diff --git a/.github/workflows/cli-tests.yaml b/.github/workflows/cli-tests.yaml
index 21a0a2038ae..a4deb69eed5 100644
--- a/.github/workflows/cli-tests.yaml
+++ b/.github/workflows/cli-tests.yaml
@@ -129,9 +129,8 @@ jobs:
         run-project-tests: ["project-tests", "project-tests-off"]
         # Run tests on:
         # 1. the oldest supported nix version (which is 2.9.0? But determinate-systems installer has 2.12.0)
-        # 2. nix version 2.17.0 which introduces a new code path that minimizes nixpkgs downloads.
-        # 3. latest nix version
-        nix-version: ["2.12.0", "2.17.0", "2.19.2"]
+        # 2. latest nix version, must be > 2.17.0 which introduces a new code path that minimizes nixpkgs downloads.
+        nix-version: ["2.12.0", "2.19.2"]
         exclude:
           - is-main: "not-main"
             os: "${{ inputs.run-mac-tests && 'dummy' || 'macos-latest' }}"
diff --git a/internal/devbox/nixprofile.go b/internal/devbox/nixprofile.go
new file mode 100644
index 00000000000..5414051897e
--- /dev/null
+++ b/internal/devbox/nixprofile.go
@@ -0,0 +1,74 @@
+package devbox
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/samber/lo"
+	"go.jetpack.io/devbox/internal/nix"
+	"go.jetpack.io/devbox/internal/nix/nixprofile"
+	"go.jetpack.io/devbox/internal/ux"
+)
+
+// syncNixProfile ensures the nix profile has the packages specified in wantStorePaths.
+// It also removes any packages from the nix profile that are not in wantStorePaths.
+func (d *Devbox) syncNixProfile(ctx context.Context, wantStorePaths []string) error {
+	profilePath, err := d.profilePath()
+	if err != nil {
+		return err
+	}
+
+	// Get the store-paths of the packages currently installed in the nix profile
+	items, err := nixprofile.ProfileListItems(ctx, d.stderr, profilePath)
+	if err != nil {
+		return fmt.Errorf("nix profile list: %v", err)
+	}
+	gotStorePaths := make([]string, 0, len(items))
+	for _, item := range items {
+		gotStorePaths = append(gotStorePaths, item.StorePaths()...)
+	}
+
+	// Diff the store paths and install/remove packages as needed
+	remove, add := lo.Difference(gotStorePaths, wantStorePaths)
+	if len(remove) > 0 {
+		packagesToRemove := make([]string, 0, len(remove))
+		for _, p := range remove {
+			storePath := nix.NewStorePathParts(p)
+			packagesToRemove = append(packagesToRemove, fmt.Sprintf("%s@%s", storePath.Name, storePath.Version))
+		}
+		if len(packagesToRemove) == 1 {
+			ux.Finfo(d.stderr, "Removing %s\n", strings.Join(packagesToRemove, ", "))
+		} else {
+			ux.Finfo(d.stderr, "Removing packages: %s\n", strings.Join(packagesToRemove, ", "))
+		}
+
+		if err := nix.ProfileRemove(profilePath, remove...); err != nil {
+			return err
+		}
+	}
+	if len(add) > 0 {
+		total := len(add)
+		for idx, addPath := range add {
+			stepNum := idx + 1
+			storePath := nix.NewStorePathParts(addPath)
+			nameAndVersion := fmt.Sprintf("%s@%s", storePath.Name, storePath.Version)
+			stepMsg := fmt.Sprintf("[%d/%d] %s", stepNum, total, nameAndVersion)
+
+			if err = nixprofile.ProfileInstall(ctx, &nixprofile.ProfileInstallArgs{
+				CustomStepMessage: stepMsg,
+				Installable:       addPath,
+				// Install in offline mode for speed. We know we should have all the files
+				// locally in /nix/store since we have run `nix print-dev-env` prior to this.
+				// Also avoids some "substituter not found for store-path" errors.
+				Offline:     true,
+				PackageName: storePath.Name,
+				ProfilePath: profilePath,
+				Writer:      d.stderr,
+			}); err != nil {
+				return fmt.Errorf("error installing package %s: %w", addPath, err)
+			}
+		}
+	}
+	return nil
+}
diff --git a/internal/devbox/packages.go b/internal/devbox/packages.go
index c750f4d0b89..9f581269333 100644
--- a/internal/devbox/packages.go
+++ b/internal/devbox/packages.go
@@ -248,10 +248,20 @@ const (
 // The `mode` is used for:
 // 1. Skipping certain operations that may not apply.
 // 2. User messaging to explain what operations are happening, because this function may take time to execute.
-func (d *Devbox) ensureStateIsUpToDate(ctx context.Context, mode installMode) error {
+//
+// linter:revive is turned off due to complaining about function complexity
+func (d *Devbox) ensureStateIsUpToDate(ctx context.Context, mode installMode) error { //nolint:revive
 	defer trace.StartRegion(ctx, "devboxEnsureStateIsUpToDate").End()
 	defer debug.FunctionTimer().End()
 
+	if mode != ensure && !d.IsEnvEnabled() {
+		// if mode is install/uninstall/update and we are not in a devbox environment,
+		// then we skip some operations below for speed.
+		// Remove the local.lock file so that we re-compute the project state when
+		// we are in the devbox environment again.
+		defer func() { _ = d.lockfile.RemoveLocal() }()
+	}
+
 	// if mode is install or uninstall, then we need to update the nix-profile
 	// and lockfile, so we must continue below.
 	upToDate, err := d.lockfile.IsUpToDateAndInstalled()
@@ -267,6 +277,13 @@ func (d *Devbox) ensureStateIsUpToDate(ctx context.Context, mode installMode) er
 		fmt.Fprintln(d.stderr, "Ensuring packages are installed.")
 	}
 
