cmd/pkgserver: remove get endpoint count field

cmd/pkgserver: search endpoint
cmd/pkgserver: pagination bugfix
2026-03-13 20:51:08 -05:00 · 2026-03-13 20:51:08 -05:00 · 2026-03-13 20:51:08 -05:00 · 2026-03-13 20:51:08 -05:00 · 2026-03-13 20:51:08 -05:00 · 2026-03-13 20:51:08 -05:00
42 changed files with 1611 additions and 708 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,10 @@ go.work.sum

 # go generate
 /cmd/hakurei/LICENSE
+/cmd/pkgserver/.sass-cache
+/cmd/pkgserver/ui/static/*.js
+/cmd/pkgserver/ui/static/*.css*
+/cmd/pkgserver/ui/static/*.css.map
 /internal/pkg/testdata/testtool
 /internal/rosa/hakurei_current.tar.gz

--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/rosa/hakurei">
+  <a href="https://git.gensokyo.uk/security/hakurei">
    <picture>
      <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
    </picture>
@@ -8,16 +8,16 @@

 <p align="center">
  <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
-  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
  <br/>
-  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
  <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>

 Hakurei is a tool for running sandboxed desktop applications as dedicated
 subordinate users on the Linux kernel. It implements the application container
-of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
+of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
 self-contained Android-like package manager with modern security features.

 Interaction with hakurei happens entirely through structures described by
@@ -62,4 +62,4 @@ are very likely to be rejected.
 ## NixOS Module (deprecated)

 The NixOS module is in maintenance mode and will be removed once planterette is
-feature-complete. Full module documentation can be found [here](options.md).
+feature-complete. Full module documentation can be found [here](options.md).
--- a/cmd/earlyinit/main.go
+++ b/cmd/earlyinit/main.go
@@ -4,7 +4,6 @@ import (
 	"log"
 	"os"
 	"runtime"
-	"strings"
 	. "syscall"
 )

@@ -13,22 +12,6 @@ func main() {
 	log.SetFlags(0)
 	log.SetPrefix("earlyinit: ")

-	var (
-		option map[string]string
-		flags  []string
-	)
-	if len(os.Args) > 1 {
-		option = make(map[string]string)
-		for _, s := range os.Args[1:] {
-			key, value, ok := strings.Cut(s, "=")
-			if !ok {
-				flags = append(flags, s)
-				continue
-			}
-			option[key] = value
-		}
-	}
-
 	if err := Mount(
 		"devtmpfs",
 		"/dev/",
@@ -72,56 +55,4 @@ func main() {
 		}
 	}

