diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index ab5908649..39d595199 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -14,5 +14,12 @@
 /doc @fricklerhandwerk
 *.md @fricklerhandwerk
 
+# Documentation of built-in functions
+src/libexpr/primops.cc @fricklerhandwerk @roberth
+# Documentation on experimental features
+src/libutil/experimental-features.cc @fricklerhandwerk
+# Documentation on configuration settings
+src/libstore/globals.hh @fricklerhandwerk
+
 # Libstore layer
 /src/libstore @thufschmitt
diff --git a/.gitignore b/.gitignore
index 04d96ca2c..f7dcea422 100644
--- a/.gitignore
+++ b/.gitignore
@@ -144,3 +144,6 @@ result
 
 # clangd and possibly more
 .cache/
+
+# Mac OS
+.DS_Store
diff --git a/src/libexpr/flake/flake.cc b/src/libexpr/flake/flake.cc
index 66776f0f6..b11983f62 100644
--- a/src/libexpr/flake/flake.cc
+++ b/src/libexpr/flake/flake.cc
@@ -212,8 +212,16 @@ static Flake getFlake(
     auto [storePath, resolvedRef, lockedRef] = fetchOrSubstituteTree(
         state, originalRef, allowLookup, flakeCache);
 
+    // We need to guard against symlink attacks, but before we start doing
+    // filesystem operations we should make sure there's a flake.nix in the
+    // first place.
+    auto unsafeFlakeDir = state.store->toRealPath(storePath) + "/" + lockedRef.subdir;
+    auto unsafeFlakeFile = unsafeFlakeDir + "/flake.nix";
+    if (!pathExists(unsafeFlakeFile))
+        throw Error("source tree referenced by '%s' does not contain a '%s/flake.nix' file", lockedRef, lockedRef.subdir);
+
     // Guard against symlink attacks.
-    auto flakeDir = canonPath(state.store->toRealPath(storePath) + "/" + lockedRef.subdir, true);
+    auto flakeDir = canonPath(unsafeFlakeDir, true);
     auto flakeFile = canonPath(flakeDir + "/flake.nix", true);
     if (!isInDir(flakeFile, state.store->toRealPath(storePath)))
         throw Error("'flake.nix' file of flake '%s' escapes from '%s'",
@@ -226,9 +234,6 @@ static Flake getFlake(
         .storePath = storePath,
     };
 
-    if (!pathExists(flakeFile))
-        throw Error("source tree referenced by '%s' does not contain a '%s/flake.nix' file", lockedRef, lockedRef.subdir);
-
     Value vInfo;
     state.evalFile(state.rootPath(CanonPath(flakeFile)), vInfo, false); // FIXME: symlink attack
 
@@ -358,10 +363,13 @@ LockedFlake lockFlake(
         debug("old lock file: %s", oldLockFile);
 
         std::map<InputPath, FlakeInput> overrides;
+        std::set<InputPath> explicitCliOverrides;
         std::set<InputPath> overridesUsed, updatesUsed;
 
-        for (auto & i : lockFlags.inputOverrides)
+        for (auto & i : lockFlags.inputOverrides) {
             overrides.insert_or_assign(i.first, FlakeInput { .ref = i.second });
+            explicitCliOverrides.insert(i.first);
+        }
 
         LockFile newLockFile;
 
@@ -432,6 +440,7 @@ LockedFlake lockFlake(
                        ancestors? */
                     auto i = overrides.find(inputPath);
                     bool hasOverride = i != overrides.end();
+                    bool hasCliOverride = explicitCliOverrides.contains(inputPath);
                     if (hasOverride) {
                         overridesUsed.insert(inputPath);
                         // Respect the “flakeness” of the input even if we
@@ -467,7 +476,7 @@ LockedFlake lockFlake(
 
                     if (oldLock
                         && oldLock->originalRef == *input.ref
-                        && !hasOverride)
+                        && !hasCliOverride)
                     {
                         debug("keeping existing input '%s'", inputPathS);
 
