release: 0.3.6

Signed-off-by: Ophestra <cat@gensokyo.uk>
cmd/mbf: create report with reasonable perm
2026-03-07 16:32:04 +09:00 · 2026-03-07 16:16:47 +09:00 · 2026-03-07 16:05:16 +09:00 · 2026-03-07 16:03:06 +09:00 · 2026-03-07 14:31:03 +09:00 · 2026-03-07 13:43:38 +09:00
167 changed files with 44341 additions and 1869 deletions
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -89,23 +89,6 @@ jobs:
          path: result/*
          retention-days: 1
  hpkg:
    name: Hpkg
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hpkg
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
          name: "hpkg-vm-output"
          path: result/*
          retention-days: 1
  check:
    name: Flake checks
    needs:
@@ -114,7 +97,6 @@ jobs:
      - sandbox
      - sandbox-race
      - sharefs
      - hpkg
    runs-on: nix
    steps:
      - name: Checkout
--- a/.github/workflows/README
+++ b/.github/workflows/README
@@ -1,5 +0,0 @@
 DO NOT ADD NEW ACTIONS HERE
 This port is solely for releasing to the github mirror and serves no purpose during development.
 All development happens at https://git.gensokyo.uk/security/hakurei. If you wish to contribute,
 request for an account on git.gensokyo.uk.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,46 +0,0 @@
 name: Release
 on:
  push:
    tags:
      - 'v*'
 jobs:
  release:
    name: Create release
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Nix
        uses: nixbuild/nix-quick-install-action@v32
        with:
          nix_conf: |
            keep-env-derivations = true
            keep-outputs = true
      - name: Restore and cache Nix store
        uses: nix-community/cache-nix-action@v6
        with:
          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
          restore-prefixes-first-match: build-${{ runner.os }}-
          gc-max-store-size-linux: 1G
          purge: true
          purge-prefixes: build-${{ runner.os }}-
          purge-created: 60
          purge-primary-key: never
      - name: Build for release
        run: nix build --print-out-paths --print-build-logs .#dist
      - name: Release
        uses: softprops/action-gh-release@v2
        with:
          files: |-
            result/hakurei-**
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,48 +0,0 @@
 name: Test
 on:
  - push
 jobs:
  dist:
    name: Create distribution
    runs-on: ubuntu-latest
    permissions:
      actions: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Nix
        uses: nixbuild/nix-quick-install-action@v32
        with:
          nix_conf: |
            keep-env-derivations = true
            keep-outputs = true
      - name: Restore and cache Nix store
        uses: nix-community/cache-nix-action@v6
        with:
          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
          restore-prefixes-first-match: build-${{ runner.os }}-
          gc-max-store-size-linux: 1G
          purge: true
          purge-prefixes: build-${{ runner.os }}-
          purge-created: 60
          purge-primary-key: never
      - name: Build for test
        id: build-test
        run: >-
          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
          nix build --print-out-paths --print-build-logs .#dist &&
          mv package.nix.old package.nix &&
          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
      - name: Upload test build
        uses: actions/upload-artifact@v4
        with:
          name: "hakurei-${{ steps.build-test.outputs.rev }}"
          path: result/*
          retention-days: 1
--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,8 @@ go.work.sum
 # go generate
 /cmd/hakurei/LICENSE
 /internal/pkg/testdata/testtool
 /internal/rosa/hakurei_current.tar.gz
 # release
 /dist/hakurei-*
--- a/README.md
+++ b/README.md
@@ -15,164 +15,51 @@
  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>
-Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
+Hakurei is a tool for running sandboxed desktop applications as dedicated
-It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
+subordinate users on the Linux kernel. It implements the application container
-a self-contained Android-like package manager with modern security features.
+of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
 self-contained Android-like package manager with modern security features.
-## NixOS Module usage
+Interaction with hakurei happens entirely through structures described by
 package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available
 due to internal details of uid isolation.
-The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).
+## Notable Packages
-To use the module, import it into your configuration with
+Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose
 container tooling. It is used by the hakurei shim process running as the target
 subordinate user to set up the application container. It has a single dependency,
 [libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs
 for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).
-```nix
+Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides
-{
+infrastructure for hermetic builds. This replaces the legacy nix-based testing
-  inputs = {
+framework and serves as the build system of Rosa OS, currently developed under
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).
-    hakurei = {
+## Dependencies
      url = "git+https://git.gensokyo.uk/security/hakurei";
-      # Optional but recommended to limit the size of your system closure.
+`container` depends on:
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, hakurei, ... }:
+- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.
  {
    nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        hakurei.nixosModules.hakurei
      ];
    };
  };
 }
 ```
-This adds the `environment.hakurei` option:
+`cmd/hakurei` depends on:
-```nix
+- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to
-{ pkgs, ... }:
+  subordinate users.
 - [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up
  [security-context-v1](https://wayland.app/protocols/security-context-v1).
 - [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users
  access to the X server.
-{
+`cmd/sharefs` depends on:
  environment.hakurei = {
    enable = true;
    stateDir = "/var/lib/hakurei";
    users = {
      alice = 0;
      nixos = 10;
    };
-    commonPaths = [
+- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.
      {
        src = "/sdcard";
        write = true;
      }
    ];
-    extraHomeConfig = {
+New dependencies will generally not be added. Patches adding new dependencies
-      home.stateVersion = "23.05";
+are very likely to be rejected.
    };
-    apps = {
+## NixOS Module (deprecated)
      "org.chromium.Chromium" = {
        name = "chromium";
        identity = 1;
        packages = [ pkgs.chromium ];
        userns = true;
        mapRealUid = true;
        dbus = {
          system = {
            filter = true;
            talk = [
              "org.bluez"
              "org.freedesktop.Avahi"
              "org.freedesktop.UPower"
            ];
          };
          session =
            f:
            f {
              talk = [
                "org.freedesktop.FileManager1"
                "org.freedesktop.Notifications"
                "org.freedesktop.ScreenSaver"
                "org.freedesktop.secrets"
                "org.kde.kwalletd5"
                "org.kde.kwalletd6"
              ];
              own = [
                "org.chromium.Chromium.*"
                "org.mpris.MediaPlayer2.org.chromium.Chromium.*"
                "org.mpris.MediaPlayer2.chromium.*"
              ];
              call = { };
              broadcast = { };
            };
        };
      };
-      "org.claws_mail.Claws-Mail" = {
+The NixOS module is in maintenance mode and will be removed once planterette is
-        name = "claws-mail";
+feature-complete. Full module documentation can be found [here](options.md).
        identity = 2;
        packages = [ pkgs.claws-mail ];
        gpu = false;
        capability.pulse = false;
      };
      "org.weechat" = {
        name = "weechat";
        identity = 3;
        shareUid = true;
        packages = [ pkgs.weechat ];
        capability = {
          wayland = false;
          x11 = false;
          dbus = true;
          pulse = false;
        };
      };
      "dev.vencord.Vesktop" = {
        name = "discord";
        identity = 3;
        shareUid = true;
        packages = [ pkgs.vesktop ];
        share = pkgs.vesktop;
        command = "vesktop --ozone-platform-hint=wayland";
        userns = true;
        mapRealUid = true;
        capability.x11 = true;
        dbus = {
          session =
            f:
            f {
              talk = [ "org.kde.StatusNotifierWatcher" ];
              own = [ ];
              call = { };
              broadcast = { };
            };
          system.filter = true;
        };
      };
      "io.looking-glass" = {
        name = "looking-glass-client";
        identity = 4;
        useCommonPaths = false;
        groups = [ "plugdev" ];
        extraPaths = [
          {
            src = "/dev/shm/looking-glass";
            write = true;
          }
        ];
        extraConfig = {
          programs.looking-glass-client.enable = true;
        };
      };
    };
  };
 }
 ```
--- a/cmd/earlyinit/main.go
+++ b/cmd/earlyinit/main.go
@@ -0,0 +1,58 @@
 package main
 import (
 	"log"
 	"os"
 	"runtime"
 	. "syscall"
 )
 func main() {
 	runtime.LockOSThread()
 	log.SetFlags(0)
 	log.SetPrefix("earlyinit: ")
 	if err := Mount(
 		"devtmpfs",
 		"/dev/",
 		"devtmpfs",
 		MS_NOSUID|MS_NOEXEC,
 		"",
 	); err != nil {
 		log.Fatalf("cannot mount devtmpfs: %v", err)
 	}
 	// The kernel might be unable to set up the console. When that happens,
 	// printk is called with "Warning: unable to open an initial console."
 	// and the init runs with no files. The checkfds runtime function
 	// populates 0-2 by opening /dev/null for them.
 	//
 	// This check replaces 1 and 2 with /dev/kmsg to improve the chance
 	// of output being visible to the user.
 	if fi, err := os.Stdout.Stat(); err == nil {
 		if stat, ok := fi.Sys().(*Stat_t); ok {
 			if stat.Rdev == 0x103 {
 				var fd int
 				if fd, err = Open(
 					"/dev/kmsg",
 					O_WRONLY|O_CLOEXEC,
 					0,
 				); err != nil {
 					log.Fatalf("cannot open kmsg: %v", err)
 				}
 				if err = Dup3(fd, Stdout, 0); err != nil {
 					log.Fatalf("cannot open stdout: %v", err)
 				}
 				if err = Dup3(fd, Stderr, 0); err != nil {
 					log.Fatalf("cannot open stderr: %v", err)
 				}
 				if err = Close(fd); err != nil {
 					log.Printf("cannot close kmsg: %v", err)
 				}
 			}
 		}
 	}
 }
--- a/cmd/hpkg/README
+++ b/cmd/hpkg/README
@@ -1,7 +0,0 @@
 This program is a proof of concept and is now deprecated. It is only kept
 around for API demonstration purposes and to make the most out of the test
 suite.
 This program is replaced by planterette, which can be found at
 https://git.gensokyo.uk/security/planterette. Development effort should be
 focused there instead.
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@@ -1,173 +0,0 @@
 package main
 import (
 	"encoding/json"
 	"log"
 	"os"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 )
 type appInfo struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 	// passed through to [hst.Config]
 	ID string `json:"id"`
 	// passed through to [hst.Config]
 	Identity int `json:"identity"`
 	// passed through to [hst.Config]
 	Groups []string `json:"groups,omitempty"`
 	// passed through to [hst.Config]
 	Devel bool `json:"devel,omitempty"`
 	// passed through to [hst.Config]
 	Userns bool `json:"userns,omitempty"`
 	// passed through to [hst.Config]
 	HostNet bool `json:"net,omitempty"`
 	// passed through to [hst.Config]
 	HostAbstract bool `json:"abstract,omitempty"`
 	// passed through to [hst.Config]
 	Device bool `json:"dev,omitempty"`
 	// passed through to [hst.Config]
 	Tty bool `json:"tty,omitempty"`
 	// passed through to [hst.Config]
 	MapRealUID bool `json:"map_real_uid,omitempty"`
 	// passed through to [hst.Config]
 	DirectWayland bool `json:"direct_wayland,omitempty"`
 	// passed through to [hst.Config]
 	SystemBus *hst.BusConfig `json:"system_bus,omitempty"`
 	// passed through to [hst.Config]
 	SessionBus *hst.BusConfig `json:"session_bus,omitempty"`
 	// passed through to [hst.Config]
 	Enablements *hst.Enablements `json:"enablements,omitempty"`
 	// passed through to [hst.Config]
 	Multiarch bool `json:"multiarch,omitempty"`
 	// passed through to [hst.Config]
 	Bluetooth bool `json:"bluetooth,omitempty"`
 	// allow gpu access within sandbox
 	GPU bool `json:"gpu"`
 	// store path to nixGL mesa wrappers
 	Mesa string `json:"mesa,omitempty"`
 	// store path to nixGL source
 	NixGL string `json:"nix_gl,omitempty"`
 	// store path to activate-and-exec script
 	Launcher *check.Absolute `json:"launcher"`
 	// store path to /run/current-system
 	CurrentSystem *check.Absolute `json:"current_system"`
 	// store path to home-manager activation package
 	ActivationPackage string `json:"activation_package"`
 }
 func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []string, flagDropShell bool) *hst.Config {
 	config := &hst.Config{
 		ID: app.ID,
 		Enablements: app.Enablements,
 		SystemBus:     app.SystemBus,
 		SessionBus:    app.SessionBus,
 		DirectWayland: app.DirectWayland,
 		Identity: app.Identity,
 		Groups:   app.Groups,
 		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name),
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsPrivateTmp.Append("app")}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
 				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
 			},
 			Username: "hakurei",
 			Shell:    pathShell,
 			Home:     pathDataData.Append(app.ID),
 			Path: pathname,
 			Args: argv,
 		},
 		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 	}
 	if app.Devel {
 		config.Container.Flags |= hst.FDevel
 	}
 	if app.Userns {
 		config.Container.Flags |= hst.FUserns
 	}
 	if app.HostNet {
 		config.Container.Flags |= hst.FHostNet
 	}
 	if app.HostAbstract {
 		config.Container.Flags |= hst.FHostAbstract
 	}
 	if app.Device {
 		config.Container.Flags |= hst.FDevice
 	}
 	if app.Tty || flagDropShell {
 		config.Container.Flags |= hst.FTty
 	}
 	if app.MapRealUID {
 		config.Container.Flags |= hst.FMapRealUID
 	}
 	if app.Multiarch {
 		config.Container.Flags |= hst.FMultiarch
 	}
 	config.Container.Flags |= hst.FShareRuntime | hst.FShareTmpdir
 	return config
 }
 func loadAppInfo(name string, beforeFail func()) *appInfo {
 	bundle := new(appInfo)
 	if f, err := os.Open(name); err != nil {
 		beforeFail()
 		log.Fatalf("cannot open bundle: %v", err)
 	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
 		beforeFail()
 		log.Fatalf("cannot parse bundle metadata: %v", err)
 	} else if err = f.Close(); err != nil {
 		log.Printf("cannot close bundle metadata: %v", err)
 		// not fatal
 	}
 	if bundle.ID == "" {
 		beforeFail()
 		log.Fatal("application identifier must not be empty")
 	}
 	if bundle.Launcher == nil {
 		beforeFail()
 		log.Fatal("launcher must not be empty")
 	}
 	if bundle.CurrentSystem == nil {
 		beforeFail()
 		log.Fatal("current-system must not be empty")
 	}
 	return bundle
 }
 func formatHostname(name string) string {
 	if h, err := os.Hostname(); err != nil {
 		log.Printf("cannot get hostname: %v", err)
 		return "hakurei-" + name
 	} else {
 		return h + "-" + name
 	}
 }
--- a/cmd/hpkg/build.nix
+++ b/cmd/hpkg/build.nix
@@ -1,256 +0,0 @@
 {
  nixpkgsFor,
  system,
  nixpkgs,
  home-manager,
 }:
 {
  lib,
  stdenv,
  closureInfo,
  writeScript,
  runtimeShell,
  writeText,
  symlinkJoin,
  vmTools,
  runCommand,
  fetchFromGitHub,
  zstd,
  nix,
  sqlite,
  name ? throw "name is required",
  version ? throw "version is required",
  pname ? "${name}-${version}",
  modules ? [ ],
  nixosModules ? [ ],
  script ? ''
    exec "$SHELL" "$@"
  '',
  id ? name,
  identity ? throw "identity is required",
  groups ? [ ],
  userns ? false,
  net ? true,
  dev ? false,
  no_new_session ? false,
  map_real_uid ? false,
  direct_wayland ? false,
  system_bus ? null,
  session_bus ? null,
  allow_wayland ? true,
  allow_x11 ? false,
  allow_dbus ? true,
  allow_audio ? true,
  gpu ? allow_wayland || allow_x11,
 }:
 let
  inherit (lib) optionals;
  homeManagerConfiguration = home-manager.lib.homeManagerConfiguration {
    pkgs = nixpkgsFor.${system};
    modules = modules ++ [
      {
        home = {
          username = "hakurei";
          homeDirectory = "/data/data/${id}";
          stateVersion = "22.11";
        };
      }
    ];
  };
  launcher = writeScript "hakurei-${pname}" ''
    #!${runtimeShell} -el
    ${script}
  '';
  extraNixOSConfig =
    { pkgs, ... }:
    {
      environment = {
        etc.nixpkgs.source = nixpkgs.outPath;
        systemPackages = [ pkgs.nix ];
      };
      imports = nixosModules;
    };
  nixos = nixpkgs.lib.nixosSystem {
    inherit system;
    modules = [
      extraNixOSConfig
      { nix.settings.experimental-features = [ "flakes" ]; }
      { nix.settings.experimental-features = [ "nix-command" ]; }
      { boot.isContainer = true; }
      { system.stateVersion = "22.11"; }
    ];
  };
  etc = vmTools.runInLinuxVM (
    runCommand "etc" { } ''
      mkdir -p /etc
      ${nixos.config.system.build.etcActivationCommands}
      # remove unused files
      rm -rf /etc/sudoers
      mkdir -p $out
      tar -C /etc -cf "$out/etc.tar" .
    ''
  );
  extendSessionDefault = id: ext: {
    filter = true;
    talk = [ "org.freedesktop.Notifications" ] ++ ext.talk;
    own =
      (optionals (id != null) [
        "${id}.*"
        "org.mpris.MediaPlayer2.${id}.*"
      ])
      ++ ext.own;
    inherit (ext) call broadcast;
  };
  nixGL = fetchFromGitHub {
    owner = "nix-community";
    repo = "nixGL";
    rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a";
    hash = "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=";
  };
  mesaWrappers =
    let
      isIntelX86Platform = system == "x86_64-linux";
      nixGLPackages = import (nixGL + "/default.nix") {
        pkgs = nixpkgs.legacyPackages.${system};
        enable32bits = isIntelX86Platform;
        enableIntelX86Extensions = isIntelX86Platform;
      };
    in
    symlinkJoin {
      name = "nixGL-mesa";
      paths = with nixGLPackages; [
        nixGLIntel
        nixVulkanIntel
      ];
    };
  info = builtins.toJSON {
    inherit
      name
      version
      id
      identity
      launcher
      groups
      userns
      net
      dev
      no_new_session
      map_real_uid
      direct_wayland
      system_bus
      gpu
      ;
    session_bus =
      if session_bus != null then
        (session_bus (extendSessionDefault id))
      else
        (extendSessionDefault id {
          talk = [ ];
          own = [ ];
          call = { };
          broadcast = { };
        });
    enablements = {
      wayland = allow_wayland;
      x11 = allow_x11;
      dbus = allow_dbus;
      pipewire = allow_audio;
    };
    mesa = if gpu then mesaWrappers else null;
    nix_gl = if gpu then nixGL else null;
    current_system = nixos.config.system.build.toplevel;
    activation_package = homeManagerConfiguration.activationPackage;
  };
 in
 stdenv.mkDerivation {
  name = "${pname}.pkg";
  inherit version;
  __structuredAttrs = true;
  nativeBuildInputs = [
    zstd
    nix
    sqlite
  ];
  buildCommand = ''
    NIX_ROOT="$(mktemp -d)"
    export USER="nobody"
    # create bootstrap store
    bootstrapClosureInfo="${
      closureInfo {
        rootPaths = [
          nix
          nixos.config.system.build.toplevel
        ];
      }
    }"
    echo "copying bootstrap store paths..."
    mkdir -p "$NIX_ROOT/nix/store"
    xargs -n 1 -a "$bootstrapClosureInfo/store-paths" cp -at "$NIX_ROOT/nix/store/"
    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --load-db < "$bootstrapClosureInfo/registration"
    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --optimise
    sqlite3 "$NIX_ROOT/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
    chmod -R +r "$NIX_ROOT/nix/var"
    # create binary cache
    closureInfo="${
      closureInfo {
        rootPaths = [
          homeManagerConfiguration.activationPackage
          launcher
        ]
        ++ optionals gpu [
          mesaWrappers
          nixGL
        ];
      }
    }"
    echo "copying application paths..."
    TMP_STORE="$(mktemp -d)"
    mkdir -p "$TMP_STORE/nix/store"
    xargs -n 1 -a "$closureInfo/store-paths" cp -at "$TMP_STORE/nix/store/"
    NIX_REMOTE="local?root=$TMP_STORE" nix-store --load-db < "$closureInfo/registration"
    sqlite3 "$TMP_STORE/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
    NIX_REMOTE="local?root=$TMP_STORE" nix --offline --extra-experimental-features nix-command \
        --verbose --log-format raw-with-logs \
        copy --all --no-check-sigs --to \
        "file://$NIX_ROOT/res?compression=zstd&compression-level=19&parallel-compression=true"
    # package /etc
    mkdir -p "$NIX_ROOT/etc"
    tar -C "$NIX_ROOT/etc" -xf "${etc}/etc.tar"
    # write metadata
    cp "${writeText "bundle.json" info}" "$NIX_ROOT/bundle.json"
    # create an intermediate file to improve zstd performance
    INTER="$(mktemp)"
    tar -C "$NIX_ROOT" -cf "$INTER" .
    zstd -T0 -19 -fo "$out" "$INTER"
  '';
 }
--- a/cmd/hpkg/main.go
+++ b/cmd/hpkg/main.go
@@ -1,335 +0,0 @@
 package main
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"log"
 	"os"
 	"os/signal"
 	"path"
 	"syscall"
 	"hakurei.app/command"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/message"
 )
 var (
 	errSuccess = errors.New("success")
 )
 func main() {
 	log.SetPrefix("hpkg: ")
 	log.SetFlags(0)
 	msg := message.New(log.Default())
 	if err := os.Setenv("SHELL", pathShell.String()); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
 	if os.Geteuid() == 0 {
 		log.Fatal("this program must not run as root")
 	}
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM)
 	defer stop() // unreachable
 	var (
 		flagVerbose   bool
 		flagDropShell bool
 	)
 	c := command.New(os.Stderr, log.Printf, "hpkg", func([]string) error { msg.SwapVerbose(flagVerbose); return nil }).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
 		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
 	{
 		var (
 			flagDropShellActivate bool
 		)
 		c.NewCommand("install", "Install an application from its package", func(args []string) error {
 			if len(args) != 1 {
 				log.Println("invalid argument")
 				return syscall.EINVAL
 			}
 			pkgPath := args[0]
 			if !path.IsAbs(pkgPath) {
 				if dir, err := os.Getwd(); err != nil {
 					log.Printf("cannot get current directory: %v", err)
 					return err
 				} else {
 					pkgPath = path.Join(dir, pkgPath)
 				}
 			}
 			/*
 				Look up paths to programs started by hpkg.
 				This is done here to ease error handling as cleanup is not yet required.
 			*/
 			var (
 				_     = lookPath("zstd")
 				tar   = lookPath("tar")
 				chmod = lookPath("chmod")
 				rm    = lookPath("rm")
 			)
 			/*
 				Extract package and set up for cleanup.
 			*/
 			var workDir *check.Absolute
 			if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
 			} else if workDir, err = check.NewAbs(p); err != nil {
 				log.Printf("invalid temporary directory: %v", err)
 				return err
 			}
 			cleanup := func() {
 				// should be faster than a native implementation
 				mustRun(msg, chmod, "-R", "+w", workDir.String())
 				mustRun(msg, rm, "-rf", workDir.String())
 			}
 			beforeRunFail.Store(&cleanup)
 			mustRun(msg, tar, "-C", workDir.String(), "-xf", pkgPath)
 			/*
 				Parse bundle and app metadata, do pre-install checks.
 			*/
 			bundle := loadAppInfo(path.Join(workDir.String(), "bundle.json"), cleanup)
 			pathSet := pathSetByApp(bundle.ID)
 			a := bundle
 			if s, err := os.Stat(pathSet.metaPath.String()); err != nil {
 				if !os.IsNotExist(err) {
 					cleanup()
 					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
 					return err
 				}
 				// did not modify app, clean installation condition met later
 			} else if s.IsDir() {
 				cleanup()
 				log.Printf("metadata path %q is not a file", pathSet.metaPath)
 				return syscall.EBADMSG
 			} else {
 				a = loadAppInfo(pathSet.metaPath.String(), cleanup)
 				if a.ID != bundle.ID {
 					cleanup()
 					log.Printf("app %q claims to have identifier %q",
 						bundle.ID, a.ID)
 					return syscall.EBADE
 				}
 				// sec: should verify credentials
 			}
 			if a != bundle {
 				// do not try to re-install
 				if a.NixGL == bundle.NixGL &&
 					a.CurrentSystem == bundle.CurrentSystem &&
 					a.Launcher == bundle.Launcher &&
 					a.ActivationPackage == bundle.ActivationPackage {
 					cleanup()
 					log.Printf("package %q is identical to local application %q",
 						pkgPath, a.ID)
 					return errSuccess
 				}
 				// identity determines uid
 				if a.Identity != bundle.Identity {
 					cleanup()
 					log.Printf("package %q identity %d differs from installed %d",
 						pkgPath, bundle.Identity, a.Identity)
 					return syscall.EBADE
 				}
 				// sec: should compare version string
 				msg.Verbosef("installing application %q version %q over local %q",
 					bundle.ID, bundle.Version, a.Version)
 			} else {
 				msg.Verbosef("application %q clean installation", bundle.ID)
 				// sec: should install credentials
 			}
 			/*
 				Setup steps for files owned by the target user.
 			*/
 			withCacheDir(ctx, msg, "install", []string{
 				// export inner bundle path in the environment
 				"export BUNDLE=" + hst.PrivateTmp + "/bundle",
 				// replace inner /etc
 				"mkdir -p etc",
 				"chmod -R +w etc",
 				"rm -rf etc",
 				"cp -dRf $BUNDLE/etc etc",
 				// replace inner /nix
 				"mkdir -p nix",
 				"chmod -R +w nix",
 				"rm -rf nix",
 				"cp -dRf /nix nix",
 				// copy from binary cache
 				"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
 				// deduplicate nix store
 				"nix store --offline --store $PWD optimise",
 				// make cache directory world-readable for autoetc
 				"chmod 0755 .",
 			}, workDir, bundle, pathSet, flagDropShell, cleanup)
 			if bundle.GPU {
 				withCacheDir(ctx, msg, "mesa-wrappers", []string{
 					// link nixGL mesa wrappers
 					"mkdir -p nix/.nixGL",
 					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
 					"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
 				}, workDir, bundle, pathSet, false, cleanup)
 			}
 			/*
 				Activate home-manager generation.
 			*/
 			withNixDaemon(ctx, msg, "activate", []string{
 				// clean up broken links
 				"mkdir -p .local/state/{nix,home-manager}",
 				"chmod -R +w .local/state/{nix,home-manager}",
 				"rm -rf .local/state/{nix,home-manager}",
 				// run activation script
 				bundle.ActivationPackage + "/activate",
 			}, false, func(config *hst.Config) *hst.Config { return config },
 				bundle, pathSet, flagDropShellActivate, cleanup)
 			/*
 				Installation complete. Write metadata to block re-installs or downgrades.
 			*/
 			// serialise metadata to ensure consistency
 			if f, err := os.OpenFile(pathSet.metaPath.String()+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
 				cleanup()
 				log.Printf("cannot create metadata file: %v", err)
 				return err
 			} else if err = json.NewEncoder(f).Encode(bundle); err != nil {
 				cleanup()
 				log.Printf("cannot write metadata: %v", err)
 				return err
 			} else if err = f.Close(); err != nil {
 				log.Printf("cannot close metadata file: %v", err)
 				// not fatal
 			}
 			if err := os.Rename(pathSet.metaPath.String()+"~", pathSet.metaPath.String()); err != nil {
 				cleanup()
 				log.Printf("cannot rename metadata file: %v", err)
 				return err
 			}
 			cleanup()
 			return errSuccess
 		}).
 			Flag(&flagDropShellActivate, "s", command.BoolFlag(false), "Drop to a shell on activation")
 	}
 	{
 		var (
 			flagDropShellNixGL bool
 			flagAutoDrivers    bool
 		)
 		c.NewCommand("start", "Start an application", func(args []string) error {
 			if len(args) < 1 {
 				log.Println("invalid argument")
 				return syscall.EINVAL
 			}
 			/*
 				Parse app metadata.
 			*/
 			id := args[0]
 			pathSet := pathSetByApp(id)
 			a := loadAppInfo(pathSet.metaPath.String(), func() {})
 			if a.ID != id {
 				log.Printf("app %q claims to have identifier %q", id, a.ID)
 				return syscall.EBADE
 			}
 			/*
 				Prepare nixGL.
 			*/
 			if a.GPU && flagAutoDrivers {
 				withNixDaemon(ctx, msg, "nix-gl", []string{
 					"mkdir -p /nix/.nixGL/auto",
 					"rm -rf /nix/.nixGL/auto",
 					"export NIXPKGS_ALLOW_UNFREE=1",
 					"nix build --impure " +
 						"--out-link /nix/.nixGL/auto/opengl " +
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL,
 					"nix build --impure " +
 						"--out-link /nix/.nixGL/auto/vulkan " +
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
 				}, true, func(config *hst.Config) *hst.Config {
 					config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
 						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsEtc.Append("resolv.conf"), Optional: true}},
 						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("block"), Optional: true}},
 						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("bus"), Optional: true}},
 						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("class"), Optional: true}},
 						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("dev"), Optional: true}},
 						{FilesystemConfig: &hst.FSBind{Source: fhs.AbsSys.Append("devices"), Optional: true}},
 					}...)
 					appendGPUFilesystem(config)
 					return config
 				}, a, pathSet, flagDropShellNixGL, func() {})
 			}
 			/*
 				Create app configuration.
 			*/
 			pathname := a.Launcher
 			argv := make([]string, 1, len(args))
 			if flagDropShell {
 				pathname = pathShell
 				argv[0] = bash
 			} else {
 				argv[0] = a.Launcher.String()
 			}
 			argv = append(argv, args[1:]...)
 			config := a.toHst(pathSet, pathname, argv, flagDropShell)
 			/*
 				Expose GPU devices.
 			*/
 			if a.GPU {
 				config.Container.Filesystem = append(config.Container.Filesystem,
 					hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsPrivateTmp.Append("nixGL")}})
 				appendGPUFilesystem(config)
 			}
 			/*
 				Spawn app.
 			*/
 			mustRunApp(ctx, msg, config, func() {})
 			return errSuccess
 		}).
 			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
 			Flag(&flagAutoDrivers, "auto-drivers", command.BoolFlag(false), "Attempt automatic opengl driver detection")
 	}
 	c.MustParse(os.Args[1:], func(err error) {
 		msg.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
 			msg.BeforeExit()
 			os.Exit(0)
 		}
 	})
 	log.Fatal("unreachable")
 }
--- a/cmd/hpkg/paths.go
+++ b/cmd/hpkg/paths.go
@@ -1,117 +0,0 @@
 package main
 import (
 	"log"
 	"os"
 	"os/exec"
 	"strconv"
 	"sync/atomic"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/message"
 )
 const bash = "bash"
 var (
 	dataHome *check.Absolute
 )
 func init() {
 	// dataHome
 	if a, err := check.NewAbs(os.Getenv("HAKUREI_DATA_HOME")); err == nil {
 		dataHome = a
 	} else {
 		dataHome = fhs.AbsVarLib.Append("hakurei/" + strconv.Itoa(os.Getuid()))
 	}
 }
 var (
 	pathBin = fhs.AbsRoot.Append("bin")
 	pathNix           = check.MustAbs("/nix/")
 	pathNixStore      = pathNix.Append("store/")
 	pathCurrentSystem = fhs.AbsRun.Append("current-system")
 	pathSwBin         = pathCurrentSystem.Append("sw/bin/")
 	pathShell         = pathSwBin.Append(bash)
 	pathData     = check.MustAbs("/data")
 	pathDataData = pathData.Append("data")
 )
 func lookPath(file string) string {
 	if p, err := exec.LookPath(file); err != nil {
 		log.Fatalf("%s: command not found", file)
 		return ""
 	} else {
 		return p
 	}
 }
 var beforeRunFail = new(atomic.Pointer[func()])
 func mustRun(msg message.Msg, name string, arg ...string) {
 	msg.Verbosef("spawning process: %q %q", name, arg)
 	cmd := exec.Command(name, arg...)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 	if err := cmd.Run(); err != nil {
 		if f := beforeRunFail.Swap(nil); f != nil {
 			(*f)()
 		}
 		log.Fatalf("%s: %v", name, err)
 	}
 }
 type appPathSet struct {
 	// ${dataHome}/${id}
 	baseDir *check.Absolute
 	// ${baseDir}/app
 	metaPath *check.Absolute
 	// ${baseDir}/files
 	homeDir *check.Absolute
 	// ${baseDir}/cache
 	cacheDir *check.Absolute
 	// ${baseDir}/cache/nix
 	nixPath *check.Absolute
 }
 func pathSetByApp(id string) *appPathSet {
 	pathSet := new(appPathSet)
 	pathSet.baseDir = dataHome.Append(id)
 	pathSet.metaPath = pathSet.baseDir.Append("app")
 	pathSet.homeDir = pathSet.baseDir.Append("files")
 	pathSet.cacheDir = pathSet.baseDir.Append("cache")
 	pathSet.nixPath = pathSet.cacheDir.Append("nix")
 	return pathSet
 }
 func appendGPUFilesystem(config *hst.Config) {
 	config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("dri"), Device: true, Optional: true}},
 		// mali
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("mali0"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("umplock"), Device: true, Optional: true}},
 		// nvidia
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidiactl"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-modeset"), Device: true, Optional: true}},
 		// nvidia OpenCL/CUDA
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
 		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia1"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia3"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia5"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia7"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia9"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia11"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia13"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia15"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia17"), Device: true, Optional: true}},
 		{FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: fhs.AbsDev.Append("nvidia19"), Device: true, Optional: true}},
 	}...)
 }
--- a/cmd/hpkg/proc.go
+++ b/cmd/hpkg/proc.go
@@ -1,61 +0,0 @@
 package main
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"io"
 	"log"
 	"os"
 	"os/exec"
 	"hakurei.app/hst"
 	"hakurei.app/internal/info"
 	"hakurei.app/message"
 )
 var hakureiPathVal = info.MustHakureiPath().String()
 func mustRunApp(ctx context.Context, msg message.Msg, config *hst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
 	if r, w, err := os.Pipe(); err != nil {
 		beforeFail()
 		log.Fatalf("cannot pipe: %v", err)
 	} else {
 		if msg.IsVerbose() {
 			cmd = exec.CommandContext(ctx, hakureiPathVal, "-v", "app", "3")
 		} else {
 			cmd = exec.CommandContext(ctx, hakureiPathVal, "app", "3")
 		}
 		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 		cmd.ExtraFiles = []*os.File{r}
 		st = w
 	}
 	go func() {
 		if err := json.NewEncoder(st).Encode(config); err != nil {
 			beforeFail()
 			log.Fatalf("cannot send configuration: %v", err)
 		}
 	}()
 	if err := cmd.Start(); err != nil {
 		beforeFail()
 		log.Fatalf("cannot start hakurei: %v", err)
 	}
 	if err := cmd.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if errors.As(err, &exitError) {
 			beforeFail()
 			msg.BeforeExit()
 			os.Exit(exitError.ExitCode())
 		} else {
 			beforeFail()
 			log.Fatalf("cannot wait: %v", err)
 		}
 	}
 }
--- a/cmd/hpkg/test/configuration.nix
+++ b/cmd/hpkg/test/configuration.nix
@@ -1,62 +0,0 @@
 { pkgs, ... }:
 {
  users.users = {
    alice = {
      isNormalUser = true;
      description = "Alice Foobar";
      password = "foobar";
      uid = 1000;
    };
  };
  home-manager.users.alice.home.stateVersion = "24.11";
  # Automatically login on tty1 as a normal user:
  services.getty.autologinUser = "alice";
  environment = {
    variables = {
      SWAYSOCK = "/tmp/sway-ipc.sock";
      WLR_RENDERER = "pixman";
    };
  };
  # Automatically configure and start Sway when logging in on tty1:
  programs.bash.loginShellInit = ''
    if [ "$(tty)" = "/dev/tty1" ]; then
      set -e
      mkdir -p ~/.config/sway
      (sed s/Mod4/Mod1/ /etc/sway/config &&
      echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
      echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
      sway --validate
      systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
    fi
  '';
  programs.sway.enable = true;
  virtualisation = {
    diskSize = 6 * 1024;
    qemu.options = [
      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
      "-vga none -device virtio-gpu-pci"
      # Increase zstd performance:
      "-smp 8"
    ];
  };
  environment.hakurei = {
    enable = true;
    stateDir = "/var/lib/hakurei";
    users.alice = 0;
    extraHomeConfig = {
      home.stateVersion = "23.05";
    };
  };
 }
--- a/cmd/hpkg/test/default.nix
+++ b/cmd/hpkg/test/default.nix
@@ -1,34 +0,0 @@
 {
  testers,
  callPackage,
  system,
  self,
 }:
 let
  buildPackage = self.buildPackage.${system};
 in
 testers.nixosTest {
  name = "hpkg";
  nodes.machine = {
    environment.etc = {
      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
    };
    imports = [
      ./configuration.nix
      self.nixosModules.hakurei
      self.inputs.home-manager.nixosModules.home-manager
    ];
  };
  # adapted from nixos sway integration tests
  # testScriptWithTypes:49: error: Cannot call function of unknown type
  #           (machine.succeed if succeed else machine.execute)(
  #           ^
  # Found 1 error in 1 file (checked 1 source file)
  skipTypeCheck = true;
  testScript = builtins.readFile ./test.py;
 }
--- a/cmd/hpkg/test/foot.nix
+++ b/cmd/hpkg/test/foot.nix
@@ -1,48 +0,0 @@
 {
  lib,
  buildPackage,
  foot,
  wayland-utils,
  inconsolata,
 }:
 buildPackage {
  name = "foot";
  inherit (foot) version;
  identity = 2;
  id = "org.codeberg.dnkl.foot";
  modules = [
    {
      home.packages = [
        foot
        # For wayland-info:
        wayland-utils
      ];
    }
  ];
  nixosModules = [
    {
      # To help with OCR:
      environment.etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
        main = {
          font = "inconsolata:size=14";
        };
        colors = rec {
          foreground = "000000";
          background = "ffffff";
          regular2 = foreground;
        };
      };
      fonts.packages = [ inconsolata ];
    }
  ];
  script = ''
    exec foot "$@"
  '';
 }
--- a/cmd/hpkg/test/test.py
+++ b/cmd/hpkg/test/test.py
@@ -1,110 +0,0 @@
 import json
 import shlex
 q = shlex.quote
 NODE_GROUPS = ["nodes", "floating_nodes"]
 def swaymsg(command: str = "", succeed=True, type="command"):
    assert command != "" or type != "command", "Must specify command or type"
    shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
    with machine.nested(
            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
    ):
        ret = (machine.succeed if succeed else machine.execute)(
            f"su - alice -c {shell}"
        )
    # execute also returns a status code, but disregard.
    if not succeed:
        _, ret = ret
    if not succeed and not ret:
        return None
    parsed = json.loads(ret)
    return parsed
 def walk(tree):
    yield tree
    for group in NODE_GROUPS:
        for node in tree.get(group, []):
            yield from walk(node)
 def wait_for_window(pattern):
    def func(last_chance):
        nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
        if last_chance:
            nodes = list(nodes)
            machine.log(f"Last call! Current list of windows: {nodes}")
        return any(pattern in name for name in nodes)
    retry(func)
 def collect_state_ui(name):
    swaymsg(f"exec hakurei ps > '/tmp/{name}.ps'")
    machine.copy_from_vm(f"/tmp/{name}.ps", "")
    swaymsg(f"exec hakurei --json ps > '/tmp/{name}.json'")
    machine.copy_from_vm(f"/tmp/{name}.json", "")
    machine.screenshot(name)
 def check_state(name, enablements):
    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
    if len(instances) != 1:
        raise Exception(f"unexpected state length {len(instances)}")
    instance = instances[0]
    if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
        raise Exception(f"unexpected args {instance['container']['args']}")
    if instance['enablements'] != enablements:
        raise Exception(f"unexpected enablements {instance['enablements']}")
 start_all()
 machine.wait_for_unit("multi-user.target")
 # To check hakurei's version:
 print(machine.succeed("sudo -u alice -i hakurei version"))
 # Wait for Sway to complete startup:
 machine.wait_for_file("/run/user/1000/wayland-1")
 machine.wait_for_file("/tmp/sway-ipc.sock")
 # Prepare hpkg directory:
 machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
 # Install hpkg app:
 swaymsg("exec hpkg -v install /etc/foot.pkg && touch /tmp/hpkg-install-ok")
 machine.wait_for_file("/tmp/hpkg-install-ok")
 # Start app (foot) with Wayland enablement:
 swaymsg("exec hpkg -v start org.codeberg.dnkl.foot")
 wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
 check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
 # Verify acl on XDG_RUNTIME_DIR:
 print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
 machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
 machine.wait_for_file("/tmp/sway-exit-ok")
 # Print hakurei share and rundir contents:
 print(machine.succeed("find /tmp/hakurei.0 "
    + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
    + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
    + "-print"))
 print(machine.fail("ls /run/user/1000/hakurei"))
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@@ -1,130 +0,0 @@
 package main
 import (
 	"context"
 	"os"
 	"strings"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
 	"hakurei.app/message"
 )
 func withNixDaemon(
 	ctx context.Context,
 	msg message.Msg,
 	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
 	flags := hst.FMultiarch | hst.FUserns // nix sandbox requires userns
 	if net {
 		flags |= hst.FHostNet
 	}
 	if dropShell {
 		flags |= hst.FTty
 	}
 	mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
 		ID: app.ID,
 		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 		Identity: app.Identity,
 		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name) + "-" + action,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}},
 			},
 			Username: "hakurei",
 			Shell:    pathShell,
 			Home:     pathDataData.Append(app.ID),
 			Path: pathShell,
 			Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
 				// start nix-daemon
 				"nix-daemon --store / & " +
 				// wait for socket to appear
 				"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
 				// create directory so nix stops complaining
 				"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
 				strings.Join(command, " && ") +
 				// terminate nix-daemon
 				" && pkill nix-daemon",
 			},
 			Flags: flags,
 		},
 	}), dropShell, beforeFail)
 }
 func withCacheDir(
 	ctx context.Context,
 	msg message.Msg,
 	action string, command []string, workDir *check.Absolute,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
 	flags := hst.FMultiarch
 	if dropShell {
 		flags |= hst.FTty
 	}
 	mustRunAppDropShell(ctx, msg, &hst.Config{
 		ID: app.ID,
 		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			{Path: workDir, Execute: true},
 		},
 		Identity: app.Identity,
 		Container: &hst.ContainerConfig{
 			Hostname: formatHostname(app.Name) + "-" + action,
 			Filesystem: []hst.FilesystemConfigJSON{
 				{FilesystemConfig: &hst.FSBind{Target: fhs.AbsEtc, Source: workDir.Append(fhs.Etc), Special: true}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
 				{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSLink{Target: fhs.AbsUsrBin, Linkname: pathSwBin.String()}},
 				{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsPrivateTmp.Append("bundle")}},
 				{FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}},
 			},
 			Username: "nixos",
 			Shell:    pathShell,
 			Home:     pathDataData.Append(app.ID, "cache"),
 			Path: pathShell,
 			Args: []string{bash, "-lc", strings.Join(command, " && ")},
 			Flags: flags,
 		},
 	}, dropShell, beforeFail)
 }
 func mustRunAppDropShell(ctx context.Context, msg message.Msg, config *hst.Config, dropShell bool, beforeFail func()) {
 	if dropShell {
 		if config.Container != nil {
 			config.Container.Args = []string{bash, "-l"}
 		}
 		mustRunApp(ctx, msg, config, beforeFail)
 		beforeFail()
 		msg.BeforeExit()
 		os.Exit(0)
 	}
 	mustRunApp(ctx, msg, config, beforeFail)
 }
--- a/cmd/mbf/main.go
+++ b/cmd/mbf/main.go
@@ -0,0 +1,622 @@
 package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"log"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"syscall"
 	"time"
 	"unique"
 	"hakurei.app/command"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/internal/pkg"
 	"hakurei.app/internal/rosa"
 	"hakurei.app/message"
 )
 func main() {
 	container.TryArgv0(nil)
 	log.SetFlags(0)
 	log.SetPrefix("mbf: ")
 	msg := message.New(log.Default())
 	if os.Geteuid() == 0 {
 		log.Fatal("this program must not run as root")
 	}
 	var cache *pkg.Cache
 	ctx, stop := signal.NotifyContext(context.Background(),
 		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
 	defer stop()
 	defer func() {
 		if cache != nil {
 			cache.Close()
 		}
 		if r := recover(); r != nil {
 			fmt.Println(r)
 			log.Fatal("consider scrubbing the on-disk cache")
 		}
 	}()
 	var (
 		flagQuiet  bool
 		flagCures  int
 		flagBase   string
 		flagTShift int
 		flagIdle   bool
 	)
 	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) (err error) {
 		msg.SwapVerbose(!flagQuiet)
 		flagBase = os.ExpandEnv(flagBase)
 		if flagBase == "" {
 			flagBase = "cache"
 		}
 		var base *check.Absolute
 		if flagBase, err = filepath.Abs(flagBase); err != nil {
 			return
 		} else if base, err = check.NewAbs(flagBase); err != nil {
 			return
 		}
 		if cache, err = pkg.Open(ctx, msg, flagCures, base); err == nil {
 			if flagTShift < 0 {
 				cache.SetThreshold(0)
 			} else if flagTShift > 31 {
 				cache.SetThreshold(1 << 31)
 			} else {
 				cache.SetThreshold(1 << flagTShift)
 			}
 		}
 		if flagIdle {
 			pkg.SchedPolicy = container.SCHED_IDLE
 		}
 		return
 	}).Flag(
 		&flagQuiet,
 		"q", command.BoolFlag(false),
 		"Do not print cure messages",
 	).Flag(
 		&flagCures,
 		"cures", command.IntFlag(0),
 		"Maximum number of dependencies to cure at any given time",
 	).Flag(
 		&flagBase,
 		"d", command.StringFlag("$MBF_CACHE_DIR"),
 		"Directory to store cured artifacts",
 	).Flag(
 		&flagTShift,
 		"tshift", command.IntFlag(-1),
 		"Dependency graph size exponent, to the power of 2",
 	).Flag(
 		&flagIdle,
 		"sched-idle", command.BoolFlag(false),
 		"Set SCHED_IDLE scheduling policy",
 	)
 	{
 		var flagShifts int
 		c.NewCommand(
 			"scrub", "Examine the on-disk cache for errors",
 			func(args []string) error {
 				if len(args) > 0 {
 					return errors.New("scrub expects no arguments")
 				}
 				if flagShifts < 0 || flagShifts > 31 {
 					flagShifts = 12
 				}
 				return cache.Scrub(runtime.NumCPU() << flagShifts)
 			},
 		).Flag(
 			&flagShifts,
 			"shift", command.IntFlag(12),
 			"Scrub parallelism size exponent, to the power of 2",
 		)
 	}
 	{
 		var (
 			flagStatus bool
 			flagReport string
 		)
 		c.NewCommand(
 			"info",
 			"Display out-of-band metadata of an artifact",
 			func(args []string) (err error) {
 				if len(args) == 0 {
 					return errors.New("info requires at least 1 argument")
 				}
 				var r *rosa.Report
 				if flagReport != "" {
 					if r, err = rosa.OpenReport(flagReport); err != nil {
 						return err
 					}
 					defer func() {
 						if closeErr := r.Close(); err == nil {
 							err = closeErr
 						}
 					}()
 					defer r.HandleAccess(&err)()
 				}
 				for i, name := range args {
 					if p, ok := rosa.ResolveName(name); !ok {
 						return fmt.Errorf("unknown artifact %q", name)
 					} else {
 						var suffix string
 						if version := rosa.Std.Version(p); version != rosa.Unversioned {
 							suffix += "-" + version
 						}
 						fmt.Println("name        : " + name + suffix)
 						meta := rosa.GetMetadata(p)
 						fmt.Println("description : " + meta.Description)
 						if meta.Website != "" {
 							fmt.Println("website     : " +
 								strings.TrimSuffix(meta.Website, "/"))
 						}
 						const statusPrefix = "status      : "
 						if flagStatus {
 							if r == nil {
 								var f io.ReadSeekCloser
 								f, err = cache.OpenStatus(rosa.Std.Load(p))
 								if err != nil {
 									if errors.Is(err, os.ErrNotExist) {
 										fmt.Println(
 											statusPrefix + "not yet cured",
 										)
 									} else {
 										return
 									}
 								} else {
 									fmt.Print(statusPrefix)
 									_, err = io.Copy(os.Stdout, f)
 									if err = errors.Join(err, f.Close()); err != nil {
 										return
 									}
 								}
 							} else {
 								status, n := r.ArtifactOf(cache.Ident(rosa.Std.Load(p)))
 								if status == nil {
 									fmt.Println(
 										statusPrefix + "not in report",
 									)
 								} else {
 									fmt.Println("size        :", n)
 									fmt.Print(statusPrefix)
 									if _, err = os.Stdout.Write(status); err != nil {
 										return
 									}
 								}
 							}
 						}
 						if i != len(args)-1 {
 							fmt.Println()
 						}
 					}
 				}
 				return nil
 			},
 		).
