Merge master into staging-next

nixos/modules/security/sudo.nix

@@ -192,6 +192,10 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
+    assertions = [
+      { assertion = cfg.package.pname != "sudo-rs";
+        message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
+    ];
 
     # We `mkOrder 600` so that the default rule shows up first, but there is
     # still enough room for a user to `mkBefore` it.

nixos/modules/services/matrix/mautrix-telegram.nix

@@ -159,7 +159,6 @@ in {
         if [ ! -f '${registrationFile}' ]; then
           ${pkgs.mautrix-telegram}/bin/mautrix-telegram \
             --generate-registration \
-            --base-config='${pkgs.mautrix-telegram}/${pkgs.mautrix-telegram.pythonModule.sitePackages}/mautrix_telegram/example-config.yaml' \
             --config='${settingsFile}' \
             --registration='${registrationFile}'
         fi

nixos/modules/services/monitoring/mimir.nix

@@ -32,11 +32,21 @@ in {
       type = types.package;
       description = lib.mdDoc ''Mimir package to use.'';
     };
+
+    extraFlags = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [ "--config.expand-env=true" ];
+      description = lib.mdDoc ''
+        Specify a list of additional command line flags,
+        which get escaped and are then passed to Mimir.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
     # for mimirtool
-    environment.systemPackages = [ pkgs.mimir ];
+    environment.systemPackages = [ cfg.package ];
 
     assertions = [{
       assertion = (
@@ -60,7 +70,7 @@ in {
                else cfg.configFile;
       in
       {
-        ExecStart = "${cfg.package}/bin/mimir --config.file=${conf}";
+        ExecStart = "${cfg.package}/bin/mimir --config.file=${conf} ${escapeShellArgs cfg.extraFlags}";
         DynamicUser = true;
         Restart = "always";
         ProtectSystem = "full";

nixos/modules/services/networking/nftables.nix

@@ -70,6 +70,26 @@ in
       '';
     };
 
+    networking.nftables.checkRulesetRedirects = mkOption {
+      type = types.addCheck (types.attrsOf types.path) (attrs: all types.path.check (attrNames attrs));
+      default = {
+        "/etc/hosts" = config.environment.etc.hosts.source;
+        "/etc/protocols" = config.environment.etc.protocols.source;
+        "/etc/services" = config.environment.etc.services.source;
+      };
+      defaultText = literalExpression ''
+        {
+          "/etc/hosts" = config.environment.etc.hosts.source;
+          "/etc/protocols" = config.environment.etc.protocols.source;
+          "/etc/services" = config.environment.etc.services.source;
+        }
+      '';
+      description = mdDoc ''
+        Set of paths that should be intercepted and rewritten while checking the ruleset
+        using `pkgs.buildPackages.libredirect`.
+      '';
+    };
+
     networking.nftables.preCheckRuleset = mkOption {
       type = types.lines;
       default = "";
@@ -282,7 +302,7 @@ in
             cp $out ruleset.conf
             sed 's|include "${deletionsScriptVar}"||' -i ruleset.conf
             ${cfg.preCheckRuleset}
-            export NIX_REDIRECTS=/etc/protocols=${pkgs.buildPackages.iana-etc}/etc/protocols:/etc/services=${pkgs.buildPackages.iana-etc}/etc/services
+            export NIX_REDIRECTS=${escapeShellArg (concatStringsSep ":" (mapAttrsToList (n: v: "${n}=${v}") cfg.checkRulesetRedirects))}
             LD_PRELOAD="${pkgs.buildPackages.libredirect}/lib/libredirect.so ${pkgs.buildPackages.lklWithFirewall.lib}/lib/liblkl-hijack.so" \
               ${pkgs.buildPackages.nftables}/bin/nft --check --file ruleset.conf
           '';

pkgs/applications/blockchains/wasabiwallet/default.nix

@@ -3,24 +3,18 @@
 , makeWrapper
 , fetchurl
 , makeDesktopItem
-, curl
-, dotnetCorePackages
 , lttng-ust_2_12
 , fontconfig
-, krb5
 , openssl
 , xorg
 , zlib
 }:
 
