typescript-virtual-container 1.4.9 → 1.5.0

package/src/modules/linuxRootfs.ts

@@ -6,12 +6,16 @@
  * Called once during VirtualShell initialization. Idempotent — skips
  * paths that already exist so FS-mode snapshots survive restarts.
  *
+ * Emulation fidelity: modelled after a Fortune GNU/Linux 1.0 (Nyx)
+ * container with Firecracker MicroVM kernel 6.x, virtio block devices
+ * (vda/vdb/vdc/vdd), cgroups v1 hierarchy, Node.js 22, Python 3.12,
+ * GCC 13, OpenJDK 21, and a Fortune-style package database.
+ *
  * Public API:
- *  - bootstrapLinuxRootfs()  one-shot boot (VirtualShell calls this)
- *  - refreshProc()           refresh /proc/* (call on session changes)
- *  - syncEtcPasswd()         sync /etc/passwd|group|shadow from UserManager
- *  - createLinuxRootfsEngine() returns engine with .boot() + .tick() for
- *                            runtimes that want a live refresh loop
+ *  - bootstrapLinuxRootfs()    one-shot boot (VirtualShell calls this)
+ *  - refreshProc()             refresh /proc/* (call on session changes)
+ *  - syncEtcPasswd()           sync /etc/passwd|group|shadow from UserManager
+ *  - createLinuxRootfsEngine() engine with .boot() + .tick() for live loops
  */
 
 import * as os from "node:os";
@@ -33,7 +37,6 @@ function ensureFile(
 	content: string,
 	mode = 0o644,
 ): void {
-	// Use lazy stub — no Buffer allocated until the file is actually read or overwritten
 	vfs.writeStub(path, content, mode);
 }
 
@@ -60,7 +63,7 @@ function bootstrapEtc(
 ): void {
 	ensureDir(vfs, "/etc");
 
-	// os-release — authoritative distro identity used by neofetch, lsb_release
+	// os-release — Fortune Nyx identity
 	ensureFile(
 		vfs,
 		"/etc/os-release",
@@ -70,42 +73,60 @@ function bootstrapEtc(
 			`ID=fortune`,
 			`ID_LIKE=debian`,
 			`HOME_URL="https://github.com/itsrealfortune/typescript-virtual-container"`,
-			`VERSION_CODENAME=aurora`,
-			`VERSION_ID="1.0"`,
+			`VERSION_CODENAME=nyx`,
+			`VERSION_ID="24.04"`,
+			`FORTUNE_CODENAME=nyx`,
 		].join("\n")}\n`,
 	);
 
-	ensureFile(vfs, "/etc/debian_version", "12.0\n");
+	ensureFile(vfs, "/etc/debian_version", "nyx/stable\n");
 	ensureFile(vfs, "/etc/hostname", `${hostname}\n`);
-	ensureFile(vfs, "/etc/shells", "/bin/sh\n/bin/bash\n/usr/bin/bash\n");
+	ensureFile(
+		vfs,
+		"/etc/shells",
+		"/bin/sh\n/bin/bash\n/usr/bin/bash\n/bin/dash\n/usr/bin/dash\n",
+	);
 	ensureFile(
 		vfs,
 		"/etc/profile",
 		`${[
-			"export PATH=/usr/local/bin:/usr/bin:/bin",
+			"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 			"export PS1='\\u@\\h:\\w\\$ '",
 		].join("\n")}\n`,
 	);
 
-	ensureFile(vfs, "/etc/issue", "Fortune GNU/Linux 1.0 \\n \\l\n");
+	ensureFile(vfs, "/etc/issue", "Fortune GNU/Linux 24.04 LTS \\n \\l\n");
+	ensureFile(vfs, "/etc/issue.net", "Fortune GNU/Linux 24.04 LTS\n");
 	ensureFile(
 		vfs,
 		"/etc/motd",
 		["", `Welcome to ${props.os}`, `Kernel: ${props.kernel}`, ""].join("\n"),
 	);
+	ensureFile(vfs, "/etc/lsb-release",
+		`${[
+			"DISTRIB_ID=Fortune",
+			"DISTRIB_RELEASE=24.04",
+			"DISTRIB_CODENAME=nyx",
+			`DISTRIB_DESCRIPTION="${props.os}"`,
+		].join("\n")}\n`,
+	);
 
-	// APT sources
+	// APT — Fortune Nyx sources
 	ensureDir(vfs, "/etc/apt");
 	ensureDir(vfs, "/etc/apt/sources.list.d");
+	ensureDir(vfs, "/etc/apt/trusted.gpg.d");
+	ensureDir(vfs, "/etc/apt/keyrings");
 	ensureFile(
 		vfs,
 		"/etc/apt/sources.list",
 		`${[
-			"# Fortune GNU/Linux package sources",
-			"deb [virtual] fortune://packages.fortune.local aurora main contrib",
-			"deb [virtual] fortune://security.fortune.local aurora-security main",
+			"# Fortune GNU/Linux package sources (Fortune 1.0 Nyx)",
+			"deb [virtual] fortune://packages.fortune.local nyx main contrib non-free",
+			"deb [virtual] fortune://packages.fortune.local nyx-updates main contrib non-free",
+			"deb [virtual] fortune://security.fortune.local nyx-security main",
 		].join("\n")}\n`,
 	);
+	ensureFile(vfs, "/etc/apt/apt.conf.d/70debconf", `// debconf config\n`);
 
 	// network
 	ensureDir(vfs, "/etc/network");
@@ -120,6 +141,18 @@ function bootstrapEtc(
 			"iface eth0 inet dhcp",
 		].join("\n")}\n`,
 	);
+	ensureDir(vfs, "/etc/netplan");
+	ensureFile(
+		vfs,
+		"/etc/netplan/01-eth0.yaml",
+		`${[
+			"network:",
+			"  version: 2",
+			"  ethernets:",
+			"    eth0:",
+			"      dhcp4: true",
+		].join("\n")}\n`,
+	);
 
 	ensureFile(vfs, "/etc/resolv.conf", "nameserver 1.1.1.1\nnameserver 8.8.8.8\n");
 
@@ -130,29 +163,56 @@ function bootstrapEtc(
 			"127.0.0.1   localhost",
 			`127.0.1.1   ${hostname}`,
 			"::1         localhost ip6-localhost ip6-loopback",
+			"fe00::0     ip6-localnet",
+			"ff00::0     ip6-mcastprefix",
+			"ff02::1     ip6-allnodes",
+			"ff02::2     ip6-allrouters",
+		].join("\n")}\n`,
+	);
+
+	ensureFile(vfs, "/etc/nsswitch.conf",
+		`${[
+			"passwd:         files systemd",
+			"group:          files systemd",
+			"shadow:         files",
+			"hosts:          files dns",
+			"networks:       files",
+			"protocols:      db files",
+			"services:       db files",
+			"ethers:         db files",
+			"rpc:            db files",
 		].join("\n")}\n`,
 	);
 
 	ensureDir(vfs, "/etc/cron.d");
+	ensureDir(vfs, "/etc/cron.daily");
+	ensureDir(vfs, "/etc/cron.hourly");
+	ensureDir(vfs, "/etc/cron.weekly");
+	ensureDir(vfs, "/etc/cron.monthly");
 	ensureDir(vfs, "/etc/init.d");
 	ensureDir(vfs, "/etc/systemd");
 	ensureDir(vfs, "/etc/systemd/system");
+	ensureDir(vfs, "/etc/systemd/system/multi-user.target.wants");
+	ensureDir(vfs, "/etc/systemd/network");
+	ensureFile(vfs, "/etc/systemd/system.conf",
+		"[Manager]\nDefaultTimeoutStartSec=90s\nDefaultTimeoutStopSec=90s\n",
+	);
 
-	// fstab
+	// fstab — virtio block devices matching Firecracker layout
 	ensureFile(
 		vfs,
 		"/etc/fstab",
 		`${[
-			"# <file system>  <mount point>  <type>   <options>         <dump>  <pass>",
-			"UUID=00000000-0000-0000-0000-000000000001  /       ext4  errors=remount-ro  0  1",
-			"UUID=00000000-0000-0000-0000-000000000002  /boot   ext4  defaults           0  2",
-			"UUID=00000000-0000-0000-0000-000000000003  none    swap  sw                 0  0",
-			"tmpfs  /tmp   tmpfs  defaults,noatime  0  0",
-			"tmpfs  /run   tmpfs  defaults,noatime  0  0",
+			"# <file system>  <mount point>  <type>    <options>                        <dump>  <pass>",
+			"/dev/vda         /              ext4      rw,relatime,resuid=65534,resgid=65534  0  1",
+			"/dev/vdb         /opt/rclone    squashfs  ro,relatime,errors=continue      0  0",
+			"tmpfs            /tmp           tmpfs     defaults,noatime                 0  0",
+			"tmpfs            /run           tmpfs     defaults,noatime                 0  0",
+			"tmpfs            /dev/shm       tmpfs     rw,relatime                      0  0",
 		].join("\n")}\n`,
 	);
 
-	// login.defs — useradd/passwd defaults
+	// login.defs
 	ensureFile(
 		vfs,
 		"/etc/login.defs",
@@ -174,32 +234,167 @@ function bootstrapEtc(
 
 	// security + pam
 	ensureDir(vfs, "/etc/security");
-	ensureFile(vfs, "/etc/security/limits.conf", "# /etc/security/limits.conf\n");
+	ensureFile(vfs, "/etc/security/limits.conf",
+		"# /etc/security/limits.conf\n*  soft  nofile  1024\n*  hard  nofile  65536\n",
+	);
 	ensureFile(vfs, "/etc/security/access.conf", "# /etc/security/access.conf\n");
 
 	ensureDir(vfs, "/etc/pam.d");
-	ensureFile(vfs, "/etc/pam.d/common-auth",     "auth required pam_unix.so\n");
-	ensureFile(vfs, "/etc/pam.d/common-account",  "account required pam_unix.so\n");
+	ensureFile(vfs, "/etc/pam.d/common-auth",
+		"auth [success=1 default=ignore] pam_unix.so nullok\nauth requisite pam_deny.so\nauth required pam_permit.so\n",
+	);
+	ensureFile(vfs, "/etc/pam.d/common-account",
+		"account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\naccount requisite pam_deny.so\naccount required pam_permit.so\n",
+	);
 	ensureFile(vfs, "/etc/pam.d/common-password",
-		"password required pam_unix.so obscure sha512\n");
-	ensureFile(vfs, "/etc/pam.d/common-session",  "session required pam_unix.so\n");
+		"password [success=1 default=ignore] pam_unix.so obscure sha512\npassword requisite pam_deny.so\npassword required pam_permit.so\n",
+	);
+	ensureFile(vfs, "/etc/pam.d/common-session",
+		"session [default=1] pam_permit.so\nsession requisite pam_deny.so\nsession required pam_permit.so\nsession optional pam_umask.so\nsession required pam_unix.so\n",
+	);
 	ensureFile(vfs, "/etc/pam.d/sshd",
-		"@include common-auth\n@include common-account\n@include common-session\n");
+		"@include common-auth\n@include common-account\n@include common-session\n",
+	);
+	ensureFile(vfs, "/etc/pam.d/login",
+		"@include common-auth\n@include common-account\n@include common-session\n",
+	);
+	ensureFile(vfs, "/etc/pam.d/sudo",
+		"@include common-auth\n@include common-account\n@include common-session\n",
+	);
 
-	// sudo config
+	// sudo
 	ensureDir(vfs, "/etc/sudoers.d");
 	ensureFile(vfs, "/etc/sudoers",
-		"root ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n", 0o440);
+		"Defaults\tenv_reset\nDefaults\tmail_badpass\nDefaults\tsecure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n",
+		0o440,
+	);
+	ensureFile(vfs, "/etc/sudoers.d/README",
+		"# Files in this directory are parsed by sudo, if the file is not a backup.\n",
+		0o440,
+	);
 
 	// ld
 	ensureFile(vfs, "/etc/ld.so.conf", "include /etc/ld.so.conf.d/*.conf\n");
 	ensureDir(vfs, "/etc/ld.so.conf.d");
-	ensureFile(vfs, "/etc/ld.so.conf.d/x86_64-linux-gnu.conf", "/lib/x86_64-linux-gnu\n/usr/lib/x86_64-linux-gnu\n");
+	ensureFile(vfs, "/etc/ld.so.conf.d/x86_64-linux-gnu.conf",
+		"/lib/x86_64-linux-gnu\n/usr/lib/x86_64-linux-gnu\n",
+	);
+	ensureFile(vfs, "/etc/ld.so.conf.d/fakeroot.conf",
+		"/usr/lib/x86_64-linux-gnu/libfakeroot\n",
+	);
 