 			Flag(
 				&flagStatus,
 				"status", command.BoolFlag(false),
 				"Display cure status if available",
 			).
 			Flag(
 				&flagReport,
 				"report", command.StringFlag(""),
 				"Load cure status from this report file instead of cache",
 			)
 	}
 	c.NewCommand(
 		"report",
 		"Generate an artifact cure report for the current cache",
 		func(args []string) (err error) {
 			var w *os.File
 			switch len(args) {
 			case 0:
 				w = os.Stdout
 			case 1:
 				if w, err = os.OpenFile(
 					args[0],
 					os.O_CREATE|os.O_EXCL|syscall.O_WRONLY,
 					0400,
 				); err != nil {
 					return
 				}
 				defer func() {
 					closeErr := w.Close()
 					if err == nil {
 						err = closeErr
 					}
 				}()
 			default:
 				return errors.New("report requires 1 argument")
 			}
 			if container.Isatty(int(w.Fd())) {
 				return errors.New("output appears to be a terminal")
 			}
 			return rosa.WriteReport(msg, w, cache)
 		},
 	)
 	{
 		var flagJobs int
 		c.NewCommand("updates", command.UsageInternal, func([]string) error {
 			var (
 				errsMu sync.Mutex
 				errs   []error
 				n atomic.Uint64
 			)
 			w := make(chan rosa.PArtifact)
 			var wg sync.WaitGroup
 			for range max(flagJobs, 1) {
 				wg.Go(func() {
 					for p := range w {
 						meta := rosa.GetMetadata(p)
 						if meta.ID == 0 {
 							continue
 						}
 						v, err := meta.GetVersions(ctx)
 						if err != nil {
 							errsMu.Lock()
 							errs = append(errs, err)
 							errsMu.Unlock()
 							continue
 						}
 						if current, latest :=
 							rosa.Std.Version(p),
 							meta.GetLatest(v); current != latest {
 							n.Add(1)
 							log.Printf("%s %s < %s", meta.Name, current, latest)
 							continue
 						}
 						msg.Verbosef("%s is up to date", meta.Name)
 					}
 				})
 			}
 		done:
 			for i := range rosa.PresetEnd {
 				select {
 				case w <- rosa.PArtifact(i):
 					break
 				case <-ctx.Done():
 					break done
 				}
 			}
 			close(w)
 			wg.Wait()
 			if v := n.Load(); v > 0 {
 				errs = append(errs, errors.New(strconv.Itoa(int(v))+
 					" package(s) are out of date"))
 			}
 			return errors.Join(errs...)
 		}).
 			Flag(
 				&flagJobs,
 				"j", command.IntFlag(32),
 				"Maximum number of simultaneous connections",
 			)
 	}
 	{
 		var (
 			flagGentoo   string
 			flagChecksum string
 			flagStage0 bool
 		)
 		c.NewCommand(
 			"stage3",
 			"Check for toolchain 3-stage non-determinism",
 			func(args []string) (err error) {
 				t := rosa.Std
 				if flagGentoo != "" {
 					t -= 3 // magic number to discourage misuse
 					var checksum pkg.Checksum
 					if len(flagChecksum) != 0 {
 						if err = pkg.Decode(&checksum, flagChecksum); err != nil {
 							return
 						}
 					}
 					rosa.SetGentooStage3(flagGentoo, checksum)
 				}
 				_, _, _, stage1 := (t - 2).NewLLVM()
 				_, _, _, stage2 := (t - 1).NewLLVM()
 				_, _, _, stage3 := t.NewLLVM()
 				var (
 					pathname *check.Absolute
 					checksum [2]unique.Handle[pkg.Checksum]
 				)
 				if pathname, _, err = cache.Cure(stage1); err != nil {
 					return err
 				}
 				log.Println("stage1:", pathname)
 				if pathname, checksum[0], err = cache.Cure(stage2); err != nil {
 					return err
 				}
 				log.Println("stage2:", pathname)
 				if pathname, checksum[1], err = cache.Cure(stage3); err != nil {
 					return err
 				}
 				log.Println("stage3:", pathname)
 				if checksum[0] != checksum[1] {
 					err = &pkg.ChecksumMismatchError{
 						Got:  checksum[0].Value(),
 						Want: checksum[1].Value(),
 					}
 				} else {
 					log.Println(
 						"stage2 is identical to stage3",
 						"("+pkg.Encode(checksum[0].Value())+")",
 					)
 				}
 				if flagStage0 {
 					if pathname, _, err = cache.Cure(
 						t.Load(rosa.Stage0),
 					); err != nil {
 						return err
 					}
 					log.Println(pathname)
 				}
 				return
 			},
 		).
 			Flag(
 				&flagGentoo,
 				"gentoo", command.StringFlag(""),
 				"Bootstrap from a Gentoo stage3 tarball",
 			).
 			Flag(
 				&flagChecksum,
 				"checksum", command.StringFlag(""),
 				"Checksum of Gentoo stage3 tarball",
 			).
 			Flag(
 				&flagStage0,
 				"stage0", command.BoolFlag(false),
 				"Create bootstrap stage0 tarball",
 			)
 	}
 	{
 		var (
 			flagDump string
 		)
 		c.NewCommand(
 			"cure",
 			"Cure the named artifact and show its path",
 			func(args []string) error {
 				if len(args) != 1 {
 					return errors.New("cure requires 1 argument")
 				}
 				if p, ok := rosa.ResolveName(args[0]); !ok {
 					return fmt.Errorf("unknown artifact %q", args[0])
 				} else if flagDump == "" {
 					pathname, _, err := cache.Cure(rosa.Std.Load(p))
 					if err == nil {
 						log.Println(pathname)
 					}
 					return err
 				} else {
 					f, err := os.OpenFile(
 						flagDump,
 						os.O_WRONLY|os.O_CREATE|os.O_EXCL,
 						0644,
 					)
 					if err != nil {
 						return err
 					}
 					if err = cache.EncodeAll(f, rosa.Std.Load(p)); err != nil {
 						_ = f.Close()
 						return err
 					}
 					return f.Close()
 				}
 			},
 		).
 			Flag(
 				&flagDump,
 				"dump", command.StringFlag(""),
 				"Write IR to specified pathname and terminate",
 			)
 	}
 	{
 		var (
 			flagNet     bool
 			flagSession bool
 			flagWithToolchain bool
 		)
 		c.NewCommand(
 			"shell",
 			"Interactive shell in the specified Rosa OS environment",
 			func(args []string) error {
 				root := make([]pkg.Artifact, 0, 6+len(args))
 				for _, arg := range args {
 					p, ok := rosa.ResolveName(arg)
 					if !ok {
 						return fmt.Errorf("unknown artifact %q", arg)
 					}
 					root = append(root, rosa.Std.Load(p))
 				}
 				if flagWithToolchain {
 					musl, compilerRT, runtimes, clang := rosa.Std.NewLLVM()
 					root = append(root, musl, compilerRT, runtimes, clang)
 				} else {
 					root = append(root, rosa.Std.Load(rosa.Musl))
 				}
 				root = append(root,
 					rosa.Std.Load(rosa.Mksh),
 					rosa.Std.Load(rosa.Toybox),
 				)
 				type cureRes struct {
 					pathname *check.Absolute
 					checksum unique.Handle[pkg.Checksum]
 				}
 				cured := make(map[pkg.Artifact]cureRes)
 				for _, a := range root {
 					pathname, checksum, err := cache.Cure(a)
 					if err != nil {
 						return err
 					}
 					cured[a] = cureRes{pathname, checksum}
 				}
 				layers := pkg.PromoteLayers(root, func(a pkg.Artifact) (
 					*check.Absolute,
 					unique.Handle[pkg.Checksum],
 				) {
 					res := cured[a]
 					return res.pathname, res.checksum
 				}, func(i int, d pkg.Artifact) {
 					r := pkg.Encode(cache.Ident(d).Value())
 					if s, ok := d.(fmt.Stringer); ok {
 						if name := s.String(); name != "" {
 							r += "-" + name
 						}
 					}
 					msg.Verbosef("promoted layer %d as %s", i, r)
 				})
 				z := container.New(ctx, msg)
 				z.WaitDelay = 3 * time.Second
 				z.SeccompPresets = pkg.SeccompPresets
 				z.SeccompFlags |= seccomp.AllowMultiarch
 				z.ParentPerm = 0700
 				z.HostNet = flagNet
 				z.RetainSession = flagSession
 				z.Hostname = "localhost"
 				z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
 				z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
 				var tempdir *check.Absolute
 				if s, err := filepath.Abs(os.TempDir()); err != nil {
 					return err
 				} else if tempdir, err = check.NewAbs(s); err != nil {
 					return err
 				}
 				z.Dir = fhs.AbsRoot
 				z.Env = []string{
 					"SHELL=/system/bin/mksh",
 					"PATH=/system/bin",
 					"HOME=/",
 				}
 				z.Path = rosa.AbsSystem.Append("bin", "mksh")
 				z.Args = []string{"mksh"}
 				z.
 					OverlayEphemeral(fhs.AbsRoot, layers...).
 					Place(
 						fhs.AbsEtc.Append("hosts"),
 						[]byte("127.0.0.1 localhost\n"),
 					).
 					Place(
 						fhs.AbsEtc.Append("passwd"),
 						[]byte("media_rw:x:1023:1023::/:/system/bin/sh\n"+
 							"nobody:x:65534:65534::/proc/nonexistent:/system/bin/false\n"),
 					).
 					Place(
 						fhs.AbsEtc.Append("group"),
 						[]byte("media_rw:x:1023:\nnobody:x:65534:\n"),
 					).
 					Bind(tempdir, fhs.AbsTmp, std.BindWritable).
 					Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
 				if err := z.Start(); err != nil {
 					return err
 				}
 				if err := z.Serve(); err != nil {
 					return err
 				}
 				return z.Wait()
 			},
 		).
 			Flag(
 				&flagNet,
 				"net", command.BoolFlag(false),
 				"Share host net namespace",
 			).
 			Flag(
 				&flagSession,
 				"session", command.BoolFlag(false),
 				"Retain session",
 			).
 			Flag(
 				&flagWithToolchain,
 				"with-toolchain", command.BoolFlag(false),
 				"Include the stage3 LLVM toolchain",
 			)
 	}
 	c.Command(
 		"help",
 		"Show this help message",
 		func([]string) error { c.PrintHelp(); return nil },
 	)
 	c.MustParse(os.Args[1:], func(err error) {
 		if cache != nil {
 			cache.Close()
 		}
 		if w, ok := err.(interface{ Unwrap() []error }); !ok {
 			log.Fatal(err)
 		} else {
 			errs := w.Unwrap()
 			for i, e := range errs {
 				if i == len(errs)-1 {
 					log.Fatal(e)
 				}
 				log.Println(e)
 			}
 		}
 	})
 }
--- a/cmd/sharefs/fuse.go
+++ b/cmd/sharefs/fuse.go
@@ -33,6 +33,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
 	"hakurei.app/internal/helper/proc"
@@ -441,12 +442,7 @@ func _main(s ...string) (exitCode int) {
 		// keep fuse_parse_cmdline happy in the container
 		z.Tmpfs(check.MustAbs(container.Nonexistent), 1<<10, 0755)
-		if a, err := check.NewAbs(container.MustExecutable(msg)); err != nil {
+		z.Path = fhs.AbsProcSelfExe
 			log.Println(err)
 			return 5
 		} else {
 			z.Path = a
 		}
 		z.Args = s
 		z.ForwardCancel = true
 		z.SeccompPresets |= std.PresetStrict
--- a/container/autoetc.go
+++ b/container/autoetc.go
@@ -10,8 +10,7 @@ import (
 func init() { gob.Register(new(AutoEtcOp)) }
-// Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
+// Etc is a helper for appending [AutoEtcOp] to [Ops].
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
 func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
 	e := &AutoEtcOp{prefix}
 	f.Mkdir(fhs.AbsEtc, 0755)
@@ -20,6 +19,9 @@ func (f *Ops) Etc(host *check.Absolute, prefix string) *Ops {
 	return f
 }
 // AutoEtcOp expands host /etc into a toplevel symlink mirror with /etc semantics.
 //
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
 type AutoEtcOp struct{ Prefix string }
 func (e *AutoEtcOp) Valid() bool                                { return e != nil }
--- a/container/autoroot.go
+++ b/container/autoroot.go
@@ -11,13 +11,15 @@ import (
 func init() { gob.Register(new(AutoRootOp)) }
-// Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
+// Root is a helper for appending [AutoRootOp] to [Ops].
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
 func (f *Ops) Root(host *check.Absolute, flags int) *Ops {
 	*f = append(*f, &AutoRootOp{host, flags, nil})
 	return f
 }
 // AutoRootOp expands a directory into a toplevel bind mount mirror on container root.
 //
 // This is not a generic setup op. It is implemented here to reduce ipc overhead.
 type AutoRootOp struct {
 	Host *check.Absolute
 	// passed through to bindMount
--- a/container/capability.go
+++ b/container/capability.go
@@ -14,6 +14,7 @@ const (
 	CAP_SYS_ADMIN    = 0x15
 	CAP_SETPCAP      = 0x8
 	CAP_NET_ADMIN    = 0xc
 	CAP_DAC_OVERRIDE = 0x1
 )
@@ -49,10 +50,16 @@ func capset(hdrp *capHeader, datap *[2]capData) error {
 }
 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
-func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }
+func capBoundingSetDrop(cap uintptr) error {
 	return Prctl(syscall.PR_CAPBSET_DROP, cap, 0)
 }
 // capAmbientClearAll clears the ambient capability set of the calling thread.
-func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }
+func capAmbientClearAll() error {
 	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0)
 }
 // capAmbientRaise adds to the ambient capability set of the calling thread.
-func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }
+func capAmbientRaise(cap uintptr) error {
 	return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap)
 }
--- a/container/check/absolute.go
+++ b/container/check/absolute.go
@@ -9,46 +9,60 @@ import (
 	"slices"
 	"strings"
 	"syscall"
 	"unique"
 )
 // AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
-type AbsoluteError struct{ Pathname string }
+type AbsoluteError string
-func (e *AbsoluteError) Error() string { return fmt.Sprintf("path %q is not absolute", e.Pathname) }
+func (e AbsoluteError) Error() string {
-func (e *AbsoluteError) Is(target error) bool {
+	return fmt.Sprintf("path %q is not absolute", string(e))
-	var ce *AbsoluteError
+}
 func (e AbsoluteError) Is(target error) bool {
 	var ce AbsoluteError
 	if !errors.As(target, &ce) {
 		return errors.Is(target, syscall.EINVAL)
 	}
-	return *e == *ce
+	return e == ce
 }
 // Absolute holds a pathname checked to be absolute.
-type Absolute struct{ pathname string }
+type Absolute struct{ pathname unique.Handle[string] }
 // ok returns whether [Absolute] is not the zero value.
 func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
 // unsafeAbs returns [check.Absolute] on any string value.
-func unsafeAbs(pathname string) *Absolute { return &Absolute{pathname} }
+func unsafeAbs(pathname string) *Absolute {
 	return &Absolute{unique.Make(pathname)}
 }
 // String returns the checked pathname.
 func (a *Absolute) String() string {
-	if a.pathname == "" {
+	if !a.ok() {
 		panic("attempted use of zero Absolute")
 	}
 	return a.pathname.Value()
 }
 // Handle returns the underlying [unique.Handle].
 func (a *Absolute) Handle() unique.Handle[string] {
 	return a.pathname
 }
 // Is efficiently compares the underlying pathname.
 func (a *Absolute) Is(v *Absolute) bool {
 	if a == nil && v == nil {
 		return true
 	}
-	return a != nil && v != nil &&
+	return a.ok() && v.ok() && a.pathname == v.pathname
 		a.pathname != "" && v.pathname != "" &&
 		a.pathname == v.pathname
 }
 // NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
 func NewAbs(pathname string) (*Absolute, error) {
 	if !path.IsAbs(pathname) {
-		return nil, &AbsoluteError{pathname}
+		return nil, AbsoluteError(pathname)
 	}
 	return unsafeAbs(pathname), nil
 }
@@ -70,35 +84,49 @@ func (a *Absolute) Append(elem ...string) *Absolute {
 // Dir calls [path.Dir] with [Absolute] as its argument.
 func (a *Absolute) Dir() *Absolute { return unsafeAbs(path.Dir(a.String())) }
-func (a *Absolute) GobEncode() ([]byte, error) { return []byte(a.String()), nil }
+// GobEncode returns the checked pathname.
 func (a *Absolute) GobEncode() ([]byte, error) {
 	return []byte(a.String()), nil
 }
 // GobDecode stores data if it represents an absolute pathname.
 func (a *Absolute) GobDecode(data []byte) error {
 	pathname := string(data)
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }
-func (a *Absolute) MarshalJSON() ([]byte, error) { return json.Marshal(a.String()) }
+// MarshalJSON returns a JSON representation of the checked pathname.
 func (a *Absolute) MarshalJSON() ([]byte, error) {
 	return json.Marshal(a.String())
 }
 // UnmarshalJSON stores data if it represents an absolute pathname.
 func (a *Absolute) UnmarshalJSON(data []byte) error {
 	var pathname string
 	if err := json.Unmarshal(data, &pathname); err != nil {
 		return err
 	}
 	if !path.IsAbs(pathname) {
-		return &AbsoluteError{pathname}
+		return AbsoluteError(pathname)
 	}
-	a.pathname = pathname
+	a.pathname = unique.Make(pathname)
 	return nil
 }
 // SortAbs calls [slices.SortFunc] for a slice of [Absolute].
 func SortAbs(x []*Absolute) {
-	slices.SortFunc(x, func(a, b *Absolute) int { return strings.Compare(a.String(), b.String()) })
+	slices.SortFunc(x, func(a, b *Absolute) int {
 		return strings.Compare(a.String(), b.String())
 	})
 }
 // CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
 func CompactAbs(s []*Absolute) []*Absolute {
-	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool { return a.String() == b.String() })
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool {
 		return a.Is(b)
 	})
 }
--- a/container/check/absolute_test.go
+++ b/container/check/absolute_test.go
@@ -31,8 +31,8 @@ func TestAbsoluteError(t *testing.T) {
 	}{
 		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
 		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
-		{"ne val", new(AbsoluteError), &AbsoluteError{Pathname: "etc"}, false},
+		{"ne val", new(AbsoluteError), AbsoluteError("etc"), false},
-		{"equals", &AbsoluteError{Pathname: "etc"}, &AbsoluteError{Pathname: "etc"}, true},
+		{"equals", AbsoluteError("etc"), AbsoluteError("etc"), true},
 	}
 	for _, tc := range testCases {
@@ -45,7 +45,7 @@ func TestAbsoluteError(t *testing.T) {
 		t.Parallel()
 		want := `path "etc" is not absolute`
-		if got := (&AbsoluteError{Pathname: "etc"}).Error(); got != want {
+		if got := (AbsoluteError("etc")).Error(); got != want {
 			t.Errorf("Error: %q, want %q", got, want)
 		}
 	})
@@ -62,8 +62,8 @@ func TestNewAbs(t *testing.T) {
 		wantErr  error
 	}{
 		{"good", "/etc", MustAbs("/etc"), nil},
-		{"not absolute", "etc", nil, &AbsoluteError{Pathname: "etc"}},
+		{"not absolute", "etc", nil, AbsoluteError("etc")},
-		{"zero", "", nil, &AbsoluteError{Pathname: ""}},
+		{"zero", "", nil, AbsoluteError("")},
 	}
 	for _, tc := range testCases {
@@ -84,7 +84,7 @@ func TestNewAbs(t *testing.T) {
 		t.Parallel()
 		defer func() {
-			wantPanic := &AbsoluteError{Pathname: "etc"}
+			wantPanic := AbsoluteError("etc")
 			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
 				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
@@ -175,7 +175,7 @@ func TestCodecAbsolute(t *testing.T) {
 			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
 		{"not absolute", nil,
-			&AbsoluteError{Pathname: "etc"},
+			AbsoluteError("etc"),
 			"\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
 			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x05\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
--- a/container/check/overlay.go
+++ b/container/check/overlay.go
@@ -11,7 +11,8 @@ const (
 	SpecialOverlayPath = ":"
 )
-// EscapeOverlayDataSegment escapes a string for formatting into the data argument of an overlay mount call.
+// EscapeOverlayDataSegment escapes a string for formatting into the data
 // argument of an overlay mount system call.
 func EscapeOverlayDataSegment(s string) string {
 	if s == "" {
 		return ""
--- a/container/container.go
+++ b/container/container.go
@@ -1,4 +1,5 @@
-// Package container implements unprivileged Linux containers with built-in support for syscall filtering.
+// Package container implements unprivileged Linux containers with built-in
 // support for syscall filtering.
 package container
 import (
@@ -37,24 +38,30 @@ type (
 	Container struct {
 		// Whether the container init should stay alive after its parent terminates.
 		AllowOrphan bool
 		// Scheduling policy to set via sched_setscheduler(2). The zero value
 		// skips this call. Supported policies are [SCHED_BATCH], [SCHED_IDLE].
 		SchedPolicy int
 		// Cgroup fd, nil to disable.
 		Cgroup *int
-		// ExtraFiles passed through to initial process in the container,
+		// ExtraFiles passed through to initial process in the container, with
-		// with behaviour identical to its [exec.Cmd] counterpart.
+		// behaviour identical to its [exec.Cmd] counterpart.
 		ExtraFiles []*os.File
-		// param pipe for shim and init
+		// Write end of a pipe connected to the init to deliver [Params].
 		setup *os.File
-		// cancels cmd
+		// Cancels the context passed to the underlying cmd.
 		cancel context.CancelFunc
-		// closed after Wait returns
+		// Closed after Wait returns. Keeps the spawning thread alive.
 		wait chan struct{}
 		Stdin  io.Reader
 		Stdout io.Writer
 		Stderr io.Writer
-		Cancel    func(cmd *exec.Cmd) error
+		// Custom cancellation behaviour for the underlying [exec.Cmd]. Must
 		// deliver [CancelSignal] before returning.
 		Cancel func(cmd *exec.Cmd) error
 		// Copied to the underlying [exec.Cmd].
 		WaitDelay time.Duration
 		cmd *exec.Cmd
@@ -263,6 +270,8 @@ func (p *Container) Start() error {
 			CAP_SYS_ADMIN,
 			// drop capabilities
 			CAP_SETPCAP,
 			// bring up loopback interface
 			CAP_NET_ADMIN,
 			// overlay access to upperdir and workdir
 			CAP_DAC_OVERRIDE,
 		},
@@ -281,7 +290,11 @@ func (p *Container) Start() error {
 	// place setup pipe before user supplied extra files, this is later restored by init
 	if fd, f, err := Setup(&p.cmd.ExtraFiles); err != nil {
-		return &StartError{true, "set up params stream", err, false, false}
+		return &StartError{
 			Fatal: true,
 			Step:  "set up params stream",
 			Err:   err,
 		}
 	} else {
 		p.setup = f
 		p.cmd.Env = []string{setupEnv + "=" + strconv.Itoa(fd)}
@@ -293,10 +306,16 @@ func (p *Container) Start() error {
 		runtime.LockOSThread()
 		p.wait = make(chan struct{})
-		done <- func() error { // setup depending on per-thread state must happen here
+		// setup depending on per-thread state must happen here
-			// PR_SET_NO_NEW_PRIVS: depends on per-thread state but acts on all processes created from that thread
+		done <- func() error {
 			// PR_SET_NO_NEW_PRIVS: thread-directed but acts on all processes
 			// created from the calling thread
 			if err := SetNoNewPrivs(); err != nil {
-				return &StartError{true, "prctl(PR_SET_NO_NEW_PRIVS)", err, false, false}
+				return &StartError{
 					Fatal: true,
 					Step:  "prctl(PR_SET_NO_NEW_PRIVS)",
 					Err:   err,
 				}
 			}
 			// landlock: depends on per-thread state but acts on a process group
@@ -308,28 +327,40 @@ func (p *Container) Start() error {
 				if abi, err := LandlockGetABI(); err != nil {
 					if p.HostAbstract {
-						// landlock can be skipped here as it restricts access to resources
+						// landlock can be skipped here as it restricts access
-						// already covered by namespaces (pid)
+						// to resources already covered by namespaces (pid)
 						goto landlockOut
 					}
-					return &StartError{false, "get landlock ABI", err, false, false}
+					return &StartError{Step: "get landlock ABI", Err: err}
 				} else if abi < 6 {
 					if p.HostAbstract {
 						// see above comment
 						goto landlockOut
 					}
-					return &StartError{false, "kernel version too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET", ENOSYS, true, false}
+					return &StartError{
 						Step:   "kernel too old for LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET",
 						Err:    ENOSYS,
 						Origin: true,
 					}
 				} else {
 					p.msg.Verbosef("landlock abi version %d", abi)
 				}
 				if rulesetFd, err := rulesetAttr.Create(0); err != nil {
-					return &StartError{true, "create landlock ruleset", err, false, false}
+					return &StartError{
 						Fatal: true,
 						Step:  "create landlock ruleset",
 						Err:   err,
 					}
 				} else {
 					p.msg.Verbosef("enforcing landlock ruleset %s", rulesetAttr)
 					if err = LandlockRestrictSelf(rulesetFd, 0); err != nil {
 						_ = Close(rulesetFd)
-						return &StartError{true, "enforce landlock ruleset", err, false, false}
+						return &StartError{
 							Fatal: true,
 							Step:  "enforce landlock ruleset",
 							Err:   err,
 						}
 					}
 					if err = Close(rulesetFd); err != nil {
 						p.msg.Verbosef("cannot close landlock ruleset: %v", err)
@@ -340,9 +371,30 @@ func (p *Container) Start() error {
 			landlockOut:
 			}
 			// sched_setscheduler: thread-directed but acts on all processes
 			// created from the calling thread
 			if p.SchedPolicy > 0 {
 				p.msg.Verbosef("setting scheduling policy %d", p.SchedPolicy)
 				if err := schedSetscheduler(
 					0, // calling thread
 					p.SchedPolicy,
 					&schedParam{0},
 				); err != nil {
 					return &StartError{
 						Fatal: true,
 						Step:  "enforce landlock ruleset",
 						Err:   err,
 					}
 				}
 			}
 			p.msg.Verbose("starting container init")
 			if err := p.cmd.Start(); err != nil {
-				return &StartError{false, "start container init", err, false, true}
+				return &StartError{
 					Step:        "start container init",
 					Err:         err,
 					Passthrough: true,
 				}
 			}
 			return nil
 		}()
@@ -354,6 +406,7 @@ func (p *Container) Start() error {
 }
 // Serve serves [Container.Params] to the container init.
 //
 // Serve must only be called once.
 func (p *Container) Serve() error {
 	if p.setup == nil {
@@ -363,12 +416,21 @@ func (p *Container) Serve() error {
 	setup := p.setup
 	p.setup = nil
 	if err := setup.SetDeadline(time.Now().Add(initSetupTimeout)); err != nil {
-		return &StartError{true, "set init pipe deadline", err, false, true}
+		return &StartError{
 			Fatal:       true,
 			Step:        "set init pipe deadline",
 			Err:         err,
 			Passthrough: true,
 		}
 	}
 	if p.Path == nil {
 		p.cancel()
-		return &StartError{false, "invalid executable pathname", EINVAL, true, false}
+		return &StartError{
 			Step:   "invalid executable pathname",
 			Err:    EINVAL,
 			Origin: true,
 		}
 	}
 	// do not transmit nil
@@ -393,7 +455,8 @@ func (p *Container) Serve() error {
 	return err
 }
-// Wait waits for the container init process to exit and releases any resources associated with the [Container].
+// Wait blocks until the container init process to exit and releases any
 // resources associated with the [Container].
 func (p *Container) Wait() error {
 	if p.cmd == nil || p.cmd.Process == nil {
 		return EINVAL
@@ -438,11 +501,13 @@ func (p *Container) StderrPipe() (r io.ReadCloser, err error) {
 }
 func (p *Container) String() string {
-	return fmt.Sprintf("argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
+	return fmt.Sprintf(
-		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets))
+		"argv: %q, filter: %v, rules: %d, flags: %#x, presets: %#x",
 		p.Args, !p.SeccompDisable, len(p.SeccompRules), int(p.SeccompFlags), int(p.SeccompPresets),
 	)
 }
-// ProcessState returns the address to os.ProcessState held by the underlying [exec.Cmd].
+// ProcessState returns the address of os.ProcessState held by the underlying [exec.Cmd].
 func (p *Container) ProcessState() *os.ProcessState {
 	if p.cmd == nil {
 		return nil
@@ -450,7 +515,8 @@ func (p *Container) ProcessState() *os.ProcessState {
 	return p.cmd.ProcessState
 }
-// New returns the address to a new instance of [Container] that requires further initialisation before use.
+// New returns the address to a new instance of [Container]. This value requires
 // further initialisation before use.
 func New(ctx context.Context, msg message.Msg) *Container {
 	if msg == nil {
 		msg = message.New(nil)
@@ -459,12 +525,18 @@ func New(ctx context.Context, msg message.Msg) *Container {
 	p := &Container{ctx: ctx, msg: msg, Params: Params{Ops: new(Ops)}}
 	c, cancel := context.WithCancel(ctx)
 	p.cancel = cancel
-	p.cmd = exec.CommandContext(c, MustExecutable(msg))
+	p.cmd = exec.CommandContext(c, fhs.ProcSelfExe)
 	return p
 }
 // NewCommand calls [New] and initialises the [Params.Path] and [Params.Args] fields.
-func NewCommand(ctx context.Context, msg message.Msg, pathname *check.Absolute, name string, args ...string) *Container {
+func NewCommand(
 	ctx context.Context,
 	msg message.Msg,
 	pathname *check.Absolute,
 	name string,
 	args ...string,
 ) *Container {
 	z := New(ctx, msg)
 	z.Path = pathname
 	z.Args = append([]string{name}, args...)
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -274,13 +274,13 @@ var containerTestCases = []struct {
 			Dev(check.MustAbs("/dev"), true),
 		),
 		earlyMnt(
-			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", ignore, ignore),
-			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", ignore, "devtmpfs", ignore, ignore),
-			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", ignore, "devtmpfs", ignore, ignore),
-			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", ignore, "devtmpfs", ignore, ignore),
-			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", ignore, "devtmpfs", ignore, ignore),
-			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", ignore, "devtmpfs", ignore, ignore),
-			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", ignore, "devtmpfs", ignore, ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
@@ -292,13 +292,13 @@ var containerTestCases = []struct {
 			Dev(check.MustAbs("/dev"), false),
 		),
 		earlyMnt(
-			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", ignore, ignore),
-			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/null", "/dev/null", ignore, "devtmpfs", ignore, ignore),
-			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/zero", "/dev/zero", ignore, "devtmpfs", ignore, ignore),
-			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/full", "/dev/full", ignore, "devtmpfs", ignore, ignore),
-			ent("/random", "/dev/random", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/random", "/dev/random", ignore, "devtmpfs", ignore, ignore),
-			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/urandom", "/dev/urandom", ignore, "devtmpfs", ignore, ignore),
-			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
+			ent("/tty", "/dev/tty", ignore, "devtmpfs", ignore, ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
@@ -690,11 +690,22 @@ func init() {
 						return fmt.Errorf("got more than %d entries", len(mnt))
 					}
-					// ugly hack but should be reliable and is less likely to false negative than comparing by parsed flags
+					// ugly hack but should be reliable and is less likely to
-					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",relatime")
+					//false negative than comparing by parsed flags
-					cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ",noatime")
+					for _, s := range []string{
-					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",relatime")
+						"relatime",
-					mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ",noatime")
+						"noatime",
 					} {
 						cur.VfsOptstr = strings.TrimSuffix(cur.VfsOptstr, ","+s)
 						mnt[i].VfsOptstr = strings.TrimSuffix(mnt[i].VfsOptstr, ","+s)
 					}
 					for _, s := range []string{
 						"seclabel",
 						"inode64",
 					} {
 						cur.FsOptstr = strings.Replace(cur.FsOptstr, ","+s, "", 1)
 						mnt[i].FsOptstr = strings.Replace(mnt[i].FsOptstr, ","+s, "", 1)
 					}
 					if !cur.EqualWithIgnore(mnt[i], "\x00") {
 						fail = true
@@ -762,14 +773,13 @@ func TestMain(m *testing.M) {
 func helperNewContainerLibPaths(ctx context.Context, libPaths *[]*check.Absolute, args ...string) (c *container.Container) {
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
 	executable := check.MustAbs(container.MustExecutable(msg))
 	c = container.NewCommand(ctx, msg, absHelperInnerPath, "helper", args...)
 	c.Env = append(c.Env, envDoCheck+"=1")
-	c.Bind(executable, absHelperInnerPath, 0)
+	c.Bind(fhs.AbsProcSelfExe, absHelperInnerPath, 0)
 	// in case test has cgo enabled
-	if entries, err := ldd.Resolve(ctx, msg, executable); err != nil {
+	if entries, err := ldd.Resolve(ctx, msg, nil); err != nil {
 		log.Fatalf("ldd: %v", err)
 	} else {
 		*libPaths = ldd.Path(entries)
--- a/container/dispatcher.go
+++ b/container/dispatcher.go
@@ -21,7 +21,8 @@ type osFile interface {
 	fs.File
 }
-// syscallDispatcher provides methods that make state-dependent system calls as part of their behaviour.
+// syscallDispatcher provides methods that make state-dependent system calls as
 // part of their behaviour.
 type syscallDispatcher interface {
 	// new starts a goroutine with a new instance of syscallDispatcher.
 	// A syscallDispatcher must never be used in any goroutine other than the one owning it,
@@ -61,6 +62,8 @@ type syscallDispatcher interface {
 	mountTmpfs(fsname, target string, flags uintptr, size int, perm os.FileMode) error
 	// ensureFile provides ensureFile.
 	ensureFile(name string, perm, pperm os.FileMode) error
 	// mustLoopback provides mustLoopback.
 	mustLoopback(msg message.Msg)
 	// seccompLoad provides [seccomp.Load].
 	seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
@@ -164,6 +167,7 @@ func (k direct) mountTmpfs(fsname, target string, flags uintptr, size int, perm
 func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
 	return ensureFile(name, perm, pperm)
 }
 func (direct) mustLoopback(msg message.Msg) { mustLoopback(msg) }
 func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	return seccomp.Load(rules, flags)
--- a/container/dispatcher_test.go
+++ b/container/dispatcher_test.go
@@ -238,8 +238,11 @@ func sliceAddr[S any](s []S) *[]S { return &s }
 func newCheckedFile(t *testing.T, name, wantData string, closeErr error) osFile {
 	f := &checkedOsFile{t: t, name: name, want: wantData, closeErr: closeErr}
-	// check happens in Close, and cleanup is not guaranteed to run, so relying on it for sloppy implementations will cause sporadic test results
+	// check happens in Close, and cleanup is not guaranteed to run, so relying
-	f.cleanup = runtime.AddCleanup(f, func(name string) { f.t.Fatalf("checkedOsFile %s became unreachable without a call to Close", name) }, f.name)
+	// on it for sloppy implementations will cause sporadic test results
 	f.cleanup = runtime.AddCleanup(f, func(name string) {
 		panic("checkedOsFile " + name + " became unreachable without a call to Close")
 	}, name)
 	return f
 }
@@ -465,6 +468,8 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
 		stub.CheckArg(k.Stub, "pperm", pperm, 2))
 }
 func (*kstub) mustLoopback(message.Msg) { /* noop */ }
 func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
 	k.Helper()
 	return k.Expects("seccompLoad").Error(
--- a/container/errors.go
+++ b/container/errors.go
@@ -18,7 +18,7 @@ func messageFromError(err error) (m string, ok bool) {
 	if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
 		return
 	}
-	if m, ok = messagePrefixP[check.AbsoluteError](zeroString, err); ok {
+	if m, ok = messagePrefix[check.AbsoluteError](zeroString, err); ok {
 		return
 	}
 	if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
@@ -43,7 +43,8 @@ func messageFromError(err error) (m string, ok bool) {
 }
 // messagePrefix checks and prefixes the error message of a non-pointer error.
-// While this is usable for pointer errors, such use should be avoided as nil check is omitted.
+// While this is usable for pointer errors, such use should be avoided as nil
 // check is omitted.
 func messagePrefix[T error](prefix string, err error) (string, bool) {
 	var targetError T
 	if errors.As(err, &targetError) {
--- a/container/errors_test.go
+++ b/container/errors_test.go
@@ -37,7 +37,7 @@ func TestMessageFromError(t *testing.T) {
 			Err:  stub.UniqueError(0xdeadbeef),
 		}, "cannot mount /sysroot: unique error 3735928559 injected by the test suite", true},
-		{"absolute", &check.AbsoluteError{Pathname: "etc/mtab"},
+		{"absolute", check.AbsoluteError("etc/mtab"),
 			`path "etc/mtab" is not absolute`, true},
 		{"repeat", OpRepeatError("autoetc"),
--- a/container/executable.go
+++ b/container/executable.go
@@ -28,6 +28,9 @@ func copyExecutable(msg message.Msg) {
 	}
 }
 // MustExecutable calls [os.Executable] and terminates the process on error.