 let
-  dotnet-runtime = dotnetCorePackages.runtime_6_0;
   # These libraries are dynamically loaded by the application,
   # and need to be present in LD_LIBRARY_PATH
   runtimeLibs = [
-    curl
     fontconfig.lib
-    krb5
     openssl
     stdenv.cc.cc.lib
     xorg.libX11
@@ -31,11 +25,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "wasabiwallet";
-  version = "2.0.3";
+  version = "2.0.4";
 
   src = fetchurl {
     url = "https://github.com/zkSNACKs/WalletWasabi/releases/download/v${version}/Wasabi-${version}.tar.gz";
-    sha256 = "sha256-RlWaeOK6XqxyCIQQp1/X6iG9t7f3ER5K+S3ZvPg6wBg=";
+    sha256 = "sha256-VYyf9rKBRPpnxuaeO6aAq7cQwDfBRLRbH4SlPS+bxFQ=";
   };
 
   dontBuild = true;
@@ -58,8 +52,10 @@ stdenv.mkDerivation rec {
     mkdir -p $out/opt/${pname} $out/bin $out/share/applications
     cp -Rv . $out/opt/${pname}
 
-    makeWrapper "${dotnet-runtime}/bin/dotnet" "$out/bin/${pname}" \
-      --add-flags "$out/opt/${pname}/WalletWasabi.Fluent.Desktop.dll" \
+    makeWrapper "$out/opt/${pname}/wassabee" "$out/bin/${pname}" \
+      --suffix "LD_LIBRARY_PATH" : "${lib.makeLibraryPath runtimeLibs}"
+
+    makeWrapper "$out/opt/${pname}/wassabeed" "$out/bin/${pname}d" \
       --suffix "LD_LIBRARY_PATH" : "${lib.makeLibraryPath runtimeLibs}"
 
     cp -v $desktopItem/share/applications/* $out/share/applications

pkgs/applications/editors/cudatext/default.nix

@@ -38,13 +38,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "cudatext";
-  version = "1.197.0";
+  version = "1.198.0";
 
   src = fetchFromGitHub {
     owner = "Alexey-T";
     repo = "CudaText";
     rev = version;
-    hash = "sha256-960Ucp2iNDqK2n/sJSIyMWxgCCs0LVyafn8SRRhli4c=";
+    hash = "sha256-zm5acOTcjQdgKf6cSPP3mE070TVXbV6ixVa/+7g/SFE=";
   };
 
   postPatch = ''

pkgs/applications/editors/cudatext/deps.json

@@ -11,13 +11,13 @@
   },
   "ATFlatControls": {
     "owner": "Alexey-T",
-    "rev": "2023.08.12",
-    "hash": "sha256-YBIuwiHE83mxxtl9PNrQN3LrEBFHvYY74zhV+UtAbZ4="
+    "rev": "2023.09.03",
+    "hash": "sha256-8mopVCqhmDW5MkrOzjt9+iBVgOf7/SbZy0Y40CzuNG0="
   },
   "ATSynEdit": {
     "owner": "Alexey-T",
-    "rev": "2023.08.12",
-    "hash": "sha256-hFDWb7gMQiTkItFC5KfSrpAW3FSkmAhxcc5GOdov3EE="
+    "rev": "2023.09.03",
+    "hash": "sha256-Sk7G4dP5703yq26MC/c1EBhphBVWIbanvHJMcFJDqfk="
   },
   "ATSynEdit_Cmp": {
     "owner": "Alexey-T",

pkgs/applications/editors/ldtk/default.nix

@@ -3,11 +3,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "ldtk";
-  version = "1.3.3";
+  version = "1.3.4";
 
   src = fetchurl {
     url = "https://github.com/deepnight/ldtk/releases/download/v${finalAttrs.version}/ubuntu-distribution.zip";
-    hash = "sha256-egvAe4nAzPDBeTaAzrqhlDsG60bGNnKXB5Vt16vIZrQ";
+    hash = "sha256-/EFmuzj8hYhQJegZpZhZb4fuSeMF9wdG1Be4duEvW54=";
   };
 
   nativeBuildInputs = [ unzip makeWrapper copyDesktopItems appimage-run ];

pkgs/applications/misc/khard/default.nix

@@ -10,10 +10,15 @@ python3.pkgs.buildPythonApplication rec {
   };
 
