internal/rosa/package: replace assignment syntax

internal/rosa/package: create az.mod and remove preprocessor directive
internal/rosa/package: azalea proposal
2026-05-23 23:15:20 -05:00 · 2026-05-23 22:55:21 -05:00 · 2026-05-23 20:50:35 -05:00 · 2026-05-23 17:53:05 +09:00 · 2026-05-23 17:44:38 +09:00 · 2026-05-23 17:30:39 +09:00
286 changed files with 15171 additions and 9136 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,8 @@

 # go generate
 /cmd/hakurei/LICENSE
-/internal/pkg/testdata/testtool
+/cmd/mbf/internal/pkgserver/ui/static
+/internal/pkg/internal/testtool/testtool
 /internal/rosa/hakurei_current.tar.gz

 # cmd/dist default destination
--- a/all.sh
+++ b/all.sh
@@ -1,6 +1,3 @@
 #!/bin/sh -e

-TOOLCHAIN_VERSION="$(go version)"
-cd "$(dirname -- "$0")/"
-echo "# Building cmd/dist using ${TOOLCHAIN_VERSION}."
-go run -v --tags=dist ./cmd/dist
+HAKUREI_DIST_MAKE='' exec "$(dirname -- "$0")/cmd/dist/dist.sh"
--- a/check/overlay.go
+++ b/check/overlay.go
@@ -4,15 +4,23 @@ import "strings"

 const (
 	// SpecialOverlayEscape is the escape string for overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayEscape = `\`
 	// SpecialOverlayOption is the separator string between overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayOption = ","
 	// SpecialOverlayPath is the separator string between overlay paths.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayPath = ":"
 )

 // EscapeOverlayDataSegment escapes a string for formatting into the data
 // argument of an overlay mount system call.
+//
+// Deprecated: This is no longer used and will be removed in 0.5.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""
--- a/cmd/dist/VERSION
+++ b/cmd/dist/VERSION
@@ -0,0 +1 @@
+v0.4.3
--- a/cmd/dist/dist.sh
+++ b/cmd/dist/dist.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/../.."
+echo "Building cmd/dist using ${TOOLCHAIN_VERSION}."
+FLAGS=''
+if test -n "$VERBOSE"; then
+    FLAGS="$FLAGS -v"
+fi
+go run $FLAGS --tags=dist ./cmd/dist
--- a/cmd/dist/main.go
+++ b/cmd/dist/main.go
@@ -18,8 +18,13 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"strings"
 )

+//go:generate sh -c "git describe --tags > VERSION"
+//go:embed VERSION
+var version string
+
 // getenv looks up an environment variable, and returns fallback if it is unset.
 func getenv(key, fallback string) string {
 	if v, ok := os.LookupEnv(key); ok {
@@ -42,14 +47,19 @@ func mustRun(ctx context.Context, name string, arg ...string) {
 var comp []byte

 func main() {
-	fmt.Println()
 	log.SetFlags(0)
-	log.SetPrefix("# ")
+	log.SetPrefix("")

-	version := getenv("HAKUREI_VERSION", "untagged")
+	verbose := os.Getenv("VERBOSE") != ""
+	runTests := os.Getenv("HAKUREI_DIST_MAKE") == ""
+	version = getenv("HAKUREI_VERSION", strings.TrimSpace(version))
 	prefix := getenv("PREFIX", "/usr")
 	destdir := getenv("DESTDIR", "dist")

+	if verbose {
+		log.Println()
+	}
+
 	if err := os.MkdirAll(destdir, 0755); err != nil {
 		log.Fatal(err)
 	}
@@ -76,12 +86,17 @@ func main() {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer cancel()

-	log.Println("Building hakurei.")
+	verboseFlag := "-v"
+	if !verbose {
+		verboseFlag = "-buildvcs=false"
+	}
+
+	log.Printf("Building hakurei for %s/%s.", runtime.GOOS, runtime.GOARCH)
 	mustRun(ctx, "go", "generate", "./...")
 	mustRun(
 		ctx, "go", "build",
 		"-trimpath",
-		"-v", "-o", s,
+		verboseFlag, "-o", s,
 		"-ldflags=-s -w "+
 			"-buildid= -linkmode external -extldflags=-static "+
 			"-X hakurei.app/internal/info.buildVersion="+version+" "+
@@ -90,17 +105,19 @@ func main() {
 			"-X main.hakureiPath="+prefix+"/bin/hakurei",
 		"./...",
 	)
-	fmt.Println()
+	log.Println()

-	log.Println("Testing Hakurei.")
-	mustRun(
-		ctx, "go", "test",
-		"-ldflags=-buildid= -linkmode external -extldflags=-static",
-		"./...",
-	)
-	fmt.Println()
+	if runTests {
+		log.Println("##### Testing Hakurei.")
+		mustRun(
+			ctx, "go", "test",
+			"-ldflags=-buildid= -linkmode external -extldflags=-static",
+			"./...",
+		)
+		log.Println()
+	}

-	log.Println("Creating distribution.")
+	log.Println("##### Creating distribution.")
 	const suffix = ".tar.gz"
 	distName := "hakurei-" + version + "-" + runtime.GOARCH
 	var f *os.File
@@ -121,7 +138,7 @@ func main() {
 	}()

 	h := sha512.New()
-	gw := gzip.NewWriter(io.MultiWriter(f, h))
+	gw, _ := gzip.NewWriterLevel(io.MultiWriter(f, h), gzip.BestCompression)
 	tw := tar.NewWriter(gw)

 	mustWriteHeader := func(name string, size int64, mode os.FileMode) {
--- a/cmd/mbf/cache.go
+++ b/cmd/mbf/cache.go
@@ -7,6 +7,7 @@ import (
 	"testing"

 	"hakurei.app/check"
+	"hakurei.app/container"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/message"
 )
@@ -19,8 +20,15 @@ type cache struct {
 	// Should generally not be used directly.
 	c *pkg.Cache

-	cures, jobs        int
-	hostAbstract, idle bool
+	cures, jobs int
+	// Primarily to work around missing landlock LSM.
+	hostAbstract bool
+	// Set SCHED_IDLE.
+	idle bool
+	// Unset [pkg.CSuppressInit].
+	verboseInit bool
+	// Loaded artifact of [rosa.QEMU].
+	qemu pkg.Artifact

 	base string
 }
@@ -31,9 +39,6 @@ func (cache *cache) open() (err error) {
 		return os.ErrInvalid
 	}

-	if cache.base == "" {
-		cache.base = "cache"
-	}
 	var base *check.Absolute
 	if cache.base, err = filepath.Abs(cache.base); err != nil {
 		return
@@ -48,6 +53,9 @@ func (cache *cache) open() (err error) {
 	if cache.hostAbstract {
 		flags |= pkg.CHostAbstract
 	}
+	if !cache.verboseInit {
+		flags |= pkg.CSuppressInit
+	}

 	done := make(chan struct{})
 	defer close(done)
@@ -73,6 +81,39 @@ func (cache *cache) open() (err error) {
 		cache.jobs,
 		base,
 	)
+	if err != nil {
+		return
+	}
+	done <- struct{}{}
+
+	if cache.qemu != nil {
+		var pathname *check.Absolute
+		pathname, _, err = cache.c.Cure(cache.qemu)
+		if err != nil {
+			cache.c.Close()
+			return
+		}
+
+		pkg.RegisterArch("riscv64", container.BinfmtEntry{
+			Offset: 0,
+			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
+			Mask:   "\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			Interpreter: pathname.Append(
+				"system/bin",
+				"qemu-riscv64",
+			),
+		})
+		pkg.RegisterArch("arm64", container.BinfmtEntry{
+			Offset: 0,
+			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00",
+			Mask:   "\xff\xff\xff\xff\xff\xff\xff\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			Interpreter: pathname.Append(
+				"system/bin",
+				"qemu-aarch64",
+			),
+		})
+	}
+
 	return
 }

--- a/cmd/mbf/daemon.go
+++ b/cmd/mbf/daemon.go
@@ -99,10 +99,9 @@ func cancelIdent(
 	var ident pkg.ID
 	if _, err := io.ReadFull(conn, ident[:]); err != nil {
 		return nil, false, errors.Join(err, conn.Close())
-	} else if err = conn.Close(); err != nil {
-		return nil, false, err
 	}
-	return &ident, cache.Cancel(unique.Make(ident)), nil
+	ok := cache.Cancel(unique.Make(ident))
+	return &ident, ok, conn.Close()
 }

 // serve services connections from a [net.UnixListener].
@@ -194,11 +193,11 @@ func serve(
 						}

 					case specialAbort:
+						log.Println("aborting all pending cures")
+						cm.c.Abort()
 						if _err := conn.Close(); _err != nil {
 							log.Println(_err)
 						}
-						log.Println("aborting all pending cures")
-						cm.c.Abort()
 					}

 					return
@@ -306,6 +305,7 @@ func cancelRemote(
 	ctx context.Context,
 	addr *net.UnixAddr,
 	a pkg.Artifact,
+	wait bool,
 ) error {
 	done, conn, err := dial(ctx, addr)
 	if err != nil {
@@ -324,13 +324,19 @@ func cancelRemote(
 	} else if n != len(id) {
 		return errors.Join(io.ErrShortWrite, conn.Close())
 	}
-	return conn.Close()
+	if wait {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
 }

 // abortRemote aborts all [pkg.Artifact] curing on a daemon.
 func abortRemote(
 	ctx context.Context,
 	addr *net.UnixAddr,
+	wait bool,
 ) error {
 	done, conn, err := dial(ctx, addr)
 	if err != nil {
@@ -339,5 +345,10 @@ func abortRemote(
 	defer close(done)

 	err = writeSpecialHeader(conn, specialAbort)
+	if wait && err == nil {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
 	return errors.Join(err, conn.Close())
 }
--- a/cmd/mbf/daemon_test.go
+++ b/cmd/mbf/daemon_test.go
@@ -106,11 +106,11 @@ func TestDaemon(t *testing.T) {
 		}
 	}()

-	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil)); err != nil {
+	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil), true); err != nil {
 		t.Fatalf("cancelRemote: error = %v", err)
 	}

-	if err = abortRemote(ctx, &addr); err != nil {
+	if err = abortRemote(ctx, &addr, true); err != nil {
 		t.Fatalf("abortRemote: error = %v", err)
 	}

--- a/cmd/mbf/info.go
+++ b/cmd/mbf/info.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"os"
 	"strings"
+	"unique"

 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
@@ -17,25 +18,12 @@ func commandInfo(
 	args []string,
 	w io.Writer,
 	writeStatus bool,
-	reportPath string,
+	r *rosa.Report,
 ) (err error) {
 	if len(args) == 0 {
 		return errors.New("info requires at least 1 argument")
 	}

-	var r *rosa.Report
-	if reportPath != "" {
-		if r, err = rosa.OpenReport(reportPath); err != nil {
-			return err
-		}
-		defer func() {
-			if closeErr := r.Close(); err == nil {
-				err = closeErr
-			}
-		}()
-		defer r.HandleAccess(&err)()
-	}
-
 	// recovered by HandleAccess
 	mustPrintln := func(a ...any) {
 		if _, _err := fmt.Fprintln(w, a...); _err != nil {
@@ -48,17 +36,19 @@ func commandInfo(
 		}
 	}

+	t := rosa.Native().Std()
 	for i, name := range args {
-		if p, ok := rosa.ResolveName(name); !ok {
+		handle := rosa.ArtifactH(unique.Make(name))
+		if meta, a := t.Load(handle); meta == nil {
 			return fmt.Errorf("unknown artifact %q", name)
 		} else {
 			var suffix string
-			if version := rosa.Std.Version(p); version != rosa.Unversioned {
-				suffix += "-" + version
+
+			if meta.Version != rosa.Unversioned {
+				suffix += "-" + meta.Version
 			}
 			mustPrintln("name        : " + name + suffix)

-			meta := rosa.GetMetadata(p)
 			mustPrintln("description : " + meta.Description)
 			if meta.Website != "" {
 				mustPrintln("website     : " +
@@ -67,9 +57,10 @@ func commandInfo(
 			if len(meta.Dependencies) > 0 {
 				mustPrint("depends on  :")
 				for _, d := range meta.Dependencies {
-					s := rosa.GetMetadata(d).Name
-					if version := rosa.Std.Version(d); version != rosa.Unversioned {
-						s += "-" + version
+					_meta, _ := rosa.Native().Std().MustLoad(d)
+					s := _meta.Name
+					if _meta.Version != rosa.Unversioned {
+						s += "-" + _meta.Version
 					}
 					mustPrint(" " + s)
 				}
@@ -81,7 +72,7 @@ func commandInfo(
 				if r == nil {
 					var f io.ReadSeekCloser
 					err = cm.Do(func(cache *pkg.Cache) (err error) {
-						f, err = cache.OpenStatus(rosa.Std.Load(p))
+						f, err = cache.OpenStatus(a)
 						return
 					})
 					if err != nil {
@@ -100,7 +91,7 @@ func commandInfo(
 						}
 					}
 				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
+					status, n := r.ArtifactOf(cache.Ident(a))
 					if status == nil {
 						mustPrintln(
 							statusPrefix + "not in report",
--- a/cmd/mbf/info_test.go
+++ b/cmd/mbf/info_test.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"syscall"
 	"testing"
+	"unique"
 	"unsafe"

 	"hakurei.app/internal/pkg"
@@ -20,6 +21,14 @@ import (
 func TestInfo(t *testing.T) {
 	t.Parallel()

+	_t := rosa.Native().Std()
+	qemuMeta, _ := _t.Load(rosa.H("qemu"))
+	glibMeta, _ := _t.Load(rosa.H("glib"))
+	zlibMeta, zlib := _t.Load(rosa.H("zlib"))
+	zstdMeta, _ := _t.Load(rosa.H("zstd"))
+	hakureiMeta, _ := _t.Load(rosa.H("hakurei"))
+	hakureiDistMeta, _ := _t.Load(rosa.H("hakurei-dist"))
+
 	testCases := []struct {
 		name    string
 		args    []string
@@ -29,24 +38,24 @@ func TestInfo(t *testing.T) {
 		wantErr any
 	}{
 		{"qemu", []string{"qemu"}, nil, "", `
-name        : qemu-` + rosa.Std.Version(rosa.QEMU) + `
+name        : qemu-` + qemuMeta.Version + `
 description : a generic and open source machine emulator and virtualizer
 website     : https://www.qemu.org
-depends on  : glib-` + rosa.Std.Version(rosa.GLib) + ` zstd-` + rosa.Std.Version(rosa.Zstd) + `
+depends on  : glib-` + glibMeta.Version + ` zstd-` + zstdMeta.Version + `
 `, nil},

 		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
-name        : hakurei-` + rosa.Std.Version(rosa.Hakurei) + `
+name        : hakurei-` + hakureiMeta.Version + `
 description : low-level userspace tooling for Rosa OS
 website     : https://hakurei.app

-name        : hakurei-dist-` + rosa.Std.Version(rosa.HakureiDist) + `
+name        : hakurei-dist-` + hakureiDistMeta.Version + `
 description : low-level userspace tooling for Rosa OS (distribution tarball)
 website     : https://hakurei.app
 `, nil},

 		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+name        : zlib-` + zlibMeta.Version + `
 description : lossless data-compression library
 website     : https://zlib.net

@@ -56,12 +65,12 @@ website     : https://zlib.net
 			"zstd":    "internal/pkg (amd64) on satori\n",
 			"hakurei": "internal/pkg (amd64) on satori\n\n",
 		}, "", `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+name        : zlib-` + zlibMeta.Version + `
 description : lossless data-compression library
 website     : https://zlib.net
 status      : not yet cured

-name        : zstd-` + rosa.Std.Version(rosa.Zstd) + `
+name        : zstd-` + zstdMeta.Version + `
 description : a fast compression algorithm
 website     : https://facebook.github.io/zstd
 status      : internal/pkg (amd64) on satori
@@ -70,19 +79,19 @@ status      : internal/pkg (amd64) on satori
 		{"status cache perm", []string{"zlib"}, map[string]string{
 			"zlib": "\x00",
 		}, "", `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+name        : zlib-` + zlibMeta.Version + `
 description : lossless data-compression library
 website     : https://zlib.net
 `, func(cm *cache) error {
 			return &os.PathError{
 				Op:   "open",
-				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(rosa.Std.Load(rosa.Zlib)).Value())),
+				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(zlib).Value())),
 				Err:  syscall.EACCES,
 			}
 		}},

 		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
+name        : zlib-` + zlibMeta.Version + `
 description : lossless data-compression library
 website     : https://zlib.net
 status      : not in report
@@ -95,7 +104,7 @@ status      : not in report
 			var (
 				cm  *cache
 				buf strings.Builder
-				rp  string
+				r   *rosa.Report
 			)

 			if tc.status != nil || tc.report != "" {
@@ -108,20 +117,31 @@ status      : not in report
 			}

 			if tc.report != "" {
-				rp = filepath.Join(t.TempDir(), "report")
-				if err := os.WriteFile(
-					rp,
+				pathname := filepath.Join(t.TempDir(), "report")
+				err := os.WriteFile(
+					pathname,
 					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
 					0400,
-				); err != nil {
+				)
+				if err != nil {
 					t.Fatal(err)
 				}
+
+				r, err = rosa.OpenReport(pathname)
+				if err != nil {
+					t.Fatal(err)
+				}
+				defer func() {
+					if err = r.Close(); err != nil {
+						t.Fatal(err)
+					}
+				}()
 			}

 			if tc.status != nil {
 				for name, status := range tc.status {
-					p, ok := rosa.ResolveName(name)
-					if !ok {
+					_, a := _t.Load(rosa.ArtifactH(unique.Make(name)))
+					if a == nil {
 						t.Fatalf("invalid name %q", name)
 					}
 					perm := os.FileMode(0400)
@@ -132,7 +152,7 @@ status      : not in report
 						return os.WriteFile(filepath.Join(
 							cm.base,
 							"status",
-							pkg.Encode(cache.Ident(rosa.Std.Load(p)).Value()),
+							pkg.Encode(cache.Ident(a).Value()),
 						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
 					}); err != nil {
 						t.Fatalf("Do: error = %v", err)
@@ -157,7 +177,7 @@ status      : not in report
 				tc.args,
 				&buf,
 				cm != nil,
-				rp,
+				r,
 			); !reflect.DeepEqual(err, wantErr) {
 				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
 			}
--- a/cmd/mbf/internal/pkgserver/api.go
+++ b/cmd/mbf/internal/pkgserver/api.go
@@ -0,0 +1,202 @@
+// Package pkgserver implements the package metadata service backend.
+package pkgserver
+
+import (
+	"context"
+	"encoding/json"
+	"log"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+	"sync"
+	"time"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// for lazy initialisation of serveInfo
+var (
+	infoPayload struct {
+		// Current package count.
+		Count int `json:"count"`
+		// Hakurei version, set at link time.
+		HakureiVersion string `json:"hakurei_version"`
+	}
+	infoPayloadOnce sync.Once
+)
+
+// handleInfo writes constant system information.
+func handleInfo(w http.ResponseWriter, _ *http.Request) {
+	infoPayloadOnce.Do(func() {
+		infoPayload.Count = len(rosa.Native().Collect())
+		infoPayload.HakureiVersion = info.Version()
+	})
+	// TODO(mae): cache entire response if no additional fields are planned
+	writeAPIPayload(w, infoPayload)
+}
+
+// newStatusHandler returns a [http.HandlerFunc] that offers status files for
+// viewing or download, if available.
+func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		m, ok := index.names[path.Base(r.URL.Path)]
+		if !ok || !m.HasReport {
+			http.NotFound(w, r)
+			return
+		}
+
+		contentType := "text/plain; charset=utf-8"
+		if disposition {
+			contentType = "application/octet-stream"
+
+			// quoting like this is unsound, but okay, because metadata is hardcoded
+			contentDisposition := `attachment; filename="`
+			contentDisposition += m.Name + "-"
+			if m.Version != "" {
+				contentDisposition += m.Version + "-"
+			}
+			contentDisposition += m.ids + `.log"`
+			w.Header().Set("Content-Disposition", contentDisposition)
+		}
+		w.Header().Set("Content-Type", contentType)
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		if err := func() (err error) {
+			defer index.handleAccess(&err)()
+			_, err = w.Write(m.status)
+			return
+		}(); err != nil {
+			log.Println(err)
+			http.Error(
+				w, "cannot deliver status, contact maintainers",
+				http.StatusInternalServerError,
+			)
+		}
+	}
+}
+
+// handleGet writes a slice of metadata with specified order.
+func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(len(index.sorts[0])-1),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	sort, err := strconv.Atoi(q.Get("sort"))
+	if err != nil || sort >= len(index.sorts) || sort < 0 {
+		http.Error(
+			w, "sort must be an integer between 0 and "+
+				strconv.Itoa(sortOrderEnd),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
+	writeAPIPayload(w, &struct {
+		Values []*metadata `json:"values"`
+	}{values})
+}
+
+func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(len(index.sorts[0])-1),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	search, err := url.QueryUnescape(q.Get("search"))
+	if len(search) > 100 || err != nil {
+		http.Error(
+			w, "search must be a string between 0 and 100 characters long",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	desc := q.Get("desc") == "true"
+	n, res, err := index.performSearchQuery(limit, i, search, desc)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+	writeAPIPayload(w, &struct {
+		Count  int            `json:"count"`
+		Values []searchResult `json:"values"`
+	}{n, res})
+}
+
+// apiVersion is the name of the current API revision, as part of the pattern.
+const apiVersion = "v1"
+
+// registerAPI registers API handler functions.
+func (index *packageIndex) registerAPI(mux *http.ServeMux) {
+	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
+	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
+	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
+	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
+	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
+}
+
+// Register arranges for mux to service API requests.
+func Register(ctx context.Context, mux *http.ServeMux, report *rosa.Report) error {
+	var index packageIndex
+	index.search = make(searchCache)
+	if err := index.populate(report); err != nil {
+		return err
+	}
+	ticker := time.NewTicker(1 * time.Minute)
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				index.search.clean()
+			}
+		}
+	}()
+	index.registerAPI(mux)
+	return nil
+}
+
+// writeAPIPayload sets headers common to API responses and encodes payload as
+// JSON for the response body.
+func writeAPIPayload(w http.ResponseWriter, payload any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+
+	if err := json.NewEncoder(w).Encode(payload); err != nil {
+		log.Println(err)
+		http.Error(
+			w, "cannot encode payload, contact maintainers",
+			http.StatusInternalServerError,
+		)
+	}
+}
--- a/cmd/mbf/internal/pkgserver/api_test.go
+++ b/cmd/mbf/internal/pkgserver/api_test.go
@@ -0,0 +1,111 @@
+package pkgserver
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// prefix is prepended to every API path.
+const prefix = "/api/" + apiVersion + "/"
+
+func TestAPIInfo(t *testing.T) {
+	t.Parallel()
+
+	w := httptest.NewRecorder()
+	handleInfo(w, httptest.NewRequestWithContext(
+		t.Context(),
+		http.MethodGet,
+		prefix+"info",
+		nil,
+	))
+
+	resp := w.Result()
+	checkStatus(t, resp, http.StatusOK)
+	checkAPIHeader(t, w.Header())
+
+	checkPayload(t, resp, struct {
+		Count          int    `json:"count"`
+		HakureiVersion string `json:"hakurei_version"`
+	}{len(rosa.Native().Collect()), info.Version()})
+}
+
+func TestAPIGet(t *testing.T) {
+	t.Parallel()
+	const target = prefix + "get"
+
+	index := newIndex(t)
+	newRequest := func(suffix string) *httptest.ResponseRecorder {
+		w := httptest.NewRecorder()
+		index.handleGet(w, httptest.NewRequestWithContext(
+			t.Context(),
+			http.MethodGet,
+			target+suffix,
+			nil,
+		))
+		return w
+	}
+
+	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
+		t.Run("invalid", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=invalid")
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+		})
+
+		t.Run("min", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+
+		t.Run("max", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+	}
+
+	t.Run("limit", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&sort=0&limit", 1, 100,
+			"limit must be an integer between 1 and 100",
+		)
+	})
+
+	count := len(rosa.Native().Collect())
+	t.Run("index", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "limit=1&sort=0&index", 0, count-1,
+			"index must be an integer between 0 and "+strconv.Itoa(count-1),
+		)
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
+			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
+		)
+	})
+}
--- a/cmd/mbf/internal/pkgserver/index.go
+++ b/cmd/mbf/internal/pkgserver/index.go
@@ -0,0 +1,108 @@
+package pkgserver
+
+import (
+	"cmp"
+	"errors"
+	"slices"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+const (
+	declarationAscending = iota
+	declarationDescending
+	nameAscending
+	nameDescending
+	sizeAscending
+	sizeDescending
+
+	sortOrderEnd = iota - 1
+)
+
+// packageIndex refers to metadata by name and various sort orders.
+type packageIndex struct {
+	sorts  [sortOrderEnd + 1][]*metadata
+	names  map[string]*metadata
+	search searchCache
+	// Taken from [rosa.Report] if available.
+	handleAccess func(*error) func()
+}
+
+// metadata holds [rosa.Metadata] extended with additional information.
+type metadata struct {
+	handle rosa.ArtifactH
+	*rosa.Metadata
+
+	// Copied from [rosa.Metadata], [rosa.Unversioned] is equivalent to the zero
+	// value. Otherwise, the zero value is invalid.
+	Version string `json:"version,omitempty"`
+	// Output data size, available if present in report.
+	Size int64 `json:"size,omitempty"`
+	// Whether the underlying [pkg.Artifact] is present in the report.
+	HasReport bool `json:"report"`
+
+	// Ident string encoded ahead of time.
+	ids string
+	// Backed by [rosa.Report], access must be prepared by HandleAccess.
+	status []byte
+}
+
+// populate deterministically populates packageIndex, optionally with a report.
+func (index *packageIndex) populate(report *rosa.Report) (err error) {
+	if report != nil {
+		defer report.HandleAccess(&err)()
+		index.handleAccess = report.HandleAccess
+	}
+
+	handles := rosa.Native().Collect()
+	work := make([]*metadata, len(handles))
+	index.names = make(map[string]*metadata)
+	ir := pkg.NewIR()
+	for i, handle := range handles {
+		meta, a := rosa.Native().Std().MustLoad(handle)
+		m := metadata{
+			handle: handle,
+
+			Metadata: meta,
+			Version:  meta.Version,
+		}
+		if m.Version == "" {
+			return errors.New("invalid version from " + m.Name)
+		}
+		if m.Version == rosa.Unversioned {
+			m.Version = ""
+		}
+
+		if report != nil {
+			id := ir.Ident(a)
+			m.ids = pkg.Encode(id.Value())
+			m.status, m.Size = report.ArtifactOf(id)
+			m.HasReport = m.Size >= 0
+		}
+
+		work[i] = &m
+		index.names[m.Name] = &m
+	}
+
+	index.sorts[declarationAscending] = work
+	index.sorts[declarationDescending] = slices.Clone(work)
+	slices.Reverse(index.sorts[declarationDescending][:])
+
+	index.sorts[nameAscending] = slices.Clone(work)
+	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+	index.sorts[nameDescending] = slices.Clone(index.sorts[nameAscending])
+	slices.Reverse(index.sorts[nameDescending][:])
+
+	index.sorts[sizeAscending] = slices.Clone(work)
+	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
+		return cmp.Compare(a.Size, b.Size)
+	})
+	index.sorts[sizeDescending] = slices.Clone(index.sorts[sizeAscending])
+	slices.Reverse(index.sorts[sizeDescending][:])
+
+	return
+}
--- a/cmd/mbf/internal/pkgserver/index_test.go
+++ b/cmd/mbf/internal/pkgserver/index_test.go
@@ -0,0 +1,96 @@
+package pkgserver
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+// newIndex returns the address of a newly populated packageIndex.
+func newIndex(t *testing.T) *packageIndex {
+	t.Helper()
+
+	var index packageIndex
+	if err := index.populate(nil); err != nil {
+		t.Fatalf("populate: error = %v", err)
+	}
+	return &index
+}
+
+// checkStatus checks response status code.
+func checkStatus(t *testing.T, resp *http.Response, want int) {
+	t.Helper()
+
+	if resp.StatusCode != want {
+		t.Errorf(
+			"StatusCode: %s, want %s",
+			http.StatusText(resp.StatusCode),
+			http.StatusText(want),
+		)
+	}
+}
+
+// checkHeader checks the value of a header entry.
+func checkHeader(t *testing.T, h http.Header, key, want string) {
+	t.Helper()
+
+	if got := h.Get(key); got != want {
+		t.Errorf("%s: %q, want %q", key, got, want)
+	}
+}
+
+// checkAPIHeader checks common entries set for API endpoints.
+func checkAPIHeader(t *testing.T, h http.Header) {
+	t.Helper()
+
+	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
+	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
+	checkHeader(t, h, "Pragma", "no-cache")
+	checkHeader(t, h, "Expires", "0")
+}
+
+// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
+func checkPayloadFunc[T any](
+	t *testing.T,
+	resp *http.Response,
+	f func(got *T) bool,
+) {
+	t.Helper()
+
+	var got T
+	r := io.Reader(resp.Body)
+	if testing.Verbose() {
+		var buf bytes.Buffer
+		r = io.TeeReader(r, &buf)
+		defer func() { t.Helper(); t.Log(buf.String()) }()
+	}
+	if err := json.NewDecoder(r).Decode(&got); err != nil {
+		t.Fatalf("Decode: error = %v", err)
+	}
+
+	if !f(&got) {
+		t.Errorf("Body: %#v", got)
+	}
+}
+
+// checkPayload checks the JSON response of an API endpoint.
+func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
+	t.Helper()
+
+	checkPayloadFunc(t, resp, func(got *T) bool {
+		return reflect.DeepEqual(got, &want)
+	})
+}
+
+func checkError(t *testing.T, resp *http.Response, error string, code int) {
+	t.Helper()
+
+	checkStatus(t, resp, code)
+	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
+		t.Errorf("Body: %q, want %q", string(got), error)
+	}
+}
--- a/cmd/mbf/internal/pkgserver/search.go
+++ b/cmd/mbf/internal/pkgserver/search.go
@@ -0,0 +1,81 @@
+package pkgserver
+
+import (
+	"cmp"
+	"maps"
+	"regexp"
+	"slices"
+	"time"
+)
+
+type searchCache map[string]searchCacheEntry
+type searchResult struct {
+	NameIndices [][]int `json:"name_matches"`
+	DescIndices [][]int `json:"desc_matches,omitempty"`
+	Score       float64 `json:"score"`
+	*metadata
+}
+type searchCacheEntry struct {
+	query   string
+	results []searchResult
+	expiry  time.Time
+}
+
+func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
+	query := search
+	if desc {
+		query += ";withDesc"
+	}
+	entry, ok := index.search[query]
+	if ok && len(entry.results) > 0 {
+		return len(entry.results), entry.results[min(i, len(entry.results)-1):min(i+limit, len(entry.results))], nil
+	}
+
+	regex, err := regexp.Compile(search)
+	if err != nil {
+		return 0, make([]searchResult, 0), err
+	}
+	res := make([]searchResult, 0)
+	for p := range maps.Values(index.names) {
+		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
+		var descIndices [][]int = nil
+		if desc {
+			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
+		}
+		if nameIndices == nil && descIndices == nil {
+			continue
+		}
+		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
+		if desc {
+			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
+		}
+		res = append(res, searchResult{
+			NameIndices: nameIndices,
+			DescIndices: descIndices,
+			Score:       score,
+			metadata:    p,
+		})
+	}
+	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
+	expiry := time.Now().Add(1 * time.Minute)
+	entry = searchCacheEntry{
+		query:   search,
+		results: res,
+		expiry:  expiry,
+	}
+	index.search[query] = entry
+
+	return len(res), res[i:min(i+limit, len(entry.results))], nil
+}
+func (s *searchCache) clean() {
+	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
+		return v.expiry.Before(time.Now())
+	})
+}
+func indexsum(in [][]int) int {
+	sum := 0
+	for i := 0; i < len(in); i++ {
+		sum += in[i][1] - in[i][0]
+	}
+	return sum
+}
--- a/cmd/mbf/internal/pkgserver/ui/index.html
+++ b/cmd/mbf/internal/pkgserver/ui/index.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="style.css">
+    <link rel="icon" href="https://hakurei.app/favicon.ico"/>
+    <title>Rosa OS Packages</title>
+    <script src="index.js"></script>
+</head>
+<body>
+<h1>Rosa OS Packages</h1>
+<div class="top-controls" id="top-controls-regular">
+    <p>Showing entries <span id="entry-counter"></span>.</p>
+    <span id="search-bar">
+        <label for="search">Search: </label>
+        <input type="text" name="search" id="search"/>
+        <button onclick="doSearch()">Find</button>
+        <label for="include-desc">Include descriptions: </label>
+        <input type="checkbox" name="include-desc" id="include-desc" checked/>
+    </span>
+    <div><label for="count">Entries per page: </label><select name="count" id="count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <div><label for="sort">Sort by: </label><select name="sort" id="sort">
+        <option value="0">Definition (ascending)</option>
+        <option value="1">Definition (descending)</option>
+        <option value="2">Name (ascending)</option>
+        <option value="3">Name (descending)</option>
+        <option value="4">Size (ascending)</option>
+        <option value="5">Size (descending)</option>
+    </select></div>
+</div>
+<div class="top-controls" id="search-top-controls" hidden>
+    <p>Showing search results <span id="search-entry-counter"></span> for query "<span id="search-query"></span>".</p>
+    <button onclick="exitSearch()">Back</button>
+    <div><label for="search-count">Entries per page: </label><select name="search-count" id="search-count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <p>Sorted by best match</p>
+</div>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<table id="pkg-list">
+    <tr><td>Loading...</td></tr>
+</table>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<footer>
+    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
+</footer>
+<script>main();</script>
+</body>
+</html>
--- a/cmd/mbf/internal/pkgserver/ui/index.ts
+++ b/cmd/mbf/internal/pkgserver/ui/index.ts
@@ -0,0 +1,331 @@
+interface PackageIndexEntry {
+    name: string
+    size?: number
+    description?: string
+    website?: string
+    version?: string
+    report?: boolean
+}
+
+function entryToHTML(entry: PackageIndexEntry | SearchResult): HTMLTableRowElement {
+    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
+    let s = entry.size != null && entry.size > 0 ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
+    let n: string
+    let d: string
+    if ('name_matches' in entry) {
+        n = `<h2>${nameMatches(entry as SearchResult)} ${v}</h2>`
+    } else {
+        n = `<h2>${escapeHtml(entry.name)} ${v}</h2>`
+    }
+    if ('desc_matches' in entry && STATE.getIncludeDescriptions()) {
+        d = descMatches(entry as SearchResult)
+    } else {
+        d = (entry as PackageIndexEntry).description != null ? `<p>${escapeHtml((entry as PackageIndexEntry).description)}</p>` : ""
+    }
+    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
+    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
+    let row = <HTMLTableRowElement>(document.createElement('tr'))
+    row.innerHTML = `<td>
+            ${n}
+            ${d}
+            ${s}
+            ${w}
+            ${r}
+        </td>`
+    return row
+}
+
+function nameMatches(sr: SearchResult): string {
+    return markMatches(sr.name, sr.name_matches)
+}
+
+function descMatches(sr: SearchResult): string {
+    return markMatches(sr.description!, sr.desc_matches)
+}
+
+function markMatches(str: string, indices: [number, number][]): string {
+    if (indices == null) {
+        return str
+    }
+    let out: string = ""
+    let j = 0
+    for (let i = 0; i < str.length; i++) {
+        if (j < indices.length) {
+            if (i === indices[j][0]) {
+                out += `<mark>${escapeHtmlChar(str[i])}`
+                continue
+            }
+            if (i === indices[j][1]) {
+                out += `</mark>${escapeHtmlChar(str[i])}`
+                j++
+                continue
+            }
+        }
+        out += escapeHtmlChar(str[i])
+    }
+    if (indices[j] !== undefined) {
+        out += "</mark>"
+    }
+    return out
+}
+
+function toByteSizeString(bytes: number): string {
+    if (bytes == null) return `unspecified`
+    if (bytes < 1024) return `${bytes}B`
+    if (bytes < Math.pow(1024, 2)) return `${(bytes / 1024).toFixed(2)}kiB`
+    if (bytes < Math.pow(1024, 3)) return `${(bytes / Math.pow(1024, 2)).toFixed(2)}MiB`
+    if (bytes < Math.pow(1024, 4)) return `${(bytes / Math.pow(1024, 3)).toFixed(2)}GiB`
+    if (bytes < Math.pow(1024, 5)) return `${(bytes / Math.pow(1024, 4)).toFixed(2)}TiB`
+    return "not only is it big, it's large"
+}
+
+const API_VERSION = 1
+const ENDPOINT = `/api/v${API_VERSION}`
+
+interface InfoPayload {
+    count?: number
+    hakurei_version?: string
+}
+
+async function infoRequest(): Promise<InfoPayload> {
+    const res = await fetch(`${ENDPOINT}/info`)
+    const payload = await res.json()
+    return payload as InfoPayload
+}
+
+interface GetPayload {
+    values?: PackageIndexEntry[]
+}
+
+enum SortOrders {
+    DeclarationAscending,
+    DeclarationDescending,
+    NameAscending,
+    NameDescending
+}
+
+async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
+    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
+    const payload = await res.json()
+    return payload as GetPayload
+}
+
+interface SearchResult extends PackageIndexEntry {
+    name_matches: [number, number][]
+    desc_matches: [number, number][]
+    score: number
+}
+
+interface SearchPayload {
+    count?: number
+    values?: SearchResult[]
+}
+
+async function searchRequest(limit: number, index: number, search: string, desc: boolean): Promise<SearchPayload> {
+    const res = await fetch(`${ENDPOINT}/search?limit=${limit}&index=${index}&search=${encodeURIComponent(search)}&desc=${desc}`)
+    if (!res.ok) {
+        exitSearch()
+        alert("invalid search query!")
+        return Promise.reject(res.statusText)
+    }
+    const payload = await res.json()
+    return payload as SearchPayload
+}
+
+class State {
+    entriesPerPage: number = 10
+    entryIndex: number = 0
+    maxTotal: number = 0
+    maxEntries: number = 0
+    sort: SortOrders = SortOrders.DeclarationAscending
+    search: boolean = false
+
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
+    }
+
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updatePage()
+        this.updateRange()
+        this.updateListings()
+    }
+
+    getMaxTotal(): number {
+        return this.maxTotal
+    }
+
+    setMaxTotal(max: number) {
+        this.maxTotal = max
+    }
+
+    getSortOrder(): SortOrders {
+        return this.sort
+    }
+
+    setSortOrder(sortOrder: SortOrders) {
+        this.sort = sortOrder
+        this.setEntryIndex(0)
+    }
+
+    updatePage() {
+        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
+        for (let e of document.getElementsByClassName("page-number")) {
+            (e as HTMLInputElement).value = String(page)
+        }
+    }
+
+    updateRange() {
+        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxTotal())
+        document.getElementById("entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxTotal()}`
+        if (this.search) {
+            document.getElementById("search-entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.maxTotal}/${this.maxEntries}`
+            document.getElementById("search-query")!.innerHTML = `<code>${escapeHtml(this.getSearchQuery())}</code>`
+        }
+    }
+
+    getSearchQuery(): string {
+        let queryString = document.getElementById("search")!;
+        return (queryString as HTMLInputElement).value
+    }
+
+    getIncludeDescriptions(): boolean {
+        let includeDesc = document.getElementById("include-desc")!;
+        return (includeDesc as HTMLInputElement).checked
+    }
+
+    updateListings() {
+        if (this.search) {
+            searchRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSearchQuery(), this.getIncludeDescriptions())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                    STATE.maxTotal = res.count!
+                    STATE.updateRange()
+                    if(res.count! < 1) {
+                        exitSearch()
+                        alert("no results found!")
+                    }
+                })
+        } else {
+            getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                })
+        }
+    }
+}
+
+let STATE: State
+
+
+function lastPageIndex(): number {
+    return Math.floor(STATE.getMaxTotal() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()
+}
+
+function setPage(page: number) {
+    STATE.setEntryIndex(Math.max(0, Math.min(STATE.getEntriesPerPage() * (page - 1), lastPageIndex())))
+}
+
+
+function escapeHtml(str?: string): string {
+    let out: string = ''
+    if (str == undefined) return ""
+    for (let i = 0; i < str.length; i++) {
+        out += escapeHtmlChar(str[i])
+    }
+    return out
+}
+
+function escapeHtmlChar(char: string): string {
+    if (char.length != 1) return char
+    switch (char[0]) {
+        case '&':
+            return "&amp;"
+        case '<':
+            return "&lt;"
+        case '>':
+            return "&gt;"
+        case '"':
+            return "&quot;"
+        case "'":
+            return "&apos;"
+        default:
+            return char
+    }
+}
+
+function firstPage() {
+    STATE.setEntryIndex(0)
+}
+
+function prevPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
+}
+
+function lastPage() {
+    STATE.setEntryIndex(lastPageIndex())
+}
+
+function nextPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.min(lastPageIndex(), index + STATE.getEntriesPerPage()))
+}
+
+function doSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = true;
+    STATE.setEntryIndex(0);
+}
+
+function exitSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = false;
+    STATE.setMaxTotal(STATE.maxEntries)
+    STATE.setEntryIndex(0)
+}
+
+function main() {
+    STATE = new State()
+    infoRequest()
+        .then(res => {
+            STATE.maxEntries = res.count!
+            STATE.setMaxTotal(STATE.maxEntries)
+            document.getElementById("hakurei-version")!.textContent = res.hakurei_version!
+            STATE.updateRange()
+            STATE.updateListings()
+        })
+    for (let e of document.getElementsByClassName("page-number")) {
+        e.addEventListener("change", (_) => {
+            setPage(parseInt((e as HTMLInputElement).value))
+        })
+    }
+    document.getElementById("count")?.addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("sort")?.addEventListener("change", (event) => {
+        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("search")?.addEventListener("keyup", (event) => {
+        if (event.key === 'Enter') doSearch()
+    })
+}
--- a/cmd/mbf/internal/pkgserver/ui/style.css
+++ b/cmd/mbf/internal/pkgserver/ui/style.css
@@ -0,0 +1,21 @@
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+
+@media (prefers-color-scheme: dark) {
+  html {
+    background-color: #2c2c2c;
+    color: ghostwhite;
+  }
+}
+@media (prefers-color-scheme: light) {
+  html {
+    background-color: #d3d3d3;
+    color: black;
+  }
+}
--- a/cmd/mbf/internal/pkgserver/ui/tsconfig.json
+++ b/cmd/mbf/internal/pkgserver/ui/tsconfig.json
@@ -0,0 +1,8 @@
+{
+  "compilerOptions": {
+    "target": "ES2024",
+    "strict": true,
+    "alwaysStrict": true,
+    "outDir": "static"
+  }
+}
--- a/cmd/mbf/internal/pkgserver/ui/ui.go
+++ b/cmd/mbf/internal/pkgserver/ui/ui.go
@@ -0,0 +1,9 @@
+// Package ui holds the static web UI.
+package ui
+
+import "net/http"
+
+// Register arranges for mux to serve the embedded frontend.
+func Register(mux *http.ServeMux) {
+	mux.Handle("GET /", http.FileServer(http.FS(static)))
+}
--- a/cmd/mbf/internal/pkgserver/ui/ui_full.go
+++ b/cmd/mbf/internal/pkgserver/ui/ui_full.go
@@ -0,0 +1,21 @@
+//go:build frontend
+
+package ui
+
+import (
+	"embed"
+	"io/fs"
+)
+
+//go:generate tsc
+//go:generate cp index.html style.css static
+//go:embed static
+var _static embed.FS
+
+var static = func() fs.FS {
+	if f, err := fs.Sub(_static, "static"); err != nil {
+		panic(err)
+	} else {
+		return f
+	}
+}()
--- a/cmd/mbf/internal/pkgserver/ui/ui_stub.go
+++ b/cmd/mbf/internal/pkgserver/ui/ui_stub.go
@@ -0,0 +1,7 @@
+//go:build !frontend
+
+package ui
+
+import "testing/fstest"
+
+var static fstest.MapFS
--- a/cmd/mbf/main.go
+++ b/cmd/mbf/main.go
@@ -20,6 +20,7 @@ import (
 	"io"
 	"log"
 	"net"
+	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -41,6 +42,9 @@ import (
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
+
+	"hakurei.app/cmd/mbf/internal/pkgserver"
+	"hakurei.app/cmd/mbf/internal/pkgserver/ui"
 )

 func main() {
@@ -54,34 +58,90 @@ func main() {
 		log.Fatal("this program must not run as root")
 	}