@@ -547,7 +556,7 @@ LockedFlake lockFlake(
                             nuked the next time we update the lock
                             file. That is, overrides are sticky unless you
                             use --no-write-lock-file. */
-                        auto ref = input2.ref ? *input2.ref : *input.ref;
+                        auto ref = (input2.ref && explicitCliOverrides.contains(inputPath)) ? *input2.ref : *input.ref;
 
                         if (input.isFlake) {
                             Path localPath = parentPath;
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 8ac135504..f4133a7f7 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -3179,9 +3179,16 @@ static RegisterPrimOp primop_foldlStrict({
     .doc = R"(
       Reduce a list by applying a binary operator, from left to right,
       e.g. `foldl' op nul [x0 x1 x2 ...] = op (op (op nul x0) x1) x2)
-      ...`. For example, `foldl' (x: y: x + y) 0 [1 2 3]` evaluates to 6.
-      The return value of each application of `op` is evaluated immediately,
-      even for intermediate values.
+      ...`.
+
+      For example, `foldl' (acc: elem: acc + elem) 0 [1 2 3]` evaluates
+      to `6` and `foldl' (acc: elem: { "${elem}" = elem; } // acc) {}
+      ["a" "b"]` evaluates to `{ a = "a"; b = "b"; }`.
+
+      The first argument of `op` is the accumulator whereas the second
+      argument is the current element being processed. The return value
+      of each application of `op` is evaluated immediately, even for
+      intermediate values.
     )",
     .fun = prim_foldlStrict,
 });
diff --git a/src/libfetchers/git.cc b/src/libfetchers/git.cc
index caa402715..dd7f40075 100644
--- a/src/libfetchers/git.cc
+++ b/src/libfetchers/git.cc
@@ -11,6 +11,8 @@
 #include "fs-input-accessor.hh"
 #include "mounted-input-accessor.hh"
 #include "git-utils.hh"
+#include "logging.hh"
+#include "finally.hh"
 
 #include "fetch-settings.hh"
 
@@ -315,6 +317,9 @@ struct GitInputScheme : InputScheme
         runProgram("git", true,
             { "-C", repoInfo.url, "--git-dir", repoInfo.gitDir, "add", "--intent-to-add", "--", std::string(path.rel()) });
 
+        // Pause the logger to allow for user input (such as a gpg passphrase) in `git commit`
+        logger->pause();
+        Finally restoreLogger([]() { logger->resume(); });
         if (commitMsg)
             runProgram("git", true,
                 { "-C", repoInfo.url, "--git-dir", repoInfo.gitDir, "commit", std::string(path.rel()), "-m", *commitMsg });
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 27caf42c4..838d2aba2 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -183,7 +183,9 @@ public:
           command line switch and defaults to `1`. The value `0` means that
           the builder should use all available CPU cores in the system.
         )",
-        {"build-cores"}, false};
+        {"build-cores"},
+        // Don't document the machine-specific default value
+        false};
 
     /**
      * Read-only mode.  Don't copy stuff to the store, don't change
@@ -699,7 +701,10 @@ public:
 
           Build systems will usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation.
           You should design your derivation's `builder` accordingly and cross-check the results when using this option against natively-built versions of your derivation.
-        )", {}, false};
+        )",
+        {},
+        // Don't document the machine-specific default value
+        false};
 
     Setting<StringSet> systemFeatures{
         this,
@@ -744,7 +749,10 @@ public:
             [nspawn]: https://github.com/NixOS/nix/blob/67bcb99700a0da1395fa063d7c6586740b304598/tests/systemd-nspawn.nix.
 
             Included by default on Linux if the [`auto-allocate-uids`](#conf-auto-allocate-uids) setting is enabled.
-        )", {}, false};
+        )",
+        {},
+        // Don't document the machine-specific default value
+        false};
 
     Setting<Strings> substituters{
         this,
diff --git a/src/libstore/store-api.hh b/src/libstore/store-api.hh
index 32ad2aa44..8b6bf9aed 100644
--- a/src/libstore/store-api.hh
+++ b/src/libstore/store-api.hh
@@ -167,7 +167,10 @@ struct StoreConfig : public Config
           Optional [system features](@docroot@/command-ref/conf-file.md#conf-system-features) available on the system this store uses to build derivations.
 