   SETUPTOOLS_SCM_PRETEND_VERSION = version;
-  nativeBuildInputs = [
-    python3.pkgs.setuptools-scm
+  nativeBuildInputs = with python3.pkgs; [
+    setuptools-scm
+    sphinxHook
+    sphinx-autoapi
+    sphinx-autodoc-typehints
   ];
 
+  sphinxBuilders = [ "man" ];
+
   propagatedBuildInputs = with python3.pkgs; [
     atomicwrites
     configobj
@@ -40,5 +45,6 @@ python3.pkgs.buildPythonApplication rec {
     description = "Console carddav client";
     license = lib.licenses.gpl3;
     maintainers = with lib.maintainers; [ matthiasbeyer ];
+    mainProgram = "khard";
   };
 }

pkgs/applications/networking/instant-messengers/signal-desktop/default.nix

@@ -1,12 +1,12 @@
 { callPackage }: builtins.mapAttrs (pname: attrs: callPackage ./generic.nix (attrs // { inherit pname; })) {
   signal-desktop = {
     dir = "Signal";
-    version = "6.27.1";
-    hash = "sha256-nEOt6bep6SqhAab8yD9NlRrDGU2IvZeOxSqPj2u1bio=";
+    version = "6.29.1";
+    hash = "sha256-QtQVH8cs42vwzJNiq6klaSQO2pmB80OYjzAR4Bibb/s";
   };
   signal-desktop-beta = {
     dir = "Signal Beta";
-    version = "6.24.0-beta.1";
-    hash = "sha256-tA1xsgtAeOn0c0HcZutj+Pqrsr0JV5bQOnknH4t/QkY=";
+    version = "6.30.0-beta.2";
+    hash = "sha256-EMgstKlHA6ilSlbDmsPAu/jNC21XGzF7LS7QzWcK2F0";
   };
 }

pkgs/applications/radio/multimon-ng/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake, libpulseaudio, libX11 }:
+{ lib, stdenv, fetchFromGitHub, cmake, libpulseaudio, libX11, makeWrapper, sox }:
 
 stdenv.mkDerivation rec {
   pname = "multimon-ng";
@@ -13,7 +13,11 @@ stdenv.mkDerivation rec {
 
   buildInputs = lib.optionals stdenv.isLinux [ libpulseaudio libX11 ];
 
-  nativeBuildInputs = [ cmake ];
+  nativeBuildInputs = [ cmake makeWrapper ];
+
+  postInstall = ''
+    wrapProgram $out/bin/multimon-ng --prefix PATH : "${lib.makeBinPath [sox]}"
+  '';
 
   meta = with lib; {
     description = "Multimon is a digital baseband audio protocol decoder";

pkgs/build-support/make-startupitem/default.nix

@@ -1,4 +1,4 @@
-# given a pakcage with a $name.desktop file, makes a copy
+# given a package with a $name.desktop file, makes a copy
 # as autostart item.
 