+	// Validate packages. Must be run up-front and definitely prior to computeEnv
+	// and syncNixProfile below that will evaluate the flake and may give
+	// inscrutable errors if the package is uninstallable.
+	if err := d.validatePackagesToBeInstalled(ctx); err != nil {
+		return err
+	}
+
 	// Create plugin directories first because packages might need them
 	for _, pkg := range d.InstallablePackages() {
 		if err := d.PluginManager().Create(pkg); err != nil {
@@ -274,10 +291,6 @@ func (d *Devbox) ensureStateIsUpToDate(ctx context.Context, mode installMode) er
 		}
 	}
 
-	if err := d.syncPackagesToProfile(ctx, mode); err != nil {
-		return err
-	}
-
 	if err := d.InstallRunXPackages(ctx); err != nil {
 		return err
 	}
@@ -290,11 +303,34 @@ func (d *Devbox) ensureStateIsUpToDate(ctx context.Context, mode installMode) er
 		return err
 	}
 
-	// Use the printDevEnvCache if we are adding or removing or updating any package,
-	// AND we are not in the shellenv-enabled environment of the current devbox-project.
-	usePrintDevEnvCache := mode != ensure && !d.IsEnvEnabled()
-	if _, err := d.computeEnv(ctx, usePrintDevEnvCache); err != nil {
-		return err
+	// The steps contained in this if-block of computeEnv and syncNixProfile are a tad
+	// slow. So, we only do it if we are in a devbox environment, or if mode is ensure.
+	if mode == ensure || d.IsEnvEnabled() {
+		// Re-compute print-dev-env to ensure all packages are installed, and
+		// the correct set of packages are reflected in the nix-profile below.
+		env, err := d.computeEnv(ctx, false /*usePrintDevEnvCache*/)
+		if err != nil {
+			return err
+		}
+
+		// Ensure the nix profile has the packages from the flake.
+		buildInputs := []string{}
+		if env["buildInputs"] != "" {
+			// env["buildInputs"] can be empty string if there are no packages in the project
+			// if buildInputs is empty, then we don't want wantStorePaths to be an array with a single "" entry
+			buildInputs = strings.Split(env["buildInputs"], " ")
+		}
+		if err := d.syncNixProfile(ctx, buildInputs); err != nil {
+			return err
+		}
+
+	} else if mode == install || mode == update {
+		// Else: if we are not in a devbox environment, and we are installing or updating
+		// then we must ensure the new nix packages are in the nix store. This way, the
+		// next time we enter a devbox environment, we will have the packages available locally.
+		if err := d.installNixPackagesToStore(ctx); err != nil {
+			return err
+		}
 	}
 
 	// Ensure we clean out packages that are no longer needed.
@@ -331,162 +367,6 @@ func (d *Devbox) profilePath() (string, error) {
 	return absPath, errors.WithStack(os.MkdirAll(filepath.Dir(absPath), 0o755))
 }
 