-	// staying in rootfs, these are no longer used
-	must(os.Remove("/root"))
-	must(os.Remove("/init"))
-
-	must(os.Mkdir("/proc", 0))
-	mustSyscall("mount proc", Mount(
-		"proc",
-		"/proc",
-		"proc",
-		MS_NOSUID|MS_NOEXEC|MS_NODEV,
-		"hidepid=1",
-	))
-
-	must(os.Mkdir("/sys", 0))
-	mustSyscall("mount sysfs", Mount(
-		"sysfs",
-		"/sys",
-		"sysfs",
-		0,
-		"",
-	))
-
-	// after top level has been set up
-	mustSyscall("remount root", Mount(
-		"",
-		"/",
-		"",
-		MS_REMOUNT|MS_BIND|
-			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
-		"",
-	))
-
-	must(os.WriteFile(
-		"/sys/module/firmware_class/parameters/path",
-		[]byte("/system/lib/firmware"),
-		0,
-	))
-
-}
-
-// mustSyscall calls [log.Fatalln] if err is non-nil.
-func mustSyscall(action string, err error) {
-	if err != nil {
-		log.Fatalln("cannot "+action+":", err)
-	}
-}
-
-// must calls [log.Fatal] with err if it is non-nil.
-func must(err error) {
-	if err != nil {
-		log.Fatal(err)
-	}
 }
--- a/cmd/pkgserver/api.go
+++ b/cmd/pkgserver/api.go
@@ -0,0 +1,176 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+	"sync"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// for lazy initialisation of serveInfo
+var (
+	infoPayload struct {
+		// Current package count.
+		Count int `json:"count"`
+		// Hakurei version, set at link time.
+		HakureiVersion string `json:"hakurei_version"`
+	}
+	infoPayloadOnce sync.Once
+)
+
+// handleInfo writes constant system information.
+func handleInfo(w http.ResponseWriter, _ *http.Request) {
+	infoPayloadOnce.Do(func() {
+		infoPayload.Count = int(rosa.PresetUnexportedStart)
+		infoPayload.HakureiVersion = info.Version()
+	})
+	// TODO(mae): cache entire response if no additional fields are planned
+	writeAPIPayload(w, infoPayload)
+}
+
+// newStatusHandler returns a [http.HandlerFunc] that offers status files for
+// viewing or download, if available.
+func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		m, ok := index.names[path.Base(r.URL.Path)]
+		if !ok || !m.HasReport {
+			http.NotFound(w, r)
+			return
+		}
+
+		contentType := "text/plain; charset=utf-8"
+		if disposition {
+			contentType = "application/octet-stream"
+
+			// quoting like this is unsound, but okay, because metadata is hardcoded
+			contentDisposition := `attachment; filename="`
+			contentDisposition += m.Name + "-"
+			if m.Version != "" {
+				contentDisposition += m.Version + "-"
+			}
+			contentDisposition += m.ids + `.log"`
+			w.Header().Set("Content-Disposition", contentDisposition)
+		}
+		w.Header().Set("Content-Type", contentType)
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		if err := func() (err error) {
+			defer index.handleAccess(&err)()
+			_, err = w.Write(m.status)
+			return
+		}(); err != nil {
+			log.Println(err)
+			http.Error(
+				w, "cannot deliver status, contact maintainers",
+				http.StatusInternalServerError,
+			)
+		}
+	}
+}
+
+// handleGet writes a slice of metadata with specified order.
+func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	sort, err := strconv.Atoi(q.Get("sort"))
+	if err != nil || sort >= len(index.sorts) || sort < 0 {
+		http.Error(
+			w, "sort must be an integer between 0 and "+
+				strconv.Itoa(sortOrderEnd),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
+	writeAPIPayload(w, &struct {
+		Values []*metadata `json:"values"`
+	}{values})
+}
+
+func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	search, err := url.PathUnescape(q.Get("search"))
+	if len(search) > 100 || err != nil {
+		http.Error(
+			w, "search must be a string between 0 and 100 characters long",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	desc := q.Get("desc") == "true"
+	n, res, err := index.performSearchQuery(limit, i, search, desc)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+	writeAPIPayload(w, &struct {
+		Count   int            `json:"count"`
+		Results []searchResult `json:"results"`
+	}{n, res})
+}
+
+// apiVersion is the name of the current API revision, as part of the pattern.
+const apiVersion = "v1"
+
+// registerAPI registers API handler functions.
+func (index *packageIndex) registerAPI(mux *http.ServeMux) {
+	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
+	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
+	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
+	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
+	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
+}
+
+// writeAPIPayload sets headers common to API responses and encodes payload as
+// JSON for the response body.
+func writeAPIPayload(w http.ResponseWriter, payload any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+
+	if err := json.NewEncoder(w).Encode(payload); err != nil {
+		log.Println(err)
+		http.Error(
+			w, "cannot encode payload, contact maintainers",
+			http.StatusInternalServerError,
+		)
+	}
+}
--- a/cmd/pkgserver/api_test.go
+++ b/cmd/pkgserver/api_test.go
@@ -0,0 +1,183 @@
+package main
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"slices"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// prefix is prepended to every API path.
+const prefix = "/api/" + apiVersion + "/"
+
+func TestAPIInfo(t *testing.T) {
+	t.Parallel()
+
+	w := httptest.NewRecorder()
+	handleInfo(w, httptest.NewRequestWithContext(
+		t.Context(),
+		http.MethodGet,
+		prefix+"info",
+		nil,
+	))
+
+	resp := w.Result()
+	checkStatus(t, resp, http.StatusOK)
+	checkAPIHeader(t, w.Header())
+
+	checkPayload(t, resp, struct {
+		Count          int    `json:"count"`
+		HakureiVersion string `json:"hakurei_version"`
+	}{int(rosa.PresetUnexportedStart), info.Version()})
+}
+
+func TestAPIGet(t *testing.T) {
+	t.Parallel()
+	const target = prefix + "get"
+
+	index := newIndex(t)
+	newRequest := func(suffix string) *httptest.ResponseRecorder {
+		w := httptest.NewRecorder()
+		index.handleGet(w, httptest.NewRequestWithContext(
+			t.Context(),
+			http.MethodGet,
+			target+suffix,
+			nil,
+		))
+		return w
+	}
+
+	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
+		t.Run("invalid", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=invalid")
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+		})
+
+		t.Run("min", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+
+		t.Run("max", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+	}
+
+	t.Run("limit", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&sort=0&limit", 1, 100,
+			"limit must be an integer between 1 and 100",
+		)
+	})
+
+	t.Run("index", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "limit=1&sort=0&index", 0, int(rosa.PresetUnexportedStart-1),
+			"index must be an integer between 0 and "+strconv.Itoa(int(rosa.PresetUnexportedStart-1)),
+		)
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
+			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
+		)
+	})
+
+	checkWithSuffix := func(name, suffix string, want []*metadata) {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest(suffix)
+			resp := w.Result()
+			checkStatus(t, resp, http.StatusOK)
+			checkAPIHeader(t, w.Header())
+			checkPayloadFunc(t, resp, func(got *struct {
+				Count  int         `json:"count"`
+				Values []*metadata `json:"values"`
+			}) bool {
+				return got.Count == len(want) &&
+					slices.EqualFunc(got.Values, want, func(a, b *metadata) bool {
+						return (a.Version == b.Version ||
+							a.Version == rosa.Unversioned ||
+							b.Version == rosa.Unversioned) &&
+							a.HasReport == b.HasReport &&
+							a.Name == b.Name &&
+							a.Description == b.Description &&
+							a.Website == b.Website
+					})
+			})
+
+		})
+	}
+
+	checkWithSuffix("declarationAscending", "?limit=2&index=0&sort=0", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(0),
+			Version:  rosa.Std.Version(0),
+		},
+		{
+			Metadata: rosa.GetMetadata(1),
+			Version:  rosa.Std.Version(1),
+		},
+	})
+	checkWithSuffix("declarationAscending offset", "?limit=3&index=5&sort=0", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(5),
+			Version:  rosa.Std.Version(5),
+		},
+		{
+			Metadata: rosa.GetMetadata(6),
+			Version:  rosa.Std.Version(6),
+		},
+		{
+			Metadata: rosa.GetMetadata(7),
+			Version:  rosa.Std.Version(7),
+		},
+	})
+	checkWithSuffix("declarationDescending", "?limit=3&index=0&sort=1", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 1),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 1),
+		},
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 2),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 2),
+		},
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 3),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 3),
+		},
+	})
+	checkWithSuffix("declarationDescending offset", "?limit=1&index=37&sort=1", []*metadata{
+		{
+			Metadata: rosa.GetMetadata(rosa.PresetUnexportedStart - 38),
+			Version:  rosa.Std.Version(rosa.PresetUnexportedStart - 38),
+		},
+	})
+}
--- a/cmd/pkgserver/index.go
+++ b/cmd/pkgserver/index.go
@@ -0,0 +1,105 @@
+package main
+
+import (
+	"cmp"
+	"errors"
+	"slices"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+const (
+	declarationAscending = iota
+	declarationDescending
+	nameAscending
+	nameDescending
+	sizeAscending
+	sizeDescending
+
+	sortOrderEnd = iota - 1
+)
+
+// packageIndex refers to metadata by name and various sort orders.
+type packageIndex struct {
+	sorts  [sortOrderEnd + 1][rosa.PresetUnexportedStart]*metadata
+	names  map[string]*metadata
+	search searchCache
+	// Taken from [rosa.Report] if available.
+	handleAccess func(*error) func()
+}
+
+// metadata holds [rosa.Metadata] extended with additional information.
+type metadata struct {
+	p rosa.PArtifact
+	*rosa.Metadata
+
+	// Populated via [rosa.Toolchain.Version], [rosa.Unversioned] is equivalent
+	// to the zero value. Otherwise, the zero value is invalid.
+	Version string `json:"version,omitempty"`
+	// Output data size, available if present in report.
+	Size int64 `json:"size,omitempty"`
+	// Whether the underlying [pkg.Artifact] is present in the report.
+	HasReport bool `json:"report"`
+
+	// Ident string encoded ahead of time.
+	ids string
+	// Backed by [rosa.Report], access must be prepared by HandleAccess.
+	status []byte
+}
+
+// populate deterministically populates packageIndex, optionally with a report.
+func (index *packageIndex) populate(cache *pkg.Cache, report *rosa.Report) (err error) {
+	if report != nil {
+		defer report.HandleAccess(&err)()
+		index.handleAccess = report.HandleAccess
+	}
+
+	var work [rosa.PresetUnexportedStart]*metadata
+	index.names = make(map[string]*metadata)
+	for p := range rosa.PresetUnexportedStart {
+		m := metadata{
+			p: p,
+
+			Metadata: rosa.GetMetadata(p),
+			Version:  rosa.Std.Version(p),
+		}
+		if m.Version == "" {
+			return errors.New("invalid version from " + m.Name)
+		}
+		if m.Version == rosa.Unversioned {
+			m.Version = ""
+		}
+
+		if cache != nil && report != nil {
+			id := cache.Ident(rosa.Std.Load(p))
+			m.ids = pkg.Encode(id.Value())
+			m.status, m.Size = report.ArtifactOf(id)
+			m.HasReport = m.Size >= 0
+		}
+
+		work[p] = &m
+		index.names[m.Name] = &m
+	}
+
+	index.sorts[declarationAscending] = work
+	index.sorts[declarationDescending] = work
+	slices.Reverse(index.sorts[declarationDescending][:])
+
+	index.sorts[nameAscending] = work
+	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+	index.sorts[nameDescending] = index.sorts[nameAscending]
+	slices.Reverse(index.sorts[nameDescending][:])
+
+	index.sorts[sizeAscending] = work
+	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
+		return cmp.Compare(a.Size, b.Size)
+	})
+	index.sorts[sizeDescending] = index.sorts[sizeAscending]
+	slices.Reverse(index.sorts[sizeDescending][:])
+
+	return
+}
--- a/cmd/pkgserver/main.go
+++ b/cmd/pkgserver/main.go
@@ -0,0 +1,114 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"hakurei.app/command"
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+const shutdownTimeout = 15 * time.Second
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("pkgserver: ")
+
+	var (
+		flagBaseDir string
+		flagAddr    string
+	)
+
+	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
+	defer stop()
+	msg := message.New(log.Default())
+
+	c := command.New(os.Stderr, log.Printf, "pkgserver", func(args []string) error {
+		var (
+			cache  *pkg.Cache
+			report *rosa.Report
+		)
+		switch len(args) {
+		case 0:
+			break
+
+		case 1:
+			baseDir, err := check.NewAbs(flagBaseDir)
+			if err != nil {
+				return err
+			}
+
+			cache, err = pkg.Open(ctx, msg, 0, baseDir)
+			if err != nil {
+				return err
+			}
+			defer cache.Close()
+
+			report, err = rosa.OpenReport(args[0])
+			if err != nil {
+				return err
+			}
+
+		default:
+			return errors.New("pkgserver requires 1 argument")
+
+		}
+
+		var index packageIndex
+		index.search = make(searchCache)
+		if err := index.populate(cache, report); err != nil {
+			return err
+		}
+		ticker := time.NewTicker(1 * time.Minute)
+		go func() {
+			for {
+				select {
+				case <-ctx.Done():
+					ticker.Stop()
+					return
+				case <-ticker.C:
+					index.search.clean()
+				}
+			}
+		}()
+		var mux http.ServeMux
+		uiRoutes(&mux)
+		index.registerAPI(&mux)
+		server := http.Server{
+			Addr:    flagAddr,
+			Handler: &mux,
+		}
+		go func() {
+			<-ctx.Done()
+			c, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+			defer cancel()
+			if err := server.Shutdown(c); err != nil {
+				log.Fatal(err)
+			}
+		}()
+		return server.ListenAndServe()
+	}).Flag(
+		&flagBaseDir,
+		"b", command.StringFlag(""),
+		"base directory for cache",
+	).Flag(
+		&flagAddr,
+		"addr", command.StringFlag(":8067"),
+		"TCP network address to listen on",
+	)
+	c.MustParse(os.Args[1:], func(err error) {
+		if errors.Is(err, http.ErrServerClosed) {
+			os.Exit(0)
+		}
+		log.Fatal(err)
+	})
+}
--- a/cmd/pkgserver/main_test.go
+++ b/cmd/pkgserver/main_test.go
@@ -0,0 +1,96 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+// newIndex returns the address of a newly populated packageIndex.
+func newIndex(t *testing.T) *packageIndex {
+	t.Helper()
+
+	var index packageIndex
+	if err := index.populate(nil, nil); err != nil {
+		t.Fatalf("populate: error = %v", err)
+	}
+	return &index
+}
+
+// checkStatus checks response status code.
+func checkStatus(t *testing.T, resp *http.Response, want int) {
+	t.Helper()
+
+	if resp.StatusCode != want {
+		t.Errorf(
+			"StatusCode: %s, want %s",
+			http.StatusText(resp.StatusCode),
+			http.StatusText(want),
+		)
+	}
+}
+
+// checkHeader checks the value of a header entry.
+func checkHeader(t *testing.T, h http.Header, key, want string) {
+	t.Helper()
+
+	if got := h.Get(key); got != want {
+		t.Errorf("%s: %q, want %q", key, got, want)
+	}
+}
+
+// checkAPIHeader checks common entries set for API endpoints.
+func checkAPIHeader(t *testing.T, h http.Header) {
+	t.Helper()
+
+	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
+	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
+	checkHeader(t, h, "Pragma", "no-cache")
+	checkHeader(t, h, "Expires", "0")
+}
+
+// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
+func checkPayloadFunc[T any](
+	t *testing.T,
+	resp *http.Response,
+	f func(got *T) bool,
+) {
+	t.Helper()
+
+	var got T
+	r := io.Reader(resp.Body)
+	if testing.Verbose() {
+		var buf bytes.Buffer
+		r = io.TeeReader(r, &buf)
+		defer func() { t.Helper(); t.Log(buf.String()) }()
+	}
+	if err := json.NewDecoder(r).Decode(&got); err != nil {
+		t.Fatalf("Decode: error = %v", err)
+	}
+
+	if !f(&got) {
+		t.Errorf("Body: %#v", got)
+	}
+}
+
+// checkPayload checks the JSON response of an API endpoint.
+func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
+	t.Helper()
+
+	checkPayloadFunc(t, resp, func(got *T) bool {
+		return reflect.DeepEqual(got, &want)
+	})
+}
+
+func checkError(t *testing.T, resp *http.Response, error string, code int) {
+	t.Helper()
+
+	checkStatus(t, resp, code)
+	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
+		t.Errorf("Body: %q, want %q", string(got), error)
+	}
+}
--- a/cmd/pkgserver/search.go
+++ b/cmd/pkgserver/search.go
@@ -0,0 +1,77 @@
+package main
+
+import (
+	"cmp"
+	"maps"
+	"regexp"
+	"slices"
+	"time"
+)
+
+type searchCache map[string]searchCacheEntry
+type searchResult struct {
+	NameIndices [][]int `json:"name_matches"`
+	DescIndices [][]int `json:"desc_matches,omitempty"`
+	Score       float64 `json:"score"`
+	*metadata
+}
+type searchCacheEntry struct {
+	query   string
+	results []searchResult
+	expiry  time.Time
+}
+
+func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
+	entry, ok := index.search[search]
+	if ok {
+		return len(entry.results), entry.results[i:min(i+limit, len(entry.results))], nil
+	}
+
+	regex, err := regexp.Compile(search)
+	if err != nil {
+		return 0, make([]searchResult, 0), err
+	}
+	res := make([]searchResult, 0)
+	for p := range maps.Values(index.names) {
+		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
+		var descIndices [][]int = nil
+		if desc {
+			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
+		}
+		if nameIndices == nil && descIndices == nil {
+			continue
+		}
+		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
+		if desc {
+			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
+		}
+		res = append(res, searchResult{
+			NameIndices: nameIndices,
+			DescIndices: descIndices,
+			Score:       score,
+			metadata:    p,
+		})
+	}
+	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
+	expiry := time.Now().Add(1 * time.Minute)
+	entry = searchCacheEntry{
+		query:   search,
+		results: res,
+		expiry:  expiry,
+	}
+	index.search[search] = entry
+
+	return len(res), res[i:min(i+limit, len(entry.results))], nil
+}
+func (s *searchCache) clean() {
+	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
+		return v.expiry.Before(time.Now())
+	})
+}
+func indexsum(in [][]int) int {
+	sum := 0
+	for i := 0; i < len(in); i++ {
+		sum += in[i][1] - in[i][0]
+	}
+	return sum
+}
--- a/cmd/pkgserver/ui.go
+++ b/cmd/pkgserver/ui.go
@@ -0,0 +1,38 @@
+package main
+
+import "net/http"
+
+func serveWebUI(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-XSS-Protection", "1")
+	w.Header().Set("X-Frame-Options", "DENY")
+
+	http.ServeFileFS(w, r, content, "ui/index.html")
+}
+func serveStaticContent(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case "/static/style.css":
+		darkTheme := r.CookiesNamed("dark_theme")
+		if len(darkTheme) > 0 && darkTheme[0].Value == "true" {
+			http.ServeFileFS(w, r, content, "ui/static/dark.css")
+		} else {
+			http.ServeFileFS(w, r, content, "ui/static/light.css")
+		}
+	case "/favicon.ico":
+		http.ServeFileFS(w, r, content, "ui/static/favicon.ico")
+	case "/static/index.js":
+		http.ServeFileFS(w, r, content, "ui/static/index.js")
+	default:
+		http.NotFound(w, r)
+
+	}
+}
+
+func uiRoutes(mux *http.ServeMux) {
+	mux.HandleFunc("GET /{$}", serveWebUI)
+	mux.HandleFunc("GET /favicon.ico", serveStaticContent)
+	mux.HandleFunc("GET /static/", serveStaticContent)
+}
--- a/cmd/pkgserver/ui/index.html
+++ b/cmd/pkgserver/ui/index.html
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <link rel="stylesheet" href="static/style.css">
+    <title>Hakurei PkgServer</title>
+    <script src="static/index.js"></script>
+</head>
+<body>
+<h1>Hakurei PkgServer</h1>
+
+<table id="pkg-list">
+    <tr><td>Loading...</td></tr>
+</table>
+<p>Showing entries <span id="entry-counter"></span>.</p>
+<span class="bottom-nav"><a href="javascript:prevPage()">&laquo; Previous</a> <span id="page-number">1</span> <a href="javascript:nextPage()">Next &raquo;</a></span>
+<span><label for="count">Entries per page: </label><select name="count" id="count">
+    <option value="10">10</option>
+    <option value="20">20</option>
+    <option value="30">30</option>
+    <option value="50">50</option>
+</select></span>
+<span><label for="sort">Sort by: </label><select name="sort" id="sort">
+    <option value="0">Definition (ascending)</option>
+    <option value="1">Definition (descending)</option>
+    <option value="2">Name (ascending)</option>
+    <option value="3">Name (descending)</option>
+    <option value="4">Size (ascending)</option>
+    <option value="5">Size (descending)</option>
+</select></span>
+</body>
+<footer>
+    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
+</footer>
+</html>
--- a/cmd/pkgserver/ui/static/_common.scss
+++ b/cmd/pkgserver/ui/static/_common.scss
--- a/cmd/pkgserver/ui/static/dark.scss
+++ b/cmd/pkgserver/ui/static/dark.scss
@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #2c2c2c;
+  color: ghostwhite;
+}
--- a/cmd/pkgserver/ui/static/favicon.ico
+++ b/cmd/pkgserver/ui/static/favicon.ico
--- a/cmd/pkgserver/ui/static/index.ts
+++ b/cmd/pkgserver/ui/static/index.ts
@@ -0,0 +1,155 @@
+class PackageIndexEntry {
+    name: string
+    size: number | null
+    description: string | null
+    website: string | null
+    version: string | null
+    report:  boolean
+}
+function toHTML(entry: PackageIndexEntry): HTMLTableRowElement {
+    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
+    let s = entry.size != null ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
+    let d = entry.description != null ? `<p>${escapeHtml(entry.description)}</p>` : ""
+    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
+    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
+    let row = <HTMLTableRowElement>(document.createElement('tr'))
+    row.innerHTML = `<td>
+            <h2>${escapeHtml(entry.name)} ${v}</h2>
+            ${d}
+            ${s}
+            ${w}
+            ${r}
+        </td>`
+    return row
+}
+
+function toByteSizeString(bytes: number): string {
+    if(bytes == null || bytes < 1024) return `${bytes}B`
+    if(bytes < Math.pow(1024, 2)) return `${(bytes/1024).toFixed(2)}kiB`
+    if(bytes < Math.pow(1024, 3)) return `${(bytes/Math.pow(1024, 2)).toFixed(2)}MiB`
+    if(bytes < Math.pow(1024, 4)) return `${(bytes/Math.pow(1024, 3)).toFixed(2)}GiB`
+    if(bytes < Math.pow(1024, 5)) return `${(bytes/Math.pow(1024, 4)).toFixed(2)}TiB`
+    return "not only is it big, it's large"
+}
+
+const API_VERSION = 1
+const ENDPOINT = `/api/v${API_VERSION}`
+class InfoPayload {
+    count: number
+    hakurei_version: string
+}
+
+async function infoRequest(): Promise<InfoPayload> {
+    const res = await fetch(`${ENDPOINT}/info`)
+    const payload = await res.json()
+    return payload as InfoPayload
+}
+class GetPayload {
+    values: PackageIndexEntry[]
+}
+
+enum SortOrders {
+    DeclarationAscending,
+    DeclarationDescending,
+    NameAscending,
+    NameDescending
+}
+async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
+    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
+    const payload = await res.json()
+    return payload as GetPayload
+}
+class State {
+    entriesPerPage: number = 10
+    entryIndex: number = 0
+    maxEntries: number = 0
+    sort: SortOrders = SortOrders.DeclarationAscending
+
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
+    }
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updatePage()
+        this.updateRange()
+        this.updateListings()
+    }
+    getMaxEntries(): number {
+        return this.maxEntries
+    }
+    setMaxEntries(max: number) {
+        this.maxEntries = max
+    }
+    getSortOrder(): SortOrders {
+        return this.sort
+    }
+    setSortOrder(sortOrder: SortOrders) {
+        this.sort = sortOrder
+        this.setEntryIndex(0)
+    }
+    updatePage() {
+        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
+        document.getElementById("page-number").innerText = String(page)
+    }
+    updateRange() {
+        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxEntries())
+        document.getElementById("entry-counter").innerText = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxEntries()}`
+    }
+    updateListings() {
+        getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
+            .then(res => {
+                let table = document.getElementById("pkg-list")
+                table.innerHTML = ''
+                res.values.forEach((row) => {
+                    table.appendChild(toHTML(row))
+                })
+            })
+    }
+
+}
+
+let STATE: State
+
+function prevPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
+}
+function nextPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.min((Math.ceil(STATE.getMaxEntries() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()) - STATE.getEntriesPerPage(), index + STATE.getEntriesPerPage()))
+}
+
+function escapeHtml(str: string): string {
+    if(str === undefined) return ""
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;')
+}
+
+document.addEventListener("DOMContentLoaded", () => {
+    STATE = new State()
+    infoRequest()
+        .then(res => {
+            STATE.setMaxEntries(res.count)
+            document.getElementById("hakurei-version").innerText = res.hakurei_version
+            STATE.updateRange()
+            STATE.updateListings()
+        })
+
+    document.getElementById("count").addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("sort").addEventListener("change", (event) => {
+        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
+    })
+})
--- a/cmd/pkgserver/ui/static/light.scss
+++ b/cmd/pkgserver/ui/static/light.scss
@@ -0,0 +1,6 @@
+@use 'common';
+
+html {
+  background-color: #d3d3d3;
+  color: black;
+}
--- a/cmd/pkgserver/ui/static/tsconfig.json
+++ b/cmd/pkgserver/ui/static/tsconfig.json
@@ -0,0 +1,5 @@
+{
+  "compilerOptions": {
+    "target": "ES2024"
+  }
+}
--- a/cmd/pkgserver/ui_full.go
+++ b/cmd/pkgserver/ui_full.go
@@ -0,0 +1,9 @@
+//go:build frontend
+
+package main
+
+import "embed"
+
+//go:generate sh -c "sass ui/static/dark.scss ui/static/dark.css && sass ui/static/light.scss ui/static/light.css && tsc -p ui/static"
+//go:embed ui/*
+var content embed.FS
--- a/cmd/pkgserver/ui_stub.go
+++ b/cmd/pkgserver/ui_stub.go
@@ -0,0 +1,7 @@
+//go:build !frontend
+
+package main
+
+import "testing/fstest"
+
+var content fstest.MapFS
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -3,7 +3,6 @@ package container
 import (
 	"io"
 	"io/fs"
-	"net"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -13,7 +12,6 @@ import (

