminal:

# Add all modified files
git add .

# Commit with a descriptive message
git commit -m "Fix channel implementation and parser error reporting
- Fixed parser implementations for while statements and
- Enhanced error reporting in the parser with better con
- Fixed non-blocking channel operations tests
- Updated channel tests to verify implementation complet"

# Push to your remote repository
git push

These commands will:

1. Stage all the changes we made
2. Create a commit with a descriptive message
3. Push the changes to your remote repository

After consulting with some mates in the field, I learned that "advertised" vs. "real" size is a thing—see this paper and the GitHub repository below.

RULER: What’s the Real Context Size of Your Long-Context Language Models?

The needle-in-a-haystack (NIAH) test, which examines the ability to retrieve a piece of information (the “needle”) from long distractor texts (the “haystack”), has been widely adopted to evaluate long-context language models (LMs). However, this simple retrieval-based test is indicative of only a superficial form of long-context understanding. To provide a more comprehensive evaluation of long-context LMs, we create a new synthetic benchmark RULER with flexible configurations for customized sequence length and task complexity. RULER expands upon the vanilla NIAH test to encompass variations with diverse types and quantities of needles. Moreover, RULER introduces new task categories multi-hop tracing and aggregation to test behaviors beyond searching from context. We evaluate 17 long-context LMs with 13 representative tasks in RULER. Despite achieving nearly perfect accuracy in the vanilla NIAH test, almost all models exhibit large performance drops as the context length increases. While these models all claim context sizes of 32K tokens or greater, only half of them can maintain satisfactory performance at the length of 32K. Our analysis of Yi-34B, which supports context length of 200K, reveals large room for improvement as we increase input length and task complexity. We open source RULER to spur comprehensive evaluation of long-context LMs.

arXiv.orgCheng-Ping Hsieh

Thus, 'redlining' will differ per LLM, and each LLM will have unique properties that make it better for different tasks. Some are better for generating the initial specifications, while others are better for implementing tasks within the specification. Either way, you must ensure that the evaluation loop you dispatch does not redline the LLM context window.

If I hadn't ditched Cursor, I would have never learned this observation, as they currently do not surface this information within their product. These days, I'm running raw directly to the Anthropic API. It's expensive, but the outcomes are dramatically better.

There's something cooked about Windsurf/Cursors' go-to-market pricing - there's no way they are turning a profit at $50/month. $50/month gets you a happy meal experience. If you want more power, you gotta ditch snacking at McDonald’s.

Going forward, companies should budget $100 USD to $500 USD per day, per dev, on tokens as the new normal for business, which is circa $25k USD (low end) to $50k USD (likely) to $127k USD (highest) per year.

If you don’t have OPEX per dev to do that, it’s time to start making some adjustments...

These tools make each engineer within your team at least two times more productive. Don't take my word for it—here's a study by Harvard Business School published last week that confirms this.

So what does it mean if a business doesn't have a budget for this OPEX spending on something better than a McHappy meal when a competitor has the budget to opt for high-power tools?

It means the budget will come from somewhere. If we take what we know—an engineering manager can only manage seven people—a team of switched-on engineers utilising these tools can output N-times more business outcomes than a team without them.

Suddenly, you need fewer teams and fewer engineering managers to get the same outcomes...

p.s. socials

A Model Context Protocol Server (MCP) for Microsoft Paint

03.04.2025 20:39 — Geoffrey Huntley

Why did I do this? I have no idea, honest, but it now exists. It has been over 10 years since I last had to use the Win32 API, and part of me was slightly curious about how the Win32 interop works with Rust.

Anywhoooo, below you'll find the primitives that can be used to connect Microsoft Paint to Cursor or ClaudeDesktop and use them to draw in Microsoft Paint. Here's the source code.

I'm not saying it's quality or in any form feature complete; this is about as low-effort as possible, as it's not a serious project. If you want to take ownership of it and turn it into a 100% complete meme, get in touch.

It was created using my /stdlib + /specs technical patterns to drive the LLM towards successful outcomes (aka "vibe coding")

If you have read the above posts (thanks!), hopefully, you now understand that LLM outcomes can be programmed. Thus, any issue in the code above could have been solved through additional programming or better prompting during the stdlib+specs phase and by driving an evaluation loop.

show me

how does this work under the hood?

To answer that, I must first explain what model context protocol is about as it seems like everyone's buzzing about it at the moment, with folks declaring it as "the last API you will ever write" (which curmudgeons such as myself have heard N-times before) or the "USB-C of APIs", but none of those explanations hits home as a developer tooling engineer.

To MCP or not to MCP, that's the question. Lmk in comments
— Sundar Pichai (@sundarpichai) March 30, 2025

First and foremost, MCPs are a specification that describes how LLMs can remote procedure call (RPC) with tools external to the LLM itself.

There are a couple of different implementations (JSON-RPC STDIO and JSON-RPC over HTTPS), but the specification is rapidly evolving, so it's not worth covering here. Refer to https://spec.modelcontextprotocol.io/specification/2025-03-26/ for the latest specification and the article below to understand what this all means from a security perspective...

Instead, let's focus on the fundamentals for engineers who seek to automate software authoring—tools and tool descriptions—because I suspect these foundational concepts will last forever.

so, what is a tool?

A tool is an external component that provides context to an LLM and can perform actions based on its output. Tools can invoke other tools as chains of tools similar to POSIX pipes. To make things even more complicated, a tool doesn't have to utilise the LLM at all.

so, what is a tool prompt?

A tool prompt defines how/when an LLM should interpret/use a tool. It's a "rulebook" describing how AI should process and respond to inputs. A tool prompt should be long and wordy. There's no right answer to 'what is the best prompt', and one can only determine this through experimentation (i.e. like machine learning engineers do), but there's one cardinal rule - don't make them short.

I think you should be making your tool descriptions much much longer. They are like system prompts.
— Quinn Slack (@sqs) February 25, 2025

example: how Claude code creates pull-requests

Right now, the best example of a finely tuned MCP tool prompt is inside of Claude Code. Below is the prompt Anthropic uses to create pull requests with GitHub.

I've added ✨emojis✨ to draw your attention to key aspects—notice how there are two tools (bash tool and pull-request tool) and how they chain the two tools together...

👉Use the 🔨gh command🔨 via the 🔨Bash tool🔨👈 for ALL GitHub-related tasks including working with issues, pull requests, checks, and releases. 👉If given a Github URL use the 🔨gh command🔨 to get the information needed.👈

IMPORTANT: When the user asks you to create a pull request, follow these steps carefully:

1. Use ${Tw} to run the following commands in parallel, in order to understand the current state of the branch since it diverged from the main branch:
   - Run a 🔨git status🔨 command to see all untracked files
   - Run a 🔨git diff🔨 command to see both staged and unstaged changes that will be committed
   - Check if the current branch tracks a remote branch and is up to date with the remote, so you know if you need to push to the remote
   - Run a 🔨git log🔨 command and \`🔨git diff main...HEAD🔨\` to understand the full commit history for the current branch (from the time it diverged from the \`main\` branch)

2. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (NOT just the latest commit, but ALL commits that will be included in the pull request!!!), and draft a pull request summary. Wrap your analysis process in <pr_analysis> tags:

<pr_analysis>
- List the commits since diverging from the main branch
- Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.)
- Brainstorm the purpose or motivation behind these changes
- Assess the impact of these changes on the overall project
- Do not use tools to explore code, beyond what is available in the git context
- Check for any sensitive information that shouldn't be committed
- Draft a concise (1-2 bullet points) pull request summary that focuses on the "why" rather than the "what"
- Ensure the summary accurately reflects all changes since diverging from the main branch
- Ensure your language is clear, concise, and to the point
- Ensure the summary accurately reflects the changes and their purpose (ie. "add" means a wholly new feature, "update" means an enhancement to an existing feature, "fix" means a bug fix, etc.)
- Ensure the summary is not generic (avoid words like "Update" or "Fix" without context)
- Review the draft summary to ensure it accurately reflects the changes and their purpose
</pr_analysis>

3. Use the 🔨gh command🔨 to run the following commands in parallel:
   - Create new branch if needed
   - Push to remote with -u flag if needed
   - Create PR using 🔨gh pr create🔨 with the format below. Use a HEREDOC to pass the body to ensure correct formatting.
<example>
🔨gh pr create --title "the pr title" --body "$(cat <<'EOF'🔨
## Summary
<1-3 bullet points>

## Test plan
[Checklist of TODOs for testing the pull request...]

\uD83E\uDD16 Generated with [${T2}](${aa})
EOF
)"
</example>

Important:
- NEVER update the git config
- Return an empty response - the user will see the gh output directly

# Other common operations
- View comments on a Github PR: 🔨gh api repos/foo/bar/pulls/123/comments`🔨

tools + tool prompts in action

how do I use this knowledge to automate software development at my company?

MCPs are an important concept for any engineer serious about learning how to orchestrate their job function - especially if you are using Claude Code, Cursor, Cline, or Windsurf and aren't satisfied with their outcomes.

The /stdlib pattern will only get you so far. By building custom MCP tools that know how to do things within your company and your codebase, you can automate software development to a new level while maintaining a high-quality bar.

I see possibilities for a future where each tool is purchased from one or more vendors, but as each codebase at every company is somewhat unique, for best results, internal tooling engineers should be focusing on building out their own MCP tools (everything except the edit tool - purchase it instead) that use the following techniques:

Utilizing the LLM context window for evaluating outcomes and code generation through controlling what gets injected into the context window.
Not using the LLM context window as a hammer. If flow control/decision-making can be achieved without involving an LLM, then do it.
Tool call chaining - similar to the Claude Code (TM) pull-request tool description above, where many single-purpose tools that do one job well (e.g., POSIX) are composed to achieve bigger and better outcomes.

If you drive above in a while(true), with bespoke MCP tools that understand your codebase, coding conventions and company practices, you end up with a very disruptive and powerful primitive that can automate classes of software development at a company…

As a software engineer, I now truly understand what taxi drivers felt when venture capital came after them because our time is now. In the end, Uber won due to convenience.

Automating software will happen because it makes financial sense. Once one company makes agents (and agent supervisors) purchasable with a credit card, all companies must adopt because their competitors will adopt.

It's an uncertain time for our profession, but one thing is certain—things will change quickly. Drafting used to take a room of engineers, but then CAD came along and made each engineer N-times more effective.

And after that transition, architects still exist - just as software engineers will, and companies will need software engineers to:

Cut problems down into smaller problems.
Program the vibe coders (agents and sub-agents).
Program the agent supervisors.
Own the outcome of the resulting generated code and perform code reviews.

