jacobpevans/nix-tool-policy
project-standards/skills/nix-tool-policy/SKILL.md
Use when installing or choosing CLI tools in a Nix flake repo, editing flake.nix or home-manager config, or when tempted to pip/pipx/uv/brew/npm install anything. Tools come from the dev shell or nix shell — never ad-hoc package managers.
$ install --global
skillsauthnpx skillsauth add jacobpevans/claude-code-plugins nix-tool-policyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 8:35 AM130.6s1 file scanned
SKILL.md
- name:
- nix-tool-policy
- description:
- Use when installing or choosing CLI tools in a Nix flake repo, editing flake.nix or home-manager config, or when tempted to pip/pipx/uv/brew/npm install anything. Tools come from the dev shell or nix shell — never ad-hoc package managers.
Nix Tool Policy
Rule: Never Install Tools That Nix Dev Shells Provide
Scope: All repositories with flake.nix + .envrc (Nix dev shell pattern)
Prohibited Actions
pipx install <tool>/pipx reinstall <tool>— pipx virtualenvs reference Nix store Python; breaks after GCpip install <tool>/pip3 install <tool>— same problem, also pollutes global Pythonuv pip install <tool>— same Nix store Python problemuv run <tool>— generally unnecessary in Nix dev shells; prefer bare commands from the dev shell PATH. Last-resort package runner (with confirmation) only when the dev shell does not provide the tool.brew install <tool>for tools already in the dev shell — creates version conflicts
What To Do Instead
-
Tools are on PATH: When a repo has
flake.nix+.envrc, all project tools are provided by the Nix dev shell. Run them as bare commands. -
If a tool is not found: Use
direnv exec . <command>to run within the dev shell environment. This works even when direnv shell hooks haven't fired. -
If direnv exec fails: Use
nix develop --command <command>as a fallback. This is slower but always works. -
If the tool truly isn't in the flake: Prefer adding the tool to
flake.nixso it becomes part of the dev shell. For one-off usage, run it vianix shell -p <tool>rather than installing with pipx/pip/uv. -
Never install globally: Do not respond to a missing tool by installing it system-wide with pipx/pip/uv/brew; use the dev shell or a temporary Nix invocation, and update
flake.nixwhen the tool is needed long term.
Nix-Specific Alternatives
| Task | Use This | Not This |
| --- | --- | --- |
| Config generation | Nix functions (lib.mkIf, lib.generators.*) | Shell/Python generator |
| Nix data processing | builtins.fromJSON, builtins.readFile, lib.strings.* | Python wrapper |
Nix Script Patterns
When a Nix script IS needed (committed artifact):
- Use
writeShellApplicationwithruntimeInputs, reference via${./<relative-path>} - For inline Nix wrappers: one-liner
execpatterns inwriteShellScriptBinare acceptable
Why This Matters
Nix manages Python interpreters in the Nix store (/nix/store/...).
Tools installed via pipx/pip create virtual environments that hardcode paths to these interpreters.
When nix-collect-garbage runs or a flake update changes the Python version,
those paths become invalid and every pipx/pip-installed tool breaks silently.
The Nix dev shell pattern avoids this by providing tools through the flake lockfile, ensuring consistent, reproducible environments that survive garbage collection.
Repos Using This Pattern
All JacobPEvans repositories with flake.nix + .envrc, including:
- ansible-proxmox, ansible-proxmox-apps, ansible-splunk
- terraform-proxmox, terraform-aws, terraform-aws-bedrock
- nix-darwin, nix-ai, nix-home, nix-devenv
- orbstack-kubernetes
Related Skills
jacobpevans/shared-workflow-org-refs
testing
VerifiedTrustedCommunity
Use when creating or editing GitHub Actions workflows that call reusable workflows (uses: OWNER/repo/.github/workflows/...) — org owner references must be the literal current org, and shared-CI homes are under dryvist.
3SKILL.mdUpdated Jun 11, 2026
jacobpevans/pre-commit-architecture
development
VerifiedTrustedCommunity
Use when adding or editing .pre-commit-config.yaml, wiring pre-commit hooks into a repo, scaffolding a new repo's lint/hook setup, or deciding where a hook or shared lint config should live. Covers the canonical nix-devenv/dryvist-.github architecture, profiles, and consumer patterns.
3SKILL.mdUpdated Jun 11, 2026
jacobpevans/refresh-repo
testing
VerifiedTrustedCommunity
Check PR merge readiness, sync local repo, cleanup stale worktrees; optional cross-repo sweep and stale-branch prune modes
3SKILL.mdUpdated Apr 28, 2026
jacobpevans/rebase-pr
tools
VerifiedTrustedCommunity
Local rebase-merge workflow for pull requests with signed commits
3SKILL.mdUpdated Apr 28, 2026