 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
-	"hakurei.app/internal/netlink"
 	"hakurei.app/message"
 )

@@ -169,47 +167,7 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
-func (direct) mustLoopback(msg message.Msg) {
-	var lo int
-	if ifi, err := net.InterfaceByName("lo"); err != nil {
-		msg.GetLogger().Fatalln(err)
-	} else {
-		lo = ifi.Index
-	}
-
-	c, err := netlink.DialRoute()
-	if err != nil {
-		msg.GetLogger().Fatalln(err)
-	}
-
-	must := func(err error) {
-		if err == nil {
-			return
-		}
-		if closeErr := c.Close(); closeErr != nil {
-			msg.Verbosef("cannot close RTNETLINK: %v", closeErr)
-		}
-
-		switch err.(type) {
-		case *os.SyscallError:
-			msg.GetLogger().Fatalf("cannot %v", err)
-
-		case syscall.Errno:
-			msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
-
-		default:
-			msg.GetLogger().Fatalf("RTNETLINK answers with malformed message")
-		}
-	}
-	must(c.SendNewaddrLo(uint32(lo)))
-	must(c.SendIfInfomsg(syscall.RTM_NEWLINK, 0, &syscall.IfInfomsg{
-		Family: syscall.AF_UNSPEC,
-		Index:  int32(lo),
-		Flags:  syscall.IFF_UP,
-		Change: syscall.IFF_UP,
-	}))
-	must(c.Close())
-}
+func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }

