internal/rosa/go: run bootstrap toolchain tests

The objdump test will be re-enabled after fixing llvm search paths. Signed-off-by: Ophestra <cat@gensokyo.uk>
internal/rosa/llvm: fix broken test patch
2026-01-22 07:05:48 +09:00 · 2026-01-22 06:42:04 +09:00 · 2026-01-22 05:42:23 +09:00 · 2026-01-22 04:21:06 +09:00 · 2026-01-22 04:06:48 +09:00 · 2026-01-22 03:37:46 +09:00
50 changed files with 7814 additions and 41 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,7 @@ go.work.sum

 # go generate
 /cmd/hakurei/LICENSE
+/internal/pkg/testdata/testtool

 # release
 /dist/hakurei-*
--- a/cmd/mbf/main.go
+++ b/cmd/mbf/main.go
@@ -0,0 +1,178 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"syscall"
+	"unique"
+
+	"hakurei.app/command"
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func main() {
+	container.TryArgv0(nil)
+
+	log.SetFlags(0)
+	log.SetPrefix("mbf: ")
+	msg := message.New(log.Default())
+
+	if os.Geteuid() == 0 {
+		log.Fatal("this program must not run as root")
+	}
+
+	var cache *pkg.Cache
+	ctx, stop := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
+	defer stop()
+	defer func() {
+		if cache != nil {
+			cache.Close()
+		}
+
+		if r := recover(); r != nil {
+			fmt.Println(r)
+			log.Fatal("consider scrubbing the on-disk cache")
+		}
+	}()
+
+	var (
+		flagVerbose bool
+		flagCures   int
+		flagBase    string
+		flagTShift  int
+	)
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
+		msg.SwapVerbose(flagVerbose)
+
+		var base *check.Absolute
+		if flagBase, err = filepath.Abs(flagBase); err != nil {
+			return
+		} else if base, err = check.NewAbs(flagBase); err != nil {
+			return
+		}
+		if cache, err = pkg.Open(ctx, msg, flagCures, base); err == nil {
+			if flagTShift < 0 || flagTShift > 31 {
+				flagTShift = 31
+			}
+			cache.SetThreshold(1 << flagTShift)
+		}
+		return
+	}).Flag(
+		&flagVerbose,
+		"v", command.BoolFlag(false),
+		"Print cure messages to the console",
+	).Flag(
+		&flagCures,
+		"cures", command.IntFlag(0),
+		"Maximum number of dependencies to cure at any given time",
+	).Flag(
+		&flagBase,
+		"d", command.StringFlag("cache"),
+		"Directory to store cured artifacts",
+	).Flag(
+		&flagTShift,
+		"tshift", command.IntFlag(31),
+		"Dependency graph size exponent, to the power of 2",
+	)
+
+	{
+		var flagShifts int
+		c.NewCommand(
+			"scrub", "Examine the on-disk cache for errors",
+			func(args []string) error {
+				if len(args) > 0 {
+					return errors.New("scrub expects no arguments")
+				}
+				if flagShifts < 0 || flagShifts > 31 {
+					flagShifts = 12
+				}
+				return cache.Scrub(runtime.NumCPU() << flagShifts)
+			},
+		).Flag(
+			&flagShifts,
+			"shift", command.IntFlag(12),
+			"Scrub parallelism size exponent, to the power of 2",
+		)
+	}
+
+	c.NewCommand(
+		"stage3",
+		"Check for toolchain 3-stage non-determinism",
+		func(args []string) (err error) {
+			_, _, _, stage2 := (rosa.Std - 1).NewLLVM()
+			_, _, _, stage3 := rosa.Std.NewLLVM()
+			var (
+				pathname *check.Absolute
+				checksum [2]unique.Handle[pkg.Checksum]
+			)
+
+			if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
+				return err
+			}
+			log.Println("stage2:", pathname)
+			if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
+				return err
+			}
+			log.Println("stage3:", pathname)
+
+			if checksum[0] != checksum[1] {
+				err = &pkg.ChecksumMismatchError{
+					Got:  checksum[0].Value(),
+					Want: checksum[1].Value(),
+				}
+			}
+			return
+		},
+	)
+
+	c.NewCommand(
+		"cure",
+		"Cure the named artifact and show its path",
+		func(args []string) error {
+			if len(args) != 1 {
+				return errors.New("cure requires 1 argument")
+			}
+			var a pkg.Artifact
+			switch args[0] {
+			case "busybox":
+				a = rosa.Std.NewBusybox()
+			case "musl":
+				a = rosa.Std.NewMusl(nil)
+			case "git":
+				a = rosa.Std.NewGit()
+			case "go":
+				a = rosa.Std.NewGo()
+			case "rsync":
+				a = rosa.Std.NewRsync()
+
+			default:
+				return fmt.Errorf("unsupported artifact %q", args[0])
+			}
+
+			pathname, _, err := cache.Cure(a)
+			if err == nil {
+				log.Println(pathname)
+			}
+			return err
+
+		},
+	)
+
+	c.MustParse(os.Args[1:], func(err error) {
+		if cache != nil {
+			cache.Close()
+		}
+		log.Fatal(err)
+	})
+}
--- a/container/capability.go
+++ b/container/capability.go
@@ -14,6 +14,7 @@ const (

 	CAP_SYS_ADMIN    = 0x15
 	CAP_SETPCAP      = 0x8
+	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
 )

--- a/container/check/absolute.go
+++ b/container/check/absolute.go
@@ -9,46 +9,60 @@ import (
 	"slices"
 	"strings"
 	"syscall"
+	"unique"
 )

 // AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
-type AbsoluteError struct{ Pathname string }
+type AbsoluteError string

-func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
-func (e *AbsoluteError) Is(target error) bool {
-	var ce *AbsoluteError
+func (e AbsoluteError) Error() string {
+	return fmt.Sprintf("path %q is not absolute", string(e))
+}
+
+func (e AbsoluteError) Is(target error) bool {
+	var ce AbsoluteError
 	if !errors.As(target, &ce) {
 		return errors.Is(target, syscall.EINVAL)
 	}
-	return *e == *ce
+	return e == ce
 }

 // Absolute holds a pathname checked to be absolute.
-type Absolute struct{ pathname string }
+type Absolute struct{ pathname unique.Handle[string] }
+
+// ok returns whether [Absolute] is not the zero value.
+func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }

 // unsafeAbs returns [check.Absolute] on any string value.
-func unsafeAbs(pathname string) *Absolute { return &Absolute{pathname} }
+func unsafeAbs(pathname string) *Absolute {
+	return &Absolute{unique.Make(pathname)}
+}

+// String returns the checked pathname.
 func (a *Absolute) String() string {
-	if a.pathname == "" {
+	if !a.ok() {
 		panic("attempted use of zero Absolute")
 	}
+	return a.pathname.Value()
+}
+
+// Handle returns the underlying [unique.Handle].
+func (a *Absolute) Handle() unique.Handle[string] {
 	return a.pathname
 }

+// Is efficiently compares the underlying pathname.
 func (a *Absolute) Is(v *Absolute) bool {
 	if a == nil && v == nil {
 		return true
 	}
-	return a != nil && v != nil &&
-		a.pathname != "" && v.pathname != "" &&
-		a.pathname == v.pathname
+	return a.ok() && v.ok() && a.pathname == v.pathname
 }

 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
 	if !path.IsAbs(pathname) {
-		return nil, &AbsoluteError{pathname}
+		return nil, AbsoluteError(pathname)
 	}
 	return unsafeAbs(pathname), nil
 }
@@ -70,35 +84,49 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [path.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }

-func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
+// GobEncode returns the checked pathname.
+func (a *Absolute) GobEncode() ([]byte, error) {
+	return []byte(a.String()), nil
+}
+
+// GobDecode stores data if it represents an absolute pathname.
 func (a *Absolute) GobDecode(data []byte) error {
 	pathname := string(data)
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }

-func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
+// MarshalJSON returns a JSON representation of the checked pathname.
+func (a *Absolute) MarshalJSON() ([]byte, error) {
+	return json.Marshal(a.String())
+}
+
+// UnmarshalJSON stores data if it represents an absolute pathname.
 func (a *Absolute) UnmarshalJSON(data []byte) error {
 	var pathname string
 	if err := json.Unmarshal(data, &pathname); err != nil {
 		return err
 	}
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }

 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
-	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
+	slices.SortFunc(x, func(a, b *Absolute) int {
+		return strings.Compare(a.String(), b.String())
+	})
 }

 // CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
 func CompactAbs(s []*Absolute) []*Absolute {
-	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool {
+		return a.Is(b)
+	})
 }
--- a/container/check/absolute_test.go
+++ b/container/check/absolute_test.go
@@ -31,8 +31,8 @@ func TestAbsoluteError(t *testing.T) {
 	}{
 		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
 		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
-		{"ne val", new(AbsoluteError), &AbsoluteError{Pathname: "etc"}, false},
-		{"equals", &AbsoluteError{Pathname: "etc"}, &AbsoluteError{Pathname: "etc"}, true},
+		{"ne val", new(AbsoluteError), AbsoluteError("etc"), false},
+		{"equals", AbsoluteError("etc"), AbsoluteError("etc"), true},
 	}

 	for _, tc := range testCases {
@@ -45,7 +45,7 @@ func TestAbsoluteError(t *testing.T) {
 		t.Parallel()

 		want := `path "etc" is not absolute`
-		if got := (&AbsoluteError{Pathname: "etc"}).Error(); got != want {
+		if got := (AbsoluteError("etc")).Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
 		}
 	})
@@ -62,8 +62,8 @@ func TestNewAbs(t *testing.T) {
 		wantErr  error
 	}{
 		{"good", "/etc", MustAbs("/etc"), nil},
-		{"not absolute", "etc", nil, &AbsoluteError{Pathname: "etc"}},
-		{"zero", "", nil, &AbsoluteError{Pathname: ""}},
+		{"not absolute", "etc", nil, AbsoluteError("etc")},
+		{"zero", "", nil, AbsoluteError("")},
 	}

 	for _, tc := range testCases {
@@ -84,7 +84,7 @@ func TestNewAbs(t *testing.T) {
 		t.Parallel()

 		defer func() {
-			wantPanic := &AbsoluteError{Pathname: "etc"}
+			wantPanic := AbsoluteError("etc")

 			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
 				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
@@ -175,7 +175,7 @@ func TestCodecAbsolute(t *testing.T) {

 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
-			&AbsoluteError{Pathname: "etc"},
+			AbsoluteError("etc"),
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
 			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",

--- a/container/container.go
+++ b/container/container.go
@@ -263,6 +263,8 @@ func (p *Container) Start() error {
 			CAP_SYS_ADMIN,
 			// drop capabilities
 			CAP_SETPCAP,
+			// bring up loopback interface
+			CAP_NET_ADMIN,
 			// overlay access to upperdir and workdir
 			CAP_DAC_OVERRIDE,
 		},
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -61,6 +61,8 @@ type syscallDispatcher interface {
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
+	// mustLoopback provides mustLoopback.
+	mustLoopback(msg message.Msg)

 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
@@ -164,6 +166,7 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
+func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }

 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -465,6 +465,8 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }

+func (*kstub) mustLoopback(message.Msg) { /* noop */ }
+
 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
--- a/container/errors.go
+++ b/container/errors.go
@@ -18,7 +18,7 @@ func messageFromError(err error) (m string, ok bool) {
 	if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
 		return
 	}
-	if m, ok = messagePrefixP[check.AbsoluteError](zeroString, err); ok {
+	if m, ok = messagePrefix[check.AbsoluteError](zeroString, err); ok {
 		return
 	}
 	if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
--- a/container/errors_test.go
+++ b/container/errors_test.go
@@ -37,7 +37,7 @@ func TestMessageFromError(t *testing.T) {
 			Err:  stub.UniqueError(0xdeadbeef),
 		}, "cannot mount /sysroot: unique error 3735928559 injected by the test suite", true},

-		{"absolute", &check.AbsoluteError{Pathname: "etc/mtab"},
+		{"absolute", check.AbsoluteError("etc/mtab"),
 			`path "etc/mtab" is not absolute`, true},

 		{"repeat", OpRepeatError("autoetc"),
--- a/container/fhs/abs.go
+++ b/container/fhs/abs.go
@@ -26,6 +26,8 @@ var (
 	// AbsRunUser is [RunUser] as [check.Absolute].
 	AbsRunUser = unsafeAbs(RunUser)

+	// AbsUsr is [Usr] as [check.Absolute].
+	AbsUsr = unsafeAbs(Usr)
 	// AbsUsrBin is [UsrBin] as [check.Absolute].
 	AbsUsrBin = unsafeAbs(UsrBin)

--- a/container/init.go
+++ b/container/init.go
@@ -170,6 +170,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		offsetSetup = int(setupFd + 1)
 	}

+	if !params.HostNet {
+		k.mustLoopback(msg)
+	}
+
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -312,7 +312,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},

-		{"ephemeral", new(Ops).OverlayEphemeral(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"ephemeral", new(Ops).OverlayEphemeral(
+			check.MustAbs("/nix/store"),
+			check.MustAbs("/mnt-root/nix/.ro-store"),
+		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
@@ -320,7 +323,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},

-		{"readonly", new(Ops).OverlayReadonly(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"readonly", new(Ops).OverlayReadonly(
+			check.MustAbs("/nix/store"),
+			check.MustAbs("/mnt-root/nix/.ro-store"),
+		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
--- a/container/initsymlink.go
+++ b/container/initsymlink.go
@@ -31,7 +31,7 @@ func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkN
 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
 		if !path.IsAbs(l.LinkName) {
-			return &check.AbsoluteError{Pathname: l.LinkName}
+			return check.AbsoluteError(l.LinkName)
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
 			return err
--- a/container/initsymlink_test.go
+++ b/container/initsymlink_test.go
@@ -23,7 +23,7 @@ func TestSymlinkOp(t *testing.T) {
 			Target:      check.MustAbs("/etc/mtab"),
 			LinkName:    "etc/mtab",
 			Dereference: true,
-		}, nil, &check.AbsoluteError{Pathname: "etc/mtab"}, nil, nil},
+		}, nil, check.AbsoluteError("etc/mtab"), nil, nil},

 		{"readlink", &Params{ParentPerm: 0755}, &SymlinkOp{
 			Target:      check.MustAbs("/etc/mtab"),
--- a/container/netlink.go
+++ b/container/netlink.go
@@ -0,0 +1,269 @@
+package container
+
+import (
+	"encoding/binary"
+	"errors"
+	"net"
+	"os"
+	. "syscall"
+	"unsafe"
+
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+// rtnetlink represents a NETLINK_ROUTE socket.
+type rtnetlink struct {
+	// Sent as part of rtnetlink messages.
+	pid uint32
+	// AF_NETLINK socket.
+	fd int
+	// Whether the socket is open.
+	ok bool
+	// Message sequence number.
+	seq uint32
+}
+
+// open creates the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) open() (err error) {
+	if s.ok || s.fd < 0 {
+		return os.ErrInvalid
+	}
+
+	s.pid = uint32(Getpid())
+	if s.fd, err = Socket(
+		AF_NETLINK,
+		SOCK_RAW|SOCK_CLOEXEC,
+		NETLINK_ROUTE,
+	); err != nil {
+		return os.NewSyscallError("socket", err)
+	} else if err = Bind(s.fd, &SockaddrNetlink{
+		Family: AF_NETLINK,
+		Pid:    s.pid,
+	}); err != nil {
+		_ = s.close()
+		return os.NewSyscallError("bind", err)
+	} else {
+		s.ok = true
+		return nil
+	}
+}
+
+// close closes the underlying NETLINK_ROUTE socket.
+func (s *rtnetlink) close() error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	s.ok = false
+	err := Close(s.fd)
+	s.fd = -1
+	return err
+}
+
+// roundtrip sends a netlink message and handles the reply.
+func (s *rtnetlink) roundtrip(data []byte) error {
+	if !s.ok {
+		return os.ErrInvalid
+	}
+
+	defer func() { s.seq++ }()
+
+	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
+		Family: AF_NETLINK,
+	}); err != nil {
+		return os.NewSyscallError("sendto", err)
+	}
+	buf := make([]byte, Getpagesize())
+
+done:
+	for {
+		p := buf
+		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
+			return os.NewSyscallError("recvfrom", err)
+		} else if n < NLMSG_HDRLEN {
+			return errors.ErrUnsupported
+		} else {
+			p = p[:n]
+		}
+
+		if msgs, err := ParseNetlinkMessage(p); err != nil {
+			return err
+		} else {
+			for _, m := range msgs {
+				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
+					return errors.ErrUnsupported
+				}
+				if m.Header.Type == NLMSG_DONE {
+					break done
+				}
+				if m.Header.Type == NLMSG_ERROR {
+					if len(m.Data) >= 4 {
+						errno := Errno(-std.ScmpInt(binary.NativeEndian.Uint32(m.Data)))
+						if errno == 0 {
+							return nil
+						}
+						return errno
+					}
+					return errors.ErrUnsupported
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
+func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
+	err := s.roundtrip(data)
+	if err == nil {
+		return
+	}
+	if closeErr := Close(s.fd); closeErr != nil {
+		msg.Verbosef("cannot close: %v", err)
+	}
+
+	switch err.(type) {
+	case *os.SyscallError:
+		msg.GetLogger().Fatalf("cannot %v", err)
+
+	case Errno:
+		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
+
+	default:
+		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
+	}
+}
+
+// newaddrLo represents a RTM_NEWADDR message with two addresses.
+type newaddrLo struct {
+	header NlMsghdr
+	data   IfAddrmsg
+
+	r0 RtAttr
+	a0 [4]byte // in_addr
+	r1 RtAttr
+	a1 [4]byte // in_addr
+}
+
+// sizeofNewaddrLo is the expected size of newaddrLo.
+const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
+
+// newaddrLo returns the address of a populated newaddrLo.
+func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
+	return &newaddrLo{NlMsghdr{
+		Len:   sizeofNewaddrLo,
+		Type:  RTM_NEWADDR,
+		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfAddrmsg{
+		Family:    AF_INET,
+		Prefixlen: 8,
+		Flags:     IFA_F_PERMANENT,
+		Scope:     RT_SCOPE_HOST,
+		Index:     uint32(lo),
+	}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
+		Type: IFA_LOCAL,
+	}, [4]byte{127, 0, 0, 1}, RtAttr{
+		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
+		Type: IFA_ADDRESS,
+	}, [4]byte{127, 0, 0, 1}}
+}
+
+func (msg *newaddrLo) toWireFormat() []byte {
+	var buf [sizeofNewaddrLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	buf[17] = msg.data.Prefixlen
+	buf[18] = msg.data.Flags
+	buf[19] = msg.data.Scope
+	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+
+	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
+	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
+	copy(buf[28:32], msg.a0[:])
+	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
+	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
+	copy(buf[36:40], msg.a1[:])
+
+	return buf[:]
+}
+
+// newlinkLo represents a RTM_NEWLINK message.
+type newlinkLo struct {
+	header NlMsghdr
+	data   IfInfomsg
+}
+
+// sizeofNewlinkLo is the expected size of newlinkLo.
+const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
+
+// newlinkLo returns the address of a populated newlinkLo.
+func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
+	return &newlinkLo{NlMsghdr{
+		Len:   sizeofNewlinkLo,
+		Type:  RTM_NEWLINK,
+		Flags: NLM_F_REQUEST | NLM_F_ACK,
+		Seq:   s.seq,
+		Pid:   s.pid,
+	}, IfInfomsg{
+		Family: AF_UNSPEC,
+		Index:  int32(lo),
+		Flags:  IFF_UP,
+		Change: IFF_UP,
+	}}
+}
+
+func (msg *newlinkLo) toWireFormat() []byte {
+	var buf [sizeofNewlinkLo]byte
+
+	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
+	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
+	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
+	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
+	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
+
+	buf[16] = msg.data.Family
+	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
+	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
+	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
+	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
+
+	return buf[:]
+}
+
+// mustLoopback creates the loopback address and brings the lo interface up.
+// mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
+// user-facing error message if RTNETLINK behaves unexpectedly.
+func mustLoopback(msg message.Msg) {
+	log := msg.GetLogger()
+
+	var lo int
+	if ifi, err := net.InterfaceByName("lo"); err != nil {
+		log.Fatalln(err)
+	} else {
+		lo = ifi.Index
+	}
+
+	var s rtnetlink
+	if err := s.open(); err != nil {
+		log.Fatalln(err)
+	}
+	defer func() {
+		if err := s.close(); err != nil {
+			msg.Verbosef("cannot close netlink: %v", err)
+		}
+	}()
+
+	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
+	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
+}
--- a/container/netlink_test.go
+++ b/container/netlink_test.go
@@ -0,0 +1,72 @@
+package container
+
+import (
+	"testing"
+	"unsafe"
+)
+
+func TestSizeof(t *testing.T) {
+	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
+		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
+	}
+
+	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
+		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
+	}
+}
+
+func TestRtnetlinkMessage(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		msg  interface{ toWireFormat() []byte }
+		want []byte
+	}{
+		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
+			/* Len   */ 0x28, 0, 0, 0,
+			/* Type  */ 0x14, 0,
+			/* Flags */ 5, 6,
+			/* Seq   */ 0, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family    */ 2,
+			/* Prefixlen */ 8,
+			/* Flags     */ 0x80,
+			/* Scope     */ 0xfe,
+			/* Index     */ 1, 0, 0, 0,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 2, 0,
+			/* in_addr */ 127, 0, 0, 1,
+
+			/* Len     */ 8, 0,
+			/* Type    */ 1, 0,
+			/* in_addr */ 127, 0, 0, 1,
+		}},
+
+		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
+			/* Len   */ 0x20, 0, 0, 0,
+			/* Type  */ 0x10, 0,
+			/* Flags */ 5, 0,
+			/* Seq   */ 1, 0, 0, 0,
+			/* Pid   */ 1, 0, 0, 0,
+
+			/* Family */ 0,
+			/* pad    */ 0,
+			/* Type   */ 0, 0,
+			/* Index  */ 1, 0, 0, 0,
+			/* Flags  */ 1, 0, 0, 0,
+			/* Change */ 1, 0, 0, 0,
+		}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
+				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
 module hakurei.app