-// syncPackagesToProfile can ensure that all packages in devbox.json exist in the nix profile,
-// and no more. However, it may skip some steps depending on the `mode`.
-func (d *Devbox) syncPackagesToProfile(ctx context.Context, mode installMode) error {
-	defer debug.FunctionTimer().End()
-	defer trace.StartRegion(ctx, "syncPackagesToProfile").End()
-
-	// First, fetch the profile items from the nix-profile,
-	// and get the installable packages
-	profileDir, err := d.profilePath()
-	if err != nil {
-		return err
-	}
-	profileItems, err := nixprofile.ProfileListItems(d.stderr, profileDir)
-	if err != nil {
-		return err
-	}
-	packages, err := d.AllInstallablePackages()
-	if err != nil {
-		return err
-	}
-
-	// Remove non-nix packages from the list
-	packages = lo.Filter(packages, devpkg.IsNix)
-
-	if err := devpkg.FillNarInfoCache(ctx, packages...); err != nil {
-		return err
-	}
-
-	// Second, remove any packages from the nix-profile that are not in the config
-	itemsToKeep := profileItems
-	if mode != install {
-		itemsToKeep, err = d.removeExtraItemsFromProfile(ctx, profileDir, profileItems, packages)
-		if err != nil {
-			return err
-		}
-	}
-
-	// we are done if mode is uninstall
-	if mode == uninstall {
-		return nil
-	}
-
-	// Last, find the pending packages, and ensure they are added to the nix-profile
-	// Important to maintain the order of packages as specified by
-	// Devbox.InstallablePackages() (higher priority first).
-	// We also run nix profile upgrade on any virtenv flakes. This is a bit of a
-	// blunt approach, but ensured any plugin created flakes are up-to-date.
-	pending := []*devpkg.Package{}
-	for _, pkg := range packages {
-		idx, err := nixprofile.ProfileListIndex(&nixprofile.ProfileListIndexArgs{
-			Items:      itemsToKeep,
-			Lockfile:   d.lockfile,
-			Writer:     d.stderr,
-			Package:    pkg,
-			ProfileDir: profileDir,
-		})
-		if err != nil {
-			if !errors.Is(err, nix.ErrPackageNotFound) {
-				return err
-			}
-			pending = append(pending, pkg)
-		} else if f, err := pkg.FlakeInstallable(); err == nil && d.pluginManager.PathIsInVirtenv(f.Ref.Path) {
-			if err := nix.ProfileUpgrade(profileDir, idx); err != nil {
-				return err
-			}
-		}
-	}
-
-	return d.addPackagesToProfile(ctx, pending)
-}
-
-func (d *Devbox) removeExtraItemsFromProfile(
-	ctx context.Context,
-	profileDir string,
-	profileItems []*nixprofile.NixProfileListItem,
-	packages []*devpkg.Package,
-) ([]*nixprofile.NixProfileListItem, error) {
-	defer debug.FunctionTimer().End()
-	defer trace.StartRegion(ctx, "removeExtraPackagesFromProfile").End()
-
-	itemsToKeep := []*nixprofile.NixProfileListItem{}
-	extras := []*nixprofile.NixProfileListItem{}
-	// Note: because devpkg.Package uses memoization when normalizing attribute paths (slow operation),
-	// and since we're reusing the Package objects, this O(n*m) loop becomes O(n+m) wrt the slow operation.
-	for _, item := range profileItems {
-		found := false
-		for _, pkg := range packages {
-			if item.Matches(pkg, d.lockfile) {
-				itemsToKeep = append(itemsToKeep, item)
-				found = true
-				break
-			}
-		}
-		if !found {
-			extras = append(extras, item)
-		}
-	}
-	// Remove by index to avoid comparing nix.ProfileListItem <> nix.Inputs again.
-	if err := nixprofile.ProfileRemoveItems(profileDir, extras); err != nil {
-		return nil, err
-	}
-	return itemsToKeep, nil
-}
-
-// addPackagesToProfile inspects the packages in devbox.json, checks which of them
-// are missing from the nix profile, and then installs each package individually into the
-// nix profile.
-func (d *Devbox) addPackagesToProfile(ctx context.Context, pkgs []*devpkg.Package) error {
-	defer debug.FunctionTimer().End()
-	defer trace.StartRegion(ctx, "addPackagesToProfile").End()
-
-	if len(pkgs) == 0 {
-		return nil
-	}
-
-	// If packages are in profile but nixpkgs has been purged, the experience
-	// will be poor when we try to run print-dev-env. So we ensure nixpkgs is
-	// prefetched for all relevant packages (those not in binary cache).
-	if err := devpkg.EnsureNixpkgsPrefetched(ctx, d.stderr, pkgs); err != nil {
-		return err
-	}
-
-	var msg string
-	if len(pkgs) == 1 {
-		msg = fmt.Sprintf("Installing package: %s.", pkgs[0])
-	} else {
-		pkgNames := lo.Map(pkgs, func(p *devpkg.Package, _ int) string { return p.Raw })
-		msg = fmt.Sprintf("Installing %d packages: %s.", len(pkgs), strings.Join(pkgNames, ", "))
-	}
-	fmt.Fprintf(d.stderr, "\n%s\n\n", msg)
-
-	profileDir, err := d.profilePath()
-	if err != nil {
-		return fmt.Errorf("error getting profile path: %w", err)
-	}
-
-	total := len(pkgs)
-	for idx, pkg := range pkgs {
-		stepNum := idx + 1
-
-		stepMsg := fmt.Sprintf("[%d/%d] %s", stepNum, total, pkg)
-
-		if err = nixprofile.ProfileInstall(ctx, &nixprofile.ProfileInstallArgs{
-			CustomStepMessage: stepMsg,
-			Lockfile:          d.lockfile,
-			Package:           pkg.Raw,
-			ProfilePath:       profileDir,
-			Writer:            d.stderr,
-		}); err != nil {
-			return fmt.Errorf("error installing package %s: %w", pkg, err)
-		}
-	}
-
-	return nil
-}
-
 var resetCheckDone = false
 
 // resetProfileDirForFlakes ensures the profileDir directory is cleared of old
@@ -536,3 +416,116 @@ func (d *Devbox) InstallRunXPackages(ctx context.Context) error {
 	}
 	return nil
 }
+
+// installNixPackagesToStore will install all the packages in the nix store, if
+// mode is install or update, and we're not in a devbox environment.
+// This is done by running `nix build` on the flake. We do this so that the
+// packages will be available in the nix store when computing the devbox environment
+// and installing in the nix profile (even if offline).
+func (d *Devbox) installNixPackagesToStore(ctx context.Context) error {
+	packages, err := d.packagesToInstallInProfile(ctx)
+	if err != nil {
+		return err
+	}
+
+	names := []string{}
+	installables := []string{}
+	for _, pkg := range packages {
+		i, err := pkg.Installable()
+		if err != nil {
+			return err
+		}
+		installables = append(installables, i)
+		names = append(names, pkg.String())
+	}
+
+	if len(installables) == 0 {
+		return nil
+	}
+
+	ux.Finfo(d.stderr, "Installing to the nix store: %s. This may take a brief while.\n", strings.Join(names, " "))
+
+	// --no-link to avoid generating the result objects
+	return nix.Build(ctx, []string{"--no-link"}, installables...)
+}
+
+// validatePackagesToBeInstalled will ensure that packages are available to be installed
+// in the user's current system.
+func (d *Devbox) validatePackagesToBeInstalled(ctx context.Context) error {
+	// First, get the packages to install
+	packagesToInstall, err := d.packagesToInstallInProfile(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Then, validate that packages that need to be installed are in fact installable
+	// on the user's current system.
+	for _, pkg := range packagesToInstall {
+		inCache, err := pkg.IsInBinaryCache()
+		if err != nil {
+			return err
+		}
+
+		if !inCache && nix.IsGithubNixpkgsURL(pkg.URLForFlakeInput()) {
+			if err := nix.EnsureNixpkgsPrefetched(d.stderr, pkg.HashFromNixPkgsURL()); err != nil {
+				return err
+			}
+			if exists, err := pkg.ValidateInstallsOnSystem(); err != nil {
+				return err
+			} else if !exists {
+				platform := nix.System()
+				return usererr.New(
+					"package %s cannot be installed on your platform %s.\n"+
+						"If you know this package is incompatible with %[2]s, then "+
+						"you could run `devbox add %[1]s --exclude-platform %[2]s` and re-try.\n"+
+						"If you think this package should be compatible with %[2]s, then "+
+						"it's possible this particular version is not available yet from the nix registry. "+
+						"You could try `devbox add` with a different version for this package.\n",
+					pkg.Raw,
+					platform,
+				)
+			}
+		}
+	}
+	return nil
+}
+
+func (d *Devbox) packagesToInstallInProfile(ctx context.Context) ([]*devpkg.Package, error) {
+	// First, fetch the profile items from the nix-profile,
+	profileDir, err := d.profilePath()
+	if err != nil {
+		return nil, err
+	}
+	profileItems, err := nixprofile.ProfileListItems(ctx, d.stderr, profileDir)
+	if err != nil {
+		return nil, err
+	}
+
+	// Second, get and prepare all the packages that must be installed in this project
+	packages, err := d.AllInstallablePackages()
+	if err != nil {
+		return nil, err
+	}
+	packages = lo.Filter(packages, devpkg.IsNix) // Remove non-nix packages from the list
+	if err := devpkg.FillNarInfoCache(ctx, packages...); err != nil {
+		return nil, err
+	}
+
+	// Third, compute which packages need to be installed
+	packagesToInstall := []*devpkg.Package{}
+	// Note: because devpkg.Package uses memoization when normalizing attribute paths (slow operation),
+	// and since we're reusing the Package objects, this O(n*m) loop becomes O(n+m) wrt the slow operation.
+	for _, pkg := range packages {
+		found := false
+		for _, item := range profileItems {
+			if item.Matches(pkg, d.lockfile) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			packagesToInstall = append(packagesToInstall, pkg)
+		}
+	}
+	return packagesToInstall, nil
+}
diff --git a/internal/devbox/util.go b/internal/devbox/util.go
index 64c5168a7cb..a79e89abaef 100644
--- a/internal/devbox/util.go
+++ b/internal/devbox/util.go
@@ -10,8 +10,9 @@ import (
 	"path/filepath"
 