 	// locale + timezone
 	ensureFile(vfs, "/etc/locale.conf", "LANG=en_US.UTF-8\n");
+	ensureFile(vfs, "/etc/locale.gen", "en_US.UTF-8 UTF-8\n");
+	ensureFile(vfs, "/etc/default/locale", "LANG=en_US.UTF-8\n");
 	ensureFile(vfs, "/etc/timezone", "UTC\n");
 	ensureFile(vfs, "/etc/localtime", "UTC\n");
+
+	// environment
+	ensureFile(vfs, "/etc/environment",
+		"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n",
+	);
+
+	// adduser.conf
+	ensureFile(vfs, "/etc/adduser.conf",
+		`${[
+			"DSHELL=/bin/bash",
+			"DHOME=/home",
+			"GROUPHOMES=no",
+			"LETTERHOMES=no",
+			"SKEL=/etc/skel",
+			"FIRST_SYSTEM_UID=100",
+			"LAST_SYSTEM_UID=999",
+			"FIRST_SYSTEM_GID=100",
+			"LAST_SYSTEM_GID=999",
+			"FIRST_UID=1000",
+			"LAST_UID=59999",
+			"FIRST_GID=1000",
+			"LAST_GID=59999",
+			"USERGROUPS=yes",
+			"NAME_REGEX=\"^[a-z][-a-z0-9_]*$\"",
+			"SYS_NAME_REGEX=\"^[a-z_][-a-z0-9_]*$\"",
+		].join("\n")}\n`,
+	);
+
+	// /etc/skel
+	ensureDir(vfs, "/etc/skel");
+	ensureFile(vfs, "/etc/skel/.bashrc",
+		`${[
+			"# ~/.bashrc: executed by bash(1) for non-login shells.",
+			"case $- in",
+			"    *i*) ;;",
+			"      *) return;;",
+			"esac",
+			"HISTCONTROL=ignoreboth",
+			"HISTSIZE=1000",
+			"HISTFILESIZE=2000",
+			"shopt -s histappend",
+			"shopt -s checkwinsize",
+			"alias ll='ls -alF'",
+			"alias la='ls -A'",
+			"alias l='ls -CF'",
+		].join("\n")}\n`,
+	);
+	ensureFile(vfs, "/etc/skel/.bash_logout", "# ~/.bash_logout\n");
+	ensureFile(vfs, "/etc/skel/.profile",
+		"# ~/.profile\n[ -n \"$BASH_VERSION\" ] && [ -f \"$HOME/.bashrc\" ] && . \"$HOME/.bashrc\"\n",
+	);
+
+	// alternatives
+	ensureDir(vfs, "/etc/alternatives");
+	const alternatives: [string, string][] = [
+		["python3", "/usr/bin/python3.12"],
+		["python",  "/usr/bin/python3.12"],
+		["editor",  "/usr/bin/nano"],
+		["vi",      "/usr/bin/nano"],
+		["cc",      "/usr/bin/gcc"],
+		["gcc",     "/usr/bin/gcc-13"],
+		["g++",     "/usr/bin/g++-13"],
+		["java",    "/usr/lib/jvm/java-21-openjdk-amd64/bin/java"],
+		["node",    "/usr/bin/node"],
+		["npm",     "/usr/bin/npm"],
+		["awk",     "/usr/bin/mawk"],
+		["pager",   "/usr/bin/less"],
+	];
+	for (const [name, target] of alternatives) {
+		ensureFile(vfs, `/etc/alternatives/${name}`, target);
+	}
+
+	// java
+	ensureDir(vfs, "/etc/java-21-openjdk");
+	ensureDir(vfs, "/etc/java-21-openjdk/security");
+	ensureFile(vfs, "/etc/java-21-openjdk/security/java.security", "# java.security\n");
+	ensureFile(vfs, "/etc/java-21-openjdk/logging.properties", "# logging.properties\n");
+
+	// misc
+	ensureFile(vfs, "/etc/bash.bashrc",
+		"# System-wide .bashrc\n[ -z \"$PS1\" ] && return\n",
+	);
+	ensureFile(vfs, "/etc/inputrc",
+		"# /etc/inputrc\n$include /etc/inputrc.d\nset bell-style none\n",
+	);
+	ensureFile(vfs, "/etc/magic", "# magic\n");
+	ensureFile(vfs, "/etc/magic.mime", "# magic.mime\n");
+	ensureFile(vfs, "/etc/papersize", "a4\n");
+	ensureFile(vfs, "/etc/ucf.conf", "# ucf.conf\n");
+	ensureFile(vfs, "/etc/gai.conf",
+		"# getaddrinfo() configuration\nlabel ::1/128 0\nprecedence ::1/128 50\n",
+	);
+	ensureFile(vfs, "/etc/services",
+		"# Network services\nftp   21/tcp\nssh   22/tcp\nsmtp  25/tcp\nhttp  80/tcp\nhttps 443/tcp\n",
+	);
+	ensureFile(vfs, "/etc/protocols",
+		"# protocols\nip    0   IP\nicmp  1   ICMP\ntcp   6   TCP\nudp   17  UDP\n",
+	);
+
+	ensureDir(vfs, "/etc/profile.d");
+	ensureFile(vfs, "/etc/profile.d/01-locale-fix.sh",
+		"[ -z \"$LANG\" ] && export LANG=en_US.UTF-8\n",
+	);
+	ensureFile(vfs, "/etc/profile.d/apps-bin-path.sh",
+		"export PATH=\"$PATH:/snap/bin\"\n",
+	);
 }
 
 // ─── /etc/passwd + /etc/group + /etc/shadow ─────────────────────────────────
@@ -217,8 +412,26 @@ export function syncEtcPasswd(
 	const passwdLines = [
 		"root:x:0:0:root:/root:/bin/bash",
 		"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
+		"bin:x:2:2:bin:/bin:/usr/sbin/nologin",
+		"sys:x:3:3:sys:/dev:/usr/sbin/nologin",
+		"sync:x:4:65534:sync:/bin:/bin/sync",
+		"games:x:5:60:games:/usr/games:/usr/sbin/nologin",
+		"man:x:6:12:man:/var/cache/man:/usr/sbin/nologin",
+		"lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin",
+		"mail:x:8:8:mail:/var/mail:/usr/sbin/nologin",
+		"news:x:9:9:news:/var/spool/news:/usr/sbin/nologin",
+		"uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin",
+		"proxy:x:13:13:proxy:/bin:/usr/sbin/nologin",
 		"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
+		"backup:x:34:34:backup:/var/backups:/usr/sbin/nologin",
+		"list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin",
+		"irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin",
+		"_apt:x:42:65534::/nonexistent:/usr/sbin/nologin",
 		"nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
+		"messagebus:x:100:106::/nonexistent:/usr/sbin/nologin",
+		"systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin",
+		"systemd-resolve:x:999:999:systemd Resolver:/:/usr/sbin/nologin",
+		"polkitd:x:997:997:polkit:/nonexistent:/usr/sbin/nologin",
 	];
 
 	let uid = 1000;
@@ -230,19 +443,65 @@ export function syncEtcPasswd(
 
 	vfs.writeFile("/etc/passwd", `${passwdLines.join("\n")}\n`);
 
+	const sudoers = userList.filter((u) => users.isSudoer(u)).join(",");
+	const nonRootUsers = userList.filter((u) => u !== "root").join(",");
+
 	const groupLines = [
 		"root:x:0:",
 		"daemon:x:1:",
-		`sudo:x:27:${userList.filter((u) => users.isSudoer(u)).join(",")}`,
-		`users:x:100:${userList.filter((u) => u !== "root").join(",")}`,
+		"bin:x:2:",
+		"sys:x:3:",
+		"adm:x:4:syslog",
+		"tty:x:5:",
+		"disk:x:6:",
+		"lp:x:7:",
+		"mail:x:8:",
+		"news:x:9:",
+		"uucp:x:10:",
+		"man:x:12:",
+		"proxy:x:13:",
+		"kmem:x:15:",
+		"dialout:x:20:",
+		"fax:x:21:",
+		"voice:x:22:",
+		"cdrom:x:24:",
+		"floppy:x:25:",
+		"tape:x:26:",
+		`sudo:x:27:${sudoers}`,
+		"audio:x:29:",
+		"dip:x:30:",
+		"www-data:x:33:",
+		"backup:x:34:",
+		"operator:x:37:",
+		"list:x:38:",
+		"irc:x:39:",
+		"src:x:40:",
+		"_apt:x:42:",
+		"shadow:x:42:",
+		"utmp:x:43:",
+		"video:x:44:",
+		"sasl:x:45:",
+		"plugdev:x:46:",
+		"staff:x:50:",
+		"games:x:60:",
+		`users:x:100:${nonRootUsers}`,
 		"nogroup:x:65534:",
+		"messagebus:x:106:",
+		"systemd-network:x:998:",
+		"systemd-resolve:x:999:",
+		"polkitd:x:997:",
 	];
 	vfs.writeFile("/etc/group", `${groupLines.join("\n")}\n`);
 
-	// shadow — fake hashes, never real credentials
 	const shadowLines = [
 		"root:*:19000:0:99999:7:::",
 		"daemon:*:19000:0:99999:7:::",
+		"nobody:*:19000:0:99999:7:::",
+		"messagebus:*:19000:0:99999:7:::",
+		"_apt:*:19000:0:99999:7:::",
+		"systemd-network:!:19000:::::::",
+		"systemd-resolve:!:19000:::::::",
+		"polkitd:!:19000:::::::",
 	];
 	for (const u of userList) {
 		if (u === "root") continue;
@@ -253,13 +512,11 @@ export function syncEtcPasswd(
 
 // ─── /proc helpers ───────────────────────────────────────────────────────────
 
-/** Derive a stable virtual PID from a tty string e.g. "pts/0" → 1000 */
 function ttyToPid(tty: string): number {
 	const match = tty.match(/(\d+)$/);
 	return 1000 + (match?.[1] ? parseInt(match[1], 10) : 0);
 }
 
-/** Write /proc/<pid>/ subtree for a single virtual process */
 function writeProcPid(
 	vfs: VirtualFileSystem,
 	pid: number,
@@ -273,6 +530,7 @@ function writeProcPid(
 	ensureDir(vfs, dir);
 	ensureDir(vfs, `${dir}/fd`);
 	ensureDir(vfs, `${dir}/fdinfo`);
+	ensureDir(vfs, `${dir}/net`);
 