+	defer func() {
+		r := recover()
+		if r == nil {
+			return
+		}
+
+		switch r.(type) {
+		case rosa.LoadError, pkg.IRStringError:
+			log.Fatal(r)
+		default:
+			panic(r)
+		}
+	}()
+
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
 	defer stop()

 	var cm cache
-	defer func() {
-		cm.Close()
-
-		if r := recover(); r != nil {
-			fmt.Println(r)
-			log.Fatal("consider scrubbing the on-disk cache")
-		}
-	}()
+	defer func() { cm.Close() }()

 	var (
 		flagQuiet bool
+		flagQEMU  bool
+		flagArch  string
+		flagCheck bool
+		flagLTO   bool
+		flagPT    bool
+
+		flagSourcePath    string
+		flagCrossOverride int

 		addr net.UnixAddr
 	)
 	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) error {
+		if !rosa.Native().HasStageEarly() {
+			return pkg.UnsupportedArchError(runtime.GOARCH)
+		}
+
+		if flagPT {
+			log.Println("parsed in", rosa.ParseTime())
+		}
+
 		msg.SwapVerbose(!flagQuiet)
 		cm.ctx, cm.msg = ctx, msg
 		cm.base = os.ExpandEnv(cm.base)
+		if cm.base == "" {
+			cm.base = "cache"
+		}

 		addr.Net = "unix"
 		addr.Name = os.ExpandEnv(addr.Name)
 		if addr.Name == "" {
-			addr.Name = "daemon"
+			addr.Name = filepath.Join(cm.base, "daemon")
+		}
+
+		var flags int
+		if !flagCheck {
+			flags |= rosa.OptSkipCheck
+		}
+		if !flagLTO {
+			flags |= rosa.OptLLVMNoLTO
+		}
+		rosa.Native().DropCaches("", flags)
+		cross := flagArch != "" && flagArch != runtime.GOARCH
+		if flagQEMU || cross {
+			_, cm.qemu = rosa.Native().Std().MustLoad(rosa.H("qemu"))
+		}
+
+		if cross {
+			if flagCrossOverride != -1 {
+				flags = flagCrossOverride
+			}
+
+			rosa.Native().DropCaches(flagArch, flags)
+			if !rosa.Native().HasStageEarly() {
+				return pkg.UnsupportedArchError(flagArch)
+			}
+		}
+
+		if flagSourcePath != "" {
+			if err := rosa.Native().SetSource(os.DirFS(flagSourcePath)); err != nil {
+				return err
+			}
 		}

 		return nil
@@ -89,6 +149,30 @@ func main() {
 		&flagQuiet,
 		"q", command.BoolFlag(false),
 		"Do not print cure messages",
+	).Flag(
+		&flagQEMU,
+		"register", command.BoolFlag(false),
+		"Enable additional target architectures",
+	).Flag(
+		&flagArch,
+		"arch", command.StringFlag(runtime.GOARCH),
+		"Target architecture",
+	).Flag(
+		&flagLTO,
+		"lto", command.BoolFlag(false),
+		"Enable LTO in stage2 and stage3 LLVM toolchains",
+	).Flag(
+		&flagCheck,
+		"check", command.BoolFlag(true),
+		"Run test suites",
+	).Flag(
+		&flagCrossOverride,
+		"cross-flags", command.IntFlag(-1),
+		"Override non-native target preset flags",
+	).Flag(
+		&cm.verboseInit,
+		"v", command.BoolFlag(false),
+		"Do not suppress verbose output from init",
 	).Flag(
 		&cm.cures,
 		"cures", command.IntFlag(0),
@@ -116,12 +200,30 @@ func main() {
 		&addr.Name,
 		"socket", command.StringFlag("$MBF_DAEMON_SOCKET"),
 		"Pathname of socket to bind to",
+	).Flag(
+		&flagPT,
+		"parse-time", command.BoolFlag(false),
+		"Print duration of the initial azalea parse",
+	).Flag(
+		&flagSourcePath,
+		"source", command.StringFlag(""),
+		"Override hakurei source tree",
 	)

 	c.NewCommand(
 		"checksum", "Compute checksum of data read from standard input",
 		func([]string) error {
-			go func() { <-ctx.Done(); os.Exit(1) }()
+			done := make(chan struct{})
+			defer close(done)
+			go func() {
+				select {
+				case <-ctx.Done():
+					os.Exit(1)
+				case <-done:
+					return
+				}
+			}()
+
 			h := sha512.New384()
 			if _, err := io.Copy(h, os.Stdin); err != nil {
 				return err
@@ -155,6 +257,7 @@ func main() {

 	{
 		var (
+			flagBind   string
 			flagStatus bool
 			flagReport string
 		)
@@ -162,8 +265,52 @@ func main() {
 			"info",
 			"Display out-of-band metadata of an artifact",
 			func(args []string) (err error) {
-				return commandInfo(&cm, args, os.Stdout, flagStatus, flagReport)
+				const shutdownTimeout = 15 * time.Second
+
+				var r *rosa.Report
+				if flagReport != "" {
+					if r, err = rosa.OpenReport(flagReport); err != nil {
+						return err
+					}
+					defer func() {
+						if closeErr := r.Close(); err == nil {
+							err = closeErr
+						}
+					}()
+					defer r.HandleAccess(&err)()
+				}
+
+				if flagBind == "" {
+					return commandInfo(&cm, args, os.Stdout, flagStatus, r)
+				}
+
+				var mux http.ServeMux
+				ui.Register(&mux)
+				if err = pkgserver.Register(ctx, &mux, r); err != nil {
+					return
+				}
+
+				server := http.Server{Addr: flagBind, Handler: &mux}
+				go func() {
+					<-ctx.Done()
+					cc, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+					defer cancel()
+					if _err := server.Shutdown(cc); _err != nil {
+						log.Fatal(_err)
+					}
+				}()
+
+				msg.Verbosef("listening on %q", flagBind)
+				err = server.ListenAndServe()
+				if errors.Is(err, http.ErrServerClosed) {
+					err = nil
+				}
+				return
 			},
+		).Flag(
+			&flagBind,
+			"bind", command.StringFlag(""),
+			"TCP address for the server to listen on",
 		).Flag(
 			&flagStatus,
 			"status", command.BoolFlag(false),
@@ -222,12 +369,12 @@ func main() {
 				n atomic.Uint64
 			)

-			w := make(chan rosa.PArtifact)
+			w := make(chan rosa.ArtifactH)
 			var wg sync.WaitGroup
 			for range max(flagJobs, 1) {
 				wg.Go(func() {
 					for p := range w {
-						meta := rosa.GetMetadata(p)
+						meta, _ := rosa.Native().Std().MustLoad(p)
 						if meta.ID == 0 {
 							continue
 						}
@@ -240,12 +387,9 @@ func main() {
 							continue
 						}

-						if current, latest :=
-							rosa.Std.Version(p),
-							meta.GetLatest(v); current != latest {
-
+						if latest := meta.GetLatest(v); meta.Version != latest {
 							n.Add(1)
-							log.Printf("%s %s < %s", meta.Name, current, latest)
+							log.Printf("%s %s < %s", meta.Name, meta.Version, latest)
 							continue
 						}

@@ -255,9 +399,9 @@ func main() {
 			}

 		done:
-			for i := range rosa.PresetEnd {
+			for _, p := range rosa.Native().CollectAll() {
 				select {
-				case w <- rosa.PArtifact(i):
+				case w <- p:
 					break
 				case <-ctx.Done():
 					break done
@@ -295,16 +439,14 @@ func main() {
 		var (
 			flagGentoo   string
 			flagChecksum string
-
-			flagStage0 bool
 		)
 		c.NewCommand(
 			"stage3",
 			"Check for toolchain 3-stage non-determinism",
 			func(args []string) (err error) {
-				t := rosa.Std
+				s := rosa.Std
 				if flagGentoo != "" {
-					t -= 3 // magic number to discourage misuse
+					s -= 3 // magic number to discourage misuse

 					var checksum pkg.Checksum
 					if len(flagChecksum) != 0 {
@@ -312,7 +454,7 @@ func main() {
 							return
 						}
 					}
-					rosa.SetGentooStage3(flagGentoo, checksum)
+					rosa.Native().SetGentooStage3(flagGentoo, checksum)
 				}

 				var (
@@ -320,10 +462,10 @@ func main() {
 					checksum [2]unique.Handle[pkg.Checksum]
 				)

+				_llvm := rosa.H("llvm")
 				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					pathname, _, err = cache.Cure(
-						(t - 2).Load(rosa.Clang),
-					)
+					_, llvm := rosa.Native().New(s - 2).Load(_llvm)
+					pathname, _, err = cache.Cure(llvm)
 					return
 				}); err != nil {
 					return
@@ -331,18 +473,16 @@ func main() {
 				log.Println("stage1:", pathname)

 				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					pathname, checksum[0], err = cache.Cure(
-						(t - 1).Load(rosa.Clang),
-					)
+					_, llvm := rosa.Native().New(s - 1).Load(_llvm)
+					pathname, checksum[0], err = cache.Cure(llvm)
 					return
 				}); err != nil {
 					return
 				}
 				log.Println("stage2:", pathname)
 				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					pathname, checksum[1], err = cache.Cure(
-						t.Load(rosa.Clang),
-					)
+					_, llvm := rosa.Native().New(s).Load(_llvm)
+					pathname, checksum[1], err = cache.Cure(llvm)
 					return
 				}); err != nil {
 					return
@@ -360,19 +500,6 @@ func main() {
 						"("+pkg.Encode(checksum[0].Value())+")",
 					)
 				}
-
-				if flagStage0 {
-					if err = cm.Do(func(cache *pkg.Cache) (err error) {
-						pathname, _, err = cache.Cure(
-							t.Load(rosa.Stage0),
-						)
-						return
-					}); err != nil {
-						return
-					}
-					log.Println(pathname)
-				}
-
 				return
 			},
 		).Flag(
@@ -383,10 +510,6 @@ func main() {
 			&flagChecksum,
 			"checksum", command.StringFlag(""),
 			"Checksum of Gentoo stage3 tarball",
-		).Flag(
-			&flagStage0,
-			"stage0", command.BoolFlag(false),
-			"Create bootstrap stage0 tarball",
 		)
 	}

@@ -397,6 +520,11 @@ func main() {
 			flagExport  string
 			flagRemote  bool
 			flagNoReply bool
+			flagFaults  bool
+			flagPop     bool
+
+			flagBoot bool
+			flagStd  bool
 		)
 		c.NewCommand(
 			"cure",
@@ -405,8 +533,16 @@ func main() {
 				if len(args) != 1 {
 					return errors.New("cure requires 1 argument")
 				}
-				p, ok := rosa.ResolveName(args[0])
-				if !ok {
+
+				t := rosa.Std
+				if flagBoot {
+					t -= 2
+				} else if flagStd {
+					t -= 1
+				}
+
+				_, a := rosa.Native().New(t).Load(rosa.ArtifactH(unique.Make(args[0])))
+				if a == nil {
 					return fmt.Errorf("unknown artifact %q", args[0])
 				}

@@ -414,7 +550,7 @@ func main() {
 				default:
 					var pathname *check.Absolute
 					err := cm.Do(func(cache *pkg.Cache) (err error) {
-						pathname, _, err = cache.Cure(rosa.Std.Load(p))
+						pathname, _, err = cache.Cure(a)
 						return
 					})
 					if err != nil {
@@ -456,7 +592,7 @@ func main() {
 						return err
 					}

-					if err = pkg.NewIR().EncodeAll(f, rosa.Std.Load(p)); err != nil {
+					if err = pkg.NewIR().EncodeAll(f, a); err != nil {
 						_ = f.Close()
 						return err
 					}
@@ -467,7 +603,7 @@ func main() {
 					return cm.Do(func(cache *pkg.Cache) error {
 						return cache.EnterExec(
 							ctx,
-							rosa.Std.Load(p),
+							a,
 							true, os.Stdin, os.Stdout, os.Stderr,
 							rosa.AbsSystem.Append("bin", "mksh"),
 							"sh",
@@ -479,7 +615,6 @@ func main() {
 					if flagNoReply {
 						flags |= remoteNoReply
 					}
-					a := rosa.Std.Load(p)
 					pathname, err := cureRemote(ctx, &addr, a, flags)
 					if !flagNoReply && err == nil {
 						log.Println(pathname)
@@ -489,12 +624,55 @@ func main() {
 						cc, cancel := context.WithDeadline(context.Background(), daemonDeadline())
 						defer cancel()

-						if _err := cancelRemote(cc, &addr, a); _err != nil {
+						if _err := cancelRemote(cc, &addr, a, false); _err != nil {
 							log.Println(err)
 						}
 					}

 					return err
+
+				case flagFaults:
+					var faults []pkg.Fault
+					if err := cm.Do(func(cache *pkg.Cache) (err error) {
+						faults, err = cache.ReadFaults(a)
+						return
+					}); err != nil {
+						return err
+					}
+
+					for _, fault := range faults {
+						log.Printf("%s: %s ago", fault.String(), time.Since(fault.Time()))
+					}
+					return nil
+
+				case flagPop:
+					var faults []pkg.Fault
+					if err := cm.Do(func(cache *pkg.Cache) (err error) {
+						faults, err = cache.ReadFaults(a)
+						return
+					}); err != nil {
+						return err
+					}
+
+					if len(faults) == 0 {
+						return errors.New("no fault entries found")
+					}
+					fault := faults[len(faults)-1]
+					r, err := fault.Open()
+					if err != nil {
+						return err
+					}
+					if _, err = io.Copy(os.Stdout, r); err != nil {
+						_ = r.Close()
+						return err
+					}
+					fmt.Println()
+					if err = r.Close(); err != nil {
+						return err
+					}
+
+					log.Printf("faulting cure terminated %s ago", time.Since(fault.Time()))
+					return fault.Destroy()
 				}
 			},
 		).Flag(
@@ -517,13 +695,52 @@ func main() {
 			&flagNoReply,
 			"no-reply", command.BoolFlag(false),
 			"Do not receive a reply from the daemon",
+		).Flag(
+			&flagBoot,
+			"boot", command.BoolFlag(false),
+			"Build on the stage0 toolchain",
+		).Flag(
+			&flagStd,
+			"std", command.BoolFlag(false),
+			"Build on the intermediate toolchain",
+		).Flag(
+			&flagFaults,
+			"faults", command.BoolFlag(false),
+			"Display fault entries of the specified artifact",
+		).Flag(
+			&flagPop,
+			"pop", command.BoolFlag(false),
+			"Display and destroy the most recent fault entry",
 		)
 	}

+	c.NewCommand(
+		"clear",
+		"Remove all fault entries from the cache",
+		func([]string) error {
+			return cm.Do(func(*pkg.Cache) error {
+				pathname := filepath.Join(cm.base, "fault")
+				dents, err := os.ReadDir(pathname)
+				if err != nil {
+					return err
+				}
+
+				for _, dent := range dents {
+					msg.Verbosef("destroying entry %s", dent.Name())
+					if err = os.Remove(filepath.Join(pathname, dent.Name())); err != nil {
+						return err
+					}
+				}
+				log.Printf("destroyed %d fault entries", len(dents))
+				return nil
+			})
+		},
+	)
+
 	c.NewCommand(
 		"abort",
 		"Abort all pending cures on the daemon",
-		func([]string) error { return abortRemote(ctx, &addr) },
+		func([]string) error { return abortRemote(ctx, &addr, false) },
 	)

 	{
@@ -537,27 +754,26 @@ func main() {
 			"shell",
 			"Interactive shell in the specified Rosa OS environment",
 			func(args []string) error {
-				presets := make([]rosa.PArtifact, len(args)+3)
+				handles := make([]rosa.ArtifactH, len(args), len(args)+3)
 				for i, arg := range args {
-					p, ok := rosa.ResolveName(arg)
-					if !ok {
+					handles[i] = rosa.ArtifactH(unique.Make(arg))
+					if meta, _ := rosa.Native().Std().Load(handles[i]); meta == nil {
 						return fmt.Errorf("unknown artifact %q", arg)
 					}
-					presets[i] = p
 				}

-				base := rosa.Clang
+				base := rosa.H("llvm")
 				if !flagWithToolchain {
-					base = rosa.Musl
+					base = rosa.H("musl")
 				}
-				presets = append(presets,
+				handles = append(handles,
 					base,
-					rosa.Mksh,
-					rosa.Toybox,
+					rosa.H("mksh"),
+					rosa.H("toybox"),
 				)

 				root := make(pkg.Collect, 0, 6+len(args))
-				root = rosa.Std.AppendPresets(root, presets...)
+				root = rosa.Native().Std().Append(root, handles...)

 				if err := cm.Do(func(cache *pkg.Cache) error {
 					_, _, err := cache.Cure(&root)
@@ -618,6 +834,7 @@ func main() {
 				z.Hostname = "localhost"
 				z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
 				z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+				z.Quiet = !cm.verboseInit
 				if s, ok := os.LookupEnv("TERM"); ok {
 					z.Env = append(z.Env, "TERM="+s)
 				}
--- a/cmd/mbf/main_test.go
+++ b/cmd/mbf/main_test.go
@@ -0,0 +1,47 @@
+package main
+
+import (
+	"net"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/rosa"
+)
+
+func TestMain(m *testing.M) {
+	rosa.Native().DropCaches("", rosa.OptLLVMNoLTO)
+	os.Exit(m.Run())
+}
+
+func TestCureAll(t *testing.T) {
+	t.Parallel()
+	const env = "ROSA_TEST_DAEMON"
+
+	if !testing.Verbose() {
+		t.Skip("verbose flag not set")
+	}
+
+	pathname, ok := os.LookupEnv(env)
+	if !ok {
+		t.Skip(env + " not set")
+	}
+
+	addr := net.UnixAddr{Net: "unix", Name: pathname}
+	t.Cleanup(func() {
+		if t.Failed() {
+			if err := abortRemote(t.Context(), &addr, false); err != nil {
+				t.Fatal(err)
+			}
+		}
+	})
+
+	for _, handle := range rosa.Native().Collect() {
+		_, a := rosa.Native().Std().MustLoad(handle)
+		t.Run(handle.String(), func(t *testing.T) {
+			_, err := cureRemote(t.Context(), &addr, a, 0)
+			if err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
--- a/cmd/sharefs/test/configuration.nix
+++ b/cmd/sharefs/test/configuration.nix
@@ -20,11 +20,14 @@
  };

  virtualisation = {
+    # Hopefully reduces spurious test failures:
+    memorySize = if pkgs.stdenv.hostPlatform.is32bit then 2046 else 8192;
+
    diskSize = 6 * 1024;

    qemu.options = [
      # Increase test performance:
-      "-smp 8"
+      "-smp 16"
    ];
  };

--- a/cmd/sharefs/test/default.nix
+++ b/cmd/sharefs/test/default.nix
@@ -28,7 +28,7 @@ testers.nixosTest {
        # For go tests:
        (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
          cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
-          ${fhs}/bin/hakurei-fhs -c 'CC="clang -O3 -Werror" go test ./...'
+          ${fhs}/bin/hakurei-fhs -c 'ROSA_SKIP_BINFMT=1 CC="clang -O3 -Werror" go test ./...'
        '')
      ];

--- a/container/binfmt.go
+++ b/container/binfmt.go
@@ -0,0 +1,46 @@
+package container
+
+import (
+	"strings"
+	"unsafe"
+
+	"hakurei.app/check"
+)
+
+// escapeBinfmt escapes magic/mask sequences in a [BinfmtEntry].
+func escapeBinfmt(buf *strings.Builder, s string) string {
+	const lowerhex = "0123456789abcdef"
+
+	buf.Reset()
+	for _, c := range unsafe.Slice(unsafe.StringData(s), len(s)) {
+		switch c {
+		case 0, '\\', ':':
+			buf.WriteString(`\x`)
+			buf.WriteByte(lowerhex[c>>4])
+			buf.WriteByte(lowerhex[c&0xf])
+
+		default:
+			buf.WriteByte(c)
+		}
+	}
+	return buf.String()
+}
+
+// BinfmtEntry is an entry to be registered by the init process.
+type BinfmtEntry struct {
+	// The offset of the magic/mask in the file, counted in bytes.
+	Offset byte
+	// The byte sequence binfmt_misc is matching for.
+	Magic string
+	// An (optional, defaults to all 0xff) mask.
+	Mask string
+	// The program that should be invoked with the binary as first argument.
+	Interpreter *check.Absolute
+}
+
+// Valid returns whether e can be registered into the kernel.
+func (e *BinfmtEntry) Valid() bool {
+	return e != nil &&
+		int(e.Offset)+max(len(e.Magic), len(e.Mask)) < 128 &&
+		e.Interpreter != nil && len(e.Interpreter.String()) < 128
+}
--- a/container/binfmt_test.go
+++ b/container/binfmt_test.go
@@ -0,0 +1,62 @@
+package container
+
+import (
+	"strings"
+	"testing"
+
+	"hakurei.app/fhs"
+)
+
+func TestEscapeBinfmt(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		magic string
+		want  string
+	}{
+		{"packed DOS applications", "\x0eDEX", "\x0eDEX"},
+
+		{"riscv64 magic",
+			"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
+			"\x7fELF\x02\x01\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\x02\\x00\xf3\\x00"},
+		{"riscv64 mask",
+			"\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			"\xff\xff\xff\xff\xff\xff\xff\\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := escapeBinfmt(new(strings.Builder), tc.magic)
+			if got != tc.want {
+				t.Errorf("escapeBinfmt: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestBinfmtEntry(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name  string
+		e     BinfmtEntry
+		valid bool
+	}{
+		{"zero", BinfmtEntry{}, false},
+		{"large offset", BinfmtEntry{Offset: 128}, false},
+		{"long magic", BinfmtEntry{Magic: strings.Repeat("\x00", 128)}, false},
+		{"long mask", BinfmtEntry{Mask: strings.Repeat("\x00", 128)}, false},
+		{"valid", BinfmtEntry{Interpreter: fhs.AbsRoot}, true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if tc.e.Valid() != tc.valid {
+				t.Errorf("Valid: %v", !tc.valid)
+			}
+		})
+	}
+}
--- a/container/capability.go
+++ b/container/capability.go
@@ -18,6 +18,7 @@ const (
 	CAP_SETPCAP      = 0x8
 	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
+	CAP_SETFCAP      = 0x1f
 )

 type (
--- a/container/container.go
+++ b/container/container.go
@@ -67,6 +67,9 @@ type (
 		// Copied to the underlying [exec.Cmd].
 		WaitDelay time.Duration

+		// Suppress verbose output of init.
+		Quiet bool
+
 		cmd *exec.Cmd
 		ctx context.Context
 		msg message.Msg
@@ -88,12 +91,20 @@ type (
 		// Time to wait for processes lingering after the initial process terminates.
 		AdoptWaitDelay time.Duration

+		// Map uid/gid 0 in the init process. Requires [FstypeProc] attached to
+		// [fhs.Proc] in the container filesystem.
+		InitAsRoot bool
 		// Mapped Uid in user namespace.
 		Uid int
 		// Mapped Gid in user namespace.
 		Gid int
 		// Hostname value in UTS namespace.
 		Hostname string
+		// Register binfmt_misc entries.
+		Binfmt []BinfmtEntry
+		// Alternative pathname to attach binfmt_misc filesystem. The zero value
+		// requires [FstypeProc] to be made available at [fhs.Proc].
+		BinfmtPath *check.Absolute
 		// Sequential container setup ops.
 		*Ops

@@ -213,6 +224,9 @@ func (p *Container) Start() error {
 	if p.cmd.Process != nil {
 		return errors.New("container: already started")
 	}
+	if !p.InitAsRoot && len(p.Binfmt) > 0 {
+		return errors.New("container: init as root required, but not enabled")
+	}

 	if err := ensureCloseOnExec(); err != nil {
 		return err
@@ -283,6 +297,18 @@ func (p *Container) Start() error {
 	if !p.HostNet {
 		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
 	}
+	if p.InitAsRoot {
+		p.cmd.SysProcAttr.AmbientCaps = append(p.cmd.SysProcAttr.AmbientCaps,
+			// mappings during init as root
+			CAP_SETFCAP,
+		)
+
+		if !p.SeccompDisable &&
+			len(p.SeccompRules) == 0 &&
+			p.SeccompPresets&std.PresetDenyNS != 0 {
+			return errors.New("container: as root requires late namespace creation")
+		}
+	}

 	// place setup pipe before user supplied extra files, this is later restored by init
 	if r, w, err := os.Pipe(); err != nil {
@@ -342,8 +368,6 @@ func (p *Container) Start() error {
 						Err:    ENOSYS,
 						Origin: true,
 					}
-				} else {
-					p.msg.Verbosef("landlock abi version %d", abi)
 				}

 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
@@ -353,7 +377,6 @@ func (p *Container) Start() error {
 						Err:   err,
 					}
 				} else {
-					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
 					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
@@ -410,7 +433,6 @@ func (p *Container) Start() error {
 				}
 			}

-			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return &StartError{
 					Step:        "start container init",
@@ -481,7 +503,6 @@ func (p *Container) Serve() (err error) {
 			}

 		case <-done:
-			p.msg.Verbose("setup payload took", time.Since(t))
 			return
 		}
 	}(p.setup[1])
@@ -491,7 +512,7 @@ func (p *Container) Serve() (err error) {
 		Getuid(),
 		Getgid(),
 		len(p.ExtraFiles),
-		p.msg.IsVerbose(),
+		p.msg.IsVerbose() && !p.Quiet,
 	})
 }

--- a/container/container_test.go
+++ b/container/container_test.go
@@ -16,6 +16,8 @@ import (
 	"strings"
 	"syscall"
 	"testing"
+	"time"
+	"unsafe"

 	"hakurei.app/check"
 	"hakurei.app/command"
@@ -233,6 +235,9 @@ func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*v
 	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
 }

+//go:linkname toHost hakurei.app/container.toHost
+func toHost(name string) string
+
 var containerTestCases = []struct {
 	name    string
 	filter  bool
@@ -332,13 +337,15 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"rw,lowerdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"rw"+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",upperdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("upper")).(*check.Absolute).String())+
 						",workdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
+						toHost(ctx.Value(testVal("work")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
@@ -388,9 +395,11 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"ro,lowerdir="+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
-						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"ro"+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
+						",lowerdir+="+
+						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
@@ -400,39 +409,11 @@ var containerTestCases = []struct {
 func TestContainer(t *testing.T) {
 	t.Parallel()

-	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
-		wantErr := context.Canceled
-		wantExitCode := 0
-		if err := c.Wait(); !reflect.DeepEqual(err, wantErr) {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %#v, want %#v", err, wantErr)
-		}
-		if ps := c.ProcessState(); ps == nil {
-			t.Errorf("ProcessState unexpectedly returned nil")
-		} else if code := ps.ExitCode(); code != wantExitCode {
-			t.Errorf("ExitCode: %d, want %d", code, wantExitCode)
-		}
-	}))
-
-	t.Run("forward", testContainerCancel(func(c *container.Container) {
-		c.ForwardCancel = true
-	}, func(t *testing.T, c *container.Container) {
-		var exitError *exec.ExitError
-		if err := c.Wait(); !errors.As(err, &exitError) {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %v", err)
-		}
-		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
-			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
-		}
-	}))
-
+	var suffix string
+runTests:
 	for i, tc := range containerTestCases {
-		t.Run(tc.name, func(t *testing.T) {
+		_suffix := suffix
+		t.Run(tc.name+_suffix, func(t *testing.T) {
 			t.Parallel()

 			wantOps, wantOpsCtx := tc.ops(t)
@@ -456,6 +437,8 @@ func TestContainer(t *testing.T) {
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
+			c.InitAsRoot = _suffix != ""
+			c.Env = append(c.Env, "HAKUREI_TEST_SUFFIX="+_suffix)
 			if info.CanDegrade {
 				if _, err := landlock.GetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
@@ -465,6 +448,9 @@ func TestContainer(t *testing.T) {
 					t.Log("Landlock LSM is unavailable, enabling HostAbstract")
 				}
 			}
+			if c.InitAsRoot {
+				c.SeccompPresets &= ^std.PresetDenyNS
+			}

 			c.
 				Readonly(check.MustAbs(pathReadonly), 0755).
@@ -533,6 +519,11 @@ func TestContainer(t *testing.T) {
 			}
 		})
 	}
+
+	if suffix == "" {
+		suffix = " as root"
+		goto runTests
+	}
 }

 func ent(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
@@ -555,49 +546,118 @@ func hostnameFromTestCase(name string) string {
 }

 func testContainerCancel(
+	t *testing.T,
 	containerExtra func(c *container.Container),
-	waitCheck func(t *testing.T, c *container.Container),
-) func(t *testing.T) {
-	return func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithCancel(t.Context())
+	waitCheck func(ps *os.ProcessState, waitErr error),
+) {
+	ctx, cancel := context.WithCancel(t.Context())

-		c := helperNewContainer(ctx, "block")
-		c.Stdout, c.Stderr = os.Stdout, os.Stderr
-		if containerExtra != nil {
-			containerExtra(c)
-		}
-
-		ready := make(chan struct{})
-		if r, w, err := os.Pipe(); err != nil {
-			t.Fatalf("cannot pipe: %v", err)
-		} else {
-			c.ExtraFiles = append(c.ExtraFiles, w)
-			go func() {
-				defer close(ready)
-				if _, err = r.Read(make([]byte, 1)); err != nil {
-					panic(err.Error())
-				}
-			}()
-		}
-
-		if err := c.Start(); err != nil {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Fatal(m)
-			} else {
-				t.Fatalf("cannot start container: %v", err)
-			}
-		} else if err = c.Serve(); err != nil {
-			if m, ok := container.InternalMessageFromError(err); ok {
-				t.Error(m)
-			} else {
-				t.Errorf("cannot serve setup params: %v", err)
-			}
-		}
-		<-ready
-		cancel()
-		waitCheck(t, c)
+	c := helperNewContainer(ctx, "block")
+	c.Stdout, c.Stderr = os.Stdout, os.Stderr
+	if containerExtra != nil {
+		containerExtra(c)
 	}
+
+	ready := make(chan struct{})
+	var waitErr error
+	r, w, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("cannot pipe: %v", err)
+	}
+
+	c.ExtraFiles = append(c.ExtraFiles, w)
+	go func() {
+		defer close(ready)
+		if _, _err := r.Read(make([]byte, 1)); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = c.Start(); err != nil {
+		if m, ok := container.InternalMessageFromError(err); ok {
+			t.Fatal(m)
+		} else {
+			t.Fatalf("cannot start container: %v", err)
+		}
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		waitErr = c.Wait()
+		_ = r.SetReadDeadline(time.Now())
+	}()
+
+	if err = c.Serve(); err != nil {
+		if m, ok := container.InternalMessageFromError(err); ok {
+			t.Error(m)
+		} else {
+			t.Errorf("cannot serve setup params: %v", err)
+		}
+	}
+	<-ready
+	cancel()
+	<-done
+	waitCheck(c.ProcessState(), waitErr)
+}
+
+func TestForward(t *testing.T) {
+	t.Parallel()
+
+	f := func(ps *os.ProcessState, waitErr error) {
+		var exitError *exec.ExitError
+		if !errors.As(waitErr, &exitError) {
+			if m, ok := container.InternalMessageFromError(waitErr); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %v", waitErr)
+		}
+		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
+			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
+		}
+	}
+	t.Run("direct", func(t *testing.T) {
+		t.Parallel()
+		testContainerCancel(t, func(c *container.Container) {
+			c.ForwardCancel = true
+		}, f)
+	})
+	t.Run("as root", func(t *testing.T) {
+		testContainerCancel(t, func(c *container.Container) {
+			c.ForwardCancel = true
+			c.InitAsRoot = true
+			c.Proc(fhs.AbsProc)
+		}, f)
+	})
+}
+
+func TestCancel(t *testing.T) {
+	t.Parallel()
+
+	f := func(ps *os.ProcessState, waitErr error) {
+		wantErr := context.Canceled
+		if !reflect.DeepEqual(waitErr, wantErr) {
+			if m, ok := container.InternalMessageFromError(waitErr); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %#v, want %#v", waitErr, wantErr)
+		}
+		if ps == nil {
+			t.Errorf("ProcessState unexpectedly returned nil")
+		} else if code := ps.ExitCode(); code != 0 {
+			t.Errorf("ExitCode: %d, want %d", code, 0)
+		}
+	}
+	t.Run("direct", func(t *testing.T) {
+		t.Parallel()
+		testContainerCancel(t, nil, f)
+	})
+	t.Run("as root", func(t *testing.T) {
+		testContainerCancel(t, func(c *container.Container) {
+			c.InitAsRoot = true
+			c.Proc(fhs.AbsProc)
+		}, f)
+	})
 }

 func TestContainerString(t *testing.T) {
@@ -633,6 +693,8 @@ func init() {
 		})

 		c.Command("container", command.UsageInternal, func(args []string) error {
+			asRoot := os.Getenv("HAKUREI_TEST_SUFFIX") == " as root"
+
 			if len(args) != 1 {
 				return syscall.EINVAL
 			}
@@ -650,6 +712,66 @@ func init() {
 				return fmt.Errorf("gid: %d, want %d", gid, tc.gid)
 			}