 //
 // Deprecated: This is no longer used and will be removed in 0.4.
 func MustExecutable(msg message.Msg) string {
 	executableOnce.Do(func() { copyExecutable(msg) })
 	return executable
--- a/container/fhs/abs.go
+++ b/container/fhs/abs.go
@@ -26,6 +26,8 @@ var (
 	// AbsRunUser is [RunUser] as [check.Absolute].
 	AbsRunUser = unsafeAbs(RunUser)
 	// AbsUsr is [Usr] as [check.Absolute].
 	AbsUsr = unsafeAbs(Usr)
 	// AbsUsrBin is [UsrBin] as [check.Absolute].
 	AbsUsrBin = unsafeAbs(UsrBin)
@@ -40,6 +42,8 @@ var (
 	AbsDevShm = unsafeAbs(DevShm)
 	// AbsProc is [Proc] as [check.Absolute].
 	AbsProc = unsafeAbs(Proc)
 	// AbsProcSelfExe is [ProcSelfExe] as [check.Absolute].
 	AbsProcSelfExe = unsafeAbs(ProcSelfExe)
 	// AbsSys is [Sys] as [check.Absolute].
 	AbsSys = unsafeAbs(Sys)
 )
--- a/container/fhs/fhs.go
+++ b/container/fhs/fhs.go
@@ -9,7 +9,8 @@ const (
 	// Tmp points to the place for small temporary files.
 	Tmp = "/tmp/"
-	// Run points to a "tmpfs" file system for system packages to place runtime data, socket files, and similar.
+	// Run points to a "tmpfs" file system for system packages to place runtime
 	// data, socket files, and similar.
 	Run = "/run/"
 	// RunUser points to a directory containing per-user runtime directories,
 	// each usually individually mounted "tmpfs" instances.
@@ -17,10 +18,12 @@ const (
 	// Usr points to vendor-supplied operating system resources.
 	Usr = "/usr/"
-	// UsrBin points to binaries and executables for user commands that shall appear in the $PATH search path.
+	// UsrBin points to binaries and executables for user commands that shall
 	// appear in the $PATH search path.
 	UsrBin = Usr + "bin/"
-	// Var points to persistent, variable system data. Writable during normal system operation.
+	// Var points to persistent, variable system data. Writable during normal
 	// system operation.
 	Var = "/var/"
 	// VarLib points to persistent system data.
 	VarLib = Var + "lib/"
@@ -29,12 +32,20 @@ const (
 	// Dev points to the root directory for device nodes.
 	Dev = "/dev/"
-	// DevShm is the place for POSIX shared memory segments, as created via shm_open(3).
+	// DevShm is the place for POSIX shared memory segments, as created via
 	// shm_open(3).
 	DevShm = "/dev/shm/"
-	// Proc points to a virtual kernel file system exposing the process list and other functionality.
+	// Proc points to a virtual kernel file system exposing the process list and
 	// other functionality.
 	Proc = "/proc/"
-	// ProcSys points to a hierarchy below /proc/ that exposes a number of kernel tunables.
+	// ProcSys points to a hierarchy below /proc/ that exposes a number of
 	// kernel tunables.
 	ProcSys = Proc + "sys/"
-	// Sys points to a virtual kernel file system exposing discovered devices and other functionality.
+	// ProcSelf resolves to the process's own /proc/pid directory.
 	ProcSelf = Proc + "self/"
 	// ProcSelfExe is a symbolic link to program pathname.
 	ProcSelfExe = ProcSelf + "exe"
 	// Sys points to a virtual kernel file system exposing discovered devices
 	// and other functionality.
 	Sys = "/sys/"
 )
--- a/container/init.go
+++ b/container/init.go
@@ -33,12 +33,12 @@ const (
 	- This path is only accessible by init and root:
 	  The container init sets SUID_DUMP_DISABLE and terminates if that fails.
-	It should be noted that none of this should become relevant at any point since the resulting
+	It should be noted that none of this should become relevant at any point
-	intermediate root tmpfs should be effectively anonymous. */
+	since the resulting intermediate root tmpfs should be effectively anonymous. */
 	intermediateHostPath = fhs.Proc + "self/fd"
-	// setupEnv is the name of the environment variable holding the string representation of
+	// setupEnv is the name of the environment variable holding the string
-	// the read end file descriptor of the setup params pipe.
+	// representation of the read end file descriptor of the setup params pipe.
 	setupEnv = "HAKUREI_SETUP"
 	// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
@@ -59,7 +59,8 @@ type (
 		// late is called right before starting the initial process.
 		late(state *setupState, k syscallDispatcher) error
-		// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
+		// prefix returns a log message prefix, and whether this Op prints no
 		// identifying message on its own.
 		prefix() (string, bool)
 		Is(op Op) bool
@@ -71,9 +72,11 @@ type (
 	setupState struct {
 		nonrepeatable uintptr
-		// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
+		// Whether early reaping has concluded. Must only be accessed in the
 		// wait4 loop.
 		processConcluded bool
-		// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
+		// Process to syscall.WaitStatus populated in the wait4 loop. Freed
 		// after early reaping concludes.
 		process map[int]WaitStatus
 		// Synchronises access to process.
 		processMu sync.RWMutex
@@ -170,6 +173,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		offsetSetup = int(setupFd + 1)
 	}
 	if !params.HostNet {
 		k.mustLoopback(msg)
 	}
 	// write uid/gid map here so parent does not need to set dumpable
 	if err := k.setDumpable(SUID_DUMP_USER); err != nil {
 		k.fatalf(msg, "cannot set SUID_DUMP_USER: %v", err)
@@ -212,9 +219,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 	defer cancel()
 	/* early is called right before pivot_root into intermediate root;
-	this step is mostly for gathering information that would otherwise be difficult to obtain
+	this step is mostly for gathering information that would otherwise be
-	via library functions after pivot_root, and implementations are expected to avoid changing
+	difficult to obtain via library functions after pivot_root, and
-	the state of the mount namespace */
+	implementations are expected to avoid changing the state of the mount
 	namespace */
 	for i, op := range *params.Ops {
 		if op == nil || !op.Valid() {
 			k.fatalf(msg, "invalid op at index %d", i)
@@ -254,10 +262,10 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
 		k.fatalf(msg, "cannot enter intermediate root: %v", err)
 	}
-	/* apply is called right after pivot_root and entering the new root;
+	/* apply is called right after pivot_root and entering the new root. This
-	this step sets up the container filesystem, and implementations are expected to keep the host root
+	step sets up the container filesystem, and implementations are expected to
-	and sysroot mount points intact but otherwise can do whatever they need to;
+	keep the host root and sysroot mount points intact but otherwise can do
-	chdir is allowed but discouraged */
+	whatever they need to. Calling chdir is allowed but discouraged. */
 	for i, op := range *params.Ops {
 		// ops already checked during early setup
 		if prefix, ok := op.prefix(); ok {
--- a/container/initbind.go
+++ b/container/initbind.go
@@ -12,14 +12,16 @@ import (
 func init() { gob.Register(new(BindMountOp)) }
-// Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
+// Bind is a helper for appending [BindMountOp] to [Ops].
 func (f *Ops) Bind(source, target *check.Absolute, flags int) *Ops {
 	*f = append(*f, &BindMountOp{nil, source, target, flags})
 	return f
 }
-// BindMountOp bind mounts host path Source on container path Target.
+// BindMountOp creates a bind mount from host path Source to container path Target.
-// Note that Flags uses bits declared in this package and should not be set with constants in [syscall].
+//
 // Note that Flags uses bits declared in the [std] package and should not be set
 // with constants in [syscall].
 type BindMountOp struct {
 	sourceFinal, Source, Target *check.Absolute
--- a/container/initdaemon.go
+++ b/container/initdaemon.go
@@ -24,8 +24,7 @@ const (
 	daemonTimeout = 5 * time.Second
 )
-// Daemon appends an [Op] that starts a daemon in the container and blocks until
+// Daemon is a helper for appending [DaemonOp] to [Ops].
 // [DaemonOp.Target] appears.
 func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
 	*f = append(*f, &DaemonOp{target, path, args})
 	return f
--- a/container/initdev.go
+++ b/container/initdev.go
@@ -19,7 +19,9 @@ func (f *Ops) Dev(target *check.Absolute, mqueue bool) *Ops {
 }
 // DevWritable appends an [Op] that mounts a writable subset of host /dev.
-// There is usually no good reason to write to /dev, so this should always be followed by a [RemountOp].
+//
 // There is usually no good reason to write to /dev, so this should always be
 // followed by a [RemountOp].
 func (f *Ops) DevWritable(target *check.Absolute, mqueue bool) *Ops {
 	*f = append(*f, &MountDevOp{target, mqueue, true})
 	return f
--- a/container/initmkdir.go
+++ b/container/initmkdir.go
@@ -10,7 +10,7 @@ import (
 func init() { gob.Register(new(MkdirOp)) }
-// Mkdir appends an [Op] that creates a directory in the container filesystem.
+// Mkdir is a helper for appending [MkdirOp] to [Ops].
 func (f *Ops) Mkdir(name *check.Absolute, perm os.FileMode) *Ops {
 	*f = append(*f, &MkdirOp{name, perm})
 	return f
--- a/container/initoverlay.go
+++ b/container/initoverlay.go
@@ -54,8 +54,11 @@ func (e *OverlayArgumentError) Error() string {
 	}
 }
-// Overlay appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target].
+// Overlay is a helper for appending [MountOverlayOp] to [Ops].
-func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Absolute) *Ops {
+func (f *Ops) Overlay(
 	target, state, work *check.Absolute,
 	layers ...*check.Absolute,
 ) *Ops {
 	*f = append(*f, &MountOverlayOp{
 		Target: target,
 		Lower:  layers,
@@ -65,13 +68,12 @@ func (f *Ops) Overlay(target, state, work *check.Absolute, layers ...*check.Abso
 	return f
 }
-// OverlayEphemeral appends an [Op] that mounts the overlay pseudo filesystem on [MountOverlayOp.Target]
+// OverlayEphemeral appends a [MountOverlayOp] with an ephemeral upperdir and workdir.
 // with an ephemeral upperdir and workdir.
 func (f *Ops) OverlayEphemeral(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, fhs.AbsRoot, nil, layers...)
 }
-// OverlayReadonly appends an [Op] that mounts the overlay pseudo filesystem readonly on [MountOverlayOp.Target]
+// OverlayReadonly appends a readonly [MountOverlayOp].
 func (f *Ops) OverlayReadonly(target *check.Absolute, layers ...*check.Absolute) *Ops {
 	return f.Overlay(target, nil, nil, layers...)
 }
@@ -82,25 +84,34 @@ type MountOverlayOp struct {
 	// Any filesystem, does not need to be on a writable filesystem.
 	Lower []*check.Absolute
-	// formatted for [OptionOverlayLowerdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayLowerdir].
 	//
 	// Resolved, prefixed and escaped during early.
 	lower []string
 	// The upperdir is normally on a writable filesystem.
 	//
-	// If Work is nil and Upper holds the special value [fhs.AbsRoot],
+	// If Work is nil and Upper holds the special value [fhs.AbsRoot], an
-	// an ephemeral upperdir and workdir will be set up.
+	// ephemeral upperdir and workdir will be set up.
 	//
-	// If both Work and Upper are nil, upperdir and workdir is omitted and the overlay is mounted readonly.
+	// If both Work and Upper are nil, upperdir and workdir is omitted and the
 	// overlay is mounted readonly.
 	Upper *check.Absolute
-	// formatted for [OptionOverlayUpperdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayUpperdir].
 	//
 	// Resolved, prefixed and escaped during early.
 	upper string
 	// The workdir needs to be an empty directory on the same filesystem as upperdir.
 	Work *check.Absolute
-	// formatted for [OptionOverlayWorkdir], resolved, prefixed and escaped during early
+	// Formatted for [OptionOverlayWorkdir].
 	//
 	// Resolved, prefixed and escaped during early.
 	work string
 	ephemeral bool
-	// used internally for mounting to the intermediate root
+	// Used internally for mounting to the intermediate root.
 	noPrefix bool
 }
--- a/container/initoverlay_test.go
+++ b/container/initoverlay_test.go
@@ -312,7 +312,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},
-		{"ephemeral", new(Ops).OverlayEphemeral(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"ephemeral", new(Ops).OverlayEphemeral(
 			check.MustAbs("/nix/store"),
 			check.MustAbs("/mnt-root/nix/.ro-store"),
 		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
@@ -320,7 +323,10 @@ func TestMountOverlayOp(t *testing.T) {
 			},
 		}},
-		{"readonly", new(Ops).OverlayReadonly(check.MustAbs("/nix/store"), check.MustAbs("/mnt-root/nix/.ro-store")), Ops{
+		{"readonly", new(Ops).OverlayReadonly(
 			check.MustAbs("/nix/store"),
 			check.MustAbs("/mnt-root/nix/.ro-store"),
 		), Ops{
 			&MountOverlayOp{
 				Target: check.MustAbs("/nix/store"),
 				Lower:  []*check.Absolute{check.MustAbs("/mnt-root/nix/.ro-store")},
--- a/container/initplace.go
+++ b/container/initplace.go
@@ -16,7 +16,7 @@ const (
 func init() { gob.Register(new(TmpfileOp)) }
-// Place appends an [Op] that places a file in container path [TmpfileOp.Path] containing [TmpfileOp.Data].
+// Place is a helper for appending [TmpfileOp] to [Ops].
 func (f *Ops) Place(name *check.Absolute, data []byte) *Ops {
 	*f = append(*f, &TmpfileOp{name, data})
 	return f
--- a/container/initplace_test.go
+++ b/container/initplace_test.go
@@ -21,7 +21,7 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), stub.UniqueError(5)),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, (*checkedOsFile)(nil), stub.UniqueError(5)),
 		}, stub.UniqueError(5)},
 		{"Write", &Params{ParentPerm: 0700}, &TmpfileOp{
@@ -35,14 +35,14 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, stub.UniqueError(3)), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.Close", sampleDataString, stub.UniqueError(3)), nil),
 		}, stub.UniqueError(3)},
 		{"ensureFile", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.ensureFile", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, stub.UniqueError(2)),
 		}, stub.UniqueError(2)},
@@ -50,29 +50,29 @@ func TestTmpfileOp(t *testing.T) {
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.bindMount", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
+			call("bindMount", stub.ExpectArgs{"tmp.bindMount", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, stub.UniqueError(1)),
 		}, stub.UniqueError(1)},
 		{"remove", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.remove", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.remove", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
-			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, stub.UniqueError(0)),
+			call("remove", stub.ExpectArgs{"tmp.remove"}, nil, stub.UniqueError(0)),
 		}, stub.UniqueError(0)},
 		{"success", &Params{ParentPerm: 0700}, &TmpfileOp{
 			Path: samplePath,
 			Data: sampleData,
 		}, nil, nil, []stub.Call{
-			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.32768", sampleDataString, nil), nil),
+			call("createTemp", stub.ExpectArgs{"/", "tmp.*"}, newCheckedFile(t, "tmp.success", sampleDataString, nil), nil),
 			call("ensureFile", stub.ExpectArgs{"/sysroot/etc/passwd", os.FileMode(0444), os.FileMode(0700)}, nil, nil),
-			call("bindMount", stub.ExpectArgs{"tmp.32768", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
+			call("bindMount", stub.ExpectArgs{"tmp.success", "/sysroot/etc/passwd", uintptr(0x5), false}, nil, nil),
-			call("remove", stub.ExpectArgs{"tmp.32768"}, nil, nil),
+			call("remove", stub.ExpectArgs{"tmp.success"}, nil, nil),
 		}, nil},
 	})
--- a/container/initproc.go
+++ b/container/initproc.go
@@ -10,7 +10,7 @@ import (
 func init() { gob.Register(new(MountProcOp)) }
-// Proc appends an [Op] that mounts a private instance of proc.
+// Proc is a helper for appending [MountProcOp] to [Ops].
 func (f *Ops) Proc(target *check.Absolute) *Ops {
 	*f = append(*f, &MountProcOp{target})
 	return f
--- a/container/initremount.go
+++ b/container/initremount.go
@@ -9,7 +9,7 @@ import (
 func init() { gob.Register(new(RemountOp)) }
-// Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
+// Remount is a helper for appending [RemountOp] to [Ops].
 func (f *Ops) Remount(target *check.Absolute, flags uintptr) *Ops {
 	*f = append(*f, &RemountOp{target, flags})
 	return f
--- a/container/initsymlink.go
+++ b/container/initsymlink.go
@@ -31,7 +31,7 @@ func (l *SymlinkOp) Valid() bool { return l != nil && l.Target != nil && l.LinkN
 func (l *SymlinkOp) early(_ *setupState, k syscallDispatcher) error {
 	if l.Dereference {
 		if !path.IsAbs(l.LinkName) {
-			return &check.AbsoluteError{Pathname: l.LinkName}
+			return check.AbsoluteError(l.LinkName)
 		}
 		if name, err := k.readlink(l.LinkName); err != nil {
 			return err
--- a/container/initsymlink_test.go
+++ b/container/initsymlink_test.go
@@ -23,7 +23,7 @@ func TestSymlinkOp(t *testing.T) {
 			Target:      check.MustAbs("/etc/mtab"),
 			LinkName:    "etc/mtab",
 			Dereference: true,
-		}, nil, &check.AbsoluteError{Pathname: "etc/mtab"}, nil, nil},
+		}, nil, check.AbsoluteError("etc/mtab"), nil, nil},
 		{"readlink", &Params{ParentPerm: 0755}, &SymlinkOp{
 			Target:      check.MustAbs("/etc/mtab"),
--- a/container/landlock.go
+++ b/container/landlock.go
@@ -38,6 +38,7 @@ const (
 	_LANDLOCK_ACCESS_FS_DELIM
 )
 // String returns a space-separated string of [LandlockAccessFS] flags.
 func (f LandlockAccessFS) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_FS_EXECUTE:
@@ -116,6 +117,7 @@ const (
 	_LANDLOCK_ACCESS_NET_DELIM
 )
 // String returns a space-separated string of [LandlockAccessNet] flags.
 func (f LandlockAccessNet) String() string {
 	switch f {
 	case LANDLOCK_ACCESS_NET_BIND_TCP:
@@ -152,6 +154,7 @@ const (
 	_LANDLOCK_SCOPE_DELIM
 )
 // String returns a space-separated string of [LandlockScope] flags.
 func (f LandlockScope) String() string {
 	switch f {
 	case LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET:
@@ -184,10 +187,12 @@ type RulesetAttr struct {
 	HandledAccessFS LandlockAccessFS
 	// Bitmask of handled network actions.
 	HandledAccessNet LandlockAccessNet
-	// Bitmask of scopes restricting a Landlock domain from accessing outside resources (e.g. IPCs).
+	// Bitmask of scopes restricting a Landlock domain from accessing outside
 	// resources (e.g. IPCs).
 	Scoped LandlockScope
 }
 // String returns a user-facing description of [RulesetAttr].
 func (rulesetAttr *RulesetAttr) String() string {
 	if rulesetAttr == nil {
 		return "NULL"
@@ -208,6 +213,7 @@ func (rulesetAttr *RulesetAttr) String() string {
 	return strings.Join(elems, ", ")
 }
 // Create loads the ruleset into the kernel.
 func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	var pointer, size uintptr
 	// NULL needed for abi version
@@ -216,10 +222,13 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 		size = unsafe.Sizeof(*rulesetAttr)
 	}
-	rulesetFd, _, errno := syscall.Syscall(std.SYS_LANDLOCK_CREATE_RULESET, pointer, size, flags)
+	rulesetFd, _, errno := syscall.Syscall(
 		std.SYS_LANDLOCK_CREATE_RULESET,
 		pointer, size,
 		flags,
 	)
 	fd = int(rulesetFd)
 	err = errno
 	if fd < 0 {
 		return
 	}
@@ -230,12 +239,19 @@ func (rulesetAttr *RulesetAttr) Create(flags uintptr) (fd int, err error) {
 	return fd, nil
 }
 // LandlockGetABI returns the ABI version supported by the kernel.
 func LandlockGetABI() (int, error) {
 	return (*RulesetAttr)(nil).Create(LANDLOCK_CREATE_RULESET_VERSION)
 }
 // LandlockRestrictSelf applies a loaded ruleset to the calling thread.
 func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
-	r, _, errno := syscall.Syscall(std.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
+	r, _, errno := syscall.Syscall(
 		std.SYS_LANDLOCK_RESTRICT_SELF,
 		uintptr(rulesetFd),
 		flags,
 		0,
 	)
 	if r != 0 {
 		return errno
 	}
--- a/container/netlink.go
+++ b/container/netlink.go
@@ -0,0 +1,269 @@
 package container
 import (
 	"encoding/binary"
 	"errors"
 	"net"
 	"os"
 	. "syscall"
 	"unsafe"
 	"hakurei.app/container/std"
 	"hakurei.app/message"
 )
 // rtnetlink represents a NETLINK_ROUTE socket.
 type rtnetlink struct {
 	// Sent as part of rtnetlink messages.
 	pid uint32
 	// AF_NETLINK socket.
 	fd int
 	// Whether the socket is open.
 	ok bool
 	// Message sequence number.
 	seq uint32
 }
 // open creates the underlying NETLINK_ROUTE socket.
 func (s *rtnetlink) open() (err error) {
 	if s.ok || s.fd < 0 {
 		return os.ErrInvalid
 	}
 	s.pid = uint32(Getpid())
 	if s.fd, err = Socket(
 		AF_NETLINK,
 		SOCK_RAW|SOCK_CLOEXEC,
 		NETLINK_ROUTE,
 	); err != nil {
 		return os.NewSyscallError("socket", err)
 	} else if err = Bind(s.fd, &SockaddrNetlink{
 		Family: AF_NETLINK,
 		Pid:    s.pid,
 	}); err != nil {
 		_ = s.close()
 		return os.NewSyscallError("bind", err)
 	} else {
 		s.ok = true
 		return nil
 	}
 }
 // close closes the underlying NETLINK_ROUTE socket.
 func (s *rtnetlink) close() error {
 	if !s.ok {
 		return os.ErrInvalid
 	}
 	s.ok = false
 	err := Close(s.fd)
 	s.fd = -1
 	return err
 }
 // roundtrip sends a netlink message and handles the reply.
 func (s *rtnetlink) roundtrip(data []byte) error {
 	if !s.ok {
 		return os.ErrInvalid
 	}
 	defer func() { s.seq++ }()
 	if err := Sendto(s.fd, data, 0, &SockaddrNetlink{
 		Family: AF_NETLINK,
 	}); err != nil {
 		return os.NewSyscallError("sendto", err)
 	}
 	buf := make([]byte, Getpagesize())
 done:
 	for {
 		p := buf
 		if n, _, err := Recvfrom(s.fd, p, 0); err != nil {
 			return os.NewSyscallError("recvfrom", err)
 		} else if n < NLMSG_HDRLEN {
 			return errors.ErrUnsupported
 		} else {
 			p = p[:n]
 		}
 		if msgs, err := ParseNetlinkMessage(p); err != nil {
 			return err
 		} else {
 			for _, m := range msgs {
 				if m.Header.Seq != s.seq || m.Header.Pid != s.pid {
 					return errors.ErrUnsupported
 				}
 				if m.Header.Type == NLMSG_DONE {
 					break done
 				}
 				if m.Header.Type == NLMSG_ERROR {
 					if len(m.Data) >= 4 {
 						errno := Errno(-std.Int(binary.NativeEndian.Uint32(m.Data)))
 						if errno == 0 {
 							return nil
 						}
 						return errno
 					}
 					return errors.ErrUnsupported
 				}
 			}
 		}
 	}
 	return nil
 }
 // mustRoundtrip calls roundtrip and terminates via msg for a non-nil error.
 func (s *rtnetlink) mustRoundtrip(msg message.Msg, data []byte) {
 	err := s.roundtrip(data)
 	if err == nil {
 		return
 	}
 	if closeErr := Close(s.fd); closeErr != nil {
 		msg.Verbosef("cannot close: %v", err)
 	}
 	switch err.(type) {
 	case *os.SyscallError:
 		msg.GetLogger().Fatalf("cannot %v", err)
 	case Errno:
 		msg.GetLogger().Fatalf("RTNETLINK answers: %v", err)
 	default:
 		msg.GetLogger().Fatalln("RTNETLINK answers with unexpected message")
 	}
 }
 // newaddrLo represents a RTM_NEWADDR message with two addresses.
 type newaddrLo struct {
 	header NlMsghdr
 	data   IfAddrmsg
 	r0 RtAttr
 	a0 [4]byte // in_addr
 	r1 RtAttr
 	a1 [4]byte // in_addr
 }
 // sizeofNewaddrLo is the expected size of newaddrLo.
 const sizeofNewaddrLo = NLMSG_HDRLEN + SizeofIfAddrmsg + (SizeofRtAttr+4)*2
 // newaddrLo returns the address of a populated newaddrLo.
 func (s *rtnetlink) newaddrLo(lo int) *newaddrLo {
 	return &newaddrLo{NlMsghdr{
 		Len:   sizeofNewaddrLo,
 		Type:  RTM_NEWADDR,
 		Flags: NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL,
 		Seq:   s.seq,
 		Pid:   s.pid,
 	}, IfAddrmsg{
 		Family:    AF_INET,
 		Prefixlen: 8,
 		Flags:     IFA_F_PERMANENT,
 		Scope:     RT_SCOPE_HOST,
 		Index:     uint32(lo),
 	}, RtAttr{
 		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a0)),
 		Type: IFA_LOCAL,
 	}, [4]byte{127, 0, 0, 1}, RtAttr{
 		Len:  uint16(SizeofRtAttr + len(newaddrLo{}.a1)),
 		Type: IFA_ADDRESS,
 	}, [4]byte{127, 0, 0, 1}}
 }
 func (msg *newaddrLo) toWireFormat() []byte {
 	var buf [sizeofNewaddrLo]byte
 	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
 	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
 	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
 	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
 	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
 	buf[16] = msg.data.Family
 	buf[17] = msg.data.Prefixlen
 	buf[18] = msg.data.Flags
 	buf[19] = msg.data.Scope
 	*(*uint32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
 	*(*uint16)(unsafe.Pointer(&buf[24:26][0])) = msg.r0.Len
 	*(*uint16)(unsafe.Pointer(&buf[26:28][0])) = msg.r0.Type
 	copy(buf[28:32], msg.a0[:])
 	*(*uint16)(unsafe.Pointer(&buf[32:34][0])) = msg.r1.Len
 	*(*uint16)(unsafe.Pointer(&buf[34:36][0])) = msg.r1.Type
 	copy(buf[36:40], msg.a1[:])
 	return buf[:]
 }
 // newlinkLo represents a RTM_NEWLINK message.
 type newlinkLo struct {
 	header NlMsghdr
 	data   IfInfomsg
 }
 // sizeofNewlinkLo is the expected size of newlinkLo.
 const sizeofNewlinkLo = NLMSG_HDRLEN + SizeofIfInfomsg
 // newlinkLo returns the address of a populated newlinkLo.
 func (s *rtnetlink) newlinkLo(lo int) *newlinkLo {
 	return &newlinkLo{NlMsghdr{
 		Len:   sizeofNewlinkLo,
 		Type:  RTM_NEWLINK,
 		Flags: NLM_F_REQUEST | NLM_F_ACK,
 		Seq:   s.seq,
 		Pid:   s.pid,
 	}, IfInfomsg{
 		Family: AF_UNSPEC,
 		Index:  int32(lo),
 		Flags:  IFF_UP,
 		Change: IFF_UP,
 	}}
 }
 func (msg *newlinkLo) toWireFormat() []byte {
 	var buf [sizeofNewlinkLo]byte
 	*(*uint32)(unsafe.Pointer(&buf[0:4][0])) = msg.header.Len
 	*(*uint16)(unsafe.Pointer(&buf[4:6][0])) = msg.header.Type
 	*(*uint16)(unsafe.Pointer(&buf[6:8][0])) = msg.header.Flags
 	*(*uint32)(unsafe.Pointer(&buf[8:12][0])) = msg.header.Seq
 	*(*uint32)(unsafe.Pointer(&buf[12:16][0])) = msg.header.Pid
 	buf[16] = msg.data.Family
 	*(*uint16)(unsafe.Pointer(&buf[18:20][0])) = msg.data.Type
 	*(*int32)(unsafe.Pointer(&buf[20:24][0])) = msg.data.Index
 	*(*uint32)(unsafe.Pointer(&buf[24:28][0])) = msg.data.Flags
 	*(*uint32)(unsafe.Pointer(&buf[28:32][0])) = msg.data.Change
 	return buf[:]
 }
 // mustLoopback creates the loopback address and brings the lo interface up.
 // mustLoopback calls a fatal method of the underlying [log.Logger] of m with a
 // user-facing error message if RTNETLINK behaves unexpectedly.
 func mustLoopback(msg message.Msg) {
 	log := msg.GetLogger()
 	var lo int
 	if ifi, err := net.InterfaceByName("lo"); err != nil {
 		log.Fatalln(err)
 	} else {
 		lo = ifi.Index
 	}
 	var s rtnetlink
 	if err := s.open(); err != nil {
 		log.Fatalln(err)
 	}
 	defer func() {
 		if err := s.close(); err != nil {
 			msg.Verbosef("cannot close netlink: %v", err)
 		}
 	}()
 	s.mustRoundtrip(msg, s.newaddrLo(lo).toWireFormat())
 	s.mustRoundtrip(msg, s.newlinkLo(lo).toWireFormat())
 }
--- a/container/netlink_test.go
+++ b/container/netlink_test.go
@@ -0,0 +1,72 @@
 package container
 import (
 	"testing"
 	"unsafe"
 )
 func TestSizeof(t *testing.T) {
 	if got := unsafe.Sizeof(newaddrLo{}); got != sizeofNewaddrLo {
 		t.Fatalf("newaddrLo: sizeof = %#x, want %#x", got, sizeofNewaddrLo)
 	}
 	if got := unsafe.Sizeof(newlinkLo{}); got != sizeofNewlinkLo {
 		t.Fatalf("newlinkLo: sizeof = %#x, want %#x", got, sizeofNewlinkLo)
 	}
 }
 func TestRtnetlinkMessage(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		msg  interface{ toWireFormat() []byte }
 		want []byte
 	}{
 		{"newaddrLo", (&rtnetlink{pid: 1, seq: 0}).newaddrLo(1), []byte{
 			/* Len   */ 0x28, 0, 0, 0,
 			/* Type  */ 0x14, 0,
 			/* Flags */ 5, 6,
 			/* Seq   */ 0, 0, 0, 0,
 			/* Pid   */ 1, 0, 0, 0,
 			/* Family    */ 2,
 			/* Prefixlen */ 8,
 			/* Flags     */ 0x80,
 			/* Scope     */ 0xfe,
 			/* Index     */ 1, 0, 0, 0,
 			/* Len     */ 8, 0,
 			/* Type    */ 2, 0,
 			/* in_addr */ 127, 0, 0, 1,
 			/* Len     */ 8, 0,
 			/* Type    */ 1, 0,
 			/* in_addr */ 127, 0, 0, 1,
 		}},
 		{"newlinkLo", (&rtnetlink{pid: 1, seq: 1}).newlinkLo(1), []byte{
 			/* Len   */ 0x20, 0, 0, 0,
 			/* Type  */ 0x10, 0,
 			/* Flags */ 5, 0,
 			/* Seq   */ 1, 0, 0, 0,
 			/* Pid   */ 1, 0, 0, 0,
 			/* Family */ 0,
 			/* pad    */ 0,
 			/* Type   */ 0, 0,
 			/* Index  */ 1, 0, 0, 0,
 			/* Flags  */ 1, 0, 0, 0,
 			/* Change */ 1, 0, 0, 0,
 		}},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			if got := tc.msg.toWireFormat(); string(got) != string(tc.want) {
 				t.Fatalf("toWireFormat: %#v, want %#v", got, tc.want)
 			}
 		})
 	}
 }
--- a/container/path.go
+++ b/container/path.go
@@ -15,7 +15,10 @@ import (
 const (
 	// Nonexistent is a path that cannot exist.
-	// /proc is chosen because a system with covered /proc is unsupported by this package.
+	//
 	// This path can never be presented by the kernel if proc is mounted on
 	// /proc/. This can only exist if parts of /proc/ is covered, or proc is not
 	// mounted at all. Neither configuration is supported by this package.
 	Nonexistent = fhs.Proc + "nonexistent"
 	hostPath    = fhs.Root + hostDir
--- a/container/seccomp/libseccomp.go
+++ b/container/seccomp/libseccomp.go
@@ -88,18 +88,22 @@ var resPrefix = [...]string{
 	7: "seccomp_load failed",
 }
-// cbAllocateBuffer is the function signature for the function handle passed to hakurei_export_filter
+// cbAllocateBuffer is the function signature for the function handle passed to
-// which allocates the buffer that the resulting bpf program is copied into, and writes its slice header
+// hakurei_scmp_make_filter which allocates the buffer that the resulting bpf
-// to a value held by the caller.
+// program is copied into, and writes its slice header to a value held by the caller.
 type cbAllocateBuffer = func(len C.size_t) (buf unsafe.Pointer)
 // hakurei_scmp_allocate allocates a buffer of specified size known to the
 // runtime through a callback passed in a [cgo.Handle].
 //
 //export hakurei_scmp_allocate
 func hakurei_scmp_allocate(f C.uintptr_t, len C.size_t) (buf unsafe.Pointer) {
 	return cgo.Handle(f).Value().(cbAllocateBuffer)(len)
 }
-// makeFilter generates a bpf program from a slice of [std.NativeRule] and writes the resulting byte slice to p.
+// makeFilter generates a bpf program from a slice of [std.NativeRule] and
-// The filter is installed to the current process if p is nil.
+// writes the resulting byte slice to p. The filter is installed to the current
 // process if p is nil.
 func makeFilter(rules []std.NativeRule, flags ExportFlag, p *[]byte) error {
 	if len(rules) == 0 {
 		return ErrInvalidRules
@@ -170,8 +174,8 @@ func Export(rules []std.NativeRule, flags ExportFlag) (data []byte, err error) {
 	return
 }
-// Load generates a bpf program from a slice of [std.NativeRule] and enforces it on the current process.
+// Load generates a bpf program from a slice of [std.NativeRule] and enforces it
-// Errors returned by libseccomp is wrapped in [LibraryError].
+// on the current process. Errors returned by libseccomp is wrapped in [LibraryError].
 func Load(rules []std.NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
 type (
--- a/container/seccomp/presets_riscv64_test.go
+++ b/container/seccomp/presets_riscv64_test.go
@@ -0,0 +1,27 @@
 package seccomp_test
 import (
 	. "hakurei.app/container/seccomp"
 	. "hakurei.app/container/std"
 )
 var bpfExpected = bpfLookup{
 	{AllowMultiarch | AllowCAN |
 		AllowBluetooth, PresetExt |
 		PresetDenyNS | PresetDenyTTY | PresetDenyDevel |
 		PresetLinux32}: toHash(
 		"a1c4ffa35f4bfbf38061184760b9a09edfcb4964c3b534395e47327b83f3fb61f2f9573ddfcc4772424cc2f5dd12fd32471e6531dbe10e85eda3797dd4fa179f"),
 	{0, 0}: toHash(
 		"f3910fd727d087def593e3876c2c6ab9ace71d82ec8cbc992a26223e7bba85e1d7a0b56c5fc6303703f24595825dad8561637edaedd5384b34a6cd080946633c"),
 	{0, PresetExt}: toHash(
 		"741438c5e3f11c36c92ae8c5934f13440675c6e719541c2dbffeda79a10081bcfd9ad8314a60c1d1f53db86c8080c13fffa3bbcf7fe753935679b4b902737286"),
 	{0, PresetStrict}: toHash(
 		"79e9e464d02405c6d74fd2c771bd72a1311e488221c73a9c32db9270219837c54fccec2f36fe2474895547e60c311514567e2e6cf4e7a7fcf909c1ecd1e254a7"),
 	{0, PresetDenyNS | PresetDenyTTY | PresetDenyDevel}: toHash(
 		"3c443715a6c1e557a284862ea8efb70a5d4ecbe67d1226627323e861cd3646fb3e7768ec5b94b93760b7f652cf6916f66e317a4fbf8716d10c3673aa4fc3ae58"),
 	{0, PresetExt | PresetDenyDevel}: toHash(
 		"4448a74e8cc75a4ab63799c4f2cc2a5af63e5f4e8e9b8ac15a1873d647dfa67a4c67b39ed466d8dd32abc64136d401879fc6185c9ab00feeaf59ccf4305f8201"),
 	{0, PresetExt | PresetDenyNS | PresetDenyDevel}: toHash(
 		"c7c86e793cb7192f5f6c735f372cda27eb43ae1045e587f8eadb64c849520a3280b6570a3d7b601d32cddb38021585a2234db38e506cebfd10aa3d6c75440f17"),
 }
--- a/container/seccomp/std_test.go
+++ b/container/seccomp/std_test.go
@@ -24,8 +24,8 @@ func TestSyscallResolveName(t *testing.T) {
 }
 func TestRuleType(t *testing.T) {
-	assertKind[std.ScmpUint, scmpUint](t)
+	assertKind[std.Uint, scmpUint](t)
-	assertKind[std.ScmpInt, scmpInt](t)
+	assertKind[std.Int, scmpInt](t)
 	assertSize[std.NativeRule, syscallRule](t)
 	assertKind[std.ScmpDatum, scmpDatum](t)
--- a/container/std/mksysnum_linux.pl
+++ b/container/std/mksysnum_linux.pl
@@ -12,6 +12,7 @@ my %syscall_cutoff_arch = (
 	"x86" => 340,
 	"x86_64" => 302,
 	"aarch64" => 281,
 	"riscv64" => 281,
 );
 print <<EOF;
--- a/container/std/seccomp.go
+++ b/container/std/seccomp.go
@@ -7,24 +7,28 @@ import (
 type (
 	// ScmpUint is equivalent to C.uint.
-	ScmpUint uint32
+	//
 	// Deprecated: This type has been renamed to Uint and will be removed in 0.4.
 	ScmpUint = Uint
 	// ScmpInt is equivalent to C.int.
-	ScmpInt int32
+	//
 	// Deprecated: This type has been renamed to Int and will be removed in 0.4.
 	ScmpInt = Int
 	// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
-	ScmpSyscall ScmpInt
+	ScmpSyscall Int
 	// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
-	ScmpErrno ScmpInt
+	ScmpErrno Int
 	// ScmpCompare is equivalent to enum scmp_compare;
-	ScmpCompare ScmpUint
+	ScmpCompare Uint
 	// ScmpDatum is equivalent to scmp_datum_t.