-go 1.24
+go 1.25
--- a/internal/outcome/sppulse_test.go
+++ b/internal/outcome/sppulse_test.go
@@ -108,7 +108,7 @@ func TestSpPulseOp(t *testing.T) {
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "proc/nonexistent/cookie", nil),
 		}, nil, nil, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/cookie"},
+			Err:  check.AbsoluteError("proc/nonexistent/cookie"),
 		}, nil, nil, nil, nil, nil},

 		{"cookie loadFile", func(bool, bool) outcomeOp {
@@ -272,7 +272,7 @@ func TestDiscoverPulseCookie(t *testing.T) {
 			call("verbose", stub.ExpectArgs{[]any{(*check.Absolute)(nil)}}, nil, nil),
 		}}, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/pulse-cookie"},
+			Err:  check.AbsoluteError("proc/nonexistent/pulse-cookie"),
 		}},

 		{"success override", fCheckPathname, stub.Expect{Calls: []stub.Call{
@@ -286,7 +286,7 @@ func TestDiscoverPulseCookie(t *testing.T) {
 			call("verbose", stub.ExpectArgs{[]any{(*check.Absolute)(nil)}}, nil, nil),
 		}}, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/home"},
+			Err:  check.AbsoluteError("proc/nonexistent/home"),
 		}},

 		{"home stat", fCheckPathname, stub.Expect{Calls: []stub.Call{
@@ -321,7 +321,7 @@ func TestDiscoverPulseCookie(t *testing.T) {
 			call("verbose", stub.ExpectArgs{[]any{(*check.Absolute)(nil)}}, nil, nil),
 		}}, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/xdg"},
+			Err:  check.AbsoluteError("proc/nonexistent/xdg"),
 		}},