 	"github.com/pkg/errors"
-	"go.jetpack.io/devbox/internal/nix/nixprofile"
 
+	"go.jetpack.io/devbox/internal/devpkg"
+	"go.jetpack.io/devbox/internal/nix/nixprofile"
 	"go.jetpack.io/devbox/internal/xdg"
 )
 
@@ -19,15 +20,19 @@ import (
 // It's used to install applications devbox might need, like process-compose
 // This is an alternative to a global install which would modify a user's
 // environment.
-func (d *Devbox) addDevboxUtilityPackage(ctx context.Context, pkg string) error {
+func (d *Devbox) addDevboxUtilityPackage(ctx context.Context, pkgName string) error {
+	pkg := devpkg.PackageFromStringWithDefaults(pkgName, d.lockfile)
+	installable, err := pkg.Installable()
+	if err != nil {
+		return err
+	}
 	profilePath, err := utilityNixProfilePath()
 	if err != nil {
 		return err
 	}
-
 	return nixprofile.ProfileInstall(ctx, &nixprofile.ProfileInstallArgs{
-		Lockfile:    d.lockfile,
-		Package:     pkg,
+		Installable: installable,
+		PackageName: pkgName,
 		ProfilePath: profilePath,
 		Writer:      d.stderr,
 	})
diff --git a/internal/devpkg/narinfo_cache.go b/internal/devpkg/narinfo_cache.go
index ba8475bf320..170ff7e00cc 100644
--- a/internal/devpkg/narinfo_cache.go
+++ b/internal/devpkg/narinfo_cache.go
@@ -4,10 +4,8 @@ import (
 	"context"
 	"io"
 	"net/http"
-	"strings"
 	"sync"
 	"time"
-	"unicode"
 
 	"github.com/pkg/errors"
 	"go.jetpack.io/devbox/internal/boxcli/featureflag"
@@ -110,8 +108,8 @@ func (p *Package) fetchNarInfoStatus() (bool, error) {
 		)
 	}
 
-	pathParts := newStorePathParts(sysInfo.StorePath)
-	reqURL := BinaryCache + "/" + pathParts.hash + ".narinfo"
+	pathParts := nix.NewStorePathParts(sysInfo.StorePath)
+	reqURL := BinaryCache + "/" + pathParts.Hash + ".narinfo"
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	req, err := http.NewRequestWithContext(ctx, http.MethodHead, reqURL, nil)
@@ -181,35 +179,3 @@ func (p *Package) sysInfoIfExists() (*lock.SystemInfo, error) {
 	}
 	return sysInfo, nil
 }
-
-// storePath are the constituent parts of
-// /nix/store/<hash>-<name>-<version>
-//
-// This is a helper struct for analyzing the string representation
-type storePathParts struct {
-	hash    string
-	name    string
-	version string
-}
-
-// newStorePathParts splits a Nix store path into its hash, name and version
-// components in the same way that Nix does.
-//
-// See https://nixos.org/manual/nix/stable/language/builtins.html#builtins-parseDrvName
-func newStorePathParts(path string) storePathParts {
-	path = strings.TrimPrefix(path, "/nix/store/")
-	// path is now <hash>-<name>-<version
-
-	hash, name := path[:32], path[33:]
-	dashIndex := 0
-	for i, r := range name {
-		if dashIndex != 0 && !unicode.IsLetter(r) {
-			return storePathParts{hash: hash, name: name[:dashIndex], version: name[i:]}
-		}
-		dashIndex = 0
-		if r == '-' {
-			dashIndex = i
-		}
-	}
-	return storePathParts{hash: hash, name: name}
-}
diff --git a/internal/devpkg/package_test.go b/internal/devpkg/package_test.go
index 7aa84542e10..8975f93bcbf 100644
--- a/internal/devpkg/package_test.go
+++ b/internal/devpkg/package_test.go
@@ -181,49 +181,6 @@ func TestHashFromNixPkgsURL(t *testing.T) {
 	}
 }
 