           Example: `"kvm"`
-        )" };
+        )",
+        {},
+        // Don't document the machine-specific default value
+        false};
 };
 
 class Store : public std::enable_shared_from_this<Store>, public virtual StoreConfig
diff --git a/tests/functional/flakes/follow-paths.sh b/tests/functional/flakes/follow-paths.sh
index 9f23d738b..1afd91bd2 100644
--- a/tests/functional/flakes/follow-paths.sh
+++ b/tests/functional/flakes/follow-paths.sh
@@ -260,3 +260,79 @@ EOF
 
 checkRes=$(nix flake lock "$flakeFollowCycle" 2>&1 && fail "nix flake lock should have failed." || true)
 echo $checkRes | grep -F "error: follow cycle detected: [baz -> foo -> bar -> baz]"
+
+
+# Test transitive input url locking
+# This tests the following lockfile issue: https://github.com/NixOS/nix/issues/9143
+#
+# We construct the following graph, where p->q means p has input q.
+#
+# A -> B -> C
+#
+# And override B/C to flake D, first in A's flake.nix and then with --override-input.
+#
+# A -> B -> D
+flakeFollowsCustomUrlA="$TEST_ROOT/follows/custom-url/flakeA"
+flakeFollowsCustomUrlB="$TEST_ROOT/follows/custom-url/flakeA/flakeB"
+flakeFollowsCustomUrlC="$TEST_ROOT/follows/custom-url/flakeA/flakeB/flakeC"
+flakeFollowsCustomUrlD="$TEST_ROOT/follows/custom-url/flakeA/flakeB/flakeD"
+
+
+createGitRepo "$flakeFollowsCustomUrlA"
+mkdir -p "$flakeFollowsCustomUrlB"
+mkdir -p "$flakeFollowsCustomUrlC"
+mkdir -p "$flakeFollowsCustomUrlD"
+
+cat > "$flakeFollowsCustomUrlD/flake.nix" <<EOF
+{
+    description = "Flake D";
+    inputs = {};
+    outputs = { ... }: {};
+}
+EOF
+
+cat > "$flakeFollowsCustomUrlC/flake.nix" <<EOF
+{
+    description = "Flake C";
+    inputs = {};
+    outputs = { ... }: {};
+}
+EOF
+
+cat > "$flakeFollowsCustomUrlB/flake.nix" <<EOF
+{
+    description = "Flake B";
+    inputs = {
+        C = {
+            url = "path:./flakeC";
+        };
+    };
+    outputs = { ... }: {};
+}
+EOF
+
+cat > "$flakeFollowsCustomUrlA/flake.nix" <<EOF
+{
+    description = "Flake A";
+    inputs = {
+        B = {
+            url = "path:./flakeB";
+            inputs.C.url = "path:./flakeB/flakeD";
+        };
+    };
+    outputs = { ... }: {};
+}
+EOF
+
+git -C "$flakeFollowsCustomUrlA" add flake.nix flakeB/flake.nix \
+  flakeB/flakeC/flake.nix flakeB/flakeD/flake.nix
+
+# lock "original" entry should contain overridden url
+json=$(nix flake metadata "$flakeFollowsCustomUrlA" --json)
+[[ $(echo "$json" | jq -r .locks.nodes.C.original.path) = './flakeB/flakeD' ]]
+rm "$flakeFollowsCustomUrlA"/flake.lock
+
+# if override-input is specified, lock "original" entry should contain original url
+json=$(nix flake metadata "$flakeFollowsCustomUrlA" --override-input B/C "path:./flakeB/flakeD" --json)
+echo "$json" | jq .locks.nodes.C.original
+[[ $(echo "$json" | jq -r .locks.nodes.C.original.path) = './flakeC' ]]