diff --git a/.bazelrc b/.bazelrc
index 526492b..8555f7f 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -71,6 +71,12 @@
 build --experimental_propagate_custom_flag=@@rules_go+//go/private:request_nogo
 build --experimental_propagate_custom_flag=@@rules_go+//go/private:bootstrap_nogo
 
+# rules_python uses host python for bootstrapping.
+# Override to use a shell script for this.
+# https://github.com/bazelbuild/rules_python/issues/691
+build --@rules_python//python/config_settings:bootstrap_impl=script
+build --experimental_propagate_custom_flag=@@rules_python+//python/config_settings:bootstrap_impl
+
 # No local CPP toolchain resolution. In our sandbox root, it doesn't make sense -
 # anything auto-detected during analysis stage is on the host instead of the sandbox.
 # Sysroot rebuild is pure Go and doesn't need it either.
diff --git a/MODULE.bazel b/MODULE.bazel
index f2e7a4e..8f0a7d2 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -89,6 +89,28 @@
     version = "2.82.2.bcr.5",
 )
 
+bazel_dep(name = "rules_python")
+single_version_override(
+    module_name = "rules_python",
+    patch_strip = 1,
+    patches = [
+        # TODO: Remove if upstream PR is merged
+        # https://github.com/bazel-contrib/rules_python/pull/3087
+        "//third_party/rules_python:use-usr-bin-env-bash.patch",
+    ],
+    version = "1.4.1",
+)
+
+bazel_dep(name = "rules_oci")
+single_version_override(
+    module_name = "rules_oci",
+    patch_strip = 1,
+    patches = [
+        "//third_party/rules_oci:use-default-shell-env.patch",
+    ],
+    version = "2.2.6",
+)
+
 bazel_dep(name = "zstd", version = "1.5.7")
 bazel_dep(name = "gperf", version = "3.1")
 bazel_dep(name = "zlib", version = "1.3.1.bcr.6")
@@ -97,10 +119,8 @@
 bazel_dep(name = "buildifier_prebuilt", version = "8.2.0.2")
 bazel_dep(name = "bazel_skylib", version = "1.8.0")
 bazel_dep(name = "rules_pkg", version = "1.1.0")
-bazel_dep(name = "rules_oci", version = "2.2.6")
 bazel_dep(name = "aspect_bazel_lib", version = "2.19.4")
 bazel_dep(name = "rules_multirun", version = "0.12.0")
-bazel_dep(name = "rules_python", version = "1.4.1")
 bazel_dep(name = "rules_cc", version = "0.1.2")
 bazel_dep(name = "rules_perl", version = "0.2.4")
 bazel_dep(name = "rules_proto", version = "7.1.0")
@@ -136,8 +156,17 @@
 
 register_toolchains("//build/toolchain/toolchain-bundle:all")
 
+# Rust config
 include("//build/bazel:rust.MODULE.bazel")
+
+# Go dependencies
 include("//build/bazel:go.MODULE.bazel")
+
+# OCI Config
 include("//build/bazel:oci.MODULE.bazel")
+
+# Third Party dependencies
 include("//build/bazel:third_party.MODULE.bazel")
+
+# Toolchain Bundle
 include("//build/bazel:toolchain.MODULE.bazel")
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
index 0a27304..03a0ce4 100644
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -22,7 +22,6 @@
     "https://bcr.bazel.build/modules/aspect_bazel_lib/2.19.4/source.json": "506fa924e19fd8a33d617e33a17e4fce845f9ff9acb3a2aa7cf7300650698705",
     "https://bcr.bazel.build/modules/aspect_bazel_lib/2.7.2/MODULE.bazel": "780d1a6522b28f5edb7ea09630748720721dfe27690d65a2d33aa7509de77e07",
     "https://bcr.bazel.build/modules/aspect_bazel_lib/2.8.1/MODULE.bazel": "812d2dd42f65dca362152101fbec418029cc8fd34cbad1a2fde905383d705838",
-    "https://bcr.bazel.build/modules/bazel_features/1.1.1/MODULE.bazel": "27b8c79ef57efe08efccbd9dd6ef70d61b4798320b8d3c134fd571f78963dbcd",
     "https://bcr.bazel.build/modules/bazel_features/1.10.0/MODULE.bazel": "f75e8807570484a99be90abcd52b5e1f390362c258bcb73106f4544957a48101",
     "https://bcr.bazel.build/modules/bazel_features/1.11.0/MODULE.bazel": "f9382337dd5a474c3b7d334c2f83e50b6eaedc284253334cf823044a26de03e8",
     "https://bcr.bazel.build/modules/bazel_features/1.15.0/MODULE.bazel": "d38ff6e517149dc509406aca0db3ad1efdd890a85e049585b7234d04238e2a4d",
@@ -101,8 +100,6 @@
     "https://bcr.bazel.build/modules/platforms/1.0.0/MODULE.bazel": "f05feb42b48f1b3c225e4ccf351f367be0371411a803198ec34a389fb22aa580",
     "https://bcr.bazel.build/modules/platforms/1.0.0/source.json": "f4ff1fd412e0246fd38c82328eb209130ead81d62dcd5a9e40910f867f733d96",
     "https://bcr.bazel.build/modules/protobuf/21.7/MODULE.bazel": "a5a29bb89544f9b97edce05642fac225a808b5b7be74038ea3640fae2f8e66a7",
-    "https://bcr.bazel.build/modules/protobuf/23.1/MODULE.bazel": "88b393b3eb4101d18129e5db51847cd40a5517a53e81216144a8c32dfeeca52a",
-    "https://bcr.bazel.build/modules/protobuf/24.4/MODULE.bazel": "7bc7ce5f2abf36b3b7b7c8218d3acdebb9426aeb35c2257c96445756f970eb12",
     "https://bcr.bazel.build/modules/protobuf/27.0/MODULE.bazel": "7873b60be88844a0a1d8f80b9d5d20cfbd8495a689b8763e76c6372998d3f64c",
     "https://bcr.bazel.build/modules/protobuf/27.1/MODULE.bazel": "703a7b614728bb06647f965264967a8ef1c39e09e8f167b3ca0bb1fd80449c0d",
     "https://bcr.bazel.build/modules/protobuf/28.3/MODULE.bazel": "2b3764bbab2e46703412bd3b859efcf0322638ed015e88432df3bb740507a1e9",
@@ -131,7 +128,6 @@
     "https://bcr.bazel.build/modules/rules_cc/0.0.1/MODULE.bazel": "cb2aa0747f84c6c3a78dad4e2049c154f08ab9d166b1273835a8174940365647",
     "https://bcr.bazel.build/modules/rules_cc/0.0.10/MODULE.bazel": "ec1705118f7eaedd6e118508d3d26deba2a4e76476ada7e0e3965211be012002",
     "https://bcr.bazel.build/modules/rules_cc/0.0.13/MODULE.bazel": "0e8529ed7b323dad0775ff924d2ae5af7640b23553dfcd4d34344c7e7a867191",
-    "https://bcr.bazel.build/modules/rules_cc/0.0.14/MODULE.bazel": "5e343a3aac88b8d7af3b1b6d2093b55c347b8eefc2e7d1442f7a02dc8fea48ac",
     "https://bcr.bazel.build/modules/rules_cc/0.0.15/MODULE.bazel": "6704c35f7b4a72502ee81f61bf88706b54f06b3cbe5558ac17e2e14666cd5dcc",
     "https://bcr.bazel.build/modules/rules_cc/0.0.16/MODULE.bazel": "7661303b8fc1b4d7f532e54e9d6565771fea666fbdf839e0a86affcd02defe87",
     "https://bcr.bazel.build/modules/rules_cc/0.0.17/MODULE.bazel": "2ae1d8f4238ec67d7185d8861cb0a2cdf4bc608697c331b95bf990e69b62e64a",
@@ -150,15 +146,11 @@
     "https://bcr.bazel.build/modules/rules_go/0.55.1/source.json": "827a740c8959c9d20616889e7746cde4dcc6ee80d25146943627ccea0736328f",
     "https://bcr.bazel.build/modules/rules_java/4.0.0/MODULE.bazel": "5a78a7ae82cd1a33cef56dc578c7d2a46ed0dca12643ee45edbb8417899e6f74",
     "https://bcr.bazel.build/modules/rules_java/5.3.5/MODULE.bazel": "a4ec4f2db570171e3e5eb753276ee4b389bae16b96207e9d3230895c99644b86",
-    "https://bcr.bazel.build/modules/rules_java/6.0.0/MODULE.bazel": "8a43b7df601a7ec1af61d79345c17b31ea1fedc6711fd4abfd013ea612978e39",
     "https://bcr.bazel.build/modules/rules_java/6.3.0/MODULE.bazel": "a97c7678c19f236a956ad260d59c86e10a463badb7eb2eda787490f4c969b963",
-    "https://bcr.bazel.build/modules/rules_java/6.4.0/MODULE.bazel": "e986a9fe25aeaa84ac17ca093ef13a4637f6107375f64667a15999f77db6c8f6",
     "https://bcr.bazel.build/modules/rules_java/6.5.2/MODULE.bazel": "1d440d262d0e08453fa0c4d8f699ba81609ed0e9a9a0f02cd10b3e7942e61e31",
-    "https://bcr.bazel.build/modules/rules_java/7.1.0/MODULE.bazel": "30d9135a2b6561c761bd67bd4990da591e6bdc128790ce3e7afd6a3558b2fb64",
     "https://bcr.bazel.build/modules/rules_java/7.10.0/MODULE.bazel": "530c3beb3067e870561739f1144329a21c851ff771cd752a49e06e3dc9c2e71a",
     "https://bcr.bazel.build/modules/rules_java/7.12.2/MODULE.bazel": "579c505165ee757a4280ef83cda0150eea193eed3bef50b1004ba88b99da6de6",
     "https://bcr.bazel.build/modules/rules_java/7.2.0/MODULE.bazel": "06c0334c9be61e6cef2c8c84a7800cef502063269a5af25ceb100b192453d4ab",
-    "https://bcr.bazel.build/modules/rules_java/7.3.2/MODULE.bazel": "50dece891cfdf1741ea230d001aa9c14398062f2b7c066470accace78e412bc2",
     "https://bcr.bazel.build/modules/rules_java/7.6.1/MODULE.bazel": "2f14b7e8a1aa2f67ae92bc69d1ec0fa8d9f827c4e17ff5e5f02e91caa3b2d0fe",
     "https://bcr.bazel.build/modules/rules_java/8.12.0/MODULE.bazel": "8e6590b961f2defdfc2811c089c75716cb2f06c8a4edeb9a8d85eaa64ee2a761",
     "https://bcr.bazel.build/modules/rules_java/8.12.0/source.json": "cbd5d55d9d38d4008a7d00bee5b5a5a4b6031fcd4a56515c9accbcd42c7be2ba",
@@ -168,12 +160,9 @@