 	ScmpDatum uint64
 	// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
 	ScmpArgCmp struct {
 		// argument number, starting at 0
-		Arg ScmpUint `json:"arg"`
+		Arg Uint `json:"arg"`
 		// the comparison op, e.g. SCMP_CMP_*
 		Op ScmpCompare `json:"op"`
--- a/container/std/syscall_extra_linux_riscv64.go
+++ b/container/std/syscall_extra_linux_riscv64.go
@@ -0,0 +1,55 @@
 package std
 import "syscall"
 const (
 	SYS_NEWFSTATAT = syscall.SYS_FSTATAT
 )
 var syscallNumExtra = map[string]ScmpSyscall{
 	"uselib":          SNR_USELIB,
 	"clock_adjtime64": SNR_CLOCK_ADJTIME64,
 	"clock_settime64": SNR_CLOCK_SETTIME64,
 	"umount":          SNR_UMOUNT,
 	"chown":           SNR_CHOWN,
 	"chown32":         SNR_CHOWN32,
 	"fchown32":        SNR_FCHOWN32,
 	"lchown":          SNR_LCHOWN,
 	"lchown32":        SNR_LCHOWN32,
 	"setgid32":        SNR_SETGID32,
 	"setgroups32":     SNR_SETGROUPS32,
 	"setregid32":      SNR_SETREGID32,
 	"setresgid32":     SNR_SETRESGID32,
 	"setresuid32":     SNR_SETRESUID32,
 	"setreuid32":      SNR_SETREUID32,
 	"setuid32":        SNR_SETUID32,
 	"modify_ldt":      SNR_MODIFY_LDT,
 	"subpage_prot":    SNR_SUBPAGE_PROT,
 	"switch_endian":   SNR_SWITCH_ENDIAN,
 	"vm86":            SNR_VM86,
 	"vm86old":         SNR_VM86OLD,
 }
 const (
 	SNR_USELIB          ScmpSyscall = __PNR_uselib
 	SNR_CLOCK_ADJTIME64 ScmpSyscall = __PNR_clock_adjtime64
 	SNR_CLOCK_SETTIME64 ScmpSyscall = __PNR_clock_settime64
 	SNR_UMOUNT          ScmpSyscall = __PNR_umount
 	SNR_CHOWN           ScmpSyscall = __PNR_chown
 	SNR_CHOWN32         ScmpSyscall = __PNR_chown32
 	SNR_FCHOWN32        ScmpSyscall = __PNR_fchown32
 	SNR_LCHOWN          ScmpSyscall = __PNR_lchown
 	SNR_LCHOWN32        ScmpSyscall = __PNR_lchown32
 	SNR_SETGID32        ScmpSyscall = __PNR_setgid32
 	SNR_SETGROUPS32     ScmpSyscall = __PNR_setgroups32
 	SNR_SETREGID32      ScmpSyscall = __PNR_setregid32
 	SNR_SETRESGID32     ScmpSyscall = __PNR_setresgid32
 	SNR_SETRESUID32     ScmpSyscall = __PNR_setresuid32
 	SNR_SETREUID32      ScmpSyscall = __PNR_setreuid32
 	SNR_SETUID32        ScmpSyscall = __PNR_setuid32
 	SNR_MODIFY_LDT      ScmpSyscall = __PNR_modify_ldt
 	SNR_SUBPAGE_PROT    ScmpSyscall = __PNR_subpage_prot
 	SNR_SWITCH_ENDIAN   ScmpSyscall = __PNR_switch_endian
 	SNR_VM86            ScmpSyscall = __PNR_vm86
 	SNR_VM86OLD         ScmpSyscall = __PNR_vm86old
 )
--- a/container/std/syscall_linux_riscv64.go
+++ b/container/std/syscall_linux_riscv64.go
@@ -0,0 +1,719 @@
 // mksysnum_linux.pl /usr/include/riscv64-linux-gnu/asm/unistd.h
 // Code generated by the command above; DO NOT EDIT.
 package std
 import . "syscall"
 var syscallNum = map[string]ScmpSyscall{
 	"io_setup":                SNR_IO_SETUP,
 	"io_destroy":              SNR_IO_DESTROY,
 	"io_submit":               SNR_IO_SUBMIT,
 	"io_cancel":               SNR_IO_CANCEL,
 	"io_getevents":            SNR_IO_GETEVENTS,
 	"setxattr":                SNR_SETXATTR,
 	"lsetxattr":               SNR_LSETXATTR,
 	"fsetxattr":               SNR_FSETXATTR,
 	"getxattr":                SNR_GETXATTR,
 	"lgetxattr":               SNR_LGETXATTR,
 	"fgetxattr":               SNR_FGETXATTR,
 	"listxattr":               SNR_LISTXATTR,
 	"llistxattr":              SNR_LLISTXATTR,
 	"flistxattr":              SNR_FLISTXATTR,
 	"removexattr":             SNR_REMOVEXATTR,
 	"lremovexattr":            SNR_LREMOVEXATTR,
 	"fremovexattr":            SNR_FREMOVEXATTR,
 	"getcwd":                  SNR_GETCWD,
 	"lookup_dcookie":          SNR_LOOKUP_DCOOKIE,
 	"eventfd2":                SNR_EVENTFD2,
 	"epoll_create1":           SNR_EPOLL_CREATE1,
 	"epoll_ctl":               SNR_EPOLL_CTL,
 	"epoll_pwait":             SNR_EPOLL_PWAIT,
 	"dup":                     SNR_DUP,
 	"dup3":                    SNR_DUP3,
 	"fcntl":                   SNR_FCNTL,
 	"inotify_init1":           SNR_INOTIFY_INIT1,
 	"inotify_add_watch":       SNR_INOTIFY_ADD_WATCH,
 	"inotify_rm_watch":        SNR_INOTIFY_RM_WATCH,
 	"ioctl":                   SNR_IOCTL,
 	"ioprio_set":              SNR_IOPRIO_SET,
 	"ioprio_get":              SNR_IOPRIO_GET,
 	"flock":                   SNR_FLOCK,
 	"mknodat":                 SNR_MKNODAT,
 	"mkdirat":                 SNR_MKDIRAT,
 	"unlinkat":                SNR_UNLINKAT,
 	"symlinkat":               SNR_SYMLINKAT,
 	"linkat":                  SNR_LINKAT,
 	"umount2":                 SNR_UMOUNT2,
 	"mount":                   SNR_MOUNT,
 	"pivot_root":              SNR_PIVOT_ROOT,
 	"nfsservctl":              SNR_NFSSERVCTL,
 	"statfs":                  SNR_STATFS,
 	"fstatfs":                 SNR_FSTATFS,
 	"truncate":                SNR_TRUNCATE,
 	"ftruncate":               SNR_FTRUNCATE,
 	"fallocate":               SNR_FALLOCATE,
 	"faccessat":               SNR_FACCESSAT,
 	"chdir":                   SNR_CHDIR,
 	"fchdir":                  SNR_FCHDIR,
 	"chroot":                  SNR_CHROOT,
 	"fchmod":                  SNR_FCHMOD,
 	"fchmodat":                SNR_FCHMODAT,
 	"fchownat":                SNR_FCHOWNAT,
 	"fchown":                  SNR_FCHOWN,
 	"openat":                  SNR_OPENAT,
 	"close":                   SNR_CLOSE,
 	"vhangup":                 SNR_VHANGUP,
 	"pipe2":                   SNR_PIPE2,
 	"quotactl":                SNR_QUOTACTL,
 	"getdents64":              SNR_GETDENTS64,
 	"lseek":                   SNR_LSEEK,
 	"read":                    SNR_READ,
 	"write":                   SNR_WRITE,
 	"readv":                   SNR_READV,
 	"writev":                  SNR_WRITEV,
 	"pread64":                 SNR_PREAD64,
 	"pwrite64":                SNR_PWRITE64,
 	"preadv":                  SNR_PREADV,
 	"pwritev":                 SNR_PWRITEV,
 	"sendfile":                SNR_SENDFILE,
 	"pselect6":                SNR_PSELECT6,
 	"ppoll":                   SNR_PPOLL,
 	"signalfd4":               SNR_SIGNALFD4,
 	"vmsplice":                SNR_VMSPLICE,
 	"splice":                  SNR_SPLICE,
 	"tee":                     SNR_TEE,
 	"readlinkat":              SNR_READLINKAT,
 	"newfstatat":              SNR_NEWFSTATAT,
 	"fstat":                   SNR_FSTAT,
 	"sync":                    SNR_SYNC,
 	"fsync":                   SNR_FSYNC,
 	"fdatasync":               SNR_FDATASYNC,
 	"sync_file_range":         SNR_SYNC_FILE_RANGE,
 	"timerfd_create":          SNR_TIMERFD_CREATE,
 	"timerfd_settime":         SNR_TIMERFD_SETTIME,
 	"timerfd_gettime":         SNR_TIMERFD_GETTIME,
 	"utimensat":               SNR_UTIMENSAT,
 	"acct":                    SNR_ACCT,
 	"capget":                  SNR_CAPGET,
 	"capset":                  SNR_CAPSET,
 	"personality":             SNR_PERSONALITY,
 	"exit":                    SNR_EXIT,
 	"exit_group":              SNR_EXIT_GROUP,
 	"waitid":                  SNR_WAITID,
 	"set_tid_address":         SNR_SET_TID_ADDRESS,
 	"unshare":                 SNR_UNSHARE,
 	"futex":                   SNR_FUTEX,
 	"set_robust_list":         SNR_SET_ROBUST_LIST,
 	"get_robust_list":         SNR_GET_ROBUST_LIST,
 	"nanosleep":               SNR_NANOSLEEP,
 	"getitimer":               SNR_GETITIMER,
 	"setitimer":               SNR_SETITIMER,
 	"kexec_load":              SNR_KEXEC_LOAD,
 	"init_module":             SNR_INIT_MODULE,
 	"delete_module":           SNR_DELETE_MODULE,
 	"timer_create":            SNR_TIMER_CREATE,
 	"timer_gettime":           SNR_TIMER_GETTIME,
 	"timer_getoverrun":        SNR_TIMER_GETOVERRUN,
 	"timer_settime":           SNR_TIMER_SETTIME,
 	"timer_delete":            SNR_TIMER_DELETE,
 	"clock_settime":           SNR_CLOCK_SETTIME,
 	"clock_gettime":           SNR_CLOCK_GETTIME,
 	"clock_getres":            SNR_CLOCK_GETRES,
 	"clock_nanosleep":         SNR_CLOCK_NANOSLEEP,
 	"syslog":                  SNR_SYSLOG,
 	"ptrace":                  SNR_PTRACE,
 	"sched_setparam":          SNR_SCHED_SETPARAM,
 	"sched_setscheduler":      SNR_SCHED_SETSCHEDULER,
 	"sched_getscheduler":      SNR_SCHED_GETSCHEDULER,
 	"sched_getparam":          SNR_SCHED_GETPARAM,
 	"sched_setaffinity":       SNR_SCHED_SETAFFINITY,
 	"sched_getaffinity":       SNR_SCHED_GETAFFINITY,
 	"sched_yield":             SNR_SCHED_YIELD,
 	"sched_get_priority_max":  SNR_SCHED_GET_PRIORITY_MAX,
 	"sched_get_priority_min":  SNR_SCHED_GET_PRIORITY_MIN,
 	"sched_rr_get_interval":   SNR_SCHED_RR_GET_INTERVAL,
 	"restart_syscall":         SNR_RESTART_SYSCALL,
 	"kill":                    SNR_KILL,
 	"tkill":                   SNR_TKILL,
 	"tgkill":                  SNR_TGKILL,
 	"sigaltstack":             SNR_SIGALTSTACK,
 	"rt_sigsuspend":           SNR_RT_SIGSUSPEND,
 	"rt_sigaction":            SNR_RT_SIGACTION,
 	"rt_sigprocmask":          SNR_RT_SIGPROCMASK,
 	"rt_sigpending":           SNR_RT_SIGPENDING,
 	"rt_sigtimedwait":         SNR_RT_SIGTIMEDWAIT,
 	"rt_sigqueueinfo":         SNR_RT_SIGQUEUEINFO,
 	"rt_sigreturn":            SNR_RT_SIGRETURN,
 	"setpriority":             SNR_SETPRIORITY,
 	"getpriority":             SNR_GETPRIORITY,
 	"reboot":                  SNR_REBOOT,
 	"setregid":                SNR_SETREGID,
 	"setgid":                  SNR_SETGID,
 	"setreuid":                SNR_SETREUID,
 	"setuid":                  SNR_SETUID,
 	"setresuid":               SNR_SETRESUID,
 	"getresuid":               SNR_GETRESUID,
 	"setresgid":               SNR_SETRESGID,
 	"getresgid":               SNR_GETRESGID,
 	"setfsuid":                SNR_SETFSUID,
 	"setfsgid":                SNR_SETFSGID,
 	"times":                   SNR_TIMES,
 	"setpgid":                 SNR_SETPGID,
 	"getpgid":                 SNR_GETPGID,
 	"getsid":                  SNR_GETSID,
 	"setsid":                  SNR_SETSID,
 	"getgroups":               SNR_GETGROUPS,
 	"setgroups":               SNR_SETGROUPS,
 	"uname":                   SNR_UNAME,
 	"sethostname":             SNR_SETHOSTNAME,
 	"setdomainname":           SNR_SETDOMAINNAME,
 	"getrlimit":               SNR_GETRLIMIT,
 	"setrlimit":               SNR_SETRLIMIT,
 	"getrusage":               SNR_GETRUSAGE,
 	"umask":                   SNR_UMASK,
 	"prctl":                   SNR_PRCTL,
 	"getcpu":                  SNR_GETCPU,
 	"gettimeofday":            SNR_GETTIMEOFDAY,
 	"settimeofday":            SNR_SETTIMEOFDAY,
 	"adjtimex":                SNR_ADJTIMEX,
 	"getpid":                  SNR_GETPID,
 	"getppid":                 SNR_GETPPID,
 	"getuid":                  SNR_GETUID,
 	"geteuid":                 SNR_GETEUID,
 	"getgid":                  SNR_GETGID,
 	"getegid":                 SNR_GETEGID,
 	"gettid":                  SNR_GETTID,
 	"sysinfo":                 SNR_SYSINFO,
 	"mq_open":                 SNR_MQ_OPEN,
 	"mq_unlink":               SNR_MQ_UNLINK,
 	"mq_timedsend":            SNR_MQ_TIMEDSEND,
 	"mq_timedreceive":         SNR_MQ_TIMEDRECEIVE,
 	"mq_notify":               SNR_MQ_NOTIFY,
 	"mq_getsetattr":           SNR_MQ_GETSETATTR,
 	"msgget":                  SNR_MSGGET,
 	"msgctl":                  SNR_MSGCTL,
 	"msgrcv":                  SNR_MSGRCV,
 	"msgsnd":                  SNR_MSGSND,
 	"semget":                  SNR_SEMGET,
 	"semctl":                  SNR_SEMCTL,
 	"semtimedop":              SNR_SEMTIMEDOP,
 	"semop":                   SNR_SEMOP,
 	"shmget":                  SNR_SHMGET,
 	"shmctl":                  SNR_SHMCTL,
 	"shmat":                   SNR_SHMAT,
 	"shmdt":                   SNR_SHMDT,
 	"socket":                  SNR_SOCKET,
 	"socketpair":              SNR_SOCKETPAIR,
 	"bind":                    SNR_BIND,
 	"listen":                  SNR_LISTEN,
 	"accept":                  SNR_ACCEPT,
 	"connect":                 SNR_CONNECT,
 	"getsockname":             SNR_GETSOCKNAME,
 	"getpeername":             SNR_GETPEERNAME,
 	"sendto":                  SNR_SENDTO,
 	"recvfrom":                SNR_RECVFROM,
 	"setsockopt":              SNR_SETSOCKOPT,
 	"getsockopt":              SNR_GETSOCKOPT,
 	"shutdown":                SNR_SHUTDOWN,
 	"sendmsg":                 SNR_SENDMSG,
 	"recvmsg":                 SNR_RECVMSG,
 	"readahead":               SNR_READAHEAD,
 	"brk":                     SNR_BRK,
 	"munmap":                  SNR_MUNMAP,
 	"mremap":                  SNR_MREMAP,
 	"add_key":                 SNR_ADD_KEY,
 	"request_key":             SNR_REQUEST_KEY,
 	"keyctl":                  SNR_KEYCTL,
 	"clone":                   SNR_CLONE,
 	"execve":                  SNR_EXECVE,
 	"mmap":                    SNR_MMAP,
 	"fadvise64":               SNR_FADVISE64,
 	"swapon":                  SNR_SWAPON,
 	"swapoff":                 SNR_SWAPOFF,
 	"mprotect":                SNR_MPROTECT,
 	"msync":                   SNR_MSYNC,
 	"mlock":                   SNR_MLOCK,
 	"munlock":                 SNR_MUNLOCK,
 	"mlockall":                SNR_MLOCKALL,
 	"munlockall":              SNR_MUNLOCKALL,
 	"mincore":                 SNR_MINCORE,
 	"madvise":                 SNR_MADVISE,
 	"remap_file_pages":        SNR_REMAP_FILE_PAGES,
 	"mbind":                   SNR_MBIND,
 	"get_mempolicy":           SNR_GET_MEMPOLICY,
 	"set_mempolicy":           SNR_SET_MEMPOLICY,
 	"migrate_pages":           SNR_MIGRATE_PAGES,
 	"move_pages":              SNR_MOVE_PAGES,
 	"rt_tgsigqueueinfo":       SNR_RT_TGSIGQUEUEINFO,
 	"perf_event_open":         SNR_PERF_EVENT_OPEN,
 	"accept4":                 SNR_ACCEPT4,
 	"recvmmsg":                SNR_RECVMMSG,
 	"wait4":                   SNR_WAIT4,
 	"prlimit64":               SNR_PRLIMIT64,
 	"fanotify_init":           SNR_FANOTIFY_INIT,
 	"fanotify_mark":           SNR_FANOTIFY_MARK,
 	"name_to_handle_at":       SNR_NAME_TO_HANDLE_AT,
 	"open_by_handle_at":       SNR_OPEN_BY_HANDLE_AT,
 	"clock_adjtime":           SNR_CLOCK_ADJTIME,
 	"syncfs":                  SNR_SYNCFS,
 	"setns":                   SNR_SETNS,
 	"sendmmsg":                SNR_SENDMMSG,
 	"process_vm_readv":        SNR_PROCESS_VM_READV,
 	"process_vm_writev":       SNR_PROCESS_VM_WRITEV,
 	"kcmp":                    SNR_KCMP,
 	"finit_module":            SNR_FINIT_MODULE,
 	"sched_setattr":           SNR_SCHED_SETATTR,
 	"sched_getattr":           SNR_SCHED_GETATTR,
 	"renameat2":               SNR_RENAMEAT2,
 	"seccomp":                 SNR_SECCOMP,
 	"getrandom":               SNR_GETRANDOM,
 	"memfd_create":            SNR_MEMFD_CREATE,
 	"bpf":                     SNR_BPF,
 	"execveat":                SNR_EXECVEAT,
 	"userfaultfd":             SNR_USERFAULTFD,
 	"membarrier":              SNR_MEMBARRIER,
 	"mlock2":                  SNR_MLOCK2,
 	"copy_file_range":         SNR_COPY_FILE_RANGE,
 	"preadv2":                 SNR_PREADV2,
 	"pwritev2":                SNR_PWRITEV2,
 	"pkey_mprotect":           SNR_PKEY_MPROTECT,
 	"pkey_alloc":              SNR_PKEY_ALLOC,
 	"pkey_free":               SNR_PKEY_FREE,
 	"statx":                   SNR_STATX,
 	"io_pgetevents":           SNR_IO_PGETEVENTS,
 	"rseq":                    SNR_RSEQ,
 	"kexec_file_load":         SNR_KEXEC_FILE_LOAD,
 	"pidfd_send_signal":       SNR_PIDFD_SEND_SIGNAL,
 	"io_uring_setup":          SNR_IO_URING_SETUP,
 	"io_uring_enter":          SNR_IO_URING_ENTER,
 	"io_uring_register":       SNR_IO_URING_REGISTER,
 	"open_tree":               SNR_OPEN_TREE,
 	"move_mount":              SNR_MOVE_MOUNT,
 	"fsopen":                  SNR_FSOPEN,
 	"fsconfig":                SNR_FSCONFIG,
 	"fsmount":                 SNR_FSMOUNT,
 	"fspick":                  SNR_FSPICK,
 	"pidfd_open":              SNR_PIDFD_OPEN,
 	"clone3":                  SNR_CLONE3,
 	"close_range":             SNR_CLOSE_RANGE,
 	"openat2":                 SNR_OPENAT2,
 	"pidfd_getfd":             SNR_PIDFD_GETFD,
 	"faccessat2":              SNR_FACCESSAT2,
 	"process_madvise":         SNR_PROCESS_MADVISE,
 	"epoll_pwait2":            SNR_EPOLL_PWAIT2,
 	"mount_setattr":           SNR_MOUNT_SETATTR,
 	"quotactl_fd":             SNR_QUOTACTL_FD,
 	"landlock_create_ruleset": SNR_LANDLOCK_CREATE_RULESET,
 	"landlock_add_rule":       SNR_LANDLOCK_ADD_RULE,
 	"landlock_restrict_self":  SNR_LANDLOCK_RESTRICT_SELF,
 	"memfd_secret":            SNR_MEMFD_SECRET,
 	"process_mrelease":        SNR_PROCESS_MRELEASE,
 	"futex_waitv":             SNR_FUTEX_WAITV,
 	"set_mempolicy_home_node": SNR_SET_MEMPOLICY_HOME_NODE,
 	"cachestat":               SNR_CACHESTAT,
 	"fchmodat2":               SNR_FCHMODAT2,
 	"map_shadow_stack":        SNR_MAP_SHADOW_STACK,
 	"futex_wake":              SNR_FUTEX_WAKE,
 	"futex_wait":              SNR_FUTEX_WAIT,
 	"futex_requeue":           SNR_FUTEX_REQUEUE,
 	"statmount":               SNR_STATMOUNT,
 	"listmount":               SNR_LISTMOUNT,
 	"lsm_get_self_attr":       SNR_LSM_GET_SELF_ATTR,
 	"lsm_set_self_attr":       SNR_LSM_SET_SELF_ATTR,
 	"lsm_list_modules":        SNR_LSM_LIST_MODULES,
 	"mseal":                   SNR_MSEAL,
 	"setxattrat":              SNR_SETXATTRAT,
 	"getxattrat":              SNR_GETXATTRAT,
 	"listxattrat":             SNR_LISTXATTRAT,
 	"removexattrat":           SNR_REMOVEXATTRAT,
 }
 const (
 	SYS_USERFAULTFD             = 282
 	SYS_MEMBARRIER              = 283
 	SYS_MLOCK2                  = 284
 	SYS_COPY_FILE_RANGE         = 285
 	SYS_PREADV2                 = 286
 	SYS_PWRITEV2                = 287
 	SYS_PKEY_MPROTECT           = 288
 	SYS_PKEY_ALLOC              = 289
 	SYS_PKEY_FREE               = 290
 	SYS_STATX                   = 291
 	SYS_IO_PGETEVENTS           = 292
 	SYS_RSEQ                    = 293
 	SYS_KEXEC_FILE_LOAD         = 294
 	SYS_PIDFD_SEND_SIGNAL       = 424
 	SYS_IO_URING_SETUP          = 425
 	SYS_IO_URING_ENTER          = 426
 	SYS_IO_URING_REGISTER       = 427
 	SYS_OPEN_TREE               = 428
 	SYS_MOVE_MOUNT              = 429
 	SYS_FSOPEN                  = 430
 	SYS_FSCONFIG                = 431
 	SYS_FSMOUNT                 = 432
 	SYS_FSPICK                  = 433
 	SYS_PIDFD_OPEN              = 434
 	SYS_CLONE3                  = 435
 	SYS_CLOSE_RANGE             = 436
 	SYS_OPENAT2                 = 437
 	SYS_PIDFD_GETFD             = 438
 	SYS_FACCESSAT2              = 439
 	SYS_PROCESS_MADVISE         = 440
 	SYS_EPOLL_PWAIT2            = 441
 	SYS_MOUNT_SETATTR           = 442
 	SYS_QUOTACTL_FD             = 443
 	SYS_LANDLOCK_CREATE_RULESET = 444
 	SYS_LANDLOCK_ADD_RULE       = 445
 	SYS_LANDLOCK_RESTRICT_SELF  = 446
 	SYS_MEMFD_SECRET            = 447
 	SYS_PROCESS_MRELEASE        = 448
 	SYS_FUTEX_WAITV             = 449
 	SYS_SET_MEMPOLICY_HOME_NODE = 450
 	SYS_CACHESTAT               = 451
 	SYS_FCHMODAT2               = 452
 	SYS_MAP_SHADOW_STACK        = 453
 	SYS_FUTEX_WAKE              = 454
 	SYS_FUTEX_WAIT              = 455
 	SYS_FUTEX_REQUEUE           = 456
 	SYS_STATMOUNT               = 457
 	SYS_LISTMOUNT               = 458
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
 	SYS_MSEAL                   = 462
 	SYS_SETXATTRAT              = 463
 	SYS_GETXATTRAT              = 464
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
 	SYS_FILE_GETATTR            = 468
 	SYS_FILE_SETATTR            = 469
 )
 const (
 	SNR_IO_SETUP                ScmpSyscall = SYS_IO_SETUP
 	SNR_IO_DESTROY              ScmpSyscall = SYS_IO_DESTROY
 	SNR_IO_SUBMIT               ScmpSyscall = SYS_IO_SUBMIT
 	SNR_IO_CANCEL               ScmpSyscall = SYS_IO_CANCEL
 	SNR_IO_GETEVENTS            ScmpSyscall = SYS_IO_GETEVENTS
 	SNR_SETXATTR                ScmpSyscall = SYS_SETXATTR
 	SNR_LSETXATTR               ScmpSyscall = SYS_LSETXATTR
 	SNR_FSETXATTR               ScmpSyscall = SYS_FSETXATTR
 	SNR_GETXATTR                ScmpSyscall = SYS_GETXATTR
 	SNR_LGETXATTR               ScmpSyscall = SYS_LGETXATTR
 	SNR_FGETXATTR               ScmpSyscall = SYS_FGETXATTR
 	SNR_LISTXATTR               ScmpSyscall = SYS_LISTXATTR
 	SNR_LLISTXATTR              ScmpSyscall = SYS_LLISTXATTR
 	SNR_FLISTXATTR              ScmpSyscall = SYS_FLISTXATTR
 	SNR_REMOVEXATTR             ScmpSyscall = SYS_REMOVEXATTR
 	SNR_LREMOVEXATTR            ScmpSyscall = SYS_LREMOVEXATTR
 	SNR_FREMOVEXATTR            ScmpSyscall = SYS_FREMOVEXATTR
 	SNR_GETCWD                  ScmpSyscall = SYS_GETCWD
 	SNR_LOOKUP_DCOOKIE          ScmpSyscall = SYS_LOOKUP_DCOOKIE
 	SNR_EVENTFD2                ScmpSyscall = SYS_EVENTFD2
 	SNR_EPOLL_CREATE1           ScmpSyscall = SYS_EPOLL_CREATE1
 	SNR_EPOLL_CTL               ScmpSyscall = SYS_EPOLL_CTL
 	SNR_EPOLL_PWAIT             ScmpSyscall = SYS_EPOLL_PWAIT
 	SNR_DUP                     ScmpSyscall = SYS_DUP
 	SNR_DUP3                    ScmpSyscall = SYS_DUP3
 	SNR_FCNTL                   ScmpSyscall = SYS_FCNTL
 	SNR_INOTIFY_INIT1           ScmpSyscall = SYS_INOTIFY_INIT1
 	SNR_INOTIFY_ADD_WATCH       ScmpSyscall = SYS_INOTIFY_ADD_WATCH
 	SNR_INOTIFY_RM_WATCH        ScmpSyscall = SYS_INOTIFY_RM_WATCH
 	SNR_IOCTL                   ScmpSyscall = SYS_IOCTL
 	SNR_IOPRIO_SET              ScmpSyscall = SYS_IOPRIO_SET
 	SNR_IOPRIO_GET              ScmpSyscall = SYS_IOPRIO_GET
 	SNR_FLOCK                   ScmpSyscall = SYS_FLOCK
 	SNR_MKNODAT                 ScmpSyscall = SYS_MKNODAT
 	SNR_MKDIRAT                 ScmpSyscall = SYS_MKDIRAT
 	SNR_UNLINKAT                ScmpSyscall = SYS_UNLINKAT
 	SNR_SYMLINKAT               ScmpSyscall = SYS_SYMLINKAT
 	SNR_LINKAT                  ScmpSyscall = SYS_LINKAT
 	SNR_UMOUNT2                 ScmpSyscall = SYS_UMOUNT2
 	SNR_MOUNT                   ScmpSyscall = SYS_MOUNT
 	SNR_PIVOT_ROOT              ScmpSyscall = SYS_PIVOT_ROOT
 	SNR_NFSSERVCTL              ScmpSyscall = SYS_NFSSERVCTL
 	SNR_STATFS                  ScmpSyscall = SYS_STATFS
 	SNR_FSTATFS                 ScmpSyscall = SYS_FSTATFS
 	SNR_TRUNCATE                ScmpSyscall = SYS_TRUNCATE
 	SNR_FTRUNCATE               ScmpSyscall = SYS_FTRUNCATE
 	SNR_FALLOCATE               ScmpSyscall = SYS_FALLOCATE
 	SNR_FACCESSAT               ScmpSyscall = SYS_FACCESSAT
 	SNR_CHDIR                   ScmpSyscall = SYS_CHDIR
 	SNR_FCHDIR                  ScmpSyscall = SYS_FCHDIR
 	SNR_CHROOT                  ScmpSyscall = SYS_CHROOT
 	SNR_FCHMOD                  ScmpSyscall = SYS_FCHMOD
 	SNR_FCHMODAT                ScmpSyscall = SYS_FCHMODAT
 	SNR_FCHOWNAT                ScmpSyscall = SYS_FCHOWNAT
 	SNR_FCHOWN                  ScmpSyscall = SYS_FCHOWN
 	SNR_OPENAT                  ScmpSyscall = SYS_OPENAT
 	SNR_CLOSE                   ScmpSyscall = SYS_CLOSE
 	SNR_VHANGUP                 ScmpSyscall = SYS_VHANGUP
 	SNR_PIPE2                   ScmpSyscall = SYS_PIPE2
 	SNR_QUOTACTL                ScmpSyscall = SYS_QUOTACTL
 	SNR_GETDENTS64              ScmpSyscall = SYS_GETDENTS64
 	SNR_LSEEK                   ScmpSyscall = SYS_LSEEK
 	SNR_READ                    ScmpSyscall = SYS_READ
 	SNR_WRITE                   ScmpSyscall = SYS_WRITE
 	SNR_READV                   ScmpSyscall = SYS_READV
 	SNR_WRITEV                  ScmpSyscall = SYS_WRITEV
 	SNR_PREAD64                 ScmpSyscall = SYS_PREAD64
 	SNR_PWRITE64                ScmpSyscall = SYS_PWRITE64
 	SNR_PREADV                  ScmpSyscall = SYS_PREADV
 	SNR_PWRITEV                 ScmpSyscall = SYS_PWRITEV
 	SNR_SENDFILE                ScmpSyscall = SYS_SENDFILE
 	SNR_PSELECT6                ScmpSyscall = SYS_PSELECT6
 	SNR_PPOLL                   ScmpSyscall = SYS_PPOLL
 	SNR_SIGNALFD4               ScmpSyscall = SYS_SIGNALFD4
 	SNR_VMSPLICE                ScmpSyscall = SYS_VMSPLICE
 	SNR_SPLICE                  ScmpSyscall = SYS_SPLICE
 	SNR_TEE                     ScmpSyscall = SYS_TEE
 	SNR_READLINKAT              ScmpSyscall = SYS_READLINKAT
 	SNR_NEWFSTATAT              ScmpSyscall = SYS_NEWFSTATAT
 	SNR_FSTAT                   ScmpSyscall = SYS_FSTAT
 	SNR_SYNC                    ScmpSyscall = SYS_SYNC
 	SNR_FSYNC                   ScmpSyscall = SYS_FSYNC
 	SNR_FDATASYNC               ScmpSyscall = SYS_FDATASYNC
 	SNR_SYNC_FILE_RANGE         ScmpSyscall = SYS_SYNC_FILE_RANGE
 	SNR_TIMERFD_CREATE          ScmpSyscall = SYS_TIMERFD_CREATE
 	SNR_TIMERFD_SETTIME         ScmpSyscall = SYS_TIMERFD_SETTIME
 	SNR_TIMERFD_GETTIME         ScmpSyscall = SYS_TIMERFD_GETTIME
 	SNR_UTIMENSAT               ScmpSyscall = SYS_UTIMENSAT
 	SNR_ACCT                    ScmpSyscall = SYS_ACCT
 	SNR_CAPGET                  ScmpSyscall = SYS_CAPGET
 	SNR_CAPSET                  ScmpSyscall = SYS_CAPSET
 	SNR_PERSONALITY             ScmpSyscall = SYS_PERSONALITY
 	SNR_EXIT                    ScmpSyscall = SYS_EXIT
 	SNR_EXIT_GROUP              ScmpSyscall = SYS_EXIT_GROUP
 	SNR_WAITID                  ScmpSyscall = SYS_WAITID
 	SNR_SET_TID_ADDRESS         ScmpSyscall = SYS_SET_TID_ADDRESS
 	SNR_UNSHARE                 ScmpSyscall = SYS_UNSHARE
 	SNR_FUTEX                   ScmpSyscall = SYS_FUTEX
 	SNR_SET_ROBUST_LIST         ScmpSyscall = SYS_SET_ROBUST_LIST
 	SNR_GET_ROBUST_LIST         ScmpSyscall = SYS_GET_ROBUST_LIST
 	SNR_NANOSLEEP               ScmpSyscall = SYS_NANOSLEEP
 	SNR_GETITIMER               ScmpSyscall = SYS_GETITIMER
 	SNR_SETITIMER               ScmpSyscall = SYS_SETITIMER
 	SNR_KEXEC_LOAD              ScmpSyscall = SYS_KEXEC_LOAD
 	SNR_INIT_MODULE             ScmpSyscall = SYS_INIT_MODULE
 	SNR_DELETE_MODULE           ScmpSyscall = SYS_DELETE_MODULE
 	SNR_TIMER_CREATE            ScmpSyscall = SYS_TIMER_CREATE
 	SNR_TIMER_GETTIME           ScmpSyscall = SYS_TIMER_GETTIME
 	SNR_TIMER_GETOVERRUN        ScmpSyscall = SYS_TIMER_GETOVERRUN
 	SNR_TIMER_SETTIME           ScmpSyscall = SYS_TIMER_SETTIME
 	SNR_TIMER_DELETE            ScmpSyscall = SYS_TIMER_DELETE
 	SNR_CLOCK_SETTIME           ScmpSyscall = SYS_CLOCK_SETTIME
 	SNR_CLOCK_GETTIME           ScmpSyscall = SYS_CLOCK_GETTIME
 	SNR_CLOCK_GETRES            ScmpSyscall = SYS_CLOCK_GETRES
 	SNR_CLOCK_NANOSLEEP         ScmpSyscall = SYS_CLOCK_NANOSLEEP
 	SNR_SYSLOG                  ScmpSyscall = SYS_SYSLOG
 	SNR_PTRACE                  ScmpSyscall = SYS_PTRACE
 	SNR_SCHED_SETPARAM          ScmpSyscall = SYS_SCHED_SETPARAM
 	SNR_SCHED_SETSCHEDULER      ScmpSyscall = SYS_SCHED_SETSCHEDULER
 	SNR_SCHED_GETSCHEDULER      ScmpSyscall = SYS_SCHED_GETSCHEDULER
 	SNR_SCHED_GETPARAM          ScmpSyscall = SYS_SCHED_GETPARAM
 	SNR_SCHED_SETAFFINITY       ScmpSyscall = SYS_SCHED_SETAFFINITY
 	SNR_SCHED_GETAFFINITY       ScmpSyscall = SYS_SCHED_GETAFFINITY
 	SNR_SCHED_YIELD             ScmpSyscall = SYS_SCHED_YIELD
 	SNR_SCHED_GET_PRIORITY_MAX  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MAX
 	SNR_SCHED_GET_PRIORITY_MIN  ScmpSyscall = SYS_SCHED_GET_PRIORITY_MIN
 	SNR_SCHED_RR_GET_INTERVAL   ScmpSyscall = SYS_SCHED_RR_GET_INTERVAL
 	SNR_RESTART_SYSCALL         ScmpSyscall = SYS_RESTART_SYSCALL
 	SNR_KILL                    ScmpSyscall = SYS_KILL
 	SNR_TKILL                   ScmpSyscall = SYS_TKILL
 	SNR_TGKILL                  ScmpSyscall = SYS_TGKILL
 	SNR_SIGALTSTACK             ScmpSyscall = SYS_SIGALTSTACK
 	SNR_RT_SIGSUSPEND           ScmpSyscall = SYS_RT_SIGSUSPEND
 	SNR_RT_SIGACTION            ScmpSyscall = SYS_RT_SIGACTION
 	SNR_RT_SIGPROCMASK          ScmpSyscall = SYS_RT_SIGPROCMASK
 	SNR_RT_SIGPENDING           ScmpSyscall = SYS_RT_SIGPENDING
 	SNR_RT_SIGTIMEDWAIT         ScmpSyscall = SYS_RT_SIGTIMEDWAIT
 	SNR_RT_SIGQUEUEINFO         ScmpSyscall = SYS_RT_SIGQUEUEINFO
 	SNR_RT_SIGRETURN            ScmpSyscall = SYS_RT_SIGRETURN
 	SNR_SETPRIORITY             ScmpSyscall = SYS_SETPRIORITY
 	SNR_GETPRIORITY             ScmpSyscall = SYS_GETPRIORITY
 	SNR_REBOOT                  ScmpSyscall = SYS_REBOOT
 	SNR_SETREGID                ScmpSyscall = SYS_SETREGID
 	SNR_SETGID                  ScmpSyscall = SYS_SETGID
 	SNR_SETREUID                ScmpSyscall = SYS_SETREUID
 	SNR_SETUID                  ScmpSyscall = SYS_SETUID
 	SNR_SETRESUID               ScmpSyscall = SYS_SETRESUID
 	SNR_GETRESUID               ScmpSyscall = SYS_GETRESUID
 	SNR_SETRESGID               ScmpSyscall = SYS_SETRESGID
 	SNR_GETRESGID               ScmpSyscall = SYS_GETRESGID
 	SNR_SETFSUID                ScmpSyscall = SYS_SETFSUID
 	SNR_SETFSGID                ScmpSyscall = SYS_SETFSGID
 	SNR_TIMES                   ScmpSyscall = SYS_TIMES
 	SNR_SETPGID                 ScmpSyscall = SYS_SETPGID
 	SNR_GETPGID                 ScmpSyscall = SYS_GETPGID
 	SNR_GETSID                  ScmpSyscall = SYS_GETSID
 	SNR_SETSID                  ScmpSyscall = SYS_SETSID
 	SNR_GETGROUPS               ScmpSyscall = SYS_GETGROUPS
 	SNR_SETGROUPS               ScmpSyscall = SYS_SETGROUPS
 	SNR_UNAME                   ScmpSyscall = SYS_UNAME
 	SNR_SETHOSTNAME             ScmpSyscall = SYS_SETHOSTNAME
 	SNR_SETDOMAINNAME           ScmpSyscall = SYS_SETDOMAINNAME
 	SNR_GETRLIMIT               ScmpSyscall = SYS_GETRLIMIT
 	SNR_SETRLIMIT               ScmpSyscall = SYS_SETRLIMIT
 	SNR_GETRUSAGE               ScmpSyscall = SYS_GETRUSAGE
 	SNR_UMASK                   ScmpSyscall = SYS_UMASK
 	SNR_PRCTL                   ScmpSyscall = SYS_PRCTL
 	SNR_GETCPU                  ScmpSyscall = SYS_GETCPU
 	SNR_GETTIMEOFDAY            ScmpSyscall = SYS_GETTIMEOFDAY
 	SNR_SETTIMEOFDAY            ScmpSyscall = SYS_SETTIMEOFDAY
 	SNR_ADJTIMEX                ScmpSyscall = SYS_ADJTIMEX
 	SNR_GETPID                  ScmpSyscall = SYS_GETPID
 	SNR_GETPPID                 ScmpSyscall = SYS_GETPPID
 	SNR_GETUID                  ScmpSyscall = SYS_GETUID
 	SNR_GETEUID                 ScmpSyscall = SYS_GETEUID
 	SNR_GETGID                  ScmpSyscall = SYS_GETGID
 	SNR_GETEGID                 ScmpSyscall = SYS_GETEGID
 	SNR_GETTID                  ScmpSyscall = SYS_GETTID
 	SNR_SYSINFO                 ScmpSyscall = SYS_SYSINFO
 	SNR_MQ_OPEN                 ScmpSyscall = SYS_MQ_OPEN
 	SNR_MQ_UNLINK               ScmpSyscall = SYS_MQ_UNLINK
 	SNR_MQ_TIMEDSEND            ScmpSyscall = SYS_MQ_TIMEDSEND
 	SNR_MQ_TIMEDRECEIVE         ScmpSyscall = SYS_MQ_TIMEDRECEIVE
 	SNR_MQ_NOTIFY               ScmpSyscall = SYS_MQ_NOTIFY
 	SNR_MQ_GETSETATTR           ScmpSyscall = SYS_MQ_GETSETATTR
 	SNR_MSGGET                  ScmpSyscall = SYS_MSGGET
 	SNR_MSGCTL                  ScmpSyscall = SYS_MSGCTL
 	SNR_MSGRCV                  ScmpSyscall = SYS_MSGRCV
 	SNR_MSGSND                  ScmpSyscall = SYS_MSGSND
 	SNR_SEMGET                  ScmpSyscall = SYS_SEMGET
 	SNR_SEMCTL                  ScmpSyscall = SYS_SEMCTL
 	SNR_SEMTIMEDOP              ScmpSyscall = SYS_SEMTIMEDOP
 	SNR_SEMOP                   ScmpSyscall = SYS_SEMOP
 	SNR_SHMGET                  ScmpSyscall = SYS_SHMGET
 	SNR_SHMCTL                  ScmpSyscall = SYS_SHMCTL
 	SNR_SHMAT                   ScmpSyscall = SYS_SHMAT
 	SNR_SHMDT                   ScmpSyscall = SYS_SHMDT
 	SNR_SOCKET                  ScmpSyscall = SYS_SOCKET
 	SNR_SOCKETPAIR              ScmpSyscall = SYS_SOCKETPAIR
 	SNR_BIND                    ScmpSyscall = SYS_BIND
 	SNR_LISTEN                  ScmpSyscall = SYS_LISTEN
 	SNR_ACCEPT                  ScmpSyscall = SYS_ACCEPT
 	SNR_CONNECT                 ScmpSyscall = SYS_CONNECT
 	SNR_GETSOCKNAME             ScmpSyscall = SYS_GETSOCKNAME
 	SNR_GETPEERNAME             ScmpSyscall = SYS_GETPEERNAME
 	SNR_SENDTO                  ScmpSyscall = SYS_SENDTO
 	SNR_RECVFROM                ScmpSyscall = SYS_RECVFROM
 	SNR_SETSOCKOPT              ScmpSyscall = SYS_SETSOCKOPT
 	SNR_GETSOCKOPT              ScmpSyscall = SYS_GETSOCKOPT
 	SNR_SHUTDOWN                ScmpSyscall = SYS_SHUTDOWN
 	SNR_SENDMSG                 ScmpSyscall = SYS_SENDMSG
 	SNR_RECVMSG                 ScmpSyscall = SYS_RECVMSG
 	SNR_READAHEAD               ScmpSyscall = SYS_READAHEAD
 	SNR_BRK                     ScmpSyscall = SYS_BRK
 	SNR_MUNMAP                  ScmpSyscall = SYS_MUNMAP
 	SNR_MREMAP                  ScmpSyscall = SYS_MREMAP
 	SNR_ADD_KEY                 ScmpSyscall = SYS_ADD_KEY
 	SNR_REQUEST_KEY             ScmpSyscall = SYS_REQUEST_KEY
 	SNR_KEYCTL                  ScmpSyscall = SYS_KEYCTL
 	SNR_CLONE                   ScmpSyscall = SYS_CLONE
 	SNR_EXECVE                  ScmpSyscall = SYS_EXECVE
 	SNR_MMAP                    ScmpSyscall = SYS_MMAP
 	SNR_FADVISE64               ScmpSyscall = SYS_FADVISE64
 	SNR_SWAPON                  ScmpSyscall = SYS_SWAPON
 	SNR_SWAPOFF                 ScmpSyscall = SYS_SWAPOFF
 	SNR_MPROTECT                ScmpSyscall = SYS_MPROTECT
 	SNR_MSYNC                   ScmpSyscall = SYS_MSYNC
 	SNR_MLOCK                   ScmpSyscall = SYS_MLOCK
 	SNR_MUNLOCK                 ScmpSyscall = SYS_MUNLOCK
 	SNR_MLOCKALL                ScmpSyscall = SYS_MLOCKALL
 	SNR_MUNLOCKALL              ScmpSyscall = SYS_MUNLOCKALL
 	SNR_MINCORE                 ScmpSyscall = SYS_MINCORE
 	SNR_MADVISE                 ScmpSyscall = SYS_MADVISE
 	SNR_REMAP_FILE_PAGES        ScmpSyscall = SYS_REMAP_FILE_PAGES
 	SNR_MBIND                   ScmpSyscall = SYS_MBIND
 	SNR_GET_MEMPOLICY           ScmpSyscall = SYS_GET_MEMPOLICY
 	SNR_SET_MEMPOLICY           ScmpSyscall = SYS_SET_MEMPOLICY
 	SNR_MIGRATE_PAGES           ScmpSyscall = SYS_MIGRATE_PAGES
 	SNR_MOVE_PAGES              ScmpSyscall = SYS_MOVE_PAGES
 	SNR_RT_TGSIGQUEUEINFO       ScmpSyscall = SYS_RT_TGSIGQUEUEINFO
 	SNR_PERF_EVENT_OPEN         ScmpSyscall = SYS_PERF_EVENT_OPEN
 	SNR_ACCEPT4                 ScmpSyscall = SYS_ACCEPT4
 	SNR_RECVMMSG                ScmpSyscall = SYS_RECVMMSG
 	SNR_WAIT4                   ScmpSyscall = SYS_WAIT4
 	SNR_PRLIMIT64               ScmpSyscall = SYS_PRLIMIT64
 	SNR_FANOTIFY_INIT           ScmpSyscall = SYS_FANOTIFY_INIT
 	SNR_FANOTIFY_MARK           ScmpSyscall = SYS_FANOTIFY_MARK
 	SNR_NAME_TO_HANDLE_AT       ScmpSyscall = SYS_NAME_TO_HANDLE_AT
 	SNR_OPEN_BY_HANDLE_AT       ScmpSyscall = SYS_OPEN_BY_HANDLE_AT
 	SNR_CLOCK_ADJTIME           ScmpSyscall = SYS_CLOCK_ADJTIME
 	SNR_SYNCFS                  ScmpSyscall = SYS_SYNCFS
 	SNR_SETNS                   ScmpSyscall = SYS_SETNS
 	SNR_SENDMMSG                ScmpSyscall = SYS_SENDMMSG
 	SNR_PROCESS_VM_READV        ScmpSyscall = SYS_PROCESS_VM_READV
 	SNR_PROCESS_VM_WRITEV       ScmpSyscall = SYS_PROCESS_VM_WRITEV
 	SNR_KCMP                    ScmpSyscall = SYS_KCMP
 	SNR_FINIT_MODULE            ScmpSyscall = SYS_FINIT_MODULE
 	SNR_SCHED_SETATTR           ScmpSyscall = SYS_SCHED_SETATTR
 	SNR_SCHED_GETATTR           ScmpSyscall = SYS_SCHED_GETATTR
 	SNR_RENAMEAT2               ScmpSyscall = SYS_RENAMEAT2
 	SNR_SECCOMP                 ScmpSyscall = SYS_SECCOMP
 	SNR_GETRANDOM               ScmpSyscall = SYS_GETRANDOM
 	SNR_MEMFD_CREATE            ScmpSyscall = SYS_MEMFD_CREATE
 	SNR_BPF                     ScmpSyscall = SYS_BPF
 	SNR_EXECVEAT                ScmpSyscall = SYS_EXECVEAT
 	SNR_USERFAULTFD             ScmpSyscall = SYS_USERFAULTFD
 	SNR_MEMBARRIER              ScmpSyscall = SYS_MEMBARRIER
 	SNR_MLOCK2                  ScmpSyscall = SYS_MLOCK2
 	SNR_COPY_FILE_RANGE         ScmpSyscall = SYS_COPY_FILE_RANGE
 	SNR_PREADV2                 ScmpSyscall = SYS_PREADV2
 	SNR_PWRITEV2                ScmpSyscall = SYS_PWRITEV2
 	SNR_PKEY_MPROTECT           ScmpSyscall = SYS_PKEY_MPROTECT
 	SNR_PKEY_ALLOC              ScmpSyscall = SYS_PKEY_ALLOC
 	SNR_PKEY_FREE               ScmpSyscall = SYS_PKEY_FREE
 	SNR_STATX                   ScmpSyscall = SYS_STATX
 	SNR_IO_PGETEVENTS           ScmpSyscall = SYS_IO_PGETEVENTS
 	SNR_RSEQ                    ScmpSyscall = SYS_RSEQ
 	SNR_KEXEC_FILE_LOAD         ScmpSyscall = SYS_KEXEC_FILE_LOAD
 	SNR_PIDFD_SEND_SIGNAL       ScmpSyscall = SYS_PIDFD_SEND_SIGNAL
 	SNR_IO_URING_SETUP          ScmpSyscall = SYS_IO_URING_SETUP
 	SNR_IO_URING_ENTER          ScmpSyscall = SYS_IO_URING_ENTER
 	SNR_IO_URING_REGISTER       ScmpSyscall = SYS_IO_URING_REGISTER
 	SNR_OPEN_TREE               ScmpSyscall = SYS_OPEN_TREE
 	SNR_MOVE_MOUNT              ScmpSyscall = SYS_MOVE_MOUNT
 	SNR_FSOPEN                  ScmpSyscall = SYS_FSOPEN
 	SNR_FSCONFIG                ScmpSyscall = SYS_FSCONFIG
 	SNR_FSMOUNT                 ScmpSyscall = SYS_FSMOUNT
 	SNR_FSPICK                  ScmpSyscall = SYS_FSPICK
 	SNR_PIDFD_OPEN              ScmpSyscall = SYS_PIDFD_OPEN
 	SNR_CLONE3                  ScmpSyscall = SYS_CLONE3
 	SNR_CLOSE_RANGE             ScmpSyscall = SYS_CLOSE_RANGE
 	SNR_OPENAT2                 ScmpSyscall = SYS_OPENAT2
 	SNR_PIDFD_GETFD             ScmpSyscall = SYS_PIDFD_GETFD
 	SNR_FACCESSAT2              ScmpSyscall = SYS_FACCESSAT2
 	SNR_PROCESS_MADVISE         ScmpSyscall = SYS_PROCESS_MADVISE
 	SNR_EPOLL_PWAIT2            ScmpSyscall = SYS_EPOLL_PWAIT2
 	SNR_MOUNT_SETATTR           ScmpSyscall = SYS_MOUNT_SETATTR
 	SNR_QUOTACTL_FD             ScmpSyscall = SYS_QUOTACTL_FD
 	SNR_LANDLOCK_CREATE_RULESET ScmpSyscall = SYS_LANDLOCK_CREATE_RULESET
 	SNR_LANDLOCK_ADD_RULE       ScmpSyscall = SYS_LANDLOCK_ADD_RULE
 	SNR_LANDLOCK_RESTRICT_SELF  ScmpSyscall = SYS_LANDLOCK_RESTRICT_SELF
 	SNR_MEMFD_SECRET            ScmpSyscall = SYS_MEMFD_SECRET
 	SNR_PROCESS_MRELEASE        ScmpSyscall = SYS_PROCESS_MRELEASE
 	SNR_FUTEX_WAITV             ScmpSyscall = SYS_FUTEX_WAITV
 	SNR_SET_MEMPOLICY_HOME_NODE ScmpSyscall = SYS_SET_MEMPOLICY_HOME_NODE
 	SNR_CACHESTAT               ScmpSyscall = SYS_CACHESTAT
 	SNR_FCHMODAT2               ScmpSyscall = SYS_FCHMODAT2
 	SNR_MAP_SHADOW_STACK        ScmpSyscall = SYS_MAP_SHADOW_STACK
 	SNR_FUTEX_WAKE              ScmpSyscall = SYS_FUTEX_WAKE
 	SNR_FUTEX_WAIT              ScmpSyscall = SYS_FUTEX_WAIT
 	SNR_FUTEX_REQUEUE           ScmpSyscall = SYS_FUTEX_REQUEUE
 	SNR_STATMOUNT               ScmpSyscall = SYS_STATMOUNT
 	SNR_LISTMOUNT               ScmpSyscall = SYS_LISTMOUNT
 	SNR_LSM_GET_SELF_ATTR       ScmpSyscall = SYS_LSM_GET_SELF_ATTR
 	SNR_LSM_SET_SELF_ATTR       ScmpSyscall = SYS_LSM_SET_SELF_ATTR
 	SNR_LSM_LIST_MODULES        ScmpSyscall = SYS_LSM_LIST_MODULES
 	SNR_MSEAL                   ScmpSyscall = SYS_MSEAL
 	SNR_SETXATTRAT              ScmpSyscall = SYS_SETXATTRAT
 	SNR_GETXATTRAT              ScmpSyscall = SYS_GETXATTRAT
 	SNR_LISTXATTRAT             ScmpSyscall = SYS_LISTXATTRAT
 	SNR_REMOVEXATTRAT           ScmpSyscall = SYS_REMOVEXATTRAT
 	SNR_OPEN_TREE_ATTR          ScmpSyscall = SYS_OPEN_TREE_ATTR
 	SNR_FILE_GETATTR            ScmpSyscall = SYS_FILE_GETATTR
 	SNR_FILE_SETATTR            ScmpSyscall = SYS_FILE_SETATTR
 )
--- a/container/std/types.go
+++ b/container/std/types.go
@@ -0,0 +1,8 @@
 package std
 type (
 	// Uint is equivalent to C.uint.