 {stdenv, lib}:

pkgs/development/libraries/cm256cc/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake, boost } :
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, boost } :
 
 stdenv.mkDerivation rec {
   pname = "cm256cc";
@@ -11,6 +11,16 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-T7ZUVVYGdzAialse//MoqWCVNBpbZvzWMAKc0cw7O9k=";
   };
 
+  patches = [
+    # Pull fix pending upstream inclusion for gcc-13 support:
+    #   https://github.com/f4exb/cm256cc/pull/18
+    (fetchpatch {
+      name = "gcc-13.patch";
+      url = "https://github.com/f4exb/cm256cc/commit/a7f142bcdae8be1c646d67176ba0ba0f7e8dcd68.patch";
+      hash = "sha256-J7bm44sqnGsdPhJxQrE8LDxZ6tkTzLslHQnnKmtgrtM=";
+    })
+  ];
+
   nativeBuildInputs = [ cmake ];
   buildInputs = [ boost ];
 

pkgs/development/libraries/exiv2/default.nix

@@ -88,6 +88,12 @@ stdenv.mkDerivation rec {
      ''}
   '' + lib.optionalString (stdenv.isDarwin && stdenv.isAarch64) ''
     export LC_ALL=C
+  '' + lib.optionalString stdenv.isAarch32 ''
+    # these tests are fixed in 0.28, remove when updating to 0.28
+    rm -f ../tests/bugfixes/github/test_issue_1503.py
+    rm -f ../tests/bugfixes/github/test_pr1475_AVIF.py
+    rm -f ../tests/bugfixes/github/test_pr1475_HEIC.py
+    rm -f ../tests/bugfixes/github/test_pr1475_HIF.py
   '';
 
   # With CMake we have to enable samples or there won't be

pkgs/development/libraries/geos/default.nix

@@ -1,5 +1,6 @@
 { lib
 , fetchurl
+, fetchpatch
 , stdenv
 , testers
 , cmake
@@ -14,6 +15,16 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-sfB3ZpSBxaPmKv/EnpbrBvKBmHpdNv2rIlIX5bgl5Mw=";
   };
 
+  patches = [
+    # Pull upstream fix of `gcc-13` build failure:
+    #   https://github.com/libgeos/geos/pull/805
+    (fetchpatch {
+      name = "gcc-13.patch";
+      url = "https://github.com/libgeos/geos/commit/bea3188be44075034fd349f5bb117c943bdb7fb1.patch";
+      hash = "sha256-dQT3Hf9YJchgjon/r46TLIXXbE6C0ZnewyvfYJea4jM=";
+    })
+  ];
+
   nativeBuildInputs = [ cmake ];
 
   doCheck = true;

pkgs/development/python-modules/mautrix/default.nix

@@ -20,7 +20,7 @@
 
 buildPythonPackage rec {
   pname = "mautrix";
-  version = "0.20.0";
+  version = "0.20.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.9";
@@ -29,7 +29,7 @@ buildPythonPackage rec {
     owner = "mautrix";
     repo = "python";
     rev = "refs/tags/v${version}";
-    hash = "sha256-op28CGpJBcCBiy0WXboaf4JeNRIMX6653QkAV6XW/yI=";
+    hash = "sha256-Byvwg6WW4b8kRWJkl6DG2Ioz4HYDaJyVEV98tS/ybXQ=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/weconnect-mqtt/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "weconnect-mqtt";
-  version = "0.45.1";
+  version = "0.46.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "tillsteinbach";
     repo = "WeConnect-mqtt";
     rev = "refs/tags/v${version}";
-    hash = "sha256-lZa8HIGLSDd/avNuoYSUHJ0b3rSx8uHLuUz8lABQHO4=";
+    hash = "sha256-7TR6+woAV8f80t4epCnZj4jYYpTPKDkzwzNNsgofiwg=";
   };
 
   postPatch = ''

pkgs/development/python-modules/weconnect/default.nix

@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "weconnect";
-  version = "0.57.0";
+  version = "0.58.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "tillsteinbach";
     repo = "WeConnect-python";
     rev = "refs/tags/v${version}";
-    hash = "sha256-EqKjDPSjhI03ZwkHyNG4ZbIdrzn7wrjpGfze1Qkk0lk=";
+    hash = "sha256-2+RvDAKIUsQwmVrqcgt0RXOF+Z+lZ6oSyZyI+HTcZBs=";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/code-maat/default.nix