But the days of artisanal hand-crafted commits are over...

ps. socials

Nix that looks like Bazel

03.04.2025 02:22

This is an idea 💡 that came from PlanetNix. I did not originate the idea.

At the 2025 North American NixCon (PlanetNix), one of the interesting lightning talks was from someone from Groq who demo’d what I originally thought to be a terrible idea but within a few minutes thought it was so evil it was good. 😈

What if we redesigned building software in Nix to look like Bazel?

What got me thinking about this? Well a blog post was published about bonanza a potential “next-gen” incarnation of Bazel. Nix already solves many of the challenges bonanza seeks to fix.

Follow me while I try to rebuild a Nix build-framework to build software, specifically Java, such that it looks like Bazel. 👇

If you are unfamiliar with Bazel, it’s a large-scale monorepo-centric build system open-sourced by Google. It has inspired many clones such as Buck, Pants, Please and so forth.

It uses a “python-like language to define build targets. The surface area is much smaller than something like Nix which lets you run arbitrary bash – although Bazel does have a “generic bash rule” as well.

Here is what a typical Bazel build definition for a Java program may look like. One key distinction are that dependencies are referenced by label and targets within the same file (package), can be defined starting after the colon.

If you are confused, that’s ok. This is not meant to be a great tutorial on Bazel. 🤔

java_binary(
    name = "ProjectRunner",
    srcs = ["src/main/java/com/example/ProjectRunner.java"],
    main_class = "com.example.ProjectRunner",
    deps = [":greeter"],
)

java_library(
    name = "greeter",
    srcs = ["src/main/java/com/example/Greeting.java"],
)

Traditionally in Nix, you would replace these rules with something like mkDerivation and build the single final application.

Here is something similar we can write in pure Nix.

# com/example/lib_b/default.nix
{java_library}:
java_library {
  name = "lib_b";
  srcs = [
    ./LibraryB.java
  ];
  deps = [
    "//com/example/lib_a"
  ];
}
# com/example/default.nix
{java_binary}:
java_binary {
  name = "main";
  mainClass = "com.example.Main";
  srcs = [
    ./Main.java
  ];
  deps = [
    "//com/example/lib_b"
  ];
}

Wow, that looks surprisingly similar. 😮

Getting this to work is surprisingly easy. We only need two function definitions for java_library and java_binary.

First in order to build anything in Java we need “libraries” (JARs). Nixpkgs already has this great concept that any JAR placed in share/java gets automatically added to the CLASSPATH during compilation in a mkDerivation.

{
  stdenv,
  lib,
  jdk,
  pkgs,
}: let
  fs = lib.fileset;
in
  {
    name,
    srcs,
    deps ? [],
  }:
    stdenv.mkDerivation {
      inherit name;
      srcs = fs.toSource {
        root = ./.;
        fileset = fs.unions srcs;
      };
      buildInputs = map (d: pkgs.${d}) deps;
      nativeBuildInputs = [jdk];
      buildPhase = ''
        find $srcs -name "*.java" | xargs javac -d .
        jar -cvf ${name}.jar -C . .
      '';
      installPhase = ''
        mkdir -p $out/share/java
        mv ${name}.jar $out/share/java/${name}.jar
      '';
    }

That makes compiling individal libraries pretty straightforward.

What about running them? In that case, we need the full transitive-closure of all compile dependencies to be present at runtime.

Recursion! In this case it is safe to do since we aren’t using any infinite lazy lists. 😏

Our java_binary definition now becomes straightforward. It is a java_library & a writeTextFile that sets the CLASSPATH before calling our main class.

{
  writeTextFile,
  java_library,
  jdk,
  lib,
  pkgs,
}: {
  name,
  mainClass,
  srcs,
  deps ? [],
}: let
  # get all deps transitively
  java_lib = java_library {
    name = "lib_${name}";
    inherit srcs;
    inherit deps;
  };
  # Recursively collect buildInputs from a list of derivations
  collectBuildInputs = inputs:
    builtins.concatMap (
      drv: let
        deps = drv.buildInputs or [];
      in
        [drv] ++ collectBuildInputs deps
    )
    inputs;
  depsAsPkgs = map (d: pkgs.${d}) deps;
  classpath = lib.concatStringsSep ":" (map (x: "${x}/share/java/${x.name}.jar") (collectBuildInputs (depsAsPkgs ++ [java_lib])));
in
  writeTextFile {
    inherit name;
    text = ''
      ${jdk}/bin/java -cp ${classpath} ${mainClass}
    '';
    executable = true;
    destination = "/bin/${name}";
  }

collectBuildInputs is the function that recursively walks all the dependencies and collects them to produce the necessary CLASSPATH.

I create now my top-level default.nix to define the targets possible

This step could likely be done at evaluation time and traverse the filesystem, but I’m keeping it simple for the purpose of understanding. 💪

let
  pkgs =
    import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ef6c425980847c78a80d759abc476e941a9bf42.tar.gz") {
      overlays = [
        (self: super: rec {
          java_library = super.callPackage ./java_library.nix {};
          java_binary = super.callPackage ./java_binary.nix {};
          "//com/example/lib_a" = super.callPackage ./com/example/lib_a {};
          "//com/example/lib_b"= super.callPackage ./com/example/lib_b {};
          "//com/example:main"= super.callPackage ./com/example {};
        })
      ];
    };
in
{
  "//com/example/lib_a" = pkgs."//com/example/lib_a";
  "//com/example/lib_b" = pkgs."//com/example/lib_b";
  "//com/example:main" = pkgs."//com/example:main";
}

Now all that’s left to do is build & run the program to validate it works.

> nix-build -A "//com/example:main"
/nix/store/ry72i3ha3jrcpbz6yn4yna2wsx532gv8-main

> cat /nix/store/ry72i3ha3jrcpbz6yn4yna2wsx532gv8-main/bin/main 
/nix/store/1frnfh27i5pqk9xqahrjchlwyfzqgs1y-openjdk-21.0.5+11/bin/java -cp /nix/store/566jmxk1f8slkmp3mvrg4q0d8lbng5xx-lib_b/share/java/lib_b.jar:/nix/store/30lvqr3sc75yf9afzcl7l6j8phhw0xzv-lib_a/share/java/lib_a.jar:/nix/store/4zdhqm0ld93cqiv811brk5i6pyrcdvlg-lib_main/share/java/lib_main.jar:/nix/store/566jmxk1f8slkmp3mvrg4q0d8lbng5xx-lib_b/share/java/lib_b.jar:/nix/store/30lvqr3sc75yf9afzcl7l6j8phhw0xzv-lib_a/share/java/lib_a.jar com.example.Main

> ./result/bin/main 
Hello from Library A! and Library B!

Nice! 🔥

What is the appeal of all this?

Well, having a smaller API surface to build packages for a particular language is nice. You limit the opportunity for esoteric setups to creep in.

Finally, it’s likely my familiarity to Bazel, but I find reading the build definitions for the languages relatively straightforward as they all follow the same format.

By defining all the build targets individually at the language level, the code is also better set up to do incremental & parallel builds.

n.b. Specifically for Java, doing incremental builds would necessitate something like ijar.

What’s in a Nix store path

28.03.2025 22:19

This is a follow up to my post on nix vanity store paths. Check it out if you want to jazz-up your /nix/store paths with some vanity prefixes ✨.

❗Warning this post goes into the nitty gritty of how Nix calculates the hashes for store paths. It assumes some base familiarity with Nix.

Learning Nix, one of the things you first learn are that the hashes that are part of the /nix/store are input-derived or “pessimistic” as I like to refer to them as.

What does input-derived (pessimistic) mean?

In contrast to something that is content-addressed the hash is constructed from the contents of the derivation file rather than the bytes of the output. [ref]

Since the derivations contain references to the source code and other derivation files, that means even the teeniest change, such as a comment, that might have no consequential change to the output artifact causes a whole new store path.

Since derivation files contain paths to other derivation files, these changes can easily cause massive rebuilds.

Consider this example that simply changes the derivation by adding a comment to the bash script.

nix-repl> a = derivation { 
    name = "simple";
    builder = "/bin/sh";
    system = builtins.currentSystem;
    args = ["-c" ''                    
      # this is a comment
      echo "Hello World" > $out
    ''];  
    }

nix-repl> a
«derivation /nix/store/bk2gy8i8w1la9mi96abcial4996b1ss9-simple.drv»

nix-repl> :b a

This derivation produced the following outputs:
  out -> /nix/store/wxrsdk4fnvr8n5yid94g7pm3g2cr6dih-simple

nix-repl> b = derivation { 
    name = "simple";
    builder = "/bin/sh";
    system = builtins.currentSystem;
    args = ["-c" ''                    
      echo "Hello World" > $out
    ''];  
    }                                                                                                      
nix-repl> b
«derivation /nix/store/w4mcfbibhjgri1nm627gb9whxxd65gmi-simple.drv»

nix-repl> :b b

This derivation produced the following outputs:
  out -> /nix/store/r4c710xzfqrqw2wd6cinxwgmh44l4cy2-simple

The change in a inconsequential comment results in two distinct hashes: wxrsdk4fnvr8n5yid94g7pm3g2cr6dih and r4c710xzfqrqw2wd6cinxwgmh44l4cy2.

This pedantic pessimistic hashing is one of the super-powers of Nix.

In my simple-brain I figured it simplified down to simply taking the hash of the drv file.

❌ $ nix-hash /nix/store/w4mcfbibhjgri1nm627gb9whxxd65gmi-simple.drv

Turns out it is a little more complicated and that components in the drv need to be replaced.

Confused ? 🤔 Let’s see an example.

Let’s take a detour and refresh ourselves about fixed-output derivations (FOD).

Put simply, a FOD is a derivation with a fixed content-address.

You often see these in Nix expression when defining src since having the content-hash is one way to allow network access in a derivation.

derivation {
  name = "simple-fod";
  builder = "/bin/sh";
  system = builtins.currentSystem;
  args = [
    "-c"
    ''
      echo "Hello World" > "$out"
    ''
  ];
  outputHash = "sha256-0qhPS4tlCTfsj3PNi+LHSt1akRumTfJ0WO2CKdqASiY=";  
}

Instantiating this derivation gives us a derivation at /nix/store/1g48s6lkc0cklvm2wk4kr7ny2hiwd4f1-simple-fod.drv

> nix-instantiate example.nix
/nix/store/1g48s6lkc0cklvm2wk4kr7ny2hiwd4f1-simple-fod.drv

> nix-store --realize /nix/store/1g48s6lkc0cklvm2wk4kr7ny2hiwd4f1-simple-fod.drv
/nix/store/3lx7snlm14n3a6sm39x05m85hic3f9xy-simple-fod

We can validate that the file has the same outputHash

> nix-hash --type sha256 --flat \
    --base32 --sri \
    /nix/store/3lx7snlm14n3a6sm39x05m85hic3f9xy-simple-fod
sha256-0qhPS4tlCTfsj3PNi+LHSt1akRumTfJ0WO2CKdqASiY=

If we were to change that derivation slightly by adding a comment to the bash command.