 	Uint uint32
 	// Int is equivalent to C.int.
 	Int int32
 )
--- a/container/syscall.go
+++ b/container/syscall.go
@@ -3,6 +3,8 @@ package container
 import (
 	. "syscall"
 	"unsafe"
 	"hakurei.app/container/std"
 )
 // Prctl manipulates various aspects of the behavior of the calling thread or process.
@@ -41,6 +43,49 @@ func Isatty(fd int) bool {
 	return r == 0
 }
 // include/uapi/linux/sched.h
 const (
 	SCHED_NORMAL = iota
 	SCHED_FIFO
 	SCHED_RR
 	SCHED_BATCH
 	_ // SCHED_ISO: reserved but not implemented yet
 	SCHED_IDLE
 	SCHED_DEADLINE
 	SCHED_EXT
 )
 // schedParam is equivalent to struct sched_param from include/linux/sched.h.
 type schedParam struct {
 	// sched_priority
 	priority std.Int
 }
 // schedSetscheduler sets both the scheduling policy and parameters for the
 // thread whose ID is specified in tid. If tid equals zero, the scheduling
 // policy and parameters of the calling thread will be set.
 //
 // This function is unexported because it is [very subtle to use correctly]. The
 // function signature in libc is misleading: pid actually refers to a thread ID.
 // The glibc wrapper for this system call ignores this semantic and exposes
 // this counterintuitive behaviour.
 //
 // This function is only called from the container setup thread. Do not reuse
 // this if you do not have something similar in place!
 //
 // [very subtle to use correctly]: https://www.openwall.com/lists/musl/2016/03/01/4
 func schedSetscheduler(tid, policy int, param *schedParam) error {
 	if r, _, errno := Syscall(
 		SYS_SCHED_SETSCHEDULER,
 		uintptr(tid),
 		uintptr(policy),
 		uintptr(unsafe.Pointer(param)),
 	); r < 0 {
 		return errno
 	}
 	return nil
 }
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
--- a/container/vfs/mangle.go
+++ b/container/vfs/mangle.go
@@ -2,6 +2,8 @@ package vfs
 import "strings"
 // Unmangle reverses mangling of strings done by the kernel. Its behaviour is
 // consistent with the equivalent function in util-linux.
 func Unmangle(s string) string {
 	if !strings.ContainsRune(s, '\\') {
 		return s
--- a/container/vfs/mountinfo.go
+++ b/container/vfs/mountinfo.go
@@ -24,6 +24,7 @@ var (
 	ErrMountInfoSep    = errors.New("bad optional fields separator")
 )
 // A DecoderError describes a nonrecoverable error decoding a mountinfo stream.
 type DecoderError struct {
 	Op   string
 	Line int
@@ -51,7 +52,8 @@ func (e *DecoderError) Error() string {
 }
 type (
-	// A MountInfoDecoder reads and decodes proc_pid_mountinfo(5) entries from an input stream.
+	// A MountInfoDecoder reads and decodes proc_pid_mountinfo(5) entries from
 	// an input stream.
 	MountInfoDecoder struct {
 		s *bufio.Scanner
 		m *MountInfo
@@ -72,13 +74,16 @@ type (
 	MountInfoEntry struct {
 		// mount ID: a unique ID for the mount (may be reused after umount(2)).
 		ID int `json:"id"`
-		// parent ID: the ID of the parent mount (or of self for the root of this mount namespace's mount tree).
+		// parent ID: the ID of the parent mount (or of self for the root of
 		// this mount namespace's mount tree).
 		Parent int `json:"parent"`
 		// major:minor: the value of st_dev for files on this filesystem (see stat(2)).
 		Devno DevT `json:"devno"`
-		// root: the pathname of the directory in the filesystem which forms the root of this mount.
+		// root: the pathname of the directory in the filesystem which forms the
 		// root of this mount.
 		Root string `json:"root"`
-		// mount point: the pathname of the mount point relative to the process's root directory.
+		// mount point: the pathname of the mount point relative to the
 		// process's root directory.
 		Target string `json:"target"`
 		// mount options: per-mount options (see mount(2)).
 		VfsOptstr string `json:"vfs_optstr"`
@@ -126,7 +131,8 @@ func (e *MountInfoEntry) Flags() (flags uintptr, unmatched []string) {
 // NewMountInfoDecoder returns a new decoder that reads from r.
 //
-// The decoder introduces its own buffering and may read data from r beyond the mountinfo entries requested.
+// The decoder introduces its own buffering and may read data from r beyond the
 // mountinfo entries requested.
 func NewMountInfoDecoder(r io.Reader) *MountInfoDecoder {
 	return &MountInfoDecoder{s: bufio.NewScanner(r)}
 }
@@ -271,6 +277,8 @@ func parseMountInfoLine(s string, ent *MountInfoEntry) error {
 	return nil
 }
 // EqualWithIgnore compares to [MountInfoEntry] values, ignoring fields that
 // compare equal to ignore.
 func (e *MountInfoEntry) EqualWithIgnore(want *MountInfoEntry, ignore string) bool {
 	return (e.ID == want.ID || want.ID == -1) &&
 		(e.Parent == want.Parent || want.Parent == -1) &&
@@ -284,6 +292,8 @@ func (e *MountInfoEntry) EqualWithIgnore(want *MountInfoEntry, ignore string) bo
 		(e.FsOptstr == want.FsOptstr || want.FsOptstr == ignore)
 }
 // String returns a user-facing representation of a [MountInfoEntry]. It fits
 // roughly into the mountinfo format, but without mangling.
 func (e *MountInfoEntry) String() string {
 	return fmt.Sprintf("%d %d %d:%d %s %s %s %s %s %s %s",
 		e.ID, e.Parent, e.Devno[0], e.Devno[1], e.Root, e.Target, e.VfsOptstr,
--- a/container/vfs/unfold.go
+++ b/container/vfs/unfold.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 )
 // UnfoldTargetError is a pathname that never appeared in a mount hierarchy.
 type UnfoldTargetError string
 func (e UnfoldTargetError) Error() string {
@@ -27,6 +28,7 @@ func (n *MountInfoNode) Collective() iter.Seq[*MountInfoNode] {
 	return func(yield func(*MountInfoNode) bool) { n.visit(yield) }
 }
 // visit recursively visits all visible mountinfo nodes.
 func (n *MountInfoNode) visit(yield func(*MountInfoNode) bool) bool {
 	if !n.Covered && !yield(n) {
 		return false
--- a/dist/install.sh
+++ b/dist/install.sh
@@ -1,12 +1,12 @@
 #!/bin/sh
 cd "$(dirname -- "$0")" || exit 1
-install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
+install -vDm0755 "bin/hakurei" "${DESTDIR}/usr/bin/hakurei"
-install -vDm0755 "bin/sharefs" "${HAKUREI_INSTALL_PREFIX}/usr/bin/sharefs"
+install -vDm0755 "bin/sharefs" "${DESTDIR}/usr/bin/sharefs"
-install -vDm4511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
+install -vDm4511 "bin/hsu" "${DESTDIR}/usr/bin/hsu"
-if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
-    install -vDm0400 "hsurc.default" "${HAKUREI_INSTALL_PREFIX}/etc/hsurc"
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
 fi
-install -vDm0644 "comp/_hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/share/zsh/site-functions/_hakurei"
+install -vDm0644 "comp/_hakurei" "${DESTDIR}/usr/share/zsh/site-functions/_hakurei"
--- a/dist/release.sh
+++ b/dist/release.sh
@@ -1,20 +1,31 @@
 #!/bin/sh -e
 cd "$(dirname -- "$0")/.."
 VERSION="${HAKUREI_VERSION:-untagged}"
-pname="hakurei-${VERSION}"
+pname="hakurei-${VERSION}-$(go env GOARCH)"
-out="dist/${pname}"
+out="${DESTDIR:-dist}/${pname}"
 echo '# Preparing distribution files.'
 mkdir -p "${out}"
 cp -v "README.md" "dist/hsurc.default" "dist/install.sh" "${out}"
 cp -rv "dist/comp" "${out}"
 echo
 echo '# Building hakurei.'
 go generate ./...
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
  -buildid= -linkmode external -extldflags=-static
  -X hakurei.app/internal/info.buildVersion=${VERSION}
  -X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
  -X hakurei.app/internal/info.hsuPath=/usr/bin/hsu
  -X main.hakureiPath=/usr/bin/hakurei" ./...
 echo
-rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
+echo '# Testing hakurei.'
-rm -rf "./${out}"
+go test -ldflags='-buildid= -linkmode external -extldflags=-static' ./...
-(cd dist && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
+echo
 echo '# Creating distribution.'
 rm -f "${out}.tar.gz" && tar -C "${out}/.." -vczf "${out}.tar.gz" "${pname}"
 rm -rf "${out}"
 (cd "${out}/.." && sha512sum "${pname}.tar.gz" > "${pname}.tar.gz.sha512")
 echo
--- a/flake.nix
+++ b/flake.nix
@@ -29,20 +29,6 @@
    {
      nixosModules.hakurei = import ./nixos.nix self.packages;
      buildPackage = forAllSystems (
        system:
        nixpkgsFor.${system}.callPackage (
          import ./cmd/hpkg/build.nix {
            inherit
              nixpkgsFor
              system
              nixpkgs
              home-manager
              ;
          }
        )
      );
      checks = forAllSystems (
        system:
        let
@@ -71,8 +57,6 @@
          sharefs = callPackage ./cmd/sharefs/test { inherit system self; };
          hpkg = callPackage ./cmd/hpkg/test { inherit system self; };
          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
            cd ${./.}
@@ -127,11 +111,6 @@
              glibc
              xdg-dbus-proxy
              # hpkg
              zstd
              gnutar
              coreutils
              # for check
              util-linux
              nettools
@@ -143,19 +122,27 @@
            "bin/mount.fuse.sharefs" = "${hakurei}/libexec/sharefs";
          };
-          dist = pkgs.runCommand "${hakurei.name}-dist" { buildInputs = hakurei.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
+          dist =
-            # go requires XDG_CACHE_HOME for the build cache
+            pkgs.runCommand "${hakurei.name}-dist"
-            export XDG_CACHE_HOME="$(mktemp -d)"
+              {
                buildInputs = hakurei.targetPkgs ++ [
                  pkgs.pkgsStatic.musl
                ];
              }
              ''
                cd $(mktemp -d) \
                    && cp -r ${hakurei.src}/. . \
                    && chmod +w cmd && cp -r ${hsu.src}/. cmd/hsu/ \
                    && chmod -R +w .
-            # get a different workdir as go does not like /build
+                CC="musl-clang -O3 -Werror -Qunused-arguments" \
-            cd $(mktemp -d) \
+                GOCACHE="$(mktemp -d)" \
-                && cp -r ${hakurei.src}/. . \
+                HAKUREI_TEST_SKIP_ACL=1 \
-                && chmod +w cmd && cp -r ${hsu.src}/. cmd/hsu/ \
+                PATH="${pkgs.pkgsStatic.musl.bin}/bin:$PATH" \
-                && chmod -R +w .
+                DESTDIR="$out" \
-
+                HAKUREI_VERSION="v${hakurei.version}" \
-            export HAKUREI_VERSION="v${hakurei.version}"
+                  ./dist/release.sh
-            CC="clang -O3 -Werror" ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
+              '';
          '';
        }
      );
@@ -211,7 +198,7 @@
                  ./test/interactive/trace.nix
                  self.nixosModules.hakurei
-                  self.inputs.home-manager.nixosModules.home-manager
+                  home-manager.nixosModules.home-manager
                ];
              };
            in
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
 module hakurei.app
-go 1.24
+go 1.25
--- a/internal/acl/acl_test.go
+++ b/internal/acl/acl_test.go
@@ -24,9 +24,8 @@ var (
 )
 func TestUpdate(t *testing.T) {
-	if os.Getenv("GO_TEST_SKIP_ACL") == "1" {
+	if os.Getenv("HAKUREI_TEST_SKIP_ACL") == "1" {
-		t.Log("acl test skipped")
+		t.Skip("acl test skipped")
 		t.SkipNow()
 	}
 	testFilePath := path.Join(t.TempDir(), testFileName)
@@ -143,6 +142,7 @@ func (c *getFAclInvocation) run(name string) error {
 	}
 	c.cmd = exec.Command("getfacl", "--omit-header", "--absolute-names", "--numeric", name)
 	c.cmd.Stderr = os.Stderr
 	scanErr := make(chan error, 1)
 	if p, err := c.cmd.StdoutPipe(); err != nil {
@@ -254,7 +254,7 @@ func getfacl(t *testing.T, name string) []*getFAclResp {
 		t.Fatalf("getfacl: error = %v", err)
 	}
 	if len(c.pe) != 0 {
-		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...).Error())
+		t.Errorf("errors encountered parsing getfacl output\n%s", errors.Join(c.pe...))
 	}
 	return c.val
 }
--- a/internal/lockedfile/internal/filelock/filelock.go
+++ b/internal/lockedfile/internal/filelock/filelock.go
@@ -8,7 +8,6 @@
 package filelock
 import (
 	"errors"
 	"io/fs"
 )
@@ -74,10 +73,3 @@ func (lt lockType) String() string {
 		return "Unlock"
 	}
 }
 // IsNotSupported returns a boolean indicating whether the error is known to
 // report that a function is not supported (possibly for a specific input).
 // It is satisfied by errors.ErrUnsupported as well as some syscall errors.
 func IsNotSupported(err error) bool {
 	return errors.Is(err, errors.ErrUnsupported)
 }
--- a/internal/lockedfile/internal/filelock/filelock_test.go
+++ b/internal/lockedfile/internal/filelock/filelock_test.go
@@ -14,7 +14,7 @@ import (
 	"testing"
 	"time"
-	"hakurei.app/container"
+	"hakurei.app/container/fhs"
 	"hakurei.app/internal/lockedfile/internal/filelock"
 	"hakurei.app/internal/lockedfile/internal/testexec"
 )
@@ -197,7 +197,7 @@ func TestLockNotDroppedByExecCommand(t *testing.T) {
 	// Some kinds of file locks are dropped when a duplicated or forked file
 	// descriptor is unlocked. Double-check that the approach used by os/exec does
 	// not accidentally drop locks.
-	cmd := testexec.CommandContext(t, t.Context(), container.MustExecutable(nil), "-test.run=^$")
+	cmd := testexec.CommandContext(t, t.Context(), fhs.ProcSelfExe, "-test.run=^$")
 	if err := cmd.Run(); err != nil {
 		t.Fatalf("exec failed: %v", err)
 	}
--- a/internal/lockedfile/lockedfile.go
+++ b/internal/lockedfile/lockedfile.go
@@ -94,6 +94,11 @@ func (f *File) Close() error {
 	err := closeFile(f.osFile.File)
 	f.cleanup.Stop()
 	// f may be dead at the moment after we access f.cleanup,
 	// so the cleanup can fire before Stop completes. Keep f
 	// alive while we call Stop. See the documentation for
 	// runtime.Cleanup.Stop.
 	runtime.KeepAlive(f)
 	return err
 }
--- a/internal/lockedfile/lockedfile_test.go
+++ b/internal/lockedfile/lockedfile_test.go
@@ -15,7 +15,7 @@ import (
 	"testing"
 	"time"
-	"hakurei.app/container"
+	"hakurei.app/container/fhs"
 	"hakurei.app/internal/lockedfile"
 	"hakurei.app/internal/lockedfile/internal/testexec"
 )
@@ -215,7 +215,7 @@ func TestSpuriousEDEADLK(t *testing.T) {
 		t.Fatal(err)
 	}
-	cmd := testexec.CommandContext(t, t.Context(), container.MustExecutable(nil), "-test.run=^"+t.Name()+"$")
+	cmd := testexec.CommandContext(t, t.Context(), fhs.ProcSelfExe, "-test.run=^"+t.Name()+"$")
 	cmd.Env = append(os.Environ(), fmt.Sprintf("%s=%s", dirVar, dir))
 	qDone := make(chan struct{})
--- a/internal/outcome/sppulse_test.go
+++ b/internal/outcome/sppulse_test.go
@@ -108,7 +108,7 @@ func TestSpPulseOp(t *testing.T) {
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "proc/nonexistent/cookie", nil),
 		}, nil, nil, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/cookie"},
+			Err:  check.AbsoluteError("proc/nonexistent/cookie"),
 		}, nil, nil, nil, nil, nil},
 		{"cookie loadFile", func(bool, bool) outcomeOp {
@@ -272,7 +272,7 @@ func TestDiscoverPulseCookie(t *testing.T) {
 			call("verbose", stub.ExpectArgs{[]any{(*check.Absolute)(nil)}}, nil, nil),
 		}}, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/pulse-cookie"},
+			Err:  check.AbsoluteError("proc/nonexistent/pulse-cookie"),
 		}},
 		{"success override", fCheckPathname, stub.Expect{Calls: []stub.Call{
@@ -286,7 +286,7 @@ func TestDiscoverPulseCookie(t *testing.T) {
 			call("verbose", stub.ExpectArgs{[]any{(*check.Absolute)(nil)}}, nil, nil),
 		}}, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/home"},
+			Err:  check.AbsoluteError("proc/nonexistent/home"),
 		}},
 		{"home stat", fCheckPathname, stub.Expect{Calls: []stub.Call{
@@ -321,7 +321,7 @@ func TestDiscoverPulseCookie(t *testing.T) {
 			call("verbose", stub.ExpectArgs{[]any{(*check.Absolute)(nil)}}, nil, nil),
 		}}, &hst.AppError{
 			Step: "locate PulseAudio cookie",
-			Err:  &check.AbsoluteError{Pathname: "proc/nonexistent/xdg"},
+			Err:  check.AbsoluteError("proc/nonexistent/xdg"),
 		}},
 		{"xdg stat", fCheckPathname, stub.Expect{Calls: []stub.Call{
--- a/internal/pkg/dir.go
+++ b/internal/pkg/dir.go
@@ -0,0 +1,203 @@
 package pkg
 import (
 	"crypto/sha512"
 	"encoding/binary"
 	"errors"
 	"io"
 	"io/fs"
 	"math"
 	"os"
 	"path/filepath"
 	"syscall"
 	"hakurei.app/container/check"
 )
 // FlatEntry is a directory entry to be encoded for [Flatten].
 type FlatEntry struct {
 	Mode fs.FileMode // file mode bits
 	Path string      // pathname of the file
 	Data []byte      // file content or symlink destination
 }
 /*
 | mode uint32 | path_sz uint32 |
 |        data_sz uint64        |
 |         path string          |
 |         data []byte          |
 */
 // Encode encodes the entry for transmission or hashing.
 func (ent *FlatEntry) Encode(w io.Writer) (n int, err error) {
 	pPathSize := alignSize(len(ent.Path))
 	if pPathSize > math.MaxUint32 {
 		return 0, syscall.E2BIG
 	}
 	pDataSize := alignSize(len(ent.Data))
 	payload := make([]byte, wordSize*2+pPathSize+pDataSize)
 	binary.LittleEndian.PutUint32(payload, uint32(ent.Mode))
 	binary.LittleEndian.PutUint32(payload[wordSize/2:], uint32(len(ent.Path)))
 	binary.LittleEndian.PutUint64(payload[wordSize:], uint64(len(ent.Data)))
 	copy(payload[wordSize*2:], ent.Path)
 	copy(payload[wordSize*2+pPathSize:], ent.Data)
 	return w.Write(payload)
 }
 // ErrInsecurePath is returned by [FlatEntry.Decode] if validation is requested
 // and a nonlocal path is encountered in the stream.
 var ErrInsecurePath = errors.New("insecure file path")
 // Decode decodes the entry from its representation produced by Encode.
 func (ent *FlatEntry) Decode(r io.Reader, validate bool) (n int, err error) {
 	var nr int
 	header := make([]byte, wordSize*2)
 	nr, err = r.Read(header)
 	n += nr
 	if err != nil {
 		if errors.Is(err, io.EOF) && n != 0 {
 			err = io.ErrUnexpectedEOF
 		}
 		return
 	}
 	ent.Mode = fs.FileMode(binary.LittleEndian.Uint32(header))
 	pathSize := int(binary.LittleEndian.Uint32(header[wordSize/2:]))
 	pPathSize := alignSize(pathSize)
 	dataSize := int(binary.LittleEndian.Uint64(header[wordSize:]))
 	pDataSize := alignSize(dataSize)
 	buf := make([]byte, pPathSize+pDataSize)
 	nr, err = r.Read(buf)
 	n += nr
 	if err != nil {
 		if errors.Is(err, io.EOF) {
 			if nr != len(buf) {
 				err = io.ErrUnexpectedEOF
 				return
 			}
 		} else {
 			return
 		}
 	}
 	ent.Path = string(buf[:pathSize])
 	if ent.Mode.IsDir() {
 		ent.Data = nil
 	} else {
 		ent.Data = buf[pPathSize : pPathSize+dataSize]
 	}
 	if validate && !filepath.IsLocal(ent.Path) {
 		err = ErrInsecurePath
 	}
 	return
 }
 // DirScanner provides an efficient interface for reading a stream of encoded
 // [FlatEntry]. Successive calls to the Scan method will step through the
 // entries in the stream.
 type DirScanner struct {
 	// Underlying reader to scan [FlatEntry] representations from.
 	r io.Reader
 	// First non-EOF I/O error, returned by the Err method.
 	err error
 	// Entry to store results in. Its address is returned by the Entry method
 	// and is updated on every call to Scan.
 	ent FlatEntry
 	// Validate pathnames during decoding.
 	validate bool
 }
 // NewDirScanner returns the address of a new instance of [DirScanner] reading
 // from r. The caller must no longer read from r after this function returns.
 func NewDirScanner(r io.Reader, validate bool) *DirScanner {
 	return &DirScanner{r: r, validate: validate}
 }
 // Err returns the first non-EOF I/O error.
 func (s *DirScanner) Err() error {
 	if errors.Is(s.err, io.EOF) {
 		return nil
 	}
 	return s.err
 }
 // Entry returns the address to the [FlatEntry] value storing the last result.
 func (s *DirScanner) Entry() *FlatEntry { return &s.ent }
 // Scan advances to the next [FlatEntry].
 func (s *DirScanner) Scan() bool {
 	if s.err != nil {
 		return false
 	}
 	var n int
 	n, s.err = s.ent.Decode(s.r, s.validate)
 	if errors.Is(s.err, io.EOF) {
 		return n != 0
 	}
 	return s.err == nil
 }
 // Flatten writes a deterministic representation of the contents of fsys to w.
 // The resulting data can be hashed to produce a deterministic checksum for the
 // directory.
 func Flatten(fsys fs.FS, root string, w io.Writer) (n int, err error) {
 	var nr int
 	err = fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 		var fi fs.FileInfo
 		fi, err = d.Info()
 		if err != nil {
 			return err
 		}
 		ent := FlatEntry{
 			Path: path,
 			Mode: fi.Mode(),
 		}
 		if ent.Mode.IsRegular() {
 			if ent.Data, err = fs.ReadFile(fsys, path); err != nil {
 				return err
 			}
 		} else if ent.Mode&fs.ModeSymlink != 0 {
 			var newpath string
 			if newpath, err = fs.ReadLink(fsys, path); err != nil {
 				return err
 			}
 			ent.Data = []byte(newpath)
 		} else if !ent.Mode.IsDir() {
 			return InvalidFileModeError(ent.Mode)
 		}
 		nr, err = ent.Encode(w)
 		n += nr
 		return err
 	})
 	return
 }
 // HashFS returns a checksum produced by hashing the result of [Flatten].
 func HashFS(buf *Checksum, fsys fs.FS, root string) error {
 	h := sha512.New384()
 	if _, err := Flatten(fsys, root, h); err != nil {
 		return err
 	}
 	h.Sum(buf[:0])
 	return nil
 }
 // HashDir returns a checksum produced by hashing the result of [Flatten].
 func HashDir(buf *Checksum, pathname *check.Absolute) error {
 	return HashFS(buf, os.DirFS(pathname.String()), ".")
 }
--- a/internal/pkg/dir_test.go
+++ b/internal/pkg/dir_test.go
@@ -0,0 +1,570 @@
 package pkg_test
 import (
 	"bytes"
 	"io/fs"
 	"reflect"
 	"testing"
 	"testing/fstest"
 	"hakurei.app/internal/pkg"
 )
 func TestFlatten(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name    string
 		fsys    fs.FS
 		entries []pkg.FlatEntry
 		sum     pkg.Checksum
 		err     error
 	}{
 		{"bad type", fstest.MapFS{
 			".":       {Mode: fs.ModeDir | 0700},
 			"invalid": {Mode: fs.ModeCharDevice | 0400},
 		}, nil, pkg.Checksum{}, pkg.InvalidFileModeError(
 			fs.ModeCharDevice | 0400,
 		)},
 		{"empty", fstest.MapFS{
 			".":          {Mode: fs.ModeDir | 0700},
 			"checksum":   {Mode: fs.ModeDir | 0700},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"work":       {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C"), nil},
 		{"sample cache file", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
 			"checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: 0400, Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
 			"identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
 			"identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
 			"identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: 0400, Path: "checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte{0, 0, 0, 0, 0xad, 0xb, 0, 4, 0xfe, 0xfe, 0, 0, 0xfe, 0xca, 0, 0}},
 			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", Data: []byte("../checksum/0bSFPu5Tnd-2Jj0Mv6co23PW2t3BmHc7eLFj9TgY3eIBg8zislo7xZYNBqovVLcq")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("St9rlE-mGZ5gXwiv_hzQ_B8bZP-UUvSNmf4nHUZzCMOumb6hKnheZSe0dmnuc4Q2"), nil},
 		{"sample http get cure", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU": {Mode: 0400, Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: 0400, Path: "checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU", Data: []byte("\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69")},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_", Data: []byte("../checksum/fLYGIMHgN1louE-JzITJZJo2SDniPu-IHBXubtvQWFO-hXnDVKNuscV7-zlyr5fU")},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("L_0RFHpr9JUS4Zp14rz2dESSRvfLzpvqsLhR1-YjQt8hYlmEdVl7vI3_-v8UNPKs"), nil},
 		{"sample directory step simple", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},
 			"check": {Mode: 0400, Data: []byte{0, 0}},
 			"lib":            {Mode: fs.ModeDir | 0700},
 			"lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 			"lib/pkgconfig": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0500, Path: "."},
 			{Mode: 0400, Path: "check", Data: []byte{0, 0}},
 			{Mode: fs.ModeDir | 0700, Path: "lib"},
 			{Mode: fs.ModeSymlink | 0777, Path: "lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
 			{Mode: fs.ModeDir | 0700, Path: "lib/pkgconfig"},
 		}, pkg.MustDecode("qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"), nil},
 		{"sample directory step garbage", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},
 			"lib":       {Mode: fs.ModeDir | 0500},
 			"lib/check": {Mode: 0400, Data: []byte{}},
 			"lib/pkgconfig": {Mode: fs.ModeDir | 0500},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0500, Path: "."},
 			{Mode: fs.ModeDir | 0500, Path: "lib"},
 			{Mode: 0400, Path: "lib/check", Data: []byte{}},
 			{Mode: fs.ModeDir | 0500, Path: "lib/pkgconfig"},
 		}, pkg.MustDecode("CUx-3hSbTWPsbMfDhgalG4Ni_GmR9TnVX8F99tY_P5GtkYvczg9RrF5zO0jX9XYT"), nil},
 		{"sample directory", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b":                {Mode: fs.ModeDir | 0500},
 			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check":          {Mode: 0400, Data: []byte{0, 0}},
 			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib":            {Mode: fs.ModeDir | 0700},
 			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig":  {Mode: fs.ModeDir | 0700},
 			"checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
 			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b"},
 			{Mode: 0400, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/check", Data: []byte{0, 0}},
 			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib"},
 			{Mode: fs.ModeSymlink | 0777, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
 			{Mode: fs.ModeDir | 0700, Path: "checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b/lib/pkgconfig"},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/qRN6in76LndiiOZJheHkwyW8UT1N5-f-bXvHfDvwrMw2fSkOoZdh8pWE1qhLk65b")},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("WVpvsVqVKg9Nsh744x57h51AuWUoUR2nnh8Md-EYBQpk6ziyTuUn6PLtF2e0Eu_d"), nil},
 		{"sample tar step unpack", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},
 			"checksum": {Mode: fs.ModeDir | 0500},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 			"identifier": {Mode: fs.ModeDir | 0500},
 			"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			"work": {Mode: fs.ModeDir | 0500},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0500, Path: "."},
 			{Mode: fs.ModeDir | 0500, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
 			{Mode: 0400, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
 			{Mode: fs.ModeSymlink | 0777, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
 			{Mode: fs.ModeDir | 0500, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			{Mode: fs.ModeDir | 0500, Path: "work"},
 		}, pkg.MustDecode("cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"), nil},
 		{"sample tar", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM":                                                                                          {Mode: fs.ModeDir | 0500},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum":                                                                                 {Mode: fs.ModeDir | 0500},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0500},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0500},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier":                                                                               {Mode: fs.ModeDir | 0500},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa":              {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			"checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work":                                                                                     {Mode: fs.ModeDir | 0500},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
 			"identifier/rg7F1D5hwv6o4xctjD5zDq4i5MD0mArTsUIWfhUbik8xC6Bsyt3mjXXOm3goojTz": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
 			{Mode: 0400, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
 			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			{Mode: fs.ModeSymlink | 0777, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM/work"},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/rg7F1D5hwv6o4xctjD5zDq4i5MD0mArTsUIWfhUbik8xC6Bsyt3mjXXOm3goojTz", Data: []byte("../checksum/cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("NQTlc466JmSVLIyWklm_u8_g95jEEb98PxJU-kjwxLpfdjwMWJq0G8ze9R4Vo1Vu"), nil},
 		{"sample tar expand step unpack", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},
 			"libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0500, Path: "."},
 			{Mode: fs.ModeSymlink | 0777, Path: "libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
 		}, pkg.MustDecode("CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"), nil},
 		{"sample tar expand", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN":            {Mode: fs.ModeDir | 0500},
 			"checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
 			"identifier/_v1blm2h-_KA-dVaawdpLas6MjHc6rbhhFS8JWwx8iJxZGUu8EBbRrhr5AaZ9PJL": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN"},
 			{Mode: fs.ModeSymlink | 0777, Path: "checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/W5S65DEhawz_WKaok5NjUKLmnD9dNl5RPauNJjcOVcB3VM4eGhSaLGmXbL8vZpiw", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_v1blm2h-_KA-dVaawdpLas6MjHc6rbhhFS8JWwx8iJxZGUu8EBbRrhr5AaZ9PJL", Data: []byte("../checksum/CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("hSoSSgCYTNonX3Q8FjvjD1fBl-E-BQyA6OTXro2OadXqbST4tZ-akGXszdeqphRe"), nil},
 		{"testtool", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},
 			"check": {Mode: 0400, Data: []byte{0}},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0500, Path: "."},
 			{Mode: 0400, Path: "check", Data: []byte{0}},
 		}, pkg.MustDecode("GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"), nil},
 		{"sample exec container", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
 			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
 			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
 			"identifier/dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
 			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
 			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("Q5DluWQCAeohLoiGRImurwFp3vdz9IfQCoj7Fuhh73s4KQPRHpEQEnHTdNHmB8Fx"), nil},
 		{"testtool net", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0500},
 			"check": {Mode: 0400, Data: []byte("net")},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0500, Path: "."},
 			{Mode: 0400, Path: "check", Data: []byte("net")},
 		}, pkg.MustDecode("a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"), nil},
 		{"sample exec net container", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
 			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
 			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W":       {Mode: fs.ModeDir | 0500},
 			"checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check": {Mode: 0400, Data: []byte("net")},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
 			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
 			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
 			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W"},
 			{Mode: 0400, Path: "checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W/check", Data: []byte("net")},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3", Data: []byte("../checksum/a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("bPYvvqxpfV7xcC1EptqyKNK1klLJgYHMDkzBcoOyK6j_Aj5hb0mXNPwTwPSK5F6Z"), nil},
 		{"sample exec container overlay root", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
 			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
 			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("PO2DSSCa4yoSgEYRcCSZfQfwow1yRigL3Ry-hI0RDI4aGuFBha-EfXeSJnG_5_Rl"), nil},
 		{"sample exec container overlay work", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
 			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
 			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("iaRt6l_Wm2n-h5UsDewZxQkCmjZjyL8r7wv32QT2kyV55-Lx09Dq4gfg9BiwPnKs"), nil},
 		{"sample exec container multiple layers", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
 			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
 			"checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb":       {Mode: 0400, Data: []byte{}},
 			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK":       {Mode: fs.ModeDir | 0500},
 			"checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check": {Mode: 0400, Data: []byte("layers")},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
 			"identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
 			"identifier/p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
 			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
 			{Mode: 0400, Path: "checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb", Data: []byte{}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK"},
 			{Mode: 0400, Path: "checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK/check", Data: []byte("layers")},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/B-kc5iJMx8GtlCua4dz6BiJHnDAOUfPjgpbKq4e-QEn0_CZkSYs3fOA1ve06qMs2", Data: []byte("../checksum/nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/_gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", Data: []byte("../checksum/OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("O2YzyR7IUGU5J2CADy0hUZ3A5NkP_Vwzs4UadEdn2oMZZVWRtH0xZGJ3HXiimTnZ"), nil},
 		{"sample exec container layer promotion", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9":       {Mode: fs.ModeDir | 0500},
 			"checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check": {Mode: 0400, Data: []byte{0}},
 			"checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU":       {Mode: fs.ModeDir | 0500},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			"identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			"identifier/xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			"temp": {Mode: fs.ModeDir | 0700},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9"},
 			{Mode: 0400, Path: "checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9/check", Data: []byte{0}},
 			{Mode: fs.ModeDir | 0500, Path: "checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/kvJIqZo5DKFOxC2ZQ-8_nPaQzEAz9cIm3p6guO-uLqm-xaiPu7oRkSnsu411jd_U", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/vjz1MHPcGBKV7sjcs8jQP3cqxJ1hgPTiQBMCEHP9BGXjGxd-tJmEmXKaStObo5gK", Data: []byte("../checksum/MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU")},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ", Data: []byte("../checksum/GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9")},
 			{Mode: fs.ModeDir | 0700, Path: "temp"},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("3EaW6WibLi9gl03_UieiFPaFcPy5p4x3JPxrnLJxGaTI-bh3HU9DK9IMx7c3rrNm"), nil},
 		{"sample file short", fstest.MapFS{
 			".": {Mode: fs.ModeDir | 0700},
 			"checksum": {Mode: fs.ModeDir | 0700},
 			"checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX": {Mode: 0400, Data: []byte{0}},
 			"identifier": {Mode: fs.ModeDir | 0700},
 			"identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
 			"work": {Mode: fs.ModeDir | 0700},
 		}, []pkg.FlatEntry{
 			{Mode: fs.ModeDir | 0700, Path: "."},
 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
 			{Mode: 0400, Path: "checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX", Data: []byte{0}},
 			{Mode: fs.ModeDir | 0700, Path: "identifier"},
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi", Data: []byte("../checksum/vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX")},
 			{Mode: fs.ModeDir | 0700, Path: "work"},
 		}, pkg.MustDecode("iR6H5OIsyOW4EwEgtm9rGzGF6DVtyHLySEtwnFE8bnus9VJcoCbR4JIek7Lw-vwT"), nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			t.Run("roundtrip", func(t *testing.T) {
 				t.Parallel()
 				var buf bytes.Buffer
 				if _, err := pkg.Flatten(
 					tc.fsys,
 					".",
 					&buf,
 				); !reflect.DeepEqual(err, tc.err) {
 					t.Fatalf("Flatten: error = %v, want %v", err, tc.err)
 				} else if tc.err != nil {
 					return
 				}
 				s := pkg.NewDirScanner(bytes.NewReader(buf.Bytes()), true)
 				var got []pkg.FlatEntry
 				for s.Scan() {
 					got = append(got, *s.Entry())
 				}
 				if err := s.Err(); err != nil {
 					t.Fatalf("Err: error = %v", err)
 				}
 				if !reflect.DeepEqual(got, tc.entries) {
 					t.Fatalf("Scan: %#v, want %#v", got, tc.entries)
 				}
 			})
 			if tc.err != nil {
 				return
 			}
 			t.Run("hash", func(t *testing.T) {
 				t.Parallel()
 				var got pkg.Checksum
 				if err := pkg.HashFS(&got, tc.fsys, "."); err != nil {
 					t.Fatalf("HashFS: error = %v", err)
 				} else if got != tc.sum {
 					t.Fatalf("HashFS: %v", &pkg.ChecksumMismatchError{
 						Got:  got,
 						Want: tc.sum,
 					})
 				}
 			})
 		})
 	}
 }
--- a/internal/pkg/exec.go
+++ b/internal/pkg/exec.go
@@ -0,0 +1,542 @@
 package pkg
 import (
 	"bufio"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"path"
 	"slices"
 	"strconv"
 	"syscall"
 	"time"
 	"unique"
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/message"
 )
 // AbsWork is the container pathname [TContext.GetWorkDir] is mounted on.
 var AbsWork = fhs.AbsRoot.Append("work/")
 // ExecPath is a slice of [Artifact] and the [check.Absolute] pathname to make
 // it available at under in the container.
 type ExecPath struct {
 	// Pathname in the container mount namespace.
