release: 0.4.1

Signed-off-by: Ophestra <cat@gensokyo.uk>

.gitignore

@@ -7,6 +7,7 @@
 
 # go generate
 /cmd/hakurei/LICENSE
+/cmd/mbf/internal/pkgserver/ui/static
 /internal/pkg/testdata/testtool
 /internal/rosa/hakurei_current.tar.gz
 

all.sh

@@ -2,5 +2,9 @@
 
 TOOLCHAIN_VERSION="$(go version)"
 cd "$(dirname -- "$0")/"
-echo "# Building cmd/dist using ${TOOLCHAIN_VERSION}."
+echo "Building cmd/dist using ${TOOLCHAIN_VERSION}."
-go run -v --tags=dist ./cmd/dist
+FLAGS=''
+if test -n "$VERBOSE"; then
+    FLAGS="$FLAGS -v"
+fi
+go run $FLAGS --tags=dist ./cmd/dist

check/absolute.go

@@ -2,7 +2,7 @@
 package check
 
 import (
-	"encoding/json"
+	"encoding"
 	"errors"
 	"fmt"
 	"path/filepath"
@@ -30,6 +30,16 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }
 
+var (
+	_ encoding.TextAppender    = new(Absolute)
+	_ encoding.TextMarshaler   = new(Absolute)
+	_ encoding.TextUnmarshaler = new(Absolute)
+
+	_ encoding.BinaryAppender    = new(Absolute)
+	_ encoding.BinaryMarshaler   = new(Absolute)
+	_ encoding.BinaryUnmarshaler = new(Absolute)
+)
+
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 
@@ -84,13 +94,16 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [filepath.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }
 
-// GobEncode returns the checked pathname.
+// AppendText appends the checked pathname.
-func (a *Absolute) GobEncode() ([]byte, error) {
+func (a *Absolute) AppendText(data []byte) ([]byte, error) {
-	return []byte(a.String()), nil
+	return append(data, a.String()...), nil
 }
 
-// GobDecode stores data if it represents an absolute pathname.
+// MarshalText returns the checked pathname.
-func (a *Absolute) GobDecode(data []byte) error {
+func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+
+// UnmarshalText stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalText(data []byte) error {
 	pathname := string(data)
 	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
@@ -99,23 +112,9 @@ func (a *Absolute) GobDecode(data []byte) error {
 	return nil
 }
 
-// MarshalJSON returns a JSON representation of the checked pathname.
+func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
-func (a *Absolute) MarshalJSON() ([]byte, error) {
+func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
-	return json.Marshal(a.String())
+func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }
-}
-
-// UnmarshalJSON stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalJSON(data []byte) error {
-	var pathname string
-	if err := json.Unmarshal(data, &pathname); err != nil {
-		return err
-	}
-	if !filepath.IsAbs(pathname) {
-		return AbsoluteError(pathname)
-	}
-	a.pathname = unique.Make(pathname)
-	return nil
-}
 
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {

check/absolute_test.go

@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {
 
 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
 
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
 
 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}
 
@@ -347,15 +347,6 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
-
-	t.Run("json passthrough", func(t *testing.T) {
-		t.Parallel()
-
-		wantErr := "invalid character ':' looking for beginning of value"
-		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
-			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
-		}
-	})
 }
 
 func TestAbsoluteWrap(t *testing.T) {

check/overlay.go

@@ -4,15 +4,23 @@ import "strings"
 
 const (
 	// SpecialOverlayEscape is the escape string for overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayEscape = `\`
 	// SpecialOverlayOption is the separator string between overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayOption = ","
 	// SpecialOverlayPath is the separator string between overlay paths.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayPath = ":"
 )
 
 // EscapeOverlayDataSegment escapes a string for formatting into the data
 // argument of an overlay mount system call.
+//
+// Deprecated: This is no longer used and will be removed in 0.5.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""

cmd/dist/main.go

@@ -42,14 +42,18 @@ func mustRun(ctx context.Context, name string, arg ...string) {
 var comp []byte
 
 func main() {
-	fmt.Println()
 	log.SetFlags(0)
-	log.SetPrefix("# ")
+	log.SetPrefix("")
 
+	verbose := os.Getenv("VERBOSE") != ""
 	version := getenv("HAKUREI_VERSION", "untagged")
 	prefix := getenv("PREFIX", "/usr")
 	destdir := getenv("DESTDIR", "dist")
 
+	if verbose {
+		log.Println()
+	}
+
 	if err := os.MkdirAll(destdir, 0755); err != nil {
 		log.Fatal(err)
 	}
@@ -76,12 +80,17 @@ func main() {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer cancel()
 
-	log.Println("Building hakurei.")
+	verboseFlag := "-v"
+	if !verbose {
+		verboseFlag = "-buildvcs=false"
+	}
+
+	log.Printf("Building hakurei for %s/%s.", runtime.GOOS, runtime.GOARCH)
 	mustRun(ctx, "go", "generate", "./...")
 	mustRun(
 		ctx, "go", "build",
 		"-trimpath",
-		"-v", "-o", s,
+		verboseFlag, "-o", s,
 		"-ldflags=-s -w "+
 			"-buildid= -linkmode external -extldflags=-static "+
 			"-X hakurei.app/internal/info.buildVersion="+version+" "+
@@ -90,17 +99,17 @@ func main() {
 			"-X main.hakureiPath="+prefix+"/bin/hakurei",
 		"./...",
 	)
-	fmt.Println()
+	log.Println()
 
-	log.Println("Testing Hakurei.")
+	log.Println("##### Testing Hakurei.")
 	mustRun(
 		ctx, "go", "test",
 		"-ldflags=-buildid= -linkmode external -extldflags=-static",
 		"./...",
 	)
-	fmt.Println()
+	log.Println()
 
-	log.Println("Creating distribution.")
+	log.Println("##### Creating distribution.")
 	const suffix = ".tar.gz"
 	distName := "hakurei-" + version + "-" + runtime.GOARCH
 	var f *os.File
@@ -121,7 +130,7 @@ func main() {
 	}()
 
 	h := sha512.New()
-	gw := gzip.NewWriter(io.MultiWriter(f, h))
+	gw, _ := gzip.NewWriterLevel(io.MultiWriter(f, h), gzip.BestCompression)
 	tw := tar.NewWriter(gw)
 
 	mustWriteHeader := func(name string, size int64, mode os.FileMode) {

cmd/hakurei/command.go

@@ -39,6 +39,7 @@ var errSuccess = errors.New("success")
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
 		flagVerbose  bool
+		flagInsecure bool
 		flagJSON     bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
@@ -57,6 +58,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
 
 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -75,7 +77,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}
 
-			outcome.Main(ctx, msg, config, flagIdentifierFile)
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -145,7 +152,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			var et hst.Enablement
+			var et hst.Enablements
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -163,7 +170,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: hst.NewEnablements(et),
+				Enablements: &et,
 
 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -282,7 +289,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}
 
-			outcome.Main(ctx, msg, &config, -1)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),

cmd/hakurei/command_test.go

@@ -20,7 +20,7 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]
 
 Commands:
     run         Load and start container from configuration file

cmd/hakurei/print.go

@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	if err := config.Validate(); err != nil {
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")

cmd/hakurei/print_test.go

@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
+			Enablements: new(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),

cmd/mbf/cache.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+// cache refers to an instance of [pkg.Cache] that might be open.
+type cache struct {
+	ctx context.Context
+	msg message.Msg
+
+	// Should generally not be used directly.
+	c *pkg.Cache
+
+	cures, jobs        int
+	hostAbstract, idle bool
+
+	base string
+}
+
+// open opens the underlying [pkg.Cache].
+func (cache *cache) open() (err error) {
+	if cache.c != nil {
+		return os.ErrInvalid
+	}
+
+	var base *check.Absolute
+	if cache.base, err = filepath.Abs(cache.base); err != nil {
+		return
+	} else if base, err = check.NewAbs(cache.base); err != nil {
+		return
+	}
+
+	var flags int
+	if cache.idle {
+		flags |= pkg.CSchedIdle
+	}
+	if cache.hostAbstract {
+		flags |= pkg.CHostAbstract
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-cache.ctx.Done():
+			if testing.Testing() {
+				return
+			}
+			os.Exit(2)
+
+		case <-done:
+			return
+		}
+	}()
+
+	cache.msg.Verbosef("opening cache at %s", base)
+	cache.c, err = pkg.Open(
+		cache.ctx,
+		cache.msg,
+		flags,
+		cache.cures,
+		cache.jobs,
+		base,
+	)
+	return
+}
+
+// Close closes the underlying [pkg.Cache] if it is open.
+func (cache *cache) Close() {
+	if cache.c != nil {
+		cache.c.Close()
+	}
+}
+
+// Do calls f on the underlying cache and returns its error value.
+func (cache *cache) Do(f func(cache *pkg.Cache) error) error {
+	if cache.c == nil {
+		if err := cache.open(); err != nil {
+			return err
+		}
+	}
+	return f(cache.c)
+}

cmd/mbf/cache_test.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"log"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestCache(t *testing.T) {
+	t.Parallel()
+
+	cm := cache{
+		ctx:  t.Context(),
+		msg:  message.New(log.New(os.Stderr, "check: ", 0)),
+		base: t.TempDir(),
+
+		hostAbstract: true, idle: true,
+	}
+	defer cm.Close()
+	cm.Close()
+
+	if err := cm.open(); err != nil {
+		t.Fatalf("open: error = %v", err)
+	}
+	if err := cm.open(); err != os.ErrInvalid {
+		t.Errorf("(duplicate) open: error = %v", err)
+	}
+
+	if err := cm.Do(func(cache *pkg.Cache) error {
+		return cache.Scrub(0)
+	}); err != nil {
+		t.Errorf("Scrub: error = %v", err)
+	}
+}

cmd/mbf/daemon.go

@@ -0,0 +1,354 @@
+package main
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"io"
+	"log"
+	"math"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+	"unique"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+)
+
+// daemonTimeout is the maximum amount of time cureFromIR will wait on I/O.
+const daemonTimeout = 30 * time.Second
+
+// daemonDeadline returns the deadline corresponding to daemonTimeout, or the
+// zero value when running in a test.
+func daemonDeadline() time.Time {
+	if testing.Testing() {
+		return time.Time{}
+	}
+	return time.Now().Add(daemonTimeout)
+}
+
+const (
+	// remoteNoReply notifies that the client will not receive a cure reply.
+	remoteNoReply = 1 << iota
+)
+
+// cureFromIR services an IR curing request.
+func cureFromIR(
+	cache *pkg.Cache,
+	conn net.Conn,
+	flags uint64,
+) (pkg.Artifact, error) {
+	a, decodeErr := cache.NewDecoder(conn).Decode()
+	if decodeErr != nil {
+		_, err := conn.Write([]byte("\x00" + decodeErr.Error()))
+		return nil, errors.Join(decodeErr, err, conn.Close())
+	}
+
+	pathname, _, cureErr := cache.Cure(a)
+	if flags&remoteNoReply != 0 {
+		return a, errors.Join(cureErr, conn.Close())
+	}
+	if err := conn.SetWriteDeadline(daemonDeadline()); err != nil {
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	if cureErr != nil {
+		_, err := conn.Write([]byte("\x00" + cureErr.Error()))
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	_, err := conn.Write([]byte(pathname.String()))
+	if testing.Testing() && errors.Is(err, io.ErrClosedPipe) {
+		return a, nil
+	}
+	return a, errors.Join(err, conn.Close())
+}
+
+const (
+	// specialCancel is a message consisting of a single identifier referring
+	// to a curing artifact to be cancelled.
+	specialCancel = iota
+	// specialAbort requests for all pending cures to be aborted. It has no
+	// message body.
+	specialAbort
+
+	// remoteSpecial denotes a special message with custom layout.
+	remoteSpecial = math.MaxUint64
+)
+
+// writeSpecialHeader writes the header of a remoteSpecial message.
+func writeSpecialHeader(conn net.Conn, kind uint64) error {
+	var sh [16]byte
+	binary.LittleEndian.PutUint64(sh[:], remoteSpecial)
+	binary.LittleEndian.PutUint64(sh[8:], kind)
+	if n, err := conn.Write(sh[:]); err != nil {
+		return err
+	} else if n != len(sh) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+// cancelIdent reads an identifier from conn and cancels the corresponding cure.
+func cancelIdent(
+	cache *pkg.Cache,
+	conn net.Conn,
+) (*pkg.ID, bool, error) {
+	var ident pkg.ID
+	if _, err := io.ReadFull(conn, ident[:]); err != nil {
+		return nil, false, errors.Join(err, conn.Close())
+	}
+	ok := cache.Cancel(unique.Make(ident))
+	return &ident, ok, conn.Close()
+}
+
+// serve services connections from a [net.UnixListener].
+func serve(
+	ctx context.Context,
+	log *log.Logger,
+	cm *cache,
+	ul *net.UnixListener,
+) error {
+	ul.SetUnlinkOnClose(true)
+	if cm.c == nil {
+		if err := cm.open(); err != nil {
+			return errors.Join(err, ul.Close())
+		}
+	}
+
+	var wg sync.WaitGroup
+	defer wg.Wait()
+
+	wg.Go(func() {
+		for {
+			if ctx.Err() != nil {
+				break
+			}
+
+			conn, err := ul.AcceptUnix()
+			if err != nil {
+				if !errors.Is(err, os.ErrDeadlineExceeded) {
+					log.Println(err)
+				}
+				continue
+			}
+			wg.Go(func() {
+				done := make(chan struct{})
+				defer close(done)
+				go func() {
+					select {
+					case <-ctx.Done():
+						_ = conn.SetDeadline(time.Now())
+
+					case <-done:
+						return
+					}
+				}()
+
+				if _err := conn.SetReadDeadline(daemonDeadline()); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+
+				var word [8]byte
+				if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+				flags := binary.LittleEndian.Uint64(word[:])
+
+				if flags == remoteSpecial {
+					if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+						log.Println(_err)
+						if _err = conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+						return
+					}
+					switch special := binary.LittleEndian.Uint64(word[:]); special {
+					default:
+						log.Printf("invalid special %d", special)
+
+					case specialCancel:
+						if id, ok, _err := cancelIdent(cm.c, conn); _err != nil {
+							log.Println(_err)
+						} else if !ok {
+							log.Println(
+								"attempting to cancel invalid artifact",
+								pkg.Encode(*id),
+							)
+						} else {
+							log.Println(
+								"cancelled artifact",
+								pkg.Encode(*id),
+							)
+						}
+
+					case specialAbort:
+						log.Println("aborting all pending cures")
+						cm.c.Abort()
+						if _err := conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+					}
+
+					return
+				}
+
+				if a, _err := cureFromIR(cm.c, conn, flags); _err != nil {
+					log.Println(_err)
+				} else {
+					log.Printf(
+						"fulfilled artifact %s",
+						pkg.Encode(cm.c.Ident(a).Value()),
+					)
+				}
+			})
+		}
+	})
+
+	<-ctx.Done()
+	if err := ul.SetDeadline(time.Now()); err != nil {
+		return errors.Join(err, ul.Close())
+	}
+	wg.Wait()
+	return ul.Close()
+}
+
+// dial wraps [net.DialUnix] with a context.
+func dial(ctx context.Context, addr *net.UnixAddr) (
+	done chan<- struct{},
+	conn *net.UnixConn,
+	err error,
+) {
+	conn, err = net.DialUnix("unix", nil, addr)
+	if err != nil {
+		return
+	}
+
+	d := make(chan struct{})
+	done = d
+	go func() {
+		select {
+		case <-ctx.Done():
+			_ = conn.SetDeadline(time.Now())
+
+		case <-d:
+			return
+		}
+	}()
+	return
+}
+
+// cureRemote cures a [pkg.Artifact] on a daemon.
+func cureRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	flags uint64,
+) (*check.Absolute, error) {
+	if flags == remoteSpecial {
+		return nil, syscall.EINVAL
+	}
+
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	defer close(done)
+
+	if n, flagErr := conn.Write(binary.LittleEndian.AppendUint64(nil, flags)); flagErr != nil {
+		return nil, errors.Join(flagErr, conn.Close())
+	} else if n != 8 {
+		return nil, errors.Join(io.ErrShortWrite, conn.Close())
+	}
+
+	if err = pkg.NewIR().EncodeAll(conn, a); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	} else if err = conn.CloseWrite(); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	}
+
+	if flags&remoteNoReply != 0 {
+		return nil, conn.Close()
+	}
+
+	payload, recvErr := io.ReadAll(conn)
+	if err = errors.Join(recvErr, conn.Close()); err != nil {
+		if errors.Is(err, os.ErrDeadlineExceeded) {
+			if cancelErr := ctx.Err(); cancelErr != nil {
+				err = cancelErr
+			}
+		}
+		return nil, err
+	}
+
+	if len(payload) > 0 && payload[0] == 0 {
+		return nil, errors.New(string(payload[1:]))
+	}
+
+	var p *check.Absolute
+	p, err = check.NewAbs(string(payload))
+	return p, err
+}
+
+// cancelRemote cancels a [pkg.Artifact] curing on a daemon.
+func cancelRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	if err = writeSpecialHeader(conn, specialCancel); err != nil {
+		return errors.Join(err, conn.Close())
+	}
+
+	var n int
+	id := pkg.NewIR().Ident(a).Value()
+	if n, err = conn.Write(id[:]); err != nil {
+		return errors.Join(err, conn.Close())
+	} else if n != len(id) {
+		return errors.Join(io.ErrShortWrite, conn.Close())
+	}
+	if wait {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}
+
+// abortRemote aborts all [pkg.Artifact] curing on a daemon.
+func abortRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	err = writeSpecialHeader(conn, specialAbort)
+	if wait && err == nil {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}

cmd/mbf/daemon_test.go

@@ -0,0 +1,146 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"log"
+	"net"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestNoReply(t *testing.T) {
+	t.Parallel()
+	if !daemonDeadline().IsZero() {
+		t.Fatal("daemonDeadline did not return the zero value")
+	}
+
+	c, err := pkg.Open(
+		t.Context(),
+		message.New(log.New(os.Stderr, "cir: ", 0)),
+		0, 0, 0,
+		check.MustAbs(t.TempDir()),
+	)
+	if err != nil {
+		t.Fatalf("Open: error = %v", err)
+	}
+	defer c.Close()
+
+	client, server := net.Pipe()
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		go func() {
+			<-t.Context().Done()
+			if _err := client.SetDeadline(time.Now()); _err != nil && !errors.Is(_err, io.ErrClosedPipe) {
+				panic(_err)
+			}
+		}()
+
+		if _err := c.EncodeAll(
+			client,
+			pkg.NewFile("check", []byte{0}),
+		); _err != nil {
+			panic(_err)
+		} else if _err = client.Close(); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	a, cureErr := cureFromIR(c, server, remoteNoReply)
+	if cureErr != nil {
+		t.Fatalf("cureFromIR: error = %v", cureErr)
+	}
+
+	<-done
+	wantIdent := pkg.MustDecode("fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG")
+	if gotIdent := c.Ident(a).Value(); gotIdent != wantIdent {
+		t.Errorf(
+			"cureFromIR: %s, want %s",
+			pkg.Encode(gotIdent), pkg.Encode(wantIdent),
+		)
+	}
+}
+
+func TestDaemon(t *testing.T) {
+	t.Parallel()
+
+	var buf bytes.Buffer
+	logger := log.New(&buf, "daemon: ", 0)
+
+	addr := net.UnixAddr{
+		Name: filepath.Join(t.TempDir(), "daemon"),
+		Net:  "unix",
+	}
+
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+
+	cm := cache{
+		ctx:  ctx,
+		msg:  message.New(logger),
+		base: t.TempDir(),
+	}
+	defer cm.Close()
+
+	ul, err := net.ListenUnix("unix", &addr)
+	if err != nil {
+		t.Fatalf("ListenUnix: error = %v", err)
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		if _err := serve(ctx, logger, &cm, ul); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil), true); err != nil {
+		t.Fatalf("cancelRemote: error = %v", err)
+	}
+
+	if err = abortRemote(ctx, &addr, true); err != nil {
+		t.Fatalf("abortRemote: error = %v", err)
+	}
+
+	// keep this last for synchronisation
+	var p *check.Absolute
+	p, err = cureRemote(ctx, &addr, pkg.NewFile("check", []byte{0}), 0)
+	if err != nil {
+		t.Fatalf("cureRemote: error = %v", err)
+	}
+
+	cancel()
+	<-done
+
+	const want = "fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG"
+	if got := filepath.Base(p.String()); got != want {
+		t.Errorf("cureRemote: %s, want %s", got, want)
+	}
+
+	wantLog := []string{
+		"",
+		"daemon: aborting all pending cures",
+		"daemon: attempting to cancel invalid artifact kQm9fmnCmXST1-MMmxzcau2oKZCXXrlZydo4PkeV5hO_2PKfeC8t98hrbV_ZZx_j",
+		"daemon: fulfilled artifact fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG",
+	}
+	gotLog := strings.Split(buf.String(), "\n")
+	slices.Sort(gotLog)
+	if !slices.Equal(gotLog, wantLog) {
+		t.Errorf(
+			"serve: logged\n%s\nwant\n%s",
+			strings.Join(gotLog, "\n"), strings.Join(wantLog, "\n"),
+		)
+	}
+}

cmd/mbf/info.go

@@ -0,0 +1,114 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+// commandInfo implements the info subcommand.
+func commandInfo(
+	cm *cache,
+	args []string,
+	w io.Writer,
+	writeStatus bool,
+	r *rosa.Report,
+) (err error) {
+	if len(args) == 0 {
+		return errors.New("info requires at least 1 argument")
+	}
+
+	// recovered by HandleAccess
+	mustPrintln := func(a ...any) {
+		if _, _err := fmt.Fprintln(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+	mustPrint := func(a ...any) {
+		if _, _err := fmt.Fprint(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+
+	for i, name := range args {
+		if p, ok := rosa.ResolveName(name); !ok {
+			return fmt.Errorf("unknown artifact %q", name)
+		} else {
+			var suffix string
+			if version := rosa.Std.Version(p); version != rosa.Unversioned {
+				suffix += "-" + version
+			}
+			mustPrintln("name        : " + name + suffix)
+
+			meta := rosa.GetMetadata(p)
+			mustPrintln("description : " + meta.Description)
+			if meta.Website != "" {
+				mustPrintln("website     : " +
+					strings.TrimSuffix(meta.Website, "/"))
+			}
+			if len(meta.Dependencies) > 0 {
+				mustPrint("depends on  :")
+				for _, d := range meta.Dependencies {
+					s := rosa.GetMetadata(d).Name
+					if version := rosa.Std.Version(d); version != rosa.Unversioned {
+						s += "-" + version
+					}
+					mustPrint(" " + s)
+				}
+				mustPrintln()
+			}
+
+			const statusPrefix = "status      : "
+			if writeStatus {
+				if r == nil {
+					var f io.ReadSeekCloser
+					err = cm.Do(func(cache *pkg.Cache) (err error) {
+						f, err = cache.OpenStatus(rosa.Std.Load(p))
+						return
+					})
+					if err != nil {
+						if errors.Is(err, os.ErrNotExist) {
+							mustPrintln(
+								statusPrefix + "not yet cured",
+							)
+						} else {
+							return
+						}
+					} else {
+						mustPrint(statusPrefix)
+						_, err = io.Copy(w, f)
+						if err = errors.Join(err, f.Close()); err != nil {
+							return
+						}
+					}
+				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
+					if status == nil {
+						mustPrintln(
+							statusPrefix + "not in report",
+						)
+					} else {
+						mustPrintln("size        :", n)
+						mustPrint(statusPrefix)
+						if _, err = w.Write(status); err != nil {
+							return
+						}
+					}
+					return
+				}); err != nil {
+					return
+				}
+			}
+
+			if i != len(args)-1 {
+				mustPrintln()
+			}
+		}
+	}
+	return nil
+}

cmd/mbf/info_test.go

@@ -0,0 +1,181 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+	"unsafe"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func TestInfo(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		args    []string
+		status  map[string]string
+		report  string
+		want    string
+		wantErr any
+	}{
+		{"qemu", []string{"qemu"}, nil, "", `
+name        : qemu-` + rosa.Std.Version(rosa.QEMU) + `
+description : a generic and open source machine emulator and virtualizer
+website     : https://www.qemu.org
+depends on  : glib-` + rosa.Std.Version(rosa.GLib) + ` zstd-` + rosa.Std.Version(rosa.Zstd) + `
+`, nil},
+
+		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
+name        : hakurei-` + rosa.Std.Version(rosa.Hakurei) + `
+description : low-level userspace tooling for Rosa OS
+website     : https://hakurei.app
+
+name        : hakurei-dist-` + rosa.Std.Version(rosa.HakureiDist) + `
+description : low-level userspace tooling for Rosa OS (distribution tarball)
+website     : https://hakurei.app
+`, nil},
+
+		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+
+`, fmt.Errorf("unknown artifact %q", "\x00")},
+
+		{"status cache", []string{"zlib", "zstd"}, map[string]string{
+			"zstd":    "internal/pkg (amd64) on satori\n",
+			"hakurei": "internal/pkg (amd64) on satori\n\n",
+		}, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not yet cured
+
+name        : zstd-` + rosa.Std.Version(rosa.Zstd) + `
+description : a fast compression algorithm
+website     : https://facebook.github.io/zstd
+status      : internal/pkg (amd64) on satori
+`, nil},
+
+		{"status cache perm", []string{"zlib"}, map[string]string{
+			"zlib": "\x00",
+		}, "", `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+`, func(cm *cache) error {
+			return &os.PathError{
+				Op:   "open",
+				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(rosa.Std.Load(rosa.Zlib)).Value())),
+				Err:  syscall.EACCES,
+			}
+		}},
+
+		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
+name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not in report
+`, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				cm  *cache
+				buf strings.Builder
+				r   *rosa.Report
+			)
+
+			if tc.status != nil || tc.report != "" {
+				cm = &cache{
+					ctx:  context.Background(),
+					msg:  message.New(log.New(os.Stderr, "info: ", 0)),
+					base: t.TempDir(),
+				}
+				defer cm.Close()
+			}
+
+			if tc.report != "" {
+				pathname := filepath.Join(t.TempDir(), "report")
+				err := os.WriteFile(
+					pathname,
+					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
+					0400,
+				)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				r, err = rosa.OpenReport(pathname)
+				if err != nil {
+					t.Fatal(err)
+				}
+				defer func() {
+					if err = r.Close(); err != nil {
+						t.Fatal(err)
+					}
+				}()
+			}
+
+			if tc.status != nil {
+				for name, status := range tc.status {
+					p, ok := rosa.ResolveName(name)
+					if !ok {
+						t.Fatalf("invalid name %q", name)
+					}
+					perm := os.FileMode(0400)
+					if status == "\x00" {
+						perm = 0
+					}
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						return os.WriteFile(filepath.Join(
+							cm.base,
+							"status",
+							pkg.Encode(cache.Ident(rosa.Std.Load(p)).Value()),
+						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
+					}); err != nil {
+						t.Fatalf("Do: error = %v", err)
+					}
+				}
+			}
+
+			var wantErr error
+			switch c := tc.wantErr.(type) {
+			case error:
+				wantErr = c
+			case func(cm *cache) error:
+				wantErr = c(cm)
+			default:
+				if tc.wantErr != nil {
+					t.Fatalf("invalid wantErr %#v", tc.wantErr)
+				}
+			}
+
+			if err := commandInfo(
+				cm,
+				tc.args,
+				&buf,
+				cm != nil,
+				r,
+			); !reflect.DeepEqual(err, wantErr) {
+				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
+			}
+
+			if got := buf.String(); got != strings.TrimPrefix(tc.want, "\n") {
+				t.Errorf("commandInfo:\n%s\nwant\n%s", got, tc.want)
+			}
+		})
+	}
+}

cmd/mbf/internal/pkgserver/api.go

@@ -0,0 +1,202 @@
+// Package pkgserver implements the package metadata service backend.
+package pkgserver
+
+import (
+	"context"
+	"encoding/json"
+	"log"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+	"sync"
+	"time"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// for lazy initialisation of serveInfo
+var (
+	infoPayload struct {
+		// Current package count.
+		Count int `json:"count"`
+		// Hakurei version, set at link time.
+		HakureiVersion string `json:"hakurei_version"`
+	}
+	infoPayloadOnce sync.Once
+)
+
+// handleInfo writes constant system information.
+func handleInfo(w http.ResponseWriter, _ *http.Request) {
+	infoPayloadOnce.Do(func() {
+		infoPayload.Count = int(rosa.PresetUnexportedStart)
+		infoPayload.HakureiVersion = info.Version()
+	})
+	// TODO(mae): cache entire response if no additional fields are planned
+	writeAPIPayload(w, infoPayload)
+}
+
+// newStatusHandler returns a [http.HandlerFunc] that offers status files for
+// viewing or download, if available.
+func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		m, ok := index.names[path.Base(r.URL.Path)]
+		if !ok || !m.HasReport {
+			http.NotFound(w, r)
+			return
+		}
+
+		contentType := "text/plain; charset=utf-8"
+		if disposition {
+			contentType = "application/octet-stream"
+
+			// quoting like this is unsound, but okay, because metadata is hardcoded
+			contentDisposition := `attachment; filename="`
+			contentDisposition += m.Name + "-"
+			if m.Version != "" {
+				contentDisposition += m.Version + "-"
+			}
+			contentDisposition += m.ids + `.log"`
+			w.Header().Set("Content-Disposition", contentDisposition)
+		}
+		w.Header().Set("Content-Type", contentType)
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		if err := func() (err error) {
+			defer index.handleAccess(&err)()
+			_, err = w.Write(m.status)
+			return
+		}(); err != nil {
+			log.Println(err)
+			http.Error(
+				w, "cannot deliver status, contact maintainers",
+				http.StatusInternalServerError,
+			)
+		}
+	}
+}
+
+// handleGet writes a slice of metadata with specified order.
+func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	sort, err := strconv.Atoi(q.Get("sort"))
+	if err != nil || sort >= len(index.sorts) || sort < 0 {
+		http.Error(
+			w, "sort must be an integer between 0 and "+
+				strconv.Itoa(sortOrderEnd),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
+	writeAPIPayload(w, &struct {
+		Values []*metadata `json:"values"`
+	}{values})
+}
+
+func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	search, err := url.QueryUnescape(q.Get("search"))
+	if len(search) > 100 || err != nil {
+		http.Error(
+			w, "search must be a string between 0 and 100 characters long",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	desc := q.Get("desc") == "true"
+	n, res, err := index.performSearchQuery(limit, i, search, desc)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+	writeAPIPayload(w, &struct {
+		Count  int            `json:"count"`
+		Values []searchResult `json:"values"`
+	}{n, res})
+}
+
+// apiVersion is the name of the current API revision, as part of the pattern.
+const apiVersion = "v1"
+
+// registerAPI registers API handler functions.
+func (index *packageIndex) registerAPI(mux *http.ServeMux) {
+	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
+	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
+	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
+	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
+	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
+}
+
+// Register arranges for mux to service API requests.
+func Register(ctx context.Context, mux *http.ServeMux, report *rosa.Report) error {
+	var index packageIndex
+	index.search = make(searchCache)
+	if err := index.populate(report); err != nil {
+		return err
+	}
+	ticker := time.NewTicker(1 * time.Minute)
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				index.search.clean()
+			}
+		}
+	}()
+	index.registerAPI(mux)
+	return nil
+}
+
+// writeAPIPayload sets headers common to API responses and encodes payload as
+// JSON for the response body.
+func writeAPIPayload(w http.ResponseWriter, payload any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+
+	if err := json.NewEncoder(w).Encode(payload); err != nil {
+		log.Println(err)
+		http.Error(
+			w, "cannot encode payload, contact maintainers",
+			http.StatusInternalServerError,
+		)
+	}
+}