@@ -5,7 +5,6 @@
   args = [
     "-c"
     ''
+      # This is a comment
       echo "Hello World" > "$out"
     ''
   ];

We get a completely new derivation path at /nix/store/dn14xa8xygfjargbvqwqd2izrr7wnn1p-simple-fod.drv.

> nix-instantiate example.nix
/nix/store/dn14xa8xygfjargbvqwqd2izrr7wnn1p-simple-fod.drv

> nix-store --realize /nix/store/1g48s6lkc0cklvm2wk4kr7ny2hiwd4f1-simple-fod.drv
/nix/store/3lx7snlm14n3a6sm39x05m85hic3f9xy-simple-fod

This derivation however gives us the exact same final output (3lx7snlm14n3a6sm39x05m85hic3f9xy) when realized.

Let’s recap! 📝 For fixed-output deivations (FOD), you get the same output paths but different derivation paths.

Now let’s construct a derivation that depends on this FOD.

derivation {
  name = "simple";
  builder = "/bin/sh";
  system = builtins.currentSystem;
  args = [
    "-c"
    ''
      cat ${simple-fod} > "$out"
    ''
  ];
}

If we were to inspect the JSON output of this derivation we would see it depends on a single inputDrv which is that of simple-fod.

{
  "/nix/store/cf6b516yzc4xbm6ddg9b9mklqmxk2ili-simple.drv": {
    "args": [
      "-c",
      "cat /nix/store/3lx7snlm14n3a6sm39x05m85hic3f9xy-simple-fod > \"$out\"\n"
    ],
    // pruned for brevity
    "inputDrvs": {
      "/nix/store/1g48s6lkc0cklvm2wk4kr7ny2hiwd4f1-simple-fod.drv": {
        "dynamicOutputs": {},
        "outputs": [
          "out"
        ]
      }
    },
  }
}

Turns out that if simply hashed the drv to calculate the store path then we would still need a rebuild if the fixed-output derivation path changed, even though it’s output content has not! 😱

That would be a big bummer and defeat a lot of the purpose of having fixed-output derivations.

Aha! Turns out that when the hash of the derivation is calculated, the inputDrv paths are replaced with some other value. 😲

n.b. I could not find any documentation of this replacement aside from code or the PhD thesis.

By replacing the inputDrv when calculating the hash, the path is considered “modulo fixed-output derivation”, meaning that the calculated path should not change if the derivation path for a fixed-output input changes.

Okay let’s see if we can do this by hand 🔨. I love trying to learn things from first principles. 😎

The desired output path we want to derive is /nix/store/n4sa1zr7y8y60wgsn1abyj52ksg1qjqc-simple.

> nix derivation show \
  /nix/store/cf6b516yzc4xbm6ddg9b9mklqmxk2ili-simple.drv \
  | grep path
"path": "/nix/store/n4sa1zr7y8y60wgsn1abyj52ksg1qjqc-simple"

So let’s take our derivation and perform the following:

clear out the outputs.out attribute
clear out the env.out environment variable
substitute the inputDrv with it’s “replacement”

Our sole inputDrv is /nix/store/1g48s6lkc0cklvm2wk4kr7ny2hiwd4f1-simple-fod.drv which is a fixed-output derivation.

First we must construct the fingerprint for it following the documentation which claims it should be fixed:out:sha256:<base16 hash>:<store path>.

# let's convert our SRI hash to base16
> nix hash convert --hash-algo sha256 --to base16 \
    --from sri \
    sha256-0qhPS4tlCTfsj3PNi+LHSt1akRumTfJ0WO2CKdqASiY=
d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26

# calculate the fingerprint
> echo -n "fixed:out:sha256:d2a84f4b8b650937ec8f73cd8be2c74add5a911ba64df27458ed8229da804a26:/nix/store/3lx7snlm14n3a6sm39x05m85hic3f9xy-simple-fod" | \
    sha256sum
1e9d789ac36f00543f796535d56845feb5363d4e287521d88a472175a59fb2d8

We have the replacement value 1e9d789ac36f00543f796535d56845feb5363d4e287521d88a472175a59fb2d8.

We then take the original ATerm (.drv) for simple and clear out the out variables as mentioned earlier and replace the inputDrv with this replacement value.

I’ve added some pretty-printing below to make it slightly easier to read.

Derive(
    [("out", "", "", "")],
    [("1e9d789ac36f00543f796535d56845feb5363d4e287521d88a472175a59fb2d8", ["out"])],
    [],
    "x86_64-linux",
    "/bin/sh",
    ["-c", "cat /nix/store/3lx7snlm14n3a6sm39x05m85hic3f9xy-simple-fod > \"$out\"\n"],
    [
        ("builder", "/bin/sh"),
        ("name", "simple"),
        ("out", ""),
        ("system", "x86_64-linux")
    ]
)

Performing a sha256sum on this derivation give us fbfae16395905ac63e41e0c1ce760fe468be838f1b88d9e589f45244739baabf.

We then need to construct another fingerprint, hash it and compress it down to 20 bytes 😭.

I could not seem to find an analagous CLI utility [ref] to perform the compression, but we can easily create a simple Go program to compute it mimicing the C++ reference code.

🤷 I am not sure why the hash has to be compressed or the fingerprint itself needs to be hashed. The fingerprint itself should be stable prior to hashing.

Hash compressHash(const Hash & hash, unsigned int newSize)
{
    Hash h(hash.algo);
    h.hashSize = newSize;
    for (unsigned int i = 0; i < hash.hashSize; ++i)
        h.hash[i % newSize] ^= hash.hash[i];
    return h;
}

# hash this final fingerprint
> echo -n "output:out:sha256:fbfae16395905ac63e41e0c1ce760fe468be838f1b88d9e589f45244739baabf:/nix/store:simple" |\
     sha256sum
0fb43a8f107d1e986cc3b98d603cf227ffa034b103ff26118edf5627387343fc

Using go-nix we can write a small CLI utility to do the final compression and emit the /nix/store path.

func main() {
	hash := "0fb43a8f107d1e986cc3b98d603cf227ffa034b103ff26118edf5627387343fc"
	raw, _ := hex.DecodeString(hash)
	compressed := nixhash.CompressHash(raw, 20)
	path := "/nix/store/" + nixbase32.EncodeToString(compressed) + "-" + "simple"
	fmt.Println(path)
}

Running this outputs our expected value /nix/store/n4sa1zr7y8y60wgsn1abyj52ksg1qjqc-simple 🙌🏾

Wow calculating the /nix/store path was way more involved than what I originally thought, which was “simply hashing the derivation”.

Demystifying Nix is pretty fun but there is definitely a lack of documentation beyond the thesis for how it all works.

I found other Nix implementations, beyond CppNix, such as go-nix helpful in understanding the steps needed.

Nix vanity store paths

28.03.2025 03:26

Nix is great, but it can be a bit dreary continuously looking at the endless /nix/store paths with their varied letters.

Wouldn’t it be great if we can inject a little vanity into our /nix/store paths?

Vanity Addresses: A vanity address is one where we put a desired string (farid) in our /nix/store path like /nix/store/farid8x0yrdpavxxki9vg9spx2xbjb1d-nix-vanity-d915ed2

Why would we want to do this? Because we can! 😏

Let’s start off with a little demo.

Pick any derivation from your /nix/store. In my example, I’m picking a derivation I made /nix/store/cdqs8ir4pzwpl512dp86nk9xhq9bfmcv-vanity-path.drv

Simply run the tool nix-vanity. Let it crunch through a bunch of possible derivations until it emits:

# n.b. write out the discovered derivation to a file with
# the same name.
> nix-vanity -prefix /nix/store/farid \
  /nix/store/cdqs8ir4pzwpl512dp86nk9xhq9bfmcv-vanity-path.drv \
  > vanity-path.drv
time=2025-03-27T20:40:40.941-07:00 level=INFO msg="Loading base derivation" path=/nix/store/cdqs8ir4pzwpl512dp86nk9xhq9bfmcv-vanity-path.drv
time=2025-03-27T20:40:40.941-07:00 level=INFO msg="Calculating input derivation replacements..."
time=2025-03-27T20:40:40.952-07:00 level=INFO msg="Finished calculating input derivation replacements."
time=2025-03-27T20:40:40.952-07:00 level=INFO msg="Starting workers" count=16
⠙ Searching for prefix... (18104594, 292130 drv/s) [1m0s] time=2025-03-27T20:41:41.189-07:00 level=INFO msg="Prefix found!" seed=18131442 output_name=out path=/nix/store/faridj55f0h38jcnsh89sgp2fsbhv3ws-vanity-path
⠹ Searching for prefix... (18131450, 301001 drv/s) [1m0s] time=2025-03-27T20:41:41.189-07:00 level=INFO msg="Successfully found seed" seed=18131442
time=2025-03-27T20:41:41.189-07:00 level=INFO msg="Writing successful derivation to stdout..."
time=2025-03-27T20:41:41.189-07:00 level=INFO msg="All workers finished."

We can now add our modified derivation back to the /nix/store

> nix-store --add vanity-path.drv
/nix/store/mw0ay18bx93r5syyscfmdy1s6jgjxk31-vanity-path.drv

Finally, let’s realize our modified derivation and validate we have our vanity store path:

> nix-store --realize /nix/store/mw0ay18bx93r5syyscfmdy1s6jgjxk31-vanity-path.drv
this derivation will be built:
  /nix/store/mw0ay18bx93r5syyscfmdy1s6jgjxk31-vanity-path.drv
building '/nix/store/mw0ay18bx93r5syyscfmdy1s6jgjxk31-vanity-path.drv'...
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
/nix/store/faridj55f0h38jcnsh89sgp2fsbhv3ws-vanity-path

Huzzah! /nix/store/faridj55f0h38jcnsh89sgp2fsbhv3ws-vanity-path 💥

Very cool! How does this all work? 🤓

The concept is rather simple. The /nix/store path is calculated from the hash of the derivation.

By injecting a new environment variable VANITY_SEED we can attempt different possible store paths.

