diff --git a/default.nix b/default.nix
index 992cb0c..aa9bcc6 100644
--- a/default.nix
+++ b/default.nix
@@ -26,7 +26,17 @@ in
 }:
 dir:
 let
-  std = compose { } ./std // builtins;
+  std =
+    compose { } ./std
+    // filterMap (
+      k: v:
+      if
+        builtins.match "^import|^scopedImport|^builtins|^fetch.*|^current.*|^nixPath|^storePath" k != null
+      then
+        null
+      else
+        { ${k} = v; }
+    ) builtins;
   atom' = builtins.removeAttrs (extern // atom // { inherit extern; }) [
     "atom"
     (baseNameOf dir)
@@ -54,17 +64,31 @@ let
 
       mod = if hasMod then scope "${dir + "/mod.nix"}" else { };
 
-      scope = scopedImport (
-        {
-          inherit std;
-          atom = atom';
-          mod = lowerKeys (builtins.removeAttrs self [ "mod" ] // { outPath = filterMod dir; });
-        }
-        // cond {
-          _if = pre != null;
-          inherit pre;
-        }
-      );
+      scope =
+        let
+          importErr = "Importing arbitrary Nix files is forbidden. Declare your dependencies via the module system instead.";
+        in
+        scopedImport (
+          {
+            inherit std;
+            atom = atom';
+            mod = lowerKeys (builtins.removeAttrs self [ "mod" ] // { outPath = filterMod dir; });
+            # override builtins, so they can only be accessed via `std`
+            builtins = abort "Please access builtins uniformly via the `std` scope.";
+            import = abort importErr;
+            scopedImport = abort importErr;
+            __fetchurl = abort "Ad hoc fetching is illegal. Declare dependencies statically in the manifest instead.";
+            __currentSystem = abort "Accessing the current system is impure. Declare supported systems in the manifest.";
+            __currentTime = abort "Accessing the current time is impure & illegal.";
+            __nixPath = abort "The NIX_PATH is an impure feature, and therefore illegal.";
+            __storePath = abort "Making explicit dependencies on store paths is illegal.";
+
+          }
+          // cond {
+            _if = pre != null;
+            inherit pre;
+          }
+        );
 
       g =
         name: type:
diff --git a/dev/mod.nix b/dev/mod.nix
index 9262f19..a540a34 100644
--- a/dev/mod.nix
+++ b/dev/mod.nix
@@ -1,4 +1 @@
-{
-  Pkgs = mod.pkgs;
-  Shell = mod.shell;
-}
+{ Shell = mod.shell; }
diff --git a/dev/pkgs.nix b/dev/pkgs.nix
deleted file mode 100644
index 18f9084..0000000
--- a/dev/pkgs.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-let
-  inherit (atom.pins) nixpkgs;
-in
-import nixpkgs { }
diff --git a/dev/shell.nix b/dev/shell.nix
index 07c3995..691fa96 100644
--- a/dev/shell.nix
+++ b/dev/shell.nix
@@ -1,5 +1,5 @@
 {
-  pkgs ? mod.pkgs,
+  pkgs ? atom.pkgs,
 }:
 pkgs.mkShell {
   packages = with pkgs; [
diff --git a/shell.nix b/shell.nix
index 52e62ec..1b1e6d2 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,7 +1,8 @@
 let
   dev = import ./. {
-    extern = {
+    extern = rec {
       pins = import ./npins;
+      pkgs = import pins.nixpkgs { };
     };
   } ./dev;
 in
diff --git a/test/bld.nix b/test/bld.nix
index 33e435a..1dd86c6 100644
--- a/test/bld.nix
+++ b/test/bld.nix
@@ -2,8 +2,7 @@ let
   compose = import ../.;
   mod = compose { } (
     # added to test implicit path conversion when path is a string
-    builtins.toPath
-    ./bld
+    builtins.toPath ./bld
   );
 in
 builtins.deepSeq mod mod
diff --git a/test/bld/mod.nix b/test/bld/mod.nix
index 9451116..aaf307b 100644
--- a/test/bld/mod.nix
+++ b/test/bld/mod.nix
@@ -3,7 +3,7 @@
   bar = atom.foo + 2;
   baz = mod.bar + 4;
   F = std.set.filterMap;
-  File = builtins.readFile "${mod}/bum";
+  File = std.readFile "${mod}/bum";
   Buzz = mod.buzz;
   Next = ./next; # should be a non-existant path: /nix/store/next
   Bar = mod.bar;