 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
--- a/container/netlink.go
+++ b/container/netlink.go
@@ -0,0 +1,269 @@
+package container
+
+import (
+	"encoding/binary"
+	"errors"
+	"net"
+	"os"
+	. "syscall"
+	"unsafe"
+
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+// rtnetlink represents a NETLINK_ROUTE socket.
+type rtnetlink struct {
+	// Sent as part of rtnetlink messages.
+	pid uint32
+	// AF_NETLINK socket.
+	fd int
+	// Whether the socket is open.
+	ok bool
+	// Message sequence number.
+	seq uint32
+}
+
+// open creates the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) open() (err error) {
+	if s.ok || s.fd < 0 {
+		return os.ErrInvalid
+	}
+
+	s.pid = uint32(Getpid())
+	if s.fd, err = Socket(
+		AF_NETLINK,
+		SOCK_RAW|SOCK_CLOEXEC,
+		NETLINK_ROUTE,
+	); err != nil {
+		return os.NewSyscallError("socket", err)
+	} else if err = Bind(s.fd, &SockaddrNetlink{
+		Family: AF_NETLINK,
+		Pid:    s.pid,
+	}); err != nil {
+		_ = s.close()
+		return os.NewSyscallError("bind", err)
+	} else {
+		s.ok = true
+		return nil
+	}
+}
+
+// close closes the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) close() error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	s.ok = false
+	err := Close(s.fd)
+	s.fd = -1
+	return err
+}
+
+// roundtrip sends a netlink message and handles the reply.
+func (s *rtnetlink) roundtrip(data []byte) error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	defer func() { s.seq++ }()
+
+	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
+		Family: AF_NETLINK,
+	}); err != nil {
+		return os.NewSyscallError("sendto", err)
+	}
+	buf := make([]byte, Getpagesize())
+
+done:
+	for {
+		p := buf
+		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
+			return os.NewSyscallError("recvfrom", err)
+		} else if n < NLMSG_HDRLEN {
+			return errors.ErrUnsupported
+		} else {
+			p = p[:n]
+		}
+
+		if msgs, err := ParseNetlinkMessage(p); err != nil {
+			return err
+		} else {
+			for _, m := range msgs {
+				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
+					return errors.ErrUnsupported
+				}
+				if m.Header.Type == NLMSG_DONE {
+					break done
+				}
+				if m.Header.Type == NLMSG_ERROR {
+					if len(m.Data) >= 4 {
+						errno := Errno(-std.Int(binary.NativeEndian.Uint32(m.Data)))
+						if errno == 0 {
+							return nil
+						}
+						return errno
+					}
+					return errors.ErrUnsupported
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
+func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
+	err := s.roundtrip(data)
+	if err == nil {
+		return
+	}
+	if closeErr := Close(s.fd); closeErr != nil {
+		msg.Verbosef("cannot close: %v", err)
+	}
+
+	switch err.(type) {
+	case *os.SyscallError:
+		msg.GetLogger().Fatalf("cannot %v", err)
+
+	case Errno:
+		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+	default:
+		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
+	}
+}
+
+// newaddrLo represents a RTM_NEWADDR message with two addresses.
+type newaddrLo struct {
+	header NlMsghdr
+	data   IfAddrmsg
+
+	r0 RtAttr
+	a0 [4]byte // in_addr
+	r1 RtAttr
+	a1 [4]byte // in_addr
+}
+
+// sizeofNewaddrLo is the expected size of newaddrLo.
+const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
+
+// newaddrLo returns the address of a populated newaddrLo.
+func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
+	return &newaddrLo{NlMsghdr{
+		Len:   sizeofNewaddrLo,
+		Type:  RTM_NEWADDR,
+		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfAddrmsg{
+		Family:    AF_INET,
+		Prefixlen: 8,
+		Flags:     IFA_F_PERMANENT,
+		Scope:     RT_SCOPE_HOST,
+		Index:     uint32(lo),
+	}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
+		Type: IFA_LOCAL,
+	}, [4]byte{127, 0, 0, 1}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
+		Type: IFA_ADDRESS,
+	}, [4]byte{127, 0, 0, 1}}
+}
+
+func (msg *newaddrLo) toWireFormat() []byte {
+	var buf [sizeofNewaddrLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	buf[17] = msg.data.Prefixlen
+	buf[18] = msg.data.Flags
+	buf[19] = msg.data.Scope
+	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+
+	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
+	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
+	copy(buf[28:32], msg.a0[:])
+	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
+	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
+	copy(buf[36:40], msg.a1[:])
+
+	return buf[:]
+}
+
+// newlinkLo represents a RTM_NEWLINK message.
+type newlinkLo struct {
+	header NlMsghdr
+	data   IfInfomsg
+}
+
+// sizeofNewlinkLo is the expected size of newlinkLo.
+const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
+
+// newlinkLo returns the address of a populated newlinkLo.
+func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
+	return &newlinkLo{NlMsghdr{
+		Len:   sizeofNewlinkLo,
+		Type:  RTM_NEWLINK,
+		Flags: NLM_F_REQUEST | NLM_F_ACK,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfInfomsg{
+		Family: AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  IFF_UP,
+		Change: IFF_UP,
+	}}
+}
+
+func (msg *newlinkLo) toWireFormat() []byte {
+	var buf [sizeofNewlinkLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
+	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
+	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
+
+	return buf[:]
+}
+
+// mustLoopback creates the loopback address and brings the lo interface up.
+// mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
+// user-facing error message if RTNETLINK behaves unexpectedly.
+func mustLoopback(msg message.Msg) {
+	log := msg.GetLogger()
+
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		log.Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	var s rtnetlink
+	if err := s.open(); err != nil {
+		log.Fatalln(err)
+	}
+	defer func() {
+		if err := s.close(); err != nil {
+			msg.Verbosef("cannot close netlink: %v", err)
+		}
+	}()
+
+	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
+	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
+}
--- a/container/netlink_test.go
+++ b/container/netlink_test.go
@@ -0,0 +1,72 @@
+package container
+
+import (
+	"testing"
+	"unsafe"
+)
+
+func TestSizeof(t *testing.T) {
+	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
+		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
+	}
+
+	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
+		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
+	}
+}
+
+func TestRtnetlinkMessage(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		msg  interface{ toWireFormat() []byte }
+		want []byte
+	}{
+		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
+			/* Len   */ 0x28, 0, 0, 0,
+			/* Type  */ 0x14, 0,
+			/* Flags */ 5, 6,
+			/* Seq   */ 0, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family    */ 2,
+			/* Prefixlen */ 8,
+			/* Flags     */ 0x80,
+			/* Scope     */ 0xfe,
+			/* Index     */ 1, 0, 0, 0,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 2, 0,
+			/* in_addr */ 127, 0, 0, 1,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 1, 0,
+			/* in_addr */ 127, 0, 0, 1,
+		}},
+
+		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
+			/* Len   */ 0x20, 0, 0, 0,
+			/* Type  */ 0x10, 0,
+			/* Flags */ 5, 0,
+			/* Seq   */ 1, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family */ 0,
+			/* pad    */ 0,
+			/* Type   */ 0, 0,
+			/* Index  */ 1, 0, 0, 0,
+			/* Flags  */ 1, 0, 0, 0,
+			/* Change */ 1, 0, 0, 0,
+		}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
+				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}
--- a/hst/config.go
+++ b/hst/config.go
@@ -82,7 +82,7 @@ type Config struct {
 	//
 	// Do not set this to true, it is insecure under any configuration.
 	//
-	// [the /.flatpak-info hack]: https://git.gensokyo.uk/rosa/hakurei/issues/21
+	// [the /.flatpak-info hack]: https://git.gensokyo.uk/security/hakurei/issues/21
 	DirectPipeWire bool `json:"direct_pipewire,omitempty"`