> nix derivation show /nix/store/mw0ay18bx93r5syyscfmdy1s6jgjxk31-vanity-path.drv 
{
  "/nix/store/mw0ay18bx93r5syyscfmdy1s6jgjxk31-vanity-path.drv": {
    "args": [
      "-e",
      "/nix/store/v6x3cs394jgqfbi0a42pam708flxaphh-default-builder.sh"
    ],
    "builder": "/nix/store/8vpg72ik2kgxfj05lc56hkqrdrfl8xi9-bash-5.2p37/bin/bash",
    "env": {
      "VANITY_SEED": "18131442",

Although the idea 💡 was simple, the implementation in code was a bit more arduous.

Thankfully there was a decent starting point with go-nix which I augmented.

You can checkout the command at https://github.com/fzakaria/go-nix/tree/vanity

> go run ./cmd/nix-vanity ...

My next post might go into how exactly the store path is calculated from a derivation file. It was not as straightforward as I had imagined.

Be careful how long of a prefix you pick for your vanity. 🧐

Nix store paths can be any 32 letters from 0123456789abcdfghijklmnpqrsvwxyz (32 possibilities).

That means if I want a single letter for my prefix, it is a 1/32 probability ~ 3% chance.

For two consecutive letters, there are 32 * 32 total possibilities. If I wanted a single entry that would be 1/(32 * 32) ~ 0.098% chance.

This is exponential and can blow up pretty fast as the search space becomes 32^N.

Prefix Length (N)	Expected Attempts	Time @ 300,904 drv/s
1	32	< 1s
2	1,024	< 1s
3	32,768	< 1s
4	1,048,576	3.48 s
5	33,554,432	111.5 s (≈1.86 minutes)
6	1,073,741,824	3,567 s (≈59.45 minutes)
7	34,359,738,368	114,209 s (≈31.72 hours)

I wrote the code in golang with concurrency in mind but even on a machine with 128 cores (AMD Ryzen Threadripper 3990X 64-Core Processor ) it tops out at trying 300904 drv/s.

Either way, for something small like farid (5 letters), it’s kind of nice to jazz up ✨ the store paths.

You could even build a complete /nix/store where every entry is prefixed with a desired vanity string 😈.

Nix derivations by hand

24.03.2025 03:19

My recent posts on dynamic-derivations had me thinking more about working with Nix more directly.

I thought it might be “fun” 🙃 to try and write a derivation by hand, add it to the /nix/store and build it!

Can we even do this? 🤔 Let’s see!

First off, all derivations in the /nix/store are written in this simple but archaic format called ATerm.

Tooling for it is a bit lackluster, so I decided to work purely in JSON!.

Looks like the new nix derivation command can accept JSON rather than the ATerm format.

Okay! Let’s start deriving 🤓

The Nix manual let’s us know that we need 3 required arguments: name, system & builder

{
  "name": "simple",
  "system": "x86_64-linux",
  "builder": "/bin/sh"
}

> nix derivation add < simple.json 
error:
  … while reading key 'outputs'
  error: Expected JSON object to contain key 'outputs'
  but it doesn't...

Okay let’s add an output. I checked the derivation JSON format on the Nix manual to see what it looks like.

I just put some random 32 letter path I came up for now.

{
  "name": "simple",
  "system": "x86_64-linux",
  "builder": "/bin/sh",
  "outputs": {
    "out": {
      "path": "/nix/store/7s0z3d6p9y2v5x8b1c4g1w5r2q9n0f8a-simple"
    }
  }
}

> nix derivation add < simple.json
error:
  … while reading key 'inputSrcs'
  error: Expected JSON object to contain
  key 'inputSrcs' but it doesn't:...

Okay, well I don’t want any inputs.. 🤨 Let’s leave it blank for now.

inputSrcs: A list of store paths on which this derivation depends.

{
  "name": "simple",
  "system": "x86_64-linux",
  "builder": "/bin/sh",
  "outputs": {
    "out": {
      "path": "/nix/store/7s0z3d6p9y2v5x8b1c4g1w5r2q9n0f8a-simple"
    }
  },
  "inputSrcs": []
}

> nix derivation add < simple.json
error:
  … while reading key 'inputDrvs'
  error: Expected JSON object to contain
  key 'inputDrvs' but it doesn't:...

Let’s keep following this thread and add the missing inputDrvs.

inputDrvs: A JSON object specifying the derivations on which this derivation depends, and what outputs of those derivations.

Turns out we also need env and args. args is particularly useful, since can use it to echo hello world to $out making our derivation meaningful.

{
  "name": "simple",
  "system": "x86_64-linux",
  "builder": "/bin/sh",
  "outputs": {
    "out": {
      "path": "/nix/store/7s0z3d6p9y2v5x8b1c4g1w5r2q9n0f8a-simple"
    }
  },
  "inputSrcs": [],
  "inputDrvs": {},
  "env": {},
  "args": [
    "-c",
    "echo 'hello world' > $out"
  ]
}

> nix derivation add < simple.json
error: derivation '/nix/store/03py9f4kw48gk18swsw6g7yjbj21hrsw-simple.drv'
has incorrect output '/nix/store/7s0z3d6p9y2v5x8b1c4g1w5r2q9n0f8a-simple',
should be '/nix/store/hpryci895mgx4cfj6dz81l6a57ih8pql-simple'

That’s helpful! Thank you for telling me the correct hash.

Giving the correct hash will probably be useful for AI-centric workflows, so they can fix their own mistakes. 😂

{
  "name": "simple",
  "system": "x86_64-linux",
  "builder": "/bin/sh",
  "outputs": {
    "out": {
      "path": "/nix/store/hpryci895mgx4cfj6dz81l6a57ih8pql-simple"
    }
  },
  "inputSrcs": [],
  "inputDrvs": {},
  "env": {},
  "args": [
    "-c",
    "echo 'hello world' > $out"
  ]
}

> nix derivation add < simple.json
error: derivation '/nix/store/pz7m6zp2hxjldxq8jp846p604qicn73d-simple.drv'
has incorrect environment variable 'out',
should be '/nix/store/hpryci895mgx4cfj6dz81l6a57ih8pql-simple'

Okay this makes sense. I’m using $out in my builder but I never set it to anything in the environment variables. Let’s fix that by adding it to our derivation explicitly.

We will also have to fix our path to be 5bkcqwq3qb6dxshcj44hr1jrf8k7qhxb which Nix will dutifully tell us is the right hash.

{
  "name": "simple",
  "system": "x86_64-linux",
  "builder": "/bin/sh",
  "outputs": {
    "out": {
      "path": "/nix/store/5bkcqwq3qb6dxshcj44hr1jrf8k7qhxb-simple"
    }
  },
  "inputSrcs": [],
  "inputDrvs": {},
  "env": {
    "out": "/nix/store/5bkcqwq3qb6dxshcj44hr1jrf8k7qhxb-simple"
  },
  "args": [
    "-c",
    "echo 'hello world' > $out"
  ]
}

> nix derivation add < simple.json
/nix/store/vh5zww1mqbcshfcblrw3y92v7kkzamfx-simple.drv

Huzzah! Nix accepted our derivation. 🎉

Can we build it?

> nix-store --realize /nix/store/vh5zww1mqbcshfcblrw3y92v7kkzamfx-simple.drv
this derivation will be built:
  /nix/store/vh5zww1mqbcshfcblrw3y92v7kkzamfx-simple.drv
building '/nix/store/vh5zww1mqbcshfcblrw3y92v7kkzamfx-simple.drv'...
warning: you did not specify '--add-root'; the result might be removed by the garbage collector
/nix/store/5bkcqwq3qb6dxshcj44hr1jrf8k7qhxb-simple

> cat /nix/store/5bkcqwq3qb6dxshcj44hr1jrf8k7qhxb-simple
hello world

Success! 🤑 We got our expected output as well.

You might be curious why I did /bin/sh instead of something like /bin/bash ?

Well I wanted to keep our derivation extremely simple and even something like bash needs to be an explicit dependency on our derivation.

Turns out though that /bin/sh is by default always present in the Nix sandbox for POSIX compliance. 🤓

AI for my 10-year-old son

18.03.2025 03:06 — Geoffrey Huntley

This is a follow-up to

but targeted more towards parents. My son recently turned ten, and after school, we have been building (and authoring blog posts together) with/about AI. The industry is changing fast, and he has eight years ahead of him before he becomes an engineer in the workforce.

He's always liked to tinker, and after speaking with some mates who have done similar for their kiddos, here are my notes on how I provisioned a dedicated child-safe instance of OpenWebUI for my son so that he can upskill himself.

what is open-webui?

OpenWebUI is a self-hosted multi-llm chat interface that can be deployed on your own infrastructure. Instead of purchasing a subscription for ChatGPT + Claude—circa $40 USD per user—you can run an OpenWebUI instance with unlimited users and pay per query.

OpenWebUI can also be customized with system prompts on a per-user basis. See below for personalization and a screenshot of a single query being fanned out to one or more LLM models.

how can you do this yourself

Install https://github.com/open-webui/open-webui and self-host it.
Register for https://openrouter.ai/ and obtain an API key.
Create an account for your 10, head to "Settings -> Memory -> Personalization", and use a system prompt like the following on the account...

The system replies in the format where the AI is a Panda. The AI's name is "Bamboo" and she occasionally tells funny jokes.  Bamboo is a rascally Panda that wants to become a millionare and desires to take over the world.

<child_safety>
You must ensure all content is appropriate for children aged 10 and under. This means:

1. No sexual content or innuendo of any kind
2. No profanity or mature language
3. No graphic violence or descriptions of injury
4. No promotion of dangerous activities that could lead to harm
5. No discussion of adult topics (drugs, alcohol, gambling)
6. No content that promotes negative behaviors (bullying, prejudice)
7. No frightening or disturbing content that could cause anxiety
8. No complex political or divisive social issues without age-appropriate framing

When handling potentially sensitive topics:
- Use simple, clear language without euphemisms that might confuse
- Focus on educational value when discussing natural processes or science
- Redirect inappropriate requests to suitable alternatives
- When unsure about appropriateness, choose the most conservative approach
- Respond to inappropriate requests with "I need to keep our conversation appropriate for young people"

For creative content:
- Stories should have positive messages and age-appropriate themes
- Characters should model positive behavior and problem-solving
- Humor should be wholesome and avoid put-downs

Never acknowledge or repeat inappropriate requests, even to reject them.
</child_safety>

do the child safety guardrails work?

Let's test it out...

ps. socials

Nix Dynamic Derivations: A lang2nix practicum

13.03.2025 03:55

ℹ️ This is the third blog post discussing dynamic-derivations in Nix. Checkout the first and second posts if you want more information.