 	const uptimeSec = Math.floor((Date.now() - new Date(startedAt).getTime()) / 1000);
 	const comm = cmdline.split(/\s+/)[0] ?? "bash";
@@ -284,20 +542,57 @@ function writeProcPid(
 		`${dir}/status`,
 		`${[
 			`Name:   ${comm}`,
+			`Umask:  0022`,
 			`State:  S (sleeping)`,
+			`Tgid:   ${pid}`,
 			`Pid:    ${pid}`,
 			`PPid:   1`,
+			`TracerPid:      0`,
 			`Uid:    0\t0\t0\t0`,
 			`Gid:    0\t0\t0\t0`,
-			`VmRSS:  4096 kB`,
-			`VmSize: 16384 kB`,
+			`FDSize: 64`,
+			`Groups:`,
+			`VmPeak:    20480 kB`,
+			`VmSize:    16384 kB`,
+			`VmLck:         0 kB`,
+			`VmPin:         0 kB`,
+			`VmHWM:      4096 kB`,
+			`VmRSS:      4096 kB`,
+			`RssAnon:     512 kB`,
+			`RssFile:    3584 kB`,
+			`RssShmem:      0 kB`,
+			`VmData:     2048 kB`,
+			`VmStk:       132 kB`,
+			`VmExe:       924 kB`,
+			`VmLib:      2744 kB`,
+			`VmPTE:        52 kB`,
+			`VmSwap:        0 kB`,
 			`Threads: 1`,
+			`SigQ:   0/31968`,
+			`SigPnd: 0000000000000000`,
+			`SigBlk: 0000000000010000`,
+			`SigIgn: 0000000000380004`,
+			`SigCgt: 000000004b817efb`,
+			`CapInh: 0000000000000000`,
+			`CapPrm: 000001ffffffffff`,
+			`CapEff: 000001ffffffffff`,
+			`CapBnd: 000001ffffffffff`,
+			`CapAmb: 0000000000000000`,
+			`NoNewPrivs:     0`,
+			`Seccomp:        0`,
+			`voluntary_ctxt_switches:        100`,
+			`nonvoluntary_ctxt_switches:     10`,
 		].join("\n")}\n`,
 	);
 	write(
 		vfs,
 		`${dir}/stat`,
-		`${pid} (${comm}) S 1 ${pid} ${pid} 0 -1 4194304 0 0 0 0 ${uptimeSec} 0 0 0 20 0 1 0 0 16384 4096 0\n`,
+		`${pid} (${comm}) S 1 ${pid} ${pid} 0 -1 4194304 0 0 0 0 ${uptimeSec} 0 0 0 20 0 1 0 0 16777216 4096 18446744073709551615 93824992235520 93824992290000 140737488347024 0 0 0 65536 3686404 1266761467 1 0 0 17 0 0 0 0 0 0\n`,
+	);
+	write(
+		vfs,
+		`${dir}/statm`,
+		`4096 1024 768 231 0 512 0\n`,
 	);
 	write(
 		vfs,
@@ -306,10 +601,48 @@ function writeProcPid(
 	);
 	write(vfs, `${dir}/cwd`, `/home/${username}\0`);
 	write(vfs, `${dir}/exe`, "/bin/bash\0");
+	write(vfs, `${dir}/maps`,
+		"00400000-004e7000 r-xp 00000000 fd:00 131073  /bin/bash\n" +
+		"006e7000-006e8000 r--p 000e7000 fd:00 131073  /bin/bash\n" +
+		"006e8000-006f1000 rw-p 000e8000 fd:00 131073  /bin/bash\n" +
+		"7fff00000000-7fff00001000 rw-p 00000000 00:00 0   [stack]\n" +
+		"7fff00000000-7fff00001000 r-xp 00000000 00:00 0   [vdso]\n",
+	);
+	write(vfs, `${dir}/limits`,
+		`${[
+			"Limit                     Soft Limit           Hard Limit           Units",
+			"Max cpu time              unlimited            unlimited            seconds",
+			"Max file size             unlimited            unlimited            bytes",
+			"Max data size             unlimited            unlimited            bytes",
+			"Max stack size            8388608              unlimited            bytes",
+			"Max core file size        0                    unlimited            bytes",
+			"Max resident set          unlimited            unlimited            bytes",
+			"Max processes             31968                31968                processes",
+			"Max open files            1048576              1048576              files",
+			"Max locked memory         8388608              8388608              bytes",
+			"Max address space         unlimited            unlimited            bytes",
+			"Max file locks            unlimited            unlimited            locks",
+			"Max pending signals       31968                31968                signals",
+			"Max msgqueue size         819200               819200               bytes",
+			"Max nice priority         0                    0",
+			"Max realtime priority     0                    0",
+			"Max realtime timeout      unlimited            unlimited            us",
+		].join("\n")}\n`,
+	);
+	write(vfs, `${dir}/io`,
+		"rchar: 1048576\nwchar: 65536\nsyscr: 512\nsyscw: 64\nread_bytes: 0\nwrite_bytes: 0\ncancelled_write_bytes: 0\n",
+	);
+	write(vfs, `${dir}/oom_score`, "0\n");
+	write(vfs, `${dir}/oom_score_adj`, "0\n");
+	write(vfs, `${dir}/loginuid`, "0\n");
+	write(vfs, `${dir}/wchan`, "poll_schedule_timeout\n");
+	write(vfs, `${dir}/schedstat`, "1000000 0 1\n");
 
-	// Standard fd stubs (stdin/stdout/stderr)
 	for (const fd of ["0", "1", "2"]) {
 		ensureFile(vfs, `${dir}/fd/${fd}`, "");
+		ensureFile(vfs, `${dir}/fdinfo/${fd}`,
+			`pos:\t0\nflags:\t0${fd === "0" ? "2" : fd === "1" ? "1" : "1"}02\nmnt_id:\t13\n`,
+		);
 	}
 }
 
@@ -321,11 +654,30 @@ function bootProcLog(vfs: VirtualFileSystem, props: ShellProperties): void {
 		vfs,
 		"/proc/boot/log",
 		`${[
-			"[    0.000000] Linux virtual kernel booting...",
-			"[    0.000120] init memory subsystem",
-			"[    0.000240] mount /proc /sys /dev",
-			"[    0.000420] start init",
-			"[    0.000680] system ready",
+			`[    0.000000] Linux version ${props.kernel} (fortune@build) #1 SMP PREEMPT_DYNAMIC`,
+			"[    0.000000] Command line: console=ttyS0 reboot=k panic=1 nomodule random.trust_cpu=1 ipv6.disable=1",
+			"[    0.000060] BIOS-provided physical RAM map:",
+			"[    0.000070] ACPI: RSDP 0x00000000000F05B0 000014 (v00 BOCHS )",
+			"[    0.000120] PCI: Using configuration type 1 for base access",
+			"[    0.000240] clocksource: tsc-early: mask: 0xffffffffffffffff",
+			"[    0.000320] ACPI: IRQ0 used by override",
+			"[    0.000420] Initializing cgroup subsys cpuset",
+			"[    0.000440] Initializing cgroup subsys cpu",
+			"[    0.000450] Initializing cgroup subsys cpuacct",
+			"[    0.000460] Linux agpgart interface v0.103",
+			"[    0.000480] PCI: pci_cache_line_size set to 64 bytes",
+			"[    0.000510] virtio-pci 0000:00:01.0: runtime IRQs not yet assigned",
+			"[    0.000680] NET: Registered PF_INET6 protocol family",
+			"[    0.000720] Freeing unused kernel image (initmem) memory",
+			"[    0.000760] Write protecting the kernel read-only data",
+			"[    0.000800] Run /sbin/init as init process",
+			"[    0.001200] systemd[1]: Detected virtualization kvm",
+			"[    0.001300] systemd[1]: Detected architecture x86-64",
+			"[    0.002000] systemd[1]: Starting Fortune GNU/Linux...",
+			"[    0.003000] systemd[1]: Started Journal Service",
+			"[    0.010000] EXT4-fs (vda): mounted filesystem",
+			"[    0.020000] systemd[1]: Reached target Basic System",
+			"[    0.030000] systemd[1]: Started Login Service",
 		].join("\n")}\n`,
 	);
 	ensureFile(vfs, "/proc/boot/version", `Linux ${props.kernel} (virtual)\n`);
@@ -350,13 +702,18 @@ export function refreshProc(
 	ensureDir(vfs, "/proc");
 
 	const uptimeSec = Math.floor((Date.now() - shellStartTime) / 1000);
-	const idleSec = Math.floor(uptimeSec * 0.9);
+	const idleSec   = Math.floor(uptimeSec * 0.9);
 	write(vfs, "/proc/uptime", `${uptimeSec}.00 ${idleSec}.00\n`);
 
 	// meminfo — real host values, Linux-compatible format
-	const totalMemKb = Math.floor(os.totalmem() / 1024);
-	const freeMemKb = Math.floor(os.freemem() / 1024);
-	const availMemKb = Math.floor(freeMemKb * 0.95);
+	const totalMemKb   = Math.floor(os.totalmem() / 1024);
+	const freeMemKb    = Math.floor(os.freemem() / 1024);
+	const availMemKb   = Math.floor(freeMemKb * 0.95);
+	const buffersKb    = Math.floor(totalMemKb * 0.03);
+	const cachedKb     = Math.floor(totalMemKb * 0.08);
+	const shmemKb      = Math.floor(totalMemKb * 0.005);
+	const slabKb       = Math.floor(totalMemKb * 0.02);
+	const pageTablesKb = Math.floor(totalMemKb * 0.001);
 	write(
 		vfs,
 		"/proc/meminfo",
@@ -364,14 +721,59 @@ export function refreshProc(
 			`MemTotal:       ${String(totalMemKb).padStart(10)} kB`,
 			`MemFree:        ${String(freeMemKb).padStart(10)} kB`,
 			`MemAvailable:   ${String(availMemKb).padStart(10)} kB`,
-			`Buffers:        ${String(Math.floor(totalMemKb * 0.02)).padStart(10)} kB`,
-			`Cached:         ${String(Math.floor(totalMemKb * 0.15)).padStart(10)} kB`,
-			`SwapTotal:      ${String(Math.floor(totalMemKb * 0.5)).padStart(10)} kB`,
-			`SwapFree:       ${String(Math.floor(totalMemKb * 0.5)).padStart(10)} kB`,
+			`Buffers:        ${String(buffersKb).padStart(10)} kB`,
+			`Cached:         ${String(cachedKb).padStart(10)} kB`,
+			`SwapCached:     ${String(0).padStart(10)} kB`,
+			`Active:         ${String(Math.floor((buffersKb + cachedKb) * 1.2)).padStart(10)} kB`,
+			`Inactive:       ${String(Math.floor(cachedKb * 0.6)).padStart(10)} kB`,
+			`Active(anon):   ${String(Math.floor(totalMemKb * 0.001)).padStart(10)} kB`,
+			`Inactive(anon): ${String(Math.floor(totalMemKb * 0.006)).padStart(10)} kB`,
+			`Active(file):   ${String(Math.floor(cachedKb * 1.2)).padStart(10)} kB`,
+			`Inactive(file): ${String(Math.floor(cachedKb * 0.6)).padStart(10)} kB`,
+			`Unevictable:    ${String(0).padStart(10)} kB`,
+			`Mlocked:        ${String(0).padStart(10)} kB`,
+			`SwapTotal:      ${String(0).padStart(10)} kB`,
+			`SwapFree:       ${String(0).padStart(10)} kB`,
+			`Zswap:          ${String(0).padStart(10)} kB`,
+			`Zswapped:       ${String(0).padStart(10)} kB`,
+			`Dirty:          ${String(Math.floor(Math.random() * 64)).padStart(10)} kB`,
+			`Writeback:      ${String(0).padStart(10)} kB`,
+			`AnonPages:      ${String(Math.floor(totalMemKb * 0.001)).padStart(10)} kB`,
+			`Mapped:         ${String(Math.floor(cachedKb * 0.4)).padStart(10)} kB`,
+			`Shmem:          ${String(shmemKb).padStart(10)} kB`,
+			`KReclaimable:   ${String(Math.floor(slabKb * 0.6)).padStart(10)} kB`,
+			`Slab:           ${String(slabKb).padStart(10)} kB`,
+			`SReclaimable:   ${String(Math.floor(slabKb * 0.6)).padStart(10)} kB`,
+			`SUnreclaim:     ${String(Math.floor(slabKb * 0.4)).padStart(10)} kB`,
+			`KernelStack:    ${String(Math.floor(totalMemKb * 0.0005)).padStart(10)} kB`,
+			`PageTables:     ${String(pageTablesKb).padStart(10)} kB`,
+			`NFS_Unstable:   ${String(0).padStart(10)} kB`,
+			`Bounce:         ${String(0).padStart(10)} kB`,
+			`WritebackTmp:   ${String(0).padStart(10)} kB`,
+			`CommitLimit:    ${String(Math.floor(totalMemKb * 0.5)).padStart(10)} kB`,
+			`Committed_AS:   ${String(Math.floor(totalMemKb * 0.05)).padStart(10)} kB`,
+			`VmallocTotal:   ${String(35184372087808 / 1024).padStart(10)} kB`,
+			`VmallocUsed:    ${String(Math.floor(totalMemKb * 0.01)).padStart(10)} kB`,
+			`VmallocChunk:   ${String(0).padStart(10)} kB`,
+			`Percpu:         ${String(Math.floor(totalMemKb * 0.0001)).padStart(10)} kB`,
+			`HardwareCorrupted:  ${String(0).padStart(6)} kB`,
+			`AnonHugePages:  ${String(0).padStart(10)} kB`,
+			`ShmemHugePages: ${String(0).padStart(10)} kB`,
+			`ShmemPmdMapped: ${String(0).padStart(10)} kB`,
+			`FileHugePages:  ${String(0).padStart(10)} kB`,
+			`FilePmdMapped:  ${String(0).padStart(10)} kB`,
+			`HugePages_Total:  ${String(0).padStart(8)}`,
+			`HugePages_Free:   ${String(0).padStart(8)}`,
+			`HugePages_Rsvd:   ${String(0).padStart(8)}`,
+			`HugePages_Surp:   ${String(0).padStart(8)}`,
+			`Hugepagesize:   ${String(2048).padStart(10)} kB`,
+			`Hugetlb:        ${String(0).padStart(10)} kB`,
+			`DirectMap4k:    ${String(Math.floor(totalMemKb * 0.02)).padStart(10)} kB`,
+			`DirectMap2M:    ${String(Math.floor(totalMemKb * 0.98)).padStart(10)} kB`,
 		].join("\n")}\n`,
 	);
 