 	// Direct access to PulseAudio socket, no attempt is made to establish
--- a/internal/netlink/netlink.go
+++ b/internal/netlink/netlink.go
@@ -1,186 +0,0 @@
-// Package netlink is a partial implementation of the netlink protocol.
-package netlink
-
-import (
-	"fmt"
-	"os"
-	"sync"
-	"syscall"
-	"unsafe"
-)
-
-// AF_NETLINK socket is never shared
-var (
-	nlPid     uint32
-	nlPidOnce sync.Once
-)
-
-// getpid returns a cached pid value.
-func getpid() uint32 {
-	nlPidOnce.Do(func() { nlPid = uint32(os.Getpid()) })
-	return nlPid
-}
-
-// A conn represents resources associated to a netlink socket.
-type conn struct {
-	// AF_NETLINK socket.
-	fd int
-	// Kernel module or netlink group to communicate with.
-	family int
-	// Message sequence number.
-	seq uint32
-	// For pending outgoing message.
-	typ, flags uint16
-	// Outgoing position in buf.
-	pos int
-	// A page holding incoming and outgoing messages.
-	buf []byte
-}
-
-// dial returns the address of a newly connected conn of specified family.
-func dial(family int) (*conn, error) {
-	var c conn
-	if fd, err := syscall.Socket(
-		syscall.AF_NETLINK,
-		syscall.SOCK_RAW|syscall.SOCK_CLOEXEC,
-		family,
-	); err != nil {
-		return nil, os.NewSyscallError("socket", err)
-	} else if err = syscall.Bind(fd, &syscall.SockaddrNetlink{
-		Family: syscall.AF_NETLINK,
-		Pid:    getpid(),
-	}); err != nil {
-		_ = syscall.Close(fd)
-		return nil, os.NewSyscallError("bind", err)
-	} else {
-		c.fd, c.family = fd, family
-	}
-	c.pos = syscall.NLMSG_HDRLEN
-	c.buf = make([]byte, os.Getpagesize())
-	return &c, nil
-}
-
-// Close closes the underlying socket.
-func (c *conn) Close() error {
-	if c.buf == nil {
-		return syscall.EINVAL
-	}
-	c.buf = nil
-	return syscall.Close(c.fd)
-}
-
-// Msg is type constraint for types sent over the wire via netlink.
-//
-// No pointer types or compound types containing pointers may appear here.
-type Msg interface {
-	syscall.NlMsghdr | syscall.NlMsgerr |
-		syscall.IfAddrmsg | RtAttrMsg[InAddr] |
-		syscall.IfInfomsg
-}
-
-// As returns data as the specified netlink message type.
-func As[M Msg](data []byte) *M {
-	var v M
-	if unsafe.Sizeof(v) != uintptr(len(data)) {
-		return nil
-	}
-	return (*M)(unsafe.Pointer(unsafe.SliceData(data)))
-}
-
-// add queues a value to be sent by conn.
-func add[M Msg](c *conn, p *M) bool {
-	pos := c.pos
-	c.pos += int(unsafe.Sizeof(*p))
-	if c.pos > len(c.buf) {
-		c.pos = pos
-		return false
-	}
-	*(*M)(unsafe.Pointer(&c.buf[pos])) = *p
-	return true
-}
-
-// InconsistentError describes a reply from the kernel that is not consistent
-// with the internal state tracked by this package.
-type InconsistentError struct {
-	// Offending header.
-	syscall.NlMsghdr
-	// Expected message sequence.
-	Seq uint32
-	// Expected pid.
-	Pid uint32
-}
-
-func (*InconsistentError) Unwrap() error { return os.ErrInvalid }
-func (e *InconsistentError) Error() string {
-	s := "netlink socket has inconsistent state"
-	switch {
-	case e.Seq != e.NlMsghdr.Seq:
-		s += fmt.Sprintf(": seq %d != %d", e.Seq, e.NlMsghdr.Seq)
-	case e.Pid != e.NlMsghdr.Pid:
-		s += fmt.Sprintf(": pid %d != %d", e.Pid, e.NlMsghdr.Pid)
-	}
-	return s
-}
-
-// pending returns the valid slice of buf and initialises pos.
-func (c *conn) pending() []byte {
-	buf := c.buf[:c.pos]
-	c.pos = syscall.NLMSG_HDRLEN
-
-	*(*syscall.NlMsghdr)(unsafe.Pointer(unsafe.SliceData(buf))) = syscall.NlMsghdr{
-		Len:   uint32(len(buf)),
-		Type:  c.typ,
-		Flags: c.flags,
-		Seq:   c.seq,
-		Pid:   getpid(),
-	}
-	return buf
-}
-
-// Complete indicates the completion of a roundtrip.
-type Complete struct{}
-
-// Error returns a hardcoded string that should never be displayed to the user.
-func (Complete) Error() string { return "returning from roundtrip" }
-
-// Roundtrip sends the pending message and handles the reply.
-func (c *conn) Roundtrip(f func(msg *syscall.NetlinkMessage) error) error {
-	if c.buf == nil {
-		return syscall.EINVAL
-	}
-	defer func() { c.seq++ }()
-
-	if err := syscall.Sendto(c.fd, c.pending(), 0, &syscall.SockaddrNetlink{
-		Family: syscall.AF_NETLINK,
-	}); err != nil {
-		return os.NewSyscallError("sendto", err)
-	}
-
-	for {
-		buf := c.buf
-		if n, _, err := syscall.Recvfrom(c.fd, buf, 0); err != nil {
-			return os.NewSyscallError("recvfrom", err)
-		} else if n < syscall.NLMSG_HDRLEN {
-			return syscall.EBADE
-		} else {
-			buf = buf[:n]
-		}
-
-		msgs, err := syscall.ParseNetlinkMessage(buf)
-		if err != nil {
-			return err
-		}
-
-		for _, msg := range msgs {
-			if msg.Header.Seq != c.seq || msg.Header.Pid != getpid() {
-				return &InconsistentError{msg.Header, c.seq, getpid()}
-			}
-			if err = f(&msg); err != nil {
-				if err == (Complete{}) {
-					return nil
-				}
-				return err
-			}
-		}
-	}
-}
--- a/internal/netlink/netlink_test.go
+++ b/internal/netlink/netlink_test.go
@@ -1,36 +0,0 @@
-package netlink
-
-import (
-	"os"
-	"syscall"
-	"testing"
-)
-
-func init() { nlPidOnce.Do(func() {}); nlPid = 1 }
-
-type payloadTestCase struct {
-	name string
-	f    func(c *conn)
-	want []byte
-}
-
-// checkPayload runs multiple payloadTestCase against a stub conn and checks
-// the outgoing message written to its buffer page.
-func checkPayload(t *testing.T, testCases []payloadTestCase) {
-	t.Helper()
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			c := conn{
-				pos: syscall.NLMSG_HDRLEN,
-				buf: make([]byte, os.Getpagesize()),
-			}
-			tc.f(&c)
-			if got := c.pending(); string(got) != string(tc.want) {
-				t.Errorf("pending: %#v, want %#v", got, tc.want)
-			}
-		})
-	}
-}
--- a/internal/netlink/rtnl.go
+++ b/internal/netlink/rtnl.go
@@ -1,132 +0,0 @@
-package netlink
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-// RouteConn represents a NETLINK_ROUTE socket.
-type RouteConn struct{ *conn }
-
-// DialRoute returns the address of a newly connected [RouteConn].
-func DialRoute() (*RouteConn, error) {
-	c, err := dial(syscall.NETLINK_ROUTE)
-	if err != nil {
-		return nil, err
-	}
-	return &RouteConn{c}, nil
-}
-
-// rtnlConsume consumes a message from rtnetlink.
-func rtnlConsume(msg *syscall.NetlinkMessage) error {
-	switch msg.Header.Type {
-	case syscall.NLMSG_DONE:
-		return Complete{}
-
-	case syscall.NLMSG_ERROR:
-		if e := As[syscall.NlMsgerr](msg.Data); e != nil {
-			if e.Error == 0 {
-				return Complete{}
-			}
-			return syscall.Errno(-e.Error)
-		}
-		return syscall.EBADE
-
-	default:
-		return nil
-	}
-}
-
-// InAddr is equivalent to struct in_addr.
-type InAddr [4]byte
-
-// RtAttrMsg holds syscall.RtAttr alongside its payload.
-type RtAttrMsg[D any] struct {
-	syscall.RtAttr
-	Data D
-}
-
-// populate populates the Len field of the embedded syscall.RtAttr.
-func (attr *RtAttrMsg[M]) populate() {
-	attr.Len = syscall.SizeofRtAttr + uint16(unsafe.Sizeof(attr.Data))
-}
-
-// writeIfAddrmsg writes an ifaddrmsg structure to conn.
-func (c *RouteConn) writeIfAddrmsg(
-	typ, flags uint16,
-	msg *syscall.IfAddrmsg,
-	attrs ...RtAttrMsg[InAddr],
-) bool {
-	c.typ, c.flags = typ, syscall.NLM_F_REQUEST|syscall.NLM_F_ACK|flags
-	if !add(c.conn, msg) {
-		return false
-	}
-	for _, attr := range attrs {
-		attr.populate()
-		if !add(c.conn, &attr) {
-			return false
-		}
-	}
-	return true
-}
-
-// SendIfAddrmsg sends an ifaddrmsg structure to rtnetlink.
-func (c *RouteConn) SendIfAddrmsg(
-	typ, flags uint16,
-	msg *syscall.IfAddrmsg,
-	attrs ...RtAttrMsg[InAddr],
-) error {
-	if !c.writeIfAddrmsg(typ, flags, msg, attrs...) {
-		return syscall.ENOMEM
-	}
-	return c.Roundtrip(rtnlConsume)
-}
-
-// writeNewaddrLo writes a RTM_NEWADDR message for the loopback address.
-func (c *RouteConn) writeNewaddrLo(lo uint32) bool {
-	return c.writeIfAddrmsg(
-		syscall.RTM_NEWADDR,
-		syscall.NLM_F_CREATE|syscall.NLM_F_EXCL,
-		&syscall.IfAddrmsg{
-			Family:    syscall.AF_INET,
-			Prefixlen: 8,
-			Flags:     syscall.IFA_F_PERMANENT,
-			Scope:     syscall.RT_SCOPE_HOST,
-			Index:     lo,
-		},
-		RtAttrMsg[InAddr]{syscall.RtAttr{
-			Type: syscall.IFA_LOCAL,
-		}, InAddr{127, 0, 0, 1}},
-		RtAttrMsg[InAddr]{syscall.RtAttr{
-			Type: syscall.IFA_ADDRESS,
-		}, InAddr{127, 0, 0, 1}},
-	)
-}
-
-// SendNewaddrLo sends a RTM_NEWADDR message for the loopback address to the kernel.
-func (c *RouteConn) SendNewaddrLo(lo uint32) error {
-	if !c.writeNewaddrLo(lo) {
-		return syscall.ENOMEM
-	}
-	return c.Roundtrip(rtnlConsume)
-}
-
-// writeIfInfomsg writes an ifinfomsg structure to conn.
-func (c *RouteConn) writeIfInfomsg(
-	typ, flags uint16,
-	msg *syscall.IfInfomsg,
-) bool {
-	c.typ, c.flags = typ, syscall.NLM_F_REQUEST|syscall.NLM_F_ACK|flags
-	return add(c.conn, msg)
-}
-
-// SendIfInfomsg sends an ifinfomsg structure to rtnetlink.
-func (c *RouteConn) SendIfInfomsg(
-	typ, flags uint16,
-	msg *syscall.IfInfomsg,
-) error {
-	if !c.writeIfInfomsg(typ, flags, msg) {
-		return syscall.ENOMEM
-	}
-	return c.Roundtrip(rtnlConsume)
-}
--- a/internal/netlink/rtnl_test.go
+++ b/internal/netlink/rtnl_test.go
@@ -1,62 +0,0 @@
-package netlink
-
-import (
-	"syscall"
-	"testing"
-)
-
-func TestPayloadRTNETLINK(t *testing.T) {
-	t.Parallel()
-
-	checkPayload(t, []payloadTestCase{
-		{"RTM_NEWADDR lo", func(c *conn) {
-			(&RouteConn{c}).writeNewaddrLo(1)
-		}, []byte{
-			/* Len   */ 0x28, 0, 0, 0,
-			/* Type  */ 0x14, 0,
-			/* Flags */ 5, 6,
-			/* Seq   */ 0, 0, 0, 0,
-			/* Pid   */ 1, 0, 0, 0,
-
-			/* Family    */ 2,
-			/* Prefixlen */ 8,
-			/* Flags     */ 0x80,
-			/* Scope     */ 0xfe,
-			/* Index     */ 1, 0, 0, 0,
-
-			/* Len     */ 8, 0,
-			/* Type    */ 2, 0,
-			/* in_addr */ 127, 0, 0, 1,
-
-			/* Len     */ 8, 0,
-			/* Type    */ 1, 0,
-			/* in_addr */ 127, 0, 0, 1,
-		}},
-
-		{"RTM_NEWLINK", func(c *conn) {
-			c.seq++
-			(&RouteConn{c}).writeIfInfomsg(
-				syscall.RTM_NEWLINK, 0,
-				&syscall.IfInfomsg{
-					Family: syscall.AF_UNSPEC,
-					Index:  1,
-					Flags:  syscall.IFF_UP,
-					Change: syscall.IFF_UP,
-				},
-			)
-		}, []byte{
-			/* Len   */ 0x20, 0, 0, 0,
-			/* Type  */ 0x10, 0,
-			/* Flags */ 5, 0,
-			/* Seq   */ 1, 0, 0, 0,
-			/* Pid   */ 1, 0, 0, 0,
-
-			/* Family */ 0,
-			/* pad    */ 0,
-			/* Type   */ 0, 0,
-			/* Index  */ 1, 0, 0, 0,
-			/* Flags  */ 1, 0, 0, 0,
-			/* Change */ 1, 0, 0, 0,
-		}},
-	})
-}
--- a/internal/rosa/all.go
+++ b/internal/rosa/all.go
@@ -20,10 +20,8 @@ const (
 	LLVMRuntimes
 	LLVMClang

-	// EarlyInit is the Rosa OS init program.
+	// EarlyInit is the Rosa OS initramfs init program.
 	EarlyInit
-	// ImageSystem is the Rosa OS /system image.
-	ImageSystem
 	// ImageInitramfs is the Rosa OS initramfs archive.
 	ImageInitramfs

@@ -112,11 +110,21 @@ const (
 	PkgConfig
 	Procps
 	Python
+	PythonCfgv
+	PythonDiscovery
+	PythonDistlib
+	PythonFilelock
+	PythonIdentify
 	PythonIniConfig
+	PythonNodeenv
 	PythonPackaging
+	PythonPlatformdirs
 	PythonPluggy
+	PythonPreCommit
 	PythonPyTest
+	PythonPyYAML
 	PythonPygments
+	PythonVirtualenv
 	QEMU
 	Rdfind
 	Rsync
--- a/internal/rosa/curl.go
+++ b/internal/rosa/curl.go
@@ -12,11 +12,24 @@ func (t Toolchain) newCurl() (pkg.Artifact, string) {
 		mustDecode(checksum),
 		pkg.TarBzip2,
 	), &PackageAttr{
-		// remove broken test
-		Writable: true,
-		ScriptEarly: `
-chmod +w tests/data && rm tests/data/test459
-`,
+		Patches: [][2]string{
+			{"test459-misplaced-line-break", `diff --git a/tests/data/test459 b/tests/data/test459
+index 7a2e1db7b3..cc716aa65a 100644
+--- a/tests/data/test459
+++ b/tests/data/test459
+@@ -54,8 +54,8 @@ Content-Type: application/x-www-form-urlencoded
+ arg
+ </protocol>
+ <stderr mode="text">
+-Warning: %LOGDIR/config:1 Option 'data' uses argument with unquoted whitespace.%SP
+-Warning: This may cause side-effects. Consider double quotes.
+Warning: %LOGDIR/config:1 Option 'data' uses argument with unquoted%SP
+Warning: whitespace. This may cause side-effects. Consider double quotes.
+ </stderr>
+ </verify>
+ </testcase>
+`},
+		},
 	}, &MakeHelper{
 		Configure: [][2]string{
 			{"with-openssl"},
--- a/internal/rosa/hakurei_release.go
+++ b/internal/rosa/hakurei_release.go
@@ -4,13 +4,13 @@ package rosa

 import "hakurei.app/internal/pkg"

-const hakureiVersion = "0.3.7"
+const hakureiVersion = "0.3.6"

 // hakureiSource is the source code of a hakurei release.
 var hakureiSource = pkg.NewHTTPGetTar(
-	nil, "https://git.gensokyo.uk/rosa/hakurei/archive/"+
+	nil, "https://git.gensokyo.uk/security/hakurei/archive/"+
 		"v"+hakureiVersion+".tar.gz",
-	mustDecode("Xh_sdITOATEAQN5_UuaOyrWsgboxorqRO9bml3dGm8GAxF8NFpB7MqhSZgjJxAl2"),
+	mustDecode("Yul9J2yV0x453lQP9KUnG_wEJo_DbKMNM7xHJGt4rITCSeX9VRK2J4kzAxcv_0-b"),
 	pkg.TarGzip,
 )

--- a/internal/rosa/images.go
+++ b/internal/rosa/images.go
@@ -1,9 +1,6 @@
 package rosa

-import (
-	"hakurei.app/container/fhs"
-	"hakurei.app/internal/pkg"
-)
+import "hakurei.app/internal/pkg"

 func init() {
 	artifactsM[EarlyInit] = Metadata{
@@ -27,36 +24,12 @@ echo
 	}
 }