 		{"xdg stat", fCheckPathname, stub.Expect{Calls: []stub.Call{
--- a/internal/pkg/dir.go
+++ b/internal/pkg/dir.go
@@ -0,0 +1,211 @@
+package pkg
+
+import (
+	"crypto/sha512"
+	"encoding/binary"
+	"errors"
+	"io"
+	"io/fs"
+	"math"
+	"os"
+	"path/filepath"
+	"syscall"
+
+	"hakurei.app/container/check"
+)
+
+// FlatEntry is a directory entry to be encoded for [Flatten].
+type FlatEntry struct {
+	Mode fs.FileMode // file mode bits
+	Path string      // pathname of the file
+	Data []byte      // file content or symlink destination
+}
+
+/*
+| mode uint32 | path_sz uint32 |
+|        data_sz uint64        |
+|         path string          |
+|         data []byte          |
+*/
+
+// wordSize is the boundary which binary segments are always aligned to.
+const wordSize = 8
+
+// alignSize returns the padded size for aligning sz.
+func alignSize(sz int) int {
+	return sz + (wordSize-(sz)%wordSize)%wordSize
+}
+
+// Encode encodes the entry for transmission or hashing.
+func (ent *FlatEntry) Encode(w io.Writer) (n int, err error) {
+	pPathSize := alignSize(len(ent.Path))
+	if pPathSize > math.MaxUint32 {
+		return 0, syscall.E2BIG
+	}
+	pDataSize := alignSize(len(ent.Data))
+
+	payload := make([]byte, wordSize*2+pPathSize+pDataSize)
+	binary.LittleEndian.PutUint32(payload, uint32(ent.Mode))
+	binary.LittleEndian.PutUint32(payload[wordSize/2:], uint32(len(ent.Path)))
+	binary.LittleEndian.PutUint64(payload[wordSize:], uint64(len(ent.Data)))
+	copy(payload[wordSize*2:], ent.Path)
+	copy(payload[wordSize*2+pPathSize:], ent.Data)
+	return w.Write(payload)
+}
+
+// ErrInsecurePath is returned by [FlatEntry.Decode] if validation is requested
+// and a nonlocal path is encountered in the stream.
+var ErrInsecurePath = errors.New("insecure file path")
+
+// Decode decodes the entry from its representation produced by Encode.
+func (ent *FlatEntry) Decode(r io.Reader, validate bool) (n int, err error) {
+	var nr int
+
+	header := make([]byte, wordSize*2)
+	nr, err = r.Read(header)
+	n += nr
+	if err != nil {
+		if errors.Is(err, io.EOF) && n != 0 {
+			err = io.ErrUnexpectedEOF
+		}
+		return
+	}
+
+	ent.Mode = fs.FileMode(binary.LittleEndian.Uint32(header))
+	pathSize := int(binary.LittleEndian.Uint32(header[wordSize/2:]))
+	pPathSize := alignSize(pathSize)
+	dataSize := int(binary.LittleEndian.Uint64(header[wordSize:]))
+	pDataSize := alignSize(dataSize)
+
+	buf := make([]byte, pPathSize+pDataSize)
+	nr, err = r.Read(buf)
+	n += nr
+	if err != nil {
+		if errors.Is(err, io.EOF) {
+			if nr != len(buf) {
+				err = io.ErrUnexpectedEOF
+				return
+			}
+		} else {
+			return
+		}
+	}
+
+	ent.Path = string(buf[:pathSize])
+	if ent.Mode.IsDir() {
+		ent.Data = nil
+	} else {
+		ent.Data = buf[pPathSize : pPathSize+dataSize]
+	}
+
+	if validate && !filepath.IsLocal(ent.Path) {
+		err = ErrInsecurePath
+	}
+
+	return
+}
+
+// DirScanner provides an efficient interface for reading a stream of encoded
+// [FlatEntry]. Successive calls to the Scan method will step through the
+// entries in the stream.
+type DirScanner struct {
+	// Underlying reader to scan [FlatEntry] representations from.
+	r io.Reader
+
+	// First non-EOF I/O error, returned by the Err method.
+	err error
+
+	// Entry to store results in. Its address is returned by the Entry method
+	// and is updated on every call to Scan.
+	ent FlatEntry
+
+	// Validate pathnames during decoding.
+	validate bool
+}
+
+// NewDirScanner returns the address of a new instance of [DirScanner] reading
+// from r. The caller must no longer read from r after this function returns.
+func NewDirScanner(r io.Reader, validate bool) *DirScanner {
+	return &DirScanner{r: r, validate: validate}
+}
+
+// Err returns the first non-EOF I/O error.
+func (s *DirScanner) Err() error {
+	if errors.Is(s.err, io.EOF) {
+		return nil
+	}
+	return s.err
+}
+
+// Entry returns the address to the [FlatEntry] value storing the last result.
+func (s *DirScanner) Entry() *FlatEntry { return &s.ent }
+
+// Scan advances to the next [FlatEntry].
+func (s *DirScanner) Scan() bool {
+	if s.err != nil {
+		return false
+	}
+
+	var n int
+	n, s.err = s.ent.Decode(s.r, s.validate)
+	if errors.Is(s.err, io.EOF) {
+		return n != 0
+	}
+	return s.err == nil
+}
+
+// Flatten writes a deterministic representation of the contents of fsys to w.
+// The resulting data can be hashed to produce a deterministic checksum for the
+// directory.
+func Flatten(fsys fs.FS, root string, w io.Writer) (n int, err error) {
+	var nr int
+	err = fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		var fi fs.FileInfo
+		fi, err = d.Info()
+		if err != nil {
+			return err
+		}
+
+		ent := FlatEntry{
+			Path: path,
+			Mode: fi.Mode(),
+		}
+		if ent.Mode.IsRegular() {
+			if ent.Data, err = fs.ReadFile(fsys, path); err != nil {
+				return err
+			}
+		} else if ent.Mode&fs.ModeSymlink != 0 {
+			var newpath string
+			if newpath, err = fs.ReadLink(fsys, path); err != nil {
+				return err
+			}
+			ent.Data = []byte(newpath)
+		} else if !ent.Mode.IsDir() {
+			return InvalidFileModeError(ent.Mode)
+		}
+
+		nr, err = ent.Encode(w)
+		n += nr
+		return err
+	})
+	return
+}
+
+// HashFS returns a checksum produced by hashing the result of [Flatten].
+func HashFS(buf *Checksum, fsys fs.FS, root string) error {
+	h := sha512.New384()
+	if _, err := Flatten(fsys, root, h); err != nil {
+		return err
+	}
+	h.Sum(buf[:0])
+	return nil
+}
+
+// HashDir returns a checksum produced by hashing the result of [Flatten].
+func HashDir(buf *Checksum, pathname *check.Absolute) error {
+	return HashFS(buf, os.DirFS(pathname.String()), ".")
+}
--- a/internal/pkg/dir_test.go
+++ b/internal/pkg/dir_test.go
@@ -0,0 +1,570 @@
+package pkg_test
+
+import (
+	"bytes"
+	"io/fs"
+	"reflect"
+	"testing"
+	"testing/fstest"
+
+	"hakurei.app/internal/pkg"
+)
+
+func TestFlatten(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		fsys    fs.FS
+		entries []pkg.FlatEntry
+		sum     pkg.Checksum
+		err     error
+	}{
+		{"bad type", fstest.MapFS{
+			".":       {Mode: fs.ModeDir | 0700},
+			"invalid": {Mode: fs.ModeCharDevice | 0400},
+		}, nil, pkg.Checksum{}, pkg.InvalidFileModeError(
+			fs.ModeCharDevice | 0400,
+		)},
+
+		{"empty", fstest.MapFS{
+			".":          {Mode: fs.ModeDir | 0700},
+			"checksum":   {Mode: fs.ModeDir | 0700},
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"work":       {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C"), nil},
+
+		{"sample cache file", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
+			"checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: 0400, Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+			"identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			"identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			"identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: 0400, Path: "checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
+			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("St9rlE-mGZ5gXwiv_hzQ_B8bZP-UUvSNmf4nHUZzCMOumb6hKnheZSe0dmnuc4Q2"), nil},
+
+		{"sample http get cure", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU": {Mode: 0400, Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/NqVORkT6L9HX6Za7kT2zcibY10qFqBaxEjPiYFrBQX-ZFr3yxCzJxbKOP0zVjeWb": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: 0400, Path: "checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU", Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/NqVORkT6L9HX6Za7kT2zcibY10qFqBaxEjPiYFrBQX-ZFr3yxCzJxbKOP0zVjeWb", Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("bqtn69RkV5E7V7GhhgCFjcvbxmaqrO8DywamM4Tyjf10F6EJBHjXiIa_tFRtF4iN"), nil},
+
+		{"sample directory step simple", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"check": {Mode: 0400, Data: []byte{0, 0}},
+
+			"lib":            {Mode: fs.ModeDir | 0700},
+			"lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"lib/pkgconfig": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: 0400, Path: "check", Data: []byte{0, 0}},
+
+			{Mode: fs.ModeDir | 0700, Path: "lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+
+			{Mode: fs.ModeDir | 0700, Path: "lib/pkgconfig"},
+		}, pkg.MustDecode("qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"), nil},
+
+		{"sample directory step garbage", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"lib":       {Mode: fs.ModeDir | 0500},
+			"lib/check": {Mode: 0400, Data: []byte{}},
+
+			"lib/pkgconfig": {Mode: fs.ModeDir | 0500},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: fs.ModeDir | 0500, Path: "lib"},
+			{Mode: 0400, Path: "lib/check", Data: []byte{}},
+
+			{Mode: fs.ModeDir | 0500, Path: "lib/pkgconfig"},
+		}, pkg.MustDecode("CUx-3hSbTWPsbMfDhgalG4Ni_GmR9TnVX8F99tY_P5GtkYvczg9RrF5zO0jX9XYT"), nil},
+
+		{"sample directory", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b":                {Mode: fs.ModeDir | 0500},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check":          {Mode: 0400, Data: []byte{0, 0}},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib":            {Mode: fs.ModeDir | 0700},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig":  {Mode: fs.ModeDir | 0700},
+			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"},
+			{Mode: 0400, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check", Data: []byte{0, 0}},
+			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("WVpvsVqVKg9Nsh744x57h51AuWUoUR2nnh8Md-EYBQpk6ziyTuUn6PLtF2e0Eu_d"), nil},
+
+		{"sample tar step unpack", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"checksum": {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"identifier": {Mode: fs.ModeDir | 0500},
+			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+
+			"work": {Mode: fs.ModeDir | 0500},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: fs.ModeDir | 0500, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
+			{Mode: 0400, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
+
+			{Mode: fs.ModeDir | 0500, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+
+			{Mode: fs.ModeDir | 0500, Path: "work"},
+		}, pkg.MustDecode("cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"), nil},
+
+		{"sample tar", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM":                                                                                          {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum":                                                                                 {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier":                                                                               {Mode: fs.ModeDir | 0500},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work":                                                                                     {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/-P_1iw6yVq_letMHncqcExSE0bYcDhYI5OdY6b1wKASf-Corufvj__XTBUq2Qd2a": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+			"identifier/0_rRxIqbX9LK9L_KDbuafotFz6HFkonNgO9gXhK1asM_Y1Pxn0amg756vRTo6m74": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
+			{Mode: 0400, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/-P_1iw6yVq_letMHncqcExSE0bYcDhYI5OdY6b1wKASf-Corufvj__XTBUq2Qd2a", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/0_rRxIqbX9LK9L_KDbuafotFz6HFkonNgO9gXhK1asM_Y1Pxn0amg756vRTo6m74", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("sxbgyX-bPoezbha214n2lbQhiVfTUBkhZ0EX6zI7mmkMdrCdwuMwhMBJphLQsy94"), nil},
+
+		{"sample tar expand step unpack", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: fs.ModeSymlink | 0777, Path: "libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+		}, pkg.MustDecode("CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"), nil},
+
+		{"sample tar expand", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN":            {Mode: fs.ModeDir | 0500},
+			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/-P_1iw6yVq_letMHncqcExSE0bYcDhYI5OdY6b1wKASf-Corufvj__XTBUq2Qd2a": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+			"identifier/0_rRxIqbX9LK9L_KDbuafotFz6HFkonNgO9gXhK1asM_Y1Pxn0amg756vRTo6m74": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"},
+			{Mode: fs.ModeSymlink | 0777, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/-P_1iw6yVq_letMHncqcExSE0bYcDhYI5OdY6b1wKASf-Corufvj__XTBUq2Qd2a", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/0_rRxIqbX9LK9L_KDbuafotFz6HFkonNgO9gXhK1asM_Y1Pxn0amg756vRTo6m74", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("4I8wx_h7NSJTlG5lbuz-GGEXrOg0GYC3M_503LYEBhv5XGWXfNIdIY9Q3eVSYldX"), nil},
+
+		{"testtool", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"check": {Mode: 0400, Data: []byte{0}},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: 0400, Path: "check", Data: []byte{0}},
+		}, pkg.MustDecode("GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"), nil},
+
+		{"sample exec container", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/U2cbgVgEtjfRuvHfE1cQnZ3t8yoexULQyo_VLgvxAVJSsobMcNaFIsuDWtmt7kzK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/U2cbgVgEtjfRuvHfE1cQnZ3t8yoexULQyo_VLgvxAVJSsobMcNaFIsuDWtmt7kzK", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("UiV6kMz7KrTsc_yphiyQzFLqjRanHxUOwrBMtkKuWo4mOO6WgPFAcoUEeSp7eVIW"), nil},
+
+		{"testtool net", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0500},
+
+			"check": {Mode: 0400, Data: []byte("net")},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0500, Path: "."},
+
+			{Mode: 0400, Path: "check", Data: []byte("net")},
+		}, pkg.MustDecode("a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"), nil},
+
+		{"sample exec net container", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W":       {Mode: fs.ModeDir | 0500},
+			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check": {Mode: 0400, Data: []byte("net")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/QdsJhGgnk5N2xdUNGcndXQxFKifxf1V_2t9X8CQ-pDcg24x6mGJC_BiLfGbs6Qml": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
+			"identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"},
+			{Mode: 0400, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check", Data: []byte("net")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/QdsJhGgnk5N2xdUNGcndXQxFKifxf1V_2t9X8CQ-pDcg24x6mGJC_BiLfGbs6Qml", Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("ek4K-0d4iRSArkY2TCs3WK34DbiYeOmhE_4vsJTSu_6roY4ZF3YG6eKRooal-i1o"), nil},
+
+		{"sample exec container overlay root", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/5ey2wpmMpj483YYa7ZZQciYLA2cx3_l167JCqWW4Pd-5DVp81dj9EsBtVTwYptF6": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/5ey2wpmMpj483YYa7ZZQciYLA2cx3_l167JCqWW4Pd-5DVp81dj9EsBtVTwYptF6", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("VIqqpf0ip9jcyw63i6E8lCMGUcLivQBe4Bevt3WusNac-1MSy5bzB647qGUBzl-W"), nil},
+
+		{"sample exec container overlay work", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/acaDzHZv40dZaz4cGAXayqbRMgbEOuiuiUijZL8IgDQvyeCNMFE3onBMYfny-kXA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/acaDzHZv40dZaz4cGAXayqbRMgbEOuiuiUijZL8IgDQvyeCNMFE3onBMYfny-kXA", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("q8x2zQg4YZbKpPqKlEBj_uxXD9vOBaZ852qOuIsl9QdO73I_UMNpuUoPLtunxUYl"), nil},
+
+		{"sample exec container multiple layers", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
+			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK":       {Mode: fs.ModeDir | 0500},
+			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check": {Mode: 0400, Data: []byte("layers")},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			"identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			"identifier/rXLKjjYfGSyoWmuvEJooHkvGJIZaC0IAWnKGvtPZkM15gBxAgW7mIXcxRVNOXAr4": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
+			"identifier/tfjrsVuBuFgzWgwz-yPppFtylYuC1VFWnKhyBiHbWTGkyz8lt7Ee9QXWaIHPXs4x": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK"},
+			{Mode: 0400, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check", Data: []byte("layers")},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/rXLKjjYfGSyoWmuvEJooHkvGJIZaC0IAWnKGvtPZkM15gBxAgW7mIXcxRVNOXAr4", Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/tfjrsVuBuFgzWgwz-yPppFtylYuC1VFWnKhyBiHbWTGkyz8lt7Ee9QXWaIHPXs4x", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("SITnQ6PTV12PAQQjIuLUxkvsXQiC9Gq_HJQlcb4BPL5YnRHnx8lsW7PRM9YMLBsx"), nil},
+
+		{"sample exec container layer promotion", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
+			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
+			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/1tQZOGmVk_JkpyiG84AKW_BXmlK_MvHUbh5WtMuthGbHUq7i7nL1bvdF-LoJbqNh": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			"identifier/O-6VjlIUxc4PYLf5v35uhIeL8kkYCbHYklqlmDjFPXe0m4j6GkUDg5qwTzBRESnf": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			"identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			"temp": {Mode: fs.ModeDir | 0700},
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
+			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/1tQZOGmVk_JkpyiG84AKW_BXmlK_MvHUbh5WtMuthGbHUq7i7nL1bvdF-LoJbqNh", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/O-6VjlIUxc4PYLf5v35uhIeL8kkYCbHYklqlmDjFPXe0m4j6GkUDg5qwTzBRESnf", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/nfeISfLeFDr1k-g3hpE1oZ440kTqDdfF8TDpoLdbTPqaMMIl95oiqcvqjRkMjubA", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
+
+			{Mode: fs.ModeDir | 0700, Path: "temp"},
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("fuC20BhMKr86TYzNPP2A-9P7mGLvdcOiG10exlhRvZm8ySI7csf0LhW3im_26l1N"), nil},
+
+		{"sample file short", fstest.MapFS{
+			".": {Mode: fs.ModeDir | 0700},
+
+			"checksum": {Mode: fs.ModeDir | 0700},
+			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
+
+			"identifier": {Mode: fs.ModeDir | 0700},
+			"identifier/lIx_W4M7tVOcQ8jh08EJOfXf4brRmkEEjvUa7c17vVUzlmtUxlhhrgqmc9aZhjbn": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+
+			"work": {Mode: fs.ModeDir | 0700},
+		}, []pkg.FlatEntry{
+			{Mode: fs.ModeDir | 0700, Path: "."},
+			{Mode: fs.ModeDir | 0700, Path: "checksum"},
+			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
+
+			{Mode: fs.ModeDir | 0700, Path: "identifier"},
+			{Mode: fs.ModeSymlink | 0777, Path: "identifier/lIx_W4M7tVOcQ8jh08EJOfXf4brRmkEEjvUa7c17vVUzlmtUxlhhrgqmc9aZhjbn", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
+
+			{Mode: fs.ModeDir | 0700, Path: "work"},
+		}, pkg.MustDecode("hnrfmJtivNKcgtETsKnU9gP_OwPgpNY3DSUJnmxnmeOODSO-YBvEBiTgieY4AAd7"), nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("roundtrip", func(t *testing.T) {
+				t.Parallel()
+
+				var buf bytes.Buffer
+				if _, err := pkg.Flatten(
+					tc.fsys,
+					".",
+					&buf,
+				); !reflect.DeepEqual(err, tc.err) {
+					t.Fatalf("Flatten: error = %v, want %v", err, tc.err)
+				} else if tc.err != nil {
+					return
+				}
+
+				s := pkg.NewDirScanner(bytes.NewReader(buf.Bytes()), true)
+				var got []pkg.FlatEntry
+				for s.Scan() {
+					got = append(got, *s.Entry())
+				}
+				if err := s.Err(); err != nil {
+					t.Fatalf("Err: error = %v", err)
+				}
+
+				if !reflect.DeepEqual(got, tc.entries) {
+					t.Fatalf("Scan: %#v, want %#v", got, tc.entries)
+				}
+			})
+
+			if tc.err != nil {
+				return
+			}
+
+			t.Run("hash", func(t *testing.T) {
+				t.Parallel()
+
+				var got pkg.Checksum
+				if err := pkg.HashFS(&got, tc.fsys, "."); err != nil {
+					t.Fatalf("HashFS: error = %v", err)
+				} else if got != tc.sum {
+					t.Fatalf("HashFS: %v", &pkg.ChecksumMismatchError{