-func TestStorePathParts(t *testing.T) {
-	testCases := []struct {
-		storePath string
-		expected  storePathParts
-	}{
-		// simple case:
-		{
-			storePath: "/nix/store/cvrn84c1hshv2wcds7n1rhydi6lacqns-gnumake-4.4.1",
-			expected: storePathParts{
-				hash:    "cvrn84c1hshv2wcds7n1rhydi6lacqns",
-				name:    "gnumake",
-				version: "4.4.1",
-			},
-		},
-		// the package name can have dashes:
-		{
-			storePath: "/nix/store/q2xdxsswjqmqcbax81pmazm367s7jzyb-cctools-binutils-darwin-wrapper-973.0.1",
-			expected: storePathParts{
-				hash:    "q2xdxsswjqmqcbax81pmazm367s7jzyb",
-				name:    "cctools-binutils-darwin-wrapper",
-				version: "973.0.1",
-			},
-		},
-		// version is optional. This is an artificial example I constructed
-		{
-			storePath: "/nix/store/gfxwrd5nggc68pjj3g3jhlldim9rpg0p-coreutils",
-			expected: storePathParts{
-				hash: "gfxwrd5nggc68pjj3g3jhlldim9rpg0p",
-				name: "coreutils",
-			},
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.storePath, func(t *testing.T) {
-			parts := newStorePathParts(testCase.storePath)
-			if parts != testCase.expected {
-				t.Errorf("Expected %v, got %v", testCase.expected, parts)
-			}
-		})
-	}
-}
-
 func TestCanonicalName(t *testing.T) {
 	tests := []struct {
 		pkgName      string
diff --git a/internal/lock/local.go b/internal/lock/local.go
index 65b490eefc9..cefc4cb2a11 100644
--- a/internal/lock/local.go
+++ b/internal/lock/local.go
@@ -6,6 +6,7 @@ package lock
 import (
 	"errors"
 	"io/fs"
+	"os"
 	"path/filepath"
 
 	"go.jetpack.io/devbox/internal/build"
@@ -74,6 +75,11 @@ func readLocal(project devboxProject) (*localLockFile, error) {
 	return lockFile, nil
 }
 
+func removeLocal(project devboxProject) error {
+	// RemoveAll to avoid error in case file does not exist.
+	return os.RemoveAll(localLockFilePath(project))
+}
+
 func forProject(project devboxProject) (*localLockFile, error) {
 	configHash, err := project.ConfigHash()
 	if err != nil {
diff --git a/internal/lock/lockfile.go b/internal/lock/lockfile.go
index f7d4fa7cfdf..5e76b9a14e9 100644
--- a/internal/lock/lockfile.go
+++ b/internal/lock/lockfile.go
@@ -176,6 +176,11 @@ func (f *File) isDirty() (bool, error) {
 	return currentHash != filesystemHash, nil
 }
 
+// RemoveLocal removes the local.lock file
+func (f *File) RemoveLocal() error {
+	return removeLocal(f.devboxProject)
+}
+
 func lockFilePath(project devboxProject) string {
 	return filepath.Join(project.ProjectDir(), "devbox.lock")
 }
diff --git a/internal/nix/build.go b/internal/nix/build.go
new file mode 100644
index 00000000000..3211cec26ab
--- /dev/null
+++ b/internal/nix/build.go
@@ -0,0 +1,29 @@
+package nix
+
+import (
+	"context"
+	"os/exec"
+
+	"github.com/pkg/errors"
+	"go.jetpack.io/devbox/internal/debug"
+)
+
+func Build(ctx context.Context, flags []string, installables ...string) error {
+	// --impure is required for allowUnfreeEnv to work.
+	cmd := commandContext(ctx, "build", "--impure")
+	cmd.Args = append(cmd.Args, flags...)
+	cmd.Args = append(cmd.Args, installables...)
+	// We need to allow Unfree packages to be installed. We choose to not also add os.Environ() to the environment
+	// to keep the command as pure as possible, even though we must pass --impure to nix build.
+	cmd.Env = allowUnfreeEnv([]string{})
+
+	debug.Log("Running cmd: %s\n", cmd)
+	_, err := cmd.Output()
+	if err != nil {
+		if exitErr := (&exec.ExitError{}); errors.As(err, &exitErr) {
+			debug.Log("Nix build exit code: %d, output: %s\n", exitErr.ExitCode(), exitErr.Stderr)
+		}
+		return err
+	}
+	return nil
+}
diff --git a/internal/nix/nixprofile/item.go b/internal/nix/nixprofile/item.go
index b6759500ee9..af14ad0b4f0 100644
--- a/internal/nix/nixprofile/item.go
+++ b/internal/nix/nixprofile/item.go
@@ -83,3 +83,7 @@ func (i *NixProfileListItem) String() string {
 		i.nixStorePaths,
 	)
 }
+
+func (i *NixProfileListItem) StorePaths() []string {
+	return i.nixStorePaths
+}
diff --git a/internal/nix/nixprofile/profile.go b/internal/nix/nixprofile/profile.go
index dc9490f6c69..521f08495d9 100644
--- a/internal/nix/nixprofile/profile.go
+++ b/internal/nix/nixprofile/profile.go
@@ -15,7 +15,6 @@ import (
 	"github.com/fatih/color"
 	"github.com/pkg/errors"
 	"github.com/samber/lo"
-	"go.jetpack.io/devbox/internal/boxcli/usererr"
 	"go.jetpack.io/devbox/internal/devpkg"
 	"go.jetpack.io/devbox/internal/lock"
 	"go.jetpack.io/devbox/internal/nix"
@@ -23,15 +22,17 @@ import (
 )
 