-func (t Toolchain) newImageSystem() (pkg.Artifact, string) {
-	return t.New("system.img", TNoToolchain, t.AppendPresets(nil,
-		SquashfsTools,
-	), nil, nil, `
-mksquashfs /mnt/system /work/system.img
-`, pkg.Path(fhs.AbsRoot.Append("mnt"), false, t.AppendPresets(nil,
-		Musl,
-		Mksh,
-		Toybox,
-
-		Kmod,
-		Kernel,
-		Firmware,
-	)...)), Unversioned
-}
-func init() {
-	artifactsM[ImageSystem] = Metadata{
-		Name:        "system-image",
-		Description: "Rosa OS system image",
-
-		f: Toolchain.newImageSystem,
-	}
-}
-
 func (t Toolchain) newImageInitramfs() (pkg.Artifact, string) {
-	return t.New("initramfs", TNoToolchain, t.AppendPresets(nil,
-		Zstd,
-		EarlyInit,
-		GenInitCPIO,
-	), nil, nil, `
+	return t.New("initramfs", TNoToolchain, []pkg.Artifact{
+		t.Load(Zstd),
+		t.Load(EarlyInit),
+		t.Load(GenInitCPIO),
+	}, nil, nil, `
 gen_init_cpio -t 4294967295 -c /usr/src/initramfs | zstd > /work/initramfs.zst
 `, pkg.Path(AbsUsrSrc.Append("initramfs"), false, pkg.NewFile("initramfs", []byte(`
 dir /dev 0755 0 0
--- a/internal/rosa/kernel.go
+++ b/internal/rosa/kernel.go
@@ -2,12 +2,12 @@ package rosa

 import "hakurei.app/internal/pkg"

-const kernelVersion = "6.12.77"
+const kernelVersion = "6.12.76"

 var kernelSource = pkg.NewHTTPGetTar(
 	nil, "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/"+
 		"snapshot/linux-"+kernelVersion+".tar.gz",
-	mustDecode("_MyFL0MqqNwAJx4fP8L9FkUayXIqEJto5trAPr_9UJvaT5TK1tvlU8leS82Hw2uw"),
+	mustDecode("h0UATNznQbzplvthAqNLjVF-DJQHzGyhiy4za-9Ig9tOIpnoH9mWHbEjASV6lOl2"),
 	pkg.TarGzip,
 )

--- a/internal/rosa/kernel_amd64.config
+++ b/internal/rosa/kernel_amd64.config
@@ -2,15 +2,15 @@
 # Automatically generated file; DO NOT EDIT.
 # Linux/x86 6.12.76 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 22.1.1"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.0"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=220101
+CONFIG_CLANG_VERSION=220100
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=220101
+CONFIG_AS_VERSION=220100
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=220101
+CONFIG_LLD_VERSION=220100
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -2402,7 +2402,7 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y
 #
 # Firmware loader
 #
-CONFIG_FW_LOADER=y
+CONFIG_FW_LOADER=m
 CONFIG_FW_LOADER_DEBUG=y
 CONFIG_FW_LOADER_PAGED_BUF=y
 CONFIG_FW_LOADER_SYSFS=y
@@ -2749,7 +2749,7 @@ CONFIG_BLK_DEV_NULL_BLK=m
 CONFIG_BLK_DEV_FD=m
 # CONFIG_BLK_DEV_FD_RAWCMD is not set
 CONFIG_CDROM=m
-CONFIG_BLK_DEV_PCIESSD_MTIP32XX=y
+CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
 CONFIG_ZRAM=m
 # CONFIG_ZRAM_BACKEND_LZ4 is not set
 # CONFIG_ZRAM_BACKEND_LZ4HC is not set
@@ -2775,9 +2775,9 @@ CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=y
-# CONFIG_XEN_BLKDEV_BACKEND is not set
-CONFIG_VIRTIO_BLK=y
+CONFIG_XEN_BLKDEV_FRONTEND=m
+CONFIG_XEN_BLKDEV_BACKEND=m
+CONFIG_VIRTIO_BLK=m
 CONFIG_BLK_DEV_RBD=m
 CONFIG_BLK_DEV_UBLK=m
 CONFIG_BLKDEV_UBLK_LEGACY_OPCODES=y
@@ -2788,12 +2788,13 @@ CONFIG_BLK_DEV_RNBD_SERVER=m
 #
 # NVME Support
 #
-CONFIG_NVME_KEYRING=y
-CONFIG_NVME_AUTH=y
-CONFIG_NVME_CORE=y
-CONFIG_BLK_DEV_NVME=y
+CONFIG_NVME_KEYRING=m
+CONFIG_NVME_AUTH=m
+CONFIG_NVME_CORE=m
+CONFIG_BLK_DEV_NVME=m
 CONFIG_NVME_MULTIPATH=y
 # CONFIG_NVME_VERBOSE_ERRORS is not set
+CONFIG_NVME_HWMON=y
 CONFIG_NVME_FABRICS=m
 CONFIG_NVME_RDMA=m
 CONFIG_NVME_FC=m
@@ -2910,10 +2911,10 @@ CONFIG_KEBA_CP500=m
 #
 # SCSI device support
 #
-CONFIG_SCSI_MOD=y
+CONFIG_SCSI_MOD=m
 CONFIG_RAID_ATTRS=m
-CONFIG_SCSI_COMMON=y
-CONFIG_SCSI=y
+CONFIG_SCSI_COMMON=m
+CONFIG_SCSI=m
 CONFIG_SCSI_DMA=y
 CONFIG_SCSI_NETLINK=y
 CONFIG_SCSI_PROC_FS=y
@@ -2921,7 +2922,7 @@ CONFIG_SCSI_PROC_FS=y
 #
 # SCSI support type (disk, tape, CD-ROM)
 #
-CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SD=m
 CONFIG_CHR_DEV_ST=m
 CONFIG_BLK_DEV_SR=m
 CONFIG_CHR_DEV_SG=m
@@ -3041,7 +3042,7 @@ CONFIG_SCSI_DEBUG=m
 CONFIG_SCSI_PMCRAID=m
 CONFIG_SCSI_PM8001=m
 CONFIG_SCSI_BFA_FC=m
-CONFIG_SCSI_VIRTIO=y
+CONFIG_SCSI_VIRTIO=m
 CONFIG_SCSI_CHELSIO_FCOE=m
 CONFIG_SCSI_LOWLEVEL_PCMCIA=y
 CONFIG_PCMCIA_AHA152X=m
@@ -3051,7 +3052,7 @@ CONFIG_PCMCIA_SYM53C500=m
 # CONFIG_SCSI_DH is not set
 # end of SCSI device support

-CONFIG_ATA=y
+CONFIG_ATA=m
 CONFIG_SATA_HOST=y
 CONFIG_PATA_TIMINGS=y
 CONFIG_ATA_VERBOSE_ERROR=y
@@ -3063,39 +3064,39 @@ CONFIG_SATA_PMP=y
 #
 # Controllers with non-SFF native interface
 #
-CONFIG_SATA_AHCI=y
+CONFIG_SATA_AHCI=m
 CONFIG_SATA_MOBILE_LPM_POLICY=3
-CONFIG_SATA_AHCI_PLATFORM=y
-CONFIG_AHCI_DWC=y
-CONFIG_AHCI_CEVA=y
+CONFIG_SATA_AHCI_PLATFORM=m
+CONFIG_AHCI_DWC=m
+CONFIG_AHCI_CEVA=m
 CONFIG_SATA_INIC162X=m
-CONFIG_SATA_ACARD_AHCI=y
-CONFIG_SATA_SIL24=y
+CONFIG_SATA_ACARD_AHCI=m
+CONFIG_SATA_SIL24=m
 CONFIG_ATA_SFF=y

 #
 # SFF controllers with custom DMA interface
 #
-CONFIG_PDC_ADMA=y
-CONFIG_SATA_QSTOR=y
+CONFIG_PDC_ADMA=m
+CONFIG_SATA_QSTOR=m
 CONFIG_SATA_SX4=m
 CONFIG_ATA_BMDMA=y

 #
 # SATA SFF controllers with BMDMA
 #
-CONFIG_ATA_PIIX=y
-CONFIG_SATA_DWC=y
+CONFIG_ATA_PIIX=m
+CONFIG_SATA_DWC=m
 # CONFIG_SATA_DWC_OLD_DMA is not set
-CONFIG_SATA_MV=y
-CONFIG_SATA_NV=y
-CONFIG_SATA_PROMISE=y
-CONFIG_SATA_SIL=y
-CONFIG_SATA_SIS=y
-CONFIG_SATA_SVW=y
-CONFIG_SATA_ULI=y
-CONFIG_SATA_VIA=y
-CONFIG_SATA_VITESSE=y
+CONFIG_SATA_MV=m
+CONFIG_SATA_NV=m
+CONFIG_SATA_PROMISE=m
+CONFIG_SATA_SIL=m
+CONFIG_SATA_SIS=m
+CONFIG_SATA_SVW=m
+CONFIG_SATA_ULI=m
+CONFIG_SATA_VIA=m
+CONFIG_SATA_VITESSE=m

