Bump nightly to 2026-05-27 and vendor crates without nixpkgs importCargoLock (#227)

## Why

Three things landed together because untangling them midway through
wasn't worth a separate PR cycle.

1. **Nightly bump to `2026-05-27`** and the in-tree clippy fork promoted
to a flake input (`clippy-fork`), so it's pinned alongside the rest of
the toolchain.
2. **Audit pass on tautological test assertions** in `tests/default.nix`
per the `AGENTS.md` guidance — checks that just restate the source got
deleted.
3. **Stop using nixpkgs `rustPlatform.importCargoLock` for crate
vendoring.** This was forced by crates.io rolling out a User-Agent gate:
any UA containing `curl` now returns HTTP 403, which catches nixpkgs's
default `curl/X.Y Nixpkgs/Z`. Rather than patch curl,
`ix.buildRustPackage` now materializes its own vendor dir via the
existing `resolveVendorDir` and hands it to
`rustPlatform.buildRustPackage` as `cargoDeps`. One vendor builder, one
URL pattern (`static.crates.io` CDN — same one cargo's sparse protocol
uses), and we own all of it.

## What this means for callers

- Every Rust package built via `ix.buildRustPackage` now goes through
the new path. `llm-clippy` was the last holdout calling
`rustPlatform.buildRustPackage` directly; it's switched. Its own clippy
policy gate is off (would recurse — it IS the clippy that lints
everything else); other policy gates stay on.
- User-supplied `cargoHash`, `cargoDeps`, or `cargoVendorDir` still
wins. The new code only fires on the default path.
- FOD hashing is content-only, so cached crate tarballs survive the URL
change.

## Verified locally

- `nix run .#lint` clean
- `nix eval` succeeds for `llm-clippy`, `dag-runner`, `ix`,
`nix-cargo-unit` on `aarch64-darwin`
- Full Linux builds left for CI

Author: andrewgazelka

flake.lock

@@ -31,6 +31,14 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    # Fork of rust-lang/rust-clippy with extra restriction lints tuned for
+    # LLM-assisted codebases. Pinned in flake.lock so `nix flake update`
+    # bumps it; consumed as the source tree for `packages/llm-clippy`.
+    clippy-fork = {
+      url = "github:indexable-inc/clippy";
+      flake = false;
+    };
+
     # Nous Research's Hermes agent ships its own NixOS module
     # (`nixosModules.default`) and uv2nix-built Python closure. Pinned to
     # a release tag so routine bumps are review events; `nix flake update
@@ -50,6 +58,7 @@
       determinate,
       home-manager,
       hermes-agent,
+      clippy-fork,
       ...
     }:
     let
@@ -86,6 +95,7 @@
           determinate
           home-manager
           hermes-agent
+          clippy-fork
           ;
       };
       devSystems = [

flake.nix

@@ -7,6 +7,7 @@
   determinate,
   home-manager,
   hermes-agent,
+  clippy-fork,
   cliArtifacts ? { },
 }:
 let
@@ -259,6 +260,7 @@ let
           final
           buildIxRustTool
           rustNightlyClippyToolchainFor
+          clippy-fork
           ;
         pkgs = final;
         inherit (entry) path;
@@ -369,10 +371,19 @@ let
         "rustfmt"
       ];
     };
+  # ix.buildRustPackage closure handed to `callPackage`'d Rust packages.
+  # Kept minimal so it stays usable from the bootstrap path (no `cargoUnit`,
+  # no `rustWorkspace`); `buildIxRustTool` adds those for packages that need
+  # them.
+  ixBuildSurfaceFor = _pkgs: {
+    buildRustPackage = innerPkgs: (rustFor innerPkgs).buildPackage;
+  };
   llmClippyFor =
     pkgs:
     pkgs.callPackage (packagePath "llm-clippy") {
+      ix = ixBuildSurfaceFor pkgs;
       rustToolchain = rustNightlyClippyToolchainFor pkgs;
+      src = clippy-fork;
     };
   rustFor =
     pkgs:
@@ -778,6 +789,7 @@ let
           packageSystem
           cliArtifacts
           rustNightlyClippyToolchainFor
+          clippy-fork
           ixForPackages
           ;
         ix = ixForPackages;

lib/default.nix

@@ -23,7 +23,7 @@ let
     consumer that calls `toolchain pkgs { channel = "nightly"; version
     = languages.rust.defaultNightlyDate; }`.
   */
-  defaultNightlyDate = "2026-05-17";
+  defaultNightlyDate = "2026-05-27";
 
   /**
     Toolchain components everyone gets by default. The shape mirrors

lib/languages/rust.nix

@@ -258,11 +258,15 @@ let
       '';
       pkgs.linkFarm "cargo-vendor-dir" vendorEntries;
 