cmd/mbf/internal/pkgserver/api_test.go

@@ -0,0 +1,181 @@
+package pkgserver
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"slices"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// prefix is prepended to every API path.
+const prefix = "/api/" + apiVersion + "/"
+
+func TestAPIInfo(t *testing.T) {
+	t.Parallel()
+
+	w := httptest.NewRecorder()
+	handleInfo(w, httptest.NewRequestWithContext(
+		t.Context(),
+		http.MethodGet,
+		prefix+"info",
+		nil,
+	))
+
+	resp := w.Result()
+	checkStatus(t, resp, http.StatusOK)
+	checkAPIHeader(t, w.Header())
+
+	checkPayload(t, resp, struct {
+		Count          int    `json:"count"`
+		HakureiVersion string `json:"hakurei_version"`
+	}{int(rosa.PresetUnexportedStart), info.Version()})
+}
+
+func TestAPIGet(t *testing.T) {
+	t.Parallel()
+	const target = prefix + "get"
+
+	index := newIndex(t)
+	newRequest := func(suffix string) *httptest.ResponseRecorder {
+		w := httptest.NewRecorder()
+		index.handleGet(w, httptest.NewRequestWithContext(
+			t.Context(),
+			http.MethodGet,
+			target+suffix,
+			nil,
+		))
+		return w
+	}
+
+	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
+		t.Run("invalid", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=invalid")
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+		})
+
+		t.Run("min", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+
+		t.Run("max", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+	}
+
+	t.Run("limit", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&sort=0&limit", 1, 100,
+			"limit must be an integer between 1 and 100",
+		)
+	})
+
+	t.Run("index", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "limit=1&sort=0&index", 0, int(rosa.PresetUnexportedStart-1),
+			"index must be an integer between 0 and "+strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+		)
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
+			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
+		)
+	})
+
+	checkWithSuffix := func(name, suffix string, want []*metadata) {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest(suffix)
+			resp := w.Result()
+			checkStatus(t, resp, http.StatusOK)
+			checkAPIHeader(t, w.Header())
+			checkPayloadFunc(t, resp, func(got *struct {
+				Values []*metadata `json:"values"`
+			}) bool {
+				return slices.EqualFunc(got.Values, want, func(a, b *metadata) bool {
+					return (a.Version == b.Version ||
+						a.Version == rosa.Unversioned ||
+						b.Version == rosa.Unversioned) &&
+						a.HasReport == b.HasReport &&
+						a.Name == b.Name &&
+						a.Description == b.Description &&
+						a.Website == b.Website
+				})
+			})
+
+		})
+	}
+
+	checkWithSuffix("declarationAscending", "?limit=2&index=1&sort=0", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(1),
+			Version:  rosa.Std.Version(1),
+		},
+		{
+			Metadata: rosa.GetMetadata(2),
+			Version:  rosa.Std.Version(2),
+		},
+	})
+	checkWithSuffix("declarationAscending offset", "?limit=3&index=5&sort=0", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(5),
+			Version:  rosa.Std.Version(5),
+		},
+		{
+			Metadata: rosa.GetMetadata(6),
+			Version:  rosa.Std.Version(6),
+		},
+		{
+			Metadata: rosa.GetMetadata(7),
+			Version:  rosa.Std.Version(7),
+		},
+	})
+	checkWithSuffix("declarationDescending", "?limit=3&index=0&sort=1", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 1),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 1),
+		},
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 2),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 2),
+		},
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 3),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 3),
+		},
+	})
+	checkWithSuffix("declarationDescending offset", "?limit=1&index=37&sort=1", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 38),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 38),
+		},
+	})
+}

cmd/mbf/internal/pkgserver/index.go

@@ -0,0 +1,106 @@
+package pkgserver
+
+import (
+	"cmp"
+	"errors"
+	"slices"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+const (
+	declarationAscending = iota
+	declarationDescending
+	nameAscending
+	nameDescending
+	sizeAscending
+	sizeDescending
+
+	sortOrderEnd = iota - 1
+)
+
+// packageIndex refers to metadata by name and various sort orders.
+type packageIndex struct {
+	sorts  [sortOrderEnd + 1][rosa.PresetUnexportedStart]*metadata
+	names  map[string]*metadata
+	search searchCache
+	// Taken from [rosa.Report] if available.
+	handleAccess func(*error) func()
+}
+
+// metadata holds [rosa.Metadata] extended with additional information.
+type metadata struct {
+	p rosa.PArtifact
+	*rosa.Metadata
+
+	// Populated via [rosa.Toolchain.Version], [rosa.Unversioned] is equivalent
+	// to the zero value. Otherwise, the zero value is invalid.
+	Version string `json:"version,omitempty"`
+	// Output data size, available if present in report.
+	Size int64 `json:"size,omitempty"`
+	// Whether the underlying [pkg.Artifact] is present in the report.
+	HasReport bool `json:"report"`
+
+	// Ident string encoded ahead of time.
+	ids string
+	// Backed by [rosa.Report], access must be prepared by HandleAccess.
+	status []byte
+}
+
+// populate deterministically populates packageIndex, optionally with a report.
+func (index *packageIndex) populate(report *rosa.Report) (err error) {
+	if report != nil {
+		defer report.HandleAccess(&err)()
+		index.handleAccess = report.HandleAccess
+	}
+
+	var work [rosa.PresetUnexportedStart]*metadata
+	index.names = make(map[string]*metadata)
+	ir := pkg.NewIR()
+	for p := range rosa.PresetUnexportedStart {
+		m := metadata{
+			p: p,
+
+			Metadata: rosa.GetMetadata(p),
+			Version:  rosa.Std.Version(p),
+		}
+		if m.Version == "" {
+			return errors.New("invalid version from " + m.Name)
+		}
+		if m.Version == rosa.Unversioned {
+			m.Version = ""
+		}
+
+		if report != nil {
+			id := ir.Ident(rosa.Std.Load(p))
+			m.ids = pkg.Encode(id.Value())
+			m.status, m.Size = report.ArtifactOf(id)
+			m.HasReport = m.Size >= 0
+		}
+
+		work[p] = &m
+		index.names[m.Name] = &m
+	}
+
+	index.sorts[declarationAscending] = work
+	index.sorts[declarationDescending] = work
+	slices.Reverse(index.sorts[declarationDescending][:])
+
+	index.sorts[nameAscending] = work
+	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+	index.sorts[nameDescending] = index.sorts[nameAscending]
+	slices.Reverse(index.sorts[nameDescending][:])
+
+	index.sorts[sizeAscending] = work
+	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
+		return cmp.Compare(a.Size, b.Size)
+	})
+	index.sorts[sizeDescending] = index.sorts[sizeAscending]
+	slices.Reverse(index.sorts[sizeDescending][:])
+
+	return
+}

cmd/mbf/internal/pkgserver/index_test.go

@@ -0,0 +1,96 @@
+package pkgserver
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+// newIndex returns the address of a newly populated packageIndex.
+func newIndex(t *testing.T) *packageIndex {
+	t.Helper()
+
+	var index packageIndex
+	if err := index.populate(nil); err != nil {
+		t.Fatalf("populate: error = %v", err)
+	}
+	return &index
+}
+
+// checkStatus checks response status code.
+func checkStatus(t *testing.T, resp *http.Response, want int) {
+	t.Helper()
+
+	if resp.StatusCode != want {
+		t.Errorf(
+			"StatusCode: %s, want %s",
+			http.StatusText(resp.StatusCode),
+			http.StatusText(want),
+		)
+	}
+}
+
+// checkHeader checks the value of a header entry.
+func checkHeader(t *testing.T, h http.Header, key, want string) {
+	t.Helper()
+
+	if got := h.Get(key); got != want {
+		t.Errorf("%s: %q, want %q", key, got, want)
+	}
+}
+
+// checkAPIHeader checks common entries set for API endpoints.
+func checkAPIHeader(t *testing.T, h http.Header) {
+	t.Helper()
+
+	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
+	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
+	checkHeader(t, h, "Pragma", "no-cache")
+	checkHeader(t, h, "Expires", "0")
+}
+
+// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
+func checkPayloadFunc[T any](
+	t *testing.T,
+	resp *http.Response,
+	f func(got *T) bool,
+) {
+	t.Helper()
+
+	var got T
+	r := io.Reader(resp.Body)
+	if testing.Verbose() {
+		var buf bytes.Buffer
+		r = io.TeeReader(r, &buf)
+		defer func() { t.Helper(); t.Log(buf.String()) }()
+	}
+	if err := json.NewDecoder(r).Decode(&got); err != nil {
+		t.Fatalf("Decode: error = %v", err)
+	}
+
+	if !f(&got) {
+		t.Errorf("Body: %#v", got)
+	}
+}
+
+// checkPayload checks the JSON response of an API endpoint.
+func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
+	t.Helper()
+
+	checkPayloadFunc(t, resp, func(got *T) bool {
+		return reflect.DeepEqual(got, &want)
+	})
+}
+
+func checkError(t *testing.T, resp *http.Response, error string, code int) {
+	t.Helper()
+
+	checkStatus(t, resp, code)
+	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
+		t.Errorf("Body: %q, want %q", string(got), error)
+	}
+}

cmd/mbf/internal/pkgserver/search.go

@@ -0,0 +1,81 @@
+package pkgserver
+
+import (
+	"cmp"
+	"maps"
+	"regexp"
+	"slices"
+	"time"
+)
+
+type searchCache map[string]searchCacheEntry
+type searchResult struct {
+	NameIndices [][]int `json:"name_matches"`
+	DescIndices [][]int `json:"desc_matches,omitempty"`
+	Score       float64 `json:"score"`
+	*metadata
+}
+type searchCacheEntry struct {
+	query   string
+	results []searchResult
+	expiry  time.Time
+}
+
+func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
+	query := search
+	if desc {
+		query += ";withDesc"
+	}
+	entry, ok := index.search[query]
+	if ok && len(entry.results) > 0 {
+		return len(entry.results), entry.results[min(i, len(entry.results)-1):min(i+limit, len(entry.results))], nil
+	}
+
+	regex, err := regexp.Compile(search)
+	if err != nil {
+		return 0, make([]searchResult, 0), err
+	}
+	res := make([]searchResult, 0)
+	for p := range maps.Values(index.names) {
+		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
+		var descIndices [][]int = nil
+		if desc {
+			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
+		}
+		if nameIndices == nil && descIndices == nil {
+			continue
+		}
+		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
+		if desc {
+			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
+		}
+		res = append(res, searchResult{
+			NameIndices: nameIndices,
+			DescIndices: descIndices,
+			Score:       score,
+			metadata:    p,
+		})
+	}
+	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
+	expiry := time.Now().Add(1 * time.Minute)
+	entry = searchCacheEntry{
+		query:   search,
+		results: res,
+		expiry:  expiry,
+	}
+	index.search[query] = entry
+
+	return len(res), res[i:min(i+limit, len(entry.results))], nil
+}
+func (s *searchCache) clean() {
+	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
+		return v.expiry.Before(time.Now())
+	})
+}
+func indexsum(in [][]int) int {
+	sum := 0
+	for i := 0; i < len(in); i++ {
+		sum += in[i][1] - in[i][0]
+	}
+	return sum
+}

cmd/mbf/internal/pkgserver/ui/index.html

@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="style.css">
+    <title>Hakurei PkgServer</title>
+    <script src="index.js"></script>
+</head>
+<body>
+<h1>Hakurei PkgServer</h1>
+<div class="top-controls" id="top-controls-regular">
+    <p>Showing entries <span id="entry-counter"></span>.</p>
+    <span id="search-bar">
+        <label for="search">Search: </label>
+        <input type="text" name="search" id="search"/>
+        <button onclick="doSearch()">Find</button>
+        <label for="include-desc">Include descriptions: </label>
+        <input type="checkbox" name="include-desc" id="include-desc" checked/>
+    </span>
+    <div><label for="count">Entries per page: </label><select name="count" id="count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <div><label for="sort">Sort by: </label><select name="sort" id="sort">
+        <option value="0">Definition (ascending)</option>
+        <option value="1">Definition (descending)</option>
+        <option value="2">Name (ascending)</option>
+        <option value="3">Name (descending)</option>
+        <option value="4">Size (ascending)</option>
+        <option value="5">Size (descending)</option>
+    </select></div>
+</div>
+<div class="top-controls" id="search-top-controls" hidden>
+    <p>Showing search results <span id="search-entry-counter"></span> for query "<span id="search-query"></span>".</p>
+    <button onclick="exitSearch()">Back</button>
+    <div><label for="search-count">Entries per page: </label><select name="search-count" id="search-count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <p>Sorted by best match</p>
+</div>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<table id="pkg-list">
+    <tr><td>Loading...</td></tr>
+</table>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<footer>
+    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
+</footer>
+<script>main();</script>
+</body>
+</html>

cmd/mbf/internal/pkgserver/ui/index.ts

@@ -0,0 +1,331 @@
+interface PackageIndexEntry {
+    name: string
+    size?: number
+    description?: string
+    website?: string
+    version?: string
+    report?: boolean
+}
+
+function entryToHTML(entry: PackageIndexEntry | SearchResult): HTMLTableRowElement {
+    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
+    let s = entry.size != null && entry.size > 0 ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
+    let n: string
+    let d: string
+    if ('name_matches' in entry) {
+        n = `<h2>${nameMatches(entry as SearchResult)} ${v}</h2>`
+    } else {
+        n = `<h2>${escapeHtml(entry.name)} ${v}</h2>`
+    }
+    if ('desc_matches' in entry && STATE.getIncludeDescriptions()) {
+        d = descMatches(entry as SearchResult)
+    } else {
+        d = (entry as PackageIndexEntry).description != null ? `<p>${escapeHtml((entry as PackageIndexEntry).description)}</p>` : ""
+    }
+    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
+    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
+    let row = <HTMLTableRowElement>(document.createElement('tr'))
+    row.innerHTML = `<td>
+            ${n}
+            ${d}
+            ${s}
+            ${w}
+            ${r}
+        </td>`
+    return row
+}
+
+function nameMatches(sr: SearchResult): string {
+    return markMatches(sr.name, sr.name_matches)
+}
+
+function descMatches(sr: SearchResult): string {
+    return markMatches(sr.description!, sr.desc_matches)
+}
+
+function markMatches(str: string, indices: [number, number][]): string {
+    if (indices == null) {
+        return str
+    }
+    let out: string = ""
+    let j = 0
+    for (let i = 0; i < str.length; i++) {
+        if (j < indices.length) {
+            if (i === indices[j][0]) {
+                out += `<mark>${escapeHtmlChar(str[i])}`
+                continue
+            }
+            if (i === indices[j][1]) {
+                out += `</mark>${escapeHtmlChar(str[i])}`
+                j++
+                continue
+            }
+        }
+        out += escapeHtmlChar(str[i])
+    }
+    if (indices[j] !== undefined) {
+        out += "</mark>"
+    }
+    return out
+}
+
+function toByteSizeString(bytes: number): string {
+    if (bytes == null) return `unspecified`
+    if (bytes < 1024) return `${bytes}B`
+    if (bytes < Math.pow(1024, 2)) return `${(bytes / 1024).toFixed(2)}kiB`
+    if (bytes < Math.pow(1024, 3)) return `${(bytes / Math.pow(1024, 2)).toFixed(2)}MiB`
+    if (bytes < Math.pow(1024, 4)) return `${(bytes / Math.pow(1024, 3)).toFixed(2)}GiB`
+    if (bytes < Math.pow(1024, 5)) return `${(bytes / Math.pow(1024, 4)).toFixed(2)}TiB`
+    return "not only is it big, it's large"
+}
+
+const API_VERSION = 1
+const ENDPOINT = `/api/v${API_VERSION}`
+
+interface InfoPayload {
+    count?: number
+    hakurei_version?: string
+}
+
+async function infoRequest(): Promise<InfoPayload> {
+    const res = await fetch(`${ENDPOINT}/info`)
+    const payload = await res.json()
+    return payload as InfoPayload
+}
+
+interface GetPayload {
+    values?: PackageIndexEntry[]
+}
+
+enum SortOrders {
+    DeclarationAscending,
+    DeclarationDescending,
+    NameAscending,
+    NameDescending
+}
+
+async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
+    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
+    const payload = await res.json()
+    return payload as GetPayload
+}
+
+interface SearchResult extends PackageIndexEntry {
+    name_matches: [number, number][]
+    desc_matches: [number, number][]
+    score: number
+}
+
+interface SearchPayload {
+    count?: number
+    values?: SearchResult[]
+}
+
+async function searchRequest(limit: number, index: number, search: string, desc: boolean): Promise<SearchPayload> {
+    const res = await fetch(`${ENDPOINT}/search?limit=${limit}&index=${index}&search=${encodeURIComponent(search)}&desc=${desc}`)
+    if (!res.ok) {
+        exitSearch()
+        alert("invalid search query!")
+        return Promise.reject(res.statusText)
+    }
+    const payload = await res.json()
+    return payload as SearchPayload
+}
+
+class State {
+    entriesPerPage: number = 10
+    entryIndex: number = 0
+    maxTotal: number = 0
+    maxEntries: number = 0
+    sort: SortOrders = SortOrders.DeclarationAscending
+    search: boolean = false
+
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
+    }
+
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updatePage()
+        this.updateRange()
+        this.updateListings()
+    }
+
+    getMaxTotal(): number {
+        return this.maxTotal
+    }
+
+    setMaxTotal(max: number) {
+        this.maxTotal = max
+    }
+
+    getSortOrder(): SortOrders {
+        return this.sort
+    }
+
+    setSortOrder(sortOrder: SortOrders) {
+        this.sort = sortOrder
+        this.setEntryIndex(0)
+    }
+
+    updatePage() {
+        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
+        for (let e of document.getElementsByClassName("page-number")) {
+            (e as HTMLInputElement).value = String(page)
+        }
+    }
+
+    updateRange() {
+        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxTotal())
+        document.getElementById("entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxTotal()}`
+        if (this.search) {
+            document.getElementById("search-entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.maxTotal}/${this.maxEntries}`
+            document.getElementById("search-query")!.innerHTML = `<code>${escapeHtml(this.getSearchQuery())}</code>`
+        }
+    }
+
+    getSearchQuery(): string {
+        let queryString = document.getElementById("search")!;
+        return (queryString as HTMLInputElement).value
+    }
+
+    getIncludeDescriptions(): boolean {
+        let includeDesc = document.getElementById("include-desc")!;
+        return (includeDesc as HTMLInputElement).checked
+    }
+
+    updateListings() {
+        if (this.search) {
+            searchRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSearchQuery(), this.getIncludeDescriptions())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                    STATE.maxTotal = res.count!
+                    STATE.updateRange()
+                    if(res.count! < 1) {
+                        exitSearch()
+                        alert("no results found!")
+                    }
+                })
+        } else {
+            getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                })
+        }
+    }
+}
+
+let STATE: State
+
+
+function lastPageIndex(): number {
+    return Math.floor(STATE.getMaxTotal() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()
+}
+
+function setPage(page: number) {
+    STATE.setEntryIndex(Math.max(0, Math.min(STATE.getEntriesPerPage() * (page - 1), lastPageIndex())))
+}
+
+
+function escapeHtml(str?: string): string {
+    let out: string = ''
+    if (str == undefined) return ""
+    for (let i = 0; i < str.length; i++) {
+        out += escapeHtmlChar(str[i])
+    }
+    return out
+}
+
+function escapeHtmlChar(char: string): string {
+    if (char.length != 1) return char
+    switch (char[0]) {
+        case '&':
+            return "&amp;"
+        case '<':
+            return "&lt;"
+        case '>':
+            return "&gt;"
+        case '"':
+            return "&quot;"
+        case "'":
+            return "&apos;"
+        default:
+            return char
+    }
+}
+
+function firstPage() {
+    STATE.setEntryIndex(0)
+}
+
+function prevPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
+}
+
+function lastPage() {
+    STATE.setEntryIndex(lastPageIndex())
+}
+
+function nextPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.min(lastPageIndex(), index + STATE.getEntriesPerPage()))
+}
+
+function doSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = true;
+    STATE.setEntryIndex(0);
+}
+
+function exitSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = false;
+    STATE.setMaxTotal(STATE.maxEntries)
+    STATE.setEntryIndex(0)
+}
+
+function main() {
+    STATE = new State()
+    infoRequest()
+        .then(res => {
+            STATE.maxEntries = res.count!
+            STATE.setMaxTotal(STATE.maxEntries)
+            document.getElementById("hakurei-version")!.textContent = res.hakurei_version!
+            STATE.updateRange()
+            STATE.updateListings()
+        })
+    for (let e of document.getElementsByClassName("page-number")) {
+        e.addEventListener("change", (_) => {
+            setPage(parseInt((e as HTMLInputElement).value))
+        })
+    }
+    document.getElementById("count")?.addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("sort")?.addEventListener("change", (event) => {
+        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("search")?.addEventListener("keyup", (event) => {
+        if (event.key === 'Enter') doSearch()
+    })
+}

cmd/mbf/internal/pkgserver/ui/style.css

@@ -0,0 +1,21 @@
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+
+@media (prefers-color-scheme: dark) {
+  html {
+    background-color: #2c2c2c;
+    color: ghostwhite;
+  }
+}
+@media (prefers-color-scheme: light) {
+  html {
+    background-color: #d3d3d3;
+    color: black;
+  }
+}

cmd/mbf/internal/pkgserver/ui/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "compilerOptions": {
+    "target": "ES2024",
+    "strict": true,
+    "alwaysStrict": true,
+    "outDir": "static"
+  }
+}

cmd/mbf/internal/pkgserver/ui/ui.go

@@ -0,0 +1,9 @@
+// Package ui holds the static web UI.
+package ui
+
+import "net/http"
+
+// Register arranges for mux to serve the embedded frontend.
+func Register(mux *http.ServeMux) {
+	mux.Handle("GET /", http.FileServer(http.FS(static)))
+}

cmd/mbf/internal/pkgserver/ui/ui_full.go

@@ -0,0 +1,21 @@
+//go:build frontend
+
+package ui
+
+import (
+	"embed"
+	"io/fs"
+)
+
+//go:generate tsc
+//go:generate cp index.html style.css static
+//go:embed static
+var _static embed.FS
+
+var static = func() fs.FS {
+	if f, err := fs.Sub(_static, "static"); err != nil {
+		panic(err)
+	} else {
+		return f
+	}
+}()

cmd/mbf/internal/pkgserver/ui/ui_stub.go

@@ -0,0 +1,7 @@
+//go:build !frontend
+
+package ui
+
+import "testing/fstest"
+
+var static fstest.MapFS

cmd/mbf/main.go

@@ -14,16 +14,18 @@ package main
 
 import (
 	"context"
+	"crypto/sha512"
 	"errors"
 	"fmt"
 	"io"
 	"log"
+	"net"
+	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
 	"strconv"
-	"strings"
 	"sync"
 	"sync/atomic"
 	"syscall"
@@ -40,6 +42,9 @@ import (
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
+
+	"hakurei.app/cmd/mbf/internal/pkgserver"
+	"hakurei.app/cmd/mbf/internal/pkgserver/ui"
 )
 
 func main() {
@@ -53,77 +58,106 @@ func main() {
 		log.Fatal("this program must not run as root")
 	}
 
-	var cache *pkg.Cache
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
 	defer stop()
-	defer func() {
-		if cache != nil {
-			cache.Close()
-		}
 
-		if r := recover(); r != nil {
+	var cm cache
-			fmt.Println(r)
+	defer func() { cm.Close() }()
-			log.Fatal("consider scrubbing the on-disk cache")
-		}
-	}()
 
 	var (
 		flagQuiet bool
-		flagCures int
+		flagCheck bool
-		flagBase  string
+		flagLTO   bool
-		flagIdle  bool
 
-		flagHostAbstract bool
+		addr net.UnixAddr
 	)
-	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) error {
 		msg.SwapVerbose(!flagQuiet)
-
+		cm.ctx, cm.msg = ctx, msg
-		flagBase = os.ExpandEnv(flagBase)
+		cm.base = os.ExpandEnv(cm.base)
-		if flagBase == "" {
+		if cm.base == "" {
-			flagBase = "cache"
+			cm.base = "cache"
 		}
 
-		var base *check.Absolute
+		addr.Net = "unix"
-		if flagBase, err = filepath.Abs(flagBase); err != nil {
+		addr.Name = os.ExpandEnv(addr.Name)
-			return
+		if addr.Name == "" {
-		} else if base, err = check.NewAbs(flagBase); err != nil {
+			addr.Name = filepath.Join(cm.base, "daemon")
-			return
 		}
 
 		var flags int
-		if flagIdle {
+		if !flagCheck {
-			flags |= pkg.CSchedIdle
+			flags |= rosa.OptSkipCheck
 		}
-		if flagHostAbstract {
+		if !flagLTO {
-			flags |= pkg.CHostAbstract
+			flags |= rosa.OptLLVMNoLTO
 		}
-		cache, err = pkg.Open(ctx, msg, flags, flagCures, base)
+		rosa.DropCaches(flags)
 
-		return
+		return nil
 	}).Flag(
 		&flagQuiet,
 		"q", command.BoolFlag(false),
 		"Do not print cure messages",
 	).Flag(
-		&flagCures,
+		&flagLTO,
+		"lto", command.BoolFlag(false),
+		"Enable LTO in stage2 and stage3 LLVM toolchains",
+	).Flag(
+		&flagCheck,
+		"check", command.BoolFlag(true),
+		"Run test suites",
+	).Flag(
+		&cm.cures,
 		"cures", command.IntFlag(0),
 		"Maximum number of dependencies to cure at any given time",
 	).Flag(
-		&flagBase,
+		&cm.jobs,
+		"jobs", command.IntFlag(0),
+		"Preferred number of jobs to run, when applicable",
+	).Flag(
+		&cm.base,
 		"d", command.StringFlag("$MBF_CACHE_DIR"),
 		"Directory to store cured artifacts",
 	).Flag(
-		&flagIdle,
+		&cm.idle,
 		"sched-idle", command.BoolFlag(false),
 		"Set SCHED_IDLE scheduling policy",
 	).Flag(
-		&flagHostAbstract,
+		&cm.hostAbstract,
 		"host-abstract", command.BoolFlag(
 			os.Getenv("MBF_HOST_ABSTRACT") != "",
 		),
 		"Do not restrict networked cure containers from connecting to host "+
 			"abstract UNIX sockets",
+	).Flag(
+		&addr.Name,
+		"socket", command.StringFlag("$MBF_DAEMON_SOCKET"),
+		"Pathname of socket to bind to",
+	)
+
+	c.NewCommand(
+		"checksum", "Compute checksum of data read from standard input",
+		func([]string) error {
+			done := make(chan struct{})
+			defer close(done)
+			go func() {
+				select {
+				case <-ctx.Done():
+					os.Exit(1)
+				case <-done:
+					return
+				}
+			}()
+
+			h := sha512.New384()
+			if _, err := io.Copy(h, os.Stdin); err != nil {
+				return err
+			}
+			log.Println(pkg.Encode(pkg.Checksum(h.Sum(nil))))
+			return nil
+		},
 	)
 
 	{
@@ -137,7 +171,9 @@ func main() {
 				if flagShifts < 0 || flagShifts > 31 {
 					flagShifts = 12
 				}
+				return cm.Do(func(cache *pkg.Cache) error {
 					return cache.Scrub(runtime.NumCPU() << flagShifts)
+				})
 			},
 		).Flag(
 			&flagShifts,
@@ -148,6 +184,7 @@ func main() {
 
 	{
 		var (
+			flagBind   string
 			flagStatus bool
 			flagReport string
 		)
@@ -155,9 +192,7 @@ func main() {
 			"info",
 			"Display out-of-band metadata of an artifact",
 			func(args []string) (err error) {
-				if len(args) == 0 {
+				const shutdownTimeout = 15 * time.Second
-					return errors.New("info requires at least 1 argument")
-				}
 
 				var r *rosa.Report
 				if flagReport != "" {
@@ -172,84 +207,42 @@ func main() {
 					defer r.HandleAccess(&err)()
 				}
 
-				for i, name := range args {
+				if flagBind == "" {
-					if p, ok := rosa.ResolveName(name); !ok {
+					return commandInfo(&cm, args, os.Stdout, flagStatus, r)
-						return fmt.Errorf("unknown artifact %q", name)
-					} else {
-						var suffix string
-						if version := rosa.Std.Version(p); version != rosa.Unversioned {
-							suffix += "-" + version
-						}
-						fmt.Println("name        : " + name + suffix)
-
-						meta := rosa.GetMetadata(p)
-						fmt.Println("description : " + meta.Description)
-						if meta.Website != "" {
-							fmt.Println("website     : " +
-								strings.TrimSuffix(meta.Website, "/"))
-						}
-						if len(meta.Dependencies) > 0 {
-							fmt.Print("depends on  :")
-							for _, d := range meta.Dependencies {
-								s := rosa.GetMetadata(d).Name
-								if version := rosa.Std.Version(d); version != rosa.Unversioned {
-									s += "-" + version
-								}
-								fmt.Print(" " + s)
-							}
-							fmt.Println()
 				}
 
-						const statusPrefix = "status      : "
+				var mux http.ServeMux
-						if flagStatus {
+				ui.Register(&mux)
-							if r == nil {
+				if err = pkgserver.Register(ctx, &mux, r); err != nil {
-								var f io.ReadSeekCloser
-								f, err = cache.OpenStatus(rosa.Std.Load(p))
-								if err != nil {
-									if errors.Is(err, os.ErrNotExist) {
-										fmt.Println(
-											statusPrefix + "not yet cured",
-										)
-									} else {
 					return
 				}
-								} else {
-									fmt.Print(statusPrefix)
-									_, err = io.Copy(os.Stdout, f)
-									if err = errors.Join(err, f.Close()); err != nil {
-										return
-									}
-								}
-							} else {
-								status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
-								if status == nil {
-									fmt.Println(
-										statusPrefix + "not in report",
-									)
-								} else {
-									fmt.Println("size        :", n)
-									fmt.Print(statusPrefix)
-									if _, err = os.Stdout.Write(status); err != nil {
-										return
-									}
-								}
-							}
-						}
 
-						if i != len(args)-1 {
+				server := http.Server{Addr: flagBind, Handler: &mux}
-							fmt.Println()
+				go func() {
+					<-ctx.Done()
+					cc, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+					defer cancel()
+					if _err := server.Shutdown(cc); _err != nil {
+						log.Fatal(_err)
 					}
+				}()
+
+				msg.Verbosef("listening on %q", flagBind)
+				err = server.ListenAndServe()
+				if errors.Is(err, http.ErrServerClosed) {
+					err = nil
 				}
-				}
+				return
-				return nil
 			},
-		).
+		).Flag(
-			Flag(
+			&flagBind,
+			"bind", command.StringFlag(""),
+			"TCP address for the server to listen on",
+		).Flag(
 			&flagStatus,
 			"status", command.BoolFlag(false),
 			"Display cure status if available",
-			).
+		).Flag(
-			Flag(
 			&flagReport,
 			"report", command.StringFlag(""),
 			"Load cure status from this report file instead of cache",
@@ -287,7 +280,9 @@ func main() {
 			if ext.Isatty(int(w.Fd())) {
 				return errors.New("output appears to be a terminal")
 			}
+			return cm.Do(func(cache *pkg.Cache) error {
 				return rosa.WriteReport(msg, w, cache)
+			})
 		},
 	)
 