+			// no attack surface increase during as root due to no_new_privs
+			var wantBounding uintptr = 1
+			asRootNot := " not"
+			if !asRoot {
+				wantBounding = 0
+				asRootNot = ""
+			}
+
+			const (
+				PR_CAP_AMBIENT        = 0x2f
+				PR_CAP_AMBIENT_IS_SET = 0x1
+			)
+			for i := range container.LastCap(nil) + 1 {
+				r, _, errno := syscall.Syscall(
+					syscall.SYS_PRCTL,
+					PR_CAP_AMBIENT,
+					PR_CAP_AMBIENT_IS_SET,
+					i,
+				)
+				if errno != 0 {
+					return os.NewSyscallError("prctl", errno)
+				}
+				if r != 0 {
+					return fmt.Errorf("capability %d in ambient set", i)
+				}
+
+				r, _, errno = syscall.Syscall(
+					syscall.SYS_PRCTL,
+					syscall.PR_CAPBSET_READ,
+					i,
+					0,
+				)
+				if errno != 0 {
+					return os.NewSyscallError("prctl", errno)
+				}
+				if r != wantBounding {
+					return fmt.Errorf("capability %d%s in bounding set", i, asRootNot)
+				}
+			}
+
+			const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
+			var capData struct {
+				effective   uint32
+				permitted   uint32
+				inheritable uint32
+			}
+			if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&struct {
+				version uint32
+				pid     int32
+			}{_LINUX_CAPABILITY_VERSION_3, 0})), uintptr(unsafe.Pointer(&capData)), 0); errno != 0 {
+				return os.NewSyscallError("capget", errno)
+			}
+
+			if max(capData.effective, capData.permitted, capData.inheritable) != 0 {
+				return fmt.Errorf(
+					"effective = %d, permitted = %d, inheritable = %d",
+					capData.effective, capData.permitted, capData.inheritable,
+				)
+			}
+
 			wantHost := hostnameFromTestCase(tc.name)
 			if host, err := os.Hostname(); err != nil {
 				return fmt.Errorf("cannot get hostname: %v", err)
@@ -767,7 +889,7 @@ func TestMain(m *testing.M) {
 		}
 		c.MustParse(os.Args[1:], func(err error) {
 			if err != nil {
-				log.Fatal(err.Error())
+				log.Fatal(err)
 			}
 		})
 		return
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -65,6 +65,8 @@ type syscallDispatcher interface {
 	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
+	// mountOverlay provides mountOverlay.
+	mountOverlay(target string, options [][2]string) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
@@ -169,6 +171,9 @@ func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	return mountTmpfs(k, fsname, target, flags, size, perm)
 }
+func (k direct) mountOverlay(target string, options [][2]string) error {
+	return mountOverlay(target, options)
+}
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -468,6 +468,14 @@ func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 		stub.CheckArg(k.Stub, "perm", perm, 4))
 }

+func (k *kstub) mountOverlay(target string, options [][2]string) error {
+	k.Helper()
+	return k.Expects("mountOverlay").Error(
+		stub.CheckArg(k.Stub, "target", target, 0),
+		stub.CheckArgReflect(k.Stub, "options", options, 1),
+	)
+}
+
 func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 	k.Helper()
 	return k.Expects("ensureFile").Error(
--- a/container/errors.go
+++ b/container/errors.go
@@ -118,6 +118,10 @@ func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {

 // mount wraps syscall.Mount for error handling.
 func mount(source, target, fstype string, flags uintptr, data string) error {
+	if max(len(source), len(target), len(data))+1 > os.Getpagesize() {
+		return &MountError{source, target, fstype, flags, data, syscall.ENOMEM}
+	}
+
 	err := syscall.Mount(source, target, fstype, flags, data)
 	if err == nil {
 		return nil
--- a/container/init.go
+++ b/container/init.go
@@ -11,11 +11,13 @@ import (
 	"path/filepath"
 	"slices"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	. "syscall"
 	"time"

+	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
@@ -182,23 +184,33 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		cancel()
 	}

+	uid, gid := param.Uid, param.Gid
+	if param.InitAsRoot {
+		uid, gid = 0, 0
+	}
+
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
-	if err := k.writeFile(fhs.Proc+"self/uid_map",
-		append([]byte{}, strconv.Itoa(param.Uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"...),
-		0); err != nil {
+	if err := k.writeFile(
+		fhs.Proc+"self/uid_map",
+		[]byte(strconv.Itoa(uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"),
+		0,
+	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.writeFile(fhs.Proc+"self/setgroups",
+	if err := k.writeFile(
+		fhs.Proc+"self/setgroups",
 		[]byte("deny\n"),
-		0); err != nil && !os.IsNotExist(err) {
+		0,
+	); err != nil && !os.IsNotExist(err) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/gid_map",
-		append([]byte{}, strconv.Itoa(param.Gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"...),
-		0); err != nil {
+		[]byte(strconv.Itoa(gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"),
+		0,
+	); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
@@ -223,6 +235,23 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	state := &setupState{process: make(map[int]WaitStatus), Params: &param.Params, Msg: msg, Context: ctx}
 	defer cancel()

+	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
+	}
+	if err := k.chdir(intermediateHostPath); err != nil {
+		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
+	}
+
+	if len(param.Binfmt) > 0 {
+		for i, e := range param.Binfmt {
+			if pathname, err := k.evalSymlinks(e.Interpreter.String()); err != nil {
+				k.fatal(msg, err)
+			} else if param.Binfmt[i].Interpreter, err = check.NewAbs(pathname); err != nil {
+				k.fatal(msg, err)
+			}
+		}
+	}
+
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be
 	difficult to obtain via library functions after pivot_root, and
@@ -242,13 +271,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

-	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
-		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
-	}
-	if err := k.chdir(intermediateHostPath); err != nil {
-		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
-	}
-
 	if err := k.mkdir(sysrootDir, 0755); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -285,6 +307,48 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

+	if len(param.Binfmt) > 0 {
+		const interpreter = "/interpreter"
+
+		if param.BinfmtPath == nil {
+			param.BinfmtPath = fhs.AbsProcSys.Append("fs/binfmt_misc")
+		}
+		binfmt := sysrootPath + param.BinfmtPath.String()
+		if err := k.mkdirAll(binfmt, 0); err != nil {
+			k.fatal(msg, err)
+		}
+		if err := k.mount(
+			SourceBinfmtMisc,
+			binfmt,
+			FstypeBinfmtMisc,
+			MS_NOSUID|MS_NOEXEC|MS_NODEV,
+			zeroString,
+		); err != nil {
+			k.fatal(msg, err)
+		}
+
+		var buf strings.Builder
+		buf.Grow(1920)
+
+		register := binfmt + "/register"
+		for i, e := range param.Binfmt {
+			if err := k.symlink(hostPath+e.Interpreter.String(), interpreter); err != nil {
+				k.fatal(msg, err)
+			} else if err = k.writeFile(register, []byte(":"+
+				strconv.Itoa(i)+":"+
+				"M:"+
+				strconv.Itoa(int(e.Offset))+":"+
+				escapeBinfmt(&buf, e.Magic)+":"+
+				escapeBinfmt(&buf, e.Mask)+":"+
+				interpreter+":"+
+				"F"), 0); err != nil {
+				k.fatal(msg, err)
+			} else if err = k.remove(interpreter); err != nil {
+				k.fatal(msg, err)
+			}
+		}
+	}
+
 	// setup requiring host root complete at this point
 	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
 		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
@@ -323,11 +387,19 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

+	var keepCaps []uintptr
+	if param.Privileged {
+		keepCaps = append(keepCaps, CAP_SYS_ADMIN, CAP_SETPCAP)
+	}
+	if param.InitAsRoot {
+		keepCaps = append(keepCaps, CAP_SETFCAP)
+	}
+
 	if err := k.capAmbientClearAll(); err != nil {
 		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
-	for i := uintptr(0); i <= lastcap; i++ {
-		if param.Privileged && i == CAP_SYS_ADMIN {
+	for i := range lastcap + 1 {
+		if slices.Contains(keepCaps, i) {
 			continue
 		}
 		if err := k.capBoundingSetDrop(i); err != nil {
@@ -336,20 +408,23 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	var keep [2]uint32
-	if param.Privileged {
-		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)
-
-		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
-			k.fatalf(msg, "cannot raise CAP_SYS_ADMIN: %v", err)
-		}
+	for _, c := range keepCaps {
+		keep[capToIndex(c)] |= capToMask(c)
 	}
+
 	if err := k.capset(
 		&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
-		&[2]capData{{0, keep[0], keep[0]}, {0, keep[1], keep[1]}},
+		&[2]capData{{keep[0], keep[0], keep[0]}, {keep[1], keep[1], keep[1]}},
 	); err != nil {
 		k.fatalf(msg, "cannot capset: %v", err)
 	}

+	for _, c := range keepCaps {
+		if err := k.capAmbientRaise(c); err != nil {
+			k.fatalf(msg, "cannot raise %#x: %v", c, err)
+		}
+	}
+
 	if !param.SeccompDisable {
 		rules := param.SeccompRules
 		if len(rules) == 0 { // non-empty rules slice always overrides presets
@@ -474,6 +549,14 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	cmd.ExtraFiles = extraFiles
 	cmd.Dir = param.Dir.String()

+	if param.InitAsRoot {
+		cmd.SysProcAttr = &SysProcAttr{
+			Cloneflags:  CLONE_NEWUSER,
+			UidMappings: []SysProcIDMap{{ContainerID: param.Uid, HostID: 0, Size: 1}},
+			GidMappings: []SysProcIDMap{{ContainerID: param.Gid, HostID: 0, Size: 1}},
+		}
+	}
+
 	msg.Verbosef("starting initial process %s", param.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
--- a/container/init_test.go
+++ b/container/init_test.go
@@ -332,6 +332,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -370,6 +372,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -408,6 +412,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", stub.UniqueError(61)),
 				call("fatalf", stub.ExpectArgs{"cannot prepare op at index %d: %v", []any{0, stub.UniqueError(61)}}, nil, nil),
@@ -447,6 +453,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", &os.PathError{Op: "readlink", Path: "/", Err: stub.UniqueError(60)}),
 				call("fatal", stub.ExpectArgs{[]any{"cannot readlink /: unique error 60 injected by the test suite"}}, nil, nil),
@@ -486,9 +494,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				/* begin early */
-				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
-				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, stub.UniqueError(58)),
 				call("fatalf", stub.ExpectArgs{"cannot mount intermediate root: %v", []any{stub.UniqueError(58)}}, nil, nil),
 			},
@@ -526,9 +531,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				/* begin early */
-				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
-				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
 				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, stub.UniqueError(56)),
 				call("fatalf", stub.ExpectArgs{"cannot enter intermediate host path: %v", []any{stub.UniqueError(56)}}, nil, nil),
@@ -567,11 +569,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, stub.UniqueError(54)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(54)}}, nil, nil),
 			},
@@ -609,11 +611,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, stub.UniqueError(52)),
 				call("fatalf", stub.ExpectArgs{"cannot bind sysroot: %v", []any{stub.UniqueError(52)}}, nil, nil),
@@ -652,11 +654,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, stub.UniqueError(50)),
@@ -696,11 +698,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -741,11 +743,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -787,11 +789,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -842,11 +844,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -897,11 +899,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -953,11 +955,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1010,11 +1012,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1069,11 +1071,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1129,11 +1131,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1190,11 +1192,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1252,11 +1254,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1315,11 +1317,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1379,11 +1381,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1444,11 +1446,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1510,11 +1512,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1584,11 +1586,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1622,7 +1624,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1654,8 +1655,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, stub.UniqueError(19)),
-				call("fatalf", stub.ExpectArgs{"cannot raise CAP_SYS_ADMIN: %v", []any{stub.UniqueError(19)}}, nil, nil),
+				call("fatalf", stub.ExpectArgs{"cannot raise %#x: %v", []any{uintptr(0x15), stub.UniqueError(19)}}, nil, nil),
 			},
 		}, nil},

@@ -1691,11 +1693,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1729,7 +1731,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1761,8 +1762,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
 				call("fatalf", stub.ExpectArgs{"cannot capset: %v", []any{stub.UniqueError(17)}}, nil, nil),
 			},
 		}, nil},
@@ -1799,11 +1799,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1837,7 +1837,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1869,8 +1868,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
 				call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
@@ -1908,11 +1908,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2032,11 +2032,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2132,11 +2132,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2232,11 +2232,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2323,11 +2323,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2418,11 +2418,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2520,11 +2520,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2659,11 +2659,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2697,7 +2697,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
-				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -2729,8 +2728,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -4,9 +4,9 @@ import (
 	"encoding/gob"
 	"fmt"
 	"slices"
-	"strings"

 	"hakurei.app/check"
+	"hakurei.app/ext"
 	"hakurei.app/fhs"
 )

@@ -150,7 +150,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
 				return err
 			} else {
-				o.upper = check.EscapeOverlayDataSegment(toHost(v))
+				o.upper = toHost(v)
 			}
 		}

@@ -158,7 +158,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
 				return err
 			} else {
-				o.work = check.EscapeOverlayDataSegment(toHost(v))
+				o.work = toHost(v)
 			}
 		}
 	}
@@ -168,12 +168,39 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 		if v, err := k.evalSymlinks(a.String()); err != nil {
 			return err
 		} else {
-			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
+			o.lower[i] = toHost(v)
 		}
 	}
 	return nil
 }

+// mountOverlay sets up an overlay mount via [ext.FS].
+func mountOverlay(target string, options [][2]string) error {
+	fs, err := ext.OpenFS(SourceOverlay, 0)
+	if err != nil {
+		return err
+	}
+	if err = fs.SetString("source", SourceOverlay); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	for _, option := range options {
+		if err = fs.SetString(option[0], option[1]); err != nil {
+			_ = fs.Close()
+			return err
+		}
+	}
+	if err = fs.SetFlag(OptionOverlayUserxattr); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	if err = fs.Mount(target, 0); err != nil {
+		_ = fs.Close()
+		return err
+	}
+	return fs.Close()
+}
+
 func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	target := o.Target.String()
 	if !o.noPrefix {
@@ -194,7 +221,7 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}

-	options := make([]string, 0, 4)
+	options := make([][2]string, 0, 2+len(o.lower))

 	if o.upper == zeroString && o.work == zeroString { // readonly
 		if len(o.Lower) < 2 {
@@ -205,15 +232,16 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		if len(o.Lower) == 0 {
 			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
 		}
-		options = append(options,
-			OptionOverlayUpperdir+"="+o.upper,
-			OptionOverlayWorkdir+"="+o.work)
+		options = append(options, [][2]string{
+			{OptionOverlayUpperdir, o.upper},
+			{OptionOverlayWorkdir, o.work},
+		}...)
+	}
+	for _, lower := range o.lower {
+		options = append(options, [2]string{OptionOverlayLowerdir + "+", lower})
 	}
-	options = append(options,
-		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
-		OptionOverlayUserxattr)

-	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
+	return k.mountOverlay(target, options)
 }

 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -97,13 +97,12 @@ func TestMountOverlayOp(t *testing.T) {
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
-				"upperdir=overlay.upper.32768," +
-				"workdir=overlay.work.32768," +
-				"lowerdir=" +
-				`/host/var/lib/planterette/base/debian\:f92c9052:` +
-				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot", [][2]string{
+				{"upperdir", "overlay.upper.32768"},
+				{"workdir", "overlay.work.32768"},
+				{"lowerdir+", `/host/var/lib/planterette/base/debian:f92c9052`},
+				{"lowerdir+", `/host/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052`},
+			}}, nil, nil),
 		}, nil},

 		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -129,11 +128,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
-				"lowerdir=" +
-				"/host/mnt-root/nix/.ro-store:" +
-				"/host/mnt-root/nix/.ro-store0," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/nix/store", [][2]string{
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+			}}, nil, nil),
 		}, nil},

 		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -147,11 +145,10 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"lowerdir=" +
-				"/host/mnt-root/nix/.ro-store:" +
-				"/host/mnt-root/nix/.ro-store0," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
+			}}, nil, nil),
 		}, nil},

 		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -219,7 +216,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+			}}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},

 		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -233,11 +234,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				"lowerdir=/host/mnt-root/nix/ro-store," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+			}}, nil, nil),
 		}, nil},

 		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -261,16 +262,15 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
-				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
-				"workdir=/host/mnt-root/nix/.rw-store/.work," +
-				"lowerdir=" +
-				"/host/mnt-root/nix/ro-store:" +
-				"/host/mnt-root/nix/ro-store0:" +
-				"/host/mnt-root/nix/ro-store1:" +
-				"/host/mnt-root/nix/ro-store2:" +
-				"/host/mnt-root/nix/ro-store3," +
-				"userxattr"}, nil, nil),
+			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
+				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
+				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store0"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store1"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store2"},
+				{"lowerdir+", "/host/mnt-root/nix/ro-store3"},
+			}}, nil, nil),
 		}, nil},
 	})

--- a/container/mount.go
+++ b/container/mount.go
@@ -40,6 +40,9 @@ const (
 	// SourceMqueue is used when mounting mqueue.
 	// Note that any source value is allowed when fstype is [FstypeMqueue].
 	SourceMqueue = "mqueue"
+	// SourceBinfmtMisc is used when mounting binfmt_misc.
+	// Note that any source value is allowed when fstype is [SourceBinfmtMisc].
+	SourceBinfmtMisc = "binfmt_misc"
 	// SourceOverlay is used when mounting overlay.
 	// Note that any source value is allowed when fstype is [FstypeOverlay].
 	SourceOverlay = "overlay"
@@ -70,6 +73,9 @@ const (
 	// FstypeMqueue represents the mqueue pseudo-filesystem.
 	// This filesystem type is usually mounted on /dev/mqueue.
 	FstypeMqueue = "mqueue"
+	// FstypeBinfmtMisc represents the binfmt_misc pseudo-filesystem.
+	// This filesystem type is usually mounted on /proc/sys/fs/binfmt_misc.
+	FstypeBinfmtMisc = "binfmt_misc"
 	// FstypeOverlay represents the overlay pseudo-filesystem.
 	// This filesystem type can be mounted anywhere in the container filesystem.
 	FstypeOverlay = "overlay"
--- a/container/path_test.go
+++ b/container/path_test.go
@@ -10,7 +10,6 @@ import (
 	"testing"
 	"unsafe"

-	"hakurei.app/check"
 	"hakurei.app/vfs"
 )

@@ -50,9 +49,6 @@ func TestToHost(t *testing.T) {
 	}
 }

-// InternalToHostOvlEscape exports toHost passed to [check.EscapeOverlayDataSegment].
-func InternalToHostOvlEscape(s string) string { return check.EscapeOverlayDataSegment(toHost(s)) }
-
 func TestCreateFile(t *testing.T) {
 	t.Run("nonexistent", func(t *testing.T) {
 		t.Run("mkdir", func(t *testing.T) {
--- a/ext/fs.go
+++ b/ext/fs.go
@@ -0,0 +1,267 @@
+package ext
+
+import (
+	"os"
+	"runtime"
+	"syscall"
+	"unsafe"
+)
+
+// include/uapi/linux/mount.h
+
+/*
+ * move_mount() flags.
+ */
+const (
+	MOVE_MOUNT_F_SYMLINKS   = 1 << iota /* Follow symlinks on from path */
+	MOVE_MOUNT_F_AUTOMOUNTS             /* Follow automounts on from path */
+	MOVE_MOUNT_F_EMPTY_PATH             /* Empty from path permitted */
+	_
+	MOVE_MOUNT_T_SYMLINKS   /* Follow symlinks on to path */
+	MOVE_MOUNT_T_AUTOMOUNTS /* Follow automounts on to path */
+	MOVE_MOUNT_T_EMPTY_PATH /* Empty to path permitted */
+	_
+	MOVE_MOUNT_SET_GROUP /* Set sharing group instead */
+	MOVE_MOUNT_BENEATH   /* Mount beneath top mount */
+)
+
+/*
+ * fsopen() flags.
+ */
+const (
+	FSOPEN_CLOEXEC = 1 << iota
+)
+
+/*
+ * fspick() flags.
+ */
+const (
+	FSPICK_CLOEXEC = 1 << iota
+	FSPICK_SYMLINK_NOFOLLOW
+	FSPICK_NO_AUTOMOUNT
+	FSPICK_EMPTY_PATH
+)
+
+/*
+ * The type of fsconfig() call made.
+ */
+const (
+	FSCONFIG_SET_FLAG        = iota /* Set parameter, supplying no value */
+	FSCONFIG_SET_STRING             /* Set parameter, supplying a string value */
+	FSCONFIG_SET_BINARY             /* Set parameter, supplying a binary blob value */
+	FSCONFIG_SET_PATH               /* Set parameter, supplying an object by path */
+	FSCONFIG_SET_PATH_EMPTY         /* Set parameter, supplying an object by (empty) path */
+	FSCONFIG_SET_FD                 /* Set parameter, supplying an object by fd */
+	FSCONFIG_CMD_CREATE             /* Create new or reuse existing superblock */
+	FSCONFIG_CMD_RECONFIGURE        /* Invoke superblock reconfiguration */
+	FSCONFIG_CMD_CREATE_EXCL        /* Create new superblock, fail if reusing existing superblock */
+)
+
+/*
+ * fsmount() flags.
+ */
+const (
+	FSMOUNT_CLOEXEC = 1 << iota
+)
+
+/*
+ * Mount attributes.
+ */
+const (
+	MOUNT_ATTR_RDONLY      = 0x00000001 /* Mount read-only */
+	MOUNT_ATTR_NOSUID      = 0x00000002 /* Ignore suid and sgid bits */
+	MOUNT_ATTR_NODEV       = 0x00000004 /* Disallow access to device special files */
+	MOUNT_ATTR_NOEXEC      = 0x00000008 /* Disallow program execution */
+	MOUNT_ATTR__ATIME      = 0x00000070 /* Setting on how atime should be updated */
+	MOUNT_ATTR_RELATIME    = 0x00000000 /* - Update atime relative to mtime/ctime. */
+	MOUNT_ATTR_NOATIME     = 0x00000010 /* - Do not update access times. */
+	MOUNT_ATTR_STRICTATIME = 0x00000020 /* - Always perform atime updates */
+	MOUNT_ATTR_NODIRATIME  = 0x00000080 /* Do not update directory access times */
+	MOUNT_ATTR_IDMAP       = 0x00100000 /* Idmap mount to @userns_fd in struct mount_attr. */
+	MOUNT_ATTR_NOSYMFOLLOW = 0x00200000 /* Do not follow symlinks */
+)
+
+// FS provides low-level wrappers around the suite of file-descriptor-based
+// mount facilities in Linux.
+type FS struct {
+	fd uintptr
+	c  runtime.Cleanup
+}
+
+// newFS allocates a new [FS] for the specified fd.
+func newFS(fd uintptr) *FS {
+	fs := FS{fd: fd}
+	fs.c = runtime.AddCleanup(&fs, func(fd uintptr) {
+		_ = syscall.Close(int(fd))
+	}, fd)
+	return &fs
+}
+
+// Close closes the underlying filesystem context.
+func (fs *FS) Close() error {
+	if fs == nil {
+		return syscall.EINVAL
+	}
+	err := syscall.Close(int(fs.fd))
+	fs.c.Stop()
+	return err
+}
+
+// OpenFS creates a new filesystem context.
+func OpenFS(fsname string, flags int) (fs *FS, err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(fsname)
+	if err != nil {
+		return
+	}
+	fd, _, errno := syscall.Syscall(
+		SYS_FSOPEN,
+		uintptr(unsafe.Pointer(s)),
+		uintptr(flags|FSOPEN_CLOEXEC),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fsopen", errno)
+	} else {
+		fs = newFS(fd)
+	}
+	return
+}
+
+// PickFS selects filesystem for reconfiguration.
+func PickFS(dirfd int, pathname string, flags int) (fs *FS, err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(pathname)
+	if err != nil {
+		return
+	}
+	fd, _, errno := syscall.Syscall(
+		SYS_FSPICK,
+		uintptr(dirfd),
+		uintptr(unsafe.Pointer(s)),
+		uintptr(flags|FSPICK_CLOEXEC),
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fspick", errno)
+	} else {
+		fs = newFS(fd)
+	}
+	return
+}
+
+// config configures new or existing filesystem context.
+func (fs *FS) config(cmd uint, key *byte, value unsafe.Pointer, aux int) (err error) {
+	_, _, errno := syscall.Syscall6(
+		SYS_FSCONFIG,
+		fs.fd,
+		uintptr(cmd),
+		uintptr(unsafe.Pointer(key)),
+		uintptr(value),
+		uintptr(aux),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("fsconfig", errno)
+	}
+	return
+}
+
+// SetFlag sets the flag parameter named by key. ([FSCONFIG_SET_FLAG])
+func (fs *FS) SetFlag(key string) (err error) {
+	var s *byte
+	s, err = syscall.BytePtrFromString(key)
+	if err != nil {
+		return
+	}
+
+	return fs.config(FSCONFIG_SET_FLAG, s, nil, 0)
+}
+
+// SetString sets the string parameter named by key to the value specified by
+// value. ([FSCONFIG_SET_STRING])
+func (fs *FS) SetString(key, value string) (err error) {
+	var s0 *byte
+	s0, err = syscall.BytePtrFromString(key)
+	if err != nil {
+		return
+	}
+
+	var s1 *byte
+	s1, err = syscall.BytePtrFromString(value)
+	if err != nil {
+		return
+	}
+
+	return fs.config(FSCONFIG_SET_STRING, s0, unsafe.Pointer(s1), 0)
+}
+
+// mount instantiates mount object from filesystem context.
+func (fs *FS) mount(flags, attrFlags int) (fsfd int, err error) {
+	r, _, errno := syscall.Syscall(
+		SYS_FSMOUNT,
+		fs.fd,
+		uintptr(flags|FSMOUNT_CLOEXEC),
+		uintptr(attrFlags),
+	)
+	fsfd = int(r)
+	if errno != 0 {
+		err = os.NewSyscallError("fsmount", errno)
+	}
+	return
+}
+
+// MoveMount moves or attaches mount object to filesystem.
+func MoveMount(
+	fromDirfd int,
+	fromPathname string,
+	toDirfd int,
+	toPathname string,
+	flags int,
+) (err error) {
+	var s0 *byte
+	s0, err = syscall.BytePtrFromString(fromPathname)
+	if err != nil {
+		return
+	}
+
+	var s1 *byte
+	s1, err = syscall.BytePtrFromString(toPathname)
+	if err != nil {
+		return
+	}
+
+	_, _, errno := syscall.Syscall6(
+		SYS_MOVE_MOUNT,
+		uintptr(fromDirfd),
+		uintptr(unsafe.Pointer(s0)),
+		uintptr(toDirfd),
+		uintptr(unsafe.Pointer(s1)),
+		uintptr(flags),
+		0,
+	)
+	if errno != 0 {
+		err = os.NewSyscallError("move_mount", errno)
+	}
+	return
+}
+
+// Mount attaches the underlying filesystem context to the specified pathname.
+func (fs *FS) Mount(pathname string, attrFlags int) error {
+	if err := fs.config(FSCONFIG_CMD_CREATE_EXCL, nil, nil, 0); err != nil {
+		return err
+	}
+	fd, err := fs.mount(0, attrFlags)
+	if err != nil {
+		return err
+	}
+	err = MoveMount(
+		fd, "",
+		-1, pathname,
+		MOVE_MOUNT_F_EMPTY_PATH,
+	)
+	closeErr := syscall.Close(fd)
+	if err == nil {
+		err = closeErr
+	}
+	return err
+}
--- a/fhs/abs.go
+++ b/fhs/abs.go
@@ -42,6 +42,8 @@ var (
 	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
+	// AbsProcSys is [ProcSys] as [check.Absolute].
+	AbsProcSys = unsafeAbs(ProcSys)
 	// AbsProcSelfExe is [ProcSelfExe] as [check.Absolute].
 	AbsProcSelfExe = unsafeAbs(ProcSelfExe)
 	// AbsSys is [Sys] as [check.Absolute].
--- a/flake.nix
+++ b/flake.nix
@@ -139,7 +139,6 @@
                GOCACHE="$(mktemp -d)" \
                PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
                DESTDIR="$out" \
-                HAKUREI_VERSION="v${hakurei.version}" \
                  ./all.sh
              '';
        }
--- a/internal/pkg/dir_test.go
+++ b/internal/pkg/dir_test.go
@@ -64,78 +64,6 @@ func TestFlatten(t *testing.T) {
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C"), nil},

-		{"sample cache file", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
-			"checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: 0400, Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
-			"identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
-			"identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
-			"identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
-
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: 0400, Path: "checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
-			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
-
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("St9rlE-mGZ5gXwiv_hzQ_B8bZP-UUvSNmf4nHUZzCMOumb6hKnheZSe0dmnuc4Q2"), nil},
-
-		{"sample http get cure", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU": {Mode: 0400, Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
-
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: 0400, Path: "checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU", Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_", Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
-
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("L_0RFHpr9JUS4Zp14rz2dESSRvfLzpvqsLhR1-YjQt8hYlmEdVl7vI3_-v8UNPKs"), nil},
-
-		{"sample directory step simple", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0500},
-
-			"check": {Mode: 0400, Data: []byte{0, 0}},
-
-			"lib":            {Mode: fs.ModeDir | 0700},
-			"lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
-
-			"lib/pkgconfig": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0500, Path: "."},
-
-			{Mode: 0400, Path: "check", Data: []byte{0, 0}},
-
-			{Mode: fs.ModeDir | 0700, Path: "lib"},
-			{Mode: fs.ModeSymlink | 0777, Path: "lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
-
-			{Mode: fs.ModeDir | 0700, Path: "lib/pkgconfig"},
-		}, pkg.MustDecode("qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"), nil},
-
 		{"sample directory step garbage", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},

@@ -151,421 +79,6 @@ func TestFlatten(t *testing.T) {

 			{Mode: fs.ModeDir | 0500, Path: "lib/pkgconfig"},
 		}, pkg.MustDecode("CUx-3hSbTWPsbMfDhgalG4Ni_GmR9TnVX8F99tY_P5GtkYvczg9RrF5zO0jX9XYT"), nil},
-
-		{"sample directory", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b":                {Mode: fs.ModeDir | 0500},
-			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check":          {Mode: 0400, Data: []byte{0, 0}},
-			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib":            {Mode: fs.ModeDir | 0700},
-			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig":  {Mode: fs.ModeDir | 0700},
-			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
-			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
-
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"},
-			{Mode: 0400, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check", Data: []byte{0, 0}},
-			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib"},
-			{Mode: fs.ModeSymlink | 0777, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
-			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig"},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
-
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("WVpvsVqVKg9Nsh744x57h51AuWUoUR2nnh8Md-EYBQpk6ziyTuUn6PLtF2e0Eu_d"), nil},
-
-		{"sample no assume checksum", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M":       {Mode: fs.ModeDir | 0500},
-			"checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M/check": {Mode: 0400, Data: []byte{}},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/_wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
-			"identifier/_wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
-
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M"},
-			{Mode: 0400, Path: "checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M/check", Data: []byte{}},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
-
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("OC290t23aimNo2Rp2pPwan5GI2KRLRdOwYxXQMD9jw0QROgHnNXWodoWdV0hwu2w"), nil},
-
-		{"sample tar step unpack", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0500},
-
-			"checksum": {Mode: fs.ModeDir | 0500},
-			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
-			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
-			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
-			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
-			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
-
-			"identifier": {Mode: fs.ModeDir | 0500},
-			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-
-			"work": {Mode: fs.ModeDir | 0500},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0500, Path: "."},
-
-			{Mode: fs.ModeDir | 0500, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
-			{Mode: 0400, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
-			{Mode: fs.ModeSymlink | 0777, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
-
-			{Mode: fs.ModeDir | 0500, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-
-			{Mode: fs.ModeDir | 0500, Path: "work"},
-		}, pkg.MustDecode("cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"), nil},
-
-		{"sample tar", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM":                                                                                          {Mode: fs.ModeDir | 0500},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum":                                                                                 {Mode: fs.ModeDir | 0500},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier":                                                                               {Mode: fs.ModeDir | 0500},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work":                                                                                     {Mode: fs.ModeDir | 0500},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
-			"identifier/rg7F1D5hwv6o4xctjD5zDq4i5MD0mArTsUIWfhUbik8xC6Bsyt3mjXXOm3goojTz": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
-			{Mode: 0400, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
-			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work"},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/rg7F1D5hwv6o4xctjD5zDq4i5MD0mArTsUIWfhUbik8xC6Bsyt3mjXXOm3goojTz", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("NQTlc466JmSVLIyWklm_u8_g95jEEb98PxJU-kjwxLpfdjwMWJq0G8ze9R4Vo1Vu"), nil},
-
-		{"sample tar expand step unpack", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0500},
-
-			"libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0500, Path: "."},
-
-			{Mode: fs.ModeSymlink | 0777, Path: "libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
-		}, pkg.MustDecode("CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"), nil},
-
-		{"sample tar expand", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN":            {Mode: fs.ModeDir | 0500},
-			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
-			"identifier/_v1blm2h-_KA-dVaawdpLas6MjHc6rbhhFS8JWwx8iJxZGUu8EBbRrhr5AaZ9PJL": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"},
-			{Mode: fs.ModeSymlink | 0777, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_v1blm2h-_KA-dVaawdpLas6MjHc6rbhhFS8JWwx8iJxZGUu8EBbRrhr5AaZ9PJL", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("hSoSSgCYTNonX3Q8FjvjD1fBl-E-BQyA6OTXro2OadXqbST4tZ-akGXszdeqphRe"), nil},
-
-		{"testtool", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0500},
-
-			"check": {Mode: 0400, Data: []byte{0}},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0500, Path: "."},
-
-			{Mode: 0400, Path: "check", Data: []byte{0}},
-		}, pkg.MustDecode("GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"), nil},
-
-		{"sample exec container", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			"identifier/dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
-			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
-			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("Q5DluWQCAeohLoiGRImurwFp3vdz9IfQCoj7Fuhh73s4KQPRHpEQEnHTdNHmB8Fx"), nil},
-
-		{"testtool net", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0500},
-
-			"check": {Mode: 0400, Data: []byte("net")},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0500, Path: "."},
-
-			{Mode: 0400, Path: "check", Data: []byte("net")},
-		}, pkg.MustDecode("a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"), nil},
-
-		{"sample exec net container", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
-			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W":       {Mode: fs.ModeDir | 0500},
-			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check": {Mode: 0400, Data: []byte("net")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
-			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
-			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"},
-			{Mode: 0400, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check", Data: []byte("net")},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3", Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("bPYvvqxpfV7xcC1EptqyKNK1klLJgYHMDkzBcoOyK6j_Aj5hb0mXNPwTwPSK5F6Z"), nil},
-
-		{"sample exec container overlay root", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
-			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("PO2DSSCa4yoSgEYRcCSZfQfwow1yRigL3Ry-hI0RDI4aGuFBha-EfXeSJnG_5_Rl"), nil},
-
-		{"sample exec container overlay work", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
-			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("iaRt6l_Wm2n-h5UsDewZxQkCmjZjyL8r7wv32QT2kyV55-Lx09Dq4gfg9BiwPnKs"), nil},
-
-		{"sample exec container multiple layers", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
-			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK":       {Mode: fs.ModeDir | 0500},
-			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check": {Mode: 0400, Data: []byte("layers")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			"identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
-			"identifier/p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
-			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
-			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK"},
-			{Mode: 0400, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check", Data: []byte("layers")},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2", Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("O2YzyR7IUGU5J2CADy0hUZ3A5NkP_Vwzs4UadEdn2oMZZVWRtH0xZGJ3HXiimTnZ"), nil},
-
-		{"sample exec container layer promotion", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
-			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-			"identifier/xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
-			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
-			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
-
-			{Mode: fs.ModeDir | 0700, Path: "temp"},
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("3EaW6WibLi9gl03_UieiFPaFcPy5p4x3JPxrnLJxGaTI-bh3HU9DK9IMx7c3rrNm"), nil},
-
-		{"sample file short", fstest.MapFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
-
-			"work": {Mode: fs.ModeDir | 0700},
-		}, []pkg.FlatEntry{
-			{Mode: fs.ModeDir | 0700, Path: "."},
-			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
-
-			{Mode: fs.ModeDir | 0700, Path: "identifier"},
-			{Mode: fs.ModeSymlink | 0777, Path: "identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
-
-			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("iR6H5OIsyOW4EwEgtm9rGzGF6DVtyHLySEtwnFE8bnus9VJcoCbR4JIek7Lw-vwT"), nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -9,8 +9,10 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"slices"
 	"strconv"
+	"sync"
 	"syscall"
 	"time"
 	"unique"
@@ -94,6 +96,32 @@ func MustPath(pathname string, writable bool, a ...Artifact) ExecPath {
 	return ExecPath{check.MustAbs(pathname), a, writable}
 }

+var (
+	binfmt   map[string]container.BinfmtEntry
+	binfmtMu sync.RWMutex
+)
+
+// RegisterArch arranges for [KindExec] and [KindExecNet] to support a new
+// architecture via a binfmt_misc entry. Each architecture must be registered
+// at most once.
+func RegisterArch(arch string, e container.BinfmtEntry) {
+	if arch == "" {
+		panic(UnsupportedArchError(arch))
+	}
+
+	binfmtMu.Lock()
+	defer binfmtMu.Unlock()
+
+	if binfmt == nil {
+		binfmt = make(map[string]container.BinfmtEntry)
+	}
+
+	if _, ok := binfmt[arch]; ok {
+		panic("attempting to register " + strconv.Quote(arch) + " twice")
+	}
+	binfmt[arch] = e
+}
+
 const (
 	// ExecTimeoutDefault replaces out of range [NewExec] timeout values.
 	ExecTimeoutDefault = 15 * time.Minute
@@ -110,6 +138,8 @@ type execArtifact struct {
 	// Caller-supplied user-facing reporting name, guaranteed to be nonzero
 	// during initialisation.
 	name string
+	// Target architecture.
+	arch string
 	// Caller-supplied inner mount points.
 	paths []ExecPath

@@ -132,28 +162,40 @@ type execArtifact struct {

 var _ fmt.Stringer = new(execArtifact)

-// execNetArtifact is like execArtifact but implements [KnownChecksum] and has
-// its resulting container keep the host net namespace.
-type execNetArtifact struct {
+// execMeasuredArtifact is like execArtifact but implements [KnownChecksum] and
+// has its resulting container optionally keep the host net namespace.
+type execMeasuredArtifact struct {
 	checksum Checksum

+	// Whether to keep host net namespace.
+	hostNet bool
+
 	execArtifact
 }

-var _ KnownChecksum = new(execNetArtifact)
+var _ KnownChecksum = new(execMeasuredArtifact)

 // Checksum returns the caller-supplied checksum.
-func (a *execNetArtifact) Checksum() Checksum { return a.checksum }
+func (a *execMeasuredArtifact) Checksum() Checksum { return a.checksum }