+  # Both registry shapes resolve to the same CDN artifact. `static.crates.io` is
+  # the direct CloudFront URL cargo's sparse protocol uses; the older
+  # `api.crates.io/api/v1/crates/.../download` endpoint just 302s here and, as
+  # of 2026-05, rejects curl's default User-Agent with HTTP 403.
+  cratesIoDownloadUrl =
+    pkg: "https://static.crates.io/crates/${pkg.name}/${pkg.name}-${pkg.version}.crate";
   registryDownloadUrls = {
-    "registry+https://github.com/rust-lang/crates.io-index" =
-      pkg: "https://crates.io/api/v1/crates/${pkg.name}/${pkg.version}/download";
-    "sparse+https://index.crates.io/" =
-      pkg: "https://static.crates.io/crates/${pkg.name}/${pkg.name}-${pkg.version}.crate";
+    "registry+https://github.com/rust-lang/crates.io-index" = cratesIoDownloadUrl;
+    "sparse+https://index.crates.io/" = cratesIoDownloadUrl;
   };
 
   parseGitSource =
@@ -684,27 +688,44 @@ let
       cargoTestFlags =
         (rawArgs.cargoTestFlags or [ ])
         ++ lib.optionals (testEnabled && args.policy.tests.useNextest) [ "--no-tests=pass" ];
+      # Vendor through our own fetcher (`resolveVendorDir` -> `static.crates.io`)
+      # instead of letting nixpkgs's `importCargoLock` re-fetch each crate via
+      # the legacy `crates.io/api/v1/crates/.../download` URL. The legacy
+      # endpoint is now gated on User-Agent (no `curl/...`) and is a redirect
+      # to the same CDN anyway, so going direct is both unblocked and faster.
+      # Surface the vendor dir as `cargoDeps` (absolute store path); the
+      # cargo-setup hook expects `cargoVendorDir` to be in-source, not a
+      # `/nix/store` path. User-supplied `cargoHash`, `cargoDeps`, or
+      # `cargoVendorDir` still wins.
+      bareVendorDir = resolveVendorDir {
+        inherit (args) cargoLock outputHashes vendorDir;
+        sourceOverrides = rawArgs.sourceOverrides or { };
+      };
+      # nixpkgs's `cargoSetupPostPatchHook` diffs `$cargoDeps/Cargo.lock`
+      # against the lockfile in the source tree. `resolveVendorDir` only
+      # emits the per-crate symlinks, so re-attach the lockfile here.
+      defaultCargoDeps = pkgs.runCommand "cargo-deps" { } ''
+        mkdir -p "$out"
+        cp -RL ${bareVendorDir}/. "$out/"
+        cp ${cargoLockFile args.cargoLock} "$out/Cargo.lock"
+      '';
       buildArgs =
         builtins.removeAttrs rawArgs [
           "cargoArgs"
           "cargoExtraConfig"
+          "cargoLock"
           "cargoTestFlags"
           "outputHashes"
           "policy"
           "rustPlatform"
           "rustToolchain"
+          "sourceOverrides"
           "vendorDir"
         ]
         //
-          lib.optionalAttrs
-            (
-              !(rawArgs ? cargoLock)
-              && !(rawArgs ? cargoHash)
-              && !(rawArgs ? cargoDeps)
-              && !(rawArgs ? cargoVendorDir)
-            )
+          lib.optionalAttrs (!(rawArgs ? cargoHash) && !(rawArgs ? cargoDeps) && !(rawArgs ? cargoVendorDir))
             {
-              cargoLock.lockFile = cargoLockFile args.cargoLock;
+              cargoDeps = defaultCargoDeps;
             }
         // {
           nativeBuildInputs = (rawArgs.nativeBuildInputs or [ ]) ++ nativeBuildInputsForPolicy args.policy;

lib/rust.nix

@@ -1,41 +1,33 @@
 {
+  ix,
   lib,
   makeWrapper,
   pkgs,
+  src,
   rustToolchain ? null,
 }:
 
 let
-  src = pkgs.fetchFromGitHub {
-    owner = "indexable-inc";
-    repo = "clippy";
-    rev = "c5f8f62dacfc666fa29615b13f777bb7404a1e60";
-    hash = "sha256-pFGUPLgM0lSDz8Iv3FLapQAJJV507B1DmJp4pKxp6JA=";
-  };
-
   toolchain =
     if rustToolchain != null then
       rustToolchain
     else
       pkgs.rust-bin.fromRustupToolchainFile (src + "/rust-toolchain.toml");
 
-  rustPlatform = pkgs.makeRustPlatform {
-    cargo = toolchain;
-    rustc = toolchain;
-  };
-
   rustcLibPathVar =
     if pkgs.stdenv.hostPlatform.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
 in
-rustPlatform.buildRustPackage {
+ix.buildRustPackage pkgs {
   pname = "llm-clippy";
   version = "0.1.97";
 
   inherit src;
+  rustToolchain = toolchain;
+  # Vendor through ix.buildRustPackage's `resolveVendorDir`, which fetches from
+  # `static.crates.io`. Upstream indexable-inc/clippy ships no Cargo.lock, so
+  # the patch plants one into $sourceRoot for cargo at build time; the same
+  # file is what `cargoLock.lockFile` points at for vendoring.
   cargoLock.lockFile = ./Cargo.lock;
-  # Upstream indexable-inc/clippy ships no Cargo.lock. cargoLock.lockFile only
-  # vendors and validates ("ERROR: Missing Cargo.lock from src" if it isn't
-  # present), so cargoPatches is how we plant the file into $sourceRoot.
   cargoPatches = [ ./cargo-lock.patch ];
 
   nativeBuildInputs = [ makeWrapper ];
@@ -46,9 +38,13 @@ rustPlatform.buildRustPackage {
     pkgs.libiconv
   ];
   doCheck = false;
+  # llm-clippy IS the clippy that lints every other repo Rust package, so its
+  # own clippy check cannot reach for `llmClippyFor` again - it would recurse
+  # forever back into this build. Machete and other policy gates stay on.
+  policy.clippy.enable = false;
 
   # This Clippy fork links against rustc_private crates from its Rust toolchain.
-  RUSTC_BOOTSTRAP = "1";
+  env.RUSTC_BOOTSTRAP = "1";
 
   postInstall = ''
     for bin in "$out/bin/cargo-clippy" "$out/bin/clippy-driver"; do