@@ -350,14 +345,26 @@ func main() {
 					" package(s) are out of date"))
 			}
 			return errors.Join(errs...)
-		}).
+		}).Flag(
-			Flag(
 			&flagJobs,
 			"j", command.IntFlag(32),
 			"Maximum number of simultaneous connections",
 		)
 	}
 
+	c.NewCommand(
+		"daemon",
+		"Service artifact IR with Rosa OS extensions",
+		func(args []string) error {
+			ul, err := net.ListenUnix("unix", &addr)
+			if err != nil {
+				return err
+			}
+			log.Printf("listening on pathname socket at %s", addr.Name)
+			return serve(ctx, log.Default(), &cm, ul)
+		},
+	)
+
 	{
 		var (
 			flagGentoo   string
@@ -382,25 +389,37 @@ func main() {
 					rosa.SetGentooStage3(flagGentoo, checksum)
 				}
 
-				_, _, _, stage1 := (t - 2).NewLLVM()
-				_, _, _, stage2 := (t - 1).NewLLVM()
-				_, _, _, stage3 := t.NewLLVM()
 				var (
 					pathname *check.Absolute
 					checksum [2]unique.Handle[pkg.Checksum]
 				)
 
-				if pathname, _, err = cache.Cure(stage1); err != nil {
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					return err
+					pathname, _, err = cache.Cure(
+						(t - 2).Load(rosa.LLVM),
+					)
+					return
+				}); err != nil {
+					return
 				}
 				log.Println("stage1:", pathname)
 
-				if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					return err
+					pathname, checksum[0], err = cache.Cure(
+						(t - 1).Load(rosa.LLVM),
+					)
+					return
+				}); err != nil {
+					return
 				}
 				log.Println("stage2:", pathname)
-				if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					return err
+					pathname, checksum[1], err = cache.Cure(
+						t.Load(rosa.LLVM),
+					)
+					return
+				}); err != nil {
+					return
 				}
 				log.Println("stage3:", pathname)
 
@@ -417,28 +436,28 @@ func main() {
 				}
 
 				if flagStage0 {
-					if pathname, _, err = cache.Cure(
+					if err = cm.Do(func(cache *pkg.Cache) (err error) {
+						pathname, _, err = cache.Cure(
 							t.Load(rosa.Stage0),
-					); err != nil {
+						)
-						return err
+						return
+					}); err != nil {
+						return
 					}
 					log.Println(pathname)
 				}
 
 				return
 			},
-		).
+		).Flag(
-			Flag(
 			&flagGentoo,
 			"gentoo", command.StringFlag(""),
 			"Bootstrap from a Gentoo stage3 tarball",
-			).
+		).Flag(
-			Flag(
 			&flagChecksum,
 			"checksum", command.StringFlag(""),
 			"Checksum of Gentoo stage3 tarball",
-			).
+		).Flag(
-			Flag(
 			&flagStage0,
 			"stage0", command.BoolFlag(false),
 			"Create bootstrap stage0 tarball",
@@ -450,6 +469,11 @@ func main() {
 			flagDump    string
 			flagEnter   bool
 			flagExport  string
+			flagRemote  bool
+			flagNoReply bool
+
+			flagBoot bool
+			flagStd  bool
 		)
 		c.NewCommand(
 			"cure",
@@ -463,9 +487,20 @@ func main() {
 					return fmt.Errorf("unknown artifact %q", args[0])
 				}
 
+				t := rosa.Std
+				if flagBoot {
+					t -= 2
+				} else if flagStd {
+					t -= 1
+				}
+
 				switch {
 				default:
-					pathname, _, err := cache.Cure(rosa.Std.Load(p))
+					var pathname *check.Absolute
+					err := cm.Do(func(cache *pkg.Cache) (err error) {
+						pathname, _, err = cache.Cure(t.Load(p))
+						return
+					})
 					if err != nil {
 						return err
 					}
@@ -505,7 +540,7 @@ func main() {
 						return err
 					}
 
-					if err = cache.EncodeAll(f, rosa.Std.Load(p)); err != nil {
+					if err = pkg.NewIR().EncodeAll(f, rosa.Std.Load(p)); err != nil {
 						_ = f.Close()
 						return err
 					}
@@ -513,33 +548,76 @@ func main() {
 					return f.Close()
 
 				case flagEnter:
+					return cm.Do(func(cache *pkg.Cache) error {
 						return cache.EnterExec(
 							ctx,
-						rosa.Std.Load(p),
+							t.Load(p),
 							true, os.Stdin, os.Stdout, os.Stderr,
 							rosa.AbsSystem.Append("bin", "mksh"),
 							"sh",
 						)
+					})
+
+				case flagRemote:
+					var flags uint64
+					if flagNoReply {
+						flags |= remoteNoReply
+					}
+					a := t.Load(p)
+					pathname, err := cureRemote(ctx, &addr, a, flags)
+					if !flagNoReply && err == nil {
+						log.Println(pathname)
+					}
+
+					if errors.Is(err, context.Canceled) {
+						cc, cancel := context.WithDeadline(context.Background(), daemonDeadline())
+						defer cancel()
+
+						if _err := cancelRemote(cc, &addr, a, false); _err != nil {
+							log.Println(err)
+						}
+					}
+
+					return err
 				}
 			},
-		).
+		).Flag(
-			Flag(
 			&flagDump,
 			"dump", command.StringFlag(""),
 			"Write IR to specified pathname and terminate",
-			).
+		).Flag(
-			Flag(
 			&flagExport,
 			"export", command.StringFlag(""),
 			"Export cured artifact to specified pathname",
-			).
+		).Flag(
-			Flag(
 			&flagEnter,
 			"enter", command.BoolFlag(false),
 			"Enter cure container with an interactive shell",
+		).Flag(
+			&flagRemote,
+			"daemon", command.BoolFlag(false),
+			"Cure artifact on the daemon",
+		).Flag(
+			&flagNoReply,
+			"no-reply", command.BoolFlag(false),
+			"Do not receive a reply from the daemon",
+		).Flag(
+			&flagBoot,
+			"boot", command.BoolFlag(false),
+			"Build on the stage0 toolchain",
+		).Flag(
+			&flagStd,
+			"std", command.BoolFlag(false),
+			"Build on the intermediate toolchain",
 		)
 	}
 
+	c.NewCommand(
+		"abort",
+		"Abort all pending cures on the daemon",
+		func([]string) error { return abortRemote(ctx, &addr, false) },
+	)
+
 	{
 		var (
 			flagNet     bool
@@ -551,7 +629,7 @@ func main() {
 			"shell",
 			"Interactive shell in the specified Rosa OS environment",
 			func(args []string) error {
-				presets := make([]rosa.PArtifact, len(args))
+				presets := make([]rosa.PArtifact, len(args)+3)
 				for i, arg := range args {
 					p, ok := rosa.ResolveName(arg)
 					if !ok {
@@ -559,21 +637,24 @@ func main() {
 					}
 					presets[i] = p
 				}
+
+				base := rosa.LLVM
+				if !flagWithToolchain {
+					base = rosa.Musl
+				}
+				presets = append(presets,
+					base,
+					rosa.Mksh,
+					rosa.Toybox,
+				)
+
 				root := make(pkg.Collect, 0, 6+len(args))
 				root = rosa.Std.AppendPresets(root, presets...)
 
-				if flagWithToolchain {
+				if err := cm.Do(func(cache *pkg.Cache) error {
-					musl, compilerRT, runtimes, clang := (rosa.Std - 1).NewLLVM()
+					_, _, err := cache.Cure(&root)
-					root = append(root, musl, compilerRT, runtimes, clang)
+					return err
-				} else {
+				}); err == nil {
-					root = append(root, rosa.Std.Load(rosa.Musl))
-				}
-				root = append(root,
-					rosa.Std.Load(rosa.Mksh),
-					rosa.Std.Load(rosa.Toybox),
-				)
-
-				if _, _, err := cache.Cure(&root); err == nil {
 					return errors.New("unreachable")
 				} else if !pkg.IsCollected(err) {
 					return err
@@ -585,11 +666,22 @@ func main() {
 				}
 				cured := make(map[pkg.Artifact]cureRes)
 				for _, a := range root {
+					if err := cm.Do(func(cache *pkg.Cache) error {
 						pathname, checksum, err := cache.Cure(a)
-					if err != nil {
+						if err == nil {
+							cured[a] = cureRes{pathname, checksum}
+						}
+						return err
+					}); err != nil {
+						return err
+					}
+				}
+
+				// explicitly open for direct error-free use from this point
+				if cm.c == nil {
+					if err := cm.open(); err != nil {
 						return err
 					}
-					cured[a] = cureRes{pathname, checksum}
 				}
 
 				layers := pkg.PromoteLayers(root, func(a pkg.Artifact) (
@@ -599,7 +691,7 @@ func main() {
 					res := cured[a]
 					return res.pathname, res.checksum
 				}, func(i int, d pkg.Artifact) {
-					r := pkg.Encode(cache.Ident(d).Value())
+					r := pkg.Encode(cm.c.Ident(d).Value())
 					if s, ok := d.(fmt.Stringer); ok {
 						if name := s.String(); name != "" {
 							r += "-" + name
@@ -663,18 +755,15 @@ func main() {
 				}
 				return z.Wait()
 			},
-		).
+		).Flag(
-			Flag(
 			&flagNet,
 			"net", command.BoolFlag(false),
 			"Share host net namespace",
-			).
+		).Flag(
-			Flag(
 			&flagSession,
 			"session", command.BoolFlag(true),
 			"Retain session",
-			).
+		).Flag(
-			Flag(
 			&flagWithToolchain,
 			"with-toolchain", command.BoolFlag(false),
 			"Include the stage2 LLVM toolchain",
@@ -689,9 +778,7 @@ func main() {
 	)
 
 	c.MustParse(os.Args[1:], func(err error) {
-		if cache != nil {
+		cm.Close()
-			cache.Close()
-		}
 		if w, ok := err.(interface{ Unwrap() []error }); !ok {
 			log.Fatal(err)
 		} else {

cmd/mbf/main_test.go

@@ -0,0 +1,47 @@
+package main
+
+import (
+	"net"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/rosa"
+)
+
+func TestMain(m *testing.M) {
+	rosa.DropCaches(rosa.OptLLVMNoLTO)
+	os.Exit(m.Run())
+}
+
+func TestCureAll(t *testing.T) {
+	t.Parallel()
+	const env = "ROSA_TEST_DAEMON"
+
+	if !testing.Verbose() {
+		t.Skip("verbose flag not set")
+	}
+
+	pathname, ok := os.LookupEnv(env)
+	if !ok {
+		t.Skip(env + " not set")
+	}
+
+	addr := net.UnixAddr{Net: "unix", Name: pathname}
+	t.Cleanup(func() {
+		if t.Failed() {
+			if err := abortRemote(t.Context(), &addr, false); err != nil {
+				t.Fatal(err)
+			}
+		}
+	})
+
+	for i := range rosa.PresetEnd {
+		p := rosa.PArtifact(i)
+		t.Run(rosa.GetMetadata(p).Name, func(t *testing.T) {
+			_, err := cureRemote(t.Context(), &addr, rosa.Std.Load(p), 0)
+			if err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}

container/container.go

@@ -21,6 +21,7 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )
 
@@ -307,7 +308,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := SetNoNewPrivs(); err != nil {
+			if err := setNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
@@ -317,12 +318,14 @@ func (p *Container) Start() error {
 
 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
+				rulesetAttr := &landlock.RulesetAttr{
+					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
+				}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}
 
-				if abi, err := LandlockGetABI(); err != nil {
+				if abi, err := landlock.GetABI(); err != nil {
 					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
 						// to resources already covered by namespaces (pid, net)
@@ -351,7 +354,7 @@ func (p *Container) Start() error {
 					}
 				} else {
 					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
-					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
+					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
 							Fatal: true,

container/container_test.go

@@ -16,6 +16,7 @@ import (
 	"strings"
 	"syscall"
 	"testing"
+	_ "unsafe" // for go:linkname
 
 	"hakurei.app/check"
 	"hakurei.app/command"
@@ -26,6 +27,7 @@ import (
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
@@ -232,6 +234,9 @@ func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*v
 	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
 }
 
+//go:linkname toHost hakurei.app/container.toHost
+func toHost(name string) string
+
 var containerTestCases = []struct {
 	name    string
 	filter  bool
@@ -331,13 +336,15 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"rw,lowerdir="+
+					"rw"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
+						",lowerdir+="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",upperdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("upper")).(*check.Absolute).String())+
 						",workdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("work")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
@@ -387,9 +394,11 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"ro,lowerdir="+
+					"ro"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
+						",lowerdir+="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
@@ -456,7 +465,7 @@ func TestContainer(t *testing.T) {
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
 			if info.CanDegrade {
-				if _, err := container.LandlockGetABI(); err != nil {
+				if _, err := landlock.GetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
 						t.Fatalf("LandlockGetABI: error = %v", err)
 					}

container/dispatcher.go

@@ -65,6 +65,8 @@ type syscallDispatcher interface {
 	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
+	// mountOverlay provides mountOverlay.
+	mountOverlay(target string, options [][2]string) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
@@ -148,7 +150,7 @@ func (direct) lockOSThread() { runtime.LockOSThread() }
 
 func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }
+func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }
 
 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
@@ -169,6 +171,9 @@ func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	return mountTmpfs(k, fsname, target, flags, size, perm)
 }
+func (k direct) mountOverlay(target string, options [][2]string) error {
+	return mountOverlay(target, options)
+}
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }

container/dispatcher_test.go

@@ -468,6 +468,14 @@ func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 		stub.CheckArg(k.Stub, "perm", perm, 4))
 }
 
+func (k *kstub) mountOverlay(target string, options [][2]string) error {
+	k.Helper()
+	return k.Expects("mountOverlay").Error(
+		stub.CheckArg(k.Stub, "target", target, 0),
+		stub.CheckArgReflect(k.Stub, "options", options, 1),
+	)
+}
+
 func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 	k.Helper()
 	return k.Expects("ensureFile").Error(

container/errors.go

@@ -118,6 +118,10 @@ func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {
 
 // mount wraps syscall.Mount for error handling.
 func mount(source, target, fstype string, flags uintptr, data string) error {
+	if max(len(source), len(target), len(data))+1 > os.Getpagesize() {
+		return &MountError{source, target, fstype, flags, data, syscall.ENOMEM}
+	}
+
 	err := syscall.Mount(source, target, fstype, flags, data)
 	if err == nil {
 		return nil

container/initoverlay.go

@@ -4,9 +4,9 @@ import (
 	"encoding/gob"
 	"fmt"
 	"slices"
-	"strings"
 
 	"hakurei.app/check"
+	"hakurei.app/ext"
 	"hakurei.app/fhs"
 )
 
@@ -150,7 +150,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
 				return err
 			} else {
-				o.upper = check.EscapeOverlayDataSegment(toHost(v))
+				o.upper = toHost(v)
 			}
 		}
 
@@ -158,7 +158,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
 				return err
 			} else {
-				o.work = check.EscapeOverlayDataSegment(toHost(v))
+				o.work = toHost(v)
 			}
 		}
 	}
@@ -168,12 +168,39 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 		if v, err := k.evalSymlinks(a.String()); err != nil {
 			return err
 		} else {
-			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
+			o.lower[i] = toHost(v)
 		}
 	}
 	return nil
 }
 
+// mountOverlay sets up an overlay mount via [ext.FS].
+func mountOverlay(target string, options [][2]string) error {
+	fs, err := ext.OpenFS(SourceOverlay, 0)
+	if err != nil {
+		return err
+	}
+	if err = fs.SetString("source", SourceOverlay); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	for _, option := range options {
+		if err = fs.SetString(option[0], option[1]); err != nil {
+			_ = fs.Close()
+			return err
+		}
+	}
+	if err = fs.SetFlag(OptionOverlayUserxattr); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	if err = fs.Mount(target, 0); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	return fs.Close()
+}
+
 func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	target := o.Target.String()
 	if !o.noPrefix {
@@ -194,7 +221,7 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}
 
-	options := make([]string, 0, 4)
+	options := make([][2]string, 0, 2+len(o.lower))
 
 	if o.upper == zeroString && o.work == zeroString { // readonly
 		if len(o.Lower) < 2 {
@@ -205,15 +232,16 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		if len(o.Lower) == 0 {
 			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
 		}
-		options = append(options,
+		options = append(options, [][2]string{
-			OptionOverlayUpperdir+"="+o.upper,
+			{OptionOverlayUpperdir, o.upper},
-			OptionOverlayWorkdir+"="+o.work)
+			{OptionOverlayWorkdir, o.work},
+		}...)
+	}
+	for _, lower := range o.lower {
+		options = append(options, [2]string{OptionOverlayLowerdir + "+", lower})
 	}
-	options = append(options,
-		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
-		OptionOverlayUserxattr)
 
-	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
+	return k.mountOverlay(target, options)
 }
 
 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }

container/initoverlay_test.go

@@ -97,13 +97,12 @@ func TestMountOverlayOp(t *testing.T) {
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
+			call("mountOverlay", stub.ExpectArgs{"/sysroot", [][2]string{
-				"upperdir=overlay.upper.32768," +
+				{"upperdir", "overlay.upper.32768"},
-				"workdir=overlay.work.32768," +
+				{"workdir", "overlay.work.32768"},
-				"lowerdir=" +
+				{"lowerdir+", `/host/var/lib/planterette/base/debian:f92c9052`},
-				`/host/var/lib/planterette/base/debian\:f92c9052:` +
+				{"lowerdir+", `/host/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052`},
-				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
+			}}, nil, nil),
-				"userxattr"}, nil, nil),
 		}, nil},
 
 		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -129,11 +128,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
+			call("mountOverlay", stub.ExpectArgs{"/nix/store", [][2]string{
-				"lowerdir=" +
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
-				"/host/mnt-root/nix/.ro-store:" +
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
-				"/host/mnt-root/nix/.ro-store0," +
+			}}, nil, nil),
-				"userxattr"}, nil, nil),
 		}, nil},
 
 		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -147,11 +145,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
-				"lowerdir=" +
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
-				"/host/mnt-root/nix/.ro-store:" +
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
-				"/host/mnt-root/nix/.ro-store0," +
+			}}, nil, nil),
-				"userxattr"}, nil, nil),
 		}, nil},
 
 		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -219,7 +216,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+			}}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 
 		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -233,11 +234,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
-				"lowerdir=/host/mnt-root/nix/ro-store," +
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
-				"userxattr"}, nil, nil),
+			}}, nil, nil),
 		}, nil},
 
 		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -261,16 +262,15 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
-				"lowerdir=" +
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
-				"/host/mnt-root/nix/ro-store:" +
+				{"lowerdir+", "/host/mnt-root/nix/ro-store0"},
-				"/host/mnt-root/nix/ro-store0:" +
+				{"lowerdir+", "/host/mnt-root/nix/ro-store1"},
-				"/host/mnt-root/nix/ro-store1:" +
+				{"lowerdir+", "/host/mnt-root/nix/ro-store2"},
-				"/host/mnt-root/nix/ro-store2:" +
+				{"lowerdir+", "/host/mnt-root/nix/ro-store3"},
-				"/host/mnt-root/nix/ro-store3," +
+			}}, nil, nil),
-				"userxattr"}, nil, nil),
 		}, nil},
 	})
 

container/landlock_test.go

@@ -1,65 +0,0 @@
-package container_test
-
-import (
-	"testing"
-	"unsafe"
-
-	"hakurei.app/container"
-)
-
-func TestLandlockString(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name        string
-		rulesetAttr *container.RulesetAttr
-		want        string
-	}{
-		{"nil", nil, "NULL"},
-		{"zero", new(container.RulesetAttr), "0"},
-		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
-		{"set", &container.RulesetAttr{
-			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
-			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
-		{"all", &container.RulesetAttr{
-			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
-				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_FILE |
-				container.LANDLOCK_ACCESS_FS_READ_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
-				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
-				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
-				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
-				container.LANDLOCK_ACCESS_FS_MAKE_REG |
-				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
-				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
-				container.LANDLOCK_ACCESS_FS_REFER |
-				container.LANDLOCK_ACCESS_FS_TRUNCATE |
-				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
-			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
-				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
-			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
-				container.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if got := tc.rulesetAttr.String(); got != tc.want {
-				t.Errorf("String: %s, want %s", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestLandlockAttrSize(t *testing.T) {
-	t.Parallel()
-	want := 24
-	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
-		t.Errorf("Sizeof: %d, want %d", got, want)
-	}
-}

container/path_test.go

@@ -10,7 +10,6 @@ import (
 	"testing"
 	"unsafe"
 
-	"hakurei.app/check"
 	"hakurei.app/vfs"
 )
 
@@ -50,9 +49,6 @@ func TestToHost(t *testing.T) {
 	}
 }
 
-// InternalToHostOvlEscape exports toHost passed to [check.EscapeOverlayDataSegment].
-func InternalToHostOvlEscape(s string) string { return check.EscapeOverlayDataSegment(toHost(s)) }
-
 func TestCreateFile(t *testing.T) {
 	t.Run("nonexistent", func(t *testing.T) {
 		t.Run("mkdir", func(t *testing.T) {

container/syscall.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/ext"
 )
 
-// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
+// setNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error {
+func setNoNewPrivs() error {
 	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }
 

ext/fs.go

@@ -0,0 +1,267 @@
+package ext
+
+import (
+	"os"
+	"runtime"
+	"syscall"
+	"unsafe"
+)
+
+// include/uapi/linux/mount.h
+
+/*
+ * move_mount() flags.
+ */
+const (
+	MOVE_MOUNT_F_SYMLINKS   = 1 << iota /* Follow symlinks on from path */
+	MOVE_MOUNT_F_AUTOMOUNTS             /* Follow automounts on from path */
+	MOVE_MOUNT_F_EMPTY_PATH             /* Empty from path permitted */
+	_
+	MOVE_MOUNT_T_SYMLINKS   /* Follow symlinks on to path */
+	MOVE_MOUNT_T_AUTOMOUNTS /* Follow automounts on to path */
+	MOVE_MOUNT_T_EMPTY_PATH /* Empty to path permitted */
+	_
+	MOVE_MOUNT_SET_GROUP /* Set sharing group instead */
+	MOVE_MOUNT_BENEATH   /* Mount beneath top mount */
+)
+
+/*
+ * fsopen() flags.
+ */
+const (
+	FSOPEN_CLOEXEC = 1 << iota
+)
+
+/*
+ * fspick() flags.
+ */
+const (
+	FSPICK_CLOEXEC = 1 << iota
+	FSPICK_SYMLINK_NOFOLLOW
+	FSPICK_NO_AUTOMOUNT
+	FSPICK_EMPTY_PATH
+)
+
+/*
+ * The type of fsconfig() call made.
+ */
+const (
+	FSCONFIG_SET_FLAG        = iota /* Set parameter, supplying no value */
+	FSCONFIG_SET_STRING             /* Set parameter, supplying a string value */
+	FSCONFIG_SET_BINARY             /* Set parameter, supplying a binary blob value */
+	FSCONFIG_SET_PATH               /* Set parameter, supplying an object by path */
+	FSCONFIG_SET_PATH_EMPTY         /* Set parameter, supplying an object by (empty) path */
+	FSCONFIG_SET_FD                 /* Set parameter, supplying an object by fd */
+	FSCONFIG_CMD_CREATE             /* Create new or reuse existing superblock */
+	FSCONFIG_CMD_RECONFIGURE        /* Invoke superblock reconfiguration */
+	FSCONFIG_CMD_CREATE_EXCL        /* Create new superblock, fail if reusing existing superblock */
+)
+
+/*
+ * fsmount() flags.
+ */
+const (
+	FSMOUNT_CLOEXEC = 1 << iota
+)
+
+/*
+ * Mount attributes.
+ */
+const (
+	MOUNT_ATTR_RDONLY      = 0x00000001 /* Mount read-only */
+	MOUNT_ATTR_NOSUID      = 0x00000002 /* Ignore suid and sgid bits */
+	MOUNT_ATTR_NODEV       = 0x00000004 /* Disallow access to device special files */
+	MOUNT_ATTR_NOEXEC      = 0x00000008 /* Disallow program execution */
+	MOUNT_ATTR__ATIME      = 0x00000070 /* Setting on how atime should be updated */
+	MOUNT_ATTR_RELATIME    = 0x00000000 /* - Update atime relative to mtime/ctime. */
+	MOUNT_ATTR_NOATIME     = 0x00000010 /* - Do not update access times. */
+	MOUNT_ATTR_STRICTATIME = 0x00000020 /* - Always perform atime updates */
+	MOUNT_ATTR_NODIRATIME  = 0x00000080 /* Do not update directory access times */
+	MOUNT_ATTR_IDMAP       = 0x00100000 /* Idmap mount to @userns_fd in struct mount_attr. */
+	MOUNT_ATTR_NOSYMFOLLOW = 0x00200000 /* Do not follow symlinks */
+)
+
+// FS provides low-level wrappers around the suite of file-descriptor-based
+// mount facilities in Linux.
+type FS struct {
+	fd uintptr
+	c  runtime.Cleanup
+}
+
+// newFS allocates a new [FS] for the specified fd.
+func newFS(fd uintptr) *FS {
+	fs := FS{fd: fd}
+	fs.c = runtime.AddCleanup(&fs, func(fd uintptr) {
+		_ = syscall.Close(int(fd))
+	}, fd)
+	return &fs
+}
+
+// Close closes the underlying filesystem context.
+func (fs *FS) Close() error {
+	if fs == nil {
+		return syscall.EINVAL
+	}
+	err := syscall.Close(int(fs.fd))
+	fs.c.Stop()
+	return err
+}
+
+// OpenFS creates a new filesystem context.
+func OpenFS(fsname string, flags int) (fs *FS, err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(fsname)
+	if err != nil {
+		return
+	}
+	fd, _, errno := syscall.Syscall(
+		SYS_FSOPEN,
+		uintptr(unsafe.Pointer(s)),
+		uintptr(flags|FSOPEN_CLOEXEC),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fsopen", errno)
+	} else {
+		fs = newFS(fd)
+	}
+	return
+}
+
+// PickFS selects filesystem for reconfiguration.
+func PickFS(dirfd int, pathname string, flags int) (fs *FS, err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(pathname)
+	if err != nil {
+		return
+	}
+	fd, _, errno := syscall.Syscall(
+		SYS_FSPICK,
+		uintptr(dirfd),
+		uintptr(unsafe.Pointer(s)),
+		uintptr(flags|FSPICK_CLOEXEC),
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fspick", errno)
+	} else {
+		fs = newFS(fd)
+	}
+	return
+}
+
+// config configures new or existing filesystem context.
+func (fs *FS) config(cmd uint, key *byte, value unsafe.Pointer, aux int) (err error) {
+	_, _, errno := syscall.Syscall6(
+		SYS_FSCONFIG,
+		fs.fd,
+		uintptr(cmd),
+		uintptr(unsafe.Pointer(key)),
+		uintptr(value),
+		uintptr(aux),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fsconfig", errno)
+	}
+	return
+}
+
+// SetFlag sets the flag parameter named by key. ([FSCONFIG_SET_FLAG])
+func (fs *FS) SetFlag(key string) (err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(key)
+	if err != nil {
+		return
+	}
+
+	return fs.config(FSCONFIG_SET_FLAG, s, nil, 0)
+}
+
+// SetString sets the string parameter named by key to the value specified by
+// value. ([FSCONFIG_SET_STRING])
+func (fs *FS) SetString(key, value string) (err error) {
+	var s0 *byte
+	s0, err = syscall.BytePtrFromString(key)
+	if err != nil {
+		return
+	}
+
+	var s1 *byte
+	s1, err = syscall.BytePtrFromString(value)
+	if err != nil {
+		return
+	}
+
+	return fs.config(FSCONFIG_SET_STRING, s0, unsafe.Pointer(s1), 0)
+}
+
+// mount instantiates mount object from filesystem context.
+func (fs *FS) mount(flags, attrFlags int) (fsfd int, err error) {
+	r, _, errno := syscall.Syscall(
+		SYS_FSMOUNT,
+		fs.fd,
+		uintptr(flags|FSMOUNT_CLOEXEC),
+		uintptr(attrFlags),
+	)
+	fsfd = int(r)
+	if errno != 0 {
+		err = os.NewSyscallError("fsmount", errno)
+	}
+	return
+}
+
+// MoveMount moves or attaches mount object to filesystem.
+func MoveMount(
+	fromDirfd int,
+	fromPathname string,
+	toDirfd int,
+	toPathname string,
+	flags int,
+) (err error) {
+	var s0 *byte
+	s0, err = syscall.BytePtrFromString(fromPathname)
+	if err != nil {
+		return
+	}
+
+	var s1 *byte
+	s1, err = syscall.BytePtrFromString(toPathname)
+	if err != nil {
+		return
+	}
+
+	_, _, errno := syscall.Syscall6(
+		SYS_MOVE_MOUNT,
+		uintptr(fromDirfd),
+		uintptr(unsafe.Pointer(s0)),
+		uintptr(toDirfd),
+		uintptr(unsafe.Pointer(s1)),
+		uintptr(flags),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("move_mount", errno)
+	}
+	return
+}
+
+// Mount attaches the underlying filesystem context to the specified pathname.
+func (fs *FS) Mount(pathname string, attrFlags int) error {
+	if err := fs.config(FSCONFIG_CMD_CREATE_EXCL, nil, nil, 0); err != nil {
+		return err
+	}
+	fd, err := fs.mount(0, attrFlags)
+	if err != nil {
+		return err
+	}
+	err = MoveMount(
+		fd, "",
+		-1, pathname,
+		MOVE_MOUNT_F_EMPTY_PATH,
+	)
+	closeErr := syscall.Close(fd)
+	if err == nil {
+		err = closeErr
+	}
+	return err
+}

hst/config.go

@@ -140,21 +140,29 @@ var (
 	ErrInsecure = errors.New("configuration is insecure")
 )
 
+const (
+	// VAllowInsecure allows use of compatibility options considered insecure
+	// under any configuration, to work around ecosystem-wide flaws.
+	VAllowInsecure = 1 << iota
+)
+
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
-func (config *Config) Validate() error {
+func (config *Config) Validate(flags int) error {
+	const step = "validate configuration"
+
 	if config == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "invalid configuration"}
 	}
 
 	// this is checked again in hsu
 	if config.Identity < IdentityStart || config.Identity > IdentityEnd {
-		return &AppError{Step: "validate configuration", Err: ErrIdentityBounds,
+		return &AppError{Step: step, Err: ErrIdentityBounds,
 			Msg: "identity " + strconv.Itoa(config.Identity) + " out of range"}
 	}
 
 	if config.SchedPolicy < 0 || config.SchedPolicy > ext.SCHED_LAST {
-		return &AppError{Step: "validate configuration", Err: ErrSchedPolicyBounds,
+		return &AppError{Step: step, Err: ErrSchedPolicyBounds,
 			Msg: "scheduling policy " +
 				strconv.Itoa(int(config.SchedPolicy)) +
 				" out of range"}
@@ -168,34 +176,51 @@ func (config *Config) Validate() error {
 	}
 
 	if config.Container == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "configuration missing container state"}
 	}
 	if config.Container.Home == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}
 	}
 	if config.Container.Shell == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to shell"}
 	}
 	if config.Container.Path == nil {
-		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
+		return &AppError{Step: step, Err: ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}
 	}
 
 	for key := range config.Container.Env {
 		if strings.IndexByte(key, '=') != -1 || strings.IndexByte(key, 0) != -1 {
-			return &AppError{Step: "validate configuration", Err: ErrEnviron,
+			return &AppError{Step: step, Err: ErrEnviron,
 				Msg: "invalid environment variable " + strconv.Quote(key)}
 		}
 	}
 