-	// cpuinfo — real host CPU passthrough
+	// cpuinfo — real host CPU passthrough + x86 feature flags matching Firecracker Xeon
 	const cpus = os.cpus();
 	const cpuLines: string[] = [];
 	for (let i = 0; i < cpus.length; i++) {
@@ -379,9 +781,31 @@ export function refreshProc(
 		if (!c) continue;
 		cpuLines.push(
 			`processor\t: ${i}`,
+			`vendor_id\t: GenuineIntel`,
+			`cpu family\t: 6`,
+			`model\t\t: 85`,
 			`model name\t: ${c.model}`,
+			`stepping\t: 7`,
+			`microcode\t: 0x1`,
 			`cpu MHz\t\t: ${c.speed.toFixed(3)}`,
-			`cache size\t: 8192 KB`,
+			`cache size\t: 33792 KB`,
+			`physical id\t: 0`,
+			`siblings\t: ${cpus.length}`,
+			`core id\t\t: ${i}`,
+			`cpu cores\t: ${cpus.length}`,
+			`apicid\t\t: ${i}`,
+			`initial apicid\t: ${i}`,
+			`fpu\t\t: yes`,
+			`fpu_exception\t: yes`,
+			`cpuid level\t: 13`,
+			`wp\t\t: yes`,
+			`flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves arat umip avx512_vnni md_clear arch_capabilities`,
+			`bugs\t\t: spectre_v1 spectre_v2 spec_store_bypass swapgs taa mmio_stale_data retbleed eibrs_pbrsb bhi ibpb_no_ret spectre_v2_user its`,
+			`bogomips\t: ${(c.speed * 2 / 1000).toFixed(2)}`,
+			`clflush size\t: 64`,
+			`cache_alignment\t: 64`,
+			`address sizes\t: 46 bits physical, 48 bits virtual`,
+			`power management:`,
 			"",
 		);
 	}
@@ -390,95 +814,219 @@ export function refreshProc(
 	write(
 		vfs,
 		"/proc/version",
-		`Linux version ${props.kernel} (fortune@build) (gcc version 12.2.0) #1 SMP\n`,
+		`Linux version ${props.kernel} (fortune@nyx-build) (gcc (Fortune 13.3.0-nyx1) 13.3.0, GNU ld (GNU Binutils for Fortune) 2.42) #2 SMP PREEMPT_DYNAMIC\n`,
 	);
 	write(vfs, "/proc/hostname", `${hostname}\n`);
 
-	// loadavg — slightly random but bounded
-	const load = (Math.random() * 0.5).toFixed(2);
+	// loadavg
+	const load     = (Math.random() * 0.3).toFixed(2);
 	const numProcs = 1 + sessions.length;
 	write(vfs, "/proc/loadavg", `${load} ${load} ${load} ${numProcs}/${numProcs} 1\n`);
 
-	// /proc/net stubs
-	ensureDir(vfs, "/proc/net");
-	ensureFile(
-		vfs,
-		"/proc/net/dev",
-		`${[
-			"Inter-|   Receive                                                |  Transmit",
-			" face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed",
-			"    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0",
-			"  eth0:  131072    1024    0    0    0     0          0         0    65536     512    0    0    0     0       0          0",
-		].join("\n")}\n`,
+	// /proc/cmdline — Firecracker boot args
+	write(vfs, "/proc/cmdline",
+		`console=ttyS0 reboot=k panic=1 nomodule random.trust_cpu=1 ipv6.disable=1 swiotlb=noforce rdinit=/process_api init_on_free=1 -- --firecracker-init --addr 0.0.0.0:2024 --max-ws-buffer-size 32768 --block-local-connections\n`,
 	);
-	ensureFile(vfs, "/proc/net/if_inet6", "");
-	ensureFile(vfs, "/proc/net/tcp",  "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n");
-	ensureFile(vfs, "/proc/net/tcp6", "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n");
-
-	// /proc/cmdline — kernel boot args
-	write(vfs, "/proc/cmdline", `BOOT_IMAGE=/boot/vmlinuz-${props.kernel} root=/dev/sda2 ro quiet splash\n`);
 
-	// /proc/filesystems
-	ensureFile(
-		vfs,
-		"/proc/filesystems",
-		`${["nodev\tsysfs", "nodev\ttmpfs", "nodev\tproc", "nodev\tdevtmpfs", "\text4", "\tvfat", "nodev\tsquashfs", "nodev\toverlay"].join("\n")}\n`,
+	// /proc/filesystems — matching real container
+	write(vfs, "/proc/filesystems",
+		`${[
+			"nodev\tsysfs",
+			"nodev\ttmpfs",
+			"nodev\tbdev",
+			"nodev\tproc",
+			"nodev\tcgroup",
+			"nodev\tcgroup2",
+			"nodev\tcpuset",
+			"nodev\tdevtmpfs",
+			"nodev\tbinfmt_misc",
+			"nodev\tdebugfs",
+			"nodev\tsecurityfs",
+			"nodev\tsockfs",
+			"nodev\tbpf",
+			"nodev\tpipefs",
+			"nodev\tramfs",
+			"nodev\thugetlbfs",
+			"nodev\trpc_pipefs",
+			"nodev\tdevpts",
+			"\text3",
+			"\text2",
+			"\text4",
+			"\tsquashfs",
+			"nodev\tnfs",
+			"nodev\tnfs4",
+			"nodev\tautofs",
+			"\tfuseblk",
+			"nodev\tfuse",
+			"nodev\tfusectl",
+			"nodev\toverlay",
+			"\txfs",
+			"nodev\tmqueue",
+			"nodev\tselinuxfs",
+			"nodev\tpstore",
+		].join("\n")}\n`,
 	);
 
-	// /proc/mounts (= /proc/self/mounts)
+	// /proc/mounts — virtio block device layout
 	const mountsContent = `${[
-		"sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0",
-		"proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0",
-		"devtmpfs /dev devtmpfs rw,nosuid,size=8192k,nr_inodes=4096,mode=755 0 0",
+		"proc /proc proc rw,relatime 0 0",
+		"sysfs /sys sysfs rw,relatime 0 0",
+		"devtmpfs /dev devtmpfs rw,relatime,size=2045672k,nr_inodes=511418,mode=755 0 0",
+		"tmpfs /dev/shm tmpfs rw,relatime 0 0",
+		"devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0",
+		"tmpfs /sys/fs/cgroup tmpfs rw,relatime 0 0",
+		"cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0",
+		"cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct 0 0",
+		"cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0",
+		"cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices 0 0",
+		"cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer 0 0",
+		"cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio 0 0",
+		"cgroup /sys/fs/cgroup/pids cgroup rw,relatime,pids 0 0",
+		"cgroup2 /sys/fs/cgroup/unified cgroup2 rw,relatime 0 0",
+		"/dev/vda / ext4 rw,relatime,resuid=65534,resgid=65534 0 0",
+		"/dev/vdb /opt/rclone squashfs ro,relatime,errors=continue 0 0",
 		"tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=204800k,mode=755 0 0",
 		"tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0",
-		"/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0",
-		"/dev/sda1 /boot ext4 rw,relatime 0 0",
-		"tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0",
-		"devpts /dev/pts devpts rw,nosuid,noexec,relatime,mode=620,ptmxmode=000 0 0",
-		"squashfs /snap/core squashfs ro,nodev,relatime 0 0",
 	].join("\n")}\n`;
 	write(vfs, "/proc/mounts", mountsContent);
 	ensureDir(vfs, "/proc/self");
 	write(vfs, "/proc/self/mounts", mountsContent);
 
-	// /proc/partitions
+	// /proc/net
+	ensureDir(vfs, "/proc/net");
+	write(vfs, "/proc/net/dev",
+		`${[
+			"Inter-|   Receive                                                |  Transmit",
+			" face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed",
+			"    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0",
+			"  eth0:  128628    1230    0   19    0     0          0         0 52027469    2045    0    0    0     0       0          0",
+		].join("\n")}\n`,
+	);
+	write(vfs, "/proc/net/if_inet6", "");
+	write(vfs, "/proc/net/tcp",
+		"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n",
+	);
+	write(vfs, "/proc/net/tcp6",
+		"  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n",
+	);
+	write(vfs, "/proc/net/udp",
+		"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n",
+	);
+	write(vfs, "/proc/net/route",
+		"Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n" +
+		"eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n" +
+		"eth0\t0000A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n",
+	);
+	write(vfs, "/proc/net/arp",
+		"IP address       HW type     Flags       HW address            Mask     Device\n",
+	);
+	write(vfs, "/proc/net/fib_trie", "Local:\n  +-- 0.0.0.0/0 3 0 5\n");
+	write(vfs, "/proc/net/unix",
+		"Num       RefCount Protocol Flags    Type St Inode Path\n" +
+		"0000000000000000: 00000002 00000000 00010000 0001 01 10000 /run/dbus/system_bus_socket\n",
+	);
+	write(vfs, "/proc/net/sockstat",
+		"sockets: used 8\nTCP: inuse 0 orphan 0 tw 0 alloc 0 mem 0\nUDP: inuse 0 mem 0\nUDPLITE: inuse 0\nRAW: inuse 0\nFRAG: inuse 0 memory 0\n",
+	);
+
+	// /proc/partitions — virtio block devices
 	write(
 		vfs,
 		"/proc/partitions",
 		`${[
 			"major minor  #blocks  name",
 			"",
-			"   8        0   41943040 sda",
-			"   8        1     524288 sda1",
-			"   8        2   41417216 sda2",
-			"   7        0   10485760 loop0",
+			" 254        0 268435456 vda",
+			" 254       16      9664 vdb",
+			" 254       32       656 vdc",
+			" 254       48      5464 vdd",
 		].join("\n")}\n`,
 	);
 
-	// /proc/swaps
-	write(
-		vfs,
-		"/proc/swaps",
-		"Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n" +
-		`/dev/sda3\t\t\t\tpartition\t${Math.floor(os.totalmem() / 2048)}\t\t0\t\t-2\n`,
+	// /proc/swaps — no swap (matches real env: SwapTotal 0)
+	write(vfs, "/proc/swaps",
+		"Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n",
 	);
 