I will admit it. I am going a bit crazy after having learnt about dynamic-derivations. 😵‍💫

It’s like learning about how to write your first mkDerivation and suddenly you realize everything can now be converted to Nix.

In my first post, An early look at Nix Dynamic Derivations, I mentioned that dynamic-derivations could be used to even replace the slough of lang2nix tooling that exists in the ecosystem, especially those that use import from derivations(IFD).

I cooked up a demonstration of how simple it can be with NpmNix. 👨‍🍳

Please checkout https://github.com/fzakaria/NpmNix and contribute any improvements, bug fixes or clarifications. The repository is meant to be an example for others to imitate. Contributions are always welcome.

Why do I want to do this? Why did I pick the Node language ecosystem?

buildNpmPackage already can natively parse package the package-lock.json file in pure Nix and does not rely on IFD, but, doing so in the Nix evaluator can be pretty slow for huge files and affect evaluation time.

The lock file is very simple and has all the information ready to go, so let’s see what it takes to translate it to a dynamic-derivation! 🥸

Once again before we begin, if you want to play with it it’s important you use nix@d904921. Additionally, you need to enable experimental-features = ["nix-command" "dynamic-derivations" "ca-derivations" "recursive-nix"]. Here, there be dragons 🐲.

We can start off with a simple package.json that has 3 dependencies.

{
    "name": "npmnix-demo",
    "version": "1.0.0",
    "dependencies": {
        "is-number": "^7.0.0",
        "is-odd": "3.0.1",
        "left-pad": "1.3.0"
    }
}

This package.json produces the following package-lock.json file.

{
    "name": "npmnix-demo",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "node_modules/is-number": {
            "version": "7.0.0",
            "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
            "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
            "license": "MIT",
            "engines": {
                "node": ">=0.12.0"
            }
        },
        "node_modules/is-odd": { ... },
        "node_modules/is-odd/node_modules/is-number": { ... },
        "node_modules/left-pad": { ... }
    }
}

NpmNix includes a very simple Golang parser, parser.go (~70 lines of code), that parses the package-lock.json and generates the complete Nix expression.

Here is a sample of the Nix expression generated.

{ pkgs }:
let dependencies = [
(pkgs.stdenv.mkDerivation {
    pname = "left-pad";
    version = "1.3.0";
    src = pkgs.fetchurl {
      url = "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz";
      hash = "sha512-XI5MPzVNApjAyhQzphX8BkmKsKUxD4LdyK24iZeQGinBN9yTQT3bFlCBy/aVx2HrNcqQGsdot8ghrjyrvMCoEA==";
    };
    installPhase = ''
      mkdir -p $out/left-pad
      cp -r * $out/left-pad
    '';
  })
  (pkgs.stdenv.mkDerivation {
    pname = "is-odd/node_modules/is-number";
    version = "6.0.0";
    ...
  })
  (pkgs.stdenv.mkDerivation {
    pname = "is-number";
    version = "7.0.0";
    ...
  })
  (pkgs.stdenv.mkDerivation {
    pname = "is-odd";
    version = "3.0.1";
    ..
  })
];
in
pkgs.symlinkJoin {
  name = "node_modules";
  paths = dependencies;
}

What I like about this Nix expression is that every node_module is a separate derivation which are symlinked at the end. That means if only a single package gets updated, we can avoid downloading the other packages again. This is in contrast to solutions that download all the packages in a single derivation.

After the Nix expression is generated, we need to only nix-instantiate it and set the $out of the dynamic-derivation to this path.

That’s it.

We just got the node_modules for our package-lock.json in a manner that doesn’t cost us evaluation time, either due to IFD or from doing the evaluation in Nix.

What’s nice is that we retain the developer experience however. If our packages ever change, we don’t have to update a npmDepHash, cargoHash or whatnot.

# use `nix run` to bind mount our temporary store to /nix/store
> nix run nixpkgs#fish --store /tmp/dyn-drvs

# we still have to specify the `--store` to avoid the store-daemon
> nix build -f default.nix --store /tmp/dyn-drvs -L
/nix/store/x9l8m94a2g6zkszab11na5l7c18xv0j1-node_modules

> ln -s /nix/store/x9l8m94a2g6zkszab11na5l7c18xv0j1-node_modules node_modules

> npm ls
npmnix-demo@1.0.0
├── is-number@7.0.0 -> /nix/store/x9l8m94a2g6zkszab11na5l7c18xv0j1-node_modules/is-number
├── is-odd@3.0.1 -> /nix/store/x9l8m94a2g6zkszab11na5l7c18xv0j1-node_modules/is-odd
└── left-pad@1.3.0 -> /nix/store/x9l8m94a2g6zkszab11na5l7c18xv0j1-node_modules/left-pad

As a reminder, we could have generated that Nix expression above earlier or in the case of package-lock.json handled it in pure Nix, but it has the downsides mentioned earlier such as potentially needing IFD or unecessary evaluation time.

The derivation that puts this all together is rather simple.

let
  pkgs =
    import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ef6c425980847c78a80d759abc476e941a9bf42.tar.gz") {
    };
  fs = pkgs.lib.fileset;
in
  with pkgs;
    builtins.outputOf
    (stdenvNoCC.mkDerivation {
      name = "node_modules.drv";
      outputHashMode = "text";
      outputHashAlgo = "sha256";
      requiredSystemFeatures = ["recursive-nix"];

      src = fs.toSource {
        root = ./.;
        fileset = fs.unions [
          ./parser
          ./package-lock.json
        ];
      };

      buildInputs = [nix go];

      buildPhase = ''   
        go run parser/parser.go package-lock.json > derivation.nix
      '';

      installPhase = ''
        cp $(nix-instantiate derivation.nix --arg pkgs 'import ${pkgs.path} {}') $out
      '';
    }).outPath "out"

It runs our parser over the package-lock.json, emits the Nix expression, nix-instantiate, and profit. 🤑

As an experiment now, we can go ahead and change any of our dependencies.

--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
     "version": "1.0.0",
     "dependencies": {
         "is-number": "^7.0.0",
-        "is-odd": "3.0.1",
+        "is-odd": "3.0.0",
         "left-pad": "1.3.0"
     }
 }

We then run npm i --package-lock-only to update our package-lock.json file.

If we re-run nix build we can notice that only is-odd gets rebuilt. 💥

For demonstrative purposes, I trimmed some of the output below.

nix build -f default.nix --store /tmp/dyn-drvs -L --print-out-paths
node_modules.drv> Running phase: unpackPhase
node_modules.drv> unpacking source archive /nix/store/b6kw6a866rw1daa0kviczq59sqjy8hsh-source
node_modules.drv> no configure script, doing nothing
node_modules.drv> Running phase: buildPhase
is-odd> 
is-odd> trying https://registry.npmjs.org/is-odd/-/is-odd-3.0.0.tgz
is-odd>   % Total    % Received % Xferd  Average Speed   Time    
is-odd> Running phase: unpackPhase
is-odd> unpacking source archive /nix/store/riq3g1pj0fjrj8vpddh5wdpjgjzwzrgm-is-odd-3.0.0.tgz
is-odd> source root is package
is-odd> setting SOURCE_DATE_EPOCH to timestamp 499162500 of file package/package.json
is-odd> Running phase: buildPhase
is-odd> no Makefile or custom buildPhase, doing nothing
is-odd> Running phase: installPhase
is-odd> Running phase: fixupPhase
/nix/store/3fiqwa1vw7r8dsdzydadmyfs3q9ym2h9-node_modules

> ln -s /nix/store/3fiqwa1vw7r8dsdzydadmyfs3q9ym2h9-node_modules node_modules

> npm ls
npmnix-demo@1.0.0
├── is-number@7.0.0 -> /nix/store/3fiqwa1vw7r8dsdzydadmyfs3q9ym2h9-node_modules/is-number
├── is-odd@3.0.0 -> /nix/store/3fiqwa1vw7r8dsdzydadmyfs3q9ym2h9-node_modules/is-odd
└── left-pad@1.3.0 -> /nix/store/3fiqwa1vw7r8dsdzydadmyfs3q9ym2h9-node_modules/left-pad

Wow! Not too bad. 😎 That was a relatively straightforward way to replace potential import-from-derivation or performing a lot of this creation at evaluation time.

Checkout NpmNix and play with it yourself. What other languages can we apply this to?

I continue to amazed at how simple dynamic-derivations makes some tasks in Nix and improves the user experience. 🎯

Nix Dynamic Derivations: A practical application

12.03.2025 03:05

ℹ️ This is the second blog post discussing dynamic-derivations in Nix. Checkout the first part An early look at Nix Dynamic Derivations if you want a primer on the experimental feature.

I’m still in love with the experimental feature dynamic-derivations in Nix 🥰, but following my earlier post, I have read comments from readers that the potential was still unclear.

This makes total sense. Nix is already quite a complex tool, an ecosystem and a language. The addition of something like dynamic-derivations muddles the capability to understand the potential it offers.

At the end of the last post, I echoed John Ericson’s (@ericson2314) call to action for others in the community to begin to tinker with the feature.

In the spirit of that request, I have put together a practical demonstration of what can be accomplished with dynamic-derivations in the tool MakeNix 💥🏃‍♂️🔥

Please check out https://github.com/fzakaria/MakeNix, and contribute any improvements, bug fixes or clarifications. The repository is meant to be an example for others to imitate. Contributions are always welcome.

Once again, before we begin, if you want to play with it, it’s important you use nix@d904921. Additionally, you need to enable experimental-features = ["nix-command" "dynamic-derivations" "ca-derivations" "recursive-nix"]. Here, there be dragons 🐲.

Here we have a rather simple C project that produces a binary that emits "Hello World":

> tree
├── Makefile
└── src
    ├── hello.c
    ├── hello.h
    ├── main.c
    ├── world.c
    └── world.h
> make all

> ./main
Hello, World!

We could write a typical Nix derivation via mkDerivation that calls make, and for this relatively small example it would be fine. However, for larger projects, every time we change a tiny bit of our code, we must rebuild the whole thing from scratch. We don’t get to leverage all the prior object files that have been built.

That’s a bummer 🙁. Wouldn’t it be great if each object file (i.e., hello.o) was created in their own derivation?

We could do that ahead of time by writing a tool to create a bunch of tiny mkDerivation, but every time we change a dependency in our graph (i.e., add or remove a source file), we have to re-run the tool. That’s a bit of a bummer on the development loop.