-	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
+	et := config.Enablements.Unwrap()
-		return &AppError{Step: "validate configuration", Err: ErrInsecure,
+	if !config.DirectPulse && et&EPulse != 0 {
+		return &AppError{Step: step, Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 
+	if flags&VAllowInsecure == 0 {
+		switch {
+		case et&EWayland != 0 && config.DirectWayland:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_wayland is insecure and no longer supported"}
+
+		case et&EPipeWire != 0 && config.DirectPipeWire:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pipewire is insecure and no longer supported"}
+
+		case et&EPulse != 0 && config.DirectPulse:
+			return &AppError{Step: step, Err: ErrInsecure,
+				Msg: "direct_pulse is insecure and no longer supported"}
+		}
+	}
+
 	return nil
 }
 

hst/config_test.go

@@ -14,65 +14,109 @@ func TestConfigValidate(t *testing.T) {
 	testCases := []struct {
 		name    string
 		config  *hst.Config
+		flags   int
 		wantErr error
 	}{
-		{"nil", nil, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"nil", nil, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "invalid configuration"}},
-		{"identity lower", &hst.Config{Identity: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+
+		{"identity lower", &hst.Config{Identity: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity -1 out of range"}},
-		{"identity upper", &hst.Config{Identity: 10000}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+		{"identity upper", &hst.Config{Identity: 10000}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity 10000 out of range"}},
-		{"sched lower", &hst.Config{SchedPolicy: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+
+		{"sched lower", &hst.Config{SchedPolicy: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy -1 out of range"}},
-		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy 51966 out of range"}},
-		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}},
+
+		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "session"}},
-		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}},
+		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}}, 0,
 			&hst.BadInterfaceError{Interface: "", Segment: "system"}},
-		{"container", &hst.Config{}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+
+		{"container", &hst.Config{}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "configuration missing container state"}},
-		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}},
 		{"shell", &hst.Config{Container: &hst.ContainerConfig{
 			Home: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to shell"}},
 		{"path", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}},
+
 		{"env equals", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM=": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM="`}},
 		{"env NUL", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM\x00": ""},
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
-		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
+
+		{"insecure pulse", &hst.Config{Enablements: new(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
+
+		{"direct wayland", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_wayland is insecure and no longer supported"}},
+		{"direct wayland allow", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pipewire", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pipewire is insecure and no longer supported"}},
+		{"direct pipewire allow", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
+		{"direct pulse", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+			Msg: "direct_pulse is insecure and no longer supported"}},
+		{"direct pulse allow", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
+			Home:  fhs.AbsTmp,
+			Shell: fhs.AbsTmp,
+			Path:  fhs.AbsTmp,
+		}}, hst.VAllowInsecure, nil},
+
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, nil},
+		}}, 0, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if err := tc.config.Validate(); !reflect.DeepEqual(err, tc.wantErr) {
+			if err := tc.config.Validate(tc.flags); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("Validate: error = %#v, want %#v", err, tc.wantErr)
 			}
 		})

hst/enablement.go

@@ -7,12 +7,12 @@ import (
 	"syscall"
 )
 
-// Enablement represents an optional host service to export to the target user.
+// Enablements denotes optional host service to export to the target user.
-type Enablement byte
+type Enablements byte
 
 const (
 	// EWayland exposes a Wayland pathname socket via security-context-v1.
-	EWayland Enablement = 1 << iota
+	EWayland Enablements = 1 << iota
 	// EX11 adds the target user via X11 ChangeHosts and exposes the X11
 	// pathname socket.
 	EX11
@@ -28,8 +28,8 @@ const (
 	EM
 )
 
-// String returns a string representation of the flags set on [Enablement].
+// String returns a string representation of the flags set on [Enablements].
-func (e Enablement) String() string {
+func (e Enablements) String() string {
 	switch e {
 	case 0:
 		return "(no enablements)"
@@ -47,7 +47,7 @@ func (e Enablement) String() string {
 		buf := new(strings.Builder)
 		buf.Grow(32)
 
-		for i := Enablement(1); i < EM; i <<= 1 {
+		for i := Enablements(1); i < EM; i <<= 1 {
 			if e&i != 0 {
 				buf.WriteString(", " + i.String())
 			}
@@ -60,12 +60,6 @@ func (e Enablement) String() string {
 	}
 }
 
-// NewEnablements returns the address of [Enablement] as [Enablements].
-func NewEnablements(e Enablement) *Enablements { return (*Enablements)(&e) }
-
-// Enablements is the [json] adapter for [Enablement].
-type Enablements Enablement
-
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
 	Wayland  bool `json:"wayland,omitempty"`
@@ -75,24 +69,21 @@ type enablementsJSON = struct {
 	Pulse    bool `json:"pulse,omitempty"`
 }
 
-// Unwrap returns the underlying [Enablement].
+// Unwrap returns the value pointed to by e.
-func (e *Enablements) Unwrap() Enablement {
+func (e *Enablements) Unwrap() Enablements {
 	if e == nil {
 		return 0
 	}
-	return Enablement(*e)
+	return *e
 }
 
-func (e *Enablements) MarshalJSON() ([]byte, error) {
+func (e Enablements) MarshalJSON() ([]byte, error) {
-	if e == nil {
-		return nil, syscall.EINVAL
-	}
 	return json.Marshal(&enablementsJSON{
-		Wayland:  Enablement(*e)&EWayland != 0,
+		Wayland:  e&EWayland != 0,
-		X11:      Enablement(*e)&EX11 != 0,
+		X11:      e&EX11 != 0,
-		DBus:     Enablement(*e)&EDBus != 0,
+		DBus:     e&EDBus != 0,
-		PipeWire: Enablement(*e)&EPipeWire != 0,
+		PipeWire: e&EPipeWire != 0,
-		Pulse:    Enablement(*e)&EPulse != 0,
+		Pulse:    e&EPulse != 0,
 	})
 }
 
@@ -106,22 +97,21 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
-	var ve Enablement
+	*e = 0
 	if v.Wayland {
-		ve |= EWayland
+		*e |= EWayland
 	}
 	if v.X11 {
-		ve |= EX11
+		*e |= EX11
 	}
 	if v.DBus {
-		ve |= EDBus
+		*e |= EDBus
 	}
 	if v.PipeWire {
-		ve |= EPipeWire
+		*e |= EPipeWire
 	}
 	if v.Pulse {
-		ve |= EPulse
+		*e |= EPulse
 	}
-	*e = Enablements(ve)
 	return nil
 }

hst/enablement_test.go

@@ -13,7 +13,7 @@ func TestEnablementString(t *testing.T) {
 	t.Parallel()
 
 	testCases := []struct {
-		flags hst.Enablement
+		flags hst.Enablements
 		want  string
 	}{
 		{0, "(no enablements)"},
@@ -59,13 +59,13 @@ func TestEnablements(t *testing.T) {
 		sData string
 	}{
 		{"nil", nil, "null", `{"value":null,"magic":3236757504}`},
-		{"zero", hst.NewEnablements(0), `{}`, `{"value":{},"magic":3236757504}`},
+		{"zero", new(hst.Enablements(0)), `{}`, `{"value":{},"magic":3236757504}`},
-		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
+		{"wayland", new(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
-		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
+		{"x11", new(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
-		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"dbus", new(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
-		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
+		{"pipewire", new(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
-		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
+		{"pulse", new(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
+		{"all", new(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}
 
 	for _, tc := range testCases {
@@ -137,7 +137,7 @@ func TestEnablements(t *testing.T) {
 		})
 
 		t.Run("val", func(t *testing.T) {
-			if got := hst.NewEnablements(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
+			if got := new(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
 				t.Errorf("Unwrap: %v", got)
 			}
 		})
@@ -146,9 +146,6 @@ func TestEnablements(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
 		t.Parallel()
 
-		if _, err := (*hst.Enablements)(nil).MarshalJSON(); !errors.Is(err, syscall.EINVAL) {
-			t.Errorf("MarshalJSON: error = %v", err)
-		}
 		if err := (*hst.Enablements)(nil).UnmarshalJSON(nil); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("UnmarshalJSON: error = %v", err)
 		}

hst/hst.go

@@ -72,7 +72,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
 
-		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
+		Enablements: new(EWayland | EDBus | EPipeWire),
 
 		SessionBus: &BusConfig{
 			See: nil,

internal/landlock/landlock.go

@@ -1,4 +1,4 @@
-package container
+package landlock
 
 import (
 	"strings"
@@ -14,11 +14,11 @@ const (
 	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
 )
 
-// LandlockAccessFS is bitmask of handled filesystem actions.
+// AccessFS is bitmask of handled filesystem actions.
-type LandlockAccessFS uint64
+type AccessFS uint64
 
 const (
-	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
+	LANDLOCK_ACCESS_FS_EXECUTE AccessFS = 1 << iota
 	LANDLOCK_ACCESS_FS_WRITE_FILE
 	LANDLOCK_ACCESS_FS_READ_FILE
 	LANDLOCK_ACCESS_FS_READ_DIR
@@ -38,8 +38,8 @@ const (
 	_LANDLOCK_ACCESS_FS_DELIM
 )
 
-// String returns a space-separated string of [LandlockAccessFS] flags.
+// String returns a space-separated string of [AccessFS] flags.
-func (f LandlockAccessFS) String() string {
+func (f AccessFS) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_FS_EXECUTE:
 		return "execute"
@@ -90,8 +90,8 @@ func (f LandlockAccessFS) String() string {
 		return "fs_ioctl_dev"
 
 	default:
-		var c []LandlockAccessFS
+		var c []AccessFS
-		for i := LandlockAccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
+		for i := AccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -107,18 +107,18 @@ func (f LandlockAccessFS) String() string {
 	}
 }
 
-// LandlockAccessNet is bitmask of handled network actions.
+// AccessNet is bitmask of handled network actions.
-type LandlockAccessNet uint64
+type AccessNet uint64
 
 const (
-	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
+	LANDLOCK_ACCESS_NET_BIND_TCP AccessNet = 1 << iota
 	LANDLOCK_ACCESS_NET_CONNECT_TCP
 
 	_LANDLOCK_ACCESS_NET_DELIM
 )
 
-// String returns a space-separated string of [LandlockAccessNet] flags.
+// String returns a space-separated string of [AccessNet] flags.
-func (f LandlockAccessNet) String() string {
+func (f AccessNet) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_NET_BIND_TCP:
 		return "bind_tcp"
@@ -127,8 +127,8 @@ func (f LandlockAccessNet) String() string {
 		return "connect_tcp"
 
 	default:
-		var c []LandlockAccessNet
+		var c []AccessNet
-		for i := LandlockAccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
+		for i := AccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -144,18 +144,18 @@ func (f LandlockAccessNet) String() string {
 	}
 }
 
-// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+// Scope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
-type LandlockScope uint64
+type Scope uint64
 
 const (
-	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET Scope = 1 << iota
 	LANDLOCK_SCOPE_SIGNAL
 
 	_LANDLOCK_SCOPE_DELIM
 )
 
-// String returns a space-separated string of [LandlockScope] flags.
+// String returns a space-separated string of [Scope] flags.
-func (f LandlockScope) String() string {
+func (f Scope) String() string {
 	switch f {
 	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
 		return "abstract_unix_socket"
@@ -164,8 +164,8 @@ func (f LandlockScope) String() string {
 		return "signal"
 
 	default:
-		var c []LandlockScope
+		var c []Scope
-		for i := LandlockScope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
+		for i := Scope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -184,12 +184,12 @@ func (f LandlockScope) String() string {
 // RulesetAttr is equivalent to struct landlock_ruleset_attr.
 type RulesetAttr struct {
 	// Bitmask of handled filesystem actions.
-	HandledAccessFS LandlockAccessFS
+	HandledAccessFS AccessFS
 	// Bitmask of handled network actions.
-	HandledAccessNet LandlockAccessNet
+	HandledAccessNet AccessNet
 	// Bitmask of scopes restricting a Landlock domain from accessing outside
 	// resources (e.g. IPCs).
-	Scoped LandlockScope
+	Scoped Scope
 }
 
 // String returns a user-facing description of [RulesetAttr].
@@ -239,13 +239,13 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	return fd, nil
 }
 
-// LandlockGetABI returns the ABI version supported by the kernel.
+// GetABI returns the ABI version supported by the kernel.
-func LandlockGetABI() (int, error) {
+func GetABI() (int, error) {
 	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
 }
 
-// LandlockRestrictSelf applies a loaded ruleset to the calling thread.
+// RestrictSelf applies a loaded ruleset to the calling thread.
-func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
+func RestrictSelf(rulesetFd int, flags uintptr) error {
 	r, _, errno := syscall.Syscall(
 		ext.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),

internal/landlock/landlock_test.go

@@ -0,0 +1,65 @@
+package landlock_test
+
+import (
+	"testing"
+	"unsafe"
+
+	"hakurei.app/internal/landlock"
+)
+
+func TestLandlockString(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		rulesetAttr *landlock.RulesetAttr
+		want        string
+	}{
+		{"nil", nil, "NULL"},
+		{"zero", new(landlock.RulesetAttr), "0"},
+		{"some", &landlock.RulesetAttr{Scoped: landlock.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
+		{"set", &landlock.RulesetAttr{
+			HandledAccessFS:  landlock.LANDLOCK_ACCESS_FS_MAKE_SYM | landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV | landlock.LANDLOCK_ACCESS_FS_WRITE_FILE,
+			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP,
+			Scoped:           landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | landlock.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
+		{"all", &landlock.RulesetAttr{
+			HandledAccessFS: landlock.LANDLOCK_ACCESS_FS_EXECUTE |
+				landlock.LANDLOCK_ACCESS_FS_WRITE_FILE |
+				landlock.LANDLOCK_ACCESS_FS_READ_FILE |
+				landlock.LANDLOCK_ACCESS_FS_READ_DIR |
+				landlock.LANDLOCK_ACCESS_FS_REMOVE_DIR |
+				landlock.LANDLOCK_ACCESS_FS_REMOVE_FILE |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_CHAR |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_DIR |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_REG |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_SOCK |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_FIFO |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+				landlock.LANDLOCK_ACCESS_FS_MAKE_SYM |
+				landlock.LANDLOCK_ACCESS_FS_REFER |
+				landlock.LANDLOCK_ACCESS_FS_TRUNCATE |
+				landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV,
+			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP |
+				landlock.LANDLOCK_ACCESS_NET_CONNECT_TCP,
+			Scoped: landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+				landlock.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := tc.rulesetAttr.String(); got != tc.want {
+				t.Errorf("String: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestLandlockAttrSize(t *testing.T) {
+	t.Parallel()
+	want := 24
+	if got := unsafe.Sizeof(landlock.RulesetAttr{}); got != uintptr(want) {
+		t.Errorf("Sizeof: %d, want %d", got, want)
+	}
+}

internal/outcome/finalise.go

@@ -32,7 +32,14 @@ type outcome struct {
 	syscallDispatcher
 }
 
-func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, config *hst.Config) error {
+// finalise prepares an outcome for main.
+func (k *outcome) finalise(
+	ctx context.Context,
+	msg message.Msg,
+	id *hst.ID,
+	config *hst.Config,
+	flags int,
+) error {
 	if ctx == nil || id == nil {
 		// unreachable
 		panic("invalid call to finalise")
@@ -43,7 +50,7 @@ func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, con
 	}
 	k.ctx = ctx
 
-	if err := config.Validate(); err != nil {
+	if err := config.Validate(flags); err != nil {
 		return err
 	}
 

internal/outcome/outcome.go

@@ -194,7 +194,7 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
 	appId string
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
-	et hst.Enablement
+	et hst.Enablements
 
 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool

internal/outcome/process.go

@@ -297,12 +297,12 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 					// accumulate enablements of remaining instances
 					var (
 						// alive enablement bits
-						rt hst.Enablement
+						rt hst.Enablements
 						// alive instance count
 						n int
 					)
 					for eh := range entries {
-						var et hst.Enablement
+						var et hst.Enablements
 						if et, err = eh.Load(nil); err != nil {
 							perror(err, "read state header of instance "+eh.ID.String())
 						} else {

internal/outcome/run.go

@@ -18,7 +18,13 @@ import (
 func IsPollDescriptor(fd uintptr) bool
 
 // Main runs an app according to [hst.Config] and terminates. Main does not return.
-func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
+func Main(
+	ctx context.Context,
+	msg message.Msg,
+	config *hst.Config,
+	flags int,
+	fd int,
+) {
 	// avoids runtime internals or standard streams
 	if fd >= 0 {
 		if IsPollDescriptor(uintptr(fd)) || fd < 3 {
@@ -34,7 +40,7 @@ func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
 	k := outcome{syscallDispatcher: direct{msg}}
 
 	finaliseTime := time.Now()
-	if err := k.finalise(ctx, msg, &id, config); err != nil {
+	if err := k.finalise(ctx, msg, &id, config, flags); err != nil {
 		printMessageError(msg.GetLogger().Fatalln, "cannot seal app:", err)
 		panic("unreachable")
 	}

internal/outcome/run_test.go

@@ -288,7 +288,7 @@ func TestOutcomeRun(t *testing.T) {
 				},
 				Filter: true,
 			},
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 
 			Container: &hst.ContainerConfig{
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -427,7 +427,7 @@ func TestOutcomeRun(t *testing.T) {
 			DirectPipeWire: true,
 
 			ID:          "org.chromium.Chromium",
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{

internal/outcome/sppulse_test.go

@@ -21,7 +21,7 @@ func TestSpPulseOp(t *testing.T) {
 	newConfig := func() *hst.Config {
 		config := hst.Template()
 		config.DirectPulse = true
-		config.Enablements = hst.NewEnablements(hst.EPulse)
+		config.Enablements = new(hst.EPulse)
 		return config
 	}
 

internal/pkg/exec.go

@@ -27,6 +27,11 @@ import (
 // AbsWork is the container pathname [TContext.GetWorkDir] is mounted on.
 var AbsWork = fhs.AbsRoot.Append("work/")
 
+// EnvJobs is the name of the environment variable holding a decimal
+// representation of the preferred job count. Its value must not affect cure
+// outcome.
+const EnvJobs = "CURE_JOBS"
+
 // ExecPath is a slice of [Artifact] and the [check.Absolute] pathname to make
 // it available at under in the container.
 type ExecPath struct {
@@ -397,7 +402,7 @@ const SeccompPresets = std.PresetStrict &
 func (a *execArtifact) makeContainer(
 	ctx context.Context,
 	msg message.Msg,
-	flags int,
+	flags, jobs int,
 	hostNet bool,
 	temp, work *check.Absolute,
 	getArtifact GetArtifactFunc,
@@ -432,8 +437,8 @@ func (a *execArtifact) makeContainer(
 		z.Hostname = "cure-net"
 	}
 	z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
-
+	z.Dir, z.Path, z.Args = a.dir, a.path, a.args
-	z.Dir, z.Env, z.Path, z.Args = a.dir, a.env, a.path, a.args
+	z.Env = slices.Concat(a.env, []string{EnvJobs + "=" + strconv.Itoa(jobs)})
 	z.Grow(len(a.paths) + 4)
 
 	for i, b := range a.paths {
@@ -563,6 +568,7 @@ func (c *Cache) EnterExec(
 	z, err = e.makeContainer(
 		ctx, c.msg,
 		c.flags,
+		c.jobs,
 		hostNet,
 		temp, work,
 		func(a Artifact) (*check.Absolute, unique.Handle[Checksum]) {
@@ -602,7 +608,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 	msg := f.GetMessage()
 	var z *container.Container
 	if z, err = a.makeContainer(
-		ctx, msg, f.cache.flags, hostNet,
+		ctx, msg, f.cache.flags, f.GetJobs(), hostNet,
 		f.GetTempDir(), f.GetWorkDir(),
 		f.GetArtifact,
 		f.cache.Ident,

internal/pkg/ir.go

@@ -3,7 +3,6 @@ package pkg
 import (
 	"bufio"
 	"bytes"
-	"context"
 	"crypto/sha512"
 	"encoding/binary"
 	"errors"
@@ -11,6 +10,7 @@ import (
 	"io"
 	"slices"
 	"strconv"
+	"sync"
 	"syscall"
 	"unique"
 	"unsafe"
@@ -39,22 +39,45 @@ func panicToError(errP *error) {
 	}
 }
 
+// irCache implements [IRCache].
+type irCache struct {
+	// Artifact to [unique.Handle] of identifier cache.
+	artifact sync.Map
+	// Identifier free list, must not be accessed directly.
+	identPool sync.Pool
+}
+
+// zeroIRCache returns the initialised value of irCache.
+func zeroIRCache() irCache {
+	return irCache{
+		identPool: sync.Pool{New: func() any { return new(extIdent) }},
+	}
+}
+
+// IRCache provides memory management and caching primitives for IR and
+// identifier operations against [Artifact] implementations.
+//
+// The zero value is not safe for use.
+type IRCache struct{ irCache }
+
+// NewIR returns the address of a new [IRCache].
+func NewIR() *IRCache {
+	return &IRCache{zeroIRCache()}
+}
+
 // IContext is passed to [Artifact.Params] and provides methods for writing
 // values to the IR writer. It does not expose the underlying [io.Writer].
 //
 // IContext is valid until [Artifact.Params] returns.
 type IContext struct {
-	// Address of underlying [Cache], should be zeroed or made unusable after
+	// Address of underlying irCache, should be zeroed or made unusable after
 	// [Artifact.Params] returns and must not be exposed directly.
-	cache *Cache
+	ic *irCache
 	// Written to by various methods, should be zeroed after [Artifact.Params]
 	// returns and must not be exposed directly.
 	w io.Writer
 }
 
-// Unwrap returns the underlying [context.Context].
-func (i *IContext) Unwrap() context.Context { return i.cache.ctx }
-
 // irZero is a zero IR word.
 var irZero [wordSize]byte
 
@@ -136,11 +159,11 @@ func (i *IContext) mustWrite(p []byte) {
 // WriteIdent is not defined for an [Artifact] not part of the slice returned by
 // [Artifact.Dependencies].
 func (i *IContext) WriteIdent(a Artifact) {
-	buf := i.cache.getIdentBuf()
+	buf := i.ic.getIdentBuf()
-	defer i.cache.putIdentBuf(buf)
+	defer i.ic.putIdentBuf(buf)
 
 	IRKindIdent.encodeHeader(0).put(buf[:])
-	*(*ID)(buf[wordSize:]) = i.cache.Ident(a).Value()
+	*(*ID)(buf[wordSize:]) = i.ic.Ident(a).Value()
 	i.mustWrite(buf[:])
 }
 
@@ -183,19 +206,19 @@ func (i *IContext) WriteString(s string) {
 
 // Encode writes a deterministic, efficient representation of a to w and returns
 // the first non-nil error encountered while writing to w.
-func (c *Cache) Encode(w io.Writer, a Artifact) (err error) {
+func (ic *irCache) Encode(w io.Writer, a Artifact) (err error) {
 	deps := a.Dependencies()
 	idents := make([]*extIdent, len(deps))
 	for i, d := range deps {
-		dbuf, did := c.unsafeIdent(d, true)
+		dbuf, did := ic.unsafeIdent(d, true)
 		if dbuf == nil {
-			dbuf = c.getIdentBuf()
+			dbuf = ic.getIdentBuf()
 			binary.LittleEndian.PutUint64(dbuf[:], uint64(d.Kind()))
 			*(*ID)(dbuf[wordSize:]) = did.Value()
 		} else {
-			c.storeIdent(d, dbuf)
+			ic.storeIdent(d, dbuf)
 		}
-		defer c.putIdentBuf(dbuf)
+		defer ic.putIdentBuf(dbuf)
 		idents[i] = dbuf
 	}
 	slices.SortFunc(idents, func(a, b *extIdent) int {
@@ -221,10 +244,10 @@ func (c *Cache) Encode(w io.Writer, a Artifact) (err error) {
 	}
 
 	func() {
-		i := IContext{c, w}
+		i := IContext{ic, w}
 
 		defer panicToError(&err)
-		defer func() { i.cache, i.w = nil, nil }()
+		defer func() { i.ic, i.w = nil, nil }()
 
 		a.Params(&i)
 	}()
@@ -233,7 +256,7 @@ func (c *Cache) Encode(w io.Writer, a Artifact) (err error) {
 	}
 
 	var f IREndFlag
-	kcBuf := c.getIdentBuf()
+	kcBuf := ic.getIdentBuf()
 	sz := wordSize
 	if kc, ok := a.(KnownChecksum); ok {
 		f |= IREndKnownChecksum
@@ -243,13 +266,13 @@ func (c *Cache) Encode(w io.Writer, a Artifact) (err error) {
 	IRKindEnd.encodeHeader(uint32(f)).put(kcBuf[:])
 
 	_, err = w.Write(kcBuf[:sz])
-	c.putIdentBuf(kcBuf)
+	ic.putIdentBuf(kcBuf)
 	return
 }
 
 // encodeAll implements EncodeAll by recursively encoding dependencies and
 // performs deduplication by value via the encoded map.
-func (c *Cache) encodeAll(
+func (ic *irCache) encodeAll(
 	w io.Writer,
 	a Artifact,
 	encoded map[Artifact]struct{},
@@ -259,13 +282,13 @@ func (c *Cache) encodeAll(
 	}
 
 	for _, d := range a.Dependencies() {
-		if err = c.encodeAll(w, d, encoded); err != nil {
+		if err = ic.encodeAll(w, d, encoded); err != nil {
 			return
 		}
 	}
 
 	encoded[a] = struct{}{}
-	return c.Encode(w, a)
+	return ic.Encode(w, a)
 }
 
 // EncodeAll writes a self-describing IR stream of a to w and returns the first
@@ -283,8 +306,8 @@ func (c *Cache) encodeAll(
 // the ident cache, nor does it contribute identifiers it computes back to the
 // ident cache. Because of this, multiple invocations of EncodeAll will have
 // similar cost and does not amortise when combined with a call to Cure.
-func (c *Cache) EncodeAll(w io.Writer, a Artifact) error {
+func (ic *irCache) EncodeAll(w io.Writer, a Artifact) error {
-	return c.encodeAll(w, a, make(map[Artifact]struct{}))
+	return ic.encodeAll(w, a, make(map[Artifact]struct{}))
 }
 
 // ErrRemainingIR is returned for a [IRReadFunc] that failed to call
@@ -409,6 +432,12 @@ func (e InvalidKindError) Error() string {
 // register is not safe for concurrent use. register must not be called after
 // the first instance of [Cache] has been opened.
 func register(k Kind, f IRReadFunc) {
+	openMu.Lock()
+	defer openMu.Unlock()
+
+	if opened {
+		panic("attempting to register after open")
+	}
 	if _, ok := irArtifact[k]; ok {
 		panic("attempting to register " + strconv.Itoa(int(k)) + " twice")
 	}

internal/pkg/net_test.go

@@ -8,7 +8,6 @@ import (
 	"testing"
 	"testing/fstest"
 	"unique"
-	"unsafe"
 
 	"hakurei.app/check"
 	"hakurei.app/internal/pkg"
@@ -33,20 +32,14 @@ func TestHTTPGet(t *testing.T) {
 
 	checkWithCache(t, []cacheTestCase{
 		{"direct", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			var r pkg.RContext
+			r := newRContext(t, c)
-			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
-			reflect.NewAt(
-				rCacheVal.Type(),
-				unsafe.Pointer(rCacheVal.UnsafeAddr()),
-			).Elem().Set(reflect.ValueOf(c))
-
 			f := pkg.NewHTTPGet(
 				&client,
 				"file:///testdata",
 				testdataChecksum.Value(),
 			)
 			var got []byte
-			if rc, err := f.Cure(&r); err != nil {
+			if rc, err := f.Cure(r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
@@ -65,7 +58,7 @@ func TestHTTPGet(t *testing.T) {
 			wantErrMismatch := &pkg.ChecksumMismatchError{
 				Got: testdataChecksum.Value(),
 			}
-			if rc, err := f.Cure(&r); err != nil {
+			if rc, err := f.Cure(r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
@@ -76,7 +69,7 @@ func TestHTTPGet(t *testing.T) {
 			}
 
 			// check fallback validation
-			if rc, err := f.Cure(&r); err != nil {
+			if rc, err := f.Cure(r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if err = rc.Close(); !reflect.DeepEqual(err, wantErrMismatch) {
 				t.Fatalf("Close: error = %#v, want %#v", err, wantErrMismatch)
@@ -89,18 +82,13 @@ func TestHTTPGet(t *testing.T) {
 				pkg.Checksum{},
 			)
 			wantErrNotFound := pkg.ResponseStatusError(http.StatusNotFound)
-			if _, err := f.Cure(&r); !reflect.DeepEqual(err, wantErrNotFound) {
+			if _, err := f.Cure(r); !reflect.DeepEqual(err, wantErrNotFound) {
 				t.Fatalf("Cure: error = %#v, want %#v", err, wantErrNotFound)
 			}
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
 
 		{"cure", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			var r pkg.RContext
+			r := newRContext(t, c)
-			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
-			reflect.NewAt(
-				rCacheVal.Type(),
-				unsafe.Pointer(rCacheVal.UnsafeAddr()),
-			).Elem().Set(reflect.ValueOf(c))
 
 			f := pkg.NewHTTPGet(
 				&client,
@@ -120,7 +108,7 @@ func TestHTTPGet(t *testing.T) {
 			}
 
 			var got []byte
-			if rc, err := f.Cure(&r); err != nil {
+			if rc, err := f.Cure(r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
@@ -136,7 +124,7 @@ func TestHTTPGet(t *testing.T) {
 				"file:///testdata",
 				testdataChecksum.Value(),
 			)
-			if rc, err := f.Cure(&r); err != nil {
+			if rc, err := f.Cure(r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)

internal/pkg/pkg.go

@@ -18,6 +18,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"slices"
+	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -70,8 +71,70 @@ func MustDecode(s string) (checksum Checksum) {
 	return
 }
 
+var (
+	// extension is a string uniquely identifying a set of custom [Artifact]
+	// implementations registered by calling [Register].
+	extension string
+
+	// openMu synchronises access to global state for initialisation.
+	openMu sync.Mutex
+	// opened is false if [Open] was never called.
+	opened bool
+)
+
+// Extension returns a string uniquely identifying the currently registered set
+// of custom [Artifact], or the zero value if none was registered.
+func Extension() string { return extension }
+
+// ValidExtension returns whether s is valid for use in a call to SetExtension.
+func ValidExtension(s string) bool {
+	if l := len(s); l == 0 || l > 128 {
+		return false
+	}
+	for _, v := range s {
+		if v < 'a' || v > 'z' {
+			return false
+		}
+	}
+	return true
+}
+
+// ErrInvalidExtension is returned for a variant identification string for which
+// [ValidExtension] returns false.
+var ErrInvalidExtension = errors.New("invalid extension variant identification string")
+
+// SetExtension sets the extension variant identification string. SetExtension
+// must be called before [Open] if custom [Artifact] implementations had been
+// recorded by calling [Register].
+//
+// The variant identification string must be between 1 and 128 bytes long and
+// consists of only bytes between 'a' and 'z'.
+//
+// SetExtension is not safe for concurrent use. SetExtension is called at most
+// once and must not be called after the first instance of Cache has been opened.
+func SetExtension(s string) {
+	openMu.Lock()
+	defer openMu.Unlock()
+
+	if opened {
+		panic("attempting to set extension after open")
+	}
+	if extension != "" {
+		panic("attempting to set extension twice")
+	}
+	if !ValidExtension(s) {
+		panic(ErrInvalidExtension)
+	}
+	extension = s
+	statusHeader = makeStatusHeader(s)
+}
+
 // common holds elements and receives methods shared between different contexts.
 type common struct {
+	// Context specific to this [Artifact]. The toplevel context in [Cache] must
+	// not be exposed directly.
+	ctx context.Context
+
 	// Address of underlying [Cache], should be zeroed or made unusable after
 	// Cure returns and must not be exposed directly.
 	cache *Cache
@@ -98,19 +161,27 @@ type TContext struct {
 	common
 }
 