     "https://bcr.bazel.build/modules/rules_jvm_external/4.4.2/MODULE.bazel": "a56b85e418c83eb1839819f0b515c431010160383306d13ec21959ac412d2fe7",
     "https://bcr.bazel.build/modules/rules_jvm_external/5.1/MODULE.bazel": "33f6f999e03183f7d088c9be518a63467dfd0be94a11d0055fe2d210f89aa909",
     "https://bcr.bazel.build/modules/rules_jvm_external/5.2/MODULE.bazel": "d9351ba35217ad0de03816ef3ed63f89d411349353077348a45348b096615036",
-    "https://bcr.bazel.build/modules/rules_jvm_external/5.3/MODULE.bazel": "bf93870767689637164657731849fb887ad086739bd5d360d90007a581d5527d",
-    "https://bcr.bazel.build/modules/rules_jvm_external/6.1/MODULE.bazel": "75b5fec090dbd46cf9b7d8ea08cf84a0472d92ba3585b476f44c326eda8059c4",
     "https://bcr.bazel.build/modules/rules_jvm_external/6.3/MODULE.bazel": "c998e060b85f71e00de5ec552019347c8bca255062c990ac02d051bb80a38df0",
     "https://bcr.bazel.build/modules/rules_jvm_external/6.7/MODULE.bazel": "e717beabc4d091ecb2c803c2d341b88590e9116b8bf7947915eeb33aab4f96dd",
     "https://bcr.bazel.build/modules/rules_jvm_external/6.7/source.json": "5426f412d0a7fc6b611643376c7e4a82dec991491b9ce5cb1cfdd25fe2e92be4",
-    "https://bcr.bazel.build/modules/rules_kotlin/1.9.0/MODULE.bazel": "ef85697305025e5a61f395d4eaede272a5393cee479ace6686dba707de804d59",
     "https://bcr.bazel.build/modules/rules_kotlin/1.9.6/MODULE.bazel": "d269a01a18ee74d0335450b10f62c9ed81f2321d7958a2934e44272fe82dcef3",
     "https://bcr.bazel.build/modules/rules_kotlin/1.9.6/source.json": "2faa4794364282db7c06600b7e5e34867a564ae91bda7cae7c29c64e9466b7d5",
     "https://bcr.bazel.build/modules/rules_license/0.0.3/MODULE.bazel": "627e9ab0247f7d1e05736b59dbb1b6871373de5ad31c3011880b4133cafd4bd0",
@@ -192,7 +181,6 @@
     "https://bcr.bazel.build/modules/rules_pkg/1.1.0/source.json": "fef768df13a92ce6067e1cd0cdc47560dace01354f1d921cfb1d632511f7d608",
     "https://bcr.bazel.build/modules/rules_proto/4.0.0/MODULE.bazel": "a7a7b6ce9bee418c1a760b3d84f83a299ad6952f9903c67f19e4edd964894e06",
     "https://bcr.bazel.build/modules/rules_proto/5.3.0-21.7/MODULE.bazel": "e8dff86b0971688790ae75528fe1813f71809b5afd57facb44dad9e8eca631b7",
-    "https://bcr.bazel.build/modules/rules_proto/6.0.0-rc1/MODULE.bazel": "1e5b502e2e1a9e825eef74476a5a1ee524a92297085015a052510b09a1a09483",
     "https://bcr.bazel.build/modules/rules_proto/6.0.2/MODULE.bazel": "ce916b775a62b90b61888052a416ccdda405212b6aaeb39522f7dc53431a5e73",
     "https://bcr.bazel.build/modules/rules_proto/7.0.2/MODULE.bazel": "bf81793bd6d2ad89a37a40693e56c61b0ee30f7a7fdbaf3eabbf5f39de47dea2",
     "https://bcr.bazel.build/modules/rules_proto/7.1.0/MODULE.bazel": "002d62d9108f75bb807cd56245d45648f38275cb3a99dcd45dfb864c5d74cb96",
@@ -203,18 +191,6 @@
     "https://bcr.bazel.build/modules/rules_proto_grpc_buf/5.1.0/source.json": "4eb3add88ecb9682402a671357c2e90fd290264bed1ff50311587014de10e606",
     "https://bcr.bazel.build/modules/rules_proto_grpc_doc/5.1.0/MODULE.bazel": "7a4a6d655a384ae74d2ec56faf17ab6f54936bf5f9e9ada4adffada40ba11d0f",
     "https://bcr.bazel.build/modules/rules_proto_grpc_doc/5.1.0/source.json": "24c5b2c2f777824b37fdcec4b481dcb4bfa7acd41d67837d44ad81e0164a30de",
-    "https://bcr.bazel.build/modules/rules_python/0.10.2/MODULE.bazel": "cc82bc96f2997baa545ab3ce73f196d040ffb8756fd2d66125a530031cd90e5f",
-    "https://bcr.bazel.build/modules/rules_python/0.23.1/MODULE.bazel": "49ffccf0511cb8414de28321f5fcf2a31312b47c40cc21577144b7447f2bf300",
-    "https://bcr.bazel.build/modules/rules_python/0.25.0/MODULE.bazel": "72f1506841c920a1afec76975b35312410eea3aa7b63267436bfb1dd91d2d382",
-    "https://bcr.bazel.build/modules/rules_python/0.28.0/MODULE.bazel": "cba2573d870babc976664a912539b320cbaa7114cd3e8f053c720171cde331ed",
-    "https://bcr.bazel.build/modules/rules_python/0.31.0/MODULE.bazel": "93a43dc47ee570e6ec9f5779b2e64c1476a6ce921c48cc9a1678a91dd5f8fd58",
-    "https://bcr.bazel.build/modules/rules_python/0.33.2/MODULE.bazel": "3e036c4ad8d804a4dad897d333d8dce200d943df4827cb849840055be8d2e937",
-    "https://bcr.bazel.build/modules/rules_python/0.35.0/MODULE.bazel": "c3657951764cdcdb5a7370d5e885fad5e8c1583320aad18d46f9f110d2c22755",
-    "https://bcr.bazel.build/modules/rules_python/0.36.0/MODULE.bazel": "a4ce1ccea92b9106c7d16ab9ee51c6183107e78ba4a37aa65055227b80cd480c",
-    "https://bcr.bazel.build/modules/rules_python/0.4.0/MODULE.bazel": "9208ee05fd48bf09ac60ed269791cf17fb343db56c8226a720fbb1cdf467166c",
-    "https://bcr.bazel.build/modules/rules_python/0.40.0/MODULE.bazel": "9d1a3cd88ed7d8e39583d9ffe56ae8a244f67783ae89b60caafc9f5cf318ada7",
-    "https://bcr.bazel.build/modules/rules_python/1.0.0/MODULE.bazel": "898a3d999c22caa585eb062b600f88654bf92efb204fa346fb55f6f8edffca43",
-    "https://bcr.bazel.build/modules/rules_python/1.1.0/MODULE.bazel": "57e01abae22956eb96d891572490d20e07d983e0c065de0b2170cafe5053e788",
     "https://bcr.bazel.build/modules/rules_python/1.4.1/MODULE.bazel": "8991ad45bdc25018301d6b7e1d3626afc3c8af8aaf4bc04f23d0b99c938b73a6",
     "https://bcr.bazel.build/modules/rules_python/1.4.1/source.json": "8ec8c90c70ccacc4de8ca1b97f599e756fb59173e898ee08b733006650057c07",
     "https://bcr.bazel.build/modules/rules_rust/0.61.0/MODULE.bazel": "0318a95777b9114c8740f34b60d6d68f9cfef61e2f4b52424ca626213d33787b",
@@ -235,10 +211,8 @@
     "https://bcr.bazel.build/modules/stardoc/0.5.1/MODULE.bazel": "1a05d92974d0c122f5ccf09291442580317cdd859f07a8655f1db9a60374f9f8",
     "https://bcr.bazel.build/modules/stardoc/0.5.3/MODULE.bazel": "c7f6948dae6999bf0db32c1858ae345f112cacf98f174c7a8bb707e41b974f1c",
     "https://bcr.bazel.build/modules/stardoc/0.5.4/MODULE.bazel": "6569966df04610b8520957cb8e97cf2e9faac2c0309657c537ab51c16c18a2a4",
-    "https://bcr.bazel.build/modules/stardoc/0.5.6/MODULE.bazel": "c43dabc564990eeab55e25ed61c07a1aadafe9ece96a4efabb3f8bf9063b71ef",
     "https://bcr.bazel.build/modules/stardoc/0.6.2/MODULE.bazel": "7060193196395f5dd668eda046ccbeacebfd98efc77fed418dbe2b82ffaa39fd",
     "https://bcr.bazel.build/modules/stardoc/0.7.0/MODULE.bazel": "05e3d6d30c099b6770e97da986c53bd31844d7f13d41412480ea265ac9e8079c",
-    "https://bcr.bazel.build/modules/stardoc/0.7.1/MODULE.bazel": "3548faea4ee5dda5580f9af150e79d0f6aea934fc60c1cc50f4efdd9420759e7",
     "https://bcr.bazel.build/modules/stardoc/0.7.2/MODULE.bazel": "fc152419aa2ea0f51c29583fab1e8c99ddefd5b3778421845606ee628629e0e5",
     "https://bcr.bazel.build/modules/stardoc/0.7.2/source.json": "58b029e5e901d6802967754adf0a9056747e8176f017cfe3607c0851f4d42216",
     "https://bcr.bazel.build/modules/swift_argument_parser/1.3.1.1/MODULE.bazel": "5e463fbfba7b1701d957555ed45097d7f984211330106ccd1352c6e0af0dcf91",
@@ -248,7 +222,6 @@
     "https://bcr.bazel.build/modules/toolchains_protoc/0.4.1/MODULE.bazel": "05d6c16474a7a96002dd5512c444aa6965ebcf95f3e0c47001aa18269fbecec9",
     "https://bcr.bazel.build/modules/toolchains_protoc/0.4.1/source.json": "474d926c8e845762faaa42e792fc66cd36794daee4c8af900f673fad0b403a8d",
     "https://bcr.bazel.build/modules/upb/0.0.0-20220923-a547704/MODULE.bazel": "7298990c00040a0e2f121f6c32544bab27d4452f80d9ce51349b1a28f3005c43",
-    "https://bcr.bazel.build/modules/upb/0.0.0-20230516-61a97ef/MODULE.bazel": "c0df5e35ad55e264160417fd0875932ee3c9dda63d9fccace35ac62f45e1b6f9",
     "https://bcr.bazel.build/modules/yq.bzl/0.1.1/MODULE.bazel": "9039681f9bcb8958ee2c87ffc74bdafba9f4369096a2b5634b88abc0eaefa072",
     "https://bcr.bazel.build/modules/yq.bzl/0.1.1/source.json": "2d2bad780a9f2b9195a4a370314d2c17ae95eaa745cefc2e12fbc49759b15aa3",
     "https://bcr.bazel.build/modules/zlib/1.2.11/MODULE.bazel": "07b389abc85fdbca459b69e2ec656ae5622873af3f845e1c9d80fe179f3effa0",
diff --git a/build/bazel/go.MODULE.bazel b/build/bazel/go.MODULE.bazel
index f1e10f5..dfa5b91 100644
--- a/build/bazel/go.MODULE.bazel
+++ b/build/bazel/go.MODULE.bazel
@@ -184,6 +184,10 @@
         ],
     },
     "github.com/bytecodealliance/wasmtime-go/v14": {
+        # wasmtime brings its own BUILD files and for some reason,
+        # Bazel regenerates them in the nixos/nix container but not on
+        # NixOS. We disable replacing the existing directives to fix this.
