TODO: actually write tests lol

cmd/pkgserver/ui_test: implement skipping from DSL
cmd/pkgserver/ui_test: add JSON reporter for go test integration
2026-04-09 11:46:25 +10:00 · 2026-04-09 11:46:25 +10:00 · 2026-04-09 11:46:25 +10:00 · 2026-04-09 11:46:25 +10:00 · 2026-04-09 11:46:25 +10:00 · 2026-04-09 11:46:25 +10:00
219 changed files with 4408 additions and 7780 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,12 @@

 # go generate
 /cmd/hakurei/LICENSE
-/cmd/mbf/internal/pkgserver/ui/static
-/internal/pkg/internal/testtool/testtool
+/cmd/pkgserver/.sass-cache
+/cmd/pkgserver/ui/static/*.js
+/cmd/pkgserver/ui/static/*.css*
+/cmd/pkgserver/ui/static/*.css.map
+/cmd/pkgserver/ui_test/static
+/internal/pkg/testdata/testtool
 /internal/rosa/hakurei_current.tar.gz

 # cmd/dist default destination
--- a/all.sh
+++ b/all.sh
@@ -1,3 +1,6 @@
 #!/bin/sh -e

-HAKUREI_DIST_MAKE='' exec "$(dirname -- "$0")/cmd/dist/dist.sh"
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/"
+echo "# Building cmd/dist using ${TOOLCHAIN_VERSION}."
+go run -v --tags=dist ./cmd/dist
--- a/check/absolute.go
+++ b/check/absolute.go
@@ -2,7 +2,7 @@
 package check

 import (
-	"encoding"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"path/filepath"
@@ -30,16 +30,6 @@ func (e AbsoluteError) Is(target error) bool {
 // Absolute holds a pathname checked to be absolute.
 type Absolute struct{ pathname unique.Handle[string] }

-var (
-	_ encoding.TextAppender    = new(Absolute)
-	_ encoding.TextMarshaler   = new(Absolute)
-	_ encoding.TextUnmarshaler = new(Absolute)
-
-	_ encoding.BinaryAppender    = new(Absolute)
-	_ encoding.BinaryMarshaler   = new(Absolute)
-	_ encoding.BinaryUnmarshaler = new(Absolute)
-)
-
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }

@@ -94,16 +84,13 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [filepath.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }

-// AppendText appends the checked pathname.
-func (a *Absolute) AppendText(data []byte) ([]byte, error) {
-	return append(data, a.String()...), nil
+// GobEncode returns the checked pathname.
+func (a *Absolute) GobEncode() ([]byte, error) {
+	return []byte(a.String()), nil
 }

-// MarshalText returns the checked pathname.
-func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
-
-// UnmarshalText stores data if it represents an absolute pathname.
-func (a *Absolute) UnmarshalText(data []byte) error {
+// GobDecode stores data if it represents an absolute pathname.
+func (a *Absolute) GobDecode(data []byte) error {
 	pathname := string(data)
 	if !filepath.IsAbs(pathname) {
 		return AbsoluteError(pathname)
@@ -112,9 +99,23 @@ func (a *Absolute) UnmarshalText(data []byte) error {
 	return nil
 }

-func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
-func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
-func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }
+// MarshalJSON returns a JSON representation of the checked pathname.
+func (a *Absolute) MarshalJSON() ([]byte, error) {
+	return json.Marshal(a.String())
+}
+
+// UnmarshalJSON stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalJSON(data []byte) error {
+	var pathname string
+	if err := json.Unmarshal(data, &pathname); err != nil {
+		return err
+	}
+	if !filepath.IsAbs(pathname) {
+		return AbsoluteError(pathname)
+	}
+	a.pathname = unique.Make(pathname)
+	return nil
+}

 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
--- a/check/absolute_test.go
+++ b/check/absolute_test.go
@@ -170,20 +170,20 @@ func TestCodecAbsolute(t *testing.T) {

 		{"good", MustAbs("/etc"),
 			nil,
-			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",

 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
 			AbsoluteError("etc"),
-			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",

 			`"etc"`, `{"val":"etc","magic":3236757504}`},
 		{"zero", nil,
 			new(AbsoluteError),
-			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
-			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
 			`""`, `{"val":"","magic":3236757504}`},
 	}

@@ -347,6 +347,15 @@ func TestCodecAbsolute(t *testing.T) {
 			})
 		})
 	}
+
+	t.Run("json passthrough", func(t *testing.T) {
+		t.Parallel()
+
+		wantErr := "invalid character ':' looking for beginning of value"
+		if err := new(Absolute).UnmarshalJSON([]byte(":3")); err == nil || err.Error() != wantErr {
+			t.Errorf("UnmarshalJSON: error = %v, want %s", err, wantErr)
+		}
+	})
 }

 func TestAbsoluteWrap(t *testing.T) {
--- a/check/overlay.go
+++ b/check/overlay.go
@@ -4,23 +4,15 @@ import "strings"

 const (
 	// SpecialOverlayEscape is the escape string for overlay mount options.
-	//
-	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayEscape = `\`
 	// SpecialOverlayOption is the separator string between overlay mount options.
-	//
-	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayOption = ","
 	// SpecialOverlayPath is the separator string between overlay paths.
-	//
-	// Deprecated: This is no longer used and will be removed in 0.5.
 	SpecialOverlayPath = ":"
 )

 // EscapeOverlayDataSegment escapes a string for formatting into the data
 // argument of an overlay mount system call.
-//
-// Deprecated: This is no longer used and will be removed in 0.5.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""
--- a/cmd/dist/dist.sh
+++ b/cmd/dist/dist.sh
@@ -1,10 +0,0 @@
-#!/bin/sh -e
-
-TOOLCHAIN_VERSION="$(go version)"
-cd "$(dirname -- "$0")/../.."
-echo "Building cmd/dist using ${TOOLCHAIN_VERSION}."
-FLAGS=''
-if test -n "$VERBOSE"; then
-    FLAGS="$FLAGS -v"
-fi
-go run $FLAGS --tags=dist ./cmd/dist
--- a/cmd/dist/main.go
+++ b/cmd/dist/main.go
@@ -42,19 +42,14 @@ func mustRun(ctx context.Context, name string, arg ...string) {
 var comp []byte

 func main() {
+	fmt.Println()
 	log.SetFlags(0)
-	log.SetPrefix("")
+	log.SetPrefix("# ")

-	verbose := os.Getenv("VERBOSE") != ""
-	runTests := os.Getenv("HAKUREI_DIST_MAKE") == ""
 	version := getenv("HAKUREI_VERSION", "untagged")
 	prefix := getenv("PREFIX", "/usr")
 	destdir := getenv("DESTDIR", "dist")

-	if verbose {
-		log.Println()
-	}
-
 	if err := os.MkdirAll(destdir, 0755); err != nil {
 		log.Fatal(err)
 	}
@@ -81,17 +76,12 @@ func main() {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer cancel()

-	verboseFlag := "-v"
-	if !verbose {
-		verboseFlag = "-buildvcs=false"
-	}
-
-	log.Printf("Building hakurei for %s/%s.", runtime.GOOS, runtime.GOARCH)
+	log.Println("Building hakurei.")
 	mustRun(ctx, "go", "generate", "./...")
 	mustRun(
 		ctx, "go", "build",
 		"-trimpath",
-		verboseFlag, "-o", s,
+		"-v", "-o", s,
 		"-ldflags=-s -w "+
 			"-buildid= -linkmode external -extldflags=-static "+
 			"-X hakurei.app/internal/info.buildVersion="+version+" "+
@@ -100,19 +90,17 @@ func main() {
 			"-X main.hakureiPath="+prefix+"/bin/hakurei",
 		"./...",
 	)
-	log.Println()
+	fmt.Println()

-	if runTests {
-		log.Println("##### Testing Hakurei.")
+	log.Println("Testing Hakurei.")
 	mustRun(
 		ctx, "go", "test",
 		"-ldflags=-buildid= -linkmode external -extldflags=-static",
 		"./...",
 	)
-		log.Println()
-	}
+	fmt.Println()

-	log.Println("##### Creating distribution.")
+	log.Println("Creating distribution.")
 	const suffix = ".tar.gz"
 	distName := "hakurei-" + version + "-" + runtime.GOARCH
 	var f *os.File
@@ -133,7 +121,7 @@ func main() {
 	}()

 	h := sha512.New()
-	gw, _ := gzip.NewWriterLevel(io.MultiWriter(f, h), gzip.BestCompression)
+	gw := gzip.NewWriter(io.MultiWriter(f, h))
 	tw := tar.NewWriter(gw)

 	mustWriteHeader := func(name string, size int64, mode os.FileMode) {
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -39,7 +39,6 @@ var errSuccess = errors.New("success")
 func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
 		flagVerbose bool
-		flagInsecure bool
 		flagJSON    bool
 	)
 	c := command.New(out, log.Printf, "hakurei", func([]string) error {
@@ -58,7 +57,6 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
-		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
 		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")

 	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
@@ -77,12 +75,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				config.Container.Args = append(config.Container.Args, args[1:]...)
 			}

-			var flags int
-			if flagInsecure {
-				flags |= hst.VAllowInsecure
-			}
-
-			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
+			outcome.Main(ctx, msg, config, flagIdentifierFile)
 			panic("unreachable")
 		}).
 			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
@@ -152,7 +145,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}

-			var et hst.Enablements
+			var et hst.Enablement
 			if flagWayland {
 				et |= hst.EWayland
 			}
@@ -170,7 +163,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				ID:          flagID,
 				Identity:    flagIdentity,
 				Groups:      flagGroups,
-				Enablements: &et,
+				Enablements: hst.NewEnablements(et),

 				Container: &hst.ContainerConfig{
 					Filesystem: []hst.FilesystemConfigJSON{
@@ -289,7 +282,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}
 			}

-			outcome.Main(ctx, msg, &config, 0, -1)
+			outcome.Main(ctx, msg, &config, -1)
 			panic("unreachable")
 		}).
 			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
--- a/cmd/hakurei/command_test.go
+++ b/cmd/hakurei/command_test.go
@@ -20,7 +20,7 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]

 Commands:
    run         Load and start container from configuration file
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -56,7 +56,7 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()

-	if err := config.Validate(hst.VAllowInsecure); err != nil {
+	if err := config.Validate(); err != nil {
 		valid = false
 		if m, ok := message.GetMessage(err); ok {
 			mustPrint(output, "Error: "+m+"!\n\n")
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -32,7 +32,7 @@ var (
 		PID:     0xbeef,
 		ShimPID: 0xcafe,
 		Config: &hst.Config{
-			Enablements: new(hst.EWayland | hst.EPipeWire),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
 			Identity:    1,
 			Container: &hst.ContainerConfig{
 				Shell: check.MustAbs("/bin/sh"),
--- a/cmd/mbf/cache.go
+++ b/cmd/mbf/cache.go
@@ -1,135 +0,0 @@
-package main
-
-import (
-	"context"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"hakurei.app/check"
-	"hakurei.app/container"
-	"hakurei.app/internal/pkg"
-	"hakurei.app/message"
-)
-
-// cache refers to an instance of [pkg.Cache] that might be open.
-type cache struct {
-	ctx context.Context
-	msg message.Msg
-
-	// Should generally not be used directly.
-	c *pkg.Cache
-
-	cures, jobs int
-	// Primarily to work around missing landlock LSM.
-	hostAbstract bool
-	// Set SCHED_IDLE.
-	idle bool
-	// Unset [pkg.CSuppressInit].
-	verboseInit bool
-	// Loaded artifact of [rosa.QEMU].
-	qemu pkg.Artifact
-
-	base string
-}
-
-// open opens the underlying [pkg.Cache].
-func (cache *cache) open() (err error) {
-	if cache.c != nil {
-		return os.ErrInvalid
-	}
-
-	var base *check.Absolute
-	if cache.base, err = filepath.Abs(cache.base); err != nil {
-		return
-	} else if base, err = check.NewAbs(cache.base); err != nil {
-		return
-	}
-
-	var flags int
-	if cache.idle {
-		flags |= pkg.CSchedIdle
-	}
-	if cache.hostAbstract {
-		flags |= pkg.CHostAbstract
-	}
-	if !cache.verboseInit {
-		flags |= pkg.CSuppressInit
-	}
-
-	done := make(chan struct{})
-	defer close(done)
-	go func() {
-		select {
-		case <-cache.ctx.Done():
-			if testing.Testing() {
-				return
-			}
-			os.Exit(2)
-
-		case <-done:
-			return
-		}
-	}()
-
-	cache.msg.Verbosef("opening cache at %s", base)
-	cache.c, err = pkg.Open(
-		cache.ctx,
-		cache.msg,
-		flags,
-		cache.cures,
-		cache.jobs,
-		base,
-	)
-	if err != nil {
-		return
-	}
-	done <- struct{}{}
-
-	if cache.qemu != nil {
-		var pathname *check.Absolute
-		pathname, _, err = cache.c.Cure(cache.qemu)
-		if err != nil {
-			cache.c.Close()
-			return
-		}
-
-		pkg.RegisterArch("riscv64", container.BinfmtEntry{
-			Offset: 0,
-			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
-			Mask:   "\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
-			Interpreter: pathname.Append(
-				"system/bin",
-				"qemu-riscv64",
-			),
-		})
-		pkg.RegisterArch("arm64", container.BinfmtEntry{
-			Offset: 0,
-			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00",
-			Mask:   "\xff\xff\xff\xff\xff\xff\xff\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
-			Interpreter: pathname.Append(
-				"system/bin",
-				"qemu-aarch64",
-			),
-		})
-	}
-
-	return
-}
-
-// Close closes the underlying [pkg.Cache] if it is open.
-func (cache *cache) Close() {
-	if cache.c != nil {
-		cache.c.Close()
-	}
-}
-
-// Do calls f on the underlying cache and returns its error value.
-func (cache *cache) Do(f func(cache *pkg.Cache) error) error {
-	if cache.c == nil {
-		if err := cache.open(); err != nil {
-			return err
-		}
-	}
-	return f(cache.c)
-}
--- a/cmd/mbf/cache_test.go
+++ b/cmd/mbf/cache_test.go
@@ -1,37 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-	"testing"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/message"
-)
-
-func TestCache(t *testing.T) {
-	t.Parallel()
-
-	cm := cache{
-		ctx:  t.Context(),
-		msg:  message.New(log.New(os.Stderr, "check: ", 0)),
-		base: t.TempDir(),
-
-		hostAbstract: true, idle: true,
-	}
-	defer cm.Close()
-	cm.Close()
-
-	if err := cm.open(); err != nil {
-		t.Fatalf("open: error = %v", err)
-	}
-	if err := cm.open(); err != os.ErrInvalid {
-		t.Errorf("(duplicate) open: error = %v", err)
-	}
-
-	if err := cm.Do(func(cache *pkg.Cache) error {
-		return cache.Scrub(0)
-	}); err != nil {
-		t.Errorf("Scrub: error = %v", err)
-	}
-}
--- a/cmd/mbf/daemon.go
+++ b/cmd/mbf/daemon.go
@@ -1,354 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/binary"
-	"errors"
-	"io"
-	"log"
-	"math"
-	"net"
-	"os"
-	"sync"
-	"syscall"
-	"testing"
-	"time"
-	"unique"
-
-	"hakurei.app/check"
-	"hakurei.app/internal/pkg"
-)
-
-// daemonTimeout is the maximum amount of time cureFromIR will wait on I/O.
-const daemonTimeout = 30 * time.Second
-
-// daemonDeadline returns the deadline corresponding to daemonTimeout, or the
-// zero value when running in a test.
-func daemonDeadline() time.Time {
-	if testing.Testing() {
-		return time.Time{}
-	}
-	return time.Now().Add(daemonTimeout)
-}
-
-const (
-	// remoteNoReply notifies that the client will not receive a cure reply.
-	remoteNoReply = 1 << iota
-)
-
-// cureFromIR services an IR curing request.
-func cureFromIR(
-	cache *pkg.Cache,
-	conn net.Conn,
-	flags uint64,
-) (pkg.Artifact, error) {
-	a, decodeErr := cache.NewDecoder(conn).Decode()
-	if decodeErr != nil {
-		_, err := conn.Write([]byte("\x00" + decodeErr.Error()))
-		return nil, errors.Join(decodeErr, err, conn.Close())
-	}
-
-	pathname, _, cureErr := cache.Cure(a)
-	if flags&remoteNoReply != 0 {
-		return a, errors.Join(cureErr, conn.Close())
-	}
-	if err := conn.SetWriteDeadline(daemonDeadline()); err != nil {
-		return a, errors.Join(cureErr, err, conn.Close())
-	}
-	if cureErr != nil {
-		_, err := conn.Write([]byte("\x00" + cureErr.Error()))
-		return a, errors.Join(cureErr, err, conn.Close())
-	}
-	_, err := conn.Write([]byte(pathname.String()))
-	if testing.Testing() && errors.Is(err, io.ErrClosedPipe) {
-		return a, nil
-	}
-	return a, errors.Join(err, conn.Close())
-}
-
-const (
-	// specialCancel is a message consisting of a single identifier referring
-	// to a curing artifact to be cancelled.
-	specialCancel = iota
-	// specialAbort requests for all pending cures to be aborted. It has no
-	// message body.
-	specialAbort
-
-	// remoteSpecial denotes a special message with custom layout.
-	remoteSpecial = math.MaxUint64
-)
-
-// writeSpecialHeader writes the header of a remoteSpecial message.
-func writeSpecialHeader(conn net.Conn, kind uint64) error {
-	var sh [16]byte
-	binary.LittleEndian.PutUint64(sh[:], remoteSpecial)
-	binary.LittleEndian.PutUint64(sh[8:], kind)
-	if n, err := conn.Write(sh[:]); err != nil {
-		return err
-	} else if n != len(sh) {
-		return io.ErrShortWrite
-	}
-	return nil
-}
-
-// cancelIdent reads an identifier from conn and cancels the corresponding cure.
-func cancelIdent(
-	cache *pkg.Cache,
-	conn net.Conn,
-) (*pkg.ID, bool, error) {
-	var ident pkg.ID
-	if _, err := io.ReadFull(conn, ident[:]); err != nil {
-		return nil, false, errors.Join(err, conn.Close())
-	}
-	ok := cache.Cancel(unique.Make(ident))
-	return &ident, ok, conn.Close()
-}
-
-// serve services connections from a [net.UnixListener].
-func serve(
-	ctx context.Context,
-	log *log.Logger,
-	cm *cache,
-	ul *net.UnixListener,
-) error {
-	ul.SetUnlinkOnClose(true)
-	if cm.c == nil {
-		if err := cm.open(); err != nil {
-			return errors.Join(err, ul.Close())
-		}
-	}
-
-	var wg sync.WaitGroup
-	defer wg.Wait()
-
-	wg.Go(func() {
-		for {
-			if ctx.Err() != nil {
-				break
-			}
-
-			conn, err := ul.AcceptUnix()
-			if err != nil {
-				if !errors.Is(err, os.ErrDeadlineExceeded) {
-					log.Println(err)
-				}
-				continue
-			}
-			wg.Go(func() {
-				done := make(chan struct{})
-				defer close(done)
-				go func() {
-					select {
-					case <-ctx.Done():
-						_ = conn.SetDeadline(time.Now())
-
-					case <-done:
-						return
-					}
-				}()
-
-				if _err := conn.SetReadDeadline(daemonDeadline()); _err != nil {
-					log.Println(_err)
-					if _err = conn.Close(); _err != nil {
-						log.Println(_err)
-					}
-					return
-				}
-
-				var word [8]byte
-				if _, _err := io.ReadFull(conn, word[:]); _err != nil {
-					log.Println(_err)
-					if _err = conn.Close(); _err != nil {
-						log.Println(_err)
-					}
-					return
-				}
-				flags := binary.LittleEndian.Uint64(word[:])
-
-				if flags == remoteSpecial {
-					if _, _err := io.ReadFull(conn, word[:]); _err != nil {
-						log.Println(_err)
-						if _err = conn.Close(); _err != nil {
-							log.Println(_err)
-						}
-						return
-					}
-					switch special := binary.LittleEndian.Uint64(word[:]); special {
-					default:
-						log.Printf("invalid special %d", special)
-
-					case specialCancel:
-						if id, ok, _err := cancelIdent(cm.c, conn); _err != nil {
-							log.Println(_err)
-						} else if !ok {
-							log.Println(
-								"attempting to cancel invalid artifact",
-								pkg.Encode(*id),
-							)
-						} else {
-							log.Println(
-								"cancelled artifact",
-								pkg.Encode(*id),
-							)
-						}
-
-					case specialAbort:
-						log.Println("aborting all pending cures")
-						cm.c.Abort()
-						if _err := conn.Close(); _err != nil {
-							log.Println(_err)
-						}
-					}
-
-					return
-				}
-
-				if a, _err := cureFromIR(cm.c, conn, flags); _err != nil {
-					log.Println(_err)
-				} else {
-					log.Printf(
-						"fulfilled artifact %s",
-						pkg.Encode(cm.c.Ident(a).Value()),
-					)
-				}
-			})
-		}
-	})
-
-	<-ctx.Done()
-	if err := ul.SetDeadline(time.Now()); err != nil {
-		return errors.Join(err, ul.Close())
-	}
-	wg.Wait()
-	return ul.Close()
-}
-
-// dial wraps [net.DialUnix] with a context.
-func dial(ctx context.Context, addr *net.UnixAddr) (
-	done chan<- struct{},
-	conn *net.UnixConn,
-	err error,
-) {
-	conn, err = net.DialUnix("unix", nil, addr)
-	if err != nil {
-		return
-	}
-
-	d := make(chan struct{})
-	done = d
-	go func() {
-		select {
-		case <-ctx.Done():
-			_ = conn.SetDeadline(time.Now())
-
-		case <-d:
-			return
-		}
-	}()
-	return
-}
-
-// cureRemote cures a [pkg.Artifact] on a daemon.
-func cureRemote(
-	ctx context.Context,
-	addr *net.UnixAddr,
-	a pkg.Artifact,
-	flags uint64,
-) (*check.Absolute, error) {
-	if flags == remoteSpecial {
-		return nil, syscall.EINVAL
-	}
-
-	done, conn, err := dial(ctx, addr)
-	if err != nil {
-		return nil, err
-	}
-	defer close(done)
-
-	if n, flagErr := conn.Write(binary.LittleEndian.AppendUint64(nil, flags)); flagErr != nil {
-		return nil, errors.Join(flagErr, conn.Close())
-	} else if n != 8 {
-		return nil, errors.Join(io.ErrShortWrite, conn.Close())
-	}
-
-	if err = pkg.NewIR().EncodeAll(conn, a); err != nil {
-		return nil, errors.Join(err, conn.Close())
-	} else if err = conn.CloseWrite(); err != nil {
-		return nil, errors.Join(err, conn.Close())
-	}
-
-	if flags&remoteNoReply != 0 {
-		return nil, conn.Close()
-	}
-
-	payload, recvErr := io.ReadAll(conn)
-	if err = errors.Join(recvErr, conn.Close()); err != nil {
-		if errors.Is(err, os.ErrDeadlineExceeded) {
-			if cancelErr := ctx.Err(); cancelErr != nil {
-				err = cancelErr
-			}
-		}
-		return nil, err
-	}
-
-	if len(payload) > 0 && payload[0] == 0 {
-		return nil, errors.New(string(payload[1:]))
-	}
-
-	var p *check.Absolute
-	p, err = check.NewAbs(string(payload))
-	return p, err
-}
-
-// cancelRemote cancels a [pkg.Artifact] curing on a daemon.
-func cancelRemote(
-	ctx context.Context,
-	addr *net.UnixAddr,
-	a pkg.Artifact,
-	wait bool,
-) error {
-	done, conn, err := dial(ctx, addr)
-	if err != nil {
-		return err
-	}
-	defer close(done)
-
-	if err = writeSpecialHeader(conn, specialCancel); err != nil {
-		return errors.Join(err, conn.Close())
-	}
-
-	var n int
-	id := pkg.NewIR().Ident(a).Value()
-	if n, err = conn.Write(id[:]); err != nil {
-		return errors.Join(err, conn.Close())
-	} else if n != len(id) {
-		return errors.Join(io.ErrShortWrite, conn.Close())
-	}
-	if wait {
-		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
-			err = nil
-		}
-	}
-	return errors.Join(err, conn.Close())
-}
-
-// abortRemote aborts all [pkg.Artifact] curing on a daemon.
-func abortRemote(
-	ctx context.Context,
-	addr *net.UnixAddr,
-	wait bool,
-) error {
-	done, conn, err := dial(ctx, addr)
-	if err != nil {
-		return err
-	}
-	defer close(done)
-
-	err = writeSpecialHeader(conn, specialAbort)
-	if wait && err == nil {
-		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
-			err = nil
-		}
-	}
-	return errors.Join(err, conn.Close())
-}
--- a/cmd/mbf/daemon_test.go
+++ b/cmd/mbf/daemon_test.go
@@ -1,146 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"io"
-	"log"
-	"net"
-	"os"
-	"path/filepath"
-	"slices"
-	"strings"
-	"testing"
-	"time"
-
-	"hakurei.app/check"
-	"hakurei.app/internal/pkg"
-	"hakurei.app/message"
-)
-
-func TestNoReply(t *testing.T) {
-	t.Parallel()
-	if !daemonDeadline().IsZero() {
-		t.Fatal("daemonDeadline did not return the zero value")
-	}
-
-	c, err := pkg.Open(
-		t.Context(),
-		message.New(log.New(os.Stderr, "cir: ", 0)),
-		0, 0, 0,
-		check.MustAbs(t.TempDir()),
-	)
-	if err != nil {
-		t.Fatalf("Open: error = %v", err)
-	}
-	defer c.Close()
-
-	client, server := net.Pipe()
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		go func() {
-			<-t.Context().Done()
-			if _err := client.SetDeadline(time.Now()); _err != nil && !errors.Is(_err, io.ErrClosedPipe) {
-				panic(_err)
-			}
-		}()
-
-		if _err := c.EncodeAll(
-			client,
-			pkg.NewFile("check", []byte{0}),
-		); _err != nil {
-			panic(_err)
-		} else if _err = client.Close(); _err != nil {
-			panic(_err)
-		}
-	}()
-
-	a, cureErr := cureFromIR(c, server, remoteNoReply)
-	if cureErr != nil {
-		t.Fatalf("cureFromIR: error = %v", cureErr)
-	}
-
-	<-done
-	wantIdent := pkg.MustDecode("fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG")
-	if gotIdent := c.Ident(a).Value(); gotIdent != wantIdent {
-		t.Errorf(
-			"cureFromIR: %s, want %s",
-			pkg.Encode(gotIdent), pkg.Encode(wantIdent),
-		)
-	}
-}
-
-func TestDaemon(t *testing.T) {
-	t.Parallel()
-
-	var buf bytes.Buffer
-	logger := log.New(&buf, "daemon: ", 0)
-
-	addr := net.UnixAddr{
-		Name: filepath.Join(t.TempDir(), "daemon"),
-		Net:  "unix",
-	}
-
-	ctx, cancel := context.WithCancel(t.Context())
-	defer cancel()
-
-	cm := cache{
-		ctx:  ctx,
-		msg:  message.New(logger),
-		base: t.TempDir(),
-	}
-	defer cm.Close()
-
-	ul, err := net.ListenUnix("unix", &addr)
-	if err != nil {
-		t.Fatalf("ListenUnix: error = %v", err)
-	}
-
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		if _err := serve(ctx, logger, &cm, ul); _err != nil {
-			panic(_err)
-		}
-	}()
-
-	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil), true); err != nil {
-		t.Fatalf("cancelRemote: error = %v", err)
-	}
-
-	if err = abortRemote(ctx, &addr, true); err != nil {
-		t.Fatalf("abortRemote: error = %v", err)
-	}
-
-	// keep this last for synchronisation
-	var p *check.Absolute
-	p, err = cureRemote(ctx, &addr, pkg.NewFile("check", []byte{0}), 0)
-	if err != nil {
-		t.Fatalf("cureRemote: error = %v", err)
-	}
-
-	cancel()
-	<-done
-
-	const want = "fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG"
-	if got := filepath.Base(p.String()); got != want {
-		t.Errorf("cureRemote: %s, want %s", got, want)
-	}
-
-	wantLog := []string{
-		"",
-		"daemon: aborting all pending cures",
-		"daemon: attempting to cancel invalid artifact kQm9fmnCmXST1-MMmxzcau2oKZCXXrlZydo4PkeV5hO_2PKfeC8t98hrbV_ZZx_j",
-		"daemon: fulfilled artifact fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG",
-	}
-	gotLog := strings.Split(buf.String(), "\n")
-	slices.Sort(gotLog)
-	if !slices.Equal(gotLog, wantLog) {
-		t.Errorf(
-			"serve: logged\n%s\nwant\n%s",
-			strings.Join(gotLog, "\n"), strings.Join(wantLog, "\n"),
-		)
-	}
-}
--- a/cmd/mbf/info.go
+++ b/cmd/mbf/info.go
@@ -1,114 +0,0 @@
-package main
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-)
-
-// commandInfo implements the info subcommand.
-func commandInfo(
-	cm *cache,
-	args []string,
-	w io.Writer,
-	writeStatus bool,
-	r *rosa.Report,
-) (err error) {
-	if len(args) == 0 {
-		return errors.New("info requires at least 1 argument")
-	}
-
-	// recovered by HandleAccess
-	mustPrintln := func(a ...any) {
-		if _, _err := fmt.Fprintln(w, a...); _err != nil {
-			panic(_err)
-		}
-	}
-	mustPrint := func(a ...any) {
-		if _, _err := fmt.Fprint(w, a...); _err != nil {
-			panic(_err)
-		}
-	}
-
-	for i, name := range args {
-		if p, ok := rosa.ResolveName(name); !ok {
-			return fmt.Errorf("unknown artifact %q", name)
-		} else {
-			var suffix string
-			if version := rosa.Std.Version(p); version != rosa.Unversioned {
-				suffix += "-" + version
-			}
-			mustPrintln("name        : " + name + suffix)
-
-			meta := rosa.GetMetadata(p)
-			mustPrintln("description : " + meta.Description)
-			if meta.Website != "" {
-				mustPrintln("website     : " +
-					strings.TrimSuffix(meta.Website, "/"))
-			}
-			if len(meta.Dependencies) > 0 {
-				mustPrint("depends on  :")
-				for _, d := range meta.Dependencies {
-					s := rosa.GetMetadata(d).Name
-					if version := rosa.Std.Version(d); version != rosa.Unversioned {
-						s += "-" + version
-					}
-					mustPrint(" " + s)
-				}
-				mustPrintln()
-			}
-
-			const statusPrefix = "status      : "
-			if writeStatus {
-				if r == nil {
-					var f io.ReadSeekCloser
-					err = cm.Do(func(cache *pkg.Cache) (err error) {
-						f, err = cache.OpenStatus(rosa.Std.Load(p))
-						return
-					})
-					if err != nil {
-						if errors.Is(err, os.ErrNotExist) {
-							mustPrintln(
-								statusPrefix + "not yet cured",
-							)
-						} else {
-							return
-						}
-					} else {
-						mustPrint(statusPrefix)
-						_, err = io.Copy(w, f)
-						if err = errors.Join(err, f.Close()); err != nil {
-							return
-						}
-					}
-				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
-					if status == nil {
-						mustPrintln(
-							statusPrefix + "not in report",
-						)
-					} else {
-						mustPrintln("size        :", n)
-						mustPrint(statusPrefix)
-						if _, err = w.Write(status); err != nil {
-							return
-						}
-					}
-					return
-				}); err != nil {
-					return
-				}
-			}
-
-			if i != len(args)-1 {
-				mustPrintln()
-			}
-		}
-	}
-	return nil
-}
--- a/cmd/mbf/info_test.go
+++ b/cmd/mbf/info_test.go
@@ -1,181 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"os"
-	"path/filepath"
-	"reflect"
-	"strings"
-	"syscall"
-	"testing"
-	"unsafe"
-
-	"hakurei.app/internal/pkg"
-	"hakurei.app/internal/rosa"
-	"hakurei.app/message"
-)
-
-func TestInfo(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name    string
-		args    []string
-		status  map[string]string
-		report  string
-		want    string
-		wantErr any
-	}{
-		{"qemu", []string{"qemu"}, nil, "", `
-name        : qemu-` + rosa.Std.Version(rosa.QEMU) + `
-description : a generic and open source machine emulator and virtualizer
-website     : https://www.qemu.org
-depends on  : glib-` + rosa.Std.Version(rosa.GLib) + ` zstd-` + rosa.Std.Version(rosa.Zstd) + `
-`, nil},
-
-		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
-name        : hakurei-` + rosa.Std.Version(rosa.Hakurei) + `
-description : low-level userspace tooling for Rosa OS
-website     : https://hakurei.app
-
-name        : hakurei-dist-` + rosa.Std.Version(rosa.HakureiDist) + `
-description : low-level userspace tooling for Rosa OS (distribution tarball)
-website     : https://hakurei.app
-`, nil},
-
-		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
-description : lossless data-compression library
-website     : https://zlib.net
-
-`, fmt.Errorf("unknown artifact %q", "\x00")},
-
-		{"status cache", []string{"zlib", "zstd"}, map[string]string{
-			"zstd":    "internal/pkg (amd64) on satori\n",
-			"hakurei": "internal/pkg (amd64) on satori\n\n",
-		}, "", `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
-description : lossless data-compression library
-website     : https://zlib.net
-status      : not yet cured
-
-name        : zstd-` + rosa.Std.Version(rosa.Zstd) + `
-description : a fast compression algorithm
-website     : https://facebook.github.io/zstd
-status      : internal/pkg (amd64) on satori
-`, nil},
-
-		{"status cache perm", []string{"zlib"}, map[string]string{
-			"zlib": "\x00",
-		}, "", `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
-description : lossless data-compression library
-website     : https://zlib.net
-`, func(cm *cache) error {
-			return &os.PathError{
-				Op:   "open",
-				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(rosa.Std.Load(rosa.Zlib)).Value())),
-				Err:  syscall.EACCES,
-			}
-		}},
-
-		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
-name        : zlib-` + rosa.Std.Version(rosa.Zlib) + `
-description : lossless data-compression library
-website     : https://zlib.net
-status      : not in report
-`, nil},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			var (
-				cm  *cache
-				buf strings.Builder
-				r   *rosa.Report
-			)
-
-			if tc.status != nil || tc.report != "" {
-				cm = &cache{
-					ctx:  context.Background(),
-					msg:  message.New(log.New(os.Stderr, "info: ", 0)),
-					base: t.TempDir(),
-				}
-				defer cm.Close()
-			}
-
-			if tc.report != "" {
-				pathname := filepath.Join(t.TempDir(), "report")
-				err := os.WriteFile(
-					pathname,
-					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
-					0400,
-				)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				r, err = rosa.OpenReport(pathname)
-				if err != nil {
-					t.Fatal(err)
-				}
-				defer func() {
-					if err = r.Close(); err != nil {
-						t.Fatal(err)
-					}
-				}()
-			}
-
-			if tc.status != nil {
-				for name, status := range tc.status {
-					p, ok := rosa.ResolveName(name)
-					if !ok {
-						t.Fatalf("invalid name %q", name)
-					}
-					perm := os.FileMode(0400)
-					if status == "\x00" {
-						perm = 0
-					}
-					if err := cm.Do(func(cache *pkg.Cache) error {
-						return os.WriteFile(filepath.Join(
-							cm.base,
-							"status",
-							pkg.Encode(cache.Ident(rosa.Std.Load(p)).Value()),
-						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
-					}); err != nil {
-						t.Fatalf("Do: error = %v", err)
-					}
-				}
-			}
-
-			var wantErr error
-			switch c := tc.wantErr.(type) {
-			case error:
-				wantErr = c
-			case func(cm *cache) error:
-				wantErr = c(cm)
-			default:
-				if tc.wantErr != nil {
-					t.Fatalf("invalid wantErr %#v", tc.wantErr)
-				}
-			}
-
-			if err := commandInfo(
-				cm,
-				tc.args,
-				&buf,
-				cm != nil,
-				r,
-			); !reflect.DeepEqual(err, wantErr) {
-				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
-			}
-
-			if got := buf.String(); got != strings.TrimPrefix(tc.want, "\n") {
-				t.Errorf("commandInfo:\n%s\nwant\n%s", got, tc.want)
-			}
-		})
-	}
-}
--- a/cmd/mbf/internal/pkgserver/ui/index.html
+++ b/cmd/mbf/internal/pkgserver/ui/index.html
@@ -1,57 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="stylesheet" href="style.css">
-    <title>Hakurei PkgServer</title>
-    <script src="index.js"></script>
-</head>
-<body>
-<h1>Hakurei PkgServer</h1>
-<div class="top-controls" id="top-controls-regular">
-    <p>Showing entries <span id="entry-counter"></span>.</p>
-    <span id="search-bar">
-        <label for="search">Search: </label>
-        <input type="text" name="search" id="search"/>
-        <button onclick="doSearch()">Find</button>
-        <label for="include-desc">Include descriptions: </label>
-        <input type="checkbox" name="include-desc" id="include-desc" checked/>
-    </span>
-    <div><label for="count">Entries per page: </label><select name="count" id="count">
-        <option value="10">10</option>
-        <option value="20">20</option>
-        <option value="30">30</option>
-        <option value="50">50</option>
-    </select></div>
-    <div><label for="sort">Sort by: </label><select name="sort" id="sort">
-        <option value="0">Definition (ascending)</option>
-        <option value="1">Definition (descending)</option>
-        <option value="2">Name (ascending)</option>
-        <option value="3">Name (descending)</option>
-        <option value="4">Size (ascending)</option>
-        <option value="5">Size (descending)</option>
-    </select></div>
-</div>
-<div class="top-controls" id="search-top-controls" hidden>
-    <p>Showing search results <span id="search-entry-counter"></span> for query "<span id="search-query"></span>".</p>
-    <button onclick="exitSearch()">Back</button>
-    <div><label for="search-count">Entries per page: </label><select name="search-count" id="search-count">
-        <option value="10">10</option>
-        <option value="20">20</option>
-        <option value="30">30</option>
-        <option value="50">50</option>
-    </select></div>
-    <p>Sorted by best match</p>
-</div>
-<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
-<table id="pkg-list">
-    <tr><td>Loading...</td></tr>
-</table>
-<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
-<footer>
-    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
-</footer>
-<script>main();</script>
-</body>
-</html>
--- a/cmd/mbf/internal/pkgserver/ui/index.ts
+++ b/cmd/mbf/internal/pkgserver/ui/index.ts
@@ -1,331 +0,0 @@
-interface PackageIndexEntry {
-    name: string
-    size?: number
-    description?: string
-    website?: string
-    version?: string
-    report?: boolean
-}
-
-function entryToHTML(entry: PackageIndexEntry | SearchResult): HTMLTableRowElement {
-    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
-    let s = entry.size != null && entry.size > 0 ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
-    let n: string
-    let d: string
-    if ('name_matches' in entry) {
-        n = `<h2>${nameMatches(entry as SearchResult)} ${v}</h2>`
-    } else {
-        n = `<h2>${escapeHtml(entry.name)} ${v}</h2>`
-    }
-    if ('desc_matches' in entry && STATE.getIncludeDescriptions()) {
-        d = descMatches(entry as SearchResult)
-    } else {
-        d = (entry as PackageIndexEntry).description != null ? `<p>${escapeHtml((entry as PackageIndexEntry).description)}</p>` : ""
-    }
-    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
-    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
-    let row = <HTMLTableRowElement>(document.createElement('tr'))
-    row.innerHTML = `<td>
-            ${n}
-            ${d}
-            ${s}
-            ${w}
-            ${r}
-        </td>`
-    return row
-}
-
-function nameMatches(sr: SearchResult): string {
-    return markMatches(sr.name, sr.name_matches)
-}
-
-function descMatches(sr: SearchResult): string {
-    return markMatches(sr.description!, sr.desc_matches)
-}
-
-function markMatches(str: string, indices: [number, number][]): string {
-    if (indices == null) {
-        return str
-    }
-    let out: string = ""
-    let j = 0
-    for (let i = 0; i < str.length; i++) {
-        if (j < indices.length) {
-            if (i === indices[j][0]) {
-                out += `<mark>${escapeHtmlChar(str[i])}`
-                continue
-            }
-            if (i === indices[j][1]) {
-                out += `</mark>${escapeHtmlChar(str[i])}`
-                j++
-                continue
-            }
-        }
-        out += escapeHtmlChar(str[i])
-    }
-    if (indices[j] !== undefined) {
-        out += "</mark>"
-    }
-    return out
-}
-
-function toByteSizeString(bytes: number): string {
-    if (bytes == null) return `unspecified`
-    if (bytes < 1024) return `${bytes}B`
-    if (bytes < Math.pow(1024, 2)) return `${(bytes / 1024).toFixed(2)}kiB`
-    if (bytes < Math.pow(1024, 3)) return `${(bytes / Math.pow(1024, 2)).toFixed(2)}MiB`
-    if (bytes < Math.pow(1024, 4)) return `${(bytes / Math.pow(1024, 3)).toFixed(2)}GiB`
-    if (bytes < Math.pow(1024, 5)) return `${(bytes / Math.pow(1024, 4)).toFixed(2)}TiB`
-    return "not only is it big, it's large"
-}
-
-const API_VERSION = 1
-const ENDPOINT = `/api/v${API_VERSION}`
-
-interface InfoPayload {
-    count?: number
-    hakurei_version?: string
-}
-
-async function infoRequest(): Promise<InfoPayload> {
-    const res = await fetch(`${ENDPOINT}/info`)
-    const payload = await res.json()
-    return payload as InfoPayload
-}
-
-interface GetPayload {
-    values?: PackageIndexEntry[]
-}
-
-enum SortOrders {
-    DeclarationAscending,
-    DeclarationDescending,
-    NameAscending,
-    NameDescending
-}
-
-async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
-    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
-    const payload = await res.json()
-    return payload as GetPayload
-}
-
-interface SearchResult extends PackageIndexEntry {
-    name_matches: [number, number][]
-    desc_matches: [number, number][]
-    score: number
-}
-
-interface SearchPayload {
-    count?: number
-    values?: SearchResult[]
-}
-
-async function searchRequest(limit: number, index: number, search: string, desc: boolean): Promise<SearchPayload> {
-    const res = await fetch(`${ENDPOINT}/search?limit=${limit}&index=${index}&search=${encodeURIComponent(search)}&desc=${desc}`)
-    if (!res.ok) {
-        exitSearch()
-        alert("invalid search query!")
-        return Promise.reject(res.statusText)
-    }
-    const payload = await res.json()
-    return payload as SearchPayload
-}
-
-class State {
-    entriesPerPage: number = 10
-    entryIndex: number = 0
-    maxTotal: number = 0
-    maxEntries: number = 0
-    sort: SortOrders = SortOrders.DeclarationAscending
-    search: boolean = false
-
-    getEntriesPerPage(): number {
-        return this.entriesPerPage
-    }
-
-    setEntriesPerPage(entriesPerPage: number) {
-        this.entriesPerPage = entriesPerPage
-        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
-    }
-
-    getEntryIndex(): number {
-        return this.entryIndex
-    }
-
-    setEntryIndex(entryIndex: number) {
-        this.entryIndex = entryIndex
-        this.updatePage()
-        this.updateRange()
-        this.updateListings()
-    }
-
-    getMaxTotal(): number {
-        return this.maxTotal
-    }
-
-    setMaxTotal(max: number) {
-        this.maxTotal = max
-    }
-
-    getSortOrder(): SortOrders {
-        return this.sort
-    }
-
-    setSortOrder(sortOrder: SortOrders) {
-        this.sort = sortOrder
-        this.setEntryIndex(0)
-    }
-
-    updatePage() {
-        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
-        for (let e of document.getElementsByClassName("page-number")) {
-            (e as HTMLInputElement).value = String(page)
-        }
-    }
-
-    updateRange() {
-        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxTotal())
-        document.getElementById("entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxTotal()}`
-        if (this.search) {
-            document.getElementById("search-entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.maxTotal}/${this.maxEntries}`
-            document.getElementById("search-query")!.innerHTML = `<code>${escapeHtml(this.getSearchQuery())}</code>`
-        }
-    }
-
-    getSearchQuery(): string {
-        let queryString = document.getElementById("search")!;
-        return (queryString as HTMLInputElement).value
-    }
-
-    getIncludeDescriptions(): boolean {
-        let includeDesc = document.getElementById("include-desc")!;
-        return (includeDesc as HTMLInputElement).checked
-    }
-
-    updateListings() {
-        if (this.search) {
-            searchRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSearchQuery(), this.getIncludeDescriptions())
-                .then(res => {
-                    let table = document.getElementById("pkg-list")!
-                    table.innerHTML = ''
-                    for (let row of res.values!) {
-                        table.appendChild(entryToHTML(row))
-                    }
-                    STATE.maxTotal = res.count!
-                    STATE.updateRange()
-                    if(res.count! < 1) {
-                        exitSearch()
-                        alert("no results found!")
-                    }
-                })
-        } else {
-            getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
-                .then(res => {
-                    let table = document.getElementById("pkg-list")!
-                    table.innerHTML = ''
-                    for (let row of res.values!) {
-                        table.appendChild(entryToHTML(row))
-                    }
-                })
-        }
-    }
-}
-
-let STATE: State
-
-
-function lastPageIndex(): number {
-    return Math.floor(STATE.getMaxTotal() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()
-}
-
-function setPage(page: number) {
-    STATE.setEntryIndex(Math.max(0, Math.min(STATE.getEntriesPerPage() * (page - 1), lastPageIndex())))
-}
-
-
-function escapeHtml(str?: string): string {
-    let out: string = ''
-    if (str == undefined) return ""
-    for (let i = 0; i < str.length; i++) {
-        out += escapeHtmlChar(str[i])
-    }
-    return out
-}
-
-function escapeHtmlChar(char: string): string {
-    if (char.length != 1) return char
-    switch (char[0]) {
-        case '&':
-            return "&amp;"
-        case '<':
-            return "&lt;"
-        case '>':
-            return "&gt;"
-        case '"':
-            return "&quot;"
-        case "'":
-            return "&apos;"
-        default:
-            return char
-    }
-}
-
-function firstPage() {
-    STATE.setEntryIndex(0)
-}
-
-function prevPage() {
-    let index = STATE.getEntryIndex()
-    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
-}
-
-function lastPage() {
-    STATE.setEntryIndex(lastPageIndex())
-}
-
-function nextPage() {
-    let index = STATE.getEntryIndex()
-    STATE.setEntryIndex(Math.min(lastPageIndex(), index + STATE.getEntriesPerPage()))
-}
-
-function doSearch() {
-    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
-    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
-    STATE.search = true;
-    STATE.setEntryIndex(0);
-}
-
-function exitSearch() {
-    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
-    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
-    STATE.search = false;
-    STATE.setMaxTotal(STATE.maxEntries)
-    STATE.setEntryIndex(0)
-}
-
-function main() {
-    STATE = new State()
-    infoRequest()
-        .then(res => {
-            STATE.maxEntries = res.count!
-            STATE.setMaxTotal(STATE.maxEntries)
-            document.getElementById("hakurei-version")!.textContent = res.hakurei_version!
-            STATE.updateRange()
-            STATE.updateListings()
-        })
-    for (let e of document.getElementsByClassName("page-number")) {
-        e.addEventListener("change", (_) => {
-            setPage(parseInt((e as HTMLInputElement).value))
-        })
-    }
-    document.getElementById("count")?.addEventListener("change", (event) => {
-        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
-    })
-    document.getElementById("sort")?.addEventListener("change", (event) => {
-        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
-    })
-    document.getElementById("search")?.addEventListener("keyup", (event) => {
-        if (event.key === 'Enter') doSearch()
-    })
-}
--- a/cmd/mbf/internal/pkgserver/ui/style.css
+++ b/cmd/mbf/internal/pkgserver/ui/style.css
@@ -1,21 +0,0 @@
-.page-number {
-  width: 2em;
-  text-align: center;
-}
-.page-number {
-  width: 2em;
-  text-align: center;
-}
-
-@media (prefers-color-scheme: dark) {
-  html {
-    background-color: #2c2c2c;
-    color: ghostwhite;
-  }
-}
-@media (prefers-color-scheme: light) {
-  html {
-    background-color: #d3d3d3;
-    color: black;
-  }
-}
--- a/cmd/mbf/internal/pkgserver/ui/tsconfig.json
+++ b/cmd/mbf/internal/pkgserver/ui/tsconfig.json
@@ -1,8 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2024",
-    "strict": true,
-    "alwaysStrict": true,
-    "outDir": "static"
-  }
-}
--- a/cmd/mbf/internal/pkgserver/ui/ui.go
+++ b/cmd/mbf/internal/pkgserver/ui/ui.go
@@ -1,9 +0,0 @@
-// Package ui holds the static web UI.
-package ui
-
-import "net/http"
-
-// Register arranges for mux to serve the embedded frontend.
-func Register(mux *http.ServeMux) {
-	mux.Handle("GET /", http.FileServer(http.FS(static)))
-}
--- a/cmd/mbf/internal/pkgserver/ui/ui_full.go
+++ b/cmd/mbf/internal/pkgserver/ui/ui_full.go
@@ -1,21 +0,0 @@
-//go:build frontend
-
-package ui
-
-import (
-	"embed"
-	"io/fs"
-)
-
-//go:generate tsc
-//go:generate cp index.html style.css static
-//go:embed static
-var _static embed.FS
-
-var static = func() fs.FS {
-	if f, err := fs.Sub(_static, "static"); err != nil {
-		panic(err)
-	} else {
-		return f
-	}
-}()
--- a/cmd/mbf/main.go
+++ b/cmd/mbf/main.go
@@ -14,18 +14,16 @@ package main