+						Got:  got,
+						Want: tc.sum,
+					})
+				}
+			})
+		})
+	}
+}
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -0,0 +1,400 @@
+package pkg
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path"
+	"slices"
+	"strconv"
+	"syscall"
+	"time"
+	"unique"
+
+	"hakurei.app/container"
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/std"
+	"hakurei.app/message"
+)
+
+// AbsWork is the container pathname [CureContext.GetWorkDir] is mounted on.
+var AbsWork = fhs.AbsRoot.Append("work/")
+
+// ExecPath is a slice of [Artifact] and the [check.Absolute] pathname to make
+// it available at under in the container.
+type ExecPath struct {
+	// Pathname in the container mount namespace.
+	P *check.Absolute
+	// Artifacts to mount on the pathname, must contain at least one [Artifact].
+	// If there are multiple entries or W is true, P is set up as an overlay
+	// mount, and entries of A must not implement [File].
+	A []Artifact
+	// Whether to make the mount point writable via the temp directory.
+	W bool
+}
+
+// layers returns pathnames collected from A deduplicated by checksum.
+func (p *ExecPath) layers(f *FContext) []*check.Absolute {
+	msg := f.GetMessage()
+
+	layers := make([]*check.Absolute, 0, len(p.A))
+	checksums := make(map[unique.Handle[Checksum]]struct{}, len(p.A))
+	for i := range p.A {
+		d := p.A[len(p.A)-1-i]
+		pathname, checksum := f.GetArtifact(d)
+		if _, ok := checksums[checksum]; ok {
+			if msg.IsVerbose() {
+				msg.Verbosef(
+					"promoted layer %d as %s",
+					len(p.A)-1-i, reportName(d, f.cache.Ident(d)),
+				)
+			}
+			continue
+		}
+		checksums[checksum] = struct{}{}
+		layers = append(layers, pathname)
+	}
+	slices.Reverse(layers)
+	return layers
+}
+
+// Path returns a populated [ExecPath].
+func Path(pathname *check.Absolute, writable bool, a ...Artifact) ExecPath {
+	return ExecPath{pathname, a, writable}
+}
+
+// MustPath is like [Path], but takes a string pathname via [check.MustAbs].
+func MustPath(pathname string, writable bool, a ...Artifact) ExecPath {
+	return ExecPath{check.MustAbs(pathname), a, writable}
+}
+
+const (
+	// ExecTimeoutDefault replaces out of range [NewExec] timeout values.
+	ExecTimeoutDefault = 15 * time.Minute
+	// ExecTimeoutMax is the arbitrary upper bound of [NewExec] timeout.
+	ExecTimeoutMax = 48 * time.Hour
+)
+
+// An execArtifact is an [Artifact] that produces output by running a program
+// part of another [Artifact] in a [container] to produce its output.
+//
+// Methods of execArtifact does not modify any struct field or underlying arrays
+// referred to by slices.
+type execArtifact struct {
+	// Caller-supplied user-facing reporting name, guaranteed to be nonzero
+	// during initialisation.
+	name string
+	// Caller-supplied inner mount points.
+	paths []ExecPath
+
+	// Passed through to [container.Params].
+	dir *check.Absolute
+	// Passed through to [container.Params].
+	env []string
+	// Passed through to [container.Params].
+	path *check.Absolute
+	// Passed through to [container.Params].
+	args []string
+
+	// Duration the initial process is allowed to run. The zero value is
+	// equivalent to execTimeoutDefault. This value is never encoded in Params
+	// because it cannot affect outcome.
+	timeout time.Duration
+}
+
+var _ fmt.Stringer = new(execArtifact)
+
+// execNetArtifact is like execArtifact but implements [KnownChecksum] and has
+// its resulting container keep the host net namespace.
+type execNetArtifact struct {
+	checksum Checksum
+
+	execArtifact
+}
+
+var _ KnownChecksum = new(execNetArtifact)
+
+// Checksum returns the caller-supplied checksum.
+func (a *execNetArtifact) Checksum() Checksum { return a.checksum }
+
+// Kind returns the hardcoded [Kind] constant.
+func (a *execNetArtifact) Kind() Kind { return KindExecNet }
+
+// Params is [Checksum] concatenated with [KindExec] params.
+func (a *execNetArtifact) Params(ctx *IContext) {
+	ctx.GetHash().Write(a.checksum[:])
+	a.execArtifact.Params(ctx)
+}
+
+// Cure cures the [Artifact] in the container described by the caller. The
+// container retains host networking.
+func (a *execNetArtifact) Cure(f *FContext) error {
+	return a.cure(f, true)
+}
+
+// NewExec returns a new [Artifact] that executes the program path in a
+// container with specified paths bind mounted read-only in order. A private
+// instance of /proc and /dev is made available to the container.
+//
+// The working and temporary directories are both created and mounted writable
+// on [AbsWork] and [fhs.AbsTmp] respectively. If one or more paths target
+// [AbsWork], the final entry is set up as a writable overlay mount on /work for
+// which the upperdir is the host side work directory. In this configuration,
+// the W field is ignored, and the program must avoid causing whiteout files to
+// be created. Cure fails if upperdir ends up with entries other than directory,
+// regular or symlink.
+//
+// If checksum is non-nil, the resulting [Artifact] implements [KnownChecksum]
+// and its container runs in the host net namespace.
+//
+// The container is allowed to run for the specified duration before the initial
+// process and all processes originating from it is terminated. A zero or
+// negative timeout value is equivalent tp [ExecTimeoutDefault], a timeout value
+// greater than [ExecTimeoutMax] is equivalent to [ExecTimeoutMax].
+//
+// The user-facing name is not accessible from the container and does not
+// affect curing outcome. Because of this, it is omitted from parameter data
+// for computing identifier.
+func NewExec(
+	name string,
+	checksum *Checksum,
+	timeout time.Duration,
+
+	dir *check.Absolute,
+	env []string,
+	pathname *check.Absolute,
+	args []string,
+
+	paths ...ExecPath,
+) Artifact {
+	if name == "" {
+		name = "exec-" + path.Base(pathname.String())
+	}
+	if timeout <= 0 {
+		timeout = ExecTimeoutDefault
+	}
+	if timeout > ExecTimeoutMax {
+		timeout = ExecTimeoutMax
+	}
+	a := execArtifact{name, paths, dir, env, pathname, args, timeout}
+	if checksum == nil {
+		return &a
+	}
+	return &execNetArtifact{*checksum, a}
+}
+
+// Kind returns the hardcoded [Kind] constant.
+func (a *execArtifact) Kind() Kind { return KindExec }
+
+// Params writes paths, executable pathname and args.
+func (a *execArtifact) Params(ctx *IContext) {
+	h := ctx.GetHash()
+
+	_0, _1 := []byte{0}, []byte{1}
+	for _, p := range a.paths {
+		if p.W {
+			h.Write(_1)
+		} else {
+			h.Write(_0)
+		}
+		if p.P != nil {
+			h.Write([]byte(p.P.String()))
+		} else {
+			h.Write([]byte("invalid P\x00"))
+		}
+		h.Write(_0)
+		for _, d := range p.A {
+			ctx.WriteIdent(d)
+		}
+		h.Write(_0)
+	}
+	h.Write(_0)
+	h.Write([]byte(a.dir.String()))
+	h.Write(_0)
+	for _, e := range a.env {
+		h.Write([]byte(e))
+	}
+	h.Write(_0)
+	h.Write([]byte(a.path.String()))
+	h.Write(_0)
+	for _, arg := range a.args {
+		h.Write([]byte(arg))
+	}
+}
+
+// Dependencies returns a slice of all artifacts collected from caller-supplied
+// [ExecPath].
+func (a *execArtifact) Dependencies() []Artifact {
+	artifacts := make([][]Artifact, 0, len(a.paths))
+	for _, p := range a.paths {
+		artifacts = append(artifacts, p.A)
+	}
+	return slices.Concat(artifacts...)
+}
+
+// String returns the caller-supplied reporting name.
+func (a *execArtifact) String() string { return a.name }
+
+// Cure cures the [Artifact] in the container described by the caller.
+func (a *execArtifact) Cure(f *FContext) (err error) {
+	return a.cure(f, false)
+}
+
+const (
+	// execWaitDelay is passed through to [container.Params].
+	execWaitDelay = time.Nanosecond
+)
+
+// scanVerbose prefixes program output for a verbose [message.Msg].
+func scanVerbose(
+	msg message.Msg,
+	done chan<- struct{},
+	prefix string,
+	r io.Reader,
+) {
+	defer close(done)
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		msg.Verbose(prefix, s.Text())
+	}
+	if err := s.Err(); err != nil && !errors.Is(err, os.ErrClosed) {
+		msg.Verbose("*"+prefix, err)
+	}
+}
+
+// cure is like Cure but allows optional host net namespace. This is used for
+// the [KnownChecksum] variant where networking is allowed.
+func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
+	overlayWorkIndex := -1
+	for i, p := range a.paths {
+		if p.P == nil || len(p.A) == 0 {
+			return os.ErrInvalid
+		}
+		if p.P.Is(AbsWork) {
+			overlayWorkIndex = i
+		}
+	}
+
+	var artifactCount int
+	for _, p := range a.paths {
+		artifactCount += len(p.A)
+	}
+
+	ctx, cancel := context.WithTimeout(f.Unwrap(), a.timeout)
+	defer cancel()
+
+	z := container.New(ctx, f.GetMessage())
+	z.WaitDelay = execWaitDelay
+	z.SeccompPresets |= std.PresetStrict & ^std.PresetDenyNS
+	z.ParentPerm = 0700
+	z.HostNet = hostNet
+	z.Hostname = "cure"
+	if z.HostNet {
+		z.Hostname = "cure-net"
+	}
+	z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
+	if msg := f.GetMessage(); msg.IsVerbose() {
+		var stdout, stderr io.ReadCloser
+		if stdout, err = z.StdoutPipe(); err != nil {
+			return
+		}
+		if stderr, err = z.StderrPipe(); err != nil {
+			_ = stdout.Close()
+			return
+		}
+		defer func() {
+			if err != nil && !errors.As(err, new(*exec.ExitError)) {
+				_ = stdout.Close()
+				_ = stderr.Close()
+			}
+		}()
+
+		stdoutDone, stderrDone := make(chan struct{}), make(chan struct{})
+		go scanVerbose(msg, stdoutDone, "("+a.name+":1)", stdout)
+		go scanVerbose(msg, stderrDone, "("+a.name+":2)", stderr)
+		defer func() { <-stdoutDone; <-stderrDone }()
+	}
+
+	z.Dir, z.Env, z.Path, z.Args = a.dir, a.env, a.path, a.args
+	z.Grow(len(a.paths) + 4)
+
+	temp, work := f.GetTempDir(), f.GetWorkDir()
+	for i, b := range a.paths {
+		if i == overlayWorkIndex {
+			if err = os.MkdirAll(work.String(), 0700); err != nil {
+				return
+			}
+			tempWork := temp.Append(".work")
+			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
+				return
+			}
+			z.Overlay(
+				AbsWork,
+				work,
+				tempWork,
+				b.layers(f)...,
+			)
+			continue
+		}
+
+		if a.paths[i].W {
+			tempUpper, tempWork := temp.Append(
+				".upper", strconv.Itoa(i),
+			), temp.Append(
+				".work", strconv.Itoa(i),
+			)
+			if err = os.MkdirAll(tempUpper.String(), 0700); err != nil {
+				return
+			}
+			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
+				return
+			}
+			z.Overlay(b.P, tempUpper, tempWork, b.layers(f)...)
+		} else if len(b.A) == 1 {
+			pathname, _ := f.GetArtifact(b.A[0])
+			z.Bind(pathname, b.P, 0)
+		} else {
+			z.OverlayReadonly(b.P, b.layers(f)...)
+		}
+	}
+	if overlayWorkIndex < 0 {
+		z.Bind(
+			work,
+			AbsWork,
+			std.BindWritable|std.BindEnsure,
+		)
+	}
+	z.Bind(
+		f.GetTempDir(),
+		fhs.AbsTmp,
+		std.BindWritable|std.BindEnsure,
+	)
+	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+
+	if err = z.Start(); err != nil {
+		return
+	}
+	if err = z.Serve(); err != nil {
+		return
+	}
+	if err = z.Wait(); err != nil {
+		return
+	}
+
+	// do not allow empty directories to succeed
+	for {
+		err = syscall.Rmdir(work.String())
+		if err != syscall.EINTR {
+			break
+		}
+	}
+	if err != nil && errors.Is(err, syscall.ENOTEMPTY) {
+		err = nil
+	}
+	return
+}
--- a/internal/pkg/exec_test.go
+++ b/internal/pkg/exec_test.go
@@ -0,0 +1,337 @@
+package pkg_test
+
+//go:generate env CGO_ENABLED=0 go build -tags testtool -o testdata/testtool ./testdata
+
+import (
+	_ "embed"
+	"encoding/gob"
+	"errors"
+	"net"
+	"os"
+	"os/exec"
+	"slices"
+	"testing"
+	"unique"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+	"hakurei.app/hst"
+	"hakurei.app/internal/pkg"
+)
+
+// testtoolBin is the container test tool binary made available to the
+// execArtifact for testing its curing environment.
+//
+//go:embed testdata/testtool
+var testtoolBin []byte
+
+func TestExec(t *testing.T) {
+	t.Parallel()
+
+	wantChecksumOffline := pkg.MustDecode(
+		"GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9",
+	)
+
+	checkWithCache(t, []cacheTestCase{
+		{"offline", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			c.SetStrict(true)
+			testtool, testtoolDestroy := newTesttool()
+
+			cureMany(t, c, []cureStep{
+				{"container", pkg.NewExec(
+					"exec-offline", nil, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool"},
+
+					pkg.MustPath("/file", false, newStubFile(
+						pkg.KindHTTPGet,
+						pkg.ID{0xfe, 0},
+						nil,
+						nil, nil,
+					)),
+					pkg.MustPath("/.hakurei", false, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}),
+					pkg.MustPath("/opt", false, testtool),
+				), ignorePathname, wantChecksumOffline, nil},
+
+				{"error passthrough", pkg.NewExec(
+					"", nil, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool"},
+
+					pkg.MustPath("/proc/nonexistent", false, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("doomed artifact"),
+						cure: func(t *pkg.TContext) error {
+							return stub.UniqueError(0xcafe)
+						},
+					}),
+				), nil, pkg.Checksum{}, &pkg.DependencyCureError{
+					{
+						Ident: unique.Make(pkg.ID(pkg.MustDecode(
+							"CWEoJqnSBpWf8uryC2qnIe3O1a_FZWUWZGbiVPsQFGW7pvDHiSwoK3QCU9-uxN87",
+						))),
+						Err: stub.UniqueError(0xcafe),
+					},
+				}},
+
+				{"invalid paths", pkg.NewExec(
+					"", nil, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool"},
+
+					pkg.ExecPath{},
+				), nil, pkg.Checksum{}, os.ErrInvalid},
+			})
+
+			// check init failure passthrough
+			var exitError *exec.ExitError
+			if _, _, err := c.Cure(pkg.NewExec(
+				"", nil, 0,
+				pkg.AbsWork,
+				nil,
+				check.MustAbs("/opt/bin/testtool"),
+				[]string{"testtool"},
+			)); !errors.As(err, &exitError) ||
+				exitError.ExitCode() != hst.ExitFailure {
+				t.Fatalf("Cure: error = %v, want init exit status 1", err)
+			}
+
+			testtoolDestroy(t, base, c)
+		}, pkg.MustDecode("UiV6kMz7KrTsc_yphiyQzFLqjRanHxUOwrBMtkKuWo4mOO6WgPFAcoUEeSp7eVIW")},
+
+		{"net", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			c.SetStrict(true)
+			testtool, testtoolDestroy := newTesttool()
+
+			wantChecksum := pkg.MustDecode(
+				"a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W",
+			)
+			cureMany(t, c, []cureStep{
+				{"container", pkg.NewExec(
+					"exec-net", &wantChecksum, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool", "net"},
+
+					pkg.MustPath("/file", false, newStubFile(
+						pkg.KindHTTPGet,
+						pkg.ID{0xfe, 0},
+						nil,
+						nil, nil,
+					)),
+					pkg.MustPath("/.hakurei", false, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}),
+					pkg.MustPath("/opt", false, testtool),
+				), ignorePathname, wantChecksum, nil},
+			})
+
+			testtoolDestroy(t, base, c)
+		}, pkg.MustDecode("ek4K-0d4iRSArkY2TCs3WK34DbiYeOmhE_4vsJTSu_6roY4ZF3YG6eKRooal-i1o")},
+
+		{"overlay root", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			c.SetStrict(true)
+			testtool, testtoolDestroy := newTesttool()
+
+			cureMany(t, c, []cureStep{
+				{"container", pkg.NewExec(
+					"exec-overlay-root", nil, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool"},
+
+					pkg.MustPath("/", true, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}),
+					pkg.MustPath("/opt", false, testtool),
+				), ignorePathname, wantChecksumOffline, nil},
+			})
+
+			testtoolDestroy(t, base, c)
+		}, pkg.MustDecode("VIqqpf0ip9jcyw63i6E8lCMGUcLivQBe4Bevt3WusNac-1MSy5bzB647qGUBzl-W")},
+
+		{"overlay work", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			c.SetStrict(true)
+			testtool, testtoolDestroy := newTesttool()
+
+			cureMany(t, c, []cureStep{
+				{"container", pkg.NewExec(
+					"exec-overlay-work", nil, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
+					check.MustAbs("/work/bin/testtool"),
+					[]string{"testtool"},
+
+					pkg.MustPath("/", true, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}), pkg.MustPath("/work/", false, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}), pkg.Path(pkg.AbsWork, false /* ignored */, testtool),
+				), ignorePathname, wantChecksumOffline, nil},
+			})
+
+			testtoolDestroy(t, base, c)
+		}, pkg.MustDecode("q8x2zQg4YZbKpPqKlEBj_uxXD9vOBaZ852qOuIsl9QdO73I_UMNpuUoPLtunxUYl")},
+
+		{"multiple layers", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			c.SetStrict(true)
+			testtool, testtoolDestroy := newTesttool()
+
+			cureMany(t, c, []cureStep{
+				{"container", pkg.NewExec(
+					"exec-multiple-layers", nil, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool", "layers"},
+
+					pkg.MustPath("/", true, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}, &stubArtifactF{
+						kind:   pkg.KindExec,
+						params: []byte("test sample with dependencies"),
+
+						deps: slices.Repeat([]pkg.Artifact{newStubFile(
+							pkg.KindHTTPGet,
+							pkg.ID{0xfe, 0},
+							nil,
+							nil, nil,
+						), &stubArtifact{
+							kind:   pkg.KindTar,
+							params: []byte("empty directory"),
+
+							// this is queued and might run instead of the other
+							// one so do not leave it as nil
+							cure: func(t *pkg.TContext) error {
+								return os.MkdirAll(t.GetWorkDir().String(), 0700)
+							},
+						}}, 1<<5 /* concurrent cache hits */), cure: func(f *pkg.FContext) error {
+							work := f.GetWorkDir()
+							if err := os.MkdirAll(work.String(), 0700); err != nil {
+								return err
+							}
+							return os.WriteFile(work.Append("check").String(), []byte("layers"), 0400)
+						},
+					}),
+					pkg.MustPath("/opt", false, testtool),
+				), ignorePathname, wantChecksumOffline, nil},
+			})
+
+			testtoolDestroy(t, base, c)
+		}, pkg.MustDecode("SITnQ6PTV12PAQQjIuLUxkvsXQiC9Gq_HJQlcb4BPL5YnRHnx8lsW7PRM9YMLBsx")},
+
+		{"overlay layer promotion", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			c.SetStrict(true)
+			testtool, testtoolDestroy := newTesttool()
+
+			cureMany(t, c, []cureStep{
+				{"container", pkg.NewExec(
+					"exec-layer-promotion", nil, 0,
+					pkg.AbsWork,
+					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
+					check.MustAbs("/opt/bin/testtool"),
+					[]string{"testtool", "promote"},
+
+					pkg.MustPath("/", true, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("another empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}, &stubArtifact{
+						kind:   pkg.KindTar,
+						params: []byte("empty directory"),
+						cure: func(t *pkg.TContext) error {
+							return os.MkdirAll(t.GetWorkDir().String(), 0700)
+						},
+					}),
+					pkg.MustPath("/opt", false, testtool),
+				), ignorePathname, wantChecksumOffline, nil},
+			})
+
+			testtoolDestroy(t, base, c)
+		}, pkg.MustDecode("fuC20BhMKr86TYzNPP2A-9P7mGLvdcOiG10exlhRvZm8ySI7csf0LhW3im_26l1N")},
+	})
+}
+
+// newTesttool returns an [Artifact] that cures into testtoolBin. The returned
+// function must be called at the end of the test but not deferred.
+func newTesttool() (
+	testtool pkg.Artifact,
+	testtoolDestroy func(t *testing.T, base *check.Absolute, c *pkg.Cache),
+) {
+	// testtoolBin is built during go:generate and is not deterministic
+	testtool = overrideIdent{pkg.ID{0xfe, 0xff}, &stubArtifact{
+		kind: pkg.KindTar,
+		cure: func(t *pkg.TContext) error {
+			work := t.GetWorkDir()
+			if err := os.MkdirAll(
+				work.Append("bin").String(),
+				0700,
+			); err != nil {
+				return err
+			}
+
+			if ift, err := net.Interfaces(); err != nil {
+				return err
+			} else {
+				var f *os.File
+				if f, err = os.Create(t.GetWorkDir().Append(
+					"ift",
+				).String()); err != nil {
+					return err
+				} else {
+					err = gob.NewEncoder(f).Encode(ift)
+					closeErr := f.Close()
+					if err != nil {
+						return err
+					}
+					if closeErr != nil {
+						return closeErr
+					}
+				}
+			}
+