@@ -0,0 +1,45 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, makeBinaryWrapper
+, jre
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "code-maat";
+  version = "1.0.3";
+
+  src = fetchurl {
+    url = "https://github.com/adamtornhill/code-maat/releases/download/v${finalAttrs.version}/code-maat-${finalAttrs.version}-standalone.jar";
+    hash = "sha256-cAaGX9BX27Z2GN583YmhagWsBIygVc0ZDkzbspM9OJw=";
+  };
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [
+    makeBinaryWrapper
+  ];
+
+  installPhase =
+    let
+      jar = "$out/libexec/code-maat/code-maat.jar";
+    in
+    ''
+      runHook preInstall
+
+      install -D ${finalAttrs.src} ${jar}
+      mkdir -p "$out/bin"
+      makeWrapper "${jre}/bin/java" "$out/bin/code-maat" \
+          --add-flags "-jar ${jar}"
+
+      runHook postInstall
+    '';
+
+  meta = with lib; {
+    description = "A command line tool to mine and analyze data from version-control systems";
+    homepage = "https://github.com/adamtornhill/code-maat";
+    platforms = platforms.unix;
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ sir4ur0n ];
+  };
+})

pkgs/stdenv/booter.nix

@@ -8,7 +8,7 @@
 # special snowflake due to different authors writing in different times.]
 #
 # The second goal is consistency across each stdenv's stage functions. By
-# writing each stage it terms of the previous stage, commonalities between them
+# writing each stage in terms of the previous stage, commonalities between them
 # are more easily observable. [Before, there usually was a big attribute set
 # with each stage, and stages would access the previous stage by name.]
 #

pkgs/tools/nix/fh/default.nix

@@ -9,16 +9,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "fh";
-  version = "0.1.2";
+  version = "0.1.3";
 
   src = fetchFromGitHub {
     owner = "DeterminateSystems";
     repo = "fh";
     rev = "v${version}";
-    hash = "sha256-4IpfVkmSTMTZKsm+eXPtcenMgbis12RaPrJpM1kYaE8=";
+    hash = "sha256-9dWd0syDzoyjnhVoOCazRVA4pAAXud+cxggVlxXzJFg=";
   };
 
-  cargoHash = "sha256-RHUMrA+mzvT9xXOt/flGfvK0uBBUnAtgHOrgvYivTGs=";
+  cargoHash = "sha256-GzS/grxiMlrpJ2OG5BSne4RmSMUXXjKiwYyW4Aj69gc=";
 
   nativeBuildInputs = [
     rustPlatform.bindgenHook

pkgs/tools/security/nuclei/default.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "nuclei";
-  version = "2.9.13";
+  version = "2.9.14";
 
   src = fetchFromGitHub {
     owner = "projectdiscovery";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-mjb7U7F4OZ9nRjtLjZk1s7T+n/VqV/RPMbnGodxRVUE=";
+    hash = "sha256-73MOUzIWA2sO6Y+Xku7f7DlUtsoa0GpfaqJzpEHCV/M=";
   };
 
-  vendorHash = "sha256-/1F2aY3cRLRz06s1KXQ6bt7UgaZgiXEjS/5stGi7xIw=";
+  vendorHash = "sha256-H4QBt00WSvCJi7P6gh4JBDCLSZwt/H5LWcahusdQoRE=";
 