 import (
 	"context"
-	"crypto/sha512"
 	"errors"
 	"fmt"
 	"io"
 	"log"
-	"net"
-	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"syscall"
@@ -42,9 +40,6 @@ import (
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
-
-	"hakurei.app/cmd/mbf/internal/pkgserver"
-	"hakurei.app/cmd/mbf/internal/pkgserver/ui"
 )

 func main() {
@@ -58,141 +53,77 @@ func main() {
 		log.Fatal("this program must not run as root")
 	}

+	var cache *pkg.Cache
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
 	defer stop()
+	defer func() {
+		if cache != nil {
+			cache.Close()
+		}

-	var cm cache
-	defer func() { cm.Close() }()
+		if r := recover(); r != nil {
+			fmt.Println(r)
+			log.Fatal("consider scrubbing the on-disk cache")
+		}
+	}()

 	var (
 		flagQuiet bool
-		flagQEMU  bool
-		flagArch  string
-		flagCheck bool
-		flagLTO   bool
+		flagCures int
+		flagBase  string
+		flagIdle  bool

-		flagCrossOverride int
-
-		addr net.UnixAddr
+		flagHostAbstract bool
 	)
-	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) error {
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
 		msg.SwapVerbose(!flagQuiet)
-		cm.ctx, cm.msg = ctx, msg
-		cm.base = os.ExpandEnv(cm.base)
-		if cm.base == "" {
-			cm.base = "cache"
+
+		flagBase = os.ExpandEnv(flagBase)
+		if flagBase == "" {
+			flagBase = "cache"
 		}

-		addr.Net = "unix"
-		addr.Name = os.ExpandEnv(addr.Name)
-		if addr.Name == "" {
-			addr.Name = filepath.Join(cm.base, "daemon")
+		var base *check.Absolute
+		if flagBase, err = filepath.Abs(flagBase); err != nil {
+			return
+		} else if base, err = check.NewAbs(flagBase); err != nil {
+			return
 		}

 		var flags int
-		if !flagCheck {
-			flags |= rosa.OptSkipCheck
+		if flagIdle {
+			flags |= pkg.CSchedIdle
 		}
-		if !flagLTO {
-			flags |= rosa.OptLLVMNoLTO
-		}
-		rosa.DropCaches("", flags)
-		cross := flagArch != "" && flagArch != runtime.GOARCH
-		if flagQEMU || cross {
-			cm.qemu = rosa.Std.Load(rosa.QEMU)
+		if flagHostAbstract {
+			flags |= pkg.CHostAbstract
 		}
+		cache, err = pkg.Open(ctx, msg, flags, flagCures, base)

-		if cross {
-			if flagCrossOverride != -1 {
-				flags = flagCrossOverride
-			}
-
-			rosa.DropCaches(flagArch, flags)
-			if !rosa.HasStage0() {
-				return pkg.UnsupportedArchError(flagArch)
-			}
-		}
-
-		return nil
+		return
 	}).Flag(
 		&flagQuiet,
 		"q", command.BoolFlag(false),
 		"Do not print cure messages",
 	).Flag(
-		&flagQEMU,
-		"register", command.BoolFlag(false),
-		"Enable additional target architectures",
-	).Flag(
-		&flagArch,
-		"arch", command.StringFlag(runtime.GOARCH),
-		"Target architecture",
-	).Flag(
-		&flagLTO,
-		"lto", command.BoolFlag(false),
-		"Enable LTO in stage2 and stage3 LLVM toolchains",
-	).Flag(
-		&flagCheck,
-		"check", command.BoolFlag(true),
-		"Run test suites",
-	).Flag(
-		&flagCrossOverride,
-		"cross-flags", command.IntFlag(-1),
-		"Override non-native target preset flags",
-	).Flag(
-		&cm.verboseInit,
-		"v", command.BoolFlag(false),
-		"Do not suppress verbose output from init",
-	).Flag(
-		&cm.cures,
+		&flagCures,
 		"cures", command.IntFlag(0),
 		"Maximum number of dependencies to cure at any given time",
 	).Flag(
-		&cm.jobs,
-		"jobs", command.IntFlag(0),
-		"Preferred number of jobs to run, when applicable",
-	).Flag(
-		&cm.base,
+		&flagBase,
 		"d", command.StringFlag("$MBF_CACHE_DIR"),
 		"Directory to store cured artifacts",
 	).Flag(
-		&cm.idle,
+		&flagIdle,
 		"sched-idle", command.BoolFlag(false),
 		"Set SCHED_IDLE scheduling policy",
 	).Flag(
-		&cm.hostAbstract,
+		&flagHostAbstract,
 		"host-abstract", command.BoolFlag(
 			os.Getenv("MBF_HOST_ABSTRACT") != "",
 		),
 		"Do not restrict networked cure containers from connecting to host "+
 			"abstract UNIX sockets",
-	).Flag(
-		&addr.Name,
-		"socket", command.StringFlag("$MBF_DAEMON_SOCKET"),
-		"Pathname of socket to bind to",
-	)
-
-	c.NewCommand(
-		"checksum", "Compute checksum of data read from standard input",
-		func([]string) error {
-			done := make(chan struct{})
-			defer close(done)
-			go func() {
-				select {
-				case <-ctx.Done():
-					os.Exit(1)
-				case <-done:
-					return
-				}
-			}()
-
-			h := sha512.New384()
-			if _, err := io.Copy(h, os.Stdin); err != nil {
-				return err
-			}
-			log.Println(pkg.Encode(pkg.Checksum(h.Sum(nil))))
-			return nil
-		},
 	)

 	{
@@ -206,9 +137,7 @@ func main() {
 				if flagShifts < 0 || flagShifts > 31 {
 					flagShifts = 12
 				}
-				return cm.Do(func(cache *pkg.Cache) error {
 				return cache.Scrub(runtime.NumCPU() << flagShifts)
-				})
 			},
 		).Flag(
 			&flagShifts,
@@ -219,7 +148,6 @@ func main() {

 	{
 		var (
-			flagBind   string
 			flagStatus bool
 			flagReport string
 		)
@@ -227,7 +155,9 @@ func main() {
 			"info",
 			"Display out-of-band metadata of an artifact",
 			func(args []string) (err error) {
-				const shutdownTimeout = 15 * time.Second
+				if len(args) == 0 {
+					return errors.New("info requires at least 1 argument")
+				}

 				var r *rosa.Report
 				if flagReport != "" {
@@ -242,42 +172,84 @@ func main() {
 					defer r.HandleAccess(&err)()
 				}

-				if flagBind == "" {
-					return commandInfo(&cm, args, os.Stdout, flagStatus, r)
+				for i, name := range args {
+					if p, ok := rosa.ResolveName(name); !ok {
+						return fmt.Errorf("unknown artifact %q", name)
+					} else {
+						var suffix string
+						if version := rosa.Std.Version(p); version != rosa.Unversioned {
+							suffix += "-" + version
+						}
+						fmt.Println("name        : " + name + suffix)
+
+						meta := rosa.GetMetadata(p)
+						fmt.Println("description : " + meta.Description)
+						if meta.Website != "" {
+							fmt.Println("website     : " +
+								strings.TrimSuffix(meta.Website, "/"))
+						}
+						if len(meta.Dependencies) > 0 {
+							fmt.Print("depends on  :")
+							for _, d := range meta.Dependencies {
+								s := rosa.GetMetadata(d).Name
+								if version := rosa.Std.Version(d); version != rosa.Unversioned {
+									s += "-" + version
+								}
+								fmt.Print(" " + s)
+							}
+							fmt.Println()
 						}

-				var mux http.ServeMux
-				ui.Register(&mux)
-				if err = pkgserver.Register(ctx, &mux, r); err != nil {
+						const statusPrefix = "status      : "
+						if flagStatus {
+							if r == nil {
+								var f io.ReadSeekCloser
+								f, err = cache.OpenStatus(rosa.Std.Load(p))
+								if err != nil {
+									if errors.Is(err, os.ErrNotExist) {
+										fmt.Println(
+											statusPrefix + "not yet cured",
+										)
+									} else {
 										return
 									}
-
-				server := http.Server{Addr: flagBind, Handler: &mux}
-				go func() {
-					<-ctx.Done()
-					cc, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
-					defer cancel()
-					if _err := server.Shutdown(cc); _err != nil {
-						log.Fatal(_err)
-					}
-				}()
-
-				msg.Verbosef("listening on %q", flagBind)
-				err = server.ListenAndServe()
-				if errors.Is(err, http.ErrServerClosed) {
-					err = nil
-				}
+								} else {
+									fmt.Print(statusPrefix)
+									_, err = io.Copy(os.Stdout, f)
+									if err = errors.Join(err, f.Close()); err != nil {
 										return
+									}
+								}
+							} else {
+								status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
+								if status == nil {
+									fmt.Println(
+										statusPrefix + "not in report",
+									)
+								} else {
+									fmt.Println("size        :", n)
+									fmt.Print(statusPrefix)
+									if _, err = os.Stdout.Write(status); err != nil {
+										return
+									}
+								}
+							}
+						}
+
+						if i != len(args)-1 {
+							fmt.Println()
+						}
+					}
+				}
+				return nil
 			},
-		).Flag(
-			&flagBind,
-			"bind", command.StringFlag(""),
-			"TCP address for the server to listen on",
-		).Flag(
+		).
+			Flag(
 				&flagStatus,
 				"status", command.BoolFlag(false),
 				"Display cure status if available",
-		).Flag(
+			).
+			Flag(
 				&flagReport,
 				"report", command.StringFlag(""),
 				"Load cure status from this report file instead of cache",
@@ -315,9 +287,7 @@ func main() {
 			if ext.Isatty(int(w.Fd())) {
 				return errors.New("output appears to be a terminal")
 			}
-			return cm.Do(func(cache *pkg.Cache) error {
 			return rosa.WriteReport(msg, w, cache)
-			})
 		},
 	)

@@ -380,26 +350,14 @@ func main() {
 					" package(s) are out of date"))
 			}
 			return errors.Join(errs...)
-		}).Flag(
+		}).
+			Flag(
 				&flagJobs,
 				"j", command.IntFlag(32),
 				"Maximum number of simultaneous connections",
 			)
 	}

-	c.NewCommand(
-		"daemon",
-		"Service artifact IR with Rosa OS extensions",
-		func(args []string) error {
-			ul, err := net.ListenUnix("unix", &addr)
-			if err != nil {
-				return err
-			}
-			log.Printf("listening on pathname socket at %s", addr.Name)
-			return serve(ctx, log.Default(), &cm, ul)
-		},
-	)
-
 	{
 		var (
 			flagGentoo   string
@@ -424,37 +382,25 @@ func main() {
 					rosa.SetGentooStage3(flagGentoo, checksum)
 				}

+				_, _, _, stage1 := (t - 2).NewLLVM()
+				_, _, _, stage2 := (t - 1).NewLLVM()
+				_, _, _, stage3 := t.NewLLVM()
 				var (
 					pathname *check.Absolute
 					checksum [2]unique.Handle[pkg.Checksum]
 				)

-				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					pathname, _, err = cache.Cure(
-						(t - 2).Load(rosa.LLVM),
-					)
-					return
-				}); err != nil {
-					return
+				if pathname, _, err = cache.Cure(stage1); err != nil {
+					return err
 				}
 				log.Println("stage1:", pathname)

-				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					pathname, checksum[0], err = cache.Cure(
-						(t - 1).Load(rosa.LLVM),
-					)
-					return
-				}); err != nil {
-					return
+				if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
+					return err
 				}
 				log.Println("stage2:", pathname)
-				if err = cm.Do(func(cache *pkg.Cache) (err error) {
-					pathname, checksum[1], err = cache.Cure(
-						t.Load(rosa.LLVM),
-					)
-					return
-				}); err != nil {
-					return
+				if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
+					return err
 				}
 				log.Println("stage3:", pathname)

@@ -471,28 +417,28 @@ func main() {
 				}

 				if flagStage0 {
-					if err = cm.Do(func(cache *pkg.Cache) (err error) {
-						pathname, _, err = cache.Cure(
+					if pathname, _, err = cache.Cure(
 						t.Load(rosa.Stage0),
-						)
-						return
-					}); err != nil {
-						return
+					); err != nil {
+						return err
 					}
 					log.Println(pathname)
 				}

 				return
 			},
-		).Flag(
+		).
+			Flag(
 				&flagGentoo,
 				"gentoo", command.StringFlag(""),
 				"Bootstrap from a Gentoo stage3 tarball",
-		).Flag(
+			).
+			Flag(
 				&flagChecksum,
 				"checksum", command.StringFlag(""),
 				"Checksum of Gentoo stage3 tarball",
-		).Flag(
+			).
+			Flag(
 				&flagStage0,
 				"stage0", command.BoolFlag(false),
 				"Create bootstrap stage0 tarball",
@@ -504,11 +450,6 @@ func main() {
 			flagDump   string
 			flagEnter  bool
 			flagExport string
-			flagRemote  bool
-			flagNoReply bool
-
-			flagBoot bool
-			flagStd  bool
 		)
 		c.NewCommand(
 			"cure",
@@ -522,20 +463,9 @@ func main() {
 					return fmt.Errorf("unknown artifact %q", args[0])
 				}

-				t := rosa.Std
-				if flagBoot {
-					t -= 2
-				} else if flagStd {
-					t -= 1
-				}
-
 				switch {
 				default:
-					var pathname *check.Absolute
-					err := cm.Do(func(cache *pkg.Cache) (err error) {
-						pathname, _, err = cache.Cure(t.Load(p))
-						return
-					})
+					pathname, _, err := cache.Cure(rosa.Std.Load(p))
 					if err != nil {
 						return err
 					}
@@ -575,7 +505,7 @@ func main() {
 						return err
 					}

-					if err = pkg.NewIR().EncodeAll(f, rosa.Std.Load(p)); err != nil {
+					if err = cache.EncodeAll(f, rosa.Std.Load(p)); err != nil {
 						_ = f.Close()
 						return err
 					}
@@ -583,76 +513,33 @@ func main() {
 					return f.Close()

 				case flagEnter:
-					return cm.Do(func(cache *pkg.Cache) error {
 					return cache.EnterExec(
 						ctx,
-							t.Load(p),
+						rosa.Std.Load(p),
 						true, os.Stdin, os.Stdout, os.Stderr,
 						rosa.AbsSystem.Append("bin", "mksh"),
 						"sh",
 					)
-					})
-
-				case flagRemote:
-					var flags uint64
-					if flagNoReply {
-						flags |= remoteNoReply
-					}
-					a := t.Load(p)
-					pathname, err := cureRemote(ctx, &addr, a, flags)
-					if !flagNoReply && err == nil {
-						log.Println(pathname)
-					}
-
-					if errors.Is(err, context.Canceled) {
-						cc, cancel := context.WithDeadline(context.Background(), daemonDeadline())
-						defer cancel()
-
-						if _err := cancelRemote(cc, &addr, a, false); _err != nil {
-							log.Println(err)
-						}
-					}
-
-					return err
 				}
 			},
-		).Flag(
+		).
+			Flag(
 				&flagDump,
 				"dump", command.StringFlag(""),
 				"Write IR to specified pathname and terminate",
-		).Flag(
+			).
+			Flag(
 				&flagExport,
 				"export", command.StringFlag(""),
 				"Export cured artifact to specified pathname",
-		).Flag(
+			).
+			Flag(
 				&flagEnter,
 				"enter", command.BoolFlag(false),
 				"Enter cure container with an interactive shell",
-		).Flag(
-			&flagRemote,
-			"daemon", command.BoolFlag(false),
-			"Cure artifact on the daemon",
-		).Flag(
-			&flagNoReply,
-			"no-reply", command.BoolFlag(false),
-			"Do not receive a reply from the daemon",
-		).Flag(
-			&flagBoot,
-			"boot", command.BoolFlag(false),
-			"Build on the stage0 toolchain",
-		).Flag(
-			&flagStd,
-			"std", command.BoolFlag(false),
-			"Build on the intermediate toolchain",
 			)
 	}

-	c.NewCommand(
-		"abort",
-		"Abort all pending cures on the daemon",
-		func([]string) error { return abortRemote(ctx, &addr, false) },
-	)
-
 	{
 		var (
 			flagNet     bool
@@ -664,7 +551,7 @@ func main() {
 			"shell",
 			"Interactive shell in the specified Rosa OS environment",
 			func(args []string) error {
-				presets := make([]rosa.PArtifact, len(args)+3)
+				presets := make([]rosa.PArtifact, len(args))
 				for i, arg := range args {
 					p, ok := rosa.ResolveName(arg)
 					if !ok {
@@ -672,24 +559,21 @@ func main() {
 					}
 					presets[i] = p
 				}
-
-				base := rosa.LLVM
-				if !flagWithToolchain {
-					base = rosa.Musl
-				}
-				presets = append(presets,
-					base,
-					rosa.Mksh,
-					rosa.Toybox,
-				)
-
 				root := make(pkg.Collect, 0, 6+len(args))
 				root = rosa.Std.AppendPresets(root, presets...)