+			return os.WriteFile(t.GetWorkDir().Append(
+				"bin",
+				"testtool",
+			).String(), testtoolBin, 0500)
+		},
+	}}
+	testtoolDestroy = newDestroyArtifactFunc(testtool)
+	return
+}
--- a/internal/pkg/file.go
+++ b/internal/pkg/file.go
@@ -0,0 +1,55 @@
+package pkg
+
+import (
+	"context"
+	"crypto/sha512"
+	"fmt"
+)
+
+// A fileArtifact is an [Artifact] that cures into data known ahead of time.
+type fileArtifact []byte
+
+var _ KnownChecksum = new(fileArtifact)
+
+// fileArtifactNamed embeds fileArtifact alongside a caller-supplied name.
+type fileArtifactNamed struct {
+	fileArtifact
+	// Caller-supplied user-facing reporting name.
+	name string
+}
+
+var _ fmt.Stringer = new(fileArtifactNamed)
+var _ KnownChecksum = new(fileArtifactNamed)
+
+// String returns the caller-supplied reporting name.
+func (a *fileArtifactNamed) String() string { return a.name }
+
+// NewFile returns a [File] that cures into a caller-supplied byte slice.
+//
+// Caller must not modify data after NewFile returns.
+func NewFile(name string, data []byte) File {
+	f := fileArtifact(data)
+	if name != "" {
+		return &fileArtifactNamed{f, name}
+	}
+	return &f
+}
+
+// Kind returns the hardcoded [Kind] constant.
+func (a *fileArtifact) Kind() Kind { return KindFile }
+
+// Params writes the result of Cure.
+func (a *fileArtifact) Params(ctx *IContext) { ctx.GetHash().Write(*a) }
+
+// Dependencies returns a nil slice.
+func (a *fileArtifact) Dependencies() []Artifact { return nil }
+
+// Checksum computes and returns the checksum of caller-supplied data.
+func (a *fileArtifact) Checksum() Checksum {
+	h := sha512.New384()
+	h.Write(*a)
+	return Checksum(h.Sum(nil))
+}
+
+// Cure returns the caller-supplied data.
+func (a *fileArtifact) Cure(context.Context) ([]byte, error) { return *a, nil }
--- a/internal/pkg/file_test.go
+++ b/internal/pkg/file_test.go
@@ -0,0 +1,29 @@
+package pkg_test
+
+import (
+	"testing"
+
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+)
+
+func TestFile(t *testing.T) {
+	t.Parallel()
+
+	checkWithCache(t, []cacheTestCase{
+		{"file", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			c.SetStrict(true)
+
+			cureMany(t, c, []cureStep{
+				{"short", pkg.NewFile("null", []byte{0}), base.Append(
+					"identifier",
+					"lIx_W4M7tVOcQ8jh08EJOfXf4brRmkEEjvUa7c17vVUzlmtUxlhhrgqmc9aZhjbn",
+				), pkg.MustDecode(
+					"vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX",
+				), nil},
+			})
+		}, pkg.MustDecode(
+			"hnrfmJtivNKcgtETsKnU9gP_OwPgpNY3DSUJnmxnmeOODSO-YBvEBiTgieY4AAd7",
+		)},
+	})
+}
--- a/internal/pkg/net.go
+++ b/internal/pkg/net.go
@@ -0,0 +1,126 @@
+package pkg
+
+import (
+	"context"
+	"crypto/sha512"
+	"fmt"
+	"io"
+	"net/http"
+	"path"
+	"sync"
+)
+
+// An httpArtifact is an [Artifact] backed by a [http] url string. The method is
+// hardcoded as [http.MethodGet]. Request body is not allowed because it cannot
+// be deterministically represented by Params.
+type httpArtifact struct {
+	// Caller-supplied url string.
+	url string
+
+	// Caller-supplied checksum of the response body. This is validated during
+	// curing and the first call to Data.
+	checksum Checksum
+
+	// doFunc is the Do method of [http.Client] supplied by the caller.
+	doFunc func(req *http.Request) (*http.Response, error)
+
+	// Response body read to EOF.
+	data []byte
+
+	// Synchronises access to data.
+	mu sync.Mutex
+}
+
+var _ KnownChecksum = new(httpArtifact)
+var _ fmt.Stringer = new(httpArtifact)
+
+// NewHTTPGet returns a new [File] backed by the supplied client. A GET request
+// is set up for url. If c is nil, [http.DefaultClient] is used instead.
+func NewHTTPGet(
+	c *http.Client,
+	url string,
+	checksum Checksum,
+) File {
+	if c == nil {
+		c = http.DefaultClient
+	}
+	return &httpArtifact{url: url, checksum: checksum, doFunc: c.Do}
+}
+
+// Kind returns the hardcoded [Kind] constant.
+func (a *httpArtifact) Kind() Kind { return KindHTTPGet }
+
+// Params writes the backing url string. Client is not represented as it does
+// not affect [Cache.Cure] outcome.
+func (a *httpArtifact) Params(ctx *IContext) {
+	ctx.GetHash().Write([]byte(a.url))
+}
+
+// Dependencies returns a nil slice.
+func (a *httpArtifact) Dependencies() []Artifact { return nil }
+
+// Checksum returns the caller-supplied checksum.
+func (a *httpArtifact) Checksum() Checksum { return a.checksum }
+
+// String returns [path.Base] over the backing url.
+func (a *httpArtifact) String() string { return path.Base(a.url) }
+
+// ResponseStatusError is returned for a response returned by an [http.Client]
+// with a status code other than [http.StatusOK].
+type ResponseStatusError int
+
+func (e ResponseStatusError) Error() string {
+	return "the requested URL returned non-OK status: " + http.StatusText(int(e))
+}
+
+// do sends the caller-supplied request on the caller-supplied [http.Client]
+// and reads its response body to EOF and returns the resulting bytes.
+func (a *httpArtifact) do(ctx context.Context) (data []byte, err error) {
+	var req *http.Request
+	req, err = http.NewRequestWithContext(ctx, http.MethodGet, a.url, nil)
+	if err != nil {
+		return
+	}
+
+	var resp *http.Response
+	if resp, err = a.doFunc(req); err != nil {
+		return
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		_ = resp.Body.Close()
+		return nil, ResponseStatusError(resp.StatusCode)
+	}
+
+	if data, err = io.ReadAll(resp.Body); err != nil {
+		_ = resp.Body.Close()
+		return
+	}
+
+	err = resp.Body.Close()
+	return
+}
+
+// Cure completes the http request and returns the resulting response body read
+// to EOF. Data does not interact with the filesystem.
+func (a *httpArtifact) Cure(ctx context.Context) (data []byte, err error) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	if a.data != nil {
+		// validated by cache or a previous call to Data
+		return a.data, nil
+	}
+
+	if data, err = a.do(ctx); err != nil {
+		return
+	}
+
+	h := sha512.New384()
+	h.Write(data)
+	if got := (Checksum)(h.Sum(nil)); got != a.checksum {
+		return nil, &ChecksumMismatchError{got, a.checksum}
+	}
+	a.data = data
+	return
+}
--- a/internal/pkg/net_test.go
+++ b/internal/pkg/net_test.go
@@ -0,0 +1,118 @@
+package pkg_test
+
+import (
+	"crypto/sha512"
+	"net/http"
+	"reflect"
+	"testing"
+	"testing/fstest"
+	"unique"
+
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+)
+
+func TestHTTPGet(t *testing.T) {
+	t.Parallel()
+
+	const testdata = "\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69"
+
+	testdataChecksum := func() unique.Handle[pkg.Checksum] {
+		h := sha512.New384()
+		h.Write([]byte(testdata))
+		return unique.Make(pkg.Checksum(h.Sum(nil)))
+	}()
+
+	var transport http.Transport
+	client := http.Client{Transport: &transport}
+	transport.RegisterProtocol("file", http.NewFileTransportFS(fstest.MapFS{
+		"testdata": {Data: []byte(testdata), Mode: 0400},
+	}))
+
+	checkWithCache(t, []cacheTestCase{
+		{"direct", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			f := pkg.NewHTTPGet(
+				&client,
+				"file:///testdata",
+				testdataChecksum.Value(),
+			)
+			if got, err := f.Cure(t.Context()); err != nil {
+				t.Fatalf("Cure: error = %v", err)
+			} else if string(got) != testdata {
+				t.Fatalf("Cure: %x, want %x", got, testdata)
+			}
+
+			// check direct validation
+			f = pkg.NewHTTPGet(
+				&client,
+				"file:///testdata",
+				pkg.Checksum{},
+			)
+			wantErrMismatch := &pkg.ChecksumMismatchError{
+				Got: testdataChecksum.Value(),
+			}
+			if _, err := f.Cure(t.Context()); !reflect.DeepEqual(err, wantErrMismatch) {
+				t.Fatalf("Cure: error = %#v, want %#v", err, wantErrMismatch)
+			}
+
+			// check direct response error
+			f = pkg.NewHTTPGet(
+				&client,
+				"file:///nonexistent",
+				pkg.Checksum{},
+			)
+			wantErrNotFound := pkg.ResponseStatusError(http.StatusNotFound)
+			if _, err := f.Cure(t.Context()); !reflect.DeepEqual(err, wantErrNotFound) {
+				t.Fatalf("Cure: error = %#v, want %#v", err, wantErrNotFound)
+			}
+		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
+
+		{"cure", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			f := pkg.NewHTTPGet(
+				&client,
+				"file:///testdata",
+				testdataChecksum.Value(),
+			)
+			wantPathname := base.Append(
+				"identifier",
+				"NqVORkT6L9HX6Za7kT2zcibY10qFqBaxEjPiYFrBQX-ZFr3yxCzJxbKOP0zVjeWb",
+			)
+			if pathname, checksum, err := c.Cure(f); err != nil {
+				t.Fatalf("Cure: error = %v", err)
+			} else if !pathname.Is(wantPathname) {
+				t.Fatalf("Cure: %q, want %q", pathname, wantPathname)
+			} else if checksum != testdataChecksum {
+				t.Fatalf("Cure: %x, want %x", checksum.Value(), testdataChecksum.Value())
+			}
+
+			if got, err := f.Cure(t.Context()); err != nil {
+				t.Fatalf("Cure: error = %v", err)
+			} else if string(got) != testdata {
+				t.Fatalf("Cure: %x, want %x", got, testdata)
+			}
+
+			// check load from cache
+			f = pkg.NewHTTPGet(
+				&client,
+				"file:///testdata",
+				testdataChecksum.Value(),
+			)
+			if got, err := f.Cure(t.Context()); err != nil {
+				t.Fatalf("Cure: error = %v", err)
+			} else if string(got) != testdata {
+				t.Fatalf("Cure: %x, want %x", got, testdata)
+			}
+
+			// check error passthrough
+			f = pkg.NewHTTPGet(
+				&client,
+				"file:///nonexistent",
+				pkg.Checksum{},
+			)
+			wantErrNotFound := pkg.ResponseStatusError(http.StatusNotFound)
+			if _, _, err := c.Cure(f); !reflect.DeepEqual(err, wantErrNotFound) {
+				t.Fatalf("Pathname: error = %#v, want %#v", err, wantErrNotFound)
+			}
+		}, pkg.MustDecode("bqtn69RkV5E7V7GhhgCFjcvbxmaqrO8DywamM4Tyjf10F6EJBHjXiIa_tFRtF4iN")},
+	})
+}
--- a/internal/pkg/pkg.go
+++ b/internal/pkg/pkg.go
--- a/internal/pkg/pkg_test.go
+++ b/internal/pkg/pkg_test.go
--- a/internal/pkg/tar.go
+++ b/internal/pkg/tar.go
@@ -0,0 +1,238 @@
+package pkg
+
+import (
+	"archive/tar"
+	"compress/bzip2"
+	"compress/gzip"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"net/http"
+	"os"
+
+	"hakurei.app/container/check"
+)
+
+const (
+	// TarUncompressed denotes an uncompressed tarball.
+	TarUncompressed = iota
+	// TarGzip denotes a tarball compressed via [gzip].
+	TarGzip
+	// TarBzip2 denotes a tarball compressed via [bzip2].
+	TarBzip2
+)
+
+// A tarArtifact is an [Artifact] unpacking a tarball backed by a [File].
+type tarArtifact struct {
+	// Caller-supplied backing tarball.
+	f Artifact
+	// Compression on top of the tarball.
+	compression uint64
+}
+
+// tarArtifactNamed embeds tarArtifact for a [fmt.Stringer] tarball.
+type tarArtifactNamed struct {
+	tarArtifact
+	// Copied from tarArtifact.f.
+	name string
+}
+
+var _ fmt.Stringer = new(tarArtifactNamed)
+
+// String returns the name of the underlying [Artifact] suffixed with unpack.
+func (a *tarArtifactNamed) String() string { return a.name + "-unpack" }
+
+// NewTar returns a new [Artifact] backed by the supplied [Artifact] and
+// compression method. The source [Artifact] must be compatible with
+// [TContext.Open].
+func NewTar(a Artifact, compression uint64) Artifact {
+	ta := tarArtifact{a, compression}
+	if s, ok := a.(fmt.Stringer); ok {
+		if name := s.String(); name != "" {
+			return &tarArtifactNamed{ta, name}
+		}
+	}
+	return &ta
+}
+
+// NewHTTPGetTar is abbreviation for NewHTTPGet passed to NewTar.
+func NewHTTPGetTar(
+	hc *http.Client,
+	url string,
+	checksum Checksum,
+	compression uint64,
+) Artifact {
+	return NewTar(NewHTTPGet(hc, url, checksum), compression)
+}
+
+// Kind returns the hardcoded [Kind] constant.
+func (a *tarArtifact) Kind() Kind { return KindTar }
+
+// Params writes compression encoded in little endian.
+func (a *tarArtifact) Params(ctx *IContext) {
+	ctx.GetHash().Write(binary.LittleEndian.AppendUint64(nil, a.compression))
+}
+
+// Dependencies returns a slice containing the backing file.
+func (a *tarArtifact) Dependencies() []Artifact {
+	return []Artifact{a.f}
+}
+
+// A DisallowedTypeflagError describes a disallowed typeflag encountered while
+// unpacking a tarball.
+type DisallowedTypeflagError byte
+
+func (e DisallowedTypeflagError) Error() string {
+	return "disallowed typeflag '" + string(e) + "'"
+}
+
+// Cure cures the [Artifact], producing a directory located at work.
+func (a *tarArtifact) Cure(t *TContext) (err error) {
+	temp := t.GetTempDir()
+	var tr io.ReadCloser
+	if tr, err = t.Open(a.f); err != nil {
+		return
+	}
+
+	defer func(f io.ReadCloser) {
+		closeErr := tr.Close()
+		if err == nil {
+			err = closeErr
+		}
+
+		closeErr = f.Close()
+		if err == nil {
+			err = closeErr
+		}
+	}(tr)
+	tr = io.NopCloser(tr)
+
+	switch a.compression {
+	case TarUncompressed:
+		break
+
+	case TarGzip:
+		if tr, err = gzip.NewReader(tr); err != nil {
+			return
+		}
+		break
+
+	case TarBzip2:
+		tr = io.NopCloser(bzip2.NewReader(tr))
+		break
+
+	default:
+		return os.ErrInvalid
+	}
+
+	type dirTargetPerm struct {
+		path *check.Absolute
+		mode fs.FileMode
+	}
+	var madeDirectories []dirTargetPerm
+
+	if err = os.MkdirAll(temp.String(), 0700); err != nil {
+		return
+	}
+
+	var header *tar.Header
+	r := tar.NewReader(tr)
+	for header, err = r.Next(); err == nil; header, err = r.Next() {
+		typeflag := header.Typeflag
+		if typeflag == 0 {
+			if len(header.Name) > 0 && header.Name[len(header.Name)-1] == '/' {
+				typeflag = tar.TypeDir
+			} else {
+				typeflag = tar.TypeReg
+			}
+		}
+
+		pathname := temp.Append(header.Name)
+		if typeflag >= '0' && typeflag <= '9' && typeflag != tar.TypeDir {
+			if err = os.MkdirAll(pathname.Dir().String(), 0700); err != nil {
+				return
+			}
+		}
+
+		switch typeflag {
+		case tar.TypeReg:
+			var f *os.File
+			if f, err = os.OpenFile(
+				pathname.String(),
+				os.O_CREATE|os.O_EXCL|os.O_WRONLY,
+				header.FileInfo().Mode()&0500,
+			); err != nil {
+				return
+			}
+			if _, err = io.Copy(f, r); err != nil {
+				_ = f.Close()
+				return
+			} else if err = f.Close(); err != nil {
+				return
+			}
+			break
+
+		case tar.TypeLink:
+			if err = os.Link(header.Linkname, pathname.String()); err != nil {
+				return
+			}
+			break
+
+		case tar.TypeSymlink:
+			if err = os.Symlink(header.Linkname, pathname.String()); err != nil {
+				return
+			}
+			break
+
+		case tar.TypeDir:
+			madeDirectories = append(madeDirectories, dirTargetPerm{
+				path: pathname,
+				mode: header.FileInfo().Mode(),
+			})
+			if err = os.MkdirAll(pathname.String(), 0700); err != nil {
+				return
+			}
+			break
+
+		case tar.TypeXGlobalHeader:
+			continue // ignore
+
+		default:
+			return DisallowedTypeflagError(typeflag)
+		}
+	}
+	if errors.Is(err, io.EOF) {
+		err = nil
+	}
+	if err == nil {
+		for _, e := range madeDirectories {
+			if err = os.Chmod(e.path.String(), e.mode&0500); err != nil {
+				return
+			}
+		}
+	} else {
+		return
+	}
+
+	if err = os.Chmod(temp.String(), 0700); err != nil {
+		return
+	}
+
+	var entries []os.DirEntry
+	if entries, err = os.ReadDir(temp.String()); err != nil {
+		return
+	}
+
+	if len(entries) == 1 && entries[0].IsDir() {
+		p := temp.Append(entries[0].Name())
+		if err = os.Chmod(p.String(), 0700); err != nil {
+			return
+		}
+		err = os.Rename(p.String(), t.GetWorkDir().String())
+	} else {
+		err = os.Rename(temp.String(), t.GetWorkDir().String())
+	}
+	return
+}
--- a/internal/pkg/tar_test.go
+++ b/internal/pkg/tar_test.go
@@ -0,0 +1,203 @@
+package pkg_test
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"crypto/sha512"
+	"errors"
+	"io/fs"
+	"net/http"
+	"os"
+	"testing"
+	"testing/fstest"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/stub"
+	"hakurei.app/internal/pkg"
+)
+
+func TestTar(t *testing.T) {
+	t.Parallel()
+
+	checkWithCache(t, []cacheTestCase{
+		{"http", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			checkTarHTTP(t, base, c, fstest.MapFS{
+				".": {Mode: fs.ModeDir | 0700},
+
+				"checksum": {Mode: fs.ModeDir | 0700},
+				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0700},
+				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
+				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0700},
+				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0700},
+				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+
+				"identifier": {Mode: fs.ModeDir | 0700},
+				"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+				"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
+
+				"work": {Mode: fs.ModeDir | 0700},
+			}, pkg.MustDecode(
+				"cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM",
+			))
+		}, pkg.MustDecode("sxbgyX-bPoezbha214n2lbQhiVfTUBkhZ0EX6zI7mmkMdrCdwuMwhMBJphLQsy94")},
+
+		{"http expand", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
+			checkTarHTTP(t, base, c, fstest.MapFS{
+				".": {Mode: fs.ModeDir | 0700},
+
+				"lib":            {Mode: fs.ModeDir | 0700},
+				"lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
+			}, pkg.MustDecode(
+				"CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN",
+			))
+		}, pkg.MustDecode("4I8wx_h7NSJTlG5lbuz-GGEXrOg0GYC3M_503LYEBhv5XGWXfNIdIY9Q3eVSYldX")},
+	})
+}
+
+func checkTarHTTP(
+	t *testing.T,
+	base *check.Absolute,
+	c *pkg.Cache,
+	testdataFsys fs.FS,
+	wantChecksum pkg.Checksum,
+) {
+	var testdata string
+	{
+		var buf bytes.Buffer
+		w := tar.NewWriter(&buf)
+		if err := w.AddFS(testdataFsys); err != nil {
+			t.Fatalf("AddFS: error = %v", err)
+		}
+		if err := w.Close(); err != nil {
+			t.Fatalf("Close: error = %v", err)
+		}
+
+		var zbuf bytes.Buffer
+		gw := gzip.NewWriter(&zbuf)
+		if _, err := gw.Write(buf.Bytes()); err != nil {
+			t.Fatalf("Write: error = %v", err)
+		}
+		if err := gw.Close(); err != nil {
+			t.Fatalf("Close: error = %v", err)
+		}
+		testdata = zbuf.String()
+	}
+
+	testdataChecksum := func() pkg.Checksum {
+		h := sha512.New384()
+		h.Write([]byte(testdata))
+		return (pkg.Checksum)(h.Sum(nil))
+	}()
+
+	var transport http.Transport
+	client := http.Client{Transport: &transport}
+	transport.RegisterProtocol("file", http.NewFileTransportFS(fstest.MapFS{
+		"testdata": {Data: []byte(testdata), Mode: 0400},
+	}))
+
+	wantIdent := func() pkg.ID {
+		h := sha512.New384()
+		h.Write([]byte{byte(pkg.KindTar), 0, 0, 0, 0, 0, 0, 0})
+		h.Write([]byte{pkg.TarGzip, 0, 0, 0, 0, 0, 0, 0})
+		h.Write([]byte{byte(pkg.KindHTTPGet), 0, 0, 0, 0, 0, 0, 0})
+
+		h0 := sha512.New384()
+		h0.Write([]byte{byte(pkg.KindHTTPGet), 0, 0, 0, 0, 0, 0, 0})
+		h0.Write([]byte("file:///testdata"))
+		h.Write(h0.Sum(nil))
+		return pkg.ID(h.Sum(nil))
+	}()
+
+	a := pkg.NewHTTPGetTar(
+		&client,
+		"file:///testdata",
+		testdataChecksum,
+		pkg.TarGzip,
+	)
+
+	tarDir := stubArtifact{
+		kind:   pkg.KindExec,
+		params: []byte("directory containing a single regular file"),
+		cure: func(t *pkg.TContext) error {
+			work := t.GetWorkDir()
+			if err := os.MkdirAll(work.String(), 0700); err != nil {
+				return err
+			}
+			return os.WriteFile(
+				work.Append("sample.tar.gz").String(),
+				[]byte(testdata),
+				0400,
+			)
+		},
+	}
+	tarDirMulti := stubArtifact{
+		kind:   pkg.KindExec,
+		params: []byte("directory containing a multiple entries"),
+		cure: func(t *pkg.TContext) error {
+			work := t.GetWorkDir()
+			if err := os.MkdirAll(work.Append(
+				"garbage",
+			).String(), 0700); err != nil {
+				return err
+			}
+			return os.WriteFile(
+				work.Append("sample.tar.gz").String(),
+				[]byte(testdata),
+				0400,
+			)
+		},
+	}
+	tarDirType := stubArtifact{
+		kind:   pkg.KindExec,
+		params: []byte("directory containing a symbolic link"),
+		cure: func(t *pkg.TContext) error {
+			work := t.GetWorkDir()
+			if err := os.MkdirAll(work.String(), 0700); err != nil {