+        "build_file_generation": "off",
         "directives": [
             "gazelle:go_naming_convention go_default_library",
         ],
diff --git a/build/bazel/toolchain.MODULE.bazel b/build/bazel/toolchain.MODULE.bazel
index f0434f5..f691078 100644
--- a/build/bazel/toolchain.MODULE.bazel
+++ b/build/bazel/toolchain.MODULE.bazel
@@ -3,17 +3,17 @@
 http_archive(
     name = "toolchain-bundle-x86_64-unknown-linux-musl",
     build_file = "//build/toolchain/toolchain-bundle:toolchain-bundle.bzl",
-    integrity = "sha256-tpbvNL5S4t2WLkcj027sghf8tEzVJFL1e5leyx8JkCI=",
+    integrity = "sha256-7wceZhsWdZLXT2KW05NmmbUCYKA+DmudjPqTO3qX29I=",
     urls = [
-        "https://storage.googleapis.com/monogon-infra-public/toolchain/toolchain-bundle-x86_64-unknown-linux-musl-release-25.05.ffdcefdde9a4e540d1c875767da0e382e1ccf460.tar.zst",
+        "https://storage.googleapis.com/monogon-infra-public/toolchain/9iv889bzlsg1dglkmqdnabak5ffbp2km-toolchain/toolchain-bundle-x86_64-unknown-linux-musl.tar.zst",
     ],
 )
 
 http_archive(
     name = "toolchain-bundle-aarch64-unknown-linux-musl",
     build_file = "//build/toolchain/toolchain-bundle:toolchain-bundle.bzl",
-    integrity = "sha256-6caDQ8S+DGXHy2xSAhfRu5EXFLZ7NNqbtkY6o1i33F4=",
+    integrity = "sha256-7ckBNZ5186xDDsDlsUVMNIciY9nECfH70KoB/FUZKRc=",
     urls = [
-        "https://storage.googleapis.com/monogon-infra-public/toolchain/toolchain-bundle-aarch64-unknown-linux-musl-release-25.05.ffdcefdde9a4e540d1c875767da0e382e1ccf460.tar.zst",
+        "https://storage.googleapis.com/monogon-infra-public/toolchain/9iv889bzlsg1dglkmqdnabak5ffbp2km-toolchain/toolchain-bundle-aarch64-unknown-linux-musl.tar.zst",
     ],
 )
diff --git a/build/toolchain/toolchain-bundle/BUILD.bazel b/build/toolchain/toolchain-bundle/BUILD.bazel
index 82437da..66de9f5 100644
--- a/build/toolchain/toolchain-bundle/BUILD.bazel
+++ b/build/toolchain/toolchain-bundle/BUILD.bazel
@@ -1,4 +1,7 @@
 load("@rules_perl//perl:toolchain.bzl", "perl_toolchain")
+load("@rules_python//python:py_exec_tools_toolchain.bzl", "py_exec_tools_toolchain")
+load("@rules_python//python:py_runtime.bzl", "py_runtime")
+load("@rules_python//python:py_runtime_pair.bzl", "py_runtime_pair")
 load(":toolchain.bzl", "SUPPORTED_TARGETS", "TOOLCHAINS", "toolchain_for")
 
 package(default_visibility = ["//visibility:public"])
@@ -11,6 +14,42 @@
     for name, config in TOOLCHAINS.items()
 ]
 
+[
+    [
+        py_runtime(
+            name = "rules_python_%s_python3_12_runtime" % target.tuple,
+            interpreter = "@toolchain-bundle-%s//:python3.12" % target.triple,
+            interpreter_version_info = {
+                "major": str(3),
+                "minor": str(12),
+                "micro": str(0),
+            },
+            python_version = "PY3",
+        ),
+        py_runtime_pair(
+            name = "rules_python_%s_python3_12_runtime_pair" % target.tuple,
+            py3_runtime = ":rules_python_%s_python3_12_runtime" % target.tuple,
+        ),
+        py_exec_tools_toolchain(
+            name = "rules_python_%s_python3_12_exec_tools_toolchain_impl" % target.tuple,
+            exec_interpreter = ":rules_python_%s_python3_12_runtime_pair" % target.tuple,
+        ),
+        toolchain(
+            name = "rules_python_%s_python3_12_runtime_toolchain" % target.tuple,
+            exec_compatible_with = target.constrain,
+            toolchain = ":rules_python_%s_python3_12_runtime_pair" % target.tuple,
+            toolchain_type = "@rules_python//python:toolchain_type",
+        ),
+        toolchain(
+            name = "rules_python_%s_python3_12_exec_tools_toolchain" % target.tuple,
+            exec_compatible_with = target.constrain,
+            toolchain = ":rules_python_%s_python3_12_exec_tools_toolchain_impl" % target.tuple,
+            toolchain_type = "@rules_python//python:exec_tools_toolchain_type",
+        ),
+    ]
+    for target in SUPPORTED_TARGETS
+]
+
 # rules_perl wiring
 
 [
diff --git a/build/toolchain/toolchain-bundle/toolchain-bundle.bzl b/build/toolchain/toolchain-bundle/toolchain-bundle.bzl
index 6ac17fb..c2de9d1 100644
--- a/build/toolchain/toolchain-bundle/toolchain-bundle.bzl
+++ b/build/toolchain/toolchain-bundle/toolchain-bundle.bzl
@@ -4,6 +4,32 @@
     "**/*",
 ]))
 
+filegroup(
+    name = "python3.12",
+    srcs = [
+        ":bin/python3.12",
+    ],
+    data = glob([
+        "lib/python3.12/**",
+    ]),
+)
+
+filegroup(
+    name = "python3.12_headers",
+    srcs = glob([
+        "include/python3.12/**",
+    ]),
+)
+
+filegroup(
+    name = "python3.12_libs",
+    srcs = glob([
+        "lib/python3.12/**",
+    ]) + [
+        ":lib/libpython3.12.a",
+    ],
+)
+
 # rules_perl expects all files as src entry, this does prevent us using
 # $(execpath) which is why we have another filegroup that uses this as
 # data dep.
diff --git a/shell.nix b/shell.nix
index 155726c..d57734f 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,56 +1,16 @@
 # If you're on NixOS, use me! `nix-shell --pure`.
-{ pkgs ? (import ./third_party/nix { }), extraConf ? "" }:
-let
-  wrapper = pkgs.writeScript "wrapper.sh"
-    ''
-      # Fancy colorful PS1 to make people notice easily they're in the Monogon Nix shell.
-      PS1='\[\033]0;\u/monogon:\w\007\]'
-      if type -P dircolors >/dev/null ; then
-        PS1+='\[\033[01;35m\]\u/monogon\[\033[01;36m\] \w \$\[\033[00m\] '
-      fi
-      export PS1
+{ pkgs ? (import ./third_party/nix { }) }:
+pkgs.mkShell {
+  # Let some downstream machinery know we're on NixOS. This is used mostly to
+  # work around Bazel/NixOS interactions.
+  env.MONOGON_NIXOS="yep";
 
-      # Use Nix-provided cert store.
-      export NIX_SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-      export SSL_CERT_FILE="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-
-      # Let some downstream machinery know we're on NixOS. This is used mostly to
-      # work around Bazel/NixOS interactions.
-      export MONOGON_NIXOS=yep
-
-      # Convince rules_go to use /bin/bash and not a NixOS store bash which has
-      # no idea how to resolve other things in the nix store once PATH is
-      # stripped by (host_)action_env.
-      export BAZEL_SH=/bin/bash
-
-      # buildFHSEnv makes /etc a tmpfs and symlinks some files from host /etc.
-      # Create some additional symlinks for files we want from host /etc.
-      for i in bazel.bazelrc gitconfig; do
-          if [[ -e "/.host-etc/$i" ]] && [[ ! -e "/etc/$i" ]]; then
-              ln -s "/.host-etc/$i" "/etc/$i"
-          fi
-      done
-
-      ${extraConf}
-
-      # Allow passing a custom command via env since nix-shell doesn't support
-      # this yet: https://github.com/NixOS/nix/issues/534
-      if [ ! -n "$COMMAND" ]; then
-          COMMAND="bash --noprofile --norc"
-      fi
-      exec $COMMAND
-    '';
-in
-(pkgs.buildFHSEnv {
-  name = "monogon-nix";
-  targetPkgs = targetPkgs: with targetPkgs; [
-    bazel-unwrapped # Our custom bazel package based on upstream
-    zlib # Bazel dependency
+  buildInputs = with pkgs; [
+    bazel_8 # Our custom bazel package
     python3 # Workspace status script
     git # Bazel expects git to be available
     gnupg # our gopass integration requires gpg in the PATH
     niv # For updating third_party/nix
     google-cloud-sdk # Pushing containers to GCR
   ];
-  runScript = wrapper;
-}).env
+}
diff --git a/third_party/edk2/def.bzl b/third_party/edk2/def.bzl
index 3e8c09f..b1a8bd6 100644
--- a/third_party/edk2/def.bzl
+++ b/third_party/edk2/def.bzl
@@ -16,6 +16,7 @@
 ]
 
 def _edk2_impl(ctx):
+    py_runtime = ctx.toolchains["@bazel_tools//tools/python:toolchain_type"].py3_runtime
     _, libuuid_gen = detect_roots(ctx.attr._libuuid[CcInfo].compilation_context.direct_public_headers)
     extra_env = {
         "HOSTLDFLAGS": " -L ".join(
@@ -32,6 +33,7 @@
         ),
         "CROSS_LIB_UUID_INC": libuuid_gen.rsplit("/", 1)[0],
         "CROSS_LIB_UUID": detect_root(ctx.attr._libuuid.files.to_list()).rsplit("/", 1)[0],
+        "PYTHON_COMMAND": py_runtime.interpreter.path,
     }
 
     inputs = depset(
@@ -72,7 +74,7 @@
     vars = ctx.actions.declare_file("VARS.fd")
     ctx.actions.run_shell(
         outputs = [code, vars],
-        inputs = depset(transitive = [inputs, toolchain_inputs]),
+        inputs = depset(transitive = [inputs, toolchain_inputs, py_runtime.files]),
         env = merge_env(toolchain_env, extra_env),
         progress_message = "Building EDK2 firmware",
         mnemonic = "BuildEDK2Firmware",
@@ -135,5 +137,7 @@
         ),
     },
     fragments = ["cpp"],
-    toolchains = TOOLCHAINS + use_cc_toolchain(),
+    toolchains = [
+        "@bazel_tools//tools/python:toolchain_type",
+    ] + TOOLCHAINS + use_cc_toolchain(),
 )
diff --git a/third_party/nix/default.nix b/third_party/nix/default.nix
index eab83d7..726119e 100644
--- a/third_party/nix/default.nix
+++ b/third_party/nix/default.nix
@@ -9,6 +9,7 @@
           util-linux-minimal = import ./pkgs/util-linux { pkgs = super; };
           bazel-unwrapped = import ./pkgs/bazel { pkgs = super; };
           perl = import ./pkgs/perl { pkgs = super; };
+          bazel_8 = self.callPackage ./pkgs/bazel_8/package.nix { };
           python3Minimal = import ./pkgs/python3 { pkgs = super; };
           bison = import ./pkgs/bison { pkgs = super; };
         })
diff --git a/third_party/nix/pkgs/bazel/bazel-inner.sh b/third_party/nix/pkgs/bazel/bazel-inner.sh
deleted file mode 100755
index 7b978bc..0000000
--- a/third_party/nix/pkgs/bazel/bazel-inner.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/bash
-function get_workspace_root() {
-  workspace_dir="${PWD}"
-  while [[ "${workspace_dir}" != / ]]; do
-    if [[ -e "${workspace_dir}/WORKSPACE" || -e "${workspace_dir}/WORKSPACE.bazel" || -e "${workspace_dir}/MODULE.bazel" ]]; then
-      readonly workspace_dir
-      return
-    fi
-    workspace_dir="$(dirname "${workspace_dir}")"
-  done
-  readonly workspace_dir=""
-}
-
-get_workspace_root
-readonly wrapper="${workspace_dir}/tools/bazel"
-if [ -f "${wrapper}" ]; then
-  exec -a "$0" "${wrapper}" "$@"
-fi
-exec -a "$0" "${BAZEL_REAL}" "$@"
diff --git a/third_party/nix/pkgs/bazel/default.nix b/third_party/nix/pkgs/bazel/default.nix
deleted file mode 100644
index c181db3..0000000
--- a/third_party/nix/pkgs/bazel/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ pkgs }: with pkgs;
-stdenv.mkDerivation {
-  name = "bazel";
-  src = builtins.fetchurl {
-    url = "https://github.com/bazelbuild/bazel/releases/download/8.3.1/bazel-8.3.1-linux-x86_64";
-    sha256 = "0k3067d06b8160day48afskr42c41bz0qgb3pk9mjpr4hj57w90p";
-  };
-  unpackPhase = ''
-    true
-  '';
-  nativeBuildInputs = [ makeWrapper ];
-  buildPhase = ''
-    mkdir -p $out/bin
-    cp $src $out/bin/.bazel-inner
-    chmod +x $out/bin/.bazel-inner
-
-    cp ${./bazel-inner.sh} $out/bin/bazel
-    chmod +x $out/bin/bazel
-
-    # Use wrapProgram to set the actual bazel path
-    wrapProgram $out/bin/bazel --set BAZEL_REAL $out/bin/.bazel-inner
-  '';
-  dontStrip = true;
-}
diff --git a/third_party/nix/pkgs/bazel_8/LICENSE b/third_party/nix/pkgs/bazel_8/LICENSE
new file mode 100644
index 0000000..6d47368
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2003-2025 Eelco Dolstra and the Nixpkgs/NixOS contributors
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/third_party/nix/pkgs/bazel_8/README.md b/third_party/nix/pkgs/bazel_8/README.md
new file mode 100644
index 0000000..000f0b8
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/README.md
@@ -0,0 +1,6 @@
+# Bazel 8 Nix Package
+
+This build is based on https://github.com/NixOS/nixpkgs/pull/400941, the only
+difference being the addition of `bash` to the default shell environment. As 
+soon as the PR is merged, we can replace it with a small override to inject
+bash into the dependencies.