-	// /proc/sys — sysctl virtual tree
+	// /proc/diskstats — virtio block device I/O counters
+	write(vfs, "/proc/diskstats",
+		`${[
+			" 254       0 vda 1000 0 8000 500 200 0 1600 100 0 600 600 0 0 0 0",
+			" 254      16 vdb 100 0 800 50 0 0 0 0 0 50 50 0 0 0 0",
+			" 254      32 vdc 50 0 400 25 0 0 0 0 0 25 25 0 0 0 0",
+			" 254      48 vdd 80 0 640 40 0 0 0 0 0 40 40 0 0 0 0",
+		].join("\n")}\n`,
+	);
+
+	// /proc/interrupts
+	write(vfs, "/proc/interrupts",
+		`           CPU0\n  0:         ${Math.floor(uptimeSec * 250)}  IO-APIC   2-edge   timer\n  1:             9  IO-APIC   1-edge   i8042\n NMI:             0  Non-maskable interrupts\n ERR:             0\n MIS:             0\n PIN:             0  Posted-interrupt notification event\n NPI:             0  Nested posted-interrupt event\n PIW:             0  Posted-interrupt wakeup event\n`,
+	);
+
+	// /proc/sys — sysctl virtual tree (real values)
 	ensureDir(vfs, "/proc/sys");
 	ensureDir(vfs, "/proc/sys/kernel");
 	ensureDir(vfs, "/proc/sys/net");
+	ensureDir(vfs, "/proc/sys/net/ipv4");
+	ensureDir(vfs, "/proc/sys/net/ipv6");
+	ensureDir(vfs, "/proc/sys/net/core");
 	ensureDir(vfs, "/proc/sys/vm");
-	ensureFile(vfs, "/proc/sys/kernel/hostname",            `${hostname}\n`);
-	ensureFile(vfs, "/proc/sys/kernel/ostype",               "Linux\n");
-	ensureFile(vfs, "/proc/sys/kernel/osrelease",            `${props.kernel}\n`);
-	ensureFile(vfs, "/proc/sys/kernel/pid_max",              "32768\n");
-	ensureFile(vfs, "/proc/sys/kernel/threads-max",          "65536\n");
-	ensureFile(vfs, "/proc/sys/kernel/randomize_va_space",   "2\n");
-	ensureFile(vfs, "/proc/sys/kernel/dmesg_restrict",       "0\n");
-	ensureFile(vfs, "/proc/sys/net/ipv4/ip_forward",         "0\n");
-	ensureFile(vfs, "/proc/sys/vm/swappiness",               "60\n");
-	ensureFile(vfs, "/proc/sys/vm/overcommit_memory",        "0\n");
+	ensureDir(vfs, "/proc/sys/fs");
+	ensureDir(vfs, "/proc/sys/fs/inotify");
+
+	write(vfs, "/proc/sys/kernel/hostname",              `${hostname}\n`);
+	write(vfs, "/proc/sys/kernel/ostype",                "Linux\n");
+	write(vfs, "/proc/sys/kernel/osrelease",             `${props.kernel}\n`);
+	write(vfs, "/proc/sys/kernel/pid_max",               "32768\n");
+	write(vfs, "/proc/sys/kernel/threads-max",           "31968\n");
+	write(vfs, "/proc/sys/kernel/randomize_va_space",    "2\n");
+	write(vfs, "/proc/sys/kernel/dmesg_restrict",        "0\n");
+	write(vfs, "/proc/sys/kernel/kptr_restrict",         "0\n");
+	write(vfs, "/proc/sys/kernel/perf_event_paranoid",   "2\n");
+	write(vfs, "/proc/sys/kernel/printk",                "4\t4\t1\t7\n");
+	write(vfs, "/proc/sys/kernel/sysrq",                 "176\n");
+	write(vfs, "/proc/sys/kernel/panic",                 "1\n");
+	write(vfs, "/proc/sys/kernel/panic_on_oops",         "1\n");
+	write(vfs, "/proc/sys/kernel/core_pattern",          "core\n");
+	write(vfs, "/proc/sys/kernel/core_uses_pid",         "0\n");
+	write(vfs, "/proc/sys/kernel/ngroups_max",           "65536\n");
+	write(vfs, "/proc/sys/kernel/cap_last_cap",          "40\n");
+	write(vfs, "/proc/sys/kernel/unprivileged_userns_clone", "1\n");
+	write(vfs, "/proc/sys/net/ipv4/ip_forward",          "0\n");
+	write(vfs, "/proc/sys/net/ipv4/tcp_syncookies",      "1\n");
+	write(vfs, "/proc/sys/net/ipv4/tcp_fin_timeout",     "60\n");
+	write(vfs, "/proc/sys/net/ipv4/tcp_keepalive_time",  "7200\n");
+	write(vfs, "/proc/sys/net/ipv4/conf/all/rp_filter",  "2\n");
+	write(vfs, "/proc/sys/net/ipv6/conf/all/disable_ipv6", "1\n");
+	write(vfs, "/proc/sys/net/core/somaxconn",           "4096\n");
+	write(vfs, "/proc/sys/net/core/rmem_max",            "212992\n");
+	write(vfs, "/proc/sys/net/core/wmem_max",            "212992\n");
+	write(vfs, "/proc/sys/vm/swappiness",                "60\n");
+	write(vfs, "/proc/sys/vm/overcommit_memory",         "0\n");
+	write(vfs, "/proc/sys/vm/overcommit_ratio",          "50\n");
+	write(vfs, "/proc/sys/vm/dirty_ratio",               "20\n");
+	write(vfs, "/proc/sys/vm/dirty_background_ratio",    "10\n");
+	write(vfs, "/proc/sys/vm/min_free_kbytes",           "65536\n");
+	write(vfs, "/proc/sys/vm/vfs_cache_pressure",        "100\n");
+	write(vfs, "/proc/sys/fs/file-max",                  "1048576\n");
+	write(vfs, "/proc/sys/fs/inotify/max_user_watches",  "524288\n");
+	write(vfs, "/proc/sys/fs/inotify/max_user_instances","512\n");
+	write(vfs, "/proc/sys/fs/inotify/max_queued_events", "16384\n");
+
+	// /proc/cgroups — v1 hierarchy
+	write(vfs, "/proc/cgroups",
+		`${[
+			"#subsys_name\thierarchy\tnum_cgroups\tenabled",
+			"cpuset\t5\t1\t1",
+			"cpu\t1\t1\t1",
+			"cpuacct\t2\t1\t1",
+			"blkio\t6\t1\t1",
+			"memory\t3\t1\t1",
+			"devices\t4\t1\t1",
+			"freezer\t7\t1\t1",
+			"pids\t8\t1\t1",
+		].join("\n")}\n`,
+	);
 
 	// init process (PID 1)
 	writeProcPid(vfs, 1, "root", "pts/0", "/sbin/init", new Date(shellStartTime).toISOString(), {});
@@ -487,23 +1035,25 @@ export function refreshProc(
 	for (const session of sessions) {
 		const pid = ttyToPid(session.tty);
 		writeProcPid(vfs, pid, session.username, session.tty, "bash", session.startedAt, {
-			USER: session.username,
-			HOME: `/home/${session.username}`,
-			TERM: "xterm-256color",
-			SHELL: "/bin/bash",
+			USER:     session.username,
+			HOME:     `/home/${session.username}`,
+			TERM:     "xterm-256color",
+			SHELL:    "/bin/bash",
+			LANG:     "en_US.UTF-8",
+			PATH:     "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			LOGNAME:  session.username,
 		});
 	}
 
-	// /proc/self — mirror of most recent session, or init
+	// /proc/self — mirror of most recent session
 	const selfPid = sessions.length > 0 ? ttyToPid(sessions[sessions.length - 1]!.tty) : 1;
-
-	if (vfs.exists("/proc/self")) {
-		try { vfs.remove("/proc/self"); } catch { /* ignore */ }
-	}
+	try { vfs.remove("/proc/self"); } catch { /* ignore */ }
 
 	const selfSrc = `/proc/${selfPid}`;
 	ensureDir(vfs, "/proc/self");
 	ensureDir(vfs, "/proc/self/fd");
+	ensureDir(vfs, "/proc/self/fdinfo");
+	ensureDir(vfs, "/proc/self/net");
 
 	if (vfs.exists(selfSrc)) {
 		for (const entry of vfs.list(selfSrc)) {
@@ -512,16 +1062,15 @@ export function refreshProc(
 			try {
 				const st = vfs.stat(srcPath);
 				if (st.type === "file") write(vfs, dstPath, vfs.readFile(srcPath));
-			} catch { /* skip unreadable entries */ }
+			} catch { /* skip */ }
 		}
 	} else {
-		// Minimal fallback
-		write(vfs, "/proc/self/cmdline", "bash\0");
-		write(vfs, "/proc/self/comm", "bash");
-		write(vfs, "/proc/self/status", "Name:\tbash\nState:\tS (sleeping)\nPid:\t1\nPPid:\t0\n");
-		write(vfs, "/proc/self/environ", "");
-		write(vfs, "/proc/self/cwd", "/root\0");
-		write(vfs, "/proc/self/exe", "/bin/bash\0");
+		write(vfs, "/proc/self/cmdline",  "bash\0");
+		write(vfs, "/proc/self/comm",     "bash");
+		write(vfs, "/proc/self/status",   "Name:\tbash\nState:\tS (sleeping)\nPid:\t1\nPPid:\t0\n");
+		write(vfs, "/proc/self/environ",  "");
+		write(vfs, "/proc/self/cwd",      "/root\0");
+		write(vfs, "/proc/self/exe",      "/bin/bash\0");
 	}
 }
 
@@ -529,12 +1078,83 @@ export function refreshProc(
 
 function bootstrapSys(vfs: VirtualFileSystem, hostname: string, props: ShellProperties): void {
 	ensureDir(vfs, "/sys");
+
+	// No real DMI in Firecracker — /sys/devices/virtual/dmi/id does not exist.
+	// Expose /sys/class/net, /sys/fs/cgroup, /sys/kernel only.
+
 	ensureDir(vfs, "/sys/devices");
 	ensureDir(vfs, "/sys/devices/virtual");
+	ensureDir(vfs, "/sys/devices/system");
+	ensureDir(vfs, "/sys/devices/system/cpu");
+	ensureDir(vfs, "/sys/devices/system/cpu/cpu0");
+	ensureFile(vfs, "/sys/devices/system/cpu/cpu0/online", "1\n");
+	ensureFile(vfs, "/sys/devices/system/cpu/online",  "0\n");
+	ensureFile(vfs, "/sys/devices/system/cpu/possible", "0\n");
+	ensureFile(vfs, "/sys/devices/system/cpu/present",  "0\n");
+	ensureDir(vfs, "/sys/devices/system/node");
+	ensureDir(vfs, "/sys/devices/system/node/node0");
+	ensureFile(vfs, "/sys/devices/system/node/node0/cpumap", "1\n");
+
+	ensureDir(vfs, "/sys/class");
+	ensureDir(vfs, "/sys/class/net");
+	ensureDir(vfs, "/sys/class/net/eth0");
+	ensureFile(vfs, "/sys/class/net/eth0/operstate",  "up\n");
+	ensureFile(vfs, "/sys/class/net/eth0/carrier",    "1\n");
+	ensureFile(vfs, "/sys/class/net/eth0/mtu",        "1500\n");
+	ensureFile(vfs, "/sys/class/net/eth0/speed",      "10000\n");
+	ensureFile(vfs, "/sys/class/net/eth0/duplex",     "full\n");
+	ensureFile(vfs, "/sys/class/net/eth0/address",    "aa:bb:cc:dd:ee:ff\n");
+	ensureFile(vfs, "/sys/class/net/eth0/tx_queue_len","1000\n");
+
+	const seed    = fnv1a(hostname);
+	const macSeed = seed.toString(16).padStart(8, "0");
+	ensureFile(vfs, "/sys/class/net/eth0/address",
+		`52:54:00:${macSeed.slice(0,2)}:${macSeed.slice(2,4)}:${macSeed.slice(4,6)}\n`,
+	);
+
+	ensureDir(vfs, "/sys/class/net/lo");
+	ensureFile(vfs, "/sys/class/net/lo/operstate",  "unknown\n");
+	ensureFile(vfs, "/sys/class/net/lo/carrier",    "1\n");
+	ensureFile(vfs, "/sys/class/net/lo/mtu",        "65536\n");
+	ensureFile(vfs, "/sys/class/net/lo/address",    "00:00:00:00:00:00\n");
+
+	ensureDir(vfs, "/sys/class/block");
+	ensureDir(vfs, "/sys/class/block/vda");
+	ensureFile(vfs, "/sys/class/block/vda/size",     "536870912\n");
+	ensureFile(vfs, "/sys/class/block/vda/ro",       "0\n");
+	ensureFile(vfs, "/sys/class/block/vda/removable","0\n");
+
+	// cgroup fs
+	ensureDir(vfs, "/sys/fs");
+	ensureDir(vfs, "/sys/fs/cgroup");
+	for (const subsys of ["cpu", "cpuacct", "memory", "devices", "blkio", "pids", "freezer", "unified"]) {
+		ensureDir(vfs, `/sys/fs/cgroup/${subsys}`);
+		if (subsys !== "unified") {
+			ensureFile(vfs, `/sys/fs/cgroup/${subsys}/tasks`, "1\n");
+			ensureFile(vfs, `/sys/fs/cgroup/${subsys}/notify_on_release`, "0\n");
+			ensureFile(vfs, `/sys/fs/cgroup/${subsys}/release_agent`, "");
+		}
+	}
+	ensureFile(vfs, "/sys/fs/cgroup/memory/memory.limit_in_bytes",     `${os.totalmem()}\n`);
+	ensureFile(vfs, "/sys/fs/cgroup/memory/memory.usage_in_bytes",      `${os.totalmem() - os.freemem()}\n`);
+	ensureFile(vfs, "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes",`${os.totalmem()}\n`);
+	ensureFile(vfs, "/sys/fs/cgroup/cpu/cpu.cfs_period_us",             "100000\n");
+	ensureFile(vfs, "/sys/fs/cgroup/cpu/cpu.cfs_quota_us",              "-1\n");
+	ensureFile(vfs, "/sys/fs/cgroup/cpu/cpu.shares",                    "1024\n");
+
+	ensureDir(vfs, "/sys/kernel");
+	ensureFile(vfs, "/sys/kernel/hostname",  `${hostname}\n`);
+	ensureFile(vfs, "/sys/kernel/osrelease", `${props.kernel}\n`);
+	ensureFile(vfs, "/sys/kernel/ostype",    "Linux\n");
+
+	// security
+	ensureDir(vfs, "/sys/kernel/security");
+
+
+	// Still; we will create virtual dmi
+	ensureDir(vfs, "/sys/devices/virtual");
 	ensureDir(vfs, "/sys/devices/virtual/dmi");
 	ensureDir(vfs, "/sys/devices/virtual/dmi/id");
-
-	const seed = fnv1a(hostname);
 	const product = `VirtualNode-${(seed % 10000).toString().padStart(4, "0")}`;
 