-// Kind returns the hardcoded [Kind] constant.
-func (*execNetArtifact) Kind() Kind { return KindExecNet }
+// Kind returns [KindExecNet], or [KindExec] if hostNet is false.
+func (a *execMeasuredArtifact) Kind() Kind {
+	if a == nil || a.hostNet {
+		return KindExecNet
+	}
+	return KindExec
+}

 // Cure cures the [Artifact] in the container described by the caller. The
-// container retains host networking.
-func (a *execNetArtifact) Cure(f *FContext) error {
-	return a.cure(f, true)
+// container optionally retains host networking.
+func (a *execMeasuredArtifact) Cure(f *FContext) error {
+	return a.cure(f, a.hostNet)
 }

+// ErrNetChecksum is panicked by [NewExec] if host net namespace is requested
+// with a nil checksum.
+var ErrNetChecksum = errors.New("attempting to keep net namespace without checksum")
+
 // NewExec returns a new [Artifact] that executes the program path in a
 // container with specified paths bind mounted read-only in order. A private
 // instance of /proc and /dev is made available to the container.
@@ -167,7 +209,7 @@ func (a *execNetArtifact) Cure(f *FContext) error {
 // regular or symlink.
 //
 // If checksum is non-nil, the resulting [Artifact] implements [KnownChecksum]
-// and its container runs in the host net namespace.
+// and its container optionally runs in the host net namespace.
 //
 // The container is allowed to run for the specified duration before the initial
 // process and all processes originating from it is terminated. A zero or
@@ -178,10 +220,10 @@ func (a *execNetArtifact) Cure(f *FContext) error {
 // container and does not affect curing outcome. Because of this, it is omitted
 // from parameter data for computing identifier.
 func NewExec(
-	name string,
+	name, arch string,
 	checksum *Checksum,
 	timeout time.Duration,
-	exclusive bool,
+	hostNet, exclusive bool,

 	dir *check.Absolute,
 	env []string,
@@ -193,17 +235,23 @@ func NewExec(
 	if name == "" {
 		name = "exec-" + filepath.Base(pathname.String())
 	}
+	if arch == "" {
+		arch = runtime.GOARCH
+	}
 	if timeout <= 0 {
 		timeout = ExecTimeoutDefault
 	}
 	if timeout > ExecTimeoutMax {
 		timeout = ExecTimeoutMax
 	}
-	a := execArtifact{name, paths, dir, env, pathname, args, timeout, exclusive}
+	a := execArtifact{name, arch, paths, dir, env, pathname, args, timeout, exclusive}
 	if checksum == nil {
+		if hostNet {
+			panic(ErrNetChecksum)
+		}
 		return &a
 	}
-	return &execNetArtifact{*checksum, a}
+	return &execMeasuredArtifact{*checksum, hostNet, a}
 }

 // Kind returns the hardcoded [Kind] constant.
@@ -211,6 +259,7 @@ func (*execArtifact) Kind() Kind { return KindExec }

 // Params writes paths, executable pathname and args.
 func (a *execArtifact) Params(ctx *IContext) {
+	ctx.WriteString(a.arch)
 	ctx.WriteString(a.name)

 	ctx.WriteUint32(uint32(len(a.paths)))
@@ -257,11 +306,26 @@ func (a *execArtifact) Params(ctx *IContext) {
 	}
 }

+// UnsupportedArchError describes an unsupported or invalid architecture.
+type UnsupportedArchError string
+
+func (e UnsupportedArchError) Error() string {
+	if e == "" {
+		return "invalid architecture name"
+	}
+	return "unsupported architecture " + string(e)
+}
+
 // readExecArtifact interprets IR values and returns the address of execArtifact
 // or execNetArtifact.
 func readExecArtifact(r *IRReader, net bool) Artifact {
 	r.DiscardAll()

+	arch := r.ReadString()
+	if arch == "" {
+		panic(UnsupportedArchError(arch))
+	}
+
 	name := r.ReadString()

 	sz := r.ReadUint32()
@@ -312,22 +376,17 @@ func readExecArtifact(r *IRReader, net bool) Artifact {
 	exclusive := r.ReadUint32() != 0

 	checksum, ok := r.Finalise()
-
 	var checksumP *Checksum
-	if net {
-		if !ok {
-			panic(ErrExpectedChecksum)
-		}
-		checksumVal := checksum.Value()
-		checksumP = &checksumVal
-	} else {
-		if ok {
-			panic(ErrUnexpectedChecksum)
-		}
+	if ok {
+		checksumP = new(checksum.Value())
+	}
+
+	if net && !ok {
+		panic(ErrExpectedChecksum)
 	}

 	return NewExec(
-		name, checksumP, timeout, exclusive, dir, env, pathname, args, paths...,
+		name, arch, checksumP, timeout, net, exclusive, dir, env, pathname, args, paths...,
 	)
 }

@@ -436,11 +495,23 @@ func (a *execArtifact) makeContainer(
 	if z.HostNet {
 		z.Hostname = "cure-net"
 	}
+	z.Quiet = flags&CSuppressInit != 0
 	z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
 	z.Dir, z.Path, z.Args = a.dir, a.path, a.args
 	z.Env = slices.Concat(a.env, []string{EnvJobs + "=" + strconv.Itoa(jobs)})
 	z.Grow(len(a.paths) + 4)

+	if a.arch != runtime.GOARCH {
+		binfmtMu.RLock()
+		e, ok := binfmt[a.arch]
+		binfmtMu.RUnlock()
+		if !ok {
+			return nil, UnsupportedArchError(a.arch)
+		}
+		z.Binfmt = []container.BinfmtEntry{e}
+		z.InitAsRoot = true
+	}
+
 	for i, b := range a.paths {
 		if i == overlayWorkIndex {
 			if err = os.MkdirAll(work.String(), 0700); err != nil {
@@ -527,9 +598,9 @@ func (c *Cache) EnterExec(
 	case *execArtifact:
 		e = f

-	case *execNetArtifact:
+	case *execMeasuredArtifact:
 		e = &f.execArtifact
-		hostNet = true
+		hostNet = f.hostNet

 	default:
 		return ErrNotExec
@@ -630,12 +701,6 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 			_ = stdout.Close()
 			return
 		}
-		defer func() {
-			if err != nil && !errors.As(err, new(*exec.ExitError)) {
-				_ = stdout.Close()
-				_ = stderr.Close()
-			}
-		}()

 		brStdout, brStderr := f.cache.getReader(stdout), f.cache.getReader(stderr)
 		stdoutDone, stderrDone := make(chan struct{}), make(chan struct{})
@@ -650,6 +715,11 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 			io.TeeReader(brStderr, status),
 		)
 		defer func() {
+			if err != nil && !errors.As(err, new(*exec.ExitError)) {
+				_ = stdout.Close()
+				_ = stderr.Close()
+			}
+
 			<-stdoutDone
 			<-stderrDone
 			f.cache.putReader(brStdout)
--- a/internal/pkg/exec_test.go
+++ b/internal/pkg/exec_test.go
@@ -1,44 +1,70 @@
 package pkg_test

-//go:generate env CGO_ENABLED=0 go build -tags testtool -o testdata/testtool ./testdata
-
 import (
+	"bytes"
 	_ "embed"
 	"encoding/gob"
 	"errors"
+	"io/fs"
 	"net"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"slices"
 	"testing"
-	"unique"

 	"hakurei.app/check"
+	"hakurei.app/container"
 	"hakurei.app/hst"
+	"hakurei.app/internal/info"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/stub"
+
+	"hakurei.app/internal/pkg/internal/testtool/expected"
 )

 // testtoolBin is the container test tool binary made available to the
 // execArtifact for testing its curing environment.
 //
-//go:embed testdata/testtool
+//go:generate env CGO_ENABLED=0 go build -tags testtool -o internal/testtool ./internal/testtool
+//go:embed internal/testtool/testtool
 var testtoolBin []byte

+func init() {
+	pathname, err := filepath.Abs("internal/testtool/testtool")
+	if err != nil {
+		panic(err)
+	}
+	pkg.RegisterArch("cafe", container.BinfmtEntry{
+		Magic:       expected.Magic,
+		Interpreter: check.MustAbs(pathname),
+	})
+}
+
 func TestExec(t *testing.T) {
 	t.Parallel()

-	wantChecksumOffline := pkg.MustDecode(
-		"GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9",
-	)
+	wantOffline := expectsFS{
+		".": {Mode: fs.ModeDir | 0500},
+
+		"check": {Mode: 0400, Data: []byte{0}},
+	}
+	wantOfflineEncode := pkg.Encode(wantOffline.hash())
+	failingArtifact := &stubArtifact{
+		kind:   pkg.KindTar,
+		params: []byte("doomed artifact"),
+		cure: func(t *pkg.TContext) error {
+			return stub.UniqueError(0xcafe)
+		},
+	}

 	checkWithCache(t, []cacheTestCase{
-		{"offline", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+		{"offline", pkg.CValidateKnown | checkDestroySubstitutes, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-offline", nil, 0, false,
+					"exec-offline", "", new(wantOffline.hash()), 0, false, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -58,67 +84,128 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantChecksumOffline, nil},
+				), ignorePathname, wantOffline, nil},

-				{"error passthrough", pkg.NewExec(
-					"", nil, 0, true,
+				{"substitution", pkg.NewExec(
+					"exec-offline", "", new(wantOffline.hash()), 0, false, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool"},

-					pkg.MustPath("/proc/nonexistent", false, &stubArtifact{
+					pkg.MustPath("/file", false, newStubFile(
+						pkg.KindHTTPGet,
+						pkg.ID{0xfe, 0},
+						nil,
+						nil, nil,
+					)),
+					// substitution miss fails in testtool due to differing idents
+					pkg.MustPath("/.hakurei", false, &stubArtifact{
 						kind:   pkg.KindTar,
-						params: []byte("doomed artifact"),
+						params: []byte("empty directory (substituted)"),
 						cure: func(t *pkg.TContext) error {
-							return stub.UniqueError(0xcafe)
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}),
-				), nil, pkg.Checksum{}, &pkg.DependencyCureError{
+					pkg.MustPath("/opt", false, testtool),
+				), ignorePathname, wantOffline, nil},
+
+				{"error passthrough", pkg.NewExec(
+					"", "", nil, 0, false, true,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool"},
+
+					pkg.MustPath("/proc/nonexistent", false, failingArtifact),
+				), nil, nil, &pkg.DependencyCureError{
 					{
-						Ident: unique.Make(pkg.ID(pkg.MustDecode(
-							"Sowo6oZRmG6xVtUaxB6bDWZhVsqAJsIJWUp0OPKlE103cY0lodx7dem8J-qQF0Z1",
-						))),
+						A:   failingArtifact,
 						Err: stub.UniqueError(0xcafe),
 					},
 				}},

 				{"invalid paths", pkg.NewExec(
-					"", nil, 0, false,
+					"", "", nil, 0, false, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool"},

 					pkg.ExecPath{},
-				), nil, pkg.Checksum{}, pkg.ErrInvalidPaths},
+				), nil, nil, pkg.ErrInvalidPaths},
 			})

 			// check init failure passthrough
-			var exitError *exec.ExitError
-			if _, _, err := c.Cure(pkg.NewExec(
-				"", nil, 0, false,
+			initFailureArtifact := pkg.NewExec(
+				"", "", nil, 0, false, false,
 				pkg.AbsWork,
 				nil,
 				check.MustAbs("/opt/bin/testtool"),
 				[]string{"testtool"},
-			)); !errors.As(err, &exitError) ||
+			)
+			var exitError *exec.ExitError
+			if _, _, err := c.Cure(initFailureArtifact); !errors.As(err, &exitError) ||
 				exitError.ExitCode() != hst.ExitFailure {
 				t.Fatalf("Cure: error = %v, want init exit status 1", err)
 			}

-			testtoolDestroy(t, base, c)
-		}, pkg.MustDecode("Q5DluWQCAeohLoiGRImurwFp3vdz9IfQCoj7Fuhh73s4KQPRHpEQEnHTdNHmB8Fx")},
+			var faultStatus []byte
+			if faults, err := c.ReadFaults(initFailureArtifact); err != nil {
+				t.Fatal(err)
+			} else if len(faults) != 1 {
+				t.Fatalf("ReadFaults: %v", faults)
+			} else if faultStatus, err = os.ReadFile(faults[0].String()); err != nil {
+				t.Fatal(err)
+			} else if err = faults[0].Destroy(); err != nil {
+				t.Fatal(err)
+			} else {
+				t.Logf("destroyed expected fault at %s", faults[0].Time().UTC())
+			}

-		{"net", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			if !bytes.HasPrefix(faultStatus, []byte(
+				"internal/pkg ",
+			)) || !bytes.Contains(faultStatus, []byte(
+				"\ninit: fork/exec /opt/bin/testtool: no such file or directory\n",
+			)) {
+				t.Errorf("unexpected status:\n%s", string(faultStatus))
+			}
+
+			destroyStatus(t, base, 2, 1)
+			testtoolDestroy(t, base, c)
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum":                                 {Mode: fs.ModeDir | 0700},
+			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb": {Mode: 0400, Data: []byte{}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/QwS7SmiatdqryQYgESdGw7Yw2PcpNf0vNfpvUA0t92BTlKiUjfCrXyMW17G2X77X": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/" + expected.Offline:                                              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
+			"identifier/" + expected.OfflineS:                                             {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
+
+		{"net", pkg.CValidateKnown | checkDestroySubstitutes, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

-			wantChecksum := pkg.MustDecode(
-				"a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W",
-			)
+			wantNet := expectsFS{
+				".": {Mode: fs.ModeDir | 0500},
+
+				"check": {Mode: 0400, Data: []byte("net")},
+			}
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-net", &wantChecksum, 0, false,
+					"exec-net", "", new(wantNet.hash()), 0, true, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -138,18 +225,37 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantChecksum, nil},
+				), ignorePathname, wantNet, nil},
 			})

+			destroyStatus(t, base, 2, 0)
 			testtoolDestroy(t, base, c)
-		}, pkg.MustDecode("bPYvvqxpfV7xcC1EptqyKNK1klLJgYHMDkzBcoOyK6j_Aj5hb0mXNPwTwPSK5F6Z")},
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},

-		{"overlay root", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W":       {Mode: fs.ModeDir | 0500},
+			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check": {Mode: 0400, Data: []byte("net")},
+
+			"identifier":                 {Mode: fs.ModeDir | 0700},
+			"identifier/" + expected.Net: {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
+
+		{"overlay root", pkg.CValidateKnown | checkDestroySubstitutes, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-overlay-root", nil, 0, false,
+					"exec-overlay-root", "", nil, 0, false, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -163,18 +269,35 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantChecksumOffline, nil},
+				), ignorePathname, wantOffline, nil},
 			})

+			destroyStatus(t, base, 2, 0)
 			testtoolDestroy(t, base, c)
-		}, pkg.MustDecode("PO2DSSCa4yoSgEYRcCSZfQfwow1yRigL3Ry-hI0RDI4aGuFBha-EfXeSJnG_5_Rl")},
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},

-		{"overlay work", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			"checksum":                                 {Mode: fs.ModeDir | 0700},
+			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
+
+			"identifier":                     {Mode: fs.ModeDir | 0700},
+			"identifier/" + expected.OvlRoot: {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
+
+		{"overlay work", pkg.CValidateKnown | checkDestroySubstitutes, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-overlay-work", nil, 0, false,
+					"exec-overlay-work", "", nil, 0, false, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/work/bin/testtool"),
@@ -193,18 +316,35 @@ func TestExec(t *testing.T) {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}), pkg.Path(pkg.AbsWork, false /* ignored */, testtool),
-				), ignorePathname, wantChecksumOffline, nil},
+				), ignorePathname, wantOffline, nil},
 			})

+			destroyStatus(t, base, 2, 0)
 			testtoolDestroy(t, base, c)
-		}, pkg.MustDecode("iaRt6l_Wm2n-h5UsDewZxQkCmjZjyL8r7wv32QT2kyV55-Lx09Dq4gfg9BiwPnKs")},
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},

-		{"multiple layers", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			"checksum":                                 {Mode: fs.ModeDir | 0700},
+			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
+
+			"identifier":                  {Mode: fs.ModeDir | 0700},
+			"identifier/" + expected.Work: {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
+
+		{"multiple layers", pkg.CValidateKnown | checkDestroySubstitutes, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-multiple-layers", nil, 0, false,
+					"exec-multiple-layers", "", nil, 0, false, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -245,18 +385,40 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantChecksumOffline, nil},
+				), ignorePathname, wantOffline, nil},
 			})

+			destroyStatus(t, base, 2, 0)
 			testtoolDestroy(t, base, c)
-		}, pkg.MustDecode("O2YzyR7IUGU5J2CADy0hUZ3A5NkP_Vwzs4UadEdn2oMZZVWRtH0xZGJ3HXiimTnZ")},
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},

-		{"overlay layer promotion", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			"checksum":                                 {Mode: fs.ModeDir | 0700},
+			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK":       {Mode: fs.ModeDir | 0500},
+			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check": {Mode: 0400, Data: []byte("layers")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
+			"identifier/" + expected.Layers:                                               {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
+
+		{"overlay layer promotion", pkg.CValidateKnown | checkDestroySubstitutes, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-layer-promotion", nil, 0, true,
+					"exec-layer-promotion", "", nil, 0, false, true,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -276,11 +438,96 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantChecksumOffline, nil},
+				), ignorePathname, wantOffline, nil},
 			})

+			destroyStatus(t, base, 2, 0)
 			testtoolDestroy(t, base, c)
-		}, pkg.MustDecode("3EaW6WibLi9gl03_UieiFPaFcPy5p4x3JPxrnLJxGaTI-bh3HU9DK9IMx7c3rrNm")},
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum":                                 {Mode: fs.ModeDir | 0700},
+			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			"identifier/" + expected.Promote:                                              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
+
+		{"binfmt", pkg.CValidateKnown | checkDestroySubstitutes, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			if info.CanDegrade && os.Getenv("ROSA_SKIP_BINFMT") != "" {
+				t.Skip("binfmt_misc test explicitly skipped")
+			}
+
+			cureMany(t, c, []cureStep{
+				{"container", pkg.NewExec(
+					"exec-binfmt", "cafe", nil, 0, false, true,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1", "HAKUREI_BINFMT=1"},
+					check.MustAbs("/opt/bin/sample"),
+					[]string{"sample"},
+
+					pkg.MustPath("/", true, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}),
+					pkg.MustPath("/opt", false, overrideIdent{pkg.ID{0xfe, 0xff}, &stubArtifact{
+						kind: pkg.KindTar,
+						cure: func(t *pkg.TContext) error {
+							work := t.GetWorkDir()
+							if err := os.MkdirAll(
+								work.Append("bin").String(),
+								0700,
+							); err != nil {
+								return err
+							}
+
+							return os.WriteFile(t.GetWorkDir().Append(
+								"bin",
+								"sample",
+							).String(), []byte(expected.Full), 0500)
+						},
+					}}),
+				), ignorePathname, expectsFS{
+					".": {Mode: fs.ModeDir | 0500},
+
+					"check": {Mode: 0400, Data: []byte("binfmt")},
+				}, nil},
+			})
+
+			destroyStatus(t, base, 2, 0)
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV":            {Mode: fs.ModeDir | 0500},
+			"checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV/bin":        {Mode: fs.ModeDir | 0700},
+			"checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV/bin/sample": {Mode: 0500, Data: []byte("\xca\xfe\xba\xbe\xfd\xfd:3")},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":            {Mode: fs.ModeDir | 0500},
+			"checksum/UnDo4B5KneEUY5b4vRUk_y9MWgkWuw2N8f8a2XayO686xXur-aZmX2-7n_8tKMe3":            {Mode: fs.ModeDir | 0500},
+			"checksum/UnDo4B5KneEUY5b4vRUk_y9MWgkWuw2N8f8a2XayO686xXur-aZmX2-7n_8tKMe3/check":      {Mode: 0400, Data: []byte("binfmt")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/6VQTJ1lI5BmVuI1YFYJ8ClO3MRORvTTrcWFDcUU-l5Ga8EofxCxGlSTYN-u8dKj_": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/UnDo4B5KneEUY5b4vRUk_y9MWgkWuw2N8f8a2XayO686xXur-aZmX2-7n_8tKMe3")},
+			"identifier/_v8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
 	})
 }

--- a/internal/pkg/file_test.go
+++ b/internal/pkg/file_test.go
@@ -1,6 +1,7 @@
 package pkg_test

 import (
+	"io/fs"
 	"testing"

 	"hakurei.app/check"
@@ -10,18 +11,27 @@ import (
 func TestFile(t *testing.T) {
 	t.Parallel()

+	want := expectsFile{0}
 	checkWithCache(t, []cacheTestCase{
 		{"file", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			cureMany(t, c, []cureStep{
 				{"short", pkg.NewFile("null", []byte{0}), base.Append(
 					"identifier",
 					"3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi",
-				), pkg.MustDecode(
-					"vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX",
-				), nil},
+				), want, nil},
 			})
-		}, pkg.MustDecode(
-			"iR6H5OIsyOW4EwEgtm9rGzGF6DVtyHLySEtwnFE8bnus9VJcoCbR4JIek7Lw-vwT",
-		)},
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum":                            {Mode: fs.ModeDir | 0700},
+			"checksum/" + pkg.Encode(want.hash()): {Mode: 0400, Data: []byte{0}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
 	})
 }
--- a/internal/pkg/internal/testtool/expected/expected.go
+++ b/internal/pkg/internal/testtool/expected/expected.go
@@ -0,0 +1,9 @@
+// Package expected contains data shared between test helper and test harness.
+package expected
+
+const (
+	// Magic are magic bytes in the binfmt test case.
+	Magic = "\xca\xfe\xba\xbe\xfd\xfd"
+	// Full is the full content of the binfmt test case executable.
+	Full = Magic + ":3"
+)
--- a/internal/pkg/internal/testtool/expected/sum_amd64.go
+++ b/internal/pkg/internal/testtool/expected/sum_amd64.go
@@ -0,0 +1,11 @@
+package expected
+
+const (
+	Offline  = "q5ktDTq0miP-VvB2blxqXQeaRXCUWgP_KbC18KNtUDtyoaI_h5mHmGuPMArVEBDs"
+	OfflineS = "IY91PCtOpCYy21AaIK0c9f8-Z6fb2_2ewoHWkt4dxoLf0GOrWqS8yAGFLV84b1Dw"
+	OvlRoot  = "NacZGXwuRkTvcHaG08a22ujJ8qCWN0RSoFlRSR5FSt0ZcBbJ28FRvkYsHEtX7G8i"
+	Layers   = "WBJDrATtX6rIE5yAu8ePX3WmDF0Tt9kFiue0m3cRnyRoVx1my8a67fh3CAW486oP"
+	Net      = "CmYtj2sNB3LHtqiDuck_Lz3MjLLIiwyP8N4NDitQ1Icvv__LVP9p8tm-sHeQaKKp"
+	Promote  = "TX3eCloaQFkV-SZIH6Jg6E5WKH--rcXY1P0jnZKmLFKWrNqnOzd4G9eIBh6i5ywN"
+	Work     = "OuNiLSC68pZhAOr1YQ4WbV1tzASA0nxLEBcK7lO7MqxDY_j8dmP_C612RTuF23Lu"
+)
--- a/internal/pkg/internal/testtool/expected/sum_arm64.go
+++ b/internal/pkg/internal/testtool/expected/sum_arm64.go
@@ -0,0 +1,11 @@
+package expected
+
+const (
+	Offline  = "WapqyoPxbWSnq07dWHt71mHaJXq99pAjJfFlELlJljSiZMhTFqqlzU1_mN86shSj"
+	OfflineS = "ibQZHcdXgNQ1OiMX1FrburBbGPVvKEHvPilbQCkm_0oV0BQCHomyyTbYNrFMGIwl"
+	OvlRoot  = "V9anFOiRvjGfAeBhLl14AL8TKdWZyD0WTPYe4fS9mOBw8iW5Lmarvt6TG6MV8uWm"
+	Layers   = "tKx7JNRoSBdK_7MdzI-nwTNV2wmiPzwYdcd17oLmXKL_iLmUzUiA79qTqdrTasrv"
+	Net      = "aXyDLzBCJ9XltXZIfetEVsEkrqHfcXuD5XE_FcUnYbN3emwL55N6P8LlHzNfGnM5"
+	Promote  = "3k4V16n96Lq04gjFSKmm4sFjyQ883FFBNXgTy9s_DjeTwxT3pg_iacEh8yMb_S4m"
+	Work     = "6Q49MhFWRE3Ne6MycwAotgl1GtoU5WCHqJNWG2byYZCY-zX-IxPrWiKk7bKkNzhE"
+)
--- a/internal/pkg/internal/testtool/expected/sum_riscv64.go
+++ b/internal/pkg/internal/testtool/expected/sum_riscv64.go
@@ -0,0 +1,11 @@
+package expected
+
+const (
+	Offline  = "Z6yXE5gOJScL3srmnVMWgCXccDiUNZ5snSrf6RkXuU1_U0rX_kGVwsfHUgNG_awd"
+	OfflineS = "zN16xv6LKRJRipUJwupyxg2rZcvf-qpsMn_qCxUmgxlTSuNwYI70ZEb7dHW5k0gO"
+	OvlRoot  = "zYXJHFRLuxvUhuisZEXgGgVvdQd6piMfp5jmtT6jdVjvC2gICXquOq-UTwlrSD5I"
+	Layers   = "_F8EDazHbcLeT0sVSQXRN_kn9IjduqJcDYgzXpsT-hpKU4EBcZ0PISN2zchpqMbm"
+	Net      = "CA_FAaSIYJgapBEHV40doxpH23PdUEy_6s1TZc7wfSPN0XYqwGpMceXXDSabGveO"
+	Promote  = "_3LPrLp--4h9k4GsNNApu9hHtAafq-GUhfU6d4hJKBDKT3bz_szOsvkXxc5sK53d"
+	Work     = "FEgHeiCD_WT4wsfB-9kDH5n6cRWCEYtJmXdKZgmUUukAOoXumH_hLlosXREC-tqq"
+)
--- a/internal/pkg/internal/testtool/main.go
+++ b/internal/pkg/internal/testtool/main.go
@@ -14,15 +14,29 @@ import (
 	"strconv"
 	"strings"

-	"hakurei.app/check"
 	"hakurei.app/fhs"
 	"hakurei.app/vfs"
+
+	"hakurei.app/internal/pkg/internal/testtool/expected"
 )

 func main() {
 	log.SetFlags(0)
 	log.SetPrefix("testtool: ")

+	if os.Getenv("HAKUREI_BINFMT") == "1" {
+		wantArgs := []string{"/interpreter", "/opt/bin/sample"}
+		if !slices.Equal(os.Args, wantArgs) {
+			log.Fatalf("Args: %q, want %q", os.Args, wantArgs)
+		}
+
+		if err := os.WriteFile("check", []byte("binfmt"), 0400); err != nil {
+			log.Fatal(err)
+		}
+
+		return
+	}
+
 	environ := slices.DeleteFunc(slices.Clone(os.Environ()), func(s string) bool {
 		return s == "CURE_JOBS="+strconv.Itoa(runtime.NumCPU())
 	})
@@ -148,59 +162,40 @@ func main() {
 	}

 	const checksumEmptyDir = "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"
-	ident := "dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks"
+	ident := expected.Offline
 	log.Println(m)
 	next := func() { m = m.Next; log.Println(m) }

 	if overlayRoot {
-		ident = "RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb"
+		ident = expected.OvlRoot

 		if m.Root != "/" || m.Target != "/" ||
 			m.Source != "overlay" || m.FsType != "overlay" {
 			log.Fatal("unexpected root mount entry")
 		}
-		var lowerdir string
+		var lowerdir []string
 		for _, o := range strings.Split(m.FsOptstr, ",") {
-			const lowerdirKey = "lowerdir="
+			const lowerdirKey = "lowerdir+="
 			if strings.HasPrefix(o, lowerdirKey) {
-				lowerdir = o[len(lowerdirKey):]
+				lowerdir = append(lowerdir, o[len(lowerdirKey):])
 			}
 		}
 		if !layers {
-			if filepath.Base(lowerdir) != checksumEmptyDir {
+			if len(lowerdir) != 1 || filepath.Base(lowerdir[0]) != checksumEmptyDir {
 				log.Fatal("unexpected artifact checksum")
 			}
 		} else {
-			ident = "p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT"
+			ident = expected.Layers

-			lowerdirsEscaped := strings.Split(lowerdir, ":")
-			lowerdirs := lowerdirsEscaped[:0]
-			// ignore the option separator since it does not appear in ident
-			for i, e := range lowerdirsEscaped {
-				if len(e) > 0 &&
-					e[len(e)-1] == check.SpecialOverlayEscape[0] &&
-					(len(e) == 1 || e[len(e)-2] != check.SpecialOverlayEscape[0]) {
-					// ignore escaped pathname separator since it does not
-					// appear in ident
-
-					e = e[:len(e)-1]
-					if len(lowerdirsEscaped) != i {
-						lowerdirsEscaped[i+1] = e + lowerdirsEscaped[i+1]
-						continue
-					}
-				}
-				lowerdirs = append(lowerdirs, e)
-			}
-
-			if len(lowerdirs) != 2 ||
-				filepath.Base(lowerdirs[0]) != "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU" ||
-				filepath.Base(lowerdirs[1]) != "nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK" {
-				log.Fatalf("unexpected lowerdirs %s", strings.Join(lowerdirs, ", "))
+			if len(lowerdir) != 2 ||
+				filepath.Base(lowerdir[0]) != "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU" ||
+				filepath.Base(lowerdir[1]) != "nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK" {
+				log.Fatalf("unexpected lowerdirs %s", strings.Join(lowerdir, ", "))
 			}
 		}
 	} else {
 		if hostNet {
-			ident = "G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3"
+			ident = expected.Net
 		}

 		if m.Root != "/sysroot" || m.Target != "/" {
@@ -219,14 +214,14 @@ func main() {
 	}

 	if promote {
-		ident = "xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ"
+		ident = expected.Promote
 	}

 	next() // testtool artifact

 	next()
 	if overlayWork {
-		ident = "5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-"
+		ident = expected.Work
 		if m.Root != "/" || m.Target != "/work" ||
 			m.Source != "overlay" || m.FsType != "overlay" {
 			log.Fatal("unexpected work mount entry")
--- a/internal/pkg/ir.go
+++ b/internal/pkg/ir.go
@@ -76,6 +76,9 @@ type IContext struct {
 	// Written to by various methods, should be zeroed after [Artifact.Params]
 	// returns and must not be exposed directly.
 	w io.Writer
+	// Optional [Artifact] to cureRes cache, replaces [IRKindIdent] with
+	// checksum values if non-nil.
+	inputs map[Artifact]cureRes
 }

 // irZero is a zero IR word.
@@ -163,7 +166,15 @@ func (i *IContext) WriteIdent(a Artifact) {
 	defer i.ic.putIdentBuf(buf)

 	IRKindIdent.encodeHeader(0).put(buf[:])
-	*(*ID)(buf[wordSize:]) = i.ic.Ident(a).Value()
+	if i.inputs != nil {
+		res, ok := i.inputs[a]
+		if !ok {
+			panic(InvalidLookupError(i.ic.Ident(a).Value()))
+		}
+		*(*ID)(buf[wordSize:]) = res.checksum.Value()
+	} else {
+		*(*ID)(buf[wordSize:]) = i.ic.Ident(a).Value()
+	}
 	i.mustWrite(buf[:])
 }

@@ -207,19 +218,44 @@ func (i *IContext) WriteString(s string) {
 // Encode writes a deterministic, efficient representation of a to w and returns
 // the first non-nil error encountered while writing to w.
 func (ic *irCache) Encode(w io.Writer, a Artifact) (err error) {
+	return ic.encode(w, a, nil)
+}
+
+// encode implements Encode but replaces identifiers with their cured checksums
+// for a non-nil ident. Caller must acquire Cache.identMu.
+func (ic *irCache) encode(
+	w io.Writer,
+	a Artifact,
+	inputs map[Artifact]cureRes,
+) (err error) {
 	deps := a.Dependencies()
 	idents := make([]*extIdent, len(deps))
-	for i, d := range deps {
-		dbuf, did := ic.unsafeIdent(d, true)
-		if dbuf == nil {
-			dbuf = ic.getIdentBuf()
-			binary.LittleEndian.PutUint64(dbuf[:], uint64(d.Kind()))
-			*(*ID)(dbuf[wordSize:]) = did.Value()
-		} else {
-			ic.storeIdent(d, dbuf)
+	if inputs == nil {
+		for i, d := range deps {
+			dbuf, did := ic.unsafeIdent(d, true)
+			if dbuf == nil {
+				dbuf = ic.getIdentBuf()
+				binary.LittleEndian.PutUint64(dbuf[:], uint64(d.Kind()))
+				*(*ID)(dbuf[wordSize:]) = did.Value()
+			} else {
+				ic.storeIdent(d, dbuf)
+			}
+			defer ic.putIdentBuf(dbuf)
+			idents[i] = dbuf
+		}
+	} else {
+		for i, d := range deps {
+			res, ok := inputs[d]
+			if !ok {
+				return InvalidLookupError(ic.Ident(d).Value())
+			}
+
+			dbuf := ic.getIdentBuf()
+			binary.LittleEndian.PutUint64(dbuf[:], uint64(d.Kind()))
+			*(*ID)(dbuf[wordSize:]) = res.checksum.Value()
+			defer ic.putIdentBuf(dbuf)
+			idents[i] = dbuf
 		}
-		defer ic.putIdentBuf(dbuf)
-		idents[i] = dbuf
 	}
 	slices.SortFunc(idents, func(a, b *extIdent) int {
 		return bytes.Compare(a[:], b[:])
@@ -244,7 +280,7 @@ func (ic *irCache) Encode(w io.Writer, a Artifact) (err error) {
 	}

 	func() {
-		i := IContext{ic, w}
+		i := IContext{ic, w, inputs}

 		defer panicToError(&err)
 		defer func() { i.ic, i.w = nil, nil }()
@@ -432,6 +468,12 @@ func (e InvalidKindError) Error() string {
 // register is not safe for concurrent use. register must not be called after
 // the first instance of [Cache] has been opened.
 func register(k Kind, f IRReadFunc) {
+	openMu.Lock()
+	defer openMu.Unlock()
+
+	if opened {
+		panic("attempting to register after open")
+	}
 	if _, ok := irArtifact[k]; ok {
 		panic("attempting to register " + strconv.Itoa(int(k)) + " twice")
 	}
--- a/internal/pkg/ir_test.go
+++ b/internal/pkg/ir_test.go
@@ -3,6 +3,7 @@ package pkg_test
 import (
 	"bytes"
 	"io"
+	"io/fs"
 	"reflect"
 	"testing"

@@ -38,7 +39,7 @@ func TestIRRoundtrip(t *testing.T) {
 		)},

 		{"exec offline", pkg.NewExec(
-			"exec-offline", nil, 0, false,
+			"exec-offline", "", nil, 0, false, false,
 			pkg.AbsWork,
 			[]string{"HAKUREI_TEST=1"},
 			check.MustAbs("/opt/bin/testtool"),
@@ -58,9 +59,9 @@ func TestIRRoundtrip(t *testing.T) {
 		)},

 		{"exec net", pkg.NewExec(
-			"exec-net",
+			"exec-net", "",
 			(*pkg.Checksum)(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
-			0, false,
+			0, false, false,
 			pkg.AbsWork,
 			[]string{"HAKUREI_TEST=1"},
 			check.MustAbs("/opt/bin/testtool"),
@@ -79,6 +80,28 @@ func TestIRRoundtrip(t *testing.T) {
 			)),
 		)},

+		{"exec measured", pkg.NewExec(
+			"exec-measured", "",
+			(*pkg.Checksum)(bytes.Repeat([]byte{0xfd}, len(pkg.Checksum{}))),
+			0, false, false,
+			pkg.AbsWork,
+			[]string{"HAKUREI_TEST=1"},
+			check.MustAbs("/opt/bin/testtool"),
+			[]string{"testtool", "measured"},
+
+			pkg.MustPath("/file", false, pkg.NewFile("file", []byte(
+				"stub file",
+			))), pkg.MustPath("/.hakurei", false, pkg.NewHTTPGetTar(
+				nil, "file:///hakurei.tar",
+				pkg.Checksum(bytes.Repeat([]byte{0xfd}, len(pkg.Checksum{}))),
+				pkg.TarUncompressed,
+			)), pkg.MustPath("/opt", false, pkg.NewHTTPGetTar(
+				nil, "file:///testtool.tar.gz",
+				pkg.Checksum(bytes.Repeat([]byte{0xfd}, len(pkg.Checksum{}))),
+				pkg.TarGzip,
+			)),
+		)},
+
 		{"file anonymous", pkg.NewFile("", []byte{0})},
 		{"file", pkg.NewFile("stub", []byte("stub"))},
 	}
@@ -105,9 +128,13 @@ func TestIRRoundtrip(t *testing.T) {
 				if err := <-done; err != nil {
 					t.Fatalf("EncodeAll: error = %v", err)
 				}
-			}, pkg.MustDecode(
-				"E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C",
-			),
+			}, expectsFS{
+				".":          {Mode: fs.ModeDir | 0700},
+				"checksum":   {Mode: fs.ModeDir | 0700},
+				"identifier": {Mode: fs.ModeDir | 0700},
+				"substitute": {Mode: fs.ModeDir | 0700},
+				"work":       {Mode: fs.ModeDir | 0700},
+			},
 		}
 	}
 	checkWithCache(t, testCasesCache)
--- a/internal/pkg/net_test.go
+++ b/internal/pkg/net_test.go
@@ -3,6 +3,7 @@ package pkg_test
 import (
 	"crypto/sha512"
 	"io"
+	"io/fs"
 	"net/http"
 	"reflect"
 	"testing"
@@ -85,7 +86,13 @@ func TestHTTPGet(t *testing.T) {
 			if _, err := f.Cure(r); !reflect.DeepEqual(err, wantErrNotFound) {
 				t.Fatalf("Cure: error = %#v, want %#v", err, wantErrNotFound)
 			}
-		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
+		}, expectsFS{
+			".":          {Mode: fs.ModeDir | 0700},
+			"checksum":   {Mode: fs.ModeDir | 0700},
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"substitute": {Mode: fs.ModeDir | 0700},
+			"work":       {Mode: fs.ModeDir | 0700},
+		}},

 		{"cure", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			r := newRContext(t, c)
@@ -144,6 +151,18 @@ func TestHTTPGet(t *testing.T) {
 			if _, _, err := c.Cure(f); !reflect.DeepEqual(err, wantErrNotFound) {
 				t.Fatalf("Pathname: error = %#v, want %#v", err, wantErrNotFound)
 			}
-		}, pkg.MustDecode("L_0RFHpr9JUS4Zp14rz2dESSRvfLzpvqsLhR1-YjQt8hYlmEdVl7vI3_-v8UNPKs")},
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU": {Mode: 0400, Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
 	})
 }
--- a/internal/pkg/pkg.go
+++ b/internal/pkg/pkg.go
@@ -4,6 +4,7 @@ package pkg
 import (
 	"bufio"
 	"bytes"
+	"cmp"
 	"context"
 	"crypto/sha512"
 	"encoding/base64"
@@ -15,14 +16,17 @@ import (
 	"io/fs"
 	"maps"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"runtime"
 	"slices"
+	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"syscall"
 	"testing"
+	"time"
 	"unique"
 	"unsafe"

