packages/yc packages the Y Combinator CLI (yc: search Bookface and chat with
the YC Agent from the terminal), installing the upstream prebuilt per-platform
binaries. The repo owns a generated manifest.json pin and an updater. It is
the worked example, alongside claude-code, for the
prebuilt-binary intake shape, but with NO upstream provenance check.
default.nix selects the right prebuilt binary, installs it, and patches it for
NixOS on Linux (packages/yc/default.nix):
- Source pin: `version` and per-platform `{ slug, hash }` come from `manifest.json`
  (`lib.importJSON`, default.nix:16-17; currently `0.0.8` for four platforms). The
  binary for the host system is `fetchurl`ed from
  `${baseUrl}/${version}/yc-${target.slug}` where `target` is
  `manifest.platforms.${system}`, with a clear `throw` listing supported systems if
  the host is unsupported (default.nix:19-29).
- Install (default.nix:87-91): `install -Dm755 $src $out/bin/yc`. On Linux,
  `autoPatchelfHook` patches the dynamically-linked interpreter to the Nix store
  (default.nix:83-85); Darwin binaries need no patching.
- meta: `mainProgram = "yc"`, `platforms = builtins.attrNames manifest.platforms`,
  `sourceProvenance = [ binaryNativeCode ]`. `meta.license` is omitted (not
  `licenses.unfree`) so the no-`allowUnfree` flake set can `nix run .#yc`; terms
  are Y Combinator's (default.nix:97-107).
- `passthru.updateScript` is a `writeNushellApplication`, bound only on the flake
  package path (the overlay passes `writeNushellApplication = null`, so `pkgs.yc`
  carries no `updateScript`, default.nix:7-11, 93-95):
  `nix run .#yc.updateScript -- [version]` tracks the upstream `cli/latest` pointer
  (a 6-byte text file holding the version) when no version is given, then
  `nix store prefetch-file`s all four platform binaries and writes
  `{ version, platforms }` with per-platform SRI hashes to
  `packages/yc/manifest.json` (default.nix:41-76). The S3 bucket denies
  `ListBucket`, hence the `latest` pointer rather than enumerating versions.
- No provenance check: unlike claude-code, Y Combinator publishes no signed
  manifest, so the updater pins whatever bytes the release host serves (the
  version tag is not even immutable; `0.0.5` was observed republished under the
  same tag). The `nix build .#yc` step in the update workflow only proves the
  pinned bytes fetch and patch, not that they are authentic, so the real gate is
  human review of the four hash changes in the auto-bump PR (default.nix:31-40).
- Flake output: `nix run .#yc` / `nix build .#yc`, plus `pkgs.yc` (overlay).
  `package.nix` sets `packageSet`, `flake`, `overlay`, and `updateScript` all
  `true` (packages/yc/package.nix).
- Joins `nix run .#update` via `updateScript = true`, which runs every flagged
  package's updater in parallel (lib/per-system.nix:461-501); the `update.yml`
  workflow runs it hourly into one PR.
- Platforms: aarch64/x86_64 darwin and linux (the four `manifest.json` keys).
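The two bullets above that matter for review, the updater's `{ version, platforms }` manifest shape and the absence of any upstream provenance check, are easier to reason about with the pin mechanics spelled out. The following is an added example written for this page, not the repo's Nushell updater or any part of `default.nix`: it builds a manifest in the page's shape from SRI hashes computed the way `nix store prefetch-file` reports them, re-derives the hashes to show that the pin (not the version tag) is what catches a republish under the same tag, and lists the per-platform hash changes a reviewer of the auto-bump PR would look at. The release host, the slugs, the base URL and the binary contents are all constructed stand-ins; only the URL layout and the manifest shape come from the page.

```python
import base64
import hashlib
import json

# Placeholder release host; the real baseUrl is in default.nix and is not reproduced here.
BASE_URL = "https://release-host.invalid/cli"

# Constructed slugs for the four Nix systems the manifest keys on (real slugs live in manifest.json).
SLUGS = {
    "x86_64-linux": "linux-x64",
    "aarch64-linux": "linux-arm64",
    "x86_64-darwin": "darwin-x64",
    "aarch64-darwin": "darwin-arm64",
}


def sri_sha256(data: bytes) -> str:
    """SRI string as nix store prefetch-file prints it and fetchurl compares it: sha256-<base64 digest>."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


def binary_url(base_url: str, version: str, slug: str) -> str:
    """Mirror of the page's ${baseUrl}/${version}/yc-${target.slug} layout."""
    return f"{base_url}/{version}/yc-{slug}"


def build_manifest(version: str, fetch) -> dict:
    """What the updater writes: { version, platforms: { system: { slug, hash } } }."""
    platforms = {}
    for system, slug in SLUGS.items():
        data = fetch(binary_url(BASE_URL, version, slug))
        platforms[system] = {"slug": slug, "hash": sri_sha256(data)}
    return {"version": version, "platforms": platforms}


def verify_pins(manifest: dict, fetch) -> dict:
    """Re-fetch every pinned binary and compare; returns {system: (pinned, observed)} for mismatches."""
    mismatches = {}
    for system, target in manifest["platforms"].items():
        observed = sri_sha256(fetch(binary_url(BASE_URL, manifest["version"], target["slug"])))
        if observed != target["hash"]:
            mismatches[system] = (target["hash"], observed)
    return mismatches


def diff_manifests(old: dict, new: dict) -> dict:
    """The version bump plus the per-platform hash changes a reviewer of the auto-bump PR inspects."""
    changed = {}
    for system in sorted(set(old["platforms"]) | set(new["platforms"])):
        before = old["platforms"].get(system, {}).get("hash")
        after = new["platforms"].get(system, {}).get("hash")
        if before != after:
            changed[system] = (before, after)
    return {"version": (old["version"], new["version"]), "platforms": changed}


def make_host(version: str, salt: bytes) -> dict:
    """Constructed stand-in for the release host: url -> bytes. Contents are arbitrary, not real binaries."""
    return {binary_url(BASE_URL, version, slug): b"yc-" + slug.encode() + b"-" + version.encode() + salt
            for slug in SLUGS.values()}


HOST = {**make_host("0.0.7", b""), **make_host("0.0.8", b"")}


def fetch_from(host: dict):
    """Offline replacement for the HTTP fetch; raises KeyError for a URL the host does not serve."""
    return lambda url: host[url]


def republish_scenario() -> dict:
    """Same tag, different bytes (the 0.0.5 case): the pinned hash flags it, the tag alone would not."""
    pinned = build_manifest("0.0.8", fetch_from(HOST))
    mutated = dict(HOST)
    mutated[binary_url(BASE_URL, "0.0.8", SLUGS["x86_64-linux"])] += b"\x00republished"
    return verify_pins(pinned, fetch_from(mutated))


if __name__ == "__main__":
    old = build_manifest("0.0.7", fetch_from(HOST))
    new = build_manifest("0.0.8", fetch_from(HOST))
    print(json.dumps(new, indent=2))
    print("hash changes to review:", diff_manifests(old, new))
    print("republish mismatches:", republish_scenario())
```

`verify_pins` is the part `nix build .#yc` effectively performs for the one host platform (fetchurl fails on a hash mismatch); `diff_manifests` is the part nothing automates, which is why the four hash lines in the PR are the gate. A republish under an unchanged tag shows up only as a hash mismatch against the previous pin, so a reviewer should treat a hash change with no version change as a reason to ask upstream what was rebuilt.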