-				if err := cm.Do(func(cache *pkg.Cache) error {
-					_, _, err := cache.Cure(&root)
-					return err
-				}); err == nil {
+				if flagWithToolchain {
+					musl, compilerRT, runtimes, clang := (rosa.Std - 1).NewLLVM()
+					root = append(root, musl, compilerRT, runtimes, clang)
+				} else {
+					root = append(root, rosa.Std.Load(rosa.Musl))
+				}
+				root = append(root,
+					rosa.Std.Load(rosa.Mksh),
+					rosa.Std.Load(rosa.Toybox),
+				)
+
+				if _, _, err := cache.Cure(&root); err == nil {
 					return errors.New("unreachable")
 				} else if !pkg.IsCollected(err) {
 					return err
@@ -701,23 +585,12 @@ func main() {
 				}
 				cured := make(map[pkg.Artifact]cureRes)
 				for _, a := range root {
-					if err := cm.Do(func(cache *pkg.Cache) error {
 					pathname, checksum, err := cache.Cure(a)
-						if err == nil {
+					if err != nil {
+						return err
+					}
 					cured[a] = cureRes{pathname, checksum}
 				}
-						return err
-					}); err != nil {
-						return err
-					}
-				}
-
-				// explicitly open for direct error-free use from this point
-				if cm.c == nil {
-					if err := cm.open(); err != nil {
-						return err
-					}
-				}

 				layers := pkg.PromoteLayers(root, func(a pkg.Artifact) (
 					*check.Absolute,
@@ -726,7 +599,7 @@ func main() {
 					res := cured[a]
 					return res.pathname, res.checksum
 				}, func(i int, d pkg.Artifact) {
-					r := pkg.Encode(cm.c.Ident(d).Value())
+					r := pkg.Encode(cache.Ident(d).Value())
 					if s, ok := d.(fmt.Stringer); ok {
 						if name := s.String(); name != "" {
 							r += "-" + name
@@ -745,7 +618,6 @@ func main() {
 				z.Hostname = "localhost"
 				z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
 				z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
-				z.Quiet = !cm.verboseInit
 				if s, ok := os.LookupEnv("TERM"); ok {
 					z.Env = append(z.Env, "TERM="+s)
 				}
@@ -791,15 +663,18 @@ func main() {
 				}
 				return z.Wait()
 			},
-		).Flag(
+		).
+			Flag(
 				&flagNet,
 				"net", command.BoolFlag(false),
 				"Share host net namespace",
-		).Flag(
+			).
+			Flag(
 				&flagSession,
 				"session", command.BoolFlag(true),
 				"Retain session",
-		).Flag(
+			).
+			Flag(
 				&flagWithToolchain,
 				"with-toolchain", command.BoolFlag(false),
 				"Include the stage2 LLVM toolchain",
@@ -814,7 +689,9 @@ func main() {
 	)

 	c.MustParse(os.Args[1:], func(err error) {
-		cm.Close()
+		if cache != nil {
+			cache.Close()
+		}
 		if w, ok := err.(interface{ Unwrap() []error }); !ok {
 			log.Fatal(err)
 		} else {
--- a/cmd/mbf/main_test.go
+++ b/cmd/mbf/main_test.go
@@ -1,47 +0,0 @@
-package main
-
-import (
-	"net"
-	"os"
-	"testing"
-
-	"hakurei.app/internal/rosa"
-)
-
-func TestMain(m *testing.M) {
-	rosa.DropCaches("", rosa.OptLLVMNoLTO)
-	os.Exit(m.Run())
-}
-
-func TestCureAll(t *testing.T) {
-	t.Parallel()
-	const env = "ROSA_TEST_DAEMON"
-
-	if !testing.Verbose() {
-		t.Skip("verbose flag not set")
-	}
-
-	pathname, ok := os.LookupEnv(env)
-	if !ok {
-		t.Skip(env + " not set")
-	}
-
-	addr := net.UnixAddr{Net: "unix", Name: pathname}
-	t.Cleanup(func() {
-		if t.Failed() {
-			if err := abortRemote(t.Context(), &addr, false); err != nil {
-				t.Fatal(err)
-			}
-		}
-	})
-
-	for i := range rosa.PresetEnd {
-		p := rosa.PArtifact(i)
-		t.Run(rosa.GetMetadata(p).Name, func(t *testing.T) {
-			_, err := cureRemote(t.Context(), &addr, rosa.Std.Load(p), 0)
-			if err != nil {
-				t.Error(err)
-			}
-		})
-	}
-}
--- a/cmd/mbf/internal/pkgserver/api.go
+++ b/cmd/mbf/internal/pkgserver/api.go
@@ -1,8 +1,6 @@
-// Package pkgserver implements the package metadata service backend.
-package pkgserver
+package main

 import (
-	"context"
 	"encoding/json"
 	"log"
 	"net/http"
@@ -10,7 +8,6 @@ import (
 	"path"
 	"strconv"
 	"sync"
-	"time"

 	"hakurei.app/internal/info"
 	"hakurei.app/internal/rosa"
@@ -130,7 +127,7 @@ func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request)
 		)
 		return
 	}
-	search, err := url.QueryUnescape(q.Get("search"))
+	search, err := url.PathUnescape(q.Get("search"))
 	if len(search) > 100 || err != nil {
 		http.Error(
 			w, "search must be a string between 0 and 100 characters long",
@@ -145,7 +142,7 @@ func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request)
 	}
 	writeAPIPayload(w, &struct {
 		Count   int            `json:"count"`
-		Values []searchResult `json:"values"`
+		Results []searchResult `json:"results"`
 	}{n, res})
 }

@@ -161,29 +158,6 @@ func (index *packageIndex) registerAPI(mux *http.ServeMux) {
 	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
 }

-// Register arranges for mux to service API requests.
-func Register(ctx context.Context, mux *http.ServeMux, report *rosa.Report) error {
-	var index packageIndex
-	index.search = make(searchCache)
-	if err := index.populate(report); err != nil {
-		return err
-	}
-	ticker := time.NewTicker(1 * time.Minute)
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				ticker.Stop()
-				return
-			case <-ticker.C:
-				index.search.clean()
-			}
-		}
-	}()
-	index.registerAPI(mux)
-	return nil
-}
-
 // writeAPIPayload sets headers common to API responses and encodes payload as
 // JSON for the response body.
 func writeAPIPayload(w http.ResponseWriter, payload any) {
--- a/cmd/mbf/internal/pkgserver/api_test.go
+++ b/cmd/mbf/internal/pkgserver/api_test.go
@@ -1,4 +1,4 @@
-package pkgserver
+package main

 import (
 	"net/http"
@@ -118,9 +118,11 @@ func TestAPIGet(t *testing.T) {
 			checkStatus(t, resp, http.StatusOK)
 			checkAPIHeader(t, w.Header())
 			checkPayloadFunc(t, resp, func(got *struct {
+				Count  int         `json:"count"`
 				Values []*metadata `json:"values"`
 			}) bool {
-				return slices.EqualFunc(got.Values, want, func(a, b *metadata) bool {
+				return got.Count == len(want) &&
+					slices.EqualFunc(got.Values, want, func(a, b *metadata) bool {
 						return (a.Version == b.Version ||
 							a.Version == rosa.Unversioned ||
 							b.Version == rosa.Unversioned) &&
@@ -134,15 +136,15 @@ func TestAPIGet(t *testing.T) {
 		})
 	}

-	checkWithSuffix("declarationAscending", "?limit=2&index=1&sort=0", []*metadata{
+	checkWithSuffix("declarationAscending", "?limit=2&index=0&sort=0", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(0),
+			Version:  rosa.Std.Version(0),
+		},
 		{
 			Metadata: rosa.GetMetadata(1),
 			Version:  rosa.Std.Version(1),
 		},
-		{
-			Metadata: rosa.GetMetadata(2),
-			Version:  rosa.Std.Version(2),
-		},
 	})
 	checkWithSuffix("declarationAscending offset", "?limit=3&index=5&sort=0", []*metadata{
 		{
--- a/cmd/mbf/internal/pkgserver/index.go
+++ b/cmd/mbf/internal/pkgserver/index.go
@@ -1,4 +1,4 @@
-package pkgserver
+package main

 import (
 	"cmp"
@@ -50,7 +50,7 @@ type metadata struct {
 }

 // populate deterministically populates packageIndex, optionally with a report.
-func (index *packageIndex) populate(report *rosa.Report) (err error) {
+func (index *packageIndex) populate(cache *pkg.Cache, report *rosa.Report) (err error) {
 	if report != nil {
 		defer report.HandleAccess(&err)()
 		index.handleAccess = report.HandleAccess
@@ -58,7 +58,6 @@ func (index *packageIndex) populate(report *rosa.Report) (err error) {

 	var work [rosa.PresetUnexportedStart]*metadata
 	index.names = make(map[string]*metadata)
-	ir := pkg.NewIR()
 	for p := range rosa.PresetUnexportedStart {
 		m := metadata{
 			p: p,
@@ -73,8 +72,8 @@ func (index *packageIndex) populate(report *rosa.Report) (err error) {
 			m.Version = ""
 		}

-		if report != nil {
-			id := ir.Ident(rosa.Std.Load(p))
+		if cache != nil && report != nil {
+			id := cache.Ident(rosa.Std.Load(p))
 			m.ids = pkg.Encode(id.Value())
 			m.status, m.Size = report.ArtifactOf(id)
 			m.HasReport = m.Size >= 0
--- a/cmd/pkgserver/main.go
+++ b/cmd/pkgserver/main.go
@@ -0,0 +1,115 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"hakurei.app/command"
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+const shutdownTimeout = 15 * time.Second
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("pkgserver: ")
+
+	var (
+		flagBaseDir string
+		flagAddr    string
+	)
+
+	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
+	defer stop()
+	msg := message.New(log.Default())
+
+	c := command.New(os.Stderr, log.Printf, "pkgserver", func(args []string) error {
+		var (
+			cache  *pkg.Cache
+			report *rosa.Report
+		)
+		switch len(args) {
+		case 0:
+			break
+
+		case 1:
+			baseDir, err := check.NewAbs(flagBaseDir)
+			if err != nil {
+				return err
+			}
+
+			cache, err = pkg.Open(ctx, msg, 0, baseDir)
+			if err != nil {
+				return err
+			}
+			defer cache.Close()
+
+			report, err = rosa.OpenReport(args[0])
+			if err != nil {
+				return err
+			}
+
+		default:
+			return errors.New("pkgserver requires 1 argument")
+
+		}
+
+		var index packageIndex
+		index.search = make(searchCache)
+		if err := index.populate(cache, report); err != nil {
+			return err
+		}
+		ticker := time.NewTicker(1 * time.Minute)
+		go func() {
+			for {
+				select {
+				case <-ctx.Done():
+					ticker.Stop()
+					return
+				case <-ticker.C:
+					index.search.clean()
+				}
+			}
+		}()
+		var mux http.ServeMux
+		uiRoutes(&mux)
+		testUIRoutes(&mux)
+		index.registerAPI(&mux)
+		server := http.Server{
+			Addr:    flagAddr,
+			Handler: &mux,
+		}
+		go func() {
+			<-ctx.Done()
+			c, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+			defer cancel()
+			if err := server.Shutdown(c); err != nil {
+				log.Fatal(err)
+			}
+		}()
+		return server.ListenAndServe()
+	}).Flag(
+		&flagBaseDir,
+		"b", command.StringFlag(""),
+		"base directory for cache",
+	).Flag(
+		&flagAddr,
+		"addr", command.StringFlag(":8067"),
+		"TCP network address to listen on",
+	)
+	c.MustParse(os.Args[1:], func(err error) {
+		if errors.Is(err, http.ErrServerClosed) {
+			os.Exit(0)
+		}
+		log.Fatal(err)
+	})
+}
--- a/cmd/mbf/internal/pkgserver/index_test.go
+++ b/cmd/mbf/internal/pkgserver/index_test.go
@@ -1,4 +1,4 @@
-package pkgserver
+package main

 import (
 	"bytes"
@@ -15,7 +15,7 @@ func newIndex(t *testing.T) *packageIndex {
 	t.Helper()

 	var index packageIndex
-	if err := index.populate(nil); err != nil {
+	if err := index.populate(nil, nil); err != nil {
 		t.Fatalf("populate: error = %v", err)
 	}
 	return &index
--- a/cmd/mbf/internal/pkgserver/search.go
+++ b/cmd/mbf/internal/pkgserver/search.go
@@ -1,4 +1,4 @@
-package pkgserver
+package main

 import (
 	"cmp"
@@ -22,13 +22,9 @@ type searchCacheEntry struct {
 }

 func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
-	query := search
-	if desc {
-		query += ";withDesc"
-	}
-	entry, ok := index.search[query]
-	if ok && len(entry.results) > 0 {
-		return len(entry.results), entry.results[min(i, len(entry.results)-1):min(i+limit, len(entry.results))], nil
+	entry, ok := index.search[search]
+	if ok {
+		return len(entry.results), entry.results[i:min(i+limit, len(entry.results))], nil
 	}

 	regex, err := regexp.Compile(search)
@@ -63,7 +59,7 @@ func (index *packageIndex) performSearchQuery(limit int, i int, search string, d
 		results: res,
 		expiry:  expiry,
 	}
-	index.search[query] = entry
+	index.search[search] = entry

 	return len(res), res[i:min(i+limit, len(entry.results))], nil
 }
--- a/cmd/pkgserver/test_ui.go
+++ b/cmd/pkgserver/test_ui.go
@@ -0,0 +1,35 @@
+//go:build frontend && frontend_test
+
+package main
+
+import (
+	"embed"
+	"io/fs"
+	"net/http"
+)
+
+// Always remove ui_test/ui; if the previous tsc run failed, the rm never
+// executes.
+
+//go:generate sh -c "rm -r ui_test/ui/ 2>/dev/null || true"
+//go:generate mkdir ui_test/ui
+//go:generate sh -c "cp ui/static/*.ts ui_test/ui/"
+//go:generate tsc --outDir ui_test/static -p ui_test
+//go:generate rm -r ui_test/ui/
+//go:generate sass ui_test/lib/ui.scss ui_test/static/style.css
+//go:generate cp ui_test/lib/ui.html ui_test/static/index.html
+//go:generate sh -c "cd ui_test/lib && cp *.svg ../static/"
+//go:embed ui_test/static
+var _staticTest embed.FS
+
+var staticTest = func() fs.FS {
+	if f, err := fs.Sub(_staticTest, "ui_test/static"); err != nil {
+		panic(err)
+	} else {
+		return f
+	}
+}()
+
+func testUIRoutes(mux *http.ServeMux) {
+	mux.Handle("GET /test/", http.StripPrefix("/test", http.FileServer(http.FS(staticTest))))
+}
--- a/cmd/pkgserver/test_ui_stub.go
+++ b/cmd/pkgserver/test_ui_stub.go
@@ -0,0 +1,7 @@
+//go:build !(frontend && frontend_test)
+
+package main
+
+import "net/http"
+
+func testUIRoutes(mux *http.ServeMux) {}
--- a/cmd/pkgserver/ui.go
+++ b/cmd/pkgserver/ui.go
@@ -0,0 +1,38 @@
+package main
+
+import "net/http"
+
+func serveWebUI(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-XSS-Protection", "1")
+	w.Header().Set("X-Frame-Options", "DENY")
+
+	http.ServeFileFS(w, r, content, "ui/index.html")
+}
+func serveStaticContent(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case "/static/style.css":
+		darkTheme := r.CookiesNamed("dark_theme")
+		if len(darkTheme) > 0 && darkTheme[0].Value == "true" {
+			http.ServeFileFS(w, r, content, "ui/static/dark.css")
+		} else {
+			http.ServeFileFS(w, r, content, "ui/static/light.css")
+		}
+	case "/favicon.ico":
+		http.ServeFileFS(w, r, content, "ui/static/favicon.ico")
+	case "/static/index.js":
+		http.ServeFileFS(w, r, content, "ui/static/index.js")
+	default:
+		http.NotFound(w, r)
+
+	}
+}
+
+func uiRoutes(mux *http.ServeMux) {
+	mux.HandleFunc("GET /{$}", serveWebUI)
+	mux.HandleFunc("GET /favicon.ico", serveStaticContent)
+	mux.HandleFunc("GET /static/", serveStaticContent)
+}
--- a/cmd/pkgserver/ui/index.html
+++ b/cmd/pkgserver/ui/index.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <link rel="stylesheet" href="static/style.css">
+    <title>Hakurei PkgServer</title>
+    <script src="static/index.js"></script>
+</head>
+<body>
+<h1>Hakurei PkgServer</h1>
+
+<table id="pkg-list">
+    <tr><td>Loading...</td></tr>
+</table>
+<p>Showing entries <span id="entry-counter"></span>.</p>
+<span class="bottom-nav"><a href="javascript:prevPage()">&laquo; Previous</a> <span id="page-number">1</span> <a href="javascript:nextPage()">Next &raquo;</a></span>
+<span><label for="count">Entries per page: </label><select name="count" id="count">
+    <option value="10">10</option>
+    <option value="20">20</option>
+    <option value="30">30</option>
+    <option value="50">50</option>
+</select></span>
+<span><label for="sort">Sort by: </label><select name="sort" id="sort">
+    <option value="0">Definition (ascending)</option>
+    <option value="1">Definition (descending)</option>
+    <option value="2">Name (ascending)</option>
+    <option value="3">Name (descending)</option>
+    <option value="4">Size (ascending)</option>
+    <option value="5">Size (descending)</option>
+</select></span>
+</body>
+<footer>
+    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
+</footer>
+</html>
--- a/cmd/pkgserver/ui/static/_common.scss
+++ b/cmd/pkgserver/ui/static/_common.scss
--- a/cmd/pkgserver/ui/static/dark.scss
+++ b/cmd/pkgserver/ui/static/dark.scss
@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #2c2c2c;
+  color: ghostwhite;
+}
--- a/cmd/pkgserver/ui/static/favicon.ico
+++ b/cmd/pkgserver/ui/static/favicon.ico
--- a/cmd/pkgserver/ui/static/index.ts
+++ b/cmd/pkgserver/ui/static/index.ts
@@ -0,0 +1,161 @@
+function assertGetElementById(id: string): HTMLElement {
+    let elem = document.getElementById(id)
+    if(elem == null) throw new ReferenceError(`element with ID '${id}' missing from DOM`)
+    return elem
+}
+
+interface PackageIndexEntry {
+    name: string
+    size: number | null
+    description: string | null
+    website: string | null
+    version: string | null
+    report:  boolean
+}
+function toHTML(entry: PackageIndexEntry): HTMLTableRowElement {
+    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
+    let s = entry.size != null ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
+    let d = entry.description != null ? `<p>${escapeHtml(entry.description)}</p>` : ""
+    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
+    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
+    let row = <HTMLTableRowElement>(document.createElement('tr'))
+    row.innerHTML = `<td>
+            <h2>${escapeHtml(entry.name)} ${v}</h2>
+            ${d}
+            ${s}
+            ${w}
+            ${r}
+        </td>`
+    return row
+}
+
+function toByteSizeString(bytes: number): string {
+    if(bytes == null || bytes < 1024) return `${bytes}B`
+    if(bytes < Math.pow(1024, 2)) return `${(bytes/1024).toFixed(2)}kiB`
+    if(bytes < Math.pow(1024, 3)) return `${(bytes/Math.pow(1024, 2)).toFixed(2)}MiB`
+    if(bytes < Math.pow(1024, 4)) return `${(bytes/Math.pow(1024, 3)).toFixed(2)}GiB`
+    if(bytes < Math.pow(1024, 5)) return `${(bytes/Math.pow(1024, 4)).toFixed(2)}TiB`
+    return "not only is it big, it's large"
+}
+
+const API_VERSION = 1
+const ENDPOINT = `/api/v${API_VERSION}`
+interface InfoPayload {
+    count: number
+    hakurei_version: string
+}
+
+async function infoRequest(): Promise<InfoPayload> {
+    const res = await fetch(`${ENDPOINT}/info`)
+    const payload = await res.json()
+    return payload
+}
+interface GetPayload {
+    values: PackageIndexEntry[]
+}
+
+enum SortOrders {
+    DeclarationAscending,
+    DeclarationDescending,
+    NameAscending,
+    NameDescending
+}
+async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
+    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
+    const payload = await res.json()
+    return payload
+}
+class State {
+    entriesPerPage: number = 10
+    entryIndex: number = 0
+    maxEntries: number = 0
+    sort: SortOrders = SortOrders.DeclarationAscending
+
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
+    }
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updatePage()
+        this.updateRange()
+        this.updateListings()
+    }
+    getMaxEntries(): number {
+        return this.maxEntries
+    }
+    setMaxEntries(max: number) {
+        this.maxEntries = max
+    }
+    getSortOrder(): SortOrders {
+        return this.sort
+    }
+    setSortOrder(sortOrder: SortOrders) {
+        this.sort = sortOrder
+        this.setEntryIndex(0)
+    }
+    updatePage() {
+        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
+        assertGetElementById("page-number").innerText = String(page)
+    }
+    updateRange() {
+        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxEntries())
+        assertGetElementById("entry-counter").innerText = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxEntries()}`
+    }
+    updateListings() {
+        getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
+            .then(res => {
+                let table = assertGetElementById("pkg-list")
+                table.innerHTML = ''
+                res.values.forEach((row) => {
+                    table.appendChild(toHTML(row))
+                })
+            })
+    }
+
+}
+
+let STATE: State
+
+function prevPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
+}
+function nextPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.min((Math.ceil(STATE.getMaxEntries() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()) - STATE.getEntriesPerPage(), index + STATE.getEntriesPerPage()))
+}
+
+function escapeHtml(str: string): string {
+    if(str === undefined) return ""
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;')
+}
+
+document.addEventListener("DOMContentLoaded", () => {
+    STATE = new State()
+    infoRequest()
+        .then(res => {
+            STATE.setMaxEntries(res.count)
+            assertGetElementById("hakurei-version").innerText = res.hakurei_version
+            STATE.updateRange()
+            STATE.updateListings()
+        })
+
+    assertGetElementById("count").addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+    assertGetElementById("sort").addEventListener("change", (event) => {
+        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
+    })
+})
--- a/cmd/pkgserver/ui/static/light.scss
+++ b/cmd/pkgserver/ui/static/light.scss
@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #d3d3d3;
+  color: black;
+}
--- a/cmd/pkgserver/ui/static/tsconfig.json
+++ b/cmd/pkgserver/ui/static/tsconfig.json
@@ -0,0 +1,6 @@
+{
+  "compilerOptions": {
+    "strict": true,
+    "target": "ES2024"
+  }
+}
--- a/cmd/pkgserver/ui_full.go
+++ b/cmd/pkgserver/ui_full.go
@@ -0,0 +1,9 @@
+//go:build frontend
+
+package main
+
+import "embed"
+
+//go:generate sh -c "sass ui/static/dark.scss ui/static/dark.css && sass ui/static/light.scss ui/static/light.css && tsc -p ui/static"
+//go:embed ui/*
+var content embed.FS
--- a/cmd/mbf/internal/pkgserver/ui/ui_stub.go
+++ b/cmd/mbf/internal/pkgserver/ui/ui_stub.go
@@ -1,7 +1,7 @@
 //go:build !frontend

-package ui
+package main

 import "testing/fstest"