 #
 # PATA SFF controllers with BMDMA
@@ -3129,7 +3130,7 @@ CONFIG_PATA_RDC=m
 CONFIG_PATA_SCH=m
 CONFIG_PATA_SERVERWORKS=m
 CONFIG_PATA_SIL680=m
-CONFIG_PATA_SIS=y
+CONFIG_PATA_SIS=m
 CONFIG_PATA_TOSHIBA=m
 CONFIG_PATA_TRIFLEX=m
 CONFIG_PATA_VIA=m
@@ -3171,8 +3172,8 @@ CONFIG_PATA_PARPORT_ON26=m
 #
 # Generic fallback / legacy drivers
 #
-CONFIG_PATA_ACPI=y
-CONFIG_ATA_GENERIC=y
+CONFIG_PATA_ACPI=m
+CONFIG_ATA_GENERIC=m
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
@@ -9620,11 +9621,11 @@ CONFIG_EFI_SECRET=m
 CONFIG_SEV_GUEST=m
 CONFIG_TDX_GUEST_DRIVER=m
 CONFIG_VIRTIO_ANCHOR=y
-CONFIG_VIRTIO=y
-CONFIG_VIRTIO_PCI_LIB=y
-CONFIG_VIRTIO_PCI_LIB_LEGACY=y
+CONFIG_VIRTIO=m
+CONFIG_VIRTIO_PCI_LIB=m
+CONFIG_VIRTIO_PCI_LIB_LEGACY=m
 CONFIG_VIRTIO_MENU=y
-CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI=m
 CONFIG_VIRTIO_PCI_ADMIN_LEGACY=y
 CONFIG_VIRTIO_PCI_LEGACY=y
 CONFIG_VIRTIO_VDPA=m
--- a/internal/rosa/kernel_arm64.config
+++ b/internal/rosa/kernel_arm64.config
@@ -2,15 +2,15 @@
 # Automatically generated file; DO NOT EDIT.
 # Linux/arm64 6.12.76 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 22.1.1"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.0"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=220101
+CONFIG_CLANG_VERSION=220100
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=220101
+CONFIG_AS_VERSION=220100
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=220101
+CONFIG_LLD_VERSION=220100
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -2384,7 +2384,7 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y
 #
 # Firmware loader
 #
-CONFIG_FW_LOADER=y
+CONFIG_FW_LOADER=m
 CONFIG_FW_LOADER_DEBUG=y
 CONFIG_FW_LOADER_PAGED_BUF=y
 CONFIG_FW_LOADER_SYSFS=y
@@ -2849,8 +2849,8 @@ CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=y
-# CONFIG_XEN_BLKDEV_BACKEND is not set
+CONFIG_XEN_BLKDEV_FRONTEND=m
+CONFIG_XEN_BLKDEV_BACKEND=m
 CONFIG_VIRTIO_BLK=m
 CONFIG_BLK_DEV_RBD=m
 CONFIG_BLK_DEV_UBLK=m
@@ -2862,12 +2862,13 @@ CONFIG_BLK_DEV_RNBD_SERVER=m
 #
 # NVME Support
 #
-CONFIG_NVME_KEYRING=y
-CONFIG_NVME_AUTH=y
-CONFIG_NVME_CORE=y
-CONFIG_BLK_DEV_NVME=y
+CONFIG_NVME_KEYRING=m
+CONFIG_NVME_AUTH=m
+CONFIG_NVME_CORE=m
+CONFIG_BLK_DEV_NVME=m
 CONFIG_NVME_MULTIPATH=y
 # CONFIG_NVME_VERBOSE_ERRORS is not set
+CONFIG_NVME_HWMON=y
 CONFIG_NVME_FABRICS=m
 CONFIG_NVME_RDMA=m
 CONFIG_NVME_FC=m
@@ -2976,10 +2977,10 @@ CONFIG_KEBA_CP500=m
 #
 # SCSI device support
 #
-CONFIG_SCSI_MOD=y
+CONFIG_SCSI_MOD=m
 CONFIG_RAID_ATTRS=m
-CONFIG_SCSI_COMMON=y
-CONFIG_SCSI=y
+CONFIG_SCSI_COMMON=m
+CONFIG_SCSI=m
 CONFIG_SCSI_DMA=y
 CONFIG_SCSI_NETLINK=y
 CONFIG_SCSI_PROC_FS=y
@@ -2987,7 +2988,7 @@ CONFIG_SCSI_PROC_FS=y
 #
 # SCSI support type (disk, tape, CD-ROM)
 #
-CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SD=m
 CONFIG_CHR_DEV_ST=m
 CONFIG_BLK_DEV_SR=m
 CONFIG_CHR_DEV_SG=m
@@ -3107,7 +3108,7 @@ CONFIG_SCSI_DEBUG=m
 CONFIG_SCSI_PMCRAID=m
 CONFIG_SCSI_PM8001=m
 CONFIG_SCSI_BFA_FC=m
-CONFIG_SCSI_VIRTIO=y
+CONFIG_SCSI_VIRTIO=m
 CONFIG_SCSI_CHELSIO_FCOE=m
 CONFIG_SCSI_LOWLEVEL_PCMCIA=y
 CONFIG_PCMCIA_AHA152X=m
@@ -3117,7 +3118,7 @@ CONFIG_PCMCIA_SYM53C500=m
 # CONFIG_SCSI_DH is not set
 # end of SCSI device support

-CONFIG_ATA=y
+CONFIG_ATA=m
 CONFIG_SATA_HOST=y
 CONFIG_PATA_TIMINGS=y
 CONFIG_ATA_VERBOSE_ERROR=y
@@ -3129,23 +3130,23 @@ CONFIG_SATA_PMP=y
 #
 # Controllers with non-SFF native interface
 #
-CONFIG_SATA_AHCI=y
+CONFIG_SATA_AHCI=m
 CONFIG_SATA_MOBILE_LPM_POLICY=3
-CONFIG_SATA_AHCI_PLATFORM=y
-CONFIG_AHCI_BRCM=y
-CONFIG_AHCI_DWC=y
+CONFIG_SATA_AHCI_PLATFORM=m
+CONFIG_AHCI_BRCM=m
+CONFIG_AHCI_DWC=m
 CONFIG_AHCI_IMX=m
-CONFIG_AHCI_CEVA=y
-CONFIG_AHCI_MTK=y
-CONFIG_AHCI_MVEBU=y
-CONFIG_AHCI_SUNXI=y
-CONFIG_AHCI_TEGRA=y
+CONFIG_AHCI_CEVA=m
+CONFIG_AHCI_MTK=m
+CONFIG_AHCI_MVEBU=m
+CONFIG_AHCI_SUNXI=m
+CONFIG_AHCI_TEGRA=m
 CONFIG_AHCI_XGENE=m
-CONFIG_AHCI_QORIQ=y
-CONFIG_SATA_AHCI_SEATTLE=y
+CONFIG_AHCI_QORIQ=m
+CONFIG_SATA_AHCI_SEATTLE=m
 CONFIG_SATA_INIC162X=m
-CONFIG_SATA_ACARD_AHCI=y
-CONFIG_SATA_SIL24=y
+CONFIG_SATA_ACARD_AHCI=m
+CONFIG_SATA_SIL24=m
 CONFIG_ATA_SFF=y

 #
@@ -3159,19 +3160,19 @@ CONFIG_ATA_BMDMA=y
 #
 # SATA SFF controllers with BMDMA
 #
-CONFIG_ATA_PIIX=y
-CONFIG_SATA_DWC=y
+CONFIG_ATA_PIIX=m
+CONFIG_SATA_DWC=m
 # CONFIG_SATA_DWC_OLD_DMA is not set
-CONFIG_SATA_MV=y
-CONFIG_SATA_NV=y
-CONFIG_SATA_PROMISE=y
-CONFIG_SATA_RCAR=y
-CONFIG_SATA_SIL=y
-CONFIG_SATA_SIS=y
-CONFIG_SATA_SVW=y
-CONFIG_SATA_ULI=y
-CONFIG_SATA_VIA=y
-CONFIG_SATA_VITESSE=y
+CONFIG_SATA_MV=m
+CONFIG_SATA_NV=m
+CONFIG_SATA_PROMISE=m
+CONFIG_SATA_RCAR=m
+CONFIG_SATA_SIL=m
+CONFIG_SATA_SIS=m
+CONFIG_SATA_SVW=m
+CONFIG_SATA_ULI=m
+CONFIG_SATA_VIA=m
+CONFIG_SATA_VITESSE=m

 #
 # PATA SFF controllers with BMDMA
@@ -3206,7 +3207,7 @@ CONFIG_PATA_RDC=m
 CONFIG_PATA_SCH=m
 CONFIG_PATA_SERVERWORKS=m
 CONFIG_PATA_SIL680=m
-CONFIG_PATA_SIS=y
+CONFIG_PATA_SIS=m
 CONFIG_PATA_TOSHIBA=m
 CONFIG_PATA_TRIFLEX=m
 CONFIG_PATA_VIA=m
@@ -3248,8 +3249,8 @@ CONFIG_PATA_PARPORT_ON26=m
 #
 # Generic fallback / legacy drivers
 #
-CONFIG_PATA_ACPI=y
-CONFIG_ATA_GENERIC=y
+CONFIG_PATA_ACPI=m
+CONFIG_ATA_GENERIC=m
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
@@ -10435,11 +10436,11 @@ CONFIG_VMGENID=m
 CONFIG_NITRO_ENCLAVES=m
 CONFIG_ARM_PKVM_GUEST=y
 CONFIG_VIRTIO_ANCHOR=y
-CONFIG_VIRTIO=y
-CONFIG_VIRTIO_PCI_LIB=y
-CONFIG_VIRTIO_PCI_LIB_LEGACY=y
+CONFIG_VIRTIO=m
+CONFIG_VIRTIO_PCI_LIB=m
+CONFIG_VIRTIO_PCI_LIB_LEGACY=m
 CONFIG_VIRTIO_MENU=y
-CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI=m
 CONFIG_VIRTIO_PCI_LEGACY=y
 CONFIG_VIRTIO_VDPA=m
 CONFIG_VIRTIO_PMEM=m
--- a/internal/rosa/llvm.go
+++ b/internal/rosa/llvm.go
@@ -73,8 +73,14 @@ func llvmFlagName(flag int) string {
 	}
 }

+const (
+	llvmVersionMajor = "22"
+	llvmVersion      = llvmVersionMajor + ".1.1"
+)
+
 // newLLVMVariant returns a [pkg.Artifact] containing a LLVM variant.
 func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
+	const checksum = "bQvV6D8AZvQykg7-uQb_saTbVavnSo1ykNJ3g57F5iE-evU3HuOYtcRnVIXTK76e"

 	if attr == nil {
 		panic("LLVM attr must be non-nil")
@@ -163,7 +169,7 @@ ln -s ld.lld /work/system/bin/ld
 	return t.NewPackage("llvm", llvmVersion, pkg.NewHTTPGetTar(
 		nil, "https://github.com/llvm/llvm-project/archive/refs/tags/"+
 			"llvmorg-"+llvmVersion+".tar.gz",
-		mustDecode(llvmChecksum),
+		mustDecode(checksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		Patches:   attr.patches,
@@ -310,7 +316,7 @@ ln -s clang++ /work/system/bin/c++
 ninja check-all
 `,

-		patches: slices.Concat([][2]string{
+		patches: [][2]string{
 			{"add-rosa-vendor", `diff --git a/llvm/include/llvm/TargetParser/Triple.h b/llvm/include/llvm/TargetParser/Triple.h
 index 9c83abeeb3b1..5acfe5836a23 100644
 --- a/llvm/include/llvm/TargetParser/Triple.h
@@ -482,7 +488,7 @@ index 64324a3f8b01..15ce70b68217 100644
                                    "/System/Library/Frameworks"};
 
