fix(env): preserve user-set NIX_SSL_CERT_FILE / SSL_CERT_FILE#2896

Open
mikeland73 wants to merge 1 commit into main from claude/focused-goldberg-em7jel

Conversation

@mikeland73 (Collaborator)

Summary

Fixes #2604.

Adding a package that pulls in nss-cacert (for example httpie, or anything depending on python) silently changed NIX_SSL_CERT_FILE inside the Devbox environment:

❯ devbox run -- 'echo $NIX_SSL_CERT_FILE'
# /Library/Application Support/Netskope/STAgent/data/nscacert_combined.pem

❯ devbox add httpie
❯ devbox run -- 'echo $NIX_SSL_CERT_FILE'
# /nix/store/…-nss-cacert-3.108/etc/ssl/certs/ca-bundle.crt   ← clobbered

On machines behind a corporate MITM/proxy, users set NIX_SSL_CERT_FILE (and SSL_CERT_FILE) to a custom CA bundle so that TLS works. When Nix's build environment injected its own store CA bundle, that user value was overwritten and outbound TLS broke for the rest of the project (e.g. bundle install failing). Plain nix shell nixpkgs#httpie leaves the variable untouched, so the behavior was also inconsistent with Nix itself.

Root cause

computeEnv (internal/devbox/devbox.go) layers the output of nix print-dev-env on top of the ambient environment, unconditionally overwriting duplicate keys:

for k, v := range nixEnv {
    env[k] = v
}

When a package brings in nss-cacert, its setup hook sets NIX_SSL_CERT_FILE/SSL_CERT_FILE to a Nix store path, and that value wins over whatever the user had exported. Devbox already special-cases SSL_CERT_FILE for the /no-cert-file.crt sentinel, but nothing protected a real user-provided value, and NIX_SSL_CERT_FILE wasn't handled at all.

Fix

After layering the Nix dev-env, restore the user's own certificate-bundle variables (captured in originalEnv before the merge) when they had explicitly set them:

  • User set NIX_SSL_CERT_FILE/SSL_CERT_FILE → their value is kept (custom CA bundle keeps working).
  • User did not set it → the Nix store value is used, so default behavior is unchanged.

This mirrors how nix shell leaves these variables untouched, and is scoped strictly to the two certificate-bundle variables so the rest of the env layering is unaffected.

cc @jay-aye-see-kay (issue reporter) — thanks for the detailed write-up and for narrowing it down to the env layering.

How was it tested?

  • go test ./internal/devbox/ -run 'SSLCert|ComputeEnv' — passes.
  • Added TestPreserveUserSSLCertFiles (unit test for the restore helper) and TestComputeEnvPreservesUserSSLCertFile (end-to-end through computeEnv with a Nix mock that returns the store CA bundle). The latter fails before this change (returns the Nix store path) and passes after.
  • gofmt and go vet ./internal/devbox/ are clean.

Note: the Nix-backed end-to-end testscripts could not be run in the authoring environment (no nix binary available), but the added tests exercise the exact env-layering logic that gates this behavior.

Community Contribution License

All community contributions in this pull request are licensed to the project
maintainers under the terms of the
Apache 2 License.

By creating this pull request, I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 License as stated in
the
Community Contribution License.

🤖 Generated with Claude Code

https://claude.ai/code/session_01C1aHkQxSgAg5xYXsm1pYRQ
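The layering bug and the restore step described in the PR, reconstructed as a stand-alone Go example. This is an added illustration, not Devbox's own computeEnv or its test code: the function names layerNixEnv, preserveUserSSLCertFiles and computeEnv, the placeholder store paths, and the sample environments are assumptions constructed for the example. One design choice is also an assumption, called out in the code: a variable the user exported as an empty string is treated as unset, since the PR does not say how empty values are handled.

```go
package main

import "fmt"

// Illustrative reconstruction of the env layering described in the PR; not
// Devbox's own code. Function names and sample paths are assumptions.

// certEnvVars are the two certificate-bundle variables the fix protects.
var certEnvVars = [...]string{"NIX_SSL_CERT_FILE", "SSL_CERT_FILE"}

// layerNixEnv copies the ambient environment and then lets every key from the
// `nix print-dev-env` output overwrite it. This is the unconditional
// "for k, v := range nixEnv { env[k] = v }" step from the root-cause section;
// on its own it clobbers a user-set NIX_SSL_CERT_FILE.
func layerNixEnv(ambient, nixEnv map[string]string) map[string]string {
	env := make(map[string]string, len(ambient)+len(nixEnv))
	for k, v := range ambient {
		env[k] = v
	}
	for k, v := range nixEnv {
		env[k] = v
	}
	return env
}

// preserveUserSSLCertFiles puts back the user's own certificate-bundle values,
// taken from the pre-merge snapshot, for exactly the two variables above.
// A variable the user did not export keeps whatever the Nix dev-env provided.
// Treating an exported empty string as "not set" is an assumption made here.
// Returns the keys it restored.
func preserveUserSSLCertFiles(env, originalEnv map[string]string) []string {
	var restored []string
	for _, k := range certEnvVars {
		userVal, set := originalEnv[k]
		if !set || userVal == "" {
			continue
		}
		if env[k] != userVal {
			env[k] = userVal
			restored = append(restored, k)
		}
	}
	return restored
}

// computeEnv snapshots the ambient environment, layers the Nix dev-env on top,
// then restores user-set certificate-bundle variables. Every other key is
// still overwritten by the dev-env, so the rest of the layering is unchanged.
func computeEnv(ambient, nixEnv map[string]string) (map[string]string, []string) {
	originalEnv := make(map[string]string, len(ambient))
	for k, v := range ambient {
		originalEnv[k] = v
	}
	env := layerNixEnv(ambient, nixEnv)
	restored := preserveUserSSLCertFiles(env, originalEnv)
	return env, restored
}

func main() {
	// Constructed sample input: a corporate CA bundle exported by the user, and a
	// dev-env in which an nss-cacert setup hook set both variables to a store path.
	const corpBundle = "/Library/Application Support/Netskope/STAgent/data/nscacert_combined.pem"
	const storeBundle = "/nix/store/placeholder-nss-cacert/etc/ssl/certs/ca-bundle.crt"
	ambient := map[string]string{
		"HOME":              "/Users/alice",
		"NIX_SSL_CERT_FILE": corpBundle,
	}
	nixEnv := map[string]string{
		"PATH":              "/nix/store/placeholder-httpie/bin",
		"NIX_SSL_CERT_FILE": storeBundle,
		"SSL_CERT_FILE":     storeBundle,
	}

	clobbered := layerNixEnv(ambient, nixEnv)
	fmt.Println("before fix:", clobbered["NIX_SSL_CERT_FILE"]) // store bundle wins

	env, restored := computeEnv(ambient, nixEnv)
	fmt.Println("after fix: ", env["NIX_SSL_CERT_FILE"])                 // user's bundle kept
	fmt.Println("SSL_CERT_FILE (not user-set):", env["SSL_CERT_FILE"]) // Nix default used
	fmt.Println("restored:", restored)
}
```

The restored value is trusted exactly as much as the rest of the user's shell environment is; that is the same trust model as plain nix shell, which never touches these variables in the first place. The scoping to two named keys matters: restoring arbitrary user keys over the dev-env would reintroduce the kind of PATH and library-path drift the dev-env exists to control.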


Generated by Claude Code

Adding a package that pulls in nss-cacert (e.g. httpie, python) caused the
Nix dev-env to set NIX_SSL_CERT_FILE/SSL_CERT_FILE to a Nix store CA bundle,
overwriting a value the user had deliberately exported in their own
environment. For users behind a corporate MITM/proxy that requires a custom
CA bundle, this broke outbound TLS for the rest of the project.

Restore the user's own certificate-bundle variables after layering the Nix
dev-env, so an explicitly set value wins while the Nix default is still used
when the user hasn't set one. This mirrors how `nix shell` leaves these
untouched.

Fixes #2604

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01C1aHkQxSgAg5xYXsm1pYRQ
Copilot AI review requested due to automatic review settings June 29, 2026 14:18

Copilot AI left a comment


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.


Development

Successfully merging this pull request may close these issues.

installing package httpie changes env var NIX_SSL_CERT_FILE

3 participants