-var static fstest.MapFS
+var content fstest.MapFS
--- a/cmd/pkgserver/ui_test/all_tests.ts
+++ b/cmd/pkgserver/ui_test/all_tests.ts
@@ -0,0 +1,2 @@
+// Import all test files to register their test suites.
+import "./index_test.js";
--- a/cmd/pkgserver/ui_test/lib/cli.ts
+++ b/cmd/pkgserver/ui_test/lib/cli.ts
@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+
+// Many editors have terminal emulators built in, so running tests with NodeJS
+// provides faster iteration, especially for those acclimated to test-driven
+// development.
+
+import "../all_tests.js";
+import { StreamReporter, GLOBAL_REGISTRAR } from "./test.js";
+
+// TypeScript doesn't like process and Deno as their type definitions aren't
+// installed, but doesn't seem to complain if they're accessed through
+// globalThis.
+const process: any = (globalThis as any).process;
+const Deno: any = (globalThis as any).Deno;
+
+function getArgs(): string[] {
+    if (process) {
+        const [runtime, program, ...args] = process.argv;
+        return args;
+    }
+    if (Deno) return Deno.args;
+    return [];
+}
+
+function exit(code?: number): never {
+    if (Deno) Deno.exit(code);
+    if (process) process.exit(code);
+    throw `exited with code ${code ?? 0}`;
+}
+
+const args = getArgs();
+let verbose = false;
+if (args.length > 1) {
+    console.error("Too many arguments");
+    exit(1);
+}
+if (args.length === 1) {
+    if (args[0] === "-v" || args[0] === "--verbose" || args[0] === "-verbose") {
+        verbose = true;
+    } else if (args[0] !== "--") {
+        console.error(`Unknown argument '${args[0]}'`);
+        exit(1);
+    }
+}
+
+let reporter = new StreamReporter({ writeln: console.log }, verbose);
+GLOBAL_REGISTRAR.run(reporter);
+exit(reporter.succeeded() ? 0 : 1);
--- a/cmd/pkgserver/ui_test/lib/failure-closed.svg
+++ b/cmd/pkgserver/ui_test/lib/failure-closed.svg
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- See failure-open.svg for an explanation of the view box dimensions. -->
+<svg xmlns="http://www.w3.org/2000/svg" width="20" viewBox="-20,-20 160 130">
+    <!-- This triangle should match success-closed.svg, fill and stroke color notwithstanding. -->
+    <polygon points="0,0 100,50 0,100" fill="red" stroke="red" stroke-width="15" stroke-linejoin="round"/>
+    <!--
+     ! y-coordinates go before x-coordinates here to highlight the difference
+     ! (or, lack thereof) between these numbers and the ones in failure-open.svg;
+     ! try a textual diff. Make sure to keep the numbers in sync!
+     -->
+    <line y1="30" x1="10" y2="70" x2="50" stroke="white" stroke-width="16"/>
+    <line y1="30" x1="50" y2="70" x2="10" stroke="white" stroke-width="16"/>
+</svg>
--- a/cmd/pkgserver/ui_test/lib/failure-open.svg
+++ b/cmd/pkgserver/ui_test/lib/failure-open.svg
@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<!--
+ ! This view box is a bit weird: the strokes assume they're working in a view
+ ! box that spans from the (0,0) to (100,100), and indeed that is convenient
+ ! conceptualizing the strokes, but the stroke itself has a considerable width
+ ! that gets clipped by restrictive view box dimensions. Hence, the view is
+ ! shifted from (0,0)–(100,100) to (-20,-20)–(120,120), to make room for the
+ ! clipped stroke, while leaving behind an illusion of working in a view box
+ ! spanning from (0,0) to (100,100).
+ !
+ ! However, the resulting SVG is too close to the summary text, and CSS
+ ! properties to add padding do not seem to work with `content:` (likely because
+ ! they're anonymous replaced elements); thus, the width of the view is
+ ! increased considerably to provide padding in the SVG itself, while leaving
+ ! the strokes oblivious.
+ !
+ ! It gets worse: the summary text isn't vertically aligned with the icon! As
+ ! a flexbox cannot be used in a summary to align the marker with the text, the
+ ! simplest and most effective solution is to reduce the height of the view box
+ ! from 140 to 130, thereby removing some of the bottom padding present.
+ !
+ ! All six SVGs use the same view box (and indeed, they refer to this comment)
+ ! so that they all appear to be the same size and position relative to each
+ ! other on the DOM—indeed, the view box dimensions, alongside the width,
+ ! directly control their placement on the DOM.
+ !
+ ! TL;DR: CSS is janky, overflow is weird, and SVG is awesome!
+ -->
+<svg xmlns="http://www.w3.org/2000/svg" width="20" viewBox="-20,-20 160 130">
+    <!-- This triangle should match success-open.svg, fill and stroke color notwithstanding. -->
+    <polygon points="0,0 100,0 50,100" fill="red" stroke="red" stroke-width="15" stroke-linejoin="round"/>
+    <!-- See the comment in failure-closed.svg before modifying this. -->
+    <line x1="30" y1="10" x2="70" y2="50" stroke="white" stroke-width="16"/>
+    <line x1="30" y1="50" x2="70" y2="10" stroke="white" stroke-width="16"/>
+</svg>
--- a/cmd/pkgserver/ui_test/lib/go_test_entrypoint.ts
+++ b/cmd/pkgserver/ui_test/lib/go_test_entrypoint.ts
@@ -0,0 +1,3 @@
+import "../all_tests.js";
+import { GoTestReporter, GLOBAL_REGISTRAR } from "./test.js";
+GLOBAL_REGISTRAR.run(new GoTestReporter());
--- a/cmd/pkgserver/ui_test/lib/skip-closed.svg
+++ b/cmd/pkgserver/ui_test/lib/skip-closed.svg
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<!-- See failure-open.svg for an explanation of the view box dimensions. -->
+<svg xmlns="http://www.w3.org/2000/svg" width="20" viewBox="-20,-20 160 130">
+    <!-- This triangle should match success-closed.svg, fill and stroke color notwithstanding. -->
+    <polygon points="0,0 100,50 0,100" fill="blue" stroke="blue" stroke-width="15" stroke-linejoin="round"/>
+    <!--
+     ! This path is extremely similar to the one in skip-open.svg; before
+     ! making minor modifications, diff the two to understand how they should
+     ! remain in sync.
+     -->
+    <path
+        d="M 50,50
+           A 23,23 270,1,1 30,30
+           l -10,20
+           m 10,-20
+           l -20,-10"
+        fill="none"
+        stroke="white"
+        stroke-width="12"
+        stroke-linejoin="round"/>
+</svg>
--- a/cmd/pkgserver/ui_test/lib/skip-open.svg
+++ b/cmd/pkgserver/ui_test/lib/skip-open.svg
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<!-- See failure-open.svg for an explanation of the view box dimensions. -->
+<svg xmlns="http://www.w3.org/2000/svg" width="20" viewBox="-20,-20 160 130">
+    <!-- This triangle should match success-open.svg, fill and stroke color notwithstanding. -->
+    <polygon points="0,0 100,0 50,100" fill="blue" stroke="blue" stroke-width="15" stroke-linejoin="round"/>
+    <!--
+     ! This path is extremely similar to the one in skip-closed.svg; before
+     ! making minor modifications, diff the two to understand how they should
+     ! remain in sync.
+     -->
+    <path
+        d="M 50,50
+           A 23,23 270,1,1 70,30
+           l 10,-20
+           m -10,20
+           l -20,-10"
+        fill="none"
+        stroke="white"
+        stroke-width="12"
+        stroke-linejoin="round"/>
+</svg>
--- a/cmd/pkgserver/ui_test/lib/success-closed.svg
+++ b/cmd/pkgserver/ui_test/lib/success-closed.svg
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<!-- See failure-open.svg for an explanation of the view box dimensions. -->
+<svg xmlns="http://www.w3.org/2000/svg" width="20" viewBox="-20,-20 160 130">
+    <style>
+    .adaptive-stroke {
+        stroke: black;
+    }
+    @media (prefers-color-scheme: dark) {
+        .adaptive-stroke {
+            stroke: ghostwhite;
+        }
+    }
+    </style>
+    <!-- When updating this triangle, also update the other five SVGs. -->
+    <polygon points="0,0 100,50 0,100" fill="none" class="adaptive-stroke" stroke-width="15" stroke-linejoin="round"/>
+</svg>
--- a/cmd/pkgserver/ui_test/lib/success-open.svg
+++ b/cmd/pkgserver/ui_test/lib/success-open.svg
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<!-- See failure-open.svg for an explanation of the view box dimensions. -->
+<svg xmlns="http://www.w3.org/2000/svg" width="20" viewBox="-20,-20 160 130">
+    <style>
+    .adaptive-stroke {
+        stroke: black;
+    }
+    @media (prefers-color-scheme: dark) {
+        .adaptive-stroke {
+            stroke: ghostwhite;
+        }
+    }
+    </style>
+    <!-- When updating this triangle, also update the other five SVGs. -->
+    <polygon points="0,0 100,0 50,100" fill="none" class="adaptive-stroke" stroke-width="15" stroke-linejoin="round"/>
+</svg>
--- a/cmd/pkgserver/ui_test/lib/test.ts
+++ b/cmd/pkgserver/ui_test/lib/test.ts
@@ -0,0 +1,403 @@
+// =============================================================================
+// DSL
+
+type TestTree = TestGroup | Test;
+type TestGroup = { name: string; children: TestTree[] };
+type Test = { name: string; test: (t: TestController) => void };
+
+export class TestRegistrar {
+    #suites: TestGroup[];
+
+    constructor() {
+        this.#suites = [];
+    }
+
+    suite(name: string, children: TestTree[]) {
+        checkDuplicates(name, children);
+        this.#suites.push({ name, children });
+    }
+
+    run(reporter: Reporter) {
+        reporter.register(this.#suites);
+        for (const suite of this.#suites) {
+            for (const c of suite.children) runTests(reporter, [suite.name], c);
+        }
+        reporter.finalize();
+    }
+}
+
+export let GLOBAL_REGISTRAR = new TestRegistrar();
+
+// Register a suite in the global registrar.
+export function suite(name: string, children: TestTree[]) {
+    GLOBAL_REGISTRAR.suite(name, children);
+}
+
+export function group(name: string, children: TestTree[]): TestTree {
+    checkDuplicates(name, children);
+    return { name, children };
+}
+export const context = group;
+export const describe = group;
+
+export function test(name: string, test: (t: TestController) => void): TestTree {
+    return { name, test };
+}
+
+function checkDuplicates(parent: string, names: { name: string }[]) {
+    let seen = new Set<string>();
+    for (const { name } of names) {
+        if (seen.has(name)) {
+            throw new RangeError(`duplicate name '${name}' in '${parent}'`);
+        }
+        seen.add(name);
+    }
+}
+
+export type TestState = "success" | "failure" | "skip";
+
+class AbortSentinel {}
+
+export class TestController {
+    #state: TestState;
+    logs: string[];
+
+    constructor() {
+        this.#state = "success";
+        this.logs = [];
+    }
+
+    getState(): TestState {
+        return this.#state;
+    }
+
+    fail() {
+        this.#state = "failure";
+    }
+
+    failed(): boolean {
+        return this.#state === "failure";
+    }
+
+    failNow(): never {
+        this.fail();
+        throw new AbortSentinel();
+    }
+
+    log(message: string) {
+        this.logs.push(message);
+    }
+
+    error(message: string) {
+        this.log(message);
+        this.fail();
+    }
+
+    fatal(message: string): never {
+        this.log(message);
+        this.failNow();
+    }
+
+    skip(message?: string): never {
+        if (message != null) this.log(message);
+        if (this.#state !== "failure") this.#state = "skip";
+        throw new AbortSentinel();
+    }
+
+    skipped(): boolean {
+        return this.#state === "skip";
+    }
+}
+
+// =============================================================================
+// Execution
+
+export interface TestResult {
+    state: TestState;
+    logs: string[];
+}
+
+function runTests(reporter: Reporter, parents: string[], node: TestTree) {
+    const path = [...parents, node.name];
+    if ("children" in node) {
+        for (const c of node.children) runTests(reporter, path, c);
+        return;
+    }
+    let controller = new TestController();
+    try {
+        node.test(controller);
+    } catch (e) {
+        if (!(e instanceof AbortSentinel)) {
+            controller.error(extractExceptionString(e));
+        }
+    }
+    reporter.update(path, { state: controller.getState(), logs: controller.logs });
+}
+
+function extractExceptionString(e: any): string {
+    // String() instead of .toString() as null and undefined don't have
+    // properties.
+    const s = String(e);
+    if (!(e instanceof Error && e.stack)) return s;
+    // v8 (Chromium, NodeJS) includes the error message, while Firefox and
+    // WebKit do not.
+    if (e.stack.startsWith(s)) return e.stack;
+    return `${s}\n${e.stack}`;
+}
+
+// =============================================================================
+// Reporting
+
+export interface Reporter {
+    register(suites: TestGroup[]): void;
+    update(path: string[], result: TestResult): void;
+    finalize(): void;
+}
+
+export class NoOpReporter implements Reporter {
+    suites: TestGroup[];
+    results: ({ path: string[] } & TestResult)[];
+    finalized: boolean;
+
+    constructor() {
+        this.suites = [];
+        this.results = [];
+        this.finalized = false;
+    }
+
+    register(suites: TestGroup[]) {
+        this.suites = suites;
+    }
+
+    update(path: string[], result: TestResult) {
+        this.results.push({ path, ...result });
+    }
+
+    finalize() {
+        this.finalized = true;
+    }
+}
+
+export interface Stream {
+    writeln(s: string): void;
+}
+
+const SEP = " ❯ ";
+
+export class StreamReporter implements Reporter {
+    stream: Stream;
+    verbose: boolean;
+    #successes: ({ path: string[] } & TestResult)[];
+    #failures: ({ path: string[] } & TestResult)[];
+    #skips: ({ path: string[] } & TestResult)[];
+
+    constructor(stream: Stream, verbose: boolean = false) {
+        this.stream = stream;
+        this.verbose = verbose;
+        this.#successes = [];
+        this.#failures = [];
+        this.#skips = [];
+    }
+
+    succeeded(): boolean {
+        return this.#successes.length > 0 && this.#failures.length === 0;
+    }
+
+    register(suites: TestGroup[]) {}
+
+    update(path: string[], result: TestResult) {
+        if (path.length === 0) throw new RangeError("path is empty");
+        const pathStr = path.join(SEP);
+        switch (result.state) {
+        case "success":
+            this.#successes.push({ path, ...result });
+            if (this.verbose) this.stream.writeln(`✅️ ${pathStr}`);
+            break;
+        case "failure":
+            this.#failures.push({ path, ...result });
+            this.stream.writeln(`⚠️ ${pathStr}`);
+            break;
+        case "skip":
+            this.#skips.push({ path, ...result });
+            this.stream.writeln(`⏭️ ${pathStr}`);
+            break;
+        }
+    }
+
+    finalize() {
+        if (this.verbose) this.#displaySection("successes", this.#successes, true);
+        this.#displaySection("failures", this.#failures);
+        this.#displaySection("skips", this.#skips);
+        this.stream.writeln("");
+        this.stream.writeln(
+            `${this.#successes.length} succeeded, ${this.#failures.length} failed` +
+                (this.#skips.length ? `, ${this.#skips.length} skipped` : ""),
+        );
+    }
+
+    #displaySection(name: string, data: ({ path: string[] } & TestResult)[], ignoreEmpty: boolean = false) {
+        if (!data.length) return;
+
+        // Transform [{ path: ["a", "b", "c"] }, { path: ["a", "b", "d"] }]
+        // into { "a ❯ b": ["c", "d"] }.
+        let pathMap = new Map<string, ({ name: string } & TestResult)[]>();
+        for (const t of data) {
+            if (t.path.length === 0) throw new RangeError("path is empty");
+            const key = t.path.slice(0, -1).join(SEP);
+            if (!pathMap.has(key)) pathMap.set(key, []);
+            pathMap.get(key)!.push({ name: t.path.at(-1)!, ...t });
+        }
+
+        this.stream.writeln("");
+        this.stream.writeln(name.toUpperCase());
+        this.stream.writeln("=".repeat(name.length));
+
+        for (let [path, tests] of pathMap) {
+            if (ignoreEmpty) tests = tests.filter((t) => t.logs.length);
+            if (tests.length === 0) continue;
+            if (tests.length === 1) {
+                this.#writeOutput(tests[0], path ? `${path}${SEP}` : "", false);
+            } else {
+                this.stream.writeln(path);
+                for (const t of tests) this.#writeOutput(t, "  - ", true);
+            }
+        }
+    }
+
+    #writeOutput(test: { name: string } & TestResult, prefix: string, nested: boolean) {
+        let output = "";
+        if (test.logs.length) {
+            // Individual logs might span multiple lines, so join them together
+            // then split it again.
+            const logStr = test.logs.join("\n");
+            const lines = logStr.split("\n");
+            if (lines.length <= 1) {
+                output = `: ${logStr}`;
+            } else {
+                const padding = nested ? "      " : "  ";
+                output = ":\n" + lines.map((line) => padding + line).join("\n");
+            }
+        }
+        this.stream.writeln(`${prefix}${test.name}${output}`);
+    }
+}
+
+function assertGetElementById(id: string): HTMLElement {
+    let elem = document.getElementById(id);
+    if (elem == null) throw new ReferenceError(`element with ID '${id}' missing from DOM`);
+    return elem;
+}
+
+export class DOMReporter implements Reporter {
+    register(suites: TestGroup[]) {}
+
+    update(path: string[], result: TestResult) {
+        if (path.length === 0) throw new RangeError("path is empty");
+        if (result.state === "skip") {
+            assertGetElementById("skip-counter-text").hidden = false;
+        }
+        const counter = assertGetElementById(`${result.state}-counter`);
+        counter.innerText = (Number(counter.innerText) + 1).toString();
+
+        let parent = assertGetElementById("root");
+        for (const node of path) {
+            let child: HTMLDetailsElement | null = null;
+            let summary: HTMLElement | null = null;
+            let d: Element;
+            outer: for (d of parent.children) {
+                if (!(d instanceof HTMLDetailsElement)) continue;
+                for (const s of d.children) {
+                    if (!(s instanceof HTMLElement)) continue;
+                    if (!(s.tagName === "SUMMARY" && s.innerText === node)) continue;
+                    child = d;
+                    summary = s;
+                    break outer;
+                }
+            }
+            if (!child) {
+                child = document.createElement("details");
+                child.className = "test-node";
+                child.ariaRoleDescription = "test";
+                summary = document.createElement("summary");
+                summary.appendChild(document.createTextNode(node));
+                summary.ariaRoleDescription = "test name";
+                child.appendChild(summary);
+                parent.appendChild(child);
+            }
+            if (!summary) throw new Error("unreachable as assigned above");
+
+            switch (result.state) {
+            case "failure":
+                child.open = true;
+                child.classList.add("failure");
+                child.classList.remove("skip");
+                child.classList.remove("success");
+                // The summary marker does not appear in the AOM, so setting its
+                // alt text is fruitless; label the summary itself instead.
+                summary.setAttribute("aria-labelledby", "failure-description");
+                break;
+            case "skip":
+                if (child.classList.contains("failure")) break;
+                child.classList.add("skip");
+                child.classList.remove("success");
+                summary.setAttribute("aria-labelledby", "skip-description");
+                break;
+            case "success":
+                if (child.classList.contains("failure") || child.classList.contains("skip")) break;
+                child.classList.add("success");
+                summary.setAttribute("aria-labelledby", "success-description");
+                break;
+            }
+
+            parent = child;
+        }
+
+        const p = document.createElement("p");
+        p.classList.add("test-desc");
+        if (result.logs.length) {
+            const pre = document.createElement("pre");
+            pre.appendChild(document.createTextNode(result.logs.join("\n")));
+            p.appendChild(pre);
+        } else {
+            p.classList.add("italic");
+            p.appendChild(document.createTextNode("No output."));
+        }
+        parent.appendChild(p);
+    }
+
+    finalize() {}
+}
+
+interface GoNode {
+    name: string;
+    subtests?: GoNode[];
+}
+
+// Used to display results via `go test`, via some glue code from the Go side.
+export class GoTestReporter implements Reporter {
+    register(suites: TestGroup[]) {
+        console.log(JSON.stringify(suites.map(GoTestReporter.serialize)));
+    }
+
+    // Convert a test tree into the one expected by the Go code.
+    static serialize(node: TestTree): GoNode {
+        return {
+            name: node.name,
+            subtests: "children" in node ? node.children.map(GoTestReporter.serialize) : undefined,
+        };
+    }
+
+    update(path: string[], result: TestResult) {
+        let state: number;
+        switch (result.state) {
+            case "success": state = 0; break;
+            case "failure": state = 1; break;
+            case "skip": state = 2; break;
+        }
+        console.log(JSON.stringify({ path, state, logs: result.logs }));
+    }
+
+    finalize() {
+        console.log("null");
+    }
+}
--- a/cmd/pkgserver/ui_test/lib/ui.html
+++ b/cmd/pkgserver/ui_test/lib/ui.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="/test/style.css">
+    <title>PkgServer Tests</title>
+</head>
+<body>
+<noscript>
+    I hate JavaScript as much as you, but this page runs tests written in
+    JavaScript to test the functionality of code written in JavaScript, so it
+    wouldn't make sense for it to work without JavaScript. <strong>Please turn
+    JavaScript on!</strong>
+</noscript>
+
+<h1>PkgServer Tests</h1>
+
+<main>
+<p id="counters">
+    <span id="success-counter">0</span> succeeded, <span id="failure-counter">0</span>
+    failed<span id="skip-counter-text" hidden>, <span id="skip-counter">0</span> skipped</span>.
+</p>
+
+<p hidden id="success-description">Successful test</p>
+<p hidden id="failure-description">Failed test</p>
+<p hidden id="skip-description">Partially or fully skipped test</p>
+
+<div id="root">
+</div>
+
+<script type="module">
+    import "/test/all_tests.js";
+    import { DOMReporter, GLOBAL_REGISTRAR } from "/test/lib/test.js";
+    GLOBAL_REGISTRAR.run(new DOMReporter());
+</script>
+</main>
+</body>
+</html>
--- a/cmd/pkgserver/ui_test/lib/ui.scss
+++ b/cmd/pkgserver/ui_test/lib/ui.scss
@@ -0,0 +1,88 @@
+/*
+ * If updating the theme colors, also update them in success-closed.svg and
+ * success-open.svg!
+ */
+
+:root {
+    --bg: #d3d3d3;
+    --fg: black;
+}
+
+@media (prefers-color-scheme: dark) {
+    :root {
+        --bg: #2c2c2c;
+        --fg: ghostwhite;
+    }
+}
+
+html {
+    background-color: var(--bg);
+    color: var(--fg);
+}
+
+h1, p, summary, noscript {
+    font-family: sans-serif;
+}
+
+noscript {
+    font-size: 16pt;
+}
+
+.root {
+    margin: 1rem 0;
+}
+
+details.test-node {
+    margin-left: 1rem;
+    padding: 0.2rem 0.5rem;
+    border-left: 2px dashed var(--fg);
+    > summary {
+        cursor: pointer;
+    }
+    &.success > summary::marker {
+        /*
+         * WebKit only supports color and font-size properties in ::marker [1],
+         * and its ::-webkit-details-marker only supports hiding the marker
+         * entirely [2], contrary to mdn's example [3]; thus, set a color as
+         * a fallback: while it may not be accessible for colorblind
+         * individuals, it's better than no indication of a test's state for
+         * anyone, as that there's no other way to include an indication in the
+         * marker on WebKit.
+         *
+         * [1]: https://developer.mozilla.org/en-US/docs/Web/CSS/Reference/Selectors/::marker#browser_compatibility
+         * [2]: https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/summary#default_style
+         * [3]: https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/summary#changing_the_summarys_icon
+         */
+        color: var(--fg);
+        content: url("/test/success-closed.svg") / "success";
+    }
+    &.success[open] > summary::marker {
+        content: url("/test/success-open.svg") / "success";
+    }
+    &.failure > summary::marker {
+        color: red;
+        content: url("/test/failure-closed.svg") / "failure";
+    }
+    &.failure[open] > summary::marker {
+        content: url("/test/failure-open.svg") / "failure";
+    }
+    &.skip > summary::marker {
+        color: blue;
+        content: url("/test/skip-closed.svg") / "skip";
+    }
+    &.skip[open] > summary::marker {
+        content: url("/test/skip-open.svg") / "skip";
+    }
+}
+
+p.test-desc {
+    margin: 0 0 0 1rem;
+    padding: 2px 0;
+    > pre {
+        margin: 0;
+    }
+}
+
+.italic {
+    font-style: italic;
+}
--- a/cmd/pkgserver/ui_test/tsconfig.json
+++ b/cmd/pkgserver/ui_test/tsconfig.json
@@ -0,0 +1,6 @@
+{
+  "compilerOptions": {
+    "strict": true,
+    "target": "ES2024"
+  }
+}
--- a/cmd/sharefs/test/configuration.nix
+++ b/cmd/sharefs/test/configuration.nix
@@ -20,14 +20,11 @@
  };

  virtualisation = {
-    # Hopefully reduces spurious test failures:
-    memorySize = if pkgs.stdenv.hostPlatform.is32bit then 2046 else 8192;
-
    diskSize = 6 * 1024;

    qemu.options = [
      # Increase test performance:
-      "-smp 16"
+      "-smp 8"
    ];
  };

--- a/cmd/sharefs/test/default.nix
+++ b/cmd/sharefs/test/default.nix
@@ -28,7 +28,7 @@ testers.nixosTest {
        # For go tests:
        (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
          cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
-          ${fhs}/bin/hakurei-fhs -c 'ROSA_SKIP_BINFMT=1 CC="clang -O3 -Werror" go test ./...'
+          ${fhs}/bin/hakurei-fhs -c 'CC="clang -O3 -Werror" go test ./...'
        '')
      ];

--- a/container/binfmt.go
+++ b/container/binfmt.go
@@ -1,46 +0,0 @@
-package container
-
-import (
-	"strings"
-	"unsafe"
-
-	"hakurei.app/check"
-)
-
-// escapeBinfmt escapes magic/mask sequences in a [BinfmtEntry].
-func escapeBinfmt(buf *strings.Builder, s string) string {
-	const lowerhex = "0123456789abcdef"
-
-	buf.Reset()
-	for _, c := range unsafe.Slice(unsafe.StringData(s), len(s)) {
-		switch c {
-		case 0, '\\', ':':
-			buf.WriteString(`\x`)
-			buf.WriteByte(lowerhex[c>>4])
-			buf.WriteByte(lowerhex[c&0xf])
-
-		default:
-			buf.WriteByte(c)
-		}
-	}
-	return buf.String()
-}
-
-// BinfmtEntry is an entry to be registered by the init process.
-type BinfmtEntry struct {
-	// The offset of the magic/mask in the file, counted in bytes.
-	Offset byte
-	// The byte sequence binfmt_misc is matching for.
-	Magic string
-	// An (optional, defaults to all 0xff) mask.
-	Mask string
-	// The program that should be invoked with the binary as first argument.
-	Interpreter *check.Absolute
-}
-
-// Valid returns whether e can be registered into the kernel.
-func (e *BinfmtEntry) Valid() bool {
-	return e != nil &&
-		int(e.Offset)+max(len(e.Magic), len(e.Mask)) < 128 &&
-		e.Interpreter != nil && len(e.Interpreter.String()) < 128
-}
--- a/container/binfmt_test.go
+++ b/container/binfmt_test.go
@@ -1,62 +0,0 @@
-package container
-
-import (
-	"strings"
-	"testing"
-
-	"hakurei.app/fhs"
-)
-
-func TestEscapeBinfmt(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name  string
-		magic string
-		want  string
-	}{
-		{"packed DOS applications", "\x0eDEX", "\x0eDEX"},
-
-		{"riscv64 magic",
-			"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
-			"\x7fELF\x02\x01\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\x02\\x00\xf3\\x00"},
-		{"riscv64 mask",
-			"\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
-			"\xff\xff\xff\xff\xff\xff\xff\\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			got := escapeBinfmt(new(strings.Builder), tc.magic)
-			if got != tc.want {
-				t.Errorf("escapeBinfmt: %q, want %q", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestBinfmtEntry(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name  string
-		e     BinfmtEntry
-		valid bool
-	}{
-		{"zero", BinfmtEntry{}, false},
-		{"large offset", BinfmtEntry{Offset: 128}, false},
-		{"long magic", BinfmtEntry{Magic: strings.Repeat("\x00", 128)}, false},
-		{"long mask", BinfmtEntry{Mask: strings.Repeat("\x00", 128)}, false},
-		{"valid", BinfmtEntry{Interpreter: fhs.AbsRoot}, true},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			if tc.e.Valid() != tc.valid {
-				t.Errorf("Valid: %v", !tc.valid)
-			}
-		})
-	}
-}
--- a/container/capability.go
+++ b/container/capability.go
@@ -18,7 +18,6 @@ const (
 	CAP_SETPCAP      = 0x8
 	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
-	CAP_SETFCAP      = 0x1f
 )

 type (
--- a/container/container.go
+++ b/container/container.go
@@ -21,7 +21,6 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
-	"hakurei.app/internal/landlock"
 	"hakurei.app/message"
 )

@@ -67,9 +66,6 @@ type (
 		// Copied to the underlying [exec.Cmd].
 		WaitDelay time.Duration

-		// Suppress verbose output of init.
-		Quiet bool
-
 		cmd *exec.Cmd
 		ctx context.Context
 		msg message.Msg
@@ -91,20 +87,12 @@ type (
 		// Time to wait for processes lingering after the initial process terminates.
 		AdoptWaitDelay time.Duration

-		// Map uid/gid 0 in the init process. Requires [FstypeProc] attached to
-		// [fhs.Proc] in the container filesystem.
-		InitAsRoot bool
 		// Mapped Uid in user namespace.
 		Uid int
 		// Mapped Gid in user namespace.
 		Gid int
 		// Hostname value in UTS namespace.
 		Hostname string
-		// Register binfmt_misc entries.
-		Binfmt []BinfmtEntry
-		// Alternative pathname to attach binfmt_misc filesystem. The zero value
-		// requires [FstypeProc] to be made available at [fhs.Proc].
-		BinfmtPath *check.Absolute
 		// Sequential container setup ops.
 		*Ops

@@ -224,9 +212,6 @@ func (p *Container) Start() error {
 	if p.cmd.Process != nil {
 		return errors.New("container: already started")
 	}
-	if !p.InitAsRoot && len(p.Binfmt) > 0 {
-		return errors.New("container: init as root required, but not enabled")
-	}

 	if err := ensureCloseOnExec(); err != nil {
 		return err
@@ -297,18 +282,6 @@ func (p *Container) Start() error {
 	if !p.HostNet {
 		p.cmd.SysProcAttr.Cloneflags |= CLONE_NEWNET
 	}
-	if p.InitAsRoot {
-		p.cmd.SysProcAttr.AmbientCaps = append(p.cmd.SysProcAttr.AmbientCaps,
-			// mappings during init as root
-			CAP_SETFCAP,
-		)
-
-		if !p.SeccompDisable &&
-			len(p.SeccompRules) == 0 &&
-			p.SeccompPresets&std.PresetDenyNS != 0 {
-			return errors.New("container: as root requires late namespace creation")
-		}
-	}

 	// place setup pipe before user supplied extra files, this is later restored by init
 	if r, w, err := os.Pipe(); err != nil {
@@ -334,7 +307,7 @@ func (p *Container) Start() error {
 		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
-			if err := setNoNewPrivs(); err != nil {
+			if err := SetNoNewPrivs(); err != nil {
 				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
@@ -344,14 +317,12 @@ func (p *Container) Start() error {

 			// landlock: depends on per-thread state but acts on a process group
 			{
-				rulesetAttr := &landlock.RulesetAttr{
-					Scoped: landlock.LANDLOCK_SCOPE_SIGNAL,
-				}
+				rulesetAttr := &RulesetAttr{Scoped: LANDLOCK_SCOPE_SIGNAL}
 				if !p.HostAbstract {
-					rulesetAttr.Scoped |= landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+					rulesetAttr.Scoped |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
 				}

-				if abi, err := landlock.GetABI(); err != nil {
+				if abi, err := LandlockGetABI(); err != nil {
 					if p.HostAbstract || !p.HostNet {
 						// landlock can be skipped here as it restricts access
 						// to resources already covered by namespaces (pid, net)
@@ -368,6 +339,8 @@ func (p *Container) Start() error {
 						Err:    ENOSYS,
 						Origin: true,
 					}
+				} else {
+					p.msg.Verbosef("landlock abi version %d", abi)
 				}

 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
@@ -377,7 +350,8 @@ func (p *Container) Start() error {
 						Err:   err,
 					}
 				} else {
-					if err = landlock.RestrictSelf(rulesetFd, 0); err != nil {
+					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
+					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
 						return &StartError{
 							Fatal: true,
@@ -433,6 +407,7 @@ func (p *Container) Start() error {
 				}
 			}

+			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
 				return &StartError{
 					Step:        "start container init",
@@ -503,6 +478,7 @@ func (p *Container) Serve() (err error) {
 			}

 		case <-done:
+			p.msg.Verbose("setup payload took", time.Since(t))
 			return
 		}
 	}(p.setup[1])
@@ -512,7 +488,7 @@ func (p *Container) Serve() (err error) {
 		Getuid(),
 		Getgid(),
 		len(p.ExtraFiles),
-		p.msg.IsVerbose() && !p.Quiet,
+		p.msg.IsVerbose(),
 	})
 }

--- a/container/container_test.go
+++ b/container/container_test.go
@@ -16,8 +16,6 @@ import (
 	"strings"
 	"syscall"
 	"testing"
-	"time"
-	"unsafe"

 	"hakurei.app/check"
 	"hakurei.app/command"
@@ -28,7 +26,6 @@ import (
 	"hakurei.app/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/internal/info"
-	"hakurei.app/internal/landlock"
 	"hakurei.app/internal/params"
 	"hakurei.app/ldd"
 	"hakurei.app/message"
@@ -235,9 +232,6 @@ func earlyMnt(mnt ...*vfs.MountInfoEntry) func(*testing.T, context.Context) []*v
 	return func(*testing.T, context.Context) []*vfs.MountInfoEntry { return mnt }
 }

-//go:linkname toHost hakurei.app/container.toHost
-func toHost(name string) string
-
 var containerTestCases = []struct {
 	name    string
 	filter  bool
@@ -337,15 +331,13 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"rw"+
-						",lowerdir+="+
-						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
-						",lowerdir+="+
-						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"rw,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",upperdir="+
-						toHost(ctx.Value(testVal("upper")).(*check.Absolute).String())+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("upper")).(*check.Absolute).String())+
 						",workdir="+
-						toHost(ctx.Value(testVal("work")).(*check.Absolute).String())+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("work")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,uuid=on,userxattr"),
 			}
 		},
@@ -395,11 +387,9 @@ var containerTestCases = []struct {
 		func(t *testing.T, ctx context.Context) []*vfs.MountInfoEntry {
 			return []*vfs.MountInfoEntry{
 				ent("/", hst.PrivateTmp, "rw", "overlay", "overlay",
-					"ro"+
-						",lowerdir+="+
-						toHost(ctx.Value(testVal("lower0")).(*check.Absolute).String())+
-						",lowerdir+="+
-						toHost(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
+					"ro,lowerdir="+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower0")).(*check.Absolute).String())+":"+
+						container.InternalToHostOvlEscape(ctx.Value(testVal("lower1")).(*check.Absolute).String())+
 						",redirect_dir=nofollow,userxattr"),
 			}
 		},
@@ -409,11 +399,39 @@ var containerTestCases = []struct {
 func TestContainer(t *testing.T) {
 	t.Parallel()

-	var suffix string
-runTests:
+	t.Run("cancel", testContainerCancel(nil, func(t *testing.T, c *container.Container) {
+		wantErr := context.Canceled
+		wantExitCode := 0
+		if err := c.Wait(); !reflect.DeepEqual(err, wantErr) {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %#v, want %#v", err, wantErr)
+		}
+		if ps := c.ProcessState(); ps == nil {
+			t.Errorf("ProcessState unexpectedly returned nil")
+		} else if code := ps.ExitCode(); code != wantExitCode {
+			t.Errorf("ExitCode: %d, want %d", code, wantExitCode)
+		}
+	}))
+
+	t.Run("forward", testContainerCancel(func(c *container.Container) {
+		c.ForwardCancel = true
+	}, func(t *testing.T, c *container.Container) {
+		var exitError *exec.ExitError
+		if err := c.Wait(); !errors.As(err, &exitError) {
+			if m, ok := container.InternalMessageFromError(err); ok {
+				t.Error(m)
+			}
+			t.Errorf("Wait: error = %v", err)
+		}
+		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
+			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
+		}
+	}))
+
 	for i, tc := range containerTestCases {
-		_suffix := suffix
-		t.Run(tc.name+_suffix, func(t *testing.T) {
+		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()

 			wantOps, wantOpsCtx := tc.ops(t)
@@ -437,10 +455,8 @@ runTests:
 			c.SeccompDisable = !tc.filter
 			c.RetainSession = tc.session
 			c.HostNet = tc.net
-			c.InitAsRoot = _suffix != ""
-			c.Env = append(c.Env, "HAKUREI_TEST_SUFFIX="+_suffix)
 			if info.CanDegrade {
-				if _, err := landlock.GetABI(); err != nil {
+				if _, err := container.LandlockGetABI(); err != nil {
 					if !errors.Is(err, syscall.ENOSYS) {
 						t.Fatalf("LandlockGetABI: error = %v", err)
 					}
@@ -448,9 +464,6 @@ runTests:
 					t.Log("Landlock LSM is unavailable, enabling HostAbstract")
 				}
 			}
-			if c.InitAsRoot {
-				c.SeccompPresets &= ^std.PresetDenyNS
-			}

 			c.
 				Readonly(check.MustAbs(pathReadonly), 0755).
@@ -519,11 +532,6 @@ runTests:
 			}
 		})
 	}
-
-	if suffix == "" {
-		suffix = " as root"
-		goto runTests
-	}
 }

 func ent(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoEntry {
@@ -546,10 +554,11 @@ func hostnameFromTestCase(name string) string {
 }

 func testContainerCancel(
-	t *testing.T,
 	containerExtra func(c *container.Container),
-	waitCheck func(ps *os.ProcessState, waitErr error),
-) {
+	waitCheck func(t *testing.T, c *container.Container),
+) func(t *testing.T) {
+	return func(t *testing.T) {
+		t.Parallel()
 		ctx, cancel := context.WithCancel(t.Context())

 		c := helperNewContainer(ctx, "block")
@@ -559,36 +568,25 @@ func testContainerCancel(
 		}

 		ready := make(chan struct{})
-	var waitErr error
-	r, w, err := os.Pipe()
-	if err != nil {
+		if r, w, err := os.Pipe(); err != nil {
 			t.Fatalf("cannot pipe: %v", err)
-	}
-
+		} else {
 			c.ExtraFiles = append(c.ExtraFiles, w)
 			go func() {
 				defer close(ready)
-		if _, _err := r.Read(make([]byte, 1)); _err != nil {
-			panic(_err)
+				if _, err = r.Read(make([]byte, 1)); err != nil {
+					panic(err.Error())
 				}
 			}()
+		}

-	if err = c.Start(); err != nil {
+		if err := c.Start(); err != nil {
 			if m, ok := container.InternalMessageFromError(err); ok {
 				t.Fatal(m)
 			} else {
 				t.Fatalf("cannot start container: %v", err)
 			}
-	}
-
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		waitErr = c.Wait()
-		_ = r.SetReadDeadline(time.Now())
-	}()
-
-	if err = c.Serve(); err != nil {
+		} else if err = c.Serve(); err != nil {
 			if m, ok := container.InternalMessageFromError(err); ok {
 				t.Error(m)
 			} else {
@@ -597,67 +595,8 @@ func testContainerCancel(
 		}
 		<-ready
 		cancel()
-	<-done
-	waitCheck(c.ProcessState(), waitErr)
+		waitCheck(t, c)
 	}
-
-func TestForward(t *testing.T) {
-	t.Parallel()
-
-	f := func(ps *os.ProcessState, waitErr error) {
-		var exitError *exec.ExitError
-		if !errors.As(waitErr, &exitError) {
-			if m, ok := container.InternalMessageFromError(waitErr); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %v", waitErr)
-		}
-		if code := exitError.ExitCode(); code != blockExitCodeInterrupt {
-			t.Errorf("ExitCode: %d, want %d", code, blockExitCodeInterrupt)
-		}
-	}
-	t.Run("direct", func(t *testing.T) {
-		t.Parallel()
-		testContainerCancel(t, func(c *container.Container) {
-			c.ForwardCancel = true
-		}, f)
-	})
-	t.Run("as root", func(t *testing.T) {
-		testContainerCancel(t, func(c *container.Container) {
-			c.ForwardCancel = true
-			c.InitAsRoot = true
-			c.Proc(fhs.AbsProc)
-		}, f)
-	})
-}
-
-func TestCancel(t *testing.T) {
-	t.Parallel()
-
-	f := func(ps *os.ProcessState, waitErr error) {
-		wantErr := context.Canceled
-		if !reflect.DeepEqual(waitErr, wantErr) {
-			if m, ok := container.InternalMessageFromError(waitErr); ok {
-				t.Error(m)
-			}
-			t.Errorf("Wait: error = %#v, want %#v", waitErr, wantErr)
-		}
-		if ps == nil {
-			t.Errorf("ProcessState unexpectedly returned nil")
-		} else if code := ps.ExitCode(); code != 0 {
-			t.Errorf("ExitCode: %d, want %d", code, 0)
-		}
-	}
-	t.Run("direct", func(t *testing.T) {
-		t.Parallel()
-		testContainerCancel(t, nil, f)
-	})
-	t.Run("as root", func(t *testing.T) {
-		testContainerCancel(t, func(c *container.Container) {
-			c.InitAsRoot = true
-			c.Proc(fhs.AbsProc)
-		}, f)
-	})
 }

 func TestContainerString(t *testing.T) {
@@ -693,8 +632,6 @@ func init() {
 		})

 		c.Command("container", command.UsageInternal, func(args []string) error {
-			asRoot := os.Getenv("HAKUREI_TEST_SUFFIX") == " as root"
-
 			if len(args) != 1 {
 				return syscall.EINVAL
 			}
@@ -712,66 +649,6 @@ func init() {
 				return fmt.Errorf("gid: %d, want %d", gid, tc.gid)
 			}

