diff --git a/build/nix/grafana.nix b/build/nix/grafana.nix
index 05e47e804c..c8cd5c1132 100644
--- a/build/nix/grafana.nix
+++ b/build/nix/grafana.nix
@@ -142,6 +142,10 @@ in
 security = {
 admin_user = "admin";
 admin_password = cfg.adminPassword;
+ # Newer NixOS grafana modules assert this is set explicitly (no default).
+ # The dev microvm has no real secrets to protect — the file already
+ # warns this is for local development only.
+ secret_key = "pcp-microvm-dev-only-not-a-real-secret";
 };
 # Disable analytics/phone-home
diff --git a/build/nix/tests/test-all-microvms.nix b/build/nix/tests/test-all-microvms.nix
index 4d74fecd33..0ad1a9446b 100644
--- a/build/nix/tests/test-all-microvms.nix
+++ b/build/nix/tests/test-all-microvms.nix
@@ -81,6 +81,7 @@ pkgs.writeShellApplication {
 gnugrep
 procps
 nix
+ iproute2
 ];
 text = ''
 set +e # Don't exit on error - we want to continue and report all results
@@ -91,6 +92,8 @@ pkgs.writeShellApplication {
 SSH_RETRY_DELAY=${toString constants.test.sshRetryDelaySeconds}
 BASE_SSH_PORT=${toString constants.ports.sshForward}
 TAP_VM_IP="${constants.network.vmIp}"
+ TAP_BRIDGE="${constants.network.bridge}"
+ TAP_DEVICE="${constants.network.tap}"
 # Service warmup: wait for services to fully start after SSH connects
 # pmlogger takes ~9s, Grafana HTTP takes ~17s after service activation
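Review bot: The `secret_key` added to the `security` block of build/nix/grafana.nix is a fixed literal that is committed to the repository and copied into the world-readable Nix store. Grafana uses this key to protect data-source credentials kept in its database, so every VM built from this module shares one publicly known key; that is acceptable only while the module really stays on the dev microvm. The added comment relies on a warning elsewhere in the file, which is outside this hunk, so I would state the constraint at the setting itself, e.g. `# Fixed, public key: do not reuse this module where Grafana stores real data-source credentials.` If the module can ever be imported outside the microvm, take the value from an option or from Grafana's file provider (`secret_key = "$__file{/path/to/key}";`, the path being a placeholder) rather than a literal.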
@@ -259,6 +262,16 @@ pkgs.writeShellApplication {
 run_ssh_check "$host" "$port" "pminfo kernel.all.load" "pminfo -f kernel.all.load"
 }
+ # Check whether host TAP networking has been set up.
+ # Returns 0 if both the bridge and TAP device exist on the host.
+ # Note: operational state may be DOWN when no VM is attached — that is
+ # the normal pre-test condition, so we only check for existence.
+ check_tap_network() {
+ ip link show "$TAP_BRIDGE" >/dev/null 2>&1 || return 1
+ ip link show "$TAP_DEVICE" >/dev/null 2>&1 || return 1
+ return 0
+ }
+
 # Check Grafana HTTP endpoint (with retry - Grafana needs extra startup time)
 check_grafana_http() {
 local host="$1"
@@ -546,6 +559,24 @@ pkgs.writeShellApplication {
 # Ensure clean state
 stop_all_vms
+ # Preflight: detect whether host TAP networking is set up.
+ # When it is not, tap variants are skipped with an actionable hint
+ # instead of failing with an opaque VM_START_FAILED.
+ TAP_NETWORK_READY=true
+ if check_tap_network; then
+ log "TAP networking detected ($TAP_BRIDGE, $TAP_DEVICE)"
+ else
+ TAP_NETWORK_READY=false
+ log_section "TAP networking not set up — tap variants will be skipped"
+ echo "Bridge '$TAP_BRIDGE' or TAP device '$TAP_DEVICE' is not present/up."
+ echo ""
+ echo "To enable tap variants (base-tap, eval-tap, grafana-tap), run:"
+ echo " nix run .#pcp-check-host"
+ echo " sudo nix run .#pcp-network-setup"
+ echo ""
+ echo "Then re-run this test. To suppress this message, pass --skip-tap."
+ fi
+
 # Define test order (NOTE: BCC is deprecated - use BPF PMDA instead)
 VARIANT_ORDER=(base base-tap eval eval-tap grafana grafana-tap bpf)
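Review bot: `check_tap_network` accepts any link named `$TAP_BRIDGE` or `$TAP_DEVICE` as proof that host networking is ready, so an interface of the wrong type, or a TAP that is not attached to the bridge, passes the preflight and the tap variants presumably still end in the opaque VM_START_FAILED this change is meant to avoid. If the setup script attaches the TAP to the bridge (not visible here), the function could also require `[[ -d "/sys/class/net/$TAP_BRIDGE/bridge" ]]` and `[[ -e "/sys/class/net/$TAP_DEVICE/master" ]]`. At minimum the function comment should say that only the names are checked, not the link type, bridge membership or device ownership.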
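Review bot: The hint `To suppress this message, pass --skip-tap.` does not match the preflight as written: the `if check_tap_network; then … fi` block runs unconditionally, so the section is printed even when `$SKIP_TAP` is true. Wrapping the block in `if [[ "$SKIP_TAP" != "true" ]]; then … fi` would make the hint accurate, assuming `SKIP_TAP` has already been parsed at this point, which is outside the hunk. The wording `is not present/up` also contradicts `check_tap_network`, which tests existence only; `does not exist on this host` would be accurate. Since the hint asks the user to run a flake app under `sudo`, a one-line comment naming what `pcp-network-setup` changes on the host would let people review it before running it as root.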
@@ -555,12 +586,20 @@ pkgs.writeShellApplication {
 continue
 fi
- # Skip TAP variants if requested
- if [[ "$SKIP_TAP" == "true" ]] && [[ "$key" == *"-tap" ]]; then
- RESULTS[$key]="SKIPPED"
- DURATIONS[$key]=0
- TOTAL_SKIPPED=$((TOTAL_SKIPPED + 1))
- continue
+ # Skip TAP variants when requested or when host networking is not set up.
+ if [[ "$key" == *"-tap" ]]; then
+ if [[ "$SKIP_TAP" == "true" ]]; then
+ RESULTS[$key]="SKIPPED (--skip-tap)"
+ DURATIONS[$key]=0
+ TOTAL_SKIPPED=$((TOTAL_SKIPPED + 1))
+ continue
+ fi
+ if [[ "$TAP_NETWORK_READY" == "false" ]]; then
+ RESULTS[$key]="SKIPPED (tap network not set up)"
+ DURATIONS[$key]=0
+ TOTAL_SKIPPED=$((TOTAL_SKIPPED + 1))
+ continue
+ fi
 fi
 # Get variant properties
diff --git a/flake.lock b/flake.lock
index 18301f739f..8be4ded7ff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -26,11 +26,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1771802632, - "narHash": "sha256-UAH8YfrHRvXAMeFxUzJ4h4B1loz1K1wiNUNI8KiPqOg=", + "lastModified": 1778669912, + "narHash": "sha256-WT2iimtOBZM/6AcZeBoJU2EgUSaywtlItsEgNkZBda0=", "owner": "astro", "repo": "microvm.nix", - "rev": "b67e3d80df3ec35bdfd3a00ad64ee437ef4fcded", + "rev": "a7a7009064cec75d9da652c6723412ce27b9bc44", "type": "github" }, "original": {
@@ -41,11 +41,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767640445, - "narHash": "sha256-UWYqmD7JFBEDBHWYcqE6s6c77pWdcU/i+bwD6XxMb8A=", + "lastModified": 1778443072, + "narHash": "sha256-zi7/fsqM/kFdNuED//4WOCUtezGtKKqRNORjMvfwjnA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f0c42f8bc7151b8e7e5840fb3bd454ad850d8c5", + "rev": "da5ad661ba4e5ef59ba743f0d112cbc30e474f32", "type": "github" }, "original": {
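Review bot: The skip branches in test-all-microvms.nix now store `SKIPPED (--skip-tap)` and `SKIPPED (tap network not set up)` in `RESULTS[$key]`, where the old code stored the bare string `SKIPPED`. Any summary or exit-status code later in the script that compares the value with exactly `SKIPPED` (not visible in this hunk) would stop recognising these entries; a prefix match such as `[[ "''${RESULTS[$key]}" == SKIPPED* ]]` keeps both forms working (the `''$` is the Nix indented-string escape for a literal `${`). The two branches also repeat the same three bookkeeping lines, so choosing a skip reason first and doing the bookkeeping once would keep them from drifting apart. The enclosing loop starts and ends outside the hunk.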
@@ -65,11 +65,11 @@ "spectrum": { "flake": false, "locked": { - "lastModified": 1759482047, - "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", + "lastModified": 1772189877, + "narHash": "sha256-i1p90Rgssb//aNiTDFq46ZG/fk3LmyRLChtp/9lddyA=", "ref": "refs/heads/main", - "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", - "revCount": 996, + "rev": "fe39e122d898f66e89ffa17d4f4209989ccb5358", + "revCount": 1255, "type": "git", "url": "https://spectrum-os.org/git/spectrum" },