 // ProfileListItems returns a list of the installed packages.
+// TODO drop the Profile prefix from this function name.
 func ProfileListItems(
+	ctx context.Context,
 	writer io.Writer,
 	profileDir string,
 ) ([]*NixProfileListItem, error) {
-	output, err := nix.ProfileList(writer, profileDir, true /*useJSON*/)
+	output, err := nix.ProfileList(ctx, writer, profileDir, true /*useJSON*/)
 	if err != nil {
 		// fallback to legacy profile list
 		// NOTE: maybe we should check the nix version first, instead of falling back on _any_ error.
-		return profileListLegacy(writer, profileDir)
+		return profileListLegacy(ctx, writer, profileDir)
 	}
 
 	type ProfileListElement struct {
@@ -65,11 +66,13 @@ func ProfileListItems(
 }
 
 // profileListLegacy lists the items in a nix profile before nix 2.17.0 introduced --json.
+// TODO drop the Profile prefix from this function name.
 func profileListLegacy(
+	ctx context.Context,
 	writer io.Writer,
 	profileDir string,
 ) ([]*NixProfileListItem, error) {
-	output, err := nix.ProfileList(writer, profileDir, false /*useJSON*/)
+	output, err := nix.ProfileList(ctx, writer, profileDir, false /*useJSON*/)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -99,6 +102,7 @@ func profileListLegacy(
 	return items, nil
 }
 
+// TODO drop the Profile prefix from this name.
 type ProfileListIndexArgs struct {
 	// For performance, you can reuse the same list in multiple operations if you
 	// are confident index has not changed.
@@ -111,11 +115,12 @@ type ProfileListIndexArgs struct {
 
 // ProfileListIndex returns the index of args.Package in the nix profile specified by args.ProfileDir,
 // or -1 if it's not found. Callers can pass in args.Items to avoid having to call `nix-profile list` again.
-func ProfileListIndex(args *ProfileListIndexArgs) (int, error) {
+// TODO drop the Profile prefix from this name.
+func ProfileListIndex(ctx context.Context, args *ProfileListIndexArgs) (int, error) {
 	var err error
 	items := args.Items
 	if items == nil {
-		items, err = ProfileListItems(args.Writer, args.ProfileDir)
+		items, err = ProfileListItems(ctx, args.Writer, args.ProfileDir)
 		if err != nil {
 			return -1, err
 		}
@@ -189,44 +194,21 @@ func parseNixProfileListItem(line string) (*NixProfileListItem, error) {
 	}, nil
 }
 
+// TODO drop the Profile prefix from this name.
 type ProfileInstallArgs struct {
 	CustomStepMessage string
-	Lockfile          *lock.File
-	Package           string
+	Installable       string
+	Offline           bool
+	PackageName       string
 	ProfilePath       string
 	Writer            io.Writer
 }
 
-// ProfileInstall calls nix profile install with default profile
+// ProfileInstall installs a package into a profile. Its a convenience wrapper around nix.ProfileInstall
+// that can print nicer output when installing multiple packages.
+// TODO drop the Profile prefix from this name.
 func ProfileInstall(ctx context.Context, args *ProfileInstallArgs) error {
-	input := devpkg.PackageFromStringWithDefaults(args.Package, args.Lockfile)
-
-	inCache, err := input.IsInBinaryCache()
-	if err != nil {
-		return err
-	}
-
-	if !inCache && nix.IsGithubNixpkgsURL(input.URLForFlakeInput()) {
-		if err := nix.EnsureNixpkgsPrefetched(args.Writer, input.HashFromNixPkgsURL()); err != nil {
-			return err
-		}
-		if exists, err := input.ValidateInstallsOnSystem(); err != nil {
-			return err
-		} else if !exists {
-			platform := nix.System()
-			return usererr.New(
-				"package %s cannot be installed on your platform %s.\n"+
-					"If you know this package is incompatible with %[2]s, then "+
-					"you could run `devbox add %[1]s --exclude-platform %[2]s` and re-try.\n"+
-					"If you think this package should be compatible with %[2]s, then "+
-					"it's possible this particular version is not available yet from the nix registry. "+
-					"You could try `devbox add` with a different version for this package.\n",
-				input.Raw,
-				platform,
-			)
-		}
-	}
-	stepMsg := args.Package
+	stepMsg := args.PackageName
 	if args.CustomStepMessage != "" {
 		stepMsg = args.CustomStepMessage
 		// Only print this first one if we have a custom message. Otherwise it feels
@@ -234,12 +216,12 @@ func ProfileInstall(ctx context.Context, args *ProfileInstallArgs) error {
 		fmt.Fprintf(args.Writer, "%s\n", stepMsg)
 	}
 
-	installable, err := input.Installable()
-	if err != nil {
-		return err
-	}
-
-	err = nix.ProfileInstall(args.Writer, args.ProfilePath, installable)
+	err := nix.ProfileInstall(ctx, &nix.ProfileInstallArgs{
+		Installable: args.Installable,
+		Offline:     args.Offline,
+		ProfilePath: args.ProfilePath,
+		Writer:      args.Writer,
+	})
 	if err != nil {
 		fmt.Fprintf(args.Writer, "%s: ", stepMsg)
 		color.New(color.FgRed).Fprintf(args.Writer, "Fail\n")
@@ -250,17 +232,3 @@ func ProfileInstall(ctx context.Context, args *ProfileInstallArgs) error {
 	color.New(color.FgGreen).Fprintf(args.Writer, "Success\n")
 	return nil
 }
-
-// ProfileRemoveItems removes the items from the profile, in a single call, using their indexes.
-// It is up to the caller to ensure that the underlying profile has not changed since the items
-// were queried.
-func ProfileRemoveItems(profilePath string, items []*NixProfileListItem) error {
-	if len(items) == 0 {
-		return nil
-	}
-	indexes := []string{}
-	for _, item := range items {
-		indexes = append(indexes, strconv.Itoa(item.index))
-	}
-	return nix.ProfileRemove(profilePath, indexes)
-}
diff --git a/internal/nix/nixprofile/upgrade.go b/internal/nix/nixprofile/upgrade.go
index 2200e56b911..bfd579913df 100644
--- a/internal/nix/nixprofile/upgrade.go
+++ b/internal/nix/nixprofile/upgrade.go
@@ -4,6 +4,7 @@
 package nixprofile
 
 import (
+	"context"
 	"os"
 