-			// no attack surface increase during as root due to no_new_privs
-			var wantBounding uintptr = 1
-			asRootNot := " not"
-			if !asRoot {
-				wantBounding = 0
-				asRootNot = ""
-			}
-
-			const (
-				PR_CAP_AMBIENT        = 0x2f
-				PR_CAP_AMBIENT_IS_SET = 0x1
-			)
-			for i := range container.LastCap(nil) + 1 {
-				r, _, errno := syscall.Syscall(
-					syscall.SYS_PRCTL,
-					PR_CAP_AMBIENT,
-					PR_CAP_AMBIENT_IS_SET,
-					i,
-				)
-				if errno != 0 {
-					return os.NewSyscallError("prctl", errno)
-				}
-				if r != 0 {
-					return fmt.Errorf("capability %d in ambient set", i)
-				}
-
-				r, _, errno = syscall.Syscall(
-					syscall.SYS_PRCTL,
-					syscall.PR_CAPBSET_READ,
-					i,
-					0,
-				)
-				if errno != 0 {
-					return os.NewSyscallError("prctl", errno)
-				}
-				if r != wantBounding {
-					return fmt.Errorf("capability %d%s in bounding set", i, asRootNot)
-				}
-			}
-
-			const _LINUX_CAPABILITY_VERSION_3 = 0x20080522
-			var capData struct {
-				effective   uint32
-				permitted   uint32
-				inheritable uint32
-			}
-			if _, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&struct {
-				version uint32
-				pid     int32
-			}{_LINUX_CAPABILITY_VERSION_3, 0})), uintptr(unsafe.Pointer(&capData)), 0); errno != 0 {
-				return os.NewSyscallError("capget", errno)
-			}
-
-			if max(capData.effective, capData.permitted, capData.inheritable) != 0 {
-				return fmt.Errorf(
-					"effective = %d, permitted = %d, inheritable = %d",
-					capData.effective, capData.permitted, capData.inheritable,
-				)
-			}
-
 			wantHost := hostnameFromTestCase(tc.name)
 			if host, err := os.Hostname(); err != nil {
 				return fmt.Errorf("cannot get hostname: %v", err)
@@ -889,7 +766,7 @@ func TestMain(m *testing.M) {
 		}
 		c.MustParse(os.Args[1:], func(err error) {
 			if err != nil {
-				log.Fatal(err)
+				log.Fatal(err.Error())
 			}
 		})
 		return
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -65,8 +65,6 @@ type syscallDispatcher interface {
 	remount(msg message.Msg, target string, flags uintptr) error
 	// mountTmpfs provides mountTmpfs.
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
-	// mountOverlay provides mountOverlay.
-	mountOverlay(target string, options [][2]string) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
@@ -150,7 +148,7 @@ func (direct) lockOSThread() { runtime.LockOSThread() }

 func (direct) setPtracer(pid uintptr) error       { return ext.SetPtracer(pid) }
 func (direct) setDumpable(dumpable uintptr) error { return ext.SetDumpable(dumpable) }
-func (direct) setNoNewPrivs() error               { return setNoNewPrivs() }
+func (direct) setNoNewPrivs() error               { return SetNoNewPrivs() }

 func (direct) lastcap(msg message.Msg) uintptr                 { return LastCap(msg) }
 func (direct) capset(hdrp *capHeader, datap *[2]capData) error { return capset(hdrp, datap) }
@@ -171,9 +169,6 @@ func (direct) remount(msg message.Msg, target string, flags uintptr) error {
 func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error {
 	return mountTmpfs(k, fsname, target, flags, size, perm)
 }
-func (k direct) mountOverlay(target string, options [][2]string) error {
-	return mountOverlay(target, options)
-}
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -468,14 +468,6 @@ func (k *kstub) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 		stub.CheckArg(k.Stub, "perm", perm, 4))
 }

-func (k *kstub) mountOverlay(target string, options [][2]string) error {
-	k.Helper()
-	return k.Expects("mountOverlay").Error(
-		stub.CheckArg(k.Stub, "target", target, 0),
-		stub.CheckArgReflect(k.Stub, "options", options, 1),
-	)
-}
-
 func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 	k.Helper()
 	return k.Expects("ensureFile").Error(
--- a/container/errors.go
+++ b/container/errors.go
@@ -118,10 +118,6 @@ func errnoFallback(op, path string, err error) (syscall.Errno, *os.PathError) {

 // mount wraps syscall.Mount for error handling.
 func mount(source, target, fstype string, flags uintptr, data string) error {
-	if max(len(source), len(target), len(data))+1 > os.Getpagesize() {
-		return &MountError{source, target, fstype, flags, data, syscall.ENOMEM}
-	}
-
 	err := syscall.Mount(source, target, fstype, flags, data)
 	if err == nil {
 		return nil
--- a/container/init.go
+++ b/container/init.go
@@ -11,13 +11,11 @@ import (
 	"path/filepath"
 	"slices"
 	"strconv"
-	"strings"
 	"sync"
 	"sync/atomic"
 	. "syscall"
 	"time"

-	"hakurei.app/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/ext"
 	"hakurei.app/fhs"
@@ -184,33 +182,23 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		cancel()
 	}

-	uid, gid := param.Uid, param.Gid
-	if param.InitAsRoot {
-		uid, gid = 0, 0
-	}
-
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(ext.SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
 	}
-	if err := k.writeFile(
-		fhs.Proc+"self/uid_map",
-		[]byte(strconv.Itoa(uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"),
-		0,
-	); err != nil {
+	if err := k.writeFile(fhs.Proc+"self/uid_map",
+		append([]byte{}, strconv.Itoa(param.Uid)+" "+strconv.Itoa(param.HostUid)+" 1\n"...),
+		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
-	if err := k.writeFile(
-		fhs.Proc+"self/setgroups",
+	if err := k.writeFile(fhs.Proc+"self/setgroups",
 		[]byte("deny\n"),
-		0,
-	); err != nil && !os.IsNotExist(err) {
+		0); err != nil && !os.IsNotExist(err) {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.writeFile(fhs.Proc+"self/gid_map",
-		[]byte(strconv.Itoa(gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"),
-		0,
-	); err != nil {
+		append([]byte{}, strconv.Itoa(param.Gid)+" "+strconv.Itoa(param.HostGid)+" 1\n"...),
+		0); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
 	if err := k.setDumpable(ext.SUID_DUMP_DISABLE); err != nil {
@@ -235,23 +223,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	state := &setupState{process: make(map[int]WaitStatus), Params: &param.Params, Msg: msg, Context: ctx}
 	defer cancel()

-	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
-		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
-	}
-	if err := k.chdir(intermediateHostPath); err != nil {
-		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
-	}
-
-	if len(param.Binfmt) > 0 {
-		for i, e := range param.Binfmt {
-			if pathname, err := k.evalSymlinks(e.Interpreter.String()); err != nil {
-				k.fatal(msg, err)
-			} else if param.Binfmt[i].Interpreter, err = check.NewAbs(pathname); err != nil {
-				k.fatal(msg, err)
-			}
-		}
-	}
-
 	/* early is called right before pivot_root into intermediate root;
 	this step is mostly for gathering information that would otherwise be
 	difficult to obtain via library functions after pivot_root, and
@@ -271,6 +242,13 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

+	if err := k.mount(SourceTmpfsRootfs, intermediateHostPath, FstypeTmpfs, MS_NODEV|MS_NOSUID, zeroString); err != nil {
+		k.fatalf(msg, "cannot mount intermediate root: %v", optionalErrorUnwrap(err))
+	}
+	if err := k.chdir(intermediateHostPath); err != nil {
+		k.fatalf(msg, "cannot enter intermediate host path: %v", err)
+	}
+
 	if err := k.mkdir(sysrootDir, 0755); err != nil {
 		k.fatalf(msg, "%v", err)
 	}
@@ -307,48 +285,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

-	if len(param.Binfmt) > 0 {
-		const interpreter = "/interpreter"
-
-		if param.BinfmtPath == nil {
-			param.BinfmtPath = fhs.AbsProcSys.Append("fs/binfmt_misc")
-		}
-		binfmt := sysrootPath + param.BinfmtPath.String()
-		if err := k.mkdirAll(binfmt, 0); err != nil {
-			k.fatal(msg, err)
-		}
-		if err := k.mount(
-			SourceBinfmtMisc,
-			binfmt,
-			FstypeBinfmtMisc,
-			MS_NOSUID|MS_NOEXEC|MS_NODEV,
-			zeroString,
-		); err != nil {
-			k.fatal(msg, err)
-		}
-
-		var buf strings.Builder
-		buf.Grow(1920)
-
-		register := binfmt + "/register"
-		for i, e := range param.Binfmt {
-			if err := k.symlink(hostPath+e.Interpreter.String(), interpreter); err != nil {
-				k.fatal(msg, err)
-			} else if err = k.writeFile(register, []byte(":"+
-				strconv.Itoa(i)+":"+
-				"M:"+
-				strconv.Itoa(int(e.Offset))+":"+
-				escapeBinfmt(&buf, e.Magic)+":"+
-				escapeBinfmt(&buf, e.Mask)+":"+
-				interpreter+":"+
-				"F"), 0); err != nil {
-				k.fatal(msg, err)
-			} else if err = k.remove(interpreter); err != nil {
-				k.fatal(msg, err)
-			}
-		}
-	}
-
 	// setup requiring host root complete at this point
 	if err := k.mount(hostDir, hostDir, zeroString, MS_SILENT|MS_REC|MS_PRIVATE, zeroString); err != nil {
 		k.fatalf(msg, "cannot make host root rprivate: %v", optionalErrorUnwrap(err))
@@ -387,19 +323,11 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		}
 	}

-	var keepCaps []uintptr
-	if param.Privileged {
-		keepCaps = append(keepCaps, CAP_SYS_ADMIN, CAP_SETPCAP)
-	}
-	if param.InitAsRoot {
-		keepCaps = append(keepCaps, CAP_SETFCAP)
-	}
-
 	if err := k.capAmbientClearAll(); err != nil {
 		k.fatalf(msg, "cannot clear the ambient capability set: %v", err)
 	}
-	for i := range lastcap + 1 {
-		if slices.Contains(keepCaps, i) {
+	for i := uintptr(0); i <= lastcap; i++ {
+		if param.Privileged && i == CAP_SYS_ADMIN {
 			continue
 		}
 		if err := k.capBoundingSetDrop(i); err != nil {
@@ -408,23 +336,20 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	}

 	var keep [2]uint32
-	for _, c := range keepCaps {
-		keep[capToIndex(c)] |= capToMask(c)
-	}
+	if param.Privileged {
+		keep[capToIndex(CAP_SYS_ADMIN)] |= capToMask(CAP_SYS_ADMIN)

+		if err := k.capAmbientRaise(CAP_SYS_ADMIN); err != nil {
+			k.fatalf(msg, "cannot raise CAP_SYS_ADMIN: %v", err)
+		}
+	}
 	if err := k.capset(
 		&capHeader{_LINUX_CAPABILITY_VERSION_3, 0},
-		&[2]capData{{keep[0], keep[0], keep[0]}, {keep[1], keep[1], keep[1]}},
+		&[2]capData{{0, keep[0], keep[0]}, {0, keep[1], keep[1]}},
 	); err != nil {
 		k.fatalf(msg, "cannot capset: %v", err)
 	}

-	for _, c := range keepCaps {
-		if err := k.capAmbientRaise(c); err != nil {
-			k.fatalf(msg, "cannot raise %#x: %v", c, err)
-		}
-	}
-
 	if !param.SeccompDisable {
 		rules := param.SeccompRules
 		if len(rules) == 0 { // non-empty rules slice always overrides presets
@@ -549,14 +474,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	cmd.ExtraFiles = extraFiles
 	cmd.Dir = param.Dir.String()

-	if param.InitAsRoot {
-		cmd.SysProcAttr = &SysProcAttr{
-			Cloneflags:  CLONE_NEWUSER,
-			UidMappings: []SysProcIDMap{{ContainerID: param.Uid, HostID: 0, Size: 1}},
-			GidMappings: []SysProcIDMap{{ContainerID: param.Gid, HostID: 0, Size: 1}},
-		}
-	}
-
 	msg.Verbosef("starting initial process %s", param.Path)
 	if err := k.start(cmd); err != nil {
 		k.fatalf(msg, "%v", err)
--- a/container/init_test.go
+++ b/container/init_test.go
@@ -332,8 +332,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -372,8 +370,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("fatalf", stub.ExpectArgs{"invalid op at index %d", []any{0}}, nil, nil),
 				/* end early */
@@ -412,8 +408,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", stub.UniqueError(61)),
 				call("fatalf", stub.ExpectArgs{"cannot prepare op at index %d: %v", []any{0, stub.UniqueError(61)}}, nil, nil),
@@ -453,8 +447,6 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", &os.PathError{Op: "readlink", Path: "/", Err: stub.UniqueError(60)}),
 				call("fatal", stub.ExpectArgs{[]any{"cannot readlink /: unique error 60 injected by the test suite"}}, nil, nil),
@@ -494,6 +486,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				/* begin early */
+				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
+				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, stub.UniqueError(58)),
 				call("fatalf", stub.ExpectArgs{"cannot mount intermediate root: %v", []any{stub.UniqueError(58)}}, nil, nil),
 			},
@@ -531,6 +526,9 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
+				/* begin early */
+				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
+				/* end early */
 				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
 				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, stub.UniqueError(56)),
 				call("fatalf", stub.ExpectArgs{"cannot enter intermediate host path: %v", []any{stub.UniqueError(56)}}, nil, nil),
@@ -569,11 +567,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, stub.UniqueError(54)),
 				call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(54)}}, nil, nil),
 			},
@@ -611,11 +609,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, stub.UniqueError(52)),
 				call("fatalf", stub.ExpectArgs{"cannot bind sysroot: %v", []any{stub.UniqueError(52)}}, nil, nil),
@@ -654,11 +652,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, stub.UniqueError(50)),
@@ -698,11 +696,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -743,11 +741,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -789,11 +787,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -844,11 +842,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -899,11 +897,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -955,11 +953,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1012,11 +1010,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1071,11 +1069,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1131,11 +1129,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1192,11 +1190,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1254,11 +1252,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1317,11 +1315,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1381,11 +1379,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1446,11 +1444,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1512,11 +1510,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1586,11 +1584,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1624,6 +1622,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1655,9 +1654,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, stub.UniqueError(19)),
-				call("fatalf", stub.ExpectArgs{"cannot raise %#x: %v", []any{uintptr(0x15), stub.UniqueError(19)}}, nil, nil),
+				call("fatalf", stub.ExpectArgs{"cannot raise CAP_SYS_ADMIN: %v", []any{stub.UniqueError(19)}}, nil, nil),
 			},
 		}, nil},

@@ -1693,11 +1691,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1731,6 +1729,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1762,7 +1761,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
+				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, stub.UniqueError(17)),
 				call("fatalf", stub.ExpectArgs{"cannot capset: %v", []any{stub.UniqueError(17)}}, nil, nil),
 			},
 		}, nil},
@@ -1799,11 +1799,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -1837,6 +1837,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -1868,9 +1869,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)),
 				call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil),
@@ -1908,11 +1908,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2032,11 +2032,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2132,11 +2132,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2232,11 +2232,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2323,11 +2323,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2418,11 +2418,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(4), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2520,11 +2520,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2659,11 +2659,11 @@ func TestInitEntrypoint(t *testing.T) {
 				call("sethostname", stub.ExpectArgs{[]byte("hakurei-check")}, nil, nil),
 				call("lastcap", stub.ExpectArgs{}, uintptr(40), nil),
 				call("mount", stub.ExpectArgs{"", "/", "", uintptr(0x8c000), ""}, nil, nil),
-				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
-				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				/* begin early */
 				call("evalSymlinks", stub.ExpectArgs{"/"}, "/", nil),
 				/* end early */
+				call("mount", stub.ExpectArgs{"rootfs", "/proc/self/fd", "tmpfs", uintptr(6), ""}, nil, nil),
+				call("chdir", stub.ExpectArgs{"/proc/self/fd"}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"sysroot", os.FileMode(0755)}, nil, nil),
 				call("mount", stub.ExpectArgs{"sysroot", "sysroot", "", uintptr(0xd000), ""}, nil, nil),
 				call("mkdir", stub.ExpectArgs{"host", os.FileMode(0755)}, nil, nil),
@@ -2697,6 +2697,7 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x5)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x6)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x7)}, nil, nil),
+				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x9)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xa)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0xb)}, nil, nil),
@@ -2728,9 +2729,8 @@ func TestInitEntrypoint(t *testing.T) {
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x26)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x27)}, nil, nil),
 				call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil),
-				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0x200100, 0x200100, 0x200100}, {0, 0, 0}}}, nil, nil),
 				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil),
-				call("capAmbientRaise", stub.ExpectArgs{uintptr(0x8)}, nil, nil),
+				call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{std.FilterPreset(0xf)}}, nil, nil),
 				call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil),
 				call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil),
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -4,9 +4,9 @@ import (
 	"encoding/gob"
 	"fmt"
 	"slices"
+	"strings"

 	"hakurei.app/check"
-	"hakurei.app/ext"
 	"hakurei.app/fhs"
 )

@@ -150,7 +150,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Upper.String()); err != nil {
 				return err
 			} else {
-				o.upper = toHost(v)
+				o.upper = check.EscapeOverlayDataSegment(toHost(v))
 			}
 		}

@@ -158,7 +158,7 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 			if v, err := k.evalSymlinks(o.Work.String()); err != nil {
 				return err
 			} else {
-				o.work = toHost(v)
+				o.work = check.EscapeOverlayDataSegment(toHost(v))
 			}
 		}
 	}
@@ -168,39 +168,12 @@ func (o *MountOverlayOp) early(_ *setupState, k syscallDispatcher) error {
 		if v, err := k.evalSymlinks(a.String()); err != nil {
 			return err
 		} else {
-			o.lower[i] = toHost(v)
+			o.lower[i] = check.EscapeOverlayDataSegment(toHost(v))
 		}
 	}
 	return nil
 }

-// mountOverlay sets up an overlay mount via [ext.FS].
-func mountOverlay(target string, options [][2]string) error {
-	fs, err := ext.OpenFS(SourceOverlay, 0)
-	if err != nil {
-		return err
-	}
-	if err = fs.SetString("source", SourceOverlay); err != nil {
-		_ = fs.Close()
-		return err
-	}
-	for _, option := range options {
-		if err = fs.SetString(option[0], option[1]); err != nil {
-			_ = fs.Close()
-			return err
-		}
-	}
-	if err = fs.SetFlag(OptionOverlayUserxattr); err != nil {
-		_ = fs.Close()
-		return err
-	}
-	if err = fs.Mount(target, 0); err != nil {
-		_ = fs.Close()
-		return err
-	}
-	return fs.Close()
-}
-
 func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 	target := o.Target.String()
 	if !o.noPrefix {
@@ -221,7 +194,7 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}

-	options := make([][2]string, 0, 2+len(o.lower))
+	options := make([]string, 0, 4)

 	if o.upper == zeroString && o.work == zeroString { // readonly
 		if len(o.Lower) < 2 {
@@ -232,16 +205,15 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
 		if len(o.Lower) == 0 {
 			return &OverlayArgumentError{OverlayEmptyLower, zeroString}
 		}
-		options = append(options, [][2]string{
-			{OptionOverlayUpperdir, o.upper},
-			{OptionOverlayWorkdir, o.work},
-		}...)
-	}
-	for _, lower := range o.lower {
-		options = append(options, [2]string{OptionOverlayLowerdir + "+", lower})
+		options = append(options,
+			OptionOverlayUpperdir+"="+o.upper,
+			OptionOverlayWorkdir+"="+o.work)
 	}
+	options = append(options,
+		OptionOverlayLowerdir+"="+strings.Join(o.lower, check.SpecialOverlayPath),
+		OptionOverlayUserxattr)

-	return k.mountOverlay(target, options)
+	return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
 }

 func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -97,12 +97,13 @@ func TestMountOverlayOp(t *testing.T) {
 			call("mkdirAll", stub.ExpectArgs{"/sysroot", os.FileMode(0705)}, nil, nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.upper.*"}, "overlay.upper.32768", nil),
 			call("mkdirTemp", stub.ExpectArgs{"/", "overlay.work.*"}, "overlay.work.32768", nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot", [][2]string{
-				{"upperdir", "overlay.upper.32768"},
-				{"workdir", "overlay.work.32768"},
-				{"lowerdir+", `/host/var/lib/planterette/base/debian:f92c9052`},
-				{"lowerdir+", `/host/var/lib/planterette/app/org.chromium.Chromium@debian:f92c9052`},
-			}}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot", "overlay", uintptr(0), "" +
+				"upperdir=overlay.upper.32768," +
+				"workdir=overlay.work.32768," +
+				"lowerdir=" +
+				`/host/var/lib/planterette/base/debian\:f92c9052:` +
+				`/host/var/lib/planterette/app/org.chromium.Chromium@debian\:f92c9052,` +
+				"userxattr"}, nil, nil),
 		}, nil},

 		{"short lower ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -128,10 +129,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/nix/store", [][2]string{
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
-			}}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/nix/store", "overlay", uintptr(0), "" +
+				"lowerdir=" +
+				"/host/mnt-root/nix/.ro-store:" +
+				"/host/mnt-root/nix/.ro-store0," +
+				"userxattr"}, nil, nil),
 		}, nil},

 		{"success ro", &Params{ParentPerm: 0755}, &MountOverlayOp{
@@ -145,10 +147,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store0"}, "/mnt-root/nix/.ro-store0", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0755)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store"},
-				{"lowerdir+", "/host/mnt-root/nix/.ro-store0"},
-			}}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+				"lowerdir=" +
+				"/host/mnt-root/nix/.ro-store:" +
+				"/host/mnt-root/nix/.ro-store0," +
+				"userxattr"}, nil, nil),
 		}, nil},

 		{"nil lower", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -216,11 +219,7 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
-				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
-				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
-			}}, nil, stub.UniqueError(0)),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "upperdir=/host/mnt-root/nix/.rw-store/.upper,workdir=/host/mnt-root/nix/.rw-store/.work,lowerdir=/host/mnt-root/nix/ro-store,userxattr"}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},

 		{"success single layer", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -234,11 +233,11 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store"}, "/mnt-root/nix/ro-store", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
-				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
-				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
-			}}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
+				"workdir=/host/mnt-root/nix/.rw-store/.work," +
+				"lowerdir=/host/mnt-root/nix/ro-store," +
+				"userxattr"}, nil, nil),
 		}, nil},

 		{"success", &Params{ParentPerm: 0700}, &MountOverlayOp{
@@ -262,15 +261,16 @@ func TestMountOverlayOp(t *testing.T) {
 			call("evalSymlinks", stub.ExpectArgs{"/mnt-root/nix/.ro-store3"}, "/mnt-root/nix/ro-store3", nil),
 		}, nil, []stub.Call{
 			call("mkdirAll", stub.ExpectArgs{"/sysroot/nix/store", os.FileMode(0700)}, nil, nil),
-			call("mountOverlay", stub.ExpectArgs{"/sysroot/nix/store", [][2]string{
-				{"upperdir", "/host/mnt-root/nix/.rw-store/.upper"},
-				{"workdir", "/host/mnt-root/nix/.rw-store/.work"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store0"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store1"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store2"},
-				{"lowerdir+", "/host/mnt-root/nix/ro-store3"},
-			}}, nil, nil),
+			call("mount", stub.ExpectArgs{"overlay", "/sysroot/nix/store", "overlay", uintptr(0), "" +
+				"upperdir=/host/mnt-root/nix/.rw-store/.upper," +
+				"workdir=/host/mnt-root/nix/.rw-store/.work," +
+				"lowerdir=" +
+				"/host/mnt-root/nix/ro-store:" +
+				"/host/mnt-root/nix/ro-store0:" +
+				"/host/mnt-root/nix/ro-store1:" +
+				"/host/mnt-root/nix/ro-store2:" +
+				"/host/mnt-root/nix/ro-store3," +
+				"userxattr"}, nil, nil),
 		}, nil},
 	})

--- a/internal/landlock/landlock.go
+++ b/internal/landlock/landlock.go
@@ -1,4 +1,4 @@
-package landlock
+package container

 import (
 	"strings"
@@ -14,11 +14,11 @@ const (
 	LANDLOCK_CREATE_RULESET_VERSION = 1 << iota
 )

-// AccessFS is bitmask of handled filesystem actions.
-type AccessFS uint64
+// LandlockAccessFS is bitmask of handled filesystem actions.
+type LandlockAccessFS uint64

 const (
-	LANDLOCK_ACCESS_FS_EXECUTE AccessFS = 1 << iota
+	LANDLOCK_ACCESS_FS_EXECUTE LandlockAccessFS = 1 << iota
 	LANDLOCK_ACCESS_FS_WRITE_FILE
 	LANDLOCK_ACCESS_FS_READ_FILE
 	LANDLOCK_ACCESS_FS_READ_DIR
@@ -38,8 +38,8 @@ const (
 	_LANDLOCK_ACCESS_FS_DELIM
 )

-// String returns a space-separated string of [AccessFS] flags.
-func (f AccessFS) String() string {
+// String returns a space-separated string of [LandlockAccessFS] flags.
+func (f LandlockAccessFS) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_FS_EXECUTE:
 		return "execute"
@@ -90,8 +90,8 @@ func (f AccessFS) String() string {
 		return "fs_ioctl_dev"

 	default:
-		var c []AccessFS
-		for i := AccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
+		var c []LandlockAccessFS
+		for i := LandlockAccessFS(1); i < _LANDLOCK_ACCESS_FS_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -107,18 +107,18 @@ func (f AccessFS) String() string {
 	}
 }

-// AccessNet is bitmask of handled network actions.
-type AccessNet uint64
+// LandlockAccessNet is bitmask of handled network actions.
+type LandlockAccessNet uint64

 const (
-	LANDLOCK_ACCESS_NET_BIND_TCP AccessNet = 1 << iota
+	LANDLOCK_ACCESS_NET_BIND_TCP LandlockAccessNet = 1 << iota
 	LANDLOCK_ACCESS_NET_CONNECT_TCP

 	_LANDLOCK_ACCESS_NET_DELIM
 )

-// String returns a space-separated string of [AccessNet] flags.
-func (f AccessNet) String() string {
+// String returns a space-separated string of [LandlockAccessNet] flags.
+func (f LandlockAccessNet) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_NET_BIND_TCP:
 		return "bind_tcp"
@@ -127,8 +127,8 @@ func (f AccessNet) String() string {
 		return "connect_tcp"

 	default:
-		var c []AccessNet
-		for i := AccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
+		var c []LandlockAccessNet
+		for i := LandlockAccessNet(1); i < _LANDLOCK_ACCESS_NET_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -144,18 +144,18 @@ func (f AccessNet) String() string {
 	}
 }

-// Scope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
-type Scope uint64
+// LandlockScope is bitmask of scopes restricting a Landlock domain from accessing outside resources.
+type LandlockScope uint64

 const (
-	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET Scope = 1 << iota
+	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET LandlockScope = 1 << iota
 	LANDLOCK_SCOPE_SIGNAL

 	_LANDLOCK_SCOPE_DELIM
 )

-// String returns a space-separated string of [Scope] flags.
-func (f Scope) String() string {
+// String returns a space-separated string of [LandlockScope] flags.
+func (f LandlockScope) String() string {
 	switch f {
 	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
 		return "abstract_unix_socket"
@@ -164,8 +164,8 @@ func (f Scope) String() string {
 		return "signal"

 	default:
-		var c []Scope
-		for i := Scope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
+		var c []LandlockScope
+		for i := LandlockScope(1); i < _LANDLOCK_SCOPE_DELIM; i <<= 1 {
 			if f&i != 0 {
 				c = append(c, i)
 			}
@@ -184,12 +184,12 @@ func (f Scope) String() string {
 // RulesetAttr is equivalent to struct landlock_ruleset_attr.
 type RulesetAttr struct {
 	// Bitmask of handled filesystem actions.
-	HandledAccessFS AccessFS
+	HandledAccessFS LandlockAccessFS
 	// Bitmask of handled network actions.
-	HandledAccessNet AccessNet
+	HandledAccessNet LandlockAccessNet
 	// Bitmask of scopes restricting a Landlock domain from accessing outside
 	// resources (e.g. IPCs).
-	Scoped Scope
+	Scoped LandlockScope
 }

 // String returns a user-facing description of [RulesetAttr].
@@ -239,13 +239,13 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	return fd, nil
 }

-// GetABI returns the ABI version supported by the kernel.
-func GetABI() (int, error) {
+// LandlockGetABI returns the ABI version supported by the kernel.
+func LandlockGetABI() (int, error) {
 	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
 }

-// RestrictSelf applies a loaded ruleset to the calling thread.
-func RestrictSelf(rulesetFd int, flags uintptr) error {
+// LandlockRestrictSelf applies a loaded ruleset to the calling thread.
+func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
 	r, _, errno := syscall.Syscall(
 		ext.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),
--- a/container/landlock_test.go
+++ b/container/landlock_test.go
@@ -0,0 +1,65 @@
+package container_test
+
+import (
+	"testing"
+	"unsafe"
+
+	"hakurei.app/container"
+)
+
+func TestLandlockString(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		rulesetAttr *container.RulesetAttr
+		want        string
+	}{
+		{"nil", nil, "NULL"},
+		{"zero", new(container.RulesetAttr), "0"},
+		{"some", &container.RulesetAttr{Scoped: container.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
+		{"set", &container.RulesetAttr{
+			HandledAccessFS:  container.LANDLOCK_ACCESS_FS_MAKE_SYM | container.LANDLOCK_ACCESS_FS_IOCTL_DEV | container.LANDLOCK_ACCESS_FS_WRITE_FILE,
+			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP,
+			Scoped:           container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | container.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
+		{"all", &container.RulesetAttr{
+			HandledAccessFS: container.LANDLOCK_ACCESS_FS_EXECUTE |
+				container.LANDLOCK_ACCESS_FS_WRITE_FILE |
+				container.LANDLOCK_ACCESS_FS_READ_FILE |
+				container.LANDLOCK_ACCESS_FS_READ_DIR |
+				container.LANDLOCK_ACCESS_FS_REMOVE_DIR |
+				container.LANDLOCK_ACCESS_FS_REMOVE_FILE |
+				container.LANDLOCK_ACCESS_FS_MAKE_CHAR |
+				container.LANDLOCK_ACCESS_FS_MAKE_DIR |
+				container.LANDLOCK_ACCESS_FS_MAKE_REG |
+				container.LANDLOCK_ACCESS_FS_MAKE_SOCK |
+				container.LANDLOCK_ACCESS_FS_MAKE_FIFO |
+				container.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+				container.LANDLOCK_ACCESS_FS_MAKE_SYM |
+				container.LANDLOCK_ACCESS_FS_REFER |
+				container.LANDLOCK_ACCESS_FS_TRUNCATE |
+				container.LANDLOCK_ACCESS_FS_IOCTL_DEV,
+			HandledAccessNet: container.LANDLOCK_ACCESS_NET_BIND_TCP |
+				container.LANDLOCK_ACCESS_NET_CONNECT_TCP,
+			Scoped: container.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+				container.LANDLOCK_SCOPE_SIGNAL,
+		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			if got := tc.rulesetAttr.String(); got != tc.want {
+				t.Errorf("String: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestLandlockAttrSize(t *testing.T) {
+	t.Parallel()
+	want := 24
+	if got := unsafe.Sizeof(container.RulesetAttr{}); got != uintptr(want) {
+		t.Errorf("Sizeof: %d, want %d", got, want)
+	}
+}
--- a/container/mount.go
+++ b/container/mount.go
@@ -40,9 +40,6 @@ const (
 	// SourceMqueue is used when mounting mqueue.
 	// Note that any source value is allowed when fstype is [FstypeMqueue].
 	SourceMqueue = "mqueue"
-	// SourceBinfmtMisc is used when mounting binfmt_misc.
-	// Note that any source value is allowed when fstype is [SourceBinfmtMisc].
-	SourceBinfmtMisc = "binfmt_misc"
 	// SourceOverlay is used when mounting overlay.
 	// Note that any source value is allowed when fstype is [FstypeOverlay].
 	SourceOverlay = "overlay"
@@ -73,9 +70,6 @@ const (
 	// FstypeMqueue represents the mqueue pseudo-filesystem.
 	// This filesystem type is usually mounted on /dev/mqueue.
 	FstypeMqueue = "mqueue"
-	// FstypeBinfmtMisc represents the binfmt_misc pseudo-filesystem.
-	// This filesystem type is usually mounted on /proc/sys/fs/binfmt_misc.
-	FstypeBinfmtMisc = "binfmt_misc"
 	// FstypeOverlay represents the overlay pseudo-filesystem.
 	// This filesystem type can be mounted anywhere in the container filesystem.
 	FstypeOverlay = "overlay"
--- a/container/path_test.go
+++ b/container/path_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 	"unsafe"