@@ -70,6 +74,64 @@ func MustDecode(s string) (checksum Checksum) {
 	return
 }

+var (
+	// extension is a string uniquely identifying a set of custom [Artifact]
+	// implementations registered by calling [Register].
+	extension string
+
+	// openMu synchronises access to global state for initialisation.
+	openMu sync.Mutex
+	// opened is false if [Open] was never called.
+	opened bool
+)
+
+// Extension returns a string uniquely identifying the currently registered set
+// of custom [Artifact], or the zero value if none was registered.
+func Extension() string { return extension }
+
+// ValidExtension returns whether s is valid for use in a call to SetExtension.
+func ValidExtension(s string) bool {
+	if l := len(s); l == 0 || l > 128 {
+		return false
+	}
+	for _, v := range s {
+		if v < 'a' || v > 'z' {
+			return false
+		}
+	}
+	return true
+}
+
+// ErrInvalidExtension is returned for a variant identification string for which
+// [ValidExtension] returns false.
+var ErrInvalidExtension = errors.New("invalid extension variant identification string")
+
+// SetExtension sets the extension variant identification string. SetExtension
+// must be called before [Open] if custom [Artifact] implementations had been
+// recorded by calling [Register].
+//
+// The variant identification string must be between 1 and 128 bytes long and
+// consists of only bytes between 'a' and 'z'.
+//
+// SetExtension is not safe for concurrent use. SetExtension is called at most
+// once and must not be called after the first instance of Cache has been opened.
+func SetExtension(s string) {
+	openMu.Lock()
+	defer openMu.Unlock()
+
+	if opened {
+		panic("attempting to set extension after open")
+	}
+	if extension != "" {
+		panic("attempting to set extension twice")
+	}
+	if !ValidExtension(s) {
+		panic(ErrInvalidExtension)
+	}
+	extension = s
+	statusHeader = makeStatusHeader(s)
+}
+
 // common holds elements and receives methods shared between different contexts.
 type common struct {
 	// Context specific to this [Artifact]. The toplevel context in [Cache] must
@@ -93,7 +155,7 @@ type TContext struct {
 	// Target [Artifact] encoded identifier.
 	ids string
 	// Pathname status was created at.
-	statusPath *check.Absolute
+	statusPath, statusSPath *check.Absolute
 	// File statusHeader and logs are written to.
 	status *os.File
 	// Error value during prepareStatus.
@@ -102,19 +164,27 @@ type TContext struct {
 	common
 }

-// statusHeader is the header written to all status files in dirStatus.
-var statusHeader = func() string {
+// makeStatusHeader creates the header written to every status file. This should
+// not be called directly, its result is stored in statusHeader and will not
+// change after the first [Cache] is opened.
+func makeStatusHeader(extension string) string {
 	s := programName
 	if v := info.Version(); v != info.FallbackVersion {
 		s += " " + v
 	}
+	if extension != "" {
+		s += " with " + extension + " extensions"
+	}
 	s += " (" + runtime.GOARCH + ")"
 	if name, err := os.Hostname(); err == nil {
 		s += " on " + name
 	}
 	s += "\n\n"
 	return s
-}()
+}
+
+// statusHeader is the header written to all status files in dirStatus.
+var statusHeader = makeStatusHeader("")

 // prepareStatus initialises the status file once.
 func (t *TContext) prepareStatus() error {
@@ -180,7 +250,19 @@ func (t *TContext) destroy(errP *error) {
 			*errP = errors.Join(*errP, err)
 		}
 		if *errP != nil {
-			*errP = errors.Join(*errP, os.Remove(t.statusPath.String()))
+			*errP = errors.Join(*errP, os.Rename(
+				t.statusPath.String(), t.cache.base.Append(
+					dirFault,
+					t.ids+"."+strconv.FormatUint(uint64(
+						time.Now().UnixNano(),
+					), 10),
+				).String(),
+			))
+			if t.statusSPath != nil {
+				t.cache.checksumMu.Lock()
+				*errP = errors.Join(*errP, os.Remove(t.statusSPath.String()))
+				t.cache.checksumMu.Unlock()
+			}
 		}
 		t.status = nil
 	}
@@ -427,6 +509,9 @@ const (
 	// KindFile is the kind of [Artifact] returned by [NewFile].
 	KindFile

+	// _kindEnd is the total number of kinds and does not denote a kind.
+	_kindEnd
+
 	// KindCustomOffset is the first [Kind] value reserved for implementations
 	// not from this package.
 	KindCustomOffset = 1 << 31
@@ -438,30 +523,34 @@ const (
 )

 const (
-	// fileLock is the file name appended to Cache.base for guaranteeing
-	// exclusive access to the cache directory.
+	// fileLock is the lock file for exclusive access to the cache directory.
 	fileLock = "lock"
+	// fileVariant is a file holding the variant identification string set by a
+	// prior call to [SetExtension].
+	fileVariant = "variant"

-	// dirIdentifier is the directory name appended to Cache.base for storing
-	// artifacts named after their [ID].
+	// dirSubstitute holds symlinks to artifacts by checksum, named after their
+	// substitute identifier.
+	dirSubstitute = "substitute"
+	// dirIdentifier holds symlinks to artifacts by checksum,  named after their
+	// IR-based identifier.
 	dirIdentifier = "identifier"
-	// dirChecksum is the directory name appended to Cache.base for storing
-	// artifacts named after their [Checksum].
+	// dirChecksum holds artifacts named after their [Checksum].
 	dirChecksum = "checksum"
-	// dirStatus is the directory name appended to Cache.base for storing
-	// artifact metadata and logs named after their [ID].
+	// dirStatus holds artifact metadata and logs named after their IR-based
+	// identifier. For [FloodArtifact], the same file is also available under
+	// its substitute identifier.
 	dirStatus = "status"
+	// dirFault holds status files of faulted cures.
+	dirFault = "fault"

-	// dirWork is the directory name appended to Cache.base for working
-	// pathnames set up during [Cache.Cure].
+	// dirWork holds working pathnames set up during [Cache.Cure].
 	dirWork = "work"
-	// dirTemp is the directory name appended to Cache.base for scratch space
-	// pathnames allocated during [Cache.Cure].
+	// dirTemp holds scratch space allocated during [Cache.Cure].
 	dirTemp = "temp"

-	// dirExecScratch is the directory name appended to Cache.base for scratch
-	// space setting up the container started by [Cache.EnterExec]. Exclusivity
-	// via Cache.inExec.
+	// dirExecScratch is scratch space set up for the container started by
+	// [Cache.EnterExec]. Exclusivity via Cache.inExec.
 	dirExecScratch = "scratch"

 	// checksumLinknamePrefix is prepended to the encoded [Checksum] value
@@ -540,6 +629,17 @@ const (
 	// impurity due to [KindExecNet] being [KnownChecksum]. This flag exists
 	// to support kernels without Landlock LSM enabled.
 	CHostAbstract
+
+	// CPromoteVariant allows [pkg.Open] to promote an unextended on-disk cache
+	// to the current extension variant. This is a one-way operation.
+	CPromoteVariant
+
+	// CSuppressInit arranges for verbose output of the container init to be
+	// suppressed regardless of [message.Msg] state.
+	CSuppressInit
+
+	// CIgnoreSubstitutes disables content-based dependency substitution.
+	CIgnoreSubstitutes
 )

 // toplevel holds [context.WithCancel] over caller-supplied context, where all
@@ -595,6 +695,11 @@ type Cache struct {
 	// Synchronises access to dirChecksum.
 	checksumMu sync.RWMutex

+	// Presence of an alternative in the cache. Keys are not valid identifiers
+	// and must not be used as such.
+	substitute map[unique.Handle[ID]]unique.Handle[Checksum]
+	// Synchronises access to substitute and corresponding filesystem entries.
+	substituteMu sync.RWMutex
 	// Identifier to content pair cache.
 	ident map[unique.Handle[ID]]unique.Handle[Checksum]
 	// Identifier to error pair for unrecoverably faulted [Artifact].
@@ -805,11 +910,14 @@ func (c *Cache) Scrub(checks int) error {
 		checks = runtime.NumCPU()
 	}

+	c.substituteMu.Lock()
+	defer c.substituteMu.Unlock()
 	c.identMu.Lock()
 	defer c.identMu.Unlock()
 	c.checksumMu.Lock()
 	defer c.checksumMu.Unlock()

+	c.substitute = make(map[unique.Handle[ID]]unique.Handle[Checksum])
 	c.ident = make(map[unique.Handle[ID]]unique.Handle[Checksum])
 	c.identErr = make(map[unique.Handle[ID]]error)
 	c.artifact.Clear()
@@ -917,47 +1025,52 @@ func (c *Cache) Scrub(checks int) error {
 		wg.Wait()
 	}

-	dir = c.base.Append(dirIdentifier)
-	if entries, readdirErr := os.ReadDir(dir.String()); readdirErr != nil {
-		addErr(dir, readdirErr)
-	} else {
-		wg.Add(len(entries))
-		for _, ent := range entries {
-			w <- checkEntry{ent, func(ent os.DirEntry, want *Checksum) bool {
-				got := p.Get().(*Checksum)
-				defer p.Put(got)
+	for _, suffix := range []string{
+		dirSubstitute,
+		dirIdentifier,
+	} {
+		dir = c.base.Append(suffix)
+		if entries, readdirErr := os.ReadDir(dir.String()); readdirErr != nil {
+			addErr(dir, readdirErr)
+		} else {
+			wg.Add(len(entries))
+			for _, ent := range entries {
+				w <- checkEntry{ent, func(ent os.DirEntry, want *Checksum) bool {
+					got := p.Get().(*Checksum)
+					defer p.Put(got)

-				pathname := dir.Append(ent.Name())
-				if linkname, err := os.Readlink(
-					pathname.String(),
-				); err != nil {
-					seMu.Lock()
-					se.Errs[pathname.Handle()] = append(se.Errs[pathname.Handle()], err)
-					se.DanglingIdentifiers = append(se.DanglingIdentifiers, *want)
-					seMu.Unlock()
-					return false
-				} else if err = Decode(got, filepath.Base(linkname)); err != nil {
-					seMu.Lock()
-					lnp := dir.Append(linkname)
-					se.Errs[lnp.Handle()] = append(se.Errs[lnp.Handle()], err)
-					se.DanglingIdentifiers = append(se.DanglingIdentifiers, *want)
-					seMu.Unlock()
-					return false
-				}
-
-				if _, err := os.Stat(pathname.String()); err != nil {
-					if !errors.Is(err, os.ErrNotExist) {
-						addErr(pathname, err)
+					pathname := dir.Append(ent.Name())
+					if linkname, err := os.Readlink(
+						pathname.String(),
+					); err != nil {
+						seMu.Lock()
+						se.Errs[pathname.Handle()] = append(se.Errs[pathname.Handle()], err)
+						se.DanglingIdentifiers = append(se.DanglingIdentifiers, *want)
+						seMu.Unlock()
+						return false
+					} else if err = Decode(got, filepath.Base(linkname)); err != nil {
+						seMu.Lock()
+						lnp := dir.Append(linkname)
+						se.Errs[lnp.Handle()] = append(se.Errs[lnp.Handle()], err)
+						se.DanglingIdentifiers = append(se.DanglingIdentifiers, *want)
+						seMu.Unlock()
+						return false
 					}
-					seMu.Lock()
-					se.DanglingIdentifiers = append(se.DanglingIdentifiers, *want)
-					seMu.Unlock()
-					return false
-				}
-				return true
-			}}
+
+					if _, err := os.Stat(pathname.String()); err != nil {
+						if !errors.Is(err, os.ErrNotExist) {
+							addErr(pathname, err)
+						}
+						seMu.Lock()
+						se.DanglingIdentifiers = append(se.DanglingIdentifiers, *want)
+						seMu.Unlock()
+						return false
+					}
+					return true
+				}}
+			}
+			wg.Wait()
 		}
-		wg.Wait()
 	}

 	dir = c.base.Append(dirStatus)
@@ -1105,6 +1218,52 @@ func (c *Cache) finaliseIdent(
 	close(done)
 }

+// zeroChecksum is a zero [Checksum] handle, used for comparison only.
+var zeroChecksum unique.Handle[Checksum]
+
+// loadSubstitute returns a checksum corresponding to a substitute identifier,
+// or zeroChecksum if an alternative is not available.
+func (c *Cache) loadSubstitute(
+	substitute unique.Handle[ID],
+) (unique.Handle[Checksum], error) {
+	c.substituteMu.RLock()
+	if checksum, ok := c.substitute[substitute]; ok {
+		c.substituteMu.RUnlock()
+		return checksum, nil
+	}
+
+	linkname, err := os.Readlink(c.base.Append(
+		dirSubstitute,
+		Encode(substitute.Value()),
+	).String())
+	c.substituteMu.RUnlock()
+
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return zeroChecksum, err
+		}
+
+		c.substituteMu.Lock()
+		c.substitute[substitute] = zeroChecksum
+		c.substituteMu.Unlock()
+		return zeroChecksum, nil
+	}
+
+	var checksum unique.Handle[Checksum]
+	buf := c.getIdentBuf()
+	err = Decode((*Checksum)(buf[:]), filepath.Base(linkname))
+	if err == nil {
+		checksum = unique.Make(Checksum(buf[:]))
+
+		c.substituteMu.Lock()
+		c.substitute[substitute] = checksum
+		c.substituteMu.Unlock()
+	}
+	c.putIdentBuf(buf)
+
+	return checksum, err
+}
+
 // Done returns a channel that is closed when the ongoing cure of an [Artifact]
 // referred to by the specified identifier completes. Done may return nil if
 // no ongoing cure of the specified identifier exists.
@@ -1339,8 +1498,8 @@ func (c *Cache) Cure(a Artifact) (

 // CureError wraps a non-nil error returned attempting to cure an [Artifact].
 type CureError struct {
-	Ident unique.Handle[ID]
-	Err   error
+	A   Artifact
+	Err error
 }

 // Unwrap returns the underlying error.
@@ -1353,40 +1512,63 @@ func (e *CureError) Error() string { return e.Err.Error() }
 type DependencyCureError []*CureError

 // unwrapM recursively expands underlying errors into a caller-supplied map.
-func (e *DependencyCureError) unwrapM(me map[unique.Handle[ID]]*CureError) {
+func (e *DependencyCureError) unwrapM(
+	ctx context.Context,
+	ir *IRCache,
+	me map[unique.Handle[ID]]*CureError,
+) {
 	for _, err := range *e {
-		if _, ok := me[err.Ident]; ok {
+		if ctx.Err() != nil {
+			break
+		}
+
+		id := ir.Ident(err.A)
+		if _, ok := me[id]; ok {
 			continue
 		}
 		if _e, ok := err.Err.(*DependencyCureError); ok {
-			_e.unwrapM(me)
+			_e.unwrapM(ctx, ir, me)
 			continue
 		}
-		me[err.Ident] = err
+		me[id] = err
 	}
 }

 // unwrap recursively expands and deduplicates underlying errors.
-func (e *DependencyCureError) unwrap() DependencyCureError {
+func (e *DependencyCureError) unwrap(
+	ctx context.Context,
+	ir *IRCache,
+) DependencyCureError {
 	me := make(map[unique.Handle[ID]]*CureError)
-	e.unwrapM(me)
-	errs := slices.AppendSeq(
-		make(DependencyCureError, 0, len(me)),
-		maps.Values(me),
-	)
+	e.unwrapM(ctx, ir, me)
+	type ent struct {
+		id  unique.Handle[ID]
+		err *CureError
+	}
+	errs := make([]*ent, 0, len(me))
+	for id, err := range me {
+		errs = append(errs, &ent{id, err})
+	}

 	var identBuf [2]ID
-	slices.SortFunc(errs, func(a, b *CureError) int {
-		identBuf[0], identBuf[1] = a.Ident.Value(), b.Ident.Value()
+	slices.SortFunc(errs, func(a, b *ent) int {
+		identBuf[0], identBuf[1] = a.id.Value(), b.id.Value()
 		return slices.Compare(identBuf[0][:], identBuf[1][:])
 	})

-	return errs
+	_errs := make(DependencyCureError, len(errs))
+	for i, v := range errs {
+		_errs[i] = v.err
+	}
+	return _errs
 }

 // Unwrap returns a deduplicated slice of underlying errors.
 func (e *DependencyCureError) Unwrap() []error {
-	errs := e.unwrap()
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	errs := e.unwrap(ctx, NewIR())
 	_errs := make([]error, len(errs))
 	for i, err := range errs {
 		_errs[i] = err
@@ -1396,14 +1578,23 @@ func (e *DependencyCureError) Unwrap() []error {

 // Error returns a user-facing multiline error message.
 func (e *DependencyCureError) Error() string {
-	errs := e.unwrap()
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	ir := NewIR()
+	errs := e.unwrap(ctx, ir)
 	if len(errs) == 0 {
 		return "invalid dependency cure outcome"
 	}
 	var buf strings.Builder
 	buf.WriteString("errors curing dependencies:")
 	for _, err := range errs {
-		buf.WriteString("\n\t" + Encode(err.Ident.Value()) + ": " + err.Error())
+		buf.WriteString("\n\t" +
+			reportName(err.A, ir.Ident(err.A)) + ": " +
+			err.Error())
+	}
+	if ctx.Err() != nil {
+		buf.WriteString("\nerror resolution cancelled")
 	}
 	return buf.String()
 }
@@ -1573,16 +1764,44 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		return
 	}

-	var checksums string
+	var (
+		checksums   string
+		substitute  unique.Handle[ID]
+		alternative *check.Absolute
+	)
 	defer func() {
 		if err == nil && checksums != "" {
+			linkname := checksumLinknamePrefix + checksums
+
 			err = os.Symlink(
-				checksumLinknamePrefix+checksums,
+				linkname,
 				pathname.String(),
 			)
 			if err == nil {
 				err = zeroTimes(pathname.String())
 			}
+
+			if err == nil && alternative != nil {
+				c.substituteMu.Lock()
+				err = os.Symlink(
+					linkname,
+					alternative.String(),
+				)
+				if errors.Is(err, os.ErrExist) {
+					c.msg.Verbosef(
+						"creating alternative over %s for artifact %s",
+						Encode(substitute.Value()), ids,
+					)
+					err = nil
+				}
+				if err == nil {
+					err = zeroTimes(alternative.String())
+				}
+				if err == nil && checksum != zeroChecksum {
+					c.substitute[substitute] = checksum
+				}
+				c.substituteMu.Unlock()
+			}
 		}
 	}()

@@ -1709,6 +1928,9 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		}
 		c.exitCure(a, curesExempt)
 		if err != nil {
+			if c.msg.IsVerbose() {
+				c.msg.Verbosef("cure file %s: %v", reportName(f, id), err)
+			}
 			return
 		}

@@ -1740,7 +1962,7 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 	t := TContext{
 		c.base.Append(dirWork, ids),
 		c.base.Append(dirTemp, ids),
-		ids, nil, nil, nil,
+		ids, nil, nil, nil, nil,
 		common{ctx, c},
 	}
 	switch ca := a.(type) {
@@ -1752,6 +1974,9 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		err = ca.Cure(&t)
 		c.exitCure(a, curesExempt)
 		if err != nil {
+			if c.msg.IsVerbose() {
+				c.msg.Verbosef("cure trivial %s: %v", reportName(ca, id), err)
+			}
 			return
 		}
 		break
@@ -1779,13 +2004,75 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 			f.deps[deps[i]] = p
 		}

+		sh := sha512.New384()
+		err = c.encode(sh, a, f.deps)
+		if err != nil {
+			return
+		}
+
+		buf := c.getIdentBuf()
+		sh.Sum(buf[wordSize:wordSize])
+		substitute = unique.Make(ID(buf[wordSize:]))
+		substitutes := Encode(substitute.Value())
+		c.putIdentBuf(buf)
+		alternative = c.base.Append(
+			dirSubstitute,
+			substitutes,
+		)
+
+		if c.flags&CIgnoreSubstitutes == 0 {
+			var substituteChecksum unique.Handle[Checksum]
+			substituteChecksum, err = c.loadSubstitute(substitute)
+			if err != nil {
+				return
+			}
+			if substituteChecksum != zeroChecksum {
+				checksum = substituteChecksum
+				checksums = Encode(checksum.Value())
+				checksumPathname = c.base.Append(
+					dirChecksum,
+					checksums,
+				)
+				if _, err = os.Lstat(c.base.Append(
+					dirStatus,
+					substitutes,
+				).String()); err == nil {
+					err = os.Symlink(substitutes, c.base.Append(
+						dirStatus,
+						ids,
+					).String())
+				} else if errors.Is(err, os.ErrNotExist) {
+					err = nil
+				}
+				return
+			}
+		}
+
 		defer f.destroy(&err)
 		if err = c.enterCure(a, curesExempt); err != nil {
 			return
 		}
 		err = ca.Cure(&f)
+		if err == nil && f.status != nil {
+			statusS := c.base.Append(
+				dirStatus,
+				substitutes,
+			)
+			c.checksumMu.Lock()
+			err = os.Link(c.base.Append(
+				dirStatus,
+				ids,
+			).String(), statusS.String())
+			c.checksumMu.Unlock()
+			if err == nil {
+				f.statusSPath = statusS
+			}
+		}
 		c.exitCure(a, curesExempt)
 		if err != nil {
+			if c.msg.IsVerbose() {
+				c.msg.Verbosef("cure %s: %v", reportName(ca, id), err)
+			}
 			return
 		}
 		break
@@ -1834,6 +2121,9 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 			Got:  gotChecksum,
 			Want: checksum.Value(),
 		}
+		if c.msg.IsVerbose() {
+			c.msg.Verbosef("validate %s: %v", reportName(a, id), err)
+		}
 		return
 	}

@@ -1876,7 +2166,7 @@ func (pending *pendingArtifactDep) cure(c *Cache) {
 	}

 	pending.errsMu.Lock()
-	*pending.errs = append(*pending.errs, &CureError{c.Ident(pending.a), err})
+	*pending.errs = append(*pending.errs, &CureError{pending.a, err})
 	pending.errsMu.Unlock()
 }

@@ -1892,6 +2182,52 @@ func (c *Cache) OpenStatus(a Artifact) (r io.ReadSeekCloser, err error) {
 	return
 }

+// Fault holds the pathname and termination time of an [Artifact] fault entry.
+type Fault struct {
+	*check.Absolute
+	t uint64
+}
+
+// Time returns the instant in time where the fault occurred.
+func (f Fault) Time() time.Time { return time.Unix(0, int64(f.t)) }
+
+// Open opens the underlying entry for reading.
+func (f Fault) Open() (io.ReadCloser, error) { return os.Open(f.Absolute.String()) }
+
+// Destroy removes the underlying fault entry.
+func (f Fault) Destroy() error { return os.Remove(f.Absolute.String()) }
+
+// ReadFaults returns fault entries for an [Artifact].
+func (c *Cache) ReadFaults(a Artifact) (faults []Fault, err error) {
+	prefix := Encode(c.Ident(a).Value()) + "."
+	var dents []os.DirEntry
+	if dents, err = os.ReadDir(c.base.Append(dirFault).String()); err != nil {
+		return
+	}
+
+	for _, dent := range dents {
+		name := dent.Name()
+		if !strings.HasPrefix(name, prefix) {
+			continue
+		}
+		var t uint64
+		t, err = strconv.ParseUint(name[len(prefix):], 10, 64)
+		if err != nil {
+			return
+		}
+
+		faults = append(faults, Fault{c.base.Append(
+			dirFault,
+			name,
+		), t})
+	}
+
+	slices.SortFunc(faults, func(a, b Fault) int {
+		return cmp.Compare(a.t, b.t)
+	})
+	return
+}
+
 // Abort cancels all pending cures and waits for them to clean up, but does not
 // close the cache.
 func (c *Cache) Abort() {
@@ -1930,6 +2266,20 @@ func (c *Cache) Close() {
 	c.unlock()
 }

+// UnsupportedVariantError describes an on-disk cache with an extension variant
+// identification string that differs from the value returned by [Extension].
+type UnsupportedVariantError string
+
+func (e UnsupportedVariantError) Error() string {
+	return "unsupported variant " + strconv.Quote(string(e))
+}
+
+var (
+	// ErrWouldPromote is returned by [Open] if the [CPromoteVariant] bit is not
+	// set and the on-disk cache requires variant promotion.
+	ErrWouldPromote = errors.New("operation would promote unextended cache")
+)
+
 // Open returns the address of a newly opened instance of [Cache].
 //
 // Concurrent cures of a [FloodArtifact] dependency graph is limited to the
@@ -1961,6 +2311,14 @@ func open(
 	base *check.Absolute,
 	lock bool,
 ) (*Cache, error) {
+	openMu.Lock()
+	defer openMu.Unlock()
+	opened = true
+
+	if extension == "" && len(irArtifact) != int(_kindEnd) {
+		panic("attempting to open cache with incomplete variant setup")
+	}
+
 	if cures < 1 {
 		cures = runtime.NumCPU()
 	}
@@ -1969,13 +2327,17 @@ func open(
 	}

 	for _, name := range []string{
+		dirSubstitute,
 		dirIdentifier,
 		dirChecksum,
 		dirStatus,
+		dirFault,
 		dirWork,
 	} {
-		if err := os.MkdirAll(base.Append(name).String(), 0700); err != nil &&
-			!errors.Is(err, os.ErrExist) {
+		if err := os.MkdirAll(
+			base.Append(name).String(),
+			0700,
+		); err != nil && !errors.Is(err, os.ErrExist) {
 			return nil, err
 		}
 	}
@@ -1992,6 +2354,7 @@ func open(

 		irCache: zeroIRCache(),

+		substitute:   make(map[unique.Handle[ID]]unique.Handle[Checksum]),
 		ident:        make(map[unique.Handle[ID]]unique.Handle[Checksum]),
 		identErr:     make(map[unique.Handle[ID]]error),
 		identPending: make(map[unique.Handle[ID]]*pendingCure),
@@ -2013,6 +2376,45 @@ func open(
 		c.unlock = func() {}
 	}

+	variantPath := base.Append(fileVariant).String()
+	if p, err := os.ReadFile(variantPath); err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			c.unlock()
+			return nil, err
+		}
+		// nonexistence implies newly created cache, or a cache predating
+		// variant identification strings, in which case it is silently promoted
+		if err = os.WriteFile(
+			variantPath,
+			[]byte(extension),
+			0400,
+		); err != nil {
+			c.unlock()
+			return nil, err
+		}
+	} else if s := string(p); s == "" {
+		if extension != "" {
+			if flags&CPromoteVariant == 0 {
+				c.unlock()
+				return nil, ErrWouldPromote
+			}
+			if err = os.WriteFile(
+				variantPath,
+				[]byte(extension),
+				0400,
+			); err != nil {
+				c.unlock()
+				return nil, err
+			}
+		}
+	} else if !ValidExtension(s) {
+		c.unlock()
+		return nil, ErrInvalidExtension
+	} else if s != extension {
+		c.unlock()
+		return nil, UnsupportedVariantError(s)
+	}
+
 	return &c, nil
 }

--- a/internal/pkg/pkg_test.go
+++ b/internal/pkg/pkg_test.go
--- a/internal/pkg/tar_test.go
+++ b/internal/pkg/tar_test.go
@@ -20,6 +20,31 @@ import (
 func TestTar(t *testing.T) {
 	t.Parallel()

+	want := expectsFS{
+		".": {Mode: fs.ModeDir | 0500},
+
+		"checksum": {Mode: fs.ModeDir | 0500},
+		"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
+		"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
+		"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
+		"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
+		"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+		"identifier": {Mode: fs.ModeDir | 0500},
+		"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+		"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+
+		"work": {Mode: fs.ModeDir | 0500},
+	}
+	wantEncode := pkg.Encode(want.hash())
+
+	wantExpand := expectsFS{
+		".": {Mode: fs.ModeDir | 0500},
+
+		"libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+	}
+	wantExpandEncode := pkg.Encode(wantExpand.hash())
+
 	checkWithCache(t, []cacheTestCase{
 		{"http", 0, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			checkTarHTTP(t, base, c, fstest.MapFS{
@@ -37,10 +62,32 @@ func TestTar(t *testing.T) {
 				"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},

 				"work": {Mode: fs.ModeDir | 0700},
-			}, pkg.MustDecode(
-				"cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM",
-			))
-		}, pkg.MustDecode("NQTlc466JmSVLIyWklm_u8_g95jEEb98PxJU-kjwxLpfdjwMWJq0G8ze9R4Vo1Vu")},
+			}, want)
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum":                             {Mode: fs.ModeDir | 0700},
+			"checksum/" + wantEncode:               {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantEncode + "/checksum": {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantEncode + "/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantEncode + "/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
+			"checksum/" + wantEncode + "/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantEncode + "/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+			"checksum/" + wantEncode + "/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantEncode + "/identifier": {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantEncode + "/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"checksum/" + wantEncode + "/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"checksum/" + wantEncode + "/work": {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantEncode)},
+			"identifier/rg7F1D5hwv6o4xctjD5zDq4i5MD0mArTsUIWfhUbik8xC6Bsyt3mjXXOm3goojTz": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantEncode)},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},

 		{"http expand", 0, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			checkTarHTTP(t, base, c, fstest.MapFS{
@@ -48,10 +95,23 @@ func TestTar(t *testing.T) {

 				"lib":            {Mode: fs.ModeDir | 0700},
 				"lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
-			}, pkg.MustDecode(
-				"CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN",
-			))
-		}, pkg.MustDecode("hSoSSgCYTNonX3Q8FjvjD1fBl-E-BQyA6OTXro2OadXqbST4tZ-akGXszdeqphRe")},
+			}, wantExpand)
+		}, expectsFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum":                     {Mode: fs.ModeDir | 0700},
+			"checksum/" + wantExpandEncode: {Mode: fs.ModeDir | 0500},
+			"checksum/" + wantExpandEncode + "/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantExpandEncode)},
+			"identifier/_v1blm2h-_KA-dVaawdpLas6MjHc6rbhhFS8JWwx8iJxZGUu8EBbRrhr5AaZ9PJL": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantExpandEncode)},
+
+			"substitute": {Mode: fs.ModeDir | 0700},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}},
 	})
 }

@@ -60,7 +120,7 @@ func checkTarHTTP(
 	base *check.Absolute,
 	c *pkg.Cache,
 	testdataFsys fs.FS,
-	wantChecksum pkg.Checksum,
+	want expectsKnown,
 ) {
 	var testdata string
 	{
@@ -194,24 +254,24 @@ func checkTarHTTP(
 		{"file", a, base.Append(
 			"identifier",
 			pkg.Encode(wantIdent),
-		), wantChecksum, nil},
+		), want, nil},

 		{"directory", pkg.NewTar(
 			&tarDir,
 			pkg.TarGzip,
-		), ignorePathname, wantChecksum, nil},
+		), ignorePathname, want, nil},

 		{"multiple entries", pkg.NewTar(
 			&tarDirMulti,
 			pkg.TarGzip,
-		), nil, pkg.Checksum{}, errors.New(
+		), nil, nil, errors.New(
 			"input directory does not contain a single regular file",
 		)},

 		{"bad type", pkg.NewTar(
 			&tarDirType,
 			pkg.TarGzip,
-		), nil, pkg.Checksum{}, errors.New(
+		), nil, nil, errors.New(
 			"input directory does not contain a single regular file",
 		)},