\ No newline at end of file
diff --git a/third_party/nix/pkgs/bazel_8/bazel-execlog.sh b/third_party/nix/pkgs/bazel_8/bazel-execlog.sh
new file mode 100644
index 0000000..7a6fd6c
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/bazel-execlog.sh
@@ -0,0 +1,3 @@
+#!@runtimeShell@
+
+exec @binJava@ -jar @out@/share/parser_deploy.jar "$@"
diff --git a/third_party/nix/pkgs/bazel_8/build-support/bazelDerivation.nix b/third_party/nix/pkgs/bazel_8/build-support/bazelDerivation.nix
new file mode 100644
index 0000000..0d6b3ca
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/build-support/bazelDerivation.nix
@@ -0,0 +1,72 @@
+{ stdenv
+, lndir
+, lib
+,
+}:
+
+args@{ bazel
+, registry ? null
+, bazelRepoCache ? null
+, bazelVendorDeps ? null
+, startupArgs ? [ ]
+, commandArgs ? [ ]
+, bazelPreBuild ? ""
+, bazelPostBuild ? ""
+, serverJavabase ? null
+, targets
+, command
+, ...
+}:
+
+stdenv.mkDerivation (
+  {
+    preBuildPhases = [ "preBuildPhase" ];
+    preBuildPhase =
+      (lib.optionalString (bazelRepoCache != null) ''
+        # repo_cache needs to be writeable even in air-gapped builds
+        mkdir repo_cache
+        ${lndir}/bin/lndir -silent ${bazelRepoCache}/repo_cache repo_cache
+      '')
+
+      + (lib.optionalString (bazelVendorDeps != null) ''
+        mkdir vendor_dir
+        ${lndir}/bin/lndir -silent ${bazelVendorDeps}/vendor_dir vendor_dir
+
+        # pin all deps to avoid re-fetch attempts by Bazel
+        rm vendor_dir/VENDOR.bazel
+        find vendor_dir -maxdepth 1 -type d -printf "pin(\"@@%P\")\n" > vendor_dir/VENDOR.bazel
+      '')
+      # keep preBuildPhase always defined as it is listed in preBuildPhases
+      + ''
+        true
+      '';
+    buildPhase = ''
+      runHook preBuild
+
+      export HOME=$(mktemp -d)
+
+      ${bazelPreBuild}
+
+      ${bazel}/bin/bazel ${
+        lib.strings.concatStringsSep " " (
+          lib.optional (serverJavabase != null) "--server_javabase=${serverJavabase}"
+          ++ [ "--batch" ]
+          ++ startupArgs
+        )
+      } ${command} ${
+        lib.strings.concatStringsSep " " (
+          lib.optional (registry != null) "--registry=file://${registry}"
+          ++ lib.optional (bazelRepoCache != null) "--repository_cache=repo_cache"
+          ++ lib.optional (bazelVendorDeps != null) "--vendor_dir=vendor_dir"
+          ++ commandArgs
+        )
+      } ${lib.strings.concatStringsSep " " targets}
+
+      ${bazelPostBuild}
+
+      runHook postBuild
+    '';
+
+  }
+    // args
+)
diff --git a/third_party/nix/pkgs/bazel_8/build-support/bazelPackage.nix b/third_party/nix/pkgs/bazel_8/build-support/bazelPackage.nix
new file mode 100644
index 0000000..ee33b6e
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/build-support/bazelPackage.nix
@@ -0,0 +1,164 @@
+{ callPackage
+, gnugrep
+, lib
+, autoPatchelfHook
+, stdenv
+,
+}:
+
+{ name
+, src
+, sourceRoot ? null
+, version ? null
+, targets
+, bazel
+, startupArgs ? [ ]
+, commandArgs ? [ ]
+, env ? { }
+, serverJavabase ? null
+, registry ? null
+, bazelRepoCacheFOD ? {
+    outputHash = null;
+    outputHashAlgo = "sha256";
+  }
+, bazelVendorDepsFOD ? {
+    outputHash = null;
+    outputHashAlgo = "sha256";
+  }
+, installPhase
+, buildInputs ? [ ]
+, nativeBuildInputs ? [ ]
+, autoPatchelfIgnoreMissingDeps ? null
+,
+}:
+let
+  # FOD produced by `bazel fetch`
+  # Repo cache contains content-addressed external Bazel dependencies without any patching
+  # Potentially this can be nixified via --experimental_repository_resolved_file
+  # (Note: file itself isn't reproducible because it has lots of extra info and order
+  #        isn't stable too. Parsing it into nix fetch* commands isn't trivial but might be possible)
+  bazelRepoCache =
+    if bazelRepoCacheFOD.outputHash == null then
+      null
+    else
+      (callPackage ./bazelDerivation.nix { } {
+        name = "bazelRepoCache";
+        inherit (bazelRepoCacheFOD) outputHash outputHashAlgo;
+        inherit
+          src
+          version
+          sourceRoot
+          env
+          buildInputs
+          nativeBuildInputs
+          ;
+        inherit registry;
+        inherit
+          bazel
+          targets
+          startupArgs
+          serverJavabase
+          ;
+        command = "fetch";
+        outputHashMode = "recursive";
+        commandArgs = [ "--repository_cache repo_cache" ] ++ commandArgs;
+        bazelPreBuild = ''
+          mkdir repo_cache
+        '';
+        installPhase = ''
+          mkdir -p $out/repo_cache
+          cp -r --reflink=auto repo_cache/* $out/repo_cache
+        '';
+      });
+  # Stage1: FOD produced by `bazel vendor`, Stage2: eventual patchelf or other tuning
+  # Vendor deps contains unpacked&patches external dependencies, this may need Nix-specific
+  # patching to address things like
+  # - broken symlinks
+  # - symlinks or other references to absolute nix store paths which isn't allowed for FOD
+  # - autoPatchelf for externally-fetched binaries
+  #
+  # Either repo cache or vendor deps should be enough to build a given package
+  bazelVendorDeps =
+    if bazelVendorDepsFOD.outputHash == null then
+      null
+    else
+      (
+        let
+          stage1 = callPackage ./bazelDerivation.nix { } {
+            name = "bazelVendorDepsStage1";
+            inherit (bazelVendorDepsFOD) outputHash outputHashAlgo;
+            inherit
+              src
+              version
+              sourceRoot
+              env
+              buildInputs
+              nativeBuildInputs
+              ;
+            inherit registry;
+            inherit
+              bazel
+              targets
+              startupArgs
+              serverJavabase
+              ;
+            dontFixup = true;
+            command = "vendor";
+            outputHashMode = "recursive";
+            commandArgs = [ "--vendor_dir vendor_dir" ] ++ commandArgs;
+            bazelPreBuild = ''
+              mkdir vendor_dir
+            '';
+            bazelPostBuild = ''
+              # remove symlinks that point to locations under bazel_src/
+              find vendor_dir -type l -lname "$HOME/*" -exec rm '{}' \;
+              # remove symlinks to temp build directory on darwin
+              find vendor_dir -type l -lname "/private/var/tmp/*" -exec rm '{}' \;
+              # remove broken symlinks
+              find vendor_dir -xtype l -exec rm '{}' \;
+
+              # remove .marker files referencing NIX_STORE as those references aren't allowed in FOD
+              (${gnugrep}/bin/grep -rI "$NIX_STORE/" vendor_dir --files-with-matches --include="*.marker" --null || true) \
+                | xargs -0 --no-run-if-empty rm
+            '';
+            installPhase = ''
+              mkdir -p $out/vendor_dir
+              cp -r --reflink=auto vendor_dir/* $out/vendor_dir
+            '';
+
+          };
+        in
+        stdenv.mkDerivation {
+          name = "bazelVendorDeps";
+          buildInputs = lib.optional (!stdenv.hostPlatform.isDarwin) autoPatchelfHook ++ buildInputs;
+          inherit autoPatchelfIgnoreMissingDeps;
+          src = stage1;
+          installPhase = ''
+            cp -r . $out
+          '';
+        }
+      );
+
+  package = callPackage ./bazelDerivation.nix { } {
+    inherit
+      name
+      src
+      version
+      sourceRoot
+      env
+      buildInputs
+      nativeBuildInputs
+      ;
+    inherit registry bazelRepoCache bazelVendorDeps;
+    inherit
+      bazel
+      targets
+      startupArgs
+      serverJavabase
+      commandArgs
+      ;
+    inherit installPhase;
+    command = "build";
+  };
+in
+package // { passthru = { inherit bazelRepoCache bazelVendorDeps; }; }
diff --git a/third_party/nix/pkgs/bazel_8/build-support/patching.nix b/third_party/nix/pkgs/bazel_8/build-support/patching.nix
new file mode 100644
index 0000000..f43065b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/build-support/patching.nix
@@ -0,0 +1,24 @@
+{ stdenv
+,
+}:
+{
+  # If there's a need to patch external dependencies managed by Bazel
+  # one option is to configure patches on Bazel level. Bazel doesn't
+  # allow patches to be in absolute paths so this helper will produce
+  # sources patch that adds given file to given location
+  addFilePatch =
+    { path
+    , file
+    ,
+    }:
+    stdenv.mkDerivation {
+      name = "add_file.patch";
+      dontUnpack = true;
+      buildPhase = ''
+        mkdir -p $(dirname "${path}")
+        cp ${file} "${path}"
+        diff -u /dev/null "${path}" >result.patch || true  # diff exit code is non-zero if there's a diff
+      '';
+      installPhase = ''cp result.patch $out'';
+    };
+}
diff --git a/third_party/nix/pkgs/bazel_8/defaultShell.nix b/third_party/nix/pkgs/bazel_8/defaultShell.nix
new file mode 100644
index 0000000..0deb516
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/defaultShell.nix
@@ -0,0 +1,41 @@
+{ lib
+, makeBinaryWrapper
+, writeShellApplication
+, bash
+, stdenv
+,
+}:
+{ defaultShellUtils }:
+let
+  defaultShellPath = lib.makeBinPath defaultShellUtils;
+
+  bashWithDefaultShellUtilsSh = writeShellApplication {
+    name = "bash";
+    runtimeInputs = defaultShellUtils;
+    # Empty PATH in Nixpkgs Bash is translated to /no-such-path