-// statusHeader is the header written to all status files in dirStatus.
+// makeStatusHeader creates the header written to every status file. This should
-var statusHeader = func() string {
+// not be called directly, its result is stored in statusHeader and will not
+// change after the first [Cache] is opened.
+func makeStatusHeader(extension string) string {
 	s := programName
 	if v := info.Version(); v != info.FallbackVersion {
 		s += " " + v
 	}
+	if extension != "" {
+		s += " with " + extension + " extensions"
+	}
 	s += " (" + runtime.GOARCH + ")"
 	if name, err := os.Hostname(); err == nil {
 		s += " on " + name
 	}
 	s += "\n\n"
 	return s
-}()
+}
+
+// statusHeader is the header written to all status files in dirStatus.
+var statusHeader = makeStatusHeader("")
 
 // prepareStatus initialises the status file once.
 func (t *TContext) prepareStatus() error {
@@ -183,11 +254,15 @@ func (t *TContext) destroy(errP *error) {
 }
 
 // Unwrap returns the underlying [context.Context].
-func (c *common) Unwrap() context.Context { return c.cache.ctx }
+func (c *common) Unwrap() context.Context { return c.ctx }
 
 // GetMessage returns [message.Msg] held by the underlying [Cache].
 func (c *common) GetMessage() message.Msg { return c.cache.msg }
 
+// GetJobs returns the preferred number of jobs to run, when applicable. Its
+// value must not affect cure outcome.
+func (c *common) GetJobs() int { return c.cache.jobs }
+
 // GetWorkDir returns a pathname to a directory which [Artifact] is expected to
 // write its output to. This is not the final resting place of the [Artifact]
 // and this pathname should not be directly referred to in the final contents.
@@ -207,11 +282,11 @@ func (t *TContext) GetTempDir() *check.Absolute { return t.temp }
 // [ChecksumMismatchError], or the underlying implementation may block on Close.
 func (c *common) Open(a Artifact) (r io.ReadCloser, err error) {
 	if f, ok := a.(FileArtifact); ok {
-		return c.cache.openFile(f)
+		return c.cache.openFile(c.ctx, f)
 	}
 
 	var pathname *check.Absolute
-	if pathname, _, err = c.cache.Cure(a); err != nil {
+	if pathname, _, err = c.cache.cure(a, true); err != nil {
 		return
 	}
 
@@ -372,6 +447,9 @@ type KnownChecksum interface {
 }
 
 // FileArtifact refers to an [Artifact] backed by a single file.
+//
+// FileArtifact does not support fine-grained cancellation. Its context is
+// inherited from the first [TrivialArtifact] or [FloodArtifact] that opens it.
 type FileArtifact interface {
 	// Cure returns [io.ReadCloser] of the full contents of [FileArtifact]. If
 	// [FileArtifact] implements [KnownChecksum], Cure is responsible for
@@ -416,6 +494,9 @@ const (
 	// KindFile is the kind of [Artifact] returned by [NewFile].
 	KindFile
 
+	// _kindEnd is the total number of kinds and does not denote a kind.
+	_kindEnd
+
 	// KindCustomOffset is the first [Kind] value reserved for implementations
 	// not from this package.
 	KindCustomOffset = 1 << 31
@@ -430,6 +511,9 @@ const (
 	// fileLock is the file name appended to Cache.base for guaranteeing
 	// exclusive access to the cache directory.
 	fileLock = "lock"
+	// fileVariant is the file name appended to Cache.base holding the variant
+	// identification string set by a prior call to [SetExtension].
+	fileVariant = "variant"
 
 	// dirIdentifier is the directory name appended to Cache.base for storing
 	// artifacts named after their [ID].
@@ -529,8 +613,36 @@ const (
 	// impurity due to [KindExecNet] being [KnownChecksum]. This flag exists
 	// to support kernels without Landlock LSM enabled.
 	CHostAbstract
+
+	// CPromoteVariant allows [pkg.Open] to promote an unextended on-disk cache
+	// to the current extension variant. This is a one-way operation.
+	CPromoteVariant
 )
 
+// toplevel holds [context.WithCancel] over caller-supplied context, where all
+// [Artifact] context are derived from.
+type toplevel struct {
+	ctx    context.Context
+	cancel context.CancelFunc
+}
+
+// newToplevel returns the address of a new toplevel via ctx.
+func newToplevel(ctx context.Context) *toplevel {
+	var t toplevel
+	t.ctx, t.cancel = context.WithCancel(ctx)
+	return &t
+}
+
+// pendingCure provides synchronisation and cancellation for pending cures.
+type pendingCure struct {
+	// Closed on cure completion.
+	done <-chan struct{}
+	// Error outcome, safe to access after done is closed.
+	err error
+	// Cancels the corresponding cure.
+	cancel context.CancelFunc
+}
+
 // Cache is a support layer that implementations of [Artifact] can use to store
 // cured [Artifact] data in a content addressed fashion.
 type Cache struct {
@@ -538,11 +650,10 @@ type Cache struct {
 	// implementation and receives an equal amount of elements after.
 	cures chan struct{}
 
-	// [context.WithCancel] over caller-supplied context, used by [Artifact] and
+	// Parent context which toplevel was derived from.
-	// all dependency curing goroutines.
+	parent context.Context
-	ctx context.Context
+	// For deriving curing context, must not be accessed directly.
-	// Cancels ctx.
+	toplevel atomic.Pointer[toplevel]
-	cancel context.CancelFunc
 	// For waiting on dependency curing goroutines.
 	wg sync.WaitGroup
 	// Reports new cures and passed to [Artifact].
@@ -552,11 +663,11 @@ type Cache struct {
 	base *check.Absolute
 	// Immutable cure options set by [Open].
 	flags int
+	// Immutable job count, when applicable.
+	jobs int
 
-	// Artifact to [unique.Handle] of identifier cache.
+	// Must not be exposed directly.
-	artifact sync.Map
+	irCache
-	// Identifier free list, must not be accessed directly.
-	identPool sync.Pool
 
 	// Synchronises access to dirChecksum.
 	checksumMu sync.RWMutex
@@ -566,9 +677,11 @@ type Cache struct {
 	// Identifier to error pair for unrecoverably faulted [Artifact].
 	identErr map[unique.Handle[ID]]error
 	// Pending identifiers, accessed through Cure for entries not in ident.
-	identPending map[unique.Handle[ID]]<-chan struct{}
+	identPending map[unique.Handle[ID]]*pendingCure
 	// Synchronises access to ident and corresponding filesystem entries.
 	identMu sync.RWMutex
+	// Synchronises entry into Abort and Cure.
+	abortMu sync.RWMutex
 
 	// Synchronises entry into exclusive artifacts for the cure method.
 	exclMu sync.Mutex
@@ -577,8 +690,10 @@ type Cache struct {
 
 	// Unlocks the on-filesystem cache. Must only be called from Close.
 	unlock func()
-	// Synchronises calls to Close.
+	// Whether [Cache] is considered closed.
-	closeOnce sync.Once
+	closed bool
+	// Synchronises calls to Abort and Close.
+	closeMu sync.Mutex
 
 	// Whether EnterExec has not yet returned.
 	inExec atomic.Bool
@@ -588,24 +703,24 @@ type Cache struct {
 type extIdent [wordSize + len(ID{})]byte
 
 // getIdentBuf returns the address of an extIdent for Ident.
-func (c *Cache) getIdentBuf() *extIdent { return c.identPool.Get().(*extIdent) }
+func (ic *irCache) getIdentBuf() *extIdent { return ic.identPool.Get().(*extIdent) }
 
 // putIdentBuf adds buf to identPool.
-func (c *Cache) putIdentBuf(buf *extIdent) { c.identPool.Put(buf) }
+func (ic *irCache) putIdentBuf(buf *extIdent) { ic.identPool.Put(buf) }
 
 // storeIdent adds an [Artifact] to the artifact cache.
-func (c *Cache) storeIdent(a Artifact, buf *extIdent) unique.Handle[ID] {
+func (ic *irCache) storeIdent(a Artifact, buf *extIdent) unique.Handle[ID] {
 	idu := unique.Make(ID(buf[wordSize:]))
-	c.artifact.Store(a, idu)
+	ic.artifact.Store(a, idu)
 	return idu
 }
 
 // Ident returns the identifier of an [Artifact].
-func (c *Cache) Ident(a Artifact) unique.Handle[ID] {
+func (ic *irCache) Ident(a Artifact) unique.Handle[ID] {
-	buf, idu := c.unsafeIdent(a, false)
+	buf, idu := ic.unsafeIdent(a, false)
 	if buf != nil {
-		idu = c.storeIdent(a, buf)
+		idu = ic.storeIdent(a, buf)
-		c.putIdentBuf(buf)
+		ic.putIdentBuf(buf)
 	}
 	return idu
 }
@@ -613,17 +728,17 @@ func (c *Cache) Ident(a Artifact) unique.Handle[ID] {
 // unsafeIdent implements Ident but returns the underlying buffer for a newly
 // computed identifier. Callers must return this buffer to identPool. encodeKind
 // is only a hint, kind may still be encoded in the buffer.
-func (c *Cache) unsafeIdent(a Artifact, encodeKind bool) (
+func (ic *irCache) unsafeIdent(a Artifact, encodeKind bool) (
 	buf *extIdent,
 	idu unique.Handle[ID],
 ) {
-	if id, ok := c.artifact.Load(a); ok {
+	if id, ok := ic.artifact.Load(a); ok {
 		idu = id.(unique.Handle[ID])
 		return
 	}
 
 	if ki, ok := a.(KnownIdent); ok {
-		buf = c.getIdentBuf()
+		buf = ic.getIdentBuf()
 		if encodeKind {
 			binary.LittleEndian.PutUint64(buf[:], uint64(a.Kind()))
 		}
@@ -631,9 +746,9 @@ func (c *Cache) unsafeIdent(a Artifact, encodeKind bool) (
 		return
 	}
 
-	buf = c.getIdentBuf()
+	buf = ic.getIdentBuf()
 	h := sha512.New384()
-	if err := c.Encode(h, a); err != nil {
+	if err := ic.Encode(h, a); err != nil {
 		// unreachable
 		panic(err)
 	}
@@ -1002,7 +1117,11 @@ func (c *Cache) Scrub(checks int) error {
 // loadOrStoreIdent attempts to load a cached [Artifact] by its identifier or
 // wait for a pending [Artifact] to cure. If neither is possible, the current
 // identifier is stored in identPending and a non-nil channel is returned.
+//
+// Since identErr is treated as grow-only, loadOrStoreIdent must not be entered
+// without holding a read lock on abortMu.
 func (c *Cache) loadOrStoreIdent(id unique.Handle[ID]) (
+	ctx context.Context,
 	done chan<- struct{},
 	checksum unique.Handle[Checksum],
 	err error,
@@ -1019,20 +1138,23 @@ func (c *Cache) loadOrStoreIdent(id unique.Handle[ID]) (
 		return
 	}
 
-	var notify <-chan struct{}
+	var pending *pendingCure
-	if notify, ok = c.identPending[id]; ok {
+	if pending, ok = c.identPending[id]; ok {
 		c.identMu.Unlock()
-		<-notify
+		<-pending.done
 		c.identMu.RLock()
 		if checksum, ok = c.ident[id]; !ok {
-			err = c.identErr[id]
+			err = pending.err
 		}
 		c.identMu.RUnlock()
 		return
 	}
 
 	d := make(chan struct{})
-	c.identPending[id] = d
+	pending = &pendingCure{done: d}
+	ctx, pending.cancel = context.WithCancel(c.toplevel.Load().ctx)
+	c.wg.Add(1)
+	c.identPending[id] = pending
 	c.identMu.Unlock()
 	done = d
 	return
@@ -1048,21 +1170,62 @@ func (c *Cache) finaliseIdent(
 ) {
 	c.identMu.Lock()
 	if err != nil {
+		c.identPending[id].err = err
 		c.identErr[id] = err
 	} else {
 		c.ident[id] = checksum
 	}
 	delete(c.identPending, id)
 	c.identMu.Unlock()
+	c.wg.Done()
 
 	close(done)
 }
 
+// Done returns a channel that is closed when the ongoing cure of an [Artifact]
+// referred to by the specified identifier completes. Done may return nil if
+// no ongoing cure of the specified identifier exists.
+func (c *Cache) Done(id unique.Handle[ID]) <-chan struct{} {
+	c.identMu.RLock()
+	pending, ok := c.identPending[id]
+	c.identMu.RUnlock()
+	if !ok || pending == nil {
+		return nil
+	}
+	return pending.done
+}
+
+// Cancel cancels the ongoing cure of an [Artifact] referred to by the specified
+// identifier. Cancel returns whether the [context.CancelFunc] has been killed.
+// Cancel returns after the cure is complete.
+func (c *Cache) Cancel(id unique.Handle[ID]) bool {
+	c.identMu.RLock()
+	pending, ok := c.identPending[id]
+	c.identMu.RUnlock()
+	if !ok || pending == nil || pending.cancel == nil {
+		return false
+	}
+	pending.cancel()
+	<-pending.done
+
+	c.abortMu.Lock()
+	c.identMu.Lock()
+	delete(c.identErr, id)
+	c.identMu.Unlock()
+	c.abortMu.Unlock()
+	return true
+}
+
 // openFile tries to load [FileArtifact] from [Cache], and if that fails,
 // obtains it via [FileArtifact.Cure] instead. Notably, it does not cure
 // [FileArtifact] to the filesystem. If err is nil, the caller is responsible
 // for closing the resulting [io.ReadCloser].
-func (c *Cache) openFile(f FileArtifact) (r io.ReadCloser, err error) {
+//
+// The context must originate from loadOrStoreIdent to enable cancellation.
+func (c *Cache) openFile(
+	ctx context.Context,
+	f FileArtifact,
+) (r io.ReadCloser, err error) {
 	if kc, ok := f.(KnownChecksum); c.flags&CAssumeChecksum != 0 && ok {
 		c.checksumMu.RLock()
 		r, err = os.Open(c.base.Append(
@@ -1093,7 +1256,7 @@ func (c *Cache) openFile(f FileArtifact) (r io.ReadCloser, err error) {
 				}
 			}()
 		}
-		return f.Cure(&RContext{common{c}})
+		return f.Cure(&RContext{common{ctx, c}})
 	}
 	return
 }
@@ -1241,12 +1404,11 @@ func (c *Cache) Cure(a Artifact) (
 	checksum unique.Handle[Checksum],
 	err error,
 ) {
-	select {
+	c.abortMu.RLock()
-	case <-c.ctx.Done():
+	defer c.abortMu.RUnlock()
-		err = c.ctx.Err()
-		return
 
-	default:
+	if err = c.toplevel.Load().ctx.Err(); err != nil {
+		return
 	}
 
 	return c.cure(a, true)
@@ -1332,15 +1494,16 @@ func (c *Cache) enterCure(a Artifact, curesExempt bool) error {
 		return nil
 	}
 
+	ctx := c.toplevel.Load().ctx
 	select {
 	case c.cures <- struct{}{}:
 		return nil
 
-	case <-c.ctx.Done():
+	case <-ctx.Done():
 		if a.IsExclusive() {
 			c.exclMu.Unlock()
 		}
-		return c.ctx.Err()
+		return ctx.Err()
 	}
 }
 
@@ -1438,7 +1601,8 @@ func (r *RContext) NewMeasuredReader(
 	return r.cache.newMeasuredReader(rc, checksum)
 }
 
-// cure implements Cure without checking the full dependency graph.
+// cure implements Cure without acquiring a read lock on abortMu. cure must not
+// be entered during Abort.
 func (c *Cache) cure(a Artifact, curesExempt bool) (
 	pathname *check.Absolute,
 	checksum unique.Handle[Checksum],
@@ -1457,8 +1621,11 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		}
 	}()
 
-	var done chan<- struct{}
+	var (
-	done, checksum, err = c.loadOrStoreIdent(id)
+		ctx  context.Context
+		done chan<- struct{}
+	)
+	ctx, done, checksum, err = c.loadOrStoreIdent(id)
 	if done == nil {
 		return
 	} else {
@@ -1571,7 +1738,7 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		if err = c.enterCure(a, curesExempt); err != nil {
 			return
 		}
-		r, err = f.Cure(&RContext{common{c}})
+		r, err = f.Cure(&RContext{common{ctx, c}})
 		if err == nil {
 			if checksumPathname == nil || c.flags&CValidateKnown != 0 {
 				h := sha512.New384()
@@ -1651,7 +1818,7 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		c.base.Append(dirWork, ids),
 		c.base.Append(dirTemp, ids),
 		ids, nil, nil, nil,
-		common{c},
+		common{ctx, c},
 	}
 	switch ca := a.(type) {
 	case TrivialArtifact:
@@ -1802,23 +1969,65 @@ func (c *Cache) OpenStatus(a Artifact) (r io.ReadSeekCloser, err error) {
 	return
 }
 
+// Abort cancels all pending cures and waits for them to clean up, but does not
+// close the cache.
+func (c *Cache) Abort() {
+	c.closeMu.Lock()
+	defer c.closeMu.Unlock()
+
+	if c.closed {
+		return
+	}
+
+	c.toplevel.Load().cancel()
+	c.abortMu.Lock()
+	defer c.abortMu.Unlock()
+
+	// holding abortMu, identPending stays empty
+	c.wg.Wait()
+	c.identMu.Lock()
+	c.toplevel.Store(newToplevel(c.parent))
+	clear(c.identErr)
+	c.identMu.Unlock()
+}
+
 // Close cancels all pending cures and waits for them to clean up.
 func (c *Cache) Close() {
-	c.closeOnce.Do(func() {
+	c.closeMu.Lock()
-		c.cancel()
+	defer c.closeMu.Unlock()
+
+	if c.closed {
+		return
+	}
+
+	c.closed = true
+	c.toplevel.Load().cancel()
 	c.wg.Wait()
 	close(c.cures)
 	c.unlock()
-	})
 }
 
+// UnsupportedVariantError describes an on-disk cache with an extension variant
+// identification string that differs from the value returned by [Extension].
+type UnsupportedVariantError string
+
+func (e UnsupportedVariantError) Error() string {
+	return "unsupported variant " + strconv.Quote(string(e))
+}
+
+var (
+	// ErrWouldPromote is returned by [Open] if the [CPromoteVariant] bit is not
+	// set and the on-disk cache requires variant promotion.
+	ErrWouldPromote = errors.New("operation would promote unextended cache")
+)
+
 // Open returns the address of a newly opened instance of [Cache].
 //
 // Concurrent cures of a [FloodArtifact] dependency graph is limited to the
 // caller-supplied value, however direct calls to [Cache.Cure] is not subject
 // to this limitation.
 //
-// A cures value of 0 or lower is equivalent to the value returned by
+// A cures or jobs value of 0 or lower is equivalent to the value returned by
 // [runtime.NumCPU].
 //
 // A successful call to Open guarantees exclusive access to the on-filesystem
@@ -1828,10 +2037,10 @@ func (c *Cache) Close() {
 func Open(
 	ctx context.Context,
 	msg message.Msg,
-	flags, cures int,
+	flags, cures, jobs int,
 	base *check.Absolute,
 ) (*Cache, error) {
-	return open(ctx, msg, flags, cures, base, true)
+	return open(ctx, msg, flags, cures, jobs, base, true)
 }
 
 // open implements Open but allows omitting the [lockedfile] lock when called
@@ -1839,13 +2048,24 @@ func Open(
 func open(
 	ctx context.Context,
 	msg message.Msg,
-	flags, cures int,
+	flags, cures, jobs int,
 	base *check.Absolute,
 	lock bool,
 ) (*Cache, error) {
+	openMu.Lock()
+	defer openMu.Unlock()
+	opened = true
+
+	if extension == "" && len(irArtifact) != int(_kindEnd) {
+		panic("attempting to open cache with incomplete variant setup")
+	}
+
 	if cures < 1 {
 		cures = runtime.NumCPU()
 	}
+	if jobs < 1 {
+		jobs = runtime.NumCPU()
+	}
 
 	for _, name := range []string{
 		dirIdentifier,
@@ -1853,29 +2073,34 @@ func open(
 		dirStatus,
 		dirWork,
 	} {
-		if err := os.MkdirAll(base.Append(name).String(), 0700); err != nil &&
+		if err := os.MkdirAll(
-			!errors.Is(err, os.ErrExist) {
+			base.Append(name).String(),
+			0700,
+		); err != nil && !errors.Is(err, os.ErrExist) {
 			return nil, err
 		}
 	}
 
 	c := Cache{
+		parent: ctx,
+
 		cures: make(chan struct{}, cures),
 		flags: flags,
+		jobs:  jobs,
 
 		msg:  msg,
 		base: base,
 
-		identPool: sync.Pool{New: func() any { return new(extIdent) }},
+		irCache: zeroIRCache(),
 
 		ident:        make(map[unique.Handle[ID]]unique.Handle[Checksum]),
 		identErr:     make(map[unique.Handle[ID]]error),
-		identPending: make(map[unique.Handle[ID]]<-chan struct{}),
+		identPending: make(map[unique.Handle[ID]]*pendingCure),
 
 		brPool: sync.Pool{New: func() any { return new(bufio.Reader) }},
 		bwPool: sync.Pool{New: func() any { return new(bufio.Writer) }},
 	}
-	c.ctx, c.cancel = context.WithCancel(ctx)
+	c.toplevel.Store(newToplevel(ctx))
 
 	if lock || !testing.Testing() {
 		if unlock, err := lockedfile.MutexAt(
@@ -1889,6 +2114,45 @@ func open(
 		c.unlock = func() {}
 	}
 
+	variantPath := base.Append(fileVariant).String()
+	if p, err := os.ReadFile(variantPath); err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			c.unlock()
+			return nil, err
+		}
+		// nonexistence implies newly created cache, or a cache predating
+		// variant identification strings, in which case it is silently promoted
+		if err = os.WriteFile(
+			variantPath,
+			[]byte(extension),
+			0400,
+		); err != nil {
+			c.unlock()
+			return nil, err
+		}
+	} else if s := string(p); s == "" {
+		if extension != "" {
+			if flags&CPromoteVariant == 0 {
+				c.unlock()
+				return nil, ErrWouldPromote
+			}
+			if err = os.WriteFile(
+				variantPath,
+				[]byte(extension),
+				0400,
+			); err != nil {
+				c.unlock()
+				return nil, err
+			}
+		}
+	} else if !ValidExtension(s) {
+		c.unlock()
+		return nil, ErrInvalidExtension
+	} else if s != extension {
+		c.unlock()
+		return nil, UnsupportedVariantError(s)
+	}
+
 	return &c, nil
 }
 

internal/pkg/pkg_test.go

@@ -16,6 +16,7 @@ import (
 	"path/filepath"
 	"reflect"
 	"strconv"
+	"sync"
 	"syscall"
 	"testing"
 	"unique"
@@ -25,6 +26,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/fhs"
 	"hakurei.app/internal/info"
+	"hakurei.app/internal/landlock"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/stub"
 	"hakurei.app/message"
@@ -34,11 +36,47 @@ import (
 func unsafeOpen(
 	ctx context.Context,
 	msg message.Msg,
-	flags, cures int,
+	flags, cures, jobs int,
 	base *check.Absolute,
 	lock bool,
 ) (*pkg.Cache, error)
 
+var (
+	// extension is a string uniquely identifying a set of custom [Artifact]
+	// implementations registered by calling [Register].
+	//
+	//go:linkname extension hakurei.app/internal/pkg.extension
+	extension string
+
+	// opened is false if [Open] was never called.
+	//
+	//go:linkname opened hakurei.app/internal/pkg.opened
+	opened bool
+
+	// irArtifact refers to artifact IR interpretation functions and must not be
+	// written to directly.
+	//
+	//go:linkname irArtifact hakurei.app/internal/pkg.irArtifact
+	irArtifact map[pkg.Kind]pkg.IRReadFunc
+)
+
+// newRContext returns the address of a new [pkg.RContext] unsafely created for
+// the specified [testing.TB].
+func newRContext(tb testing.TB, c *pkg.Cache) *pkg.RContext {
+	var r pkg.RContext
+	rContextVal := reflect.ValueOf(&r).Elem().FieldByName("ctx")
+	reflect.NewAt(
+		rContextVal.Type(),
+		unsafe.Pointer(rContextVal.UnsafeAddr()),
+	).Elem().Set(reflect.ValueOf(tb.Context()))
+	rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
+	reflect.NewAt(
+		rCacheVal.Type(),
+		unsafe.Pointer(rCacheVal.UnsafeAddr()),
+	).Elem().Set(reflect.ValueOf(c))
+	return &r
+}
+
 func TestMain(m *testing.M) { container.TryArgv0(nil); os.Exit(m.Run()) }
 
 // overrideIdent overrides the ID method of [Artifact].
@@ -229,7 +267,7 @@ func TestIdent(t *testing.T) {
 	var cache *pkg.Cache
 	if a, err := check.NewAbs(t.TempDir()); err != nil {
 		t.Fatal(err)
-	} else if cache, err = pkg.Open(t.Context(), msg, 0, 0, a); err != nil {
+	} else if cache, err = pkg.Open(t.Context(), msg, 0, 0, 0, a); err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(cache.Close)
@@ -293,7 +331,7 @@ func checkWithCache(t *testing.T, testCases []cacheTestCase) {
 			flags := tc.flags
 
 			if info.CanDegrade {
-				if _, err := container.LandlockGetABI(); err != nil {
+				if _, err := landlock.GetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
 						t.Fatalf("LandlockGetABI: error = %v", err)
 					}
@@ -303,7 +341,7 @@ func checkWithCache(t *testing.T, testCases []cacheTestCase) {
 			}
 
 			var scrubFunc func() error // scrub after hashing
-			if c, err := pkg.Open(t.Context(), msg, flags, 1<<4, base); err != nil {
+			if c, err := pkg.Open(t.Context(), msg, flags, 1<<4, 0, base); err != nil {
 				t.Fatalf("Open: error = %v", err)
 			} else {
 				t.Cleanup(c.Close)
@@ -323,9 +361,20 @@ func checkWithCache(t *testing.T, testCases []cacheTestCase) {
 				restoreTemp = true
 			}
 
-			// destroy lock file to avoid changing cache checksums
+			// destroy lock and variant file to avoid changing cache checksums
-			if err := os.Remove(base.Append("lock").String()); err != nil {
+			for _, s := range []string{
+				"lock",
+				"variant",
+			} {
+				pathname := base.Append(s)
+				if p, err := os.ReadFile(pathname.String()); err != nil {
 					t.Fatal(err)
+				} else if len(p) != 0 {
+					t.Fatalf("file %q: %q", s, string(p))
+				}
+				if err := os.Remove(pathname.String()); err != nil {
+					t.Fatal(err)
+				}
 			}
 
 			// destroy non-deterministic status files
@@ -605,7 +654,7 @@ func TestCache(t *testing.T) {
 			if c0, err := unsafeOpen(
 				t.Context(),
 				message.New(nil),
-				0, 0, base, false,
+				0, 0, 0, base, false,
 			); err != nil {
 				t.Fatalf("open: error = %v", err)
 			} else {
@@ -875,17 +924,69 @@ func TestCache(t *testing.T) {
 				t.Fatalf("Scrub: error = %#v, want %#v", err, wantErrScrub)
 			}
 
-			identPendingVal := reflect.ValueOf(c).Elem().FieldByName("identPending")
+			notify := c.Done(unique.Make(pkg.ID{0xff}))
-			identPending := reflect.NewAt(
-				identPendingVal.Type(),
-				unsafe.Pointer(identPendingVal.UnsafeAddr()),
-			).Elem().Interface().(map[unique.Handle[pkg.ID]]<-chan struct{})
-			notify := identPending[unique.Make(pkg.ID{0xff})]
 			go close(n)
+			if notify != nil {
 				<-notify
+			}
+			for c.Done(unique.Make(pkg.ID{0xff})) != nil {
+			}
 			<-wCureDone
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
 
+		{"cancel abort block", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			var wg sync.WaitGroup
+			defer wg.Wait()
+
+			var started sync.WaitGroup
+			defer started.Wait()
+
+			blockCures := func(d byte, e stub.UniqueError, n int) {
+				started.Add(n)
+				for i := range n {
+					wg.Go(func() {
+						if _, _, err := c.Cure(overrideIdent{pkg.ID{d, byte(i)}, &stubArtifact{
+							kind: pkg.KindTar,
+							cure: func(t *pkg.TContext) error {
+								started.Done()
+								<-t.Unwrap().Done()
+								return e + stub.UniqueError(i)
+							},
+						}}); !reflect.DeepEqual(err, e+stub.UniqueError(i)) {
+							panic(err)
+						}
+					})
+				}
+				started.Wait()
+			}
+
+			blockCures(0xfd, 0xbad, 16)
+			c.Abort()
+			wg.Wait()
+
+			blockCures(0xfd, 0xcafe, 16)
+			c.Abort()
+			wg.Wait()
+
+			blockCures(0xff, 0xbad, 1)
+			if !c.Cancel(unique.Make(pkg.ID{0xff})) {
+				t.Fatal("missed cancellation")
+			}
+			wg.Wait()
+
+			blockCures(0xff, 0xcafe, 1)
+			if !c.Cancel(unique.Make(pkg.ID{0xff})) {
+				t.Fatal("missed cancellation")
+			}
+			wg.Wait()
+
+			for c.Cancel(unique.Make(pkg.ID{0xff})) {
+			}
+
+			c.Close()
+			c.Abort()
+		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
+
 		{"no assume checksum", 0, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			makeGarbage := func(work *check.Absolute, wantErr error) error {
 				if err := os.Mkdir(work.String(), 0700); err != nil {
@@ -1030,6 +1131,10 @@ func TestErrors(t *testing.T) {
 			Want:      pkg.IRKindIdent,
 			Ancillary: 0xcafe,
 		}, "got invalid kind 48879 IR value (0xcafe) instead of ident"},
+
+		{"UnsupportedVariantError", pkg.UnsupportedVariantError(
+			"rosa",
+		), `unsupported variant "rosa"`},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -1238,6 +1343,8 @@ func (a earlyFailureF) Cure(*pkg.FContext) error {
 }
 
 func TestDependencyCureErrorEarly(t *testing.T) {
+	t.Parallel()
+
 	checkWithCache(t, []cacheTestCase{
 		{"early", 0, nil, func(t *testing.T, _ *check.Absolute, c *pkg.Cache) {
 			_, _, err := c.Cure(earlyFailureF(8))
@@ -1248,7 +1355,7 @@ func TestDependencyCureErrorEarly(t *testing.T) {
 	})
 }
 