@@ -221,6 +281,6 @@ func checkTarHTTP(
 			cure: func(t *pkg.TContext) error {
 				return stub.UniqueError(0xcafe)
 			},
-		}, pkg.TarGzip), nil, pkg.Checksum{}, stub.UniqueError(0xcafe)},
+		}, pkg.TarGzip), nil, nil, stub.UniqueError(0xcafe)},
 	})
 }
--- a/internal/rosa/acl.go
+++ b/internal/rosa/acl.go
@@ -1,110 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newAttr() (pkg.Artifact, string) {
-	const (
-		version  = "2.5.2"
-		checksum = "YWEphrz6vg1sUMmHHVr1CRo53pFXRhq_pjN-AlG8UgwZK1y6m7zuDhxqJhD0SV0l"
-	)
-	return t.NewPackage("attr", version, newTar(
-		"https://download.savannah.nongnu.org/releases/attr/"+
-			"attr-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		Patches: []KV{
-			{"libgen-basename", `From 8a80d895dfd779373363c3a4b62ecce5a549efb2 Mon Sep 17 00:00:00 2001
-From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
-Date: Sat, 30 Mar 2024 10:17:10 +0100
-Subject: tools/attr.c: Add missing libgen.h include for basename(3)
-
-Fixes compilation issue with musl and modern C99 compilers.
-
-See: https://bugs.gentoo.org/926294
---
- tools/attr.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/attr.c b/tools/attr.c
-index f12e4af..6a3c1e9 100644
--- a/tools/attr.c
-+++ b/tools/attr.c
-@@ -28,6 +28,7 @@
- #include <errno.h>
- #include <string.h>
- #include <locale.h>
-+#include <libgen.h>
- 
- #include <attr/attributes.h>
- 
-- 
-cgit v1.1`},
-
-			{"musl-errno", `diff --git a/test/attr.test b/test/attr.test
-index 6ce2f9b..e9bde92 100644
--- a/test/attr.test
-+++ b/test/attr.test
-@@ -11,7 +11,7 @@ Try various valid and invalid names
- 
- 	$ touch f
- 	$ setfattr -n user -v value f
-	> setfattr: f: Operation not supported
-+	> setfattr: f: Not supported
- 	
- 	$ setfattr -n user. -v value f
- 	> setfattr: f: Invalid argument
-`},
-		},
-
-		ScriptEarly: `
-ln -s ../../system/bin/perl /usr/bin
-`,
-	}, (*MakeHelper)(nil),
-		Perl,
-	), version
-}
-func init() {
-	artifactsM[Attr] = Metadata{
-		f: Toolchain.newAttr,
-
-		Name:        "attr",
-		Description: "Commands for Manipulating Filesystem Extended Attributes",
-		Website:     "https://savannah.nongnu.org/projects/attr/",
-
-		ID: 137,
-	}
-}
-
-func (t Toolchain) newACL() (pkg.Artifact, string) {
-	const (
-		version  = "2.3.2"
-		checksum = "-fY5nwH4K8ZHBCRXrzLdguPkqjKI6WIiGu4dBtrZ1o0t6AIU73w8wwJz_UyjIS0P"
-	)
-	return t.NewPackage("acl", version, newTar(
-		"https://download.savannah.nongnu.org/releases/acl/"+
-			"acl-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), nil, &MakeHelper{
-		// makes assumptions about uid_map/gid_map
-		SkipCheck: true,
-	},
-		Attr,
-	), version
-}
-func init() {
-	artifactsM[ACL] = Metadata{
-		f: Toolchain.newACL,
-
-		Name:        "acl",
-		Description: "Commands for Manipulating POSIX Access Control Lists",
-		Website:     "https://savannah.nongnu.org/projects/acl/",
-
-		Dependencies: P{
-			Attr,
-		},
-
-		ID: 16,
-	}
-}
--- a/internal/rosa/all.go
+++ b/internal/rosa/all.go
@@ -1,363 +0,0 @@
-package rosa
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"strconv"
-	"sync"
-
-	"hakurei.app/internal/pkg"
-)
-
-// PArtifact is a lazily-initialised [pkg.Artifact] preset.
-type PArtifact int
-
-const (
-	CompilerRT PArtifact = iota
-	LLVMRuntimes
-	Clang
-
-	// EarlyInit is the Rosa OS init program.
-	EarlyInit
-	// ImageSystem is the Rosa OS /system image.
-	ImageSystem
-	// ImageInitramfs is the Rosa OS initramfs archive.
-	ImageInitramfs
-
-	// Kernel is the generic Rosa OS Linux kernel.
-	Kernel
-	// KernelHeaders is an installation of kernel headers for [Kernel].
-	KernelHeaders
-	// KernelSource is a writable kernel source tree installed to [AbsUsrSrc].
-	KernelSource
-	// Firmware is firmware blobs for use with the Linux kernel.
-	Firmware
-
-	ACL
-	ArgpStandalone
-	Attr
-	Autoconf
-	Automake
-	BC
-	Bash
-	Binutils
-	Bison
-	Bzip2
-	CMake
-	Connman
-	Coreutils
-	Curl
-	DBus
-	DTC
-	Diffutils
-	Elfutils
-	Fakeroot
-	Findutils
-	Flex
-	Fuse
-	GMP
-	GLib
-	Gawk
-	GenInitCPIO
-	Gettext
-	Git
-	Glslang
-	GnuTLS
-	Go
-	Gperf
-	Grep
-	Gzip
-	Hakurei
-	HakureiDist
-	IPTables
-	Kmod
-	LibXau
-	Libbsd
-	Libcap
-	Libclc
-	Libdrm
-	Libev
-	Libexpat
-	Libffi
-	Libgd
-	Libglvnd
-	Libiconv
-	Libmd
-	Libmnl
-	Libpciaccess
-	Libnftnl
-	Libpsl
-	Libseccomp
-	Libtasn1
-	Libtool
-	Libucontext
-	Libunistring
-	Libxml2
-	Libxslt
-	M4
-	MPC
-	MPFR
-	Make
-	Meson
-	Mksh
-	MuslFts
-	MuslObstack
-	NSS
-	NSSCACert
-	Ncurses
-	Nettle
-	Ninja
-	OpenSSL
-	P11Kit
-	PCRE2
-	Parallel
-	Patch
-	Perl
-	PerlLocaleGettext
-	PerlMIMECharset
-	PerlModuleBuild
-	PerlPodParser
-	PerlSGMLS
-	PerlTermReadKey
-	PerlTextCharWidth
-	PerlTextWrapI18N
-	PerlUnicodeLineBreak
-	PerlYAMLTiny
-	PkgConfig
-	Procps
-	Python
-	PythonIniConfig
-	PythonMako
-	PythonMarkupSafe
-	PythonPackaging
-	PythonPluggy
-	PythonPyTest
-	PythonPyYAML
-	PythonPygments
-	QEMU
-	Rdfind
-	Readline
-	Rsync
-	Sed
-	Setuptools
-	SPIRVHeaders
-	SPIRVTools
-	SquashfsTools
-	Strace
-	TamaGo
-	Tar
-	Texinfo
-	Toybox
-	toyboxEarly
-	Unzip
-	UtilLinux
-	Wayland
-	WaylandProtocols
-	XCB
-	XCBProto
-	XDGDBusProxy
-	XZ
-	Xproto
-	Zlib
-	Zstd
-
-	// PresetUnexportedStart is the first unexported preset.
-	PresetUnexportedStart
-
-	llvmSource = iota - 1
-	buildcatrust
-	utilMacros
-
-	// Musl is a standalone libc that does not depend on the toolchain.
-	Musl
-
-	// gcc is a hacked-to-pieces GCC toolchain meant for use in intermediate
-	// stages only. This preset and its direct output must never be exposed.
-	gcc
-
-	// nettle3 is an older version of [Nettle].
-	nettle3
-
-	// Stage0 is a tarball containing all compile-time dependencies of artifacts
-	// part of the [Std] toolchain.
-	Stage0
-
-	// PresetEnd is the total number of presets and does not denote a preset.
-	PresetEnd
-)
-
-// P represents multiple [PArtifact] and is stable through JSON.
-type P []PArtifact
-
-// MarshalJSON represents [PArtifact] by their [Metadata.Name].
-func (s P) MarshalJSON() ([]byte, error) {
-	names := make([]string, len(s))
-	for i, p := range s {
-		names[i] = GetMetadata(p).Name
-	}
-	return json.Marshal(names)
-}
-
-// UnmarshalJSON resolves the value created by MarshalJSON back to [P].
-func (s *P) UnmarshalJSON(data []byte) error {
-	var names []string
-	if err := json.Unmarshal(data, &names); err != nil {
-		return err
-	}
-
-	*s = make(P, len(names))
-	for i, name := range names {
-		if p, ok := ResolveName(name); !ok {
-			return fmt.Errorf("unknown artifact %q", name)
-		} else {
-			(*s)[i] = p
-		}
-	}
-	return nil
-}
-
-// Metadata is stage-agnostic information of a [PArtifact] not directly
-// representable in the resulting [pkg.Artifact].
-type Metadata struct {
-	f func(t Toolchain) (a pkg.Artifact, version string)
-
-	// Unique package name.
-	Name string `json:"name"`
-	// Short user-facing description.
-	Description string `json:"description"`
-	// Project home page.
-	Website string `json:"website,omitempty"`
-
-	// Runtime dependencies.
-	Dependencies P `json:"dependencies"`
-
-	// Project identifier on [Anitya].
-	//
-	// [Anitya]: https://release-monitoring.org/
-	ID int `json:"-"`
-
-	// Optional custom version checking behaviour.
-	latest func(v *Versions) string
-}
-
-// GetLatest returns the latest version described by v.
-func (meta *Metadata) GetLatest(v *Versions) string {
-	if meta.latest != nil {
-		return meta.latest(v)
-	}
-	return v.Latest
-}
-
-// Unversioned denotes an unversioned [PArtifact].
-const Unversioned = "\x00"
-
-// UnpopulatedIDError is returned by [Metadata.GetLatest] for an instance of
-// [Metadata] where ID is not populated.
-type UnpopulatedIDError struct{}
-
-func (UnpopulatedIDError) Unwrap() error { return errors.ErrUnsupported }
-func (UnpopulatedIDError) Error() string { return "Anitya ID is not populated" }
-
-// Versions are package versions returned by Anitya.
-type Versions struct {
-	// The latest version for the project, as determined by the version sorting algorithm.
-	Latest string `json:"latest_version"`
-	// List of all versions that aren’t flagged as pre-release.
-	Stable []string `json:"stable_versions"`
-	// List of all versions stored, sorted from newest to oldest.
-	All []string `json:"versions"`
-}
-
-// getStable returns the first Stable version, or Latest if that is unavailable.
-func (v *Versions) getStable() string {
-	if len(v.Stable) == 0 {
-		return v.Latest
-	}
-	return v.Stable[0]
-}
-
-// GetVersions returns versions fetched from Anitya.
-func (meta *Metadata) GetVersions(ctx context.Context) (*Versions, error) {
-	if meta.ID == 0 {
-		return nil, UnpopulatedIDError{}
-	}
-
-	var resp *http.Response
-	if req, err := http.NewRequestWithContext(
-		ctx,
-		http.MethodGet,
-		"https://release-monitoring.org/api/v2/versions/?project_id="+
-			strconv.Itoa(meta.ID),
-		nil,
-	); err != nil {
-		return nil, err
-	} else {
-		req.Header.Set("User-Agent", "Rosa/1.1")
-		if resp, err = http.DefaultClient.Do(req); err != nil {
-			return nil, err
-		}
-	}
-
-	var v Versions
-	err := json.NewDecoder(resp.Body).Decode(&v)
-	return &v, errors.Join(err, resp.Body.Close())
-}
-
-var (
-	// artifactsM is an array of [PArtifact] metadata.
-	artifactsM [PresetEnd]Metadata
-
-	// artifacts stores the result of Metadata.f.
-	artifacts [_toolchainEnd][len(artifactsM)]struct {
-		a pkg.Artifact
-		v string
-	}
-	// artifactsOnce is for lazy initialisation of artifacts.
-	artifactsOnce [_toolchainEnd][len(artifactsM)]sync.Once
-)
-
-// zero zeros the value pointed to by p.
-func zero[T any](p *T) { var v T; *p = v }
-
-// DropCaches arranges for all cached [pkg.Artifact] to be freed some time after
-// it returns. Must not be used concurrently with any other function from this
-// package.
-func DropCaches() {
-	zero(&artifacts)
-	zero(&artifactsOnce)
-}
-
-// GetMetadata returns [Metadata] of a [PArtifact].
-func GetMetadata(p PArtifact) *Metadata { return &artifactsM[p] }
-
-// construct constructs a [pkg.Artifact] corresponding to a [PArtifact] once.
-func (t Toolchain) construct(p PArtifact) {
-	artifactsOnce[t][p].Do(func() {
-		artifacts[t][p].a, artifacts[t][p].v = artifactsM[p].f(t)
-	})
-}
-
-// Load returns the resulting [pkg.Artifact] of [PArtifact].
-func (t Toolchain) Load(p PArtifact) pkg.Artifact {
-	t.construct(p)
-	return artifacts[t][p].a
-}
-
-// Version returns the version string of [PArtifact].
-func (t Toolchain) Version(p PArtifact) string {
-	t.construct(p)
-	return artifacts[t][p].v
-}
-
-// ResolveName returns a [PArtifact] by name.
-func ResolveName(name string) (p PArtifact, ok bool) {
-	for i := range PresetUnexportedStart {
-		if name == artifactsM[i].Name {
-			return i, true
-		}
-	}
-	return 0, false
-}
--- a/internal/rosa/all_test.go
+++ b/internal/rosa/all_test.go
@@ -1,78 +0,0 @@
-package rosa_test
-
-import (
-	"testing"
-
-	"hakurei.app/internal/rosa"
-)
-
-func TestLoad(t *testing.T) {
-	t.Parallel()
-
-	for i := range rosa.PresetEnd {
-		p := rosa.PArtifact(i)
-		t.Run(rosa.GetMetadata(p).Name, func(t *testing.T) {
-			t.Parallel()
-
-			rosa.Std.Load(p)
-		})
-	}
-}
-
-func BenchmarkAll(b *testing.B) {
-	for b.Loop() {
-		for i := range rosa.PresetEnd {
-			rosa.Std.Load(rosa.PArtifact(i))
-		}
-
-		b.StopTimer()
-		rosa.DropCaches()
-		b.StartTimer()
-	}
-}
-
-func TestResolveName(t *testing.T) {
-	t.Parallel()
-
-	for i := range rosa.PresetUnexportedStart {
-		p := i
-		name := rosa.GetMetadata(p).Name
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			if got, ok := rosa.ResolveName(name); !ok {
-				t.Fatal("ResolveName: ok = false")
-			} else if got != p {
-				t.Fatalf("ResolveName: %d, want %d", got, p)
-			}
-		})
-	}
-}
-func TestResolveNameUnexported(t *testing.T) {
-	t.Parallel()
-
-	for i := rosa.PresetUnexportedStart; i < rosa.PresetEnd; i++ {
-		p := i
-		name := rosa.GetMetadata(p).Name
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			if got, ok := rosa.ResolveName(name); ok {
-				t.Fatalf("ResolveName: resolved unexported preset %d", got)
-			}
-		})
-	}
-}
-
-func TestUnique(t *testing.T) {
-	t.Parallel()
-
-	names := make(map[string]struct{})
-	for i := range rosa.PresetEnd {
-		name := rosa.GetMetadata(rosa.PArtifact(i)).Name
-		if _, ok := names[name]; ok {
-			t.Fatalf("name %s is not unique", name)
-		}
-		names[name] = struct{}{}
-	}
-}
--- a/internal/rosa/argp-standalone.go
+++ b/internal/rosa/argp-standalone.go
@@ -1,36 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newArgpStandalone() (pkg.Artifact, string) {
-	const (
-		version  = "1.3"
-		checksum = "vtW0VyO2pJ-hPyYmDI2zwSLS8QL0sPAUKC1t3zNYbwN2TmsaE-fADhaVtNd3eNFl"
-	)
-	return t.NewPackage("argp-standalone", version, newTar(
-		"http://www.lysator.liu.se/~nisse/misc/"+
-			"argp-standalone-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		Env: []string{
-			"CC=cc -std=gnu89 -fPIC",
-		},
-	}, &MakeHelper{
-		Install: `
-install -D -m644 /usr/src/argp-standalone/argp.h /work/system/include/argp.h
-install -D -m755 libargp.a /work/system/lib/libargp.a
-`,
-	},
-		Diffutils,
-	), version
-}
-func init() {
-	artifactsM[ArgpStandalone] = Metadata{
-		f: Toolchain.newArgpStandalone,
-
-		Name:        "argp-standalone",
-		Description: "hierarchical argument parsing library broken out from glibc",
-		Website:     "http://www.lysator.liu.se/~nisse/misc/",
-	}
-}
--- a/internal/rosa/azalea/azalea.go
+++ b/internal/rosa/azalea/azalea.go
@@ -0,0 +1,348 @@
+// Package azalea implements a proof-of-concept, domain-specific language for
+// Rosa OS software packaging.
+package azalea
+
+import (
+	"errors"
+	"io"
+	"strconv"
+	"text/scanner"
+)
+
+// idents are runes accepted in an identifier.
+var idents = [...]bool{
+	'0': true, '1': true, '2': true, '3': true, '4': true, '5': true, '6': true,
+	'7': true, '8': true, '9': true,
+
+	'A': true, 'B': true, 'C': true, 'D': true, 'E': true, 'F': true, 'G': true,
+	'H': true, 'I': true, 'J': true, 'K': true, 'L': true, 'M': true, 'N': true,
+	'O': true, 'P': true, 'Q': true, 'R': true, 'S': true, 'T': true, 'U': true,
+	'V': true, 'W': true, 'X': true, 'Y': true, 'Z': true,
+
+	'a': true, 'b': true, 'c': true, 'd': true, 'e': true, 'f': true, 'g': true,
+	'h': true, 'i': true, 'j': true, 'k': true, 'l': true, 'm': true, 'n': true,
+	'o': true, 'p': true, 'q': true, 'r': true, 's': true, 't': true, 'u': true,
+	'v': true, 'w': true, 'x': true, 'y': true, 'z': true,
+
+	'-': true, '_': true,
+}
+
+// TokenError describes an unexpected token.
+type TokenError [2]rune
+
+func (e TokenError) Error() string {
+	return "expected " + scanner.TokenString(e[0]) +
+		", found " + scanner.TokenString(e[1])
+}
+
+// ExprError is an unexpected token encountered while parsing an expression.
+type ExprError rune
+
+func (e ExprError) Error() string {
+	return "unexpected token " + scanner.TokenString(rune(e))
+}
+
+// must1 returns v, or panics if err is not nil.
+func must1[T any](v T, err error) T {
+	if err != nil {
+		panic(err)
+	}
+	return v
+}
+
+// parser retains the current token.
+type parser struct {
+	s   scanner.Scanner
+	tok rune
+}
+
+// scan advances the underlying scanner to the next token, storing its result.
+func (p *parser) scan() rune { p.tok = p.s.Scan(); return p.tok }
+
+// expects panics with [TokenError] for an unexpected tok.
+func (p *parser) expects(expects rune) {
+	if p.tok != expects {
+		panic(TokenError{expects, p.tok})
+	}
+}
+
+// scanAs advances the scanner for an expected token.
+func (p *parser) scanAs(expects rune) { p.scan(); p.expects(expects) }
+
+// An Int is the value represented by an integer literal.
+type Int int64
+
+func (v Int) GoString() string {
+	return "azalea.Int(" + strconv.FormatInt(int64(v), 10) + ")"
+}
+
+// parseInt parses the current token as a base 10 representation of a 64-bit
+// signed integer.
+func (p *parser) parseInt() Int {
+	v, err := strconv.ParseInt(p.s.TokenText(), 10, 64)
+	return must1(Int(v), err)
+}
+
+// A String holds the unquoted content of a string literal.
+type String string
+
+func (v String) GoString() string {
+	return "azalea.String(" + strconv.Quote(string(v)) + ")"
+}
+
+// parseString parses the current token as a string.
+func (p *parser) parseString() String {
+	s, err := strconv.Unquote(p.s.TokenText())
+	return must1(String(s), err)
+}
+
+// An Ident holds the name of an identifier.
+type Ident string
+
+func (v Ident) GoString() string {
+	return "azalea.Ident(" + strconv.Quote(string(v)) + ")"
+}
+
+// A Val are statements joined by the '+' operator. Only the [String] type
+// supports concatenation.
+type Val []any
+
+// parseVal parses until the end of the [Val].
+func (p *parser) parseVal() (v Val) {
+	v = append(v, p.parseExpr())
+	for p.tok == '+' {
+		p.scan()
+		v = append(v, p.parseExpr())
+	}
+	return
+}
+
+// An Array holds statements in an array.
+type Array []Val
+
+// A KV holds a key/value pair.
+type KV struct {
+	K String
+	V Val
+}
+
+// An Arg represents an argument of [Func].
+type Arg struct {
+	K []Ident
+	V Val
+	R bool
+}
+
+// Func is a function call or package declaration.
+type Func struct {
+	// Function or package identifier.
+	Ident Ident
+	// Whether this is a package declaration.
+	Package bool
+	// Key-value arguments.
+	Args []Arg
+}
+
+// parseExpr parses the current expression.
+func (p *parser) parseExpr() any {
+	switch p.tok {
+	case scanner.Int:
+		v := p.parseInt()
+		p.scan()
+		return v
+
+	case scanner.String, scanner.RawString:
+		v := p.parseString()
+		p.scan()
+		return v
+
+	case scanner.Ident:
+		var v Func
+		v.Ident = Ident(p.s.TokenText())
+		if v.Package = v.Ident == "package"; v.Package {
+			p.scanAs(scanner.Ident)
+			v.Ident = Ident(p.s.TokenText())
+		}
+
+		p.scan()
+		switch p.tok {
+		case '{':
+			for {
+				p.scan()
+				switch p.tok {
+				case '}':
+					p.scan()
+					return v
+
+				case scanner.Ident:
+					break
+
+				default:
+					panic(TokenError{scanner.Ident, p.tok})
+				}
+
+				arg := Arg{K: []Ident{Ident(p.s.TokenText())}}
+				delim := true
+			arg:
+				for {
+					p.scan()
+					switch p.tok {
+					case ',':
+						if delim {
+							delim = false
+							continue
+						}
+						panic(ExprError(p.tok))
+
+					case scanner.Ident:
+						if delim {
+							panic(TokenError{',', p.tok})
+						}
+						delim = true
+						arg.K = append(arg.K, Ident(p.s.TokenText()))
+
+					default:
+						break arg
+					}
+				}
+				switch p.tok {
+				case '=':
+					break
+
+				case '*':
+					arg.R = true
+					p.scanAs('=')
+
+				default:
+					panic(TokenError{'=', p.tok})
+				}
+				p.scan()
+				arg.V = p.parseVal()
+				v.Args = append(v.Args, arg)
+				p.expects(';')
+			}
+
+		default:
+			return v.Ident
+		}
+
+	case '{':
+		var v []KV
+		for {
+			p.scan()
+			switch p.tok {
+			case '}':
+				p.scan()
+				return v
+
+			case scanner.String:
+				pair := KV{K: p.parseString()}
+				p.scan()
+				switch p.tok {
+				case ';':
+					break
+
+				case ':':
+					p.scan()
+					pair.V = p.parseVal()
+					p.expects(';')
+					break
+
+				default:
+					panic(ExprError(p.tok))
+				}
+				v = append(v, pair)
+
+			default:
+				panic(ExprError(p.tok))
+			}
+		}
+
+	case '[':
+		var (
+			v     Array
+			delim bool
+		)
+		p.scan()
+		for {
+			switch p.tok {
+			case ',':
+				if delim {
+					p.scan()
+					delim = false
+					continue
+				}
+				panic(ExprError(','))
+			case ']':
+				p.scan()
+				return v
+			case scanner.EOF:
+				panic(ExprError(scanner.EOF))
+			default:
+				if delim {
+					panic(TokenError{',', p.tok})
+				}
+				delim = true
+				break
+			}
+			v = append(v, p.parseVal())
+		}
+
+	default:
+		panic(ExprError(p.tok))
+	}
+}
+
+// ScanError is the error count parsing all expressions.
+type ScanError int
+
+func (ScanError) Error() string {
+	return "aborting due to scanning errors"
+}
+
+// Parse parses expressions from r.
+func Parse(r io.Reader) (e []any, err error) {
+	var p parser
+	p.s.Init(r)
+
+	p.s.Mode = scanner.ScanIdents |
+		scanner.ScanInts |
+		scanner.ScanStrings |
+		scanner.ScanRawStrings |
+		scanner.ScanComments |
+		scanner.SkipComments
+	p.s.IsIdentRune = func(ch rune, i int) bool {
+		if i == 0 && ch >= '0' && ch <= '9' {
+			return false
+		}
+		return ch > 0 && ch < rune(len(idents)) && idents[ch]
+	}
+
+	defer func() {
+		v := recover()
+		if v == nil {
+			return
+		}
+
+		_err, ok := v.(error)
+		if !ok {
+			panic(v)
+		}
+
+		if err == nil {
+			err = _err
+			return
+		}
+		err = errors.Join(err, _err)
+	}()
+
+	p.scan()
+	for p.tok != scanner.EOF {
+		e = append(e, p.parseExpr())
+	}
+
+	if p.s.ErrorCount != 0 {
+		err = ScanError(p.s.ErrorCount)
+	}
+	return
+}
--- a/internal/rosa/azalea/azalea_test.go
+++ b/internal/rosa/azalea/azalea_test.go
@@ -0,0 +1,169 @@
+package azalea_test
+
+import (
+	_ "embed"
+	"reflect"
+	"strings"
+	"testing"
+	"text/scanner"
+
+	. "hakurei.app/internal/rosa/azalea"
+)
+
+//go:embed testdata/gcc.az
+var sample string
+
+func TestParse(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		data string
+		want []any
+		err  error
+	}{
+		{"invalid", "}", nil, ExprError('}')},
+		{"bad sep", "f{v?}", nil, TokenError{'=', '?'}},
+		{"bad ident", "f{9}", nil, TokenError{scanner.Ident, scanner.Int}},
+		{"share bad sep", "f { v,,v = v; }", nil, ExprError(',')},
+		{"share missing sep", "f { v v }", nil, TokenError{',', scanner.Ident}},
+
+		{"ident", `v`, []any{Ident("v")}, nil},
+		{"concat", `f { v = v+"\xfd"+p{}+9; }`, []any{Func{
+			Ident: "f",
+
+			Args: []Arg{{K: []Ident{"v"}, V: Val{
+				Ident("v"),
+				String("\xfd"),
+				Func{Ident: "p"},
+				Int(9),
+			}}},
+		}}, nil},
+		{"truncated string concat", `f { v = v+; }`, nil,
+			ExprError(';')},
+
+		{"empty pairs", `{}`, []any{[]KV(nil)}, nil},
+		{"short kv", `{"\x00":v;}`, []any{[]KV{
+			{K: "\x00", V: Val{Ident("v")}},
+		}}, nil},
+		{"truncated kv", `{"\x00"`, nil, ExprError(scanner.EOF)},
+		{"ident kv", `{v="";}`, nil, ExprError(scanner.Ident)},
+
+		{"empty array", `[]`, []any{Array(nil)}, nil},
+		{"integer array", `[9]`, []any{Array{{Int(9)}}}, nil},
+		{"short array", `[ "\x00" ]`, []any{
+			Array{{String("\x00")}},
+		}, nil},
+		{"short array delim", `[ "\x00", ]`, []any{
+			Array{{String("\x00")}},
+		}, nil},
+		{"missing array value", `[ "\x00", , v ]`, nil, ExprError(',')},
+		{"missing array delimiter", `[ v0 v1 ]`, nil, TokenError{',', scanner.Ident}},
+		{"truncated array", `[ "\x00"`, nil,
+			ExprError(scanner.EOF)},
+
+		{"gcc", sample, []any{Func{
+			Ident:   Ident("gcc"),
+			Package: true,
+
+			Args: []Arg{
+				{K: []Ident{Ident("description")}, V: Val{String("The GNU Compiler Collection")}},
+				{K: []Ident{Ident("website")}, V: Val{String("https://www.gnu.org/software/gcc")}},
+				{K: []Ident{Ident("anitya")}, V: Val{Int(6502)}},
+
+				{K: []Ident{Ident("version")}, V: Val{String("16.1.0")}, R: true},
+				{K: []Ident{Ident("source")}, V: Val{Func{
+					Ident: Ident("remoteTar"),
+
+					Args: []Arg{
+						{K: []Ident{Ident("url")}, V: Val{
+							String("https://ftp.tsukuba.wide.ad.jp/software/gcc/releases/"),
+							String("gcc-"),
+							Ident("version"),
+							String("/gcc-"),
+							Ident("version"),
+							String(".tar.gz"),
+						}},
+						{K: []Ident{Ident("checksum")}, V: Val{String("4ASoWbxaA2FW7PAB0zzHDPC5XnNhyaAyjtDPpGzceSLeYnEIXsNYZR3PA_Zu5P0K")}},
+						{K: []Ident{Ident("compress")}, V: Val{Ident("gzip")}},
+					},
+				}}},
+				{K: []Ident{Ident("patches")}, V: Val{Array{
+					{String("musl-off64_t-loff_t.patch")},
+					{String("musl-legacy-lfs.patch")},
+				}}},
+
+				{K: []Ident{Ident("exclusive")}, V: Val{Ident("true")}},
+
+				{K: []Ident{Ident("exec")}, V: Val{Func{
+					Ident: Ident("make"),
+
+					Args: []Arg{
+						{K: []Ident{Ident("configure")}, V: Val{[]KV{
+							{K: String("disable-multilib")},
+							{K: String("enable-default-pie")},
+							{K: String("disable-nls")},
+							{K: String("with-gnu-as")},
+							{K: String("with-gnu-ld")},
+							{K: String("with-system-zlib")},
+							{K: String("enable-languages"), V: Val{String("c,c++,go")}},
+							{K: String("with-native-system-header-dir"), V: Val{String("/system/include")}},
+							{K: String("with-multilib-list"), V: Val{Func{
+								Ident: Ident("arch"),
+
+								Args: []Arg{
+									{K: []Ident{Ident("amd64"), Ident("arm64")}, V: Val{String("''")}},
+									{K: []Ident{Ident("default")}, V: Val{Ident("unset")}},
+								},
+							}}},
+						}}},
+						{K: []Ident{Ident("make")}, V: Val{Array{
+							{String("BOOT_CFLAGS='-O2 -g'")},
+							{
+								Func{Ident: Ident("noop"), Args: []Arg{{K: []Ident{Ident("key")}, V: Val{Ident("value")}}}},
+								String("\x00"),
+							},
+							{String("bootstrap")},
+						}}},
+
+						{K: []Ident{Ident("skip-check")}, V: Val{Ident("true")}},
+					},
+				}}},
+
+				{K: []Ident{Ident("inputs")}, V: Val{Array{
+					{Ident("binutils")},
+					{Ident("mpc")},
+					{Ident("zlib")},
+					{Ident("libucontext")},
+					{Ident("kernel-headers")},
+				}}},
+			},
+		}}, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			p, err := Parse(strings.NewReader(tc.data))
+			if !reflect.DeepEqual(p, tc.want) {
+				t.Errorf("Parse: %#v, want %#v", p, tc.want)
+			}
+			if !reflect.DeepEqual(err, tc.err) {
+				t.Errorf("Parse: error = %v, want %v", err, tc.err)
+			}
+		})
+	}
+}
+
+func BenchmarkParse(b *testing.B) {
+	r := strings.NewReader(sample)
+	for b.Loop() {
+		if _, err := Parse(r); err != nil {
+			b.Fatal(err)
+		}
+
+		b.StopTimer()
+		r.Reset(sample)
+		b.StartTimer()
+	}
+}
--- a/internal/rosa/azalea/evaluate.go
+++ b/internal/rosa/azalea/evaluate.go
@@ -0,0 +1,392 @@
+package azalea
+
+import (
+	"errors"
+	"fmt"
+	"maps"
+	"reflect"
+	"slices"
+	"unique"
+)
+
+// Value are types supported by the language.
+type Value interface {
+	bool | int64 | string | []string | []int64 | [][2]string
+}
+
+type (
+	// FArg is an argument passed to [F].
+	FArg struct {
+		K unique.Handle[Ident]
+		V any
+		R bool
+	}
+	// FArgs are arguments passed to [F].
+	FArgs []FArg
+
+	// PF implements the package declaration function.
+	PF func(name Ident, args FArgs) (v any, set bool, err error)
+
+	// F is the implementation of a [Func].
+	F struct {
+		F func(args FArgs) (v any, set bool, err error)
+		V map[unique.Handle[Ident]]any
+	}
+)
+
+// Apply applies named arguments and rejects unused arguments.
+func (args FArgs) Apply(v map[unique.Handle[Ident]]any) error {
+	for _, arg := range args {
+		if arg.V == nil {
+			// unset
+			continue
+		}
+
+		r, ok := v[arg.K]
+		if !ok {
+			if arg.R {
+				continue
+			}
+			return UndefinedError(arg.K.Value())
+		}
+		err := storeE(r, arg.V)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// A Frame refers to local variables and debugging information.
+type Frame struct {
+	// Local constants.
+	Val map[unique.Handle[Ident]]any
+	// Functions.
+	Func map[unique.Handle[Ident]]F
+}
+
+// UnsupportedExprError is an expression with invalid concrete type.
+type UnsupportedExprError struct{ E any }
+
+func (e UnsupportedExprError) Error() string {
+	return fmt.Sprintf("unsupported expression %#v", e.E)
+}
+
+// UndefinedError is an identifier not defined in any stack frame visible to the
+// expression containing it.
+type UndefinedError Ident
+
+func (e UndefinedError) Error() string {
+	return "undefined: " + string(e)
+}
+
+// evaluate is evaluateAny with a type parameter.
+func evaluate[T Value](d PF, s []Frame, expr any, rp *T) bool {
+	return evaluateAny(d, s, expr, rp)
+}
+
+// evaluateArray evaluates expr and returns its values as a slice.
+func evaluateArray[T Value](d PF, s []Frame, expr Array) []T {
+	r := make([]T, 0, len(expr))
+	for i := range expr {
+		var _r T
+		if evaluate(d, s, expr[i], &_r) {
+			r = append(r, _r)
+		}
+	}
+	return r
+}
+
+// TypeError is an unexpected type during evaluation.
+type TypeError struct {
+	Concrete, Asserted reflect.Type
+}
+
+func (e TypeError) Error() string {
+	return fmt.Sprintf("expected %s, got %s", e.Asserted, e.Concrete)
+}
+
+func (e TypeError) Is(err error) bool {
+	var v TypeError
+	return errors.As(err, &v) &&
+		e.Asserted == v.Asserted &&
+		e.Concrete == v.Concrete
+}
+
+// storeE is a convenience function to set the value of a result pointer.
+func storeE(rp any, r any) error {
+	pv := reflect.ValueOf(rp).Elem()
+	v := reflect.ValueOf(r)
+	pt, vt := pv.Type(), v.Type()
+	if !vt.AssignableTo(pt) {
+		return TypeError{vt, pt}
+	}
+	pv.Set(v)
+	return nil
+}
+
+// store is like storeE, but panics if error is non-nil.
+func store[T Value](rp any, r T) {
+	err := storeE(rp, r)
+	if err != nil {
+		panic(err)
+	}
+}
+
+// EvaluationError is an error and the expression it occurred in.
+type EvaluationError struct {
+	Expr any
+	Err  error
+}
+
+// Unwrap returns the underlying error.
+func (e EvaluationError) Unwrap() error { return e.Err }
+
+// Error returns a very long error description that should not be presented
+// to the user directly.
+func (e EvaluationError) Error() string {
+	return fmt.Sprintf("expression %#v: %v", e.Expr, e.Err)
+}
+
+var (
+	// IdentInputs is a special array argument in a package declaration whose
+	// values of [Ident] are kept as is when passed to a [PF].
+	IdentInputs = unique.Make(Ident("inputs"))
+	// IdentRuntime has the same semantics as [IdentInputs].
+	IdentRuntime = unique.Make(Ident("runtime"))
+	// IdentExtra has the same semantics as [IdentInputs].
+	IdentExtra = unique.Make(Ident("extra"))
+	// IdentSource is a special argument in a package declaration where an
+	// assignment of a [Val] with a single [Ident] passes through the evaluator.
+	IdentSource = unique.Make(Ident("source"))
+
+	// ErrInvalidSpecial is panicked for a special [PF] argument sharing its
+	// value or set for R.
+	ErrInvalidSpecial = errors.New("special must not be common or bound to scope")
+)
+
+// evaluateAny implements [Evaluate].
+func evaluateAny(d PF, s []Frame, expr, rp any) bool {
+	defer func() {
+		r := recover()
+		if r == nil {
+			return
+		}
+
+		err, ok := r.(error)
+		if !ok {
+			panic(r)
+		}
+
+		if _, ok = err.(EvaluationError); ok {
+			panic(err)
+		}
+		panic(EvaluationError{expr, err})
+	}()
+
+	switch e := expr.(type) {
+	case Int:
+		store(rp, int64(e))
+		return true
+
+	case String:
+		store(rp, string(e))
+		return true
+
+	case Ident:
+		var (
+			v  any
+			ok bool
+		)
+		for i := range s {
+			v, ok = s[len(s)-1-i].Val[unique.Make(e)]
+			if ok {
+				break
+			}
+		}
+		if !ok {
+			panic(UndefinedError(e))
+		}
+		if err := storeE(rp, v); err != nil {
+			panic(err)
+		}
+		return true
+
+	case Val:
+		if len(e) == 1 {
+			switch v := e[0].(type) {
+			case Ident:
+				switch v {
+				case "unset":
+					return false
+				case "true":
+					store(rp, true)
+					return true
+				case "false":
+					store(rp, false)
+					return true
+				default:
+					return evaluateAny(d, s, v, rp)
+				}
+
+			default:
+				return evaluateAny(d, s, e[0], rp)
+			}
+		}
+		var v string
+		for i := range e {
+			var _r string
+			if evaluate(d, s, e[i], &_r) {
+				v += _r
+			}
+		}
+		store(rp, v)
+		return true
+
+	case Array:
+		if len(e) > 0 && len(e[0]) == 1 {
+			if _, ok := e[0][0].(Int); ok {
+				store(rp, evaluateArray[int64](d, s, e))
+				return true
+			}
+		}
+		store(rp, evaluateArray[string](d, s, e))
+		return true
+
+	case []KV:
+		r := make([][2]string, 0, len(e))
+		for i := range e {
+			var _r string
+			if e[i].V == nil || evaluate(d, s, e[i].V, &_r) {
+				r = append(r, [2]string{string(e[i].K), _r})
+			}
+		}
+		store(rp, r)
+		return true
+
+	case Func:
+		var (
+			f  F
+			ok bool
+		)
+		if !e.Package {
+			for i := range s {
+				f, ok = s[len(s)-1-i].Func[unique.Make(e.Ident)]
+				if ok {
+					break
+				}
+			}
+			if !ok {
+				panic(UndefinedError(e.Ident))
+			}
+		}
+
+		argc := len(e.Args)
+		for _, arg := range e.Args {
+			argc += len(arg.K) - 1
+		}
+		fargs := make([]FArg, 0, len(e.Args))
+		s = append(s, Frame{})
+		fp := &s[len(s)-1]
+		if !e.Package {
+			fp.Val = maps.Clone(f.V)
+		}
+
+	args:
+		for _, arg := range e.Args {
+			names := make([]unique.Handle[Ident], len(arg.K))
+			for i, name := range arg.K {
+				names[i] = unique.Make(name)
+			}
+
+			farg := FArg{R: arg.R}
+			if e.Package {
+				for _, special := range [...]unique.Handle[Ident]{
+					IdentInputs,
+					IdentRuntime,
+					IdentExtra,
+				} {
+					if slices.Contains(names, special) {
+						if len(names) != 1 || len(arg.V) != 1 || arg.R {
+							panic(ErrInvalidSpecial)
+						}
+						farg.K = names[0]
+						if err := storeE(&farg.V, arg.V[0]); err != nil {
+							panic(err)
+						}
+						fargs = append(fargs, farg)
+						continue args
+					}
+				}
+
+				if slices.Contains(names, IdentSource) {
+					if len(names) != 1 || len(arg.V) != 1 || arg.R {
+						panic(ErrInvalidSpecial)
+					}
+					if _, ok = arg.V[0].(Ident); ok {
+						farg.K = names[0]
+						if err := storeE(&farg.V, arg.V[0]); err != nil {
+							panic(err)
+						}
+						fargs = append(fargs, farg)
+						continue args
+					}
+				}
+			}
+
+			if !evaluateAny(d, s, arg.V, &farg.V) {
+				farg.V = nil
+			}
+			for _, name := range names {
+				farg.K = name
+				fargs = append(fargs, farg)
+
+				if arg.R && farg.V != nil {
+					if fp.Val == nil {
+						fp.Val = make(map[unique.Handle[Ident]]any)
+					}
+					(*fp).Val[name] = farg.V
+				}
+			}
+		}
+
+		var (
+			v   any
+			err error
+		)
+		if !e.Package {
+			v, ok, err = f.F(fargs)
+		} else {
+			v, ok, err = d(e.Ident, fargs)
+		}
+		if err != nil {
+			panic(err)
+		} else if v != nil {
+			if err = storeE(rp, v); err != nil {
+				panic(err)
+			}
+		}
+		return ok
+
+	default:
+		panic(UnsupportedExprError{expr})
+	}
+}
+
+// Evaluate evaluates a statement and returns its value.
+func Evaluate[T any](d PF, s []Frame, expr any) (v T, set bool, err error) {
+	defer func() {
+		r := recover()
+		if r == nil {
+			return
+		}
+
+		_err, ok := r.(error)
+		if !ok {
+			panic(r)
+		}
+		err = _err
+	}()
+	set = evaluateAny(d, s, expr, &v)
+	return
+}
--- a/internal/rosa/azalea/evaluate_test.go
+++ b/internal/rosa/azalea/evaluate_test.go
@@ -0,0 +1,407 @@
+package azalea_test
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+	"strings"
+	"testing"
+	"unique"
+
+	. "hakurei.app/internal/rosa/azalea"
+)
+
+// makeStackCheck creates a stack with a single frame with a single function "f"
+// which calls the check function internally.
+func makeStackCheck(check func(args FArgs) (any, error)) []Frame {
+	return []Frame{{Func: map[unique.Handle[Ident]]F{
+		unique.Make(Ident("f")): {F: func(
+			args FArgs,
+		) (v any, set bool, err error) {
+			set = true
+			v, err = check(args)
+			return
+		}},
+	}}}
+}
+
+// checkArgs is like makeStackCheck, but the resulting function asserts that its
+// args match the expected value.
+func checkArgs(want FArgs) []Frame {
+	return makeStackCheck(func(args FArgs) (any, error) {
+		if !reflect.DeepEqual(args, want) {
+			return nil, fmt.Errorf("%#v, want %#v", args, want)
+		}
+		return "\xfd", nil
+	})
+}
+
+func TestEvaluate(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		data string
+		s    []Frame
+		want any
+		err  error
+	}{
+		{"apply unset", `f { v = unset; }`, makeStackCheck(func(
+			args FArgs,
+		) (v any, err error) {
+			v = "\xfd"
+			err = args.Apply(map[unique.Handle[Ident]]any{
+				unique.Make(Ident("v")): &v,
+			})
+			return
+		}), "\xfd", nil},
+
+		{"apply bad type", `f { v = 9; }`, makeStackCheck(func(
+			args FArgs,
+		) (v any, err error) {
+			v = "\xfd"
+			err = args.Apply(map[unique.Handle[Ident]]any{
+				unique.Make(Ident("v")): &v,
+			})
+			return
+		}), "", TypeError{
+			Concrete: reflect.TypeFor[int64](),
+			Asserted: reflect.TypeFor[string](),
+		}},
+
+		{"apply undefined", `f { v = 9; }`, makeStackCheck(func(
+			args FArgs,
+		) (v any, err error) {
+			v = "\xfd"
+			err = args.Apply(map[unique.Handle[Ident]]any{})
+			return
+		}), "", EvaluationError{
+			Expr: Func{
+				Ident: Ident("f"),
+				Args: []Arg{
+					{K: []Ident{"v"}, V: Val{Int(9)}},
+				},
+			},
+			Err: UndefinedError("v"),
+		}},
+
+		{"apply bound undefined", `f { _v* = "\x00"; v = _v; }`, makeStackCheck(func(
+			args FArgs,
+		) (v any, err error) {
+			v = "\xfd"
+			err = args.Apply(map[unique.Handle[Ident]]any{
+				unique.Make(Ident("v")): &v,
+			})
+			return
+		}), "\x00", nil},
+
+		{"undefined function", `f {}`, nil, "", EvaluationError{
+			Expr: Func{Ident: "f"},
+			Err:  UndefinedError("f"),
+		}},
+
+		{"error wrap deep", `f { v = nil; }`, makeStackCheck(func(
+			FArgs,
+		) (any, error) {
+			panic("unreachable")
+		}), "", EvaluationError{
+			Expr: Ident("nil"),
+			Err:  UndefinedError("nil"),
+		}},
+
+		{"common inputs", `package name { inputs, v = []; }`, nil, "", EvaluationError{
+			Expr: Func{
+				Ident:   Ident("name"),
+				Package: true,
+
+				Args: []Arg{
+					{K: []Ident{
+						"inputs",
+						"v",
+					}, V: Val{Array(nil)}},
+				},
+			},
+			Err: ErrInvalidSpecial,
+		}},
+
+		{"bound inputs", `package name { inputs* = []; }`, nil, "", EvaluationError{
+			Expr: Func{
+				Ident:   Ident("name"),
+				Package: true,
+
+				Args: []Arg{
+					{K: []Ident{"inputs"}, V: Val{Array(nil)}, R: true},
+				},
+			},
+			Err: ErrInvalidSpecial,
+		}},
+
+		{"bound runtime", `package name { runtime* = []; }`, nil, "", EvaluationError{
+			Expr: Func{
+				Ident:   Ident("name"),
+				Package: true,
+
+				Args: []Arg{
+					{K: []Ident{"runtime"}, V: Val{Array(nil)}, R: true},
+				},
+			},
+			Err: ErrInvalidSpecial,
+		}},
+
+		{"concat inputs", `package name { inputs = ""+""; }`, nil, "", EvaluationError{
+			Expr: Func{
+				Ident:   Ident("name"),
+				Package: true,
+
+				Args: []Arg{
+					{K: []Ident{"inputs"}, V: Val{String(""), String("")}},
+				},
+			},
+			Err: ErrInvalidSpecial,
+		}},
+
+		{"concat source", `package name { source = ""+""; }`, nil, "", EvaluationError{
+			Expr: Func{
+				Ident:   Ident("name"),
+				Package: true,
+
+				Args: []Arg{
+					{K: []Ident{"source"}, V: Val{String(""), String("")}},
+				},
+			},
+			Err: ErrInvalidSpecial,
+		}},
+
+		{"source handle", `package name { source = name; }`, nil, FArgs{
+			{K: unique.Make(Ident("source")), V: Ident("name")},
+		}, nil},
+
+		{"integer array", `f { v = [ 0 ]; _v = [ 0, 9 ]; }`, checkArgs(FArgs{
+			{K: unique.Make(Ident("v")), V: []int64{0}},
+			{K: unique.Make(Ident("_v")), V: []int64{0, 9}},
+		}), "\xfd", nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var expr Func
+			if e, err := Parse(strings.NewReader(tc.data)); err != nil {
+				t.Fatal(err)
+			} else if len(e) != 1 {
+				t.Fatalf("got expression %#v", e)
+			} else {
+				expr = e[0].(Func)
+			}
+			const rPackage = "\xff\xff\xff\xff"
+			r, set, err := Evaluate[string](func(
+				name Ident,
+				args FArgs,
+			) (v any, set bool, err error) {
+				v = rPackage
+				if !reflect.DeepEqual(args, tc.want) {
+					err = fmt.Errorf("%#v, want %#v", args, tc.want)
+				}
+				set = true
+				return
+			}, tc.s, expr)
+			if set != (err == nil) {
+				t.Error("Evaluate: unexpected unset")
+			}
+
+			if r != rPackage && r != tc.want {
+				t.Errorf("Evaluate: %q, want %q", r, tc.want)
+			}
+
+			var errEquals bool
+			if errors.As(err, new(TypeError)) {
+				errEquals = errors.Is(err, tc.err)
+			} else {
+				errEquals = reflect.DeepEqual(err, tc.err)
+			}
+			if !errEquals {
+				t.Errorf("Evaluate: error = %v, want %v", err, tc.err)
+			}
+		})
+	}
+}
+
+func TestEvaluateGCC(t *testing.T) {
+	t.Parallel()
+
+	var gcc Func
+	if e, err := Parse(strings.NewReader(sample)); err != nil {
+		t.Fatal(err)
+	} else {
+		gcc = e[0].(Func)
+	}
+
+	var got [3]FArgs
+	if r, set, err := Evaluate[string](func(
+		name Ident,
+		args FArgs,
+	) (v any, set bool, err error) {
+		v = "\x00"
+		set = true
+		got[0] = args
+		return
+	}, []Frame{{
+		Func: map[unique.Handle[Ident]]F{
+			unique.Make(Ident("remoteTar")): {F: func(
+				args FArgs,
+			) (v any, set bool, err error) {
+				var url, checksum string
+				var compress int
+				if err = args.Apply(map[unique.Handle[Ident]]any{
+					unique.Make(Ident("url")):      &url,
+					unique.Make(Ident("checksum")): &checksum,
+					unique.Make(Ident("compress")): &compress,
+				}); err != nil {
+					return
+				}
+
+				if compress != 0xcafe {
+					err = fmt.Errorf("unexpected compress %#v", compress)
+				}
+				set = true
+				v = url + "?checksum=" + checksum
+				return
+			}, V: map[unique.Handle[Ident]]any{
+				unique.Make(Ident("gzip")): 0xcafe,
+			}},
+
+			unique.Make(Ident("make")): {F: func(
+				args FArgs,
+			) (v any, set bool, err error) {
+				v = args
+				set = true
+				return
+			}},
+
+			unique.Make(Ident("arch")): {F: func(
+				args FArgs,
+			) (v any, set bool, err error) {
+				set = false
+				got[1] = args
+				return
+			}},
+
+			unique.Make(Ident("noop")): {F: func(
+				args FArgs,
+			) (v any, set bool, err error) {
+				set = false
+				set = true
+				got[2] = args
+				return
+			}, V: map[unique.Handle[Ident]]any{
+				unique.Make(Ident("value")): "\xfd",
+			}},
+		},
+	}}, gcc); err != nil {
+		t.Fatal(err)
+	} else if r != "\x00" {
+		t.Fatalf("package: %q", r)
+	} else if !set {
+		t.Fatal("package: unset")
+	}
+
+	want := [...]FArgs{
+		{
+			{K: unique.Make(Ident("description")), V: "The GNU Compiler Collection"},
+			{K: unique.Make(Ident("website")), V: "https://www.gnu.org/software/gcc"},
+			{K: unique.Make(Ident("anitya")), V: int64(6502)},
+
+			{K: unique.Make(Ident("version")), V: "16.1.0", R: true},
+			{K: unique.Make(Ident("source")), V: "https://ftp.tsukuba.wide.ad.jp/software/gcc/releases/gcc-16.1.0/gcc-16.1.0.tar.gz?checksum=4ASoWbxaA2FW7PAB0zzHDPC5XnNhyaAyjtDPpGzceSLeYnEIXsNYZR3PA_Zu5P0K"},
+			{K: unique.Make(Ident("patches")), V: []string{"musl-off64_t-loff_t.patch", "musl-legacy-lfs.patch"}},
+
+			{K: unique.Make(Ident("exclusive")), V: true},
+			{K: unique.Make(Ident("exec")), V: FArgs{
+				{K: unique.Make(Ident("configure")), V: [][2]string{
+					{"disable-multilib", ""},
+					{"enable-default-pie", ""},
+					{"disable-nls", ""},
+					{"with-gnu-as", ""},
+					{"with-gnu-ld", ""},
+					{"with-system-zlib", ""},
+					{"enable-languages", "c,c++,go"},
+					{"with-native-system-header-dir", "/system/include"},
+				}},
+				{K: unique.Make(Ident("make")), V: []string{
+					"BOOT_CFLAGS='-O2 -g'",
+					"\x00",
+					"bootstrap",
+				}},
+				{K: unique.Make(Ident("skip-check")), V: true},
+			}},
+
+			{K: unique.Make(Ident("inputs")), V: Array{
+				{Ident("binutils")},
+				{Ident("mpc")},
+				{Ident("zlib")},
+				{Ident("libucontext")},
+				{Ident("kernel-headers")},
+			}},
+		},
+		{
+			{K: unique.Make(Ident("amd64")), V: "''"},
+			{K: unique.Make(Ident("arm64")), V: "''"},
+			{K: unique.Make(Ident("default"))},
+		},
+		{{K: unique.Make(Ident("key")), V: "\xfd"}},
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("package: args = %#v, want %#v", got, want)
+	}
+}
+
+func BenchmarkEvaluate(b *testing.B) {
+	var gcc Func
+	if e, err := Parse(strings.NewReader(sample)); err != nil {
+		b.Fatal(err)
+	} else {
+		gcc = e[0].(Func)
+	}
+
+	s := []Frame{{
+		Func: map[unique.Handle[Ident]]F{
+			unique.Make(Ident("remoteTar")): {F: func(
+				FArgs,
+			) (v any, set bool, err error) {
+				return
+			}, V: map[unique.Handle[Ident]]any{
+				unique.Make(Ident("gzip")): 0xcafe,
+			}},
+
+			unique.Make(Ident("make")): {F: func(
+				FArgs,
+			) (v any, set bool, err error) {
+				return
+			}},
+
+			unique.Make(Ident("arch")): {F: func(
+				FArgs,
+			) (v any, set bool, err error) {
+				return
+			}},
+
+			unique.Make(Ident("noop")): {F: func(
+				FArgs,
+			) (v any, set bool, err error) {
+				return
+			}, V: map[unique.Handle[Ident]]any{
+				unique.Make(Ident("value")): "\xfd",
+			}},
+		},
+	}}
+	for b.Loop() {
+		if _, _, err := Evaluate[string](func(
+			Ident,
+			FArgs,
+		) (v any, set bool, err error) {
+			return
+		}, s, gcc); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
--- a/internal/rosa/azalea/testdata/gcc.az
+++ b/internal/rosa/azalea/testdata/gcc.az
@@ -0,0 +1,57 @@
+package gcc {
+	description = "The GNU Compiler Collection";
+	website = "https://www.gnu.org/software/gcc";
+	anitya = 6502;
+
+	version* = "16.1.0";
+	source = remoteTar {
+		url = "https://ftp.tsukuba.wide.ad.jp/software/gcc/releases/"+
+			"gcc-"+version+"/gcc-"+version+".tar.gz";
+		checksum = "4ASoWbxaA2FW7PAB0zzHDPC5XnNhyaAyjtDPpGzceSLeYnEIXsNYZR3PA_Zu5P0K";
+		compress = gzip;
+	};
+	patches = [
+		"musl-off64_t-loff_t.patch",
+		"musl-legacy-lfs.patch",
+	];
+
+	// GCC spends most of its time in its many configure scripts, however
+	// it also saturates the CPU for a consequential amount of time.
+	exclusive = true;
+
+	exec = make {
+		configure = {
+			"disable-multilib";
+			"enable-default-pie";
+			"disable-nls";
+			"with-gnu-as";
+			"with-gnu-ld";
+			"with-system-zlib";
+			"enable-languages": "c,c++,go";
+			"with-native-system-header-dir": "/system/include";
+			"with-multilib-list": arch {
+				amd64, arm64 = "''";
+				default = unset;
+			};
+		};
+		make = [
+			"BOOT_CFLAGS='-O2 -g'",
+			noop { key = value; } + "\x00",
+			"bootstrap",
+		];
+
+		// This toolchain is hacked to pieces, it is not expected to ever work
+		// well in its current state. That does not matter as long as the
+		// toolchain it produces passes its own test suite.
+		skip-check = true;
+	};
+
+	inputs = [
+		binutils,
+
+		mpc,
+		zlib,
+		libucontext,
+		kernel-headers,
+	];
+}
--- a/internal/rosa/builtins.go
+++ b/internal/rosa/builtins.go
@@ -0,0 +1,106 @@
+package rosa
+
+import (
+	"path"
+	"slices"
+	"strconv"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+)
+
+const (
+	// jobsE is expression for preferred job count set by [pkg].
+	jobsE = `"$` + pkg.EnvJobs + `"`
+	// jobsFlagE is expression for flag with preferred job count.
+	jobsFlagE = `"-j$` + pkg.EnvJobs + `"`
+	// jobsLE is expression for twice of preferred job count set by [pkg].
+	jobsLE = `"$(expr ` + jobsE + ` '*' 2)"`
+	// jobsLFlagE is expression for flag with double of preferred job count.
+	jobsLFlagE = `"-j$(expr ` + jobsE + ` '*' 2)"`
+)
+
+// newTar wraps [pkg.NewHTTPGetTar] with a simpler function signature.
+func newTar(url, checksum string, compression uint32) pkg.Artifact {
+	return pkg.NewHTTPGetTar(nil, url, mustDecode(checksum), compression)
+}
+
+// newFromCPAN is a helper for downloading release from CPAN.
+func newFromCPAN(author, name, version, checksum string) pkg.Artifact {
+	return newTar(
+		"https://cpan.metacpan.org/authors/id/"+
+			author[:1]+"/"+author[:2]+"/"+author+"/"+
+			name+"-"+version+".tar.gz",
+		checksum,
+		pkg.TarGzip,
+	)
+}
+
+// newFromGitLab is a helper for downloading source from GitLab.
+func newFromGitLab(domain, suffix, ref, checksum string) pkg.Artifact {
+	return newTar(
+		"https://"+domain+"/"+suffix+"/-/archive/"+
+			ref+"/"+path.Base(suffix)+"-"+
+			strings.ReplaceAll(ref, "/", "-")+".tar.bz2",
+		checksum,
+		pkg.TarBzip2,
+	)
+}
+
+// newFromGitHub is a helper for downloading source from Microsoft Github.
+func newFromGitHub(suffix, tag, checksum string) pkg.Artifact {
+	return newTar(
+		"https://github.com/"+suffix+
+			"/archive/refs/tags/"+tag+".tar.gz",
+		checksum,
+		pkg.TarGzip,
+	)
+}
+
+// newFromGitHubRelease is a helper for downloading release tarball from
+// Microsoft Github.
+func newFromGitHubRelease(
+	suffix, tag, name, checksum string,
+	compression uint32,
+) pkg.Artifact {
+	return newTar(
+		"https://github.com/"+suffix+
+			"/releases/download/"+tag+"/"+name,
+		checksum,
+		compression,
+	)
+}
+
+// skipGNUTests generates a string for skipping specific tests by number in a
+// GNU test suite. This is nontrivial because the test suite does not support
+// excluding tests in any way, so ranges for all but the skipped tests have to
+// be specified instead.
+//
+// For example, to skip test 764, ranges around the skipped test must be
+// specified:
+//
+//	1-763 765-
+//
+// Tests are numbered starting from 1. The resulting string is unquoted.
+func skipGNUTests(tests ...int64) string {
+	tests = slices.Clone(tests)
+	slices.Sort(tests)
+
+	var buf strings.Builder
+
+	if tests[0] != 1 {
+		buf.WriteString("1-")
+	}
+
+	for i, n := range tests {
+		if n != 1 && (i == 0 || tests[i-1] != n-1) {
+			buf.WriteString(strconv.Itoa(int(n - 1)))
+			buf.WriteString(" ")
+		}
+		if i == len(tests)-1 || tests[i+1] != n+1 {
+			buf.WriteString(strconv.Itoa(int(n + 1)))
+			buf.WriteString("-")
+		}
+	}
+	return buf.String()
+}
--- a/internal/rosa/builtins_test.go
+++ b/internal/rosa/builtins_test.go
@@ -0,0 +1,35 @@
+package rosa
+
+import (
+	"slices"
+	"strconv"
+	"strings"
+	"testing"
+)
+
+func TestSkipGNUTests(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		tests []int64
+		want  string
+	}{
+		{[]int64{764}, "1-763 765-"},
+		{[]int64{764, 0xcafe, 37, 9}, "1-8 10-36 38-763 765-51965 51967-"},
+		{[]int64{1, 2, 0xbed}, "3-3052 3054-"},
+		{[]int64{3, 4}, "1-2 5-"},
+	}
+	for _, tc := range testCases {
+		t.Run(strings.Join(slices.Collect(func(yield func(string) bool) {
+			for _, n := range tc.tests {
+				yield(strconv.Itoa(int(n)))
+			}
+		}), ","), func(t *testing.T) {
+			t.Parallel()
+
+			if got := skipGNUTests(tc.tests...); got != tc.want {
+				t.Errorf("skipGNUTests: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
--- a/internal/rosa/busybox.go
+++ b/internal/rosa/busybox.go
@@ -5,7 +5,6 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"runtime"
 	"time"