 	"go.jetpack.io/devbox/internal/devpkg"
@@ -11,18 +12,19 @@ import (
 	"go.jetpack.io/devbox/internal/nix"
 )
 
-func ProfileUpgrade(ProfileDir string, pkg *devpkg.Package, lock *lock.File) error {
+func ProfileUpgrade(profileDir string, pkg *devpkg.Package, lock *lock.File) error {
 	idx, err := ProfileListIndex(
+		context.TODO(),
 		&ProfileListIndexArgs{
 			Lockfile:   lock,
 			Writer:     os.Stderr,
 			Package:    pkg,
-			ProfileDir: ProfileDir,
+			ProfileDir: profileDir,
 		},
 	)
 	if err != nil {
 		return err
 	}
 
-	return nix.ProfileUpgrade(ProfileDir, idx)
+	return nix.ProfileUpgrade(profileDir, idx)
 }
diff --git a/internal/nix/profiles.go b/internal/nix/profiles.go
index e01516cc1c6..072116722bf 100644
--- a/internal/nix/profiles.go
+++ b/internal/nix/profiles.go
@@ -4,6 +4,7 @@
 package nix
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -17,8 +18,8 @@ import (
 	"go.jetpack.io/devbox/internal/redact"
 )
 
-func ProfileList(writer io.Writer, profilePath string, useJSON bool) (string, error) {
-	cmd := command("profile", "list", "--profile", profilePath)
+func ProfileList(ctx context.Context, writer io.Writer, profilePath string, useJSON bool) (string, error) {
+	cmd := commandContext(ctx, "profile", "list", "--profile", profilePath)
 	if useJSON {
 		cmd.Args = append(cmd.Args, "--json")
 	}
@@ -29,10 +30,17 @@ func ProfileList(writer io.Writer, profilePath string, useJSON bool) (string, er
 	return string(out), nil
 }
 
-func ProfileInstall(writer io.Writer, profilePath, installable string) error {
-	if !IsInsecureAllowed() && PackageIsInsecure(installable) {
-		knownVulnerabilities := PackageKnownVulnerabilities(installable)
-		errString := fmt.Sprintf("Package %s is insecure. \n\n", installable)
+type ProfileInstallArgs struct {
+	Installable string
+	Offline     bool
+	ProfilePath string
+	Writer      io.Writer
+}
+
+func ProfileInstall(ctx context.Context, args *ProfileInstallArgs) error {
+	if !IsInsecureAllowed() && PackageIsInsecure(args.Installable) {
+		knownVulnerabilities := PackageKnownVulnerabilities(args.Installable)
+		errString := fmt.Sprintf("Package %s is insecure. \n\n", args.Installable)
 		if len(knownVulnerabilities) > 0 {
 			errString += fmt.Sprintf("Known vulnerabilities: %s \n\n", knownVulnerabilities)
 		}
@@ -40,36 +48,40 @@ func ProfileInstall(writer io.Writer, profilePath, installable string) error {
 		return usererr.New(errString)
 	}
 
-	cmd := command(
+	cmd := commandContext(
+		ctx,
 		"profile", "install",
-		"--profile", profilePath,
+		"--profile", args.ProfilePath,
 		"--impure", // for NIXPKGS_ALLOW_UNFREE
 		// Using an arbitrary priority to avoid conflicts with other packages.
 		// Note that this is not really the priority we care about, since we
 		// use the flake.nix to specify the priority.
-		"--priority", nextPriority(profilePath),
-		installable,
+		"--priority", nextPriority(args.ProfilePath),
 	)
+	if args.Offline {
+		cmd.Args = append(cmd.Args, "--offline")
+	}
+	cmd.Args = append(cmd.Args, args.Installable)
 	cmd.Env = allowUnfreeEnv(os.Environ())
 
 	// If nix profile install runs as tty, the output is much nicer. If we ever
 	// need to change this to our own writers, consider that you may need
 	// to implement your own nicer output. --print-build-logs flag may be useful.
 	cmd.Stdin = os.Stdin
-	cmd.Stdout = writer
-	cmd.Stderr = writer
+	cmd.Stdout = args.Writer
+	cmd.Stderr = args.Writer
 
 	debug.Log("running command: %s\n", cmd)
 	return cmd.Run()
 }
 
-func ProfileRemove(profilePath string, indexes []string) error {
+func ProfileRemove(profilePath string, elements ...string) error {
 	cmd := command(
 		append([]string{
 			"profile", "remove",
 			"--profile", profilePath,
 			"--impure", // for NIXPKGS_ALLOW_UNFREE
-		}, indexes...)...,
+		}, elements...)...,
 	)
 	cmd.Env = allowUnfreeEnv(allowInsecureEnv(os.Environ()))
 