+    # On other distros empty PATH search fallback is looking in standard
+    # locations like /bin,/usr/bin
+    # For Bazel many rules rely on such search finding some common utils,
+    # so we provide them in case rules or arguments didn't specify a precise PATH
+    text = ''
+      if [[ "$PATH" == "/no-such-path" ]]; then
+        export PATH=${defaultShellPath}
+      fi
+      exec ${bash}/bin/bash "$@"
+    '';
+  };
+
+in
+{
+  inherit defaultShellUtils defaultShellPath;
+  # Script-based interpreters in shebangs aren't guaranteed to work,
+  # especially on MacOS. So let's produce a binary
+  bashWithDefaultShellUtils = stdenv.mkDerivation {
+    name = "bash";
+    src = bashWithDefaultShellUtilsSh;
+    nativeBuildInputs = [ makeBinaryWrapper ];
+    buildPhase = ''
+      makeWrapper ${bashWithDefaultShellUtilsSh}/bin/bash $out/bin/bash
+    '';
+  };
+}
diff --git a/third_party/nix/pkgs/bazel_8/examples.nix b/third_party/nix/pkgs/bazel_8/examples.nix
new file mode 100644
index 0000000..18b3647
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/examples.nix
@@ -0,0 +1,116 @@
+{ fetchFromGitHub
+, lib
+, bazel_8
+, libgcc
+, cctools
+, stdenv
+, jdk_headless
+, callPackage
+, zlib
+,
+}:
+let
+  bazelPackage = callPackage ./build-support/bazelPackage.nix { };
+  registry = fetchFromGitHub {
+    owner = "bazelbuild";
+    repo = "bazel-central-registry";
+    rev = "9342d3ec42ebafc2c06c33aa9d83b25ed984ebb1";
+    sha256 = "sha256-VT63Y8w9BawBXl5xgujG4Gv3SEGbUADGVsNPdUoDvsY=";
+  };
+  src = fetchFromGitHub {
+    owner = "bazelbuild";
+    repo = "examples";
+    rev = "568db753be213cc4be6c599e54ca64061ddbe6da";
+    sha256 = "sha256-F+iKi82uGWmJ+ICpITePdsA1SkncavSdgLkOKMr5LwM=";
+  };
+in
+{
+  java = bazelPackage {
+    inherit src registry;
+    sourceRoot = "source/java-tutorial";
+    name = "java-tutorial";
+    targets = [ "//:ProjectRunner" ];
+    bazel = bazel_8;
+    commandArgs = [
+      "--extra_toolchains=@@rules_java++toolchains+local_jdk//:all"
+      "--tool_java_runtime_version=local_jdk_21"
+    ];
+    env = {
+      JAVA_HOME = jdk_headless.home;
+      USE_BAZEL_VERSION = bazel_8.version;
+    };
+    installPhase = ''
+      mkdir $out
+      cp bazel-bin/ProjectRunner.jar $out/
+    '';
+    nativeBuildInputs = lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+    bazelRepoCacheFOD = {
+      outputHash = lib.attrsets.attrByPath [ stdenv.hostPlatform.system ] null {
+        x86_64-linux = "sha256-64Ze+t0UYR2qQNECWes27SjzdkP+z5eJsCAO+OR+h/o=";
+        x86_64-darwin = lib.fakeHash;
+        aarch64-linux = "sha256-vEcOTdJM2YYle3PijKwroyM7LpfyK/3k/egRKDbjsmU=";
+        aarch64-darwin = "sha256-ya85EJikYXWpjtlgNu7i0DqtACgZBsppGEv3SVoJ6JA=";
+      };
+      outputHashAlgo = "sha256";
+    };
+  };
+  cpp = bazelPackage {
+    inherit src registry;
+    sourceRoot = "source/cpp-tutorial/stage3";
+    name = "cpp-tutorial";
+    targets = [ "//main:hello-world" ];
+    bazel = bazel_8;
+    installPhase = ''
+      mkdir $out
+      cp bazel-bin/main/hello-world $out/
+    '';
+    nativeBuildInputs = lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+    commandArgs = lib.optionals (stdenv.hostPlatform.isDarwin) [
+      "--host_cxxopt=-xc++"
+      "--cxxopt=-xc++"
+    ];
+    env = {
+      USE_BAZEL_VERSION = bazel_8.version;
+    };
+    bazelRepoCacheFOD = {
+      outputHash =
+        {
+          x86_64-linux = "sha256-oPPWQdflAPMxF9YPazC//r0R3Sh6fUmNQe0oLM5EBUI=";
+          aarch64-linux = "sha256-oPPWQdflAPMxF9YPazC//r0R3Sh6fUmNQe0oLM5EBUI=";
+          aarch64-darwin = "sha256-oPPWQdflAPMxF9YPazC//r0R3Sh6fUmNQe0oLM5EBUI=";
+          x86_64-darwin = lib.fakeHash;
+        }.${stdenv.hostPlatform.system};
+      outputHashAlgo = "sha256";
+    };
+  };
+  rust = bazelPackage {
+    inherit src registry;
+    sourceRoot = "source/rust-examples/01-hello-world";
+    name = "rust-examples-01-hello-world";
+    targets = [ "//:bin" ];
+    bazel = bazel_8;
+    env = {
+      USE_BAZEL_VERSION = bazel_8.version;
+    };
+    installPhase = ''
+      mkdir $out
+      cp bazel-bin/bin $out/hello-world
+    '';
+    buildInputs = [
+      zlib
+      libgcc
+    ];
+    nativeBuildInputs = lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+    autoPatchelfIgnoreMissingDeps = [ "librustc_driver-*.so" ];
+    bazelVendorDepsFOD = {
+      outputHash =
+        {
+          aarch64-linux = "sha256-2xopm/OCg9A1LqoW1ZesQc5pF/vX0ToIj1JYMtweVR0=";
+          x86_64-linux = "sha256-v987hMC6w2Lwr/PZn2zGHhHmXzecI2koLjOmGz0Mzng=";
+          aarch64-darwin = "sha256-sS7PzLI44dX7P0PY/68YjRSDkNJ6w5BklJNsXPHuOPc=";
+          x86_64-darwin = lib.fakeHash;
+        }.${stdenv.hostPlatform.system};
+      outputHashAlgo = "sha256";
+    };
+  };
+}
diff --git a/third_party/nix/pkgs/bazel_8/package.nix b/third_party/nix/pkgs/bazel_8/package.nix
new file mode 100644
index 0000000..7a27697
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/package.nix
@@ -0,0 +1,355 @@
+{ stdenv
+, callPackage
+, # nix tooling and utilities
+  darwin
+, lib
+, fetchzip
+, fetchpatch
+, makeWrapper
+, writeTextFile
+, replaceVars
+, # native build inputs
+  runtimeShell
+, zip
+, unzip
+, bash
+, coreutils
+, which
+, gawk
+, gnused
+, gnutar
+, gnugrep
+, gzip
+, findutils
+, diffutils
+, gnupatch
+, file
+, installShellFiles
+, python3
+, # Apple dependencies
+  cctools
+, # Allow to independently override the jdks used to build and run respectively
+  jdk_headless
+, # Toggle for hacks for running bazel under buildBazelPackage:
+  # Always assume all markers valid (this is needed because we remove markers; they are non-deterministic).
+  # Also, don't clean up environment variables (so that NIX_ environment variables are passed to compilers).
+  version ? "8.3.1"
+,
+}:
+
+let
+  inherit (callPackage ./build-support/patching.nix { }) addFilePatch;
+  inherit (stdenv.hostPlatform) isDarwin isAarch64;
+
+  bazelSystem = if isDarwin then "darwin" else "linux";
+
+  # on aarch64 Darwin, `uname -m` returns "arm64"
+  bazelArch = if isDarwin && isAarch64 then "arm64" else stdenv.hostPlatform.parsed.cpu.name;
+
+  src = fetchzip {
+    url = "https://github.com/bazelbuild/bazel/releases/download/${version}/bazel-${version}-dist.zip";
+    hash = "sha256-Hiny31S+YF7JdKjxzCyKdw3J/3OdDwsKeOkppfvWrNI=";
+    stripRoot = false;
+  };
+
+  defaultShellUtils =
+    # Keep this list conservative. For more exotic tools, prefer to use
+    # @rules_nixpkgs to pull in tools from the nix repository. Example:
+    #
+    # WORKSPACE:
+    #
+    #     nixpkgs_git_repository(
+    #         name = "nixpkgs",
+    #         revision = "def5124ec8367efdba95a99523dd06d918cb0ae8",
+    #     )
+    #
+    #     # This defines an external Bazel workspace.
+    #     nixpkgs_package(
+    #         name = "bison",
+    #         repositories = { "nixpkgs": "@nixpkgs//:default.nix" },
+    #     )
+    #
+    # some/BUILD.bazel:
+    #
+    #     genrule(
+    #        ...
+    #        cmd = "$(location @bison//:bin/bison) -other -args",
+    #        tools = [
+    #            ...
+    #            "@bison//:bin/bison",
+    #        ],
+    #     )
+    [
+      coreutils
+      diffutils
+      file
+      findutils
+      gawk
+      gnugrep
+      gnupatch
+      gnused
+      gnutar
+      gzip
+      unzip
+      which
+      zip
+      bash
+    ];
+  defaultShell = callPackage ./defaultShell.nix { } { inherit defaultShellUtils; };
+
+  commandArgs =
+    [
+      "--nobuild_python_zip"
+      "--features=-module_maps"
+      "--host_features=-module_maps"
+      "--announce_rc"
+      "--verbose_failures"
+      "--curses=no"
+    ]
+    ++ lib.optionals (isDarwin) [
+      "--macos_sdk_version=${stdenv.hostPlatform.darwinMinVersion}"
+      "--cxxopt=-isystem"
+      "--cxxopt=${lib.getDev stdenv.cc.libcxx}/include/c++/v1"
+      "--host_cxxopt=-isystem"
+      "--host_cxxopt=${lib.getDev stdenv.cc.libcxx}/include/c++/v1"
+      "--copt=-isystem"
+      "--copt=${lib.getDev darwin.libresolv}/include"
+      "--host_copt=-isystem"
+      "--host_copt=${lib.getDev darwin.libresolv}/include"
+    ];
+
+in
+stdenv.mkDerivation rec {
+  pname = "bazel";
+  inherit version src;
+
+  darwinPatches = [
+    # Bazel integrates with apple IOKit to inhibit and track system sleep.
+    # Inside the darwin sandbox, these API calls are blocked, and bazel
+    # crashes. It seems possible to allow these APIs inside the sandbox, but it
+    # feels simpler to patch bazel not to use it at all. So our bazel is
+    # incapable of preventing system sleep, which is a small price to pay to
+    # guarantee that it will always run in any nix context.
+    #
+    # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses
+    # NIX_BUILD_TOP env var to conditionnally disable sleep features inside the
+    # sandbox.
+    #
+    # If you want to investigate the sandbox profile path,
+    # IORegisterForSystemPower can be allowed with
+    #
+    #     propagatedSandboxProfile = ''
+    #       (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
+    #     '';
+    #
+    # I do not know yet how to allow IOPMAssertion{CreateWithName,Release}
+    ./patches/darwin_sleep.patch
+
+    # Fix DARWIN_XCODE_LOCATOR_COMPILE_COMMAND by removing multi-arch support.