 	"hakurei.app/fhs"
@@ -27,7 +26,7 @@ func (a busyboxBin) Params(*pkg.IContext) {}
 // IsExclusive returns false: Cure performs a trivial filesystem write.
 func (busyboxBin) IsExclusive() bool { return false }

-// Dependencies returns the underlying busybox [pkg.File].
+// Dependencies returns the underlying busybox [pkg.FileArtifact].
 func (a busyboxBin) Dependencies() []pkg.Artifact {
 	return []pkg.Artifact{a.bin}
 }
@@ -86,13 +85,13 @@ func (a busyboxBin) Cure(t *pkg.TContext) (err error) {

 // newBusyboxBin returns a [pkg.Artifact] containing a busybox installation from
 // the https://busybox.net/downloads/binaries/ binary release.
-func newBusyboxBin() pkg.Artifact {
+func (s *S) newBusyboxBin() pkg.Artifact {
 	var version, url, checksum string
-	switch runtime.GOARCH {
+	switch s.arch {
 	case "amd64":
 		version = "1.35.0"
 		url = "https://busybox.net/downloads/binaries/" +
-			version + "-" + linuxArch() + "-linux-musl/busybox"
+			version + "-" + s.linuxArch() + "-linux-musl/busybox"
 		checksum = "L7OBIsPu9enNHn7FqpBT1kOg_mCLNmetSeNMA3i4Y60Z5jTgnlX3qX3zcQtLx5AB"
 	case "arm64":
 		version = "1.31.0"
@@ -101,11 +100,11 @@ func newBusyboxBin() pkg.Artifact {
 		checksum = "npJjBO7iwhjW6Kx2aXeSxf8kXhVgTCDChOZTTsI8ZfFfa3tbsklxRiidZQdrVERg"

 	default:
-		panic("unsupported target " + runtime.GOARCH)
+		panic("unsupported target " + s.arch)
 	}

 	return pkg.NewExec(
-		"busybox-bin-"+version, nil, pkg.ExecTimeoutMax, false,
+		"busybox-bin-"+version, s.arch, nil, pkg.ExecTimeoutMax, false, false,
 		fhs.AbsRoot, []string{
 			"PATH=/system/bin",
 		},
--- a/internal/rosa/bzip2.go
+++ b/internal/rosa/bzip2.go
@@ -1,38 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newBzip2() (pkg.Artifact, string) {
-	const (
-		version  = "1.0.8"
-		checksum = "cTLykcco7boom-s05H1JVsQi1AtChYL84nXkg_92Dm1Xt94Ob_qlMg_-NSguIK-c"
-	)
-	return t.NewPackage("bzip2", version, newTar(
-		"https://sourceware.org/pub/bzip2/bzip2-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		Writable:    true,
-		EnterSource: true,
-	}, &MakeHelper{
-		// uses source tree as scratch space
-		SkipConfigure: true,
-		SkipCheck:     true,
-		InPlace:       true,
-		Make: []string{
-			"CC=cc",
-		},
-		Install: "make PREFIX=/work/system install",
-	}), version
-}
-func init() {
-	artifactsM[Bzip2] = Metadata{
-		f: Toolchain.newBzip2,
-
-		Name:        "bzip2",
-		Description: "a freely available, patent free, high-quality data compressor",
-		Website:     "https://sourceware.org/bzip2/",
-
-		ID: 237,
-	}
-}
--- a/internal/rosa/cmake.go
+++ b/internal/rosa/cmake.go
@@ -4,141 +4,42 @@ import (
 	"path/filepath"
 	"slices"
 	"strings"
-
-	"hakurei.app/internal/pkg"
 )

-func (t Toolchain) newCMake() (pkg.Artifact, string) {
-	const (
-		version  = "4.3.1"
-		checksum = "RHpzZiM1kJ5bwLjo9CpXSeHJJg3hTtV9QxBYpQoYwKFtRh5YhGWpShrqZCSOzQN6"
-	)
-	return t.NewPackage("cmake", version, newFromGitHubRelease(
-		"Kitware/CMake",
-		"v"+version,
-		"cmake-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		// test suite expects writable source tree
-		Writable: true,
+var (
+	_cmake = H("cmake")
+	_ninja = H("ninja")
+)

-		// expected to be writable in the copy made during bootstrap
-		Chmod: true,
-
-		Patches: []KV{
-			{"bootstrap-test-no-openssl", `diff --git a/Tests/BootstrapTest.cmake b/Tests/BootstrapTest.cmake
-index 137de78bc1..b4da52e664 100644
--- a/Tests/BootstrapTest.cmake
-+++ b/Tests/BootstrapTest.cmake
-@@ -9,7 +9,7 @@ if(NOT nproc EQUAL 0)
- endif()
- message(STATUS "running bootstrap: ${bootstrap} ${ninja_arg} ${parallel_arg}")
- execute_process(
-  COMMAND ${bootstrap} ${ninja_arg} ${parallel_arg}
-+  COMMAND ${bootstrap} ${ninja_arg} ${parallel_arg} -- -DCMAKE_USE_OPENSSL=OFF
-   WORKING_DIRECTORY "${bin_dir}"
-   RESULT_VARIABLE result
-   )
-`},
-
-			{"disable-broken-tests-musl", `diff --git a/Tests/CMakeLists.txt b/Tests/CMakeLists.txt
-index 2ead810437..f85cbb8b1c 100644
--- a/Tests/CMakeLists.txt
-+++ b/Tests/CMakeLists.txt
-@@ -384,7 +384,6 @@ if(BUILD_TESTING)
-     add_subdirectory(CMakeLib)
-   endif()
-   add_subdirectory(CMakeOnly)
-  add_subdirectory(RunCMake)
- 
-   add_subdirectory(FindPackageModeMakefileTest)
- 
-@@ -528,9 +527,6 @@ if(BUILD_TESTING)
-                                  -DCMake_TEST_CUDA:BOOL=${CMake_TEST_CUDA}
-                                  -DCMake_INSTALL_NAME_TOOL_BUG:BOOL=${CMake_INSTALL_NAME_TOOL_BUG}
-                                  )
-  ADD_TEST_MACRO(ExportImport ExportImport)
-  set_property(TEST ExportImport APPEND
-    PROPERTY LABELS "CUDA")
-   ADD_TEST_MACRO(Unset Unset)
-   ADD_TEST_MACRO(PolicyScope PolicyScope)
-   ADD_TEST_MACRO(EmptyLibrary EmptyLibrary)
-@@ -624,7 +620,6 @@ if(BUILD_TESTING)
-   # run test for BundleUtilities on supported platforms/compilers
-   if((MSVC OR
-       MINGW OR
-      CMAKE_SYSTEM_NAME MATCHES "Linux" OR
-       CMAKE_SYSTEM_NAME MATCHES "Darwin")
-     AND NOT CMAKE_GENERATOR STREQUAL "Watcom WMake")
- 
-@@ -3095,10 +3090,6 @@ if(BUILD_TESTING)
-     "${CMake_SOURCE_DIR}/Tests/CTestTestFdSetSize/test.cmake.in"
-     "${CMake_BINARY_DIR}/Tests/CTestTestFdSetSize/test.cmake"
-     @ONLY ESCAPE_QUOTES)
-  add_test(CTestTestFdSetSize ${CMAKE_CTEST_COMMAND}
-    -S "${CMake_BINARY_DIR}/Tests/CTestTestFdSetSize/test.cmake" -j20 -V --timeout 120
-    --output-log "${CMake_BINARY_DIR}/Tests/CTestTestFdSetSize/testOutput.log"
-    )
- 
-   if(CMAKE_TESTS_CDASH_SERVER)
-     set(regex "^([^:]+)://([^/]+)(.*)$")
-`},
-		},
-	}, &MakeHelper{
-		OmitDefaults: true,
-
-		ConfigureName: "/usr/src/cmake/bootstrap",
-		Configure: []KV{
-			{"prefix", "/system"},
-			{"parallel", jobsE},
-			{"--"},
-			{"-DCMAKE_USE_OPENSSL", "OFF"},
-			{"-DCMake_TEST_NO_NETWORK", "ON"},
-		},
-		Check: []string{
-			"CTEST_OUTPUT_ON_FAILURE=1",
-			"CTEST_PARALLEL_LEVEL=128",
-			"test",
-		},
-	},
-		KernelHeaders,
-	), version
-}
-func init() {
-	artifactsM[CMake] = Metadata{
-		f: Toolchain.newCMake,
-
-		Name:        "cmake",
-		Description: "cross-platform, open-source build system",
-		Website:     "https://cmake.org/",
-
-		ID: 306,
-	}
-}
-
-// CMakeHelper is the [CMake] build system helper.
+// CMakeHelper builds and tests a CMake project with specified CACHE entries.
 type CMakeHelper struct {
 	// Path elements joined with source.
 	Append []string

+	// Value of CMAKE_BUILD_TYPE. The zero value is equivalent to "Release".
+	BuildType string
 	// CMake CACHE entries.
 	Cache []KV
 	// Runs after install.
 	Script string

+	// Replaces the default test command.
+	Test string
+	// Whether to skip running tests.
+	SkipTest bool
+
 	// Whether to generate Makefile instead.
 	Make bool
 }

 var _ Helper = new(CMakeHelper)

-// extra returns a hardcoded slice of [CMake] and [Ninja].
+// extra returns the cmake handle alongside either ninja or make.
 func (attr *CMakeHelper) extra(int) P {
 	if attr != nil && attr.Make {
-		return P{CMake, Make}
+		return P{_cmake, _make}
 	}
-	return P{CMake, Ninja}
+	return P{_cmake, _ninja}
 }

 // wantsChmod returns false.
@@ -150,29 +51,36 @@ func (*CMakeHelper) wantsWrite() bool { return false }
 // scriptEarly returns the zero value.
 func (*CMakeHelper) scriptEarly() string { return "" }

-// createDir returns true.
-func (*CMakeHelper) createDir() bool { return true }
-
 // wantsDir returns a hardcoded, deterministic pathname.
-func (*CMakeHelper) wantsDir() string { return "/cure/" }
+func (*CMakeHelper) wantsDir() (string, bool) { return "/cure/", true }

 // script generates the cure script.
-func (attr *CMakeHelper) script(name string) string {
+func (attr *CMakeHelper) script(t Toolchain, name string) string {
 	if attr == nil {
-		attr = &CMakeHelper{
-			Cache: []KV{
-				{"CMAKE_BUILD_TYPE", "Release"},
-			},
-		}
-	}
-	if len(attr.Cache) == 0 {
-		panic("CACHE must be non-empty")
+		attr = new(CMakeHelper)
 	}

 	generate := "Ninja"
+	test := "ninja " + jobsFlagE + " test"
 	if attr.Make {
 		generate = "'Unix Makefiles'"
+		test = "make " + jobsFlagE + " test"
 	}
+	if attr.Test != "" {
+		test = attr.Test
+	}
+
+	script := attr.Script
+	if !attr.SkipTest && t.opts&OptSkipCheck == 0 {
+		script += "\n" + test
+	}
+
+	cache := make([]KV, 1, 1+len(attr.Cache))
+	cache[0] = KV{"CMAKE_BUILD_TYPE", "Release"}
+	if attr.BuildType != "" {
+		cache[0][1] = attr.BuildType
+	}
+	cache = append(cache, attr.Cache...)

 	return `
 cmake -G ` + generate + ` \
@@ -181,7 +89,7 @@ cmake -G ` + generate + ` \
 	-DCMAKE_ASM_COMPILER_TARGET="${ROSA_TRIPLE}" \
 	-DCMAKE_INSTALL_LIBDIR=lib \
 	` + strings.Join(slices.Collect(func(yield func(string) bool) {
-		for _, v := range attr.Cache {
+		for _, v := range cache {
 			if !yield("-D" + v[0] + "=" + v[1]) {
 				return
 			}
@@ -191,5 +99,5 @@ cmake -G ` + generate + ` \
 	'/usr/src/` + name + `/` + filepath.Join(attr.Append...) + `'
 cmake --build . --parallel=` + jobsE + `
 cmake --install . --prefix=/work/system
-` + attr.Script
+` + script
 }
--- a/internal/rosa/curl.go
+++ b/internal/rosa/curl.go
@@ -1,56 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newCurl() (pkg.Artifact, string) {
-	const (
-		version  = "8.19.0"
-		checksum = "YHuVLVVp8q_Y7-JWpID5ReNjq2Zk6t7ArHB6ngQXilp_R5l3cubdxu3UKo-xDByv"
-	)
-	return t.NewPackage("curl", version, newTar(
-		"https://curl.se/download/curl-"+version+".tar.bz2",
-		checksum,
-		pkg.TarBzip2,
-	), &PackageAttr{
-		// remove broken test
-		Writable: true,
-		ScriptEarly: `
-chmod +w tests/data && rm -f tests/data/test459
-`,
-	}, &MakeHelper{
-		Configure: []KV{
-			{"with-openssl"},
-			{"with-ca-bundle", "/system/etc/ssl/certs/ca-bundle.crt"},
-
-			{"disable-smb"},
-		},
-		Check: []string{
-			"TFLAGS=" + jobsLFlagE,
-			"test-nonflaky",
-		},
-	},
-		Perl,
-		Python,
-		PkgConfig,
-		Diffutils,
-
-		Libpsl,
-		OpenSSL,
-	), version
-}
-func init() {
-	artifactsM[Curl] = Metadata{
-		f: Toolchain.newCurl,
-
-		Name:        "curl",
-		Description: "command line tool and library for transferring data with URLs",
-		Website:     "https://curl.se/",
-
-		Dependencies: P{
-			Libpsl,
-			OpenSSL,
-		},
-
-		ID: 381,
-	}
-}
--- a/internal/rosa/dbus.go
+++ b/internal/rosa/dbus.go
@@ -1,81 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newDBus() (pkg.Artifact, string) {
-	const (
-		version  = "1.16.2"
-		checksum = "INwOuNdrDG7XW5ilW_vn8JSxEa444rRNc5ho97i84I1CNF09OmcFcV-gzbF4uCyg"
-	)
-	return t.NewPackage("dbus", version, newFromGitLab(
-		"gitlab.freedesktop.org",
-		"dbus/dbus",
-		"dbus-"+version,
-		checksum,
-	), &PackageAttr{
-		// OSError: [Errno 30] Read-only file system: '/usr/src/dbus/subprojects/packagecache'
-		Writable: true,
-		// PermissionError: [Errno 13] Permission denied: '/usr/src/dbus/subprojects/packagecache'
-		Chmod: true,
-	}, &MesonHelper{
-		Setup: []KV{
-			{"Depoll", "enabled"},
-			{"Dinotify", "enabled"},
-			{"Dx11_autolaunch", "disabled"},
-		},
-	},
-		GLib,
-		Libexpat,
-	), version
-}
-func init() {
-	artifactsM[DBus] = Metadata{
-		f: Toolchain.newDBus,
-
-		Name:        "dbus",
-		Description: "a message bus system",
-		Website:     "https://www.freedesktop.org/wiki/Software/dbus/",
-
-		Dependencies: P{
-			GLib,
-			Libexpat,
-		},
-
-		ID: 5356,
-	}
-}
-
-func (t Toolchain) newXDGDBusProxy() (pkg.Artifact, string) {
-	const (
-		version  = "0.1.7"
-		checksum = "UW5Pe-TP-XAaN-kTbxrkOQ7eYdmlAQlr2pdreLtPT0uwdAz-7rzDP8V_8PWuZBup"
-	)
-	return t.NewPackage("xdg-dbus-proxy", version, newFromGitHub(
-		"flatpak/xdg-dbus-proxy",
-		version,
-		checksum,
-	), nil, &MesonHelper{
-		Setup: []KV{
-			{"Dman", "disabled"},
-		},
-	},
-		DBus,
-
-		GLib,
-	), version
-}
-func init() {
-	artifactsM[XDGDBusProxy] = Metadata{
-		f: Toolchain.newXDGDBusProxy,
-
-		Name:        "xdg-dbus-proxy",
-		Description: "a filtering proxy for D-Bus connections",
-		Website:     "https://github.com/flatpak/xdg-dbus-proxy",
-
-		Dependencies: P{
-			GLib,
-		},
-
-		ID: 58434,
-	}
-}
--- a/internal/rosa/dtc.go
+++ b/internal/rosa/dtc.go
@@ -1,43 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newDTC() (pkg.Artifact, string) {
-	const (
-		version  = "1.7.2"
-		checksum = "vUoiRynPyYRexTpS6USweT5p4SVHvvVJs8uqFkkVD-YnFjwf6v3elQ0-Etrh00Dt"
-	)
-	return t.NewPackage("dtc", version, newTar(
-		"https://git.kernel.org/pub/scm/utils/dtc/dtc.git/snapshot/"+
-			"dtc-v"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		// works around buggy test:
-		// fdtdump-runtest.sh /usr/src/dtc/tests/fdtdump.dts
-		Writable: true,
-		Chmod:    true,
-	}, &MesonHelper{
-		Setup: []KV{
-			{"Dyaml", "disabled"},
-			{"Dstatic-build", "true"},
-		},
-	},
-		Flex,
-		Bison,
-		M4,
-		Coreutils,
-		Diffutils,
-	), version
-}
-func init() {
-	artifactsM[DTC] = Metadata{
-		f: Toolchain.newDTC,
-
-		Name:        "dtc",
-		Description: "The Device Tree Compiler",
-		Website:     "https://git.kernel.org/pub/scm/utils/dtc/dtc.git/",
-
-		ID: 16911,
-	}
-}
--- a/internal/rosa/elfutils.go
+++ b/internal/rosa/elfutils.go
@@ -1,59 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newElfutils() (pkg.Artifact, string) {
-	const (
-		version  = "0.195"
-		checksum = "JrGnBD38w8Mj0ZxDw3fKlRBFcLvRKu8rcYnX35R9yTlUSYnzTazyLboG-a2CsJlu"
-	)
-	return t.NewPackage("elfutils", version, newTar(
-		"https://sourceware.org/elfutils/ftp/"+
-			version+"/elfutils-"+version+".tar.bz2",
-		checksum,
-		pkg.TarBzip2,
-	), &PackageAttr{
-		Env: []string{
-			"CC=cc" +
-				// nonstandard glibc extension
-				" -DFNM_EXTMATCH=0",
-		},
-	}, &MakeHelper{
-		// nonstandard glibc extension
-		SkipCheck: true,
-
-		Configure: []KV{
-			{"enable-deterministic-archives"},
-		},
-	},
-		M4,
-		PkgConfig,
-
-		Zlib,
-		Bzip2,
-		Zstd,
-		ArgpStandalone,
-		MuslFts,
-		MuslObstack,
-		KernelHeaders,
-	), version
-}
-func init() {
-	artifactsM[Elfutils] = Metadata{
-		f: Toolchain.newElfutils,
-
-		Name:        "elfutils",
-		Description: "utilities and libraries to handle ELF files and DWARF data",
-		Website:     "https://sourceware.org/elfutils/",
-
-		Dependencies: P{
-			Zlib,
-			Bzip2,
-			Zstd,
-			MuslFts,
-			MuslObstack,
-		},
-
-		ID: 5679,
-	}
-}
--- a/internal/rosa/fakeroot.go
+++ b/internal/rosa/fakeroot.go
@@ -1,58 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newFakeroot() (pkg.Artifact, string) {
-	const (
-		version  = "1.37.2"
-		checksum = "4ve-eDqVspzQ6VWDhPS0NjW3aSenBJcPAJq_BFT7OOFgUdrQzoTBxZWipDAGWxF8"
-	)
-	return t.NewPackage("fakeroot", version, newFromGitLab(
-		"salsa.debian.org",
-		"clint/fakeroot",
-		"upstream/"+version,
-		checksum,
-	), &PackageAttr{
-		Patches: []KV{
-			{"remove-broken-docs", `diff --git a/doc/Makefile.am b/doc/Makefile.am
-index f135ad9..85c784c 100644
--- a/doc/Makefile.am
-+++ b/doc/Makefile.am
-@@ -1,5 +1,4 @@
- AUTOMAKE_OPTIONS=foreign
-SUBDIRS = de es fr nl pt ro sv
- 
- man_MANS = faked.1 fakeroot.1
- 
-`},
-		},
-
-		Env: []string{
-			"CONFIG_SHELL=/bin/sh",
-		},
-	}, &MakeHelper{
-		Generate: "./bootstrap",
-
-		// makes assumptions about /etc/passwd
-		SkipCheck: true,
-	},
-		Automake,
-		Libtool,
-		PkgConfig,
-
-		Attr,
-		Libcap,
-		KernelHeaders,
-	), version
-}
-func init() {
-	artifactsM[Fakeroot] = Metadata{
-		f: Toolchain.newFakeroot,
-
-		Name:        "fakeroot",
-		Description: "tool for simulating superuser privileges",
-		Website:     "https://salsa.debian.org/clint/fakeroot",
-
-		ID: 12048,
-	}
-}
--- a/internal/rosa/flex.go
+++ b/internal/rosa/flex.go
@@ -1,32 +0,0 @@
-package rosa
-
-import (
-	"hakurei.app/internal/pkg"
-)
-
-func (t Toolchain) newFlex() (pkg.Artifact, string) {
-	const (
-		version  = "2.6.4"
-		checksum = "p9POjQU7VhgOf3x5iFro8fjhy0NOanvA7CTeuWS_veSNgCixIJshTrWVkc5XLZkB"
-	)
-	return t.NewPackage("flex", version, newFromGitHubRelease(
-		"westes/flex",
-		"v"+version,
-		"flex-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), nil, (*MakeHelper)(nil),
-		M4,
-	), version
-}
-func init() {
-	artifactsM[Flex] = Metadata{
-		f: Toolchain.newFlex,
-
-		Name:        "flex",
-		Description: "scanner generator for lexing in C and C++",
-		Website:     "https://github.com/westes/flex/",
-
-		ID: 819,
-	}
-}
--- a/internal/rosa/fuse.go
+++ b/internal/rosa/fuse.go
@@ -1,43 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newFuse() (pkg.Artifact, string) {
-	const (
-		version  = "3.18.2"
-		checksum = "iL-7b7eUtmlVSf5cSq0dzow3UiqSjBmzV3cI_ENPs1tXcHdktkG45j1V12h-4jZe"
-	)
-	return t.NewPackage("fuse", version, newFromGitHubRelease(
-		"libfuse/libfuse",
-		"fuse-"+version,
-		"fuse-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), nil, &MesonHelper{
-		Setup: []KV{
-			{"Ddefault_library", "both"},
-			{"Dtests", "true"},
-			{"Duseroot", "false"},
-			{"Dinitscriptdir", "/system/etc"},
-		},
-
-		ScriptCompiled: "python3 -m pytest test/",
-		// this project uses pytest
-		SkipTest: true,
-	},
-		PythonPyTest,
-
-		KernelHeaders,
-	), version
-}
-func init() {
-	artifactsM[Fuse] = Metadata{
-		f: Toolchain.newFuse,
-
-		Name:        "fuse",
-		Description: "the reference implementation of the Linux FUSE interface",
-		Website:     "https://github.com/libfuse/libfuse/",
-
-		ID: 861,
-	}
-}
--- a/internal/rosa/git.go
+++ b/internal/rosa/git.go
@@ -7,88 +7,10 @@ import (
 	"hakurei.app/internal/pkg"
 )