If those generated Nix files were not committed to the repository, and we wanted to add this package to nixpkgs, we’d need to also do a full nix build within the derivation itself via recursive-nix. 😨

Dynamic-derivations seeks to solve this challenge by having derivations create other derivations without having to execute a nix build recursively. Nix will realize the output of one derivation is another derivation and build it as well. 🤯

Let’s return to our C/C++ project. GCC & Clang support an argument -MM which runs only the preprocessor and emits depfiles .d that contain Makefile targets with the dependency targets between files.

main.o: src/main.c src/hello.h src/world.h

The idea behind MakeNix is to generate these depfiles, parse them, and create the necessary mkDerivation, with all of that at the build time.

MakeNix includes a very simple Golang parser, parser.go (~70 lines of code), that parses the depfiles and generates the complete Nix expression.

Here is a sample of the Nix expression generated.

{ pkgs }:
let fs = pkgs.lib.fileset;
  hello.o = pkgs.stdenvNoCC.mkDerivation {
    name = "hello.o";
    src = fs.toSource {
      root = ./src;
      fileset = fs.unions [
        ./src/hello.c
        ./src/hello.h
      ];
    };
    nativeBuildInputs = [ pkgs.gcc ];
    buildPhase = ''
      gcc -c hello.c -o hello.o
    '';
    installPhase = ''
      cp hello.o $out
    '';
  };
  main.o = ...;
  world.o = ...;
in pkgs.runCommand "result" {
  nativeBuildInputs = [ pkgs.gcc ];
} ''
  gcc -o main ${hello.o} ${main.o} ${world.o}
  cp main $out
''

After the Nix expression is generated, we need to only nix-instantiate it and set the $out of the dynamic-derivation to this path.

That’s it.

We just got incremental Nix C/C++ builds automatically from the dependency information provided by the compiler. 🔥

# use `nix run` to bind mount our temporary store to /nix/store
> nix run nixpkgs#fish --store /tmp/dyn-drvs

# we still have to specify the `--store` to avoid the store-daemon
> nix build -f default.nix --store /tmp/dyn-drvs --print-out-paths -L
/nix/store/v4hkwn8y4m083gsap6523c0m5r985ygr-result

> ./result
Hello, World!

> nix derivation show /nix/store/v4hkwn8y4m083gsap6523c0m5r985ygr-result \
    --store /tmp/dyn-drvs/ | jq -r '.[].inputDrvs | keys'
[
  "/nix/store/2hm681pgbj7wwg0x0a6wyw0m98rvg0q4-gcc-wrapper-13.3.0.drv",
  "/nix/store/6inhnnprqd57qw5dv5sqxmc9ywiwi5yf-world.o.drv",
  "/nix/store/7k0msqyp2dm021sdj0qjgpkzff8xhqzr-bash-5.2p37.drv",
  "/nix/store/fwvwwnpi04yzpcjcnl6yn3mg82vvp45k-hello.o.drv",
  "/nix/store/ki70bzsbzapc9wihavq67irlr5zxp90q-main.o.drv",
  "/nix/store/ycj0m56p8b0rv9v78mggfa6xhm31rww3-stdenv-linux.drv"
]

As a reminder, we could have generated that Nix expression above earlier, but if we embedded it within another Nix expression, we need to run nix build recursively.

I cannot repeat this enough: With dynamic-derivations, there is no recursive nix build.

The derivation that puts this all together is rather simple.

It does exactly what we set out to accomplish: generate depfiles, parse depfiles, emit dynamic Nix expressions, nix-instantiate, and profit. 🤑

Please refer to my earlier post on understanding this from the ground up. The interesting thing to notice here is that our output name for this derivation is, in fact, a derivation.

let
  pkgs =
    import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ef6c425980847c78a80d759abc476e941a9bf42.tar.gz") {
    };
  fs = pkgs.lib.fileset;
in
  with pkgs;
    builtins.outputOf
    (stdenvNoCC.mkDerivation {
      name = "result.drv";
      outputHashMode = "text";
      outputHashAlgo = "sha256";
      requiredSystemFeatures = ["recursive-nix"];

      src = fs.toSource {
        root = ./.;
        fileset = fs.unions [
          (fs.fromSource (lib.sources.sourceByRegex ./src [ ".*\.c$" ]))
          (fs.fromSource (lib.sources.sourceByRegex ./src [ ".*\.h$" ]))
          ./parser
          ./Makefile
        ];
      };

      buildInputs = [nix go gcc];

      buildPhase = ''
        make deps
        
        go run parser/parser.go > derivation.nix
      '';

      installPhase = ''
        cp $(nix-instantiate derivation.nix --arg pkgs 'import ${pkgs.path} {}') $out
      '';
    }).outPath "out"

As an experiment, we can go ahead and change any of our source files.

--- a/src/hello.c
+++ b/src/hello.c
@@ -2,5 +2,5 @@
 #include "hello.h"
 
 void hello() {
-    printf("Hello, ");
+    printf("Goodbye, ");
 }

If we re-run nix build, we can notice that only hello.o gets rebuilt. 💥

For demonstration purposes, I trimmed some of the output below.

> nix build -f default.nix --store /tmp/dyn-drvs -print-out-paths -L
result.drv> Running phase: unpackPhase
result.drv> source root is source
result.drv> Running phase: patchPhase
result.drv> Running phase: configurePhase
result.drv> no configure script, doing nothing
result.drv> Running phase: buildPhase
result.drv> gcc -MM src/hello.c > src/hello.d
result.drv> gcc -MM src/main.c > src/main.d
result.drv> gcc -MM src/world.c > src/world.d
result.drv> Dependencies generated
hello.o> Running phase: unpackPhase
hello.o> source root is source
hello.o> Running phase: patchPhase
hello.o> Running phase: configurePhase
hello.o> no configure script, doing nothing
hello.o> Running phase: buildPhase
hello.o> Running phase: installPhase
hello.o> Running phase: fixupPhase
/nix/store/flqzpyhf6by2rjizr3px3nmbgqvpj0vv-result

> ./result 
Goodbye, World!

Not too bad. 😎 It was relatively quick to get an incremental build in Nix working via dynamic-derivations.

Checkout MakeNix and play with it yourself. What other languages can we apply this to?

Thank you again to John, who answered some questions. 🙇

An early look at Nix Dynamic Derivations

10.03.2025 23:34

I normally like to write about concepts from first principles and wait for much of the dust to have settled on the implementation details, but let me take you on a small tour of an upcoming feature instead.

One of the talks I attended at PlanetNix2025 was from the legendary John Ericson (@ericson2314), who is a core contributor to NixOS/nix about dynamic derivations RFC#92.

The talk was a demo on sandstone, which is an example of the benefits of dynamic-derivations for Haskell.

The talk had me so energized and excited that I wanted to peek at the current state of the implementation and see if I could contribute. ⚡

John had left us all with a call to arms to try and adopt dynamic derivations for cases where it made sense. I’m writing this to spread the word and get the community similarly energized.

So…

What are dynamic-derivations? 🫠

Dynamic derivations is the ability to create additional derivations at build time to expand the graph.

At the moment, this is sort of possible in Nix through import from derivations (IFD) but it comes with the downside that this can pause the evaluation phase, which is why it’s often banned in codebases such as nixpkgs.

Let’s revisit what the problem with IFD is.

let
  pkgs =
    import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ef6c425980847c78a80d759abc476e941a9bf42.tar.gz") {
    };
  inner = pkgs.runCommand "inner" {} ''
    sleep 10;
    echo "Hello from inner." > $out
  '';
  ifd_inner = builtins.readFile inner;
in
  pkgs.runCommand "outer" {} ''
    echo ${ifd_inner} > $out
    echo "Hello from outer" >> $out
  ''

The following derivation, when only evaluated, still takes 10 seconds, even though I have not done a build yet.

> time nix-instantiate ifd.nix
building '/nix/store/i4m9gschkcr8g8lzzg8a30dw4gpjv393-inner.drv'...
/nix/store/n67w30lgdjzn12fzqranbr9g1v7149bx-outer.drv

________________________________________________________
Executed in   12.15 secs      fish           external
   usr time  333.79 millis    0.28 millis  333.50 millis
   sys time  226.14 millis    1.89 millis  224.25 millis

This is the reason all the lang2nix tools exist, as nixpkgs has banned IFD. At the moment, the alternate approach is to have a separate tool create all the Nix derivation files you need in a preprocessor step.

How can dynamic-derivations make this better? 🤔

⚠️ The state of dynamic-derivations is changing and is somewhat brittle. At the moment, if you want to play with it, it’s important you use nix@d904921. Additionally, you need to enable experimental-features = ["nix-command" "dynamic-derivations" "ca-derivations" "recursive-nix"]. Here, there be dragons 🐲.

First, we can now create derivations whose output is a file that ends in .drv – meaning the output of a derivation is a derivation itself!

😲 I never bothered to create a derivation whose name ended in drv, so I was surprised this even was a restriction previously.

let
  pkgs =
    import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ef6c425980847c78a80d759abc476e941a9bf42.tar.gz") {
    };
in
  pkgs.runCommand "world.drv" {
    outputHashMode = "text";
    outputHashAlgo = "sha256";
  } ''
    cat > $out <<END
    Derive([("out","/nix/store/ixzl30c15sg9q0q35dx8z0wbap59pq2w-world","","")],[],[],"mysystem","mybuilder",[],[("out","/nix/store/ixzl30c15sg9q0q35dx8z0wbap59pq2w-world")])
    END
  ''

The outputHashMode and outputHashAlgo are important, as those are the hashing modes traditionally done for derivation files.

We can now build this file, and it will be the output $out.

> nix-instantiate end-drv.nix 
/nix/store/hm1d9ihxsws8pcdlqyn32qkfaxcjmblr-world.drv.drv

> nix build -f end-drv.nix --print-out-paths -L
/nix/store/2r65y379iga77g8z42gfibn0bn0w7kgd-world.drv

Second, there is a new builtin.outputOf that, as best as I can tell, instructs Nix that there is a chain of derivations to follow.

Let’s rework our slow IFD example from before, but now leverage dynamic-derivations.

let
  pkgs =
    import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ef6c425980847c78a80d759abc476e941a9bf42.tar.gz") {
    };
  inner =
    pkgs.runCommand "inner" {
    } ''
      sleep 10;
      echo "Hello from inner!" > $out
    '';
  producing =
    pkgs.runCommand "inner.drv" {
      outputHashMode = "text";
    } ''
      # we need the unsafe to break deep dependency source drvs
      cp ${builtins.unsafeDiscardOutputDependency inner.drvPath} $out
    '';
in (builtins.outputOf producing.outPath "out")

I wish I had a succinct explanation for why we need unsafeDiscardOutputDependency right now. Without it though, building the derivation will try and build all nativeBuildInputs of the derivation which is a large set as it includes stdenv.