+				return err
+			}
+			return os.Symlink(
+				work.String(),
+				work.Append("sample.tar.gz").String(),
+			)
+		},
+	}
+	// destroy these to avoid including it in flatten test case
+	defer newDestroyArtifactFunc(&tarDir)(t, base, c)
+	defer newDestroyArtifactFunc(&tarDirMulti)(t, base, c)
+	defer newDestroyArtifactFunc(&tarDirType)(t, base, c)
+
+	cureMany(t, c, []cureStep{
+		{"file", a, base.Append(
+			"identifier",
+			pkg.Encode(wantIdent),
+		), wantChecksum, nil},
+
+		{"directory", pkg.NewTar(
+			&tarDir,
+			pkg.TarGzip,
+		), ignorePathname, wantChecksum, nil},
+
+		{"multiple entries", pkg.NewTar(
+			&tarDirMulti,
+			pkg.TarGzip,
+		), nil, pkg.Checksum{}, errors.New(
+			"input directory does not contain a single regular file",
+		)},
+
+		{"bad type", pkg.NewTar(
+			&tarDirType,
+			pkg.TarGzip,
+		), nil, pkg.Checksum{}, errors.New(
+			"input directory does not contain a single regular file",
+		)},
+
+		{"error passthrough", pkg.NewTar(&stubArtifact{
+			kind:   pkg.KindExec,
+			params: []byte("doomed artifact"),
+			cure: func(t *pkg.TContext) error {
+				return stub.UniqueError(0xcafe)
+			},
+		}, pkg.TarGzip), nil, pkg.Checksum{}, stub.UniqueError(0xcafe)},
+	})
+}
--- a/internal/pkg/testdata/main.go
+++ b/internal/pkg/testdata/main.go
@@ -0,0 +1,268 @@
+//go:build testtool
+
+package main
+
+import (
+	"encoding/gob"
+	"log"
+	"net"
+	"os"
+	"path"
+	"reflect"
+	"slices"
+	"strings"
+
+	"hakurei.app/container/check"
+	"hakurei.app/container/fhs"
+	"hakurei.app/container/vfs"
+)
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("testtool: ")
+
+	var hostNet, layers, promote bool
+	if len(os.Args) == 2 && os.Args[0] == "testtool" {
+		switch os.Args[1] {
+		case "net":
+			hostNet = true
+			log.SetPrefix("testtool(net): ")
+			break
+
+		case "layers":
+			layers = true
+			log.SetPrefix("testtool(layers): ")
+			break
+
+		case "promote":
+			promote = true
+			log.SetPrefix("testtool(promote): ")
+
+		default:
+			log.Fatalf("Args: %q", os.Args)
+			return
+		}
+	} else if wantArgs := []string{"testtool"}; !slices.Equal(os.Args, wantArgs) {
+		log.Fatalf("Args: %q, want %q", os.Args, wantArgs)
+	}
+
+	var overlayRoot bool
+	wantEnv := []string{"HAKUREI_TEST=1"}
+	if len(os.Environ()) == 2 {
+		overlayRoot = true
+		if !layers && !promote {
+			log.SetPrefix("testtool(overlay root): ")
+		}
+		wantEnv = []string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"}
+	}
+	if !slices.Equal(wantEnv, os.Environ()) {
+		log.Fatalf("Environ: %q, want %q", os.Environ(), wantEnv)
+	}
+
+	var overlayWork bool
+	const (
+		wantExec     = "/opt/bin/testtool"
+		wantExecWork = "/work/bin/testtool"
+	)
+	var iftPath string
+	if got, err := os.Executable(); err != nil {
+		log.Fatalf("Executable: error = %v", err)
+	} else {
+		iftPath = path.Join(path.Dir(path.Dir(got)), "ift")
+
+		if got != wantExec {
+			switch got {
+			case wantExecWork:
+				overlayWork = true
+				log.SetPrefix("testtool(overlay work): ")
+
+			default:
+				log.Fatalf("Executable: %q, want %q", got, wantExec)
+			}
+		}
+	}
+
+	wantHostname := "cure"
+	if hostNet {
+		wantHostname += "-net"
+	}
+
+	if hostname, err := os.Hostname(); err != nil {
+		log.Fatalf("Hostname: error = %v", err)
+	} else if hostname != wantHostname {
+		log.Fatalf("Hostname: %q, want %q", hostname, wantHostname)
+	}
+
+	var m *vfs.MountInfo
+	if f, err := os.Open(fhs.Proc + "self/mountinfo"); err != nil {
+		log.Fatalf("Open: error = %v", err)
+	} else {
+		err = vfs.NewMountInfoDecoder(f).Decode(&m)
+		closeErr := f.Close()
+		if err != nil {
+			log.Fatalf("Decode: error = %v", err)
+		}
+		if closeErr != nil {
+			log.Fatalf("Close: error = %v", err)
+		}
+	}
+
+	if ift, err := net.Interfaces(); err != nil {
+		log.Fatal(err)
+	} else if !hostNet {
+		if len(ift) != 1 || ift[0].Name != "lo" {
+			log.Fatalln("got interfaces", strings.Join(slices.Collect(func(yield func(ifn string) bool) {
+				for _, ifi := range ift {
+					if !yield(ifi.Name) {
+						break
+					}
+				}
+			}), ", "))
+		}
+	} else {
+		var iftParent []net.Interface
+
+		var r *os.File
+		if r, err = os.Open(iftPath); err != nil {
+			log.Fatal(err)
+		} else {
+			err = gob.NewDecoder(r).Decode(&iftParent)
+			closeErr := r.Close()
+			if err != nil {
+				log.Fatal(err)
+			}
+			if closeErr != nil {
+				log.Fatal(closeErr)
+			}
+		}
+
+		if !reflect.DeepEqual(ift, iftParent) {
+			log.Fatalf("Interfaces: %#v, want %#v", ift, iftParent)
+		}
+	}
+
+	const checksumEmptyDir = "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"
+	ident := "U2cbgVgEtjfRuvHfE1cQnZ3t8yoexULQyo_VLgvxAVJSsobMcNaFIsuDWtmt7kzK"
+	log.Println(m)
+	next := func() { m = m.Next; log.Println(m) }
+
+	if overlayRoot {
+		ident = "5ey2wpmMpj483YYa7ZZQciYLA2cx3_l167JCqWW4Pd-5DVp81dj9EsBtVTwYptF6"
+
+		if m.Root != "/" || m.Target != "/" ||
+			m.Source != "overlay" || m.FsType != "overlay" {
+			log.Fatal("unexpected root mount entry")
+		}
+		var lowerdir string
+		for _, o := range strings.Split(m.FsOptstr, ",") {
+			const lowerdirKey = "lowerdir="
+			if strings.HasPrefix(o, lowerdirKey) {
+				lowerdir = o[len(lowerdirKey):]
+			}
+		}
+		if !layers {
+			if path.Base(lowerdir) != checksumEmptyDir {
+				log.Fatal("unexpected artifact checksum")
+			}
+		} else {
+			ident = "tfjrsVuBuFgzWgwz-yPppFtylYuC1VFWnKhyBiHbWTGkyz8lt7Ee9QXWaIHPXs4x"
+
+			lowerdirsEscaped := strings.Split(lowerdir, ":")
+			lowerdirs := lowerdirsEscaped[:0]
+			// ignore the option separator since it does not appear in ident
+			for i, e := range lowerdirsEscaped {
+				if len(e) > 0 &&
+					e[len(e)-1] == check.SpecialOverlayEscape[0] &&
+					(len(e) == 1 || e[len(e)-2] != check.SpecialOverlayEscape[0]) {
+					// ignore escaped pathname separator since it does not
+					// appear in ident
+
+					e = e[:len(e)-1]
+					if len(lowerdirsEscaped) != i {
+						lowerdirsEscaped[i+1] = e + lowerdirsEscaped[i+1]
+						continue
+					}
+				}
+				lowerdirs = append(lowerdirs, e)
+			}
+
+			if len(lowerdirs) != 2 ||
+				path.Base(lowerdirs[0]) != "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU" ||
+				path.Base(lowerdirs[1]) != "nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK" {
+				log.Fatalf("unexpected lowerdirs %s", strings.Join(lowerdirs, ", "))
+			}
+		}
+	} else {
+		if hostNet {
+			ident = "QdsJhGgnk5N2xdUNGcndXQxFKifxf1V_2t9X8CQ-pDcg24x6mGJC_BiLfGbs6Qml"
+		}
+
+		if m.Root != "/sysroot" || m.Target != "/" {
+			log.Fatal("unexpected root mount entry")
+		}
+
+		next()
+		if path.Base(m.Root) != "OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb" {
+			log.Fatal("unexpected file artifact checksum")
+		}
+
+		next()
+		if path.Base(m.Root) != checksumEmptyDir {
+			log.Fatal("unexpected artifact checksum")
+		}
+	}
+
+	if promote {
+		ident = "O-6VjlIUxc4PYLf5v35uhIeL8kkYCbHYklqlmDjFPXe0m4j6GkUDg5qwTzBRESnf"
+	}
+
+	next() // testtool artifact
+
+	next()
+	if overlayWork {
+		ident = "acaDzHZv40dZaz4cGAXayqbRMgbEOuiuiUijZL8IgDQvyeCNMFE3onBMYfny-kXA"
+		if m.Root != "/" || m.Target != "/work" ||
+			m.Source != "overlay" || m.FsType != "overlay" {
+			log.Fatal("unexpected work mount entry")
+		}
+	} else {
+		if path.Base(m.Root) != ident || m.Target != "/work" {
+			log.Fatal("unexpected work mount entry")
+		}
+	}
+
+	next()
+	if path.Base(m.Root) != ident || m.Target != "/tmp" {
+		log.Fatal("unexpected temp mount entry")
+	}
+
+	next()
+	if m.Root != "/" || m.Target != "/proc" || m.Source != "proc" || m.FsType != "proc" {
+		log.Fatal("unexpected proc mount entry")
+	}
+
+	next()
+	if m.Root != "/" || m.Target != "/dev" || m.Source != "devtmpfs" || m.FsType != "tmpfs" {
+		log.Fatal("unexpected dev mount entry")
+	}
+
+	for i := 0; i < 9; i++ { // private /dev entries
+		next()
+	}
+
+	if m.Next != nil {
+		log.Println("unexpected extra mount entries")
+		for m.Next != nil {
+			next()
+		}
+		os.Exit(1)
+	}
+
+	checkData := []byte{0}
+	if hostNet {
+		checkData = []byte("net")
+	}
+	if err := os.WriteFile("check", checkData, 0400); err != nil {
+		log.Fatal(err)
+	}
+}
--- a/internal/rosa/busybox.go
+++ b/internal/rosa/busybox.go
@@ -0,0 +1,360 @@
+package rosa
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"slices"
+	"strings"
+	"time"
+
+	"hakurei.app/container/fhs"
+	"hakurei.app/internal/pkg"
+)
+
+// busyboxBin is a busybox binary distribution installed under bin/busybox.
+type busyboxBin struct {
+	// Underlying busybox binary.
+	bin pkg.File
+}
+
+// Kind returns the hardcoded [pkg.Kind] value.
+func (a busyboxBin) Kind() pkg.Kind { return kindBusyboxBin }
+
+// Params is a noop.
+func (a busyboxBin) Params(*pkg.IContext) {}
+
+// Dependencies returns the underlying busybox [pkg.File].
+func (a busyboxBin) Dependencies() []pkg.Artifact {
+	return []pkg.Artifact{a.bin}
+}
+
+// String returns the reporting name of the underlying file prefixed with expand.
+func (a busyboxBin) String() string {
+	return "expand-" + a.bin.(fmt.Stringer).String()
+}
+
+// Cure installs the underlying busybox [pkg.File] to bin/busybox.
+func (a busyboxBin) Cure(t *pkg.TContext) (err error) {
+	var r io.ReadCloser
+	if r, err = t.Open(a.bin); err != nil {
+		return
+	}
+	defer func() {
+		closeErr := r.Close()
+		if err == nil {
+			err = closeErr
+		}
+	}()
+
+	binDir := t.GetWorkDir().Append("bin")
+	if err = os.MkdirAll(binDir.String(), 0700); err != nil {
+		return
+	}
+
+	var w *os.File
+	if w, err = os.OpenFile(
+		binDir.Append("busybox").String(),
+		os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+		0500,
+	); err != nil {
+		return
+	}
+	defer func() {
+		closeErr := w.Close()
+		if err == nil {
+			err = closeErr
+		}
+	}()
+
+	_, err = io.Copy(w, r)
+	return
+}
+
+// newBusyboxBin returns a [pkg.Artifact] containing a busybox installation from
+// the https://busybox.net/downloads/binaries/ binary release.
+func newBusyboxBin() pkg.Artifact {
+	const (
+		version  = "1.35.0"
+		checksum = "L7OBIsPu9enNHn7FqpBT1kOg_mCLNmetSeNMA3i4Y60Z5jTgnlX3qX3zcQtLx5AB"
+	)
+	return pkg.NewExec(
+		"busybox-bin-"+version, nil, pkg.ExecTimeoutMax, fhs.AbsRoot, []string{
+			"PATH=/system/bin",
+		},
+		AbsSystem.Append("bin", "busybox"),
+		[]string{"hush", "-c", "" +
+			"busybox mkdir -p /work/system/bin/ && " +
+			"busybox cp /system/bin/busybox /work/system/bin/ && " +
+			"busybox --install -s /work/system/bin/"},
+		pkg.Path(AbsSystem, true, busyboxBin{pkg.NewHTTPGet(
+			&http.Client{Transport: &http.Transport{
+				// busybox website is really slow to respond
+				TLSHandshakeTimeout: 2 * time.Minute,
+			}},
+			"https://busybox.net/downloads/binaries/"+
+				version+"-"+linuxArch()+"-linux-musl/busybox",
+			mustDecode(checksum),
+		)}),
+	)
+}
+
+// NewBusybox returns a [pkg.Artifact] containing a dynamically linked busybox
+// installation usable within the [Toolchain] it is compiled against.
+func (t Toolchain) NewBusybox() pkg.Artifact {
+	const (
+		version  = "1.37.0"
+		checksum = "Ial94Tnt7esJ_YEeb0AxunVL6MGYFyOw7Rtu2o87CXCi1TLrc6rlznVsN1rZk7it"
+	)
+
+	extra := []pkg.Artifact{
+		t.NewMake(),
+		t.NewKernelHeaders(),
+	}
+	var env []string
+
+	if t == toolchainStage3 {
+		extra = nil
+		env = append(env, "EXTRA_LDFLAGS=-static")
+	}
+
+	return t.New("busybox-"+version, extra, nil, slices.Concat([]string{
+		"ROSA_BUSYBOX_ENABLE=" + strings.Join([]string{
+			"STATIC",
+			"PIE",
+		}, " "),
+		"ROSA_BUSYBOX_DISABLE=" + strings.Join([]string{
+			"FEATURE_IPV6",
+			"FEATURE_PREFER_IPV4_ADDRESS",
+			"FEATURE_HWIB",
+			"ARP",
+			"ARPING",
+			"BRCTL",
+			"FEATURE_BRCTL_FANCY",
+			"FEATURE_BRCTL_SHOW",
+			"DNSD",
+			"ETHER_WAKE",
+			"FTPD",
+			"FEATURE_FTPD_WRITE",
+			"FEATURE_FTPD_ACCEPT_BROKEN_LIST",
+			"FEATURE_FTPD_AUTHENTICATION",
+			"FTPGET",
+			"FTPPUT",
+			"FEATURE_FTPGETPUT_LONG_OPTIONS",
+			"HOSTNAME",
+			"DNSDOMAINNAME",
+			"HTTPD",
+			"FEATURE_HTTPD_PORT_DEFAULT",
+			"FEATURE_HTTPD_RANGES",
+			"FEATURE_HTTPD_SETUID",
+			"FEATURE_HTTPD_BASIC_AUTH",
+			"FEATURE_HTTPD_AUTH_MD5",
+			"FEATURE_HTTPD_CGI",
+			"FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR",
+			"FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV",
+			"FEATURE_HTTPD_ENCODE_URL_STR",
+			"FEATURE_HTTPD_ERROR_PAGES",
+			"FEATURE_HTTPD_PROXY",
+			"FEATURE_HTTPD_GZIP",
+			"FEATURE_HTTPD_ETAG",
+			"FEATURE_HTTPD_LAST_MODIFIED",
+			"FEATURE_HTTPD_DATE",
+			"FEATURE_HTTPD_ACL_IP",
+			"IFCONFIG",
+			"FEATURE_IFCONFIG_STATUS",
+			"FEATURE_IFCONFIG_SLIP",
+			"FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ",
+			"FEATURE_IFCONFIG_HW",
+			"FEATURE_IFCONFIG_BROADCAST_PLUS",
+			"IFENSLAVE",
+			"IFPLUGD",
+			"IFUP",
+			"IFDOWN",
+			"IFUPDOWN_IFSTATE_PATH",
+			"FEATURE_IFUPDOWN_IP",
+			"FEATURE_IFUPDOWN_IPV4",
+			"FEATURE_IFUPDOWN_IPV6",
+			"FEATURE_IFUPDOWN_MAPPING",
+			"INETD",
+			"FEATURE_INETD_SUPPORT_BUILTIN_ECHO",
+			"FEATURE_INETD_SUPPORT_BUILTIN_DISCARD",
+			"FEATURE_INETD_SUPPORT_BUILTIN_TIME",
+			"FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME",
+			"FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN",
+			"IP",
+			"IPADDR",
+			"IPLINK",
+			"IPROUTE",
+			"IPTUNNEL",
+			"IPRULE",
+			"IPNEIGH",
+			"FEATURE_IP_ADDRESS",
+			"FEATURE_IP_LINK",
+			"FEATURE_IP_LINK_CAN",
+			"FEATURE_IP_ROUTE",
+			"FEATURE_IP_ROUTE_DIR",
+			"FEATURE_IP_TUNNEL",
+			"FEATURE_IP_RULE",
+			"FEATURE_IP_NEIGH",
+			"IPCALC",
+			"FEATURE_IPCALC_LONG_OPTIONS",
+			"FEATURE_IPCALC_FANCY",
+			"FAKEIDENTD",
+			"NAMEIF",
+			"FEATURE_NAMEIF_EXTENDED",
+			"NBDCLIENT",
+			"NC",
+			"NC_SERVER",
+			"NC_EXTRA",
+			"NC_110_COMPAT",
+			"NETSTAT",
+			"FEATURE_NETSTAT_WIDE",
+			"FEATURE_NETSTAT_PRG",
+			"NSLOOKUP",
+			"FEATURE_NSLOOKUP_BIG",
+			"FEATURE_NSLOOKUP_LONG_OPTIONS",
+			"NTPD",
+			"FEATURE_NTPD_SERVER",
+			"FEATURE_NTPD_CONF",
+			"FEATURE_NTP_AUTH",
+			"PING",
+			"PING6",
+			"FEATURE_FANCY_PING",
+			"PSCAN",
+			"ROUTE",
+			"SLATTACH",
+			"SSL_CLIENT",
+			"TC",
+			"FEATURE_TC_INGRESS",
+			"TCPSVD",
+			"UDPSVD",
+			"TELNET",
+			"FEATURE_TELNET_TTYPE",
+			"FEATURE_TELNET_AUTOLOGIN",
+			"FEATURE_TELNET_WIDTH",
+			"TELNETD",
+			"FEATURE_TELNETD_STANDALONE",
+			"FEATURE_TELNETD_PORT_DEFAULT",
+			"FEATURE_TELNETD_INETD_WAIT",
+			"TFTP",
+			"FEATURE_TFTP_PROGRESS_BAR",
+			"FEATURE_TFTP_HPA_COMPAT",
+			"TFTPD",
+			"FEATURE_TFTP_GET",
+			"FEATURE_TFTP_PUT",
+			"FEATURE_TFTP_BLOCKSIZE",
+			"TLS",
+			"TRACEROUTE",
+			"TRACEROUTE6",
+			"FEATURE_TRACEROUTE_VERBOSE",
+			"FEATURE_TRACEROUTE_USE_ICMP",
+			"TUNCTL",
+			"FEATURE_TUNCTL_UG",
+			"VCONFIG",
+			"WGET",
+			"FEATURE_WGET_LONG_OPTIONS",
+			"FEATURE_WGET_STATUSBAR",
+			"FEATURE_WGET_FTP",
+			"FEATURE_WGET_AUTHENTICATION",
+			"FEATURE_WGET_TIMEOUT",
+			"FEATURE_WGET_HTTPS",
+			"FEATURE_WGET_OPENSSL",
+			"WHOIS",
+			"ZCIP",
+			"UDHCPD",
+			"FEATURE_UDHCPD_BOOTP",
+			"FEATURE_UDHCPD_WRITE_LEASES_EARLY",
+			"DHCPD_LEASES_FILE",
+			"DUMPLEASES",
+			"DHCPRELAY",
+			"UDHCPC",
+			"FEATURE_UDHCPC_ARPING",
+			"FEATURE_UDHCPC_SANITIZEOPT",
+			"UDHCPC_DEFAULT_SCRIPT",
+			"UDHCPC6_DEFAULT_SCRIPT",
+			"UDHCPC6",
+			"FEATURE_UDHCPC6_RFC3646",
+			"FEATURE_UDHCPC6_RFC4704",
+			"FEATURE_UDHCPC6_RFC4833",
+			"FEATURE_UDHCPC6_RFC5970",
+		}, " "),
+	}, env), `
+config_enable() {
+	for ent in "$@"; do
+		sed "s/^# CONFIG_${ent}.*/CONFIG_${ent}=y/" -i .config
+		shift
+	done
+}
+
+config_disable() {
+	for ent in "$@"; do
+		sed "s/^CONFIG_${ent}=y/# CONFIG_${ent} is not set/" -i .config
+		shift
+	done
+}
+
+cat > /bin/gcc << EOF
+exec clang \
+	-Wno-ignored-optimization-argument \
+	${ROSA_CFLAGS} \
+	${LDFLAGS} \
+	\$@
+EOF
+chmod +x /bin/gcc
+
+cd /usr/src/busybox
+chmod +w editors editors/awk.c
+patch -p 1 < /usr/src/patches/awk-fix-literal-backslash.patch
+
+cd "$(mktemp -d)"
+make \
+	KBUILD_SRC=/usr/src/busybox \
+	-f /usr/src/busybox/Makefile \
+	defconfig
+
+config_enable $ROSA_BUSYBOX_ENABLE
+config_disable $ROSA_BUSYBOX_DISABLE
+ln -s ../system/bin/pwd /bin/pwd || true
+make CFLAGS_busybox="${LDFLAGS} ${EXTRA_LDFLAGS}" "-j$(nproc)"
+
+mkdir -p /system/bin/ /work/bin/
+cp busybox /system/bin/
+
+mkdir -pv /work/system/bin/
+busybox --install -s /work/system/bin/
+cp -v busybox /work/system/bin/
+ln -vs ../system/bin/hush /work/bin/sh
+mkdir -vp /work/usr/bin/
+ln -vs ../../system/bin/busybox /work/usr/bin/env
+`, pkg.Path(AbsUsrSrc.Append("busybox"), true, pkg.NewHTTPGetTar(
+		&http.Client{Transport: &http.Transport{
+			// busybox website is really slow to respond
+			TLSHandshakeTimeout: 2 * time.Minute,
+		}},
+		"https://busybox.net/downloads/busybox-"+version+".tar.bz2",
+		mustDecode(checksum),
+		pkg.TarBzip2,
+	)), pkg.Path(
+		AbsUsrSrc.Append("patches", "awk-fix-literal-backslash.patch"), false,
+		pkg.NewFile("awk-fix-literal-backslash.patch", []byte(`diff --git a/editors/awk.c b/editors/awk.c
+index 64e752f4b..40f5ba7f7 100644
+--- a/editors/awk.c
+++ b/editors/awk.c
+@@ -2636,8 +2636,13 @@ static int awk_sub(node *rn, const char *repl, int nm, var *src, var *dest /*,in
+ 					resbuf = qrealloc(resbuf, residx + replen + n, &resbufsize);
+ 					memcpy(resbuf + residx, sp + pmatch[j].rm_so - start_ofs, n);
+ 					residx += n;
+-				} else
+				} else {
+/* '\\' and '&' following a backslash keep its original meaning, any other
+ * occurrence of a '\\' should be treated as literal */
+					if (bslash && c != '\\' && c != '&')
+						resbuf[residx++] = '\\';
+ 					resbuf[residx++] = c;
+				}
+ 				bslash = 0;
+ 			}
+ 		}`)),
+	))
+}
--- a/internal/rosa/cmake.go
+++ b/internal/rosa/cmake.go
@@ -0,0 +1,130 @@
+package rosa
+
+import (
+	"slices"
+	"strings"
+
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+)
+
+// NewCMake returns a [pkg.Artifact] containing an installation of CMake.
+func (t Toolchain) NewCMake() pkg.Artifact {
+	const (
+		version  = "4.2.1"
+		checksum = "Y3OdbMsob6Xk2y1DCME6z4Fryb5_TkFD7knRT8dTNIRtSqbiCJyyDN9AxggN_I75"
+	)
+	return t.New("cmake-"+version, []pkg.Artifact{
+		t.NewMake(),
+		t.NewKernelHeaders(),
+	}, nil, nil, `
+# expected to be writable in the copy made during bootstrap
+chmod -R +w /usr/src/cmake/Tests
+
+cd "$(mktemp -d)"
+/usr/src/cmake/bootstrap \
+	--prefix=/system \
+	--parallel="$(nproc)" \
+	-- \
+	-DCMAKE_USE_OPENSSL=OFF
+make "-j$(nproc)"
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("cmake"), true,
+		pkg.NewHTTPGetTar(
+			nil, "https://github.com/Kitware/CMake/releases/download/"+
+				"v"+version+"/cmake-"+version+".tar.gz",
+			mustDecode(checksum),
+			pkg.TarGzip,
+		)))
+}
+
+// CMakeAttr holds the project-specific attributes that will be applied to a new
+// [pkg.Artifact] compiled via CMake.
+type CMakeAttr struct {
+	// Path elements joined with source.
+	Append []string
+	// Use source tree as scratch space.
+	Writable bool
+	// Dependencies concatenated with the build system itself.
+	Extra []pkg.Artifact
+
+	// CMake CACHE entries.
+	Cache [][2]string
+	// Additional environment variables.
+	Env []string
+	// Runs before cmake.
+	ScriptEarly string
+	// Runs after cmake.
+	Script string
+
+	// Override the default installation prefix [AbsSystem].
+	Prefix *check.Absolute
+}
+
+// NewViaCMake returns a [pkg.Artifact] for compiling and installing via CMake.
+func (t Toolchain) NewViaCMake(
+	name, version, variant string,
+	source pkg.Artifact,
+	attr *CMakeAttr,
+) pkg.Artifact {
+	if name == "" || version == "" || variant == "" {
+		panic("names must be non-empty")
+	}
+	if attr == nil {
+		attr = &CMakeAttr{
+			Cache: [][2]string{
+				{"CMAKE_BUILD_TYPE", "Release"},
+			},
+		}
+	}