 	P *check.Absolute
 	// Artifacts to mount on the pathname, must contain at least one [Artifact].
 	// If there are multiple entries or W is true, P is set up as an overlay
 	// mount, and entries of A must not implement [FileArtifact].
 	A []Artifact
 	// Whether to make the mount point writable via the temp directory.
 	W bool
 }
 // SchedPolicy is the [container] scheduling policy.
 var SchedPolicy int
 // PromoteLayers returns artifacts with identical-by-content layers promoted to
 // the highest priority instance, as if mounted via [ExecPath].
 func PromoteLayers(
 	artifacts []Artifact,
 	getArtifact func(Artifact) (*check.Absolute, unique.Handle[Checksum]),
 	report func(i int, d Artifact),
 ) []*check.Absolute {
 	layers := make([]*check.Absolute, 0, len(artifacts))
 	checksums := make(map[unique.Handle[Checksum]]struct{}, len(artifacts))
 	for i := range artifacts {
 		d := artifacts[len(artifacts)-1-i]
 		pathname, checksum := getArtifact(d)
 		if _, ok := checksums[checksum]; ok {
 			report(len(artifacts)-1-i, d)
 			continue
 		}
 		checksums[checksum] = struct{}{}
 		layers = append(layers, pathname)
 	}
 	slices.Reverse(layers)
 	return layers
 }
 // layers returns pathnames collected from A deduplicated via [PromoteLayers].
 func (p *ExecPath) layers(f *FContext) []*check.Absolute {
 	msg := f.GetMessage()
 	return PromoteLayers(p.A, f.GetArtifact, func(i int, d Artifact) {
 		if msg.IsVerbose() {
 			msg.Verbosef(
 				"promoted layer %d as %s",
 				i, reportName(d, f.cache.Ident(d)),
 			)
 		}
 	})
 }
 // Path returns a populated [ExecPath].
 func Path(pathname *check.Absolute, writable bool, a ...Artifact) ExecPath {
 	return ExecPath{pathname, a, writable}
 }
 // MustPath is like [Path], but takes a string pathname via [check.MustAbs].
 func MustPath(pathname string, writable bool, a ...Artifact) ExecPath {
 	return ExecPath{check.MustAbs(pathname), a, writable}
 }
 const (
 	// ExecTimeoutDefault replaces out of range [NewExec] timeout values.
 	ExecTimeoutDefault = 15 * time.Minute
 	// ExecTimeoutMax is the arbitrary upper bound of [NewExec] timeout.
 	ExecTimeoutMax = 48 * time.Hour
 )
 // An execArtifact is an [Artifact] that produces output by running a program
 // part of another [Artifact] in a [container] to produce its output.
 //
 // Methods of execArtifact does not modify any struct field or underlying arrays
 // referred to by slices.
 type execArtifact struct {
 	// Caller-supplied user-facing reporting name, guaranteed to be nonzero
 	// during initialisation.
 	name string
 	// Caller-supplied inner mount points.
 	paths []ExecPath
 	// Passed through to [container.Params].
 	dir *check.Absolute
 	// Passed through to [container.Params].
 	env []string
 	// Passed through to [container.Params].
 	path *check.Absolute
 	// Passed through to [container.Params].
 	args []string
 	// Duration the initial process is allowed to run. The zero value is
 	// equivalent to [ExecTimeoutDefault].
 	timeout time.Duration
 	// Caller-supplied exclusivity value, returned as is by IsExclusive.
 	exclusive bool
 }
 var _ fmt.Stringer = new(execArtifact)
 // execNetArtifact is like execArtifact but implements [KnownChecksum] and has
 // its resulting container keep the host net namespace.
 type execNetArtifact struct {
 	checksum Checksum
 	execArtifact
 }
 var _ KnownChecksum = new(execNetArtifact)
 // Checksum returns the caller-supplied checksum.
 func (a *execNetArtifact) Checksum() Checksum { return a.checksum }
 // Kind returns the hardcoded [Kind] constant.
 func (*execNetArtifact) Kind() Kind { return KindExecNet }
 // Cure cures the [Artifact] in the container described by the caller. The
 // container retains host networking.
 func (a *execNetArtifact) Cure(f *FContext) error {
 	return a.cure(f, true)
 }
 // NewExec returns a new [Artifact] that executes the program path in a
 // container with specified paths bind mounted read-only in order. A private
 // instance of /proc and /dev is made available to the container.
 //
 // The working and temporary directories are both created and mounted writable
 // on [AbsWork] and [fhs.AbsTmp] respectively. If one or more paths target
 // [AbsWork], the final entry is set up as a writable overlay mount on /work for
 // which the upperdir is the host side work directory. In this configuration,
 // the W field is ignored, and the program must avoid causing whiteout files to
 // be created. Cure fails if upperdir ends up with entries other than directory,
 // regular or symlink.
 //
 // If checksum is non-nil, the resulting [Artifact] implements [KnownChecksum]
 // and its container runs in the host net namespace.
 //
 // The container is allowed to run for the specified duration before the initial
 // process and all processes originating from it is terminated. A zero or
 // negative timeout value is equivalent tp [ExecTimeoutDefault], a timeout value
 // greater than [ExecTimeoutMax] is equivalent to [ExecTimeoutMax].
 //
 // The user-facing name and exclusivity value are not accessible from the
 // container and does not affect curing outcome. Because of this, it is omitted
 // from parameter data for computing identifier.
 func NewExec(
 	name string,
 	checksum *Checksum,
 	timeout time.Duration,
 	exclusive bool,
 	dir *check.Absolute,
 	env []string,
 	pathname *check.Absolute,
 	args []string,
 	paths ...ExecPath,
 ) Artifact {
 	if name == "" {
 		name = "exec-" + path.Base(pathname.String())
 	}
 	if timeout <= 0 {
 		timeout = ExecTimeoutDefault
 	}
 	if timeout > ExecTimeoutMax {
 		timeout = ExecTimeoutMax
 	}
 	a := execArtifact{name, paths, dir, env, pathname, args, timeout, exclusive}
 	if checksum == nil {
 		return &a
 	}
 	return &execNetArtifact{*checksum, a}
 }
 // Kind returns the hardcoded [Kind] constant.
 func (*execArtifact) Kind() Kind { return KindExec }
 // Params writes paths, executable pathname and args.
 func (a *execArtifact) Params(ctx *IContext) {
 	ctx.WriteString(a.name)
 	ctx.WriteUint32(uint32(len(a.paths)))
 	for _, p := range a.paths {
 		if p.P != nil {
 			ctx.WriteString(p.P.String())
 		} else {
 			ctx.WriteString("invalid P\x00")
 		}
 		ctx.WriteUint32(uint32(len(p.A)))
 		for _, d := range p.A {
 			ctx.WriteIdent(d)
 		}
 		if p.W {
 			ctx.WriteUint32(1)
 		} else {
 			ctx.WriteUint32(0)
 		}
 	}
 	ctx.WriteString(a.dir.String())
 	ctx.WriteUint32(uint32(len(a.env)))
 	for _, e := range a.env {
 		ctx.WriteString(e)
 	}
 	ctx.WriteString(a.path.String())
 	ctx.WriteUint32(uint32(len(a.args)))
 	for _, arg := range a.args {
 		ctx.WriteString(arg)
 	}
 	ctx.WriteUint32(uint32(a.timeout & 0xffffffff))
 	ctx.WriteUint32(uint32(a.timeout >> 32))
 	if a.exclusive {
 		ctx.WriteUint32(1)
 	} else {
 		ctx.WriteUint32(0)
 	}
 }
 // readExecArtifact interprets IR values and returns the address of execArtifact
 // or execNetArtifact.
 func readExecArtifact(r *IRReader, net bool) Artifact {
 	r.DiscardAll()
 	name := r.ReadString()
 	sz := r.ReadUint32()
 	if sz > irMaxDeps {
 		panic(ErrIRDepend)
 	}
 	paths := make([]ExecPath, sz)
 	for i := range paths {
 		paths[i].P = check.MustAbs(r.ReadString())
 		sz = r.ReadUint32()
 		if sz > irMaxDeps {
 			panic(ErrIRDepend)
 		}
 		paths[i].A = make([]Artifact, sz)
 		for j := range paths[i].A {
 			paths[i].A[j] = r.ReadIdent()
 		}
 		paths[i].W = r.ReadUint32() != 0
 	}
 	dir := check.MustAbs(r.ReadString())
 	sz = r.ReadUint32()
 	if sz > irMaxValues {
 		panic(ErrIRValues)
 	}
 	env := make([]string, sz)
 	for i := range env {
 		env[i] = r.ReadString()
 	}
 	pathname := check.MustAbs(r.ReadString())
 	sz = r.ReadUint32()
 	if sz > irMaxValues {
 		panic(ErrIRValues)
 	}
 	args := make([]string, sz)
 	for i := range args {
 		args[i] = r.ReadString()
 	}
 	timeout := time.Duration(r.ReadUint32())
 	timeout |= time.Duration(r.ReadUint32()) << 32
 	exclusive := r.ReadUint32() != 0
 	checksum, ok := r.Finalise()
 	var checksumP *Checksum
 	if net {
 		if !ok {
 			panic(ErrExpectedChecksum)
 		}
 		checksumVal := checksum.Value()
 		checksumP = &checksumVal
 	} else {
 		if ok {
 			panic(ErrUnexpectedChecksum)
 		}
 	}
 	return NewExec(
 		name, checksumP, timeout, exclusive, dir, env, pathname, args, paths...,
 	)
 }
 func init() {
 	register(KindExec,
 		func(r *IRReader) Artifact { return readExecArtifact(r, false) })
 	register(KindExecNet,
 		func(r *IRReader) Artifact { return readExecArtifact(r, true) })
 }
 // Dependencies returns a slice of all artifacts collected from caller-supplied
 // [ExecPath].
 func (a *execArtifact) Dependencies() []Artifact {
 	artifacts := make([][]Artifact, 0, len(a.paths))
 	for _, p := range a.paths {
 		artifacts = append(artifacts, p.A)
 	}
 	return slices.Concat(artifacts...)
 }
 // IsExclusive returns the caller-supplied exclusivity value.
 func (a *execArtifact) IsExclusive() bool { return a.exclusive }
 // String returns the caller-supplied reporting name.
 func (a *execArtifact) String() string { return a.name }
 // Cure cures the [Artifact] in the container described by the caller.
 func (a *execArtifact) Cure(f *FContext) (err error) {
 	return a.cure(f, false)
 }
 const (
 	// execWaitDelay is passed through to [container.Params].
 	execWaitDelay = time.Nanosecond
 )
 // scanVerbose prefixes program output for a verbose [message.Msg].
 func scanVerbose(
 	msg message.Msg,
 	cancel context.CancelFunc,
 	done chan<- struct{},
 	prefix string,
 	r io.Reader,
 ) {
 	defer close(done)
 	s := bufio.NewScanner(r)
 	s.Buffer(
 		make([]byte, bufio.MaxScanTokenSize),
 		bufio.MaxScanTokenSize<<12,
 	)
 	for s.Scan() {
 		msg.Verbose(prefix, s.Text())
 	}
 	if err := s.Err(); err != nil && !errors.Is(err, os.ErrClosed) {
 		cancel()
 		msg.Verbose("*"+prefix, err)
 	}
 }
 // SeccompPresets is the [seccomp] presets used by exec artifacts.
 const SeccompPresets = std.PresetStrict &
 	^(std.PresetDenyNS | std.PresetDenyDevel)
 // cure is like Cure but allows optional host net namespace. This is used for
 // the [KnownChecksum] variant where networking is allowed.
 func (a *execArtifact) cure(f *FContext, hostNet bool) (err error) {
 	overlayWorkIndex := -1
 	for i, p := range a.paths {
 		if p.P == nil || len(p.A) == 0 {
 			return os.ErrInvalid
 		}
 		if p.P.Is(AbsWork) {
 			overlayWorkIndex = i
 		}
 	}
 	var artifactCount int
 	for _, p := range a.paths {
 		artifactCount += len(p.A)
 	}
 	ctx, cancel := context.WithTimeout(f.Unwrap(), a.timeout)
 	defer cancel()
 	z := container.New(ctx, f.GetMessage())
 	z.WaitDelay = execWaitDelay
 	z.SeccompPresets = SeccompPresets
 	z.SeccompFlags |= seccomp.AllowMultiarch
 	z.ParentPerm = 0700
 	z.HostNet = hostNet
 	z.Hostname = "cure"
 	z.SchedPolicy = SchedPolicy
 	if z.HostNet {
 		z.Hostname = "cure-net"
 	}
 	z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
 	var status io.Writer
 	if status, err = f.GetStatusWriter(); err != nil {
 		return
 	}
 	if msg := f.GetMessage(); msg.IsVerbose() {
 		var stdout, stderr io.ReadCloser
 		if stdout, err = z.StdoutPipe(); err != nil {
 			return
 		}
 		if stderr, err = z.StderrPipe(); err != nil {
 			_ = stdout.Close()
 			return
 		}
 		defer func() {
 			if err != nil && !errors.As(err, new(*exec.ExitError)) {
 				_ = stdout.Close()
 				_ = stderr.Close()
 			}
 		}()
 		brStdout, brStderr := f.cache.getReader(stdout), f.cache.getReader(stderr)
 		stdoutDone, stderrDone := make(chan struct{}), make(chan struct{})
 		go scanVerbose(
 			msg, cancel, stdoutDone,
 			"("+a.name+":1)",
 			io.TeeReader(brStdout, status),
 		)
 		go scanVerbose(
 			msg, cancel, stderrDone,
 			"("+a.name+":2)",
 			io.TeeReader(brStderr, status),
 		)
 		defer func() {
 			<-stdoutDone
 			<-stderrDone
 			f.cache.putReader(brStdout)
 			f.cache.putReader(brStderr)
 		}()
 	} else {
 		z.Stdout, z.Stderr = status, status
 	}
 	z.Dir, z.Env, z.Path, z.Args = a.dir, a.env, a.path, a.args
 	z.Grow(len(a.paths) + 4)
 	temp, work := f.GetTempDir(), f.GetWorkDir()
 	for i, b := range a.paths {
 		if i == overlayWorkIndex {
 			if err = os.MkdirAll(work.String(), 0700); err != nil {
 				return
 			}
 			tempWork := temp.Append(".work")
 			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
 				return
 			}
 			z.Overlay(
 				AbsWork,
 				work,
 				tempWork,
 				b.layers(f)...,
 			)
 			continue
 		}
 		if a.paths[i].W {
 			tempUpper, tempWork := temp.Append(
 				".upper", strconv.Itoa(i),
 			), temp.Append(
 				".work", strconv.Itoa(i),
 			)
 			if err = os.MkdirAll(tempUpper.String(), 0700); err != nil {
 				return
 			}
 			if err = os.MkdirAll(tempWork.String(), 0700); err != nil {
 				return
 			}
 			z.Overlay(b.P, tempUpper, tempWork, b.layers(f)...)
 		} else if len(b.A) == 1 {
 			pathname, _ := f.GetArtifact(b.A[0])
 			z.Bind(pathname, b.P, 0)
 		} else {
 			z.OverlayReadonly(b.P, b.layers(f)...)
 		}
 	}
 	if overlayWorkIndex < 0 {
 		z.Bind(
 			work,
 			AbsWork,
 			std.BindWritable|std.BindEnsure,
 		)
 	}
 	z.Bind(
 		f.GetTempDir(),
 		fhs.AbsTmp,
 		std.BindWritable|std.BindEnsure,
 	)
 	z.Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
 	if err = z.Start(); err != nil {
 		return
 	}
 	if err = z.Serve(); err != nil {
 		return
 	}
 	if err = z.Wait(); err != nil {
 		return
 	}
 	// do not allow empty directories to succeed
 	for {
 		err = syscall.Rmdir(work.String())
 		if err != syscall.EINTR {
 			break
 		}
 	}
 	if err != nil && errors.Is(err, syscall.ENOTEMPTY) {
 		err = nil
 	}
 	return
 }
--- a/internal/pkg/exec_test.go
+++ b/internal/pkg/exec_test.go
@@ -0,0 +1,339 @@
 package pkg_test
 //go:generate env CGO_ENABLED=0 go build -tags testtool -o testdata/testtool ./testdata
 import (
 	_ "embed"
 	"encoding/gob"
 	"errors"
 	"net"
 	"os"
 	"os/exec"
 	"slices"
 	"testing"
 	"unique"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
 	"hakurei.app/internal/pkg"
 )
 // testtoolBin is the container test tool binary made available to the
 // execArtifact for testing its curing environment.
 //
 //go:embed testdata/testtool
 var testtoolBin []byte
 func TestExec(t *testing.T) {
 	t.Parallel()
 	wantChecksumOffline := pkg.MustDecode(
 		"GPa4aBakdSJd7Tz7LYj_VJFoojzyZinmVcG3k6M5xI6CZ821J5sXLhLDDuS47gi9",
 	)
 	checkWithCache(t, []cacheTestCase{
 		{"offline", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			c.SetStrict(true)
 			testtool, testtoolDestroy := newTesttool()
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
 					"exec-offline", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool"},
 					pkg.MustPath("/file", false, newStubFile(
 						pkg.KindHTTPGet,
 						pkg.ID{0xfe, 0},
 						nil,
 						nil, nil,
 					)),
 					pkg.MustPath("/.hakurei", false, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
 				), ignorePathname, wantChecksumOffline, nil},
 				{"error passthrough", pkg.NewExec(
 					"", nil, 0, true,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool"},
 					pkg.MustPath("/proc/nonexistent", false, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("doomed artifact"),
 						cure: func(t *pkg.TContext) error {
 							return stub.UniqueError(0xcafe)
 						},
 					}),
 				), nil, pkg.Checksum{}, &pkg.DependencyCureError{
 					{
 						Ident: unique.Make(pkg.ID(pkg.MustDecode(
 							"Sowo6oZRmG6xVtUaxB6bDWZhVsqAJsIJWUp0OPKlE103cY0lodx7dem8J-qQF0Z1",
 						))),
 						Err: stub.UniqueError(0xcafe),
 					},
 				}},
 				{"invalid paths", pkg.NewExec(
 					"", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool"},
 					pkg.ExecPath{},
 				), nil, pkg.Checksum{}, os.ErrInvalid},
 			})
 			// check init failure passthrough
 			var exitError *exec.ExitError
 			if _, _, err := c.Cure(pkg.NewExec(
 				"", nil, 0, false,
 				pkg.AbsWork,
 				nil,
 				check.MustAbs("/opt/bin/testtool"),
 				[]string{"testtool"},
 			)); !errors.As(err, &exitError) ||
 				exitError.ExitCode() != hst.ExitFailure {
 				t.Fatalf("Cure: error = %v, want init exit status 1", err)
 			}
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("Q5DluWQCAeohLoiGRImurwFp3vdz9IfQCoj7Fuhh73s4KQPRHpEQEnHTdNHmB8Fx")},
 		{"net", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			c.SetStrict(true)
 			testtool, testtoolDestroy := newTesttool()
 			wantChecksum := pkg.MustDecode(
 				"a1F_i9PVQI4qMcoHgTQkORuyWLkC1GLIxOhDt2JpU1NGAxWc5VJzdlfRK-PYBh3W",
 			)
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
 					"exec-net", &wantChecksum, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool", "net"},
 					pkg.MustPath("/file", false, newStubFile(
 						pkg.KindHTTPGet,
 						pkg.ID{0xfe, 0},
 						nil,
 						nil, nil,
 					)),
 					pkg.MustPath("/.hakurei", false, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
 				), ignorePathname, wantChecksum, nil},
 			})
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("bPYvvqxpfV7xcC1EptqyKNK1klLJgYHMDkzBcoOyK6j_Aj5hb0mXNPwTwPSK5F6Z")},
 		{"overlay root", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			c.SetStrict(true)
 			testtool, testtoolDestroy := newTesttool()
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
 					"exec-overlay-root", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool"},
 					pkg.MustPath("/", true, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
 				), ignorePathname, wantChecksumOffline, nil},
 			})
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("PO2DSSCa4yoSgEYRcCSZfQfwow1yRigL3Ry-hI0RDI4aGuFBha-EfXeSJnG_5_Rl")},
 		{"overlay work", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			c.SetStrict(true)
 			testtool, testtoolDestroy := newTesttool()
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
 					"exec-overlay-work", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/work/bin/testtool"),
 					[]string{"testtool"},
 					pkg.MustPath("/", true, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}), pkg.MustPath("/work/", false, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}), pkg.Path(pkg.AbsWork, false /* ignored */, testtool),
 				), ignorePathname, wantChecksumOffline, nil},
 			})
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("iaRt6l_Wm2n-h5UsDewZxQkCmjZjyL8r7wv32QT2kyV55-Lx09Dq4gfg9BiwPnKs")},
 		{"multiple layers", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			c.SetStrict(true)
 			testtool, testtoolDestroy := newTesttool()
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
 					"exec-multiple-layers", nil, 0, false,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool", "layers"},
 					pkg.MustPath("/", true, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}, &stubArtifactF{
 						kind:   pkg.KindExec,
 						params: []byte("test sample with dependencies"),
 						deps: slices.Repeat([]pkg.Artifact{newStubFile(
 							pkg.KindHTTPGet,
 							pkg.ID{0xfe, 0},
 							nil,
 							nil, nil,
 						), &stubArtifact{
 							kind:   pkg.KindTar,
 							params: []byte("empty directory"),
 							// this is queued and might run instead of the other
 							// one so do not leave it as nil
 							cure: func(t *pkg.TContext) error {
 								return os.MkdirAll(t.GetWorkDir().String(), 0700)
 							},
 						}}, 1<<5 /* concurrent cache hits */),
 						cure: func(f *pkg.FContext) error {
 							work := f.GetWorkDir()
 							if err := os.MkdirAll(work.String(), 0700); err != nil {
 								return err
 							}
 							return os.WriteFile(work.Append("check").String(), []byte("layers"), 0400)
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
 				), ignorePathname, wantChecksumOffline, nil},
 			})
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("O2YzyR7IUGU5J2CADy0hUZ3A5NkP_Vwzs4UadEdn2oMZZVWRtH0xZGJ3HXiimTnZ")},
 		{"overlay layer promotion", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			c.SetStrict(true)
 			testtool, testtoolDestroy := newTesttool()
 			cureMany(t, c, []cureStep{
 				{"container", pkg.NewExec(
 					"exec-layer-promotion", nil, 0, true,
 					pkg.AbsWork,
 					[]string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"},
 					check.MustAbs("/opt/bin/testtool"),
 					[]string{"testtool", "promote"},
 					pkg.MustPath("/", true, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("another empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}, &stubArtifact{
 						kind:   pkg.KindTar,
 						params: []byte("empty directory"),
 						cure: func(t *pkg.TContext) error {
 							return os.MkdirAll(t.GetWorkDir().String(), 0700)
 						},
 					}),
 					pkg.MustPath("/opt", false, testtool),
 				), ignorePathname, wantChecksumOffline, nil},
 			})
 			testtoolDestroy(t, base, c)
 		}, pkg.MustDecode("3EaW6WibLi9gl03_UieiFPaFcPy5p4x3JPxrnLJxGaTI-bh3HU9DK9IMx7c3rrNm")},
 	})
 }
 // newTesttool returns an [Artifact] that cures into testtoolBin. The returned
 // function must be called at the end of the test but not deferred.
 func newTesttool() (
 	testtool pkg.Artifact,
 	testtoolDestroy func(t *testing.T, base *check.Absolute, c *pkg.Cache),
 ) {
 	// testtoolBin is built during go:generate and is not deterministic
 	testtool = overrideIdent{pkg.ID{0xfe, 0xff}, &stubArtifact{
 		kind: pkg.KindTar,
 		cure: func(t *pkg.TContext) error {
 			work := t.GetWorkDir()
 			if err := os.MkdirAll(
 				work.Append("bin").String(),
 				0700,
 			); err != nil {
 				return err
 			}
 			if ift, err := net.Interfaces(); err != nil {
 				return err
 			} else {
 				var f *os.File
 				if f, err = os.Create(t.GetWorkDir().Append(
 					"ift",
 				).String()); err != nil {
 					return err
 				} else {
 					err = gob.NewEncoder(f).Encode(ift)
 					closeErr := f.Close()
 					if err != nil {
 						return err
 					}
 					if closeErr != nil {
 						return closeErr
 					}
 				}
 			}
 			return os.WriteFile(t.GetWorkDir().Append(
 				"bin",
 				"testtool",
 			).String(), testtoolBin, 0500)
 		},
 	}}
 	testtoolDestroy = newDestroyArtifactFunc(testtool)
 	return
 }
--- a/internal/pkg/file.go
+++ b/internal/pkg/file.go
@@ -0,0 +1,81 @@
 package pkg
 import (
 	"bytes"
 	"crypto/sha512"
 	"fmt"
 	"io"
 )
 // A fileArtifact is an [Artifact] that cures into data known ahead of time.
 type fileArtifact []byte
 var _ KnownChecksum = new(fileArtifact)
 // fileArtifactNamed embeds fileArtifact alongside a caller-supplied name.
 type fileArtifactNamed struct {
 	fileArtifact
 	// Caller-supplied user-facing reporting name.
 	name string
 }
 var _ fmt.Stringer = new(fileArtifactNamed)
 var _ KnownChecksum = new(fileArtifactNamed)
 // String returns the caller-supplied reporting name.
 func (a *fileArtifactNamed) String() string { return a.name }
 // Params writes the caller-supplied reporting name and the file body.
 func (a *fileArtifactNamed) Params(ctx *IContext) {
 	ctx.WriteString(a.name)
 	ctx.Write(a.fileArtifact)
 }
 // NewFile returns a [FileArtifact] that cures into a caller-supplied byte slice.
 //
 // Caller must not modify data after NewFile returns.
 func NewFile(name string, data []byte) FileArtifact {
 	f := fileArtifact(data)
 	if name != "" {
 		return &fileArtifactNamed{f, name}
 	}
 	return &f
 }
 // Kind returns the hardcoded [Kind] constant.
 func (*fileArtifact) Kind() Kind { return KindFile }
 // Params writes an empty string and the file body.
 func (a *fileArtifact) Params(ctx *IContext) {
 	ctx.WriteString("")
 	ctx.Write(*a)
 }
 func init() {
 	register(KindFile, func(r *IRReader) Artifact {
 		name := r.ReadString()
 		data := r.ReadStringBytes()
 		if _, ok := r.Finalise(); !ok {
 			panic(ErrExpectedChecksum)
 		}
 		return NewFile(name, data)
 	})
 }
 // Dependencies returns a nil slice.
 func (*fileArtifact) Dependencies() []Artifact { return nil }
 // IsExclusive returns false: Cure returns a prepopulated buffer.
 func (*fileArtifact) IsExclusive() bool { return false }
 // Checksum computes and returns the checksum of caller-supplied data.
 func (a *fileArtifact) Checksum() Checksum {
 	h := sha512.New384()
 	h.Write(*a)
 	return Checksum(h.Sum(nil))
 }
 // Cure returns the caller-supplied data.
 func (a *fileArtifact) Cure(*RContext) (io.ReadCloser, error) {
 	return io.NopCloser(bytes.NewReader(*a)), nil
 }
--- a/internal/pkg/file_test.go
+++ b/internal/pkg/file_test.go
@@ -0,0 +1,29 @@
 package pkg_test
 import (
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/internal/pkg"
 )
 func TestFile(t *testing.T) {
 	t.Parallel()
 	checkWithCache(t, []cacheTestCase{
 		{"file", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			c.SetStrict(true)
 			cureMany(t, c, []cureStep{
 				{"short", pkg.NewFile("null", []byte{0}), base.Append(
 					"identifier",
 					"3376ALA7hIUm2LbzH2fDvRezgzod1eTK_G6XjyOgbM2u-6swvkFaF0BOwSl_juBi",
 				), pkg.MustDecode(
 					"vsAhtPNo4waRNOASwrQwcIPTqb3SBuJOXw2G4T1mNmVZM-wrQTRllmgXqcIIoRcX",
 				), nil},
 			})
 		}, pkg.MustDecode(
 			"iR6H5OIsyOW4EwEgtm9rGzGF6DVtyHLySEtwnFE8bnus9VJcoCbR4JIek7Lw-vwT",
 		)},
 	})
 }
--- a/internal/pkg/ir.go
+++ b/internal/pkg/ir.go
@@ -0,0 +1,769 @@
 package pkg
 import (
 	"bufio"
 	"bytes"
 	"context"
 	"crypto/sha512"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"slices"
 	"strconv"
 	"syscall"
 	"unique"
 	"unsafe"
 )
 // wordSize is the boundary which binary segments are always aligned to.
 const wordSize = 8
 // alignSize returns the padded size for aligning sz.
 func alignSize(sz int) int {
 	return sz + (wordSize-(sz)%wordSize)%wordSize
 }
 // panicToError recovers from a panic and replaces a nil error with the panicked
 // error value. If the value does not implement error, it is re-panicked.
 func panicToError(errP *error) {
 	r := recover()
 	if r == nil {
 		return
 	}
 	if err, ok := r.(error); !ok {
 		panic(r)
 	} else if *errP == nil {
 		*errP = err
 	}
 }
 // IContext is passed to [Artifact.Params] and provides methods for writing
 // values to the IR writer. It does not expose the underlying [io.Writer].
 //
 // IContext is valid until [Artifact.Params] returns.
 type IContext struct {
 	// Address of underlying [Cache], should be zeroed or made unusable after
 	// [Artifact.Params] returns and must not be exposed directly.
 	cache *Cache
 	// Written to by various methods, should be zeroed after [Artifact.Params]
 	// returns and must not be exposed directly.
 	w io.Writer
 }
 // Unwrap returns the underlying [context.Context].
 func (i *IContext) Unwrap() context.Context { return i.cache.ctx }
 // irZero is a zero IR word.
 var irZero [wordSize]byte
 // IRValueKind denotes the kind of encoded value.
 type IRValueKind uint32
 const (
 	// IRKindEnd denotes the end of the current parameters stream. The ancillary
 	// value is interpreted as [IREndFlag].
 	IRKindEnd IRValueKind = iota
 	// IRKindIdent denotes the identifier of a dependency [Artifact]. The
 	// ancillary value is reserved for future use.
 	IRKindIdent
 	// IRKindUint32 denotes an inlined uint32 value.
 	IRKindUint32
 	// IRKindString denotes a string with its true length encoded in header
 	// ancillary data. Its wire length is always aligned to 8 byte boundary.
 	IRKindString
 	irHeaderShift = 32
 	irHeaderMask  = 0xffffffff
 )
 // String returns a user-facing name of k.
 func (k IRValueKind) String() string {
 	switch k {
 	case IRKindEnd:
 		return "terminator"
 	case IRKindIdent:
 		return "ident"
 	case IRKindUint32:
 		return "uint32"
 	case IRKindString:
 		return "string"
 	default:
 		return "invalid kind " + strconv.Itoa(int(k))
 	}
 }
 // irValueHeader encodes [IRValueKind] and a 32-bit ancillary value.
 type irValueHeader uint64
 // encodeHeader returns irValueHeader encoding [IRValueKind] and ancillary data.
 func (k IRValueKind) encodeHeader(v uint32) irValueHeader {
 	return irValueHeader(v)<<irHeaderShift | irValueHeader(k)
 }
 // put stores h in b[0:8].
 func (h irValueHeader) put(b []byte) {
 	binary.LittleEndian.PutUint64(b[:], uint64(h))
 }
 // append appends the bytes of h to b and returns the appended slice.
 func (h irValueHeader) append(b []byte) []byte {
 	return binary.LittleEndian.AppendUint64(b, uint64(h))
 }
 // IREndFlag is ancillary data encoded in the header of an [IRKindEnd] value and
 // specifies the presence of optional fields in the remaining [IRKindEnd] data.
 // Order of present fields is the order of their corresponding constants defined
 // below.
 type IREndFlag uint32
 const (
 	// IREndKnownChecksum denotes a [KnownChecksum] artifact. For an [IRKindEnd]
 	// value with this flag set, the remaining data contains the [Checksum].
 	IREndKnownChecksum IREndFlag = 1 << iota
 )
 // mustWrite writes to IContext.w and panics on error. The panic is recovered
 // from by the caller and used as the return value.
 func (i *IContext) mustWrite(p []byte) {
 	if _, err := i.w.Write(p); err != nil {
 		panic(err)
 	}
 }
 // WriteIdent writes the identifier of [Artifact] to the IR. The behaviour of
 // WriteIdent is not defined for an [Artifact] not part of the slice returned by
 // [Artifact.Dependencies].
 func (i *IContext) WriteIdent(a Artifact) {
 	buf := i.cache.getIdentBuf()
 	defer i.cache.putIdentBuf(buf)
 	IRKindIdent.encodeHeader(0).put(buf[:])
 	*(*ID)(buf[wordSize:]) = i.cache.Ident(a).Value()
 	i.mustWrite(buf[:])
 }
 // WriteUint32 writes a uint32 value to the IR.
 func (i *IContext) WriteUint32(v uint32) {
 	i.mustWrite(IRKindUint32.encodeHeader(v).append(nil))
 }
 // irMaxStringLength is the maximum acceptable wire size of [IRKindString].
 const irMaxStringLength = 1 << 24
 // IRStringError is a string value too big to encode in IR.
 type IRStringError string
 func (IRStringError) Error() string {
 	return "params value too big to encode in IR"
 }
 // Write writes p as a string value to the IR.
 func (i *IContext) Write(p []byte) {
 	sz := alignSize(len(p))
 	if len(p) > irMaxStringLength || sz > irMaxStringLength {
 		panic(IRStringError(p))
 	}
 	i.mustWrite(IRKindString.encodeHeader(uint32(len(p))).append(nil))
 	i.mustWrite(p)
 	psz := sz - len(p)
 	if psz > 0 {
 		i.mustWrite(irZero[:psz])
 	}
 }
 // WriteString writes s as a string value to the IR.
 func (i *IContext) WriteString(s string) {
 	p := unsafe.Slice(unsafe.StringData(s), len(s))
 	i.Write(p)
 }
 // Encode writes a deterministic, efficient representation of a to w and returns
 // the first non-nil error encountered while writing to w.
 func (c *Cache) Encode(w io.Writer, a Artifact) (err error) {
 	deps := a.Dependencies()
 	idents := make([]*extIdent, len(deps))
 	for i, d := range deps {
 		dbuf, did := c.unsafeIdent(d, true)
 		if dbuf == nil {
 			dbuf = c.getIdentBuf()
 			binary.LittleEndian.PutUint64(dbuf[:], uint64(d.Kind()))
 			*(*ID)(dbuf[wordSize:]) = did.Value()
 		} else {
 			c.storeIdent(d, dbuf)
 		}
 		defer c.putIdentBuf(dbuf)
 		idents[i] = dbuf
 	}
 	slices.SortFunc(idents, func(a, b *extIdent) int {
 		return bytes.Compare(a[:], b[:])
 	})
 	idents = slices.CompactFunc(idents, func(a, b *extIdent) bool {
 		return *a == *b
 	})
 	// kind uint64 | deps_sz uint64
 	var buf [wordSize * 2]byte
 	binary.LittleEndian.PutUint64(buf[:], uint64(a.Kind()))
 	binary.LittleEndian.PutUint64(buf[wordSize:], uint64(len(idents)))
 	if _, err = w.Write(buf[:]); err != nil {
 		return
 	}
 	for _, dn := range idents {
 		// kind uint64 | ident ID
 		if _, err = w.Write(dn[:]); err != nil {
 			return
 		}
 	}
 	func() {
 		i := IContext{c, w}
 		defer panicToError(&err)
 		defer func() { i.cache, i.w = nil, nil }()
 		a.Params(&i)
 	}()
 	if err != nil {
 		return
 	}
 	var f IREndFlag
 	kcBuf := c.getIdentBuf()
 	sz := wordSize
 	if kc, ok := a.(KnownChecksum); ok {
 		f |= IREndKnownChecksum
 		*(*Checksum)(kcBuf[wordSize:]) = kc.Checksum()
 		sz += len(Checksum{})
 	}
 	IRKindEnd.encodeHeader(uint32(f)).put(kcBuf[:])
 	_, err = w.Write(kcBuf[:sz])
 	c.putIdentBuf(kcBuf)
 	return
 }
 // encodeAll implements EncodeAll by recursively encoding dependencies and
 // performs deduplication by value via the encoded map.
 func (c *Cache) encodeAll(
 	w io.Writer,
 	a Artifact,
 	encoded map[Artifact]struct{},
 ) (err error) {
 	if _, ok := encoded[a]; ok {
 		return
 	}
 	for _, d := range a.Dependencies() {
 		if err = c.encodeAll(w, d, encoded); err != nil {
 			return
 		}
 	}
 	encoded[a] = struct{}{}
 	return c.Encode(w, a)
 }
 // EncodeAll writes a self-describing IR stream of a to w and returns the first
 // non-nil error encountered while writing to w.
 //
 // EncodeAll tries to avoid encoding the same [Artifact] more than once, however
 // it will fail to do so if they do not compare equal by value, as that will
 // require buffering and greatly reduce performance. It is therefore up to the
 // caller to avoid causing dependencies to be represented in a way such that
 // two equivalent artifacts do not compare equal. While an IR stream with
 // repeated artifacts is valid, it is somewhat inefficient, and the reference
 // [IRDecoder] implementation produces a warning for it.
 //
 // Note that while EncodeAll makes use of the ident free list, it does not use
 // the ident cache, nor does it contribute identifiers it computes back to the
 // ident cache. Because of this, multiple invocations of EncodeAll will have
 // similar cost and does not amortise when combined with a call to Cure.
 func (c *Cache) EncodeAll(w io.Writer, a Artifact) error {
 	return c.encodeAll(w, a, make(map[Artifact]struct{}))
 }
 // ErrRemainingIR is returned for a [IRReadFunc] that failed to call
 // [IRReader.Finalise] before returning.
 var ErrRemainingIR = errors.New("implementation did not consume final value")
 // DanglingIdentError is an identifier in a [IRKindIdent] value that was never
 // described in the IR stream before it was encountered.
 type DanglingIdentError unique.Handle[ID]
 func (e DanglingIdentError) Error() string {
 	return "artifact " + Encode(unique.Handle[ID](e).Value()) +
 		" was never described"
 }
 type (
 	// IRDecoder decodes [Artifact] from an IR stream. The stream is read to
 	// EOF and the final [Artifact] is returned. Previous artifacts may be
 	// looked up by their identifier.
 	//
 	// An [Artifact] may appear more than once in the same IR stream. A
 	// repeating [Artifact] generates a warning via [Cache] and will appear if
 	// verbose logging is enabled. Artifacts may only depend on artifacts
 	// previously described in the IR stream.
 	//
 	// IRDecoder rejects an IR stream on the first decoding error, it does not
 	// check against nonzero reserved ancillary data or incorrectly ordered or
 	// redundant unstructured dependencies. An invalid IR stream as such will
 	// yield [Artifact] values with identifiers disagreeing with those computed
 	// by IRDecoder. For this reason, IRDecoder does not access the ident cache
 	// to avoid putting [Cache] into an inconsistent state.
 	//
 	// Methods of IRDecoder are not safe for concurrent use.
 	IRDecoder struct {
 		// Address of underlying [Cache], must not be exposed directly.
 		c *Cache
 		// Underlying IR reader. Methods of [IRReader] must not use this as it
 		// bypasses ident measurement.
 		r io.Reader
 		// Artifacts already seen in the IR stream.
 		ident map[unique.Handle[ID]]Artifact
 		// Whether Decode returned, and the entire IR stream was decoded.
 		done, ok bool
 	}
 	// IRReader provides methods to decode the IR wire format and read values
 	// from the reader embedded in the underlying [IRDecoder]. It is
 	// deliberately impossible to obtain the [IRValueKind] of the next value,
 	// and callers must never recover from panics in any read method.
 	//
 	// It is the responsibility of the caller to call Finalise after all IR
 	// values have been read. Failure to call Finalise causes the resulting
 	// [Artifact] to be rejected with [ErrRemainingIR].
 	//
 	// For an [Artifact] expected to have dependencies, the caller must consume
 	// all dependencies by calling Next until all dependencies are depleted, or
 	// call DiscardAll to explicitly discard them and rely on values encoded as
 	// [IRKindIdent] instead. Failure to consume all unstructured dependencies
 	// causes the resulting [Artifact] to be rejected with [MissedDependencyError].
 	//
 	// Requesting the value of an unstructured dependency not yet described in
 	// the IR stream via Next, or reading an [IRKindIdent] value not part of
 	// unstructured dependencies via ReadIdent may cause the resulting
 	// [Artifact] to be rejected with [DanglingIdentError], however either
 	// method may return a non-nil [Artifact] implementation of unspecified
 	// value.
 	IRReader struct {
 		// Address of underlying [IRDecoder], should be zeroed or made unusable
 		// after finalisation and must not be exposed directly.
 		d *IRDecoder
 		// Common buffer for word-sized reads.
 		buf [wordSize]byte
 		// Dependencies sent before params, sorted by identifier. Resliced on
 		// each call to Next and checked to be depleted during Finalise.
 		deps []*extIdent
 		// Number of values already read, -1 denotes a finalised IRReader.
 		count int
 		// Header of value currently being read.
 		h irValueHeader
 		// Measured IR reader. All reads for the current [Artifact] must go
 		// through this to produce a correct ident.
 		r io.Reader
 		// Buffers measure writes. Flushed and returned to d during Finalise.
 		ibw *bufio.Writer
 	}
 	// IRReadFunc reads IR values written by [Artifact.Params] to produce an
 	// instance of [Artifact] identical to the one to produce these values.
 	IRReadFunc func(r *IRReader) Artifact
 )
 // kind returns the [IRValueKind] encoded in h.
 func (h irValueHeader) kind() IRValueKind {
 	return IRValueKind(h & irHeaderMask)
 }
 // value returns ancillary data encoded in h.
 func (h irValueHeader) value() uint32 {
 	return uint32(h >> irHeaderShift)
 }
 // irArtifact refers to artifact IR interpretation functions and must not be
 // written to directly.
 var irArtifact = make(map[Kind]IRReadFunc)
 // InvalidKindError is an unregistered [Kind] value.
 type InvalidKindError Kind
 func (e InvalidKindError) Error() string {
 	return "invalid artifact kind " + strconv.Itoa(int(e))
 }
 // register records the [IRReadFunc] of an implementation of [Artifact] under
 // the specified [Kind]. Expecting to be used only during initialization, it
 // panics if the mapping between [Kind] and [IRReadFunc] is not a bijection.