+    # Nixpkgs toolcahins do not support that (yet?) and get confused.
+    # Also add an explicit /usr/bin prefix that will be patched below.
+    (replaceVars ./patches/xcode.patch {
+      usrBinEnv = "${coreutils}/bin/env";
+      clangDarwin = "${stdenv.cc}/bin/clang";
+      codesign = "${darwin.sigtool}/bin/codesign";
+    })
+
+    # Revert preference for apple_support over rules_cc toolchain for now
+    # will need to figure out how to build with apple_support toolchain later
+    ./patches/apple_cc_toolchain.patch
+
+    # On Darwin, the last argument to gcc is coming up as an empty string. i.e: ''
+    # This is breaking the build of any C target. This patch removes the last
+    # argument if it's found to be an empty string.
+    ./patches/trim-last-argument-to-gcc-if-empty.patch
+
+    # fdopen() compilation fix
+    (fetchpatch {
+      url = "https://github.com/madler/zlib/commit/4bd9a71f3539b5ce47f0c67ab5e01f3196dc8ef9.patch";
+      hash = "sha256-wlZY0/XqND5Fk+SJkUCUj7XhGVwUJw/VqVGAlDdqOhs=";
+      stripLen = 1;
+      extraPrefix = "third_party/zlib/";
+    })
+  ];
+
+  patches = lib.optionals isDarwin darwinPatches ++ [
+    # patch that propagates rules_* patches below
+    # patches need to be within source root and can't be absolute paths in Nix store
+    # so rules_* patches are injected via addFilePatch
+    ./patches/deps_patches.patch
+    (addFilePatch {
+      path = "b/third_party/rules_python.patch";
+      file = replaceVars ./patches/rules_python.patch {
+        usrBinEnv = "${coreutils}/bin/env";
+      };
+    })
+    (addFilePatch {
+      path = "b/third_party/rules_java.patch";
+      file = replaceVars ./patches/rules_java.patch {
+        defaultBash = "${defaultShell.bashWithDefaultShellUtils}/bin/bash";
+      };
+    })
+    # Suggested for upstream in https://github.com/bazelbuild/bazel/pull/25936
+    ./patches/build_execlog_parser.patch
+    # Part of suggestion for upstream in https://github.com/bazelbuild/bazel/pull/25934
+    ./patches/env_bash.patch
+    # Suggested for upstream in https://github.com/bazelbuild/bazel/pull/25935
+    ./patches/gen_completion.patch
+
+    # --experimental_strict_action_env (which may one day become the default
+    # see bazelbuild/bazel#2574) hardcodes the default
+    # action environment to a non hermetic value (e.g. "/usr/local/bin").
+    # This is non hermetic on non-nixos systems. On NixOS, bazel cannot find the required binaries.
+    # So we are replacing this bazel paths by defaultShellPath,
+    # improving hermeticity and making it work in nixos.
+    (replaceVars ./patches/strict_action_env.patch {
+      strictActionEnvPatch = defaultShell.defaultShellPath;
+    })
+
+    (replaceVars ./patches/default_bash.patch {
+      defaultBash = "${defaultShell.bashWithDefaultShellUtils}/bin/bash";
+    })
+
+    (replaceVars ./patches/md5sum.patch {
+      md5sum = "${coreutils}/bin/md5sum";
+    })
+
+    # Nix build sandbox can configure custom PATH but doesn't have
+    # /usr/bin/env which is unfortunate https://github.com/NixOS/nixpkgs/issues/6227
+    # and we need to do a silly patch
+    (replaceVars ./patches/usr_bin_env.patch {
+      usrBinEnv = "${coreutils}/bin/env";
+    })
+
+    # Provide default JRE for Bazel process by setting --server_javabase=
+    # in a new default system bazelrc file
+    (replaceVars ./patches/bazel_rc.patch {
+      bazelSystemBazelRCPath = replaceVars ./system.bazelrc {
+        serverJavabase = jdk_headless;
+      };
+    })
+  ];
+
+  meta = with lib; {
+    homepage = "https://github.com/bazelbuild/bazel/";
+    description = "Build tool that builds code quickly and reliably";
+    sourceProvenance = with sourceTypes; [
+      fromSource
+      binaryBytecode # source bundles dependencies as jars
+    ];
+    license = licenses.asl20;
+    teams = [ lib.teams.bazel ];
+    mainProgram = "bazel";
+    platforms = lib.platforms.linux ++ lib.platforms.darwin;
+  };
+
+  nativeBuildInputs =
+    [
+      makeWrapper
+      jdk_headless
+      python3
+      unzip
+      which
+
+      # Shell completion
+      installShellFiles
+      python3.pkgs.absl-py # Needed to build fish completion
+    ]
+    # Needed for execlog
+    ++ lib.optional (!stdenv.hostPlatform.isDarwin) stdenv.cc
+    ++ lib.optional (stdenv.hostPlatform.isDarwin) cctools;
+
+  buildPhase = ''
+    runHook preBuild
+    export HOME=$(mktemp -d)
+
+    # If EMBED_LABEL isn't set, it'd be auto-detected from CHANGELOG.md
+    # and `git rev-parse --short HEAD` which would result in
+    # "3.7.0- (@non-git)" due to non-git build and incomplete changelog.
+    # Actual bazel releases use scripts/release/common.sh which is based
+    # on branch/tag information which we don't have with tarball releases.
+    # Note that .bazelversion is always correct and is based on bazel-*
+    # executable name, version checks should work fine
+    export EMBED_LABEL="${version}"
+
+    echo "Stage 1 - Running bazel bootstrap script"
+    export EXTRA_BAZEL_ARGS="${lib.strings.concatStringsSep " " commandArgs}"
+
+    ${bash}/bin/bash ./compile.sh
+
+    # XXX: get rid of this, or move it to another stage.
+    # It is plain annoying when builds fail.
+    echo "Stage 2 - Generate bazel completions"
+    ${bash}/bin/bash ./scripts/generate_bash_completion.sh \
+        --bazel=./output/bazel \
+        --output=./output/bazel-complete.bash \
+        --prepend=./scripts/bazel-complete-header.bash \
+        --prepend=./scripts/bazel-complete-template.bash
+    ${python3}/bin/python3 ./scripts/generate_fish_completion.py \
+        --bazel=./output/bazel \
+        --output=./output/bazel-complete.fish
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    # Bazel binary contains zip archive, which contains text files and a jar
+    # both of which can have store references that might be obscured to Nix
+    # builder in packaged form, so we unpack and extract those references
+
+    # Note: grep isn't necessarily 100% accurate, other approaches could be
+    #       to disassemble Jar (slow) or hardcode known references
+    mkdir -p $out/nix-support
+    INSTALL_BASE=$(./output/bazel --batch info install_base)
+    find "$INSTALL_BASE" -type f -exec \
+       ${gnugrep}/bin/grep --text --only-matching --no-filename "$NIX_STORE/[^/]*" '{}' \; \
+    | sort -u >> $out/nix-support/depends
+
+    mkdir -p $out/bin
+
+    # official wrapper scripts that searches for $WORKSPACE_ROOT/tools/bazel if
+    # it can’t find something in tools, it calls
+    # $out/bin/bazel-{version}-{os_arch} The binary _must_ exist with this
+    # naming if your project contains a .bazelversion file.
+    cp ./scripts/packages/bazel.sh $out/bin/bazel
+    versioned_bazel="$out/bin/bazel-${version}-${bazelSystem}-${bazelArch}"
+    mv ./output/bazel "$versioned_bazel"
+    wrapProgram "$versioned_bazel" --suffix PATH : ${defaultShell.defaultShellPath}
+
+    mkdir $out/share
+    cp ./output/parser_deploy.jar $out/share/parser_deploy.jar
+    substitute ${./bazel-execlog.sh} $out/bin/bazel-execlog \
+      --subst-var out \
+      --subst-var-by runtimeShell ${runtimeShell} \
+      --subst-var-by javaBin ${jdk_headless}/bin/java
+    chmod +x $out/bin/bazel-execlog
+
+    # shell completion files
+    installShellCompletion --bash \
+      --name bazel.bash \
+      ./output/bazel-complete.bash
+    installShellCompletion --zsh \
+      --name _bazel \
+      ./scripts/zsh_completion/_bazel
+    installShellCompletion --fish \
+      --name bazel.fish \
+      ./output/bazel-complete.fish
+  '';
+
+  postFixup =
+    # verify that bazel binary still works post-fixup
+    ''
+      USE_BAZEL_VERSION=${version} $out/bin/bazel --batch info release
+    '';
+
+  # Bazel binary includes zip archive at the end that `strip` would end up discarding
+  stripExclude = [ "bin/.bazel-${version}-*-wrapped" ];
+
+  passthru = {
+    tests = {
+      inherit (callPackage ./examples.nix { }) cpp java rust;
+    };
+  };
+}
diff --git a/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch b/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch
new file mode 100644
index 0000000..32d5b5b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/apple_cc_toolchain.patch
@@ -0,0 +1,19 @@
+diff --git a/MODULE.bazel b/MODULE.bazel
+index 11a6075175..f53f0c732b 100644
+--- a/MODULE.bazel
++++ b/MODULE.bazel
+@@ -35,10 +35,10 @@ bazel_dep(name = "with_cfg.bzl", version = "0.6.0")
+ bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.2")
+ bazel_dep(name = "rules_shell", version = "0.2.0")
+ 
+-# Depend on apple_support first and then rules_cc so that the Xcode toolchain
+-# from apple_support wins over the generic Unix toolchain from rules_cc.
+-bazel_dep(name = "apple_support", version = "1.18.1")
++# Not Depend on apple_support first and then rules_cc so that the Xcode toolchain
++# from apple_support not wins over the generic Unix toolchain from rules_cc.