diff --git a/internal/nix/storepath.go b/internal/nix/storepath.go
new file mode 100644
index 00000000000..2f8acb638dc
--- /dev/null
+++ b/internal/nix/storepath.go
@@ -0,0 +1,40 @@
+package nix
+
+import (
+	"strings"
+	"unicode"
+)
+
+// storePath are the constituent parts of
+// /nix/store/<hash>-<name>-<version>
+//
+// This is a helper struct for analyzing the string representation
+type StorePathParts struct {
+	Hash    string
+	Name    string
+	Version string
+}
+
+// NewStorePathParts splits a Nix store path into its hash, name and version
+// components in the same way that Nix does.
+//
+// See https://nixos.org/manual/nix/stable/language/builtins.html#builtins-parseDrvName
+//
+// TODO: store paths can also have `-{output}` suffixes, which need to be handled below.
+func NewStorePathParts(path string) StorePathParts {
+	path = strings.TrimPrefix(path, "/nix/store/")
+	// path is now <hash>-<name>-<version
+
+	hash, name := path[:32], path[33:]
+	dashIndex := 0
+	for i, r := range name {
+		if dashIndex != 0 && !unicode.IsLetter(r) {
+			return StorePathParts{Hash: hash, Name: name[:dashIndex], Version: name[i:]}
+		}
+		dashIndex = 0
+		if r == '-' {
+			dashIndex = i
+		}
+	}
+	return StorePathParts{Hash: hash, Name: name}
+}
diff --git a/internal/nix/storepath_test.go b/internal/nix/storepath_test.go
new file mode 100644
index 00000000000..0756f832fcd
--- /dev/null
+++ b/internal/nix/storepath_test.go
@@ -0,0 +1,48 @@
+package nix
+
+import (
+	"testing"
+)
+
+func TestStorePathParts(t *testing.T) {
+	testCases := []struct {
+		storePath string
+		expected  StorePathParts
+	}{
+		// simple case:
+		{
+			storePath: "/nix/store/cvrn84c1hshv2wcds7n1rhydi6lacqns-gnumake-4.4.1",
+			expected: StorePathParts{
+				Hash:    "cvrn84c1hshv2wcds7n1rhydi6lacqns",
+				Name:    "gnumake",
+				Version: "4.4.1",
+			},
+		},
+		// the package name can have dashes:
+		{
+			storePath: "/nix/store/q2xdxsswjqmqcbax81pmazm367s7jzyb-cctools-binutils-darwin-wrapper-973.0.1",
+			expected: StorePathParts{
+				Hash:    "q2xdxsswjqmqcbax81pmazm367s7jzyb",
+				Name:    "cctools-binutils-darwin-wrapper",
+				Version: "973.0.1",
+			},
+		},
+		// version is optional. This is an artificial example I constructed
+		{
+			storePath: "/nix/store/gfxwrd5nggc68pjj3g3jhlldim9rpg0p-coreutils",
+			expected: StorePathParts{
+				Hash: "gfxwrd5nggc68pjj3g3jhlldim9rpg0p",
+				Name: "coreutils",
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.storePath, func(t *testing.T) {
+			parts := NewStorePathParts(testCase.storePath)
+			if parts != testCase.expected {
+				t.Errorf("Expected %v, got %v", testCase.expected, parts)
+			}
+		})
+	}
+}
diff --git a/testscripts/add/add_platforms_flakeref.test.txt b/testscripts/add/add_platforms_flakeref.test.txt
index 345fd45e4b6..4006807c862 100644
--- a/testscripts/add/add_platforms_flakeref.test.txt
+++ b/testscripts/add/add_platforms_flakeref.test.txt
@@ -2,9 +2,15 @@
 
 exec devbox install
 
-exec devbox add github:F1bonacc1/process-compose/v0.40.2 --exclude-platform x86_64-darwin
+# aside: choose armv7l-linux to verify that the add actually works on the
+# current host that is unlikely to be armv7l-linux
+exec devbox add github:F1bonacc1/process-compose/v0.40.2 --exclude-platform armv7l-linux
 json.superset devbox.json expected_devbox1.json
 
+# verify that the package is installed on this platform
+exec devbox run -- process-compose version
+stdout '0.40.2'
+
 -- devbox.json --
 {
   "packages": [
@@ -19,7 +25,7 @@ json.superset devbox.json expected_devbox1.json
     "hello": "",
     "cowsay": "latest",
     "github:F1bonacc1/process-compose/v0.40.2": {
-      "excluded_platforms": ["x86_64-darwin"]
+      "excluded_platforms": ["armv7l-linux"]
     }
   }
 }
diff --git a/testscripts/add/global_add.test.txt b/testscripts/add/global_add.test.txt
index 0bb0ebc5fb8..373ebbde7b1 100644
--- a/testscripts/add/global_add.test.txt
+++ b/testscripts/add/global_add.test.txt
@@ -4,7 +4,7 @@
 ! exec vim --version
 exec devbox global add ripgrep vim
 
-exec devbox global shellenv
+exec devbox global shellenv --recompute
 source.path
 exec rg --version
 exec vim --version
diff --git a/testscripts/languages/php.test.txt b/testscripts/languages/php.test.txt
index 3cd60353e21..16b09e97d49 100644
--- a/testscripts/languages/php.test.txt
+++ b/testscripts/languages/php.test.txt
@@ -1,18 +1,13 @@
 exec devbox run php index.php
 stdout 'done\n'
 
-# temporarily disable rm test until we fix. It requires ensuring that package 
-# in profile matches the flake we are installing.
-# For non-flakes, this involves comparing versions. For flakes we need to compare 
-# the content (or hash)
-
-# exec devbox rm php81Extensions.ds
-# exec devbox run php index.php
-# stdout 'ds extension is not enabled'
+exec devbox rm php81Extensions.ds
+exec devbox run php index.php
+stdout 'ds extension is not enabled'
 
-# exec devbox add php81Extensions.ds
-# exec devbox run php index.php
-# stdout 'done\n'
+exec devbox add php81Extensions.ds
+exec devbox run php index.php
+stdout 'done\n'
 
 -- devbox.json --
 {
diff --git a/testscripts/packages/unfree.test.txt b/testscripts/packages/unfree.test.txt
index f8ae874f251..c2c107c0572 100644
--- a/testscripts/packages/unfree.test.txt
+++ b/testscripts/packages/unfree.test.txt
@@ -4,6 +4,6 @@ exec devbox init
 
 # we could test with slack and/or vscode. Using slack since it is lighter.
 exec devbox add slack
-stderr 'Installing package: slack.'
+stderr 'Adding package "slack@latest" to devbox.json'
 
 exec devbox rm slack