 //
 // register is not safe for concurrent use. register must not be called after
 // the first instance of [Cache] has been opened.
 func register(k Kind, f IRReadFunc) {
 	if _, ok := irArtifact[k]; ok {
 		panic("attempting to register " + strconv.Itoa(int(k)) + " twice")
 	}
 	irArtifact[k] = f
 }
 // Register records the [IRReadFunc] of a custom implementation of [Artifact]
 // under the specified [Kind]. Expecting to be used only during initialization,
 // it panics if the mapping between [Kind] and [IRReadFunc] is not a bijection,
 // or the specified [Kind] is below [KindCustomOffset].
 //
 // Register is not safe for concurrent use. Register must not be called after
 // the first instance of [Cache] has been opened.
 func Register(k Kind, f IRReadFunc) {
 	if k < KindCustomOffset {
 		panic("attempting to register within internal kind range")
 	}
 	register(k, f)
 }
 // NewDecoder returns a new [IRDecoder] that reads from the [io.Reader].
 func (c *Cache) NewDecoder(r io.Reader) *IRDecoder {
 	return &IRDecoder{c, r, make(map[unique.Handle[ID]]Artifact), false, false}
 }
 const (
 	// irMaxValues is the arbitrary maximum number of values allowed to be
 	// written by [Artifact.Params] and subsequently read via [IRReader].
 	irMaxValues = 1 << 12
 	// irMaxDeps is the arbitrary maximum number of direct dependencies allowed
 	// to be returned by [Artifact.Dependencies] and subsequently decoded by
 	// [IRDecoder].
 	irMaxDeps = 1 << 10
 )
 var (
 	// ErrIRValues is returned for an [Artifact] with too many parameter values.
 	ErrIRValues = errors.New("artifact has too many IR parameter values")
 	// ErrIRDepend is returned for an [Artifact] with too many dependencies.
 	ErrIRDepend = errors.New("artifact has too many dependencies")
 	// ErrAlreadyFinalised is returned when attempting to use an [IRReader] that
 	// has already been finalised.
 	ErrAlreadyFinalised = errors.New("reader has already finalised")
 )
 // enterReader panics with an appropriate error for an out-of-bounds count and
 // must be called at some point in any exported method.
 func (ir *IRReader) enterReader(read bool) {
 	if ir.count < 0 {
 		panic(ErrAlreadyFinalised)
 	}
 	if ir.count >= irMaxValues {
 		panic(ErrIRValues)
 	}
 	if read {
 		ir.count++
 	}
 }
 // IRKindError describes an attempt to read an IR value of unexpected kind.
 type IRKindError struct {
 	Got, Want IRValueKind
 	Ancillary uint32
 }
 func (e *IRKindError) Error() string {
 	return fmt.Sprintf(
 		"got %s IR value (%#x) instead of %s",
 		e.Got, e.Ancillary, e.Want,
 	)
 }
 // readFull reads until either p is filled or an error is encountered.
 func (ir *IRReader) readFull(p []byte) (n int, err error) {
 	for n < len(p) && err == nil {
 		var nn int
 		nn, err = ir.r.Read(p[n:])
 		n += nn
 	}
 	return
 }
 // mustRead reads from the underlying measured reader and panics on error. If
 // an [io.EOF] is encountered and n != len(p), the error is promoted to a
 // [io.ErrUnexpectedEOF], if n == 0, [io.EOF] is kept as is, otherwise it is
 // zeroed.
 func (ir *IRReader) mustRead(p []byte) {
 	n, err := ir.readFull(p)
 	if err == nil {
 		return
 	}
 	if errors.Is(err, io.EOF) {
 		if n == len(p) {
 			return
 		}
 		err = io.ErrUnexpectedEOF
 	}
 	panic(err)
 }
 // mustReadHeader reads the next header via d and checks its kind.
 func (ir *IRReader) mustReadHeader(k IRValueKind) {
 	ir.mustRead(ir.buf[:])
 	ir.h = irValueHeader(binary.LittleEndian.Uint64(ir.buf[:]))
 	if wk := ir.h.kind(); wk != k {
 		panic(&IRKindError{wk, k, ir.h.value()})
 	}
 }
 // putAll returns all dependency buffers to the underlying [Cache].
 func (ir *IRReader) putAll() {
 	for _, buf := range ir.deps {
 		ir.d.c.putIdentBuf(buf)
 	}
 	ir.deps = nil
 }
 // DiscardAll discards all unstructured dependencies. This is useful to
 // implementations that encode dependencies as [IRKindIdent] which are read back
 // via ReadIdent.
 func (ir *IRReader) DiscardAll() {
 	if ir.deps == nil {
 		panic("attempting to discard dependencies twice")
 	}
 	ir.putAll()
 }
 // ErrDependencyDepleted is returned when attempting to advance to the next
 // unstructured dependency when there are none left.
 var ErrDependencyDepleted = errors.New("reading past end of dependencies")
 // Next returns the next unstructured dependency.
 func (ir *IRReader) Next() Artifact {
 	if len(ir.deps) == 0 {
 		panic(ErrDependencyDepleted)
 	}
 	id := unique.Make(ID(ir.deps[0][wordSize:]))
 	ir.d.c.putIdentBuf(ir.deps[0])
 	ir.deps = ir.deps[1:]
 	if a, ok := ir.d.ident[id]; !ok {
 		ir.putAll()
 		panic(DanglingIdentError(id))
 	} else {
 		return a
 	}
 }
 // MissedDependencyError is the number of unstructured dependencies remaining
 // in [IRReader] that was never requested or explicitly discarded before
 // finalisation.
 type MissedDependencyError int
 func (e MissedDependencyError) Error() string {
 	return "missed " + strconv.Itoa(int(e)) + " unstructured dependencies"
 }
 var (
 	// ErrUnexpectedChecksum is returned by a [IRReadFunc] that does not expect
 	// a checksum but received one in [IRKindEnd] anyway.
 	ErrUnexpectedChecksum = errors.New("checksum specified on unsupported artifact")
 	// ErrExpectedChecksum is returned by a [IRReadFunc] that expects a checksum
 	// but did not receive one in [IRKindEnd].
 	ErrExpectedChecksum = errors.New("checksum required but not specified")
 )
 // Finalise reads the final [IRKindEnd] value and marks r as finalised. Methods
 // of r are invalid upon entry into Finalise. If a [Checksum] is available via
 // [IREndKnownChecksum], its handle is returned and the caller must store its
 // value in the resulting [Artifact].
 func (ir *IRReader) Finalise() (checksum unique.Handle[Checksum], ok bool) {
 	ir.enterReader(true)
 	ir.count = -1
 	ir.mustReadHeader(IRKindEnd)
 	f := IREndFlag(ir.h.value())
 	if f&IREndKnownChecksum != 0 {
 		buf := ir.d.c.getIdentBuf()
 		defer ir.d.c.putIdentBuf(buf)
 		ir.mustRead(buf[wordSize:])
 		checksum = unique.Make(Checksum(buf[wordSize:]))
 		ok = true
 	}
 	if err := ir.ibw.Flush(); err != nil {
 		panic(err)
 	}
 	ir.r, ir.ibw = nil, nil
 	if len(ir.deps) != 0 {
 		panic(MissedDependencyError(len(ir.deps)))
 	}
 	return
 }
 // ReadIdent reads the next value as [IRKindIdent].
 func (ir *IRReader) ReadIdent() Artifact {
 	ir.enterReader(true)
 	ir.mustReadHeader(IRKindIdent)
 	buf := ir.d.c.getIdentBuf()
 	defer ir.d.c.putIdentBuf(buf)
 	ir.mustRead(buf[wordSize:])
 	id := unique.Make(ID(buf[wordSize:]))
 	if a, ok := ir.d.ident[id]; !ok {
 		panic(DanglingIdentError(id))
 	} else {
 		return a
 	}
 }
 // ReadUint32 reads the next value as [IRKindUint32].
 func (ir *IRReader) ReadUint32() uint32 {
 	ir.enterReader(true)
 	ir.mustReadHeader(IRKindUint32)
 	return ir.h.value()
 }
 // ReadStringBytes reads the next value as [IRKindString] but returns it as a
 // byte slice instead.
 func (ir *IRReader) ReadStringBytes() []byte {
 	ir.enterReader(true)
 	ir.mustReadHeader(IRKindString)
 	sz := int(ir.h.value())
 	szWire := alignSize(sz)
 	if szWire > irMaxStringLength {
 		panic(IRStringError("\x00"))
 	}
 	p := make([]byte, szWire)
 	ir.mustRead(p)
 	return p[:sz]
 }
 // ReadString reads the next value as [IRKindString].
 func (ir *IRReader) ReadString() string {
 	p := ir.ReadStringBytes()
 	return unsafe.String(unsafe.SliceData(p), len(p))
 }
 // decode decodes the next [Artifact] in the IR stream and returns any buffer
 // originating from [Cache] before returning. decode returns [io.EOF] if and
 // only if the underlying [io.Reader] is already read to EOF.
 func (d *IRDecoder) decode() (a Artifact, err error) {
 	defer panicToError(&err)
 	var ir IRReader
 	defer func() { ir.d = nil }()
 	ir.d = d
 	h := sha512.New384()
 	ir.ibw = d.c.getWriter(h)
 	defer d.c.putWriter(ir.ibw)
 	ir.r = io.TeeReader(d.r, ir.ibw)
 	if n, _err := ir.readFull(ir.buf[:]); _err != nil {
 		if errors.Is(_err, io.EOF) {
 			if n != 0 {
 				_err = io.ErrUnexpectedEOF
 			}
 		}
 		err = _err
 		return
 	}
 	ak := Kind(binary.LittleEndian.Uint64(ir.buf[:]))
 	f, ok := irArtifact[ak]
 	if !ok {
 		err = InvalidKindError(ak)
 		return
 	}
 	defer ir.putAll()
 	ir.mustRead(ir.buf[:])
 	sz := binary.LittleEndian.Uint64(ir.buf[:])
 	if sz > irMaxDeps {
 		err = ErrIRDepend
 		return
 	}
 	ir.deps = make([]*extIdent, sz)
 	for i := range ir.deps {
 		ir.deps[i] = d.c.getIdentBuf()
 	}
 	for _, buf := range ir.deps {
 		ir.mustRead(buf[:])
 	}
 	a = f(&ir)
 	if a == nil {
 		err = syscall.ENOTRECOVERABLE
 		return
 	}
 	if ir.count != -1 {
 		err = ErrRemainingIR
 		return
 	}
 	buf := d.c.getIdentBuf()
 	h.Sum(buf[wordSize:wordSize])
 	id := unique.Make(ID(buf[wordSize:]))
 	d.c.putIdentBuf(buf)
 	if _, ok = d.ident[id]; !ok {
 		d.ident[id] = a
 	} else {
 		d.c.msg.Verbosef(
 			"artifact %s appeared more than once in IR stream",
 			Encode(id.Value()),
 		)
 	}
 	return
 }
 // Decode consumes the IR stream to EOF and returns the final [Artifact]. After
 // Decode returns, Lookup is available and Decode must not be called again.
 func (d *IRDecoder) Decode() (a Artifact, err error) {
 	if d.done {
 		panic("attempting to decode an IR stream twice")
 	}
 	defer func() { d.done = true }()
 	var cur Artifact
 next:
 	a, err = d.decode()
 	if err == nil {
 		cur = a
 		goto next
 	}
 	if errors.Is(err, io.EOF) {
 		a, err = cur, nil
 		d.ok = true
 	}
 	return
 }
 // Lookup looks up an [Artifact] described by the IR stream by its identifier.
 func (d *IRDecoder) Lookup(id unique.Handle[ID]) (a Artifact, ok bool) {
 	if !d.ok {
 		panic("attempting to look up artifact without full IR stream")
 	}
 	a, ok = d.ident[id]
 	return
 }
--- a/internal/pkg/ir_test.go
+++ b/internal/pkg/ir_test.go
@@ -0,0 +1,114 @@
 package pkg_test
 import (
 	"bytes"
 	"io"
 	"reflect"
 	"testing"
 	"hakurei.app/container/check"
 	"hakurei.app/internal/pkg"
 )
 func TestIRRoundtrip(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		name string
 		a    pkg.Artifact
 	}{
 		{"http get aligned", pkg.NewHTTPGet(
 			nil, "file:///testdata",
 			pkg.Checksum(bytes.Repeat([]byte{0xfd}, len(pkg.Checksum{}))),
 		)},
 		{"http get unaligned", pkg.NewHTTPGet(
 			nil, "https://hakurei.app",
 			pkg.Checksum(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
 		)},
 		{"http get tar", pkg.NewHTTPGetTar(
 			nil, "file:///testdata",
 			pkg.Checksum(bytes.Repeat([]byte{0xff}, len(pkg.Checksum{}))),
 			pkg.TarBzip2,
 		)},
 		{"http get tar unaligned", pkg.NewHTTPGetTar(
 			nil, "https://hakurei.app",
 			pkg.Checksum(bytes.Repeat([]byte{0xfe}, len(pkg.Checksum{}))),
 			pkg.TarUncompressed,
 		)},
 		{"exec offline", pkg.NewExec(
 			"exec-offline", nil, 0, false,
 			pkg.AbsWork,
 			[]string{"HAKUREI_TEST=1"},
 			check.MustAbs("/opt/bin/testtool"),
 			[]string{"testtool"},
 			pkg.MustPath("/file", false, pkg.NewFile("file", []byte(
 				"stub file",
 			))), pkg.MustPath("/.hakurei", false, pkg.NewHTTPGetTar(
 				nil, "file:///hakurei.tar",
 				pkg.Checksum(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
 				pkg.TarUncompressed,
 			)), pkg.MustPath("/opt", false, pkg.NewHTTPGetTar(
 				nil, "file:///testtool.tar.gz",
 				pkg.Checksum(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
 				pkg.TarGzip,
 			)),
 		)},
 		{"exec net", pkg.NewExec(
 			"exec-net",
 			(*pkg.Checksum)(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
 			0, false,
 			pkg.AbsWork,
 			[]string{"HAKUREI_TEST=1"},
 			check.MustAbs("/opt/bin/testtool"),
 			[]string{"testtool", "net"},
 			pkg.MustPath("/file", false, pkg.NewFile("file", []byte(
 				"stub file",
 			))), pkg.MustPath("/.hakurei", false, pkg.NewHTTPGetTar(
 				nil, "file:///hakurei.tar",
 				pkg.Checksum(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
 				pkg.TarUncompressed,
 			)), pkg.MustPath("/opt", false, pkg.NewHTTPGetTar(
 				nil, "file:///testtool.tar.gz",
 				pkg.Checksum(bytes.Repeat([]byte{0xfc}, len(pkg.Checksum{}))),
 				pkg.TarGzip,
 			)),
 		)},
 		{"file anonymous", pkg.NewFile("", []byte{0})},
 		{"file", pkg.NewFile("stub", []byte("stub"))},
 	}
 	testCasesCache := make([]cacheTestCase, len(testCases))
 	for i, tc := range testCases {
 		want := tc.a
 		testCasesCache[i] = cacheTestCase{tc.name, nil,
 			func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 				r, w := io.Pipe()
 				done := make(chan error, 1)
 				go func() {
 					t.Helper()
 					done <- c.EncodeAll(w, want)
 					_ = w.Close()
 				}()
 				if got, err := c.NewDecoder(r).Decode(); err != nil {
 					t.Fatalf("Decode: error = %v", err)
 				} else if !reflect.DeepEqual(got, want) {
 					t.Fatalf("Decode: %#v, want %#v", got, want)
 				}
 				if err := <-done; err != nil {
 					t.Fatalf("EncodeAll: error = %v", err)
 				}
 			}, pkg.MustDecode(
 				"E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C",
 			),
 		}
 	}
 	checkWithCache(t, testCasesCache)
 }
--- a/internal/pkg/net.go
+++ b/internal/pkg/net.go
@@ -0,0 +1,106 @@
 package pkg
 import (
 	"fmt"
 	"io"
 	"net/http"
 	"path"
 	"unique"
 )
 // An httpArtifact is an [Artifact] backed by a [http] url string. The method is
 // hardcoded as [http.MethodGet]. Request body is not allowed because it cannot
 // be deterministically represented by Params.
 type httpArtifact struct {
 	// Caller-supplied url string.
 	url string
 	// Caller-supplied checksum of the response body. This is validated when
 	// closing the [io.ReadCloser] returned by Cure.
 	checksum unique.Handle[Checksum]
 	// client is the address of the caller-supplied [http.Client].
 	client *http.Client
 }
 var _ KnownChecksum = new(httpArtifact)
 var _ fmt.Stringer = new(httpArtifact)
 // NewHTTPGet returns a new [FileArtifact] backed by the supplied client. A GET
 // request is set up for url. If c is nil, [http.DefaultClient] is used instead.
 func NewHTTPGet(
 	c *http.Client,
 	url string,
 	checksum Checksum,
 ) FileArtifact {
 	return &httpArtifact{url: url, checksum: unique.Make(checksum), client: c}
 }
 // Kind returns the hardcoded [Kind] constant.
 func (*httpArtifact) Kind() Kind { return KindHTTPGet }
 // Params writes the backing url string. Client is not represented as it does
 // not affect [Cache.Cure] outcome.
 func (a *httpArtifact) Params(ctx *IContext) { ctx.WriteString(a.url) }
 func init() {
 	register(KindHTTPGet, func(r *IRReader) Artifact {
 		url := r.ReadString()
 		checksum, ok := r.Finalise()
 		if !ok {
 			panic(ErrExpectedChecksum)
 		}
 		return NewHTTPGet(nil, url, checksum.Value())
 	})
 }
 // Dependencies returns a nil slice.
 func (*httpArtifact) Dependencies() []Artifact { return nil }
 // IsExclusive returns false: Cure returns as soon as a response is received.
 func (*httpArtifact) IsExclusive() bool { return false }
 // Checksum returns the caller-supplied checksum.
 func (a *httpArtifact) Checksum() Checksum { return a.checksum.Value() }
 // String returns [path.Base] over the backing url.
 func (a *httpArtifact) String() string { return path.Base(a.url) }
 // ResponseStatusError is returned for a response returned by an [http.Client]
 // with a status code other than [http.StatusOK].
 type ResponseStatusError int
 func (e ResponseStatusError) Error() string {
 	return "the requested URL returned non-OK status: " + http.StatusText(int(e))
 }
 // Cure sends the http request and returns the resulting response body reader
 // wrapped to perform checksum validation. It is valid but not encouraged to
 // close the resulting [io.ReadCloser] before it is read to EOF, as that causes
 // Close to block until all remaining data is consumed and validated.
 func (a *httpArtifact) Cure(r *RContext) (rc io.ReadCloser, err error) {
 	var req *http.Request
 	req, err = http.NewRequestWithContext(r.Unwrap(), http.MethodGet, a.url, nil)
 	if err != nil {
 		return
 	}
 	req.Header.Set("User-Agent", "Hakurei/1.1")
 	c := a.client
 	if c == nil {
 		c = http.DefaultClient
 	}
 	var resp *http.Response
 	if resp, err = c.Do(req); err != nil {
 		return
 	}
 	if resp.StatusCode != http.StatusOK {
 		_ = resp.Body.Close()
 		return nil, ResponseStatusError(resp.StatusCode)
 	}
 	rc = r.NewMeasuredReader(resp.Body, a.checksum)
 	return
 }
--- a/internal/pkg/net_test.go
+++ b/internal/pkg/net_test.go
@@ -0,0 +1,161 @@
 package pkg_test
 import (
 	"crypto/sha512"
 	"io"
 	"net/http"
 	"reflect"
 	"testing"
 	"testing/fstest"
 	"unique"
 	"unsafe"
 	"hakurei.app/container/check"
 	"hakurei.app/internal/pkg"
 )
 func TestHTTPGet(t *testing.T) {
 	t.Parallel()
 	const testdata = "\x7f\xe1\x69\xa2\xdd\x63\x96\x26\x83\x79\x61\x8b\xf0\x3f\xd5\x16\x9a\x39\x3a\xdb\xcf\xb1\xbc\x8d\x33\xff\x75\xee\x62\x56\xa9\xf0\x27\xac\x13\x94\x69"
 	testdataChecksum := func() unique.Handle[pkg.Checksum] {
 		h := sha512.New384()
 		h.Write([]byte(testdata))
 		return unique.Make(pkg.Checksum(h.Sum(nil)))
 	}()
 	var transport http.Transport
 	client := http.Client{Transport: &transport}
 	transport.RegisterProtocol("file", http.NewFileTransportFS(fstest.MapFS{
 		"testdata": {Data: []byte(testdata), Mode: 0400},
 	}))
 	checkWithCache(t, []cacheTestCase{
 		{"direct", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			var r pkg.RContext
 			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
 			reflect.NewAt(
 				rCacheVal.Type(),
 				unsafe.Pointer(rCacheVal.UnsafeAddr()),
 			).Elem().Set(reflect.ValueOf(c))
 			f := pkg.NewHTTPGet(
 				&client,
 				"file:///testdata",
 				testdataChecksum.Value(),
 			)
 			var got []byte
 			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
 			} else if string(got) != testdata {
 				t.Fatalf("Cure: %x, want %x", got, testdata)
 			} else if err = rc.Close(); err != nil {
 				t.Fatalf("Close: error = %v", err)
 			}
 			// check direct validation
 			f = pkg.NewHTTPGet(
 				&client,
 				"file:///testdata",
 				pkg.Checksum{},
 			)
 			wantErrMismatch := &pkg.ChecksumMismatchError{
 				Got: testdataChecksum.Value(),
 			}
 			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
 			} else if string(got) != testdata {
 				t.Fatalf("Cure: %x, want %x", got, testdata)
 			} else if err = rc.Close(); !reflect.DeepEqual(err, wantErrMismatch) {
 				t.Fatalf("Close: error = %#v, want %#v", err, wantErrMismatch)
 			}
 			// check fallback validation
 			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if err = rc.Close(); !reflect.DeepEqual(err, wantErrMismatch) {
 				t.Fatalf("Close: error = %#v, want %#v", err, wantErrMismatch)
 			}
 			// check direct response error
 			f = pkg.NewHTTPGet(
 				&client,
 				"file:///nonexistent",
 				pkg.Checksum{},
 			)
 			wantErrNotFound := pkg.ResponseStatusError(http.StatusNotFound)
 			if _, err := f.Cure(&r); !reflect.DeepEqual(err, wantErrNotFound) {
 				t.Fatalf("Cure: error = %#v, want %#v", err, wantErrNotFound)
 			}
 		}, pkg.MustDecode("E4vEZKhCcL2gPZ2Tt59FS3lDng-d_2SKa2i5G_RbDfwGn6EemptFaGLPUDiOa94C")},
 		{"cure", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			var r pkg.RContext
 			rCacheVal := reflect.ValueOf(&r).Elem().FieldByName("cache")
 			reflect.NewAt(
 				rCacheVal.Type(),
 				unsafe.Pointer(rCacheVal.UnsafeAddr()),
 			).Elem().Set(reflect.ValueOf(c))
 			f := pkg.NewHTTPGet(
 				&client,
 				"file:///testdata",
 				testdataChecksum.Value(),
 			)
 			wantPathname := base.Append(
 				"identifier",
 				"oM-2pUlk-mOxK1t3aMWZer69UdOQlAXiAgMrpZ1476VoOqpYVP1aGFS9_HYy-D8_",
 			)
 			if pathname, checksum, err := c.Cure(f); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if !pathname.Is(wantPathname) {
 				t.Fatalf("Cure: %q, want %q", pathname, wantPathname)
 			} else if checksum != testdataChecksum {
 				t.Fatalf("Cure: %x, want %x", checksum.Value(), testdataChecksum.Value())
 			}
 			var got []byte
 			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
 			} else if string(got) != testdata {
 				t.Fatalf("Cure: %x, want %x", got, testdata)
 			} else if err = rc.Close(); err != nil {
 				t.Fatalf("Close: error = %v", err)
 			}
 			// check load from cache
 			f = pkg.NewHTTPGet(
 				&client,
 				"file:///testdata",
 				testdataChecksum.Value(),
 			)
 			if rc, err := f.Cure(&r); err != nil {
 				t.Fatalf("Cure: error = %v", err)
 			} else if got, err = io.ReadAll(rc); err != nil {
 				t.Fatalf("ReadAll: error = %v", err)
 			} else if string(got) != testdata {
 				t.Fatalf("Cure: %x, want %x", got, testdata)
 			} else if err = rc.Close(); err != nil {
 				t.Fatalf("Close: error = %v", err)
 			}
 			// check error passthrough
 			f = pkg.NewHTTPGet(
 				&client,
 				"file:///nonexistent",
 				pkg.Checksum{},
 			)
 			wantErrNotFound := pkg.ResponseStatusError(http.StatusNotFound)
 			if _, _, err := c.Cure(f); !reflect.DeepEqual(err, wantErrNotFound) {
 				t.Fatalf("Pathname: error = %#v, want %#v", err, wantErrNotFound)
 			}
 		}, pkg.MustDecode("L_0RFHpr9JUS4Zp14rz2dESSRvfLzpvqsLhR1-YjQt8hYlmEdVl7vI3_-v8UNPKs")},
 	})
 }
--- a/internal/pkg/pkg.go
+++ b/internal/pkg/pkg.go
--- a/internal/pkg/pkg_test.go
+++ b/internal/pkg/pkg_test.go
--- a/internal/pkg/tar.go
+++ b/internal/pkg/tar.go
@@ -0,0 +1,263 @@
 package pkg
 import (
 	"archive/tar"
 	"compress/bzip2"
 	"compress/gzip"
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"net/http"
 	"os"
 	"path"
 )
 const (
 	// TarUncompressed denotes an uncompressed tarball.
 	TarUncompressed = iota
 	// TarGzip denotes a tarball compressed via [gzip].
 	TarGzip
 	// TarBzip2 denotes a tarball compressed via [bzip2].
 	TarBzip2
 )
 // A tarArtifact is an [Artifact] unpacking a tarball backed by a [FileArtifact].
 type tarArtifact struct {
 	// Caller-supplied backing tarball.
 	f Artifact
 	// Compression on top of the tarball.
 	compression uint32
 }
 // tarArtifactNamed embeds tarArtifact for a [fmt.Stringer] tarball.
 type tarArtifactNamed struct {
 	tarArtifact
 	// Copied from tarArtifact.f.
 	name string
 }
 var _ fmt.Stringer = new(tarArtifactNamed)
 // String returns the name of the underlying [Artifact] suffixed with unpack.
 func (a *tarArtifactNamed) String() string { return a.name + "-unpack" }
 // NewTar returns a new [Artifact] backed by the supplied [Artifact] and
 // compression method. The source [Artifact] must be compatible with
 // [TContext.Open].
 func NewTar(a Artifact, compression uint32) Artifact {
 	ta := tarArtifact{a, compression}
 	if s, ok := a.(fmt.Stringer); ok {
 		if name := s.String(); name != "" {
 			return &tarArtifactNamed{ta, name}
 		}
 	}
 	return &ta
 }
 // NewHTTPGetTar is abbreviation for NewHTTPGet passed to NewTar.
 func NewHTTPGetTar(
 	hc *http.Client,
 	url string,
 	checksum Checksum,
 	compression uint32,
 ) Artifact {
 	return NewTar(NewHTTPGet(hc, url, checksum), compression)
 }
 // Kind returns the hardcoded [Kind] constant.
 func (a *tarArtifact) Kind() Kind { return KindTar }
 // Params writes compression encoded in little endian.
 func (a *tarArtifact) Params(ctx *IContext) { ctx.WriteUint32(a.compression) }
 func init() {
 	register(KindTar, func(r *IRReader) Artifact {
 		a := NewTar(r.Next(), r.ReadUint32())
 		if _, ok := r.Finalise(); ok {
 			panic(ErrUnexpectedChecksum)
 		}
 		return a
 	})
 }
 // Dependencies returns a slice containing the backing file.
 func (a *tarArtifact) Dependencies() []Artifact {
 	return []Artifact{a.f}
 }
 // IsExclusive returns false: decompressor and tar reader are fully sequential.
 func (a *tarArtifact) IsExclusive() bool { return false }
 // A DisallowedTypeflagError describes a disallowed typeflag encountered while
 // unpacking a tarball.
 type DisallowedTypeflagError byte
 func (e DisallowedTypeflagError) Error() string {
 	return "disallowed typeflag '" + string(e) + "'"
 }
 // Cure cures the [Artifact], producing a directory located at work.
 func (a *tarArtifact) Cure(t *TContext) (err error) {
 	var tr io.ReadCloser
 	if tr, err = t.Open(a.f); err != nil {
 		return
 	}
 	defer func(f io.ReadCloser) {
 		if err == nil {
 			err = tr.Close()
 		}
 		closeErr := f.Close()
 		if err == nil {
 			err = closeErr
 		}
 	}(tr)
 	br := t.cache.getReader(tr)
 	defer t.cache.putReader(br)
 	tr = io.NopCloser(br)
 	switch a.compression {
 	case TarUncompressed:
 		break
 	case TarGzip:
 		if tr, err = gzip.NewReader(tr); err != nil {
 			return
 		}
 		break
 	case TarBzip2:
 		tr = io.NopCloser(bzip2.NewReader(tr))
 		break
 	default:
 		return os.ErrInvalid
 	}
 	type dirTargetPerm struct {
 		path string
 		mode fs.FileMode
 	}
 	var madeDirectories []dirTargetPerm
 	if err = os.MkdirAll(t.GetTempDir().String(), 0700); err != nil {
 		return
 	}
 	var root *os.Root
 	if root, err = os.OpenRoot(t.GetTempDir().String()); err != nil {
 		return
 	}
 	defer func() {
 		closeErr := root.Close()
 		if err == nil {
 			err = closeErr
 		}
 	}()
 	var header *tar.Header
 	r := tar.NewReader(tr)
 	for header, err = r.Next(); err == nil; header, err = r.Next() {
 		typeflag := header.Typeflag
 		if typeflag == 0 {
 			if len(header.Name) > 0 && header.Name[len(header.Name)-1] == '/' {
 				typeflag = tar.TypeDir
 			} else {
 				typeflag = tar.TypeReg
 			}
 		}
 		if typeflag >= '0' && typeflag <= '9' && typeflag != tar.TypeDir {
 			if err = root.MkdirAll(path.Dir(header.Name), 0700); err != nil {
 				return
 			}
 		}
 		switch typeflag {
 		case tar.TypeReg:
 			var f *os.File
 			if f, err = root.OpenFile(
 				header.Name,
 				os.O_CREATE|os.O_EXCL|os.O_WRONLY,
 				header.FileInfo().Mode()&0500,
 			); err != nil {
 				return
 			}
 			if _, err = io.Copy(f, r); err != nil {
 				_ = f.Close()
 				return
 			} else if err = f.Close(); err != nil {
 				return
 			}
 			break
 		case tar.TypeLink:
 			if err = root.Link(
 				header.Linkname,
 				header.Name,
 			); err != nil {
 				return
 			}
 			break
 		case tar.TypeSymlink:
 			if err = root.Symlink(
 				header.Linkname,
 				header.Name,
 			); err != nil {
 				return
 			}
 			break
 		case tar.TypeDir:
 			madeDirectories = append(madeDirectories, dirTargetPerm{
 				path: header.Name,
 				mode: header.FileInfo().Mode(),
 			})
 			if err = root.MkdirAll(header.Name, 0700); err != nil {
 				return
 			}
 			break
 		case tar.TypeXGlobalHeader:
 			continue // ignore
 		default:
 			return DisallowedTypeflagError(typeflag)
 		}
 	}
 	if errors.Is(err, io.EOF) {
 		err = nil
 	}
 	if err == nil {
 		for _, e := range madeDirectories {
 			if err = root.Chmod(e.path, e.mode&0500); err != nil {
 				return
 			}
 		}
 	} else {
 		return
 	}
 	temp := t.GetTempDir()
 	if err = os.Chmod(temp.String(), 0700); err != nil {
 		return
 	}
 	var entries []os.DirEntry
 	if entries, err = os.ReadDir(temp.String()); err != nil {
 		return
 	}
 	if len(entries) == 1 && entries[0].IsDir() {
 		p := temp.Append(entries[0].Name())
 		if err = os.Chmod(p.String(), 0700); err != nil {
 			return
 		}
 		err = os.Rename(p.String(), t.GetWorkDir().String())
 	} else {
 		err = os.Rename(temp.String(), t.GetWorkDir().String())
 	}
 	return
 }
--- a/internal/pkg/tar_test.go
+++ b/internal/pkg/tar_test.go
@@ -0,0 +1,226 @@
 package pkg_test
 import (
 	"archive/tar"
 	"bytes"
 	"compress/gzip"
 	"crypto/sha512"
 	"errors"
 	"io/fs"
 	"net/http"
 	"os"
 	"testing"
 	"testing/fstest"
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/internal/pkg"
 )
 func TestTar(t *testing.T) {
 	t.Parallel()
 	checkWithCache(t, []cacheTestCase{
 		{"http", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			checkTarHTTP(t, base, c, fstest.MapFS{
 				".": {Mode: fs.ModeDir | 0700},
 				"checksum": {Mode: fs.ModeDir | 0700},
 				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0700},
 				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
 				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0700},
 				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0700},
 				"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 				"identifier": {Mode: fs.ModeDir | 0700},
 				"identifier/HnySzeLQvSBZuTUcvfmLEX_OmH4yJWWH788NxuLuv7kVn8_uPM6Ks4rqFWM2NZJY": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 				"identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa": {Mode: fs.ModeSymlink | 0777, Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},
 				"work": {Mode: fs.ModeDir | 0700},
 			}, pkg.MustDecode(
 				"cTw0h3AmYe7XudSoyEMByduYXqGi-N5ZkTZ0t9K5elsu3i_jNIVF5T08KR1roBFM",
 			))
 		}, pkg.MustDecode("NQTlc466JmSVLIyWklm_u8_g95jEEb98PxJU-kjwxLpfdjwMWJq0G8ze9R4Vo1Vu")},
 		{"http expand", nil, func(t *testing.T, base *check.Absolute, c *pkg.Cache) {
 			checkTarHTTP(t, base, c, fstest.MapFS{
 				".": {Mode: fs.ModeDir | 0700},
 				"lib":            {Mode: fs.ModeDir | 0700},
 				"lib/libedac.so": {Mode: fs.ModeSymlink | 0777, Data: []byte("/proc/nonexistent/libedac.so")},
 			}, pkg.MustDecode(
 				"CH3AiUrCCcVOjOYLaMKKK1Da78989JtfHeIsxMzWOQFiN4mrCLDYpoDxLWqJWCUN",
 			))
 		}, pkg.MustDecode("hSoSSgCYTNonX3Q8FjvjD1fBl-E-BQyA6OTXro2OadXqbST4tZ-akGXszdeqphRe")},
 	})
 }
 func checkTarHTTP(
 	t *testing.T,
 	base *check.Absolute,
 	c *pkg.Cache,
 	testdataFsys fs.FS,
 	wantChecksum pkg.Checksum,
 ) {
 	var testdata string
 	{
 		var buf bytes.Buffer
 		w := tar.NewWriter(&buf)
 		if err := w.AddFS(testdataFsys); err != nil {
 			t.Fatalf("AddFS: error = %v", err)
 		}
 		if err := w.Close(); err != nil {
 			t.Fatalf("Close: error = %v", err)
 		}
 		var zbuf bytes.Buffer
 		gw := gzip.NewWriter(&zbuf)
 		if _, err := gw.Write(buf.Bytes()); err != nil {
 			t.Fatalf("Write: error = %v", err)
 		}
 		if err := gw.Close(); err != nil {
 			t.Fatalf("Close: error = %v", err)
 		}
 		testdata = zbuf.String()
 	}
 	testdataChecksum := func() pkg.Checksum {
 		h := sha512.New384()
 		h.Write([]byte(testdata))
 		return (pkg.Checksum)(h.Sum(nil))
 	}()
 	var transport http.Transport
 	client := http.Client{Transport: &transport}
 	transport.RegisterProtocol("file", http.NewFileTransportFS(fstest.MapFS{
 		"testdata": {Data: []byte(testdata), Mode: 0400},
 	}))
 	wantIdent := func() pkg.ID {
 		h := sha512.New384()
 		// kind uint64
 		h.Write([]byte{byte(pkg.KindTar), 0, 0, 0, 0, 0, 0, 0})
 		// deps_sz uint64
 		h.Write([]byte{1, 0, 0, 0, 0, 0, 0, 0})
 		// kind uint64
 		h.Write([]byte{byte(pkg.KindHTTPGet), 0, 0, 0, 0, 0, 0, 0})
 		// ident ID
 		h0 := sha512.New384()
 		// kind uint64
 		h0.Write([]byte{byte(pkg.KindHTTPGet), 0, 0, 0, 0, 0, 0, 0})
 		// deps_sz uint64
 		h0.Write([]byte{0, 0, 0, 0, 0, 0, 0, 0})
 		// url string
 		h0.Write([]byte{byte(pkg.IRKindString), 0, 0, 0})
 		h0.Write([]byte{0x10, 0, 0, 0})
 		h0.Write([]byte("file:///testdata"))
 		// end(KnownChecksum)
 		h0.Write([]byte{byte(pkg.IRKindEnd), 0, 0, 0})
 		h0.Write([]byte{byte(pkg.IREndKnownChecksum), 0, 0, 0})
 		// checksum Checksum
 		h0.Write(testdataChecksum[:])
 		h.Write(h0.Sum(nil))
 		// compression uint32
 		h.Write([]byte{byte(pkg.IRKindUint32), 0, 0, 0})
 		h.Write([]byte{pkg.TarGzip, 0, 0, 0})
 		// end
 		h.Write([]byte{byte(pkg.IRKindEnd), 0, 0, 0})
 		h.Write([]byte{0, 0, 0, 0})
 		return pkg.ID(h.Sum(nil))
 	}()
 	a := pkg.NewHTTPGetTar(
 		&client,
 		"file:///testdata",
 		testdataChecksum,
 		pkg.TarGzip,
 	)
 	tarDir := stubArtifact{
 		kind:   pkg.KindExec,
 		params: []byte("directory containing a single regular file"),
 		cure: func(t *pkg.TContext) error {
 			work := t.GetWorkDir()
 			if err := os.MkdirAll(work.String(), 0700); err != nil {
 				return err
 			}
 			return os.WriteFile(
 				work.Append("sample.tar.gz").String(),
 				[]byte(testdata),
 				0400,
 			)
 		},
 	}
 	tarDirMulti := stubArtifact{
 		kind:   pkg.KindExec,
 		params: []byte("directory containing a multiple entries"),
 		cure: func(t *pkg.TContext) error {
 			work := t.GetWorkDir()
 			if err := os.MkdirAll(work.Append(
 				"garbage",
 			).String(), 0700); err != nil {
 				return err
 			}
 			return os.WriteFile(
 				work.Append("sample.tar.gz").String(),
 				[]byte(testdata),
 				0400,
 			)
 		},
 	}
 	tarDirType := stubArtifact{
 		kind:   pkg.KindExec,
 		params: []byte("directory containing a symbolic link"),
 		cure: func(t *pkg.TContext) error {
 			work := t.GetWorkDir()
 			if err := os.MkdirAll(work.String(), 0700); err != nil {
 				return err
 			}
 			return os.Symlink(
 				work.String(),
 				work.Append("sample.tar.gz").String(),
 			)
 		},
 	}
 	// destroy these to avoid including it in flatten test case
 	defer newDestroyArtifactFunc(&tarDir)(t, base, c)
 	defer newDestroyArtifactFunc(&tarDirMulti)(t, base, c)
 	defer newDestroyArtifactFunc(&tarDirType)(t, base, c)
 	cureMany(t, c, []cureStep{
 		{"file", a, base.Append(
 			"identifier",
 			pkg.Encode(wantIdent),
 		), wantChecksum, nil},
 		{"directory", pkg.NewTar(
 			&tarDir,
 			pkg.TarGzip,
 		), ignorePathname, wantChecksum, nil},
 		{"multiple entries", pkg.NewTar(
 			&tarDirMulti,
 			pkg.TarGzip,
 		), nil, pkg.Checksum{}, errors.New(
 			"input directory does not contain a single regular file",
 		)},
 		{"bad type", pkg.NewTar(
 			&tarDirType,
 			pkg.TarGzip,
 		), nil, pkg.Checksum{}, errors.New(
 			"input directory does not contain a single regular file",
 		)},
 		{"error passthrough", pkg.NewTar(&stubArtifact{
 			kind:   pkg.KindExec,
 			params: []byte("doomed artifact"),
 			cure: func(t *pkg.TContext) error {
 				return stub.UniqueError(0xcafe)
 			},
 		}, pkg.TarGzip), nil, pkg.Checksum{}, stub.UniqueError(0xcafe)},
 	})
 }
--- a/internal/pkg/testdata/main.go
+++ b/internal/pkg/testdata/main.go
@@ -0,0 +1,268 @@
 //go:build testtool
 package main
 import (
 	"encoding/gob"
 	"log"
 	"net"
 	"os"
 	"path"
 	"reflect"
 	"slices"
 	"strings"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/vfs"
 )
 func main() {
 	log.SetFlags(0)
 	log.SetPrefix("testtool: ")
 	var hostNet, layers, promote bool
 	if len(os.Args) == 2 && os.Args[0] == "testtool" {
 		switch os.Args[1] {
 		case "net":
 			hostNet = true
 			log.SetPrefix("testtool(net): ")
 			break
 		case "layers":
 			layers = true
 			log.SetPrefix("testtool(layers): ")
 			break
 		case "promote":
 			promote = true
 			log.SetPrefix("testtool(promote): ")
 		default:
 			log.Fatalf("Args: %q", os.Args)
 			return
 		}
 	} else if wantArgs := []string{"testtool"}; !slices.Equal(os.Args, wantArgs) {
 		log.Fatalf("Args: %q, want %q", os.Args, wantArgs)
 	}
 	var overlayRoot bool
 	wantEnv := []string{"HAKUREI_TEST=1"}
 	if len(os.Environ()) == 2 {
 		overlayRoot = true
 		if !layers && !promote {
 			log.SetPrefix("testtool(overlay root): ")
 		}
 		wantEnv = []string{"HAKUREI_TEST=1", "HAKUREI_ROOT=1"}
 	}
 	if !slices.Equal(wantEnv, os.Environ()) {
 		log.Fatalf("Environ: %q, want %q", os.Environ(), wantEnv)
 	}
 	var overlayWork bool
 	const (
 		wantExec     = "/opt/bin/testtool"
 		wantExecWork = "/work/bin/testtool"
 	)
 	var iftPath string
 	if got, err := os.Executable(); err != nil {
 		log.Fatalf("Executable: error = %v", err)
 	} else {
 		iftPath = path.Join(path.Dir(path.Dir(got)), "ift")
 		if got != wantExec {
 			switch got {
 			case wantExecWork:
 				overlayWork = true
 				log.SetPrefix("testtool(overlay work): ")
 			default:
 				log.Fatalf("Executable: %q, want %q", got, wantExec)
 			}
 		}
 	}
 	wantHostname := "cure"
 	if hostNet {
 		wantHostname += "-net"
 	}
 	if hostname, err := os.Hostname(); err != nil {
 		log.Fatalf("Hostname: error = %v", err)
 	} else if hostname != wantHostname {
 		log.Fatalf("Hostname: %q, want %q", hostname, wantHostname)
 	}
 	var m *vfs.MountInfo
 	if f, err := os.Open(fhs.Proc + "self/mountinfo"); err != nil {
 		log.Fatalf("Open: error = %v", err)
 	} else {
 		err = vfs.NewMountInfoDecoder(f).Decode(&m)
 		closeErr := f.Close()
 		if err != nil {
 			log.Fatalf("Decode: error = %v", err)
 		}
 		if closeErr != nil {
 			log.Fatalf("Close: error = %v", err)
 		}
 	}
 	if ift, err := net.Interfaces(); err != nil {
 		log.Fatal(err)
 	} else if !hostNet {
 		if len(ift) != 1 || ift[0].Name != "lo" {
 			log.Fatalln("got interfaces", strings.Join(slices.Collect(func(yield func(ifn string) bool) {
 				for _, ifi := range ift {
 					if !yield(ifi.Name) {
 						break
 					}
 				}
 			}), ", "))
 		}
 	} else {
 		var iftParent []net.Interface
 		var r *os.File
 		if r, err = os.Open(iftPath); err != nil {
 			log.Fatal(err)
 		} else {
 			err = gob.NewDecoder(r).Decode(&iftParent)
 			closeErr := r.Close()
 			if err != nil {
 				log.Fatal(err)
 			}
 			if closeErr != nil {
 				log.Fatal(closeErr)
 			}
 		}
 		if !reflect.DeepEqual(ift, iftParent) {
 			log.Fatalf("Interfaces: %#v, want %#v", ift, iftParent)
 		}
 	}
 	const checksumEmptyDir = "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU"
 	ident := "dztPS6jRjiZtCF4_p8AzfnxGp6obkhrgFVsxdodbKWUoAEVtDz3MykepJB4kI_ks"
 	log.Println(m)
 	next := func() { m = m.Next; log.Println(m) }
 	if overlayRoot {
 		ident = "RdMA-mubnrHuu3Ky1wWyxauSYCO0ZH_zCPUj3uDHqkfwv5sGcByoF_g5PjlGiClb"
 		if m.Root != "/" || m.Target != "/" ||
 			m.Source != "overlay" || m.FsType != "overlay" {
 			log.Fatal("unexpected root mount entry")
 		}
 		var lowerdir string
 		for _, o := range strings.Split(m.FsOptstr, ",") {
 			const lowerdirKey = "lowerdir="
 			if strings.HasPrefix(o, lowerdirKey) {
 				lowerdir = o[len(lowerdirKey):]
 			}
 		}
 		if !layers {
 			if path.Base(lowerdir) != checksumEmptyDir {
 				log.Fatal("unexpected artifact checksum")
 			}
 		} else {
 			ident = "p1t_drXr34i-jZNuxDMLaMOdL6tZvQqhavNafGynGqxOZoXAUTSn7kqNh3Ovv3DT"
 			lowerdirsEscaped := strings.Split(lowerdir, ":")
 			lowerdirs := lowerdirsEscaped[:0]
 			// ignore the option separator since it does not appear in ident
 			for i, e := range lowerdirsEscaped {
 				if len(e) > 0 &&
 					e[len(e)-1] == check.SpecialOverlayEscape[0] &&
 					(len(e) == 1 || e[len(e)-2] != check.SpecialOverlayEscape[0]) {
 					// ignore escaped pathname separator since it does not
 					// appear in ident
 					e = e[:len(e)-1]
 					if len(lowerdirsEscaped) != i {
 						lowerdirsEscaped[i+1] = e + lowerdirsEscaped[i+1]
 						continue
 					}
 				}
 				lowerdirs = append(lowerdirs, e)
 			}
 			if len(lowerdirs) != 2 ||
 				path.Base(lowerdirs[0]) != "MGWmEfjut2QE2xPJwTsmUzpff4BN_FEnQ7T0j7gvUCCiugJQNwqt9m151fm9D1yU" ||
 				path.Base(lowerdirs[1]) != "nY_CUdiaUM1OL4cPr5TS92FCJ3rCRV7Hm5oVTzAvMXwC03_QnTRfQ5PPs7mOU9fK" {
 				log.Fatalf("unexpected lowerdirs %s", strings.Join(lowerdirs, ", "))
 			}
 		}
 	} else {
 		if hostNet {
 			ident = "G8qPxD9puvvoOVV7lrT80eyDeIl3G_CCFoKw12c8mCjMdG1zF7NEPkwYpNubClK3"
 		}
 		if m.Root != "/sysroot" || m.Target != "/" {
 			log.Fatal("unexpected root mount entry")
 		}
 		next()
 		if path.Base(m.Root) != "OLBgp1GsljhM2TJ-sbHjaiH9txEUvgdDTAzHv2P24donTt6_529l-9Ua0vFImLlb" {
 			log.Fatal("unexpected file artifact checksum")
 		}
 		next()
 		if path.Base(m.Root) != checksumEmptyDir {
 			log.Fatal("unexpected artifact checksum")
 		}
 	}
 	if promote {
 		ident = "xXTIYcXmgJWNLC91c417RRrNM9cjELwEZHpGvf8Fk_GNP5agRJp_SicD0w9aMeLJ"
 	}
 	next() // testtool artifact
 	next()
 	if overlayWork {
 		ident = "5hlaukCirnXE4W_RSLJFOZN47Z5RiHnacXzdFp_70cLgiJUGR6cSb_HaFftkzi0-"
 		if m.Root != "/" || m.Target != "/work" ||
 			m.Source != "overlay" || m.FsType != "overlay" {
 			log.Fatal("unexpected work mount entry")
 		}
 	} else {
 		if path.Base(m.Root) != ident || m.Target != "/work" {
 			log.Fatal("unexpected work mount entry")
 		}
 	}
 	next()
 	if path.Base(m.Root) != ident || m.Target != "/tmp" {
 		log.Fatal("unexpected temp mount entry")
 	}
 	next()
 	if m.Root != "/" || m.Target != "/proc" || m.Source != "proc" || m.FsType != "proc" {
 		log.Fatal("unexpected proc mount entry")
 	}
 	next()
 	if m.Root != "/" || m.Target != "/dev" || m.Source != "devtmpfs" || m.FsType != "tmpfs" {
 		log.Fatal("unexpected dev mount entry")
 	}
 	for i := 0; i < 9; i++ { // private /dev entries
 		next()
 	}
 	if m.Next != nil {
 		log.Println("unexpected extra mount entries")
 		for m.Next != nil {
 			next()
 		}
 		os.Exit(1)
 	}
 	checkData := []byte{0}
 	if hostNet {
 		checkData = []byte("net")
 	}
 	if err := os.WriteFile("check", checkData, 0400); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/internal/rosa/acl.go
+++ b/internal/rosa/acl.go
@@ -0,0 +1,106 @@
 package rosa
 import "hakurei.app/internal/pkg"
 func (t Toolchain) newAttr() (pkg.Artifact, string) {
 	const (
 		version  = "2.5.2"
 		checksum = "YWEphrz6vg1sUMmHHVr1CRo53pFXRhq_pjN-AlG8UgwZK1y6m7zuDhxqJhD0SV0l"
 	)
 	return t.NewPackage("attr", version, pkg.NewHTTPGetTar(
 		nil, "https://download.savannah.nongnu.org/releases/attr/"+
 			"attr-"+version+".tar.gz",
 		mustDecode(checksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		Patches: [][2]string{
 			{"libgen-basename", `From 8a80d895dfd779373363c3a4b62ecce5a549efb2 Mon Sep 17 00:00:00 2001
 From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
 Date: Sat, 30 Mar 2024 10:17:10 +0100
 Subject: tools/attr.c: Add missing libgen.h include for basename(3)
 Fixes compilation issue with musl and modern C99 compilers.