+ bazel_dep(name = "rules_cc", version = "0.0.17")
++bazel_dep(name = "apple_support", version = "1.18.1")
+ 
+ # repo_name needs to be used, until WORKSPACE mode is to be supported in bazel_tools
+ bazel_dep(name = "protobuf", version = "29.0", repo_name = "com_google_protobuf")
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch b/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch
new file mode 100644
index 0000000..a599ac3
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/bazel_rc.patch
@@ -0,0 +1,13 @@
+diff --git a/src/main/cpp/option_processor.cc b/src/main/cpp/option_processor.cc
+index 8f8f15685f..a7ae52d1e4 100644
+--- a/src/main/cpp/option_processor.cc
++++ b/src/main/cpp/option_processor.cc
+@@ -56,7 +56,7 @@ OptionProcessor::OptionProcessor(
+     : workspace_layout_(workspace_layout),
+       startup_options_(std::move(default_startup_options)),
+       parse_options_called_(false),
+-      system_bazelrc_path_(BAZEL_SYSTEM_BAZELRC_PATH) {}
++      system_bazelrc_path_("@bazelSystemBazelRCPath@") {}
+ 
+ OptionProcessor::OptionProcessor(
+     const WorkspaceLayout* workspace_layout,
diff --git a/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch b/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch
new file mode 100644
index 0000000..552bc3b
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/build_execlog_parser.patch
@@ -0,0 +1,28 @@
+diff --git a/compile.sh b/compile.sh
+index 4712355d48..feec286704 100755
+--- a/compile.sh
++++ b/compile.sh
+@@ -76,6 +76,13 @@ bazel_build "src:bazel_nojdk${EXE_EXT}" \
+   --host_platform=@platforms//host \
+   --platforms=@platforms//host \
+   || fail "Could not build Bazel"
++
++bazel_build src/tools/execlog:parser_deploy.jar \
++  --action_env=PATH \
++  --host_platform=@platforms//host \
++  --platforms=@platforms//host \
++  || fail "Could not build parser_deploy.jar"
++
+ bazel_bin_path="$(get_bazel_bin_path)/src/bazel_nojdk${EXE_EXT}"
+ [ -e "$bazel_bin_path" ] \
+   || fail "Could not find freshly built Bazel binary at '$bazel_bin_path'"
+@@ -84,5 +91,8 @@ cp -f "$bazel_bin_path" "output/bazel${EXE_EXT}" \
+ chmod 0755 "output/bazel${EXE_EXT}"
+ BAZEL="$(pwd)/output/bazel${EXE_EXT}"
+ 
++cp "$(get_bazel_bin_path)/src/tools/execlog/parser_deploy.jar" output/ \
++  || fail "Could not copy 'parser_deploy.jar' to 'output/"
++
+ clear_log
+ display "Build successful! Binary is here: ${BAZEL}"
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch b/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch
new file mode 100644
index 0000000..731ede8
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/darwin_sleep.patch
@@ -0,0 +1,56 @@
+diff --git a/src/main/native/darwin/sleep_prevention_jni.cc b/src/main/native/darwin/sleep_prevention_jni.cc
+index 67c35b201e..e50a58320e 100644
+--- a/src/main/native/darwin/sleep_prevention_jni.cc
++++ b/src/main/native/darwin/sleep_prevention_jni.cc
+@@ -33,31 +33,13 @@ static int g_sleep_state_stack = 0;
+ static IOPMAssertionID g_sleep_state_assertion = kIOPMNullAssertionID;
+ 
+ int portable_push_disable_sleep() {
+-  std::lock_guard<std::mutex> lock(g_sleep_state_mutex);
+-  BAZEL_CHECK_GE(g_sleep_state_stack, 0);
+-  if (g_sleep_state_stack == 0) {
+-    BAZEL_CHECK_EQ(g_sleep_state_assertion, kIOPMNullAssertionID);
+-    CFStringRef reasonForActivity = CFSTR("build.bazel");
+-    IOReturn success = IOPMAssertionCreateWithName(
+-        kIOPMAssertionTypeNoIdleSleep, kIOPMAssertionLevelOn, reasonForActivity,
+-        &g_sleep_state_assertion);
+-    BAZEL_CHECK_EQ(success, kIOReturnSuccess);
+-  }
+-  g_sleep_state_stack += 1;
+-  return 0;
++  // Unreliable, disable for now
++  return -1;
+ }
+ 
+ int portable_pop_disable_sleep() {
+-  std::lock_guard<std::mutex> lock(g_sleep_state_mutex);
+-  BAZEL_CHECK_GT(g_sleep_state_stack, 0);
+-  g_sleep_state_stack -= 1;
+-  if (g_sleep_state_stack == 0) {
+-    BAZEL_CHECK_NE(g_sleep_state_assertion, kIOPMNullAssertionID);
+-    IOReturn success = IOPMAssertionRelease(g_sleep_state_assertion);
+-    BAZEL_CHECK_EQ(success, kIOReturnSuccess);
+-    g_sleep_state_assertion = kIOPMNullAssertionID;
+-  }
+-  return 0;
++  // Unreliable, disable for now
++  return -1;
+ }
+ 
+ }  // namespace blaze_jni
+diff --git a/src/main/native/darwin/system_suspension_monitor_jni.cc b/src/main/native/darwin/system_suspension_monitor_jni.cc
+index 3483aa7935..51782986ec 100644
+--- a/src/main/native/darwin/system_suspension_monitor_jni.cc
++++ b/src/main/native/darwin/system_suspension_monitor_jni.cc
+@@ -83,10 +83,7 @@ void portable_start_suspend_monitoring() {
+     // Register to receive system sleep notifications.
+     // Testing needs to be done manually. Use the logging to verify
+     // that sleeps are being caught here.
+-    suspend_state.connect_port = IORegisterForSystemPower(
+-        &suspend_state, &notifyPortRef, SleepCallBack, &notifierObject);
+-    BAZEL_CHECK_NE(suspend_state.connect_port, MACH_PORT_NULL);
+-    IONotificationPortSetDispatchQueue(notifyPortRef, queue);
++    // XXX: Unreliable, disable for now
+ 
+     // Register to deal with SIGCONT.
+     // We register for SIGCONT because we can't catch SIGSTOP.
diff --git a/third_party/nix/pkgs/bazel_8/patches/default_bash.patch b/third_party/nix/pkgs/bazel_8/patches/default_bash.patch
new file mode 100644
index 0000000..a43a9f0
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/default_bash.patch
@@ -0,0 +1,22 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a982b782e1..d49b047074 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
++++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -89,13 +89,13 @@ public class BazelRuleClassProvider {
+     public boolean useStrictActionEnv;
+   }
+ 
+-  private static final PathFragment FALLBACK_SHELL = PathFragment.create("/bin/bash");
++  private static final PathFragment FALLBACK_SHELL = PathFragment.create("@defaultBash@");
+ 
+   public static final ImmutableMap<OS, PathFragment> SHELL_EXECUTABLE =
+       ImmutableMap.<OS, PathFragment>builder()
+           .put(OS.WINDOWS, PathFragment.create("c:/msys64/usr/bin/bash.exe"))
+-          .put(OS.FREEBSD, PathFragment.create("/usr/local/bin/bash"))
+-          .put(OS.OPENBSD, PathFragment.create("/usr/local/bin/bash"))
++          .put(OS.FREEBSD, PathFragment.create("@defaultBash@"))
++          .put(OS.OPENBSD, PathFragment.create("@defaultBash@"))
+           .put(OS.UNKNOWN, FALLBACK_SHELL)
+           .buildOrThrow();
+ 
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch b/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch
new file mode 100644
index 0000000..bf0aad9
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/deps_patches.patch
@@ -0,0 +1,24 @@
+diff --git a/MODULE.bazel b/MODULE.bazel
+--- MODULE.bazel
++++ MODULE.bazel
+@@ -24,12 +24,20 @@
+ bazel_dep(name = "zstd-jni", version = "1.5.6-9")
+ bazel_dep(name = "blake3", version = "1.5.1.bcr.1")
+ bazel_dep(name = "zlib", version = "1.3.1.bcr.5")
+ bazel_dep(name = "rules_java", version = "8.12.0")
++single_version_override(
++    module_name = "rules_java",
++    patches = ["//third_party:rules_java.patch"],
++)
+ bazel_dep(name = "rules_graalvm", version = "0.11.1")
+ bazel_dep(name = "rules_proto", version = "7.0.2")
+ bazel_dep(name = "rules_jvm_external", version = "6.0")
+ bazel_dep(name = "rules_python", version = "0.40.0")
++single_version_override(
++    module_name = "rules_python",
++    patches = ["//third_party:rules_python.patch"],
++)
+ bazel_dep(name = "rules_testing", version = "0.6.0")
+ bazel_dep(name = "googletest", version = "1.15.2", repo_name = "com_google_googletest")
+ bazel_dep(name = "with_cfg.bzl", version = "0.6.0")
+ bazel_dep(name = "abseil-cpp", version = "20240722.0.bcr.2")
diff --git a/third_party/nix/pkgs/bazel_8/patches/env_bash.patch b/third_party/nix/pkgs/bazel_8/patches/env_bash.patch
new file mode 100644
index 0000000..cc20d10
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/env_bash.patch
@@ -0,0 +1,22 @@
+diff --git a/src/zip_files.sh b/src/zip_files.sh
+index 1422a6c659..920c1019d2 100755
+--- a/src/zip_files.sh
++++ b/src/zip_files.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ # Copyright 2019 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/package-bazel.sh b/src/package-bazel.sh
+index 56e94db400..2c614af6c2 100755
+--- a/src/package-bazel.sh
++++ b/src/package-bazel.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # Copyright 2015 The Bazel Authors. All rights reserved.
+ #
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch b/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch
new file mode 100644
index 0000000..c3af229
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/gen_completion.patch
@@ -0,0 +1,26 @@
+diff --git a/scripts/generate_bash_completion.sh b/scripts/generate_bash_completion.sh
+index 778810570c..84d2d49a0d 100755
+--- a/scripts/generate_bash_completion.sh
++++ b/scripts/generate_bash_completion.sh
+@@ -68,7 +68,7 @@ mkdir "${tempdir}/root"
+ 
+ server_javabase_flag=
+ [ -z "${javabase}" ] || server_javabase_flag="--server_javabase=${javabase}"
+-"${bazel}" --output_user_root="${tempdir}/root" ${server_javabase_flag} \
++"${bazel}" --batch --output_user_root="${tempdir}/root" ${server_javabase_flag} \
+     help completion >>"${tempdir}/output"
+ 
+ [ -z "${append}" ] || cat ${append} >>"${tempdir}/output"
+diff --git a/scripts/generate_fish_completion.py b/scripts/generate_fish_completion.py
+index bafe28979f..a941d8f7f9 100644
+--- a/scripts/generate_fish_completion.py
++++ b/scripts/generate_fish_completion.py
+@@ -102,7 +102,7 @@ class BazelCompletionWriter(object):
+ 
+   def _get_bazel_output(self, args):
+     return subprocess.check_output(
+-        (self._bazel, '--output_user_root={}'.format(self._output_user_root)) +
++        (self._bazel, '--batch', '--output_user_root={}'.format(self._output_user_root)) +
+         tuple(args),
+         universal_newlines=True)
+ 
diff --git a/third_party/nix/pkgs/bazel_8/patches/md5sum.patch b/third_party/nix/pkgs/bazel_8/patches/md5sum.patch
new file mode 100644
index 0000000..fc49581
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/md5sum.patch
@@ -0,0 +1,22 @@
+diff --git a/src/BUILD b/src/BUILD
+index f61b90738a..2c3a54d36c 100644
+--- a/src/BUILD
++++ b/src/BUILD
+@@ -38,12 +38,12 @@ md5_cmd = "set -e -o pipefail && %s $(SRCS) | %s | %s > $@"
+     }) + embedded_tools_target,
+     outs = ["install_base_key" + suffix],
+     cmd = select({
+-        "//src/conditions:darwin": md5_cmd % ("/sbin/md5", "/sbin/md5", "head -c 32"),
+-        "//src/conditions:freebsd": md5_cmd % ("/sbin/md5", "/sbin/md5", "head -c 32"),
++        "//src/conditions:darwin": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
++        "//src/conditions:freebsd": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
+         # We avoid using the `head` tool's `-c` option, since it does not exist
+         # on OpenBSD.