+	if len(attr.Cache) == 0 {
+		panic("CACHE must be non-empty")
+	}
+
+	cmakeExtras := []pkg.Artifact{
+		t.NewCMake(),
+		t.NewNinja(),
+	}
+	if t == toolchainStage3 {
+		cmakeExtras = nil
+	}
+
+	scriptEarly := attr.ScriptEarly
+	if attr.Writable {
+		scriptEarly = `
+chmod -R +w "${ROSA_SOURCE}"
+` + scriptEarly
+	}
+
+	prefix := attr.Prefix
+	if prefix == nil {
+		prefix = AbsSystem
+	}
+
+	sourcePath := AbsUsrSrc.Append(name)
+	return t.New(name+"-"+variant+"-"+version, slices.Concat(
+		attr.Extra,
+		cmakeExtras,
+	), nil, slices.Concat([]string{
+		"ROSA_SOURCE=" + sourcePath.String(),
+		"ROSA_CMAKE_SOURCE=" + sourcePath.Append(attr.Append...).String(),
+		"ROSA_INSTALL_PREFIX=/work" + prefix.String(),
+	}, attr.Env), scriptEarly+`
+mkdir /cure && cd /cure
+cmake -G Ninja \
+	-DCMAKE_C_COMPILER_TARGET="${ROSA_TRIPLE}" \
+	-DCMAKE_CXX_COMPILER_TARGET="${ROSA_TRIPLE}" \
+	-DCMAKE_ASM_COMPILER_TARGET="${ROSA_TRIPLE}" \
+	`+strings.Join(slices.Collect(func(yield func(string) bool) {
+		for _, v := range attr.Cache {
+			if !yield("-D" + v[0] + "=" + v[1]) {
+				return
+			}
+		}
+	}), " \\\n\t")+` \
+	-DCMAKE_INSTALL_PREFIX="${ROSA_INSTALL_PREFIX}" \
+	"${ROSA_CMAKE_SOURCE}"
+cmake --build .
+cmake --install .
+`+attr.Script, pkg.Path(sourcePath, attr.Writable, source))
+}
--- a/internal/rosa/etc.go
+++ b/internal/rosa/etc.go
@@ -0,0 +1,115 @@
+package rosa
+
+import (
+	"errors"
+	"io"
+	"os"
+	"syscall"
+
+	"hakurei.app/internal/pkg"
+)
+
+// cureEtc contains deterministic elements of /etc, made available as part of
+// [Toolchain]. This silences test suites expecting certain standard files to be
+// available in /etc.
+type cureEtc struct {
+	// Optional via newIANAEtc.
+	iana pkg.Artifact
+}
+
+// Cure writes hardcoded configuration to files under etc.
+func (a cureEtc) Cure(t *pkg.FContext) (err error) {
+	etc := t.GetWorkDir().Append("etc")
+	if err = os.MkdirAll(etc.String(), 0700); err != nil {
+		return
+	}
+	for _, f := range [][2]string{
+		{"hosts", "127.0.0.1 localhost cure cure-net\n"},
+		{"passwd", `root:x:0:0:System administrator:/proc/nonexistent:/bin/sh
+cure:x:1023:1023:Cure:/usr/src:/bin/sh
+nobody:x:65534:65534:Overflow user:/proc/nonexistent:/system/bin/false
+`},
+		{"group", `root:x:0:
+cure:x:1023:
+nobody:x:65534:
+`},
+	} {
+		if err = os.WriteFile(
+			etc.Append(f[0]).String(),
+			[]byte(f[1]),
+			0400,
+		); err != nil {
+			return
+		}
+	}
+
+	if a.iana != nil {
+		iana, _ := t.GetArtifact(a.iana)
+
+		buf := make([]byte, syscall.Getpagesize()<<3)
+		for _, name := range []string{
+			"protocols",
+			"services",
+		} {
+			var dst, src *os.File
+			if dst, err = os.OpenFile(
+				etc.Append(name).String(),
+				syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY,
+				0400,
+			); err != nil {
+				return
+			}
+
+			if src, err = os.Open(
+				iana.Append(name).String(),
+			); err != nil {
+				_ = dst.Close()
+				return
+			}
+
+			_, err = io.CopyBuffer(dst, src, buf)
+			closeErrs := [...]error{
+				dst.Close(),
+				src.Close(),
+			}
+			if err != nil {
+				return
+			} else if err = errors.Join(closeErrs[:]...); err != nil {
+				return
+			}
+		}
+	}
+
+	return os.Chmod(etc.String(), 0500)
+}
+
+// Kind returns the hardcoded [pkg.Kind] value.
+func (cureEtc) Kind() pkg.Kind { return kindEtc }
+
+// Params is a noop.
+func (cureEtc) Params(*pkg.IContext) {}
+
+// Dependencies returns a slice containing the backing iana-etc release.
+func (a cureEtc) Dependencies() []pkg.Artifact {
+	if a.iana != nil {
+		return []pkg.Artifact{a.iana}
+	}
+	return nil
+}
+
+// String returns a hardcoded reporting name.
+func (cureEtc) String() string { return "cure-etc" }
+
+// newIANAEtc returns an unpacked iana-etc release.
+func newIANAEtc() pkg.Artifact {
+	const (
+		version  = "20251215"
+		checksum = "kvKz0gW_rGG5QaNK9ZWmWu1IEgYAdmhj_wR7DYrh3axDfIql_clGRHmelP7525NJ"
+	)
+	return pkg.NewHTTPGetTar(
+		nil, "https://github.com/Mic92/iana-etc/releases/download/"+
+			version+"/iana-etc-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)
+}
--- a/internal/rosa/git.go
+++ b/internal/rosa/git.go
@@ -0,0 +1,37 @@
+package rosa
+
+import (
+	"hakurei.app/internal/pkg"
+)
+
+// NewGit returns a [pkg.Artifact] containing an installation of git.
+func (t Toolchain) NewGit() pkg.Artifact {
+	const (
+		version  = "2.52.0"
+		checksum = "uH3J1HAN_c6PfGNJd2OBwW4zo36n71wmkdvityYnrh8Ak0D1IifiAvEWz9Vi9DmS"
+	)
+	extra := []pkg.Artifact{
+		t.NewMake(),
+		t.NewPerl(),
+		t.NewM4(),
+		t.NewAutoconf(),
+		t.NewGettext(),
+
+		t.NewZlib(),
+	}
+	if t == toolchainStage3 {
+		extra = nil
+	}
+	return t.New("git-"+version, extra, nil, nil, `
+chmod -R +w /usr/src/git && cd /usr/src/git
+make configure
+./configure --prefix=/system
+make "-j$(nproc)" all
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("git"), true, pkg.NewHTTPGetTar(
+		nil, "https://www.kernel.org/pub/software/scm/git/"+
+			"git-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
--- a/internal/rosa/gnu.go
+++ b/internal/rosa/gnu.go
@@ -0,0 +1,196 @@
+package rosa
+
+import "hakurei.app/internal/pkg"
+
+// NewMake returns a [pkg.Artifact] containing an installation of GNU Make.
+func (t Toolchain) NewMake() pkg.Artifact {
+	const (
+		version  = "4.4.1"
+		checksum = "YS_B07ZcAy9PbaK5_vKGj64SrxO2VMpnMKfc9I0Q9IC1rn0RwOH7802pJoj2Mq4a"
+	)
+	return t.New("make-"+version, nil, nil, nil, `
+cd "$(mktemp -d)"
+/usr/src/make/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}" \
+	--disable-dependency-tracking
+./build.sh
+./make DESTDIR=/work install check
+`, pkg.Path(AbsUsrSrc.Append("make"), false, pkg.NewHTTPGetTar(
+		nil,
+		"https://ftp.gnu.org/gnu/make/make-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// NewM4 returns a [pkg.Artifact] containing an installation of GNU M4.
+func (t Toolchain) NewM4() pkg.Artifact {
+	const (
+		version  = "1.4.20"
+		checksum = "RT0_L3m4Co86bVBY3lCFAEs040yI1WdeNmRylFpah8IZovTm6O4wI7qiHJN3qsW9"
+	)
+	return t.New("m4-"+version, []pkg.Artifact{
+		t.NewMake(),
+	}, nil, nil, `
+cd /usr/src/m4
+chmod +w tests/test-c32ispunct.sh && echo '#!/bin/sh' > tests/test-c32ispunct.sh
+
+cd "$(mktemp -d)"
+/usr/src/m4/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}"
+make "-j$(nproc)" check
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("m4"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://ftp.gnu.org/gnu/m4/m4-"+version+".tar.bz2",
+		mustDecode(checksum),
+		pkg.TarBzip2,
+	)))
+}
+
+// NewAutoconf returns a [pkg.Artifact] containing an installation of GNU Autoconf.
+func (t Toolchain) NewAutoconf() pkg.Artifact {
+	const (
+		version  = "2.72"
+		checksum = "-c5blYkC-xLDer3TWEqJTyh1RLbOd1c5dnRLKsDnIrg_wWNOLBpaqMY8FvmUFJ33"
+	)
+	return t.New("autoconf-"+version, []pkg.Artifact{
+		t.NewMake(),
+		t.NewM4(),
+		t.NewPerl(),
+	}, nil, nil, `
+cd "$(mktemp -d)"
+/usr/src/autoconf/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}"
+make "-j$(nproc)" check
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("autoconf"), false, pkg.NewHTTPGetTar(
+		nil,
+		"https://ftp.gnu.org/gnu/autoconf/autoconf-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// NewGettext returns a [pkg.Artifact] containing an installation of GNU gettext.
+func (t Toolchain) NewGettext() pkg.Artifact {
+	const (
+		version  = "0.26"
+		checksum = "IMu7yDZX7xL5UO1ZxXc-iBMbY9LLEUlOroyuSlHMZwg9MKtxG7HIm8F2LheDua0y"
+	)
+	return t.New("gettext-"+version, []pkg.Artifact{
+		t.NewMake(),
+	}, nil, nil, `
+cd /usr/src/gettext
+test_disable() { chmod +w "$2" && echo "$1" > "$2"; }
+
+test_disable '#!/bin/sh' gettext-tools/tests/msgcat-22
+test_disable '#!/bin/sh' gettext-tools/tests/msgconv-2
+test_disable '#!/bin/sh' gettext-tools/tests/msgconv-8
+test_disable '#!/bin/sh' gettext-tools/tests/xgettext-python-3
+test_disable '#!/bin/sh' gettext-tools/tests/msgmerge-compendium-6
+test_disable '#!/bin/sh' gettext-tools/tests/gettextpo-1
+test_disable '#!/bin/sh' gettext-tools/tests/format-c-5
+test_disable '#!/bin/sh' gettext-tools/gnulib-tests/test-c32ispunct.sh
+test_disable 'int main(){return 0;}' gettext-tools/gnulib-tests/test-stdcountof-h.c
+
+cd "$(mktemp -d)"
+/usr/src/gettext/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}"
+make "-j$(nproc)" check
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("gettext"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://ftp.gnu.org/pub/gnu/gettext/gettext-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// NewDiffutils returns a [pkg.Artifact] containing an installation of GNU diffutils.
+func (t Toolchain) NewDiffutils() pkg.Artifact {
+	const (
+		version  = "3.12"
+		checksum = "9J5VAq5oA7eqwzS1Yvw-l3G5o-TccUrNQR3PvyB_lgdryOFAfxtvQfKfhdpquE44"
+	)
+	return t.New("diffutils-"+version, []pkg.Artifact{
+		t.NewMake(),
+	}, nil, nil, `
+cd /usr/src/diffutils
+test_disable() { chmod +w "$2" && echo "$1" > "$2"; }
+
+test_disable '#!/bin/sh' gnulib-tests/test-c32ispunct.sh
+test_disable 'int main(){return 0;}' gnulib-tests/test-c32ispunct.c
+
+cd "$(mktemp -d)"
+/usr/src/diffutils/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}"
+make "-j$(nproc)" check
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("diffutils"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://ftp.gnu.org/gnu/diffutils/diffutils-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// NewBash returns a [pkg.Artifact] containing an installation of GNU Bash.
+func (t Toolchain) NewBash() pkg.Artifact {
+	const (
+		version  = "5.3"
+		checksum = "4LQ_GRoB_ko-Ih8QPf_xRKA02xAm_TOxQgcJLmFDT6udUPxTAWrsj-ZNeuTusyDq"
+	)
+	return t.New("bash-"+version, []pkg.Artifact{
+		t.NewMake(),
+	}, nil, nil, `
+cd "$(mktemp -d)"
+/usr/src/bash/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}" \
+	--without-bash-malloc
+make "-j$(nproc)" check
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("bash"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://ftp.gnu.org/gnu/bash/bash-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// NewCoreutils returns a [pkg.Artifact] containing an installation of GNU Coreutils.
+func (t Toolchain) NewCoreutils() pkg.Artifact {
+	const (
+		version  = "9.9"
+		checksum = "B1_TaXj1j5aiVIcazLWu8Ix03wDV54uo2_iBry4qHG6Y-9bjDpUPlkNLmU_3Nvw6"
+	)
+	return t.New("coreutils-"+version, []pkg.Artifact{
+		t.NewMake(),
+		t.NewPerl(),
+
+		t.NewKernelHeaders(),
+	}, nil, nil, `
+cd /usr/src/coreutils
+test_disable() { chmod +w "$2" && echo "$1" > "$2"; }
+
+test_disable '#!/bin/sh' gnulib-tests/test-c32ispunct.sh
+
+cd "$(mktemp -d)"
+/usr/src/coreutils/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}"
+make "-j$(nproc)" check
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("coreutils"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://ftp.gnu.org/gnu/coreutils/coreutils-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
--- a/internal/rosa/go.go
+++ b/internal/rosa/go.go
@@ -0,0 +1,92 @@
+package rosa
+
+import (
+	"slices"
+
+	"hakurei.app/internal/pkg"
+)
+
+// newGoBootstrap returns the Go bootstrap toolchain.
+func (t Toolchain) newGoBootstrap() pkg.Artifact {
+	const checksum = "8o9JL_ToiQKadCTb04nvBDkp8O1xiWOolAxVEqaTGodieNe4lOFEjlOxN3bwwe23"
+	return t.New("go1.4-bootstrap", []pkg.Artifact{
+		t.NewBash(),
+	}, nil, []string{
+		"CGO_ENABLED=0",
+	}, `
+mkdir -p /var/tmp
+cp -r /usr/src/go1.4-bootstrap /work
+cd /work/go1.4-bootstrap/src
+chmod -R +w ..
+
+ln -s ../system/bin/busybox /bin/pwd
+cat << EOF > /bin/hostname
+#!/bin/sh
+echo cure
+EOF
+chmod +x /bin/hostname
+
+rm \
+	cmd/objdump/objdump_test.go \
+	syscall/creds_test.go \
+	net/multicast_test.go
+
+CC="${CC} ${LDFLAGS}" ./all.bash
+`, pkg.Path(AbsUsrSrc.Append("go1.4-bootstrap"), false, pkg.NewHTTPGetTar(
+		nil, "https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// newGo returns a specific version of the Go toolchain.
+func (t Toolchain) newGo(
+	version, checksum string,
+	boot pkg.Artifact,
+	env ...string,
+) pkg.Artifact {
+	return t.New("go"+version, []pkg.Artifact{
+		boot,
+	}, nil, slices.Concat([]string{
+		"GOCACHE=/tmp/gocache",
+		"GOROOT_BOOTSTRAP=/system/go",
+		"CGO_" + ldflags(false) + " -O2 -g",
+	}, env), `
+mkdir /work/system
+cp -r /usr/src/go /work/system
+cd /work/system/go/src
+chmod -R +w ..
+sed -i 's/bash run.bash/sh run.bash/' all.bash
+sh make.bash
+`, pkg.Path(AbsUsrSrc.Append("go"), false, pkg.NewHTTPGetTar(
+		nil, "https://go.dev/dl/go"+version+".src.tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// NewGo returns a [pkg.Artifact] containing the Go toolchain.
+func (t Toolchain) NewGo() pkg.Artifact {
+	go119 := t.newGo(
+		"1.19",
+		"9_e0aFHsIkVxWVGsp9T2RvvjOc3p4n9o9S8tkNe9Cvgzk_zI2FhRQB7ioQkeAAro",
+		t.newGoBootstrap(),
+		"GOROOT_BOOTSTRAP=/go1.4-bootstrap",
+	)
+	go121 := t.newGo(
+		"1.21.13",
+		"YtrDka402BOAEwywx03Vz4QlVwoBiguJHzG7PuythMCPHXS8CVMLvzmvgEbu4Tzu",
+		go119,
+	)
+	go123 := t.newGo(
+		"1.23.12",
+		"wcI32bl1tkqbgcelGtGWPI4RtlEddd-PTd76Eb-k7nXA5LbE9yTNdIL9QSOOxMOs",
+		go121,
+	)
+	go125 := t.newGo(
+		"1.25.6",
+		"x0z430qoDvQbbw_fftjW0rh_GSoh0VJhPzttWk_0hj9yz9AKOjuwRMupF_Q0dbt7",
+		go123,
+	)
+	return go125
+}
--- a/internal/rosa/kernel.go
+++ b/internal/rosa/kernel.go
@@ -0,0 +1,41 @@
+package rosa
+
+import (
+	"slices"
+
+	"hakurei.app/internal/pkg"
+)
+
+// newKernel is a helper for interacting with Kbuild.
+func (t Toolchain) newKernel(
+	script string,
+	extra ...pkg.Artifact,
+) pkg.Artifact {
+	const (
+		version  = "6.18.5"
+		checksum = "-V1e1WWl7HuePkmm84sSKF7nLuHfUs494uNMzMqXEyxcNE_PUE0FICL0oGWn44mM"
+	)
+	return t.New("kernel-"+version, slices.Concat([]pkg.Artifact{
+		t.NewMake(),
+	}, extra), nil, nil, `
+export LLVM=1
+export HOSTCFLAGS="${ROSA_CFLAGS}"
+export HOSTLDFLAGS="${LDFLAGS}"
+chmod -R +w /usr/src/linux && cd /usr/src/linux
+`+script, pkg.Path(AbsUsrSrc.Append("linux"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/"+
+			"snapshot/linux-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
+
+// NewKernelHeaders returns a [pkg.Artifact] containing kernel headers.
+func (t Toolchain) NewKernelHeaders() pkg.Artifact {
+	return t.newKernel(`
+make "-j$(nproc)" \
+	INSTALL_HDR_PATH=/work/system \
+	headers_install
+`, t.NewRsync())
+}
--- a/internal/rosa/libffi.go
+++ b/internal/rosa/libffi.go
@@ -0,0 +1,28 @@
+package rosa
+
+import "hakurei.app/internal/pkg"
+
+// NewLibffi returns a [pkg.Artifact] containing an installation of libffi.
+func (t Toolchain) NewLibffi() pkg.Artifact {
+	const (
+		version  = "3.4.5"
+		checksum = "apIJzypF4rDudeRoI_n3K7N-zCeBLTbQlHRn9NSAZqdLAWA80mR0gXPTpHsL7oMl"
+	)
+	return t.New("libffi-"+version, []pkg.Artifact{
+		t.NewMake(),
+		t.NewKernelHeaders(),
+	}, nil, nil, `
+cd "$(mktemp -d)"
+/usr/src/libffi/configure \
+	--prefix=/system \
+	--build="${ROSA_TRIPLE}"
+make "-j$(nproc)" check
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("libffi"), false, pkg.NewHTTPGetTar(
+		nil,
+		"https://github.com/libffi/libffi/releases/download/"+
+			"v"+version+"/libffi-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
--- a/internal/rosa/llvm.go
+++ b/internal/rosa/llvm.go
@@ -0,0 +1,361 @@
+package rosa
+
+import (
+	"runtime"
+	"slices"
+	"strconv"
+	"strings"
+
+	"hakurei.app/container/check"
+	"hakurei.app/internal/pkg"
+)
+
+// llvmAttr holds the attributes that will be applied to a new [pkg.Artifact]
+// containing a LLVM variant.
+type llvmAttr struct {
+	flags int
+
+	// Concatenated with default environment for CMakeAttr.Env.
+	env []string
+	// Concatenated with generated entries for CMakeAttr.Cache.
+	cmake [][2]string
+	// Override CMakeAttr.Append.
+	append []string
+	// Concatenated with default dependencies for CMakeAttr.Extra.
+	extra []pkg.Artifact
+	// Concatenated with default fixup for CMakeAttr.Script.
+	script string
+	// Passed through to CMakeAttr.Prefix.
+	prefix *check.Absolute
+
+	// Patch name and body pairs.
+	patches [][2]string
+}
+
+const (
+	llvmProjectClang = 1 << iota
+	llvmProjectLld
+
+	llvmProjectAll = 1<<iota - 1
+
+	llvmRuntimeCompilerRT = 1 << iota
+	llvmRuntimeLibunwind
+	llvmRuntimeLibc
+	llvmRuntimeLibcxx
+	llvmRuntimeLibcxxABI
+
+	llvmAll        = 1<<iota - 1
+	llvmRuntimeAll = llvmAll - (2 * llvmProjectAll) - 1
+)
+
+// llvmFlagName resolves a llvmAttr.flags project or runtime flag to its name.
+func llvmFlagName(flag int) string {
+	switch flag {
+	case llvmProjectClang:
+		return "clang"
+	case llvmProjectLld:
+		return "lld"
+
+	case llvmRuntimeCompilerRT:
+		return "compiler-rt"
+	case llvmRuntimeLibunwind:
+		return "libunwind"
+	case llvmRuntimeLibc:
+		return "libc"
+	case llvmRuntimeLibcxx:
+		return "libcxx"
+	case llvmRuntimeLibcxxABI:
+		return "libcxxabi"
+
+	default:
+		panic("invalid flag " + strconv.Itoa(flag))
+	}
+}
+
+// newLLVM returns a [pkg.Artifact] containing a LLVM variant.
+func (t Toolchain) newLLVM(variant string, attr *llvmAttr) pkg.Artifact {
+	const (
+		version  = "21.1.8"
+		checksum = "8SUpqDkcgwOPsqHVtmf9kXfFeVmjVxl4LMn-qSE1AI_Xoeju-9HaoPNGtidyxyka"
+	)
+	if attr == nil {
+		panic("LLVM attr must be non-nil")
+	}
+
+	var projects, runtimes []string
+	for i := 1; i < llvmProjectAll; i <<= 1 {
+		if attr.flags&i != 0 {
+			projects = append(projects, llvmFlagName(i))
+		}
+	}
+	for i := (llvmProjectAll + 1) << 1; i < llvmRuntimeAll; i <<= 1 {
+		if attr.flags&i != 0 {
+			runtimes = append(runtimes, llvmFlagName(i))
+		}
+	}
+
+	var script, scriptEarly string
+
+	cache := [][2]string{
+		{"CMAKE_BUILD_TYPE", "Release"},
+
+		{"LLVM_HOST_TRIPLE", `"${ROSA_TRIPLE}"`},
+		{"LLVM_DEFAULT_TARGET_TRIPLE", `"${ROSA_TRIPLE}"`},
+	}
+	if len(projects) > 0 {
+		cache = append(cache,
+			[2]string{"LLVM_ENABLE_PROJECTS", `"${ROSA_LLVM_PROJECTS}"`})
+	}
+	if len(runtimes) > 0 {
+		cache = append(cache,
+			[2]string{"LLVM_ENABLE_RUNTIMES", `"${ROSA_LLVM_RUNTIMES}"`})
+	}
+
+	cmakeAppend := []string{"llvm"}
+	if attr.append != nil {
+		cmakeAppend = attr.append
+	} else {
+		cache = append(cache,
+			[2]string{"LLVM_ENABLE_LIBCXX", "ON"},
+			[2]string{"LLVM_USE_LINKER", "lld"},
+
+			[2]string{"LLVM_INSTALL_BINUTILS_SYMLINKS", "ON"},
+			[2]string{"LLVM_INSTALL_CCTOOLS_SYMLINKS", "ON"},
+		)
+	}
+
+	extra := []pkg.Artifact{
+		t.NewLibffi(),
+		t.NewPython(),
+		t.NewPerl(),
+		t.NewDiffutils(),
+		t.NewBash(),
+		t.NewCoreutils(),
+
+		t.NewKernelHeaders(),
+	}
+	if t == toolchainStage3 {
+		extra = nil
+	}
+
+	if attr.flags&llvmProjectClang != 0 {
+		cache = append(cache,
+			[2]string{"CLANG_DEFAULT_CXX_STDLIB", "libc++"},
+			[2]string{"CLANG_DEFAULT_RTLIB", "compiler-rt"},
+		)
+	}
+	if attr.flags&llvmProjectLld != 0 {
+		script += `
+ln -s ld.lld /work/system/bin/ld
+`
+	}
+	if attr.flags&llvmRuntimeCompilerRT != 0 {
+		if attr.append == nil {
+			cache = append(cache,
+				[2]string{"COMPILER_RT_USE_LLVM_UNWINDER", "ON"})
+		}
+	}
+	if attr.flags&llvmRuntimeLibunwind != 0 {
+		cache = append(cache,
+			[2]string{"LIBUNWIND_USE_COMPILER_RT", "ON"})
+	}
+	if attr.flags&llvmRuntimeLibcxx != 0 {
+		cache = append(cache,
+			[2]string{"LIBCXX_HAS_MUSL_LIBC", "ON"},
+			[2]string{"LIBCXX_USE_COMPILER_RT", "ON"},
+		)
+
+		if t > toolchainStage3 {
+			// libcxxabi fails to compile if c++ headers not prefixed in /usr
+			// is found by the compiler, and doing this is easier than
+			// overriding CXXFLAGS; not using mv here to avoid chown failures
+			scriptEarly += `
+cp -r /system/include /usr/include && rm -rf /system/include
+`
+		}
+	}
+	if attr.flags&llvmRuntimeLibcxxABI != 0 {
+		cache = append(cache,
+			[2]string{"LIBCXXABI_USE_COMPILER_RT", "ON"},
+			[2]string{"LIBCXXABI_USE_LLVM_UNWINDER", "ON"},
+		)
+	}