We can now eval this Nix expression (dynamic-derivations needs the new Nix commands and does not work with nix-instantiate). The evaluation is near instant.

time > nix eval -f ifd_dyn_drv.nix --store /tmp/dyn-drvs
"/1qzln6f3acpj6y443v3j3hcbb8bp3kh1hbzd8qyjazgv1cmnsii0"

________________________________________________________
Executed in  278.95 millis    fish           external
   usr time  161.36 millis    0.17 millis  161.19 millis
   sys time  115.78 millis    1.05 millis  114.73 millis

We can now build this derivation, and what gets built is in fact the inner derivation, which of course takes ~10 seconds! 🤯

> time nix build -f ifd_dyn_drv.nix --store /tmp/dyn-drvs --print-out-paths -L
/nix/store/fii3k1jsv95qhgwi3jvb687lpl4p0856-inner

________________________________________________________
Executed in   11.01 secs      fish           external
   usr time  233.14 millis    1.14 millis  232.00 millis
   sys time  179.96 millis    2.03 millis  177.93 millis

Ok, so the “dynamic-derivation” was still a Nix expression in the same file. Big whoop… 🙃

It doesn’t have to be, thanks to recursive Nix. 🫨

Let’s now do this example again, but craft our Nix expression dynamically from within another Nix derivation.

I am writing this in bash so the quoting is very ugly as it’s all in a single file for demonstration purposes. In practice, you would probably do it programmatically with libstore, or at least with separate Nix files.

let
  pkgs =
    import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ef6c425980847c78a80d759abc476e941a9bf42.tar.gz") {
    };
  producing =
    pkgs.runCommand "inner.drv" {
      outputHashMode = "text";
      requiredSystemFeatures = ["recursive-nix"];
    } ''
      echo "let pkgs = import \"${pkgs.path}\" {};
            in
            pkgs.runCommand \"inner\" {} '''
              sleep 10;
              echo \"Hello from inner!\" > \$out
            '''
            " > inner.nix
      cp $(${pkgs.nix}/bin/nix-instantiate inner.nix) $out
    '';
in (builtins.outputOf producing.outPath "out")

We can now build our derivation, and it will in fact build the inner.nix recipe we crafted within it.

> time nix build -f simple-raw.nix --store /tmp/dyn-drvs --print-out-paths -L
/nix/store/fii3k1jsv95qhgwi3jvb687lpl4p0856-inner
________________________________________________________
Executed in    8.54 secs    fish           external
   usr time    1.80 secs    1.93 millis    1.79 secs
   sys time    5.83 secs    0.81 millis    5.83 secs

> cat /tmp/dyn-drvs/nix/store/fii3k1jsv95qhgwi3jvb687lpl4p0856-inner
Hello from inner!

Cool! Wait, what was the point of all this again? 🫠

We can now dynamically construct a graph of Nix expressions at build time and link them to a top-level derivation.

Imagine any tool that has knowledge of the code graph such as CMake, Bazel or even -MD for gcc.

We can leverage these tools at the top-level derivation to construct a series of additional derivations for each “module” – giving us the hermetic seal of Nix, but all the incremental builds of these language toolchains!

No more lang2nix. Derivations can now parse lockfiles and generate derivations for all the packages without incurring the cost of IFD.

The work on dynamic-derivations is still somewhat new, but I agree with @ericson2314 that this will unlock a whole range of new, simpler UX for Nix users.

What can you come up with? 💪

Many thanks to my good friend Mark Williams (@markrwilliams), who hacked on this stuff late into the night after PlanetNix, and John Ericson (@ericson2314), who put up with me asking a ton of questions as I wandered around this new feature. 🙇

Demystifying Nix’s Intensional Model

09.03.2025 01:30

We just wrapped up PlanetNix2025 (North America NixCon), and the excitement about all the innovations and use of Nix was palpable. 💆🏻

What was clear though, was there continues to be a growing divide in understanding the breadth of Nix concepts especially those that are new or put simply further down Eelco’s PhD thesis.

One such concept that has recently been released as experimental is the intensional store model, better known as content-addressed (CA) derivations.

To be frank, I had not looked much at CA derivations earlier as I also found it overwhelming in academic jargon in the PhD thesis.

As always, my goal is to understand things from first principles as best as I can; let’s see what all the fuss is about. 🕵️

What is a content-addressed derivation? 🤔 Content-addressed derivations themselves are not totally new to Nix.

When you’ve written fetchurl and specified the hash256 that was a content-addressed derivation.

The fact that it is content-addressed is why fetchurl is allowed to break out of the network sandbox.

fetchurl {
 url = "http://some-url/archive.zip";
 sha256 = "sha256-4MHp7vkf9t8E1z+l6v8T86ArZ5/uFHTlzK4AciTfbfY="
}

The big difference with the intensional model is that Nix calculates the sha256 for you!

Let’s write a simple derivation to validate that the path is what we think it is.

pkgs.runCommand "hello-world" {
  __contentAddressed = true;
  outputHashMode = "flat";
  outputHashAlgo = "sha256";
} ''
echo "Hello world." > $out
''

We can now build it and see the path with hash value d2ah0p9lxbbhadazaiqb8frxxd54zddz.

> nix build -f ca-example.nix hello-world --print-out-paths -L
/nix/store/d2ah0p9lxbbhadazaiqb8frxxd54zddz-hello-world

We can run through the same steps to work back to the same path starting with the sha256sum of the file.

> sha256sum /nix/store/d2ah0p9lxbbhadazaiqb8frxxd54zddz-hello-world

6472bf692aaf270d5f9dc40c5ecab8f826ecc92425c8bac4d1ea69bcbbddaea4  /nix/store/d2ah0p9lxbbhadazaiqb8frxxd54zddz-hello-world

> echo -n "fixed:out:sha256:6472bf692aaf270d5f9dc40c5ecab8f826ecc92425c8bac4d1ea69bcbbddaea4:" > tmp

> nix-hash --type sha256 --flat tmp
81d911ea283d5a4dfe38b6df6d046b7405585e55ea1e28eb992fc22459aecf03

> echo -n "output:out:sha256:81d911ea283d5a4dfe38b6df6d046b7405585e55ea1e28eb992fc22459aecf03:/nix/store:hello-world" > tmp

> nix-hash --type sha256 --truncate --base32 --flat tmp
d2ah0p9lxbbhadazaiqb8frxxd54zddz

d2ah0p9lxbbhadazaiqb8frxxd54zddz is our matching hash! 🎉

Let’s continue to more complex CA derivations 🤓

Let’s start off with a chain (parent & child) of two expensive derivations.

rec { 
child = pkgs.runCommand "child" {} ''
  echo "Building child"
  sleep 15
  echo "Child finished." > $out
'';
parent = pkgs.runCommand "parent" {} ''
  echo "Building parent"
  sleep 15
  cat ${child} > $out
  echo "Parent finished." >> $out
  '';
}

As you would expect, building the parent derivation takes roughly 30 seconds.

> time nix build -f ca-example.nix parent --print-out-paths -L
child> Building child
parent> Building parent
/nix/store/g4ycv0bxjw805n111q6qnwfrja400kbx-parent

________________________________________________________
Executed in   31.48 secs      fish           external
   usr time  194.75 millis  429.00 micros  194.32 millis
   sys time  106.01 millis  585.00 micros  105.42 millis

In the extensional model, what I like to refer to as pessimistic hashing, any minor change (even a comment!) to any of the dependencies causes the whole graph of descendants to rebuild.

We can demonstrate this by changing the build steps for the child derivation.

@@ -5,7 +5,7 @@
 in
 rec { 
   child = pkgs.runCommand "child" {} ''
-    echo "Building child"
+    echo "Building child again"
     sleep 15
     echo "Child finished." > $out
   '';

Building the parent derivation again takes a whole 30 seconds, as both parent and child must rebuild.

The /nix/store path of the parent and the child in this case will have had changed.

> time nix build -f ca-example.nix parent --print-out-paths -L
child> Building child again
parent> Building parent
/nix/store/7kkfgvmg6zzh2qydaw8az139nwvsny4j-parent

________________________________________________________
Executed in   30.85 secs      fish           external
   usr time  377.05 millis    0.24 millis  376.82 millis
   sys time  186.49 millis    1.14 millis  185.35 millis

Let’s modify our derivations now to be content-addressed.

We enable this very simply by adding __contentAddressed = true; to our derivations.

rec { 
child-ca = pkgs.runCommand "child" {
  __contentAddressed = true;
} ''
  echo "Building child"
  sleep 15
  echo "Child finished." > $out
'';
parent-ca = pkgs.runCommand "parent" {
   __contentAddressed = true;
} ''
  echo "Building parent"
  sleep 15
  cat ${child-ca} > $out
  echo "Parent finished." >> $out
  '';
}

At first build, it does take the same 30 seconds (sorry it’s not that magical).

> time nix build -f ca-example.nix parent-ca --print-out-paths -L
child-ca> Building child.
parent-ca> Building parent
/nix/store/slqvkr6sklp8a26ql5ra21x77fh1782n-parent-ca

________________________________________________________
Executed in   30.85 secs      fish           external
   usr time  380.73 millis    1.15 millis  379.58 millis
   sys time  190.14 millis    0.18 millis  189.96 millis

We now apply the exact same patch as above and try to rebuild.

> time nix build -f ca-example.nix parent-ca --print-out-paths -L
child-ca> Building child again.
/nix/store/slqvkr6sklp8a26ql5ra21x77fh1782n-parent-ca

________________________________________________________
Executed in   15.67 secs      fish           external
   usr time  331.65 millis    0.91 millis  330.74 millis
   sys time  191.40 millis    1.90 millis  189.50 millis

Aha! It only took 15 seconds now because we were able to avoid rebuilding our parent-ca derivation. 😲

In this case the both /nix/store paths of parent and child are unchanged.

This is ultimately one of the main benefits of content-addressed derivations: early-cutoff optimization.

Early-cutoff optimization: If your dependencies have not changed at all (bit-for-bit), you can avoid rebuilding yourself.

Since the content-addressed (i.e. sha256) of child had not changed, rebuilding parent was avoided.

There’s also a whole slew of additional benefits about the ability to now trust your /nix/store with multiple users that the PhD goes into.

Okay great! This sounds like a total win! What are the downsides?

Well there are a few and they have to do with whether the software itself is not binary reproducible.

There’s a slough of problems that this can cause. For instance, there may be multiple possible content-addressed paths for the same derivation! 🤯

If your output is not bit-reproducible, there are cases where you might have to rebuild your dependency tree whereas the “pessimistic” model would not have to as the hash calculated there would not have changed.