+-        "//src/conditions:openbsd": md5_cmd % ("/bin/md5", "/bin/md5", "dd bs=32 count=1"),
+-        "//conditions:default": md5_cmd % ("md5sum", "md5sum", "head -c 32"),
++        "//src/conditions:openbsd": md5_cmd % ("@md5sum@", "@md5sum@", "dd bs=32 count=1"),
++        "//conditions:default": md5_cmd % ("@md5sum@", "@md5sum@", "head -c 32"),
+     }),
+ ) for suffix, embedded_tools_target in {
+     "_jdk_allmodules": [":embedded_tools_jdk_allmodules"],
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/rules_java.patch b/third_party/nix/pkgs/bazel_8/patches/rules_java.patch
new file mode 100644
index 0000000..ba2fd2f
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/rules_java.patch
@@ -0,0 +1,11 @@
+diff --git java/bazel/rules/java_stub_template.txt java/bazel/rules/java_stub_template.txt
+index 115b46e..56d2ff7 100644
+--- java/bazel/rules/java_stub_template.txt
++++ java/bazel/rules/java_stub_template.txt
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@defaultBash@
+ # Copyright 2014 The Bazel Authors. All rights reserved.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/rules_python.patch b/third_party/nix/pkgs/bazel_8/patches/rules_python.patch
new file mode 100644
index 0000000..a63f44e
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/rules_python.patch
@@ -0,0 +1,14 @@
+diff --git python/private/runtime_env_toolchain.bzl python/private/runtime_env_toolchain.bzl
+--- python/private/runtime_env_toolchain.bzl
++++ python/private/runtime_env_toolchain.bzl
+@@ -42,7 +42,7 @@
+         name = "_runtime_env_py3_runtime",
+         interpreter = "//python/private:runtime_env_toolchain_interpreter.sh",
+         python_version = "PY3",
+-        stub_shebang = "#!/usr/bin/env python3",
++        stub_shebang = "#!@usrBinEnv@ python3",
+         visibility = ["//visibility:private"],
+         tags = ["manual"],
+     )
+
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch b/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch
new file mode 100644
index 0000000..1402c20
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/strict_action_env.patch
@@ -0,0 +1,13 @@
+diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+index a70b5559bc..10bdffe961 100644
+--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
++++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java
+@@ -466,7 +466,7 @@ public class BazelRuleClassProvider {
+       // Note that --action_env does not propagate to the host config, so it is not a viable
+       // workaround when a genrule is itself built in the host config (e.g. nested genrules). See
+       // #8536.
+-      return "/bin:/usr/bin:/usr/local/bin";
++      return "@strictActionEnvPatch@";
+     }
+
+     String newPath = "";
diff --git a/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch b/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch
new file mode 100644
index 0000000..b93b252
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/trim-last-argument-to-gcc-if-empty.patch
@@ -0,0 +1,37 @@
+From 177b4720d6fbaa7fdd17e5e11b2c79ac8f246786 Mon Sep 17 00:00:00 2001
+From: "Wael M. Nasreddine" <wael.nasreddine@gmail.com>
+Date: Thu, 27 Jun 2019 21:08:51 -0700
+Subject: [PATCH] Trim last argument to gcc if empty, on Darwin
+
+On Darwin, the last argument to GCC is coming up as an empty string.
+This is breaking the build of proto_library targets. However, I was not
+able to reproduce with the example cpp project[0].
+
+This commit removes the last argument if it's an empty string. This is
+not a problem on Linux.
+
+[0]: https://github.com/bazelbuild/examples/tree/master/cpp-tutorial/stage3
+---
+ tools/cpp/osx_cc_wrapper.sh.tpl | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/cpp/osx_cc_wrapper.sh.tpl b/tools/cpp/osx_cc_wrapper.sh.tpl
+index 4c85cd9b6b..6c611e3d25 100644
+--- a/tools/cpp/osx_cc_wrapper.sh.tpl
++++ b/tools/cpp/osx_cc_wrapper.sh.tpl
+@@ -53,7 +53,11 @@ done
+ %{env}
+ 
+ # Call the C++ compiler
+-%{cc} "$@"
++if [[ ${*: -1} = "" ]]; then
++    %{cc} "${@:0:$#}"
++else
++    %{cc} "$@"
++fi
+ 
+ function get_library_path() {
+     for libdir in ${LIB_DIRS}; do
+-- 
+2.19.2
+
diff --git a/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch b/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch
new file mode 100644
index 0000000..0718b75
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/usr_bin_env.patch
@@ -0,0 +1,32 @@
+diff --git a/src/zip_builtins.sh b/src/zip_builtins.sh
+index d78ca5526a..c7d8f251cc 100755
+--- a/src/zip_builtins.sh
++++ b/src/zip_builtins.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+ 
+ # Copyright 2020 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/zip_files.sh b/src/zip_files.sh
+index 1422a6c659..4b1c221784 100755
+--- a/src/zip_files.sh
++++ b/src/zip_files.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+ 
+ # Copyright 2019 The Bazel Authors. All rights reserved.
+ #
+
+diff --git a/src/package-bazel.sh b/src/package-bazel.sh
+index 56e94db400..65fef20988 100755
+--- a/src/package-bazel.sh
++++ b/src/package-bazel.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!@usrBinEnv@ bash
+ #
+ # Copyright 2015 The Bazel Authors. All rights reserved.
+ #
diff --git a/third_party/nix/pkgs/bazel_8/patches/xcode.patch b/third_party/nix/pkgs/bazel_8/patches/xcode.patch
new file mode 100644
index 0000000..52931a3
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/patches/xcode.patch
@@ -0,0 +1,31 @@
+diff --git a/scripts/bootstrap/compile.sh b/scripts/bootstrap/compile.sh
+index 1bad14cba7..d312fe08bb 100755
+--- a/scripts/bootstrap/compile.sh
++++ b/scripts/bootstrap/compile.sh
+@@ -402,7 +402,7 @@ cp $OUTPUT_DIR/libblaze.jar ${ARCHIVE_DIR}
+ # TODO(b/28965185): Remove when xcode-locator is no longer required in embedded_binaries.
+ log "Compiling xcode-locator..."
+ if [[ $PLATFORM == "darwin" ]]; then
+-  run /usr/bin/xcrun --sdk macosx clang -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices -framework Foundation -o ${ARCHIVE_DIR}/xcode-locator tools/osx/xcode_locator.m
++  run @clangDarwin@ -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices -framework Foundation -o ${ARCHIVE_DIR}/xcode-locator tools/osx/xcode_locator.m
+ else
+   cp tools/osx/xcode_locator_stub.sh ${ARCHIVE_DIR}/xcode-locator
+ fi
+diff --git a/tools/osx/BUILD b/tools/osx/BUILD
+index 0358fb0ffe..1e6eae1f33 100644
+--- a/tools/osx/BUILD
++++ b/tools/osx/BUILD
+@@ -27,9 +27,9 @@ exports_files([
+ ])
+ 
+ DARWIN_XCODE_LOCATOR_COMPILE_COMMAND = """
+-  /usr/bin/xcrun --sdk macosx clang -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices \
+-      -framework Foundation -arch arm64 -arch x86_64 -Wl,-no_adhoc_codesign -Wl,-no_uuid -o $@ $< && \
+-  env -i codesign --identifier $@ --force --sign - $@
++  @clangDarwin@ -mmacosx-version-min=10.13 -fobjc-arc -framework CoreServices \
++      -framework Foundation -Wl,-no_adhoc_codesign -Wl,-no_uuid -o $@ $< && \
++  @usrBinEnv@ @codesign@ --identifier $@ --force --sign - $@
+ """
+ 
+ genrule(
+
diff --git a/third_party/nix/pkgs/bazel_8/system.bazelrc b/third_party/nix/pkgs/bazel_8/system.bazelrc
new file mode 100644
index 0000000..6684e33
--- /dev/null
+++ b/third_party/nix/pkgs/bazel_8/system.bazelrc
@@ -0,0 +1,4 @@
+startup --server_javabase=@serverJavabase@
+
+# load default location for the system wide configuration
+try-import /etc/bazel.bazelrc
diff --git a/third_party/nix/pkgs/bazel/BUILD.bazel b/third_party/rules_oci/BUILD.bazel
similarity index 100%
rename from third_party/nix/pkgs/bazel/BUILD.bazel
rename to third_party/rules_oci/BUILD.bazel
diff --git a/third_party/rules_oci/use-default-shell-env.patch b/third_party/rules_oci/use-default-shell-env.patch
new file mode 100644
index 0000000..f69c543
--- /dev/null
+++ b/third_party/rules_oci/use-default-shell-env.patch
@@ -0,0 +1,64 @@
+We have to set use_default_shell_env to find bash via /usr/bin/env,
+as without it we don't have PATH available. The old behavior is fine
+for NixOS as their /usr/bin/env tries to use /run/current-system/sw/bin/bash
+which exist on NixOS, but not in our CI or any other nixos/nix container.
+
+diff --git a/oci/private/image.bzl b/oci/private/image.bzl
+--- a/oci/private/image.bzl
++++ b/oci/private/image.bzl
+@@ -131,8 +131,9 @@
+             regctl.regctl_info.binary,
+         ],
+         mnemonic = "OCIDescriptor",
+         progress_message = "OCI Descriptor %{input}",
++        use_default_shell_env = True,
+     )
+     return descriptor
+ 
+ def _oci_image_impl(ctx):
+@@ -263,8 +264,9 @@
+         mnemonic = "OCIImage",
+         progress_message = "OCI Image %{label}",
+         resource_set = resource_set(ctx.attr),
+         toolchain = None,
++        use_default_shell_env = True,
+     )
+ 
+     return [
+         DefaultInfo(
+diff --git a/oci/private/image_index.bzl b/oci/private/image_index.bzl
+--- a/oci/private/image_index.bzl
++++ b/oci/private/image_index.bzl
+@@ -129,8 +129,9 @@
+         tools = [jq.jqinfo.bin, coreutils.coreutils_info.bin],
+         mnemonic = "OCIIndex",
+         progress_message = "OCI Index %{label}",
+         toolchain = None,
++        use_default_shell_env = True,
+     )
+ 
+     return DefaultInfo(files = depset([output]))
+ 
+diff --git a/oci/private/load.bzl b/oci/private/load.bzl
+--- a/oci/private/load.bzl
++++ b/oci/private/load.bzl
+@@ -179,8 +179,9 @@
+             jq.jqinfo.bin,
+             coreutils.coreutils_info.bin,
+         ],
+         mnemonic = "OCITarballManifest",
++        use_default_shell_env = True,
+     )
+ 
+     # This action produces a large output and should rarely be used as it puts load on the cache.
+     # It will only run if the "tarball" output_group is explicitly requested
+@@ -195,8 +196,9 @@
+         inputs = tar_inputs,
+         outputs = [tarball],
+         arguments = [tar_args],
+         mnemonic = "OCITarball",
++        use_default_shell_env = True,
+     )
+ 
+     # Create an executable runner script that will create the tarball at runtime,
+     # as opposed to at build to avoid uploading large artifacts to remote cache.
diff --git a/third_party/nix/pkgs/bazel/BUILD.bazel b/third_party/rules_python/BUILD.bazel
similarity index 100%
copy from third_party/nix/pkgs/bazel/BUILD.bazel
copy to third_party/rules_python/BUILD.bazel
diff --git a/third_party/rules_python/use-usr-bin-env-bash.patch b/third_party/rules_python/use-usr-bin-env-bash.patch
new file mode 100644
index 0000000..71a39cf
--- /dev/null
+++ b/third_party/rules_python/use-usr-bin-env-bash.patch
@@ -0,0 +1,12 @@
+The build environment is not guaranteed to have /bin/bash, especially on NixOS
+or in our CI runner. Use /usr/bin/env to resolve it from PATH.
+diff --git a/python/private/stage1_bootstrap_template.sh b/python/private/stage1_bootstrap_template.sh
+--- a/python/private/stage1_bootstrap_template.sh
++++ b/python/private/stage1_bootstrap_template.sh
+@@ -1,5 +1,5 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ set -e
+ 
+ if [[ -n "${RULES_PYTHON_BOOTSTRAP_VERBOSE:-}" ]]; then
diff --git a/tools/bazel b/tools/bazel
index 78e4624..0f235c3 100755
--- a/tools/bazel
+++ b/tools/bazel
@@ -34,9 +34,8 @@
   # Jump to project root since bwrap hangs if we aren't there
   cd "${DIR}/../"
 
-  export COMMAND="bazel $*"
   export PWD="$OLDPWD"
-  exec nix-shell
+  exec nix-shell --command "bazel $*"
 fi
 
 prechecks() {