 See: https://bugs.gentoo.org/926294
 ---
 tools/attr.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/tools/attr.c b/tools/attr.c
 index f12e4af..6a3c1e9 100644
 --- a/tools/attr.c
 +++ b/tools/attr.c
@@ -28,6 +28,7 @@
 #include <errno.h>
 #include <string.h>
 #include <locale.h>
 +#include <libgen.h>
 #include <attr/attributes.h>
 -- 
 cgit v1.1`},
 			{"musl-errno", `diff --git a/test/attr.test b/test/attr.test
 index 6ce2f9b..e9bde92 100644
 --- a/test/attr.test
 +++ b/test/attr.test
@@ -11,7 +11,7 @@ Try various valid and invalid names
 	$ touch f
 	$ setfattr -n user -v value f
 -	> setfattr: f: Operation not supported
 +	> setfattr: f: Not supported
 	$ setfattr -n user. -v value f
 	> setfattr: f: Invalid argument
 `},
 		},
 		ScriptEarly: `
 ln -s ../../system/bin/perl /usr/bin
 `,
 	}, (*MakeHelper)(nil),
 		Perl,
 	), version
 }
 func init() {
 	artifactsM[Attr] = Metadata{
 		f: Toolchain.newAttr,
 		Name:        "attr",
 		Description: "Commands for Manipulating Filesystem Extended Attributes",
 		Website:     "https://savannah.nongnu.org/projects/attr/",
 		ID: 137,
 	}
 }
 func (t Toolchain) newACL() (pkg.Artifact, string) {
 	const (
 		version  = "2.3.2"
 		checksum = "-fY5nwH4K8ZHBCRXrzLdguPkqjKI6WIiGu4dBtrZ1o0t6AIU73w8wwJz_UyjIS0P"
 	)
 	return t.NewPackage("acl", version, pkg.NewHTTPGetTar(
 		nil, "https://download.savannah.nongnu.org/releases/acl/"+
 			"acl-"+version+".tar.gz",
 		mustDecode(checksum),
 		pkg.TarGzip,
 	), nil, &MakeHelper{
 		// makes assumptions about uid_map/gid_map
 		SkipCheck: true,
 	},
 		Attr,
 	), version
 }
 func init() {
 	artifactsM[ACL] = Metadata{
 		f: Toolchain.newACL,
 		Name:        "acl",
 		Description: "Commands for Manipulating POSIX Access Control Lists",
 		Website:     "https://savannah.nongnu.org/projects/acl/",
 		ID: 16,
 	}
 }
--- a/internal/rosa/all.go
+++ b/internal/rosa/all.go
@@ -0,0 +1,276 @@
 package rosa
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"strconv"
 	"sync"
 	"hakurei.app/internal/pkg"
 )
 // PArtifact is a lazily-initialised [pkg.Artifact] preset.
 type PArtifact int
 const (
 	LLVMCompilerRT PArtifact = iota
 	LLVMRuntimes
 	LLVMClang
 	// ImageInitramfs is the Rosa OS initramfs archive.
 	ImageInitramfs
 	// Kernel is the generic Rosa OS Linux kernel.
 	Kernel
 	// KernelHeaders is an installation of kernel headers for [Kernel].
 	KernelHeaders
 	// KernelSource is a writable kernel source tree installed to [AbsUsrSrc].
 	KernelSource
 	ACL
 	ArgpStandalone
 	Attr
 	Autoconf
 	Automake
 	BC
 	Bash
 	Binutils
 	Bison
 	Bzip2
 	CMake
 	Coreutils
 	Curl
 	DTC
 	Diffutils
 	Elfutils
 	Fakeroot
 	Findutils
 	Flex
 	Fuse
 	GMP
 	GLib
 	Gawk
 	GenInitCPIO
 	Gettext
 	Git
 	Go
 	Gperf
 	Grep
 	Gzip
 	Hakurei
 	HakureiDist
 	Kmod
 	LibXau
 	Libcap
 	Libexpat
 	Libiconv
 	Libpsl
 	Libffi
 	Libgd
 	Libtool
 	Libseccomp
 	Libucontext
 	Libxml2
 	Libxslt
 	M4
 	MPC
 	MPFR
 	Make
 	Meson
 	Mksh
 	MuslFts
 	MuslObstack
 	NSS
 	NSSCACert
 	Ncurses
 	Ninja
 	OpenSSL
 	PCRE2
 	Patch
 	Perl
 	PerlLocaleGettext
 	PerlMIMECharset
 	PerlModuleBuild
 	PerlPodParser
 	PerlSGMLS
 	PerlTermReadKey
 	PerlTextCharWidth
 	PerlTextWrapI18N
 	PerlUnicodeGCString
 	PerlYAMLTiny
 	PkgConfig
 	Procps
 	Python
 	PythonIniConfig
 	PythonPackaging
 	PythonPluggy
 	PythonPyTest
 	PythonPygments
 	QEMU
 	Rsync
 	Sed
 	Setuptools
 	SquashfsTools
 	TamaGo
 	Tar
 	Texinfo
 	Toybox
 	toyboxEarly
 	Unzip
 	UtilLinux
 	Wayland
 	WaylandProtocols
 	XCB
 	XCBProto
 	Xproto
 	XZ
 	Zlib
 	Zstd
 	// PresetUnexportedStart is the first unexported preset.
 	PresetUnexportedStart
 	buildcatrust = iota - 1
 	utilMacros
 	// Musl is a standalone libc that does not depend on the toolchain.
 	Musl
 	// gcc is a hacked-to-pieces GCC toolchain meant for use in intermediate
 	// stages only. This preset and its direct output must never be exposed.
 	gcc
 	// Stage0 is a tarball containing all compile-time dependencies of artifacts
 	// part of the [Std] toolchain.
 	Stage0
 	// PresetEnd is the total number of presets and does not denote a preset.
 	PresetEnd
 )
 // Metadata is stage-agnostic information of a [PArtifact] not directly
 // representable in the resulting [pkg.Artifact].
 type Metadata struct {
 	f func(t Toolchain) (a pkg.Artifact, version string)
 	// Unique package name.
 	Name string `json:"name"`
 	// Short user-facing description.
 	Description string `json:"description"`
 	// Project home page.
 	Website string `json:"website,omitempty"`
 	// Project identifier on [Anitya].
 	//
 	// [Anitya]: https://release-monitoring.org/
 	ID int `json:"-"`
 	// Optional custom version checking behaviour.
 	latest func(v *Versions) string
 }
 // GetLatest returns the latest version described by v.
 func (meta *Metadata) GetLatest(v *Versions) string {
 	if meta.latest != nil {
 		return meta.latest(v)
 	}
 	return v.Latest
 }
 // Unversioned denotes an unversioned [PArtifact].
 const Unversioned = "\x00"
 // UnpopulatedIDError is returned by [Metadata.GetLatest] for an instance of
 // [Metadata] where ID is not populated.
 type UnpopulatedIDError struct{}
 func (UnpopulatedIDError) Unwrap() error { return errors.ErrUnsupported }
 func (UnpopulatedIDError) Error() string { return "Anitya ID is not populated" }
 // Versions are package versions returned by Anitya.
 type Versions struct {
 	// The latest version for the project, as determined by the version sorting algorithm.
 	Latest string `json:"latest_version"`
 	// List of all versions that aren’t flagged as pre-release.
 	Stable []string `json:"stable_versions"`
 	// List of all versions stored, sorted from newest to oldest.
 	All []string `json:"versions"`
 }
 // getStable returns the first Stable version, or Latest if that is unavailable.
 func (v *Versions) getStable() string {
 	if len(v.Stable) == 0 {
 		return v.Latest
 	}
 	return v.Stable[0]
 }
 // GetVersions returns versions fetched from Anitya.
 func (meta *Metadata) GetVersions(ctx context.Context) (*Versions, error) {
 	if meta.ID == 0 {
 		return nil, UnpopulatedIDError{}
 	}
 	var resp *http.Response
 	if req, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodGet,
 		"https://release-monitoring.org/api/v2/versions/?project_id="+
 			strconv.Itoa(meta.ID),
 		nil,
 	); err != nil {
 		return nil, err
 	} else {
 		req.Header.Set("User-Agent", "Rosa/1.1")
 		if resp, err = http.DefaultClient.Do(req); err != nil {
 			return nil, err
 		}
 	}
 	var v Versions
 	err := json.NewDecoder(resp.Body).Decode(&v)
 	return &v, errors.Join(err, resp.Body.Close())
 }
 var (
 	// artifactsM is an array of [PArtifact] metadata.
 	artifactsM [PresetEnd]Metadata
 	// artifacts stores the result of Metadata.f.
 	artifacts [_toolchainEnd][len(artifactsM)]pkg.Artifact
 	// versions stores the version of [PArtifact].
 	versions [_toolchainEnd][len(artifactsM)]string
 	// artifactsOnce is for lazy initialisation of artifacts.
 	artifactsOnce [_toolchainEnd][len(artifactsM)]sync.Once
 )
 // GetMetadata returns [Metadata] of a [PArtifact].
 func GetMetadata(p PArtifact) *Metadata { return &artifactsM[p] }
 // Load returns the resulting [pkg.Artifact] of [PArtifact].
 func (t Toolchain) Load(p PArtifact) pkg.Artifact {
 	artifactsOnce[t][p].Do(func() {
 		artifacts[t][p], versions[t][p] = artifactsM[p].f(t)
 	})
 	return artifacts[t][p]
 }
 // Version returns the version string of [PArtifact].
 func (t Toolchain) Version(p PArtifact) string {
 	artifactsOnce[t][p].Do(func() {
 		artifacts[t][p], versions[t][p] = artifactsM[p].f(t)
 	})
 	return versions[t][p]
 }
 // ResolveName returns a [PArtifact] by name.
 func ResolveName(name string) (p PArtifact, ok bool) {
 	for i := range PresetUnexportedStart {
 		if name == artifactsM[i].Name {
 			return i, true
 		}
 	}
 	return 0, false
 }
--- a/internal/rosa/all_test.go
+++ b/internal/rosa/all_test.go
@@ -0,0 +1,66 @@
 package rosa_test
 import (
 	"testing"
 	"hakurei.app/internal/rosa"
 )
 func TestLoad(t *testing.T) {
 	t.Parallel()
 	for i := range rosa.PresetEnd {
 		p := rosa.PArtifact(i)
 		t.Run(rosa.GetMetadata(p).Name, func(t *testing.T) {
 			t.Parallel()
 			rosa.Std.Load(p)
 		})
 	}
 }
 func TestResolveName(t *testing.T) {
 	t.Parallel()
 	for i := range rosa.PresetUnexportedStart {
 		p := i
 		name := rosa.GetMetadata(p).Name
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 			if got, ok := rosa.ResolveName(name); !ok {
 				t.Fatal("ResolveName: ok = false")
 			} else if got != p {
 				t.Fatalf("ResolveName: %d, want %d", got, p)
 			}
 		})
 	}
 }
 func TestResolveNameUnexported(t *testing.T) {
 	t.Parallel()
 	for i := rosa.PresetUnexportedStart; i < rosa.PresetEnd; i++ {
 		p := i
 		name := rosa.GetMetadata(p).Name
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 			if got, ok := rosa.ResolveName(name); ok {
 				t.Fatalf("ResolveName: resolved unexported preset %d", got)
 			}
 		})
 	}
 }
 func TestUnique(t *testing.T) {
 	t.Parallel()
 	names := make(map[string]struct{})
 	for i := range rosa.PresetEnd {
 		name := rosa.GetMetadata(rosa.PArtifact(i)).Name
 		if _, ok := names[name]; ok {
 			t.Fatalf("name %s is not unique", name)
 		}
 		names[name] = struct{}{}
 	}
 }
--- a/internal/rosa/argp-standalone.go
+++ b/internal/rosa/argp-standalone.go
@@ -0,0 +1,36 @@
 package rosa
 import "hakurei.app/internal/pkg"
 func (t Toolchain) newArgpStandalone() (pkg.Artifact, string) {
 	const (
 		version  = "1.3"
 		checksum = "vtW0VyO2pJ-hPyYmDI2zwSLS8QL0sPAUKC1t3zNYbwN2TmsaE-fADhaVtNd3eNFl"
 	)
 	return t.NewPackage("argp-standalone", version, pkg.NewHTTPGetTar(
 		nil, "http://www.lysator.liu.se/~nisse/misc/"+
 			"argp-standalone-"+version+".tar.gz",
 		mustDecode(checksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		Env: []string{
 			"CC=cc -std=gnu89 -fPIC",
 		},
 	}, &MakeHelper{
 		Install: `
 install -D -m644 /usr/src/argp-standalone/argp.h /work/system/include/argp.h
 install -D -m755 libargp.a /work/system/lib/libargp.a
 `,
 	},
 		Diffutils,
 	), version
 }
 func init() {
 	artifactsM[ArgpStandalone] = Metadata{
 		f: Toolchain.newArgpStandalone,
 		Name:        "argp-standalone",
 		Description: "hierarchical argument parsing library broken out from glibc",
 		Website:     "http://www.lysator.liu.se/~nisse/misc/",
 	}
 }
--- a/internal/rosa/busybox.go
+++ b/internal/rosa/busybox.go
@@ -0,0 +1,125 @@
 package rosa
 import (
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"runtime"
 	"time"
 	"hakurei.app/container/fhs"
 	"hakurei.app/internal/pkg"
 )
 // busyboxBin is a busybox binary distribution installed under bin/busybox.
 type busyboxBin struct {
 	// Underlying busybox binary.
 	bin pkg.FileArtifact
 }
 // Kind returns the hardcoded [pkg.Kind] value.
 func (a busyboxBin) Kind() pkg.Kind { return kindBusyboxBin }
 // Params is a noop.
 func (a busyboxBin) Params(*pkg.IContext) {}
 // IsExclusive returns false: Cure performs a trivial filesystem write.
 func (busyboxBin) IsExclusive() bool { return false }
 // Dependencies returns the underlying busybox [pkg.File].
 func (a busyboxBin) Dependencies() []pkg.Artifact {
 	return []pkg.Artifact{a.bin}
 }
 func init() {
 	pkg.Register(kindBusyboxBin, func(r *pkg.IRReader) pkg.Artifact {
 		a := busyboxBin{r.Next().(pkg.FileArtifact)}
 		if _, ok := r.Finalise(); ok {
 			panic(pkg.ErrUnexpectedChecksum)
 		}
 		return a
 	})
 }
 // String returns the reporting name of the underlying file prefixed with expand.
 func (a busyboxBin) String() string {
 	return "expand-" + a.bin.(fmt.Stringer).String()
 }
 // Cure installs the underlying busybox [pkg.File] to bin/busybox.
 func (a busyboxBin) Cure(t *pkg.TContext) (err error) {
 	var r io.ReadCloser
 	if r, err = t.Open(a.bin); err != nil {
 		return
 	}
 	defer func() {
 		closeErr := r.Close()
 		if err == nil {
 			err = closeErr
 		}
 	}()
 	binDir := t.GetWorkDir().Append("bin")
 	if err = os.MkdirAll(binDir.String(), 0700); err != nil {
 		return
 	}
 	var w *os.File
 	if w, err = os.OpenFile(
 		binDir.Append("busybox").String(),
 		os.O_WRONLY|os.O_CREATE|os.O_EXCL,
 		0500,
 	); err != nil {
 		return
 	}
 	defer func() {
 		closeErr := w.Close()
 		if err == nil {
 			err = closeErr
 		}
 	}()
 	_, err = io.Copy(w, r)
 	return
 }
 // newBusyboxBin returns a [pkg.Artifact] containing a busybox installation from
 // the https://busybox.net/downloads/binaries/ binary release.
 func newBusyboxBin() pkg.Artifact {
 	var version, url, checksum string
 	switch runtime.GOARCH {
 	case "amd64":
 		version = "1.35.0"
 		url = "https://busybox.net/downloads/binaries/" +
 			version + "-" + linuxArch() + "-linux-musl/busybox"
 		checksum = "L7OBIsPu9enNHn7FqpBT1kOg_mCLNmetSeNMA3i4Y60Z5jTgnlX3qX3zcQtLx5AB"
 	case "arm64":
 		version = "1.31.0"
 		url = "https://busybox.net/downloads/binaries/" +
 			version + "-defconfig-multiarch-musl/busybox-armv8l"
 		checksum = "npJjBO7iwhjW6Kx2aXeSxf8kXhVgTCDChOZTTsI8ZfFfa3tbsklxRiidZQdrVERg"
 	default:
 		panic("unsupported target " + runtime.GOARCH)
 	}
 	return pkg.NewExec(
 		"busybox-bin-"+version, nil, pkg.ExecTimeoutMax, false,
 		fhs.AbsRoot, []string{
 			"PATH=/system/bin",
 		},
 		AbsSystem.Append("bin", "busybox"),
 		[]string{"hush", "-c", "" +
 			"busybox mkdir -p /work/system/bin/ && " +
 			"busybox cp /system/bin/busybox /work/system/bin/ && " +
 			"busybox --install -s /work/system/bin/"},
 		pkg.Path(AbsSystem, true, busyboxBin{pkg.NewHTTPGet(
 			&http.Client{Transport: &http.Transport{
 				// busybox website is really slow to respond
 				TLSHandshakeTimeout: 2 * time.Minute,
 			}}, url,
 			mustDecode(checksum),
 		)}),
 	)
 }
--- a/internal/rosa/bzip2.go
+++ b/internal/rosa/bzip2.go
@@ -0,0 +1,38 @@
 package rosa
 import "hakurei.app/internal/pkg"
 func (t Toolchain) newBzip2() (pkg.Artifact, string) {
 	const (
 		version  = "1.0.8"
 		checksum = "cTLykcco7boom-s05H1JVsQi1AtChYL84nXkg_92Dm1Xt94Ob_qlMg_-NSguIK-c"
 	)
 	return t.NewPackage("bzip2", version, pkg.NewHTTPGetTar(
 		nil, "https://sourceware.org/pub/bzip2/bzip2-"+version+".tar.gz",
 		mustDecode(checksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		Writable:    true,
 		EnterSource: true,
 	}, &MakeHelper{
 		// uses source tree as scratch space
 		SkipConfigure: true,
 		SkipCheck:     true,
 		InPlace:       true,
 		Make: []string{
 			"CC=cc",
 		},
 		Install: "make PREFIX=/work/system install",
 	}), version
 }
 func init() {
 	artifactsM[Bzip2] = Metadata{
 		f: Toolchain.newBzip2,
 		Name:        "bzip2",
 		Description: "a freely available, patent free, high-quality data compressor",
 		Website:     "https://sourceware.org/bzip2/",
 		ID: 237,
 	}
 }
--- a/internal/rosa/cmake.go
+++ b/internal/rosa/cmake.go
@@ -0,0 +1,193 @@
 package rosa
 import (
 	"path"
 	"slices"
 	"strings"
 	"hakurei.app/internal/pkg"
 )
 func (t Toolchain) newCMake() (pkg.Artifact, string) {
 	const (
 		version  = "4.2.3"
 		checksum = "Y4uYGnLrDQX78UdzH7fMzfok46Nt_1taDIHSmqgboU1yFi6f0iAXBDegMCu4eS-J"
 	)
 	return t.NewPackage("cmake", version, pkg.NewHTTPGetTar(
 		nil, "https://github.com/Kitware/CMake/releases/download/"+
 			"v"+version+"/cmake-"+version+".tar.gz",
 		mustDecode(checksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		// test suite expects writable source tree
 		Writable: true,
 		// expected to be writable in the copy made during bootstrap
 		Chmod: true,
 		Patches: [][2]string{
 			{"bootstrap-test-no-openssl", `diff --git a/Tests/BootstrapTest.cmake b/Tests/BootstrapTest.cmake
 index 137de78bc1..b4da52e664 100644
 --- a/Tests/BootstrapTest.cmake
 +++ b/Tests/BootstrapTest.cmake
@@ -9,7 +9,7 @@ if(NOT nproc EQUAL 0)
 endif()
 message(STATUS "running bootstrap: ${bootstrap} ${ninja_arg} ${parallel_arg}")
 execute_process(
 -  COMMAND ${bootstrap} ${ninja_arg} ${parallel_arg}
 +  COMMAND ${bootstrap} ${ninja_arg} ${parallel_arg} -- -DCMAKE_USE_OPENSSL=OFF
   WORKING_DIRECTORY "${bin_dir}"
   RESULT_VARIABLE result
   )
 `},
 			{"disable-broken-tests-musl", `diff --git a/Tests/CMakeLists.txt b/Tests/CMakeLists.txt
 index 2ead810437..f85cbb8b1c 100644
 --- a/Tests/CMakeLists.txt
 +++ b/Tests/CMakeLists.txt
@@ -384,7 +384,6 @@ if(BUILD_TESTING)
     add_subdirectory(CMakeLib)
   endif()
   add_subdirectory(CMakeOnly)
 -  add_subdirectory(RunCMake)
   add_subdirectory(FindPackageModeMakefileTest)
@@ -528,9 +527,6 @@ if(BUILD_TESTING)
                                  -DCMake_TEST_CUDA:BOOL=${CMake_TEST_CUDA}
                                  -DCMake_INSTALL_NAME_TOOL_BUG:BOOL=${CMake_INSTALL_NAME_TOOL_BUG}
                                  )
 -  ADD_TEST_MACRO(ExportImport ExportImport)
 -  set_property(TEST ExportImport APPEND
 -    PROPERTY LABELS "CUDA")
   ADD_TEST_MACRO(Unset Unset)
   ADD_TEST_MACRO(PolicyScope PolicyScope)
   ADD_TEST_MACRO(EmptyLibrary EmptyLibrary)
@@ -624,7 +620,6 @@ if(BUILD_TESTING)
   # run test for BundleUtilities on supported platforms/compilers
   if((MSVC OR
       MINGW OR
 -      CMAKE_SYSTEM_NAME MATCHES "Linux" OR
       CMAKE_SYSTEM_NAME MATCHES "Darwin")
     AND NOT CMAKE_GENERATOR STREQUAL "Watcom WMake")
@@ -3095,10 +3090,6 @@ if(BUILD_TESTING)
     "${CMake_SOURCE_DIR}/Tests/CTestTestFdSetSize/test.cmake.in"
     "${CMake_BINARY_DIR}/Tests/CTestTestFdSetSize/test.cmake"
     @ONLY ESCAPE_QUOTES)
 -  add_test(CTestTestFdSetSize ${CMAKE_CTEST_COMMAND}
 -    -S "${CMake_BINARY_DIR}/Tests/CTestTestFdSetSize/test.cmake" -j20 -V --timeout 120
 -    --output-log "${CMake_BINARY_DIR}/Tests/CTestTestFdSetSize/testOutput.log"
 -    )
   if(CMAKE_TESTS_CDASH_SERVER)
     set(regex "^([^:]+)://([^/]+)(.*)$")
 `},
 		},
 	}, &MakeHelper{
 		OmitDefaults: true,
 		ConfigureName: "/usr/src/cmake/bootstrap",
 		Configure: [][2]string{
 			{"prefix", "/system"},
 			{"parallel", `"$(nproc)"`},
 			{"--"},
 			{"-DCMAKE_USE_OPENSSL", "OFF"},
 			{"-DCMake_TEST_NO_NETWORK", "ON"},
 		},
 		Check: []string{
 			"CTEST_OUTPUT_ON_FAILURE=1",
 			"CTEST_PARALLEL_LEVEL=128",
 			"test",
 		},
 	},
 		KernelHeaders,
 	), version
 }
 func init() {
 	artifactsM[CMake] = Metadata{
 		f: Toolchain.newCMake,
 		Name:        "cmake",
 		Description: "cross-platform, open-source build system",
 		Website:     "https://cmake.org/",
 		ID: 306,
 	}
 }
 // CMakeHelper is the [CMake] build system helper.
 type CMakeHelper struct {
 	// Joined with name with a dash if non-empty.
 	Variant string
 	// Path elements joined with source.
 	Append []string
 	// CMake CACHE entries.
 	Cache [][2]string
 	// Runs after install.
 	Script string
 }
 var _ Helper = new(CMakeHelper)
 // name returns its arguments and an optional variant string joined with '-'.
 func (attr *CMakeHelper) name(name, version string) string {
 	if attr != nil && attr.Variant != "" {
 		name += "-" + attr.Variant
 	}
 	return name + "-" + version
 }
 // extra returns a hardcoded slice of [CMake] and [Ninja].
 func (*CMakeHelper) extra(int) []PArtifact {
 	return []PArtifact{CMake, Ninja}
 }
 // wantsChmod returns false.
 func (*CMakeHelper) wantsChmod() bool { return false }
 // wantsWrite returns false.
 func (*CMakeHelper) wantsWrite() bool { return false }
 // scriptEarly returns the zero value.
 func (*CMakeHelper) scriptEarly() string { return "" }
 // createDir returns true.
 func (*CMakeHelper) createDir() bool { return true }
 // wantsDir returns a hardcoded, deterministic pathname.
 func (*CMakeHelper) wantsDir() string { return "/cure/" }
 // script generates the cure script.
 func (attr *CMakeHelper) script(name string) string {
 	if attr == nil {
 		attr = &CMakeHelper{
 			Cache: [][2]string{
 				{"CMAKE_BUILD_TYPE", "Release"},
 			},
 		}
 	}
 	if len(attr.Cache) == 0 {
 		panic("CACHE must be non-empty")
 	}
 	return `
 cmake -G Ninja \
 	-DCMAKE_C_COMPILER_TARGET="${ROSA_TRIPLE}" \
 	-DCMAKE_CXX_COMPILER_TARGET="${ROSA_TRIPLE}" \
 	-DCMAKE_ASM_COMPILER_TARGET="${ROSA_TRIPLE}" \
 	` + strings.Join(slices.Collect(func(yield func(string) bool) {
 		for _, v := range attr.Cache {
 			if !yield("-D" + v[0] + "=" + v[1]) {
 				return
 			}
 		}
 	}), " \\\n\t") + ` \
 	-DCMAKE_INSTALL_PREFIX=/work/system \
 	'/usr/src/` + name + `/` + path.Join(attr.Append...) + `'
 cmake --build .
 cmake --install .
 ` + attr.Script
 }
--- a/internal/rosa/curl.go
+++ b/internal/rosa/curl.go
@@ -0,0 +1,40 @@
 package rosa
 import "hakurei.app/internal/pkg"
 func (t Toolchain) newCurl() (pkg.Artifact, string) {
 	const (
 		version  = "8.18.0"
 		checksum = "YpOolP_sx1DIrCEJ3elgVAu0wTLDS-EZMZFvOP0eha7FaLueZUlEpuMwDzJNyi7i"
 	)
 	return t.NewPackage("curl", version, pkg.NewHTTPGetTar(
 		nil, "https://curl.se/download/curl-"+version+".tar.bz2",
 		mustDecode(checksum),
 		pkg.TarBzip2,
 	), nil, &MakeHelper{
 		Configure: [][2]string{
 			{"with-openssl"},
 			{"with-ca-bundle", "/system/etc/ssl/certs/ca-bundle.crt"},
 		},
 		Check: []string{
 			"TFLAGS=-j256",
 			"check",
 		},
 	},
 		Perl,
 		Libpsl,
 		OpenSSL,
 	), version
 }
 func init() {
 	artifactsM[Curl] = Metadata{
 		f: Toolchain.newCurl,
 		Name:        "curl",
 		Description: "command line tool and library for transferring data with URLs",
 		Website:     "https://curl.se/",
 		ID: 381,
 	}
 }
--- a/internal/rosa/dtc.go
+++ b/internal/rosa/dtc.go
@@ -0,0 +1,43 @@
 package rosa
 import "hakurei.app/internal/pkg"
 func (t Toolchain) newDTC() (pkg.Artifact, string) {
 	const (
 		version  = "1.7.2"
 		checksum = "vUoiRynPyYRexTpS6USweT5p4SVHvvVJs8uqFkkVD-YnFjwf6v3elQ0-Etrh00Dt"
 	)
 	return t.NewPackage("dtc", version, pkg.NewHTTPGetTar(
 		nil, "https://git.kernel.org/pub/scm/utils/dtc/dtc.git/snapshot/"+
 			"dtc-v"+version+".tar.gz",
 		mustDecode(checksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		// works around buggy test:
 		// fdtdump-runtest.sh /usr/src/dtc/tests/fdtdump.dts
 		Writable: true,
 		Chmod:    true,
 	}, &MesonHelper{
 		Setup: [][2]string{
 			{"Dyaml", "disabled"},
 			{"Dstatic-build", "true"},
 		},
 	},
 		Flex,
 		Bison,
 		M4,
 		Coreutils,
 		Diffutils,
 	), version
 }
 func init() {
 	artifactsM[DTC] = Metadata{
 		f: Toolchain.newDTC,
 		Name:        "dtc",
 		Description: "The Device Tree Compiler",
 		Website:     "https://git.kernel.org/pub/scm/utils/dtc/dtc.git/",
 		ID: 16911,
 	}
 }
--- a/internal/rosa/elfutils.go
+++ b/internal/rosa/elfutils.go
@@ -0,0 +1,51 @@
 package rosa
 import "hakurei.app/internal/pkg"
 func (t Toolchain) newElfutils() (pkg.Artifact, string) {
 	const (
 		version  = "0.194"
 		checksum = "Q3XUygUPv9vR1TkWucwUsQ8Kb1_F6gzk-KMPELr3cC_4AcTrprhVPMvN0CKkiYRa"
 	)
 	return t.NewPackage("elfutils", version, pkg.NewHTTPGetTar(
 		nil, "https://sourceware.org/elfutils/ftp/"+
 			version+"/elfutils-"+version+".tar.bz2",
 		mustDecode(checksum),
 		pkg.TarBzip2,
 	), &PackageAttr{
 		Env: []string{
 			"CC=cc" +
 				// nonstandard glibc extension
 				" -DFNM_EXTMATCH=0",
 		},
 	}, &MakeHelper{
 		// nonstandard glibc extension
 		SkipCheck: true,
 		Configure: [][2]string{
 			{"enable-deterministic-archives"},
 		},
 	},
 		M4,
 		PkgConfig,
 		Zlib,
 		Bzip2,
 		Zstd,
 		ArgpStandalone,
 		MuslFts,
 		MuslObstack,
 		KernelHeaders,
 	), version
 }
 func init() {
 	artifactsM[Elfutils] = Metadata{
 		f: Toolchain.newElfutils,
 		Name:        "elfutils",
 		Description: "utilities and libraries to handle ELF files and DWARF data",
 		Website:     "https://sourceware.org/elfutils/",
 		ID: 5679,
 	}
 }
--- a/internal/rosa/etc.go
+++ b/internal/rosa/etc.go
@@ -0,0 +1,163 @@
 package rosa
 import (
 	"errors"
 	"io"
 	"os"
 	"sync"
 	"syscall"
 	"hakurei.app/container/fhs"
 	"hakurei.app/internal/pkg"
 )
 // cureEtc contains deterministic elements of /etc, made available as part of
 // [Toolchain]. This silences test suites expecting certain standard files to be
 // available in /etc.
 type cureEtc struct {
 	// Optional via newIANAEtc.
 	iana pkg.Artifact
 }
 // Cure writes hardcoded configuration to files under etc.
 func (a cureEtc) Cure(t *pkg.FContext) (err error) {
 	etc := t.GetWorkDir().Append("etc")
 	if err = os.MkdirAll(etc.String(), 0700); err != nil {
 		return
 	}
 	for _, f := range [][2]string{
 		{"hosts", "127.0.0.1 localhost cure cure-net\n"},
 		{"passwd", `root:x:0:0:System administrator:/proc/nonexistent:/bin/sh
 cure:x:1023:1023:Cure:/usr/src:/bin/sh
 nobody:x:65534:65534:Overflow user:/proc/nonexistent:/system/bin/false
 `},
 		{"group", `root:x:0:
 cure:x:1023:
 nobody:x:65534:
 `},
 	} {
 		if err = os.WriteFile(
 			etc.Append(f[0]).String(),
 			[]byte(f[1]),
 			0400,
 		); err != nil {
 			return
 		}
 	}
 	if a.iana != nil {
 		iana, _ := t.GetArtifact(a.iana)
 		buf := make([]byte, syscall.Getpagesize()<<3)
 		for _, name := range []string{
 			"protocols",
 			"services",
 		} {
 			var dst, src *os.File
 			if dst, err = os.OpenFile(
 				etc.Append(name).String(),
 				syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY,
 				0400,
 			); err != nil {
 				return
 			}
 			if src, err = os.Open(
 				iana.Append(name).String(),
 			); err != nil {
 				_ = dst.Close()
 				return
 			}
 			_, err = io.CopyBuffer(dst, src, buf)
 			closeErrs := [...]error{
 				dst.Close(),
 				src.Close(),
 			}
 			if err != nil {
 				return
 			} else if err = errors.Join(closeErrs[:]...); err != nil {
 				return
 			}
 		}
 	}
 	return os.Chmod(etc.String(), 0500)
 }
 // Kind returns the hardcoded [pkg.Kind] value.
 func (cureEtc) Kind() pkg.Kind { return kindEtc }
 // Params writes whether iana-etc is populated.
 func (a cureEtc) Params(ctx *pkg.IContext) {
 	if a.iana != nil {
 		ctx.WriteUint32(1)
 	} else {
 		ctx.WriteUint32(0)
 	}
 }
 func init() {
 	pkg.Register(kindEtc, func(r *pkg.IRReader) pkg.Artifact {
 		a := cureEtc{}
 		if r.ReadUint32() != 0 {
 			a.iana = r.Next()
 		}
 		if _, ok := r.Finalise(); ok {
 			panic(pkg.ErrUnexpectedChecksum)
 		}
 		return a
 	})
 }
 // IsExclusive returns false: Cure performs a few trivial filesystem writes.
 func (cureEtc) IsExclusive() bool { return false }
 // Dependencies returns a slice containing the backing iana-etc release.
 func (a cureEtc) Dependencies() []pkg.Artifact {
 	if a.iana != nil {
 		return []pkg.Artifact{a.iana}
 	}
 	return nil
 }
 // String returns a hardcoded reporting name.
 func (a cureEtc) String() string {
 	if a.iana == nil {
 		return "cure-etc-minimal"
 	}
 	return "cure-etc"
 }
 // newIANAEtc returns an unpacked iana-etc release.
 func newIANAEtc() pkg.Artifact {
 	const (
 		version  = "20251215"
 		checksum = "kvKz0gW_rGG5QaNK9ZWmWu1IEgYAdmhj_wR7DYrh3axDfIql_clGRHmelP7525NJ"
 	)
 	return pkg.NewHTTPGetTar(
 		nil, "https://github.com/Mic92/iana-etc/releases/download/"+
 			version+"/iana-etc-"+version+".tar.gz",
 		mustDecode(checksum),
 		pkg.TarGzip,
 	)
 }
 var (
 	resolvconfPath pkg.ExecPath
 	resolvconfOnce sync.Once
 )
 // resolvconf returns a hardcoded /etc/resolv.conf file.
 func resolvconf() pkg.ExecPath {
 	resolvconfOnce.Do(func() {
 		resolvconfPath = pkg.Path(
 			fhs.AbsEtc.Append("resolv.conf"), false,
 			pkg.NewFile("resolv.conf", []byte(`
 nameserver 1.1.1.1
 nameserver 1.0.0.1
 `)),
 		)
 	})
 	return resolvconfPath
 }
--- a/Show More
+++ b/Show More
`@@ -1,3 +1,3 @@`
	`module hakurei.app`	`module hakurei.app`

	`go 1.24`	`go 1.25`