-func TestNew(t *testing.T) {
+func TestOpen(t *testing.T) {
 	t.Parallel()
 
 	t.Run("nonexistent", func(t *testing.T) {
@@ -1262,7 +1369,7 @@ func TestNew(t *testing.T) {
 		if _, err := pkg.Open(
 			t.Context(),
 			message.New(nil),
-			0, 0, check.MustAbs(container.Nonexistent),
+			0, 0, 0, check.MustAbs(container.Nonexistent),
 		); !reflect.DeepEqual(err, wantErr) {
 			t.Errorf("Open: error = %#v, want %#v", err, wantErr)
 		}
@@ -1290,9 +1397,225 @@ func TestNew(t *testing.T) {
 		if _, err := pkg.Open(
 			t.Context(),
 			message.New(nil),
-			0, 0, tempDir.Append("cache"),
+			0, 0, 0, tempDir.Append("cache"),
 		); !reflect.DeepEqual(err, wantErr) {
 			t.Errorf("Open: error = %#v, want %#v", err, wantErr)
 		}
 	})
 }
+
+func TestExtensionRegister(t *testing.T) {
+	extensionOld := extension
+	openedOld := opened
+	t.Cleanup(func() { extension = extensionOld; opened = openedOld })
+	extension = ""
+	opened = false
+
+	t.Run("set", func(t *testing.T) {
+		t.Cleanup(func() { extension = "" })
+
+		const want = "rosa"
+		pkg.SetExtension(want)
+		if got := pkg.Extension(); got != want {
+			t.Fatalf("Extension: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("twice", func(t *testing.T) {
+		t.Cleanup(func() { extension = "" })
+
+		defer func() {
+			const wantPanic = "attempting to set extension twice"
+			if r := recover(); r != wantPanic {
+				t.Errorf("panic: %#v, want %q", r, wantPanic)
+			}
+		}()
+		pkg.SetExtension("rosa")
+		pkg.SetExtension("rosa")
+	})
+
+	t.Run("invalid", func(t *testing.T) {
+		defer func() {
+			var wantPanic = pkg.ErrInvalidExtension
+			if r := recover(); r != wantPanic {
+				t.Errorf("panic: %#v, want %#v", r, wantPanic)
+			}
+		}()
+		pkg.SetExtension(" ")
+	})
+
+	t.Run("opened", func(t *testing.T) {
+		t.Cleanup(func() { opened = false })
+
+		if _, err := pkg.Open(
+			t.Context(),
+			message.New(log.Default()),
+			0, 0, 0,
+			check.MustAbs(container.Nonexistent),
+		); !errors.Is(err, os.ErrNotExist) {
+			t.Fatalf("Open: error = %v", err)
+		}
+
+		t.Run("variant", func(t *testing.T) {
+			defer func() {
+				const wantPanic = "attempting to set extension after open"
+				if r := recover(); r != wantPanic {
+					t.Errorf("panic: %#v, want %q", r, wantPanic)
+				}
+			}()
+			pkg.SetExtension("rosa")
+		})
+
+		t.Run("register", func(t *testing.T) {
+			defer func() {
+				const wantPanic = "attempting to register after open"
+				if r := recover(); r != wantPanic {
+					t.Errorf("panic: %#v, want %q", r, wantPanic)
+				}
+			}()
+			pkg.Register(pkg.KindCustomOffset, nil)
+		})
+	})
+
+	t.Run("incomplete", func(t *testing.T) {
+		t.Cleanup(func() { delete(irArtifact, pkg.KindCustomOffset) })
+
+		defer func() {
+			const wantPanic = "attempting to open cache with incomplete variant setup"
+			if r := recover(); r != wantPanic {
+				t.Errorf("panic: %#v, want %q", r, wantPanic)
+			}
+		}()
+		pkg.Register(pkg.KindCustomOffset, nil)
+
+		t.Cleanup(func() { opened = false })
+		_, _ = pkg.Open(nil, nil, 0, 0, 0, nil)
+		panic("unreachable")
+	})
+
+	t.Run("create", func(t *testing.T) {
+		t.Cleanup(func() { extension = "" })
+		const want = "rosa"
+		pkg.SetExtension(want)
+
+		base := check.MustAbs(t.TempDir())
+		t.Cleanup(func() { opened = false })
+		if c, err := pkg.Open(
+			t.Context(), nil,
+			0, 0, 0,
+			base,
+		); err != nil {
+			t.Fatal(err)
+		} else {
+			c.Close()
+		}
+
+		if got, err := os.ReadFile(base.Append("variant").String()); err != nil {
+			t.Fatal(err)
+		} else if string(got) != want {
+			t.Fatalf("variant: %q", string(got))
+		}
+	})
+
+	t.Run("access", func(t *testing.T) {
+		base := check.MustAbs(t.TempDir())
+		t.Cleanup(func() { opened = false })
+
+		if err := os.WriteFile(base.Append("variant").String(), nil, 0); err != nil {
+			t.Fatal(err)
+		}
+
+		wantErr := &os.PathError{
+			Op:   "open",
+			Path: base.Append("variant").String(),
+			Err:  syscall.EACCES,
+		}
+		if _, err := pkg.Open(
+			t.Context(), nil,
+			0, 0, 0,
+			base,
+		); !reflect.DeepEqual(err, wantErr) {
+			t.Fatalf("Open: error = %v, want %v", err, wantErr)
+		}
+	})
+
+	t.Run("promote", func(t *testing.T) {
+		t.Cleanup(func() { extension = "" })
+		const want = "rosa"
+		pkg.SetExtension(want)
+
+		base := check.MustAbs(t.TempDir())
+		t.Cleanup(func() { opened = false })
+
+		variantPath := base.Append("variant")
+		if err := os.WriteFile(variantPath.String(), nil, 0600); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := pkg.Open(
+			t.Context(), nil,
+			0, 0, 0,
+			base,
+		); !reflect.DeepEqual(err, pkg.ErrWouldPromote) {
+			t.Fatalf("Open: error = %v", err)
+		}
+
+		if p, err := os.ReadFile(variantPath.String()); err != nil {
+			t.Fatal(err)
+		} else if len(p) != 0 {
+			t.Fatalf("variant: %q", string(p))
+		}
+
+		if c, err := pkg.Open(
+			t.Context(), nil,
+			pkg.CPromoteVariant, 0, 0,
+			base,
+		); err != nil {
+			t.Fatalf("Open: error = %v", err)
+		} else {
+			c.Close()
+		}
+
+		if p, err := os.ReadFile(variantPath.String()); err != nil {
+			t.Fatal(err)
+		} else if string(p) != want {
+			t.Fatalf("variant: %q, want %q", string(p), want)
+		}
+	})
+
+	t.Run("open invalid", func(t *testing.T) {
+		base := check.MustAbs(t.TempDir())
+		t.Cleanup(func() { opened = false })
+
+		variantPath := base.Append("variant")
+		if err := os.WriteFile(variantPath.String(), make([]byte, 129), 0400); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := pkg.Open(
+			t.Context(), nil,
+			0, 0, 0,
+			base,
+		); !reflect.DeepEqual(err, pkg.ErrInvalidExtension) {
+			t.Fatalf("Open: error = %v", err)
+		}
+	})
+
+	t.Run("unsupported", func(t *testing.T) {
+		base := check.MustAbs(t.TempDir())
+		t.Cleanup(func() { opened = false })
+
+		variantPath := base.Append("variant")
+		if err := os.WriteFile(variantPath.String(), []byte("rosa"), 0400); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := pkg.Open(
+			t.Context(), nil,
+			0, 0, 0,
+			base,
+		); !reflect.DeepEqual(err, pkg.UnsupportedVariantError("rosa")) {
+			t.Fatalf("Open: error = %v", err)
+		}
+	})
+}

internal/pkg/tar.go

@@ -43,8 +43,7 @@ var _ fmt.Stringer = new(tarArtifactNamed)
 func (a *tarArtifactNamed) String() string { return a.name + "-unpack" }
 
 // NewTar returns a new [Artifact] backed by the supplied [Artifact] and
-// compression method. The source [Artifact] must be compatible with
+// compression method. The source [Artifact] must be a [FileArtifact].
-// [TContext.Open].
 func NewTar(a Artifact, compression uint32) Artifact {
 	ta := tarArtifact{a, compression}
 	if s, ok := a.(fmt.Stringer); ok {

internal/pkg/testdata/main.go

@@ -9,10 +9,11 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"slices"
+	"strconv"
 	"strings"
 
-	"hakurei.app/check"
 	"hakurei.app/fhs"
 	"hakurei.app/vfs"
 )
@@ -21,6 +22,10 @@ func main() {
 	log.SetFlags(0)
 	log.SetPrefix("testtool: ")
 
+	environ := slices.DeleteFunc(slices.Clone(os.Environ()), func(s string) bool {
+		return s == "CURE_JOBS="+strconv.Itoa(runtime.NumCPU())
+	})
+
 	var hostNet, layers, promote bool
 	if len(os.Args) == 2 && os.Args[0] == "testtool" {
 		switch os.Args[1] {
@@ -48,15 +53,15 @@ func main() {
 
 	var overlayRoot bool
 	wantEnv := []string{"HAKUREI_TEST=1"}
-	if len(os.Environ()) == 2 {
+	if len(environ) == 2 {
 		overlayRoot = true
 		if !layers && !promote {
 			log.SetPrefix("testtool(overlay root): ")
 		}
 		wantEnv = []string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"}
 	}
-	if !slices.Equal(wantEnv, os.Environ()) {
+	if !slices.Equal(wantEnv, environ) {
-		log.Fatalf("Environ: %q, want %q", os.Environ(), wantEnv)
+		log.Fatalf("Environ: %q, want %q", environ, wantEnv)
 	}
 
 	var overlayWork bool
@@ -153,43 +158,24 @@ func main() {
 			m.Source != "overlay" || m.FsType != "overlay" {
 			log.Fatal("unexpected root mount entry")
 		}
-		var lowerdir string
+		var lowerdir []string
 		for _, o := range strings.Split(m.FsOptstr, ",") {
-			const lowerdirKey = "lowerdir="
+			const lowerdirKey = "lowerdir+="
 			if strings.HasPrefix(o, lowerdirKey) {
-				lowerdir = o[len(lowerdirKey):]
+				lowerdir = append(lowerdir, o[len(lowerdirKey):])
 			}
 		}
 		if !layers {
-			if filepath.Base(lowerdir) != checksumEmptyDir {
+			if len(lowerdir) != 1 || filepath.Base(lowerdir[0]) != checksumEmptyDir {
 				log.Fatal("unexpected artifact checksum")
 			}
 		} else {
 			ident = "p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT"
 
-			lowerdirsEscaped := strings.Split(lowerdir, ":")
+			if len(lowerdir) != 2 ||
-			lowerdirs := lowerdirsEscaped[:0]
+				filepath.Base(lowerdir[0]) != "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU" ||
-			// ignore the option separator since it does not appear in ident
+				filepath.Base(lowerdir[1]) != "nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK" {
-			for i, e := range lowerdirsEscaped {
+				log.Fatalf("unexpected lowerdirs %s", strings.Join(lowerdir, ", "))
-				if len(e) > 0 &&
-					e[len(e)-1] == check.SpecialOverlayEscape[0] &&
-					(len(e) == 1 || e[len(e)-2] != check.SpecialOverlayEscape[0]) {
-					// ignore escaped pathname separator since it does not
-					// appear in ident
-
-					e = e[:len(e)-1]
-					if len(lowerdirsEscaped) != i {
-						lowerdirsEscaped[i+1] = e + lowerdirsEscaped[i+1]
-						continue
-					}
-				}
-				lowerdirs = append(lowerdirs, e)
-			}
-
-			if len(lowerdirs) != 2 ||
-				filepath.Base(lowerdirs[0]) != "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU" ||
-				filepath.Base(lowerdirs[1]) != "nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK" {
-				log.Fatalf("unexpected lowerdirs %s", strings.Join(lowerdirs, ", "))
 			}
 		}
 	} else {

internal/rosa/acl.go

@@ -7,10 +7,10 @@ func (t Toolchain) newAttr() (pkg.Artifact, string) {
 		version  = "2.5.2"
 		checksum = "YWEphrz6vg1sUMmHHVr1CRo53pFXRhq_pjN-AlG8UgwZK1y6m7zuDhxqJhD0SV0l"
 	)
-	return t.NewPackage("attr", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("attr", version, newTar(
-		nil, "https://download.savannah.nongnu.org/releases/attr/"+
+		"https://download.savannah.nongnu.org/releases/attr/"+
 			"attr-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Patches: []KV{
@@ -81,10 +81,10 @@ func (t Toolchain) newACL() (pkg.Artifact, string) {
 		version  = "2.3.2"
 		checksum = "-fY5nwH4K8ZHBCRXrzLdguPkqjKI6WIiGu4dBtrZ1o0t6AIU73w8wwJz_UyjIS0P"
 	)
-	return t.NewPackage("acl", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("acl", version, newTar(
-		nil, "https://download.savannah.nongnu.org/releases/acl/"+
+		"https://download.savannah.nongnu.org/releases/acl/"+
 			"acl-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, &MakeHelper{
 		// makes assumptions about uid_map/gid_map

internal/rosa/all.go

@@ -16,9 +16,7 @@ import (
 type PArtifact int
 
 const (
-	LLVMCompilerRT PArtifact = iota
+	LLVM PArtifact = iota
-	LLVMRuntimes
-	LLVMClang
 
 	// EarlyInit is the Rosa OS init program.
 	EarlyInit
@@ -64,6 +62,7 @@ const (
 	GenInitCPIO
 	Gettext
 	Git
+	Glslang
 	GnuTLS
 	Go
 	Gperf
@@ -73,16 +72,22 @@ const (
 	HakureiDist
 	IPTables
 	Kmod
+	LIT
+	LibX11
 	LibXau
+	LibXext
 	Libbsd
 	Libcap
+	Libdrm
 	Libev
 	Libexpat
 	Libffi
 	Libgd
+	Libglvnd
 	Libiconv
 	Libmd
 	Libmnl
+	Libpciaccess
 	Libnftnl
 	Libpsl
 	Libseccomp
@@ -90,8 +95,10 @@ const (
 	Libtool
 	Libucontext
 	Libunistring
+	Libxshmfence
 	Libxml2
 	Libxslt
+	Libxtrans
 	M4
 	MPC
 	MPFR
@@ -119,22 +126,35 @@ const (
 	PerlTermReadKey
 	PerlTextCharWidth
 	PerlTextWrapI18N
-	PerlUnicodeGCString
+	PerlUnicodeLineBreak
 	PerlYAMLTiny
 	PkgConfig
 	Procps
 	Python
+	PythonFlitCore
+	PythonHatchling
 	PythonIniConfig
+	PythonMako
+	PythonMarkupSafe
 	PythonPackaging
+	PythonPathspec
 	PythonPluggy
 	PythonPyTest
+	PythonPyYAML
 	PythonPygments
+	PythonSetuptools
+	PythonSetuptoolsSCM
+	PythonTroveClassifiers
+	PythonVCSVersioning
+	PythonWheel
 	QEMU
 	Rdfind
 	Readline
 	Rsync
 	Sed
-	Setuptools
+	SPIRVHeaders
+	SPIRVLLVMTranslator
+	SPIRVTools
 	SquashfsTools
 	Strace
 	TamaGo
@@ -148,19 +168,35 @@ const (
 	WaylandProtocols
 	XCB
 	XCBProto
-	Xproto
+	XDGDBusProxy
 	XZ
+	XorgProto
 	Zlib
 	Zstd
 
 	// PresetUnexportedStart is the first unexported preset.
 	PresetUnexportedStart
 
-	buildcatrust = iota - 1
+	llvmSource = iota - 1
+	// earlyCompilerRT is an early, standalone compiler-rt installation for the
+	// standalone runtimes build.
+	//
+	// earlyCompilerRT must only be loaded by [LLVM].
+	earlyCompilerRT
+	// earlyRuntimes is an early, standalone installation of LLVM runtimes to
+	// work around the cmake build system leaking the system LLVM installation
+	// when invoking the newly built toolchain.
+	//
+	// earlyRuntimes must only be loaded by [LLVM].
+	earlyRuntimes
+
+	buildcatrust
 	utilMacros
 
 	// Musl is a standalone libc that does not depend on the toolchain.
 	Musl
+	// muslHeaders is a system installation of [Musl] headers.
+	muslHeaders
 
 	// gcc is a hacked-to-pieces GCC toolchain meant for use in intermediate
 	// stages only. This preset and its direct output must never be exposed.
@@ -305,15 +341,29 @@ var (
 	}
 	// artifactsOnce is for lazy initialisation of artifacts.
 	artifactsOnce [_toolchainEnd][len(artifactsM)]sync.Once
+
+	// presetOpts globally modifies behaviour of presets.
+	presetOpts int
 )
 
+const (
+	// OptSkipCheck skips running all test suites.
+	OptSkipCheck = 1 << iota
+	// OptLLVMNoLTO disables LTO in all [LLVM] stages.
+	OptLLVMNoLTO
+)
+
+// Flags returns the current preset flags
+func Flags() int { return presetOpts }
+
 // zero zeros the value pointed to by p.
 func zero[T any](p *T) { var v T; *p = v }
 
 // DropCaches arranges for all cached [pkg.Artifact] to be freed some time after
 // it returns. Must not be used concurrently with any other function from this
 // package.
-func DropCaches() {
+func DropCaches(flags int) {
+	presetOpts = flags
 	zero(&artifacts)
 	zero(&artifactsOnce)
 }

internal/rosa/all_test.go

@@ -20,13 +20,16 @@ func TestLoad(t *testing.T) {
 }
 
 func BenchmarkAll(b *testing.B) {
+	flags := rosa.Flags()
+	b.Cleanup(func() { rosa.DropCaches(flags) })
+
 	for b.Loop() {
 		for i := range rosa.PresetEnd {
 			rosa.Std.Load(rosa.PArtifact(i))
 		}
 
 		b.StopTimer()
-		rosa.DropCaches()
+		rosa.DropCaches(0)
 		b.StartTimer()
 	}
 }

internal/rosa/argp-standalone.go

@@ -7,10 +7,10 @@ func (t Toolchain) newArgpStandalone() (pkg.Artifact, string) {
 		version  = "1.3"
 		checksum = "vtW0VyO2pJ-hPyYmDI2zwSLS8QL0sPAUKC1t3zNYbwN2TmsaE-fADhaVtNd3eNFl"
 	)
-	return t.NewPackage("argp-standalone", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("argp-standalone", version, newTar(
-		nil, "http://www.lysator.liu.se/~nisse/misc/"+
+		"http://www.lysator.liu.se/~nisse/misc/"+
 			"argp-standalone-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Env: []string{

internal/rosa/bzip2.go

@@ -7,9 +7,9 @@ func (t Toolchain) newBzip2() (pkg.Artifact, string) {
 		version  = "1.0.8"
 		checksum = "cTLykcco7boom-s05H1JVsQi1AtChYL84nXkg_92Dm1Xt94Ob_qlMg_-NSguIK-c"
 	)
-	return t.NewPackage("bzip2", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("bzip2", version, newTar(
-		nil, "https://sourceware.org/pub/bzip2/bzip2-"+version+".tar.gz",
+		"https://sourceware.org/pub/bzip2/bzip2-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable:    true,

internal/rosa/cmake.go

@@ -10,13 +10,14 @@ import (
 
 func (t Toolchain) newCMake() (pkg.Artifact, string) {
 	const (
-		version  = "4.3.1"
+		version  = "4.3.2"
-		checksum = "RHpzZiM1kJ5bwLjo9CpXSeHJJg3hTtV9QxBYpQoYwKFtRh5YhGWpShrqZCSOzQN6"
+		checksum = "6QylwRVKletndTSkZTV2YBRwgd_9rUVgav_QW23HpjUgV21AVYZOUOal8tdBDmO7"
 	)
-	return t.NewPackage("cmake", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("cmake", version, newFromGitHubRelease(
-		nil, "https://github.com/Kitware/CMake/releases/download/"+
+		"Kitware/CMake",
-			"v"+version+"/cmake-"+version+".tar.gz",
+		"v"+version,
-		mustDecode(checksum),
+		"cmake-"+version+".tar.gz",
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		// test suite expects writable source tree
@@ -90,7 +91,7 @@ index 2ead810437..f85cbb8b1c 100644
 		ConfigureName: "/usr/src/cmake/bootstrap",
 		Configure: []KV{
 			{"prefix", "/system"},
-			{"parallel", `"$(nproc)"`},
+			{"parallel", jobsE},
 			{"--"},
 			{"-DCMAKE_USE_OPENSSL", "OFF"},
 			{"-DCMake_TEST_NO_NETWORK", "ON"},
@@ -118,31 +119,27 @@ func init() {
 
 // CMakeHelper is the [CMake] build system helper.
 type CMakeHelper struct {
-	// Joined with name with a dash if non-empty.
-	Variant string
-
 	// Path elements joined with source.
 	Append []string
 
+	// Value of CMAKE_BUILD_TYPE. The zero value is equivalent to "Release".
+	BuildType string
 	// CMake CACHE entries.
 	Cache []KV
 	// Runs after install.
 	Script string
 
+	// Replaces the default test command.
+	Test string
+	// Whether to skip running tests.
+	SkipTest bool
+
 	// Whether to generate Makefile instead.
 	Make bool
 }
 
 var _ Helper = new(CMakeHelper)
 
-// name returns its arguments and an optional variant string joined with '-'.
-func (attr *CMakeHelper) name(name, version string) string {
-	if attr != nil && attr.Variant != "" {
-		name += "-" + attr.Variant
-	}
-	return name + "-" + version
-}
-
 // extra returns a hardcoded slice of [CMake] and [Ninja].
 func (attr *CMakeHelper) extra(int) P {
 	if attr != nil && attr.Make {
@@ -169,22 +166,30 @@ func (*CMakeHelper) wantsDir() string { return "/cure/" }
 // script generates the cure script.
 func (attr *CMakeHelper) script(name string) string {
 	if attr == nil {
-		attr = &CMakeHelper{
+		attr = new(CMakeHelper)
-			Cache: []KV{
-				{"CMAKE_BUILD_TYPE", "Release"},
-			},
-		}
-	}
-	if len(attr.Cache) == 0 {
-		panic("CACHE must be non-empty")
 	}
 
 	generate := "Ninja"
-	jobs := ""
+	test := "ninja " + jobsFlagE + " test"
 	if attr.Make {
 		generate = "'Unix Makefiles'"
-		jobs += ` "--parallel=$(nproc)"`
+		test = "make " + jobsFlagE + " test"
 	}
+	if attr.Test != "" {
+		test = attr.Test
+	}
+
+	script := attr.Script
+	if !attr.SkipTest && presetOpts&OptSkipCheck == 0 {
+		script += "\n" + test
+	}
+
+	cache := make([]KV, 1, 1+len(attr.Cache))
+	cache[0] = KV{"CMAKE_BUILD_TYPE", "Release"}
+	if attr.BuildType != "" {
+		cache[0][1] = attr.BuildType
+	}
+	cache = append(cache, attr.Cache...)
 
 	return `
 cmake -G ` + generate + ` \
@@ -193,7 +198,7 @@ cmake -G ` + generate + ` \
 	-DCMAKE_ASM_COMPILER_TARGET="${ROSA_TRIPLE}" \
 	-DCMAKE_INSTALL_LIBDIR=lib \
 	` + strings.Join(slices.Collect(func(yield func(string) bool) {
-		for _, v := range attr.Cache {
+		for _, v := range cache {
 			if !yield("-D" + v[0] + "=" + v[1]) {
 				return
 			}
@@ -201,7 +206,7 @@ cmake -G ` + generate + ` \
 	}), " \\\n\t") + ` \
 	-DCMAKE_INSTALL_PREFIX=/system \
 	'/usr/src/` + name + `/` + filepath.Join(attr.Append...) + `'
-cmake --build .` + jobs + `
+cmake --build . --parallel=` + jobsE + `
 cmake --install . --prefix=/work/system
-` + attr.Script
+` + script
 }

internal/rosa/connman.go

@@ -7,10 +7,10 @@ func (t Toolchain) newConnman() (pkg.Artifact, string) {
 		version  = "2.0"
 		checksum = "MhVTdJOhndnZn2SWd8URKo_Pj7Zvc14tntEbrVOf9L3yVWJvpb3v3Q6104tWJgtW"
 	)
-	return t.NewPackage("connman", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("connman", version, newTar(
-		nil, "https://git.kernel.org/pub/scm/network/connman/connman.git/"+
+		"https://git.kernel.org/pub/scm/network/connman/connman.git/"+
 			"snapshot/connman-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Patches: []KV{

internal/rosa/curl.go

@@ -7,15 +7,15 @@ func (t Toolchain) newCurl() (pkg.Artifact, string) {
 		version  = "8.19.0"
 		checksum = "YHuVLVVp8q_Y7-JWpID5ReNjq2Zk6t7ArHB6ngQXilp_R5l3cubdxu3UKo-xDByv"
 	)
-	return t.NewPackage("curl", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("curl", version, newTar(
-		nil, "https://curl.se/download/curl-"+version+".tar.bz2",
+		"https://curl.se/download/curl-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
 	), &PackageAttr{
 		// remove broken test
 		Writable: true,
 		ScriptEarly: `
-chmod +w tests/data && rm tests/data/test459
+chmod +w tests/data && rm -f tests/data/test459
 `,
 	}, &MakeHelper{
 		Configure: []KV{
@@ -25,7 +25,7 @@ chmod +w tests/data && rm tests/data/test459
 			{"disable-smb"},
 		},
 		Check: []string{
-			`TFLAGS="-j$(expr "$(nproc)" '*' 2)"`,
+			"TFLAGS=" + jobsLFlagE,
 			"test-nonflaky",
 		},
 	},

internal/rosa/dbus.go

@@ -7,11 +7,11 @@ func (t Toolchain) newDBus() (pkg.Artifact, string) {
 		version  = "1.16.2"
 		checksum = "INwOuNdrDG7XW5ilW_vn8JSxEa444rRNc5ho97i84I1CNF09OmcFcV-gzbF4uCyg"
 	)
-	return t.NewPackage("dbus", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("dbus", version, newFromGitLab(
-		nil, "https://gitlab.freedesktop.org/dbus/dbus/-/archive/"+
+		"gitlab.freedesktop.org",
-			"dbus-"+version+"/dbus-dbus-"+version+".tar.bz2",
+		"dbus/dbus",
-		mustDecode(checksum),
+		"dbus-"+version,
-		pkg.TarBzip2,
+		checksum,
 	), &PackageAttr{
 		// OSError: [Errno 30] Read-only file system: '/usr/src/dbus/subprojects/packagecache'
 		Writable: true,
@@ -44,3 +44,38 @@ func init() {
 		ID: 5356,
 	}
 }
+
+func (t Toolchain) newXDGDBusProxy() (pkg.Artifact, string) {
+	const (
+		version  = "0.1.7"
+		checksum = "UW5Pe-TP-XAaN-kTbxrkOQ7eYdmlAQlr2pdreLtPT0uwdAz-7rzDP8V_8PWuZBup"
+	)
+	return t.NewPackage("xdg-dbus-proxy", version, newFromGitHub(
+		"flatpak/xdg-dbus-proxy",
+		version,
+		checksum,
+	), nil, &MesonHelper{
+		Setup: []KV{
+			{"Dman", "disabled"},
+		},
+	},
+		DBus,
+
+		GLib,
+	), version
+}
+func init() {
+	artifactsM[XDGDBusProxy] = Metadata{
+		f: Toolchain.newXDGDBusProxy,
+
+		Name:        "xdg-dbus-proxy",
+		Description: "a filtering proxy for D-Bus connections",
+		Website:     "https://github.com/flatpak/xdg-dbus-proxy",
+
+		Dependencies: P{
+			GLib,
+		},
+
+		ID: 58434,
+	}
+}

internal/rosa/dtc.go

@@ -7,10 +7,10 @@ func (t Toolchain) newDTC() (pkg.Artifact, string) {
 		version  = "1.7.2"
 		checksum = "vUoiRynPyYRexTpS6USweT5p4SVHvvVJs8uqFkkVD-YnFjwf6v3elQ0-Etrh00Dt"
 	)
-	return t.NewPackage("dtc", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("dtc", version, newTar(
-		nil, "https://git.kernel.org/pub/scm/utils/dtc/dtc.git/snapshot/"+
+		"https://git.kernel.org/pub/scm/utils/dtc/dtc.git/snapshot/"+
 			"dtc-v"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		// works around buggy test:

internal/rosa/elfutils.go

@@ -4,13 +4,13 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newElfutils() (pkg.Artifact, string) {
 	const (
-		version  = "0.194"
+		version  = "0.195"
-		checksum = "Q3XUygUPv9vR1TkWucwUsQ8Kb1_F6gzk-KMPELr3cC_4AcTrprhVPMvN0CKkiYRa"
+		checksum = "JrGnBD38w8Mj0ZxDw3fKlRBFcLvRKu8rcYnX35R9yTlUSYnzTazyLboG-a2CsJlu"
 	)
-	return t.NewPackage("elfutils", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("elfutils", version, newTar(
-		nil, "https://sourceware.org/elfutils/ftp/"+
+		"https://sourceware.org/elfutils/ftp/"+
 			version+"/elfutils-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
 	), &PackageAttr{
 		Env: []string{

internal/rosa/etc.go

@@ -135,10 +135,11 @@ func newIANAEtc() pkg.Artifact {
 		version  = "20251215"
 		checksum = "kvKz0gW_rGG5QaNK9ZWmWu1IEgYAdmhj_wR7DYrh3axDfIql_clGRHmelP7525NJ"
 	)
-	return pkg.NewHTTPGetTar(
+	return newFromGitHubRelease(
-		nil, "https://github.com/Mic92/iana-etc/releases/download/"+
+		"Mic92/iana-etc",
-			version+"/iana-etc-"+version+".tar.gz",
+		version,
-		mustDecode(checksum),
+		"iana-etc-"+version+".tar.gz",
+		checksum,
 		pkg.TarGzip,
 	)
 }

internal/rosa/fakeroot.go

@@ -7,11 +7,11 @@ func (t Toolchain) newFakeroot() (pkg.Artifact, string) {
 		version  = "1.37.2"
 		checksum = "4ve-eDqVspzQ6VWDhPS0NjW3aSenBJcPAJq_BFT7OOFgUdrQzoTBxZWipDAGWxF8"
 	)
-	return t.NewPackage("fakeroot", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("fakeroot", version, newFromGitLab(
-		nil, "https://salsa.debian.org/clint/fakeroot/-/archive/upstream/"+
+		"salsa.debian.org",
-			version+"/fakeroot-upstream-"+version+".tar.bz2",
+		"clint/fakeroot",
-		mustDecode(checksum),
+		"upstream/"+version,
-		pkg.TarBzip2,
+		checksum,
 	), &PackageAttr{
 		Patches: []KV{
 			{"remove-broken-docs", `diff --git a/doc/Makefile.am b/doc/Makefile.am

internal/rosa/flex.go

@@ -9,10 +9,11 @@ func (t Toolchain) newFlex() (pkg.Artifact, string) {
 		version  = "2.6.4"
 		checksum = "p9POjQU7VhgOf3x5iFro8fjhy0NOanvA7CTeuWS_veSNgCixIJshTrWVkc5XLZkB"
 	)
-	return t.NewPackage("flex", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("flex", version, newFromGitHubRelease(
-		nil, "https://github.com/westes/flex/releases/download/"+
+		"westes/flex",
-			"v"+version+"/flex-"+version+".tar.gz",
+		"v"+version,
-		mustDecode(checksum),
+		"flex-"+version+".tar.gz",
+		checksum,
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil),
 		M4,

internal/rosa/fuse.go

@@ -7,10 +7,11 @@ func (t Toolchain) newFuse() (pkg.Artifact, string) {
 		version  = "3.18.2"
 		checksum = "iL-7b7eUtmlVSf5cSq0dzow3UiqSjBmzV3cI_ENPs1tXcHdktkG45j1V12h-4jZe"
 	)
-	return t.NewPackage("fuse", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("fuse", version, newFromGitHubRelease(
-		nil, "https://github.com/libfuse/libfuse/releases/download/"+
+		"libfuse/libfuse",
-			"fuse-"+version+"/fuse-"+version+".tar.gz",
+		"fuse-"+version,
-		mustDecode(checksum),
+		"fuse-"+version+".tar.gz",
+		checksum,
 		pkg.TarGzip,
 	), nil, &MesonHelper{
 		Setup: []KV{

internal/rosa/git.go

@@ -9,17 +9,20 @@ import (
 
 func (t Toolchain) newGit() (pkg.Artifact, string) {
 	const (
-		version  = "2.53.0"
+		version  = "2.54.0"
-		checksum = "rlqSTeNgSeVKJA7nvzGqddFH8q3eFEPB4qRZft-4zth8wTHnbTbm7J90kp_obHGm"
+		checksum = "7vGKtFOJGqY8DO4e8UMRax7dLgImXKQz5MMalec6MlgYrsarffSJjgOughwRFpSH"
 	)
-	return t.NewPackage("git", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("git", version, newTar(
-		nil, "https://www.kernel.org/pub/software/scm/git/"+
+		"https://www.kernel.org/pub/software/scm/git/"+
 			"git-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		ScriptEarly: `
 ln -s ../../system/bin/perl /usr/bin/ || true
+
+# test suite assumes apache
+rm -f /system/bin/httpd
 `,
 