+	"hakurei.app/check"
 	"hakurei.app/vfs"
 )

@@ -49,6 +50,9 @@ func TestToHost(t *testing.T) {
 	}
 }

+// InternalToHostOvlEscape exports toHost passed to [check.EscapeOverlayDataSegment].
+func InternalToHostOvlEscape(s string) string { return check.EscapeOverlayDataSegment(toHost(s)) }
+
 func TestCreateFile(t *testing.T) {
 	t.Run("nonexistent", func(t *testing.T) {
 		t.Run("mkdir", func(t *testing.T) {
--- a/container/syscall.go
+++ b/container/syscall.go
@@ -7,8 +7,8 @@ import (
 	"hakurei.app/ext"
 )

-// setNoNewPrivs sets the calling thread's no_new_privs attribute.
-func setNoNewPrivs() error {
+// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
+func SetNoNewPrivs() error {
 	return ext.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0)
 }

--- a/ext/fs.go
+++ b/ext/fs.go
@@ -1,267 +0,0 @@
-package ext
-
-import (
-	"os"
-	"runtime"
-	"syscall"
-	"unsafe"
-)
-
-// include/uapi/linux/mount.h
-
-/*
- * move_mount() flags.
- */
-const (
-	MOVE_MOUNT_F_SYMLINKS   = 1 << iota /* Follow symlinks on from path */
-	MOVE_MOUNT_F_AUTOMOUNTS             /* Follow automounts on from path */
-	MOVE_MOUNT_F_EMPTY_PATH             /* Empty from path permitted */
-	_
-	MOVE_MOUNT_T_SYMLINKS   /* Follow symlinks on to path */
-	MOVE_MOUNT_T_AUTOMOUNTS /* Follow automounts on to path */
-	MOVE_MOUNT_T_EMPTY_PATH /* Empty to path permitted */
-	_
-	MOVE_MOUNT_SET_GROUP /* Set sharing group instead */
-	MOVE_MOUNT_BENEATH   /* Mount beneath top mount */
-)
-
-/*
- * fsopen() flags.
- */
-const (
-	FSOPEN_CLOEXEC = 1 << iota
-)
-
-/*
- * fspick() flags.
- */
-const (
-	FSPICK_CLOEXEC = 1 << iota
-	FSPICK_SYMLINK_NOFOLLOW
-	FSPICK_NO_AUTOMOUNT
-	FSPICK_EMPTY_PATH
-)
-
-/*
- * The type of fsconfig() call made.
- */
-const (
-	FSCONFIG_SET_FLAG        = iota /* Set parameter, supplying no value */
-	FSCONFIG_SET_STRING             /* Set parameter, supplying a string value */
-	FSCONFIG_SET_BINARY             /* Set parameter, supplying a binary blob value */
-	FSCONFIG_SET_PATH               /* Set parameter, supplying an object by path */
-	FSCONFIG_SET_PATH_EMPTY         /* Set parameter, supplying an object by (empty) path */
-	FSCONFIG_SET_FD                 /* Set parameter, supplying an object by fd */
-	FSCONFIG_CMD_CREATE             /* Create new or reuse existing superblock */
-	FSCONFIG_CMD_RECONFIGURE        /* Invoke superblock reconfiguration */
-	FSCONFIG_CMD_CREATE_EXCL        /* Create new superblock, fail if reusing existing superblock */
-)
-
-/*
- * fsmount() flags.
- */
-const (
-	FSMOUNT_CLOEXEC = 1 << iota
-)
-
-/*
- * Mount attributes.
- */
-const (
-	MOUNT_ATTR_RDONLY      = 0x00000001 /* Mount read-only */
-	MOUNT_ATTR_NOSUID      = 0x00000002 /* Ignore suid and sgid bits */
-	MOUNT_ATTR_NODEV       = 0x00000004 /* Disallow access to device special files */
-	MOUNT_ATTR_NOEXEC      = 0x00000008 /* Disallow program execution */
-	MOUNT_ATTR__ATIME      = 0x00000070 /* Setting on how atime should be updated */
-	MOUNT_ATTR_RELATIME    = 0x00000000 /* - Update atime relative to mtime/ctime. */
-	MOUNT_ATTR_NOATIME     = 0x00000010 /* - Do not update access times. */
-	MOUNT_ATTR_STRICTATIME = 0x00000020 /* - Always perform atime updates */
-	MOUNT_ATTR_NODIRATIME  = 0x00000080 /* Do not update directory access times */
-	MOUNT_ATTR_IDMAP       = 0x00100000 /* Idmap mount to @userns_fd in struct mount_attr. */
-	MOUNT_ATTR_NOSYMFOLLOW = 0x00200000 /* Do not follow symlinks */
-)
-
-// FS provides low-level wrappers around the suite of file-descriptor-based
-// mount facilities in Linux.
-type FS struct {
-	fd uintptr
-	c  runtime.Cleanup
-}
-
-// newFS allocates a new [FS] for the specified fd.
-func newFS(fd uintptr) *FS {
-	fs := FS{fd: fd}
-	fs.c = runtime.AddCleanup(&fs, func(fd uintptr) {
-		_ = syscall.Close(int(fd))
-	}, fd)
-	return &fs
-}
-
-// Close closes the underlying filesystem context.
-func (fs *FS) Close() error {
-	if fs == nil {
-		return syscall.EINVAL
-	}
-	err := syscall.Close(int(fs.fd))
-	fs.c.Stop()
-	return err
-}
-
-// OpenFS creates a new filesystem context.
-func OpenFS(fsname string, flags int) (fs *FS, err error) {
-	var s *byte
-	s, err = syscall.BytePtrFromString(fsname)
-	if err != nil {
-		return
-	}
-	fd, _, errno := syscall.Syscall(
-		SYS_FSOPEN,
-		uintptr(unsafe.Pointer(s)),
-		uintptr(flags|FSOPEN_CLOEXEC),
-		0,
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("fsopen", errno)
-	} else {
-		fs = newFS(fd)
-	}
-	return
-}
-
-// PickFS selects filesystem for reconfiguration.
-func PickFS(dirfd int, pathname string, flags int) (fs *FS, err error) {
-	var s *byte
-	s, err = syscall.BytePtrFromString(pathname)
-	if err != nil {
-		return
-	}
-	fd, _, errno := syscall.Syscall(
-		SYS_FSPICK,
-		uintptr(dirfd),
-		uintptr(unsafe.Pointer(s)),
-		uintptr(flags|FSPICK_CLOEXEC),
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("fspick", errno)
-	} else {
-		fs = newFS(fd)
-	}
-	return
-}
-
-// config configures new or existing filesystem context.
-func (fs *FS) config(cmd uint, key *byte, value unsafe.Pointer, aux int) (err error) {
-	_, _, errno := syscall.Syscall6(
-		SYS_FSCONFIG,
-		fs.fd,
-		uintptr(cmd),
-		uintptr(unsafe.Pointer(key)),
-		uintptr(value),
-		uintptr(aux),
-		0,
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("fsconfig", errno)
-	}
-	return
-}
-
-// SetFlag sets the flag parameter named by key. ([FSCONFIG_SET_FLAG])
-func (fs *FS) SetFlag(key string) (err error) {
-	var s *byte
-	s, err = syscall.BytePtrFromString(key)
-	if err != nil {
-		return
-	}
-
-	return fs.config(FSCONFIG_SET_FLAG, s, nil, 0)
-}
-
-// SetString sets the string parameter named by key to the value specified by
-// value. ([FSCONFIG_SET_STRING])
-func (fs *FS) SetString(key, value string) (err error) {
-	var s0 *byte
-	s0, err = syscall.BytePtrFromString(key)
-	if err != nil {
-		return
-	}
-
-	var s1 *byte
-	s1, err = syscall.BytePtrFromString(value)
-	if err != nil {
-		return
-	}
-
-	return fs.config(FSCONFIG_SET_STRING, s0, unsafe.Pointer(s1), 0)
-}
-
-// mount instantiates mount object from filesystem context.
-func (fs *FS) mount(flags, attrFlags int) (fsfd int, err error) {
-	r, _, errno := syscall.Syscall(
-		SYS_FSMOUNT,
-		fs.fd,
-		uintptr(flags|FSMOUNT_CLOEXEC),
-		uintptr(attrFlags),
-	)
-	fsfd = int(r)
-	if errno != 0 {
-		err = os.NewSyscallError("fsmount", errno)
-	}
-	return
-}
-
-// MoveMount moves or attaches mount object to filesystem.
-func MoveMount(
-	fromDirfd int,
-	fromPathname string,
-	toDirfd int,
-	toPathname string,
-	flags int,
-) (err error) {
-	var s0 *byte
-	s0, err = syscall.BytePtrFromString(fromPathname)
-	if err != nil {
-		return
-	}
-
-	var s1 *byte
-	s1, err = syscall.BytePtrFromString(toPathname)
-	if err != nil {
-		return
-	}
-
-	_, _, errno := syscall.Syscall6(
-		SYS_MOVE_MOUNT,
-		uintptr(fromDirfd),
-		uintptr(unsafe.Pointer(s0)),
-		uintptr(toDirfd),
-		uintptr(unsafe.Pointer(s1)),
-		uintptr(flags),
-		0,
-	)
-	if errno != 0 {
-		err = os.NewSyscallError("move_mount", errno)
-	}
-	return
-}
-
-// Mount attaches the underlying filesystem context to the specified pathname.
-func (fs *FS) Mount(pathname string, attrFlags int) error {
-	if err := fs.config(FSCONFIG_CMD_CREATE_EXCL, nil, nil, 0); err != nil {
-		return err
-	}
-	fd, err := fs.mount(0, attrFlags)
-	if err != nil {
-		return err
-	}
-	err = MoveMount(
-		fd, "",
-		-1, pathname,
-		MOVE_MOUNT_F_EMPTY_PATH,
-	)
-	closeErr := syscall.Close(fd)
-	if err == nil {
-		err = closeErr
-	}
-	return err
-}
--- a/fhs/abs.go
+++ b/fhs/abs.go
@@ -42,8 +42,6 @@ var (
 	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
-	// AbsProcSys is [ProcSys] as [check.Absolute].
-	AbsProcSys = unsafeAbs(ProcSys)
 	// AbsProcSelfExe is [ProcSelfExe] as [check.Absolute].
 	AbsProcSelfExe = unsafeAbs(ProcSelfExe)
 	// AbsSys is [Sys] as [check.Absolute].
--- a/hst/config.go
+++ b/hst/config.go
@@ -140,29 +140,21 @@ var (
 	ErrInsecure = errors.New("configuration is insecure")
 )

-const (
-	// VAllowInsecure allows use of compatibility options considered insecure
-	// under any configuration, to work around ecosystem-wide flaws.
-	VAllowInsecure = 1 << iota
-)
-
 // Validate checks [Config] and returns [AppError] if an invalid value is encountered.
-func (config *Config) Validate(flags int) error {
-	const step = "validate configuration"
-
+func (config *Config) Validate() error {
 	if config == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "invalid configuration"}
 	}

 	// this is checked again in hsu
 	if config.Identity < IdentityStart || config.Identity > IdentityEnd {
-		return &AppError{Step: step, Err: ErrIdentityBounds,
+		return &AppError{Step: "validate configuration", Err: ErrIdentityBounds,
 			Msg: "identity " + strconv.Itoa(config.Identity) + " out of range"}
 	}

 	if config.SchedPolicy < 0 || config.SchedPolicy > ext.SCHED_LAST {
-		return &AppError{Step: step, Err: ErrSchedPolicyBounds,
+		return &AppError{Step: "validate configuration", Err: ErrSchedPolicyBounds,
 			Msg: "scheduling policy " +
 				strconv.Itoa(int(config.SchedPolicy)) +
 				" out of range"}
@@ -176,51 +168,34 @@ func (config *Config) Validate(flags int) error {
 	}

 	if config.Container == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "configuration missing container state"}
 	}
 	if config.Container.Home == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}
 	}
 	if config.Container.Shell == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "container configuration missing path to shell"}
 	}
 	if config.Container.Path == nil {
-		return &AppError{Step: step, Err: ErrConfigNull,
+		return &AppError{Step: "validate configuration", Err: ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}
 	}

 	for key := range config.Container.Env {
 		if strings.IndexByte(key, '=') != -1 || strings.IndexByte(key, 0) != -1 {
-			return &AppError{Step: step, Err: ErrEnviron,
+			return &AppError{Step: "validate configuration", Err: ErrEnviron,
 				Msg: "invalid environment variable " + strconv.Quote(key)}
 		}
 	}

-	et := config.Enablements.Unwrap()
-	if !config.DirectPulse && et&EPulse != 0 {
-		return &AppError{Step: step, Err: ErrInsecure,
+	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
+		return &AppError{Step: "validate configuration", Err: ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}

-	if flags&VAllowInsecure == 0 {
-		switch {
-		case et&EWayland != 0 && config.DirectWayland:
-			return &AppError{Step: step, Err: ErrInsecure,
-				Msg: "direct_wayland is insecure and no longer supported"}
-
-		case et&EPipeWire != 0 && config.DirectPipeWire:
-			return &AppError{Step: step, Err: ErrInsecure,
-				Msg: "direct_pipewire is insecure and no longer supported"}
-
-		case et&EPulse != 0 && config.DirectPulse:
-			return &AppError{Step: step, Err: ErrInsecure,
-				Msg: "direct_pulse is insecure and no longer supported"}
-		}
-	}
-
 	return nil
 }

--- a/hst/config_test.go
+++ b/hst/config_test.go
@@ -14,109 +14,65 @@ func TestConfigValidate(t *testing.T) {
 	testCases := []struct {
 		name    string
 		config  *hst.Config
-		flags   int
 		wantErr error
 	}{
-		{"nil", nil, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"nil", nil, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "invalid configuration"}},
-
-		{"identity lower", &hst.Config{Identity: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+		{"identity lower", &hst.Config{Identity: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity -1 out of range"}},
-		{"identity upper", &hst.Config{Identity: 10000}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
+		{"identity upper", &hst.Config{Identity: 10000}, &hst.AppError{Step: "validate configuration", Err: hst.ErrIdentityBounds,
 			Msg: "identity 10000 out of range"}},
-
-		{"sched lower", &hst.Config{SchedPolicy: -1}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+		{"sched lower", &hst.Config{SchedPolicy: -1}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy -1 out of range"}},
-		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
+		{"sched upper", &hst.Config{SchedPolicy: 0xcafe}, &hst.AppError{Step: "validate configuration", Err: hst.ErrSchedPolicyBounds,
 			Msg: "scheduling policy 51966 out of range"}},
-
-		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}}, 0,
+		{"dbus session", &hst.Config{SessionBus: &hst.BusConfig{See: []string{""}}},
 			&hst.BadInterfaceError{Interface: "", Segment: "session"}},
-		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}}, 0,
+		{"dbus system", &hst.Config{SystemBus: &hst.BusConfig{See: []string{""}}},
 			&hst.BadInterfaceError{Interface: "", Segment: "system"}},
-
-		{"container", &hst.Config{}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"container", &hst.Config{}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "configuration missing container state"}},
-		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		{"home", &hst.Config{Container: &hst.ContainerConfig{}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to home directory"}},
 		{"shell", &hst.Config{Container: &hst.ContainerConfig{
 			Home: fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to shell"}},
 		{"path", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrConfigNull,
 			Msg: "container configuration missing path to initial program"}},
-
 		{"env equals", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM=": ""},
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM="`}},
 		{"env NUL", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 			Env:   map[string]string{"TERM\x00": ""},
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
 			Msg: `invalid environment variable "TERM\x00"`}},
-
-		{"insecure pulse", &hst.Config{Enablements: new(hst.EPulse), Container: &hst.ContainerConfig{
+		{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
+		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
 			Msg: "enablement PulseAudio is insecure and no longer supported"}},
-
-		{"direct wayland", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
-			Msg: "direct_wayland is insecure and no longer supported"}},
-		{"direct wayland allow", &hst.Config{Enablements: new(hst.EWayland), DirectWayland: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, hst.VAllowInsecure, nil},
-
-		{"direct pipewire", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
-			Msg: "direct_pipewire is insecure and no longer supported"}},
-		{"direct pipewire allow", &hst.Config{Enablements: new(hst.EPipeWire), DirectPipeWire: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, hst.VAllowInsecure, nil},
-
-		{"direct pulse", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, 0, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
-			Msg: "direct_pulse is insecure and no longer supported"}},
-		{"direct pulse allow", &hst.Config{Enablements: new(hst.EPulse), DirectPulse: true, Container: &hst.ContainerConfig{
-			Home:  fhs.AbsTmp,
-			Shell: fhs.AbsTmp,
-			Path:  fhs.AbsTmp,
-		}}, hst.VAllowInsecure, nil},
-
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
-		}}, 0, nil},
+		}}, nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			if err := tc.config.Validate(tc.flags); !reflect.DeepEqual(err, tc.wantErr) {
+			if err := tc.config.Validate(); !reflect.DeepEqual(err, tc.wantErr) {
 				t.Errorf("Validate: error = %#v, want %#v", err, tc.wantErr)
 			}
 		})
--- a/hst/enablement.go
+++ b/hst/enablement.go
@@ -7,12 +7,12 @@ import (
 	"syscall"
 )

-// Enablements denotes optional host service to export to the target user.
-type Enablements byte
+// Enablement represents an optional host service to export to the target user.
+type Enablement byte

 const (
 	// EWayland exposes a Wayland pathname socket via security-context-v1.
-	EWayland Enablements = 1 << iota
+	EWayland Enablement = 1 << iota
 	// EX11 adds the target user via X11 ChangeHosts and exposes the X11
 	// pathname socket.
 	EX11
@@ -28,8 +28,8 @@ const (
 	EM
 )

-// String returns a string representation of the flags set on [Enablements].
-func (e Enablements) String() string {
+// String returns a string representation of the flags set on [Enablement].
+func (e Enablement) String() string {
 	switch e {
 	case 0:
 		return "(no enablements)"
@@ -47,7 +47,7 @@ func (e Enablements) String() string {
 		buf := new(strings.Builder)
 		buf.Grow(32)

-		for i := Enablements(1); i < EM; i <<= 1 {
+		for i := Enablement(1); i < EM; i <<= 1 {
 			if e&i != 0 {
 				buf.WriteString(", " + i.String())
 			}
@@ -60,6 +60,12 @@ func (e Enablements) String() string {
 	}
 }

+// NewEnablements returns the address of [Enablement] as [Enablements].
+func NewEnablements(e Enablement) *Enablements { return (*Enablements)(&e) }
+
+// Enablements is the [json] adapter for [Enablement].
+type Enablements Enablement
+
 // enablementsJSON is the [json] representation of [Enablements].
 type enablementsJSON = struct {
 	Wayland  bool `json:"wayland,omitempty"`
@@ -69,21 +75,24 @@ type enablementsJSON = struct {
 	Pulse    bool `json:"pulse,omitempty"`
 }

-// Unwrap returns the value pointed to by e.
-func (e *Enablements) Unwrap() Enablements {
+// Unwrap returns the underlying [Enablement].
+func (e *Enablements) Unwrap() Enablement {
 	if e == nil {
 		return 0
 	}
-	return *e
+	return Enablement(*e)
 }

-func (e Enablements) MarshalJSON() ([]byte, error) {
+func (e *Enablements) MarshalJSON() ([]byte, error) {
+	if e == nil {
+		return nil, syscall.EINVAL
+	}
 	return json.Marshal(&enablementsJSON{
-		Wayland:  e&EWayland != 0,
-		X11:      e&EX11 != 0,
-		DBus:     e&EDBus != 0,
-		PipeWire: e&EPipeWire != 0,
-		Pulse:    e&EPulse != 0,
+		Wayland:  Enablement(*e)&EWayland != 0,
+		X11:      Enablement(*e)&EX11 != 0,
+		DBus:     Enablement(*e)&EDBus != 0,
+		PipeWire: Enablement(*e)&EPipeWire != 0,
+		Pulse:    Enablement(*e)&EPulse != 0,
 	})
 }

@@ -97,21 +106,22 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
 		return err
 	}

-	*e = 0
+	var ve Enablement
 	if v.Wayland {
-		*e |= EWayland
+		ve |= EWayland
 	}
 	if v.X11 {
-		*e |= EX11
+		ve |= EX11
 	}
 	if v.DBus {
-		*e |= EDBus
+		ve |= EDBus
 	}
 	if v.PipeWire {
-		*e |= EPipeWire
+		ve |= EPipeWire
 	}
 	if v.Pulse {
-		*e |= EPulse
+		ve |= EPulse
 	}
+	*e = Enablements(ve)
 	return nil
 }
--- a/hst/enablement_test.go
+++ b/hst/enablement_test.go
@@ -13,7 +13,7 @@ func TestEnablementString(t *testing.T) {
 	t.Parallel()

 	testCases := []struct {
-		flags hst.Enablements
+		flags hst.Enablement
 		want  string
 	}{
 		{0, "(no enablements)"},
@@ -59,13 +59,13 @@ func TestEnablements(t *testing.T) {
 		sData string
 	}{
 		{"nil", nil, "null", `{"value":null,"magic":3236757504}`},
-		{"zero", new(hst.Enablements(0)), `{}`, `{"value":{},"magic":3236757504}`},
-		{"wayland", new(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
-		{"x11", new(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
-		{"dbus", new(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
-		{"pipewire", new(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
-		{"pulse", new(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
-		{"all", new(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
+		{"zero", hst.NewEnablements(0), `{}`, `{"value":{},"magic":3236757504}`},
+		{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
+		{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
+		{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
+		{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
+		{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
+		{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
 	}

 	for _, tc := range testCases {
@@ -137,7 +137,7 @@ func TestEnablements(t *testing.T) {
 		})

 		t.Run("val", func(t *testing.T) {
-			if got := new(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
+			if got := hst.NewEnablements(hst.EWayland | hst.EPulse).Unwrap(); got != hst.EWayland|hst.EPulse {
 				t.Errorf("Unwrap: %v", got)
 			}
 		})
@@ -146,6 +146,9 @@ func TestEnablements(t *testing.T) {
 	t.Run("passthrough", func(t *testing.T) {
 		t.Parallel()

+		if _, err := (*hst.Enablements)(nil).MarshalJSON(); !errors.Is(err, syscall.EINVAL) {
+			t.Errorf("MarshalJSON: error = %v", err)
+		}
 		if err := (*hst.Enablements)(nil).UnmarshalJSON(nil); !errors.Is(err, syscall.EINVAL) {
 			t.Errorf("UnmarshalJSON: error = %v", err)
 		}
--- a/hst/hst.go
+++ b/hst/hst.go
@@ -72,7 +72,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",

-		Enablements: new(EWayland | EDBus | EPipeWire),
+		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),

 		SessionBus: &BusConfig{
 			See: nil,
--- a/internal/landlock/landlock_test.go
+++ b/internal/landlock/landlock_test.go
@@ -1,65 +0,0 @@
-package landlock_test
-
-import (
-	"testing"
-	"unsafe"
-
-	"hakurei.app/internal/landlock"
-)
-
-func TestLandlockString(t *testing.T) {
-	t.Parallel()
-
-	testCases := []struct {
-		name        string
-		rulesetAttr *landlock.RulesetAttr
-		want        string
-	}{
-		{"nil", nil, "NULL"},
-		{"zero", new(landlock.RulesetAttr), "0"},
-		{"some", &landlock.RulesetAttr{Scoped: landlock.LANDLOCK_SCOPE_SIGNAL}, "scoped: signal"},
-		{"set", &landlock.RulesetAttr{
-			HandledAccessFS:  landlock.LANDLOCK_ACCESS_FS_MAKE_SYM | landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV | landlock.LANDLOCK_ACCESS_FS_WRITE_FILE,
-			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP,
-			Scoped:           landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | landlock.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: write_file make_sym fs_ioctl_dev, net: bind_tcp, scoped: abstract_unix_socket signal"},
-		{"all", &landlock.RulesetAttr{
-			HandledAccessFS: landlock.LANDLOCK_ACCESS_FS_EXECUTE |
-				landlock.LANDLOCK_ACCESS_FS_WRITE_FILE |
-				landlock.LANDLOCK_ACCESS_FS_READ_FILE |
-				landlock.LANDLOCK_ACCESS_FS_READ_DIR |
-				landlock.LANDLOCK_ACCESS_FS_REMOVE_DIR |
-				landlock.LANDLOCK_ACCESS_FS_REMOVE_FILE |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_CHAR |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_DIR |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_REG |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_SOCK |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_FIFO |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_BLOCK |
-				landlock.LANDLOCK_ACCESS_FS_MAKE_SYM |
-				landlock.LANDLOCK_ACCESS_FS_REFER |
-				landlock.LANDLOCK_ACCESS_FS_TRUNCATE |
-				landlock.LANDLOCK_ACCESS_FS_IOCTL_DEV,
-			HandledAccessNet: landlock.LANDLOCK_ACCESS_NET_BIND_TCP |
-				landlock.LANDLOCK_ACCESS_NET_CONNECT_TCP,
-			Scoped: landlock.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
-				landlock.LANDLOCK_SCOPE_SIGNAL,
-		}, "fs: execute write_file read_file read_dir remove_dir remove_file make_char make_dir make_reg make_sock make_fifo make_block make_sym fs_refer fs_truncate fs_ioctl_dev, net: bind_tcp connect_tcp, scoped: abstract_unix_socket signal"},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			if got := tc.rulesetAttr.String(); got != tc.want {
-				t.Errorf("String: %s, want %s", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestLandlockAttrSize(t *testing.T) {
-	t.Parallel()
-	want := 24
-	if got := unsafe.Sizeof(landlock.RulesetAttr{}); got != uintptr(want) {
-		t.Errorf("Sizeof: %d, want %d", got, want)
-	}
-}
--- a/internal/outcome/finalise.go
+++ b/internal/outcome/finalise.go
@@ -32,14 +32,7 @@ type outcome struct {
 	syscallDispatcher
 }

-// finalise prepares an outcome for main.
-func (k *outcome) finalise(
-	ctx context.Context,
-	msg message.Msg,
-	id *hst.ID,
-	config *hst.Config,
-	flags int,
-) error {
+func (k *outcome) finalise(ctx context.Context, msg message.Msg, id *hst.ID, config *hst.Config) error {
 	if ctx == nil || id == nil {
 		// unreachable
 		panic("invalid call to finalise")
@@ -50,7 +43,7 @@ func (k *outcome) finalise(
 	}
 	k.ctx = ctx

-	if err := config.Validate(flags); err != nil {
+	if err := config.Validate(); err != nil {
 		return err
 	}

--- a/internal/outcome/outcome.go
+++ b/internal/outcome/outcome.go
@@ -194,7 +194,7 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
 	appId string
 	// Copied from [hst.Config]. Safe for read by outcomeOp.toSystem.
-	et hst.Enablements
+	et hst.Enablement

 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool
--- a/internal/outcome/process.go
+++ b/internal/outcome/process.go
@@ -297,12 +297,12 @@ func (k *outcome) main(msg message.Msg, identifierFd int) {
 					// accumulate enablements of remaining instances
 					var (
 						// alive enablement bits
-						rt hst.Enablements
+						rt hst.Enablement
 						// alive instance count
 						n int
 					)
 					for eh := range entries {
-						var et hst.Enablements
+						var et hst.Enablement
 						if et, err = eh.Load(nil); err != nil {
 							perror(err, "read state header of instance "+eh.ID.String())
 						} else {
--- a/internal/outcome/run.go
+++ b/internal/outcome/run.go
@@ -18,13 +18,7 @@ import (
 func IsPollDescriptor(fd uintptr) bool

 // Main runs an app according to [hst.Config] and terminates. Main does not return.
-func Main(
-	ctx context.Context,
-	msg message.Msg,
-	config *hst.Config,
-	flags int,
-	fd int,
-) {
+func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
 	// avoids runtime internals or standard streams
 	if fd >= 0 {
 		if IsPollDescriptor(uintptr(fd)) || fd < 3 {
@@ -40,7 +34,7 @@ func Main(
 	k := outcome{syscallDispatcher: direct{msg}}

 	finaliseTime := time.Now()
-	if err := k.finalise(ctx, msg, &id, config, flags); err != nil {
+	if err := k.finalise(ctx, msg, &id, config); err != nil {
 		printMessageError(msg.GetLogger().Fatalln, "cannot seal app:", err)
 		panic("unreachable")
 	}
--- a/internal/outcome/run_test.go
+++ b/internal/outcome/run_test.go
@@ -288,7 +288,7 @@ func TestOutcomeRun(t *testing.T) {
 				},
 				Filter: true,
 			},
-			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),

 			Container: &hst.ContainerConfig{
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -427,7 +427,7 @@ func TestOutcomeRun(t *testing.T) {
 			DirectPipeWire: true,

 			ID:          "org.chromium.Chromium",
-			Enablements: new(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{
--- a/internal/outcome/sppulse_test.go
+++ b/internal/outcome/sppulse_test.go
@@ -21,7 +21,7 @@ func TestSpPulseOp(t *testing.T) {
 	newConfig := func() *hst.Config {
 		config := hst.Template()
 		config.DirectPulse = true
-		config.Enablements = new(hst.EPulse)
+		config.Enablements = hst.NewEnablements(hst.EPulse)
 		return config
 	}

--- a/internal/pkg/dir_test.go
+++ b/internal/pkg/dir_test.go
@@ -64,6 +64,78 @@ func TestFlatten(t *testing.T) {
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C"), nil},

+		{"sample cache file", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
+			"checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: 0400, Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+			"identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			"identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			"identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: 0400, Path: "checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
+			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("St9rlE-mGZ5gXwiv_hzQ_B8bZP-UUvSNmf4nHUZzCMOumb6hKnheZSe0dmnuc4Q2"), nil},
+
+		{"sample http get cure", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU": {Mode: 0400, Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: 0400, Path: "checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU", Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_", Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("L_0RFHpr9JUS4Zp14rz2dESSRvfLzpvqsLhR1-YjQt8hYlmEdVl7vI3_-v8UNPKs"), nil},
+
+		{"sample directory step simple", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"check": {Mode: 0400, Data: []byte{0, 0}},
+
+			"lib":            {Mode: fs.ModeDir | 0700},
+			"lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"lib/pkgconfig": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: 0400, Path: "check", Data: []byte{0, 0}},
+
+			{Mode: fs.ModeDir | 0700, Path: "lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+
+			{Mode: fs.ModeDir | 0700, Path: "lib/pkgconfig"},
+		}, pkg.MustDecode("qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"), nil},
+
 		{"sample directory step garbage", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},