+
+	source := pkg.NewHTTPGetTar(
+		nil, "https://github.com/llvm/llvm-project/archive/refs/tags/"+
+			"llvmorg-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)
+
+	patches := make([]pkg.ExecPath, len(attr.patches)+1)
+	for i, p := range attr.patches {
+		patches[i+1] = pkg.Path(
+			AbsUsrSrc.Append("llvm-patches", p[0]+".patch"), false,
+			pkg.NewFile(p[0], []byte(p[1])),
+		)
+	}
+	patches[0] = pkg.Path(AbsUsrSrc.Append("llvmorg"), false, source)
+	if len(patches) > 1 {
+		source = t.New(
+			"llvmorg-patched", nil, nil, nil, `
+cp -r /usr/src/llvmorg/. /work/.
+chmod -R +w /work && cd /work
+cat /usr/src/llvm-patches/* | patch -p 1
+`, patches...,
+		)
+	}
+
+	return t.NewViaCMake("llvm", version, variant, source, &CMakeAttr{
+		Cache:  slices.Concat(cache, attr.cmake),
+		Append: cmakeAppend,
+		Extra:  slices.Concat(attr.extra, extra),
+		Prefix: attr.prefix,
+
+		Env: slices.Concat([]string{
+			"ROSA_LLVM_PROJECTS=" + strings.Join(projects, ";"),
+			"ROSA_LLVM_RUNTIMES=" + strings.Join(runtimes, ";"),
+		}, attr.env),
+		ScriptEarly: scriptEarly, Script: script + attr.script,
+	})
+}
+
+// NewLLVM returns LLVM toolchain across multiple [pkg.Artifact].
+func (t Toolchain) NewLLVM() (musl, compilerRT, runtimes, clang pkg.Artifact) {
+	var target string
+	switch runtime.GOARCH {
+	case "386", "amd64":
+		target = "X86"
+
+	default:
+		panic("unsupported target " + runtime.GOARCH)
+	}
+
+	minimalDeps := [][2]string{
+		{"LLVM_ENABLE_ZLIB", "OFF"},
+		{"LLVM_ENABLE_ZSTD", "OFF"},
+		{"LLVM_ENABLE_LIBXML2", "OFF"},
+	}
+
+	compilerRT = t.newLLVM("compiler-rt", &llvmAttr{
+		env: []string{
+			ldflags(false),
+		},
+		cmake: [][2]string{
+			// libc++ not yet available
+			{"CMAKE_CXX_COMPILER_TARGET", ""},
+
+			{"COMPILER_RT_BUILD_BUILTINS", "ON"},
+			{"COMPILER_RT_DEFAULT_TARGET_ONLY", "ON"},
+			{"LLVM_ENABLE_PER_TARGET_RUNTIME_DIR", "ON"},
+
+			// does not work without libunwind
+			{"COMPILER_RT_BUILD_CTX_PROFILE", "OFF"},
+			{"COMPILER_RT_BUILD_LIBFUZZER", "OFF"},
+			{"COMPILER_RT_BUILD_MEMPROF", "OFF"},
+			{"COMPILER_RT_BUILD_PROFILE", "OFF"},
+			{"COMPILER_RT_BUILD_SANITIZERS", "OFF"},
+			{"COMPILER_RT_BUILD_XRAY", "OFF"},
+		},
+		append: []string{"compiler-rt"},
+		extra: []pkg.Artifact{t.NewMusl(&MuslAttr{
+			Headers: true,
+			Env: []string{
+				"CC=clang",
+			},
+		})},
+		script: `
+mkdir -p "${ROSA_INSTALL_PREFIX}/lib/clang/21/lib/"
+ln -s \
+	"../../../${ROSA_TRIPLE}" \
+	"${ROSA_INSTALL_PREFIX}/lib/clang/21/lib/"
+
+ln -s \
+	"clang_rt.crtbegin-$(uname -m).o" \
+	"${ROSA_INSTALL_PREFIX}/lib/${ROSA_TRIPLE}/crtbeginS.o"
+ln -s \
+	"clang_rt.crtend-$(uname -m).o" \
+	"${ROSA_INSTALL_PREFIX}/lib/${ROSA_TRIPLE}/crtendS.o"
+`,
+	})
+
+	musl = t.NewMusl(&MuslAttr{
+		Extra: []pkg.Artifact{compilerRT},
+		Env: []string{
+			ldflags(false),
+			"CC=clang",
+			"LIBCC=/system/lib/clang/21/lib/" +
+				triplet() + "/libclang_rt.builtins.a",
+			"AR=ar",
+			"RANLIB=ranlib",
+		},
+	})
+
+	runtimes = t.newLLVM("runtimes", &llvmAttr{
+		env: []string{
+			ldflags(false),
+		},
+		flags: llvmRuntimeLibunwind | llvmRuntimeLibcxx | llvmRuntimeLibcxxABI,
+		cmake: slices.Concat([][2]string{
+			// libc++ not yet available
+			{"CMAKE_CXX_COMPILER_WORKS", "ON"},
+
+			{"LIBCXX_HAS_ATOMIC_LIB", "OFF"},
+			{"LIBCXXABI_HAS_CXA_THREAD_ATEXIT_IMPL", "OFF"},
+		}, minimalDeps),
+		append: []string{"runtimes"},
+		extra: []pkg.Artifact{
+			compilerRT,
+			musl,
+		},
+	})
+
+	clang = t.newLLVM("clang", &llvmAttr{
+		flags: llvmProjectClang | llvmProjectLld,
+		env: []string{
+			"CFLAGS=" + cflags,
+			"CXXFLAGS=" + cxxflags(),
+			ldflags(false),
+		},
+		cmake: slices.Concat([][2]string{
+			{"LLVM_TARGETS_TO_BUILD", target},
+			{"CMAKE_CROSSCOMPILING", "OFF"},
+			{"CXX_SUPPORTS_CUSTOM_LINKER", "ON"},
+		}, minimalDeps),
+		extra: []pkg.Artifact{
+			musl,
+			compilerRT,
+			runtimes,
+			t.NewGit(),
+		},
+		script: `
+ninja check-all
+`,
+
+		patches: [][2]string{
+			{"xfail-broken-tests", `diff --git a/clang/test/Driver/hexagon-toolchain-linux.c b/clang/test/Driver/hexagon-toolchain-linux.c
+index e791353cca07..4efaf3948054 100644
+--- a/clang/test/Driver/hexagon-toolchain-linux.c
+++ b/clang/test/Driver/hexagon-toolchain-linux.c
+@@ -1,3 +1,5 @@
+// XFAIL: target={{.*-rosa-linux-musl}}
+
+ // UNSUPPORTED: system-windows
+
+ // -----------------------------------------------------------------------------
+diff --git a/clang/test/Modules/timestamps.c b/clang/test/Modules/timestamps.c
+index 50fdce630255..4b4465a75617 100644
+--- a/clang/test/Modules/timestamps.c
+++ b/clang/test/Modules/timestamps.c
+@@ -1,3 +1,5 @@
+// XFAIL: target={{.*-rosa-linux-musl}}
+
+ /// Verify timestamps that gets embedded in the module
+ #include <c-header.h>
+
+`},
+		},
+	})
+
+	return
+}
--- a/internal/rosa/musl.go
+++ b/internal/rosa/musl.go
@@ -0,0 +1,67 @@
+package rosa
+
+import (
+	"slices"
+
+	"hakurei.app/internal/pkg"
+)
+
+// MuslAttr holds the attributes that will be applied to musl.
+type MuslAttr struct {
+	// Install headers only.
+	Headers bool
+	// Environment variables concatenated with defaults.
+	Env []string
+	// Dependencies concatenated with defaults.
+	Extra []pkg.Artifact
+}
+
+// NewMusl returns a [pkg.Artifact] containing an installation of musl libc.
+func (t Toolchain) NewMusl(attr *MuslAttr) pkg.Artifact {
+	const (
+		version  = "1.2.5"
+		checksum = "y6USdIeSdHER_Fw2eT2CNjqShEye85oEg2jnOur96D073ukmIpIqDOLmECQroyDb"
+	)
+
+	if attr == nil {
+		attr = new(MuslAttr)
+	}
+
+	target := "install"
+	script := `
+mv -v /work/lib/* /work/system/lib
+rmdir -v /work/lib/
+`
+	if attr.Headers {
+		target = "install-headers"
+		script = ""
+	}
+
+	extra := []pkg.Artifact{
+		t.NewMake(),
+	}
+	if t == toolchainStage3 {
+		extra = nil
+	}
+
+	return t.New("musl-"+version, slices.Concat(
+		attr.Extra,
+		extra,
+	), nil, slices.Concat([]string{
+		"ROSA_MUSL_TARGET=" + target,
+	}, attr.Env), `
+# expected to be writable in copies
+chmod -R +w /usr/src/musl/
+
+cd "$(mktemp -d)"
+/usr/src/musl/configure \
+	--prefix=/system \
+	--target="${ROSA_TRIPLE}"
+make "-j$(nproc)" DESTDIR=/work "${ROSA_MUSL_TARGET}"
+`+script, pkg.Path(AbsUsrSrc.Append("musl"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://musl.libc.org/releases/musl-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
--- a/internal/rosa/ninja.go
+++ b/internal/rosa/ninja.go
@@ -0,0 +1,35 @@
+package rosa
+
+import "hakurei.app/internal/pkg"
+
+// NewNinja returns a [pkg.Artifact] containing an installation of Ninja.
+func (t Toolchain) NewNinja() pkg.Artifact {
+	const (
+		version  = "1.13.2"
+		checksum = "ygKWMa0YV2lWKiFro5hnL-vcKbc_-RACZuPu0Io8qDvgQlZ0dxv7hPNSFkt4214v"
+	)
+	return t.New("ninja-"+version, []pkg.Artifact{
+		t.NewCMake(),
+		t.NewPython(),
+	}, nil, nil, `
+chmod -R +w /usr/src/ninja/
+mkdir -p /work/system/bin/ && cd /work/system/bin/
+python3 /usr/src/ninja/configure.py \
+	--bootstrap \
+	--gtest-source-dir=/usr/src/googletest
+./ninja all
+./ninja_test
+`, pkg.Path(AbsUsrSrc.Append("googletest"), false,
+		pkg.NewHTTPGetTar(
+			nil, "https://github.com/google/googletest/releases/download/"+
+				"v1.16.0/googletest-1.16.0.tar.gz",
+			mustDecode("NjLGvSbgPy_B-y-o1hdanlzEzaYeStFcvFGxpYV3KYlhrWWFRcugYhM3ZMzOA9B_"),
+			pkg.TarGzip,
+		)), pkg.Path(AbsUsrSrc.Append("ninja"), true,
+		pkg.NewHTTPGetTar(
+			nil, "https://github.com/ninja-build/ninja/archive/refs/tags/"+
+				"v"+version+".tar.gz",
+			mustDecode(checksum),
+			pkg.TarGzip,
+		)))
+}
--- a/internal/rosa/perl.go
+++ b/internal/rosa/perl.go
@@ -0,0 +1,32 @@
+package rosa
+
+import "hakurei.app/internal/pkg"
+
+// NewPerl returns a [pkg.Artifact] containing an installation of perl.
+func (t Toolchain) NewPerl() pkg.Artifact {
+	const (
+		version  = "5.42.0"
+		checksum = "2KR7Jbpk-ZVn1a30LQRwbgUvg2AXlPQZfzrqCr31qD5-yEsTwVQ_W76eZH-EdxM9"
+	)
+	return t.New("perl-"+version, []pkg.Artifact{
+		t.NewMake(),
+	}, nil, nil, `
+chmod -R +w /usr/src/perl && cd /usr/src/perl
+
+./Configure \
+	-des \
+	-Dprefix=/system \
+	-Dcc="${CC}" \
+	-Dcflags='--std=gnu99' \
+	-Dldflags="${LDFLAGS}" \
+	-Doptimize='-O2 -fno-strict-aliasing' \
+	-Duseithreads
+make "-j$(nproc)" # test
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("perl"), true, pkg.NewHTTPGetTar(
+		nil,
+		"https://www.cpan.org/src/5.0/perl-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
--- a/internal/rosa/python.go
+++ b/internal/rosa/python.go
@@ -0,0 +1,60 @@
+package rosa
+
+import (
+	"strings"
+
+	"hakurei.app/internal/pkg"
+)
+
+// NewPython returns a [pkg.Artifact] containing an installation of Python.
+func (t Toolchain) NewPython() pkg.Artifact {
+	const (
+		version  = "3.14.2"
+		checksum = "7nZunVMGj0viB-CnxpcRego2C90X5wFsMTgsoewd5z-KSZY2zLuqaBwG-14zmKys"
+	)
+	skipTests := []string{
+		// requires internet access (http://www.pythontest.net/)
+		"test_asyncio",
+		"test_socket",
+		"test_urllib2",
+		"test_urllibnet",
+		"test_urllib2net",
+
+		// makes assumptions about uid_map/gid_map
+		"test_os",
+		"test_subprocess",
+
+		// somehow picks up mtime of source code
+		"test_zipfile",
+
+		// requires gcc
+		"test_ctypes",
+
+		// breaks on llvm
+		"test_dbm_gnu",
+	}
+	return t.New("python-"+version, []pkg.Artifact{
+		t.NewMake(),
+		t.NewZlib(),
+		t.NewLibffi(),
+	}, nil, []string{
+		"EXTRATESTOPTS=-j0 -x " + strings.Join(skipTests, " -x "),
+	}, `
+# test_synopsis_sourceless assumes this is writable and checks __pycache__
+chmod -R +w /usr/src/python/
+
+export HOME="$(mktemp -d)"
+cd "$(mktemp -d)"
+/usr/src/python/configure \
+	--prefix=/system
+make "-j$(nproc)"
+make test
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("python"), true,
+		pkg.NewHTTPGetTar(
+			nil, "https://www.python.org/ftp/python/"+version+
+				"/Python-"+version+".tgz",
+			mustDecode(checksum),
+			pkg.TarGzip,
+		)))
+}
--- a/internal/rosa/rosa.go
+++ b/internal/rosa/rosa.go
@@ -0,0 +1,260 @@
+// Package rosa provides Rosa OS toolchain artifacts and miscellaneous software.
+package rosa
+
+import (
+	"log"
+	"runtime"
+	"slices"
+	"strconv"
+	"strings"
+
+	"hakurei.app/container/fhs"
+	"hakurei.app/internal/pkg"
+)
+
+const (
+	// kindEtc is the kind of [pkg.Artifact] of cureEtc.
+	kindEtc = iota + pkg.KindCustomOffset
+
+	// kindBusyboxBin is the kind of [pkg.Artifact] of busyboxBin.
+	kindBusyboxBin
+)
+
+// mustDecode is like [pkg.MustDecode], but replaces the zero value and prints
+// a warning.
+func mustDecode(s string) pkg.Checksum {
+	var fallback = pkg.Checksum{}
+	if s == "" {
+		log.Println(
+			"falling back to",
+			pkg.Encode(fallback),
+			"for unpopulated checksum",
+		)
+		return fallback
+	}
+	return pkg.MustDecode(s)
+}
+
+var (
+	// AbsUsrSrc is the conventional directory to place source code under.
+	AbsUsrSrc = fhs.AbsUsr.Append("src")
+
+	// AbsSystem is the Rosa OS installation prefix.
+	AbsSystem = fhs.AbsRoot.Append("system")
+)
+
+// linuxArch returns the architecture name used by linux corresponding to
+// [runtime.GOARCH].
+func linuxArch() string {
+	switch runtime.GOARCH {
+	case "amd64":
+		return "x86_64"
+
+	default:
+		panic("unsupported target " + runtime.GOARCH)
+	}
+}
+
+// triplet returns the Rosa OS host triple corresponding to [runtime.GOARCH].
+func triplet() string {
+	return linuxArch() + "-rosa-linux-musl"
+}
+
+const (
+	// EnvTriplet holds the return value of triplet.
+	EnvTriplet = "ROSA_TRIPLE"
+	// EnvRefCFLAGS holds toolchain-specific reference CFLAGS.
+	EnvRefCFLAGS = "ROSA_CFLAGS"
+	// EnvRefCXXFLAGS holds toolchain-specific reference CXXFLAGS.
+	EnvRefCXXFLAGS = "ROSA_CXXFLAGS"
+)
+
+// ldflags returns LDFLAGS corresponding to triplet.
+func ldflags(static bool) string {
+	s := "LDFLAGS=" +
+		"-fuse-ld=lld " +
+		"-L/system/lib -Wl,-rpath=/system/lib " +
+		"-L/system/lib/" + triplet() + " " +
+		"-Wl,-rpath=/system/lib/" + triplet() + " " +
+		"-rtlib=compiler-rt " +
+		"-unwindlib=libunwind " +
+		"-Wl,--as-needed"
+	if !static {
+		s += " -Wl,--dynamic-linker=/system/lib/ld-musl-x86_64.so.1"
+	}
+	return s
+}
+
+// cflags is reference CFLAGS for the Rosa OS toolchain.
+const cflags = "-Qunused-arguments " +
+	"-isystem/system/include"
+
+// cxxflags returns reference CXXFLAGS for the Rosa OS toolchain corresponding
+// to [runtime.GOARCH].
+func cxxflags() string {
+	return "--start-no-unused-arguments " +
+		"-stdlib=libc++ " +
+		"--end-no-unused-arguments " +
+		"-isystem/system/include/c++/v1 " +
+		"-isystem/system/include/" + triplet() + "/c++/v1 " +
+		"-isystem/system/include "
+}
+
+// Toolchain denotes the infrastructure to compile a [pkg.Artifact] on.
+type Toolchain uintptr
+
+const (
+	// toolchainBusybox denotes a busybox installation from the busyboxBin
+	// binary distribution. This is for decompressing unsupported formats.
+	toolchainBusybox Toolchain = iota
+
+	// toolchainStage3 denotes the Gentoo stage3 toolchain. Special care must be
+	// taken to compile correctly against this toolchain.
+	toolchainStage3
+
+	// toolchainIntermediate denotes the intermediate toolchain compiled against
+	// toolchainStage3. This toolchain should be functionally identical to [Std]
+	// and is used to bootstrap [Std].
+	toolchainIntermediate
+
+	// Std denotes the standard Rosa OS toolchain.
+	Std
+)
+
+// lastIndexFunc is like [strings.LastIndexFunc] but for [slices].
+func lastIndexFunc[S ~[]E, E any](s S, f func(E) bool) (i int) {
+	if i = slices.IndexFunc(s, f); i < 0 {
+		return
+	}
+	if i0 := lastIndexFunc[S](s[i+1:], f); i0 >= 0 {
+		i = i0
+	}
+	return
+}
+
+// fixupEnviron fixes up PATH, prepends extras and returns the resulting slice.
+func fixupEnviron(env, extras []string, paths ...string) []string {
+	const pathPrefix = "PATH="
+	pathVal := strings.Join(paths, ":")
+
+	if i := lastIndexFunc(env, func(s string) bool {
+		return strings.HasPrefix(s, pathPrefix)
+	}); i < 0 {
+		env = append(env, pathPrefix+pathVal)
+	} else {
+		if len(env[i]) == len(pathPrefix) {
+			env[i] = pathPrefix + pathVal
+		} else {
+			env[i] += ":" + pathVal
+		}
+	}
+
+	return append(extras, env...)
+}
+
+// absCureScript is the absolute pathname [Toolchain.New] places the fixed-up
+// build script under.
+var absCureScript = fhs.AbsUsrBin.Append(".cure-script")
+
+// New returns a [pkg.Artifact] compiled on this toolchain.
+func (t Toolchain) New(
+	name string,
+	extra []pkg.Artifact,
+	checksum *pkg.Checksum,
+	env []string,
+	script string,
+
+	paths ...pkg.ExecPath,
+) pkg.Artifact {
+	const lcMessages = "LC_MESSAGES=C.UTF-8"
+
+	var (
+		path    = AbsSystem.Append("bin", "busybox")
+		args    = []string{"hush", absCureScript.String()}
+		support []pkg.Artifact
+	)
+	switch t {
+	case toolchainBusybox:
+		support = slices.Concat([]pkg.Artifact{newBusyboxBin()}, extra)
+		env = fixupEnviron(env, nil, "/system/bin")
+
+	case toolchainStage3:
+		const (
+			version  = "20260111T160052Z"
+			checksum = "c5_FwMnRN8RZpTdBLGYkL4RR8ampdaZN2JbkgrFLe8-QHQAVQy08APVvIL6eT7KW"
+		)
+		path = fhs.AbsRoot.Append("bin", "bash")
+		args[0] = "bash"
+		support = slices.Concat([]pkg.Artifact{
+			cureEtc{},
+			toolchainBusybox.New("stage3-"+version, nil, nil, nil, `
+tar -C /work -xf /usr/src/stage3.tar.xz
+rm -rf /work/dev/ /work/proc/
+ln -vs ../usr/bin /work/bin
+`, pkg.Path(AbsUsrSrc.Append("stage3.tar.xz"), false,
+				pkg.NewHTTPGet(
+					nil, "https://distfiles.gentoo.org/releases/"+
+						runtime.GOARCH+"/autobuilds/"+version+
+						"/stage3-"+runtime.GOARCH+"-musl-llvm-"+version+".tar.xz",
+					mustDecode(checksum),
+				),
+			)),
+		}, extra)
+		env = fixupEnviron(env, []string{
+			EnvTriplet + "=" + triplet(),
+			lcMessages,
+
+			EnvRefCFLAGS + "=" + cflags,
+			EnvRefCXXFLAGS + "=" + cxxflags(),
+			ldflags(true),
+		}, "/system/bin",
+			"/usr/bin",
+			"/usr/lib/llvm/21/bin",
+		)
+
+	case toolchainIntermediate, Std:
+		boot := t - 1
+		musl, compilerRT, runtimes, clang := boot.NewLLVM()
+		support = slices.Concat(extra, []pkg.Artifact{
+			cureEtc{newIANAEtc()},
+			musl,
+			compilerRT,
+			runtimes,
+			clang,
+			boot.NewBusybox(),
+		})
+		env = fixupEnviron(env, []string{
+			EnvTriplet + "=" + triplet(),
+			lcMessages,
+
+			// autotools projects act up with CFLAGS
+			"CC=clang " + cflags,
+			EnvRefCFLAGS + "=" + cflags,
+			"CXX=clang++ " + cxxflags(),
+			EnvRefCXXFLAGS + "=" + cxxflags(),
+			ldflags(false),
+
+			"AR=ar",
+			"RANLIB=ranlib",
+			"LIBCC=/system/lib/clang/21/lib/" + triplet() +
+				"/libclang_rt.builtins.a",
+		}, "/system/bin", "/bin")
+
+	default:
+		panic("unsupported toolchain " + strconv.Itoa(int(t)))
+	}
+
+	return pkg.NewExec(
+		name, checksum, pkg.ExecTimeoutMax,
+		fhs.AbsRoot, env,
+		path, args,
+
+		slices.Concat([]pkg.ExecPath{pkg.Path(
+			fhs.AbsRoot, true,
+			support...,
+		), pkg.Path(
+			absCureScript, false,
+			pkg.NewFile(".cure-script", []byte("set -e\n"+script)),
+		)}, paths)...,
+	)
+}
--- a/internal/rosa/rsync.go
+++ b/internal/rosa/rsync.go
@@ -0,0 +1,29 @@
+package rosa
+
+import "hakurei.app/internal/pkg"
+
+// NewRsync returns a [pkg.Artifact] containing an installation of rsync.
+func (t Toolchain) NewRsync() pkg.Artifact {
+	const (
+		version  = "3.4.1"
+		checksum = "VBlTsBWd9z3r2-ex7GkWeWxkUc5OrlgDzikAC0pK7ufTjAJ0MbmC_N04oSVTGPiv"
+	)
+	return t.New("rsync-"+version, []pkg.Artifact{
+		t.NewMake(),
+	}, nil, nil, `
+cd "$(mktemp -d)"
+/usr/src/rsync/configure --prefix=/system \
+	--build="${ROSA_TRIPLE}" \
+	--disable-openssl \
+	--disable-xxhash \
+	--disable-zstd \
+	--disable-lz4
+make "-j${nproc}"
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("rsync"), false, pkg.NewHTTPGetTar(
+		nil,
+		"https://download.samba.org/pub/rsync/src/rsync-"+version+".tar.gz",
+		mustDecode(checksum),
+		pkg.TarGzip,
+	)))
+}
--- a/internal/rosa/zlib.go
+++ b/internal/rosa/zlib.go
@@ -0,0 +1,25 @@
+package rosa
+
+import "hakurei.app/internal/pkg"
+
+// NewZlib returns a new [pkg.Artifact] containing an installation of zlib.
+func (t Toolchain) NewZlib() pkg.Artifact {
+	const (
+		version  = "1.3.1"
+		checksum = "E-eIpNzE8oJ5DsqH4UuA_0GDKuQF5csqI8ooDx2w7Vx-woJ2mb-YtSbEyIMN44mH"
+	)
+	return t.New("zlib-"+version, []pkg.Artifact{
+		t.NewMake(),
+	}, nil, nil, `
+cd "$(mktemp -d)"
+CFLAGS="${CFLAGS} -fPIC" /usr/src/zlib/configure \
+	--prefix /system
+make "-j$(nproc)" test
+make DESTDIR=/work install
+`, pkg.Path(AbsUsrSrc.Append("zlib"), true,
+		pkg.NewHTTPGetTar(
+			nil, "https://zlib.net/zlib-"+version+".tar.gz",
+			mustDecode(checksum),
+			pkg.TarGzip,
+		)))
+}
--- a/ldd/ldd_test.go
+++ b/ldd/ldd_test.go
@@ -36,7 +36,7 @@ libzstd.so.1 = /usr/lib/libzstd.so.1 (0x7ff71bfd2000)

 		{"path not absolute", `
 libzstd.so.1 => usr/lib/libzstd.so.1 (0x7ff71bfd2000)
-`, &check.AbsoluteError{Pathname: "usr/lib/libzstd.so.1"}},
+`, check.AbsoluteError("usr/lib/libzstd.so.1")},

 		{"unexpected segments", `
 meow libzstd.so.1 => /usr/lib/libzstd.so.1 (0x7ff71bfd2000)
--- a/options.nix
+++ b/options.nix
@@ -1,8 +1,15 @@
 packages:
-{ lib, pkgs, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:

 let
  inherit (lib) types mkOption mkEnableOption;
+
+  cfg = config.environment.hakurei;
 in

 {
@@ -43,7 +50,10 @@ in
      sharefs = {
        package = mkOption {
          type = types.package;
-          default = packages.${pkgs.stdenv.hostPlatform.system}.sharefs;
+          default = pkgs.linkFarm "sharefs" {
+            "bin/sharefs" = "${cfg.package}/libexec/sharefs";
+            "bin/mount.fuse.sharefs" = "${cfg.package}/libexec/sharefs";
+          };
          description = "The sharefs package to use.";
        };