 		// uses source tree as scratch space
@@ -38,6 +41,7 @@ function disable_test {
 	fi
 }
 
+disable_test t1800-hook
 disable_test t5319-multi-pack-index
 disable_test t1305-config-include
 disable_test t3900-i18n-commit
@@ -58,11 +62,14 @@ disable_test t2200-add-update
 			"prove",
 		},
 		Install: `make \
-	"-j$(nproc)" \
+	` + jobsFlagE + ` \
 	DESTDIR=/work \
 	NO_INSTALL_HARDLINKS=1 \
 	install`,
 	},
+		// test suite hangs on mksh
+		Bash,
+
 		Diffutils,
 		Autoconf,
 		Gettext,
@@ -114,3 +121,8 @@ git \
 rm -rf /work/.git
 `, resolvconf())
 }
+
+// newTagRemote is a helper around NewViaGit for a tag on a git remote.
+func (t Toolchain) newTagRemote(url, tag, checksum string) pkg.Artifact {
+	return t.NewViaGit(url, "refs/tags/"+tag, mustDecode(checksum))
+}

internal/rosa/glslang.go

@@ -0,0 +1,190 @@
+package rosa
+
+import (
+	"slices"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+)
+
+func (t Toolchain) newSPIRVHeaders() (pkg.Artifact, string) {
+	const (
+		version  = "1.4.341.0"
+		checksum = "0PL43-19Iaw4k7_D8J8BvoJ-iLgCVSYZ2ThgDPGfAJwIJFtre7l0cnQtLjcY-JvD"
+	)
+	return t.NewPackage("spirv-headers", version, newFromGitHub(
+		"KhronosGroup/SPIRV-Headers",
+		"vulkan-sdk-"+version,
+		checksum,
+	), nil, &CMakeHelper{
+		// upstream has no tests
+		SkipTest: true,
+	}), version
+}
+func init() {
+	artifactsM[SPIRVHeaders] = Metadata{
+		f: Toolchain.newSPIRVHeaders,
+
+		Name:        "spirv-headers",
+		Description: "machine-readable files for the SPIR-V Registry",
+		Website:     "https://github.com/KhronosGroup/SPIRV-Headers",
+
+		ID: 230542,
+
+		// upstream changed version scheme, anitya incapable of filtering them
+		latest: func(v *Versions) string {
+			for _, s := range v.Stable {
+				fields := strings.SplitN(s, ".", 4)
+				if len(fields) != 4 {
+					continue
+				}
+				if slices.ContainsFunc(fields, func(f string) bool {
+					return slices.ContainsFunc([]byte(f), func(d byte) bool {
+						return d < '0' || d > '9'
+					})
+				}) {
+					continue
+				}
+				return s
+			}
+			return v.Latest
+		},
+	}
+}
+
+func (t Toolchain) newSPIRVTools() (pkg.Artifact, string) {
+	const (
+		version  = "2026.1"
+		checksum = "ZSQPQx8NltCDzQLk4qlaVxyWRWeI_JtsjEpeFt3kezTanl9DTHfLixSUCezMFBjv"
+	)
+	return t.NewPackage("spirv-tools", version, newFromGitHub(
+		"KhronosGroup/SPIRV-Tools",
+		"v"+version,
+		checksum,
+	), nil, &CMakeHelper{
+		Cache: []KV{
+			{"SPIRV-Headers_SOURCE_DIR", "/system"},
+		},
+	},
+		Python,
+
+		SPIRVHeaders,
+	), version
+}
+func init() {
+	artifactsM[SPIRVTools] = Metadata{
+		f: Toolchain.newSPIRVTools,
+
+		Name:        "spirv-tools",
+		Description: "an API and commands for processing SPIR-V modules",
+		Website:     "https://github.com/KhronosGroup/SPIRV-Tools",
+
+		Dependencies: P{
+			SPIRVHeaders,
+		},
+
+		ID: 14894,
+
+		latest: (*Versions).getStable,
+	}
+}
+
+func (t Toolchain) newGlslang() (pkg.Artifact, string) {
+	const (
+		version  = "16.2.0"
+		checksum = "6_UuF9reLRDaVkgO-9IfB3kMwme3lQZM8LL8YsJwPdUFkrjzxJtf2A9X3w9nFxj2"
+	)
+	return t.NewPackage("glslang", version, newFromGitHub(
+		"KhronosGroup/glslang",
+		version,
+		checksum,
+	), &PackageAttr{
+		// test suite writes to source
+		Writable: true,
+		Chmod:    true,
+	}, &CMakeHelper{
+		Cache: []KV{
+			{"BUILD_SHARED_LIBS", "ON"},
+			{"ALLOW_EXTERNAL_SPIRV_TOOLS", "ON"},
+		},
+	},
+		Python,
+		Bash,
+		Diffutils,
+
+		SPIRVTools,
+	), version
+}
+func init() {
+	artifactsM[Glslang] = Metadata{
+		f: Toolchain.newGlslang,
+
+		Name:        "glslang",
+		Description: "reference front end for GLSL/ESSL",
+		Website:     "https://github.com/KhronosGroup/glslang",
+
+		ID: 205796,
+	}
+}
+
+func (t Toolchain) newSPIRVLLVMTranslator() (pkg.Artifact, string) {
+	const (
+		version  = "22.1.2"
+		checksum = "JZAaV5ewYcm-35YA_U2BM2IcsQouZtX1BLZR0zh2vSlfEXMsT5OCtY4Gh5RJkcGy"
+	)
+	return t.NewPackage("spirv-llvm-translator", version, newFromGitHub(
+		"KhronosGroup/SPIRV-LLVM-Translator",
+		"v"+version, checksum,
+	), &PackageAttr{
+		Patches: []KV{
+			{"remove-early-prefix", `diff --git a/CMakeLists.txt b/CMakeLists.txt
+index c000a77e..86f79b03 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -172,5 +172,5 @@ install(
+   FILES
+     ${CMAKE_BINARY_DIR}/LLVMSPIRVLib.pc
+   DESTINATION
+-    ${CMAKE_INSTALL_PREFIX}/lib${LLVM_LIBDIR_SUFFIX}/pkgconfig
++    lib${LLVM_LIBDIR_SUFFIX}/pkgconfig
+ )
+`},
+		},
+
+		// litArgs emits shell syntax
+		ScriptEarly: `
+export LIT_OPTS=` + litArgs(true,
+			// error: line 13: OpTypeCooperativeMatrixKHR Scope is limited to Workgroup and Subgroup
+			"cooperative_matrix_constant_null.spvasm") + `
+`,
+	}, &CMakeHelper{
+		Cache: []KV{
+			{"CMAKE_SKIP_BUILD_RPATH", "ON"},
+			{"BUILD_SHARED_LIBS", "ON"},
+			{"LLVM_SPIRV_ENABLE_LIBSPIRV_DIS", "ON"},
+			{"LLVM_EXTERNAL_SPIRV_HEADERS_SOURCE_DIR", "/system"},
+			{"LLVM_EXTERNAL_LIT", "/system/bin/lit"},
+			{"LLVM_INCLUDE_TESTS", "ON"},
+		},
+	},
+		Bash,
+		LIT,
+
+		SPIRVTools,
+	), version
+}
+func init() {
+	artifactsM[SPIRVLLVMTranslator] = Metadata{
+		f: Toolchain.newSPIRVLLVMTranslator,
+
+		Name:        "spirv-llvm-translator",
+		Description: "bi-directional translation between SPIR-V and LLVM IR",
+		Website:     "https://github.com/KhronosGroup/SPIRV-LLVM-Translator",
+
+		Dependencies: P{
+			SPIRVTools,
+		},
+
+		ID: 227273,
+	}
+}

internal/rosa/gnu.go

@@ -2,18 +2,55 @@ package rosa
 
 import (
 	"runtime"
+	"slices"
+	"strconv"
+	"strings"
 
 	"hakurei.app/internal/pkg"
 )
 
+// skipGNUTests generates a string for skipping specific tests by number in a
+// GNU test suite. This is nontrivial because the test suite does not support
+// excluding tests in any way, so ranges for all but the skipped tests have to
+// be specified instead.
+//
+// For example, to skip test 764, ranges around the skipped test must be
+// specified:
+//
+//	1-763 765-
+//
+// Tests are numbered starting from 1. The resulting string is unquoted.
+func skipGNUTests(tests ...int) string {
+	tests = slices.Clone(tests)
+	slices.Sort(tests)
+
+	var buf strings.Builder
+
+	if tests[0] != 1 {
+		buf.WriteString("1-")
+	}
+
+	for i, n := range tests {
+		if n != 1 && (i == 0 || tests[i-1] != n-1) {
+			buf.WriteString(strconv.Itoa(n - 1))
+			buf.WriteString(" ")
+		}
+		if i == len(tests)-1 || tests[i+1] != n+1 {
+			buf.WriteString(strconv.Itoa(n + 1))
+			buf.WriteString("-")
+		}
+	}
+	return buf.String()
+}
+
 func (t Toolchain) newM4() (pkg.Artifact, string) {
 	const (
 		version  = "1.4.21"
 		checksum = "pPa6YOo722Jw80l1OsH1tnUaklnPFjFT-bxGw5iAVrZTm1P8FQaWao_NXop46-pm"
 	)
-	return t.NewPackage("m4", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("m4", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/m4/m4-"+version+".tar.bz2",
+		"https://ftpmirror.gnu.org/gnu/m4/m4-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
 	), &PackageAttr{
 		Writable: true,
@@ -43,11 +80,19 @@ func (t Toolchain) newBison() (pkg.Artifact, string) {
 		version  = "3.8.2"
 		checksum = "BhRM6K7URj1LNOkIDCFDctSErLS-Xo5d9ba9seg10o6ACrgC1uNhED7CQPgIY29Y"
 	)
-	return t.NewPackage("bison", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("bison", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/bison/bison-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/bison/bison-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
-	), nil, (*MakeHelper)(nil),
+	), nil, &MakeHelper{
+		Check: []string{
+			"TESTSUITEFLAGS=" + jobsFlagE + "' " + skipGNUTests(
+				// clang miscompiles (SIGILL)
+				764,
+			) + "'",
+			"check",
+		},
+	},
 		M4,
 		Diffutils,
 		Sed,
@@ -67,15 +112,17 @@ func init() {
 
 func (t Toolchain) newSed() (pkg.Artifact, string) {
 	const (
-		version  = "4.9"
+		version  = "4.10"
-		checksum = "pe7HWH4PHNYrazOTlUoE1fXmhn2GOPFN_xE62i0llOr3kYGrH1g2_orDz0UtZ9Nt"
+		checksum = "TXTRFQJCyflb-bpBRI2S5Y1DpplwvT7-KfXtpqN4AdZgZ5OtI6yStn1-bkhDKx51"
 	)
-	return t.NewPackage("sed", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("sed", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/sed/sed-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/sed/sed-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil),
 		Diffutils,
+
+		KernelHeaders,
 	), version
 }
 func init() {
@@ -95,15 +142,15 @@ func (t Toolchain) newAutoconf() (pkg.Artifact, string) {
 		version  = "2.73"
 		checksum = "yGabDTeOfaCUB0JX-h3REYLYzMzvpDwFmFFzHNR7QilChCUNE4hR6q7nma4viDYg"
 	)
-	return t.NewPackage("autoconf", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("autoconf", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/autoconf/autoconf-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/autoconf/autoconf-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Flag: TExclusive,
 	}, &MakeHelper{
 		Check: []string{
-			`TESTSUITEFLAGS="-j$(nproc)"`,
+			"TESTSUITEFLAGS=" + jobsFlagE,
 			"check",
 		},
 	},
@@ -135,9 +182,9 @@ func (t Toolchain) newAutomake() (pkg.Artifact, string) {
 		version  = "1.18.1"
 		checksum = "FjvLG_GdQP7cThTZJLDMxYpRcKdpAVG-YDs1Fj1yaHlSdh_Kx6nRGN14E0r_BjcG"
 	)
-	return t.NewPackage("automake", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("automake", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/automake/automake-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/automake/automake-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,
@@ -179,13 +226,16 @@ func (t Toolchain) newLibtool() (pkg.Artifact, string) {
 		version  = "2.5.4"
 		checksum = "pa6LSrQggh8mSJHQfwGjysAApmZlGJt8wif2cCLzqAAa2jpsTY0jZ-6stS3BWZ2Q"
 	)
-	return t.NewPackage("libtool", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libtool", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/libtool/libtool-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/libtool/libtool-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, &MakeHelper{
+		// _Z2a2c: symbol not found
+		SkipCheck: t.isStage0(),
+
 		Check: []string{
-			`TESTSUITEFLAGS="-j$(nproc)"`,
+			"TESTSUITEFLAGS=" + jobsFlagE,
 			"check",
 		},
 	},
@@ -210,9 +260,9 @@ func (t Toolchain) newGzip() (pkg.Artifact, string) {
 		version  = "1.14"
 		checksum = "NWhjUavnNfTDFkZJyAUonL9aCOak8GVajWX2OMlzpFnuI0ErpBFyj88mz2xSjz0q"
 	)
-	return t.NewPackage("gzip", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("gzip", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/gzip/gzip-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/gzip/gzip-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, &MakeHelper{
 		// dependency loop
@@ -236,9 +286,9 @@ func (t Toolchain) newGettext() (pkg.Artifact, string) {
 		version  = "1.0"
 		checksum = "3MasKeEdPeFEgWgzsBKk7JqWqql1wEMbgPmzAfs-mluyokoW0N8oQVxPQoOnSdgC"
 	)
-	return t.NewPackage("gettext", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("gettext", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/gettext/gettext-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/gettext/gettext-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,
@@ -282,9 +332,9 @@ func (t Toolchain) newDiffutils() (pkg.Artifact, string) {
 		version  = "3.12"
 		checksum = "9J5VAq5oA7eqwzS1Yvw-l3G5o-TccUrNQR3PvyB_lgdryOFAfxtvQfKfhdpquE44"
 	)
-	return t.NewPackage("diffutils", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("diffutils", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/diffutils/diffutils-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/diffutils/diffutils-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,
@@ -315,9 +365,9 @@ func (t Toolchain) newPatch() (pkg.Artifact, string) {
 		version  = "2.8"
 		checksum = "MA0BQc662i8QYBD-DdGgyyfTwaeALZ1K0yusV9rAmNiIsQdX-69YC4t9JEGXZkeR"
 	)
-	return t.NewPackage("patch", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("patch", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/patch/patch-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/patch/patch-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,
@@ -347,9 +397,9 @@ func (t Toolchain) newBash() (pkg.Artifact, string) {
 		version  = "5.3"
 		checksum = "4LQ_GRoB_ko-Ih8QPf_xRKA02xAm_TOxQgcJLmFDT6udUPxTAWrsj-ZNeuTusyDq"
 	)
-	return t.NewPackage("bash", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("bash", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/bash/bash-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/bash/bash-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Flag: TEarly,
@@ -374,12 +424,12 @@ func init() {
 
 func (t Toolchain) newCoreutils() (pkg.Artifact, string) {
 	const (
-		version  = "9.10"
+		version  = "9.11"
-		checksum = "o-B9wssRnZySzJUI1ZJAgw-bZtj1RC67R9po2AcM2OjjS8FQIl16IRHpC6IwO30i"
+		checksum = "t8UMed5wpFEoC56aa42_yidfOAaRGzOfj7MRtQkkqgGbpXiskNA8bd-EmVSQkZie"
 	)
-	return t.NewPackage("coreutils", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("coreutils", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/coreutils/coreutils-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/coreutils/coreutils-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,
@@ -387,106 +437,13 @@ func (t Toolchain) newCoreutils() (pkg.Artifact, string) {
 test_disable() { chmod +w "$2" && echo "$1" > "$2"; }
 
 test_disable '#!/bin/sh' gnulib-tests/test-c32ispunct.sh
-test_disable '#!/bin/sh' tests/split/line-bytes.sh
 test_disable '#!/bin/sh' tests/ls/hyperlink.sh
+test_disable '#!/bin/sh' tests/misc/user.sh
 test_disable 'int main(){return 0;}' gnulib-tests/test-chown.c
 test_disable 'int main(){return 0;}' gnulib-tests/test-fchownat.c
 test_disable 'int main(){return 0;}' gnulib-tests/test-lchown.c
 `,
 
-		Patches: []KV{
-			{"tests-fix-job-control", `From 21d287324aa43aa3a31f39619ade0deac7fd6013 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
-Date: Tue, 24 Feb 2026 15:44:41 +0000
-Subject: [PATCH] tests: fix job control triggering test termination
-
-This avoids the test harness being terminated like:
-  make[1]: *** [Makefile:24419: check-recursive] Hangup
-  make[3]: *** [Makefile:24668: check-TESTS] Hangup
-  make: *** [Makefile:24922: check] Hangup
-  make[2]: *** [Makefile:24920: check-am] Hangup
-  make[4]: *** [Makefile:24685: tests/misc/usage_vs_refs.log] Error 129
-  ...
-
-This happened sometimes when the tests were being run non interactively.
-For example when run like:
-
-  setsid make TESTS="tests/timeout/timeout.sh \
-   tests/tail/overlay-headers.sh" SUBDIRS=. -j2 check
-
-Note the race window can be made bigger by adding a sleep
-after tail is stopped in overlay-headers.sh
-
-The race can trigger the kernel to induce its job control
-mechanism to prevent stuck processes.
-I.e. where it sends SIGHUP + SIGCONT to a process group
-when it determines that group may become orphaned,
-and there are stopped processes in that group.
-
-* tests/tail/overlay-headers.sh: Use setsid(1) to keep the stopped
-tail process in a separate process group, thus avoiding any kernel
-job control protection mechanism.
-* tests/timeout/timeout.sh: Use setsid(1) to avoid the kernel
-checking the main process group when sleep(1) is reparented.
-Fixes https://bugs.gnu.org/80477
----
- tests/tail/overlay-headers.sh |  8 +++++++-
- tests/timeout/timeout.sh      | 11 ++++++++---
- 2 files changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/tests/tail/overlay-headers.sh b/tests/tail/overlay-headers.sh
-index be9b6a7df..1e6da0a3f 100755
---- a/tests/tail/overlay-headers.sh
-+++ b/tests/tail/overlay-headers.sh
-@@ -20,6 +20,8 @@
- . "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
- print_ver_ tail sleep
- 
-+setsid true || skip_ 'setsid required to control groups'
-+
- # Function to count number of lines from tail
- # while ignoring transient errors due to resource limits
- countlines_ ()
-@@ -54,7 +56,11 @@ echo start > file2 || framework_failure_
- env sleep 60 & sleep=$!
- 
- # Note don't use timeout(1) here as it currently
--# does not propagate SIGCONT
-+# does not propagate SIGCONT.
-+# Note use setsid here to ensure we're in a separate process group
-+# as we're going to STOP this tail process, and this can trigger
-+# the kernel to send SIGHUP to a group if other tests have
-+# processes that are reparented. (See tests/timeout/timeout.sh).
- tail $fastpoll --pid=$sleep -f file1 file2 > out & pid=$!
- 
- # Ensure tail is running
-diff --git a/tests/timeout/timeout.sh b/tests/timeout/timeout.sh
-index 9a395416b..fbb043312 100755
---- a/tests/timeout/timeout.sh
-+++ b/tests/timeout/timeout.sh
-@@ -56,9 +56,14 @@ returns_ 124 timeout --foreground -s0 -k1 .1 sleep 10 && fail=1
- ) || fail=1
- 
- # Don't be confused when starting off with a child (Bug#9098).
--out=$(sleep .1 & exec timeout .5 sh -c 'sleep 2; echo foo')
--status=$?
--test "$out" = "" && test $status = 124 || fail=1
-+# Use setsid to avoid sleep being in the test's process group, as
-+# upon reparenting it can trigger an orphaned process group SIGHUP
-+# (if there were stopped processes in other tests).
-+if setsid true; then
-+  out=$(setsid sleep .1 & exec timeout .5 sh -c 'sleep 2; echo foo')
-+  status=$?
-+  test "$out" = "" && test $status = 124 || fail=1
-+fi
- 
- # Verify --verbose output
- cat > exp <<\EOF
--- 
-2.53.0
-`},
-		},
-
 		Flag: TEarly,
 	}, &MakeHelper{
 		Configure: []KV{
@@ -516,9 +473,9 @@ func (t Toolchain) newTexinfo() (pkg.Artifact, string) {
 		version  = "7.3"
 		checksum = "RRmC8Xwdof7JuZJeWGAQ_GeASIHAuJFQMbNONXBz5InooKIQGmqmWRjGNGEr5n4-"
 	)
-	return t.NewPackage("texinfo", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("texinfo", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/texinfo/texinfo-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/texinfo/texinfo-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, &MakeHelper{
 		// nonstandard glibc extension
@@ -549,9 +506,9 @@ func (t Toolchain) newGperf() (pkg.Artifact, string) {
 		version  = "3.3"
 		checksum = "RtIy9pPb_Bb8-31J2Nw-rRGso2JlS-lDlVhuNYhqR7Nt4xM_nObznxAlBMnarJv7"
 	)
-	return t.NewPackage("gperf", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("gperf", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gperf/gperf-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gperf/gperf-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil),
 		Diffutils,
@@ -574,9 +531,9 @@ func (t Toolchain) newGawk() (pkg.Artifact, string) {
 		version  = "5.4.0"
 		checksum = "m0RkIolC-PI7EY5q8pcx5Y-0twlIW0Yp3wXXmV-QaHorSdf8BhZ7kW9F8iWomz0C"
 	)
-	return t.NewPackage("gawk", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("gawk", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/gawk/gawk-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/gawk/gawk-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Flag: TEarly,
@@ -602,9 +559,9 @@ func (t Toolchain) newGrep() (pkg.Artifact, string) {
 		version  = "3.12"
 		checksum = "qMB4RjaPNRRYsxix6YOrjE8gyAT1zVSTy4nW4wKW9fqa0CHYAuWgPwDTirENzm_1"
 	)
-	return t.NewPackage("grep", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("grep", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/grep/grep-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/grep/grep-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,
@@ -639,7 +596,6 @@ func (t Toolchain) newFindutils() (pkg.Artifact, string) {
 		nil, "https://ftpmirror.gnu.org/gnu/findutils/findutils-"+version+".tar.xz",
 		mustDecode(checksum),
 	), &PackageAttr{
-		SourceKind: SourceKindTarXZ,
 		ScriptEarly: `
 echo '#!/bin/sh' > gnulib-tests/test-c32ispunct.sh
 echo 'int main(){return 0;}' > tests/xargs/test-sigusr.c
@@ -667,9 +623,9 @@ func (t Toolchain) newBC() (pkg.Artifact, string) {
 		version  = "1.08.2"
 		checksum = "8h6f3hjV80XiFs6v9HOPF2KEyg1kuOgn5eeFdVspV05ODBVQss-ey5glc8AmneLy"
 	)
-	return t.NewPackage("bc", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("bc", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/bc/bc-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/bc/bc-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		// source expected to be writable
@@ -696,9 +652,9 @@ func (t Toolchain) newLibiconv() (pkg.Artifact, string) {
 		version  = "1.19"
 		checksum = "UibB6E23y4MksNqYmCCrA3zTFO6vJugD1DEDqqWYFZNuBsUWMVMcncb_5pPAr88x"
 	)
-	return t.NewPackage("libiconv", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libiconv", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/libiconv/libiconv-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/libiconv/libiconv-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil)), version
 }
@@ -719,9 +675,9 @@ func (t Toolchain) newTar() (pkg.Artifact, string) {
 		version  = "1.35"
 		checksum = "zSaoSlVUDW0dSfm4sbL4FrXLFR8U40Fh3zY5DWhR5NCIJ6GjU6Kc4VZo2-ZqpBRA"
 	)
-	return t.NewPackage("tar", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("tar", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/tar/tar-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/tar/tar-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, &MakeHelper{
 		Configure: []KV{
@@ -733,7 +689,7 @@ func (t Toolchain) newTar() (pkg.Artifact, string) {
 			// very expensive
 			"TARTEST_SKIP_LARGE_FILES=1",
 
-			`TESTSUITEFLAGS="-j$(nproc)"`,
+			"TESTSUITEFLAGS=" + jobsFlagE,
 			"check",
 		},
 	},
@@ -758,15 +714,20 @@ func init() {
 
 func (t Toolchain) newParallel() (pkg.Artifact, string) {
 	const (
-		version  = "20260322"
+		version  = "20260422"
-		checksum = "gHoPmFkOO62ev4xW59HqyMlodhjp8LvTsBOwsVKHUUdfrt7KwB8koXmSVqQ4VOrB"
+		checksum = "eTsepxgqhXpMEhPd55qh-W5y4vjKn0x9TD2mzbJCNZYtFf4lT4Wzoqr74HGJYBEH"
 	)
-	return t.NewPackage("parallel", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("parallel", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/parallel/parallel-"+version+".tar.bz2",
+		"https://ftpmirror.gnu.org/gnu/parallel/parallel-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
-	), nil, (*MakeHelper)(nil),
+	), &PackageAttr{
+		ScriptEarly: `
+ln -s ../system/bin/bash /bin/
+`,
+	}, (*MakeHelper)(nil),
 		Perl,
+		Bash,
 	), version
 }
 func init() {
@@ -790,9 +751,9 @@ func (t Toolchain) newLibunistring() (pkg.Artifact, string) {
 		version  = "1.4.2"
 		checksum = "iW9BbfLoVlXjWoLTZ4AekQSu4cFBnLcZ4W8OHWbv0AhJNgD3j65_zqaLMzFKylg2"
 	)
-	return t.NewPackage("libunistring", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libunistring", version, newTar(
-		nil, "https://ftp.gnu.org/gnu/libunistring/libunistring-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/libunistring/libunistring-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,
@@ -823,9 +784,9 @@ func (t Toolchain) newLibtasn1() (pkg.Artifact, string) {
 		version  = "4.21.0"
 		checksum = "9DYI3UYbfYLy8JsKUcY6f0irskbfL0fHZA91Q-JEOA3kiUwpodyjemRsYRjUpjuq"
 	)
-	return t.NewPackage("libtasn1", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libtasn1", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/libtasn1/libtasn1-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/libtasn1/libtasn1-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil)), version
 }
@@ -846,9 +807,9 @@ func (t Toolchain) newReadline() (pkg.Artifact, string) {
 		version  = "8.3"
 		checksum = "r-lcGRJq_MvvBpOq47Z2Y1OI2iqrmtcqhTLVXR0xWo37ZpC2uT_md7gKq5o_qTMV"
 	)
-	return t.NewPackage("readline", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("readline", version, newTar(
-		nil, "https://ftp.gnu.org/gnu/readline/readline-"+version+".tar.gz",
+		"https://ftpmirror.gnu.org/gnu/readline/readline-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, &MakeHelper{
 		Configure: []KV{
@@ -889,10 +850,9 @@ func (t Toolchain) newGnuTLS() (pkg.Artifact, string) {
 		}
 	}
 
-	return t.NewPackage("gnutls", version, t.NewViaGit(
+	return t.NewPackage("gnutls", version, t.newTagRemote(
 		"https://gitlab.com/gnutls/gnutls.git",
-		"refs/tags/"+version,
+		version, checksum,
-		mustDecode(checksum),
 	), &PackageAttr{
 		Patches: []KV{
 			{"bootstrap-remove-gtk-doc", `diff --git a/bootstrap.conf b/bootstrap.conf
@@ -1062,9 +1022,9 @@ func (t Toolchain) newBinutils() (pkg.Artifact, string) {
 		version  = "2.46.0"
 		checksum = "4kK1_EXQipxSqqyvwD4LbiMLFKCUApjq6PeG4XJP4dzxYGqDeqXfh8zLuTyOuOVR"
 	)
-	return t.NewPackage("binutils", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("binutils", version, newTar(
-		nil, "https://ftpmirror.gnu.org/gnu/binutils/binutils-"+version+".tar.bz2",
+		"https://ftpmirror.gnu.org/gnu/binutils/binutils-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
 	), nil, (*MakeHelper)(nil),
 		Bash,
@@ -1087,12 +1047,16 @@ func (t Toolchain) newGMP() (pkg.Artifact, string) {
 		version  = "6.3.0"
 		checksum = "yrgbgEDWKDdMWVHh7gPbVl56-sRtVVhfvv0M_LX7xMUUk_mvZ1QOJEAnt7g4i3k5"
 	)
-	return t.NewPackage("gmp", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("gmp", version, newTar(
-		nil, "https://gcc.gnu.org/pub/gcc/infrastructure/"+
+		"https://gcc.gnu.org/pub/gcc/infrastructure/"+
 			"gmp-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
-	), nil, (*MakeHelper)(nil),
+	), &PackageAttr{
+		Env: []string{
+			"CC=cc",
+		},
+	}, (*MakeHelper)(nil),
 		M4,
 	), version
 }
@@ -1113,10 +1077,10 @@ func (t Toolchain) newMPFR() (pkg.Artifact, string) {
 		version  = "4.2.2"
 		checksum = "wN3gx0zfIuCn9r3VAn_9bmfvAYILwrRfgBjYSD1IjLqyLrLojNN5vKyQuTE9kA-B"
 	)
-	return t.NewPackage("mpfr", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("mpfr", version, newTar(
-		nil, "https://gcc.gnu.org/pub/gcc/infrastructure/"+
+		"https://gcc.gnu.org/pub/gcc/infrastructure/"+
 			"mpfr-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
 	), nil, (*MakeHelper)(nil),
 		GMP,
@@ -1140,13 +1104,13 @@ func init() {
 
 func (t Toolchain) newMPC() (pkg.Artifact, string) {
 	const (
-		version  = "1.4.0"
+		version  = "1.4.1"
-		checksum = "TbrxLiE3ipQrHz_F3Xzz4zqBAnkMWyjhNwIK6wh9360RZ39xMt8rxfW3LxA9SnvU"
+		checksum = "ZffaZyWkvIw0iPvRe5EJ7O-VvHtSkbbb3K_7SgPtK810NvGan7nbF0T5-6tozjQN"
 	)
-	return t.NewPackage("mpc", version, t.NewViaGit(
+	return t.NewPackage("mpc", version, newFromGitLab(
-		"https://gitlab.inria.fr/mpc/mpc.git",
+		"gitlab.inria.fr",
-		"refs/tags/"+version,
+		"mpc/mpc",
-		mustDecode(checksum),
+		version, checksum,
 	), &PackageAttr{
 		// does not find mpc-impl.h otherwise
 		EnterSource: true,
@@ -1182,10 +1146,17 @@ func (t Toolchain) newGCC() (pkg.Artifact, string) {
 		version  = "15.2.0"
 		checksum = "TXJ5WrbXlGLzy1swghQTr4qxgDCyIZFgJry51XEPTBZ8QYbVmFeB4lZbSMtPJ-a1"
 	)
-	return t.NewPackage("gcc", version, pkg.NewHTTPGetTar(
+
-		nil, "https://ftp.tsukuba.wide.ad.jp/software/gcc/releases/"+
+	var configureExtra []KV
+	switch runtime.GOARCH {
+	case "amd64", "arm64":
+		configureExtra = append(configureExtra, KV{"with-multilib-list", "''"})
+	}
+
+	return t.NewPackage("gcc", version, newTar(
+		"https://ftp.tsukuba.wide.ad.jp/software/gcc/releases/"+
 			"gcc-"+version+"/gcc-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Patches: []KV{
@@ -1347,9 +1318,8 @@ ln -s system/lib /work/
 		// it also saturates the CPU for a consequential amount of time.
 		Flag: TExclusive,
 	}, &MakeHelper{
-		Configure: []KV{
+		Configure: append([]KV{
 			{"disable-multilib"},
-			{"with-multilib-list", `""`},
 			{"enable-default-pie"},
 			{"disable-nls"},
 			{"with-gnu-as"},
@@ -1357,7 +1327,7 @@ ln -s system/lib /work/
 			{"with-system-zlib"},
 			{"enable-languages", "c,c++,go"},
 			{"with-native-system-header-dir", "/system/include"},
-		},
+		}, configureExtra...),
 		Make: []string{
 			"BOOT_CFLAGS='-O2 -g'",
 			"bootstrap",

internal/rosa/gnu_test.go

@@ -0,0 +1,35 @@
+package rosa
+
+import (
+	"slices"
+	"strconv"
+	"strings"
+	"testing"
+)
+
+func TestSkipGNUTests(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		tests []int
+		want  string
+	}{
+		{[]int{764}, "1-763 765-"},
+		{[]int{764, 0xcafe, 37, 9}, "1-8 10-36 38-763 765-51965 51967-"},
+		{[]int{1, 2, 0xbed}, "3-3052 3054-"},
+		{[]int{3, 4}, "1-2 5-"},
+	}
+	for _, tc := range testCases {
+		t.Run(strings.Join(slices.Collect(func(yield func(string) bool) {
+			for _, n := range tc.tests {
+				yield(strconv.Itoa(n))
+			}
+		}), ","), func(t *testing.T) {
+			t.Parallel()
+
+			if got := skipGNUTests(tc.tests...); got != tc.want {
+				t.Errorf("skipGNUTests: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}

internal/rosa/go.go

@@ -10,9 +10,9 @@ import (
 // newGoBootstrap returns the Go bootstrap toolchain.
 func (t Toolchain) newGoBootstrap() pkg.Artifact {
 	const checksum = "8o9JL_ToiQKadCTb04nvBDkp8O1xiWOolAxVEqaTGodieNe4lOFEjlOxN3bwwe23"
-	return t.New("go1.4-bootstrap", 0, []pkg.Artifact{
+	return t.New("go1.4-bootstrap", 0, t.AppendPresets(nil,
-		t.Load(Bash),
+		Bash,
-	}, nil, []string{
+	), nil, []string{
 		"CGO_ENABLED=0",
 	}, `
 mkdir -p /var/tmp/ /work/system/
@@ -21,9 +21,9 @@ cd /work/system/go/src
 chmod -R +w ..
 