 	// Full DMI table — deterministic, seeded from hostname
@@ -566,6 +1186,7 @@ function bootstrapSys(vfs: VirtualFileSystem, hostname: string, props: ShellProp
 	ensureFile(vfs, "/sys/kernel/hostname", `${hostname}\n`);
 	ensureFile(vfs, "/sys/kernel/osrelease", `${props.kernel}\n`);
 	ensureFile(vfs, "/sys/kernel/ostype", "Linux\n");
+
 }
 
 // ─── /dev ─────────────────────────────────────────────────────────────────────
@@ -573,38 +1194,70 @@ function bootstrapSys(vfs: VirtualFileSystem, hostname: string, props: ShellProp
 function bootstrapDev(vfs: VirtualFileSystem): void {
 	ensureDir(vfs, "/dev");
 
-	// character devices
-	ensureFile(vfs, "/dev/null",    "", 0o666);
-	ensureFile(vfs, "/dev/zero",    "", 0o666);
-	ensureFile(vfs, "/dev/full",    "", 0o666);
-	ensureFile(vfs, "/dev/random",  "", 0o444);
-	ensureFile(vfs, "/dev/urandom", "", 0o444);
-	ensureFile(vfs, "/dev/mem",     "", 0o640);
+	// character devices — matching real Firecracker container
+	ensureFile(vfs, "/dev/null",        "", 0o666);
+	ensureFile(vfs, "/dev/zero",        "", 0o666);
+	ensureFile(vfs, "/dev/full",        "", 0o666);
+	ensureFile(vfs, "/dev/random",      "", 0o444);
+	ensureFile(vfs, "/dev/urandom",     "", 0o444);
+	ensureFile(vfs, "/dev/mem",         "", 0o640);
+	ensureFile(vfs, "/dev/port",        "", 0o640);
+	ensureFile(vfs, "/dev/kmsg",        "", 0o660);
+	ensureFile(vfs, "/dev/hwrng",       "", 0o660);
+	ensureFile(vfs, "/dev/fuse",        "", 0o660);
+	ensureFile(vfs, "/dev/autofs",      "", 0o660);
+	ensureFile(vfs, "/dev/userfaultfd", "", 0o660);
+	ensureFile(vfs, "/dev/cpu_dma_latency", "", 0o660);
+	ensureFile(vfs, "/dev/ptp0",        "", 0o660);
+
+	// snapshot (KVM-specific)
+	ensureFile(vfs, "/dev/snapshot",    "", 0o660);
 
 	// terminal devices
-	ensureFile(vfs, "/dev/console", "", 0o600);
-	ensureFile(vfs, "/dev/tty",     "", 0o666);
-	ensureFile(vfs, "/dev/tty0",    "", 0o620);
-	ensureFile(vfs, "/dev/tty1",    "", 0o620);
-	ensureFile(vfs, "/dev/ttyS0",   "", 0o660);
+	ensureFile(vfs, "/dev/console",     "", 0o600);
+	ensureFile(vfs, "/dev/tty",         "", 0o666);
+	ensureFile(vfs, "/dev/ttyS0",       "", 0o660);
+	ensureFile(vfs, "/dev/ptmx",        "", 0o666);
+
+	// tty0–63 (like real env)
+	for (let i = 0; i <= 63; i++) {
+		ensureFile(vfs, `/dev/tty${i}`, "", 0o620);
+	}
 
-	// loop devices
+	// vcs devices
+	ensureFile(vfs, "/dev/vcs",         "", 0o620);
+	ensureFile(vfs, "/dev/vcs1",        "", 0o620);
+	ensureFile(vfs, "/dev/vcsa",        "", 0o620);
+	ensureFile(vfs, "/dev/vcsa1",       "", 0o620);
+	ensureFile(vfs, "/dev/vcsu",        "", 0o620);
+	ensureFile(vfs, "/dev/vcsu1",       "", 0o620);
+
+	// loop devices (0–7)
 	for (let i = 0; i < 8; i++) {
 		ensureFile(vfs, `/dev/loop${i}`, "", 0o660);
 	}
 	ensureDir(vfs, "/dev/loop-control");
 
-	// block device stubs (sda + partitions)
-	ensureFile(vfs, "/dev/sda",  "", 0o660);
-	ensureFile(vfs, "/dev/sda1", "", 0o660);
-	ensureFile(vfs, "/dev/sda2", "", 0o660);
+	// virtio block devices (vda–vdd matching mounts)
+	ensureFile(vfs, "/dev/vda",  "", 0o660);
+	ensureFile(vfs, "/dev/vdb",  "", 0o660);
+	ensureFile(vfs, "/dev/vdc",  "", 0o660);
+	ensureFile(vfs, "/dev/vdd",  "", 0o660);
+
+	// network tun
+	ensureDir(vfs, "/dev/net");
+	ensureFile(vfs, "/dev/net/tun", "", 0o660);
 
 	// misc
 	ensureDir(vfs, "/dev/pts");
 	ensureDir(vfs, "/dev/shm");
+	ensureDir(vfs, "/dev/cpu");
 	ensureFile(vfs, "/dev/stdin",  "", 0o666);
 	ensureFile(vfs, "/dev/stdout", "", 0o666);
 	ensureFile(vfs, "/dev/stderr", "", 0o666);
+	ensureDir(vfs, "/dev/fd");
+	ensureFile(vfs, "/dev/vga_arbiter", "", 0o660);
+	ensureFile(vfs, "/dev/vsock",       "", 0o660);
 }
 
 // ─── /usr ─────────────────────────────────────────────────────────────────────
@@ -617,13 +1270,31 @@ function bootstrapUsr(vfs: VirtualFileSystem): void {
 	ensureDir(vfs, "/usr/local/bin");
 	ensureDir(vfs, "/usr/local/lib");
 	ensureDir(vfs, "/usr/local/share");
+	ensureDir(vfs, "/usr/local/include");
+	ensureDir(vfs, "/usr/local/sbin");
 	ensureDir(vfs, "/usr/share");
 	ensureDir(vfs, "/usr/share/doc");
 	ensureDir(vfs, "/usr/share/man");
 	ensureDir(vfs, "/usr/share/man/man1");
+	ensureDir(vfs, "/usr/share/man/man5");
+	ensureDir(vfs, "/usr/share/man/man8");
+	ensureDir(vfs, "/usr/share/common-licenses");
+	ensureDir(vfs, "/usr/share/ca-certificates");
+	ensureDir(vfs, "/usr/share/zoneinfo");
 	ensureDir(vfs, "/usr/lib");
-
-	// Stubs so `which` can resolve built-in commands
+	ensureDir(vfs, "/usr/lib/x86_64-linux-gnu");
+	ensureDir(vfs, "/usr/lib/python3");
+	ensureDir(vfs, "/usr/lib/python3/dist-packages");
+	ensureDir(vfs, "/usr/lib/python3.12");
+	ensureDir(vfs, "/usr/lib/jvm");
+	ensureDir(vfs, "/usr/lib/jvm/java-21-openjdk-amd64");
+	ensureDir(vfs, "/usr/lib/jvm/java-21-openjdk-amd64/bin");
+	ensureDir(vfs, "/usr/lib/node_modules");
+	ensureDir(vfs, "/usr/lib/node_modules/npm");
+	ensureDir(vfs, "/usr/include");
+	ensureDir(vfs, "/usr/src");
+
+	// builtins — all bins present in the real container
 	const builtins = [
 		"sh", "bash", "ls", "cat", "echo", "grep", "find", "sort",
 		"head", "tail", "cut", "tr", "sed", "awk", "wc", "tee",
@@ -633,58 +1304,452 @@ function bootstrapUsr(vfs: VirtualFileSystem): void {
 		"nano", "diff", "uniq", "xargs", "base64",
 	];
 
+	// From a real container
+	// const builtins = [
+	// 	// core
+	// 	"sh", "bash", "dash",
+	// 	"ls", "cat", "echo", "grep", "find", "sort",
+	// 	"head", "tail", "cut", "tr", "sed", "awk", "mawk", "gawk",
+	// 	"wc", "tee", "tar", "gzip", "gunzip", "bzip2", "xz",
+	// 	"touch", "mkdir", "rm", "mv", "cp", "ln", "pwd",
+	// 	"chmod", "chown", "chgrp", "env", "date", "sleep",
+	// 	"id", "whoami", "hostname", "uname", "ps", "kill",
+	// 	"df", "du", "dd", "stat", "file",
+	// 	// net
+	// 	"curl", "wget", "nc", "netcat", "ss", "ip",
+	// 	// editors
+	// 	"nano", "vi",
+	// 	// text
+	// 	"diff", "uniq", "xargs", "base64", "md5sum", "sha256sum",
+	// 	"strings", "hexdump", "od", "column", "fmt", "paste",
+	// 	"join", "comm", "split", "csplit", "fold", "expand",
+	// 	// archive
+	// 	"zip", "unzip",
+	// 	// process
+	// 	"top", "htop", "free", "uptime", "dmesg", "lsof",
+	// 	"strace", "ltrace", "pgrep", "pkill", "nohup", "nice",
+	// 	// fs
+	// 	"mount", "umount", "lsblk", "fdisk", "blkid", "e2fsck",
+	// 	// misc
+	// 	"bc", "expr", "seq", "yes", "true", "false", "test",
+	// 	"readlink", "realpath", "dirname", "basename", "mktemp",
+	// 	"install", "make",
+	// 	// dev tools
+	// 	"gcc", "gcc-13", "g++", "g++-13", "cpp", "as", "ld",
+	// 	"ar", "nm", "objdump", "objcopy", "strip", "size",
+	// 	"cc", "c++", "pkg-config",
+	// 	// package
+	// 	"apt", "apt-get", "apt-cache", "dpkg", "dpkg-query",
+	// 	"lsb_release", "add-apt-repository",
+	// 	// scripting
+	// 	"perl", "python3", "python3.12", "pipx",
+	// 	// node/npm
+	// 	"node", "npm", "npx",
+	// 	// java
+	// 	"java", "javac", "jar", "javadoc",
+	// 	// security
+	// 	"openssl", "gpg", "gpg2", "gpgv", "ssh", "ssh-keygen",
+	// 	"sudo", "su", "passwd", "adduser", "useradd",
+	// 	// misc system
+	// 	"systemctl", "journalctl", "loginctl",
+	// 	"timedatectl", "localectl",
+	// 	"lshw", "lscpu", "lsusb", "lspci",
+	// 	// text proc
+	// 	"jq", "xmllint", "pandoc",
+	// 	// multimedia
+	// 	"ffmpeg",
+	// ];
+
 	for (const bin of builtins) {
 		ensureFile(vfs, `/usr/bin/${bin}`, `#!/bin/sh\nexec builtin ${bin} "$@"\n`, 0o755);
 	}
 
-	ensureFile(vfs, "/usr/bin/lsb_release", '#!/bin/sh\nexec lsb_release "$@"\n', 0o755);
+	// sbin equivalents
+	const sbins = [
+		"nologin", "useradd", "userdel", "groupadd", "groupdel",
+		"adduser", "deluser", "shutdown", "reboot", "halt",
+		"init", "service", "update-alternatives", "update-rc.d",
+		"depmod", "modprobe", "insmod", "rmmod", "lsmod",
+		"ifconfig", "route", "iptables", "ip6tables",
+		"arp", "iwconfig", "ethtool",
+		"fdisk", "parted", "mkfs.ext4", "fsck",
+		"ldconfig", "ldconfig.real",
+	];
+	for (const bin of sbins) {
+		ensureFile(vfs, `/usr/sbin/${bin}`, `#!/bin/sh\nexec builtin ${bin} "$@"\n`, 0o755);
+	}
+
+	// versioned python symlink stubs
+	ensureFile(vfs, "/usr/bin/python3.12", `#!/bin/sh\nexec python3 "$@"\n`, 0o755);
+	ensureFile(vfs, "/usr/bin/python3",    `#!/bin/sh\nexec python3.12 "$@"\n`, 0o755);
+
+	// node version stubs
+	ensureFile(vfs, "/usr/bin/node",  `#!/bin/sh\nexec node "$@"\n`, 0o755);
+	ensureFile(vfs, "/usr/bin/npm",   `#!/bin/sh\nexec npm "$@"\n`, 0o755);
+	ensureFile(vfs, "/usr/bin/npx",   `#!/bin/sh\nexec npx "$@"\n`, 0o755);
+
+	// java stubs
+	ensureFile(vfs, "/usr/lib/jvm/java-21-openjdk-amd64/bin/java",
+		`#!/bin/sh\nexec java "$@"\n`, 0o755);
+	ensureFile(vfs, "/usr/lib/jvm/java-21-openjdk-amd64/bin/javac",
+		`#!/bin/sh\nexec javac "$@"\n`, 0o755);
+
+	// /usr/share/common-licenses stubs
+	ensureFile(vfs, "/usr/share/common-licenses/GPL-2",   "GNU General Public License v2\n");
+	ensureFile(vfs, "/usr/share/common-licenses/GPL-3",   "GNU General Public License v3\n");
+	ensureFile(vfs, "/usr/share/common-licenses/LGPL-2.1","GNU Lesser General Public License v2.1\n");
+	ensureFile(vfs, "/usr/share/common-licenses/Apache-2.0","Apache License 2.0\n");
+	ensureFile(vfs, "/usr/share/common-licenses/MIT",     "MIT License\n");
 }
 