 `},
-		}, clangPatches),
+		},
 	})

 	return
--- a/internal/rosa/llvm_amd64.go
+++ b/internal/rosa/llvm_amd64.go
@@ -1,4 +0,0 @@
-package rosa
-
-// clangPatches are patches applied to the LLVM source tree for building clang.
-var clangPatches [][2]string
--- a/internal/rosa/llvm_arm64.go
+++ b/internal/rosa/llvm_arm64.go
@@ -1,12 +0,0 @@
-package rosa
-
-// clangPatches are patches applied to the LLVM source tree for building clang.
-var clangPatches [][2]string
-
-// one version behind, latest fails 5 tests with 2 flaky on arm64
-const (
-	llvmVersionMajor = "21"
-	llvmVersion      = llvmVersionMajor + ".1.8"
-
-	llvmChecksum = "8SUpqDkcgwOPsqHVtmf9kXfFeVmjVxl4LMn-qSE1AI_Xoeju-9HaoPNGtidyxyka"
-)
--- a/internal/rosa/llvm_latest.go
+++ b/internal/rosa/llvm_latest.go
@@ -1,11 +0,0 @@
-//go:build !arm64
-
-package rosa
-
-// latest version of LLVM, conditional to temporarily avoid broken new releases
-const (
-	llvmVersionMajor = "22"
-	llvmVersion      = llvmVersionMajor + ".1.1"
-
-	llvmChecksum = "bQvV6D8AZvQykg7-uQb_saTbVavnSo1ykNJ3g57F5iE-evU3HuOYtcRnVIXTK76e"
-)
--- a/internal/rosa/meson.go
+++ b/internal/rosa/meson.go
@@ -9,8 +9,8 @@ import (

 func (t Toolchain) newMeson() (pkg.Artifact, string) {
 	const (
-		version  = "1.10.2"
-		checksum = "18VmKUVKuXCwtawkYCeYHseC3cKpi86OhnIPaV878wjY0rkXH8XnQwUyymnxFgcl"
+		version  = "1.10.1"
+		checksum = "w895BXF_icncnXatT_OLCFe2PYEtg4KrKooMgUYdN-nQVvbFX3PvYWHGEpogsHtd"
 	)
 	return t.New("meson-"+version, 0, []pkg.Artifact{
 		t.Load(Zlib),
--- a/internal/rosa/python.go
+++ b/internal/rosa/python.go
@@ -195,4 +195,103 @@ func init() {
 		PythonPluggy,
 		PythonPygments,
 	)
+
+	artifactsM[PythonCfgv] = newViaPip(
+		"cfgv",
+		"validate configuration and produce human readable error messages",
+		"3.5.0", "py2.py3", "none", "any",
+		"yFKTyVRlmnLKAxvvge15kAd_GOP1Xh3fZ0NFImO5pBdD5e0zj3GRmA6Q1HdtLTYO",
+		"https://files.pythonhosted.org/packages/"+
+			"db/3c/33bac158f8ab7f89b2e59426d5fe2e4f63f7ed25df84c036890172b412b5/",
+	)
+
+	artifactsM[PythonIdentify] = newViaPip(
+		"identify",
+		"file identification library for Python",
+		"2.6.17", "py2.py3", "none", "any",
+		"9RxK3igO-Pxxof5AuCAGiF_L1SWi4SpuSF1fWNXCzE2D4oTRSob-9VpFMLlybrSv",
+		"https://files.pythonhosted.org/packages/"+
+			"40/66/71c1227dff78aaeb942fed29dd5651f2aec166cc7c9aeea3e8b26a539b7d/",
+	)
+
+	artifactsM[PythonNodeenv] = newViaPip(
+		"nodeenv",
+		"a tool to create isolated node.js environments",
+		"1.10.0", "py2.py3", "none", "any",
+		"ihUb4-WQXYIhYOOKSsXlKIzjzQieOYl6ojro9H-0DFzGheaRTtuyZgsCmriq58sq",
+		"https://files.pythonhosted.org/packages/"+
+			"88/b2/d0896bdcdc8d28a7fc5717c305f1a861c26e18c05047949fb371034d98bd/",
+	)
+
+	artifactsM[PythonPyYAML] = newViaPip(
+		"pyyaml",
+		"a complete YAML 1.1 parser",
+		"6.0.3", "cp314", "cp314", "musllinux_1_2_x86_64",
+		"4_jhCFpUNtyrFp2HOMqUisR005u90MHId53eS7rkUbcGXkoaJ7JRsY21dREHEfGN",
+		"https://files.pythonhosted.org/packages/"+
+			"d7/ce/af88a49043cd2e265be63d083fc75b27b6ed062f5f9fd6cdc223ad62f03e/",
+	)
+
+	artifactsM[PythonDistlib] = newViaPip(
+		"distlib",
+		"used as the basis for third-party packaging tools",
+		"0.4.0", "py2.py3", "none", "any",
+		"lGLLfYVhUhXOTw_84zULaH2K8n6pk1OOVXmJfGavev7N42msbtHoq-XY5D_xULI_",
+		"https://files.pythonhosted.org/packages/"+
+			"33/6b/e0547afaf41bf2c42e52430072fa5658766e3d65bd4b03a563d1b6336f57/",
+	)
+
+	artifactsM[PythonFilelock] = newViaPip(
+		"filelock",
+		"a platform-independent file locking library for Python",
+		"3.25.0", "py3", "none", "any",
+		"0gSQIYNUEjOs1JBxXjGwfLnwFPFINwqyU_Zqgj7fT_EGafv_HaD5h3Xv2Rq_qQ44",
+		"https://files.pythonhosted.org/packages/"+
+			"f9/0b/de6f54d4a8bedfe8645c41497f3c18d749f0bd3218170c667bf4b81d0cdd/",
+	)
+
+	artifactsM[PythonPlatformdirs] = newViaPip(
+		"platformdirs",
+		"a Python package for determining platform-specific directories",
+		"4.9.4", "py3", "none", "any",
+		"JGNpMCX2JMn-7c9bk3QzOSNDgJRR_5lH-jIqfy0zXMZppRCdLsTNbdp4V7QFwxOI",
+		"https://files.pythonhosted.org/packages/"+
+			"63/d7/97f7e3a6abb67d8080dd406fd4df842c2be0efaf712d1c899c32a075027c/",
+	)
+
+	artifactsM[PythonDiscovery] = newViaPip(
+		"python_discovery",
+		"looks for a python installation",
+		"1.1.1", "py3", "none", "any",
+		"Jk_qGMfZYm0fdNOSvMdVQZuQbJlqu3NWRm7T2fRtiBXmHLQyOdJE3ypI_it1OJR0",
+		"https://files.pythonhosted.org/packages/"+
+			"75/0f/2bf7e3b5a4a65f623cb820feb5793e243fad58ae561015ee15a6152f67a2/",
+		PythonFilelock,
+		PythonPlatformdirs,
+	)
+
+	artifactsM[PythonVirtualenv] = newViaPip(
+		"virtualenv",
+		"a tool for creating isolated virtual python environments",
+		"21.1.0", "py3", "none", "any",
+		"SLvdr3gJZ7GTS-kiRyq2RvJdrQ8SZYC1pglbViWCMLCuAIcbLNjVEUJZ4hDtKUxm",
+		"https://files.pythonhosted.org/packages/"+
+			"78/55/896b06bf93a49bec0f4ae2a6f1ed12bd05c8860744ac3a70eda041064e4d/",
+		PythonDistlib,
+		PythonDiscovery,
+	)
+
+	artifactsM[PythonPreCommit] = newViaPip(
+		"pre_commit",
+		"a framework for managing and maintaining multi-language pre-commit hooks",
+		"4.5.1", "py2.py3", "none", "any",
+		"9G2Hv5JpvXFZVfw4pv_KAsmHD6bvot9Z0YBDmW6JeJizqTA4xEQCKel-pCERqQFK",
+		"https://files.pythonhosted.org/packages/"+
+			"5d/19/fd3ef348460c80af7bb4669ea7926651d1f95c23ff2df18b9d24bab4f3fa/",
+		PythonCfgv,
+		PythonIdentify,
+		PythonNodeenv,
+		PythonPyYAML,
+		PythonVirtualenv,
+	)
 }
--- a/internal/rosa/tamago.go
+++ b/internal/rosa/tamago.go
@@ -17,7 +17,6 @@ func (t Toolchain) newTamaGo() (pkg.Artifact, string) {
 	), nil, []string{
 		"CC=cc",
 		"GOCACHE=/tmp/gocache",
-		"CGO_ENABLED=0",
 	}, `
 mkdir /work/system # "${TMPDIR}"
 cp -r /usr/src/tamago /work/system
--- a/package.nix
+++ b/package.nix
@@ -30,7 +30,7 @@

 buildGo126Module rec {
  pname = "hakurei";
-  version = "0.3.7";
+  version = "0.3.6";

  srcFiltered = builtins.path {
    name = "${pname}-src";
Author	SHA1	Message	Date
mae	c7e195fe64	cmd/pkgserver: remove get endpoint count field	2026-03-13 20:51:08 -05:00
mae	d5db9add98	cmd/pkgserver: search endpoint	2026-03-13 20:51:08 -05:00
mae	ab8abdc82b	cmd/pkgserver: pagination bugfix	2026-03-13 20:51:08 -05:00
Ophestra	770fd46510	cmd/pkgserver: guard sass/ts behind build tag Packaging nodejs and ruby is an immense burden for the Rosa OS base system, and these files diff poorly. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
mae	99f1c6aab4	cmd/pkgserver: add size	2026-03-13 20:51:08 -05:00
Ophestra	9ee629d402	cmd/pkgserver: expose size and store pre-encoded ident This change also handles SIGSEGV correctly in newStatusHandler, and makes serving status fully zero copy. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	f475dde8b9	cmd/pkgserver: look up status by name once This has far less overhead. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	c43a0c41b6	cmd/pkgserver: refer to preset in index This enables referencing back to internal/rosa through an entry obtained via the index. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	55827f1a85	cmd/pkgserver: handle unversioned value This omits the field for an unversioned artifact, and only does so once on startup. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	721bdddfa1	cmd/pkgserver: determine disposition route in mux This removes duplicate checks and uses the more sound check in mux. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	fb18e599dd	cmd/pkgserver: format get error messages This improves source code readability on smaller displays. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	ec9005c794	cmd/pkgserver: constant string in pattern This resolves patterns at compile time. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	c6d35b4003	cmd/pkgserver: satisfy handler signature in method This is somewhat cleaner. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	6401533cc2	cmd/pkgserver: log instead of write encoding error This message is unlikely to be useful to the user, and output may be partially written at this point, causing the error to be even less intelligible. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	5d6c401beb	cmd/pkgserver: appropriately mark test helpers This improves usefulness of test log messages. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	0a2d6aec14	cmd/pkgserver: do not omit report field Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	67b11335d6	cmd/pkgserver: gracefully shut down on signal Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	ef3bd1b60a	cmd/pkgserver: specify full addr string in flag This allows greater flexibility. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	beae7c89db	cmd/pkgserver: make report argument optional This allows serving metadata only without a populated report. This also removes the out-of-bounds read on args when no arguments are passed. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	ed26d1a1c2	cmd/pkgserver: embed internal/rosa metadata This change also cleans up and reduces some unnecessary copies. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	faa0006d47	cmd/pkgserver: do not assume default mux This helps with testing. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
Ophestra	796ddbc977	cmd/pkgserver: create index without report This is useful for testing, where report testdata is not available. Signed-off-by: Ophestra <cat@gensokyo.uk>	2026-03-13 20:51:08 -05:00
mae	98ab020160	cmd/pkgserver: add sort orders, change pagination rules	2026-03-13 20:51:08 -05:00
mae	26a346036d	cmd/pkgserver: add /status endpoint	2026-03-13 20:51:08 -05:00
mae	4ac9c72132	cmd/pkgserver: minimum viable frontend	2026-03-13 20:51:08 -05:00
mae	c39c07d440	cmd/pkgserver: api versioning	2026-03-13 20:51:08 -05:00
mae	b3fa0fe271	cmd/pkgserver: add get endpoint	2026-03-13 20:51:08 -05:00
mae	92a90582bb	cmd/pkgserver: add count endpoint and restructure	2026-03-13 20:51:08 -05:00
mae	2e5ac56bdf	cmd/pkgserver: add status endpoint	2026-03-13 20:51:08 -05:00
mae	75133e0234	cmd/pkgserver: add createPackageIndex	2026-03-13 20:51:08 -05:00
mae	c120d4de4f	cmd/pkgserver: add command handler	2026-03-13 20:51:08 -05:00
mae	d6af8edb4a	cmd/pkgserver: replace favicon	2026-03-13 20:51:08 -05:00
mae	da25d609d5	cmd/pkgserver: pagination	2026-03-13 20:51:08 -05:00
mae	95ceed0de0	cmd/pkgserver: basic web ui	2026-03-13 20:51:08 -05:00