 ./make.bash
-`, pkg.Path(AbsUsrSrc.Append("go"), false, pkg.NewHTTPGetTar(
+`, pkg.Path(AbsUsrSrc.Append("go"), false, newTar(
-		nil, "https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz",
+		"https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	)))
 }
@@ -35,9 +35,9 @@ func (t Toolchain) newGo(
 	script string,
 	extra ...pkg.Artifact,
 ) pkg.Artifact {
-	return t.New("go"+version, 0, slices.Concat([]pkg.Artifact{
+	return t.New("go"+version, 0, t.AppendPresets(extra,
-		t.Load(Bash),
+		Bash,
-	}, extra), nil, slices.Concat([]string{
+	), nil, slices.Concat([]string{
 		"CC=cc",
 		"GOCACHE=/tmp/gocache",
 		"GOROOT_BOOTSTRAP=/system/go",
@@ -55,9 +55,9 @@ ln -s \
 	../go/bin/go \
 	../go/bin/gofmt \
 	/work/system/bin
-`, pkg.Path(AbsUsrSrc.Append("go"), false, pkg.NewHTTPGetTar(
+`, pkg.Path(AbsUsrSrc.Append("go"), false, newTar(
-		nil, "https://go.dev/dl/go"+version+".src.tar.gz",
+		"https://go.dev/dl/go"+version+".src.tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	)))
 }
@@ -127,8 +127,8 @@ sed -i \
 	)
 
 	go125 := t.newGo(
-		"1.25.7",
+		"1.25.9",
-		"fyylHdBVRUobnBjYj3NKBaYPUw3kGmo2mEELiZonOYurPfbarNU1x77B99Fjut7Q",
+		"gShJb9uOMk5AxqPSwvn53ZO56S6PyP6nfojzrHUiJ3krAvrgjJpYa6-DPA-jxbpN",
 		[]string{"CGO_ENABLED=0"}, `
 sed -i \
 	's,/lib/ld-musl-`+linuxArch()+`.so.1,/system/bin/linker,' \
@@ -141,8 +141,8 @@ rm \
 	)
 
 	const (
-		version  = "1.26.1"
+		version  = "1.26.2"
-		checksum = "DdC5Ea-aCYPUHNObQh_09uWU0vn4e-8Ben850Vq-5OoamDRrXhuYI4YQ_BOFgaT0"
+		checksum = "v-6BE89_1g3xYf-9oIYpJKFXlo3xKHYJj2_VGkaUq8ZVkIVQmLwrto-xGG03OISH"
 	)
 	return t.newGo(
 		version,
@@ -151,9 +151,14 @@ rm \
 sed -i \
 	's,/lib/ld-musl-`+linuxArch()+`.so.1,/system/bin/linker,' \
 	cmd/link/internal/`+runtime.GOARCH+`/obj.go
+sed -i \
+	's/cpu.X86.HasAVX512VBMI/& \&\& cpu.X86.HasPOPCNT/' \
+	internal/runtime/gc/scan/scan_amd64.go
 
 rm \
-	os/root_unix_test.go
+	os/root_unix_test.go \
+	cmd/cgo/internal/testsanitizers/tsan_test.go \
+	cmd/cgo/internal/testsanitizers/cshared_test.go
 `, go125,
 	), version
 }

internal/rosa/gtk.go

@@ -10,10 +10,9 @@ func (t Toolchain) newGLib() (pkg.Artifact, string) {
 		version  = "2.88.0"
 		checksum = "T79Cg4z6j-sDZ2yIwvbY4ccRv2-fbwbqgcw59F5NQ6qJT6z4v261vbYp3dHO6Ma3"
 	)
-	return t.NewPackage("glib", version, t.NewViaGit(
+	return t.NewPackage("glib", version, t.newTagRemote(
 		"https://gitlab.gnome.org/GNOME/glib.git",
-		"refs/tags/"+version,
+		version, checksum,
-		mustDecode(checksum),
 	), &PackageAttr{
 		Paths: []pkg.ExecPath{
 			pkg.Path(fhs.AbsEtc.Append(

internal/rosa/hakurei.go

@@ -7,9 +7,8 @@ func (t Toolchain) newHakurei(
 	withHostname bool,
 ) pkg.Artifact {
 	hostname := `
-echo '# Building test helper (hostname).'
+echo 'Building test helper (hostname).'
-go build -v -o /bin/hostname /usr/src/hostname/main.go
+go build -o /bin/hostname /usr/src/hostname/main.go
-echo
 `
 	if !withHostname {
 		hostname = ""
@@ -99,7 +98,7 @@ mkdir -p /work/system/bin/
 		f: func(t Toolchain) (pkg.Artifact, string) {
 			return t.newHakurei("-dist", `
 export HAKUREI_VERSION
-DESTDIR=/work /usr/src/hakurei/dist/release.sh
+DESTDIR=/work /usr/src/hakurei/all.sh
 `, true), hakureiVersion
 		},
 

internal/rosa/hakurei_release.go

@@ -4,13 +4,13 @@ package rosa
 
 import "hakurei.app/internal/pkg"
 
-const hakureiVersion = "0.3.7"
+const hakureiVersion = "0.4.0"
 
 // hakureiSource is the source code of a hakurei release.
-var hakureiSource = pkg.NewHTTPGetTar(
+var hakureiSource = newTar(
-	nil, "https://git.gensokyo.uk/rosa/hakurei/archive/"+
+	"https://git.gensokyo.uk/rosa/hakurei/archive/"+
 		"v"+hakureiVersion+".tar.gz",
-	mustDecode("Xh_sdITOATEAQN5_UuaOyrWsgboxorqRO9bml3dGm8GAxF8NFpB7MqhSZgjJxAl2"),
+	"wfQ9DqCW0Fw9o91wj-I55waoqzB-UqzzuC0_2h-P-1M78SgZ1WHSPCDJMth6EyC2",
 	pkg.TarGzip,
 )
 

internal/rosa/kernel.go

@@ -2,12 +2,12 @@ package rosa
 
 import "hakurei.app/internal/pkg"
 
-const kernelVersion = "6.12.80"
+const kernelVersion = "6.12.84"
 
-var kernelSource = pkg.NewHTTPGetTar(
+var kernelSource = newTar(
-	nil, "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/"+
+	"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/"+
 		"snapshot/linux-"+kernelVersion+".tar.gz",
-	mustDecode("_iJEAYoQISJxefuWZYfv0RPWUmHHIjHQw33Fapix-irXrEIREP5ruK37UJW4uMZO"),
+	"GJLUEu68r3DpLYoTcMl4wA_ThMBs_Zwc0gZsp82ii_3AOfcVxpI639IKfq2jAAY2",
 	pkg.TarGzip,
 )
 
@@ -1221,7 +1221,7 @@ install -Dm0500 \
 	/sbin/depmod
 
 make \
-	"-j$(nproc)" \
+	` + jobsFlagE + ` \
 	-f /usr/src/kernel/Makefile \
 	O=/tmp/kbuild \
 	LLVM=1 \
@@ -1282,14 +1282,14 @@ func init() {
 
 func (t Toolchain) newFirmware() (pkg.Artifact, string) {
 	const (
-		version  = "20260309"
+		version  = "20260410"
-		checksum = "M1az8BxSiOEH3LA11Trc5VAlakwAHhP7-_LKWg6k-SVIzU3xclMDO4Tiujw1gQrC"
+		checksum = "J8PdQlGqwrivpskPzbL6xacqR6mlKtXpe5RpzFfVzKPAgG81ZRXsc3qrxwdGJbil"
 	)
-	return t.NewPackage("firmware", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("firmware", version, newFromGitLab(
-		nil, "https://gitlab.com/kernel-firmware/linux-firmware/-/"+
+		"gitlab.com",
-			"archive/"+version+"/linux-firmware-"+version+".tar.bz2",
+		"kernel-firmware/linux-firmware",
-		mustDecode(checksum),
+		version,
-		pkg.TarBzip2,
+		checksum,
 	), &PackageAttr{
 		// dedup creates temporary file
 		Writable: true,
@@ -1309,7 +1309,7 @@ func (t Toolchain) newFirmware() (pkg.Artifact, string) {
 			"install-zst",
 		},
 		SkipCheck: true, // requires pre-commit
-		Install:   `make "-j$(nproc)" DESTDIR=/work/system dedup`,
+		Install:   "make " + jobsFlagE + " DESTDIR=/work/system dedup",
 	},
 		Parallel,
 		Rdfind,

internal/rosa/kernel_amd64.config

@@ -1,16 +1,16 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.12.80 Kernel Configuration
+# Linux/x86 6.12.84 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 22.1.2"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.4"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=220102
+CONFIG_CLANG_VERSION=220104
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=220102
+CONFIG_AS_VERSION=220104
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=220102
+CONFIG_LLD_VERSION=220104
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -3175,14 +3175,8 @@ CONFIG_PATA_ACPI=y
 CONFIG_ATA_GENERIC=y
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
-CONFIG_BLK_DEV_MD=m
+# CONFIG_BLK_DEV_MD is not set
 CONFIG_MD_BITMAP_FILE=y
-CONFIG_MD_LINEAR=m
-CONFIG_MD_RAID0=m
-CONFIG_MD_RAID1=m
-CONFIG_MD_RAID10=m
-CONFIG_MD_RAID456=m
-CONFIG_MD_CLUSTER=m
 CONFIG_BCACHE=m
 # CONFIG_BCACHE_DEBUG is not set
 # CONFIG_BCACHE_ASYNC_REGISTRATION is not set
@@ -3205,7 +3199,7 @@ CONFIG_DM_ERA=m
 CONFIG_DM_CLONE=m
 CONFIG_DM_MIRROR=m
 CONFIG_DM_LOG_USERSPACE=m
-CONFIG_DM_RAID=m
+# CONFIG_DM_RAID is not set
 CONFIG_DM_ZERO=m
 CONFIG_DM_MULTIPATH=m
 CONFIG_DM_MULTIPATH_QL=m
@@ -11636,10 +11630,7 @@ CONFIG_RANDSTRUCT_NONE=y
 
 CONFIG_XOR_BLOCKS=m
 CONFIG_ASYNC_CORE=m
-CONFIG_ASYNC_MEMCPY=m
 CONFIG_ASYNC_XOR=m
-CONFIG_ASYNC_PQ=m
-CONFIG_ASYNC_RAID6_RECOV=m
 CONFIG_CRYPTO=y
 
 #
@@ -11925,8 +11916,6 @@ CONFIG_BINARY_PRINTF=y
 #
 # Library routines
 #
-CONFIG_RAID6_PQ=m
-CONFIG_RAID6_PQ_BENCHMARK=y
 CONFIG_LINEAR_RANGES=y
 CONFIG_PACKING=y
 CONFIG_BITREVERSE=y
@@ -12471,7 +12460,6 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_INTERVAL_TREE_TEST is not set
 # CONFIG_PERCPU_TEST is not set
 # CONFIG_ATOMIC64_SELFTEST is not set
-# CONFIG_ASYNC_RAID6_TEST is not set
 # CONFIG_TEST_HEXDUMP is not set
 # CONFIG_TEST_KSTRTOX is not set
 # CONFIG_TEST_PRINTF is not set

internal/rosa/kernel_arm64.config

@@ -1,16 +1,16 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.12.80 Kernel Configuration
+# Linux/arm64 6.12.83 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 21.1.8"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.4"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=210108
+CONFIG_CLANG_VERSION=220104
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=210108
+CONFIG_AS_VERSION=220104
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=210108
+CONFIG_LLD_VERSION=220104
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -3253,14 +3253,8 @@ CONFIG_PATA_ACPI=y
 CONFIG_ATA_GENERIC=y
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
-CONFIG_BLK_DEV_MD=m
+# CONFIG_BLK_DEV_MD is not set
 CONFIG_MD_BITMAP_FILE=y
-CONFIG_MD_LINEAR=m
-CONFIG_MD_RAID0=m
-CONFIG_MD_RAID1=m
-CONFIG_MD_RAID10=m
-CONFIG_MD_RAID456=m
-CONFIG_MD_CLUSTER=m
 CONFIG_BCACHE=m
 # CONFIG_BCACHE_DEBUG is not set
 # CONFIG_BCACHE_ASYNC_REGISTRATION is not set
@@ -3283,7 +3277,7 @@ CONFIG_DM_ERA=m
 CONFIG_DM_CLONE=m
 CONFIG_DM_MIRROR=m
 CONFIG_DM_LOG_USERSPACE=m
-CONFIG_DM_RAID=m
+# CONFIG_DM_RAID is not set
 CONFIG_DM_ZERO=m
 CONFIG_DM_MULTIPATH=m
 CONFIG_DM_MULTIPATH_QL=m
@@ -10300,7 +10294,6 @@ CONFIG_ALTERA_MSGDMA=m
 # CONFIG_AMBA_PL08X is not set
 CONFIG_APPLE_ADMAC=m
 CONFIG_AXI_DMAC=m
-CONFIG_BCM_SBA_RAID=m
 CONFIG_DMA_BCM2835=m
 CONFIG_DMA_SUN6I=m
 CONFIG_DW_AXI_DMAC=m
@@ -13292,12 +13285,7 @@ CONFIG_RANDSTRUCT_NONE=y
 
 CONFIG_XOR_BLOCKS=m
 CONFIG_ASYNC_CORE=m
-CONFIG_ASYNC_MEMCPY=m
 CONFIG_ASYNC_XOR=m
-CONFIG_ASYNC_PQ=m
-CONFIG_ASYNC_RAID6_RECOV=m
-CONFIG_ASYNC_TX_DISABLE_PQ_VAL_DMA=y
-CONFIG_ASYNC_TX_DISABLE_XOR_VAL_DMA=y
 CONFIG_CRYPTO=y
 
 #
@@ -13640,8 +13628,6 @@ CONFIG_BINARY_PRINTF=y
 #
 # Library routines
 #
-CONFIG_RAID6_PQ=m
-CONFIG_RAID6_PQ_BENCHMARK=y
 CONFIG_LINEAR_RANGES=y
 CONFIG_PACKING=y
 CONFIG_BITREVERSE=y
@@ -14172,7 +14158,6 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_INTERVAL_TREE_TEST is not set
 # CONFIG_PERCPU_TEST is not set
 # CONFIG_ATOMIC64_SELFTEST is not set
-# CONFIG_ASYNC_RAID6_TEST is not set
 # CONFIG_TEST_HEXDUMP is not set
 # CONFIG_TEST_KSTRTOX is not set
 # CONFIG_TEST_PRINTF is not set

internal/rosa/kernel_riscv64.config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/riscv 6.12.77 Kernel Configuration
+# Linux/riscv 6.12.80 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="clang version 22.1.2"
 CONFIG_GCC_VERSION=0
@@ -37,11 +37,6 @@ CONFIG_BUILD_SALT=""
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_ZSTD=y
 # CONFIG_KERNEL_GZIP is not set
-# CONFIG_KERNEL_BZIP2 is not set
-# CONFIG_KERNEL_LZMA is not set
-# CONFIG_KERNEL_XZ is not set
-# CONFIG_KERNEL_LZO is not set
-# CONFIG_KERNEL_LZ4 is not set
 CONFIG_KERNEL_ZSTD=y
 CONFIG_DEFAULT_INIT=""
 CONFIG_DEFAULT_HOSTNAME="rosa-early"
@@ -2848,14 +2843,8 @@ CONFIG_PATA_ACPI=y
 CONFIG_ATA_GENERIC=y
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
-CONFIG_BLK_DEV_MD=m
+# CONFIG_BLK_DEV_MD is not set
 CONFIG_MD_BITMAP_FILE=y
-CONFIG_MD_LINEAR=m
-CONFIG_MD_RAID0=m
-CONFIG_MD_RAID1=m
-CONFIG_MD_RAID10=m
-CONFIG_MD_RAID456=m
-CONFIG_MD_CLUSTER=m
 CONFIG_BCACHE=m
 # CONFIG_BCACHE_DEBUG is not set
 # CONFIG_BCACHE_ASYNC_REGISTRATION is not set
@@ -2878,7 +2867,7 @@ CONFIG_DM_ERA=m
 CONFIG_DM_CLONE=m
 CONFIG_DM_MIRROR=m
 CONFIG_DM_LOG_USERSPACE=m
-CONFIG_DM_RAID=m
+# CONFIG_DM_RAID is not set
 CONFIG_DM_ZERO=m
 CONFIG_DM_MULTIPATH=m
 CONFIG_DM_MULTIPATH_QL=m
@@ -10655,10 +10644,7 @@ CONFIG_RANDSTRUCT_NONE=y
 
 CONFIG_XOR_BLOCKS=m
 CONFIG_ASYNC_CORE=m
-CONFIG_ASYNC_MEMCPY=m
 CONFIG_ASYNC_XOR=m
-CONFIG_ASYNC_PQ=m
-CONFIG_ASYNC_RAID6_RECOV=m
 CONFIG_CRYPTO=y
 
 #
@@ -10918,8 +10904,6 @@ CONFIG_BINARY_PRINTF=y
 #
 # Library routines
 #
-CONFIG_RAID6_PQ=m
-CONFIG_RAID6_PQ_BENCHMARK=y
 CONFIG_LINEAR_RANGES=y
 CONFIG_PACKING=y
 CONFIG_BITREVERSE=y
@@ -11408,7 +11392,6 @@ CONFIG_RUNTIME_TESTING_MENU=y
 # CONFIG_INTERVAL_TREE_TEST is not set
 # CONFIG_PERCPU_TEST is not set
 # CONFIG_ATOMIC64_SELFTEST is not set
-# CONFIG_ASYNC_RAID6_TEST is not set
 # CONFIG_TEST_HEXDUMP is not set
 # CONFIG_TEST_KSTRTOX is not set
 # CONFIG_TEST_PRINTF is not set

internal/rosa/kmod.go

@@ -7,10 +7,10 @@ func (t Toolchain) newKmod() (pkg.Artifact, string) {
 		version  = "34.2"
 		checksum = "0K7POeTKxMhExsaTsnKAC6LUNsRSfe6sSZxWONPbOu-GI_pXOw3toU_BIoqfBhJV"
 	)
-	return t.NewPackage("kmod", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("kmod", version, newTar(
-		nil, "https://www.kernel.org/pub/linux/utils/kernel/"+
+		"https://www.kernel.org/pub/linux/utils/kernel/"+
 			"kmod/kmod-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, &MesonHelper{
 		Setup: []KV{

internal/rosa/libbsd.go

@@ -7,10 +7,9 @@ func (t Toolchain) newLibmd() (pkg.Artifact, string) {
 		version  = "1.1.0"
 		checksum = "9apYqPPZm0j5HQT8sCsVIhnVIqRD7XgN7kPIaTwTqnTuUq5waUAMq4M7ev8CODJ1"
 	)
-	return t.NewPackage("libmd", version, t.NewViaGit(
+	return t.NewPackage("libmd", version, t.newTagRemote(
 		"https://git.hadrons.org/git/libmd.git",
-		"refs/tags/"+version,
+		version, checksum,
-		mustDecode(checksum),
 	), nil, &MakeHelper{
 		Generate: "echo '" + version + "' > .dist-version && ./autogen",
 		ScriptMakeEarly: `
@@ -38,10 +37,9 @@ func (t Toolchain) newLibbsd() (pkg.Artifact, string) {
 		version  = "0.12.2"
 		checksum = "NVS0xFLTwSP8JiElEftsZ-e1_C-IgJhHrHE77RwKt5178M7r087waO-zYx2_dfGX"
 	)
-	return t.NewPackage("libbsd", version, t.NewViaGit(
+	return t.NewPackage("libbsd", version, t.newTagRemote(
 		"https://gitlab.freedesktop.org/libbsd/libbsd.git",
-		"refs/tags/"+version,
+		version, checksum,
-		mustDecode(checksum),
 	), nil, &MakeHelper{
 		Generate: "echo '" + version + "' > .dist-version && ./autogen",
 	},

internal/rosa/libcap.go

@@ -4,13 +4,13 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newLibcap() (pkg.Artifact, string) {
 	const (
-		version  = "2.77"
+		version  = "2.78"
-		checksum = "2GOTFU4cl2QoS7Dv5wh0c9-hxsQwIzMB9Y_gfAo5xKHqcM13fiHt1RbPkfemzjmB"
+		checksum = "wFdUkBhFMD9InPnrBZyegWrlPSAg_9JiTBC-eSFyWWlmbzL2qjh2mKxr9Kx2a8ut"
 	)
-	return t.NewPackage("libcap", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libcap", version, newTar(
-		nil, "https://git.kernel.org/pub/scm/libs/libcap/libcap.git/"+
+		"https://git.kernel.org/pub/scm/libs/libcap/libcap.git/"+
 			"snapshot/libcap-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		// uses source tree as scratch space

internal/rosa/libev.go

@@ -7,9 +7,9 @@ func (t Toolchain) newLibev() (pkg.Artifact, string) {
 		version  = "4.33"
 		checksum = "774eSXV_4k8PySRprUDChbEwsw-kzjIFnJ3MpNOl5zDpamBRvC3BqPyRxvkwcL6_"
 	)
-	return t.NewPackage("libev", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libev", version, newTar(
-		nil, "https://dist.schmorp.de/libev/Attic/libev-"+version+".tar.gz",
+		"https://dist.schmorp.de/libev/Attic/libev-"+version+".tar.gz",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil)), version
 }

internal/rosa/libexpat.go

@@ -8,14 +8,14 @@ import (
 
 func (t Toolchain) newLibexpat() (pkg.Artifact, string) {
 	const (
-		version  = "2.7.5"
+		version  = "2.8.0"
-		checksum = "vTRUjjg-qbHSXUBYKXgzVHkUO7UNyuhrkSYrE7ikApQm0g-OvQ8tspw4w55M-1Tp"
+		checksum = "pnwZ_JSif-OfoWIwk2JYXWHagOWMA3Sh-Ea0p-4Rz9U9mDEeAebhyvnfD7OYOMCk"
 	)
-	return t.NewPackage("libexpat", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libexpat", version, newFromGitHubRelease(
-		nil, "https://github.com/libexpat/libexpat/releases/download/"+
+		"libexpat/libexpat",
-			"R_"+strings.ReplaceAll(version, ".", "_")+"/"+
+		"R_"+strings.ReplaceAll(version, ".", "_"),
 		"expat-"+version+".tar.bz2",
-		mustDecode(checksum),
+		checksum,
 		pkg.TarBzip2,
 	), nil, (*MakeHelper)(nil),
 		Bash,

internal/rosa/libffi.go

@@ -7,10 +7,11 @@ func (t Toolchain) newLibffi() (pkg.Artifact, string) {
 		version  = "3.5.2"
 		checksum = "2_Q-ZNBBbVhltfL5zEr0wljxPegUimTK4VeMSiwJEGksls3n4gj3lV0Ly3vviSFH"
 	)
-	return t.NewPackage("libffi", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libffi", version, newFromGitHubRelease(
-		nil, "https://github.com/libffi/libffi/releases/download/"+
+		"libffi/libffi",
-			"v"+version+"/libffi-"+version+".tar.gz",
+		"v"+version,
-		mustDecode(checksum),
+		"libffi-"+version+".tar.gz",
+		checksum,
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil),
 		KernelHeaders,

internal/rosa/libgd.go

@@ -7,10 +7,10 @@ func (t Toolchain) newLibgd() (pkg.Artifact, string) {
 		version  = "2.3.3"
 		checksum = "8T-sh1_FJT9K9aajgxzh8ot6vWIF-xxjcKAHvTak9MgGUcsFfzP8cAvvv44u2r36"
 	)
-	return t.NewPackage("libgd", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libgd", version, newFromGitHubRelease(
-		nil, "https://github.com/libgd/libgd/releases/download/"+
+		"libgd/libgd",
-			"gd-"+version+"/libgd-"+version+".tar.gz",
+		"gd-"+version,
-		mustDecode(checksum),
+		"libgd-"+version+".tar.gz", checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Env: []string{

internal/rosa/libpsl.go

@@ -7,10 +7,11 @@ func (t Toolchain) newLibpsl() (pkg.Artifact, string) {
 		version  = "0.21.5"
 		checksum = "XjfxSzh7peG2Vg4vJlL8z4JZJLcXqbuP6pLWkrGCmRxlnYUFTKNBqWGHCxEOlCad"
 	)
-	return t.NewPackage("libpsl", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libpsl", version, newFromGitHubRelease(
-		nil, "https://github.com/rockdaboot/libpsl/releases/download/"+
+		"rockdaboot/libpsl",
-			version+"/libpsl-"+version+".tar.gz",
+		version,
-		mustDecode(checksum),
+		"libpsl-"+version+".tar.gz",
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable: true,

internal/rosa/libseccomp.go

@@ -7,10 +7,11 @@ func (t Toolchain) newLibseccomp() (pkg.Artifact, string) {
 		version  = "2.6.0"
 		checksum = "mMu-iR71guPjFbb31u-YexBaanKE_nYPjPux-vuBiPfS_0kbwJdfCGlkofaUm-EY"
 	)
-	return t.NewPackage("libseccomp", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libseccomp", version, newFromGitHubRelease(
-		nil, "https://github.com/seccomp/libseccomp/releases/download/"+
+		"seccomp/libseccomp",
-			"v"+version+"/libseccomp-"+version+".tar.gz",
+		"v"+version,
-		mustDecode(checksum),
+		"libseccomp-"+version+".tar.gz",
+		checksum,
 		pkg.TarGzip,
 	), &PackageAttr{
 		ScriptEarly: `

internal/rosa/libucontext.go

@@ -7,11 +7,10 @@ func (t Toolchain) newLibucontext() (pkg.Artifact, string) {
 		version  = "1.5"
 		checksum = "Ggk7FMmDNBdCx1Z9PcNWWW6LSpjGYssn2vU0GK5BLXJYw7ZxZbA2m_eSgT9TFnIG"
 	)
-	return t.NewPackage("libucontext", version, pkg.NewHTTPGetTar(
+	return t.NewPackage("libucontext", version, newFromGitHub(
-		nil, "https://github.com/kaniini/libucontext/archive/refs/tags/"+
+		"kaniini/libucontext",
-			"libucontext-"+version+".tar.gz",
+		"libucontext-"+version,
-		mustDecode(checksum),
+		checksum,
-		pkg.TarGzip,
 	), &PackageAttr{
 		// uses source tree as scratch space
 		Writable:    true,

internal/rosa/libxml2.go

@@ -4,13 +4,13 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newLibxml2() (pkg.Artifact, string) {
 	const (
-		version  = "2.15.2"
+		version  = "2.15.3"
-		checksum = "zwQvCIBnjzUFY-inX5ckfNT3mIezsCRV55C_Iztde5OnRTB3u33lfO5h03g7DK_8"
+		checksum = "oJy74htGlEpf70KPvpW18fYJo0RQQkCXZRwqUz6NoXborS3HCq3Nm4gsyaSeNmUH"
 	)
-	return t.NewPackage("libxml2", version, t.NewViaGit(
+	return t.NewPackage("libxml2", version, newFromGitLab(
-		"https://gitlab.gnome.org/GNOME/libxml2.git",
+		"gitlab.gnome.org",
-		"refs/tags/v"+version,
+		"GNOME/libxml2",
-		mustDecode(checksum),
+		"v"+version, checksum,
 	), &PackageAttr{
 		// can't create shell.out: Read-only file system
 		Writable: true,

internal/rosa/libxslt.go

@@ -5,12 +5,12 @@ import "hakurei.app/internal/pkg"
 func (t Toolchain) newLibxslt() (pkg.Artifact, string) {
 	const (
 		version  = "1.1.45"
-		checksum = "MZc_dyUWpHChkWDKa5iycrECxBsRd4ZMbYfL4VojTbung593mlH2tHGmxYB6NFYT"
+		checksum = "67ks7v8od2oWaEGf23Sst_Xbn_8brQyolQjqxPoO-lK35k_WJhi2Px5JJgbk-nfn"
 	)
-	return t.NewPackage("libxslt", version, t.NewViaGit(
+	return t.NewPackage("libxslt", version, newFromGitLab(
-		"https://gitlab.gnome.org/GNOME/libxslt.git",
+		"gitlab.gnome.org",
-		"refs/tags/v"+version,
+		"GNOME/libxslt",
-		mustDecode(checksum),
+		"v"+version, checksum,
 	), nil, &MakeHelper{
 		Generate: "NOCONFIGURE=1 ./autogen.sh",