   modRoot = "./v2";
   subPackages = [

pkgs/tools/security/sudo-rs/default.nix

@@ -0,0 +1,83 @@
+{ lib
+, bash
+, fetchFromGitHub
+, fetchpatch
+, installShellFiles
+, pam
+, pandoc
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "sudo-rs";
+  version = "0.2.0";
+
+  src = fetchFromGitHub {
+    owner = "memorysafety";
+    repo = "sudo-rs";
+    rev = "v${version}";
+    hash = "sha256-Kk5D3387hdl6eGWTSV003r+XajuDh6YgHuqYlj9NnaQ=";
+  };
+  cargoHash = "sha256-yeMK37tOgJcs9pW3IclpR5WMXx0gMDJ2wcmInxJYbQ8=";
+
+  nativeBuildInputs = [ installShellFiles pandoc ];
+
+  buildInputs = [ pam ];
+
+  patches = [
+    (fetchpatch {
+      # @R-VdP's patch to work with NixOS' suid wrappers
+      name = "Skip self_check when executed as root.patch";
+      url = "https://github.com/R-VdP/sudo-rs/commit/a44541dcb36b94f938daaed66b3ff06cfc1c2b40.patch";
+      hash = "sha256-PdmOqp/NDjFy8ve4jEOi58e0N9xUnaVKioQwdC5Jf1U=";
+    })
+  ];
+
+  # Don't attempt to generate the docs in a (pan)Docker container
+  postPatch = ''
+    substituteInPlace util/generate-docs.sh \
+      --replace "/usr/bin/env bash" ${lib.getExe bash} \
+      --replace util/pandoc.sh pandoc
+  '';
+
+  postInstall = ''
+    ./util/generate-docs.sh
+    installManPage target/docs/man/*
+  '';
+
+  checkFlags = map (t: "--skip=${t}") [
+    # Those tests make path assumptions
+    "common::command::test::test_build_command_and_args"
+    "common::context::tests::test_build_context"
+    "common::resolve::test::canonicalization"
+    "common::resolve::tests::test_resolve_path"
+    "system::tests::kill_test"
+
+    # Assumes $SHELL is an actual shell
+    "su::context::tests::su_to_root"
+
+    # Attempts to access /etc files from the build sandbox
+    "system::audit::test::secure_open_is_predictable"
+
+    # Assume there is a `daemon` user and group
+    "system::interface::test::test_unix_group"
+    "system::interface::test::test_unix_user"
+    "system::tests::test_get_user_and_group_by_id"
+
+    # This expects some PATH_TZINFO environment var
+    "env::environment::tests::test_tzinfo"
+
+    # Unsure why those are failing
+    "env::tests::test_environment_variable_filtering"
+    "su::context::tests::invalid_shell"
+  ];
+
+  meta = with lib; {
+    description = "A memory safe implementation of sudo and su.";
+    homepage = "https://github.com/memorysafety/sudo-rs";
+    changelog = "${meta.homepage}/blob/v${version}/CHANGELOG.md";
+    license = with licenses; [ asl20 mit ];
+    maintainers = with maintainers; [ nicoo ];
+    platforms = platforms.linux;
+  };
+}

pkgs/tools/system/ttop/default.nix

@@ -2,14 +2,14 @@
 
 nimPackages.buildNimPackage (finalAttrs: {
   pname = "ttop";
-  version = "1.2.0";
+  version = "1.2.1";
   nimBinOnly = true;
 
   src = fetchFromGitHub {
     owner = "inv2004";
     repo = "ttop";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-4Tjf4Qdpiu0ErH3dkff4cwYyw/8F8+VdFV9NZt8p/3o=";
+    hash = "sha256-3wRGeRR1M3jx6GKVd7wSjTdfVlBGF6u3jY3wtK3lAYI=";
   };
 
   buildInputs = with nimPackages; [ asciigraph illwill jsony parsetoml zippy ];

pkgs/top-level/all-packages.nix

@@ -13460,6 +13460,8 @@ with pkgs;
 
   sudo = callPackage ../tools/security/sudo { };
 
+  sudo-rs = callPackage ../tools/security/sudo-rs { };
+
   suidChroot = callPackage ../tools/system/suid-chroot { };
 
   sundtek = callPackage ../misc/drivers/sundtek { };
@@ -42198,4 +42200,6 @@ with pkgs;
   yazi = callPackage ../applications/file-managers/yazi { inherit (darwin.apple_sdk.frameworks) Foundation; };
 
   ssl-proxy = callPackage ../tools/networking/ssl-proxy { };
+
+  code-maat = callPackage ../development/tools/code-maat {};
 }