@@ -79,6 +151,421 @@ func TestFlatten(t *testing.T) {

 			{Mode: fs.ModeDir | 0500, Path: "lib/pkgconfig"},
 		}, pkg.MustDecode("CUx-3hSbTWPsbMfDhgalG4Ni_GmR9TnVX8F99tY_P5GtkYvczg9RrF5zO0jX9XYT"), nil},
+
+		{"sample directory", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b":                {Mode: fs.ModeDir | 0500},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check":          {Mode: 0400, Data: []byte{0, 0}},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib":            {Mode: fs.ModeDir | 0700},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig":  {Mode: fs.ModeDir | 0700},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"},
+			{Mode: 0400, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check", Data: []byte{0, 0}},
+			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("WVpvsVqVKg9Nsh744x57h51AuWUoUR2nnh8Md-EYBQpk6ziyTuUn6PLtF2e0Eu_d"), nil},
+
+		{"sample no assume checksum", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M":       {Mode: fs.ModeDir | 0500},
+			"checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M/check": {Mode: 0400, Data: []byte{}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/_wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+			"identifier/_wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M"},
+			{Mode: 0400, Path: "checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M/check", Data: []byte{}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/Aubi5EG4_Y8DhL9bQ3Q4HFBhLRF7X5gt9D3CNCQfT-TeBtlRXc7Zi_JYZEMoCC7M")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("OC290t23aimNo2Rp2pPwan5GI2KRLRdOwYxXQMD9jw0QROgHnNXWodoWdV0hwu2w"), nil},
+
+		{"sample tar step unpack", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"checksum": {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"identifier": {Mode: fs.ModeDir | 0500},
+			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+
+			"work": {Mode: fs.ModeDir | 0500},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: fs.ModeDir | 0500, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
+			{Mode: 0400, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
+
+			{Mode: fs.ModeDir | 0500, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+
+			{Mode: fs.ModeDir | 0500, Path: "work"},
+		}, pkg.MustDecode("cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"), nil},
+
+		{"sample tar", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM":                                                                                          {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum":                                                                                 {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier":                                                                               {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work":                                                                                     {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+			"identifier/rg7F1D5hwv6o4xctjD5zDq4i5MD0mArTsUIWfhUbik8xC6Bsyt3mjXXOm3goojTz": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
+			{Mode: 0400, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/rg7F1D5hwv6o4xctjD5zDq4i5MD0mArTsUIWfhUbik8xC6Bsyt3mjXXOm3goojTz", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("NQTlc466JmSVLIyWklm_u8_g95jEEb98PxJU-kjwxLpfdjwMWJq0G8ze9R4Vo1Vu"), nil},
+
+		{"sample tar expand step unpack", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: fs.ModeSymlink | 0777, Path: "libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+		}, pkg.MustDecode("CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"), nil},
+
+		{"sample tar expand", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN":            {Mode: fs.ModeDir | 0500},
+			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+			"identifier/_v1blm2h-_KA-dVaawdpLas6MjHc6rbhhFS8JWwx8iJxZGUu8EBbRrhr5AaZ9PJL": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_v1blm2h-_KA-dVaawdpLas6MjHc6rbhhFS8JWwx8iJxZGUu8EBbRrhr5AaZ9PJL", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("hSoSSgCYTNonX3Q8FjvjD1fBl-E-BQyA6OTXro2OadXqbST4tZ-akGXszdeqphRe"), nil},
+
+		{"testtool", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"check": {Mode: 0400, Data: []byte{0}},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: 0400, Path: "check", Data: []byte{0}},
+		}, pkg.MustDecode("GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"), nil},
+
+		{"sample exec container", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("Q5DluWQCAeohLoiGRImurwFp3vdz9IfQCoj7Fuhh73s4KQPRHpEQEnHTdNHmB8Fx"), nil},
+
+		{"testtool net", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"check": {Mode: 0400, Data: []byte("net")},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: 0400, Path: "check", Data: []byte("net")},
+		}, pkg.MustDecode("a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"), nil},
+
+		{"sample exec net container", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W":       {Mode: fs.ModeDir | 0500},
+			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check": {Mode: 0400, Data: []byte("net")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"},
+			{Mode: 0400, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check", Data: []byte("net")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3", Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("bPYvvqxpfV7xcC1EptqyKNK1klLJgYHMDkzBcoOyK6j_Aj5hb0mXNPwTwPSK5F6Z"), nil},
+
+		{"sample exec container overlay root", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("PO2DSSCa4yoSgEYRcCSZfQfwow1yRigL3Ry-hI0RDI4aGuFBha-EfXeSJnG_5_Rl"), nil},
+
+		{"sample exec container overlay work", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("iaRt6l_Wm2n-h5UsDewZxQkCmjZjyL8r7wv32QT2kyV55-Lx09Dq4gfg9BiwPnKs"), nil},
+
+		{"sample exec container multiple layers", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK":       {Mode: fs.ModeDir | 0500},
+			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check": {Mode: 0400, Data: []byte("layers")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
+			"identifier/p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK"},
+			{Mode: 0400, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check", Data: []byte("layers")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2", Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("O2YzyR7IUGU5J2CADy0hUZ3A5NkP_Vwzs4UadEdn2oMZZVWRtH0xZGJ3HXiimTnZ"), nil},
+
+		{"sample exec container layer promotion", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			"identifier/xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("3EaW6WibLi9gl03_UieiFPaFcPy5p4x3JPxrnLJxGaTI-bh3HU9DK9IMx7c3rrNm"), nil},
+
+		{"sample file short", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("iR6H5OIsyOW4EwEgtm9rGzGF6DVtyHLySEtwnFE8bnus9VJcoCbR4JIek7Lw-vwT"), nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -9,10 +9,8 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"runtime"
 	"slices"
 	"strconv"
-	"sync"
 	"syscall"
 	"time"
 	"unique"
@@ -29,11 +27,6 @@ import (
 // AbsWork is the container pathname [TContext.GetWorkDir] is mounted on.
 var AbsWork = fhs.AbsRoot.Append("work/")

-// EnvJobs is the name of the environment variable holding a decimal
-// representation of the preferred job count. Its value must not affect cure
-// outcome.
-const EnvJobs = "CURE_JOBS"
-
 // ExecPath is a slice of [Artifact] and the [check.Absolute] pathname to make
 // it available at under in the container.
 type ExecPath struct {
@@ -96,32 +89,6 @@ func MustPath(pathname string, writable bool, a ...Artifact) ExecPath {
 	return ExecPath{check.MustAbs(pathname), a, writable}
 }

-var (
-	binfmt   map[string]container.BinfmtEntry
-	binfmtMu sync.RWMutex
-)
-
-// RegisterArch arranges for [KindExec] and [KindExecNet] to support a new
-// architecture via a binfmt_misc entry. Each architecture must be registered
-// at most once.
-func RegisterArch(arch string, e container.BinfmtEntry) {
-	if arch == "" {
-		panic(UnsupportedArchError(arch))
-	}
-
-	binfmtMu.Lock()
-	defer binfmtMu.Unlock()
-
-	if binfmt == nil {
-		binfmt = make(map[string]container.BinfmtEntry)
-	}
-
-	if _, ok := binfmt[arch]; ok {
-		panic("attempting to register " + strconv.Quote(arch) + " twice")
-	}
-	binfmt[arch] = e
-}
-
 const (
 	// ExecTimeoutDefault replaces out of range [NewExec] timeout values.
 	ExecTimeoutDefault = 15 * time.Minute
@@ -138,8 +105,6 @@ type execArtifact struct {
 	// Caller-supplied user-facing reporting name, guaranteed to be nonzero
 	// during initialisation.
 	name string
-	// Target architecture.
-	arch string
 	// Caller-supplied inner mount points.
 	paths []ExecPath

@@ -208,7 +173,7 @@ func (a *execNetArtifact) Cure(f *FContext) error {
 // container and does not affect curing outcome. Because of this, it is omitted
 // from parameter data for computing identifier.
 func NewExec(
-	name, arch string,
+	name string,
 	checksum *Checksum,
 	timeout time.Duration,
 	exclusive bool,
@@ -223,16 +188,13 @@ func NewExec(
 	if name == "" {
 		name = "exec-" + filepath.Base(pathname.String())
 	}
-	if arch == "" {
-		arch = runtime.GOARCH
-	}
 	if timeout <= 0 {
 		timeout = ExecTimeoutDefault
 	}
 	if timeout > ExecTimeoutMax {
 		timeout = ExecTimeoutMax
 	}
-	a := execArtifact{name, arch, paths, dir, env, pathname, args, timeout, exclusive}
+	a := execArtifact{name, paths, dir, env, pathname, args, timeout, exclusive}
 	if checksum == nil {
 		return &a
 	}
@@ -244,7 +206,6 @@ func (*execArtifact) Kind() Kind { return KindExec }

 // Params writes paths, executable pathname and args.
 func (a *execArtifact) Params(ctx *IContext) {
-	ctx.WriteString(a.arch)
 	ctx.WriteString(a.name)

 	ctx.WriteUint32(uint32(len(a.paths)))
@@ -291,26 +252,11 @@ func (a *execArtifact) Params(ctx *IContext) {
 	}
 }

-// UnsupportedArchError describes an unsupported or invalid architecture.
-type UnsupportedArchError string
-
-func (e UnsupportedArchError) Error() string {
-	if e == "" {
-		return "invalid architecture name"
-	}
-	return "unsupported architecture " + string(e)
-}
-
 // readExecArtifact interprets IR values and returns the address of execArtifact
 // or execNetArtifact.
 func readExecArtifact(r *IRReader, net bool) Artifact {
 	r.DiscardAll()

-	arch := r.ReadString()
-	if arch == "" {
-		panic(UnsupportedArchError(arch))
-	}
-
 	name := r.ReadString()

 	sz := r.ReadUint32()
@@ -376,7 +322,7 @@ func readExecArtifact(r *IRReader, net bool) Artifact {
 	}

 	return NewExec(
-		name, arch, checksumP, timeout, exclusive, dir, env, pathname, args, paths...,
+		name, checksumP, timeout, exclusive, dir, env, pathname, args, paths...,
 	)
 }

@@ -451,7 +397,7 @@ const SeccompPresets = std.PresetStrict &
 func (a *execArtifact) makeContainer(
 	ctx context.Context,
 	msg message.Msg,
-	flags, jobs int,
+	flags int,
 	hostNet bool,
 	temp, work *check.Absolute,
 	getArtifact GetArtifactFunc,
@@ -485,22 +431,10 @@ func (a *execArtifact) makeContainer(
 	if z.HostNet {
 		z.Hostname = "cure-net"
 	}
-	z.Quiet = flags&CSuppressInit != 0
 	z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
-	z.Dir, z.Path, z.Args = a.dir, a.path, a.args
-	z.Env = slices.Concat(a.env, []string{EnvJobs + "=" + strconv.Itoa(jobs)})
-	z.Grow(len(a.paths) + 4)

-	if a.arch != runtime.GOARCH {
-		binfmtMu.RLock()
-		e, ok := binfmt[a.arch]
-		binfmtMu.RUnlock()
-		if !ok {
-			return nil, UnsupportedArchError(a.arch)
-		}
-		z.Binfmt = []container.BinfmtEntry{e}
-		z.InitAsRoot = true
-	}
+	z.Dir, z.Env, z.Path, z.Args = a.dir, a.env, a.path, a.args
+	z.Grow(len(a.paths) + 4)

 	for i, b := range a.paths {
 		if i == overlayWorkIndex {
@@ -629,7 +563,6 @@ func (c *Cache) EnterExec(
 	z, err = e.makeContainer(
 		ctx, c.msg,
 		c.flags,
-		c.jobs,
 		hostNet,
 		temp, work,
 		func(a Artifact) (*check.Absolute, unique.Handle[Checksum]) {
@@ -669,7 +602,7 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 	msg := f.GetMessage()
 	var z *container.Container
 	if z, err = a.makeContainer(
-		ctx, msg, f.cache.flags, f.GetJobs(), hostNet,
+		ctx, msg, f.cache.flags, hostNet,
 		f.GetTempDir(), f.GetWorkDir(),
 		f.GetArtifact,
 		f.cache.Ident,
@@ -691,6 +624,12 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 			_ = stdout.Close()
 			return
 		}
+		defer func() {
+			if err != nil && !errors.As(err, new(*exec.ExitError)) {
+				_ = stdout.Close()
+				_ = stderr.Close()
+			}
+		}()

 		brStdout, brStderr := f.cache.getReader(stdout), f.cache.getReader(stderr)
 		stdoutDone, stderrDone := make(chan struct{}), make(chan struct{})
@@ -705,11 +644,6 @@ func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 			io.TeeReader(brStderr, status),
 		)
 		defer func() {
-			if err != nil && !errors.As(err, new(*exec.ExitError)) {
-				_ = stdout.Close()
-				_ = stderr.Close()
-			}
-
 			<-stdoutDone
 			<-stderrDone
 			f.cache.putReader(brStdout)
--- a/internal/pkg/exec_test.go
+++ b/internal/pkg/exec_test.go
@@ -1,55 +1,36 @@
 package pkg_test

+//go:generate env CGO_ENABLED=0 go build -tags testtool -o testdata/testtool ./testdata
+
 import (
 	_ "embed"
 	"encoding/gob"
 	"errors"
-	"io/fs"
 	"net"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"slices"
 	"testing"
 	"unique"

 	"hakurei.app/check"
-	"hakurei.app/container"
 	"hakurei.app/hst"
-	"hakurei.app/internal/info"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/stub"
-
-	"hakurei.app/internal/pkg/internal/testtool/expected"
 )

 // testtoolBin is the container test tool binary made available to the
 // execArtifact for testing its curing environment.
 //
-//go:generate env CGO_ENABLED=0 go build -tags testtool -o internal/testtool ./internal/testtool
-//go:embed internal/testtool/testtool
+//go:embed testdata/testtool
 var testtoolBin []byte

-func init() {
-	pathname, err := filepath.Abs("internal/testtool/testtool")
-	if err != nil {
-		panic(err)
-	}
-	pkg.RegisterArch("cafe", container.BinfmtEntry{
-		Magic:       expected.Magic,
-		Interpreter: check.MustAbs(pathname),
-	})
-}
-
 func TestExec(t *testing.T) {
 	t.Parallel()

-	wantOffline := expectsFS{
-		".": {Mode: fs.ModeDir | 0500},
-
-		"check": {Mode: 0400, Data: []byte{0}},
-	}
-	wantOfflineEncode := pkg.Encode(wantOffline.hash())
+	wantChecksumOffline := pkg.MustDecode(
+		"GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9",
+	)

 	checkWithCache(t, []cacheTestCase{
 		{"offline", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
@@ -57,7 +38,7 @@ func TestExec(t *testing.T) {

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-offline", "", nil, 0, false,
+					"exec-offline", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -77,10 +58,10 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantOffline, nil},
+				), ignorePathname, wantChecksumOffline, nil},

 				{"error passthrough", pkg.NewExec(
-					"", "", nil, 0, true,
+					"", nil, 0, true,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -93,7 +74,7 @@ func TestExec(t *testing.T) {
 							return stub.UniqueError(0xcafe)
 						},
 					}),
-				), nil, nil, &pkg.DependencyCureError{
+				), nil, pkg.Checksum{}, &pkg.DependencyCureError{
 					{
 						Ident: unique.Make(pkg.ID(pkg.MustDecode(
 							"Sowo6oZRmG6xVtUaxB6bDWZhVsqAJsIJWUp0OPKlE103cY0lodx7dem8J-qQF0Z1",
@@ -103,20 +84,20 @@ func TestExec(t *testing.T) {
 				}},

 				{"invalid paths", pkg.NewExec(
-					"", "", nil, 0, false,
+					"", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool"},

 					pkg.ExecPath{},
-				), nil, nil, pkg.ErrInvalidPaths},
+				), nil, pkg.Checksum{}, pkg.ErrInvalidPaths},
 			})

 			// check init failure passthrough
 			var exitError *exec.ExitError
 			if _, _, err := c.Cure(pkg.NewExec(
-				"", "", nil, 0, false,
+				"", nil, 0, false,
 				pkg.AbsWork,
 				nil,
 				check.MustAbs("/opt/bin/testtool"),
@@ -127,35 +108,17 @@ func TestExec(t *testing.T) {
 			}

 			testtoolDestroy(t, base, c)
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum":                                 {Mode: fs.ModeDir | 0700},
-			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
-			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
-			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb": {Mode: 0400, Data: []byte{}},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			"identifier/" + expected.Offline:                                              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("Q5DluWQCAeohLoiGRImurwFp3vdz9IfQCoj7Fuhh73s4KQPRHpEQEnHTdNHmB8Fx")},

 		{"net", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

-			wantNet := expectsFS{
-				".": {Mode: fs.ModeDir | 0500},
-
-				"check": {Mode: 0400, Data: []byte("net")},
-			}
+			wantChecksum := pkg.MustDecode(
+				"a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W",
+			)
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-net", "", new(wantNet.hash()), 0, false,
+					"exec-net", &wantChecksum, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -175,34 +138,18 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantNet, nil},
+				), ignorePathname, wantChecksum, nil},
 			})

 			testtoolDestroy(t, base, c)
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
-			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W":       {Mode: fs.ModeDir | 0500},
-			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check": {Mode: 0400, Data: []byte("net")},
-
-			"identifier":                 {Mode: fs.ModeDir | 0700},
-			"identifier/" + expected.Net: {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
-			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("bPYvvqxpfV7xcC1EptqyKNK1klLJgYHMDkzBcoOyK6j_Aj5hb0mXNPwTwPSK5F6Z")},

 		{"overlay root", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-overlay-root", "", nil, 0, false,
+					"exec-overlay-root", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -216,32 +163,18 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantOffline, nil},
+				), ignorePathname, wantChecksumOffline, nil},
 			})

 			testtoolDestroy(t, base, c)
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum":                                 {Mode: fs.ModeDir | 0700},
-			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
-			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
-
-			"identifier":                     {Mode: fs.ModeDir | 0700},
-			"identifier/" + expected.OvlRoot: {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("PO2DSSCa4yoSgEYRcCSZfQfwow1yRigL3Ry-hI0RDI4aGuFBha-EfXeSJnG_5_Rl")},

 		{"overlay work", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-overlay-work", "", nil, 0, false,
+					"exec-overlay-work", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/work/bin/testtool"),
@@ -260,32 +193,18 @@ func TestExec(t *testing.T) {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}), pkg.Path(pkg.AbsWork, false /* ignored */, testtool),
-				), ignorePathname, wantOffline, nil},
+				), ignorePathname, wantChecksumOffline, nil},
 			})

 			testtoolDestroy(t, base, c)
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum":                                 {Mode: fs.ModeDir | 0700},
-			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
-			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
-
-			"identifier":                  {Mode: fs.ModeDir | 0700},
-			"identifier/" + expected.Work: {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("iaRt6l_Wm2n-h5UsDewZxQkCmjZjyL8r7wv32QT2kyV55-Lx09Dq4gfg9BiwPnKs")},

 		{"multiple layers", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-multiple-layers", "", nil, 0, false,
+					"exec-multiple-layers", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -326,37 +245,18 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantOffline, nil},
+				), ignorePathname, wantChecksumOffline, nil},
 			})

 			testtoolDestroy(t, base, c)
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum":                                 {Mode: fs.ModeDir | 0700},
-			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
-			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
-			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
-			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK":       {Mode: fs.ModeDir | 0500},
-			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check": {Mode: 0400, Data: []byte("layers")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
-			"identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
-			"identifier/" + expected.Layers:                                               {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("O2YzyR7IUGU5J2CADy0hUZ3A5NkP_Vwzs4UadEdn2oMZZVWRtH0xZGJ3HXiimTnZ")},

 		{"overlay layer promotion", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			testtool, testtoolDestroy := newTesttool()

 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
-					"exec-layer-promotion", "", nil, 0, true,
+					"exec-layer-promotion", nil, 0, true,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
@@ -376,89 +276,11 @@ func TestExec(t *testing.T) {
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
-				), ignorePathname, wantOffline, nil},
+				), ignorePathname, wantChecksumOffline, nil},
 			})

 			testtoolDestroy(t, base, c)
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum":                                 {Mode: fs.ModeDir | 0700},
-			"checksum/" + wantOfflineEncode:            {Mode: fs.ModeDir | 0500},
-			"checksum/" + wantOfflineEncode + "/check": {Mode: 0400, Data: []byte{0}},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU": {Mode: fs.ModeDir | 0500},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-			"identifier/" + expected.Promote:                                              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/" + wantOfflineEncode)},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
-
-		{"binfmt", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			if info.CanDegrade && os.Getenv("ROSA_SKIP_BINFMT") != "" {
-				t.Skip("binfmt_misc test explicitly skipped")
-			}
-
-			cureMany(t, c, []cureStep{
-				{"container", pkg.NewExec(
-					"exec-binfmt", "cafe", nil, 0, true,
-					pkg.AbsWork,
-					[]string{"HAKUREI_TEST=1", "HAKUREI_BINFMT=1"},
-					check.MustAbs("/opt/bin/sample"),
-					[]string{"sample"},
-
-					pkg.MustPath("/", true, &stubArtifact{
-						kind:   pkg.KindTar,
-						params: []byte("empty directory"),
-						cure: func(t *pkg.TContext) error {
-							return os.MkdirAll(t.GetWorkDir().String(), 0700)
-						},
-					}),
-					pkg.MustPath("/opt", false, overrideIdent{pkg.ID{0xfe, 0xff}, &stubArtifact{
-						kind: pkg.KindTar,
-						cure: func(t *pkg.TContext) error {
-							work := t.GetWorkDir()
-							if err := os.MkdirAll(
-								work.Append("bin").String(),
-								0700,
-							); err != nil {
-								return err
-							}
-
-							return os.WriteFile(t.GetWorkDir().Append(
-								"bin",
-								"sample",
-							).String(), []byte(expected.Full), 0500)
-						},
-					}}),
-				), ignorePathname, expectsFS{
-					".": {Mode: fs.ModeDir | 0500},
-
-					"check": {Mode: 0400, Data: []byte("binfmt")},
-				}, nil},
-			})
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV":            {Mode: fs.ModeDir | 0500},
-			"checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV/bin":        {Mode: fs.ModeDir | 0700},
-			"checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV/bin/sample": {Mode: 0500, Data: []byte("\xca\xfe\xba\xbe\xfd\xfd:3")},
-			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":            {Mode: fs.ModeDir | 0500},
-			"checksum/UnDo4B5KneEUY5b4vRUk_y9MWgkWuw2N8f8a2XayO686xXur-aZmX2-7n_8tKMe3":            {Mode: fs.ModeDir | 0500},
-			"checksum/UnDo4B5KneEUY5b4vRUk_y9MWgkWuw2N8f8a2XayO686xXur-aZmX2-7n_8tKMe3/check":      {Mode: 0400, Data: []byte("binfmt")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/6VQTJ1lI5BmVuI1YFYJ8ClO3MRORvTTrcWFDcUU-l5Ga8EofxCxGlSTYN-u8dKj_": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/UnDo4B5KneEUY5b4vRUk_y9MWgkWuw2N8f8a2XayO686xXur-aZmX2-7n_8tKMe3")},
-			"identifier/_v8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/5aevg3YpDxjqQZ-pdvXK7YqgkL5JKqcoStYQxeD96kuYar6K2mRQWMHib6NQRnpV")},
-			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
-
-			"temp": {Mode: fs.ModeDir | 0700},
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("3EaW6WibLi9gl03_UieiFPaFcPy5p4x3JPxrnLJxGaTI-bh3HU9DK9IMx7c3rrNm")},
 	})
 }

--- a/internal/pkg/file_test.go
+++ b/internal/pkg/file_test.go
@@ -1,7 +1,6 @@
 package pkg_test

 import (
-	"io/fs"
 	"testing"

 	"hakurei.app/check"
@@ -11,25 +10,18 @@ import (
 func TestFile(t *testing.T) {
 	t.Parallel()

-	want := expectsFile{0}
 	checkWithCache(t, []cacheTestCase{
 		{"file", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			cureMany(t, c, []cureStep{
 				{"short", pkg.NewFile("null", []byte{0}), base.Append(
 					"identifier",
 					"3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi",
-				), want, nil},
+				), pkg.MustDecode(
+					"vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX",
+				), nil},
 			})
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum":                            {Mode: fs.ModeDir | 0700},
-			"checksum/" + pkg.Encode(want.hash()): {Mode: 0400, Data: []byte{0}},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
-
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode(
+			"iR6H5OIsyOW4EwEgtm9rGzGF6DVtyHLySEtwnFE8bnus9VJcoCbR4JIek7Lw-vwT",
+		)},
 	})
 }
--- a/internal/pkg/internal/testtool/expected/expected.go
+++ b/internal/pkg/internal/testtool/expected/expected.go
@@ -1,9 +0,0 @@
-// Package expected contains data shared between test helper and test harness.
-package expected
-
-const (
-	// Magic are magic bytes in the binfmt test case.
-	Magic = "\xca\xfe\xba\xbe\xfd\xfd"
-	// Full is the full content of the binfmt test case executable.
-	Full = Magic + ":3"
-)
--- a/internal/pkg/internal/testtool/expected/sum_amd64.go
+++ b/internal/pkg/internal/testtool/expected/sum_amd64.go
@@ -1,10 +0,0 @@
-package expected
-
-const (
-	Offline = "oe7Uv1u5BwxcuX3HLQzZRg1Q5oetJo6jWiKGMOeqLiqBkaVgyKzvx82N81_IzUAz"
-	OvlRoot = "NacZGXwuRkTvcHaG08a22ujJ8qCWN0RSoFlRSR5FSt0ZcBbJ28FRvkYsHEtX7G8i"
-	Layers  = "WBJDrATtX6rIE5yAu8ePX3WmDF0Tt9kFiue0m3cRnyRoVx1my8a67fh3CAW486oP"
-	Net     = "CmYtj2sNB3LHtqiDuck_Lz3MjLLIiwyP8N4NDitQ1Icvv__LVP9p8tm-sHeQaKKp"
-	Promote = "TX3eCloaQFkV-SZIH6Jg6E5WKH--rcXY1P0jnZKmLFKWrNqnOzd4G9eIBh6i5ywN"
-	Work    = "OuNiLSC68pZhAOr1YQ4WbV1tzASA0nxLEBcK7lO7MqxDY_j8dmP_C612RTuF23Lu"
-)
--- a/internal/pkg/ir.go
+++ b/internal/pkg/ir.go
@@ -3,6 +3,7 @@ package pkg
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"crypto/sha512"
 	"encoding/binary"
 	"errors"
@@ -10,7 +11,6 @@ import (
 	"io"
 	"slices"
 	"strconv"
-	"sync"
 	"syscall"
 	"unique"
 	"unsafe"
@@ -39,45 +39,22 @@ func panicToError(errP *error) {
 	}
 }

-// irCache implements [IRCache].
-type irCache struct {
-	// Artifact to [unique.Handle] of identifier cache.
-	artifact sync.Map
-	// Identifier free list, must not be accessed directly.
-	identPool sync.Pool
-}
-
-// zeroIRCache returns the initialised value of irCache.
-func zeroIRCache() irCache {
-	return irCache{
-		identPool: sync.Pool{New: func() any { return new(extIdent) }},
-	}
-}
-
-// IRCache provides memory management and caching primitives for IR and
-// identifier operations against [Artifact] implementations.
-//
-// The zero value is not safe for use.
-type IRCache struct{ irCache }
-
-// NewIR returns the address of a new [IRCache].
-func NewIR() *IRCache {
-	return &IRCache{zeroIRCache()}
-}
-
 // IContext is passed to [Artifact.Params] and provides methods for writing
 // values to the IR writer. It does not expose the underlying [io.Writer].
 //
 // IContext is valid until [Artifact.Params] returns.
 type IContext struct {
-	// Address of underlying irCache, should be zeroed or made unusable after
+	// Address of underlying [Cache], should be zeroed or made unusable after
 	// [Artifact.Params] returns and must not be exposed directly.
-	ic *irCache
+	cache *Cache
 	// Written to by various methods, should be zeroed after [Artifact.Params]
 	// returns and must not be exposed directly.
 	w io.Writer
 }

+// Unwrap returns the underlying [context.Context].
+func (i *IContext) Unwrap() context.Context { return i.cache.ctx }
+
 // irZero is a zero IR word.
 var irZero [wordSize]byte

@@ -159,11 +136,11 @@ func (i *IContext) mustWrite(p []byte) {
 // WriteIdent is not defined for an [Artifact] not part of the slice returned by
 // [Artifact.Dependencies].
 func (i *IContext) WriteIdent(a Artifact) {
-	buf := i.ic.getIdentBuf()
-	defer i.ic.putIdentBuf(buf)
+	buf := i.cache.getIdentBuf()
+	defer i.cache.putIdentBuf(buf)

 	IRKindIdent.encodeHeader(0).put(buf[:])
-	*(*ID)(buf[wordSize:]) = i.ic.Ident(a).Value()
+	*(*ID)(buf[wordSize:]) = i.cache.Ident(a).Value()
 	i.mustWrite(buf[:])
 }

@@ -206,19 +183,19 @@ func (i *IContext) WriteString(s string) {

 // Encode writes a deterministic, efficient representation of a to w and returns
 // the first non-nil error encountered while writing to w.
-func (ic *irCache) Encode(w io.Writer, a Artifact) (err error) {
+func (c *Cache) Encode(w io.Writer, a Artifact) (err error) {
 	deps := a.Dependencies()
 	idents := make([]*extIdent, len(deps))
 	for i, d := range deps {
-		dbuf, did := ic.unsafeIdent(d, true)
+		dbuf, did := c.unsafeIdent(d, true)
 		if dbuf == nil {
-			dbuf = ic.getIdentBuf()
+			dbuf = c.getIdentBuf()
 			binary.LittleEndian.PutUint64(dbuf[:], uint64(d.Kind()))
 			*(*ID)(dbuf[wordSize:]) = did.Value()
 		} else {
-			ic.storeIdent(d, dbuf)
+			c.storeIdent(d, dbuf)
 		}
-		defer ic.putIdentBuf(dbuf)
+		defer c.putIdentBuf(dbuf)
 		idents[i] = dbuf
 	}
 	slices.SortFunc(idents, func(a, b *extIdent) int {
@@ -244,10 +221,10 @@ func (ic *irCache) Encode(w io.Writer, a Artifact) (err error) {
 	}

 	func() {
-		i := IContext{ic, w}
+		i := IContext{c, w}

 		defer panicToError(&err)
-		defer func() { i.ic, i.w = nil, nil }()
+		defer func() { i.cache, i.w = nil, nil }()

 		a.Params(&i)
 	}()
@@ -256,7 +233,7 @@ func (ic *irCache) Encode(w io.Writer, a Artifact) (err error) {
 	}

 	var f IREndFlag
-	kcBuf := ic.getIdentBuf()
+	kcBuf := c.getIdentBuf()
 	sz := wordSize
 	if kc, ok := a.(KnownChecksum); ok {
 		f |= IREndKnownChecksum
@@ -266,13 +243,13 @@ func (ic *irCache) Encode(w io.Writer, a Artifact) (err error) {
 	IRKindEnd.encodeHeader(uint32(f)).put(kcBuf[:])

 	_, err = w.Write(kcBuf[:sz])
-	ic.putIdentBuf(kcBuf)
+	c.putIdentBuf(kcBuf)
 	return
 }

 // encodeAll implements EncodeAll by recursively encoding dependencies and
 // performs deduplication by value via the encoded map.
-func (ic *irCache) encodeAll(
+func (c *Cache) encodeAll(
 	w io.Writer,
 	a Artifact,
 	encoded map[Artifact]struct{},
@@ -282,13 +259,13 @@ func (ic *irCache) encodeAll(
 	}

 	for _, d := range a.Dependencies() {
-		if err = ic.encodeAll(w, d, encoded); err != nil {
+		if err = c.encodeAll(w, d, encoded); err != nil {
 			return
 		}
 	}

 	encoded[a] = struct{}{}
-	return ic.Encode(w, a)
+	return c.Encode(w, a)
 }

 // EncodeAll writes a self-describing IR stream of a to w and returns the first
@@ -306,8 +283,8 @@ func (ic *irCache) encodeAll(
 // the ident cache, nor does it contribute identifiers it computes back to the
 // ident cache. Because of this, multiple invocations of EncodeAll will have
 // similar cost and does not amortise when combined with a call to Cure.
-func (ic *irCache) EncodeAll(w io.Writer, a Artifact) error {
-	return ic.encodeAll(w, a, make(map[Artifact]struct{}))
+func (c *Cache) EncodeAll(w io.Writer, a Artifact) error {
+	return c.encodeAll(w, a, make(map[Artifact]struct{}))
 }

 // ErrRemainingIR is returned for a [IRReadFunc] that failed to call
@@ -432,12 +409,6 @@ func (e InvalidKindError) Error() string {
 // register is not safe for concurrent use. register must not be called after
 // the first instance of [Cache] has been opened.
 func register(k Kind, f IRReadFunc) {
-	openMu.Lock()
-	defer openMu.Unlock()
-
-	if opened {
-		panic("attempting to register after open")
-	}
 	if _, ok := irArtifact[k]; ok {
 		panic("attempting to register " + strconv.Itoa(int(k)) + " twice")
 	}
--- a/internal/pkg/ir_test.go
+++ b/internal/pkg/ir_test.go
@@ -3,7 +3,6 @@ package pkg_test
 import (
 	"bytes"
 	"io"
-	"io/fs"
 	"reflect"
 	"testing"

@@ -39,7 +38,7 @@ func TestIRRoundtrip(t *testing.T) {
 		)},

 		{"exec offline", pkg.NewExec(
-			"exec-offline", "", nil, 0, false,
+			"exec-offline", nil, 0, false,
 			pkg.AbsWork,
 			[]string{"HAKUREI_TEST=1"},
 			check.MustAbs("/opt/bin/testtool"),
@@ -59,7 +58,7 @@ func TestIRRoundtrip(t *testing.T) {
 		)},

 		{"exec net", pkg.NewExec(
-			"exec-net", "",
+			"exec-net",
 			(*pkg.Checksum)(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
 			0, false,
 			pkg.AbsWork,
@@ -106,12 +105,9 @@ func TestIRRoundtrip(t *testing.T) {
 				if err := <-done; err != nil {
 					t.Fatalf("EncodeAll: error = %v", err)
 				}
-			}, expectsFS{
-				".":          {Mode: fs.ModeDir | 0700},
-				"checksum":   {Mode: fs.ModeDir | 0700},
-				"identifier": {Mode: fs.ModeDir | 0700},
-				"work":       {Mode: fs.ModeDir | 0700},
-			},
+			}, pkg.MustDecode(
+				"E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C",
+			),
 		}
 	}
 	checkWithCache(t, testCasesCache)
--- a/internal/pkg/net_test.go
+++ b/internal/pkg/net_test.go
@@ -3,12 +3,12 @@ package pkg_test
 import (
 	"crypto/sha512"
 	"io"
-	"io/fs"
 	"net/http"
 	"reflect"
 	"testing"
 	"testing/fstest"
 	"unique"
+	"unsafe"