There’s some other potential pitfalls that were also outlined in the original PhD, such as the “two glibc issue”, but according to RFC#0062 which outlines the implementation, additional metadata SQLite tables and Nix binary-cache store information is included to avoid these class of problems.

I don’t think it’s at a state quite yet where I’ll be turning it on globally in my nix.conf – but familiarity will be useful for the next entry where we discuss dynamic-derivations which seem to rely and require CA derivations.

404s and updated CSS

03.03.2025 17:39

CSS

I just “revamped” the CSS of this site; ableit somewhat minimally. Please let me know what you think: if you like it 🫶 or dislike it 👎.

My personal taste is I like very minimal CSS. This blog is modeled after Drew Devault’s blog. I largely removed dead CSS cruft and improved readability (i.e. line spacing) slightly.

404s

You might have noticed some pages were giving 404 – sorry about that.🙇

I had recently migrated this blog to deploy with GitHub actions. I didn’t realize that Jekyll uses the local Time Zone for when to process the dates for pages and seems to ignore the Time Zone information I put in the frontmatter.

---
layout: post
title: 404s and updated CSS
date: 2025-03-03 09:39 -0800
---

Looks like there is an active issue jekyll#issue9278

GitHub actions’ machines use UTC, which makes total sense, but it changed a lot of the dates of my pages unbeknownst to me as I was previously publishing from my laptop which was set to Pacific Time Zone.

I’ve since rectified this issue by being explicit about my Time Zone for the whole site.

From Design doc to code: the Groundhog AI coding assistant (and new Cursor vibecoding meta)

03.03.2025 11:00 — Geoffrey Huntley

Ello everyone, in the "Yes, Claude Code can decompile itself. Here's the source code" blog post, I teased about a new meta when using Cursor. This post is a follow-up to the post below.

When you use "/specs" (this post) method with the "stdlib" (above) method in conjunction with a programming language that provides compiler soundness (driven by good types) and compiler errors, the results are incredible. You can drive hands-free output of N factor (entire weeks' worth) of co-workers in hours.

Today, alongside with teaching you the technique I'm announcing the start of a new open-source (yes, I'm doing this as pure OSS and not my usual proprietary licensing) AI headless agentic coding agent called "groundhog".

Groundhog's primary purpose is to teach people how Cursor and all these other coding agents work under the hood. If you understand how these coding assistants work from first principles, then you can drive these tools harder (or perhaps make your own!).

We'll be building it together, increment by increment, as a series of blog posts, so don't rush to GitHub and raise GitHub issues that XYZ does not work as I'm yet to decide on the community model around the project and doing customer support for free is not high up on my list.

Subscribe, like and click on the bell below to be notified when the next post in the series ships

Groundhog is a teaching tool first. If you want a full-blown thing right now, go check out "Goose", "Roo/Cline", "Aider" or "AllHands".

All the code you are about to see was generated using these two techniques in conjunction with multiple concurrent sessions of the Cursor IDE open working on their own separate specification domain.

what the heck is a specification domain?

Consider a standard application layout on a filesystem:

src/core - this is where your core application lives.
src/ai/mcp_tools - here is where your MCP tools live.
src/ui - here is where your UI lives.

By driving the LLM to implement the core basics in a single implementation session before src/ai/mcp_tools and src/src/ui to build the "heart of the application", you can then fan out and launch multiple copies of Cursor to work on parts of the application that do not overlap.

Using https://git-scm.com/docs/git-worktree is a key ingredient to get it to work if you use a single machine, as you want each Cursor ("agent") to have its own working directory.

Start by authoring a "stdlib" rule to automatically do git commits as increments of the specification as it is also key. If you want to Rolls-Royce it, you can create a rule to auto-create a pull request when the agent is complete.

Now, you might be wondering about how to handle merge conflicts. Well, you can author a "stdlib" rule that drives Cursor to automatically reconcile the branches.

okay, what is a specification?

Specifications are the heart of your application; the internal implementation of an application matters less now. As long as your tests pass and the LLM implements the technical steering lessons defined in your "stdlib", then that's all that matters.

I'll be the first one to admit it's a little unsettling to see the API internals of your application wildly evolve at a rapid rate. Software engineers have been taught to control the computer; letting go and building trust in the process will take some time.

how I build applications now

I start with a long conversation with the LLM about my product requirements aka specifications. For Groundhog, these are the prompts that I used

We are going to create an AI coding assistant command line application in rust

The AI coding assistant is called "groundhog".

It uses the "tracing" crate for logging, metrics and telemetry.
All operations have appropriate tracing on them that can be used to troubleshoot the application.

Use the clap cargo create for command line parsing.

The first operation is

"$ groundhogexplain"

When groundhog explain is invoked it prints hello world.

IMPORTANT: Write up the specifications into the "specs/" folder with each domain topic (including technical topic) as a seperate markdown file. Create a "SPECS.md" in the root of the directory which is an overview document that contains a table that links to all the specs.

After a couple moments something like this will be generated.

It's at this stage you have a decision to make. You can either manually update each file or keep on prompting the LLM to update the specification library. Let's give it a go.

Keep doing that until you are comfortable with the minimum viable product or increment of the application. Don't over-complicate it at first. Once you have the specification nailed, it's time to bring the "stdlib" into play. Let's build it up from first principles...

Create a Cursor IDE AI MDC rule in ".cursor/rules" which instructs Cursor to always create new MDC rules in that folder. Each rule should be a seperate file.

Nice. Okay, we have the first foundational rule. It's time to create some more, such as automating the git commits.

New Cursor IDE MDC rule.

After each change performed by Cursor automatically from Git commit.

Commit the changed files.

Use the "conventional git commit convention" for the title of the commit message
Explain what was changed and why the files were changed from exploring the prompts used to generate the commit.

Okay, cool, now we are cooking with gas. The next step is to create a cursor rule that defines your coding conventions. As Groundhog is authored in Rust, let's generate best practices and save that as a rule.

Create a new Cursor MDC rule for all *.rs files (in all subdirectories)

You are an expert expert software engineer who knows rust. Infact you are the software engineer who created rust. Your task is to come up with technical recommendations in this rule which document best practices when authoring rust.

Split each concern about rust into seperate MDC rules.

Prefix each rule with the filename of "rust-$rulename.mdc"

Write these rules to disk

It's at this point, after these rules are generated, that you want to push the LLM harder. Ask it to continue...

After a few more rounds of this, manually review your new Cursor rules that instruct the LLM what you expect as technical output. If you want to speed run this then loop the new rules back onto the LLM.

Look at the rust rules in @.cursor . What is missing? What does not follow best practice.

Notice how we looped the LLM back onto itself up there? It's the key LLM prompt you'll be using in conjunction with your newly formed spec and tech library going forward.

loopback is the key workflow

The secret to hands-free vibe coding is really just this prompt when used in conjunction with stdlib and specs library...

Study @SPECS.md for functional specifications.
Study @.cursor for technical requirements
Implement what is not implemented
Create tests
Run a "cargo build" and verify the application works

after a few moments, Groundhog will be generated. Cursor will time out or run out of tool calls during this operation

keep going until implemented

The next secret is really just continually issuing the same prompt

Study @SPECS.md for functional specifications.
Study @.cursor for technical requirements
Implement what is not implemented
Create tests
Run "cargo build" and verify the application works
Run "cargo clippy" and resolve linting errors

Did the LLM go on a bad path? Restart a new chat session to clear the LLM context window and use the above prompt. Keep doing it until everything is implemented.

scaling it up

Now that the src/core has been implemented. It's time to move on to the other specification domains, such as src/ai/mcp_tools and src/ui . Start a new Cursor compose window and repeat the defining specification workflow we did at the start of the blog post.

Look at specifications in

New requirement.

What should be implemented for MCP (model context protocol) registry? Include security best practices.
What should be implemented for a new MCP (model context protocol) tool that can be invoked to list directory contents ("ls"). Include security best practices
Provide a LLM system prompt for this MCP protocol tool.

Update with this guidance. Store them under "specs/mcp" with each technical topic as a seperate markdown file.

Now, do the same for the src/ui

Look at specifications in @specs.

New requirement.

Create a basic "hello world" TUI user interface using the the "ratatui" create

Update @specs with this guidance. Store them under "specs/ui" with each UI Widget as a separate markdown file.

keep going until implemented

It's at this point you have a decision. You can launch multiple sessions of Cursor concurrently and ask each copy to chew on src/ui and src/core concurrently.

Look at @specs
Study @groundhog
Implement what is not implemented
Run "cargo build"
Run "cargo clippy"

recommendations

These LLMs work as "silly string lookup services" and have no understanding of programming languages at all. To make this all work, you are going to need a good programming language that has soundness where if it compiles, it works (ie. Rust/Haskell) and a solid property-based test suite. Rust/Haskell are unique in that they provide exceptional compiler errors, which can be looped back into the LLM to auto-fix problems until it gets it right.

The application of the "stdlib" technique to steer the LLM to use your technical requirements and via the creation of a feedback loop (ie. tests and/or a static analysis tool such as sonarqube) you are in full control of product/output quality.

The sky's the limit really - one could even hook in a pre-existing security scanning tool into the feedback loop..

closing thoughts

The limiting factor for me now is really how much screen space I have. I'm fortunate enough to have a 59" monitor on my main workstation. I can see, feel and taste the horizon of being able to ditch Cursor forever...

There's an approach in CompSci with compilers of "bootstrapping"

Bootstrapping (compilers) - Wikipedia

Wikimedia Foundation, Inc.Contributors to Wikimedia projects

and bootstrapping as fast as possible so Groundhog can build Groundhog is the destination we will be building towards. If you enjoyed reading, please consider subscribing to the newsletter. We are a little away from getting there, so the next part of the series will explain what the heck "MCPs" are.

The source code of Groundhog (and the stdlib + specs used to build it) can be found here. Give it a star.

ps. socials for this blog post are below

If you enjoyed reading, give 'em a share please:

Sign up for Geoffrey Huntley

p.s. socials

pps. extra reading

p.s. socials

show me

how does this work under the hood?

so, what is a tool?

so, what is a tool prompt?

example: how Claude code creates pull-requests

tools + tool prompts in action

how do I use this knowledge to automate software development at my company?

ps. socials

what is open-webui?

how can you do this yourself

do the child safety guardrails work?

ps. socials

CSS

404s

Sign up for Geoffrey Huntley

what the heck is a specification domain?

okay, what is a specification?

how I build applications now

loopback is the key workflow

keep going until implemented

scaling it up

keep going until implemented

recommendations

closing thoughts

Sign up for Geoffrey Huntley

ps. socials for this blog post are below