 // ─── /var ─────────────────────────────────────────────────────────────────────
 
+/** Realistic dpkg status database from real container package list */
+const DPKG_STATUS = `\
+Package: bash
+Status: install ok installed
+Priority: required
+Section: shells
+Installed-Size: 7012
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 5.2.21-2nyx1
+Depends: base-files (>= 2.1.12), fortune-utils (>= 1.0)
+Description: GNU Bourne Again SHell
+ bash is an sh-compatible command language interpreter that executes commands
+ read from the standard input or from a file.
+
+Package: coreutils
+Status: install ok installed
+Priority: required
+Section: utils
+Installed-Size: 18272
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 9.4-3nyx1
+Depends: libacl1 (>= 2.2.23), libattr1 (>= 1:2.4.44), libc6 (>= 2.17)
+Description: GNU core utilities
+ This package contains the basic file, shell and text manipulation utilities.
+
+Package: nodejs
+Status: install ok installed
+Priority: optional
+Section: web
+Installed-Size: 107120
+Maintainer: NodeSource <nodejs@nodesource.com>
+Architecture: amd64
+Version: 22.22.2-1nyx1
+Depends: libc6 (>= 2.17), libgcc-s1 (>= 3.0), libstdc++6 (>= 9.0)
+Description: Node.js event-based server-side javascript engine
+ Node.js is similar in design to and influenced by systems like Ruby's Twisted.
+
+Package: python3
+Status: install ok installed
+Priority: important
+Section: python
+Installed-Size: 68
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 3.12.3-0nyx1
+Depends: python3.12 (>= 3.12.3-0nyx1)
+Description: interactive high-level object-oriented language (default python3)
+ Python, the high-level, interactive object oriented language, includes an
+ extensive class library with lots of goodies for network programming.
+
+Package: python3.12
+Status: install ok installed
+Priority: optional
+Section: python
+Installed-Size: 36
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 3.12.3-1nyx1
+Depends: python3.12-minimal (= 3.12.3-1nyx1), libpython3.12-stdlib
+Description: Interactive high-level object-oriented language (version 3.12)
+ Python is a high-level, interactive, object-oriented language. Its 3.12 version
+ includes an extensive class library.
+
+Package: gcc-13
+Status: install ok installed
+Priority: optional
+Section: devel
+Installed-Size: 70460
+Maintainer: Fortune GCC Maintainers <gcc@fortune.local>
+Architecture: amd64
+Version: 13.3.0-6nyx1
+Depends: cpp-13 (= 13.3.0-6nyx1), gcc-13-base (= 13.3.0-6nyx1)
+Description: GNU C compiler
+ This is the GNU C compiler, a fairly portable optimizing compiler for C.
+
+Package: openjdk-21-jre-headless
+Status: install ok installed
+Priority: optional
+Section: java
+Installed-Size: 174488
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 21.0.10+7-1~nyx
+Depends: libc6 (>= 2.17), libgcc-s1 (>= 3.4)
+Description: OpenJDK Java runtime, using Hotspot JIT (headless)
+ Minimal Java runtime - needed for executing non-graphical Java programs.
+
+Package: curl
+Status: install ok installed
+Priority: standard
+Section: web
+Installed-Size: 544
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 8.5.0-2nyx1
+Depends: libcurl4 (= 8.5.0-2nyx1), zlib1g (>= 1:1.1.4)
+Description: command line tool for transferring data with URL syntax
+ curl is a command line tool for transferring data with URL syntax, supporting
+ DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3,
+ POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+
+Package: git
+Status: install ok installed
+Priority: optional
+Section: vcs
+Installed-Size: 36552
+Maintainer: Fortune VCS Team <vcs@fortune.local>
+Architecture: amd64
+Version: 1:2.43.0-1nyx1
+Depends: liberror-perl, git-man, libc6 (>= 2.34), libcurl3-gnutls
+Description: fast, scalable, distributed revision control system
+ Git is popular version control system designed to handle very large projects
+ with speed and efficiency; it is used mainly for various open source projects.
+
+Package: openssl
+Status: install ok installed
+Priority: optional
+Section: utils
+Installed-Size: 1320
+Maintainer: Fortune Security Team <security@fortune.local>
+Architecture: amd64
+Version: 3.0.13-0nyx1
+Depends: libssl3 (>= 3.0.13)
+Description: Secure Sockets Layer toolkit - cryptographic utility
+ This package is part of the OpenSSL project's implementation of the SSL and TLS
+ cryptographic protocols and related technologies.
+
+Package: wget
+Status: install ok installed
+Priority: standard
+Section: web
+Installed-Size: 1100
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 1.21.4-1nyx1
+Depends: libc6 (>= 2.17), libgnutls30 (>= 3.7.9), libidn2-0 (>= 2.0.0)
+Description: retrieves files from the web
+ GNU Wget is a program for retrieving files from the web, supporting the HTTP,
+ HTTPS and FTP protocols.
+
+Package: make
+Status: install ok installed
+Priority: optional
+Section: devel
+Installed-Size: 556
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 4.3-4.1nyx1
+Depends: libc6 (>= 2.17)
+Description: utility for directing compilation
+ GNU Make is a utility which controls the generation of executables and other
+ target files of a program from the program's source files.
+
+Package: ffmpeg
+Status: install ok installed
+Priority: optional
+Section: video
+Installed-Size: 2184
+Maintainer: Fortune Multimedia Team <multimedia@fortune.local>
+Architecture: amd64
+Version: 7:6.1.1-3nyx1
+Depends: libavcodec60, libavdevice60, libavfilter9, libavformat60, libavutil58
+Description: Tools for transcoding, streaming and playing of multimedia files
+ FFmpeg is a complete, cross-platform solution to record, convert and stream
+ audio and video.
+
+Package: pandoc
+Status: install ok installed
+Priority: optional
+Section: text
+Installed-Size: 96248
+Maintainer: Fortune Haskell Group <haskell@fortune.local>
+Architecture: amd64
+Version: 3.1.3+ds-2
+Depends: libgmp10, libgcc-s1, libffi8
+Description: general markup converter
+ Pandoc is a Haskell library for converting from one markup format to another.
+
+Package: tesseract-ocr
+Status: install ok installed
+Priority: optional
+Section: graphics
+Installed-Size: 1736
+Maintainer: Fortune OCR Team <ocr@fortune.local>
+Architecture: amd64
+Version: 5.3.4-1build5
+Depends: libc6 (>= 2.14), libleptonica-dev
+Description: Tesseract Open Source OCR Engine
+ Tesseract is an Open Source OCR Engine, originally developed by HP and now
+ sponsored by Google.
+
+Package: dpkg
+Status: install ok installed
+Priority: required
+Section: admin
+Installed-Size: 6800
+Maintainer: Fortune Package Team <dpkg@fortune.local>
+Architecture: amd64
+Version: 1.22.6nyx1
+Depends: libc6 (>= 2.17), libzstd1 (>= 1.5.5)
+Description: Fortune package management system
+ This package provides the low-level infrastructure for handling the
+ installation and removal of Fortune software packages.
+
+Package: apt
+Status: install ok installed
+Priority: important
+Section: admin
+Installed-Size: 4236
+Maintainer: Fortune Package Team <apt@fortune.local>
+Architecture: amd64
+Version: 2.8.3nyx1
+Depends: libapt-pkg6.0 (>= 2.8.3), adduser, gpgv
+Description: commandline package manager
+ This package provides commandline tools for searching and managing as well as
+ querying information about packages as a low-level access to all features of
+ the libapt-pkg library.
+
+Package: systemd
+Status: install ok installed
+Priority: optional
+Section: admin
+Installed-Size: 36476
+Maintainer: Fortune System Team <systemd@fortune.local>
+Architecture: amd64
+Version: 255.4-1nyx1
+Depends: libacl1 (>= 2.2.23), libblkid1 (>= 2.24), libc6 (>= 2.39)
+Description: system and service manager
+ systemd is a system and service manager for Linux. It provides aggressive
+ parallelization capabilities, uses socket and D-Bus activation for starting
+ services, offers on-demand starting of daemons, keeps track of processes using
+ Linux cgroups, maintains mount and automount points, and implements an
+ elaborate transactional dependency-based service control logic.
+
+Package: nano
+Status: install ok installed
+Priority: important
+Section: editors
+Installed-Size: 888
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 7.2-2
+Depends: libc6 (>= 2.17), libncursesw6 (>= 6)
+Description: small, friendly text editor inspired by Pico
+ GNU nano is an easy-to-use text editor originally designed as a replacement
+ for Pico, the ncurses-based editor from the non-free mailer package Pine.
+
+Package: less
+Status: install ok installed
+Priority: important
+Section: text
+Installed-Size: 344
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 1:640-2build2
+Depends: libc6 (>= 2.17), libtinfo6 (>= 6)
+Description: pager program similar to more
+ This package provides the \`less\` command, which is similar to more but allows
+ you to move backwards through the file.
+
+`;
+
 function bootstrapVar(vfs: VirtualFileSystem): void {
 	ensureDir(vfs, "/var");
 	ensureDir(vfs, "/var/log");
 	ensureDir(vfs, "/var/log/apt");
+	ensureDir(vfs, "/var/log/journal");
+	ensureDir(vfs, "/var/log/private");
 	ensureDir(vfs, "/var/tmp");
 	ensureDir(vfs, "/var/cache");
 	ensureDir(vfs, "/var/cache/apt");
 	ensureDir(vfs, "/var/cache/apt/archives");
+	ensureDir(vfs, "/var/cache/apt/archives/partial");
+	ensureDir(vfs, "/var/cache/debconf");
+	ensureDir(vfs, "/var/cache/ldconfig");
+	ensureDir(vfs, "/var/cache/fontconfig");
+	ensureDir(vfs, "/var/cache/PackageKit");
 	ensureDir(vfs, "/var/lib");
 	ensureDir(vfs, "/var/lib/apt");
 	ensureDir(vfs, "/var/lib/apt/lists");
+	ensureDir(vfs, "/var/lib/apt/lists/partial");
 	ensureDir(vfs, "/var/lib/dpkg");
 	ensureDir(vfs, "/var/lib/dpkg/info");
+	ensureDir(vfs, "/var/lib/dpkg/updates");
+	ensureDir(vfs, "/var/lib/dpkg/alternatives");
 	ensureDir(vfs, "/var/lib/misc");
+	ensureDir(vfs, "/var/lib/systemd");
+	ensureDir(vfs, "/var/lib/systemd/coredump");
+	ensureDir(vfs, "/var/lib/pam");
+	ensureDir(vfs, "/var/lib/git");
+	ensureDir(vfs, "/var/lib/PackageKit");
+	ensureDir(vfs, "/var/lib/python");
 	ensureDir(vfs, "/var/spool");
 	ensureDir(vfs, "/var/spool/cron");
+	ensureDir(vfs, "/var/spool/mail");
 	ensureDir(vfs, "/var/mail");
+	ensureDir(vfs, "/var/backups");
+	ensureDir(vfs, "/var/www");
 
-	// dpkg status — starts empty, VirtualPackageManager populates it
-	ensureFile(vfs, "/var/lib/dpkg/status", "");
+	// dpkg status — realistic package database
+	ensureFile(vfs, "/var/lib/dpkg/status", DPKG_STATUS);
 	ensureFile(vfs, "/var/lib/dpkg/available", "");
+	ensureFile(vfs, "/var/lib/dpkg/lock", "");
+	ensureFile(vfs, "/var/lib/dpkg/lock-frontend", "");
+
+	// apt state
+	ensureFile(vfs, "/var/lib/apt/lists/lock", "");
+	ensureFile(vfs, "/var/cache/apt/pkgcache.bin", "");
+	ensureFile(vfs, "/var/cache/apt/srcpkgcache.bin", "");
 