-func (t Toolchain) newGit() (pkg.Artifact, string) {
-	const (
-		version  = "2.53.0"
-		checksum = "rlqSTeNgSeVKJA7nvzGqddFH8q3eFEPB4qRZft-4zth8wTHnbTbm7J90kp_obHGm"
-	)
-	return t.NewPackage("git", version, newTar(
-		"https://www.kernel.org/pub/software/scm/git/"+
-			"git-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		ScriptEarly: `
-ln -s ../../system/bin/perl /usr/bin/ || true
-`,
-
-		// uses source tree as scratch space
-		EnterSource: true,
-	}, &MakeHelper{
-		InPlace:  true,
-		Generate: "make configure",
-		ScriptMakeEarly: `
-function disable_test {
-	local test=$1 pattern=${2:-''}
-	if [ $# -eq 1 ]; then
-		rm "t/${test}.sh"
-	else
-		sed -i "t/${test}.sh" \
-			-e "/^\s*test_expect_.*$pattern/,/^\s*' *\$/{s/^/: #/}"
-	fi
-}
-
-disable_test t5319-multi-pack-index
-disable_test t1305-config-include
-disable_test t3900-i18n-commit
-disable_test t3507-cherry-pick-conflict
-disable_test t4201-shortlog
-disable_test t5303-pack-corruption-resilience
-disable_test t4301-merge-tree-write-tree
-disable_test t8005-blame-i18n
-disable_test t9350-fast-export
-disable_test t9300-fast-import
-disable_test t0211-trace2-perf
-disable_test t1517-outside-repo
-disable_test t2200-add-update
-`,
-		Check: []string{
-			"-C t",
-			`GIT_PROVE_OPTS="--jobs 32 --failures"`,
-			"prove",
-		},
-		Install: `make \
-	` + jobsFlagE + ` \
-	DESTDIR=/work \
-	NO_INSTALL_HARDLINKS=1 \
-	install`,
-	},
-		Diffutils,
-		Autoconf,
-		Gettext,
-
-		Zlib,
-		Curl,
-		Libexpat,
-	), version
-}
-func init() {
-	artifactsM[Git] = Metadata{
-		f: Toolchain.newGit,
-
-		Name:        "git",
-		Description: "distributed version control system",
-		Website:     "https://www.git-scm.com/",
-
-		Dependencies: P{
-			Zlib,
-			Curl,
-			Libexpat,
-		},
-
-		ID: 5350,
-	}
-}
+var (
+	_git       = H("git")
+	_nssCACert = H("nss-cacert")
+)

 // NewViaGit returns a [pkg.Artifact] for cloning a git repository.
 func (t Toolchain) NewViaGit(
@@ -98,9 +20,9 @@ func (t Toolchain) NewViaGit(
 	return t.New(strings.TrimSuffix(
 		path.Base(url),
 		".git",
-	)+"-src-"+path.Base(rev), 0, t.AppendPresets(nil,
-		NSSCACert,
-		Git,
+	)+"-src-"+path.Base(rev), THostNet, t.Append(nil,
+		_nssCACert,
+		_git,
 	), &checksum, nil, `
 git \
 	-c advice.detachedHead=false \
@@ -114,8 +36,3 @@ git \
 rm -rf /work/.git
 `, resolvconf())
 }
-
-// newTagRemote is a helper around NewViaGit for a tag on a git remote.
-func (t Toolchain) newTagRemote(url, tag, checksum string) pkg.Artifact {
-	return t.NewViaGit(url, "refs/tags/"+tag, mustDecode(checksum))
-}
--- a/internal/rosa/glslang.go
+++ b/internal/rosa/glslang.go
@@ -1,130 +0,0 @@
-package rosa
-
-import (
-	"slices"
-	"strings"
-
-	"hakurei.app/internal/pkg"
-)
-
-func (t Toolchain) newSPIRVHeaders() (pkg.Artifact, string) {
-	const (
-		version  = "1.4.341.0"
-		checksum = "0PL43-19Iaw4k7_D8J8BvoJ-iLgCVSYZ2ThgDPGfAJwIJFtre7l0cnQtLjcY-JvD"
-	)
-	return t.NewPackage("spirv-headers", version, newFromGitHub(
-		"KhronosGroup/SPIRV-Headers",
-		"vulkan-sdk-"+version,
-		checksum,
-	), nil, &CMakeHelper{
-		Cache: []KV{
-			{"CMAKE_BUILD_TYPE", "Release"},
-		},
-	}), version
-}
-func init() {
-	artifactsM[SPIRVHeaders] = Metadata{
-		f: Toolchain.newSPIRVHeaders,
-
-		Name:        "spirv-headers",
-		Description: "machine-readable files for the SPIR-V Registry",
-		Website:     "https://github.com/KhronosGroup/SPIRV-Headers",
-
-		ID: 230542,
-
-		// upstream changed version scheme, anitya incapable of filtering them
-		latest: func(v *Versions) string {
-			for _, s := range v.Stable {
-				fields := strings.SplitN(s, ".", 4)
-				if len(fields) != 4 {
-					continue
-				}
-				if slices.ContainsFunc(fields, func(f string) bool {
-					return slices.ContainsFunc([]byte(f), func(d byte) bool {
-						return d < '0' || d > '9'
-					})
-				}) {
-					continue
-				}
-				return s
-			}
-			return v.Latest
-		},
-	}
-}
-
-func (t Toolchain) newSPIRVTools() (pkg.Artifact, string) {
-	const (
-		version  = "2026.1"
-		checksum = "ZSQPQx8NltCDzQLk4qlaVxyWRWeI_JtsjEpeFt3kezTanl9DTHfLixSUCezMFBjv"
-	)
-	return t.NewPackage("spirv-tools", version, newFromGitHub(
-		"KhronosGroup/SPIRV-Tools",
-		"v"+version,
-		checksum,
-	), nil, &CMakeHelper{
-		Cache: []KV{
-			{"CMAKE_BUILD_TYPE", "Release"},
-			{"SPIRV-Headers_SOURCE_DIR", "/system"},
-		},
-	},
-		Python,
-
-		SPIRVHeaders,
-	), version
-}
-func init() {
-	artifactsM[SPIRVTools] = Metadata{
-		f: Toolchain.newSPIRVTools,
-
-		Name:        "spirv-tools",
-		Description: "an API and commands for processing SPIR-V modules",
-		Website:     "https://github.com/KhronosGroup/SPIRV-Tools",
-
-		Dependencies: P{
-			SPIRVHeaders,
-		},
-
-		ID: 14894,
-	}
-}
-
-func (t Toolchain) newGlslang() (pkg.Artifact, string) {
-	const (
-		version  = "16.2.0"
-		checksum = "6_UuF9reLRDaVkgO-9IfB3kMwme3lQZM8LL8YsJwPdUFkrjzxJtf2A9X3w9nFxj2"
-	)
-	return t.NewPackage("glslang", version, newFromGitHub(
-		"KhronosGroup/glslang",
-		version,
-		checksum,
-	), &PackageAttr{
-		// test suite writes to source
-		Writable: true,
-		Chmod:    true,
-	}, &CMakeHelper{
-		Cache: []KV{
-			{"CMAKE_BUILD_TYPE", "Release"},
-			{"BUILD_SHARED_LIBS", "ON"},
-			{"ALLOW_EXTERNAL_SPIRV_TOOLS", "ON"},
-		},
-		Script: "ctest",
-	},
-		Python,
-		Bash,
-		Diffutils,
-
-		SPIRVTools,
-	), version
-}
-func init() {
-	artifactsM[Glslang] = Metadata{
-		f: Toolchain.newGlslang,
-
-		Name:        "glslang",
-		Description: "reference front end for GLSL/ESSL",
-		Website:     "https://github.com/KhronosGroup/glslang",
-
-		ID: 205796,
-	}
-}
--- a/internal/rosa/gnu.go
+++ b/internal/rosa/gnu.go
--- a/internal/rosa/go.go
+++ b/internal/rosa/go.go
@@ -1,91 +1,116 @@
 package rosa

 import (
-	"runtime"
 	"slices"

 	"hakurei.app/internal/pkg"
 )

-// newGoBootstrap returns the Go bootstrap toolchain.
-func (t Toolchain) newGoBootstrap() pkg.Artifact {
-	const checksum = "8o9JL_ToiQKadCTb04nvBDkp8O1xiWOolAxVEqaTGodieNe4lOFEjlOxN3bwwe23"
-	return t.New("go1.4-bootstrap", 0, []pkg.Artifact{
-		t.Load(Bash),
-	}, nil, []string{
-		"CGO_ENABLED=0",
-	}, `
-mkdir -p /var/tmp/ /work/system/
-cp -r /usr/src/go /work/system/
-cd /work/system/go/src
-chmod -R +w ..
-
-./make.bash
-`, pkg.Path(AbsUsrSrc.Append("go"), false, newTar(
-		"https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz",
-		checksum,
-		pkg.TarGzip,
-	)))
-}
-
 // newGo returns a specific version of the Go toolchain.
 func (t Toolchain) newGo(
 	version, checksum string,
 	env []string,
 	script string,
-	extra ...pkg.Artifact,
+	boot ...pkg.Artifact,
 ) pkg.Artifact {
-	return t.New("go"+version, 0, slices.Concat([]pkg.Artifact{
-		t.Load(Bash),
-	}, extra), nil, slices.Concat([]string{
-		"CC=cc",
-		"GOCACHE=/tmp/gocache",
-		"GOROOT_BOOTSTRAP=/system/go",
-		"TMPDIR=/dev/shm/go",
-	}, env), `
-mkdir /work/system "${TMPDIR}"
-cp -r /usr/src/go /work/system
-cd /work/system/go/src
+	return t.NewPackage("go", version, newTar(
+		"https://go.dev/dl/go"+version+".src.tar.gz",
+		checksum,
+		pkg.TarGzip,
+	), &PackageAttr{
+		EnterSource: true,
+		Env: slices.Concat([]string{
+			"CC=cc",
+			"GOCACHE=/tmp/gocache",
+			"GOROOT_BOOTSTRAP=/system/go",
+			"TMPDIR=/dev/shm/go",
+		}, env),
+
+		Extra: boot,
+	}, &GenericHelper{
+		InPlace: true,
+		Build: `
+mkdir /work/system/ "${TMPDIR}"
+cp -r . /work/system/go
+cd /work/system/go/src/
 chmod -R +w ..
-`+script+`
-./all.bash
+` + script + `
+set +u
+. ./make.bash "$@" --no-banner
+set -u
+`,
+		Check: "bash run.bash --no-rebuild\n",
+		Install: `
+../bin/go tool dist banner # print build info

 mkdir /work/system/bin
 ln -s \
 	../go/bin/go \
 	../go/bin/gofmt \
 	/work/system/bin
-`, pkg.Path(AbsUsrSrc.Append("go"), false, newTar(
-		"https://go.dev/dl/go"+version+".src.tar.gz",
-		checksum,
-		pkg.TarGzip,
-	)))
+`,
+	},
+		_bash,
+	)
 }

-func (t Toolchain) newGoLatest() (pkg.Artifact, string) {
-	var (
-		bootstrapEnv   []string
-		bootstrapExtra []pkg.Artifact
-
-		finalEnv []string
+func init() {
+	const (
+		version  = "1.26.3"
+		checksum = "lEiFocZFnN5fKvZzmwVdqc9pYUjAuhzqZGbuiOqxUP4XdcY8yECisKcqsQ_eNn1N"
 	)
-	switch runtime.GOARCH {
-	case "amd64":
-		bootstrapExtra = append(bootstrapExtra, t.newGoBootstrap())
+	meta := Metadata{
+		Name:        "go",
+		Description: "the Go programming language toolchain",
+		Website:     "https://go.dev",
+		Version:     version,

-	case "arm64", "riscv64":
-		bootstrapEnv = append(bootstrapEnv, "GOROOT_BOOTSTRAP=/system")
-		bootstrapExtra = t.AppendPresets(bootstrapExtra, gcc)
-		finalEnv = append(finalEnv, "CGO_ENABLED=0")
-
-	default:
-		panic("unsupported target " + runtime.GOARCH)
+		ID: 1227,
 	}
+	native.MustRegister(meta.Name, func(t Toolchain) (*Metadata, pkg.Artifact) {
+		var (
+			bootstrapEnv   []string
+			bootstrapEarly []pkg.Artifact

-	go119 := t.newGo(
-		"1.19",
-		"9_e0aFHsIkVxWVGsp9T2RvvjOc3p4n9o9S8tkNe9Cvgzk_zI2FhRQB7ioQkeAAro",
-		append(bootstrapEnv, "CGO_ENABLED=0"), `
+			finalEnv []string
+		)
+		switch t.arch {
+		case "amd64":
+			bootstrapEarly = []pkg.Artifact{t.NewPackage("go", "1.4-bootstrap", newTar(
+				"https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz",
+				"8o9JL_ToiQKadCTb04nvBDkp8O1xiWOolAxVEqaTGodieNe4lOFEjlOxN3bwwe23",
+				pkg.TarGzip,
+			), &PackageAttr{
+				EnterSource: true,
+				Env: []string{
+					"CGO_ENABLED=0",
+				},
+			}, &GenericHelper{
+				InPlace: true,
+				Build: `
+mkdir /work/system/
+cp -r . /work/system/go
+cd /work/system/go/src/
+mkdir -p /var/tmp/
+./make.bash
+`,
+			},
+				_bash,
+			)}
+
+		case "arm64", "riscv64":
+			bootstrapEnv = append(bootstrapEnv, "GOROOT_BOOTSTRAP=/system")
+			bootstrapEarly = t.Append(bootstrapEarly, H("gcc"))
+			finalEnv = append(finalEnv, "CGO_ENABLED=0")
+
+		default:
+			panic("unsupported target " + t.arch)
+		}
+
+		go119 := t.newGo(
+			"1.19",
+			"9_e0aFHsIkVxWVGsp9T2RvvjOc3p4n9o9S8tkNe9Cvgzk_zI2FhRQB7ioQkeAAro",
+			append(bootstrapEnv, "CGO_ENABLED=0"), `
 rm \
 	crypto/tls/handshake_client_test.go \
 	cmd/pprof/pprof_test.go \
@@ -96,15 +121,15 @@ sed -i \
 echo \
 	'type syscallDescriptor = int' >> \
 	os/rawconn_test.go
-`, bootstrapExtra...)
+`, bootstrapEarly...)

-	go121 := t.newGo(
-		"1.21.13",
-		"YtrDka402BOAEwywx03Vz4QlVwoBiguJHzG7PuythMCPHXS8CVMLvzmvgEbu4Tzu",
-		[]string{"CGO_ENABLED=0"}, `
+		go121 := t.newGo(
+			"1.21.13",
+			"YtrDka402BOAEwywx03Vz4QlVwoBiguJHzG7PuythMCPHXS8CVMLvzmvgEbu4Tzu",
+			[]string{"CGO_ENABLED=0"}, `
 sed -i \
-	's,/lib/ld-musl-`+linuxArch()+`.so.1,/system/bin/linker,' \
-	cmd/link/internal/`+runtime.GOARCH+`/obj.go
+	's,/lib/ld-musl-`+t.linuxArch()+`.so.1,/system/bin/linker,' \
+	cmd/link/internal/`+t.arch+`/obj.go

 rm \
 	crypto/tls/handshake_client_test.go \
@@ -114,57 +139,49 @@ echo \
 	'type syscallDescriptor = int' >> \
 	os/rawconn_test.go
 `, go119,
-	)
+		)

-	go123 := t.newGo(
-		"1.23.12",
-		"wcI32bl1tkqbgcelGtGWPI4RtlEddd-PTd76Eb-k7nXA5LbE9yTNdIL9QSOOxMOs",
-		[]string{"CGO_ENABLED=0"}, `
+		go123 := t.newGo(
+			"1.23.12",
+			"wcI32bl1tkqbgcelGtGWPI4RtlEddd-PTd76Eb-k7nXA5LbE9yTNdIL9QSOOxMOs",
+			[]string{"CGO_ENABLED=0"}, `
 sed -i \
-	's,/lib/ld-musl-`+linuxArch()+`.so.1,/system/bin/linker,' \
-	cmd/link/internal/`+runtime.GOARCH+`/obj.go
+	's,/lib/ld-musl-`+t.linuxArch()+`.so.1,/system/bin/linker,' \
+	cmd/link/internal/`+t.arch+`/obj.go
 `, go121,
-	)
+		)

-	go125 := t.newGo(
-		"1.25.7",
-		"fyylHdBVRUobnBjYj3NKBaYPUw3kGmo2mEELiZonOYurPfbarNU1x77B99Fjut7Q",
-		[]string{"CGO_ENABLED=0"}, `
+		go125 := t.newGo(
+			"1.25.10",
+			"TwKwatkpwal-j9U2sDSRPEdM3YesI4Gm88YgGV59wtU-L85K9gA7UPy9SCxn6PMb",
+			[]string{"CGO_ENABLED=0"}, `
 sed -i \
-	's,/lib/ld-musl-`+linuxArch()+`.so.1,/system/bin/linker,' \
-	cmd/link/internal/`+runtime.GOARCH+`/obj.go
+	's,/lib/ld-musl-`+t.linuxArch()+`.so.1,/system/bin/linker,' \
+	cmd/link/internal/`+t.arch+`/obj.go

 rm \
 	os/root_unix_test.go \
 	net/smtp/smtp_test.go
 `, go123,
-	)
+		)

-	const (
-		version  = "1.26.2"
-		checksum = "v-6BE89_1g3xYf-9oIYpJKFXlo3xKHYJj2_VGkaUq8ZVkIVQmLwrto-xGG03OISH"
-	)
-	return t.newGo(
-		version,
-		checksum,
-		finalEnv, `
+		return &meta, t.newGo(
+			version,
+			checksum,
+			finalEnv, `
 sed -i \
-	's,/lib/ld-musl-`+linuxArch()+`.so.1,/system/bin/linker,' \
-	cmd/link/internal/`+runtime.GOARCH+`/obj.go
+	's,/lib/ld-musl-`+t.linuxArch()+`.so.1,/system/bin/linker,' \
+	cmd/link/internal/`+t.arch+`/obj.go
+sed -i \
+	's/cpu.X86.HasAVX512VBMI/& \&\& cpu.X86.HasPOPCNT/' \
+	internal/runtime/gc/scan/scan_amd64.go

 rm \
-	os/root_unix_test.go
+	os/root_unix_test.go \
+	cmd/cgo/internal/testsanitizers/tsan_test.go \
+	cmd/cgo/internal/testsanitizers/cshared_test.go
 `, go125,
-	), version
-}
-func init() {
-	artifactsM[Go] = Metadata{
-		f: Toolchain.newGoLatest,
+		)

-		Name:        "go",
-		Description: "the Go programming language toolchain",
-		Website:     "https://go.dev/",
-
-		ID: 1227,
-	}
+	})
 }
--- a/internal/rosa/gtk.go
+++ b/internal/rosa/gtk.go
@@ -1,60 +0,0 @@
-package rosa
-
-import (
-	"hakurei.app/fhs"
-	"hakurei.app/internal/pkg"
-)
-
-func (t Toolchain) newGLib() (pkg.Artifact, string) {
-	const (
-		version  = "2.88.0"
-		checksum = "T79Cg4z6j-sDZ2yIwvbY4ccRv2-fbwbqgcw59F5NQ6qJT6z4v261vbYp3dHO6Ma3"
-	)
-	return t.NewPackage("glib", version, t.newTagRemote(
-		"https://gitlab.gnome.org/GNOME/glib.git",
-		version, checksum,
-	), &PackageAttr{
-		Paths: []pkg.ExecPath{
-			pkg.Path(fhs.AbsEtc.Append(
-				"machine-id",
-			), false, pkg.NewFile(
-				"glib-machine-id",
-				[]byte("ffffffffffffffffffffffffffffffff\n"),
-			)),
-			pkg.Path(AbsSystem.Append(
-				"var/lib/dbus/machine-id",
-			), false, pkg.NewFile(
-				"glib-machine-id",
-				[]byte("fefefefefefefefefefefefefefefefe\n"),
-			)),
-		},
-	}, &MesonHelper{
-		Setup: []KV{
-			{"Ddefault_library", "both"},
-		},
-	},
-		PythonPackaging,
-		Bash,
-
-		PCRE2,
-		Libffi,
-		Zlib,
-	), version
-}
-func init() {
-	artifactsM[GLib] = Metadata{
-		f: Toolchain.newGLib,
-
-		Name:        "glib",
-		Description: "the GNU library of miscellaneous stuff",
-		Website:     "https://developer.gnome.org/glib/",
-
-		Dependencies: P{
-			PCRE2,
-			Libffi,
-			Zlib,
-		},
-
-		ID: 10024,
-	}
-}
--- a/internal/rosa/hakurei.go
+++ b/internal/rosa/hakurei.go
@@ -1,110 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newHakurei(
-	suffix, script string,
-	withHostname bool,
-) pkg.Artifact {
-	hostname := `
-echo '# Building test helper (hostname).'
-go build -v -o /bin/hostname /usr/src/hostname/main.go
-echo
-`
-	if !withHostname {
-		hostname = ""
-	}
-
-	return t.New("hakurei"+suffix+"-"+hakureiVersion, 0, t.AppendPresets(nil,
-		Go,
-		PkgConfig,
-
-		// dist tarball
-		Gzip,
-
-		// statically linked
-		Libseccomp,
-		ACL,
-		Fuse,
-		XCB,
-		Wayland,
-		WaylandProtocols,
-
-		KernelHeaders,
-	), nil, []string{
-		"CGO_ENABLED=1",
-		"GOCACHE=/tmp/gocache",
-		"CC=clang -O3 -Werror",
-	}, hostname+`
-cd /usr/src/hakurei
-
-HAKUREI_VERSION='v`+hakureiVersion+`'
-`+script, pkg.Path(AbsUsrSrc.Append("hakurei"), true, t.NewPatchedSource(
-		"hakurei", hakureiVersion, hakureiSource, false, hakureiPatches...,
-	)), pkg.Path(AbsUsrSrc.Append("hostname", "main.go"), false, pkg.NewFile(
-		"hostname.go",
-		[]byte(`
-package main
-
-import "os"
-
-func main() {
-	if name, err := os.Hostname(); err != nil {
-		panic(err)
-	} else {
-		os.Stdout.WriteString(name)
-	}
-}
-`),
-	)))
-}
-func init() {
-	artifactsM[Hakurei] = Metadata{
-		f: func(t Toolchain) (pkg.Artifact, string) {
-			return t.newHakurei("", `
-mkdir -p /work/system/libexec/hakurei/
-
-echo '# Building hakurei.'
-go generate -v ./...
-go build -trimpath -v -tags=rosa -o /work/system/libexec/hakurei -ldflags="-s -w
-	-buildid=
-	-linkmode external
-	-extldflags=-static
-	-X hakurei.app/internal/info.buildVersion=${HAKUREI_VERSION}
-	-X hakurei.app/internal/info.hakureiPath=/system/bin/hakurei
-	-X hakurei.app/internal/info.hsuPath=/system/bin/hsu
-	-X main.hakureiPath=/system/bin/hakurei
-" ./...
-echo
-
-echo '# Testing hakurei.'
-go test -ldflags='-buildid= -linkmode external -extldflags=-static' ./...
-echo
-
-mkdir -p /work/system/bin/
-(cd /work/system/libexec/hakurei && mv \
-	hakurei \
-	sharefs \
-	../../bin/)
-`, true), hakureiVersion
-		},
-
-		Name:        "hakurei",
-		Description: "low-level userspace tooling for Rosa OS",
-		Website:     "https://hakurei.app/",
-
-		ID: 388834,
-	}
-	artifactsM[HakureiDist] = Metadata{
-		f: func(t Toolchain) (pkg.Artifact, string) {
-			return t.newHakurei("-dist", `
-export HAKUREI_VERSION
-DESTDIR=/work /usr/src/hakurei/all.sh
-`, true), hakureiVersion
-		},
-
-		Name:        "hakurei-dist",
-		Description: "low-level userspace tooling for Rosa OS (distribution tarball)",
-		Website:     "https://hakurei.app/",
-	}
-}
--- a/internal/rosa/hakurei_current.go
+++ b/internal/rosa/hakurei_current.go
@@ -1,26 +0,0 @@
-//go:build current
-
-package rosa
-
-import (
-	_ "embed"
-
-	"hakurei.app/internal/pkg"
-)
-
-const hakureiVersion = "1.0-current"
-
-// hakureiSourceTarball is a compressed tarball of the hakurei source code.
-//
-//go:generate tar -zc -C ../.. --exclude .git --exclude *.tar.gz -f hakurei_current.tar.gz .
-//go:embed hakurei_current.tar.gz
-var hakureiSourceTarball []byte
-
-// hakureiSource is the source code at the time this package is compiled.
-var hakureiSource = pkg.NewTar(pkg.NewFile(
-	"hakurei-current.tar.gz",
-	hakureiSourceTarball,
-), pkg.TarGzip)
-
-// hakureiPatches are patches applied against the compile-time source tree.
-var hakureiPatches []KV
--- a/internal/rosa/hakurei_release.go
+++ b/internal/rosa/hakurei_release.go
@@ -1,18 +0,0 @@
-//go:build !current
-
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-const hakureiVersion = "0.4.0"
-
-// hakureiSource is the source code of a hakurei release.
-var hakureiSource = newTar(
-	"https://git.gensokyo.uk/rosa/hakurei/archive/"+
-		"v"+hakureiVersion+".tar.gz",
-	"wfQ9DqCW0Fw9o91wj-I55waoqzB-UqzzuC0_2h-P-1M78SgZ1WHSPCDJMth6EyC2",
-	pkg.TarGzip,
-)
-
-// hakureiPatches are patches applied against a hakurei release.
-var hakureiPatches []KV
--- a/internal/rosa/images.go
+++ b/internal/rosa/images.go
@@ -1,75 +0,0 @@
-package rosa
-
-import (
-	"hakurei.app/fhs"
-	"hakurei.app/internal/pkg"
-)
-
-func init() {
-	artifactsM[EarlyInit] = Metadata{
-		Name:        "earlyinit",
-		Description: "Rosa OS initramfs init program",
-
-		f: func(t Toolchain) (pkg.Artifact, string) {
-			return t.newHakurei("-early-init", `
-mkdir -p /work/system/libexec/hakurei/
-
-echo '# Building earlyinit.'
-go build -trimpath -v -o /work/system/libexec/hakurei -ldflags="-s -w
-	-buildid=
-	-linkmode external
-	-extldflags=-static
-	-X hakurei.app/internal/info.buildVersion=${HAKUREI_VERSION}
-" ./cmd/earlyinit
-echo
-`, false), Unversioned
-		},
-	}
-}
-
-func (t Toolchain) newImageSystem() (pkg.Artifact, string) {
-	return t.New("system.img", TNoToolchain, t.AppendPresets(nil,
-		SquashfsTools,
-	), nil, nil, `
-mksquashfs /mnt/system /work/system.img
-`, pkg.Path(fhs.AbsRoot.Append("mnt"), false, t.AppendPresets(nil,
-		Musl,
-		Mksh,
-		Toybox,
-
-		Kmod,
-		Kernel,
-		Firmware,
-	)...)), Unversioned
-}
-func init() {
-	artifactsM[ImageSystem] = Metadata{
-		Name:        "system-image",
-		Description: "Rosa OS system image",
-
-		f: Toolchain.newImageSystem,
-	}
-}
-
-func (t Toolchain) newImageInitramfs() (pkg.Artifact, string) {
-	return t.New("initramfs", TNoToolchain, t.AppendPresets(nil,
-		Zstd,
-		EarlyInit,
-		GenInitCPIO,
-	), nil, nil, `
-gen_init_cpio -t 4294967295 -c /usr/src/initramfs | zstd > /work/initramfs.zst
-`, pkg.Path(AbsUsrSrc.Append("initramfs"), false, pkg.NewFile("initramfs", []byte(`
-dir /dev 0755 0 0
-nod /dev/null 0666 0 0 c 1 3
-nod /dev/console 0600 0 0 c 5 1
-file /init /system/libexec/hakurei/earlyinit 0555 0 0
-`)))), Unversioned
-}
-func init() {
-	artifactsM[ImageInitramfs] = Metadata{
-		Name:        "initramfs-image",
-		Description: "Rosa OS initramfs image",
-
-		f: Toolchain.newImageInitramfs,
-	}
-}
--- a/internal/rosa/kernel_amd64.go
+++ b/internal/rosa/kernel_amd64.go
@@ -1,8 +0,0 @@
-package rosa
-
-import _ "embed"
-
-//go:embed kernel_amd64.config
-var kernelConfig []byte
-
-const kernelName = "bzImage"
--- a/internal/rosa/kernel_arm64.go
+++ b/internal/rosa/kernel_arm64.go
@@ -1,8 +0,0 @@
-package rosa
-
-import _ "embed"
-
-//go:embed kernel_arm64.config
-var kernelConfig []byte
-
-const kernelName = "vmlinuz.efi"
--- a/internal/rosa/kernel_riscv64.go
+++ b/internal/rosa/kernel_riscv64.go
@@ -1,8 +0,0 @@
-package rosa
-
-import _ "embed"
-
-//go:embed kernel_riscv64.config
-var kernelConfig []byte
-
-const kernelName = "bzImage"
--- a/internal/rosa/kmod.go
+++ b/internal/rosa/kmod.go
@@ -1,50 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newKmod() (pkg.Artifact, string) {
-	const (
-		version  = "34.2"
-		checksum = "0K7POeTKxMhExsaTsnKAC6LUNsRSfe6sSZxWONPbOu-GI_pXOw3toU_BIoqfBhJV"
-	)
-	return t.NewPackage("kmod", version, newTar(
-		"https://www.kernel.org/pub/linux/utils/kernel/"+
-			"kmod/kmod-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), nil, &MesonHelper{
-		Setup: []KV{
-			{"Dmoduledir", "/system/lib/modules"},
-			{"Dsysconfdir", "/system/etc"},
-			{"Dbashcompletiondir", "no"},
-			{"Dfishcompletiondir", "no"},
-			{"Dxz", "disabled"},
-			{"Dmanpages", "false"},
-		},
-
-		// makes assumptions about the running kernel
-		SkipTest: true,
-	},
-		Zlib,
-		Zstd,
-		OpenSSL,
-		KernelHeaders,
-	), version
-}
-func init() {
-	artifactsM[Kmod] = Metadata{
-		f: Toolchain.newKmod,
-
-		Name:        "kmod",
-		Description: "a set of tools to handle common tasks with Linux kernel modules",
-		Website:     "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git",
-
-		Dependencies: P{
-			Zlib,
-			Zstd,
-			OpenSSL,
-		},
-
-		ID: 1517,
-	}
-}
--- a/internal/rosa/libbsd.go
+++ b/internal/rosa/libbsd.go
@@ -1,62 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newLibmd() (pkg.Artifact, string) {
-	const (
-		version  = "1.1.0"
-		checksum = "9apYqPPZm0j5HQT8sCsVIhnVIqRD7XgN7kPIaTwTqnTuUq5waUAMq4M7ev8CODJ1"
-	)
-	return t.NewPackage("libmd", version, t.newTagRemote(
-		"https://git.hadrons.org/git/libmd.git",
-		version, checksum,
-	), nil, &MakeHelper{
-		Generate: "echo '" + version + "' > .dist-version && ./autogen",
-		ScriptMakeEarly: `
-install -D /usr/src/libmd/src/helper.c src/helper.c
-`,
-	},
-		Automake,
-		Libtool,
-	), version
-}
-func init() {
-	artifactsM[Libmd] = Metadata{
-		f: Toolchain.newLibmd,
-
-		Name:        "libmd",
-		Description: "Message Digest functions from BSD systems",
-		Website:     "https://www.hadrons.org/software/libmd/",
-
-		ID: 15525,
-	}
-}
-
-func (t Toolchain) newLibbsd() (pkg.Artifact, string) {
-	const (
-		version  = "0.12.2"
-		checksum = "NVS0xFLTwSP8JiElEftsZ-e1_C-IgJhHrHE77RwKt5178M7r087waO-zYx2_dfGX"
-	)
-	return t.NewPackage("libbsd", version, t.newTagRemote(
-		"https://gitlab.freedesktop.org/libbsd/libbsd.git",
-		version, checksum,
-	), nil, &MakeHelper{
-		Generate: "echo '" + version + "' > .dist-version && ./autogen",
-	},
-		Automake,
-		Libtool,
-
-		Libmd,
-	), version
-}
-func init() {
-	artifactsM[Libbsd] = Metadata{
-		f: Toolchain.newLibbsd,
-
-		Name:        "libbsd",
-		Description: "provides useful functions commonly found on BSD systems",
-		Website:     "https://libbsd.freedesktop.org/",
-
-		ID: 1567,
-	}
-}
--- a/internal/rosa/libcap.go
+++ b/internal/rosa/libcap.go
@@ -1,54 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newLibcap() (pkg.Artifact, string) {
-	const (
-		version  = "2.78"
-		checksum = "wFdUkBhFMD9InPnrBZyegWrlPSAg_9JiTBC-eSFyWWlmbzL2qjh2mKxr9Kx2a8ut"
-	)
-	return t.NewPackage("libcap", version, newTar(
-		"https://git.kernel.org/pub/scm/libs/libcap/libcap.git/"+
-			"snapshot/libcap-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		// uses source tree as scratch space
-		Writable: true,
-		Chmod:    true,
-
-		Env: []string{
-			"prefix=/system",
-			"lib=lib",
-		},
-		ScriptEarly: `
-ln -s ../system/bin/bash /bin/
-`,
-	}, &MakeHelper{
-		SkipConfigure: true,
-		InPlace:       true,
-
-		Make: []string{
-			"CC=cc",
-			"all",
-		},
-		Check: []string{
-			"CC=cc",
-			"test",
-		},
-	},
-		Bash,
-		Diffutils,
-	), version
-}
-func init() {
-	artifactsM[Libcap] = Metadata{
-		f: Toolchain.newLibcap,
-
-		Name:        "libcap",
-		Description: "a library for getting and setting POSIX.1e draft 15 capabilities",
-		Website:     "https://sites.google.com/site/fullycapable/",
-
-		ID: 1569,
-	}
-}
--- a/internal/rosa/libev.go
+++ b/internal/rosa/libev.go
@@ -1,26 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newLibev() (pkg.Artifact, string) {
-	const (
-		version  = "4.33"
-		checksum = "774eSXV_4k8PySRprUDChbEwsw-kzjIFnJ3MpNOl5zDpamBRvC3BqPyRxvkwcL6_"
-	)
-	return t.NewPackage("libev", version, newTar(
-		"https://dist.schmorp.de/libev/Attic/libev-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), nil, (*MakeHelper)(nil)), version
-}
-func init() {
-	artifactsM[Libev] = Metadata{
-		f: Toolchain.newLibev,
-
-		Name:        "libev",
-		Description: "a full-featured and high-performance event loop",
-		Website:     "http://libev.schmorp.de/",
-
-		ID: 1605,
-	}
-}
--- a/internal/rosa/libexpat.go
+++ b/internal/rosa/libexpat.go
@@ -1,34 +0,0 @@
-package rosa
-
-import (
-	"strings"
-
-	"hakurei.app/internal/pkg"
-)
-
-func (t Toolchain) newLibexpat() (pkg.Artifact, string) {
-	const (
-		version  = "2.7.5"
-		checksum = "vTRUjjg-qbHSXUBYKXgzVHkUO7UNyuhrkSYrE7ikApQm0g-OvQ8tspw4w55M-1Tp"
-	)
-	return t.NewPackage("libexpat", version, newFromGitHubRelease(
-		"libexpat/libexpat",
-		"R_"+strings.ReplaceAll(version, ".", "_"),
-		"expat-"+version+".tar.bz2",
-		checksum,
-		pkg.TarBzip2,
-	), nil, (*MakeHelper)(nil),
-		Bash,
-	), version
-}
-func init() {
-	artifactsM[Libexpat] = Metadata{
-		f: Toolchain.newLibexpat,
-
-		Name:        "libexpat",
-		Description: "a stream-oriented XML parser library",
-		Website:     "https://libexpat.github.io/",
-
-		ID: 770,
-	}
-}
--- a/internal/rosa/libffi.go
+++ b/internal/rosa/libffi.go
@@ -1,30 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newLibffi() (pkg.Artifact, string) {
-	const (
-		version  = "3.5.2"
-		checksum = "2_Q-ZNBBbVhltfL5zEr0wljxPegUimTK4VeMSiwJEGksls3n4gj3lV0Ly3vviSFH"
-	)
-	return t.NewPackage("libffi", version, newFromGitHubRelease(
-		"libffi/libffi",
-		"v"+version,
-		"libffi-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), nil, (*MakeHelper)(nil),
-		KernelHeaders,
-	), version
-}
-func init() {
-	artifactsM[Libffi] = Metadata{
-		f: Toolchain.newLibffi,
-
-		Name:        "libffi",
-		Description: "a portable, high level programming interface to various calling conventions",
-		Website:     "https://sourceware.org/libffi/",
-
-		ID: 1611,
-	}
-}
--- a/internal/rosa/libgd.go
+++ b/internal/rosa/libgd.go
@@ -1,40 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newLibgd() (pkg.Artifact, string) {
-	const (
-		version  = "2.3.3"
-		checksum = "8T-sh1_FJT9K9aajgxzh8ot6vWIF-xxjcKAHvTak9MgGUcsFfzP8cAvvv44u2r36"
-	)
-	return t.NewPackage("libgd", version, newFromGitHubRelease(
-		"libgd/libgd",
-		"gd-"+version,
-		"libgd-"+version+".tar.gz", checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		Env: []string{
-			"TMPDIR=/dev/shm/gd",
-		},
-		ScriptEarly: `
-mkdir /dev/shm/gd
-`,
-	}, (*MakeHelper)(nil),
-		Zlib,
-	), version
-}
-func init() {
-	artifactsM[Libgd] = Metadata{
-		f: Toolchain.newLibgd,
-
-		Name:        "libgd",
-		Description: "an open source code library for the dynamic creation of images",
-		Website:     "https://libgd.github.io/",
-
-		Dependencies: P{
-			Zlib,
-		},
-
-		ID: 880,
-	}
-}
--- a/internal/rosa/libpsl.go
+++ b/internal/rosa/libpsl.go
@@ -1,37 +0,0 @@
-package rosa
-
-import "hakurei.app/internal/pkg"
-
-func (t Toolchain) newLibpsl() (pkg.Artifact, string) {
-	const (
-		version  = "0.21.5"
-		checksum = "XjfxSzh7peG2Vg4vJlL8z4JZJLcXqbuP6pLWkrGCmRxlnYUFTKNBqWGHCxEOlCad"
-	)
-	return t.NewPackage("libpsl", version, newFromGitHubRelease(
-		"rockdaboot/libpsl",
-		version,
-		"libpsl-"+version+".tar.gz",
-		checksum,
-		pkg.TarGzip,
-	), &PackageAttr{
-		Writable: true,
-		ScriptEarly: `
-test_disable() { chmod +w "$2" && echo "$1" > "$2"; }
-
-test_disable 'int main(){return 0;}' tests/test-is-public-builtin.c
-`,
-	}, (*MakeHelper)(nil),
-		Python,
-	), version
-}
-func init() {
-	artifactsM[Libpsl] = Metadata{
-		f: Toolchain.newLibpsl,
-
-		Name:        "libpsl",
-		Description: "provides functions to work with the Mozilla Public Suffix List",
-		Website:     "https://rockdaboot.github.io/libpsl/",
-
-		ID: 7305,
-	}
-}
--- a/Show More
+++ b/Show More