 	"hakurei.app/check"
 	"hakurei.app/internal/pkg"
@@ -33,14 +33,20 @@ func TestHTTPGet(t *testing.T) {

 	checkWithCache(t, []cacheTestCase{
 		{"direct", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			r := newRContext(t, c)
+			var r pkg.RContext
+			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
+			reflect.NewAt(
+				rCacheVal.Type(),
+				unsafe.Pointer(rCacheVal.UnsafeAddr()),
+			).Elem().Set(reflect.ValueOf(c))
+
 			f := pkg.NewHTTPGet(
 				&client,
 				"file:///testdata",
 				testdataChecksum.Value(),
 			)
 			var got []byte
-			if rc, err := f.Cure(r); err != nil {
+			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
@@ -59,7 +65,7 @@ func TestHTTPGet(t *testing.T) {
 			wantErrMismatch := &pkg.ChecksumMismatchError{
 				Got: testdataChecksum.Value(),
 			}
-			if rc, err := f.Cure(r); err != nil {
+			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
@@ -70,7 +76,7 @@ func TestHTTPGet(t *testing.T) {
 			}

 			// check fallback validation
-			if rc, err := f.Cure(r); err != nil {
+			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if err = rc.Close(); !reflect.DeepEqual(err, wantErrMismatch) {
 				t.Fatalf("Close: error = %#v, want %#v", err, wantErrMismatch)
@@ -83,18 +89,18 @@ func TestHTTPGet(t *testing.T) {
 				pkg.Checksum{},
 			)
 			wantErrNotFound := pkg.ResponseStatusError(http.StatusNotFound)
-			if _, err := f.Cure(r); !reflect.DeepEqual(err, wantErrNotFound) {
+			if _, err := f.Cure(&r); !reflect.DeepEqual(err, wantErrNotFound) {
 				t.Fatalf("Cure: error = %#v, want %#v", err, wantErrNotFound)
 			}
-		}, expectsFS{
-			".":          {Mode: fs.ModeDir | 0700},
-			"checksum":   {Mode: fs.ModeDir | 0700},
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"work":       {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},

 		{"cure", pkg.CValidateKnown, nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
-			r := newRContext(t, c)
+			var r pkg.RContext
+			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
+			reflect.NewAt(
+				rCacheVal.Type(),
+				unsafe.Pointer(rCacheVal.UnsafeAddr()),
+			).Elem().Set(reflect.ValueOf(c))

 			f := pkg.NewHTTPGet(
 				&client,
@@ -114,7 +120,7 @@ func TestHTTPGet(t *testing.T) {
 			}

 			var got []byte
-			if rc, err := f.Cure(r); err != nil {
+			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
@@ -130,7 +136,7 @@ func TestHTTPGet(t *testing.T) {
 				"file:///testdata",
 				testdataChecksum.Value(),
 			)
-			if rc, err := f.Cure(r); err != nil {
+			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
@@ -150,16 +156,6 @@ func TestHTTPGet(t *testing.T) {
 			if _, _, err := c.Cure(f); !reflect.DeepEqual(err, wantErrNotFound) {
 				t.Fatalf("Pathname: error = %#v, want %#v", err, wantErrNotFound)
 			}
-		}, expectsFS{
-			".": {Mode: fs.ModeDir | 0700},
-
-			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU": {Mode: 0400, Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
-
-			"identifier": {Mode: fs.ModeDir | 0700},
-			"identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
-
-			"work": {Mode: fs.ModeDir | 0700},
-		}},
+		}, pkg.MustDecode("L_0RFHpr9JUS4Zp14rz2dESSRvfLzpvqsLhR1-YjQt8hYlmEdVl7vI3_-v8UNPKs")},
 	})
 }
--- a/internal/pkg/pkg.go
+++ b/internal/pkg/pkg.go
@@ -18,7 +18,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"slices"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -71,70 +70,8 @@ func MustDecode(s string) (checksum Checksum) {
 	return
 }

-var (
-	// extension is a string uniquely identifying a set of custom [Artifact]
-	// implementations registered by calling [Register].
-	extension string
-
-	// openMu synchronises access to global state for initialisation.
-	openMu sync.Mutex
-	// opened is false if [Open] was never called.
-	opened bool
-)
-
-// Extension returns a string uniquely identifying the currently registered set
-// of custom [Artifact], or the zero value if none was registered.
-func Extension() string { return extension }
-
-// ValidExtension returns whether s is valid for use in a call to SetExtension.
-func ValidExtension(s string) bool {
-	if l := len(s); l == 0 || l > 128 {
-		return false
-	}
-	for _, v := range s {
-		if v < 'a' || v > 'z' {
-			return false
-		}
-	}
-	return true
-}
-
-// ErrInvalidExtension is returned for a variant identification string for which
-// [ValidExtension] returns false.
-var ErrInvalidExtension = errors.New("invalid extension variant identification string")
-
-// SetExtension sets the extension variant identification string. SetExtension
-// must be called before [Open] if custom [Artifact] implementations had been
-// recorded by calling [Register].
-//
-// The variant identification string must be between 1 and 128 bytes long and
-// consists of only bytes between 'a' and 'z'.
-//
-// SetExtension is not safe for concurrent use. SetExtension is called at most
-// once and must not be called after the first instance of Cache has been opened.
-func SetExtension(s string) {
-	openMu.Lock()
-	defer openMu.Unlock()
-
-	if opened {
-		panic("attempting to set extension after open")
-	}
-	if extension != "" {
-		panic("attempting to set extension twice")
-	}
-	if !ValidExtension(s) {
-		panic(ErrInvalidExtension)
-	}
-	extension = s
-	statusHeader = makeStatusHeader(s)
-}
-
 // common holds elements and receives methods shared between different contexts.
 type common struct {
-	// Context specific to this [Artifact]. The toplevel context in [Cache] must
-	// not be exposed directly.
-	ctx context.Context
-
 	// Address of underlying [Cache], should be zeroed or made unusable after
 	// Cure returns and must not be exposed directly.
 	cache *Cache
@@ -161,27 +98,19 @@ type TContext struct {
 	common
 }

-// makeStatusHeader creates the header written to every status file. This should
-// not be called directly, its result is stored in statusHeader and will not
-// change after the first [Cache] is opened.
-func makeStatusHeader(extension string) string {
+// statusHeader is the header written to all status files in dirStatus.
+var statusHeader = func() string {
 	s := programName
 	if v := info.Version(); v != info.FallbackVersion {
 		s += " " + v
 	}
-	if extension != "" {
-		s += " with " + extension + " extensions"
-	}
 	s += " (" + runtime.GOARCH + ")"
 	if name, err := os.Hostname(); err == nil {
 		s += " on " + name
 	}
 	s += "\n\n"
 	return s
-}
-
-// statusHeader is the header written to all status files in dirStatus.
-var statusHeader = makeStatusHeader("")
+}()

 // prepareStatus initialises the status file once.
 func (t *TContext) prepareStatus() error {
@@ -254,15 +183,11 @@ func (t *TContext) destroy(errP *error) {
 }

 // Unwrap returns the underlying [context.Context].
-func (c *common) Unwrap() context.Context { return c.ctx }
+func (c *common) Unwrap() context.Context { return c.cache.ctx }

 // GetMessage returns [message.Msg] held by the underlying [Cache].
 func (c *common) GetMessage() message.Msg { return c.cache.msg }

-// GetJobs returns the preferred number of jobs to run, when applicable. Its
-// value must not affect cure outcome.
-func (c *common) GetJobs() int { return c.cache.jobs }
-
 // GetWorkDir returns a pathname to a directory which [Artifact] is expected to
 // write its output to. This is not the final resting place of the [Artifact]
 // and this pathname should not be directly referred to in the final contents.
@@ -282,11 +207,11 @@ func (t *TContext) GetTempDir() *check.Absolute { return t.temp }
 // [ChecksumMismatchError], or the underlying implementation may block on Close.
 func (c *common) Open(a Artifact) (r io.ReadCloser, err error) {
 	if f, ok := a.(FileArtifact); ok {
-		return c.cache.openFile(c.ctx, f)
+		return c.cache.openFile(f)
 	}

 	var pathname *check.Absolute
-	if pathname, _, err = c.cache.cure(a, true); err != nil {
+	if pathname, _, err = c.cache.Cure(a); err != nil {
 		return
 	}

@@ -447,9 +372,6 @@ type KnownChecksum interface {
 }

 // FileArtifact refers to an [Artifact] backed by a single file.
-//
-// FileArtifact does not support fine-grained cancellation. Its context is
-// inherited from the first [TrivialArtifact] or [FloodArtifact] that opens it.
 type FileArtifact interface {
 	// Cure returns [io.ReadCloser] of the full contents of [FileArtifact]. If
 	// [FileArtifact] implements [KnownChecksum], Cure is responsible for
@@ -494,9 +416,6 @@ const (
 	// KindFile is the kind of [Artifact] returned by [NewFile].
 	KindFile

-	// _kindEnd is the total number of kinds and does not denote a kind.
-	_kindEnd
-
 	// KindCustomOffset is the first [Kind] value reserved for implementations
 	// not from this package.
 	KindCustomOffset = 1 << 31
@@ -511,9 +430,6 @@ const (
 	// fileLock is the file name appended to Cache.base for guaranteeing
 	// exclusive access to the cache directory.
 	fileLock = "lock"
-	// fileVariant is the file name appended to Cache.base holding the variant
-	// identification string set by a prior call to [SetExtension].
-	fileVariant = "variant"

 	// dirIdentifier is the directory name appended to Cache.base for storing
 	// artifacts named after their [ID].
@@ -613,40 +529,8 @@ const (
 	// impurity due to [KindExecNet] being [KnownChecksum]. This flag exists
 	// to support kernels without Landlock LSM enabled.
 	CHostAbstract
-
-	// CPromoteVariant allows [pkg.Open] to promote an unextended on-disk cache
-	// to the current extension variant. This is a one-way operation.
-	CPromoteVariant
-
-	// CSuppressInit arranges for verbose output of the container init to be
-	// suppressed regardless of [message.Msg] state.
-	CSuppressInit
 )

-// toplevel holds [context.WithCancel] over caller-supplied context, where all
-// [Artifact] context are derived from.
-type toplevel struct {
-	ctx    context.Context
-	cancel context.CancelFunc
-}
-
-// newToplevel returns the address of a new toplevel via ctx.
-func newToplevel(ctx context.Context) *toplevel {
-	var t toplevel
-	t.ctx, t.cancel = context.WithCancel(ctx)
-	return &t
-}
-
-// pendingCure provides synchronisation and cancellation for pending cures.
-type pendingCure struct {
-	// Closed on cure completion.
-	done <-chan struct{}
-	// Error outcome, safe to access after done is closed.
-	err error
-	// Cancels the corresponding cure.
-	cancel context.CancelFunc
-}
-
 // Cache is a support layer that implementations of [Artifact] can use to store
 // cured [Artifact] data in a content addressed fashion.
 type Cache struct {
@@ -654,10 +538,11 @@ type Cache struct {
 	// implementation and receives an equal amount of elements after.
 	cures chan struct{}

-	// Parent context which toplevel was derived from.
-	parent context.Context
-	// For deriving curing context, must not be accessed directly.
-	toplevel atomic.Pointer[toplevel]
+	// [context.WithCancel] over caller-supplied context, used by [Artifact] and
+	// all dependency curing goroutines.
+	ctx context.Context
+	// Cancels ctx.
+	cancel context.CancelFunc
 	// For waiting on dependency curing goroutines.
 	wg sync.WaitGroup
 	// Reports new cures and passed to [Artifact].
@@ -667,11 +552,11 @@ type Cache struct {
 	base *check.Absolute
 	// Immutable cure options set by [Open].
 	flags int
-	// Immutable job count, when applicable.
-	jobs int

-	// Must not be exposed directly.
-	irCache
+	// Artifact to [unique.Handle] of identifier cache.
+	artifact sync.Map
+	// Identifier free list, must not be accessed directly.
+	identPool sync.Pool

 	// Synchronises access to dirChecksum.
 	checksumMu sync.RWMutex
@@ -681,11 +566,9 @@ type Cache struct {
 	// Identifier to error pair for unrecoverably faulted [Artifact].
 	identErr map[unique.Handle[ID]]error
 	// Pending identifiers, accessed through Cure for entries not in ident.
-	identPending map[unique.Handle[ID]]*pendingCure
+	identPending map[unique.Handle[ID]]<-chan struct{}
 	// Synchronises access to ident and corresponding filesystem entries.
 	identMu sync.RWMutex
-	// Synchronises entry into Abort and Cure.
-	abortMu sync.RWMutex

 	// Synchronises entry into exclusive artifacts for the cure method.
 	exclMu sync.Mutex
@@ -694,10 +577,8 @@ type Cache struct {

 	// Unlocks the on-filesystem cache. Must only be called from Close.
 	unlock func()
-	// Whether [Cache] is considered closed.
-	closed bool
-	// Synchronises calls to Abort and Close.
-	closeMu sync.Mutex
+	// Synchronises calls to Close.
+	closeOnce sync.Once

 	// Whether EnterExec has not yet returned.
 	inExec atomic.Bool
@@ -707,24 +588,24 @@ type Cache struct {
 type extIdent [wordSize + len(ID{})]byte

 // getIdentBuf returns the address of an extIdent for Ident.
-func (ic *irCache) getIdentBuf() *extIdent { return ic.identPool.Get().(*extIdent) }
+func (c *Cache) getIdentBuf() *extIdent { return c.identPool.Get().(*extIdent) }

 // putIdentBuf adds buf to identPool.
-func (ic *irCache) putIdentBuf(buf *extIdent) { ic.identPool.Put(buf) }
+func (c *Cache) putIdentBuf(buf *extIdent) { c.identPool.Put(buf) }

 // storeIdent adds an [Artifact] to the artifact cache.
-func (ic *irCache) storeIdent(a Artifact, buf *extIdent) unique.Handle[ID] {
+func (c *Cache) storeIdent(a Artifact, buf *extIdent) unique.Handle[ID] {
 	idu := unique.Make(ID(buf[wordSize:]))
-	ic.artifact.Store(a, idu)
+	c.artifact.Store(a, idu)
 	return idu
 }

 // Ident returns the identifier of an [Artifact].
-func (ic *irCache) Ident(a Artifact) unique.Handle[ID] {
-	buf, idu := ic.unsafeIdent(a, false)
+func (c *Cache) Ident(a Artifact) unique.Handle[ID] {
+	buf, idu := c.unsafeIdent(a, false)
 	if buf != nil {
-		idu = ic.storeIdent(a, buf)
-		ic.putIdentBuf(buf)
+		idu = c.storeIdent(a, buf)
+		c.putIdentBuf(buf)
 	}
 	return idu
 }
@@ -732,17 +613,17 @@ func (ic *irCache) Ident(a Artifact) unique.Handle[ID] {
 // unsafeIdent implements Ident but returns the underlying buffer for a newly
 // computed identifier. Callers must return this buffer to identPool. encodeKind
 // is only a hint, kind may still be encoded in the buffer.
-func (ic *irCache) unsafeIdent(a Artifact, encodeKind bool) (
+func (c *Cache) unsafeIdent(a Artifact, encodeKind bool) (
 	buf *extIdent,
 	idu unique.Handle[ID],
 ) {
-	if id, ok := ic.artifact.Load(a); ok {
+	if id, ok := c.artifact.Load(a); ok {
 		idu = id.(unique.Handle[ID])
 		return
 	}

 	if ki, ok := a.(KnownIdent); ok {
-		buf = ic.getIdentBuf()
+		buf = c.getIdentBuf()
 		if encodeKind {
 			binary.LittleEndian.PutUint64(buf[:], uint64(a.Kind()))
 		}
@@ -750,9 +631,9 @@ func (ic *irCache) unsafeIdent(a Artifact, encodeKind bool) (
 		return
 	}

-	buf = ic.getIdentBuf()
+	buf = c.getIdentBuf()
 	h := sha512.New384()
-	if err := ic.Encode(h, a); err != nil {
+	if err := c.Encode(h, a); err != nil {
 		// unreachable
 		panic(err)
 	}
@@ -1121,11 +1002,7 @@ func (c *Cache) Scrub(checks int) error {
 // loadOrStoreIdent attempts to load a cached [Artifact] by its identifier or
 // wait for a pending [Artifact] to cure. If neither is possible, the current
 // identifier is stored in identPending and a non-nil channel is returned.
-//
-// Since identErr is treated as grow-only, loadOrStoreIdent must not be entered
-// without holding a read lock on abortMu.
 func (c *Cache) loadOrStoreIdent(id unique.Handle[ID]) (
-	ctx context.Context,
 	done chan<- struct{},
 	checksum unique.Handle[Checksum],
 	err error,
@@ -1142,23 +1019,20 @@ func (c *Cache) loadOrStoreIdent(id unique.Handle[ID]) (
 		return
 	}

-	var pending *pendingCure
-	if pending, ok = c.identPending[id]; ok {
+	var notify <-chan struct{}
+	if notify, ok = c.identPending[id]; ok {
 		c.identMu.Unlock()
-		<-pending.done
+		<-notify
 		c.identMu.RLock()
 		if checksum, ok = c.ident[id]; !ok {
-			err = pending.err
+			err = c.identErr[id]
 		}
 		c.identMu.RUnlock()
 		return
 	}

 	d := make(chan struct{})
-	pending = &pendingCure{done: d}
-	ctx, pending.cancel = context.WithCancel(c.toplevel.Load().ctx)
-	c.wg.Add(1)
-	c.identPending[id] = pending
+	c.identPending[id] = d
 	c.identMu.Unlock()
 	done = d
 	return
@@ -1174,62 +1048,21 @@ func (c *Cache) finaliseIdent(
 ) {
 	c.identMu.Lock()
 	if err != nil {
-		c.identPending[id].err = err
 		c.identErr[id] = err
 	} else {
 		c.ident[id] = checksum
 	}
 	delete(c.identPending, id)
 	c.identMu.Unlock()
-	c.wg.Done()

 	close(done)
 }

-// Done returns a channel that is closed when the ongoing cure of an [Artifact]
-// referred to by the specified identifier completes. Done may return nil if
-// no ongoing cure of the specified identifier exists.
-func (c *Cache) Done(id unique.Handle[ID]) <-chan struct{} {
-	c.identMu.RLock()
-	pending, ok := c.identPending[id]
-	c.identMu.RUnlock()
-	if !ok || pending == nil {
-		return nil
-	}
-	return pending.done
-}
-
-// Cancel cancels the ongoing cure of an [Artifact] referred to by the specified
-// identifier. Cancel returns whether the [context.CancelFunc] has been killed.
-// Cancel returns after the cure is complete.
-func (c *Cache) Cancel(id unique.Handle[ID]) bool {
-	c.identMu.RLock()
-	pending, ok := c.identPending[id]
-	c.identMu.RUnlock()
-	if !ok || pending == nil || pending.cancel == nil {
-		return false
-	}
-	pending.cancel()
-	<-pending.done
-
-	c.abortMu.Lock()
-	c.identMu.Lock()
-	delete(c.identErr, id)
-	c.identMu.Unlock()
-	c.abortMu.Unlock()
-	return true
-}
-
 // openFile tries to load [FileArtifact] from [Cache], and if that fails,
 // obtains it via [FileArtifact.Cure] instead. Notably, it does not cure
 // [FileArtifact] to the filesystem. If err is nil, the caller is responsible
 // for closing the resulting [io.ReadCloser].
-//
-// The context must originate from loadOrStoreIdent to enable cancellation.
-func (c *Cache) openFile(
-	ctx context.Context,
-	f FileArtifact,
-) (r io.ReadCloser, err error) {
+func (c *Cache) openFile(f FileArtifact) (r io.ReadCloser, err error) {
 	if kc, ok := f.(KnownChecksum); c.flags&CAssumeChecksum != 0 && ok {
 		c.checksumMu.RLock()
 		r, err = os.Open(c.base.Append(
@@ -1260,7 +1093,7 @@ func (c *Cache) openFile(
 				}
 			}()
 		}
-		return f.Cure(&RContext{common{ctx, c}})
+		return f.Cure(&RContext{common{c}})
 	}
 	return
 }
@@ -1408,11 +1241,12 @@ func (c *Cache) Cure(a Artifact) (
 	checksum unique.Handle[Checksum],
 	err error,
 ) {
-	c.abortMu.RLock()
-	defer c.abortMu.RUnlock()
-
-	if err = c.toplevel.Load().ctx.Err(); err != nil {
+	select {
+	case <-c.ctx.Done():
+		err = c.ctx.Err()
 		return
+
+	default:
 	}

 	return c.cure(a, true)
@@ -1498,16 +1332,15 @@ func (c *Cache) enterCure(a Artifact, curesExempt bool) error {
 		return nil
 	}

-	ctx := c.toplevel.Load().ctx
 	select {
 	case c.cures <- struct{}{}:
 		return nil

-	case <-ctx.Done():
+	case <-c.ctx.Done():
 		if a.IsExclusive() {
 			c.exclMu.Unlock()
 		}
-		return ctx.Err()
+		return c.ctx.Err()
 	}
 }

@@ -1605,8 +1438,7 @@ func (r *RContext) NewMeasuredReader(
 	return r.cache.newMeasuredReader(rc, checksum)
 }

-// cure implements Cure without acquiring a read lock on abortMu. cure must not
-// be entered during Abort.
+// cure implements Cure without checking the full dependency graph.
 func (c *Cache) cure(a Artifact, curesExempt bool) (
 	pathname *check.Absolute,
 	checksum unique.Handle[Checksum],
@@ -1625,11 +1457,8 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		}
 	}()

-	var (
-		ctx  context.Context
-		done chan<- struct{}
-	)
-	ctx, done, checksum, err = c.loadOrStoreIdent(id)
+	var done chan<- struct{}
+	done, checksum, err = c.loadOrStoreIdent(id)
 	if done == nil {
 		return
 	} else {
@@ -1742,7 +1571,7 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		if err = c.enterCure(a, curesExempt); err != nil {
 			return
 		}
-		r, err = f.Cure(&RContext{common{ctx, c}})
+		r, err = f.Cure(&RContext{common{c}})
 		if err == nil {
 			if checksumPathname == nil || c.flags&CValidateKnown != 0 {
 				h := sha512.New384()
@@ -1822,7 +1651,7 @@ func (c *Cache) cure(a Artifact, curesExempt bool) (
 		c.base.Append(dirWork, ids),
 		c.base.Append(dirTemp, ids),
 		ids, nil, nil, nil,
-		common{ctx, c},
+		common{c},
 	}
 	switch ca := a.(type) {
 	case TrivialArtifact:
@@ -1973,65 +1802,23 @@ func (c *Cache) OpenStatus(a Artifact) (r io.ReadSeekCloser, err error) {
 	return
 }

-// Abort cancels all pending cures and waits for them to clean up, but does not
-// close the cache.
-func (c *Cache) Abort() {
-	c.closeMu.Lock()
-	defer c.closeMu.Unlock()
-
-	if c.closed {
-		return
-	}
-
-	c.toplevel.Load().cancel()
-	c.abortMu.Lock()
-	defer c.abortMu.Unlock()
-
-	// holding abortMu, identPending stays empty
-	c.wg.Wait()
-	c.identMu.Lock()
-	c.toplevel.Store(newToplevel(c.parent))
-	clear(c.identErr)
-	c.identMu.Unlock()
-}
-
 // Close cancels all pending cures and waits for them to clean up.
 func (c *Cache) Close() {
-	c.closeMu.Lock()
-	defer c.closeMu.Unlock()
-
-	if c.closed {
-		return
-	}
-
-	c.closed = true
-	c.toplevel.Load().cancel()
+	c.closeOnce.Do(func() {
+		c.cancel()
 		c.wg.Wait()
 		close(c.cures)
 		c.unlock()
+	})
 }

-// UnsupportedVariantError describes an on-disk cache with an extension variant
-// identification string that differs from the value returned by [Extension].
-type UnsupportedVariantError string
-
-func (e UnsupportedVariantError) Error() string {
-	return "unsupported variant " + strconv.Quote(string(e))
-}
-
-var (
-	// ErrWouldPromote is returned by [Open] if the [CPromoteVariant] bit is not
-	// set and the on-disk cache requires variant promotion.
-	ErrWouldPromote = errors.New("operation would promote unextended cache")
-)
-
 // Open returns the address of a newly opened instance of [Cache].
 //
 // Concurrent cures of a [FloodArtifact] dependency graph is limited to the
 // caller-supplied value, however direct calls to [Cache.Cure] is not subject
 // to this limitation.
 //
-// A cures or jobs value of 0 or lower is equivalent to the value returned by
+// A cures value of 0 or lower is equivalent to the value returned by
 // [runtime.NumCPU].
 //
 // A successful call to Open guarantees exclusive access to the on-filesystem
@@ -2041,10 +1828,10 @@ var (
 func Open(
 	ctx context.Context,
 	msg message.Msg,
-	flags, cures, jobs int,
+	flags, cures int,
 	base *check.Absolute,
 ) (*Cache, error) {
-	return open(ctx, msg, flags, cures, jobs, base, true)
+	return open(ctx, msg, flags, cures, base, true)
 }

 // open implements Open but allows omitting the [lockedfile] lock when called
@@ -2052,24 +1839,13 @@ func Open(
 func open(
 	ctx context.Context,
 	msg message.Msg,
-	flags, cures, jobs int,
+	flags, cures int,
 	base *check.Absolute,
 	lock bool,
 ) (*Cache, error) {
-	openMu.Lock()
-	defer openMu.Unlock()
-	opened = true
-
-	if extension == "" && len(irArtifact) != int(_kindEnd) {
-		panic("attempting to open cache with incomplete variant setup")
-	}
-
 	if cures < 1 {
 		cures = runtime.NumCPU()
 	}
-	if jobs < 1 {
-		jobs = runtime.NumCPU()
-	}

 	for _, name := range []string{
 		dirIdentifier,
@@ -2077,34 +1853,29 @@ func open(
 		dirStatus,
 		dirWork,
 	} {
-		if err := os.MkdirAll(
-			base.Append(name).String(),
-			0700,
-		); err != nil && !errors.Is(err, os.ErrExist) {
+		if err := os.MkdirAll(base.Append(name).String(), 0700); err != nil &&
+			!errors.Is(err, os.ErrExist) {
 			return nil, err
 		}
 	}

 	c := Cache{
-		parent: ctx,
-
 		cures: make(chan struct{}, cures),
 		flags: flags,
-		jobs:  jobs,

 		msg:  msg,
 		base: base,

-		irCache: zeroIRCache(),
+		identPool: sync.Pool{New: func() any { return new(extIdent) }},

 		ident:        make(map[unique.Handle[ID]]unique.Handle[Checksum]),
 		identErr:     make(map[unique.Handle[ID]]error),
-		identPending: make(map[unique.Handle[ID]]*pendingCure),
+		identPending: make(map[unique.Handle[ID]]<-chan struct{}),

 		brPool: sync.Pool{New: func() any { return new(bufio.Reader) }},
 		bwPool: sync.Pool{New: func() any { return new(bufio.Writer) }},
 	}
-	c.toplevel.Store(newToplevel(ctx))
+	c.ctx, c.cancel = context.WithCancel(ctx)

 	if lock || !testing.Testing() {
 		if unlock, err := lockedfile.MutexAt(
@@ -2118,45 +1889,6 @@ func open(
 		c.unlock = func() {}
 	}

-	variantPath := base.Append(fileVariant).String()
-	if p, err := os.ReadFile(variantPath); err != nil {
-		if !errors.Is(err, os.ErrNotExist) {
-			c.unlock()
-			return nil, err
-		}
-		// nonexistence implies newly created cache, or a cache predating
-		// variant identification strings, in which case it is silently promoted
-		if err = os.WriteFile(
-			variantPath,
-			[]byte(extension),
-			0400,
-		); err != nil {
-			c.unlock()
-			return nil, err
-		}
-	} else if s := string(p); s == "" {
-		if extension != "" {
-			if flags&CPromoteVariant == 0 {
-				c.unlock()
-				return nil, ErrWouldPromote
-			}
-			if err = os.WriteFile(
-				variantPath,
-				[]byte(extension),
-				0400,
-			); err != nil {
-				c.unlock()
-				return nil, err
-			}
-		}
-	} else if !ValidExtension(s) {
-		c.unlock()
-		return nil, ErrInvalidExtension
-	} else if s != extension {
-		c.unlock()
-		return nil, UnsupportedVariantError(s)
-	}
-
 	return &c, nil
 }

--- a/internal/pkg/pkg_test.go
+++ b/internal/pkg/pkg_test.go
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Kat	38728cd627	TODO: actually write tests lol	2026-04-09 11:46:25 +10:00
Kat	ce7483c648	cmd/pkgserver/ui_test: implement skipping from DSL	2026-04-09 11:46:25 +10:00
Kat	cb61f19ee1	cmd/pkgserver/ui_test: add JSON reporter for go test integration	2026-04-09 11:46:25 +10:00
Kat	e993094ab5	cmd/pkgserver/ui_test: implement DSL and runner	2026-04-09 11:46:25 +10:00
Kat	77cf1b8d80	cmd/pkgserver/ui_test: add DOM reporter	2026-04-09 11:46:25 +10:00
Kat	b83191c028	cmd/pkgserver/ui_test: add basic CLI reporter	2026-04-09 11:46:25 +10:00
Kat	0183064f25	cmd/pkgserver: enable TypeScript's strict mode	2026-04-09 11:46:25 +10:00
mae	0db8da9cba	cmd/pkgserver: remove get endpoint count field	2026-04-08 20:26:38 -05:00
mae	4ae5468cf6	cmd/pkgserver: search endpoint	2026-04-08 20:26:38 -05:00
mae	226b86fe38	cmd/pkgserver: pagination bugfix	2026-04-08 20:26:38 -05:00
Ophestra	23b5d0dd3e	cmd/pkgserver: guard sass/ts behind build tag Packaging nodejs and ruby is an immense burden for the Rosa OS base system, and these files diff poorly. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
mae	ba06769c5f	cmd/pkgserver: add size	2026-04-08 20:26:38 -05:00
Ophestra	28e84f0445	cmd/pkgserver: expose size and store pre-encoded ident This change also handles SIGSEGV correctly in newStatusHandler, and makes serving status fully zero copy. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	51ae9496e9	cmd/pkgserver: look up status by name once This has far less overhead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	3cd8abc451	cmd/pkgserver: refer to preset in index This enables referencing back to internal/rosa through an entry obtained via the index. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	edf4d0d32a	cmd/pkgserver: handle unversioned value This omits the field for an unversioned artifact, and only does so once on startup. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	97657ad9fc	cmd/pkgserver: determine disposition route in mux This removes duplicate checks and uses the more sound check in mux. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	81344a1c8a	cmd/pkgserver: format get error messages This improves source code readability on smaller displays. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	50514edc00	cmd/pkgserver: constant string in pattern This resolves patterns at compile time. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	7affd5735a	cmd/pkgserver: satisfy handler signature in method This is somewhat cleaner. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	0a2d9dbe42	cmd/pkgserver: log instead of write encoding error This message is unlikely to be useful to the user, and output may be partially written at this point, causing the error to be even less intelligible. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	049f212a02	cmd/pkgserver: appropriately mark test helpers This improves usefulness of test log messages. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	ccecaee7ca	cmd/pkgserver: do not omit report field Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	365602c9b6	cmd/pkgserver: gracefully shut down on signal Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	85e066ccc4	cmd/pkgserver: specify full addr string in flag This allows greater flexibility. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	ffe37ae439	cmd/pkgserver: make report argument optional This allows serving metadata only without a populated report. This also removes the out-of-bounds read on args when no arguments are passed. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	222a2aa8b4	cmd/pkgserver: embed internal/rosa metadata This change also cleans up and reduces some unnecessary copies. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:38 -05:00
Ophestra	29384553bf	cmd/pkgserver: do not assume default mux This helps with testing. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:37 -05:00
Ophestra	cb0c652b18	cmd/pkgserver: create index without report This is useful for testing, where report testdata is not available. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-04-08 20:26:37 -05:00
mae	5552598bc4	cmd/pkgserver: add sort orders, change pagination rules	2026-04-08 20:26:37 -05:00
mae	3db5603e78	cmd/pkgserver: add /status endpoint	2026-04-08 20:26:37 -05:00
mae	08d120a84d	cmd/pkgserver: minimum viable frontend	2026-04-08 20:26:37 -05:00
mae	1ecdcdc243	cmd/pkgserver: api versioning	2026-04-08 20:26:37 -05:00
mae	e425c3b769	cmd/pkgserver: add get endpoint	2026-04-08 20:26:37 -05:00
mae	3d8b89e1ab	cmd/pkgserver: add count endpoint and restructure	2026-04-08 20:26:37 -05:00
mae	b2777de621	cmd/pkgserver: add status endpoint	2026-04-08 20:26:37 -05:00
mae	529a641fcd	cmd/pkgserver: add createPackageIndex	2026-04-08 20:26:37 -05:00
mae	0e34ec3093	cmd/pkgserver: add command handler	2026-04-08 20:26:37 -05:00
mae	31b2d5431c	cmd/pkgserver: replace favicon	2026-04-08 20:26:37 -05:00
mae	d6954e6bdb	cmd/pkgserver: pagination	2026-04-08 20:26:37 -05:00
mae	1cda0d83c3	cmd/pkgserver: basic web ui	2026-04-08 20:26:37 -05:00