 	// syslog stubs
-	ensureFile(vfs, "/var/log/syslog", `${new Date().toUTCString()} fortune kernel: Virtual container started\n`);
-	ensureFile(vfs, "/var/log/auth.log", "");
-	ensureFile(vfs, "/var/log/kern.log", "");
-	ensureFile(vfs, "/var/log/dpkg.log", "");
-	ensureFile(vfs, "/var/log/apt/history.log", "");
-	ensureFile(vfs, "/var/log/apt/term.log", "");
-
-	// /run — systemd tmpfs runtime dir (canonical on modern Debian)
-	// /var/run is a legacy symlink to /run
+	ensureFile(vfs, "/var/log/syslog",
+		`${new Date().toUTCString()} ${""} kernel: Virtual container started\n`,
+	);
+	ensureFile(vfs, "/var/log/auth.log",        "");
+	ensureFile(vfs, "/var/log/kern.log",         "");
+	ensureFile(vfs, "/var/log/dpkg.log",         "");
+	ensureFile(vfs, "/var/log/apt/history.log",  "");
+	ensureFile(vfs, "/var/log/apt/term.log",     "");
+	ensureFile(vfs, "/var/log/faillog",          "");
+	ensureFile(vfs, "/var/log/lastlog",          "");
+	ensureFile(vfs, "/var/log/wtmp",             "");
+	ensureFile(vfs, "/var/log/btmp",             "");
+	ensureFile(vfs, "/var/log/alternatives.log", "");
+
+	// /run
 	ensureDir(vfs, "/run");
 	ensureDir(vfs, "/run/lock");
+	ensureDir(vfs, "/run/lock/subsys");
 	ensureDir(vfs, "/run/systemd");
+	ensureDir(vfs, "/run/systemd/ask-password");
+	ensureDir(vfs, "/run/systemd/sessions");
+	ensureDir(vfs, "/run/systemd/users");
 	ensureDir(vfs, "/run/user");
+	ensureDir(vfs, "/run/dbus");
+	ensureDir(vfs, "/run/adduser");
 	ensureFile(vfs, "/run/utmp", "");
+	ensureFile(vfs, "/run/dbus/system_bus_socket", "");
 }
 
 // ─── /bin + /sbin symlinks ────────────────────────────────────────────────────
 
 function bootstrapBin(vfs: VirtualFileSystem): void {
-	// Modern Debian: /bin and /sbin are symlinks to /usr/bin and /usr/sbin
+	// Modern Fortune Nyx: /bin and /sbin are symlinks to /usr/bin and /usr/sbin
 	if (!vfs.exists("/bin"))  vfs.symlink("/usr/bin",  "/bin");
 	if (!vfs.exists("/sbin")) vfs.symlink("/usr/sbin", "/sbin");
 
@@ -695,18 +1760,30 @@ function bootstrapBin(vfs: VirtualFileSystem): void {
 	ensureDir(vfs, "/lib64");
 	ensureDir(vfs, "/lib/x86_64-linux-gnu");
 	ensureDir(vfs, "/lib/modules");
+
+	// lib64 symlink (standard on x86_64)
+	if (!vfs.exists("/lib64/ld-linux-x86-64.so.2")) {
+		ensureFile(vfs, "/lib64/ld-linux-x86-64.so.2", "", 0o755);
+	}
 }
 
 // ─── /tmp ─────────────────────────────────────────────────────────────────────
 
 function bootstrapTmp(vfs: VirtualFileSystem): void {
 	ensureDir(vfs, "/tmp", 0o1777);
+	// node compile cache dir (present in real env)
+	ensureDir(vfs, "/tmp/node-compile-cache", 0o1777);
 }
 
 // ─── /root home ───────────────────────────────────────────────────────────────
 
 function bootstrapRoot(vfs: VirtualFileSystem): void {
 	ensureDir(vfs, "/root", 0o700);
+	ensureDir(vfs, "/root/.ssh", 0o700);
+	ensureDir(vfs, "/root/.config", 0o755);
+	ensureDir(vfs, "/root/.config/pip", 0o755);
+	ensureDir(vfs, "/root/.local", 0o755);
+	ensureDir(vfs, "/root/.local/share", 0o755);
 	ensureFile(
 		vfs,
 		"/root/.bashrc",
@@ -714,66 +1791,71 @@ function bootstrapRoot(vfs: VirtualFileSystem): void {
 			"# root .bashrc",
 			"export PS1='\\[\\033[0;31m\\]\\u@\\h\\[\\033[0m\\]:\\[\\033[0;34m\\]\\w\\[\\033[0m\\]# '",
 			"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			"export LANG=en_US.UTF-8",
 			"alias ll='ls -la'",
 			"alias la='ls -A'",
+			"alias l='ls -CF'",
 		].join("\n")}\n`,
 	);
-	ensureFile(vfs, "/root/.profile", "[ -f ~/.bashrc ] && . ~/.bashrc\n");
+	ensureFile(vfs, "/root/.profile",
+		"[ -f ~/.bashrc ] && . ~/.bashrc\n",
+	);
+	ensureFile(vfs, "/root/.bash_logout",
+		"# ~/.bash_logout\n",
+	);
+	ensureFile(vfs, "/root/.config/pip/pip.conf",
+		"[global]\nbreak-system-packages = true\n",
+	);
 }
 
-// ─── /opt /srv /mnt /media /home ─────────────────────────────────────────────
+// ─── /opt /srv /mnt /media ────────────────────────────────────────────────────
 
 function bootstrapMisc(vfs: VirtualFileSystem, props: ShellProperties): void {
 	ensureDir(vfs, "/opt");
+	ensureDir(vfs, "/opt/rclone");
 	ensureDir(vfs, "/srv");
 	ensureDir(vfs, "/mnt");
 	ensureDir(vfs, "/media");
-	ensureDir(vfs, "/home");
 
-	// /boot — grub + kernel images
+	// /boot — no kernel images in Firecracker containers (kernel is external),
+	// but maintain the directory structure for tool compatibility
 	ensureDir(vfs, "/boot");
 	ensureDir(vfs, "/boot/grub");
-	ensureDir(vfs, "/boot/grub/grub.cfg.d");
-	ensureFile(
-		vfs,
-		"/boot/grub/grub.cfg",
+	ensureFile(vfs, "/boot/grub/grub.cfg",
 		`${[
 			"# GRUB configuration (virtual)",
 			"set default=0",
-			"set timeout=5",
+			"set timeout=0",
 			"",
 			`menuentry "Fortune GNU/Linux" {`,
-			`  linux   /vmlinuz root=/dev/sda2 ro quiet splash`,
-			`  initrd  /initrd.img`,
+			`  linux   /vmlinuz-${props.kernel} root=/dev/vda rw console=ttyS0`,
+			`  initrd  /initrd.img-${props.kernel}`,
 			`}`,
 		].join("\n")}\n`,
 	);
-	// kernel + initrd stubs in /boot
+
 	const kver = props.kernel;
-	ensureFile(vfs, `/boot/vmlinuz-${kver}`, "", 0o644);
-	ensureFile(vfs, `/boot/initrd.img-${kver}`, "", 0o644);
-	ensureFile(vfs, `/boot/System.map-${kver}`, `${kver} virtual\n`, 0o644);
-	ensureFile(vfs, `/boot/config-${kver}`, `# Linux kernel config ${kver}\n`, 0o644);
-
-	// root-level symlinks (Debian convention)
-	if (!vfs.exists("/vmlinuz"))     vfs.symlink(`/boot/vmlinuz-${kver}`, "/vmlinuz");
-	if (!vfs.exists("/vmlinuz.old")) vfs.symlink(`/boot/vmlinuz-${kver}`, "/vmlinuz.old");
-	if (!vfs.exists("/initrd.img"))     vfs.symlink(`/boot/initrd.img-${kver}`, "/initrd.img");
-	if (!vfs.exists("/initrd.img.old")) vfs.symlink(`/boot/initrd.img-${kver}`, "/initrd.img.old");
-
-	// /snap — snapd mount namespace root
-	ensureDir(vfs, "/snap");
-	ensureDir(vfs, "/snap/bin");
-
-	// /lost+found — ext4 fsck recovery dir (mode 0o700, root only)
+	ensureFile(vfs, `/boot/vmlinuz-${kver}`,         "", 0o644);
+	ensureFile(vfs, `/boot/initrd.img-${kver}`,       "", 0o644);
+	ensureFile(vfs, `/boot/System.map-${kver}`,       `${kver} virtual\n`, 0o644);
+	ensureFile(vfs, `/boot/config-${kver}`,           `# Linux kernel config ${kver}\nCONFIG_VIRTIO=y\nCONFIG_VIRTIO_BLK=y\nCONFIG_VIRTIO_NET=y\nCONFIG_KVM_GUEST=y\n`, 0o644);
+
+	if (!vfs.exists("/vmlinuz"))        vfs.symlink(`/boot/vmlinuz-${kver}`,   "/vmlinuz");
+	if (!vfs.exists("/vmlinuz.old"))    vfs.symlink(`/boot/vmlinuz-${kver}`,   "/vmlinuz.old");
+	if (!vfs.exists("/initrd.img"))     vfs.symlink(`/boot/initrd.img-${kver}`,"/initrd.img");
+	if (!vfs.exists("/initrd.img.old")) vfs.symlink(`/boot/initrd.img-${kver}`,"/initrd.img.old");
+
+	// No /snap — not present in Firecracker container
+	// /proc/cmdline confirms: no snapd boot args
+
+	// /lost+found — ext4 recovery
 	ensureDir(vfs, "/lost+found", 0o700);
+
+	// /home — users managed by bootstrapRoot + syncEtcPasswd
+	ensureDir(vfs, "/home");
 }
 
 // ── Static rootfs snapshot cache ─────────────────────────────────────────────
-// The static parts of the rootfs (dev, usr, var, bin, tmp, etc, sys, misc)
-// are identical for all shells sharing the same hostname+props.
-// We build them once, serialise to VFSB binary, and clone via decodeVfs()
-// for each new shell — avoiding ~250 JS object allocations per instance.
 
 const _staticRootfsCache = new Map<string, Buffer>();
 
@@ -791,11 +1873,10 @@ export function getStaticRootfsSnapshot(
 	hostname: string,
 	props: ShellProperties,
 ): Buffer {
-	const key = _staticCacheKey(hostname, props);
+	const key    = _staticCacheKey(hostname, props);
 	const cached = _staticRootfsCache.get(key);
 	if (cached) return cached;
 
-	// Build the static subset into a temporary VFS
 	const tmp = new VirtualFileSystem({ mode: "memory" });
 	bootstrapEtc(tmp, hostname, props);
 	bootstrapSys(tmp, hostname, props);
@@ -812,7 +1893,6 @@ export function getStaticRootfsSnapshot(
 	return snapshot;
 }
 
-
 // ─── main entry point ─────────────────────────────────────────────────────────
 
 /**
@@ -834,15 +1914,21 @@ export function bootstrapLinuxRootfs(
 	shellStartTime: number,
 	sessions: VirtualActiveSession[] = [],
 ): void {
-	// Fast path: clone the cached static rootfs snapshot (VFSB decode ~0.07ms)
-	// instead of rebuilding ~250 JS objects from scratch each time.
 	const snapshot = getStaticRootfsSnapshot(hostname, props);
-	vfs.importRootTree(decodeVfs(snapshot));
+	const hasRestoredData = vfs.getMode() === "fs" && vfs.exists("/home");
+
+	if (hasRestoredData) {
+		// Snapshot was already restored — merge static rootfs without
+		// clobbering user files and directories.
+		vfs.mergeRootTree(decodeVfs(snapshot));
+	} else {
+		// Fresh start — replace the empty tree with the full static rootfs.
+		vfs.importRootTree(decodeVfs(snapshot));
+	}
 
-	// Dynamic parts: per-instance data injected after the static clone
-	bootstrapRoot(vfs);           // /root home dir + .bashrc
-	refreshProc(vfs, props, hostname, shellStartTime, sessions);  // /proc live data
-	syncEtcPasswd(vfs, users);   // /etc/passwd|group|shadow
+	bootstrapRoot(vfs);
+	refreshProc(vfs, props, hostname, shellStartTime, sessions);
+	syncEtcPasswd(vfs, users);
 }
 
 // ─── optional live engine ─────────────────────────────────────────────────────